Import version 3.2alpha7
parent
5a1a935563
commit
0eab801c99
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/vendor/ipfilter/dist/; revision=26119
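--- /dev/null
+++ b/contrib/ipfilter/FreeBSD-2.2/files.diffs
@@ -0,0 +1,18 @@
+*** /sys/conf/files.orig Sat May 24 14:05:28 1997
+--- /sys/conf/files Sat May 24 14:06:44 1997
+***************
+*** 217,222 ****
+--- 217,228 ----
+netinet/tcp_timer.c optional inet
+netinet/tcp_usrreq.c optional inet
+netinet/udp_usrreq.c optional inet
++ netinet/ip_fil.c optional ipfilter inet
++ netinet/fil.c optional ipfilter inet
++ netinet/ip_nat.c optional ipfilter inet
++ netinet/ip_frag.c optional ipfilter inet
++ netinet/ip_state.c optional ipfilter inet
++ netinet/ip_proxy.c optional ipfilter inet
++ netinet/mlf_ipl.c optional ipfilter inet
+netipx/ipx.c optional ipx
+netipx/ipx_cksum.c optional ipx
+netipx/ipx_error.c optional ipx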
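Review bot: The seven sources this patch adds to /sys/conf/files (netinet/ip_fil.c through netinet/mlf_ipl.c) do not match the five that the sibling files.newconf.diffs adds, which omits netinet/ip_proxy.c and netinet/mlf_ipl.c, so a kernel configured from the newconf list would presumably be missing the proxy and FreeBSD glue objects. Either the omission is deliberate for the older config scheme or the two patches drifted apart; a leading comment in files.newconf.diffs naming the kernel generation it targets would settle it. kinstall also copies ip_ftp_pxy.c into /sys/netinet although neither list compiles it; if ip_proxy.c pulls it in by #include, as the Makefile's `ln -s ../ip_ftp_pxy.c .` suggests, a note to that effect belongs next to the lists.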
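--- /dev/null
+++ b/contrib/ipfilter/FreeBSD-2.2/files.newconf.diffs
@@ -0,0 +1,16 @@
+*** files.newconf.orig Sun Jun 25 02:17:29 1995
+--- files.newconf Sun Jun 25 02:19:10 1995
+***************
+*** 161,166 ****
+--- 161,171 ----
+file netinet/ip_input.c inet
+file netinet/ip_mroute.c inet
+file netinet/ip_output.c inet
++ file netinet/ip_fil.c ipfilter
++ file netinet/fil.c ipfilter
++ file netinet/ip_nat.c ipfilter
++ file netinet/ip_frag.c ipfilter
++ file netinet/ip_state.c ipfilter
+file netinet/raw_ip.c inet
+file netinet/tcp_debug.c inet
+file netinet/tcp_input.c inet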
@ -1,5 +1,5 @@
|
|||||||
*** in_proto.c.orig Wed Apr 2 19:50:00 1997
|
*** /sys/netinet/in_proto.c.orig Sat May 24 13:42:26 1997
|
||||||
--- in_proto.c Wed Apr 2 19:51:21 1997
|
--- /sys/netinet/in_proto.c Sat May 24 13:42:36 1997
|
||||||
***************
|
***************
|
||||||
*** 89,94 ****
|
*** 89,94 ****
|
||||||
--- 89,99 ----
|
--- 89,99 ----
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
*** ip_input.c.orig Wed Apr 2 19:41:44 1997
|
*** /sys/netinet/ip_input.c.orig Sat May 24 13:37:16 1997
|
||||||
--- /sys/netinet/ip_input.c Wed Apr 2 19:28:53 1997
|
--- /sys/netinet/ip_input.c Sat May 24 13:38:58 1997
|
||||||
***************
|
***************
|
||||||
*** 74,79 ****
|
*** 74,79 ****
|
||||||
--- 74,82 ----
|
--- 74,82 ----
|
||||||
@ -13,7 +13,7 @@
|
|||||||
int rsvp_on = 0;
|
int rsvp_on = 0;
|
||||||
static int ip_rsvp_on;
|
static int ip_rsvp_on;
|
||||||
***************
|
***************
|
||||||
*** 310,316 ****
|
*** 310,315 ****
|
||||||
--- 313,327 ----
|
--- 313,327 ----
|
||||||
* - Wrap: fake packet's addr/port <unimpl.>
|
* - Wrap: fake packet's addr/port <unimpl.>
|
||||||
* - Encapsulate: put it in another IP and send out. <unimp.>
|
* - Encapsulate: put it in another IP and send out. <unimp.>
|
||||||
@ -21,12 +21,12 @@
|
|||||||
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
|
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
|
||||||
+ if (fr_checkp) {
|
+ if (fr_checkp) {
|
||||||
+ struct mbuf *m1 = m;
|
+ struct mbuf *m1 = m;
|
||||||
|
+
|
||||||
+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
|
+ if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
|
||||||
+ return;
|
+ return;
|
||||||
+ ip = mtod(m = m1, struct ip *);
|
+ ip = mtod(m = m1, struct ip *);
|
||||||
+ }
|
+ }
|
||||||
+ #endif
|
+ #endif
|
||||||
|
|
||||||
#ifdef COMPAT_IPFW
|
#ifdef COMPAT_IPFW
|
||||||
if (ip_fw_chk_ptr) {
|
if (ip_fw_chk_ptr) {
|
||||||
int action;
|
|
||||||
|
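Review bot: On a non-zero return from `(*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1)` the added block simply returns without touching `m`, so correctness depends on the filter hook having freed or consumed the mbuf itself; fil.c's own comment added in this commit says it frees the packet when dropping, and only on BSD. That contract is invisible at the call site and is exactly what turns into a leak or double free when the hook changes, so the block deserves a comment such as `/* fr_check frees m when it drops the packet; m1 is the (possibly new) mbuf on pass */`. The `!m1` leg returns silently as well; if that is the consumed-by-NAT/dup case rather than an error, saying so would help. The enclosing ip_input function starts and ends outside the hunk.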
@ -1,5 +1,5 @@
|
|||||||
*** ip_output.c.orig Wed Apr 2 19:41:48 1997
|
*** /sys/netinet/ip_output.c.orig Sat May 24 14:07:24 1997
|
||||||
--- /sys/netinet/ip_output.c Wed Apr 2 19:38:19 1997
|
--- /sys/netinet/ip_output.c Sat May 24 15:00:29 1997
|
||||||
***************
|
***************
|
||||||
*** 67,72 ****
|
*** 67,72 ****
|
||||||
--- 67,76 ----
|
--- 67,76 ----
|
||||||
@ -31,7 +31,7 @@
|
|||||||
static int ip_setmoptions
|
static int ip_setmoptions
|
||||||
__P((int, struct ip_moptions **, struct mbuf *));
|
__P((int, struct ip_moptions **, struct mbuf *));
|
||||||
***************
|
***************
|
||||||
*** 338,344 ****
|
*** 338,343 ****
|
||||||
--- 342,358 ----
|
--- 342,358 ----
|
||||||
* - Wrap: fake packet's addr/port <unimpl.>
|
* - Wrap: fake packet's addr/port <unimpl.>
|
||||||
* - Encapsulate: put it in another IP and send out. <unimp.>
|
* - Encapsulate: put it in another IP and send out. <unimp.>
|
||||||
@ -39,17 +39,17 @@
|
|||||||
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
|
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
|
||||||
+ if (fr_checkp) {
|
+ if (fr_checkp) {
|
||||||
+ struct mbuf *m1 = m;
|
+ struct mbuf *m1 = m;
|
||||||
|
+
|
||||||
+ if ((*fr_checkp)(ip, hlen, ifp, 1, &m1))
|
+ if ((*fr_checkp)(ip, hlen, ifp, 1, &m1))
|
||||||
+ error = EHOSTUNREACH;
|
+ error = EHOSTUNREACH;
|
||||||
+ if (error || !m1)
|
+ if (error || !m1)
|
||||||
+ goto done;
|
+ goto done;
|
||||||
+ ip = mtod(m = m1, struct ip *);
|
+ ip = mtod(m = m1, struct ip *);
|
||||||
+ }
|
+ }
|
||||||
+ #endif
|
+ #endif
|
||||||
|
|
||||||
#ifdef COMPAT_IPFW
|
#ifdef COMPAT_IPFW
|
||||||
if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, ifp, IP_NAT_OUT)) {
|
if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, ifp, IP_NAT_OUT)) {
|
||||||
error = EACCES;
|
|
||||||
***************
|
***************
|
||||||
*** 559,565 ****
|
*** 559,565 ****
|
||||||
* Copy options from ip to jp,
|
* Copy options from ip to jp,
|
||||||
@ -59,7 +59,7 @@
|
|||||||
ip_optcopy(ip, jp)
|
ip_optcopy(ip, jp)
|
||||||
struct ip *ip, *jp;
|
struct ip *ip, *jp;
|
||||||
{
|
{
|
||||||
--- 573,579 ----
|
--- 574,580 ----
|
||||||
* Copy options from ip to jp,
|
* Copy options from ip to jp,
|
||||||
* omitting those not copied during fragmentation.
|
* omitting those not copied during fragmentation.
|
||||||
*/
|
*/
|
||||||
|
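Review bot: A packet rejected by the filter hook sets `error = EHOSTUNREACH;`, while the COMPAT_IPFW ip_nat_ptr path a few lines further down the same function (visible as old-side context in this hunk) reports `error = EACCES;`, so the two firewalls hand the sending socket different errnos for the same event. If EHOSTUNREACH is deliberate (a filtered destination looks unreachable rather than forbidden) a one-line comment should say so; otherwise `error = EACCES;` keeps the paths consistent. As in the ip_input hunk, the `goto done` after a non-zero return relies on the hook having freed `m`, which is worth stating in a comment at the call. The enclosing ip_output function starts and ends outside the hunk.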
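--- /dev/null
+++ b/contrib/ipfilter/FreeBSD-2.2/kinstall
@@ -0,0 +1,61 @@
+#!/bin/csh -f
+#
+set dir=`pwd`
+set karch=`uname -m`
+if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
+if ( -d /sys/$karch ) set archdir="/sys/$karch"
+set confdir="$archdir/conf"
+
+if ( $dir =~ */FreeBSD* ) cd ..
+echo -n "Installing "
+foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
+ip_proxy.[ch] ip_ftp_pxy.c mlf_ipl.c ipl.h ip_compat.h)
+echo -n "$i ";
+cp $i /sys/netinet
+chmod 644 /sys/netinet/$i
+end
+echo ""
+echo "Copying /usr/include/osreldate.h to /sys/sys"
+cp /usr/include/osreldate.h /sys/sys
+echo "Patching ip_input.c, ip_output.c and in_proto.c"
+cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
+(cd /sys/netinet; patch)
+
+if ( -f /sys/conf/files.newconf ) then
+echo "Patching /sys/conf/files.newconf"
+cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch)
+echo "Patching /sys/conf/files"
+cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch)
+endif
+if ( -f /sys/conf/files.oldconf ) then
+echo "Patching /sys/conf/files.oldconf"
+cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch)
+echo "Patching /sys/conf/files"
+cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch)
+endif
+
+set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
+echo -n "Kernel configuration to update [$config] "
+set newconfig=$<
+if ( "$newconfig" != "" ) then
+set config="$confdir/$newconfig"
+else
+set newconfig=$config
+endif
+echo "Re-config'ing $newconfig..."
+if ( -f $confdir/$newconfig ) then
+mv $confdir/$newconfig $confdir/$newconfig.bak
+endif
+if ( -d $archdir/../compile/$newconfig ) then
+set bak=".bak"
+set dot=0
+while ( -d $archdir/../compile/${newconfig}.${bak} )
+set bak=".bak.$dot"
+set dot=`expr 1 + $dot`
+end
+mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
+endif
+awk '{print $0;if($2=="INET"){print"options IPFILTER"}}' \
+$confdir/$newconfig.bak > $confdir/$newconfig
+echo 'You will now need to run "config" and build a new kernel.'
+exit 0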
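Review bot: The oldconf branch pipes `FreeBSD-2.2/filez.diffs` into patch while the newconf branch two lines above uses `FreeBSD-2.2/files.diffs`; no filez.diffs appears among the files added here, so this looks like a typo that makes the /sys/conf/files patch fail on an oldconf tree (unkinstall repeats the same line). None of the `patch` invocations has its exit status checked, so a rejected hunk in ip_input.c or ip_output.c still lets the script go on to rewrite the kernel config as though the kernel sources were patched; `(cd /sys/netinet; patch) || exit 1` on each pipeline would stop it there. `archdir` is only set when one of the two `-d` tests succeeds, so on any other tree layout `set confdir="$archdir/conf"` aborts with an undefined-variable error before the operator is told what is missing. If the chosen config file does not exist, the `mv` to `.bak` is skipped but the final awk still reads `$confdir/$newconfig.bak`, producing an empty config; a guard such as `if ( ! -f $confdir/$newconfig.bak ) exit 1` before the awk would avoid that.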
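--- /dev/null
+++ b/contrib/ipfilter/FreeBSD-2.2/unkinstall
@@ -0,0 +1,55 @@
+#!/bin/csh -f
+#
+set dir=`pwd`
+set karch=`uname -m`
+if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
+if ( -d /sys/$karch ) set archdir="/sys/$karch"
+set confdir="$archdir/conf"
+
+if ( $dir =~ */FreeBSD* ) cd ..
+echo -n "Uninstalling "
+foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c ip_compat.h)
+echo -n "$i ";
+/bin/rm -f /sys/netinet/$i
+end
+echo ""
+echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
+cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
+(cd /sys/netinet; patch -R)
+
+if ( -f /sys/conf/files.newconf ) then
+echo "Unpatching /sys/conf/files.newconf"
+cat FreeBSD-2.2/files.newconf.diffs | (cd /sys/conf; patch -R)
+echo "Unpatching /sys/conf/files"
+cat FreeBSD-2.2/files.diffs | (cd /sys/conf; patch -R)
+endif
+if ( -f /sys/conf/files.oldconf ) then
+echo "Unpatching /sys/conf/files.oldconf"
+cat FreeBSD-2.2/files.oldconf.diffs | (cd /sys/conf; patch -R)
+echo "Unpatching /sys/conf/files"
+cat FreeBSD-2.2/filez.diffs | (cd /sys/conf; patch -R)
+endif
+
+set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
+echo -n "Kernel configuration to update [$config] "
+set newconfig=$<
+if ( "$newconfig" != "" ) then
+set config="$confdir/$newconfig"
+else
+set newconfig=$config
+endif
+if ( -f $confdir/$newconfig ) then
+mv $confdir/$newconfig $confdir/$newconfig.bak
+endif
+if ( -d $archdir/../compile/$newconfig ) then
+set bak=".bak"
+set dot=0
+while ( -d $archdir/../compile/${newconfig}.${bak} )
+set bak=".bak.$dot"
+set dot=`expr 1 + $dot`
+end
+mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
+endif
+egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
+echo 'You will now need to run "config" and build a new kernel.'
+exit 0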
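Review bot: The foreach removes only ip_fil, ip_nat, ip_frag, ip_state, fil.c and ip_compat.h, whereas kinstall also installs ip_proxy.[ch], ip_ftp_pxy.c, mlf_ipl.c and ipl.h into /sys/netinet, so an uninstall leaves those four behind; the two lists should match, e.g. `foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c ip_proxy.[ch] ip_ftp_pxy.c mlf_ipl.c ipl.h ip_compat.h)`. The oldconf branch reverses `FreeBSD-2.2/filez.diffs`, the same apparent typo for files.diffs as in kinstall. `egrep -v IPFILTER` drops every config line that mentions IPFILTER, which would also take out any hand-added option whose name merely contains that string (the sources here use IPFILTER_LKM and IPFILTER_LOG); if that is intended, a comment saying so would save the next reader a check, otherwise anchor it to the line kinstall adds with `egrep -v '^options IPFILTER$'`.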
@ -6,9 +6,9 @@ if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
|
|||||||
if ( -d /sys/$karch ) set archdir="/sys/$karch"
|
if ( -d /sys/$karch ) set archdir="/sys/$karch"
|
||||||
set confdir="$archdir/conf"
|
set confdir="$archdir/conf"
|
||||||
|
|
||||||
if ( $dir =~ */FreeBSD ) cd ..
|
if ( $dir =~ */FreeBSD* ) cd ..
|
||||||
echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
|
echo "Unpatching ip_input.c, ip_output.c and in_proto.c"
|
||||||
cat FreeBSD/ip_{in,out}put.c.diffs FreeBSD/in_proto.c.diffs | \
|
cat FreeBSD-2.2/ip_{in,out}put.c.diffs FreeBSD-2.2/in_proto.c.diffs | \
|
||||||
(cd /sys/netinet; patch -R)
|
(cd /sys/netinet; patch -R)
|
||||||
|
|
||||||
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
|
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
|
||||||
|
@ -5,6 +5,59 @@
|
|||||||
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
|
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
|
||||||
# loan of a machine to work on a Solaris 2.x port of this software.
|
# loan of a machine to work on a Solaris 2.x port of this software.
|
||||||
#
|
#
|
||||||
|
3.2alpha7 25/5/97 - Released
|
||||||
|
|
||||||
|
add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>
|
||||||
|
|
||||||
|
setup bits and pieces for compiling into a FreeBSD-2.2 kernel.
|
||||||
|
|
||||||
|
split up "bsd" targets. Now a separate netbsd/freebsd/bsd target.
|
||||||
|
mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).
|
||||||
|
|
||||||
|
fix (negative) host matching in filtering.
|
||||||
|
|
||||||
|
add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
|
||||||
|
or later.
|
||||||
|
|
||||||
|
make all the candidates for kernel compiling include "netinet/..." and build
|
||||||
|
a subdirectory "netinet" when compiling and symlink all .h files into this.
|
||||||
|
|
||||||
|
add install make target to Makefile.ipsend
|
||||||
|
|
||||||
|
3.2alpha6 8/5/97 - Released
|
||||||
|
|
||||||
|
Add "!" (not) to hostname/ip matching.
|
||||||
|
|
||||||
|
Automatically add packet info to the fragment cache if it is a fragment
|
||||||
|
and we're translating addreses for.
|
||||||
|
|
||||||
|
Automatically add packet info to the fragment cache if it is a fragment
|
||||||
|
and we're "keeping state" for the packet.
|
||||||
|
|
||||||
|
Solaris2 patches - Anthony Baxter (arb@connect.com.au)
|
||||||
|
|
||||||
|
change install procedure for FreeBSD 2.2 to allow building to a kernel
|
||||||
|
which is different to the running kernel.
|
||||||
|
|
||||||
|
add FIONREAD for Solaris2!
|
||||||
|
|
||||||
|
when expiring NAT table entries, if we would set a time to fr_tcpclosed
|
||||||
|
(which is 1), make it fr_tcplaskack(20) so that the state tables have a
|
||||||
|
chance to clear up.
|
||||||
|
|
||||||
|
3.2alpha5
|
||||||
|
|
||||||
|
add proxying skeleton support and sample ftp transparent proxy code.
|
||||||
|
|
||||||
|
add printfs at startup to tell user what is happening.
|
||||||
|
|
||||||
|
add packets & bytes for EXPIRE NAT log records.
|
||||||
|
|
||||||
|
fix the "install-bsd" target in the root Makefile. Chris Williams
|
||||||
|
<psion@mv.mv.com>
|
||||||
|
|
||||||
|
Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange.
|
||||||
|
|
||||||
3.2alpha4 2/4/97 - Released
|
3.2alpha4 2/4/97 - Released
|
||||||
|
|
||||||
Some compiler warnings cleaned up.
|
Some compiler warnings cleaned up.
|
||||||
@ -656,4 +709,3 @@ added code for ouput filtering as well as input filtering and added support for
|
|||||||
|
|
||||||
1.0 22/04/93 - Released
|
1.0 22/04/93 - Released
|
||||||
First release cut.
|
First release cut.
|
||||||
|
|
||||||
|
@ -1,21 +1,26 @@
|
|||||||
|
|
||||||
To build a kernel for use with the loadable kernel module, follow these
|
To build a kernel for use with the loadable kernel module, follow these
|
||||||
steps:
|
steps:
|
||||||
1. do "make freebsd22"
|
1. In /sys/i386/conf, create a new kernel config file (to be used
|
||||||
|
with IPFILTER), i.e. FIREWALL and run config, i.e. "config FIREWALL"
|
||||||
|
|
||||||
2. do "make install-bsd"
|
2. build the object files, telling it the name of the kernel to be
|
||||||
|
used. "freebsd22" MUST be the target, so the command would be
|
||||||
|
something like this: "make freebsd22 IPFILKERN=FIREWALL"
|
||||||
|
|
||||||
|
3. do "make install-bsd"
|
||||||
(probably has to be done as root)
|
(probably has to be done as root)
|
||||||
|
|
||||||
3. run "FreeBSD-2.2/minstall" as root
|
4. run "FreeBSD-2.2/minstall" as root
|
||||||
|
|
||||||
4. build a new kernel
|
5. build a new kernel
|
||||||
|
|
||||||
5. install and reboot with the new kernel
|
6. install and reboot with the new kernel
|
||||||
|
|
||||||
6. use modload(8) to load the packet filter with:
|
7. use modload(8) to load the packet filter with:
|
||||||
modload if_ipl.o
|
modload if_ipl.o
|
||||||
|
|
||||||
7. do "modstat" to confirm that it has been loaded successfully.
|
8. do "modstat" to confirm that it has been loaded successfully.
|
||||||
|
|
||||||
There is no need to use mknod to create the device in /dev;
|
There is no need to use mknod to create the device in /dev;
|
||||||
- upon loading the module, it will create itself with the correct values,
|
- upon loading the module, it will create itself with the correct values,
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
|
|
||||||
To build a kernel for use with the loadable kernel module, follow these
|
To build a kernel for use with the loadable kernel module, follow these
|
||||||
steps:
|
steps:
|
||||||
1. do "make bsd"
|
1. do "make freebsd"
|
||||||
|
|
||||||
2. do "make install-bsd"
|
2. do "make install-bsd"
|
||||||
(probably has to be done as root)
|
(probably has to be done as root)
|
||||||
@ -27,7 +27,7 @@ There is no need to use mknod to create the device in /dev;
|
|||||||
|
|
||||||
To build a kernel with the IP filter, follow these steps:
|
To build a kernel with the IP filter, follow these steps:
|
||||||
|
|
||||||
1. do "make bsd"
|
1. do "make freebsd"
|
||||||
|
|
||||||
2. do "make install-bsd"
|
2. do "make install-bsd"
|
||||||
(probably has to be done as root)
|
(probably has to be done as root)
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
|
|
||||||
To build a kernel for use with the loadable kernel module, follow these
|
To build a kernel for use with the loadable kernel module, follow these
|
||||||
steps:
|
steps:
|
||||||
1. do "make bsd"
|
1. do "make netbsd"
|
||||||
|
|
||||||
2. do "make install-bsd"
|
2. do "make install-bsd"
|
||||||
(probably has to be done as root)
|
(probably has to be done as root)
|
||||||
@ -27,7 +27,7 @@ There is no need to use mknod to create the device in /dev;
|
|||||||
|
|
||||||
To build a kernel with the IP filter, follow these steps:
|
To build a kernel with the IP filter, follow these steps:
|
||||||
|
|
||||||
1. do "make bsd"
|
1. do "make netbsd"
|
||||||
|
|
||||||
2. do "make install-bsd"
|
2. do "make install-bsd"
|
||||||
(probably has to be done as root)
|
(probably has to be done as root)
|
||||||
|
@ -5,13 +5,13 @@
|
|||||||
# and is not changed in any way. The author accepts no responsibility
|
# and is not changed in any way. The author accepts no responsibility
|
||||||
# for the use of this software. I hate legaleese, don't you ?
|
# for the use of this software. I hate legaleese, don't you ?
|
||||||
#
|
#
|
||||||
# $Id: Makefile,v 2.0.2.7 1997/04/02 12:23:14 darrenr Exp $
|
# $Id: Makefile,v 2.0.2.12 1997/05/24 08:13:34 darrenr Exp $
|
||||||
#
|
#
|
||||||
# where to put things.
|
# where to put things.
|
||||||
#
|
#
|
||||||
BINDEST=/usr/local/ip_fil3.1.1/bin
|
BINDEST=/usr/local/bin
|
||||||
SBINDEST=/usr/local/ip_fil3.1.1/sbin
|
SBINDEST=/sbin
|
||||||
MANDIR=/usr/local/ip_fil3.1.1/man
|
MANDIR=/usr/local/man
|
||||||
#To test prototyping
|
#To test prototyping
|
||||||
#CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Werror
|
#CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Werror
|
||||||
CC=gcc
|
CC=gcc
|
||||||
@ -65,20 +65,44 @@ tests:
|
|||||||
@if [ -d test ]; then (cd test; make) \
|
@if [ -d test ]; then (cd test; make) \
|
||||||
else echo test directory not present, sorry; fi
|
else echo test directory not present, sorry; fi
|
||||||
|
|
||||||
sunos solaris:
|
include:
|
||||||
|
mkdir -p netinet
|
||||||
|
(cd netinet; /bin/rm -f *; ln -s ../*.h .; ln -s ../ip_ftp_pxy.c .)
|
||||||
|
|
||||||
|
sunos solaris: include
|
||||||
./buildsunos
|
./buildsunos
|
||||||
|
|
||||||
freebsd22 freebsd30:
|
freebsd22 freebsd30: include
|
||||||
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
|
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
|
||||||
@if [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \
|
-rm -f BSD/$(CPU)/ioconf.h
|
||||||
echo "Can't find ioconf.h"; \
|
@if [ -n $(IPFILKERN) ] ; then \
|
||||||
|
ln -s /sys/$(IPFILKERN)/ioconf.h BSD/$(CPU); \
|
||||||
|
elif [ ! -f `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h ] ; then \
|
||||||
|
echo -n "Can't find ioconf.h in "; \
|
||||||
|
echo `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`; \
|
||||||
exit 1;\
|
exit 1;\
|
||||||
|
else \
|
||||||
|
ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU) ; \
|
||||||
fi
|
fi
|
||||||
rm -f BSD/$(CPU)/ioconf.h
|
make freebsd
|
||||||
ln -s `uname -v|sed -e 's@^.*:\(/[^: ]*\).*@\1@'`/ioconf.h BSD/$(CPU)
|
|
||||||
make bsd
|
|
||||||
|
|
||||||
bsd netbsd freebsd freebsd20 freebsd21:
|
netbsd: include
|
||||||
|
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
|
||||||
|
-rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
|
||||||
|
-ln -s ../Makefile BSD/$(CPU)/Makefile
|
||||||
|
-ln -s ../Makefile.ipsend BSD/$(CPU)/Makefile.ipsend
|
||||||
|
(cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS) "ML=mln_ipl.c"; cd ..)
|
||||||
|
(cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
|
||||||
|
|
||||||
|
freebsd freebsd20 freebsd21: include
|
||||||
|
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
|
||||||
|
-rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
|
||||||
|
-ln -s ../Makefile BSD/$(CPU)/Makefile
|
||||||
|
-ln -s ../Makefile.ipsend BSD/$(CPU)/Makefile.ipsend
|
||||||
|
(cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS) "ML=mlf_ipl.c"; cd ..)
|
||||||
|
(cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
|
||||||
|
|
||||||
|
bsd: include
|
||||||
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
|
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
|
||||||
-rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
|
-rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
|
||||||
-ln -s ../Makefile BSD/$(CPU)/Makefile
|
-ln -s ../Makefile BSD/$(CPU)/Makefile
|
||||||
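Review bot: `@if [ -n $(IPFILKERN) ] ; then` tests an unquoted make variable, so when IPFILKERN is not given the shell sees `[ -n ]`, which is true, and the target symlinks the non-existent `/sys//ioconf.h` instead of falling through to the uname-based lookup; it should read `@if [ -n "$(IPFILKERN)" ] ; then`. The new `include` target runs `(cd netinet; /bin/rm -f *; ln -s ../*.h .; ln -s ../ip_ftp_pxy.c .)`, so if the cd fails (for instance because netinet exists as a plain file) the rm runs in the source directory; chaining with `&&` avoids that. INSTALL.FreeBSD in this commit has config run from /sys/i386/conf, so the compile directory is presumably not `/sys/$(IPFILKERN)` as the `ln -s` assumes unless IPFILKERN is given with a path prefix — worth confirming against those instructions or documenting the expected value next to the target.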
@ -86,7 +110,7 @@ bsd netbsd freebsd freebsd20 freebsd21:
|
|||||||
(cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS); cd ..)
|
(cd BSD/$(CPU); make build "TOP=../.." $(MFLAGS); cd ..)
|
||||||
(cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
|
(cd BSD/$(CPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
|
||||||
|
|
||||||
bsdi bsdos:
|
bsdi bsdos: include
|
||||||
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
|
-if [ ! -d BSD/$(CPU) ] ; then mkdir BSD/$(CPU); fi
|
||||||
-rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
|
-rm -f BSD/$(CPU)/Makefile BSD/$(CPU)/Makefile.ipsend
|
||||||
-ln -s ../Makefile BSD/$(CPU)/Makefile
|
-ln -s ../Makefile BSD/$(CPU)/Makefile
|
||||||
@ -138,20 +162,15 @@ sunos5x86 solaris2x86:
|
|||||||
(cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
|
(cd SunOS5/$(CPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
|
||||||
|
|
||||||
install-bsd: bsd
|
install-bsd: bsd
|
||||||
(cd BSD/$(CPU); $(MAKE) "CPU=$(CPU) TOP=../.." install)
|
(cd BSD/$(CPU); make install "TOP=../.." $(MFLAGS); cd ..)
|
||||||
|
(cd BSD/$(CPU); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..)
|
||||||
|
|
||||||
install-sunos4: solaris
|
install-sunos4: solaris
|
||||||
(cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install)
|
(cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install)
|
||||||
|
|
||||||
install-sunos5: solaris
|
install-sunos5: solaris
|
||||||
(cd SunOS5; $(MAKE) "CPU=$(CPU) TOP=.." install)
|
(cd SunOS5; $(MAKE) "CPU=$(CPU) TOP=.." install)
|
||||||
|
|
||||||
# XXX FIXME: bogus to depend on all!
|
|
||||||
install: all ip_fil.h
|
|
||||||
-$(CP) ip_fil.h /usr/include/netinet/ip_fil.h
|
|
||||||
-$(CHMOD) 444 /usr/include/netinet/ip_fil.h
|
|
||||||
-$(INSTALL) -cs -g wheel -m 755 -o root ipfstat ipf ipnat $(SBINDEST)
|
|
||||||
-$(INSTALL) -cs -g wheel -m 755 -o root ipmon ipftest $(BINDEST)
|
|
||||||
(cd man; $(MAKE) INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd ..)
|
|
||||||
|
|
||||||
rcsget:
|
rcsget:
|
||||||
-@for i in ipf.c ipt.h solaris.c ipf.h kmem.c ipft_ef.c linux.h \
|
-@for i in ipf.c ipt.h solaris.c ipf.h kmem.c ipft_ef.c linux.h \
|
||||||
ipft_pc.c fil.c ipft_sn.c mln_ipl.c fils.c ipft_td.c \
|
ipft_pc.c fil.c ipft_sn.c mln_ipl.c fils.c ipft_td.c \
|
||||||
|
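Review bot: `install-bsd` still depends on the `bsd` target, which now builds with `make build "TOP=../.." $(MFLAGS)` and no `ML=` override, while the new `freebsd` targets build with `ML=mlf_ipl.c`; following INSTALL.FreeBSD's `make freebsd` then `make install-bsd` therefore re-runs a build with a different module source right before installing. Dropping the prerequisite (`install-bsd:`) or adding per-platform install targets such as `install-freebsd: freebsd` would avoid that. The removed generic `install` target was the only visible place that installed ip_fil.h under /usr/include/netinet; if BSD/$(CPU)/Makefile's install rule now does that it is fine, but it is not shown here.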
@ -1,10 +1,10 @@
|
|||||||
#! /bin/sh
|
#! /bin/sh
|
||||||
# $Id: buildsunos,v 2.0.2.3 1997/03/30 15:37:34 darrenr Exp $
|
# $Id: buildsunos,v 2.0.2.4 1997/05/24 07:32:46 darrenr Exp $
|
||||||
:
|
:
|
||||||
rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'`
|
rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'`
|
||||||
cpu=`uname -m`
|
cpu=`uname -m`
|
||||||
if [ $rev = 5 ] ; then
|
if [ $rev = 5 ] ; then
|
||||||
solrev=`uname -r | sed -e 's/^\([0-9]*\)\.\([0-9]*\)$/\2/'`
|
solrev=`uname -r | sh -c 'IFS=. read j n x; echo $n'`
|
||||||
mkdir -p SunOS5/${cpu}
|
mkdir -p SunOS5/${cpu}
|
||||||
/bin/rm -f SunOS5/${cpu}/Makefile
|
/bin/rm -f SunOS5/${cpu}/Makefile
|
||||||
/bin/rm -f SunOS5/${cpu}/Makefile.ipsend
|
/bin/rm -f SunOS5/${cpu}/Makefile.ipsend
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
*/
|
*/
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
|
static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
|
||||||
static char rcsid[] = "$Id: fil.c,v 2.0.2.7 1997/04/02 12:23:15 darrenr Exp $";
|
static char rcsid[] = "$Id: fil.c,v 2.0.2.13 1997/05/24 07:33:37 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include <sys/errno.h>
|
#include <sys/errno.h>
|
||||||
@ -45,11 +45,12 @@ static char rcsid[] = "$Id: fil.c,v 2.0.2.7 1997/04/02 12:23:15 darrenr Exp $";
|
|||||||
#include <netinet/udp.h>
|
#include <netinet/udp.h>
|
||||||
#include <netinet/tcpip.h>
|
#include <netinet/tcpip.h>
|
||||||
#include <netinet/ip_icmp.h>
|
#include <netinet/ip_icmp.h>
|
||||||
#include "ip_compat.h"
|
#include "netinet/ip_compat.h"
|
||||||
#include "ip_fil.h"
|
#include "netinet/ip_fil.h"
|
||||||
#include "ip_nat.h"
|
#include "netinet/ip_proxy.h"
|
||||||
#include "ip_frag.h"
|
#include "netinet/ip_nat.h"
|
||||||
#include "ip_state.h"
|
#include "netinet/ip_frag.h"
|
||||||
|
#include "netinet/ip_state.h"
|
||||||
#ifndef MIN
|
#ifndef MIN
|
||||||
#define MIN(a,b) (((a)<(b))?(a):(b))
|
#define MIN(a,b) (((a)<(b))?(a):(b))
|
||||||
#endif
|
#endif
|
||||||
@ -70,7 +71,6 @@ extern int opts;
|
|||||||
# define IPLLOG(a, c, d, e) ipllog()
|
# define IPLLOG(a, c, d, e) ipllog()
|
||||||
# if SOLARIS
|
# if SOLARIS
|
||||||
# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip)
|
# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(ip)
|
||||||
# define bcmp memcmp
|
|
||||||
# else
|
# else
|
||||||
# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(b, ip, if)
|
# define ICMP_ERROR(b, ip, t, c, if, src) icmp_error(b, ip, if)
|
||||||
# endif
|
# endif
|
||||||
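Review bot: The `# define bcmp memcmp` under `# if SOLARIS` is dropped, but the cache lookup later in this file still calls `bcmp((char *)fin, (char *)fc, FI_CSIZE)`, so the Solaris build now needs bcmp from somewhere else — presumably the new `netinet/ip_compat.h` include, which is not shown. If that is where it moved, nothing more is needed here, but please confirm that the non-_KERNEL Solaris build (ipftest) still compiles and links.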
@ -100,19 +100,12 @@ extern kmutex_t ipf_mutex;
|
|||||||
# endif
|
# endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifndef IPF_LOGGING
|
|
||||||
#define IPF_LOGGING 0
|
|
||||||
#endif
|
|
||||||
#ifdef IPF_DEFAULT_PASS
|
|
||||||
#define IPF_NOMATCH (IPF_DEFAULT_PASS|FR_NOMATCH)
|
|
||||||
#else
|
|
||||||
#define IPF_NOMATCH (FR_PASS|FR_NOMATCH)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
|
struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
|
||||||
struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
|
struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
|
||||||
*ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
|
*ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
|
||||||
int fr_flags = IPF_LOGGING, fr_active = 0;
|
int fr_flags = IPF_LOGGING, fr_active = 0;
|
||||||
|
int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
|
||||||
|
|
||||||
fr_info_t frcache[2];
|
fr_info_t frcache[2];
|
||||||
|
|
||||||
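Review bot: `int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);` uses IPF_DEFAULT_PASS unconditionally, whereas the removed block only did so under `#ifdef IPF_DEFAULT_PASS` and otherwise fell back to FR_PASS; likewise `fr_flags = IPF_LOGGING` loses its local `#define IPF_LOGGING 0` fallback. Unless both macros are now guaranteed by one of the headers (not visible here), a build that never defined them will fail to compile. Since fr_pass is now a writable global that supplies the verdict for packets matching no rule — and per HISTORY is exposed through sysctl — a comment stating that and its default, e.g. `/* verdict for packets that match no rule; settable at run time */`, would help the reader.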
@ -417,7 +410,7 @@ void *m;
|
|||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
register u_long *ld, *lm, *lip;
|
register u_long *ld, *lm, *lip;
|
||||||
register int i;
|
register int i, j;
|
||||||
|
|
||||||
lip = (u_long *)fi;
|
lip = (u_long *)fi;
|
||||||
lm = (u_long *)&fr->fr_mip;
|
lm = (u_long *)&fr->fr_mip;
|
||||||
@ -425,10 +418,10 @@ void *m;
|
|||||||
i = ((lip[0] & lm[0]) != ld[0]);
|
i = ((lip[0] & lm[0]) != ld[0]);
|
||||||
FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n",
|
FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n",
|
||||||
lip[0], lm[0], ld[0]));
|
lip[0], lm[0], ld[0]));
|
||||||
i |= ((lip[1] & lm[1]) != ld[1]);
|
i |= ((lip[1] & lm[1]) != ld[1]) << 21;
|
||||||
FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n",
|
FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n",
|
||||||
lip[1], lm[1], ld[1]));
|
lip[1], lm[1], ld[1]));
|
||||||
i |= ((lip[2] & lm[2]) != ld[2]);
|
i |= ((lip[2] & lm[2]) != ld[2]) << 22;
|
||||||
FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n",
|
FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n",
|
||||||
lip[2], lm[2], ld[2]));
|
lip[2], lm[2], ld[2]));
|
||||||
i |= ((lip[3] & lm[3]) != ld[3]);
|
i |= ((lip[3] & lm[3]) != ld[3]);
|
||||||
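Review bot: The shifts in `i |= ((lip[1] & lm[1]) != ld[1]) << 21;` and `<< 22` evidently encode the bit positions of FR_NOTSRCIP and FR_NOTDSTIP so that the `i ^= (fi->fi_fl & (FR_NOTSRCIP|FR_NOTDSTIP));` added in the next hunk can cancel them; if either flag value is ever moved, negated host rules silently stop matching. Deriving the shifts from the flags, or at least a comment `/* 21/22 are the bit positions of FR_NOTSRCIP/FR_NOTDSTIP */`, would tie the two together. The `FR_IFDEBUG(i,continue,…)` checks for fields 1 and 2 still run before the XOR is applied, so if that macro expands to a real `if (i) continue;` in debug builds, a negated rule that should match would be skipped there. `j` is added to the declaration in the previous hunk but is not used on any visible line. The enclosing function starts and ends outside the hunk.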
@ -437,6 +430,7 @@ void *m;
|
|||||||
i |= ((lip[4] & lm[4]) != ld[4]);
|
i |= ((lip[4] & lm[4]) != ld[4]);
|
||||||
FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n",
|
FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n",
|
||||||
lip[4], lm[4], ld[4]));
|
lip[4], lm[4], ld[4]));
|
||||||
|
i ^= (fi->fi_fl & (FR_NOTSRCIP|FR_NOTDSTIP));
|
||||||
if (i)
|
if (i)
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@ -557,6 +551,7 @@ int out;
|
|||||||
fr_makefrip(hlen, ip, fin);
|
fr_makefrip(hlen, ip, fin);
|
||||||
fin->fin_ifp = ifp;
|
fin->fin_ifp = ifp;
|
||||||
fin->fin_out = out;
|
fin->fin_out = out;
|
||||||
|
fin->fin_mp = mp;
|
||||||
|
|
||||||
MUTEX_ENTER(&ipf_mutex);
|
MUTEX_ENTER(&ipf_mutex);
|
||||||
if (!out) {
|
if (!out) {
|
||||||
@ -566,24 +561,8 @@ int out;
|
|||||||
frstats[0].fr_acct++;
|
frstats[0].fr_acct++;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((pass = ipfr_knownfrag(ip, fin))) {
|
if (!(pass = ipfr_knownfrag(ip, fin)) &&
|
||||||
if ((pass & FR_KEEPSTATE)) {
|
!(pass = fr_checkstate(ip, fin))) {
|
||||||
if (fr_addstate(ip, fin, pass) == -1)
|
|
||||||
frstats[out].fr_bads++;
|
|
||||||
else
|
|
||||||
frstats[out].fr_ads++;
|
|
||||||
}
|
|
||||||
} else if ((pass = fr_checkstate(ip, fin))) {
|
|
||||||
if ((pass & FR_KEEPFRAG)) {
|
|
||||||
if (fin->fin_fi.fi_fl & FI_FRAG) {
|
|
||||||
if (ipfr_newfrag(ip, fin, pass) == -1)
|
|
||||||
frstats[out].fr_bnfr++;
|
|
||||||
else
|
|
||||||
frstats[out].fr_nfr++;
|
|
||||||
} else
|
|
||||||
frstats[out].fr_cfr++;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
fc = frcache + out;
|
fc = frcache + out;
|
||||||
if (fc->fin_fr && !bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
|
if (fc->fin_fr && !bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
|
||||||
/*
|
/*
|
||||||
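Review bot: With the rewrite, `fr = fin->fin_fr;` after the cache block is now reached for packets accepted via ipfr_knownfrag or fr_checkstate as well, and the FR_KEEPFRAG and FR_DUP handling that follows keys off `fr`; whether those two functions set fin->fin_fr, or leave whatever the caller put in `fin`, is not visible here. If they do not, the combined `if (!(pass = ipfr_knownfrag(ip, fin)) && !(pass = fr_checkstate(ip, fin)))` should be preceded by `fin->fin_fr = NULL;` so a stale rule pointer is never used for duplication or routing. The enclosing function (the one taking `int out`) starts and ends outside the hunk.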
@ -594,16 +573,16 @@ int out;
|
|||||||
frstats[out].fr_chit++;
|
frstats[out].fr_chit++;
|
||||||
pass = fin->fin_fr->fr_flags;
|
pass = fin->fin_fr->fr_flags;
|
||||||
} else {
|
} else {
|
||||||
pass = IPF_NOMATCH;
|
pass = fr_pass;
|
||||||
if ((fin->fin_fr = ipfilter[out][fr_active]))
|
if ((fin->fin_fr = ipfilter[out][fr_active]))
|
||||||
pass = FR_SCANLIST(IPF_NOMATCH, ip, fin, m);
|
pass = FR_SCANLIST(fr_pass, ip, fin, m);
|
||||||
bcopy((char *)fin, (char *)fc, FI_CSIZE);
|
bcopy((char *)fin, (char *)fc, FI_CSIZE);
|
||||||
if (pass & FR_NOMATCH)
|
if (pass & FR_NOMATCH)
|
||||||
frstats[out].fr_nom++;
|
frstats[out].fr_nom++;
|
||||||
}
|
}
|
||||||
fr = fin->fin_fr;
|
fr = fin->fin_fr;
|
||||||
|
|
||||||
if ((pass & FR_KEEPFRAG)) {
|
if (pass & FR_KEEPFRAG) {
|
||||||
if (fin->fin_fi.fi_fl & FI_FRAG) {
|
if (fin->fin_fi.fi_fl & FI_FRAG) {
|
||||||
if (ipfr_newfrag(ip, fin, pass) == -1)
|
if (ipfr_newfrag(ip, fin, pass) == -1)
|
||||||
frstats[out].fr_bnfr++;
|
frstats[out].fr_bnfr++;
|
||||||
@ -660,6 +639,19 @@ int out;
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* IPFILTER_LOG */
|
#endif /* IPFILTER_LOG */
|
||||||
|
#ifdef _KERNEL
|
||||||
|
/*
|
||||||
|
* Only allow FR_DUP to work if a rule matched - it makes no sense to
|
||||||
|
* set FR_DUP as a "default" as there are no instructions about where
|
||||||
|
* to send the packet.
|
||||||
|
*/
|
||||||
|
if (fr && (pass & FR_DUP))
|
||||||
|
# if SOLARIS
|
||||||
|
mc = dupmsg(m);
|
||||||
|
# else
|
||||||
|
mc = m_copy(m, 0, M_COPYALL);
|
||||||
|
# endif
|
||||||
|
#endif
|
||||||
|
|
||||||
if (pass & FR_PASS)
|
if (pass & FR_PASS)
|
||||||
frstats[out].fr_pass++;
|
frstats[out].fr_pass++;
|
||||||
@ -703,10 +695,16 @@ int out;
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If we didn't drop off the bottom of the list of rules (and thus
|
||||||
|
* the 'current' rule fr is not NULL), then we may have some extra
|
||||||
|
* instructions about what to do with a packet.
|
||||||
|
* Once we're finished return to our caller, freeing the packet if
|
||||||
|
* we are dropping it (* BSD ONLY *).
|
||||||
|
*/
|
||||||
#ifdef _KERNEL
|
#ifdef _KERNEL
|
||||||
# if !SOLARIS
|
# if !SOLARIS
|
||||||
if (pass & FR_DUP)
|
|
||||||
mc = m_copy(m, 0, M_COPYALL);
|
|
||||||
if (fr) {
|
if (fr) {
|
||||||
frdest_t *fdp = &fr->fr_tif;
|
frdest_t *fdp = &fr->fr_tif;
|
||||||
|
|
||||||
@ -722,8 +720,6 @@ int out;
|
|||||||
m_freem(m);
|
m_freem(m);
|
||||||
return (pass & FR_PASS) ? 0 : -1;
|
return (pass & FR_PASS) ? 0 : -1;
|
||||||
# else
|
# else
|
||||||
if (pass & FR_DUP)
|
|
||||||
mc = dupmsg(m);
|
|
||||||
if (fr) {
|
if (fr) {
|
||||||
frdest_t *fdp = &fr->fr_tif;
|
frdest_t *fdp = &fr->fr_tif;
|
||||||
|
|
||||||
@ -777,3 +773,126 @@ int len;
|
|||||||
return len;
|
return len;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
u_short ipf_cksum(addr, len)
|
||||||
|
register u_short *addr;
|
||||||
|
register int len;
|
||||||
|
{
|
||||||
|
register u_long sum = 0;
|
||||||
|
|
||||||
|
for (sum = 0; len > 1; len -= 2)
|
||||||
|
sum += *addr++;
|
||||||
|
|
||||||
|
/* mop up an odd byte, if necessary */
|
||||||
|
if (len == 1)
|
||||||
|
sum += *(u_char *)addr;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* add back carry outs from top 16 bits to low 16 bits
|
||||||
|
*/
|
||||||
|
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
|
||||||
|
sum += (sum >> 16); /* add carry */
|
||||||
|
return (u_short)(~sum);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* NB: This function assumes we've pullup'd enough for all of the IP header
|
||||||
|
* and the TCP header. We also assume that data blocks aren't allocated in
|
||||||
|
* odd sizes.
|
||||||
|
*/
|
||||||
|
u_short fr_tcpsum(m, ip, tcp)
|
||||||
|
#if SOLARIS
|
||||||
|
mblk_t *m;
|
||||||
|
#else
|
||||||
|
struct mbuf *m;
|
||||||
|
#endif
|
||||||
|
ip_t *ip;
|
||||||
|
tcphdr_t *tcp;
|
||||||
|
{
|
||||||
|
union {
|
||||||
|
u_char c[2];
|
||||||
|
u_short s;
|
||||||
|
} bytes;
|
||||||
|
u_long sum;
|
||||||
|
u_short *sp;
|
||||||
|
int len, add, hlen, ilen;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Add up IP Header portion
|
||||||
|
*/
|
||||||
|
ilen = len = ip->ip_len - (ip->ip_hl << 2);
|
||||||
|
bytes.c[0] = 0;
|
||||||
|
bytes.c[1] = IPPROTO_TCP;
|
||||||
|
sum = bytes.s;
|
||||||
|
sum += htons((u_short)len);
|
||||||
|
sp = (u_short *)&ip->ip_src;
|
||||||
|
sum += *sp++;
|
||||||
|
sum += *sp++;
|
||||||
|
sum += *sp++;
|
||||||
|
sum += *sp++;
|
||||||
|
if (sp != (u_short *)tcp)
|
||||||
|
sp = (u_short *)tcp;
|
||||||
|
sum += *sp++;
|
||||||
|
sum += *sp++;
|
||||||
|
sum += *sp++;
|
||||||
|
sum += *sp++;
|
||||||
|
sum += *sp++;
|
||||||
|
sum += *sp++;
|
||||||
|
sum += *sp++;
|
||||||
|
sum += *sp;
|
||||||
|
sp += 2; /* Skip over checksum */
|
||||||
|
sum += *sp++;
|
||||||
|
|
||||||
|
#if SOLARIS
|
||||||
|
/*
|
||||||
|
* In case we had to copy the IP & TCP header out of mblks,
|
||||||
|
* skip over the mblk bits which are the header
|
||||||
|
*/
|
||||||
|
if ((caddr_t)ip != (caddr_t)m->b_rptr) {
|
||||||
|
hlen = (caddr_t)sp - (caddr_t)ip;
|
||||||
|
while (hlen) {
|
||||||
|
add = MIN(hlen, m->b_wptr - m->b_rptr);
|
||||||
|
sp = (u_short *)((caddr_t)m->b_rptr + add);
|
||||||
|
if ((hlen -= add))
|
||||||
|
m = m->b_cont;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if (!(len -= sizeof(*tcp)))
|
||||||
|
goto nodata;
|
||||||
|
while (len > 1) {
|
||||||
|
sum += *sp++;
|
||||||
|
len -= 2;
|
||||||
|
#if SOLARIS
|
||||||
|
if ((caddr_t)sp > (caddr_t)m->b_wptr) {
|
||||||
|
m = m->b_cont;
|
||||||
|
PANIC((!m),("fr_tcpsum: not enough data"));
|
||||||
|
sp = (u_short *)m->b_rptr;
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
# ifdef m_data
|
||||||
|
if ((caddr_t)sp > (m->m_data + m->m_len))
|
||||||
|
# else
|
||||||
|
if ((caddr_t)sp > (caddr_t)(m->m_dat + m->m_off + m->m_len))
|
||||||
|
# endif
|
||||||
|
{
|
||||||
|
m = m->m_next;
|
||||||
|
PANIC((!m),("fr_tcpsum: not enough data"));
|
||||||
|
sp = mtod(m, u_short *);
|
||||||
|
}
|
||||||
|
#endif /* SOLARIS */
|
||||||
|
}
|
||||||
|
if (len) {
|
||||||
|
bytes.c[1] = 0;
|
||||||
|
bytes.c[0] = *(u_char *)sp;
|
||||||
|
sum += bytes.s;
|
||||||
|
}
|
||||||
|
nodata:
|
||||||
|
sum = (sum >> 16) + (sum & 0xffff);
|
||||||
|
sum += (sum >> 16);
|
||||||
|
sum = (u_short)((~sum) & 0xffff);
|
||||||
|
return sum;
|
||||||
|
}
|
||||||
|
@ -30,9 +30,11 @@
|
|||||||
#include <netdb.h>
|
#include <netdb.h>
|
||||||
#include <arpa/nameser.h>
|
#include <arpa/nameser.h>
|
||||||
#include <resolv.h>
|
#include <resolv.h>
|
||||||
|
#include <netinet/tcp.h>
|
||||||
#include "ip_compat.h"
|
#include "ip_compat.h"
|
||||||
#include "ip_fil.h"
|
#include "ip_fil.h"
|
||||||
#include "ipf.h"
|
#include "ipf.h"
|
||||||
|
#include "ip_proxy.h"
|
||||||
#include "ip_nat.h"
|
#include "ip_nat.h"
|
||||||
#include "ip_frag.h"
|
#include "ip_frag.h"
|
||||||
#include "ip_state.h"
|
#include "ip_state.h"
|
||||||
@ -43,7 +45,7 @@
|
|||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
|
static char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
|
||||||
static char rcsid[] = "$Id: fils.c,v 2.0.2.7 1997/04/02 12:23:16 darrenr Exp $";
|
static char rcsid[] = "$Id: fils.c,v 2.0.2.9 1997/05/08 10:11:31 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
#ifdef _PATH_UNIX
|
#ifdef _PATH_UNIX
|
||||||
#define VMUNIX _PATH_UNIX
|
#define VMUNIX _PATH_UNIX
|
||||||
@ -95,7 +97,7 @@ char *argv[];
|
|||||||
(void)setuid(getuid());
|
(void)setuid(getuid());
|
||||||
(void)setgid(getgid());
|
(void)setgid(getgid());
|
||||||
|
|
||||||
while ((c = getopt(argc, argv, "afhIiosvd:")) != -1)
|
while ((c = getopt(argc, argv, "afhIinosvd:")) != -1)
|
||||||
{
|
{
|
||||||
switch (c)
|
switch (c)
|
||||||
{
|
{
|
||||||
@ -148,9 +150,18 @@ char *argv[];
|
|||||||
perror("ioctl(SIOCGETFS)");
|
perror("ioctl(SIOCGETFS)");
|
||||||
exit(-1);
|
exit(-1);
|
||||||
}
|
}
|
||||||
if ((opts & OPT_IPSTATES) && (ioctl(fd, SIOCGIPST, &ipsst) == -1)) {
|
if ((opts & OPT_IPSTATES)) {
|
||||||
perror("ioctl(SIOCGIPST)");
|
int sfd = open(IPL_STATE, O_RDONLY);
|
||||||
exit(-1);
|
|
||||||
|
if (sfd == -1) {
|
||||||
|
perror("open");
|
||||||
|
exit(-1);
|
||||||
|
}
|
||||||
|
if ((ioctl(sfd, SIOCGIPST, &ipsst) == -1)) {
|
||||||
|
perror("ioctl(SIOCGIPST)");
|
||||||
|
exit(-1);
|
||||||
|
}
|
||||||
|
close(sfd);
|
||||||
}
|
}
|
||||||
if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrst) == -1)) {
|
if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrst) == -1)) {
|
||||||
perror("ioctl(SIOCGFRST)");
|
perror("ioctl(SIOCGFRST)");
|
||||||
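Review bot: The new open() failure path in the OPT_IPSTATES branch reports only `perror("open")`, which does not say which device failed, whereas the neighbouring ioctl failures name their call (`ioctl(SIOCGETFS)`, `ioctl(SIOCGIPST)`); `perror(IPL_STATE);` would make the diagnostic actionable. The return value of `close(sfd)` is ignored, which is acceptable for a read-only descriptor but worth a `(void)` cast to show it is deliberate. The `n` added to the getopt string is not matched by a visible case, so whether it is handled is outside this hunk. The enclosing main() starts and ends outside the hunk.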
|
@ -55,7 +55,7 @@
|
|||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
|
static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
|
||||||
static char rcsid[] = "$Id: inet_addr.c,v 2.0.2.3 1997/03/27 13:45:00 darrenr Exp $";
|
static char rcsid[] = "$Id: inet_addr.c,v 2.0.2.4 1997/05/08 10:11:34 darrenr Exp $";
|
||||||
#endif /* LIBC_SCCS and not lint */
|
#endif /* LIBC_SCCS and not lint */
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
@ -179,7 +179,11 @@ inet_aton(cp, addr)
|
|||||||
* Ascii internet address interpretation routine.
|
* Ascii internet address interpretation routine.
|
||||||
* The value returned is in network order.
|
* The value returned is in network order.
|
||||||
*/
|
*/
|
||||||
|
#if defined(SOLARIS2) && (SOLARIS2 > 5)
|
||||||
|
u_int
|
||||||
|
#else
|
||||||
u_long
|
u_long
|
||||||
|
#endif
|
||||||
inet_addr(cp)
|
inet_addr(cp)
|
||||||
register const char *cp;
|
register const char *cp;
|
||||||
{
|
{
|
||||||
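Review bot: The return type of inet_addr() now differs between `SOLARIS2 > 5` and everything else, but the declaration callers see is not in this hunk, so nothing visible shows the two agree on every build. A one-line reason at the `#if` would help the next reader, e.g. `/* newer Solaris declares inet_addr() as returning u_int; match it to avoid a conflicting prototype */` (the exact platform declaration is inferred, not shown here). The function body continues outside the hunk.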
|
@ -1,15 +1,15 @@
|
|||||||
/*
|
/*
|
||||||
* (C)opyright 1993, 1994, 1995 by Darren Reed.
|
* (C)opyright 1993-1997 by Darren Reed.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms are permitted
|
* Redistribution and use in source and binary forms are permitted
|
||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
* to the original author and the contributors.
|
* to the original author and the contributors.
|
||||||
*
|
*
|
||||||
* @(#)ip_compat.h 1.8 1/14/96
|
* @(#)ip_compat.h 1.8 1/14/96
|
||||||
* $Id: ip_compat.h,v 2.0.2.6 1997/04/02 12:23:17 darrenr Exp $
|
* $Id: ip_compat.h,v 2.0.2.11 1997/05/04 05:29:02 darrenr Exp $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef __IP_COMPAT_H_
|
#ifndef __IP_COMPAT_H__
|
||||||
#define __IP_COMPAT_H__
|
#define __IP_COMPAT_H__
|
||||||
|
|
||||||
#ifndef __P
|
#ifndef __P
|
||||||
@ -24,6 +24,22 @@
|
|||||||
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
|
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(_KERNEL) && !defined(KERNEL)
|
||||||
|
#define KERNEL
|
||||||
|
#endif
|
||||||
|
#if defined(KERNEL) && !defined(_KERNEL)
|
||||||
|
#define _KERNEL
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(__SVR4) || defined(__svr4__)
|
||||||
|
#define index strchr
|
||||||
|
# ifndef _KERNEL
|
||||||
|
# define bzero(a,b) memset(a,0,b)
|
||||||
|
# define bcmp memcmp
|
||||||
|
# define bcopy(a,b,c) memmove(b,a,c)
|
||||||
|
# endif
|
||||||
|
#endif
|
||||||
|
|
||||||
#if SOLARIS
|
#if SOLARIS
|
||||||
# define MTYPE(m) ((m)->b_datap->db_type)
|
# define MTYPE(m) ((m)->b_datap->db_type)
|
||||||
# include <sys/ioccom.h>
|
# include <sys/ioccom.h>
|
||||||
@ -58,8 +74,10 @@
|
|||||||
#if BSD > 199306
|
#if BSD > 199306
|
||||||
# define USE_QUAD_T
|
# define USE_QUAD_T
|
||||||
# define U_QUAD_T u_quad_t
|
# define U_QUAD_T u_quad_t
|
||||||
|
# define QUAD_T quad_t
|
||||||
#else
|
#else
|
||||||
# define U_QUAD_T u_long
|
# define U_QUAD_T u_long
|
||||||
|
# define QUAD_T long
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifndef MAX
|
#ifndef MAX
|
||||||
@ -167,6 +185,7 @@ extern ill_t *get_unit __P((char *));
|
|||||||
# define UIOMOVE(a,b,c,d) uiomove(a,b,c,d)
|
# define UIOMOVE(a,b,c,d) uiomove(a,b,c,d)
|
||||||
# define SLEEP(id, n) sleep((id), PZERO+1)
|
# define SLEEP(id, n) sleep((id), PZERO+1)
|
||||||
# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
|
# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
|
||||||
|
# define KFREES(x,s) kmem_free((char *)(x), (s))
|
||||||
# if SOLARIS
|
# if SOLARIS
|
||||||
typedef struct qif {
|
typedef struct qif {
|
||||||
struct qif *qf_next;
|
struct qif *qf_next;
|
||||||
@ -219,13 +238,16 @@ extern vm_map_t kmem_map;
|
|||||||
# define KMALLOC(a,b,c) (a) = (b)kmem_alloc(kmem_map, (c))
|
# define KMALLOC(a,b,c) (a) = (b)kmem_alloc(kmem_map, (c))
|
||||||
# define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \
|
# define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \
|
||||||
sizeof(*(x)))
|
sizeof(*(x)))
|
||||||
|
# define KFREES(x,s) kmem_free(kmem_map, (vm_offset_t)(x), (s))
|
||||||
*/
|
*/
|
||||||
# ifdef M_PFIL
|
# ifdef M_PFIL
|
||||||
# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT)
|
# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT)
|
||||||
# define KFREE(x) FREE((x), M_PFIL)
|
# define KFREE(x) FREE((x), M_PFIL)
|
||||||
|
# define KFREES(x,s) FREE((x), M_PFIL)
|
||||||
# else
|
# else
|
||||||
# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT)
|
# define KMALLOC(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT)
|
||||||
# define KFREE(x) FREE((x), M_TEMP)
|
# define KFREE(x) FREE((x), M_TEMP)
|
||||||
|
# define KFREES(x,s) FREE((x), M_TEMP)
|
||||||
# endif
|
# endif
|
||||||
# define UIOMOVE(a,b,c,d) uiomove(a,b,d)
|
# define UIOMOVE(a,b,c,d) uiomove(a,b,d)
|
||||||
# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
|
# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
|
||||||
@ -238,7 +260,9 @@ extern vm_map_t kmem_map;
|
|||||||
# define SPLX(x) (void) splx(x)
|
# define SPLX(x) (void) splx(x)
|
||||||
# endif
|
# endif
|
||||||
# endif
|
# endif
|
||||||
|
# define PANIC(x,y) if (x) panic y
|
||||||
#else
|
#else
|
||||||
|
# define PANIC(x,y) ;
|
||||||
# define MUTEX_ENTER(x) ;
|
# define MUTEX_ENTER(x) ;
|
||||||
# define MUTEX_EXIT(x) ;
|
# define MUTEX_EXIT(x) ;
|
||||||
# define SPLNET(x) ;
|
# define SPLNET(x) ;
|
||||||
@ -246,6 +270,7 @@ extern vm_map_t kmem_map;
|
|||||||
# define SPLX(x) ;
|
# define SPLX(x) ;
|
||||||
# define KMALLOC(a,b,c) (a) = (b)malloc(c)
|
# define KMALLOC(a,b,c) (a) = (b)malloc(c)
|
||||||
# define KFREE(x) free(x)
|
# define KFREE(x) free(x)
|
||||||
|
# define KFREES(x,s) free(x)
|
||||||
# define GETUNIT(x) get_unit(x)
|
# define GETUNIT(x) get_unit(x)
|
||||||
# define IRCOPY(a,b,c) bcopy((a), (b), (c))
|
# define IRCOPY(a,b,c) bcopy((a), (b), (c))
|
||||||
# define IWCOPY(a,b,c) bcopy((a), (b), (c))
|
# define IWCOPY(a,b,c) bcopy((a), (b), (c))
|
||||||
@ -365,6 +390,7 @@ struct ipovly {
|
|||||||
|
|
||||||
# define KMALLOC(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC)
|
# define KMALLOC(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC)
|
||||||
# define KFREE(x) kfree_s((x), sizeof(*(x)))
|
# define KFREE(x) kfree_s((x), sizeof(*(x)))
|
||||||
|
# define KFREES(x,s) kfree_s((x), (s))
|
||||||
# define IRCOPY(a,b,c) { \
|
# define IRCOPY(a,b,c) { \
|
||||||
error = verify_area(VERIFY_READ, \
|
error = verify_area(VERIFY_READ, \
|
||||||
(b) ,sizeof((b))); \
|
(b) ,sizeof((b))); \
|
||||||
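Review bot: The new kernel-side `# define PANIC(x,y) if (x) panic y` expands to an unbraced if, so a caller of the form `if (c) PANIC(...); else ...` has its else captured by the macro; `# define PANIC(x,y) do { if (x) panic y; } while (0)` avoids that. The user-land counterpart `# define PANIC(x,y) ;` silently discards the condition, so any pointer check expressed through PANIC is no check at all outside the kernel — fr_tcpsum's `PANIC((!m),("fr_tcpsum: not enough data"))` is immediately followed by a dereference of m in the fil.c hunk, which in a non-kernel build would then fault rather than report. The include-guard fix (`__IP_COMPAT_H_` tested but `__IP_COMPAT_H__` defined, so the header was never guarded) is correct; note only that double-underscore names are reserved for the implementation, so a guard such as `IP_COMPAT_H` would be the conventional spelling.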
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
* (C)opyright 1993-1997 by Darren Reed.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms are permitted
|
* Redistribution and use in source and binary forms are permitted
|
||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
@ -7,7 +7,7 @@
|
|||||||
*/
|
*/
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
|
static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
|
||||||
static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $";
|
static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.12 1997/05/24 07:39:56 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifndef SOLARIS
|
#ifndef SOLARIS
|
||||||
@ -15,7 +15,14 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef __FreeBSD__
|
#ifdef __FreeBSD__
|
||||||
#include <osreldate.h>
|
# if defined(KERNEL) && !defined(_KERNEL)
|
||||||
|
# define _KERNEL
|
||||||
|
# endif
|
||||||
|
# if defined(_KERNEL) && !defined(IPFILTER_LKM)
|
||||||
|
# include <sys/osreldate.h>
|
||||||
|
# else
|
||||||
|
# include <osreldate.h>
|
||||||
|
# endif
|
||||||
#endif
|
#endif
|
||||||
#ifndef _KERNEL
|
#ifndef _KERNEL
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
@ -25,7 +32,12 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
|
|||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/file.h>
|
#include <sys/file.h>
|
||||||
#include <sys/ioctl.h>
|
#if __FreeBSD_version >= 220000 && defined(_KERNEL)
|
||||||
|
# include <sys/fcntl.h>
|
||||||
|
# include <sys/filio.h>
|
||||||
|
#else
|
||||||
|
# include <sys/ioctl.h>
|
||||||
|
#endif
|
||||||
#include <sys/time.h>
|
#include <sys/time.h>
|
||||||
#ifdef _KERNEL
|
#ifdef _KERNEL
|
||||||
#include <sys/systm.h>
|
#include <sys/systm.h>
|
||||||
@ -35,9 +47,6 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
|
|||||||
#include <sys/dir.h>
|
#include <sys/dir.h>
|
||||||
#include <sys/mbuf.h>
|
#include <sys/mbuf.h>
|
||||||
#else
|
#else
|
||||||
#define bcmp memcmp
|
|
||||||
#define bzero(a,b) memset(a,0,b)
|
|
||||||
#define bcopy(a,b,c) memcpy(b,a,c)
|
|
||||||
#include <sys/filio.h>
|
#include <sys/filio.h>
|
||||||
#endif
|
#endif
|
||||||
#include <sys/protosw.h>
|
#include <sys/protosw.h>
|
||||||
@ -47,6 +56,9 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
|
|||||||
#ifdef sun
|
#ifdef sun
|
||||||
#include <net/af.h>
|
#include <net/af.h>
|
||||||
#endif
|
#endif
|
||||||
|
#if __FreeBSD_version >= 300000
|
||||||
|
# include <net/if_var.h>
|
||||||
|
#endif
|
||||||
#include <net/route.h>
|
#include <net/route.h>
|
||||||
#include <netinet/in.h>
|
#include <netinet/in.h>
|
||||||
#include <netinet/in_var.h>
|
#include <netinet/in_var.h>
|
||||||
@ -57,17 +69,23 @@ static char rcsid[] = "$Id: ip_fil.c,v 2.0.2.6 1997/04/02 12:23:19 darrenr Exp $
|
|||||||
#include <netinet/udp.h>
|
#include <netinet/udp.h>
|
||||||
#include <netinet/tcpip.h>
|
#include <netinet/tcpip.h>
|
||||||
#include <netinet/ip_icmp.h>
|
#include <netinet/ip_icmp.h>
|
||||||
#include <syslog.h>
|
#ifndef _KERNEL
|
||||||
#include "ip_compat.h"
|
# include <syslog.h>
|
||||||
#include "ip_fil.h"
|
#endif
|
||||||
#include "ip_frag.h"
|
#include "netinet/ip_compat.h"
|
||||||
#include "ip_nat.h"
|
#include "netinet/ip_fil.h"
|
||||||
#include "ip_state.h"
|
#include "netinet/ip_proxy.h"
|
||||||
|
#include "netinet/ip_nat.h"
|
||||||
|
#include "netinet/ip_frag.h"
|
||||||
|
#include "netinet/ip_state.h"
|
||||||
#ifndef MIN
|
#ifndef MIN
|
||||||
#define MIN(a,b) (((a)<(b))?(a):(b))
|
#define MIN(a,b) (((a)<(b))?(a):(b))
|
||||||
#endif
|
#endif
|
||||||
|
#if !SOLARIS && defined(_KERNEL)
|
||||||
|
extern int ip_optcopy __P((struct ip *, struct ip *));
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
extern fr_flags, fr_active;
|
|
||||||
extern struct protosw inetsw[];
|
extern struct protosw inetsw[];
|
||||||
#if BSD < 199306
|
#if BSD < 199306
|
||||||
static int (*fr_saveslowtimo) __P((void));
|
static int (*fr_saveslowtimo) __P((void));
|
||||||
@ -139,6 +157,7 @@ char *s;
|
|||||||
|
|
||||||
int iplattach()
|
int iplattach()
|
||||||
{
|
{
|
||||||
|
char *defpass;
|
||||||
int s, i;
|
int s, i;
|
||||||
|
|
||||||
SPLNET(s);
|
SPLNET(s);
|
||||||
@ -157,11 +176,21 @@ int iplattach()
|
|||||||
/*
|
/*
|
||||||
* Set log buffer pointers for each of the log buffers
|
* Set log buffer pointers for each of the log buffers
|
||||||
*/
|
*/
|
||||||
|
#ifdef IPFILTER_LOG
|
||||||
for (i = 0; i <= 2; i++) {
|
for (i = 0; i <= 2; i++) {
|
||||||
iplh[i] = iplbuf[i];
|
iplh[i] = iplbuf[i];
|
||||||
iplt[i] = iplbuf[i];
|
iplt[i] = iplbuf[i];
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
SPLX(s);
|
SPLX(s);
|
||||||
|
if (fr_pass & FR_PASS)
|
||||||
|
defpass = "pass";
|
||||||
|
else if (fr_pass & FR_BLOCK)
|
||||||
|
defpass = "block";
|
||||||
|
else
|
||||||
|
defpass = "no-match -> block";
|
||||||
|
|
||||||
|
printf("IP Filter: initialized. Default = %s all\n", defpass);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -258,7 +287,8 @@ caddr_t data;
|
|||||||
* Filter ioctl interface.
|
* Filter ioctl interface.
|
||||||
*/
|
*/
|
||||||
int iplioctl(dev, cmd, data, mode
|
int iplioctl(dev, cmd, data, mode
|
||||||
#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL)
|
#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
|
||||||
|
(__FreeBSD_version >= 220000)) && defined(_KERNEL)
|
||||||
, p)
|
, p)
|
||||||
struct proc *p;
|
struct proc *p;
|
||||||
#else
|
#else
|
||||||
@ -278,10 +308,21 @@ int mode;
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
SPLNET(s);
|
SPLNET(s);
|
||||||
|
|
||||||
|
if (unit == IPL_LOGNAT) {
|
||||||
|
error = nat_ioctl(data, cmd, mode);
|
||||||
|
SPLX(s);
|
||||||
|
return error;
|
||||||
|
}
|
||||||
|
if (unit == IPL_LOGSTATE) {
|
||||||
|
error = fr_state_ioctl(data, cmd, mode);
|
||||||
|
SPLX(s);
|
||||||
|
return error;
|
||||||
|
}
|
||||||
switch (cmd) {
|
switch (cmd) {
|
||||||
case FIONREAD :
|
case FIONREAD :
|
||||||
#ifdef IPFILTER_LOG
|
#ifdef IPFILTER_LOG
|
||||||
*(int *)data = iplused[unit];
|
*(int *)data = iplused[IPL_LOGIPF];
|
||||||
#endif
|
#endif
|
||||||
break;
|
break;
|
||||||
#if !defined(IPFILTER_LKM) && defined(_KERNEL)
|
#if !defined(IPFILTER_LKM) && defined(_KERNEL)
|
||||||
@ -373,24 +414,13 @@ int mode;
|
|||||||
else {
|
else {
|
||||||
*(int *)data = iplused[unit];
|
*(int *)data = iplused[unit];
|
||||||
iplh[unit] = iplt[unit] = iplbuf[unit];
|
iplh[unit] = iplt[unit] = iplbuf[unit];
|
||||||
iplused[unit] = 0;
|
iplused[unix] = 0;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
#endif /* IPFILTER_LOG */
|
#endif /* IPFILTER_LOG */
|
||||||
case SIOCADNAT :
|
|
||||||
case SIOCRMNAT :
|
|
||||||
case SIOCGNATS :
|
|
||||||
case SIOCGNATL :
|
|
||||||
case SIOCFLNAT :
|
|
||||||
case SIOCCNATL :
|
|
||||||
error = nat_ioctl(data, cmd, mode);
|
|
||||||
break;
|
|
||||||
case SIOCGFRST :
|
case SIOCGFRST :
|
||||||
IWCOPY((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t));
|
IWCOPY((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t));
|
||||||
break;
|
break;
|
||||||
case SIOCGIPST :
|
|
||||||
IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t));
|
|
||||||
break;
|
|
||||||
default :
|
default :
|
||||||
error = EINVAL;
|
error = EINVAL;
|
||||||
break;
|
break;
|
||||||
@ -508,7 +538,8 @@ caddr_t data;
|
|||||||
* routines below for saving IP headers to buffer
|
* routines below for saving IP headers to buffer
|
||||||
*/
|
*/
|
||||||
int iplopen(dev, flags
|
int iplopen(dev, flags
|
||||||
#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL)
|
#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
|
||||||
|
(__FreeBSD_version >= 220000)) && defined(_KERNEL)
|
||||||
, devtype, p)
|
, devtype, p)
|
||||||
int devtype;
|
int devtype;
|
||||||
struct proc *p;
|
struct proc *p;
|
||||||
@ -529,7 +560,8 @@ int flags;
|
|||||||
|
|
||||||
|
|
||||||
int iplclose(dev, flags
|
int iplclose(dev, flags
|
||||||
#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506)) && defined(_KERNEL)
|
#if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
|
||||||
|
(__FreeBSD_version >= 220000)) && defined(_KERNEL)
|
||||||
, devtype, p)
|
, devtype, p)
|
||||||
int devtype;
|
int devtype;
|
||||||
struct proc *p;
|
struct proc *p;
|
||||||
@ -699,6 +731,9 @@ struct tcpiphdr *ti;
|
|||||||
struct tcphdr *tcp;
|
struct tcphdr *tcp;
|
||||||
struct mbuf *m;
|
struct mbuf *m;
|
||||||
int tlen = 0;
|
int tlen = 0;
|
||||||
|
#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
|
||||||
|
struct route ro;
|
||||||
|
#endif
|
||||||
|
|
||||||
if (ti->ti_flags & TH_RST)
|
if (ti->ti_flags & TH_RST)
|
||||||
return -1; /* feedback loop */
|
return -1; /* feedback loop */
|
||||||
@ -710,6 +745,8 @@ struct tcpiphdr *ti;
|
|||||||
# endif
|
# endif
|
||||||
if (m == NULL)
|
if (m == NULL)
|
||||||
return -1;
|
return -1;
|
||||||
|
#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
|
||||||
|
#endif
|
||||||
|
|
||||||
if (ti->ti_flags & TH_SYN)
|
if (ti->ti_flags & TH_SYN)
|
||||||
tlen = 1;
|
tlen = 1;
|
||||||
@ -743,18 +780,29 @@ struct tcpiphdr *ti;
|
|||||||
ip->ip_ttl = ip_defttl;
|
ip->ip_ttl = ip_defttl;
|
||||||
# endif
|
# endif
|
||||||
|
|
||||||
|
#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
|
||||||
|
bzero((char *)&ro, sizeof(ro));
|
||||||
|
(void) ip_output(m, (struct mbuf *)0, &ro, 0, 0);
|
||||||
|
if (ro.ro_rt)
|
||||||
|
RTFREE(ro.ro_rt);
|
||||||
|
#else
|
||||||
/*
|
/*
|
||||||
* extra 0 in case of multicast
|
* extra 0 in case of multicast
|
||||||
*/
|
*/
|
||||||
(void) ip_output(m, (struct mbuf *)0, 0, 0, 0);
|
(void) ip_output(m, (struct mbuf *)0, 0, 0, 0);
|
||||||
|
#endif
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# ifndef IPFILTER_LKM
|
# if !defined(IPFILTER_LKM) && !(__FreeBSD_version >= 300000)
|
||||||
# if BSD < 199306
|
# if BSD < 199306
|
||||||
|
int iplinit __P((void));
|
||||||
|
|
||||||
int
|
int
|
||||||
# else
|
# else
|
||||||
|
void iplinit __P((void));
|
||||||
|
|
||||||
void
|
void
|
||||||
# endif
|
# endif
|
||||||
iplinit()
|
iplinit()
|
||||||
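Review bot: `iplused[unix] = 0;` in the IPFILTER_LOG buffer-reset branch replaces the old `iplused[unit] = 0;` — `unix` is not a variable in this scope, and on toolchains that predefine `unix` as a macro the line typically compiles as `iplused[1] = 0`, so the byte count of the unit just reset is left stale while another unit's count is cleared; it should read `iplused[unit] = 0;`. The pair `#if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)` / `#endif` inserted after `return -1;` in send_reset encloses nothing and can be removed. The early `return error` for IPL_LOGNAT and IPL_LOGSTATE in iplioctl means those units never reach the `switch (cmd)` (including FIONREAD); if that is intended, a comment saying so above the dispatch would help. iplioctl and send_reset both start and end outside their hunks.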
|
@ -1,12 +1,12 @@
|
|||||||
/*
|
/*
|
||||||
* (C)opyright 1993-1996 by Darren Reed.
|
* (C)opyright 1993-1997 by Darren Reed.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms are permitted
|
* Redistribution and use in source and binary forms are permitted
|
||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
* to the original author and the contributors.
|
* to the original author and the contributors.
|
||||||
*
|
*
|
||||||
* @(#)ip_fil.h 1.35 6/5/96
|
* @(#)ip_fil.h 1.35 6/5/96
|
||||||
* $Id: ip_fil.h,v 2.0.2.9 1997/04/02 12:23:20 darrenr Exp $
|
* $Id: ip_fil.h,v 2.0.2.13 1997/05/24 07:41:55 darrenr Exp $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef __IP_FIL_H__
|
#ifndef __IP_FIL_H__
|
||||||
@ -97,6 +97,7 @@ typedef struct fr_info {
|
|||||||
u_short fin_dlen;
|
u_short fin_dlen;
|
||||||
char *fin_dp; /* start of data past IP header */
|
char *fin_dp; /* start of data past IP header */
|
||||||
struct frentry *fin_fr;
|
struct frentry *fin_fr;
|
||||||
|
void *fin_mp;
|
||||||
} fr_info_t;
|
} fr_info_t;
|
||||||
|
|
||||||
#define FI_CSIZE (sizeof(struct fr_ip) + 11)
|
#define FI_CSIZE (sizeof(struct fr_ip) + 11)
|
||||||
@ -179,16 +180,18 @@ typedef struct frentry {
|
|||||||
#define FR_CALLNOW 0x10000 /* call another function (fr_func) if matches */
|
#define FR_CALLNOW 0x10000 /* call another function (fr_func) if matches */
|
||||||
#define FR_DUP 0x20000 /* duplicate packet */
|
#define FR_DUP 0x20000 /* duplicate packet */
|
||||||
#define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
|
#define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
|
||||||
|
#define FR_NOTSRCIP 0x80000 /* not the src IP# */
|
||||||
|
#define FR_NOTDSTIP 0x100000 /* not the dst IP# */
|
||||||
|
|
||||||
#define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB)
|
#define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB)
|
||||||
/*
|
/*
|
||||||
* recognized flags for SIOCGETFF and SIOCSETFF
|
* recognized flags for SIOCGETFF and SIOCSETFF
|
||||||
*/
|
*/
|
||||||
#define FF_LOGPASS 0x100000
|
#define FF_LOGPASS 0x10000000
|
||||||
#define FF_LOGBLOCK 0x200000
|
#define FF_LOGBLOCK 0x20000000
|
||||||
#define FF_LOGNOMATCH 0x400000
|
#define FF_LOGNOMATCH 0x40000000
|
||||||
#define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
|
#define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
|
||||||
#define FF_BLOCKNONIP 0x800000 /* Solaris2 Only */
|
#define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */
|
||||||
|
|
||||||
#define FR_NONE 0
|
#define FR_NONE 0
|
||||||
#define FR_EQUAL 1
|
#define FR_EQUAL 1
|
||||||
@ -257,9 +260,9 @@ typedef struct ipl_ci {
|
|||||||
u_long flags;
|
u_long flags;
|
||||||
u_char ifname[IFNAMSIZ]; /* = 32 bytes */
|
u_char ifname[IFNAMSIZ]; /* = 32 bytes */
|
||||||
#else
|
#else
|
||||||
u_long flags:24;
|
u_long flags;
|
||||||
u_long unit:8;
|
u_int unit;
|
||||||
u_char ifname[4]; /* = 20 bytes */
|
u_char ifname[4]; /* = 24 bytes */
|
||||||
#endif
|
#endif
|
||||||
} ipl_ci_t;
|
} ipl_ci_t;
|
||||||
|
|
||||||
@ -268,6 +271,13 @@ typedef struct ipl_ci {
|
|||||||
#define ICMP_UNREACH_FILTER 13
|
#define ICMP_UNREACH_FILTER 13
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifndef IPF_LOGGING
|
||||||
|
#define IPF_LOGGING 0
|
||||||
|
#endif
|
||||||
|
#ifndef IPF_DEFAULT_PASS
|
||||||
|
#define IPF_DEFAULT_PASS 0
|
||||||
|
#endif
|
||||||
|
|
||||||
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
|
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
|
||||||
#define IPLLOGSIZE 8192
|
#define IPLLOGSIZE 8192
|
||||||
|
|
||||||
@ -301,7 +311,12 @@ extern int send_reset __P((struct ip *, struct ifnet *));
|
|||||||
extern int icmp_error __P((struct ip *, struct ifnet *));
|
extern int icmp_error __P((struct ip *, struct ifnet *));
|
||||||
extern void ipllog __P((void));
|
extern void ipllog __P((void));
|
||||||
extern void ipfr_fastroute __P((struct ip *, fr_info_t *, frdest_t *));
|
extern void ipfr_fastroute __P((struct ip *, fr_info_t *, frdest_t *));
|
||||||
#else
|
extern int iplioctl __P((dev_t, int, caddr_t, int));
|
||||||
|
extern int iplopen __P((dev_t, int));
|
||||||
|
extern int iplclose __P((dev_t, int));
|
||||||
|
#else /* #ifndef _KERNEL */
|
||||||
|
extern int iplattach __P((void));
|
||||||
|
extern int ipldetach __P((void));
|
||||||
# if SOLARIS
|
# if SOLARIS
|
||||||
extern int fr_check __P((struct ip *, int, struct ifnet *, int, qif_t *,
|
extern int fr_check __P((struct ip *, int, struct ifnet *, int, qif_t *,
|
||||||
queue_t *, mblk_t **));
|
queue_t *, mblk_t **));
|
||||||
@ -309,33 +324,6 @@ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *,
|
|||||||
int, qif_t *, queue_t *, mblk_t *));
|
int, qif_t *, queue_t *, mblk_t *));
|
||||||
extern int icmp_error __P((queue_t *, ip_t *, int, int, qif_t *,
|
extern int icmp_error __P((queue_t *, ip_t *, int, int, qif_t *,
|
||||||
struct in_addr));
|
struct in_addr));
|
||||||
# else
|
|
||||||
extern int fr_check __P((struct ip *, int, struct ifnet *, int,
|
|
||||||
struct mbuf **));
|
|
||||||
extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
|
|
||||||
struct mbuf **));
|
|
||||||
extern int send_reset __P((struct tcpiphdr *));
|
|
||||||
extern int ipllog __P((u_int, int, struct ip *, fr_info_t *, struct mbuf *));
|
|
||||||
extern void ipfr_fastroute __P((struct mbuf *, fr_info_t *, frdest_t *));
|
|
||||||
# endif
|
|
||||||
#endif
|
|
||||||
extern int fr_copytolog __P((int, char *, int));
|
|
||||||
extern int ipl_unreach;
|
|
||||||
extern fr_info_t frcache[];
|
|
||||||
extern char *iplh[3], *iplt[3];
|
|
||||||
extern char iplbuf[3][IPLLOGSIZE];
|
|
||||||
extern int iplused[3];
|
|
||||||
extern struct frentry *ipfilter[2][2], *ipacct[2][2];
|
|
||||||
extern struct filterstats frstats[];
|
|
||||||
|
|
||||||
#ifndef _KERNEL
|
|
||||||
extern int iplioctl __P((dev_t, int, caddr_t, int));
|
|
||||||
extern int iplopen __P((dev_t, int));
|
|
||||||
extern int iplclose __P((dev_t, int));
|
|
||||||
#else
|
|
||||||
extern int iplattach __P((void));
|
|
||||||
extern int ipldetach __P((void));
|
|
||||||
# if SOLARIS
|
|
||||||
extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *));
|
extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *));
|
||||||
extern int iplopen __P((dev_t *, int, int, cred_t *));
|
extern int iplopen __P((dev_t *, int, int, cred_t *));
|
||||||
extern int iplclose __P((dev_t, int, int, cred_t *));
|
extern int iplclose __P((dev_t, int, int, cred_t *));
|
||||||
@ -343,11 +331,21 @@ extern int ipfsync __P((void));
|
|||||||
# ifdef IPFILTER_LOG
|
# ifdef IPFILTER_LOG
|
||||||
extern int iplread __P((dev_t, struct uio *, cred_t *));
|
extern int iplread __P((dev_t, struct uio *, cred_t *));
|
||||||
# endif
|
# endif
|
||||||
# else
|
extern u_short fr_tcpsum __P((mblk_t *, ip_t *, tcphdr_t *));
|
||||||
|
# else /* SOLARIS */
|
||||||
|
extern int fr_check __P((struct ip *, int, struct ifnet *, int,
|
||||||
|
struct mbuf **));
|
||||||
|
extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
|
||||||
|
struct mbuf **));
|
||||||
|
extern int send_reset __P((struct tcpiphdr *));
|
||||||
|
extern int ipllog __P((u_int, int, struct ip *, fr_info_t *, struct mbuf *));
|
||||||
|
extern void ipfr_fastroute __P((struct mbuf *, fr_info_t *, frdest_t *));
|
||||||
# ifdef IPFILTER_LKM
|
# ifdef IPFILTER_LKM
|
||||||
extern int iplidentify __P((char *));
|
extern int iplidentify __P((char *));
|
||||||
# endif
|
# endif
|
||||||
# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 199612)
|
extern u_short fr_tcpsum __P((struct mbuf *, ip_t *, tcphdr_t *));
|
||||||
|
# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
|
||||||
|
(NetBSD >= 199511)
|
||||||
extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
|
extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
|
||||||
extern int iplopen __P((dev_t, int, int, struct proc *));
|
extern int iplopen __P((dev_t, int, int, struct proc *));
|
||||||
extern int iplclose __P((dev_t, int, int, struct proc *));
|
extern int iplclose __P((dev_t, int, int, struct proc *));
|
||||||
@ -366,5 +364,18 @@ extern int iplread __P((dev_t, struct uio *));
|
|||||||
# define iplread noread
|
# define iplread noread
|
||||||
# endif /* IPFILTER_LOG */
|
# endif /* IPFILTER_LOG */
|
||||||
# endif /* SOLARIS */
|
# endif /* SOLARIS */
|
||||||
#endif /* _KERNEL */
|
#endif /* #ifndef _KERNEL */
|
||||||
|
extern u_short ipf_cksum __P((u_short *, int));
|
||||||
|
extern int fr_copytolog __P((int, char *, int));
|
||||||
|
extern int ipl_unreach;
|
||||||
|
extern int ipl_inited;
|
||||||
|
extern int fr_pass;
|
||||||
|
extern int fr_flags;
|
||||||
|
extern int fr_active;
|
||||||
|
extern fr_info_t frcache[];
|
||||||
|
extern char *iplh[3], *iplt[3];
|
||||||
|
extern char iplbuf[3][IPLLOGSIZE];
|
||||||
|
extern int iplused[3];
|
||||||
|
extern struct frentry *ipfilter[2][2], *ipacct[2][2];
|
||||||
|
extern struct filterstats frstats[];
|
||||||
#endif /* __IP_FIL_H__ */
|
#endif /* __IP_FIL_H__ */
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
*/
|
*/
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
|
static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
|
||||||
static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.5 1997/04/02 12:23:21 darrenr Exp $";
|
static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.10 1997/05/24 07:36:23 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if !defined(_KERNEL) && !defined(KERNEL)
|
#if !defined(_KERNEL) && !defined(KERNEL)
|
||||||
@ -19,8 +19,7 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.5 1997/04/02 12:23:21 darrenr Exp
|
|||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/time.h>
|
#include <sys/time.h>
|
||||||
#include <sys/file.h>
|
#include <sys/file.h>
|
||||||
#if defined(__FreeBSD__) && (__FreeBSD__ >= 3)
|
#if defined(KERNEL) && (__FreeBSD_version >= 220000)
|
||||||
#include <sys/ioccom.h>
|
|
||||||
#include <sys/filio.h>
|
#include <sys/filio.h>
|
||||||
#include <sys/fcntl.h>
|
#include <sys/fcntl.h>
|
||||||
#else
|
#else
|
||||||
@ -54,39 +53,36 @@ static char rcsid[] = "$Id: ip_frag.c,v 2.0.2.5 1997/04/02 12:23:21 darrenr Exp
|
|||||||
#include <netinet/udp.h>
|
#include <netinet/udp.h>
|
||||||
#include <netinet/tcpip.h>
|
#include <netinet/tcpip.h>
|
||||||
#include <netinet/ip_icmp.h>
|
#include <netinet/ip_icmp.h>
|
||||||
#include "ip_compat.h"
|
#include "netinet/ip_compat.h"
|
||||||
#include "ip_fil.h"
|
#include "netinet/ip_fil.h"
|
||||||
#include "ip_frag.h"
|
#include "netinet/ip_proxy.h"
|
||||||
#include "ip_nat.h"
|
#include "netinet/ip_nat.h"
|
||||||
#include "ip_state.h"
|
#include "netinet/ip_frag.h"
|
||||||
|
#include "netinet/ip_state.h"
|
||||||
|
|
||||||
ipfr_t *ipfr_heads[IPFT_SIZE];
|
ipfr_t *ipfr_heads[IPFT_SIZE];
|
||||||
|
ipfr_t *ipfr_nattab[IPFT_SIZE];
|
||||||
ipfrstat_t ipfr_stats;
|
ipfrstat_t ipfr_stats;
|
||||||
u_long ipfr_inuse = 0,
|
u_long ipfr_inuse = 0,
|
||||||
fr_ipfrttl = 120; /* 60 seconds */
|
fr_ipfrttl = 120; /* 60 seconds */
|
||||||
#ifdef _KERNEL
|
#ifdef _KERNEL
|
||||||
extern int ipfr_timer_id;
|
extern int ipfr_timer_id;
|
||||||
#endif
|
#endif
|
||||||
#if SOLARIS
|
#if SOLARIS && defined(_KERNEL)
|
||||||
# ifdef _KERNEL
|
|
||||||
extern kmutex_t ipf_frag;
|
extern kmutex_t ipf_frag;
|
||||||
# else
|
extern kmutex_t ipf_natfrag;
|
||||||
#define bcmp(a,b,c) memcmp(a,b,c)
|
extern kmutex_t ipf_nat;
|
||||||
#define bcopy(a,b,c) memmove(b,a,c)
|
|
||||||
# endif
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef __FreeBSD__
|
|
||||||
# if BSD < 199306
|
static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, int, ipfr_t **));
|
||||||
int ipfr_slowtimer __P((void));
|
static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **));
|
||||||
# else
|
|
||||||
void ipfr_slowtimer __P((void));
|
|
||||||
# endif
|
|
||||||
#endif /* __FreeBSD__ */
|
|
||||||
|
|
||||||
ipfrstat_t *ipfr_fragstats()
|
ipfrstat_t *ipfr_fragstats()
|
||||||
{
|
{
|
||||||
ipfr_stats.ifs_table = ipfr_heads;
|
ipfr_stats.ifs_table = ipfr_heads;
|
||||||
|
ipfr_stats.ifs_nattab = ipfr_nattab;
|
||||||
ipfr_stats.ifs_inuse = ipfr_inuse;
|
ipfr_stats.ifs_inuse = ipfr_inuse;
|
||||||
return &ipfr_stats;
|
return &ipfr_stats;
|
||||||
}
|
}
|
||||||
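Review bot: The three mutex externs added under `SOLARIS && defined(_KERNEL)` say nothing about which mutex guards which table or the order in which ipfr_unload and ipfr_slowtimer later take them (ipf_frag on its own, then ipf_nat before ipf_natfrag), so a reader of this file has to reconstruct that from the comment buried in the timer. A comment on the declarations, `/* ipf_frag guards ipfr_heads; ipf_natfrag guards ipfr_nattab and is taken after ipf_nat when both are held */`, would record the invariant where it is declared. The new `static` prototypes for ipfr_new and ipfr_lookup could likewise note that the caller holds the mutex of the table passed in.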
@ -96,10 +92,11 @@ ipfrstat_t *ipfr_fragstats()
|
|||||||
* add a new entry to the fragment cache, registering it as having come
|
* add a new entry to the fragment cache, registering it as having come
|
||||||
* through this box, with the result of the filter operation.
|
* through this box, with the result of the filter operation.
|
||||||
*/
|
*/
|
||||||
int ipfr_newfrag(ip, fin, pass)
|
static ipfr_t *ipfr_new(ip, fin, pass, table)
|
||||||
ip_t *ip;
|
ip_t *ip;
|
||||||
fr_info_t *fin;
|
fr_info_t *fin;
|
||||||
int pass;
|
int pass;
|
||||||
|
ipfr_t *table[];
|
||||||
{
|
{
|
||||||
ipfr_t **fp, *fr, frag;
|
ipfr_t **fp, *fr, frag;
|
||||||
u_int idx;
|
u_int idx;
|
||||||
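Review bot: ipfr_new (and ipfr_lookup in the hunk at -153,9) now take the table to operate on and do no locking themselves, but the block comment above still reads as for the old self-locking entry point; nothing tells a reader that the caller must hold the mutex guarding `table`. I would extend the comment with `Caller must hold the mutex guarding "table" (ipf_frag for ipfr_heads, ipf_natfrag for ipfr_nattab). Returns NULL if the entry already exists or no memory is available.` and add the matching sentence above ipfr_lookup. ipfr_new's body continues past this hunk.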
@ -119,33 +116,77 @@ int pass;
|
|||||||
/*
|
/*
|
||||||
* first, make sure it isn't already there...
|
* first, make sure it isn't already there...
|
||||||
*/
|
*/
|
||||||
MUTEX_ENTER(&ipf_frag);
|
for (fp = &table[idx]; (fr = *fp); fp = &fr->ipfr_next)
|
||||||
for (fp = &ipfr_heads[idx]; (fr = *fp); fp = &fr->ipfr_next)
|
|
||||||
if (!bcmp((char *)&frag.ipfr_src, (char *)&fr->ipfr_src,
|
if (!bcmp((char *)&frag.ipfr_src, (char *)&fr->ipfr_src,
|
||||||
IPFR_CMPSZ)) {
|
IPFR_CMPSZ)) {
|
||||||
ipfr_stats.ifs_exists++;
|
ipfr_stats.ifs_exists++;
|
||||||
MUTEX_EXIT(&ipf_frag);
|
MUTEX_EXIT(&ipf_frag);
|
||||||
return -1;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* allocate some memory, if possible, if not, just record that we
|
||||||
|
* failed to do so.
|
||||||
|
*/
|
||||||
KMALLOC(fr, ipfr_t *, sizeof(*fr));
|
KMALLOC(fr, ipfr_t *, sizeof(*fr));
|
||||||
if (fr == NULL) {
|
if (fr == NULL) {
|
||||||
ipfr_stats.ifs_nomem++;
|
ipfr_stats.ifs_nomem++;
|
||||||
MUTEX_EXIT(&ipf_frag);
|
MUTEX_EXIT(&ipf_frag);
|
||||||
return -1;
|
return NULL;
|
||||||
}
|
}
|
||||||
if ((fr->ipfr_next = ipfr_heads[idx]))
|
|
||||||
ipfr_heads[idx]->ipfr_prev = fr;
|
/*
|
||||||
|
* Instert the fragment into the fragment table, copy the struct used
|
||||||
|
* in the search using bcopy rather than reassign each field.
|
||||||
|
* Set the ttl to the default and mask out logging from "pass"
|
||||||
|
*/
|
||||||
|
if ((fr->ipfr_next = table[idx]))
|
||||||
|
table[idx]->ipfr_prev = fr;
|
||||||
fr->ipfr_prev = NULL;
|
fr->ipfr_prev = NULL;
|
||||||
ipfr_heads[idx] = fr;
|
fr->ipfr_data = NULL;
|
||||||
|
table[idx] = fr;
|
||||||
bcopy((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, IPFR_CMPSZ);
|
bcopy((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, IPFR_CMPSZ);
|
||||||
fr->ipfr_ttl = fr_ipfrttl;
|
fr->ipfr_ttl = fr_ipfrttl;
|
||||||
fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG);
|
fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG);
|
||||||
|
/*
|
||||||
|
* Compute the offset of the expected start of the next packet.
|
||||||
|
*/
|
||||||
fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3);
|
fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3);
|
||||||
ipfr_stats.ifs_new++;
|
ipfr_stats.ifs_new++;
|
||||||
ipfr_inuse++;
|
ipfr_inuse++;
|
||||||
|
return fr;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int ipfr_newfrag(ip, fin, pass)
|
||||||
|
ip_t *ip;
|
||||||
|
fr_info_t *fin;
|
||||||
|
int pass;
|
||||||
|
{
|
||||||
|
ipfr_t *ipf;
|
||||||
|
|
||||||
|
MUTEX_ENTER(&ipf_frag);
|
||||||
|
ipf = ipfr_new(ip, fin, pass, ipfr_heads);
|
||||||
MUTEX_EXIT(&ipf_frag);
|
MUTEX_EXIT(&ipf_frag);
|
||||||
return 0;
|
return ipf ? 0 : -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int ipfr_nat_newfrag(ip, fin, pass, nat)
|
||||||
|
ip_t *ip;
|
||||||
|
fr_info_t *fin;
|
||||||
|
int pass;
|
||||||
|
nat_t *nat;
|
||||||
|
{
|
||||||
|
ipfr_t *ipf;
|
||||||
|
|
||||||
|
MUTEX_ENTER(&ipf_natfrag);
|
||||||
|
if ((ipf = ipfr_new(ip, fin, pass, ipfr_nattab))) {
|
||||||
|
ipf->ipfr_data = nat;
|
||||||
|
nat->nat_frag = ipf;
|
||||||
|
}
|
||||||
|
MUTEX_EXIT(&ipf_natfrag);
|
||||||
|
return ipf ? 0 : -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
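Review bot: ipfr_new still calls `MUTEX_EXIT(&ipf_frag)` on both early-return paths (entry already present, KMALLOC failure) although locking has moved to its callers: ipfr_newfrag enters and exits ipf_frag around the call, and ipfr_nat_newfrag holds ipf_natfrag, not ipf_frag. On the ipfr_newfrag path that is a double release, and on the ipfr_nat_newfrag path it releases a mutex the caller never took; where MUTEX_* are real locks this corrupts lock state, where they are no-ops it merely hides the mistake. Both `MUTEX_EXIT(&ipf_frag);` lines inside ipfr_new should be deleted so the function is lock-neutral as the new callers assume. The new comment's `Instert` should read `Insert`.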
@ -153,9 +194,10 @@ int pass;
|
|||||||
* check the fragment cache to see if there is already a record of this packet
|
* check the fragment cache to see if there is already a record of this packet
|
||||||
* with its filter result known.
|
* with its filter result known.
|
||||||
*/
|
*/
|
||||||
int ipfr_knownfrag(ip, fin)
|
static ipfr_t *ipfr_lookup(ip, fin, table)
|
||||||
ip_t *ip;
|
ip_t *ip;
|
||||||
fr_info_t *fin;
|
fr_info_t *fin;
|
||||||
|
ipfr_t *table[];
|
||||||
{
|
{
|
||||||
ipfr_t *f, frag;
|
ipfr_t *f, frag;
|
||||||
u_int idx;
|
u_int idx;
|
||||||
@ -164,6 +206,8 @@ fr_info_t *fin;
|
|||||||
/*
|
/*
|
||||||
* For fragments, we record protocol, packet id, TOS and both IP#'s
|
* For fragments, we record protocol, packet id, TOS and both IP#'s
|
||||||
* (these should all be the same for all fragments of a packet).
|
* (these should all be the same for all fragments of a packet).
|
||||||
|
*
|
||||||
|
* build up a hash value to index the table with.
|
||||||
*/
|
*/
|
||||||
frag.ipfr_p = ip->ip_p;
|
frag.ipfr_p = ip->ip_p;
|
||||||
idx = ip->ip_p;
|
idx = ip->ip_p;
|
||||||
@ -177,25 +221,26 @@ fr_info_t *fin;
|
|||||||
idx *= 127;
|
idx *= 127;
|
||||||
idx %= IPFT_SIZE;
|
idx %= IPFT_SIZE;
|
||||||
|
|
||||||
MUTEX_ENTER(&ipf_frag);
|
/*
|
||||||
for (f = ipfr_heads[idx]; f; f = f->ipfr_next)
|
* check the table, careful to only compare the right amount of data
|
||||||
|
*/
|
||||||
|
for (f = table[idx]; f; f = f->ipfr_next)
|
||||||
if (!bcmp((char *)&frag.ipfr_src, (char *)&f->ipfr_src,
|
if (!bcmp((char *)&frag.ipfr_src, (char *)&f->ipfr_src,
|
||||||
IPFR_CMPSZ)) {
|
IPFR_CMPSZ)) {
|
||||||
u_short atoff, off;
|
u_short atoff, off;
|
||||||
|
|
||||||
if (f != ipfr_heads[idx]) {
|
if (f != table[idx]) {
|
||||||
/*
|
/*
|
||||||
* move fragment info. to the top of the list
|
* move fragment info. to the top of the list
|
||||||
* to speed up searches.
|
* to speed up searches.
|
||||||
*/
|
*/
|
||||||
if ((f->ipfr_prev->ipfr_next = f->ipfr_next))
|
if ((f->ipfr_prev->ipfr_next = f->ipfr_next))
|
||||||
f->ipfr_next->ipfr_prev = f->ipfr_prev;
|
f->ipfr_next->ipfr_prev = f->ipfr_prev;
|
||||||
f->ipfr_next = ipfr_heads[idx];
|
f->ipfr_next = table[idx];
|
||||||
ipfr_heads[idx]->ipfr_prev = f;
|
table[idx]->ipfr_prev = f;
|
||||||
f->ipfr_prev = NULL;
|
f->ipfr_prev = NULL;
|
||||||
ipfr_heads[idx] = f;
|
table[idx] = f;
|
||||||
}
|
}
|
||||||
ret = f->ipfr_pass;
|
|
||||||
off = ip->ip_off;
|
off = ip->ip_off;
|
||||||
atoff = (off & 0x1fff) - (fin->fin_dlen >> 3);
|
atoff = (off & 0x1fff) - (fin->fin_dlen >> 3);
|
||||||
/*
|
/*
|
||||||
@ -209,11 +254,45 @@ fr_info_t *fin;
|
|||||||
f->ipfr_off = off;
|
f->ipfr_off = off;
|
||||||
}
|
}
|
||||||
ipfr_stats.ifs_hits++;
|
ipfr_stats.ifs_hits++;
|
||||||
MUTEX_EXIT(&ipf_frag);
|
return f;
|
||||||
return ret;
|
|
||||||
}
|
}
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* functional interface for normal lookups of the fragment cache
|
||||||
|
*/
|
||||||
|
nat_t *ipfr_nat_knownfrag(ip, fin)
|
||||||
|
ip_t *ip;
|
||||||
|
fr_info_t *fin;
|
||||||
|
{
|
||||||
|
nat_t *nat;
|
||||||
|
ipfr_t *ipf;
|
||||||
|
|
||||||
|
MUTEX_ENTER(&ipf_natfrag);
|
||||||
|
ipf = ipfr_lookup(ip, fin, ipfr_heads);
|
||||||
|
nat = ipf ? ipf->ipfr_data : NULL;
|
||||||
|
MUTEX_EXIT(&ipf_natfrag);
|
||||||
|
return nat;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* functional interface for NAT lookups of the NAT fragment cache
|
||||||
|
*/
|
||||||
|
int ipfr_knownfrag(ip, fin)
|
||||||
|
ip_t *ip;
|
||||||
|
fr_info_t *fin;
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
ipfr_t *ipf;
|
||||||
|
|
||||||
|
MUTEX_ENTER(&ipf_frag);
|
||||||
|
ipf = ipfr_lookup(ip, fin, ipfr_heads);
|
||||||
|
ret = ipf ? ipf->ipfr_pass : 0;
|
||||||
MUTEX_EXIT(&ipf_frag);
|
MUTEX_EXIT(&ipf_frag);
|
||||||
return 0;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
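Review bot: ipfr_nat_knownfrag takes ipf_natfrag but searches `ipfr_heads`, the table ipfr_nat_newfrag never inserts into (it uses `ipfr_nattab`), so the NAT lookup can only return NULL and reads a table guarded by ipf_frag under the wrong mutex; the call should be `ipf = ipfr_lookup(ip, fin, ipfr_nattab);`. The two new block comments are also swapped: "functional interface for normal lookups" sits above ipfr_nat_knownfrag and "for NAT lookups" above ipfr_knownfrag. Note too that the nat_t pointer is returned after ipf_natfrag is released; whether it can still be freed by then depends on the caller holding ipf_nat, which is not visible here and worth stating in the comment.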
@ -223,20 +302,35 @@ fr_info_t *fin;
|
|||||||
void ipfr_unload()
|
void ipfr_unload()
|
||||||
{
|
{
|
||||||
ipfr_t **fp, *fr;
|
ipfr_t **fp, *fr;
|
||||||
|
nat_t *nat;
|
||||||
int idx;
|
int idx;
|
||||||
#if !SOLARIS && defined(_KERNEL)
|
#if !SOLARIS && defined(_KERNEL)
|
||||||
int s;
|
int s;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
MUTEX_ENTER(&ipf_frag);
|
|
||||||
SPLNET(s);
|
SPLNET(s);
|
||||||
|
MUTEX_ENTER(&ipf_frag);
|
||||||
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
|
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
|
||||||
for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
|
for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
|
||||||
*fp = fr->ipfr_next;
|
*fp = fr->ipfr_next;
|
||||||
KFREE(fr);
|
KFREE(fr);
|
||||||
}
|
}
|
||||||
SPLX(s);
|
|
||||||
MUTEX_EXIT(&ipf_frag);
|
MUTEX_EXIT(&ipf_frag);
|
||||||
|
|
||||||
|
MUTEX_ENTER(&ipf_nat);
|
||||||
|
MUTEX_ENTER(&ipf_natfrag);
|
||||||
|
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
|
||||||
|
for (fp = &ipfr_nattab[idx]; (fr = *fp); ) {
|
||||||
|
*fp = fr->ipfr_next;
|
||||||
|
if ((nat = (nat_t *)fr->ipfr_data)) {
|
||||||
|
if (nat->nat_frag == fr)
|
||||||
|
nat->nat_frag = NULL;
|
||||||
|
}
|
||||||
|
KFREE(fr);
|
||||||
|
}
|
||||||
|
MUTEX_EXIT(&ipf_natfrag);
|
||||||
|
MUTEX_EXIT(&ipf_nat);
|
||||||
|
SPLX(s);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
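Review bot: ipfr_unload now raises SPLNET before entering ipf_frag, whereas ipfr_slowtimer in the following hunks enters ipf_frag first and then SPLNET; only one of the two mechanisms is active in any given build, so this is harmless today, but the two functions should agree on one order so a build where both matter cannot deadlock against the timer. I would move `MUTEX_ENTER(&ipf_frag);` back above `SPLNET(s);` here to match ipfr_slowtimer. ipfr_unload also leaves `ipfr_inuse` untouched after freeing every entry of both tables; `ipfr_inuse = 0;` after the second loop would keep ipfr_fragstats honest after an unload.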
@ -252,11 +346,17 @@ int ipfr_slowtimer()
|
|||||||
# endif
|
# endif
|
||||||
{
|
{
|
||||||
ipfr_t **fp, *fr;
|
ipfr_t **fp, *fr;
|
||||||
|
nat_t *nat;
|
||||||
int s, idx;
|
int s, idx;
|
||||||
|
|
||||||
MUTEX_ENTER(&ipf_frag);
|
MUTEX_ENTER(&ipf_frag);
|
||||||
SPLNET(s);
|
SPLNET(s);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Go through the entire table, looking for entries to expire,
|
||||||
|
* decreasing the ttl by one for each entry. If it reaches 0,
|
||||||
|
* remove it from the chain and free it.
|
||||||
|
*/
|
||||||
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
|
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
|
||||||
for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
|
for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
|
||||||
--fr->ipfr_ttl;
|
--fr->ipfr_ttl;
|
||||||
@ -274,12 +374,45 @@ int ipfr_slowtimer()
|
|||||||
} else
|
} else
|
||||||
fp = &fr->ipfr_next;
|
fp = &fr->ipfr_next;
|
||||||
}
|
}
|
||||||
|
MUTEX_EXIT(&ipf_frag);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Same again for the NAT table, except that if the structure also
|
||||||
|
* still points to a NAT structure, and the NAT structure points back
|
||||||
|
* at the one to be free'd, NULL the reference from the NAT struct.
|
||||||
|
* NOTE: We need to grab both mutex's early, and in this order so as
|
||||||
|
* to prevent a deadlock if both try to expire at the same time.
|
||||||
|
*/
|
||||||
|
MUTEX_ENTER(&ipf_nat);
|
||||||
|
MUTEX_ENTER(&ipf_natfrag);
|
||||||
|
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
|
||||||
|
for (fp = &ipfr_nattab[idx]; (fr = *fp); ) {
|
||||||
|
--fr->ipfr_ttl;
|
||||||
|
if (fr->ipfr_ttl == 0) {
|
||||||
|
if (fr->ipfr_prev)
|
||||||
|
fr->ipfr_prev->ipfr_next =
|
||||||
|
fr->ipfr_next;
|
||||||
|
if (fr->ipfr_next)
|
||||||
|
fr->ipfr_next->ipfr_prev =
|
||||||
|
fr->ipfr_prev;
|
||||||
|
*fp = fr->ipfr_next;
|
||||||
|
ipfr_stats.ifs_expire++;
|
||||||
|
ipfr_inuse--;
|
||||||
|
if ((nat = (nat_t *)fr->ipfr_data)) {
|
||||||
|
if (nat->nat_frag == fr)
|
||||||
|
nat->nat_frag = NULL;
|
||||||
|
}
|
||||||
|
KFREE(fr);
|
||||||
|
} else
|
||||||
|
fp = &fr->ipfr_next;
|
||||||
|
}
|
||||||
|
MUTEX_EXIT(&ipf_natfrag);
|
||||||
|
MUTEX_EXIT(&ipf_nat);
|
||||||
SPLX(s);
|
SPLX(s);
|
||||||
# if SOLARIS
|
# if SOLARIS
|
||||||
MUTEX_EXIT(&ipf_frag);
|
|
||||||
fr_timeoutstate();
|
fr_timeoutstate();
|
||||||
ip_natexpire();
|
ip_natexpire();
|
||||||
ipfr_timer_id = timeout(ipfr_slowtimer, NULL, HZ/2);
|
ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000));
|
||||||
# else
|
# else
|
||||||
fr_timeoutstate();
|
fr_timeoutstate();
|
||||||
ip_natexpire();
|
ip_natexpire();
|
||||||
|
@ -1,21 +1,22 @@
|
|||||||
/*
|
/*
|
||||||
* (C)opyright 1993, 1994, 1995 by Darren Reed.
|
* (C)opyright 1993-1997 by Darren Reed.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms are permitted
|
* Redistribution and use in source and binary forms are permitted
|
||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
* to the original author and the contributors.
|
* to the original author and the contributors.
|
||||||
*
|
*
|
||||||
* @(#)ip_frag.h 1.5 3/24/96
|
* @(#)ip_frag.h 1.5 3/24/96
|
||||||
* $Id: ip_frag.h,v 2.0.2.4 1997/03/27 13:45:09 darrenr Exp $
|
* $Id: ip_frag.h,v 2.0.2.7 1997/05/08 10:10:18 darrenr Exp $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef __IP_FRAG_H_
|
#ifndef __IP_FRAG_H__
|
||||||
#define __IP_FRAG_H__
|
#define __IP_FRAG_H__
|
||||||
|
|
||||||
#define IPFT_SIZE 257
|
#define IPFT_SIZE 257
|
||||||
|
|
||||||
typedef struct ipfr {
|
typedef struct ipfr {
|
||||||
struct ipfr *ipfr_next, *ipfr_prev;
|
struct ipfr *ipfr_next, *ipfr_prev;
|
||||||
|
void *ipfr_data;
|
||||||
struct in_addr ipfr_src;
|
struct in_addr ipfr_src;
|
||||||
struct in_addr ipfr_dst;
|
struct in_addr ipfr_dst;
|
||||||
u_short ipfr_id;
|
u_short ipfr_id;
|
||||||
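Review bot: The new `void *ipfr_data` member carries no comment, yet every user casts it to `nat_t *` and relies on it being NULL for entries of ipfr_heads (ipfr_new clears it; only ipfr_nat_newfrag sets it). A one-line note on the field would spare the next reader the cross-file hunt: `void *ipfr_data;   /* nat_t * owning this ipfr_nattab entry, NULL for ipfr_heads */`. The include-guard change from `__IP_FRAG_H_` to `__IP_FRAG_H__` makes the `#ifndef` finally match the `#define`.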
@ -35,14 +36,18 @@ typedef struct ipfrstat {
|
|||||||
u_long ifs_expire;
|
u_long ifs_expire;
|
||||||
u_long ifs_inuse;
|
u_long ifs_inuse;
|
||||||
struct ipfr **ifs_table;
|
struct ipfr **ifs_table;
|
||||||
|
struct ipfr **ifs_nattab;
|
||||||
} ipfrstat_t;
|
} ipfrstat_t;
|
||||||
|
|
||||||
#define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1)
|
#define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1)
|
||||||
|
|
||||||
extern ipfrstat_t *ipfr_fragstats __P((void));
|
extern ipfrstat_t *ipfr_fragstats __P((void));
|
||||||
extern int ipfr_newfrag __P((ip_t *, fr_info_t *, int));
|
extern int ipfr_newfrag __P((ip_t *, fr_info_t *, int));
|
||||||
|
extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, int, struct nat *));
|
||||||
|
extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));
|
||||||
extern int ipfr_knownfrag __P((ip_t *, fr_info_t *));
|
extern int ipfr_knownfrag __P((ip_t *, fr_info_t *));
|
||||||
extern void ipfr_unload __P((void));
|
extern void ipfr_unload __P((void));
|
||||||
|
|
||||||
#if (BSD >= 199306) || SOLARIS
|
#if (BSD >= 199306) || SOLARIS
|
||||||
extern void ipfr_slowtimer __P((void));
|
extern void ipfr_slowtimer __P((void));
|
||||||
#else
|
#else
|
||||||
|
@ -9,10 +9,10 @@
|
|||||||
*/
|
*/
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
|
static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
|
||||||
static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.8 1997/04/02 12:23:23 darrenr Exp $";
|
static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.18 1997/05/24 07:34:44 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(__FreeBSD__) && defined(KERNEL)
|
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
|
||||||
#define _KERNEL
|
#define _KERNEL
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -26,7 +26,13 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.8 1997/04/02 12:23:23 darrenr Exp $
|
|||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/time.h>
|
#include <sys/time.h>
|
||||||
#include <sys/file.h>
|
#include <sys/file.h>
|
||||||
#include <sys/ioctl.h>
|
#if defined(KERNEL) && (__FreeBSD_version >= 220000)
|
||||||
|
# include <sys/filio.h>
|
||||||
|
# include <sys/fnctl.h>
|
||||||
|
#else
|
||||||
|
# include <sys/ioctl.h>
|
||||||
|
#endif
|
||||||
|
#include <sys/fcntl.h>
|
||||||
#include <sys/uio.h>
|
#include <sys/uio.h>
|
||||||
#include <sys/protosw.h>
|
#include <sys/protosw.h>
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
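Review bot: The new FreeBSD 2.2 kernel branch includes `<sys/fnctl.h>`, which looks like a typo for `<sys/fcntl.h>`; the parallel block this commit adds to ip_frag.c spells it `<sys/fcntl.h>`, and a missing header is a hard build failure on exactly the platform the branch targets. Since `#include <sys/fcntl.h>` follows unconditionally two lines later, the conditional line can simply be dropped rather than corrected.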
@ -36,13 +42,19 @@ static char rcsid[] = "$Id: ip_nat.c,v 2.0.2.8 1997/04/02 12:23:23 darrenr Exp $
|
|||||||
#if !defined(__SVR4) && !defined(__svr4__)
|
#if !defined(__SVR4) && !defined(__svr4__)
|
||||||
# include <sys/mbuf.h>
|
# include <sys/mbuf.h>
|
||||||
#else
|
#else
|
||||||
|
# include <sys/filio.h>
|
||||||
# include <sys/byteorder.h>
|
# include <sys/byteorder.h>
|
||||||
# include <sys/dditypes.h>
|
# include <sys/dditypes.h>
|
||||||
# include <sys/stream.h>
|
# include <sys/stream.h>
|
||||||
# include <sys/kmem.h>
|
# include <sys/kmem.h>
|
||||||
#endif
|
#endif
|
||||||
|
#if __FreeBSD_version >= 300000
|
||||||
|
# include <sys/queue.h>
|
||||||
|
#endif
|
||||||
#include <net/if.h>
|
#include <net/if.h>
|
||||||
|
#if __FreeBSD_version >= 300000
|
||||||
|
# include <net/if_var.h>
|
||||||
|
#endif
|
||||||
#ifdef sun
|
#ifdef sun
|
||||||
#include <net/af.h>
|
#include <net/af.h>
|
||||||
#endif
|
#endif
|
||||||
@ -62,36 +74,30 @@ extern struct ifnet vpnif;
|
|||||||
#include <netinet/udp.h>
|
#include <netinet/udp.h>
|
||||||
#include <netinet/tcpip.h>
|
#include <netinet/tcpip.h>
|
||||||
#include <netinet/ip_icmp.h>
|
#include <netinet/ip_icmp.h>
|
||||||
#include "ip_compat.h"
|
#include "netinet/ip_compat.h"
|
||||||
#include "ip_fil.h"
|
#include "netinet/ip_fil.h"
|
||||||
#include "ip_nat.h"
|
#include "netinet/ip_proxy.h"
|
||||||
#include "ip_state.h"
|
#include "netinet/ip_nat.h"
|
||||||
|
#include "netinet/ip_frag.h"
|
||||||
|
#include "netinet/ip_state.h"
|
||||||
#ifndef MIN
|
#ifndef MIN
|
||||||
#define MIN(a,b) (((a)<(b))?(a):(b))
|
#define MIN(a,b) (((a)<(b))?(a):(b))
|
||||||
#endif
|
#endif
|
||||||
|
#undef SOCKADDR_IN
|
||||||
|
#define SOCKADDR_IN struct sockaddr_in
|
||||||
|
|
||||||
nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL;
|
nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL;
|
||||||
ipnat_t *nat_list = NULL;
|
ipnat_t *nat_list = NULL;
|
||||||
u_long nat_inuse = 0,
|
u_long fr_defnatage = 1200;
|
||||||
fr_defnatage = 1200;
|
|
||||||
natstat_t nat_stats;
|
natstat_t nat_stats;
|
||||||
#if SOLARIS
|
#if SOLARIS && defined(_KERNEL)
|
||||||
# ifndef _KERNEL
|
|
||||||
#define bzero(a,b) memset(a,0,b)
|
|
||||||
#define bcmp(a,b,c) memcpy(a,b,c)
|
|
||||||
#define bcopy(a,b,c) memmove(b,a,c)
|
|
||||||
# else
|
|
||||||
extern kmutex_t ipf_nat;
|
extern kmutex_t ipf_nat;
|
||||||
# endif
|
extern kmutex_t ipf_natfrag;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static int flush_nattable __P((void)), clear_natlist __P((void));
|
static int flush_nattable __P((void)), clear_natlist __P((void));
|
||||||
static void nattable_sync __P((void)), nat_delete __P((struct nat *));
|
|
||||||
static nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int));
|
|
||||||
static void fix_outcksum __P((u_short *, u_long));
|
|
||||||
static void fix_incksum __P((u_short *, u_long));
|
|
||||||
|
|
||||||
static void fix_outcksum(sp, n)
|
void fix_outcksum(sp, n)
|
||||||
u_short *sp;
|
u_short *sp;
|
||||||
u_long n;
|
u_long n;
|
||||||
{
|
{
|
||||||
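Review bot: fix_outcksum and fix_incksum lose `static` here (as does nat_new in the hunk at -374,7) and their file-local prototypes are deleted, but no prototype for them is visible in any header; another file calling them, presumably the reason for exporting them, would then depend on an implicit declaration. Add the declarations to ip_nat.h, e.g. `extern void fix_outcksum __P((u_short *, u_long));` and the same for fix_incksum and nat_new, or keep them static if nothing outside this file uses them. The replacement of `nat_inuse` by `nat_stats.ns_inuse` is fine as long as every former decrement is carried over, which the nat_delete hunk should be checked against.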
@ -112,7 +118,7 @@ u_long n;
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static void fix_incksum(sp, n)
|
void fix_incksum(sp, n)
|
||||||
u_short *sp;
|
u_short *sp;
|
||||||
u_long n;
|
u_long n;
|
||||||
{
|
{
|
||||||
@ -197,6 +203,7 @@ int cmd, mode;
|
|||||||
}
|
}
|
||||||
IRCOPY((char *)data, (char *)n, sizeof(*n));
|
IRCOPY((char *)data, (char *)n, sizeof(*n));
|
||||||
n->in_ifp = (void *)GETUNIT(n->in_ifname);
|
n->in_ifp = (void *)GETUNIT(n->in_ifname);
|
||||||
|
n->in_apr = ap_match(n->in_p, n->in_plabel);
|
||||||
n->in_next = *np;
|
n->in_next = *np;
|
||||||
n->in_use = 0;
|
n->in_use = 0;
|
||||||
n->in_space = ~(0xffffffff & ntohl(n->in_outmsk));
|
n->in_space = ~(0xffffffff & ntohl(n->in_outmsk));
|
||||||
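Review bot: `n->in_plabel` arrives straight from the user buffer copied in by IRCOPY on the line above and is handed to ap_match without any check that it is NUL-terminated; if in_plabel is an inline char array compared as a C string (its definition is not visible here), a label filled to full width would let ap_match read past the field. Forcing the terminator before the match, `n->in_plabel[sizeof(n->in_plabel) - 1] = '\0';`, closes that for every SIOCADNAT caller. The same consideration applies to `in_ifname` passed to GETUNIT on the pre-existing line if that is a string lookup. The ioctl handler begins and ends outside this hunk.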
@ -208,7 +215,7 @@ int cmd, mode;
|
|||||||
n->in_nip = ntohl(n->in_outip) + 1;
|
n->in_nip = ntohl(n->in_outip) + 1;
|
||||||
else
|
else
|
||||||
n->in_nip = ntohl(n->in_outip);
|
n->in_nip = ntohl(n->in_outip);
|
||||||
if (n->in_redir == NAT_MAP) {
|
if (n->in_redir & NAT_MAP) {
|
||||||
n->in_pnext = ntohs(n->in_pmin);
|
n->in_pnext = ntohs(n->in_pmin);
|
||||||
/*
|
/*
|
||||||
* Multiply by the number of ports made available.
|
* Multiply by the number of ports made available.
|
||||||
@ -219,6 +226,7 @@ int cmd, mode;
|
|||||||
}
|
}
|
||||||
/* Otherwise, these fields are preset */
|
/* Otherwise, these fields are preset */
|
||||||
*np = n;
|
*np = n;
|
||||||
|
nat_stats.ns_rules++;
|
||||||
break;
|
break;
|
||||||
case SIOCRMNAT :
|
case SIOCRMNAT :
|
||||||
if (!(mode & FWRITE)) {
|
if (!(mode & FWRITE)) {
|
||||||
@ -230,15 +238,20 @@ int cmd, mode;
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
*np = n->in_next;
|
*np = n->in_next;
|
||||||
|
if (!n->in_use) {
|
||||||
KFREE(n);
|
if (n->in_apr)
|
||||||
nattable_sync();
|
ap_free(n->in_apr);
|
||||||
|
KFREE(n);
|
||||||
|
nat_stats.ns_rules--;
|
||||||
|
} else {
|
||||||
|
n->in_flags |= IPN_DELETE;
|
||||||
|
n->in_next = NULL;
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
case SIOCGNATS :
|
case SIOCGNATS :
|
||||||
nat_stats.ns_table[0] = nat_table[0];
|
nat_stats.ns_table[0] = nat_table[0];
|
||||||
nat_stats.ns_table[1] = nat_table[1];
|
nat_stats.ns_table[1] = nat_table[1];
|
||||||
nat_stats.ns_list = nat_list;
|
nat_stats.ns_list = nat_list;
|
||||||
nat_stats.ns_inuse = nat_inuse;
|
|
||||||
IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats));
|
IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats));
|
||||||
break;
|
break;
|
||||||
case SIOCGNATL :
|
case SIOCGNATL :
|
||||||
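Review bot: The rule-release sequence `if (n->in_apr) ap_free(n->in_apr); KFREE(n); nat_stats.ns_rules--;` now appears three times in this file (here, in nat_delete at -295,12 and in clear_natlist at -329,44), and the IPN_DELETE deferral means all three must stay identical or a rule freed by one path will leak what another releases. A small static helper keeps them in step; the sketch below shows the helper and this hunk's call site, and it needs a prototype alongside the existing `static` ones at the top of the file. The ioctl handler begins and ends outside this hunk.
```c
/*
 * Release one NAT rule: its proxy binding (if any), the rule itself and
 * the rule count.
 */
static void nat_free_rule(n)
ipnat_t *n;
{
	if (n->in_apr)
		ap_free(n->in_apr);
	KFREE(n);
	nat_stats.ns_rules--;
}

/* … in the SIOCRMNAT case, in place of the inline free sequence … */
		*np = n->in_next;
		if (!n->in_use) {
			nat_free_rule(n);
		} else {
			n->in_flags |= IPN_DELETE;
			n->in_next = NULL;
		}
		break;
```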
@ -269,6 +282,11 @@ int cmd, mode;
|
|||||||
ret = clear_natlist();
|
ret = clear_natlist();
|
||||||
IWCOPY((caddr_t)&ret, data, sizeof(ret));
|
IWCOPY((caddr_t)&ret, data, sizeof(ret));
|
||||||
break;
|
break;
|
||||||
|
case FIONREAD :
|
||||||
|
#ifdef IPFILTER_LOG
|
||||||
|
*(int *)data = iplused[IPL_LOGNAT];
|
||||||
|
#endif
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
SPLX(s);
|
SPLX(s);
|
||||||
MUTEX_EXIT(&ipf_nat);
|
MUTEX_EXIT(&ipf_nat);
|
||||||
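Review bot: The new `FIONREAD` case writes `*(int *)data` only under IPFILTER_LOG; in a build without it the ioctl returns success and leaves the caller's int whatever it was, which user code will read as a byte count. Either clear it in the other branch, `#else` / `*(int *)data = 0;`, or route the case to the error path the other cases use so the caller learns the log is not compiled in. The ioctl handler begins and ends outside this hunk.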
@ -280,6 +298,7 @@ static void nat_delete(natd)
|
|||||||
struct nat *natd;
|
struct nat *natd;
|
||||||
{
|
{
|
||||||
register struct nat **natp, *nat;
|
register struct nat **natp, *nat;
|
||||||
|
struct ipnat *ipn;
|
||||||
|
|
||||||
for (natp = natd->nat_hstart[0]; (nat = *natp);
|
for (natp = natd->nat_hstart[0]; (nat = *natp);
|
||||||
natp = &nat->nat_hnext[0])
|
natp = &nat->nat_hnext[0])
|
||||||
@ -295,12 +314,21 @@ struct nat *natd;
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (natd->nat_ptr) {
|
if ((ipn = natd->nat_ptr)) {
|
||||||
natd->nat_ptr->in_space++;
|
ipn->in_space++;
|
||||||
natd->nat_ptr->in_use--;
|
ipn->in_use--;
|
||||||
|
if (!ipn->in_use && (ipn->in_flags & IPN_DELETE)) {
|
||||||
|
if (ipn->in_apr)
|
||||||
|
ap_free(ipn->in_apr);
|
||||||
|
KFREE(ipn);
|
||||||
|
nat_stats.ns_rules--;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
MUTEX_ENTER(&ipf_natfrag);
|
||||||
|
if (nat->nat_frag && nat->nat_frag->ipfr_data == nat)
|
||||||
|
nat->nat_frag->ipfr_data = NULL;
|
||||||
|
MUTEX_EXIT(&ipf_natfrag);
|
||||||
KFREE(natd);
|
KFREE(natd);
|
||||||
nat_inuse--;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
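Review bot: The nat_frag back-reference clearing added at the end of nat_delete reads `nat`, the cursor of the two hash-chain walks above, not `natd`, the entry being deleted; the cursor equals natd only when a walk found it and is NULL when the chain was exhausted, so the new lines can dereference NULL, and in any event the intent is `if (natd->nat_frag && natd->nat_frag->ipfr_data == natd) natd->nat_frag->ipfr_data = NULL;`. Separately, this commit deletes `nat_inuse--` here while nat_new (hunk at -571,7) now does `nat_stats.ns_inuse++`, so the in-use count only ever grows until clear_natlist zeroes it; `nat_stats.ns_inuse--;` belongs next to `KFREE(natd)`. nat_delete begins in the previous hunk.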
@ -329,44 +357,28 @@ static int flush_nattable()
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/*
|
|
||||||
* I know this is O(N*M), but it can't be avoided.
|
|
||||||
*/
|
|
||||||
static void nattable_sync()
|
|
||||||
{
|
|
||||||
register nat_t *nat;
|
|
||||||
register ipnat_t *np;
|
|
||||||
int i;
|
|
||||||
|
|
||||||
for (i = NAT_SIZE - 1; i >= 0; i--)
|
|
||||||
for (nat = nat_instances; nat; nat = nat->nat_next) {
|
|
||||||
for (np = nat_list; np; np = np->in_next)
|
|
||||||
if (nat->nat_ptr == np)
|
|
||||||
break;
|
|
||||||
/*
|
|
||||||
* XXX - is it better to remove this if ? works the
|
|
||||||
* same if it is just "nat->nat_ptr = np".
|
|
||||||
*/
|
|
||||||
if (!np)
|
|
||||||
nat->nat_ptr = NULL;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* clear_natlist - delete all entries in the active NAT mapping list.
|
* clear_natlist - delete all entries in the active NAT mapping list.
|
||||||
*/
|
*/
|
||||||
static int clear_natlist()
|
static int clear_natlist()
|
||||||
{
|
{
|
||||||
register ipnat_t *n, **np;
|
register ipnat_t *n, **np = &nat_list;
|
||||||
int i = 0;
|
int i = 0;
|
||||||
|
|
||||||
for (np = &nat_list; (n = *np); i++) {
|
while ((n = *np)) {
|
||||||
*np = n->in_next;
|
*np = n->in_next;
|
||||||
KFREE(n);
|
if (!n->in_use) {
|
||||||
|
if (n->in_apr)
|
||||||
|
ap_free(n->in_apr);
|
||||||
|
KFREE(n);
|
||||||
|
nat_stats.ns_rules--;
|
||||||
|
i++;
|
||||||
|
} else {
|
||||||
|
n->in_flags |= IPN_DELETE;
|
||||||
|
n->in_next = NULL;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
nat_stats.ns_inuse = 0;
|
||||||
nattable_sync();
|
|
||||||
return i;
|
return i;
|
||||||
}
|
}
|
||||||
|
|
||||||
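Review bot: clear_natlist now sets `nat_stats.ns_inuse = 0`, but ns_inuse counts nat_t instances (incremented in nat_new), whereas this function frees ipnat_t rules and deliberately leaves rules that still have instances in use, marked IPN_DELETE, for later; zeroing the instance count here misreports for as long as those instances live. Drop the assignment here and let the per-instance release in nat_delete decrement the counter (flush_nattable, which actually frees instances, is outside this hunk). Removing nattable_sync is consistent with the new in_use/IPN_DELETE ownership, provided every rule-free path goes through the same release sequence.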
@ -374,7 +386,7 @@ static int clear_natlist()
|
|||||||
/*
|
/*
|
||||||
* Create a new NAT table entry.
|
* Create a new NAT table entry.
|
||||||
*/
|
*/
|
||||||
static nat_t *nat_new(np, ip, fin, flags, direction)
|
nat_t *nat_new(np, ip, fin, flags, direction)
|
||||||
ipnat_t *np;
|
ipnat_t *np;
|
||||||
ip_t *ip;
|
ip_t *ip;
|
||||||
fr_info_t *fin;
|
fr_info_t *fin;
|
||||||
@ -426,15 +438,31 @@ int direction;
|
|||||||
struct ifaddr *ifa;
|
struct ifaddr *ifa;
|
||||||
struct sockaddr_in *sin;
|
struct sockaddr_in *sin;
|
||||||
|
|
||||||
ifa = ifp->if_addrlist;
|
# if (__FreeBSD_version >= 300000)
|
||||||
# if BSD < 199306
|
ifa = TAILQ_FIRST(&ifp->if_addrhead);
|
||||||
sin = (struct sockaddr_in *)&ifa->ifa_addr;
|
|
||||||
# else
|
# else
|
||||||
sin = (struct sockaddr_in *)ifa->ifa_addr;
|
# ifdef __NetBSD__
|
||||||
|
ifa = ifp->if_addrlist.tqh_first;
|
||||||
|
# else
|
||||||
|
ifa = ifp->if_addrlist;
|
||||||
|
# endif
|
||||||
|
# endif
|
||||||
|
# if BSD < 199306
|
||||||
|
sin = (SOCKADDR_IN *)&ifa->ifa_addr;
|
||||||
|
# else
|
||||||
|
sin = (SOCKADDR_IN *)ifa->ifa_addr;
|
||||||
while (sin && ifa &&
|
while (sin && ifa &&
|
||||||
sin->sin_family != AF_INET) {
|
sin->sin_family != AF_INET) {
|
||||||
|
# if (__FreeBSD_version >= 300000)
|
||||||
|
ifa = TAILQ_NEXT(ifa, ifa_link);
|
||||||
|
# else
|
||||||
|
# ifdef __NetBSD__
|
||||||
|
ifa = ifa->ifa_list.tqe_next;
|
||||||
|
# else
|
||||||
ifa = ifa->ifa_next;
|
ifa = ifa->ifa_next;
|
||||||
sin = (struct sockaddr_in *)ifa->ifa_addr;
|
# endif
|
||||||
|
# endif
|
||||||
|
sin = (SOCKADDR_IN *)ifa->ifa_addr;
|
||||||
}
|
}
|
||||||
if (!ifa)
|
if (!ifa)
|
||||||
sin = NULL;
|
sin = NULL;
|
||||||
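Review bot: In the address walk every variant now does `ifa = <next>` and then `sin = (SOCKADDR_IN *)ifa->ifa_addr;` before the loop condition `sin && ifa` is re-evaluated, so reaching the end of the list (an interface with no AF_INET address) dereferences a NULL `ifa` one line before the check meant to catch it, and the `if (!ifa) sin = NULL;` afterwards never runs. Guard the reload, `sin = ifa ? (SOCKADDR_IN *)ifa->ifa_addr : NULL;`. The pre-199306 branch also seeds `sin` from `&ifa->ifa_addr` but reloads it from `ifa->ifa_addr` inside the loop, which cannot both be right for one ifaddr layout. nat_new begins and ends outside this hunk.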
@ -465,7 +493,8 @@ int direction;
|
|||||||
if ((np->in_nip & ntohl(np->in_outmsk)) >
|
if ((np->in_nip & ntohl(np->in_outmsk)) >
|
||||||
ntohl(np->in_outip))
|
ntohl(np->in_outip))
|
||||||
np->in_nip = ntohl(np->in_outip) + 1;
|
np->in_nip = ntohl(np->in_outip) + 1;
|
||||||
} while (nat_inlookup(flags, ip->ip_dst, dport, in, port));
|
} while (nat_inlookup(fin->fin_ifp, flags, ip->ip_dst,
|
||||||
|
dport, in, port));
|
||||||
|
|
||||||
/* Setup the NAT table */
|
/* Setup the NAT table */
|
||||||
nat->nat_inip = ip->ip_src;
|
nat->nat_inip = ip->ip_src;
|
||||||
@ -562,7 +591,10 @@ int direction;
|
|||||||
nat->nat_hnext[1] = *natp;
|
nat->nat_hnext[1] = *natp;
|
||||||
*natp = nat;
|
*natp = nat;
|
||||||
nat->nat_ptr = np;
|
nat->nat_ptr = np;
|
||||||
np->in_use++;
|
nat->nat_bytes = 0;
|
||||||
|
nat->nat_pkts = 0;
|
||||||
|
nat->nat_ifp = fin->fin_ifp;
|
||||||
|
nat->nat_dir = direction;
|
||||||
if (direction == NAT_OUTBOUND) {
|
if (direction == NAT_OUTBOUND) {
|
||||||
if (flags & IPN_TCPUDP)
|
if (flags & IPN_TCPUDP)
|
||||||
tcp->th_sport = htons(port);
|
tcp->th_sport = htons(port);
|
||||||
@ -571,7 +603,8 @@ int direction;
|
|||||||
tcp->th_dport = htons(nport);
|
tcp->th_dport = htons(nport);
|
||||||
}
|
}
|
||||||
nat_stats.ns_added++;
|
nat_stats.ns_added++;
|
||||||
nat_inuse++;
|
nat_stats.ns_inuse++;
|
||||||
|
np->in_use++;
|
||||||
return nat;
|
return nat;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -586,7 +619,8 @@ int direction;
|
|||||||
* we're looking for a table entry, based on the destination address.
|
* we're looking for a table entry, based on the destination address.
|
||||||
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
|
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
|
||||||
*/
|
*/
|
||||||
nat_t *nat_inlookup(flags, src, sport, mapdst, mapdport)
|
nat_t *nat_inlookup(ifp, flags, src, sport, mapdst, mapdport)
|
||||||
|
void *ifp;
|
||||||
register int flags;
|
register int flags;
|
||||||
struct in_addr src , mapdst;
|
struct in_addr src , mapdst;
|
||||||
u_short sport, mapdport;
|
u_short sport, mapdport;
|
||||||
@ -597,7 +631,8 @@ u_short sport, mapdport;
|
|||||||
|
|
||||||
nat = nat_table[1][mapdst.s_addr % NAT_SIZE];
|
nat = nat_table[1][mapdst.s_addr % NAT_SIZE];
|
||||||
for (; nat; nat = nat->nat_hnext[1])
|
for (; nat; nat = nat->nat_hnext[1])
|
||||||
if (nat->nat_oip.s_addr == src.s_addr &&
|
if ((!ifp || ifp == nat->nat_ifp) &&
|
||||||
|
nat->nat_oip.s_addr == src.s_addr &&
|
||||||
nat->nat_outip.s_addr == mapdst.s_addr &&
|
nat->nat_outip.s_addr == mapdst.s_addr &&
|
||||||
flags == nat->nat_flags && (!flags ||
|
flags == nat->nat_flags && (!flags ||
|
||||||
(nat->nat_oport == sport &&
|
(nat->nat_oport == sport &&
|
||||||
@ -613,7 +648,8 @@ u_short sport, mapdport;
|
|||||||
* we're looking for a table entry, based on the source address.
|
* we're looking for a table entry, based on the source address.
|
||||||
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
|
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
|
||||||
*/
|
*/
|
||||||
nat_t *nat_outlookup(flags, src, sport, dst, dport)
|
nat_t *nat_outlookup(ifp, flags, src, sport, dst, dport)
|
||||||
|
void *ifp;
|
||||||
register int flags;
|
register int flags;
|
||||||
struct in_addr src , dst;
|
struct in_addr src , dst;
|
||||||
u_short sport, dport;
|
u_short sport, dport;
|
||||||
@ -624,7 +660,8 @@ u_short sport, dport;
|
|||||||
|
|
||||||
nat = nat_table[0][src.s_addr % NAT_SIZE];
|
nat = nat_table[0][src.s_addr % NAT_SIZE];
|
||||||
for (; nat; nat = nat->nat_hnext[0])
|
for (; nat; nat = nat->nat_hnext[0])
|
||||||
if (nat->nat_inip.s_addr == src.s_addr &&
|
if ((!ifp || ifp == nat->nat_ifp) &&
|
||||||
|
nat->nat_inip.s_addr == src.s_addr &&
|
||||||
nat->nat_oip.s_addr == dst.s_addr &&
|
nat->nat_oip.s_addr == dst.s_addr &&
|
||||||
flags == nat->nat_flags && (!flags ||
|
flags == nat->nat_flags && (!flags ||
|
||||||
(nat->nat_inport == sport && nat->nat_oport == dport)))
|
(nat->nat_inport == sport && nat->nat_oport == dport)))
|
||||||
@ -638,7 +675,8 @@ u_short sport, dport;
|
|||||||
* real destination address/port. We use this lookup when sending a packet
|
* real destination address/port. We use this lookup when sending a packet
|
||||||
* out, we're looking for a table entry, based on the source address.
|
* out, we're looking for a table entry, based on the source address.
|
||||||
*/
|
*/
|
||||||
nat_t *nat_lookupmapip(flags, mapsrc, mapsport, dst, dport)
|
nat_t *nat_lookupmapip(ifp, flags, mapsrc, mapsport, dst, dport)
|
||||||
|
void *ifp;
|
||||||
register int flags;
|
register int flags;
|
||||||
struct in_addr mapsrc , dst;
|
struct in_addr mapsrc , dst;
|
||||||
u_short mapsport, dport;
|
u_short mapsport, dport;
|
||||||
@ -649,8 +687,9 @@ u_short mapsport, dport;
|
|||||||
|
|
||||||
nat = nat_table[1][mapsrc.s_addr % NAT_SIZE];
|
nat = nat_table[1][mapsrc.s_addr % NAT_SIZE];
|
||||||
for (; nat; nat = nat->nat_hnext[0])
|
for (; nat; nat = nat->nat_hnext[0])
|
||||||
if (nat->nat_outip.s_addr == mapsrc.s_addr &&
|
if ((!ifp || ifp == nat->nat_ifp) &&
|
||||||
nat->nat_oip.s_addr == dst.s_addr &&
|
nat->nat_oip.s_addr == dst.s_addr &&
|
||||||
|
nat->nat_outip.s_addr == mapsrc.s_addr &&
|
||||||
flags == nat->nat_flags && (!flags ||
|
flags == nat->nat_flags && (!flags ||
|
||||||
(nat->nat_outport == mapsport &&
|
(nat->nat_outport == mapsport &&
|
||||||
nat->nat_oport == dport)))
|
nat->nat_oport == dport)))
|
||||||
@ -671,7 +710,7 @@ register natlookup_t *np;
|
|||||||
* If nl_inip is non null, this is a lookup based on the real
|
* If nl_inip is non null, this is a lookup based on the real
|
||||||
* ip address. Else, we use the fake.
|
* ip address. Else, we use the fake.
|
||||||
*/
|
*/
|
||||||
if ((nat = nat_outlookup(IPN_TCPUDP, np->nl_inip, np->nl_inport,
|
if ((nat = nat_outlookup(NULL, IPN_TCPUDP, np->nl_inip, np->nl_inport,
|
||||||
np->nl_outip, np->nl_outport))) {
|
np->nl_outip, np->nl_outport))) {
|
||||||
np->nl_inip = nat->nat_outip;
|
np->nl_inip = nat->nat_outip;
|
||||||
np->nl_inport = nat->nat_outport;
|
np->nl_inport = nat->nat_outport;
|
||||||
@ -718,43 +757,56 @@ fr_info_t *fin;
|
|||||||
ipa = ip->ip_src.s_addr;
|
ipa = ip->ip_src.s_addr;
|
||||||
|
|
||||||
MUTEX_ENTER(&ipf_nat);
|
MUTEX_ENTER(&ipf_nat);
|
||||||
for (np = nat_list; np; np = np->in_next)
|
if ((nat = ipfr_nat_knownfrag(ip, fin)))
|
||||||
if ((np->in_ifp == ifp) && np->in_space &&
|
;
|
||||||
(!np->in_flags || (np->in_flags & nflags)) &&
|
else if ((nat = nat_outlookup(fin->fin_ifp, nflags, ip->ip_src, sport,
|
||||||
((ipa & np->in_inmsk) == np->in_inip) &&
|
ip->ip_dst, dport)))
|
||||||
((np->in_redir == NAT_MAP) ||
|
np = nat->nat_ptr;
|
||||||
(np->in_pnext == sport))) {
|
else
|
||||||
/*
|
/*
|
||||||
* If there is no current entry in the nat table for
|
* If there is no current entry in the nat table for this IP#,
|
||||||
* this IP#, create one for it.
|
* create one for it (if there is a matching rule).
|
||||||
*/
|
*/
|
||||||
if (!(nat = nat_outlookup(nflags, ip->ip_src, sport,
|
for (np = nat_list; np; np = np->in_next)
|
||||||
ip->ip_dst, dport))) {
|
if ((np->in_ifp == ifp) && np->in_space &&
|
||||||
|
(!np->in_flags || (np->in_flags & nflags)) &&
|
||||||
|
((ipa & np->in_inmsk) == np->in_inip) &&
|
||||||
|
((np->in_redir & NAT_MAP) ||
|
||||||
|
(np->in_pnext == sport))) {
|
||||||
|
if (*np->in_plabel && !ap_ok(ip, tcp, np))
|
||||||
|
continue;
|
||||||
/*
|
/*
|
||||||
* If it's a redirection, then we don't want
|
* If it's a redirection, then we don't want to
|
||||||
* to create new outgoing port stuff.
|
* create new outgoing port stuff.
|
||||||
* Redirections are only for incoming
|
* Redirections are only for incoming
|
||||||
* connections.
|
* connections.
|
||||||
*/
|
*/
|
||||||
if (np->in_redir == NAT_REDIRECT)
|
if (!(np->in_redir & NAT_MAP))
|
||||||
continue;
|
continue;
|
||||||
if (!(nat = nat_new(np, ip, fin, nflags,
|
if ((nat = nat_new(np, ip, fin, nflags,
|
||||||
NAT_OUTBOUND)))
|
NAT_OUTBOUND)))
|
||||||
break;
|
|
||||||
#ifdef IPFILTER_LOG
|
#ifdef IPFILTER_LOG
|
||||||
nat_log(nat, (u_short)np->in_redir);
|
nat_log(nat, (u_short)np->in_redir);
|
||||||
|
#else
|
||||||
|
;
|
||||||
#endif
|
#endif
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
ip->ip_src = nat->nat_outip;
|
|
||||||
|
|
||||||
nat->nat_age = fr_defnatage; /* 5 mins */
|
if (nat) {
|
||||||
|
if (!nat->nat_frag && fin->fin_fi.fi_fl & FI_FRAG)
|
||||||
|
ipfr_nat_newfrag(ip, fin, 0, nat);
|
||||||
|
nat->nat_age = fr_defnatage;
|
||||||
|
ip->ip_src = nat->nat_outip;
|
||||||
|
nat->nat_bytes += ip->ip_len;
|
||||||
|
nat->nat_pkts++;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Fix up checksums, not by recalculating them, but
|
* Fix up checksums, not by recalculating them, but
|
||||||
* simply computing adjustments.
|
* simply computing adjustments.
|
||||||
*/
|
*/
|
||||||
#if SOLARIS
|
#if SOLARIS
|
||||||
if (np->in_redir == NAT_MAP)
|
if (nat->nat_dir == NAT_OUTBOUND)
|
||||||
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
|
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
|
||||||
else
|
else
|
||||||
fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
|
fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
|
||||||
@ -770,6 +822,14 @@ fr_info_t *fin;
|
|||||||
csump = &tcp->th_sum;
|
csump = &tcp->th_sum;
|
||||||
fr_tcp_age(&nat->nat_age,
|
fr_tcp_age(&nat->nat_age,
|
||||||
nat->nat_state, ip, fin,1);
|
nat->nat_state, ip, fin,1);
|
||||||
|
/*
|
||||||
|
* Increase this because we may have
|
||||||
|
* "keep state" following this too and
|
||||||
|
* packet storms can occur if this is
|
||||||
|
* removed too quickly.
|
||||||
|
*/
|
||||||
|
if (nat->nat_age == fr_tcpclosed)
|
||||||
|
nat->nat_age = fr_tcplastack;
|
||||||
} else if (ip->ip_p == IPPROTO_UDP) {
|
} else if (ip->ip_p == IPPROTO_UDP) {
|
||||||
udphdr_t *udp = (udphdr_t *)tcp;
|
udphdr_t *udp = (udphdr_t *)tcp;
|
||||||
|
|
||||||
@ -781,7 +841,7 @@ fr_info_t *fin;
|
|||||||
csump = &ic->icmp_cksum;
|
csump = &ic->icmp_cksum;
|
||||||
}
|
}
|
||||||
if (csump) {
|
if (csump) {
|
||||||
if (np->in_redir == NAT_MAP)
|
if (nat->nat_dir == NAT_OUTBOUND)
|
||||||
fix_outcksum(csump,
|
fix_outcksum(csump,
|
||||||
nat->nat_sumd);
|
nat->nat_sumd);
|
||||||
else
|
else
|
||||||
@ -789,6 +849,7 @@ fr_info_t *fin;
|
|||||||
nat->nat_sumd);
|
nat->nat_sumd);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
(void) ap_check(ip, tcp, fin, nat);
|
||||||
nat_stats.ns_mapped[1]++;
|
nat_stats.ns_mapped[1]++;
|
||||||
MUTEX_EXIT(&ipf_nat);
|
MUTEX_EXIT(&ipf_nat);
|
||||||
return 1;
|
return 1;
|
||||||
@ -829,38 +890,55 @@ fr_info_t *fin;
|
|||||||
in = ip->ip_dst;
|
in = ip->ip_dst;
|
||||||
|
|
||||||
MUTEX_ENTER(&ipf_nat);
|
MUTEX_ENTER(&ipf_nat);
|
||||||
for (np = nat_list; np; np = np->in_next)
|
|
||||||
if ((np->in_ifp == ifp) &&
|
if ((nat = ipfr_nat_knownfrag(ip, fin)))
|
||||||
(!np->in_flags || (nflags & np->in_flags)) &&
|
;
|
||||||
((in.s_addr & np->in_outmsk) == np->in_outip) &&
|
else if ((nat = nat_inlookup(fin->fin_ifp, nflags, ip->ip_src, sport,
|
||||||
(np->in_redir == NAT_MAP || np->in_pmin == dport)) {
|
ip->ip_dst, dport)))
|
||||||
if (!(nat = nat_inlookup(nflags, ip->ip_src, sport,
|
np = nat->nat_ptr;
|
||||||
ip->ip_dst, dport))) {
|
else
|
||||||
|
/*
|
||||||
|
* If there is no current entry in the nat table for this IP#,
|
||||||
|
* create one for it (if there is a matching rule).
|
||||||
|
*/
|
||||||
|
for (np = nat_list; np; np = np->in_next)
|
||||||
|
if ((np->in_ifp == ifp) &&
|
||||||
|
(!np->in_flags || (nflags & np->in_flags)) &&
|
||||||
|
((in.s_addr & np->in_outmsk) == np->in_outip) &&
|
||||||
|
(np->in_redir & NAT_REDIRECT ||
|
||||||
|
np->in_pmin == dport)) {
|
||||||
/*
|
/*
|
||||||
* If this rule (np) is a redirection, rather
|
* If this rule (np) is a redirection, rather
|
||||||
* than a mapping, then do a nat_new.
|
* than a mapping, then do a nat_new.
|
||||||
* Otherwise, if it's just a mapping, do a
|
* Otherwise, if it's just a mapping, do a
|
||||||
* continue;
|
* continue;
|
||||||
*/
|
*/
|
||||||
if (np->in_redir == NAT_MAP)
|
if (!(np->in_redir & NAT_REDIRECT))
|
||||||
continue;
|
continue;
|
||||||
if (!(nat = nat_new(np, ip, fin, nflags,
|
if ((nat = nat_new(np, ip, fin, nflags,
|
||||||
NAT_INBOUND)))
|
NAT_INBOUND)))
|
||||||
break;
|
|
||||||
#ifdef IPFILTER_LOG
|
#ifdef IPFILTER_LOG
|
||||||
nat_log(nat, (u_short)np->in_redir);
|
nat_log(nat, (u_short)np->in_redir);
|
||||||
|
#else
|
||||||
|
;
|
||||||
#endif
|
#endif
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
ip->ip_dst = nat->nat_inip;
|
if (nat) {
|
||||||
|
if (!nat->nat_frag && fin->fin_fi.fi_fl & FI_FRAG)
|
||||||
|
ipfr_nat_newfrag(ip, fin, 0, nat);
|
||||||
|
(void) ap_check(ip, tcp, fin, nat);
|
||||||
nat->nat_age = fr_defnatage;
|
nat->nat_age = fr_defnatage;
|
||||||
|
ip->ip_dst = nat->nat_inip;
|
||||||
|
nat->nat_bytes += ip->ip_len;
|
||||||
|
nat->nat_pkts++;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Fix up checksums, not by recalculating them, but
|
* Fix up checksums, not by recalculating them, but
|
||||||
* simply computing adjustments.
|
* simply computing adjustments.
|
||||||
*/
|
*/
|
||||||
#if SOLARIS
|
#if SOLARIS
|
||||||
if (np->in_redir == NAT_MAP)
|
if (nat->nat_dir == NAT_OUTBOUND)
|
||||||
fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
|
fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
|
||||||
else
|
else
|
||||||
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
|
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
|
||||||
@ -875,6 +953,14 @@ fr_info_t *fin;
|
|||||||
csump = &tcp->th_sum;
|
csump = &tcp->th_sum;
|
||||||
fr_tcp_age(&nat->nat_age,
|
fr_tcp_age(&nat->nat_age,
|
||||||
nat->nat_state, ip, fin,0);
|
nat->nat_state, ip, fin,0);
|
||||||
|
/*
|
||||||
|
* Increase this because we may have
|
||||||
|
* "keep state" following this too and
|
||||||
|
* packet storms can occur if this is
|
||||||
|
* removed too quickly.
|
||||||
|
*/
|
||||||
|
if (nat->nat_age == fr_tcpclosed)
|
||||||
|
nat->nat_age = fr_tcplastack;
|
||||||
} else if (ip->ip_p == IPPROTO_UDP) {
|
} else if (ip->ip_p == IPPROTO_UDP) {
|
||||||
udphdr_t *udp = (udphdr_t *)tcp;
|
udphdr_t *udp = (udphdr_t *)tcp;
|
||||||
|
|
||||||
@ -886,7 +972,7 @@ fr_info_t *fin;
|
|||||||
csump = &ic->icmp_cksum;
|
csump = &ic->icmp_cksum;
|
||||||
}
|
}
|
||||||
if (csump) {
|
if (csump) {
|
||||||
if (np->in_redir == NAT_MAP)
|
if (nat->nat_dir == NAT_OUTBOUND)
|
||||||
fix_incksum(csump,
|
fix_incksum(csump,
|
||||||
nat->nat_sumd);
|
nat->nat_sumd);
|
||||||
else
|
else
|
||||||
@ -914,6 +1000,7 @@ void ip_natunload()
|
|||||||
SPLNET(s);
|
SPLNET(s);
|
||||||
(void) clear_natlist();
|
(void) clear_natlist();
|
||||||
(void) flush_nattable();
|
(void) flush_nattable();
|
||||||
|
(void) ap_unload();
|
||||||
SPLX(s)
|
SPLX(s)
|
||||||
MUTEX_EXIT(&ipf_nat);
|
MUTEX_EXIT(&ipf_nat);
|
||||||
}
|
}
|
||||||
@ -970,12 +1057,14 @@ u_short type;
|
|||||||
# if BSD >= 199306 || defined(__FreeBSD__)
|
# if BSD >= 199306 || defined(__FreeBSD__)
|
||||||
microtime((struct timeval *)&natl);
|
microtime((struct timeval *)&natl);
|
||||||
# endif
|
# endif
|
||||||
natl.nl_origport = nat->nat_oport;
|
|
||||||
natl.nl_outport = nat->nat_outport;
|
|
||||||
natl.nl_inport = nat->nat_inport;
|
|
||||||
natl.nl_origip = nat->nat_oip;
|
|
||||||
natl.nl_outip = nat->nat_outip;
|
|
||||||
natl.nl_inip = nat->nat_inip;
|
natl.nl_inip = nat->nat_inip;
|
||||||
|
natl.nl_outip = nat->nat_outip;
|
||||||
|
natl.nl_origip = nat->nat_oip;
|
||||||
|
natl.nl_bytes = nat->nat_bytes;
|
||||||
|
natl.nl_pkts = nat->nat_pkts;
|
||||||
|
natl.nl_origport = nat->nat_oport;
|
||||||
|
natl.nl_inport = nat->nat_inport;
|
||||||
|
natl.nl_outport = nat->nat_outport;
|
||||||
natl.nl_type = type;
|
natl.nl_type = type;
|
||||||
natl.nl_rule = -1;
|
natl.nl_rule = -1;
|
||||||
if (nat->nat_ptr) {
|
if (nat->nat_ptr) {
|
||||||
|
@ -1,17 +1,21 @@
|
|||||||
/*
|
/*
|
||||||
* (C)opyright 1995 by Darren Reed.
|
* (C)opyright 1995-1997 by Darren Reed.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms are permitted
|
* Redistribution and use in source and binary forms are permitted
|
||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
* to the original author and the contributors.
|
* to the original author and the contributors.
|
||||||
*
|
*
|
||||||
* @(#)ip_nat.h 1.5 2/4/96
|
* @(#)ip_nat.h 1.5 2/4/96
|
||||||
* $Id: ip_nat.h,v 2.0.2.6 1997/03/31 10:05:30 darrenr Exp $
|
* $Id: ip_nat.h,v 2.0.2.12 1997/05/24 07:35:20 darrenr Exp $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef __IP_NAT_H_
|
#ifndef __IP_NAT_H__
|
||||||
#define __IP_NAT_H__
|
#define __IP_NAT_H__
|
||||||
|
|
||||||
|
#ifndef __IP_PROXY_H__
|
||||||
|
#include "netinet/ip_proxy.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifndef SOLARIS
|
#ifndef SOLARIS
|
||||||
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
|
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
|
||||||
#endif
|
#endif
|
||||||
@ -44,9 +48,12 @@ typedef struct nat {
|
|||||||
int nat_flags;
|
int nat_flags;
|
||||||
u_long nat_sumd;
|
u_long nat_sumd;
|
||||||
u_long nat_ipsumd;
|
u_long nat_ipsumd;
|
||||||
|
struct ipfr *nat_frag;
|
||||||
struct in_addr nat_inip;
|
struct in_addr nat_inip;
|
||||||
struct in_addr nat_outip;
|
struct in_addr nat_outip;
|
||||||
struct in_addr nat_oip; /* other ip */
|
struct in_addr nat_oip; /* other ip */
|
||||||
|
U_QUAD_T nat_pkts;
|
||||||
|
U_QUAD_T nat_bytes;
|
||||||
u_short nat_oport; /* other port */
|
u_short nat_oport; /* other port */
|
||||||
u_short nat_inport;
|
u_short nat_inport;
|
||||||
u_short nat_outport;
|
u_short nat_outport;
|
||||||
@ -56,6 +63,8 @@ typedef struct nat {
|
|||||||
struct nat *nat_next;
|
struct nat *nat_next;
|
||||||
struct nat *nat_hnext[2];
|
struct nat *nat_hnext[2];
|
||||||
struct nat **nat_hstart[2];
|
struct nat **nat_hstart[2];
|
||||||
|
void *nat_ifp;
|
||||||
|
int nat_dir;
|
||||||
} nat_t;
|
} nat_t;
|
||||||
|
|
||||||
typedef struct ipnat {
|
typedef struct ipnat {
|
||||||
@ -69,8 +78,12 @@ typedef struct ipnat {
|
|||||||
u_short in_port[2];
|
u_short in_port[2];
|
||||||
struct in_addr in_in[2];
|
struct in_addr in_in[2];
|
||||||
struct in_addr in_out[2];
|
struct in_addr in_out[2];
|
||||||
|
struct aproxy *in_apr;
|
||||||
int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
|
int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
|
||||||
char in_ifname[IFNAMSIZ];
|
char in_ifname[IFNAMSIZ];
|
||||||
|
char in_plabel[APR_LABELLEN]; /* proxy label */
|
||||||
|
char in_p; /* protocol */
|
||||||
|
u_short in_dport;
|
||||||
} ipnat_t;
|
} ipnat_t;
|
||||||
|
|
||||||
#define in_pmin in_port[0] /* Also holds static redir port */
|
#define in_pmin in_port[0] /* Also holds static redir port */
|
||||||
@ -81,11 +94,12 @@ typedef struct ipnat {
|
|||||||
#define in_outip in_out[0].s_addr
|
#define in_outip in_out[0].s_addr
|
||||||
#define in_outmsk in_out[1].s_addr
|
#define in_outmsk in_out[1].s_addr
|
||||||
|
|
||||||
#define NAT_INBOUND 0
|
#define NAT_OUTBOUND 0
|
||||||
#define NAT_OUTBOUND 1
|
#define NAT_INBOUND 1
|
||||||
|
|
||||||
#define NAT_MAP 0
|
#define NAT_MAP 0x01
|
||||||
#define NAT_REDIRECT 1
|
#define NAT_REDIRECT 0x02
|
||||||
|
#define NAT_BIMAP (NAT_MAP|NAT_REDIRECT)
|
||||||
|
|
||||||
#define IPN_CMPSIZ (sizeof(struct in_addr) * 4 + sizeof(u_short) * 3 + \
|
#define IPN_CMPSIZ (sizeof(struct in_addr) * 4 + sizeof(u_short) * 3 + \
|
||||||
sizeof(int))
|
sizeof(int))
|
||||||
@ -99,6 +113,7 @@ typedef struct natlookup {
|
|||||||
|
|
||||||
typedef struct natstat {
|
typedef struct natstat {
|
||||||
u_long ns_mapped[2];
|
u_long ns_mapped[2];
|
||||||
|
u_long ns_rules;
|
||||||
u_long ns_added;
|
u_long ns_added;
|
||||||
u_long ns_expire;
|
u_long ns_expire;
|
||||||
u_long ns_inuse;
|
u_long ns_inuse;
|
||||||
@ -108,10 +123,11 @@ typedef struct natstat {
|
|||||||
ipnat_t *ns_list;
|
ipnat_t *ns_list;
|
||||||
} natstat_t;
|
} natstat_t;
|
||||||
|
|
||||||
#define IPN_ANY 0
|
#define IPN_ANY 0x00
|
||||||
#define IPN_TCP 1
|
#define IPN_TCP 0x01
|
||||||
#define IPN_UDP 2
|
#define IPN_UDP 0x02
|
||||||
#define IPN_TCPUDP 3
|
#define IPN_TCPUDP 0x03
|
||||||
|
#define IPN_DELETE 0x04
|
||||||
|
|
||||||
|
|
||||||
typedef struct natlog {
|
typedef struct natlog {
|
||||||
@ -124,6 +140,8 @@ typedef struct natlog {
|
|||||||
u_short nl_inport;
|
u_short nl_inport;
|
||||||
u_short nl_type;
|
u_short nl_type;
|
||||||
int nl_rule;
|
int nl_rule;
|
||||||
|
U_QUAD_T nl_pkts;
|
||||||
|
U_QUAD_T nl_bytes;
|
||||||
} natlog_t;
|
} natlog_t;
|
||||||
|
|
||||||
|
|
||||||
@ -132,18 +150,22 @@ typedef struct natlog {
|
|||||||
#define NL_EXPIRE 0xffff
|
#define NL_EXPIRE 0xffff
|
||||||
|
|
||||||
|
|
||||||
|
extern u_long fr_defnatage;
|
||||||
extern nat_t *nat_table[2][NAT_SIZE];
|
extern nat_t *nat_table[2][NAT_SIZE];
|
||||||
extern int nat_ioctl __P((caddr_t, int, int));
|
extern int nat_ioctl __P((caddr_t, int, int));
|
||||||
extern nat_t *nat_outlookup __P((int, struct in_addr, u_short,
|
extern nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_short, int));
|
||||||
|
extern nat_t *nat_outlookup __P((void *, int, struct in_addr, u_short,
|
||||||
struct in_addr, u_short));
|
struct in_addr, u_short));
|
||||||
extern nat_t *nat_inlookup __P((int, struct in_addr, u_short,
|
extern nat_t *nat_inlookup __P((void *, int, struct in_addr, u_short,
|
||||||
struct in_addr, u_short));
|
struct in_addr, u_short));
|
||||||
extern nat_t *nat_lookupredir __P((natlookup_t *));
|
extern nat_t *nat_lookupredir __P((natlookup_t *));
|
||||||
extern nat_t *nat_lookupmapip __P((int, struct in_addr, u_short,
|
extern nat_t *nat_lookupmapip __P((void *, int, struct in_addr, u_short,
|
||||||
struct in_addr, u_short));
|
struct in_addr, u_short));
|
||||||
|
|
||||||
extern int ip_natout __P((ip_t *, int, fr_info_t *));
|
extern int ip_natout __P((ip_t *, int, fr_info_t *));
|
||||||
extern int ip_natin __P((ip_t *, int, fr_info_t *));
|
extern int ip_natin __P((ip_t *, int, fr_info_t *));
|
||||||
extern void ip_natunload __P((void)), ip_natexpire __P((void));
|
extern void ip_natunload __P((void)), ip_natexpire __P((void));
|
||||||
extern void nat_log __P((struct nat *, u_short));
|
extern void nat_log __P((struct nat *, u_short));
|
||||||
|
extern void fix_incksum __P((u_short *, u_long));
|
||||||
|
extern void fix_outcksum __P((u_short *, u_long));
|
||||||
#endif /* __IP_NAT_H__ */
|
#endif /* __IP_NAT_H__ */
|
||||||
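Review bot: The comment on `in_redir` in the ipnat struct hunk, `/* 0 if it's a mapping, 1 if it's a hard redir */`, is stale once this section redefines NAT_MAP as 0x01, NAT_REDIRECT as 0x02 and adds NAT_BIMAP as their OR; the field is now a bit mask, and ip_natout/ip_natin in this same commit test it with `np->in_redir & NAT_MAP` / `& NAT_REDIRECT`. Suggest `int in_redir; /* NAT_MAP, NAT_REDIRECT or NAT_BIMAP: bit flags, not 0/1 */`. The same section also swaps the numeric values of NAT_INBOUND and NAT_OUTBOUND, and nat_log() copies in_redir into `nl_type`, so any userland reader of natlog_t or of these constants built against the previous header will misinterpret records until rebuilt; that deserves a one-line comment next to the defines or a changelog entry. The new `nat_ifp` is a bare `void *` compared by identity in the three lookup functions; a short comment saying it holds the interface pointer the entry was created on (`fin->fin_ifp`) and that passing NULL to the lookups means "any interface" would save the next reader a trip to ip_nat.c.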
|
@ -9,7 +9,7 @@
|
|||||||
*/
|
*/
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed";
|
static char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed";
|
||||||
static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.3 1997/03/27 13:45:13 darrenr Exp $";
|
static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.8 1997/05/24 07:42:56 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -18,6 +18,7 @@ static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.3 1997/03/27 13:45:13 darrenr Exp
|
|||||||
#include <sys/cpuvar.h>
|
#include <sys/cpuvar.h>
|
||||||
#include <sys/open.h>
|
#include <sys/open.h>
|
||||||
#include <sys/ioctl.h>
|
#include <sys/ioctl.h>
|
||||||
|
#include <sys/filio.h>
|
||||||
#include <sys/systm.h>
|
#include <sys/systm.h>
|
||||||
#include <sys/cred.h>
|
#include <sys/cred.h>
|
||||||
#include <sys/ddi.h>
|
#include <sys/ddi.h>
|
||||||
@ -43,8 +44,8 @@ static char rcsid[] = "$Id: ip_sfil.c,v 2.0.2.3 1997/03/27 13:45:13 darrenr Exp
|
|||||||
#include "ip_compat.h"
|
#include "ip_compat.h"
|
||||||
#include "ip_fil.h"
|
#include "ip_fil.h"
|
||||||
#include "ip_state.h"
|
#include "ip_state.h"
|
||||||
#include "ip_frag.h"
|
|
||||||
#include "ip_nat.h"
|
#include "ip_nat.h"
|
||||||
|
#include "ip_frag.h"
|
||||||
#include <inet/ip_ire.h>
|
#include <inet/ip_ire.h>
|
||||||
#ifndef MIN
|
#ifndef MIN
|
||||||
#define MIN(a,b) (((a)<(b))?(a):(b))
|
#define MIN(a,b) (((a)<(b))?(a):(b))
|
||||||
@ -63,11 +64,11 @@ int ipllog __P((u_int, int, ip_t *, fr_info_t *, mblk_t *));
|
|||||||
static void frflush __P((caddr_t));
|
static void frflush __P((caddr_t));
|
||||||
char iplbuf[3][IPLLOGSIZE];
|
char iplbuf[3][IPLLOGSIZE];
|
||||||
caddr_t iplh[3], iplt[3];
|
caddr_t iplh[3], iplt[3];
|
||||||
static int iplused[3] = {0, 0, 0};
|
int iplused[3] = {0, 0, 0};
|
||||||
#endif /* IPFILTER_LOG */
|
#endif /* IPFILTER_LOG */
|
||||||
static int frrequest __P((int, caddr_t, int));
|
static int frrequest __P((int, caddr_t, int));
|
||||||
kmutex_t ipl_mutex, ipf_mutex, ipfs_mutex;
|
kmutex_t ipl_mutex, ipf_mutex, ipfs_mutex;
|
||||||
kmutex_t ipf_frag, ipf_state, ipf_nat;
|
kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag;
|
||||||
kcondvar_t iplwait;
|
kcondvar_t iplwait;
|
||||||
|
|
||||||
|
|
||||||
@ -86,6 +87,7 @@ int ipldetach()
|
|||||||
mutex_destroy(&ipfs_mutex);
|
mutex_destroy(&ipfs_mutex);
|
||||||
mutex_destroy(&ipf_frag);
|
mutex_destroy(&ipf_frag);
|
||||||
mutex_destroy(&ipf_state);
|
mutex_destroy(&ipf_state);
|
||||||
|
mutex_destroy(&ipf_natfrag);
|
||||||
mutex_destroy(&ipf_nat);
|
mutex_destroy(&ipf_nat);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -107,8 +109,9 @@ int iplattach __P((void))
|
|||||||
mutex_init(&ipf_frag, "ipf fragment mutex", MUTEX_DRIVER, NULL);
|
mutex_init(&ipf_frag, "ipf fragment mutex", MUTEX_DRIVER, NULL);
|
||||||
mutex_init(&ipf_state, "ipf IP state mutex", MUTEX_DRIVER, NULL);
|
mutex_init(&ipf_state, "ipf IP state mutex", MUTEX_DRIVER, NULL);
|
||||||
mutex_init(&ipf_nat, "ipf IP NAT mutex", MUTEX_DRIVER, NULL);
|
mutex_init(&ipf_nat, "ipf IP NAT mutex", MUTEX_DRIVER, NULL);
|
||||||
|
mutex_init(&ipf_natfrag, "ipf IP NAT-Frag mutex", MUTEX_DRIVER, NULL);
|
||||||
cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL);
|
cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL);
|
||||||
ipfr_timer_id = timeout(ipfr_slowtimer, NULL, HZ/2);
|
ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000));
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -190,6 +193,17 @@ int *rp;
|
|||||||
int error = 0, unit;
|
int error = 0, unit;
|
||||||
|
|
||||||
unit = getminor(dev);
|
unit = getminor(dev);
|
||||||
|
if ((2 < unit) || (unit < 0))
|
||||||
|
return ENXIO;
|
||||||
|
|
||||||
|
if (unit == IPL_LOGNAT) {
|
||||||
|
error = nat_ioctl((caddr_t)data, cmd, mode);
|
||||||
|
return error;
|
||||||
|
}
|
||||||
|
if (unit == IPL_LOGSTATE) {
|
||||||
|
error = fr_state_ioctl((caddr_t)data, cmd, mode);
|
||||||
|
return error;
|
||||||
|
}
|
||||||
|
|
||||||
switch (cmd) {
|
switch (cmd) {
|
||||||
case SIOCFRENB :
|
case SIOCFRENB :
|
||||||
@ -304,6 +318,11 @@ int *rp;
|
|||||||
IWCOPY((caddr_t)fr_statetstats(), (caddr_t)data,
|
IWCOPY((caddr_t)fr_statetstats(), (caddr_t)data,
|
||||||
sizeof(ips_stat_t));
|
sizeof(ips_stat_t));
|
||||||
break;
|
break;
|
||||||
|
case FIONREAD :
|
||||||
|
#ifdef IPFILTER_LOG
|
||||||
|
*(int *)data = iplused[IPL_LOGIPF];
|
||||||
|
#endif
|
||||||
|
break;
|
||||||
default :
|
default :
|
||||||
error = EINVAL;
|
error = EINVAL;
|
||||||
break;
|
break;
|
||||||
@ -365,7 +384,11 @@ caddr_t data;
|
|||||||
if (!ill)
|
if (!ill)
|
||||||
ire = (ire_t *)-1;
|
ire = (ire_t *)-1;
|
||||||
else if ((ipif = ill->ill_ipif)) {
|
else if ((ipif = ill->ill_ipif)) {
|
||||||
|
#if SOLARIS2 > 5
|
||||||
|
ire = ipif_to_ire(ipif);
|
||||||
|
#else
|
||||||
ire = ire_lookup_myaddr(ipif->ipif_local_addr);
|
ire = ire_lookup_myaddr(ipif->ipif_local_addr);
|
||||||
|
#endif
|
||||||
if (!ire)
|
if (!ire)
|
||||||
ire = (ire_t *)-1;
|
ire = (ire_t *)-1;
|
||||||
else
|
else
|
||||||
@ -380,7 +403,11 @@ caddr_t data;
|
|||||||
if (!ill)
|
if (!ill)
|
||||||
ire = (ire_t *)-1;
|
ire = (ire_t *)-1;
|
||||||
else if ((ipif = ill->ill_ipif)) {
|
else if ((ipif = ill->ill_ipif)) {
|
||||||
|
#if SOLARIS2 > 5
|
||||||
|
ire = ipif_to_ire(ipif);
|
||||||
|
#else
|
||||||
ire = ire_lookup_myaddr(ipif->ipif_local_addr);
|
ire = ire_lookup_myaddr(ipif->ipif_local_addr);
|
||||||
|
#endif
|
||||||
if (!ire)
|
if (!ire)
|
||||||
ire = (ire_t *)-1;
|
ire = (ire_t *)-1;
|
||||||
}
|
}
|
||||||
@ -629,27 +656,6 @@ mblk_t *m;
|
|||||||
#endif /* IPFILTER_LOG */
|
#endif /* IPFILTER_LOG */
|
||||||
|
|
||||||
|
|
||||||
u_short ipf_cksum(addr, len)
|
|
||||||
register u_short *addr;
|
|
||||||
register int len;
|
|
||||||
{
|
|
||||||
register u_long sum = 0;
|
|
||||||
|
|
||||||
for (sum = 0; len > 1; len -= 2)
|
|
||||||
sum += *addr++;
|
|
||||||
|
|
||||||
/* mop up an odd byte, if necessary */
|
|
||||||
if (len == 1)
|
|
||||||
sum += *(u_char *)addr;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* add back carry outs from top 16 bits to low 16 bits
|
|
||||||
*/
|
|
||||||
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
|
|
||||||
sum += (sum >> 16); /* add carry */
|
|
||||||
return (u_short)(~sum);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* send_reset - this could conceivably be a call to tcp_respond(), but that
|
* send_reset - this could conceivably be a call to tcp_respond(), but that
|
||||||
* requires a large amount of setting up and isn't any more efficient.
|
* requires a large amount of setting up and isn't any more efficient.
|
||||||
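Review bot: The new `FIONREAD` case in iplioctl writes the result straight through the ioctl argument, `*(int *)data = iplused[IPL_LOGIPF];`, while every other out-copy in this function (the SIOCGIPST case just above it, for instance) goes through `IWCOPY(..., (caddr_t)data, ...)`; if `data` is a user address, as those copies imply, this is an unchecked kernel write to user memory and should be `IWCOPY((caddr_t)&iplused[IPL_LOGIPF], (caddr_t)data, sizeof(int));` (the same pattern is repeated in fr_state_ioctl further down the page). When IPFILTER_LOG is not defined the case also falls out with `error` still 0 and nothing stored, so the caller reads whatever was already in its buffer; returning EINVAL in that configuration, as the default case does, would be more honest. The minor-number guard `if ((2 < unit) || (unit < 0))` hard-codes three units; a named constant or a comment tying it to IPL_LOGIPF/IPL_LOGNAT/IPL_LOGSTATE would keep it in step if another unit is added. The enclosing iplioctl body starts and ends outside the hunk.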
|
@ -7,7 +7,7 @@
|
|||||||
*/
|
*/
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
|
static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
|
||||||
static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp $";
|
static char rcsid[] = "$Id: ip_state.c,v 2.0.2.12 1997/05/24 07:34:10 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if !defined(_KERNEL) && !defined(KERNEL)
|
#if !defined(_KERNEL) && !defined(KERNEL)
|
||||||
@ -19,12 +19,11 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp
|
|||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/time.h>
|
#include <sys/time.h>
|
||||||
#include <sys/file.h>
|
#include <sys/file.h>
|
||||||
#if defined(__FreeBSD__) && (__FreeBSD__ >= 3)
|
#if defined(KERNEL) && (__FreeBSD_version >= 220000)
|
||||||
#include <sys/ioccom.h>
|
# include <sys/filio.h>
|
||||||
#include <sys/filio.h>
|
# include <sys/fcntl.h>
|
||||||
#include <sys/fcntl.h>
|
|
||||||
#else
|
#else
|
||||||
#include <sys/ioctl.h>
|
# include <sys/ioctl.h>
|
||||||
#endif
|
#endif
|
||||||
#include <sys/uio.h>
|
#include <sys/uio.h>
|
||||||
#include <sys/protosw.h>
|
#include <sys/protosw.h>
|
||||||
@ -35,6 +34,7 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp
|
|||||||
#if !defined(__SVR4) && !defined(__svr4__)
|
#if !defined(__SVR4) && !defined(__svr4__)
|
||||||
# include <sys/mbuf.h>
|
# include <sys/mbuf.h>
|
||||||
#else
|
#else
|
||||||
|
# include <sys/filio.h>
|
||||||
# include <sys/byteorder.h>
|
# include <sys/byteorder.h>
|
||||||
# include <sys/dditypes.h>
|
# include <sys/dditypes.h>
|
||||||
# include <sys/stream.h>
|
# include <sys/stream.h>
|
||||||
@ -55,9 +55,10 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp
|
|||||||
#include <netinet/udp.h>
|
#include <netinet/udp.h>
|
||||||
#include <netinet/tcpip.h>
|
#include <netinet/tcpip.h>
|
||||||
#include <netinet/ip_icmp.h>
|
#include <netinet/ip_icmp.h>
|
||||||
#include "ip_compat.h"
|
#include "netinet/ip_compat.h"
|
||||||
#include "ip_fil.h"
|
#include "netinet/ip_fil.h"
|
||||||
#include "ip_state.h"
|
#include "netinet/ip_nat.h"
|
||||||
|
#include "netinet/ip_state.h"
|
||||||
#ifndef MIN
|
#ifndef MIN
|
||||||
#define MIN(a,b) (((a)<(b))?(a):(b))
|
#define MIN(a,b) (((a)<(b))?(a):(b))
|
||||||
#endif
|
#endif
|
||||||
@ -67,11 +68,8 @@ static char rcsid[] = "$Id: ip_state.c,v 2.0.2.6 1997/04/02 12:23:24 darrenr Exp
|
|||||||
ipstate_t *ips_table[IPSTATE_SIZE];
|
ipstate_t *ips_table[IPSTATE_SIZE];
|
||||||
int ips_num = 0;
|
int ips_num = 0;
|
||||||
ips_stat_t ips_stats;
|
ips_stat_t ips_stats;
|
||||||
#if SOLARIS
|
#if SOLARIS && defined(_KERNEL)
|
||||||
extern kmutex_t ipf_state;
|
extern kmutex_t ipf_state;
|
||||||
# if !defined(_KERNEL)
|
|
||||||
#define bcopy(a,b,c) memmove(b,a,c)
|
|
||||||
# endif
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
@ -94,10 +92,27 @@ ips_stat_t *fr_statetstats()
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
|
int fr_state_ioctl(data, cmd, mode)
|
||||||
(((s1) == (d2)) && ((d1) == (s2))))
|
caddr_t data;
|
||||||
#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \
|
int cmd;
|
||||||
(s2).s_addr, (d2).s_addr)
|
int mode;
|
||||||
|
{
|
||||||
|
switch (cmd)
|
||||||
|
{
|
||||||
|
case SIOCGIPST :
|
||||||
|
IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t));
|
||||||
|
break;
|
||||||
|
case FIONREAD :
|
||||||
|
#ifdef IPFILTER_LOG
|
||||||
|
*(int *)data = iplused[IPL_LOGSTATE];
|
||||||
|
#endif
|
||||||
|
break;
|
||||||
|
default :
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Create a new ipstate structure and hang it off the hash table.
|
* Create a new ipstate structure and hang it off the hash table.
|
||||||
@ -212,6 +227,8 @@ u_int pass;
|
|||||||
ipstate_log(is, ISL_NEW);
|
ipstate_log(is, ISL_NEW);
|
||||||
#endif
|
#endif
|
||||||
MUTEX_EXIT(&ipf_state);
|
MUTEX_EXIT(&ipf_state);
|
||||||
|
if (fin->fin_fi.fi_fl & FI_FRAG)
|
||||||
|
ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -346,8 +363,9 @@ fr_info_t *fin;
|
|||||||
is->is_pkts++;
|
is->is_pkts++;
|
||||||
is->is_bytes += ip->ip_len;
|
is->is_bytes += ip->ip_len;
|
||||||
ips_stats.iss_hits++;
|
ips_stats.iss_hits++;
|
||||||
|
pass = is->is_pass;
|
||||||
MUTEX_EXIT(&ipf_state);
|
MUTEX_EXIT(&ipf_state);
|
||||||
return is->is_pass;
|
return pass;
|
||||||
}
|
}
|
||||||
MUTEX_EXIT(&ipf_state);
|
MUTEX_EXIT(&ipf_state);
|
||||||
break;
|
break;
|
||||||
@ -364,10 +382,10 @@ fr_info_t *fin;
|
|||||||
PAIRS(sport, dport, is->is_sport, is->is_dport) &&
|
PAIRS(sport, dport, is->is_sport, is->is_dport) &&
|
||||||
IPPAIR(src, dst, is->is_src, is->is_dst))
|
IPPAIR(src, dst, is->is_src, is->is_dst))
|
||||||
if (fr_tcpstate(is, fin, ip, tcp, sport)) {
|
if (fr_tcpstate(is, fin, ip, tcp, sport)) {
|
||||||
|
pass = is->is_pass;
|
||||||
#ifdef _KERNEL
|
#ifdef _KERNEL
|
||||||
MUTEX_EXIT(&ipf_state);
|
MUTEX_EXIT(&ipf_state);
|
||||||
#else
|
#else
|
||||||
int pass = is->is_pass;
|
|
||||||
|
|
||||||
if (tcp->th_flags & TCP_CLOSE) {
|
if (tcp->th_flags & TCP_CLOSE) {
|
||||||
*isp = is->is_next;
|
*isp = is->is_next;
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
/*
|
/*
|
||||||
* (C)opyright 1995 by Darren Reed.
|
* (C)opyright 1995-1997 by Darren Reed.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms are permitted
|
* Redistribution and use in source and binary forms are permitted
|
||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
* to the original author and the contributors.
|
* to the original author and the contributors.
|
||||||
*
|
*
|
||||||
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
|
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
|
||||||
* $Id: ip_state.h,v 2.0.2.5 1997/03/31 10:05:32 darrenr Exp $
|
* $Id: ip_state.h,v 2.0.2.9 1997/05/24 07:35:11 darrenr Exp $
|
||||||
*/
|
*/
|
||||||
#ifndef __IP_STATE_H__
|
#ifndef __IP_STATE_H__
|
||||||
#define __IP_STATE_H__
|
#define __IP_STATE_H__
|
||||||
@ -14,6 +14,12 @@
|
|||||||
#define IPSTATE_SIZE 257
|
#define IPSTATE_SIZE 257
|
||||||
#define IPSTATE_MAX 2048 /* Maximum number of states held */
|
#define IPSTATE_MAX 2048 /* Maximum number of states held */
|
||||||
|
|
||||||
|
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
|
||||||
|
(((s1) == (d2)) && ((d1) == (s2))))
|
||||||
|
#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \
|
||||||
|
(s2).s_addr, (d2).s_addr)
|
||||||
|
|
||||||
|
|
||||||
typedef struct udpstate {
|
typedef struct udpstate {
|
||||||
u_short us_sport;
|
u_short us_sport;
|
||||||
u_short us_dport;
|
u_short us_dport;
|
||||||
@ -106,6 +112,14 @@ typedef struct ips_stat {
|
|||||||
ipstate_t **iss_table;
|
ipstate_t **iss_table;
|
||||||
} ips_stat_t;
|
} ips_stat_t;
|
||||||
|
|
||||||
|
|
||||||
|
extern u_long fr_tcpidletimeout;
|
||||||
|
extern u_long fr_tcpclosewait;
|
||||||
|
extern u_long fr_tcplastack;
|
||||||
|
extern u_long fr_tcptimeout;
|
||||||
|
extern u_long fr_tcpclosed;
|
||||||
|
extern u_long fr_udptimeout;
|
||||||
|
extern u_long fr_icmptimeout;
|
||||||
extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *,
|
extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *,
|
||||||
tcphdr_t *, u_short));
|
tcphdr_t *, u_short));
|
||||||
extern ips_stat_t *fr_statetstats __P((void));
|
extern ips_stat_t *fr_statetstats __P((void));
|
||||||
@ -115,4 +129,5 @@ extern void fr_timeoutstate __P((void));
|
|||||||
extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
|
extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int));
|
||||||
extern void fr_stateunload __P((void));
|
extern void fr_stateunload __P((void));
|
||||||
extern void ipstate_log __P((struct ipstate *, u_short));
|
extern void ipstate_log __P((struct ipstate *, u_short));
|
||||||
|
extern int fr_state_ioctl __P((caddr_t, int, int));
|
||||||
#endif /* __IP_STATE_H__ */
|
#endif /* __IP_STATE_H__ */
|
||||||
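Review bot: PAIRS and IPPAIR are now exported from the header under generic, unprefixed names and expand each argument up to four times, yet the hunk moves them without a comment saying so. I would add above `#define PAIRS`: `/* True when (s1,d1) equals (s2,d2) in either order; the arguments are expanded several times, so pass only side-effect-free expressions. */`. The two call sites visible in ip_state.c pass plain variables, so nothing changes today; the note is for future callers now that the macros are reachable from any file including ip_state.h.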
|
@ -5,6 +5,9 @@
|
|||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
* to the original author and the contributors.
|
* to the original author and the contributors.
|
||||||
*/
|
*/
|
||||||
|
#ifdef __FreeBSD__
|
||||||
|
# include <osreldate.h>
|
||||||
|
#endif
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
@ -22,7 +25,11 @@
|
|||||||
#include <sys/ioctl.h>
|
#include <sys/ioctl.h>
|
||||||
#include <netinet/in.h>
|
#include <netinet/in.h>
|
||||||
#include <netinet/in_systm.h>
|
#include <netinet/in_systm.h>
|
||||||
|
#include <sys/time.h>
|
||||||
#include <net/if.h>
|
#include <net/if.h>
|
||||||
|
#if __FreeBSD_version >= 300000
|
||||||
|
# include <net/if_var.h>
|
||||||
|
#endif
|
||||||
#include <netinet/ip.h>
|
#include <netinet/ip.h>
|
||||||
#include <netdb.h>
|
#include <netdb.h>
|
||||||
#include <arpa/nameser.h>
|
#include <arpa/nameser.h>
|
||||||
@ -33,7 +40,7 @@
|
|||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed";
|
static char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed";
|
||||||
static char rcsid[] = "$Id: ipf.c,v 2.0.2.5 1997/03/31 10:05:33 darrenr Exp $";
|
static char rcsid[] = "$Id: ipf.c,v 2.0.2.6 1997/04/30 13:59:59 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if SOLARIS
|
#if SOLARIS
|
||||||
|
@ -1,14 +1,17 @@
|
|||||||
/*
|
/*
|
||||||
* (C)opyright 1993-1996 by Darren Reed.
|
* (C)opyright 1993-1997 by Darren Reed.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms are permitted
|
* Redistribution and use in source and binary forms are permitted
|
||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
* to the original author and the contributors.
|
* to the original author and the contributors.
|
||||||
*
|
*
|
||||||
* @(#)ipf.h 1.12 6/5/96
|
* @(#)ipf.h 1.12 6/5/96
|
||||||
* $Id: ipf.h,v 2.0.2.4 1997/03/27 13:45:18 darrenr Exp $
|
* $Id: ipf.h,v 2.0.2.6 1997/04/30 13:49:05 darrenr Exp $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#ifndef __IPF_H__
|
||||||
|
#define __IPF_H__
|
||||||
|
|
||||||
#ifndef SOLARIS
|
#ifndef SOLARIS
|
||||||
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
|
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
|
||||||
#endif
|
#endif
|
||||||
@ -46,12 +49,6 @@ extern void binprint __P((struct frentry *)), initparse __P((void));
|
|||||||
extern u_short portnum __P((char *));
|
extern u_short portnum __P((char *));
|
||||||
|
|
||||||
|
|
||||||
#if defined(__SVR4) || defined(__svr4__)
|
|
||||||
#define index strchr
|
|
||||||
#define bzero(a,b) memset(a, 0, b)
|
|
||||||
#define bcopy(a,b,c) memmove(b,a,c)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
struct ipopt_names {
|
struct ipopt_names {
|
||||||
int on_value;
|
int on_value;
|
||||||
int on_bit;
|
int on_bit;
|
||||||
@ -79,3 +76,4 @@ extern char *sys_errlist[];
|
|||||||
#define MIN(a,b) ((a) > (b) ? (b) : (a))
|
#define MIN(a,b) ((a) > (b) ? (b) : (a))
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#endif /* __IPF_H__ */
|
||||||
|
@ -31,6 +31,7 @@ etherfind -n -t
|
|||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
#include <sys/ioctl.h>
|
#include <sys/ioctl.h>
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
|
#include <sys/time.h>
|
||||||
#include <netinet/in.h>
|
#include <netinet/in.h>
|
||||||
#include <arpa/inet.h>
|
#include <arpa/inet.h>
|
||||||
#include <netinet/in_systm.h>
|
#include <netinet/in_systm.h>
|
||||||
@ -42,12 +43,13 @@ etherfind -n -t
|
|||||||
#include <netinet/tcpip.h>
|
#include <netinet/tcpip.h>
|
||||||
#include <net/if.h>
|
#include <net/if.h>
|
||||||
#include <netdb.h>
|
#include <netdb.h>
|
||||||
|
#include "ip_compat.h"
|
||||||
#include "ipf.h"
|
#include "ipf.h"
|
||||||
#include "ipt.h"
|
#include "ipt.h"
|
||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
|
static char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
|
||||||
static char rcsid[] = "$Id: ipft_ef.c,v 2.0.2.3 1997/03/10 08:10:24 darrenr Exp $";
|
static char rcsid[] = "$Id: ipft_ef.c,v 2.0.2.4 1997/04/30 13:55:06 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static int etherf_open __P((char *));
|
static int etherf_open __P((char *));
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
#endif
|
#endif
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
|
#include <sys/time.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
@ -33,12 +34,13 @@
|
|||||||
#include <netdb.h>
|
#include <netdb.h>
|
||||||
#include <arpa/nameser.h>
|
#include <arpa/nameser.h>
|
||||||
#include <resolv.h>
|
#include <resolv.h>
|
||||||
|
#include "ip_compat.h"
|
||||||
#include "ipf.h"
|
#include "ipf.h"
|
||||||
#include "ipt.h"
|
#include "ipt.h"
|
||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
|
static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
|
||||||
static char rcsid[] = "$Id: ipft_hx.c,v 2.0.2.3 1997/03/10 08:10:25 darrenr Exp $";
|
static char rcsid[] = "$Id: ipft_hx.c,v 2.0.2.4 1997/04/30 13:55:07 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
extern int opts;
|
extern int opts;
|
||||||
|
@ -25,12 +25,13 @@
|
|||||||
#include <netinet/tcp.h>
|
#include <netinet/tcp.h>
|
||||||
#include <netinet/tcpip.h>
|
#include <netinet/tcpip.h>
|
||||||
#include <net/if.h>
|
#include <net/if.h>
|
||||||
|
#include "ip_compat.h"
|
||||||
#include "ipf.h"
|
#include "ipf.h"
|
||||||
#include "ipt.h"
|
#include "ipt.h"
|
||||||
#include "pcap.h"
|
#include "pcap.h"
|
||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char rcsid[] = "$Id: ipft_pc.c,v 2.0.2.3 1997/03/10 08:10:26 darrenr Exp $";
|
static char rcsid[] = "$Id: ipft_pc.c,v 2.0.2.4 1997/04/30 13:55:09 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
struct llc {
|
struct llc {
|
||||||
|
@ -21,6 +21,7 @@
|
|||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
#include <sys/ioctl.h>
|
#include <sys/ioctl.h>
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
|
#include <sys/time.h>
|
||||||
#include <netinet/in.h>
|
#include <netinet/in.h>
|
||||||
#include <netinet/in_systm.h>
|
#include <netinet/in_systm.h>
|
||||||
#include <netinet/ip_var.h>
|
#include <netinet/ip_var.h>
|
||||||
@ -28,12 +29,13 @@
|
|||||||
#include <netinet/tcp.h>
|
#include <netinet/tcp.h>
|
||||||
#include <netinet/tcpip.h>
|
#include <netinet/tcpip.h>
|
||||||
#include <net/if.h>
|
#include <net/if.h>
|
||||||
|
#include "ip_compat.h"
|
||||||
#include "ipf.h"
|
#include "ipf.h"
|
||||||
#include "ipt.h"
|
#include "ipt.h"
|
||||||
#include "snoop.h"
|
#include "snoop.h"
|
||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char rcsid[] = "$Id: ipft_sn.c,v 2.0.2.3 1997/03/10 08:10:29 darrenr Exp $";
|
static char rcsid[] = "$Id: ipft_sn.c,v 2.0.2.4 1997/04/30 13:55:10 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
struct llc {
|
struct llc {
|
||||||
|
@ -35,6 +35,7 @@ tcpdump -nqte
|
|||||||
#endif
|
#endif
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
|
#include <sys/time.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
@ -51,12 +52,13 @@ tcpdump -nqte
|
|||||||
#include <netinet/tcpip.h>
|
#include <netinet/tcpip.h>
|
||||||
#include <net/if.h>
|
#include <net/if.h>
|
||||||
#include <netdb.h>
|
#include <netdb.h>
|
||||||
|
#include "ip_compat.h"
|
||||||
#include "ipf.h"
|
#include "ipf.h"
|
||||||
#include "ipt.h"
|
#include "ipt.h"
|
||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
|
static char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
|
||||||
static char rcsid[] = "$Id: ipft_td.c,v 2.0.2.3 1997/03/10 08:10:30 darrenr Exp $";
|
static char rcsid[] = "$Id: ipft_td.c,v 2.0.2.4 1997/04/30 13:55:12 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static int tcpd_open __P((char *));
|
static int tcpd_open __P((char *));
|
||||||
|
@ -16,6 +16,7 @@
|
|||||||
#endif
|
#endif
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
|
#include <sys/time.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
@ -40,7 +41,7 @@
|
|||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
|
static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
|
||||||
static char rcsid[] = "$Id: ipft_tx.c,v 2.0.2.3 1997/03/10 08:10:31 darrenr Exp $";
|
static char rcsid[] = "$Id: ipft_tx.c,v 2.0.2.4 1997/04/30 13:55:13 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
extern int opts;
|
extern int opts;
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* (C)opyright 1993-1996 by Darren Reed.
|
* (C)opyright 1993-1997 by Darren Reed.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms are permitted
|
* Redistribution and use in source and binary forms are permitted
|
||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
@ -8,9 +8,9 @@
|
|||||||
* @(#)ipl.h 1.21 6/5/96
|
* @(#)ipl.h 1.21 6/5/96
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef __IPL_H_
|
#ifndef __IPL_H__
|
||||||
#define __IPL_H__
|
#define __IPL_H__
|
||||||
|
|
||||||
#define IPL_VERSION "IP Filter v3.2alpha4"
|
#define IPL_VERSION "IP Filter v3.2alpha7"
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
@ -15,6 +15,7 @@
|
|||||||
#include <strings.h>
|
#include <strings.h>
|
||||||
#include <sys/dir.h>
|
#include <sys/dir.h>
|
||||||
#else
|
#else
|
||||||
|
#include <sys/filio.h>
|
||||||
#include <sys/byteorder.h>
|
#include <sys/byteorder.h>
|
||||||
#endif
|
#endif
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -48,12 +49,13 @@
|
|||||||
|
|
||||||
#include "ip_compat.h"
|
#include "ip_compat.h"
|
||||||
#include "ip_fil.h"
|
#include "ip_fil.h"
|
||||||
|
#include "ip_proxy.h"
|
||||||
#include "ip_nat.h"
|
#include "ip_nat.h"
|
||||||
#include "ip_state.h"
|
#include "ip_state.h"
|
||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1996 Darren Reed";
|
static char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1996 Darren Reed";
|
||||||
static char rcsid[] = "$Id: ipmon.c,v 2.0.2.6 1997/04/02 12:23:27 darrenr Exp $";
|
static char rcsid[] = "$Id: ipmon.c,v 2.0.2.9 1997/04/30 13:54:10 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
@ -443,6 +445,15 @@ int blen;
|
|||||||
(void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip),
|
(void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip),
|
||||||
portname(res, NULL, nl->nl_origport));
|
portname(res, NULL, nl->nl_origport));
|
||||||
t += strlen(t);
|
t += strlen(t);
|
||||||
|
if (nl->nl_type == NL_EXPIRE) {
|
||||||
|
#ifdef USE_QUAD_T
|
||||||
|
(void) sprintf(t, " Pkts %qd Bytes %qd",
|
||||||
|
#else
|
||||||
|
(void) sprintf(t, " Pkts %ld Bytes %ld",
|
||||||
|
#endif
|
||||||
|
nl->nl_pkts, nl->nl_bytes);
|
||||||
|
t += strlen(t);
|
||||||
|
}
|
||||||
|
|
||||||
*t++ = '\n';
|
*t++ = '\n';
|
||||||
*t++ = '\0';
|
*t++ = '\0';
|
||||||
@ -495,21 +506,21 @@ int blen;
|
|||||||
hostname(res, sl->isl_src),
|
hostname(res, sl->isl_src),
|
||||||
portname(res, proto, sl->isl_sport));
|
portname(res, proto, sl->isl_sport));
|
||||||
t += strlen(t);
|
t += strlen(t);
|
||||||
(void) sprintf(t, "%s,%s PR %s ",
|
(void) sprintf(t, "%s,%s PR %s",
|
||||||
hostname(res, sl->isl_dst),
|
hostname(res, sl->isl_dst),
|
||||||
portname(res, proto, sl->isl_dport), proto);
|
portname(res, proto, sl->isl_dport), proto);
|
||||||
} else if (sl->isl_p == IPPROTO_ICMP) {
|
} else if (sl->isl_p == IPPROTO_ICMP) {
|
||||||
(void) sprintf(t, "%s -> ", hostname(res, sl->isl_src));
|
(void) sprintf(t, "%s -> ", hostname(res, sl->isl_src));
|
||||||
t += strlen(t);
|
t += strlen(t);
|
||||||
(void) sprintf(t, "%s PR icmp %d ",
|
(void) sprintf(t, "%s PR icmp %d",
|
||||||
hostname(res, sl->isl_dst), sl->isl_itype);
|
hostname(res, sl->isl_dst), sl->isl_itype);
|
||||||
}
|
}
|
||||||
t += strlen(t);
|
t += strlen(t);
|
||||||
if (sl->isl_type != ISL_NEW) {
|
if (sl->isl_type != ISL_NEW) {
|
||||||
#ifdef USE_QUAD_T
|
#ifdef USE_QUAD_T
|
||||||
(void) sprintf(t, "Pkts %qd Bytes %qd",
|
(void) sprintf(t, " Pkts %qd Bytes %qd",
|
||||||
#else
|
#else
|
||||||
(void) sprintf(t, "Pkts %ld Bytes %ld",
|
(void) sprintf(t, " Pkts %ld Bytes %ld",
|
||||||
#endif
|
#endif
|
||||||
sl->isl_pkts, sl->isl_bytes);
|
sl->isl_pkts, sl->isl_bytes);
|
||||||
t += strlen(t);
|
t += strlen(t);
|
||||||
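Review bot: The new `(void) sprintf(t, " Pkts %qd Bytes %qd", ...)` in the NL_EXPIRE branch appends to the line buffer with no bound even though the function receives `blen` (visible only in the hunk header), and the text already placed in `t` by hostname()/portname() is presumably resolver output when name resolution is on, so the remaining space is not fixed. The function's start is outside this hunk, so the buffer's size is not visible here; the fix is to track the remaining room and use snprintf for every append, e.g. `(void) snprintf(t, blen - (t - buf), " Pkts %qd Bytes %qd", nl->nl_pkts, nl->nl_bytes);` where `buf` is the start of the line, and the same for the state-log `" Pkts %qd Bytes %qd"` sprintf in the second hunk. The USE_QUAD_T/%ld split also assumes nl_pkts and nl_bytes are exactly quad_t or long; their declarations are not in this hunk, so that should be confirmed against ip_nat.h.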
|
@ -48,13 +48,14 @@
|
|||||||
#include <ctype.h>
|
#include <ctype.h>
|
||||||
#include "ip_compat.h"
|
#include "ip_compat.h"
|
||||||
#include "ip_fil.h"
|
#include "ip_fil.h"
|
||||||
|
#include "ip_proxy.h"
|
||||||
#include "ip_nat.h"
|
#include "ip_nat.h"
|
||||||
#include "kmem.h"
|
#include "kmem.h"
|
||||||
|
|
||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
|
static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
|
||||||
static char rcsid[] = "$Id: ipnat.c,v 2.0.2.6 1997/04/02 12:23:29 darrenr Exp $";
|
static char rcsid[] = "$Id: ipnat.c,v 2.0.2.9 1997/05/05 14:03:55 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if SOLARIS
|
#if SOLARIS
|
||||||
@ -130,8 +131,8 @@ char *argv[];
|
|||||||
usage(argv[0]);
|
usage(argv[0]);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!(opts & OPT_NODO) && ((fd = open(IPL_NAME, O_RDWR)) == -1) &&
|
if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, O_RDWR)) == -1) &&
|
||||||
((fd = open(IPL_NAME, O_RDONLY)) == -1)) {
|
((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
|
||||||
perror("open");
|
perror("open");
|
||||||
exit(-1);
|
exit(-1);
|
||||||
}
|
}
|
||||||
@ -182,8 +183,25 @@ void *ptr;
|
|||||||
{
|
{
|
||||||
int bits;
|
int bits;
|
||||||
|
|
||||||
|
switch (np->in_redir)
|
||||||
|
{
|
||||||
|
case NAT_REDIRECT :
|
||||||
|
printf("redir ");
|
||||||
|
break;
|
||||||
|
case NAT_MAP :
|
||||||
|
printf("map ");
|
||||||
|
break;
|
||||||
|
case NAT_BIMAP :
|
||||||
|
printf("bimap ");
|
||||||
|
break;
|
||||||
|
default :
|
||||||
|
fprintf(stderr, "unknown value for in_redir: %#x\n",
|
||||||
|
np->in_redir);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
if (np->in_redir == NAT_REDIRECT) {
|
if (np->in_redir == NAT_REDIRECT) {
|
||||||
printf("rdr %s %s", np->in_ifname, inet_ntoa(np->in_out[0]));
|
printf("%s %s", np->in_ifname, inet_ntoa(np->in_out[0]));
|
||||||
bits = countbits(np->in_out[1].s_addr);
|
bits = countbits(np->in_out[1].s_addr);
|
||||||
if (bits != -1)
|
if (bits != -1)
|
||||||
printf("/%d ", bits);
|
printf("/%d ", bits);
|
||||||
@ -207,7 +225,7 @@ void *ptr;
|
|||||||
np->in_use);
|
np->in_use);
|
||||||
} else {
|
} else {
|
||||||
np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
|
np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
|
||||||
printf("map %s %s/", np->in_ifname, inet_ntoa(np->in_in[0]));
|
printf("%s %s/", np->in_ifname, inet_ntoa(np->in_in[0]));
|
||||||
bits = countbits(np->in_in[1].s_addr);
|
bits = countbits(np->in_in[1].s_addr);
|
||||||
if (bits != -1)
|
if (bits != -1)
|
||||||
printf("%d ", bits);
|
printf("%d ", bits);
|
||||||
@ -219,7 +237,13 @@ void *ptr;
|
|||||||
printf("%d ", bits);
|
printf("%d ", bits);
|
||||||
else
|
else
|
||||||
printf("%s", inet_ntoa(np->in_out[1]));
|
printf("%s", inet_ntoa(np->in_out[1]));
|
||||||
if (np->in_pmin || np->in_pmax) {
|
if (*np->in_plabel) {
|
||||||
|
printf(" proxy");
|
||||||
|
if (np->in_dport)
|
||||||
|
printf(" %hu", ntohs(np->in_dport));
|
||||||
|
printf(" %.*s/%d", sizeof(np->in_plabel),
|
||||||
|
np->in_plabel, np->in_p);
|
||||||
|
} else if (np->in_pmin || np->in_pmax) {
|
||||||
printf(" portmap");
|
printf(" portmap");
|
||||||
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
|
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
|
||||||
printf(" tcp/udp");
|
printf(" tcp/udp");
|
||||||
@ -245,13 +269,29 @@ void *ptr;
|
|||||||
char *getnattype(ipnat)
|
char *getnattype(ipnat)
|
||||||
ipnat_t *ipnat;
|
ipnat_t *ipnat;
|
||||||
{
|
{
|
||||||
|
char *which;
|
||||||
ipnat_t ipnatbuff;
|
ipnat_t ipnatbuff;
|
||||||
|
|
||||||
if (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
|
if (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
|
||||||
sizeof(ipnatbuff)))
|
sizeof(ipnatbuff)))
|
||||||
return "???";
|
return "???";
|
||||||
|
|
||||||
return (ipnatbuff.in_redir == NAT_MAP) ? "MAP" : "RDR";
|
switch (ipnatbuff.in_redir)
|
||||||
|
{
|
||||||
|
case NAT_MAP :
|
||||||
|
which = "MAP";
|
||||||
|
break;
|
||||||
|
case NAT_REDIRECT :
|
||||||
|
which = "RDR";
|
||||||
|
break;
|
||||||
|
case NAT_BIMAP :
|
||||||
|
which = "BIMAP";
|
||||||
|
break;
|
||||||
|
default :
|
||||||
|
which = "unknown";
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
return which;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -275,7 +315,7 @@ int fd, opts;
|
|||||||
ns.ns_mapped[0], ns.ns_mapped[1]);
|
ns.ns_mapped[0], ns.ns_mapped[1]);
|
||||||
printf("added\t%lu\texpired\t%lu\n",
|
printf("added\t%lu\texpired\t%lu\n",
|
||||||
ns.ns_added, ns.ns_expire);
|
ns.ns_added, ns.ns_expire);
|
||||||
printf("inuse\t%lu\n", ns.ns_inuse);
|
printf("inuse\t%lu\nrules\t%lu\n", ns.ns_inuse, ns.ns_rules);
|
||||||
if (opts & OPT_VERBOSE)
|
if (opts & OPT_VERBOSE)
|
||||||
printf("table %p list %p\n", ns.ns_table, ns.ns_list);
|
printf("table %p list %p\n", ns.ns_table, ns.ns_list);
|
||||||
}
|
}
|
||||||
@ -419,6 +459,7 @@ int *resolved;
|
|||||||
ipnat_t *parse(line)
|
ipnat_t *parse(line)
|
||||||
char *line;
|
char *line;
|
||||||
{
|
{
|
||||||
|
struct protoent *pr;
|
||||||
static ipnat_t ipn;
|
static ipnat_t ipn;
|
||||||
char *s, *t;
|
char *s, *t;
|
||||||
char *shost, *snetm, *dhost, *proto;
|
char *shost, *snetm, *dhost, *proto;
|
||||||
@ -438,9 +479,11 @@ char *line;
|
|||||||
ipn.in_redir = NAT_MAP;
|
ipn.in_redir = NAT_MAP;
|
||||||
else if (!strcasecmp(s, "rdr"))
|
else if (!strcasecmp(s, "rdr"))
|
||||||
ipn.in_redir = NAT_REDIRECT;
|
ipn.in_redir = NAT_REDIRECT;
|
||||||
|
else if (!strcasecmp(s, "bimap"))
|
||||||
|
ipn.in_redir = NAT_BIMAP;
|
||||||
else {
|
else {
|
||||||
(void)fprintf(stderr,
|
(void)fprintf(stderr,
|
||||||
"expected \"map\" or \"rdr\", got \"%s\"\n", s);
|
"expected map/rdr/bimap, got \"%s\"\n", s);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -508,7 +551,7 @@ char *line;
|
|||||||
}
|
}
|
||||||
dhost = s;
|
dhost = s;
|
||||||
|
|
||||||
if (ipn.in_redir == NAT_MAP) {
|
if (ipn.in_redir & NAT_MAP) {
|
||||||
if (!(s = strtok(NULL, " \t"))) {
|
if (!(s = strtok(NULL, " \t"))) {
|
||||||
dnetm = strrchr(dhost, '/');
|
dnetm = strrchr(dhost, '/');
|
||||||
if (!dnetm) {
|
if (!dnetm) {
|
||||||
@ -517,7 +560,8 @@ char *line;
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (!s || !strcasecmp(s, "portmap")) {
|
if (!s || !strcasecmp(s, "portmap") ||
|
||||||
|
!strcasecmp(s, "proxy")) {
|
||||||
dnetm = strrchr(dhost, '/');
|
dnetm = strrchr(dhost, '/');
|
||||||
if (!dnetm) {
|
if (!dnetm) {
|
||||||
fprintf(stderr,
|
fprintf(stderr,
|
||||||
@ -562,7 +606,7 @@ char *line;
|
|||||||
if (*snetm == '/')
|
if (*snetm == '/')
|
||||||
*snetm++ = '\0';
|
*snetm++ = '\0';
|
||||||
|
|
||||||
if (ipn.in_redir == NAT_MAP) {
|
if (ipn.in_redir & NAT_MAP) {
|
||||||
ipn.in_inip = hostnum(shost, &resolved);
|
ipn.in_inip = hostnum(shost, &resolved);
|
||||||
if (resolved == -1)
|
if (resolved == -1)
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -612,6 +656,55 @@ char *line;
|
|||||||
}
|
}
|
||||||
if (!s)
|
if (!s)
|
||||||
return &ipn;
|
return &ipn;
|
||||||
|
if (ipn.in_redir == NAT_BIMAP) {
|
||||||
|
fprintf(stderr, "extra words at the end of bimap line: %s\n",
|
||||||
|
s);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
if (!strcasecmp(s, "proxy")) {
|
||||||
|
if (!(s = strtok(NULL, " \t"))) {
|
||||||
|
fprintf(stderr, "missing parameter for \"proxy\"\n");
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
dport = NULL;
|
||||||
|
|
||||||
|
if (!strcasecmp(s, "port")) {
|
||||||
|
if (!(s = strtok(NULL, " \t"))) {
|
||||||
|
fprintf(stderr,
|
||||||
|
"missing parameter for \"port\"\n");
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
dport = s;
|
||||||
|
|
||||||
|
if (!(s = strtok(NULL, " \t"))) {
|
||||||
|
fprintf(stderr,
|
||||||
|
"missing parameter for \"proxy\"\n");
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if ((proto = index(s, '/'))) {
|
||||||
|
*proto++ = '\0';
|
||||||
|
if ((pr = getprotobyname(proto)))
|
||||||
|
ipn.in_p = pr->p_proto;
|
||||||
|
else
|
||||||
|
ipn.in_p = atoi(proto);
|
||||||
|
if (dport)
|
||||||
|
ipn.in_dport = portnum(dport, proto);
|
||||||
|
} else {
|
||||||
|
ipn.in_p = 0;
|
||||||
|
if (dport)
|
||||||
|
ipn.in_dport = portnum(dport, NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
(void) strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel));
|
||||||
|
if ((s = strtok(NULL, " \t"))) {
|
||||||
|
fprintf(stderr, "too many parameters for \"proxy\"\n");
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
return &ipn;
|
||||||
|
|
||||||
|
}
|
||||||
if (strcasecmp(s, "portmap")) {
|
if (strcasecmp(s, "portmap")) {
|
||||||
fprintf(stderr, "expected \"portmap\" - got \"%s\"\n", s);
|
fprintf(stderr, "expected \"portmap\" - got \"%s\"\n", s);
|
||||||
return NULL;
|
return NULL;
|
||||||
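Review bot: In the new `proxy` branch of parse(), `(void) strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel));` silently truncates an over-long label and leaves in_plabel without a terminating NUL when the label exactly fills the field, so a mistyped label can be installed as a different, shorter one instead of being rejected. I would refuse it before copying: `if (strlen(s) >= sizeof(ipn.in_plabel)) { fprintf(stderr, "proxy label \"%s\" too long\n", s); return NULL; }` (how the kernel compares in_plabel is not visible here, so whether termination matters on that side is unconfirmed; the printnat side uses `%.*s` and is bounded). In the same branch `ipn.in_p = atoi(proto)` accepts any integer, so a value outside 0..255 is silently narrowed on assignment and should be range-checked first. Separately, printnat passes `sizeof(np->in_plabel)` (a size_t) as the `%.*s` precision, which must be an int: `printf(" %.*s/%d", (int)sizeof(np->in_plabel), np->in_plabel, np->in_p);`.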
|
@ -32,6 +32,9 @@ all:
|
|||||||
.c.o:
|
.c.o:
|
||||||
$(CC) $(CFLAGS) $(LINUXK) -c $< -o $@
|
$(CC) $(CFLAGS) $(LINUXK) -c $< -o $@
|
||||||
|
|
||||||
|
install:
|
||||||
|
-$(INSTALL) -cs -g wheel -m 755 -o root ipsend ipresend iptest $(BINDEST)
|
||||||
|
|
||||||
bpf sunos4-bpf :
|
bpf sunos4-bpf :
|
||||||
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
|
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
|
||||||
"CFLAGS=$(CFLAGS) -DDOSOCKET"
|
"CFLAGS=$(CFLAGS) -DDOSOCKET"
|
||||||
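Review bot: The new `install:` target prefixes its only command with `-`, so a failed install (wrong $(BINDEST), an unbuilt iptest, no `wheel` group on a non-BSD host) is ignored and make still exits successfully. Unless these tools are deliberately optional, drop the `-` so a broken install stops the build: `$(INSTALL) -cs -g wheel -m 755 -o root ipsend ipresend iptest $(BINDEST)`. $(INSTALL) and $(BINDEST) are defined outside this hunk, so their values are unconfirmed here.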
|
@ -25,11 +25,6 @@ static char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
|
|||||||
#include <netinet/tcp.h>
|
#include <netinet/tcp.h>
|
||||||
#include "ipsend.h"
|
#include "ipsend.h"
|
||||||
|
|
||||||
#if defined(__SVR4) || defined(__svr4__)
|
|
||||||
#define bcopy(a,b,c) memmove(b,a,c)
|
|
||||||
#define bzero(a,c) memset(a,0,c)
|
|
||||||
#define bcmp(a,b,c) memcmp(a,b,c)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* lookup host and return
|
* lookup host and return
|
||||||
|
@ -175,7 +175,7 @@ char **argv;
|
|||||||
ip->ip_len = sizeof(*ip);
|
ip->ip_len = sizeof(*ip);
|
||||||
ip->ip_hl = sizeof(*ip) >> 2;
|
ip->ip_hl = sizeof(*ip) >> 2;
|
||||||
|
|
||||||
while ((c = getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1)
|
while ((c = (char)getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1)
|
||||||
switch (c)
|
switch (c)
|
||||||
{
|
{
|
||||||
case 'I' :
|
case 'I' :
|
||||||
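Review bot: The added cast in `while ((c = (char)getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1)` compares a char with the int -1; on targets where plain char is unsigned the end-of-options return becomes 255, the comparison never succeeds and the loop does not terminate. The cast suggests `c` is declared `char` (its declaration is outside the hunk); the portable form is to declare `int c;` and drop the cast: `while ((c = getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1)`. The enclosing main() starts before and continues after this hunk.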
|
@ -108,7 +108,8 @@ char **argv;
|
|||||||
ip->ip_len = sizeof(*ip);
|
ip->ip_len = sizeof(*ip);
|
||||||
ip->ip_hl = sizeof(*ip) >> 2;
|
ip->ip_hl = sizeof(*ip) >> 2;
|
||||||
|
|
||||||
while ((c = getopt(argc, argv, "1234567IP:TUd:f:g:m:o:p:s:t:")) != -1)
|
while ((c = (char)getopt(argc, argv,
|
||||||
|
"1234567IP:TUd:f:g:m:o:p:s:t:")) != -1)
|
||||||
switch (c)
|
switch (c)
|
||||||
{
|
{
|
||||||
case '1' :
|
case '1' :
|
||||||
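Review bot: Casting getopt's result to char in `while ((c = (char)getopt(argc, argv, "1234567IP:TUd:f:g:m:o:p:s:t:")) != -1)` breaks the -1 sentinel wherever plain char is unsigned: the value stored in `c` is 255, it never compares equal to -1, and option parsing loops forever. Since the cast presumably exists to silence a narrowing warning on a `char c` declared outside this hunk, the right fix is to make `c` an int and remove the cast: `while ((c = getopt(argc, argv, "1234567IP:TUd:f:g:m:o:p:s:t:")) != -1)`. main() begins before and ends after the visible lines.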
|
@ -27,6 +27,9 @@ static char sccsid[] = "%W% %G% (C)1995 Darren Reed";
|
|||||||
#endif
|
#endif
|
||||||
#include <kvm.h>
|
#include <kvm.h>
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
|
#if defined(solaris)
|
||||||
|
# include <sys/stream.h>
|
||||||
|
#endif
|
||||||
#include <sys/socketvar.h>
|
#include <sys/socketvar.h>
|
||||||
#ifdef sun
|
#ifdef sun
|
||||||
#include <sys/systm.h>
|
#include <sys/systm.h>
|
||||||
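Review bot: `#if defined(solaris)` guards the new `<sys/stream.h>` include, but no visible code defines a lowercase `solaris` macro; the line just below tests `sun`, and ipf.h in this same commit defines `SOLARIS` as `defined(sun) && (defined(__svr4__) || defined(__SVR4))`. Unless a build flag I cannot see supplies `-Dsolaris`, this include is dead and Solaris builds still will not see <sys/stream.h>. I would use the test the rest of the tree uses: `#if defined(sun) && (defined(__svr4__) || defined(__SVR4))`.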
|
@ -5,6 +5,9 @@
|
|||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
* to the original author and the contributors.
|
* to the original author and the contributors.
|
||||||
*/
|
*/
|
||||||
|
#ifdef __FreeBSD__
|
||||||
|
# include <osreldate.h>
|
||||||
|
#endif
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <assert.h>
|
#include <assert.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
@ -16,6 +19,7 @@
|
|||||||
#endif
|
#endif
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
|
#include <sys/time.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
@ -30,6 +34,9 @@
|
|||||||
#include <netinet/ip_icmp.h>
|
#include <netinet/ip_icmp.h>
|
||||||
#include <netinet/tcpip.h>
|
#include <netinet/tcpip.h>
|
||||||
#include <net/if.h>
|
#include <net/if.h>
|
||||||
|
#if __FreeBSD_version >= 300000
|
||||||
|
# include <net/if_var.h>
|
||||||
|
#endif
|
||||||
#include <netdb.h>
|
#include <netdb.h>
|
||||||
#include <arpa/nameser.h>
|
#include <arpa/nameser.h>
|
||||||
#include <arpa/inet.h>
|
#include <arpa/inet.h>
|
||||||
@ -42,7 +49,7 @@
|
|||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed";
|
static char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed";
|
||||||
static char rcsid[] = "$Id: ipt.c,v 2.0.2.4 1997/04/02 12:23:30 darrenr Exp $";
|
static char rcsid[] = "$Id: ipt.c,v 2.0.2.5 1997/04/30 13:59:39 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
extern char *optarg;
|
extern char *optarg;
|
||||||
@ -66,7 +73,7 @@ char *argv[];
|
|||||||
char *rules = NULL, *datain = NULL, *iface = NULL;
|
char *rules = NULL, *datain = NULL, *iface = NULL;
|
||||||
int fd, i, dir = 0;
|
int fd, i, dir = 0;
|
||||||
|
|
||||||
while ((c = getopt(argc, argv, "bdEHi:I:oPr:STvX")) != -1)
|
while ((c = (char)getopt(argc, argv, "bdEHi:I:oPr:STvX")) != -1)
|
||||||
switch (c)
|
switch (c)
|
||||||
{
|
{
|
||||||
case 'b' :
|
case 'b' :
|
||||||
|
@ -1,12 +1,15 @@
|
|||||||
/*
|
/*
|
||||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
* (C)opyright 1993-1997 by Darren Reed.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms are permitted
|
* Redistribution and use in source and binary forms are permitted
|
||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
* to the original author and the contributors.
|
* to the original author and the contributors.
|
||||||
* $Id: ipt.h,v 2.0.2.4 1997/03/27 13:45:23 darrenr Exp $
|
* $Id: ipt.h,v 2.0.2.6 1997/04/30 13:49:22 darrenr Exp $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#ifndef __IPT_H__
|
||||||
|
#define __IPT_H__
|
||||||
|
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
#ifdef __STDC__
|
#ifdef __STDC__
|
||||||
#include <stdarg.h>
|
#include <stdarg.h>
|
||||||
@ -23,3 +26,5 @@ struct ipread {
|
|||||||
|
|
||||||
extern void debug __P((char *, ...));
|
extern void debug __P((char *, ...));
|
||||||
extern void verbose __P((char *, ...));
|
extern void verbose __P((char *, ...));
|
||||||
|
|
||||||
|
#endif /* __IPT_H__ */
|
||||||
|
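Review bot: The new include guard `#ifndef __IPT_H__` / `#define __IPT_H__` uses an identifier with a leading double underscore, which C reserves for the implementation; a project-prefixed guard such as `#ifndef IPT_H` avoids any clash with a system header that picks the same name. The same applies to `__KMEM_H__` in the kmem.h hunk and `__SNOOP_H__` in the snoop.h hunk.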
@ -1,12 +1,15 @@
|
|||||||
/*
|
/*
|
||||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
* (C)opyright 1993-1997 by Darren Reed.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms are permitted
|
* Redistribution and use in source and binary forms are permitted
|
||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
* to the original author and the contributors.
|
* to the original author and the contributors.
|
||||||
* $Id: kmem.h,v 2.0.2.3 1997/03/10 08:10:38 darrenr Exp $
|
* $Id: kmem.h,v 2.0.2.5 1997/04/30 13:49:35 darrenr Exp $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#ifndef __KMEM_H__
|
||||||
|
#define __KMEM_H__
|
||||||
|
|
||||||
#ifndef __P
|
#ifndef __P
|
||||||
# ifdef __STDC__
|
# ifdef __STDC__
|
||||||
# define __P(x) x
|
# define __P(x) x
|
||||||
@ -19,3 +22,4 @@ extern int kmemcpy __P((char *, long, int));
|
|||||||
|
|
||||||
#define KMEM "/dev/kmem"
|
#define KMEM "/dev/kmem"
|
||||||
|
|
||||||
|
#endif /* __KMEM_H__ */
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
* (C)opyright 1993-1997 by Darren Reed.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms are permitted
|
* Redistribution and use in source and binary forms are permitted
|
||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
@ -7,7 +7,7 @@
|
|||||||
* responsibility and is not changed in any way.
|
* responsibility and is not changed in any way.
|
||||||
*
|
*
|
||||||
* I hate legaleese, don't you ?
|
* I hate legaleese, don't you ?
|
||||||
* $Id: linux.h,v 2.0.2.2 1997/02/23 10:38:08 darrenr Exp $
|
* $Id: linux.h,v 2.0.2.3 1997/04/07 09:59:01 darrenr Exp $
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <linux/config.h>
|
#include <linux/config.h>
|
||||||
|
@ -99,7 +99,7 @@ Zero global statistics held in the kernel for filtering only (this doesn't
|
|||||||
affect fragment or state statistics).
|
affect fragment or state statistics).
|
||||||
.DT
|
.DT
|
||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
ipfstat(1), ipftest(1), ipf(5)
|
ipfstat(1), ipftest(1), ipf(5), mkfilters(1)
|
||||||
.SH DIAGNOSTICS
|
.SH DIAGNOSTICS
|
||||||
.PP
|
.PP
|
||||||
Needs to be run as root for the packet filtering lists to actually
|
Needs to be run as root for the packet filtering lists to actually
|
||||||
|
@ -277,7 +277,10 @@ packets from both protocols are compared. This is equivalent to "proto
|
|||||||
tcp/udp". When composing \fBport\fP comparisons, either the service
|
tcp/udp". When composing \fBport\fP comparisons, either the service
|
||||||
name or an integer port number may be used. Port comparisons may be
|
name or an integer port number may be used. Port comparisons may be
|
||||||
done in a number of forms, with a number of comparison operators, or
|
done in a number of forms, with a number of comparison operators, or
|
||||||
port ranges may be specified. See the examples for more information.
|
port ranges may be specified. When the port appears as part of the
|
||||||
|
\fBfrom\fP object, it matches the source port number, when it appears
|
||||||
|
as part of the \fBto\fP object, it matches the destination port number.
|
||||||
|
See the examples for more information.
|
||||||
.PP
|
.PP
|
||||||
The \fBall\fP keyword is essentially a synonym for "from any to any"
|
The \fBall\fP keyword is essentially a synonym for "from any to any"
|
||||||
with no other match parameters.
|
with no other match parameters.
|
||||||
@ -430,4 +433,4 @@ would be needed before the first block.
|
|||||||
.br
|
.br
|
||||||
/etc/hosts
|
/etc/hosts
|
||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
ipf(1), ipftest(1)
|
ipf(1), ipftest(1), mkfilters(1)
|
||||||
|
@ -4,4 +4,4 @@ IP FIlter
|
|||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
.PP
|
.PP
|
||||||
.SH SEE ALSO
|
.SH SEE ALSO
|
||||||
ipf(1), ipf(1), ipf(5), ipnat(1), ipnat(5)
|
ipf(1), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1)
|
||||||
|
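--- a/contrib/ipfilter/man/mkfilters.1
+++ b/contrib/ipfilter/man/mkfilters.1
@@ -0,0 +1,13 @@
+.TH IPF 1
+.SH NAME
+mkfilters \- generate a minimal firewall ruleset for ipfilter
+.SH SYNOPSIS
+.B mkfilters
+.SH DESCRIPTION
+.PP
+\fBmkfilters\fP is a perl script that generates a minimal filter rule set for
+use with \fBipfilter\fP by parsing the output of \fBifconfig\fP.
+.DT
+.SH SEE ALSO
+ipf(1), ipf(5), ipfilter(5), ifconfig(8)
+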
@ -15,6 +15,7 @@
|
|||||||
#endif
|
#endif
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
|
#include <sys/time.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
@ -40,7 +41,7 @@
|
|||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
|
static char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
|
||||||
static char rcsid[] = "$Id: misc.c,v 2.0.2.5 1997/03/31 10:05:36 darrenr Exp $";
|
static char rcsid[] = "$Id: misc.c,v 2.0.2.6 1997/04/30 13:54:24 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
extern int opts;
|
extern int opts;
|
||||||
|
@ -13,19 +13,12 @@
|
|||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
|
|
||||||
/*
|
|
||||||
* Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
|
|
||||||
* on those hooks. We don't need any special mods with this!
|
|
||||||
*/
|
|
||||||
#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
|
|
||||||
(defined(NetBSD1_2) && NetBSD1_2 > 1)
|
|
||||||
# define NETBSD_PF
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(__FreeBSD__) && (__FreeBSD__ > 1)
|
#if defined(__FreeBSD__) && (__FreeBSD__ > 1)
|
||||||
# include <osreldate.h>
|
|
||||||
# ifdef IPFILTER_LKM
|
# ifdef IPFILTER_LKM
|
||||||
|
# include <osreldate.h>
|
||||||
# define ACTUALLY_LKM_NOT_KERNEL
|
# define ACTUALLY_LKM_NOT_KERNEL
|
||||||
|
# else
|
||||||
|
# include <sys/osreldate.h>
|
||||||
# endif
|
# endif
|
||||||
#endif
|
#endif
|
||||||
#include <sys/systm.h>
|
#include <sys/systm.h>
|
||||||
@ -48,8 +41,10 @@
|
|||||||
#include <sys/mount.h>
|
#include <sys/mount.h>
|
||||||
#include <sys/exec.h>
|
#include <sys/exec.h>
|
||||||
#include <sys/mbuf.h>
|
#include <sys/mbuf.h>
|
||||||
#if defined(__NetBSD__) || (defined(__FreeBSD_version) && \
|
#if BSD >= 199506
|
||||||
(__FreeBSD_version >= 199511))
|
# include <sys/sysctl.h>
|
||||||
|
#endif
|
||||||
|
#if (__FreeBSD_version >= 199511)
|
||||||
#include <net/if.h>
|
#include <net/if.h>
|
||||||
#include <netinet/in_systm.h>
|
#include <netinet/in_systm.h>
|
||||||
#include <netinet/in.h>
|
#include <netinet/in.h>
|
||||||
@ -59,13 +54,13 @@
|
|||||||
#include <netinet/tcp.h>
|
#include <netinet/tcp.h>
|
||||||
#include <netinet/tcpip.h>
|
#include <netinet/tcpip.h>
|
||||||
#endif
|
#endif
|
||||||
#ifndef __NetBSD__
|
#if (__FreeBSD__ > 1)
|
||||||
#include <sys/sysent.h>
|
# include <sys/sysent.h>
|
||||||
#endif
|
#endif
|
||||||
#include <sys/lkm.h>
|
#include <sys/lkm.h>
|
||||||
#include "ipl.h"
|
#include "netinet/ipl.h"
|
||||||
#include "ip_compat.h"
|
#include "netinet/ip_compat.h"
|
||||||
#include "ip_fil.h"
|
#include "netinet/ip_fil.h"
|
||||||
|
|
||||||
#ifndef IPL_NAME
|
#ifndef IPL_NAME
|
||||||
#define IPL_NAME "/dev/ipl"
|
#define IPL_NAME "/dev/ipl"
|
||||||
@ -84,43 +79,12 @@
|
|||||||
extern int lkmenodev __P((void));
|
extern int lkmenodev __P((void));
|
||||||
|
|
||||||
|
|
||||||
#ifdef NETBSD_PF
|
|
||||||
#include <net/pfil.h>
|
|
||||||
#endif
|
|
||||||
#ifndef IPFILTER_LOG
|
|
||||||
# ifdef NETBSD_PF
|
|
||||||
# define iplread enodev
|
|
||||||
# else
|
|
||||||
# define iplread nodev
|
|
||||||
# endif
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef NETBSD_PF
|
|
||||||
int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
static int ipl_unload __P((void));
|
static int ipl_unload __P((void));
|
||||||
static int ipl_load __P((void));
|
static int ipl_load __P((void));
|
||||||
static int ipl_remove __P((void));
|
static int ipl_remove __P((void));
|
||||||
int xxxinit __P((struct lkm_table *, int, int));
|
int xxxinit __P((struct lkm_table *, int, int));
|
||||||
|
|
||||||
|
|
||||||
#if (defined(NetBSD1_0) && (NetBSD1_0 > 1)) || \
|
|
||||||
(defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199511))
|
|
||||||
struct cdevsw ipldevsw =
|
|
||||||
{
|
|
||||||
iplopen, /* open */
|
|
||||||
iplclose, /* close */
|
|
||||||
iplread, /* read */
|
|
||||||
0, /* write */
|
|
||||||
iplioctl, /* ioctl */
|
|
||||||
0, /* stop */
|
|
||||||
0, /* tty */
|
|
||||||
0, /* select */
|
|
||||||
0, /* mmap */
|
|
||||||
NULL /* strategy */
|
|
||||||
};
|
|
||||||
#else
|
|
||||||
struct cdevsw ipldevsw =
|
struct cdevsw ipldevsw =
|
||||||
{
|
{
|
||||||
iplopen, /* open */
|
iplopen, /* open */
|
||||||
@ -135,6 +99,16 @@ struct cdevsw ipldevsw =
|
|||||||
(void *)nullop, /* mmap */
|
(void *)nullop, /* mmap */
|
||||||
NULL /* strategy */
|
NULL /* strategy */
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#ifdef SYSCTL_INT
|
||||||
|
SYSCTL_NODE(_net_inet, OID_AUTO, ipf, CTLFLAG_RW, 0, "IPF");
|
||||||
|
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, "");
|
||||||
|
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, "");
|
||||||
|
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, "");
|
||||||
|
SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_unreach, CTLFLAG_RW,
|
||||||
|
&ipl_unreach, 0, "");
|
||||||
|
SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_inited, CTLFLAG_RD,
|
||||||
|
&ipl_inited, 0, "");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
|
#if !defined(__FreeBSD_version) || (__FreeBSD_version < 220000)
|
||||||
@ -149,7 +123,7 @@ extern int nchrdev;
|
|||||||
int ipl_major = CDEV_MAJOR;
|
int ipl_major = CDEV_MAJOR;
|
||||||
|
|
||||||
static struct cdevsw ipl_cdevsw = {
|
static struct cdevsw ipl_cdevsw = {
|
||||||
iplopen, iplclose, iplread, nowrite, /* 79 */
|
iplopen, iplclose, iplread, nowrite, /* 79 */
|
||||||
iplioctl, nostop, noreset, nodevtotty,
|
iplioctl, nostop, noreset, nodevtotty,
|
||||||
noselect, nommap, nostrategy, "ipl",
|
noselect, nommap, nostrategy, "ipl",
|
||||||
NULL, -1
|
NULL, -1
|
||||||
@ -157,6 +131,8 @@ static struct cdevsw ipl_cdevsw = {
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
static int iplaction __P((struct lkm_table *, int));
|
||||||
|
|
||||||
|
|
||||||
static int iplaction(lkmtp, cmd)
|
static int iplaction(lkmtp, cmd)
|
||||||
struct lkm_table *lkmtp;
|
struct lkm_table *lkmtp;
|
||||||
@ -229,6 +205,7 @@ static int ipl_remove __P((void))
|
|||||||
VOP_LOCK(nd.ni_vp);
|
VOP_LOCK(nd.ni_vp);
|
||||||
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
|
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
|
||||||
(void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
|
(void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -237,9 +214,6 @@ static int ipl_unload()
|
|||||||
int error = 0;
|
int error = 0;
|
||||||
|
|
||||||
error = ipldetach();
|
error = ipldetach();
|
||||||
#ifdef NETBSD_PF
|
|
||||||
pfil_remove_hook(fr_check, PFIL_IN|PFIL_OUT);
|
|
||||||
#endif
|
|
||||||
if (!error)
|
if (!error)
|
||||||
error = ipl_remove();
|
error = ipl_remove();
|
||||||
return error;
|
return error;
|
||||||
@ -253,9 +227,6 @@ static int ipl_load()
|
|||||||
int error = 0, fmode = S_IFCHR|0600;
|
int error = 0, fmode = S_IFCHR|0600;
|
||||||
|
|
||||||
error = iplattach();
|
error = iplattach();
|
||||||
#ifdef NETBSD_PF
|
|
||||||
pfil_add_hook(fr_check, PFIL_IN|PFIL_OUT);
|
|
||||||
#endif
|
|
||||||
if (error)
|
if (error)
|
||||||
return error;
|
return error;
|
||||||
(void) ipl_remove();
|
(void) ipl_remove();
|
||||||
@ -327,6 +298,20 @@ static int ipl_load()
|
|||||||
|
|
||||||
|
|
||||||
#if defined(__FreeBSD_version) && (__FreeBSD_version < 220000)
|
#if defined(__FreeBSD_version) && (__FreeBSD_version < 220000)
|
||||||
|
/*
|
||||||
|
* strlen isn't present in 2.1.* kernels.
|
||||||
|
*/
|
||||||
|
size_t strlen(string)
|
||||||
|
char *string;
|
||||||
|
{
|
||||||
|
register char *s;
|
||||||
|
|
||||||
|
for (s = string; *s; s++)
|
||||||
|
;
|
||||||
|
return (size_t)(s - string);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
int xxxinit(lkmtp, cmd, ver)
|
int xxxinit(lkmtp, cmd, ver)
|
||||||
struct lkm_table *lkmtp;
|
struct lkm_table *lkmtp;
|
||||||
int cmd, ver;
|
int cmd, ver;
|
||||||
@ -334,8 +319,8 @@ int cmd, ver;
|
|||||||
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
|
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
#include <sys/exec.h>
|
# ifdef IPFILTER_LKM
|
||||||
#include <sys/sysent.h>
|
# include <sys/exec.h>
|
||||||
|
|
||||||
MOD_DECL(if_ipl);
|
MOD_DECL(if_ipl);
|
||||||
|
|
||||||
@ -354,21 +339,39 @@ int cmd, ver;
|
|||||||
{
|
{
|
||||||
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
|
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
|
||||||
}
|
}
|
||||||
|
# else
|
||||||
|
|
||||||
/*
|
#ifdef DEVFS
|
||||||
|
static void *ipf_devfs_token[3];
|
||||||
|
#endif
|
||||||
static ipl_devsw_installed = 0;
|
static ipl_devsw_installed = 0;
|
||||||
|
|
||||||
static void ipl_drvinit __P((void *unused))
|
static void ipl_drvinit __P((void *unused))
|
||||||
{
|
{
|
||||||
dev_t dev;
|
dev_t dev;
|
||||||
|
#ifdef DEVFS
|
||||||
|
void **tp = ipf_devfs_token;
|
||||||
|
#endif
|
||||||
|
|
||||||
if( ! ipl_devsw_installed ) {
|
if (!ipl_devsw_installed ) {
|
||||||
dev = makedev(CDEV_MAJOR,0);
|
dev = makedev(CDEV_MAJOR, 0);
|
||||||
cdevsw_add(&dev, &ipl_cdevsw,NULL);
|
cdevsw_add(&dev, &ipl_cdevsw, NULL);
|
||||||
ipl_devsw_installed = 1;
|
ipl_devsw_installed = 1;
|
||||||
}
|
|
||||||
|
#ifdef DEVFS
|
||||||
|
tp[IPL_LOGIPF] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGIPF,
|
||||||
|
DV_CHR, 0, 0, 0600,
|
||||||
|
"ipf", IPL_LOGIPF);
|
||||||
|
tp[IPL_LOGNAT] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGNAT,
|
||||||
|
DV_CHR, 0, 0, 0600,
|
||||||
|
"ipnat", IPL_LOGNAT);
|
||||||
|
tp[IPL_LOGSTATE] = devfs_add_devswf(&ipl_cdevsw, IPL_LOGSTATE,
|
||||||
|
DV_CHR, 0, 0, 0600,
|
||||||
|
"ipstate", IPL_LOGSTATE);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL)
|
SYSINIT(ipldev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE+CDEV_MAJOR,ipl_drvinit,NULL)
|
||||||
*/
|
# endif /* IPFILTER_LKM */
|
||||||
#endif /* __FreeBSD__ */
|
#endif /* _FreeBSD_version */
|
||||||
|
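Review bot: The new `return 0;` in ipl_remove() follows a `(void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);`, so a failure to unlink the device node is never reported even though ipl_unload() appears to propagate the result (`error = ipl_remove();` later in this file); returning the status instead, `return VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);`, would let the caller see it (the function's start is outside the hunk). In the ipl_drvinit hunk, `static void *ipf_devfs_token[3];` is indexed by IPL_LOGIPF, IPL_LOGNAT and IPL_LOGSTATE, which is only in bounds if those constants are 0, 1 and 2 — their definitions are not visible here, so a comment stating that assumption or a size derived from the constants would help. The closing comment `#endif /* _FreeBSD_version */` has one underscore fewer than the macro it refers to; `#endif /* __FreeBSD_version */` matches the condition it closes.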
@ -14,6 +14,7 @@
|
|||||||
#endif
|
#endif
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
|
#include <sys/time.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
@ -34,7 +35,7 @@
|
|||||||
|
|
||||||
#if !defined(lint) && defined(LIBC_SCCS)
|
#if !defined(lint) && defined(LIBC_SCCS)
|
||||||
static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
|
static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
|
||||||
static char rcsid[] = "$Id: parse.c,v 2.0.2.5 1997/03/31 10:05:38 darrenr Exp $";
|
static char rcsid[] = "$Id: parse.c,v 2.0.2.7 1997/05/08 11:24:09 darrenr Exp $";
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
extern struct ipopt_names ionames[], secclass[];
|
extern struct ipopt_names ionames[], secclass[];
|
||||||
@ -325,6 +326,10 @@ char *line;
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
ch = 0;
|
ch = 0;
|
||||||
|
if (**cpp == '!') {
|
||||||
|
fil.fr_flags |= FR_NOTSRCIP;
|
||||||
|
(*cpp)++;
|
||||||
|
}
|
||||||
if (hostmask(&cpp, (u_long *)&fil.fr_src,
|
if (hostmask(&cpp, (u_long *)&fil.fr_src,
|
||||||
(u_long *)&fil.fr_smsk, &fil.fr_sport, &ch,
|
(u_long *)&fil.fr_smsk, &fil.fr_sport, &ch,
|
||||||
&fil.fr_stop)) {
|
&fil.fr_stop)) {
|
||||||
@ -350,6 +355,10 @@ char *line;
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
ch = 0;
|
ch = 0;
|
||||||
|
if (**cpp == '!') {
|
||||||
|
fil.fr_flags |= FR_NOTDSTIP;
|
||||||
|
(*cpp)++;
|
||||||
|
}
|
||||||
if (hostmask(&cpp, (u_long *)&fil.fr_dst,
|
if (hostmask(&cpp, (u_long *)&fil.fr_dst,
|
||||||
(u_long *)&fil.fr_dmsk, &fil.fr_dport, &ch,
|
(u_long *)&fil.fr_dmsk, &fil.fr_dport, &ch,
|
||||||
&fil.fr_dtop)) {
|
&fil.fr_dtop)) {
|
||||||
@ -1164,10 +1173,11 @@ struct frentry *fp;
|
|||||||
(void)printf("proto %d ", fp->fr_proto);
|
(void)printf("proto %d ", fp->fr_proto);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
|
||||||
if (!fp->fr_src.s_addr & !fp->fr_smsk.s_addr)
|
if (!fp->fr_src.s_addr & !fp->fr_smsk.s_addr)
|
||||||
(void)printf("from any ");
|
(void)printf("any ");
|
||||||
else {
|
else {
|
||||||
(void)printf("from %s", inet_ntoa(fp->fr_src));
|
(void)printf("%s", inet_ntoa(fp->fr_src));
|
||||||
if ((ones = countbits(fp->fr_smsk.s_addr)) == -1)
|
if ((ones = countbits(fp->fr_smsk.s_addr)) == -1)
|
||||||
(void)printf("/%s ", inet_ntoa(fp->fr_smsk));
|
(void)printf("/%s ", inet_ntoa(fp->fr_smsk));
|
||||||
else
|
else
|
||||||
@ -1180,10 +1190,12 @@ struct frentry *fp;
|
|||||||
else
|
else
|
||||||
(void)printf("port %s %s ", pcmp1[fp->fr_scmp],
|
(void)printf("port %s %s ", pcmp1[fp->fr_scmp],
|
||||||
portname(pr, fp->fr_sport));
|
portname(pr, fp->fr_sport));
|
||||||
|
|
||||||
|
printf("to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
|
||||||
if (!fp->fr_dst.s_addr & !fp->fr_dmsk.s_addr)
|
if (!fp->fr_dst.s_addr & !fp->fr_dmsk.s_addr)
|
||||||
(void)printf("to any");
|
(void)printf("any");
|
||||||
else {
|
else {
|
||||||
(void)printf("to %s", inet_ntoa(fp->fr_dst));
|
(void)printf("%s", inet_ntoa(fp->fr_dst));
|
||||||
if ((ones = countbits(fp->fr_dmsk.s_addr)) == -1)
|
if ((ones = countbits(fp->fr_dmsk.s_addr)) == -1)
|
||||||
(void)printf("/%s", inet_ntoa(fp->fr_dmsk));
|
(void)printf("/%s", inet_ntoa(fp->fr_dmsk));
|
||||||
else
|
else
|
||||||
|
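Review bot: The new `!` handling before each hostmask() call consumes the character but does not check that anything follows it, so a token that is just `!` hands hostmask() an empty string; whether hostmask() rejects that is not visible here, so an explicit `if (!**cpp) return NULL;` after the `(*cpp)++`, mirroring the `return NULL;` error path visible just above, would make the parse fail deterministically. The source and destination blocks are identical apart from FR_NOTSRCIP versus FR_NOTDSTIP, so a small helper would keep the two in step. In the printfr hunks the new `printf("from %s", ...)` and `printf("to %s", ...)` calls drop the `(void)` prefix that every neighbouring printf in that function carries. The enclosing functions start outside the hunks.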
@ -1,10 +1,10 @@
|
|||||||
/*
|
/*
|
||||||
* (C)opyright 1993-1996 by Darren Reed.
|
* (C)opyright 1993-1997 by Darren Reed.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms are permitted
|
* Redistribution and use in source and binary forms are permitted
|
||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
* to the original author and the contributors.
|
* to the original author and the contributors.
|
||||||
* $Id: pcap.h,v 2.0.2.2 1997/02/23 10:38:17 darrenr Exp $
|
* $Id: pcap.h,v 2.0.2.3 1997/04/07 09:59:02 darrenr Exp $
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* This header file is constructed to match the version described by
|
* This header file is constructed to match the version described by
|
||||||
|
6
contrib/ipfilter/rules/ftppxy
Executable file
6
contrib/ipfilter/rules/ftppxy
Executable file
@ -0,0 +1,6 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# The proxy bit is as follows:
|
||||||
|
# proxy [port <portname>] <tag>/<protocol>
|
||||||
|
# the <tag> should match a tagname in the proxy table, as does the protocol.
|
||||||
|
# this format isn't finalised yet
|
||||||
|
echo "map ed0 0/0 -> 192.1.1.1/32 proxy port ftp ftp/tcp" | /sbin/ipnat -f -
|
@ -1,14 +1,17 @@
|
|||||||
/*
|
/*
|
||||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
* (C)opyright 1993-1997 by Darren Reed.
|
||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms are permitted
|
* Redistribution and use in source and binary forms are permitted
|
||||||
* provided that this notice is preserved and due credit is given
|
* provided that this notice is preserved and due credit is given
|
||||||
* to the original author and the contributors.
|
* to the original author and the contributors.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#ifndef __SNOOP_H__
|
||||||
|
#define __SNOOP_H__
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* written to comply with the RFC (1761) from Sun.
|
* written to comply with the RFC (1761) from Sun.
|
||||||
* $Id: snoop.h,v 2.0.2.2 1997/02/23 10:38:19 darrenr Exp $
|
* $Id: snoop.h,v 2.0.2.4 1997/04/30 13:49:52 darrenr Exp $
|
||||||
*/
|
*/
|
||||||
struct snoophdr {
|
struct snoophdr {
|
||||||
char s_id[8];
|
char s_id[8];
|
||||||
@ -40,3 +43,5 @@ struct snooppkt {
|
|||||||
int sp_sec;
|
int sp_sec;
|
||||||
int sp_usec;
|
int sp_usec;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#endif /* __SNOOP_H__ */
|
||||||
|
@ -6,7 +6,7 @@
|
|||||||
* to the original author and the contributors.
|
* to the original author and the contributors.
|
||||||
*/
|
*/
|
||||||
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
|
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
|
||||||
#pragma ident "$Id: solaris.c,v 2.0.2.3 1997/03/27 13:45:28 darrenr Exp $";
|
#pragma ident "$Id: solaris.c,v 2.0.2.5 1997/05/08 10:11:04 darrenr Exp $";
|
||||||
|
|
||||||
#include <sys/systm.h>
|
#include <sys/systm.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -177,18 +177,18 @@ ddi_attach_cmd_t cmd;
|
|||||||
#ifdef IPFDEBUG
|
#ifdef IPFDEBUG
|
||||||
cmn_err(CE_NOTE, "IP Filter: attach ipf instace %d", instance);
|
cmn_err(CE_NOTE, "IP Filter: attach ipf instace %d", instance);
|
||||||
#endif
|
#endif
|
||||||
if (ddi_create_minor_node(dip, "ipf", S_IFCHR, instance,
|
if (ddi_create_minor_node(dip, "ipf", S_IFCHR, IPL_LOGIPF,
|
||||||
DDI_PSEUDO, 0) == DDI_FAILURE) {
|
DDI_PSEUDO, 0) == DDI_FAILURE) {
|
||||||
ddi_remove_minor_node(dip, NULL);
|
ddi_remove_minor_node(dip, NULL);
|
||||||
goto attach_failed;
|
goto attach_failed;
|
||||||
}
|
}
|
||||||
if (ddi_create_minor_node(dip, "ipnat", S_IFCHR, instance,
|
if (ddi_create_minor_node(dip, "ipnat", S_IFCHR, IPL_LOGNAT,
|
||||||
DDI_PSEUDO, 1) == DDI_FAILURE) {
|
DDI_PSEUDO, 0) == DDI_FAILURE) {
|
||||||
ddi_remove_minor_node(dip, NULL);
|
ddi_remove_minor_node(dip, NULL);
|
||||||
goto attach_failed;
|
goto attach_failed;
|
||||||
}
|
}
|
||||||
if (ddi_create_minor_node(dip, "ipstate", S_IFCHR, instance,
|
if (ddi_create_minor_node(dip, "ipstate", S_IFCHR,IPL_LOGSTATE,
|
||||||
DDI_PSEUDO, 2) == DDI_FAILURE) {
|
DDI_PSEUDO, 0) == DDI_FAILURE) {
|
||||||
ddi_remove_minor_node(dip, NULL);
|
ddi_remove_minor_node(dip, NULL);
|
||||||
goto attach_failed;
|
goto attach_failed;
|
||||||
}
|
}
|
||||||
@ -942,7 +942,11 @@ frdest_t *fdp;
|
|||||||
else
|
else
|
||||||
dst = fin->fin_fi.fi_dst;
|
dst = fin->fin_fi.fi_dst;
|
||||||
|
|
||||||
|
#if SOLARIS2 > 5
|
||||||
|
if (dir = ire_cache_lookup(dst.s_addr))
|
||||||
|
#else
|
||||||
if (dir = ire_lookup(dst.s_addr))
|
if (dir = ire_lookup(dst.s_addr))
|
||||||
|
#endif
|
||||||
if (!dir->ire_ll_hdr_mp || !dir->ire_ll_hdr_length)
|
if (!dir->ire_ll_hdr_mp || !dir->ire_ll_hdr_length)
|
||||||
dir = NULL;
|
dir = NULL;
|
||||||
|
|
||||||
|
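Review bot: The new `#if SOLARIS2 > 5` branch duplicates the assignment-in-condition `if (dir = ire_cache_lookup(dst.s_addr))` and leaves the dependent `if (!dir->ire_ll_hdr_mp || ...)` body outside the preprocessor block, so each variant is an `if` with no visible body and the statement has to be reassembled across the `#endif`; doing the lookup as a plain assignment inside the `#if`/`#else` and testing `dir` once afterwards confines the conditional compilation to the call that actually differs, as below. In the attach hunk the minor numbers passed to ddi_create_minor_node() change from `instance` to the fixed IPL_LOGIPF/IPL_LOGNAT/IPL_LOGSTATE values, so a second attached instance would presumably collide on the same minors; if only one instance is supported, an explicit `if (instance != 0) return DDI_FAILURE;` early in attach would make that visible. The enclosing functions start outside the hunks.
```c
	/* … unchanged: dst selection above … */
#if SOLARIS2 > 5
	dir = ire_cache_lookup(dst.s_addr);
#else
	dir = ire_lookup(dst.s_addr);
#endif
	if (dir && (!dir->ire_ll_hdr_mp || !dir->ire_ll_hdr_length))
		dir = NULL;
```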
@ -17,7 +17,7 @@ first:
|
|||||||
-mkdir -p results
|
-mkdir -p results
|
||||||
|
|
||||||
# Filtering tests
|
# Filtering tests
|
||||||
ftests: 1 2 3 4 5 6 7 8 9 10 11 12
|
ftests: 1 2 3 4 5 6 7 8 9 10 11 12 14
|
||||||
|
|
||||||
# Rule parsing tests
|
# Rule parsing tests
|
||||||
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
|
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
|
||||||
@ -25,7 +25,7 @@ ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
|
|||||||
0:
|
0:
|
||||||
@(cd ..; make ipftest; )
|
@(cd ..; make ipftest; )
|
||||||
|
|
||||||
1 2 3 4 5 6 7 8 9 10 11:
|
1 2 3 4 5 6 7 8 9 10 11 14:
|
||||||
@./dotest $@
|
@./dotest $@
|
||||||
|
|
||||||
12:
|
12:
|
||||||
|
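--- a/contrib/ipfilter/test/expected/14
+++ b/contrib/ipfilter/test/expected/14
@@ -0,0 +1,40 @@
+nomatch
+block
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+block
+block
+nomatch
+nomatch
+nomatch
+pass
+pass
+nomatch
+nomatch
+nomatch
+block
+block
+block
+nomatch
+nomatch
+pass
+pass
+pass
+nomatch
+block
+block
+block
+block
+block
+pass
+pass
+pass
+pass
+pass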
@ -3,6 +3,8 @@ block out from any to any
|
|||||||
log in from any to any
|
log in from any to any
|
||||||
log body in from any to any
|
log body in from any to any
|
||||||
count in from any to any
|
count in from any to any
|
||||||
|
pass in from !any to any
|
||||||
|
block in from any to !any
|
||||||
pass in on ed0(!) from 127.0.0.1/32 to 127.0.0.1/32
|
pass in on ed0(!) from 127.0.0.1/32 to 127.0.0.1/32
|
||||||
block in log first on lo0(!) from any to any
|
block in log first on lo0(!) from any to any
|
||||||
pass in log body quick from any to any
|
pass in log body quick from any to any
|
||||||
|
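--- a/contrib/ipfilter/test/input/14
+++ b/contrib/ipfilter/test/input/14
@@ -0,0 +1,5 @@
+in 127.0.0.1 127.0.0.1
+in 1.1.1.1 1.2.1.1
+in 1.1.1.2 1.2.1.1
+in 1.1.2.2 1.2.1.1
+in 1.2.2.2 1.2.1.1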
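--- a/contrib/ipfilter/test/regress/14
+++ b/contrib/ipfilter/test/regress/14
@@ -0,0 +1,8 @@
+block in from !1.1.1.1 to any
+pass in from 1.1.1.1 to !any
+block in from 1.1.1.1/24 to !any
+pass in from !1.1.1.1/24 to any
+block in from !1.1.1.1/16 to any
+pass in from 1.1.1.1/16 to !any
+block in from 1.1.1.1/0 to !any
+pass in from !1.1.1.1/0 to any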
@ -3,6 +3,8 @@ block out all
|
|||||||
log in all
|
log in all
|
||||||
log body in all
|
log body in all
|
||||||
count in from any to any
|
count in from any to any
|
||||||
|
pass in from !any to any
|
||||||
|
block in from any to !any
|
||||||
pass in on ed0 from localhost to localhost
|
pass in on ed0 from localhost to localhost
|
||||||
block in log first on lo0 from any to any
|
block in log first on lo0 from any to any
|
||||||
pass in log body quick from any to any
|
pass in log body quick from any to any
|
||||||
|
@ -1,12 +1,5 @@
|
|||||||
* automatically use the interface's IP# for NAT rather than any specific IP#
|
|
||||||
- Done. Use "0/32" as destination address/mask. Uses first interface IP#
|
|
||||||
set for an interface.
|
|
||||||
|
|
||||||
* use fr_tcpstate() with NAT code for increased NAT usage security or even
|
* use fr_tcpstate() with NAT code for increased NAT usage security or even
|
||||||
fr_checkstate()
|
fr_checkstate() - suspect this is not possible.
|
||||||
|
|
||||||
* use minor devices for controlling access to alternate parts of IP Filter
|
|
||||||
such as filtering, accounting, state, NAT, etc.
|
|
||||||
|
|
||||||
* see if the Solaris2 and dynamic plumb/unplumb problem is solvable
|
* see if the Solaris2 and dynamic plumb/unplumb problem is solvable
|
||||||
|
|
||||||
@ -17,11 +10,17 @@ time permitting:
|
|||||||
* record buffering for TCP/UDP
|
* record buffering for TCP/UDP
|
||||||
|
|
||||||
* modular application proxying
|
* modular application proxying
|
||||||
|
on the way
|
||||||
|
|
||||||
* invesitgate making logging better
|
* invesitgate making logging better
|
||||||
|
|
||||||
|
done ?
|
||||||
* add reverse nat (similar to rdr) to map addresses going in both directions
|
* add reverse nat (similar to rdr) to map addresses going in both directions
|
||||||
|
|
||||||
* add 'tail' switch to ipmon
|
|
||||||
(this might just be some changes to rdr). In 1:1 relationships maybe make
|
(this might just be some changes to rdr). In 1:1 relationships maybe make
|
||||||
it an option.
|
it an option.
|
||||||
|
|
||||||
|
* keep fragment information for NAT/state entries automatically.
|
||||||
|
done
|
||||||
|
|
||||||
|
* support traceroute through the firewall
|
||||||
|
|
||||||
|