mirror of
https://git.FreeBSD.org/src.git
synced 2025-01-19 15:33:56 +00:00
This commit was generated by cvs2svn to compensate for changes in r22514,
which included commits to RCS files with non-trunk default branches.
This commit is contained in:
commit
d67150e941
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=22515
64
contrib/ipfilter/BNF
Normal file
64
contrib/ipfilter/BNF
Normal file
@ -0,0 +1,64 @@
|
||||
filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
|
||||
[ proto ] [ ip ] .
|
||||
|
||||
insert = "@" decnumber .
|
||||
action = block | "pass" | log | "count" | call .
|
||||
in-out = "in" | "out" .
|
||||
options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
|
||||
tos = "tos" decnumber | "tos" hexnumber .
|
||||
ttl = "ttl" decnumber .
|
||||
proto = "proto" protocol .
|
||||
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
|
||||
|
||||
block = "block" [ "return-icmp"[return-code] | "return-rst" ] .
|
||||
log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
|
||||
call = "call" [ "now" ] function-name .
|
||||
dup = "dup-to" interface-name[":"ipaddr] .
|
||||
froute = "fastroute" | "to" interface-name .
|
||||
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
|
||||
srcdst = "all" | fromto .
|
||||
fromto = "from" object "to" object .
|
||||
|
||||
object = addr [ port-comp | port-range ] .
|
||||
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
|
||||
port-comp = "port" compare port-num .
|
||||
port-range = "port" port-num range port-num .
|
||||
flags = "flags" flag { flag } [ "/" flag { flag } ] .
|
||||
with = "with" | "and" .
|
||||
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
|
||||
return-code = "("icmp-code")" .
|
||||
keep = "keep" "state" | "keep" "frags" .
|
||||
|
||||
nummask = host-name [ "/" decnumber ] .
|
||||
host-name = ipaddr | hostname | "any" .
|
||||
ipaddr = host-num "." host-num "." host-num "." host-num .
|
||||
host-num = digit [ digit [ digit ] ] .
|
||||
port-num = service-name | decnumber .
|
||||
|
||||
withopt = [ "not" | "no" ] opttype [ withopt ] .
|
||||
opttype = "ipopts" | "short" | "frag" | "opt" ipopts .
|
||||
optname = ipopts [ "," optname ] .
|
||||
ipopts = optlist | "sec-class" [ secname ] .
|
||||
secname = seclvl [ "," secname ] .
|
||||
seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
|
||||
"reserv-4" | "secret" | "topsecret" .
|
||||
icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
|
||||
"timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
|
||||
"inforep" | "maskreq" | "maskrep" | decnumber .
|
||||
icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
|
||||
"needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
|
||||
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
|
||||
optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
|
||||
"sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
|
||||
"visa" | "imitd" | "eip" | "finn" .
|
||||
|
||||
hexnumber = "0" "x" hexstring .
|
||||
hexstring = hexdigit [ hexstring ] .
|
||||
decnumber = digit [ decnumber ] .
|
||||
|
||||
compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
|
||||
"le" | "ge" .
|
||||
range = "<>" | "><" .
|
||||
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
|
||||
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
|
||||
flag = "F" | "S" | "R" | "P" | "A" | "U" .
|
11
contrib/ipfilter/COMPILE.2.5
Normal file
11
contrib/ipfilter/COMPILE.2.5
Normal file
@ -0,0 +1,11 @@
|
||||
|
||||
If you get the following error whilst compiling:
|
||||
|
||||
In file included from /usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3/include/sys/user.h:48,
|
||||
from /usr/include/sys/file.h:15,
|
||||
from ../ip_nat.c:15:
|
||||
/usr/include/sys/psw.h:19: #error Kernel include of psw.h
|
||||
|
||||
Remove (comment out) the line in
|
||||
/usr/local/lib/gcc-lib/sparc-sun-solaris2.3/2.6.3include/sys/user.h
|
||||
which includes psw.h
|
16
contrib/ipfilter/FWTK/README
Normal file
16
contrib/ipfilter/FWTK/README
Normal file
@ -0,0 +1,16 @@
|
||||
|
||||
There are two patch files in this directory, each allowing for the Firewall
|
||||
Toolkit to be used in a transparent proxy configuration.
|
||||
|
||||
ftp-gw.diff - A patch written by myself for use only with IP Filter and
|
||||
ftp-gw from the Firewall Toolkit.
|
||||
|
||||
fwtkp - A set of patches written by James B. Croall (jcroall@foo.org)
|
||||
for use with both IP Filter and ipfwadm (for Linux) and more
|
||||
of the various FWTK gateway plugins, including:
|
||||
ftp-gw http-gw plug-gw rlogin-gw tn-gw
|
||||
|
||||
Both patches when applied to the Firewall toolkit require the same
|
||||
configuration for IP Filter.
|
||||
|
||||
Darren
|
237
contrib/ipfilter/FWTK/ftp-gw.diff
Normal file
237
contrib/ipfilter/FWTK/ftp-gw.diff
Normal file
@ -0,0 +1,237 @@
|
||||
*** ftp-gw.c.orig Sat Nov 5 10:30:16 1994
|
||||
--- ftp-gw.c Sun Jul 7 12:25:15 1996
|
||||
***************
|
||||
*** 11,31 ****
|
||||
*/
|
||||
static char RcsId[] = "$Header: /devel/CVS/IP-Filter/FWTK/ftp-gw.diff,v 2.0.1.1 1997/01/09 15:14:46 darrenr Exp $";
|
||||
|
||||
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <syslog.h>
|
||||
#include <sys/signal.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/errno.h>
|
||||
- extern int errno;
|
||||
- extern char *sys_errlist[];
|
||||
#include <arpa/ftp.h>
|
||||
#include <arpa/telnet.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
|
||||
extern char *rindex();
|
||||
extern char *index();
|
||||
--- 11,37 ----
|
||||
*/
|
||||
static char RcsId[] = "$Header: /devel/CVS/IP-Filter/FWTK/ftp-gw.diff,v 2.0.1.1 1997/01/09 15:14:46 darrenr Exp $";
|
||||
|
||||
+ /*
|
||||
+ * Patches for IP Filter NAT extensions written by Darren Reed, 7/7/96
|
||||
+ * darrenr@cyber.com.au
|
||||
+ */
|
||||
+ static char vIpFilter[] = "v3.1.0";
|
||||
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <syslog.h>
|
||||
+ #include <unistd.h>
|
||||
+ #include <fcntl.h>
|
||||
#include <sys/signal.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/errno.h>
|
||||
#include <arpa/ftp.h>
|
||||
#include <arpa/telnet.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
+ #include <net/if.h>
|
||||
|
||||
extern char *rindex();
|
||||
extern char *index();
|
||||
***************
|
||||
*** 36,41 ****
|
||||
--- 42,48 ----
|
||||
|
||||
#include "firewall.h"
|
||||
|
||||
+ #include "ip_nat.h"
|
||||
|
||||
#ifndef BSIZ
|
||||
#define BSIZ 2048
|
||||
***************
|
||||
*** 83,88 ****
|
||||
--- 90,97 ----
|
||||
static int cmd_noop();
|
||||
static int cmd_abor();
|
||||
static int cmd_passthru();
|
||||
+ static int nat_destination();
|
||||
+ static int connectdest();
|
||||
static void saveline();
|
||||
static void flushsaved();
|
||||
static void trap_sigurg();
|
||||
***************
|
||||
*** 317,323 ****
|
||||
if(authallflg)
|
||||
if(say(0,"220-Proxy first requires authentication"))
|
||||
exit(1);
|
||||
! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
|
||||
if(say(0,xuf))
|
||||
exit(1);
|
||||
}
|
||||
--- 326,335 ----
|
||||
if(authallflg)
|
||||
if(say(0,"220-Proxy first requires authentication"))
|
||||
exit(1);
|
||||
! sprintf(xuf,"220-%s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
|
||||
! if(say(0,xuf))
|
||||
! exit(1);
|
||||
! sprintf(xuf,"220-%s TIS ftp-gw with IP Filter %s NAT extensions",huf,vIpFilter);
|
||||
if(say(0,xuf))
|
||||
exit(1);
|
||||
}
|
||||
***************
|
||||
*** 338,343 ****
|
||||
--- 350,357 ----
|
||||
exit(1);
|
||||
}
|
||||
|
||||
+ nat_destination(0);
|
||||
+
|
||||
/* main loop */
|
||||
while(1) {
|
||||
FD_ZERO(&rdy);
|
||||
***************
|
||||
*** 608,619 ****
|
||||
static char narg[] = "501 Missing or extra username";
|
||||
static char noad[] = "501 Use user@site to connect via proxy";
|
||||
char buf[1024];
|
||||
- char mbuf[512];
|
||||
char *p;
|
||||
char *dest;
|
||||
char *user;
|
||||
int x;
|
||||
- int msg_int;
|
||||
short port = FTPPORT;
|
||||
|
||||
/* kludgy but effective. if authorizing everything call auth instead */
|
||||
--- 622,631 ----
|
||||
***************
|
||||
*** 643,648 ****
|
||||
--- 655,681 ----
|
||||
return(sayn(0,noad,sizeof(noad)));
|
||||
}
|
||||
|
||||
+ if((rfd == -1) && (x = connectdest(dest,port)))
|
||||
+ return x;
|
||||
+ sprintf(buf,"USER %s",user);
|
||||
+ if(say(rfd,buf))
|
||||
+ return(1);
|
||||
+ x = getresp(rfd,buf,sizeof(buf),1);
|
||||
+ if(sendsaved(0,x))
|
||||
+ return(1);
|
||||
+ return(say(0,buf));
|
||||
+ }
|
||||
+
|
||||
+ static int
|
||||
+ connectdest(dest,port)
|
||||
+ char *dest;
|
||||
+ short port;
|
||||
+ {
|
||||
+ char buf[1024];
|
||||
+ char mbuf[512];
|
||||
+ int msg_int;
|
||||
+ int x;
|
||||
+
|
||||
if(*dest == '\0')
|
||||
dest = "localhost";
|
||||
|
||||
***************
|
||||
*** 685,691 ****
|
||||
char ebuf[512];
|
||||
|
||||
strcpy(ebuf,buf);
|
||||
! sprintf(buf,"521 %s: %s",dest,ebuf);
|
||||
return(say(0,buf));
|
||||
}
|
||||
sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
|
||||
--- 718,724 ----
|
||||
char ebuf[512];
|
||||
|
||||
strcpy(ebuf,buf);
|
||||
! sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf);
|
||||
return(say(0,buf));
|
||||
}
|
||||
sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
|
||||
***************
|
||||
*** 698,711 ****
|
||||
return(say(0,buf));
|
||||
}
|
||||
saveline(buf);
|
||||
!
|
||||
! sprintf(buf,"USER %s",user);
|
||||
! if(say(rfd,buf))
|
||||
! return(1);
|
||||
! x = getresp(rfd,buf,sizeof(buf),1);
|
||||
! if(sendsaved(0,x))
|
||||
! return(1);
|
||||
! return(say(0,buf));
|
||||
}
|
||||
|
||||
|
||||
--- 731,738 ----
|
||||
return(say(0,buf));
|
||||
}
|
||||
saveline(buf);
|
||||
! sendsaved(0,-1);
|
||||
! return 0;
|
||||
}
|
||||
|
||||
|
||||
***************
|
||||
*** 1591,1593 ****
|
||||
--- 1618,1659 ----
|
||||
dup(nread);
|
||||
}
|
||||
#endif
|
||||
+
|
||||
+
|
||||
+ static int
|
||||
+ nat_destination(fd)
|
||||
+ int fd;
|
||||
+ {
|
||||
+ struct sockaddr_in laddr, faddr;
|
||||
+ struct natlookup natlookup;
|
||||
+ char *dest;
|
||||
+ int slen, natfd;
|
||||
+
|
||||
+ bzero((char *)&laddr, sizeof(laddr));
|
||||
+ bzero((char *)&faddr, sizeof(faddr));
|
||||
+ slen = sizeof(laddr);
|
||||
+ if(getsockname(fd,(struct sockaddr *)&laddr,&slen) < 0) {
|
||||
+ perror("getsockname");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ slen = sizeof(faddr);
|
||||
+ if(getpeername(fd,(struct sockaddr *)&faddr,&slen) < 0) {
|
||||
+ perror("getsockname");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
+ natlookup.nl_inport = laddr.sin_port;
|
||||
+ natlookup.nl_outport = faddr.sin_port;
|
||||
+ natlookup.nl_inip = laddr.sin_addr;
|
||||
+ natlookup.nl_outip = faddr.sin_addr;
|
||||
+ if((natfd = open("/dev/ipl", O_RDONLY)) < 0) {
|
||||
+ perror("open");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ if(ioctl(natfd, SIOCGNATL, &natlookup) == -1) {
|
||||
+ perror("ioctl");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ close(natfd);
|
||||
+ return connectdest(inet_ntoa(natlookup.nl_inip),ntohs(natlookup.nl_inport));
|
||||
+ }
|
812
contrib/ipfilter/FWTK/fwtkp
Normal file
812
contrib/ipfilter/FWTK/fwtkp
Normal file
@ -0,0 +1,812 @@
|
||||
diff -c -r ./ftp-gw/ftp-gw.c ../../NEW/fwtk/ftp-gw/ftp-gw.c
|
||||
*** ./ftp-gw/ftp-gw.c Fri Sep 6 12:55:05 1996
|
||||
--- ../../NEW/fwtk/ftp-gw/ftp-gw.c Wed Oct 9 02:51:35 1996
|
||||
***************
|
||||
*** 40,47 ****
|
||||
|
||||
extern char *optarg;
|
||||
|
||||
! #include "firewall.h"
|
||||
|
||||
|
||||
#ifndef BSIZ
|
||||
#define BSIZ 2048
|
||||
--- 40,48 ----
|
||||
|
||||
extern char *optarg;
|
||||
|
||||
! char *getdsthost();
|
||||
|
||||
+ #include "firewall.h"
|
||||
|
||||
#ifndef BSIZ
|
||||
#define BSIZ 2048
|
||||
***************
|
||||
*** 84,89 ****
|
||||
--- 85,92 ----
|
||||
static int cmdcnt = 0;
|
||||
static int timeout = PROXY_TIMEOUT;
|
||||
|
||||
+ static int do_transparent=0;
|
||||
+
|
||||
|
||||
static int cmd_user();
|
||||
static int cmd_authorize();
|
||||
***************
|
||||
*** 98,103 ****
|
||||
--- 101,107 ----
|
||||
static void saveline();
|
||||
static void flushsaved();
|
||||
static void trap_sigurg();
|
||||
+ static int connectdest();
|
||||
|
||||
#define OP_CONN 001 /* only valid if connected */
|
||||
#define OP_WCON 002 /* writethrough if connected */
|
||||
***************
|
||||
*** 170,175 ****
|
||||
--- 174,180 ----
|
||||
char xuf[1024];
|
||||
char huf[128];
|
||||
char *passuser = (char *)0; /* passed user as av */
|
||||
+ char *psychic, *hotline;
|
||||
|
||||
#ifndef LOG_DAEMON
|
||||
openlog("ftp-gw",LOG_PID);
|
||||
***************
|
||||
*** 314,319 ****
|
||||
--- 319,326 ----
|
||||
} else
|
||||
timeout = 60*60;
|
||||
|
||||
+ psychic=getdsthost(0,NULL);
|
||||
+ if(psychic) { do_transparent++; }
|
||||
|
||||
/* display a welcome file or message */
|
||||
if(passuser == (char *)0) {
|
||||
***************
|
||||
*** 322,327 ****
|
||||
--- 329,340 ----
|
||||
syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
|
||||
exit(1);
|
||||
}
|
||||
+ if(do_transparent) {
|
||||
+ if(sayfile2(0,cf->argv[0],220)) {
|
||||
+ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ } else
|
||||
if(sayfile(0,cf->argv[0],220)) {
|
||||
syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
|
||||
exit(1);
|
||||
***************
|
||||
*** 332,338 ****
|
||||
if(authallflg)
|
||||
if(say(0,"220-Proxy first requires authentication"))
|
||||
exit(1);
|
||||
! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
|
||||
if(say(0,xuf))
|
||||
exit(1);
|
||||
}
|
||||
--- 345,357 ----
|
||||
if(authallflg)
|
||||
if(say(0,"220-Proxy first requires authentication"))
|
||||
exit(1);
|
||||
! /* foo */
|
||||
! if(do_transparent)
|
||||
! sprintf(xuf,"220-%s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
|
||||
! else
|
||||
! sprintf(xuf,"220 %s FTP Proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
|
||||
! /* foo */
|
||||
!
|
||||
if(say(0,xuf))
|
||||
exit(1);
|
||||
}
|
||||
***************
|
||||
*** 353,358 ****
|
||||
--- 372,381 ----
|
||||
exit(1);
|
||||
}
|
||||
|
||||
+ if(do_transparent) {
|
||||
+ connectdest(psychic,21);
|
||||
+ }
|
||||
+
|
||||
/* main loop */
|
||||
while(1) {
|
||||
FD_ZERO(&rdy);
|
||||
***************
|
||||
*** 676,681 ****
|
||||
--- 699,713 ----
|
||||
return(sayn(0,noad,sizeof(noad)-1));
|
||||
}
|
||||
|
||||
+ if(do_transparent) {
|
||||
+ if((rfd==(-1)) && (x=connectdest(dest,port))) return x;
|
||||
+ sprintf(buf,"USER %s",user);
|
||||
+ if(say(rfd,buf)) return(1);
|
||||
+ x=getresp(rfd,buf,sizeof(buf),1);
|
||||
+ if(sendsaved(0,x)) return(1);
|
||||
+ return(say(0,buf));
|
||||
+ }
|
||||
+
|
||||
if(*dest == '\0')
|
||||
dest = "localhost";
|
||||
|
||||
***************
|
||||
*** 701,708 ****
|
||||
if(msg_int == 1) {
|
||||
sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
|
||||
syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
|
||||
! say(0,mbuf);
|
||||
! return(1);
|
||||
} else {
|
||||
if(msg_int == -1) {
|
||||
sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
|
||||
--- 733,740 ----
|
||||
if(msg_int == 1) {
|
||||
sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
|
||||
syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
|
||||
! say(0,mbuf);
|
||||
! return(1);
|
||||
} else {
|
||||
if(msg_int == -1) {
|
||||
sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
|
||||
***************
|
||||
*** 717,723 ****
|
||||
char ebuf[512];
|
||||
|
||||
strcpy(ebuf,buf);
|
||||
! sprintf(buf,"521 %s: %s",dest,ebuf);
|
||||
rfd = -1;
|
||||
return(say(0,buf));
|
||||
}
|
||||
--- 749,759 ----
|
||||
char ebuf[512];
|
||||
|
||||
strcpy(ebuf,buf);
|
||||
! if(do_transparent) {
|
||||
! sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf);
|
||||
! } else {
|
||||
! sprintf(buf,"521 %s: %s",dest,ebuf);
|
||||
! }
|
||||
rfd = -1;
|
||||
return(say(0,buf));
|
||||
}
|
||||
***************
|
||||
*** 732,737 ****
|
||||
--- 768,778 ----
|
||||
}
|
||||
saveline(buf);
|
||||
|
||||
+ /* if(do_transparent) {
|
||||
+ sendsaved(0,-1);
|
||||
+ return(0);
|
||||
+ } /* EEEk. I can't remember what this does. */
|
||||
+
|
||||
sprintf(buf,"USER %s",user);
|
||||
if(say(rfd,buf))
|
||||
return(1);
|
||||
***************
|
||||
*** 744,749 ****
|
||||
--- 785,860 ----
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ static int connectdest(dest, port)
|
||||
+ char *dest;
|
||||
+ short port;
|
||||
+ {
|
||||
+ char buf[1024], mbuf[512];
|
||||
+ int msg_int, x;
|
||||
+
|
||||
+ if(*dest == '\0')
|
||||
+ dest = "localhost";
|
||||
+
|
||||
+ if(validests != (char **)0) {
|
||||
+ char **xp;
|
||||
+ int x;
|
||||
+
|
||||
+ for(xp = validests; *xp != (char *)0; xp++) {
|
||||
+ if(**xp == '!' && hostmatch(*xp + 1,dest)) {
|
||||
+ return(baddest(0,dest));
|
||||
+ } else {
|
||||
+ if(hostmatch(*xp,dest))
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ if(*xp == (char *)0)
|
||||
+ return(baddest(0,dest));
|
||||
+ }
|
||||
+
|
||||
+ /* Extended permissions processing goes in here for destination */
|
||||
+ if(extendperm) {
|
||||
+ msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0);
|
||||
+ if(msg_int == 1) {
|
||||
+ sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
|
||||
+ syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
|
||||
+ say(0,mbuf);
|
||||
+ return(1);
|
||||
+ } else {
|
||||
+ if(msg_int == -1) {
|
||||
+ sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
|
||||
+ say(0,mbuf);
|
||||
+ return(1);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest);
|
||||
+
|
||||
+ if((rfd = conn_server(dest,port,0,buf)) < 0) {
|
||||
+ char ebuf[512];
|
||||
+
|
||||
+ strcpy(ebuf,buf);
|
||||
+ sprintf(buf,"521 %s: %s",dest,ebuf);
|
||||
+ rfd = -1;
|
||||
+ return(say(0,buf));
|
||||
+ }
|
||||
+ if(!do_transparent) {
|
||||
+ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
|
||||
+ saveline(buf);
|
||||
+ }
|
||||
+
|
||||
+ /* we are now connected and need to try the autologin thing */
|
||||
+ x = getresp(rfd,buf,sizeof(buf),1);
|
||||
+ if(x / 100 != COMPLETE) {
|
||||
+ sendsaved(0,-1);
|
||||
+ return(say(0,buf));
|
||||
+ }
|
||||
+ saveline(buf);
|
||||
+
|
||||
+ sendsaved(0,-1);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
|
||||
|
||||
static int
|
||||
***************
|
||||
*** 1053,1058 ****
|
||||
--- 1164,1171 ----
|
||||
static char nprn[] = "500 cannot get peername";
|
||||
char buf[512];
|
||||
|
||||
+ /* syslog(LLEV,"DEBUG: port cmd"); */
|
||||
+
|
||||
if(ac < 2)
|
||||
return(sayn(0,narg,sizeof(narg)-1));
|
||||
|
||||
***************
|
||||
*** 1119,1124 ****
|
||||
--- 1232,1238 ----
|
||||
#define UC(c) (((int)c) & 0xff)
|
||||
sprintf(buf,"PORT %d,%d,%d,%d,%d,%d\r\n",UC(k[0]),UC(k[1]),UC(k[2]),
|
||||
UC(k[3]),UC(l[0]),UC(l[1]));
|
||||
+ /* syslog(LLEV,"DEBUG: %s",buf); */
|
||||
s = strlen(buf);
|
||||
if (write(rfd, buf, s) != s)
|
||||
return 1;
|
||||
***************
|
||||
*** 1330,1335 ****
|
||||
--- 1444,1450 ----
|
||||
callback()
|
||||
{
|
||||
/* if we haven't gotten a valid PORT scrub the connection */
|
||||
+ /* syslog(LLEV,"DEBUG: callback()."); */
|
||||
if((outgoing = accept(boundport,(struct sockaddr *)0,(int *)0)) < 0 || clntport.sin_port == 0)
|
||||
goto bomb;
|
||||
if(pasvport != -1) { /* incoming handled by PASVcallback */
|
||||
***************
|
||||
*** 1796,1801 ****
|
||||
--- 1911,1960 ----
|
||||
}
|
||||
return(0);
|
||||
}
|
||||
+
|
||||
+ /* ok, so i'm in a hurry. english paper due RSN. */
|
||||
+ sayfile2(fd,fn,code)
|
||||
+ int fd;
|
||||
+ char *fn;
|
||||
+ int code;
|
||||
+ {
|
||||
+ FILE *f;
|
||||
+ char buf[BUFSIZ];
|
||||
+ char yuf[BUFSIZ];
|
||||
+ char *c;
|
||||
+ int x;
|
||||
+ int saidsomething = 0;
|
||||
+
|
||||
+ if((f = fopen(fn,"r")) == (FILE *)0)
|
||||
+ return(1);
|
||||
+ while(fgets(buf,sizeof(buf),f) != (char *)0) {
|
||||
+ if((c = index(buf,'\n')) != (char *)0)
|
||||
+ *c = '\0';
|
||||
+ x = fgetc(f);
|
||||
+ if(feof(f))
|
||||
+ sprintf(yuf,"%3.3d-%s",code,buf);
|
||||
+ else {
|
||||
+ sprintf(yuf,"%3.3d-%s",code,buf);
|
||||
+ ungetc(x,f);
|
||||
+ }
|
||||
+ if(say(fd,yuf)) {
|
||||
+ fclose(f);
|
||||
+ return(1);
|
||||
+ }
|
||||
+ saidsomething++;
|
||||
+ }
|
||||
+ fclose(f);
|
||||
+ if (!saidsomething) {
|
||||
+ syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code);
|
||||
+ sprintf(yuf, "%3.3d The file to display is empty",code);
|
||||
+ if(say(fd,yuf)) {
|
||||
+ fclose(f);
|
||||
+ return(1);
|
||||
+ }
|
||||
+ }
|
||||
+ return(0);
|
||||
+ }
|
||||
+
|
||||
|
||||
|
||||
porttoaddr(s,a)
|
||||
diff -c -r ./http-gw/http-gw.c ../../NEW/fwtk/http-gw/http-gw.c
|
||||
*** ./http-gw/http-gw.c Mon Sep 9 14:40:53 1996
|
||||
--- ../../NEW/fwtk/http-gw/http-gw.c Wed Oct 9 02:51:57 1996
|
||||
***************
|
||||
*** 27,32 ****
|
||||
--- 27,37 ----
|
||||
static char http_buffer[8192];
|
||||
static char reason[8192];
|
||||
static int checkBrowserType = 1;
|
||||
+ /* foo */
|
||||
+ static int do_transparent=0;
|
||||
+ /* foo */
|
||||
+
|
||||
+ char *getdsthost();
|
||||
|
||||
static void do_logging()
|
||||
{ char *proto = "GOPHER";
|
||||
***************
|
||||
*** 422,427 ****
|
||||
--- 427,443 ----
|
||||
/*(NOT A SPECIAL FORM)*/
|
||||
|
||||
if((rem_type & TYPE_LOCAL)== 0){
|
||||
+ /* foo */
|
||||
+ char *psychic=getdsthost(sockfd,&def_port);
|
||||
+ if(psychic) {
|
||||
+ if(strlen(psychic)<=MAXHOSTNAMELEN) {
|
||||
+ do_transparent++;
|
||||
+ strncpy(def_httpd,psychic,strlen(psychic));
|
||||
+ strncpy(def_server,psychic,strlen(psychic));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* foo */
|
||||
/* See if it can be forwarded */
|
||||
|
||||
if( can_forward(buf)){
|
||||
***************
|
||||
*** 1513,1519 ****
|
||||
parse_vec[0],
|
||||
parse_vec[1],
|
||||
ourname, ourport);
|
||||
! }else{
|
||||
sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
|
||||
parse_vec[0], parse_vec[2],
|
||||
parse_vec[3], chk_type_ch,
|
||||
--- 1529,1541 ----
|
||||
parse_vec[0],
|
||||
parse_vec[1],
|
||||
ourname, ourport);
|
||||
! }
|
||||
! /* FOO */
|
||||
! else if(do_transparent) {
|
||||
! sprintf(new_reply,"%s\t%s\t%s\t%s",parse_vec[0],parse_vec[1],parse_vec[2],parse_vec[3]);
|
||||
! }
|
||||
! /* FOO */
|
||||
! else{
|
||||
sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
|
||||
parse_vec[0], parse_vec[2],
|
||||
parse_vec[3], chk_type_ch,
|
||||
diff -c -r ./lib/hnam.c ../../NEW/fwtk/lib/hnam.c
|
||||
*** ./lib/hnam.c Fri Nov 4 18:30:19 1994
|
||||
--- ../../NEW/fwtk/lib/hnam.c Wed Oct 9 02:34:13 1996
|
||||
***************
|
||||
*** 22,27 ****
|
||||
--- 22,31 ----
|
||||
|
||||
|
||||
#include "firewall.h"
|
||||
+ #ifdef __FreeBSD__
|
||||
+ #include <net/if.h>
|
||||
+ #include "ip_nat.h"
|
||||
+ #endif /* __FreeBSD__ */
|
||||
|
||||
|
||||
char *
|
||||
***************
|
||||
*** 44,47 ****
|
||||
--- 48,115 ----
|
||||
|
||||
bcopy(hp->h_addr,&sin.sin_addr,hp->h_length);
|
||||
return(inet_ntoa(sin.sin_addr));
|
||||
+ }
|
||||
+
|
||||
+ char *getdsthost(fd, ptr)
|
||||
+ int fd;
|
||||
+ int *ptr;
|
||||
+ {
|
||||
+ struct sockaddr_in sin;
|
||||
+ struct hostent *hp;
|
||||
+ int sl=sizeof(struct sockaddr_in), err=0, local_h=0, i=0;
|
||||
+ char buf[255], hostbuf[255];
|
||||
+ #ifdef __FreeBSD__
|
||||
+ struct sockaddr_in rsin;
|
||||
+ struct natlookup natlookup;
|
||||
+ #endif
|
||||
+
|
||||
+ #ifdef linux
|
||||
+ /* This should also work for UDP. Unfortunately, it doesn't.
|
||||
+ Maybe when the Linux UDP proxy code gets a little cleaner.
|
||||
+ */
|
||||
+ if(!(err=getsockname(0,&sin,&sl))) {
|
||||
+ if(ptr) *ptr=ntohs(sin.sin_port);
|
||||
+ sprintf(buf,"%s",inet_ntoa(sin.sin_addr));
|
||||
+ gethostname(hostbuf,254);
|
||||
+ hp=gethostbyname(hostbuf);
|
||||
+ while(hp->h_addr_list[i]) {
|
||||
+ bzero(&sin,&sl);
|
||||
+ memcpy(&sin.sin_addr,hp->h_addr_list[i++],sizeof(hp->h_addr_list[i++]));
|
||||
+ if(!strcmp(buf,inet_ntoa(sin.sin_addr))) local_h++;
|
||||
+ }
|
||||
+ if(local_h) { /* syslog(LLEV,"DEBUG: hnam.c: non-transparent."); */ return(NULL); }
|
||||
+ else { return(buf); }
|
||||
+ }
|
||||
+ #endif
|
||||
+
|
||||
+ #ifdef __FreeBSD__
|
||||
+ /* The basis for this block of code is Darren Reed's
|
||||
+ patches to the TIS ftwk's ftp-gw.
|
||||
+ */
|
||||
+ bzero((char*)&sin,sizeof(sin));
|
||||
+ bzero((char*)&rsin,sizeof(rsin));
|
||||
+ if(getsockname(fd,(struct sockaddr*)&sin,&sl)<0) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ sl=sizeof(rsin);
|
||||
+ if(getpeername(fd,(struct sockaddr*)&rsin,&sl)<0) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ natlookup.nl_inport=sin.sin_port;
|
||||
+ natlookup.nl_outport=rsin.sin_port;
|
||||
+ natlookup.nl_inip=sin.sin_addr;
|
||||
+ natlookup.nl_outip=rsin.sin_addr;
|
||||
+ if((natfd=open("/dev/ipl",O_RDONLY))<0) {
|
||||
+ return(NULL);
|
||||
+ }
|
||||
+ if(ioctl(natfd,SIOCGNATL,&natlookup)==(-1)) {
|
||||
+ return(NULL);
|
||||
+ }
|
||||
+ close(natfd);
|
||||
+ if(ptr) *ptr=ntohs(natlookup.nl_inport);
|
||||
+ sprintf(buf,"%s",inet_ntoa(natlookup.nl_inip));
|
||||
+ #endif
|
||||
+
|
||||
+ /* No transparent proxy support */
|
||||
+ return(NULL);
|
||||
}
|
||||
Only in ./lib: hnam.c.orig
|
||||
diff -c -r ./plug-gw/plug-gw.c ../../NEW/fwtk/plug-gw/plug-gw.c
|
||||
*** ./plug-gw/plug-gw.c Thu Sep 5 15:36:33 1996
|
||||
--- ../../NEW/fwtk/plug-gw/plug-gw.c Wed Oct 9 02:46:48 1996
|
||||
***************
|
||||
*** 39,44 ****
|
||||
--- 39,48 ----
|
||||
static char **validdests = (char **)0;
|
||||
static Cfg *confp;
|
||||
|
||||
+ int do_transparent=0;
|
||||
+
|
||||
+ char *getdsthost();
|
||||
+
|
||||
main(ac,av)
|
||||
int ac;
|
||||
char *av[];
|
||||
***************
|
||||
*** 193,201 ****
|
||||
--- 197,213 ----
|
||||
char *ptr;
|
||||
int state = 0;
|
||||
int ssl_plug = 0;
|
||||
+ int pport=0;
|
||||
|
||||
struct timeval timo;
|
||||
|
||||
+ /* Transparent plug-gw is probably a bad idea, but hey .. */
|
||||
+ dhost=getdsthost(0,&pport);
|
||||
+ if(dhost) {
|
||||
+ do_transparent++;
|
||||
+ portid=pport;
|
||||
+ }
|
||||
+
|
||||
if(c->flags & PERM_DENY) {
|
||||
if (p == -1)
|
||||
syslog(LLEV,"deny host=%s/%s port=any",rhost,raddr);
|
||||
***************
|
||||
*** 215,221 ****
|
||||
syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
|
||||
exit (1);
|
||||
}
|
||||
! dhost = av[x];
|
||||
continue;
|
||||
}
|
||||
|
||||
--- 227,234 ----
|
||||
syslog(LLEV,"fwtkcfgerr: -plug-to takes an argument, line %d",c->ln);
|
||||
exit (1);
|
||||
}
|
||||
! if(!dhost) dhost = av[x];
|
||||
! /* syslog(LLEV,"DEBUG: dhost now is [%s]",dhost); */
|
||||
continue;
|
||||
}
|
||||
|
||||
diff -c -r ./rlogin-gw/rlogin-gw.c ../../NEW/fwtk/rlogin-gw/rlogin-gw.c
|
||||
*** ./rlogin-gw/rlogin-gw.c Fri Sep 6 12:56:33 1996
|
||||
--- ../../NEW/fwtk/rlogin-gw/rlogin-gw.c Wed Oct 9 02:49:04 1996
|
||||
***************
|
||||
*** 39,45 ****
|
||||
--- 39,47 ----
|
||||
|
||||
|
||||
extern char *maphostname();
|
||||
+ char *getdsthost();
|
||||
|
||||
+ int do_transparent=0;
|
||||
|
||||
static int cmd_quit();
|
||||
static int cmd_help();
|
||||
***************
|
||||
*** 120,125 ****
|
||||
--- 122,130 ----
|
||||
static char *tokav[56];
|
||||
int tokac;
|
||||
struct timeval timo;
|
||||
+ /* foo */
|
||||
+ char *psychic;
|
||||
+ /* foo */
|
||||
|
||||
#ifndef LOG_NDELAY
|
||||
openlog("rlogin-gw",LOG_PID);
|
||||
***************
|
||||
*** 185,191 ****
|
||||
xforwarder = cf->argv[0];
|
||||
}
|
||||
|
||||
!
|
||||
|
||||
if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
|
||||
if(cf->argc != 1) {
|
||||
--- 190,203 ----
|
||||
xforwarder = cf->argv[0];
|
||||
}
|
||||
|
||||
! /* foo */
|
||||
! psychic=getdsthost(0,NULL);
|
||||
! if(psychic) {
|
||||
! do_transparent++;
|
||||
! strncpy(dest,psychic,511);
|
||||
! dest[511]='\0';
|
||||
! }
|
||||
! /* foo */
|
||||
|
||||
if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
|
||||
if(cf->argc != 1) {
|
||||
***************
|
||||
*** 260,269 ****
|
||||
}
|
||||
|
||||
/* if present a host name, chop and save username and hostname */
|
||||
! dest[0] = '\0';
|
||||
if((p = index(rusername,'@')) != (char *)0) {
|
||||
char *namp;
|
||||
|
||||
*p++ = '\0';
|
||||
if(*p == '\0')
|
||||
p = "localhost";
|
||||
--- 272,282 ----
|
||||
}
|
||||
|
||||
/* if present a host name, chop and save username and hostname */
|
||||
! /* dest[0] = '\0'; */
|
||||
if((p = index(rusername,'@')) != (char *)0) {
|
||||
char *namp;
|
||||
|
||||
+ dest[0] = '\0';
|
||||
*p++ = '\0';
|
||||
if(*p == '\0')
|
||||
p = "localhost";
|
||||
***************
|
||||
*** 293,300 ****
|
||||
--- 306,326 ----
|
||||
goto leave;
|
||||
}
|
||||
|
||||
+ /* syslog(LLEV,"DEBUG: Uh-oh, $dest = %s\n",dest); */
|
||||
+
|
||||
if(dest[0] != '\0') {
|
||||
/* Setup connection directly to remote machine */
|
||||
+ if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
|
||||
+ if(cf->argc != 1) {
|
||||
+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ if(sayfile(0,cf->argv[0])) {
|
||||
+ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ }
|
||||
+ /* Does this cmd_connect thing feel like a kludge or what? */
|
||||
sprintf(buf,"connect %.1000s",dest);
|
||||
tokac = enargv(buf, tokav, 56, tokbuf, sizeof(tokbuf));
|
||||
if (cmd_connect(tokac, tokav, buf) != 2)
|
||||
***************
|
||||
*** 526,539 ****
|
||||
char ebuf[512];
|
||||
|
||||
syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,namp);
|
||||
if(strlen(namp) > 20)
|
||||
namp[20] = '\0';
|
||||
if(rusername[0] != '\0')
|
||||
sprintf(ebuf,"Trying %s@%s...",rusername,namp);
|
||||
else
|
||||
sprintf(ebuf,"Trying %s...",namp);
|
||||
! if(say(0,ebuf))
|
||||
! return(1);
|
||||
} else
|
||||
syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,av[1]);
|
||||
if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
|
||||
--- 552,567 ----
|
||||
char ebuf[512];
|
||||
|
||||
syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,namp);
|
||||
+ if(!do_transparent) {
|
||||
if(strlen(namp) > 20)
|
||||
namp[20] = '\0';
|
||||
if(rusername[0] != '\0')
|
||||
sprintf(ebuf,"Trying %s@%s...",rusername,namp);
|
||||
else
|
||||
sprintf(ebuf,"Trying %s...",namp);
|
||||
! if(say(0,ebuf))
|
||||
! return(1);
|
||||
! }
|
||||
} else
|
||||
syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,av[1]);
|
||||
if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
|
||||
diff -c -r ./tn-gw/tn-gw.c ../../NEW/fwtk/tn-gw/tn-gw.c
|
||||
*** ./tn-gw/tn-gw.c Fri Sep 6 12:55:48 1996
|
||||
--- ../../NEW/fwtk/tn-gw/tn-gw.c Wed Oct 9 02:50:17 1996
|
||||
***************
|
||||
*** 87,92 ****
|
||||
--- 87,94 ----
|
||||
static int cmd_xforward();
|
||||
static int cmd_timeout();
|
||||
|
||||
+ char *getdsthost();
|
||||
+
|
||||
static int tn3270 = 1; /* don't do tn3270 stuff */
|
||||
static int doX;
|
||||
|
||||
***************
|
||||
*** 97,102 ****
|
||||
--- 99,106 ----
|
||||
static int timeout = PROXY_TIMEOUT;
|
||||
static char timed_out_msg[] = "\r\nConnection closed due to inactivity";
|
||||
|
||||
+ int do_transparent=0;
|
||||
+
|
||||
typedef struct {
|
||||
char *name;
|
||||
char *hmsg;
|
||||
***************
|
||||
*** 140,145 ****
|
||||
--- 144,151 ----
|
||||
char tokbuf[BSIZ];
|
||||
char *tokav[56];
|
||||
int tokac;
|
||||
+ int port;
|
||||
+ char *psychic;
|
||||
|
||||
#ifndef LOG_DAEMON
|
||||
openlog("tn-gw",LOG_PID);
|
||||
***************
|
||||
*** 308,313 ****
|
||||
--- 314,346 ----
|
||||
}
|
||||
}
|
||||
|
||||
+ psychic=getdsthost(0,&port);
|
||||
+ if(psychic) {
|
||||
+ if((strlen(psychic) + 10) < 510) {
|
||||
+ do_transparent++;
|
||||
+ if(port)
|
||||
+ sprintf(dest,"%s:%d",psychic,port);
|
||||
+ else
|
||||
+ sprintf(dest,"%s",psychic);
|
||||
+
|
||||
+
|
||||
+ if(!welcomedone)
|
||||
+ if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
|
||||
+ if(cf->argc != 1) {
|
||||
+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ if(sayfile(0,cf->argv[0])) {
|
||||
+ syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ welcomedone = 1;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
while (argc > 1) {
|
||||
argc--;
|
||||
argv++;
|
||||
***************
|
||||
*** 864,877 ****
|
||||
}
|
||||
}
|
||||
|
||||
-
|
||||
if((namp = maphostname(av[1])) != (char *)0) {
|
||||
char ebuf[512];
|
||||
|
||||
syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp);
|
||||
! sprintf(ebuf,"Trying %s port %d...",namp,port);
|
||||
! if(say(0,ebuf))
|
||||
! return(1);
|
||||
} else
|
||||
syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]);
|
||||
|
||||
--- 897,911 ----
|
||||
}
|
||||
}
|
||||
|
||||
if((namp = maphostname(av[1])) != (char *)0) {
|
||||
char ebuf[512];
|
||||
|
||||
syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp);
|
||||
! if(!do_transparent) {
|
||||
! sprintf(ebuf,"Trying %s port %d...",namp,port);
|
||||
! if(say(0,ebuf))
|
||||
! return(1);
|
||||
! }
|
||||
} else
|
||||
syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]);
|
||||
|
||||
***************
|
||||
*** 903,910 ****
|
||||
|
||||
syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]);
|
||||
strncpy(dest,av[1], 511);
|
||||
! sprintf(buf, "Connected to %s.", dest);
|
||||
! say(0, buf);
|
||||
return(2);
|
||||
}
|
||||
|
||||
--- 937,946 ----
|
||||
|
||||
syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]);
|
||||
strncpy(dest,av[1], 511);
|
||||
! if(!do_transparent) {
|
||||
! sprintf(buf, "Connected to %s.", dest);
|
||||
! say(0, buf);
|
||||
! }
|
||||
return(2);
|
||||
}
|
||||
|
||||
|
||||
|
567
contrib/ipfilter/HISTORY
Normal file
567
contrib/ipfilter/HISTORY
Normal file
@ -0,0 +1,567 @@
|
||||
#
|
||||
# NOTE: Quite a few patches and suggestions come from other sources, to whom
|
||||
# I'm greatly indebted, even if no names are mentioned.
|
||||
#
|
||||
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
|
||||
# loan of a machine to work on a Solaris 2.x port of this software.
|
||||
#
|
||||
3.1.7 8/2/97 - Released
|
||||
|
||||
Macros used for ntohs/htons supplied with gcc don't always work very well
|
||||
when the assignment is the same variable being converted.
|
||||
|
||||
Filter matching doesn't not match rule which checks tcp flags on packets
|
||||
which are fragments - David Wilson
|
||||
|
||||
3.1.7beta 30/1/97 - Released
|
||||
|
||||
Fix up NAT bugs introduced in last major change (now tested), including
|
||||
nat_delete(), nat_lookupredir(), checksum changes, etc.
|
||||
|
||||
3.1.7alpha 30/1/97 - Released
|
||||
|
||||
Many changes to NAT code, including contributions from Laurent Joncheray
|
||||
<lpj@ans.net>
|
||||
|
||||
Use "NO_SLEEP" when allocating memory under SunOS.
|
||||
|
||||
Make kernel printf's nicer for BSD/SunOS4
|
||||
|
||||
Always do a checksum for packets being filtered going out and being
|
||||
processed by fastroute.
|
||||
|
||||
Leave kernel to play with cdevsw on *BSD systems with LKM's.
|
||||
|
||||
ipnat.1 man page fixes.
|
||||
|
||||
3.1.6 21/1/97 - Released
|
||||
|
||||
Allow NAT to work on BSD systems in conjunction with "pass .. to ifname"
|
||||
|
||||
Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried
|
||||
to free memory twice.
|
||||
|
||||
NAT recalculates IP header checksum based on difference between IP#'s and
|
||||
port numbers - should be just IP#'s (Solaris2 only)
|
||||
|
||||
3.1.5 13/1/97 - Released
|
||||
|
||||
fixed setting of NAT timeouts and use different timeouts for concurrent
|
||||
TCP sessions using the same IP# mapping (when port mapping isn't used)
|
||||
|
||||
multiple loading/unloading of LKM's doesn't clean up cdevsw properly for
|
||||
*BSD systems.
|
||||
|
||||
3.1.4 10/1/97 - Released
|
||||
|
||||
add command line options -C and -F to ipnat to flush NAT list and table
|
||||
|
||||
ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com)
|
||||
|
||||
NetBSD/FreeBSD kernel malloc changes - Daniel Carosone
|
||||
|
||||
3.1.3 10/1/97 - Released
|
||||
|
||||
NAT chains not constructed correctly in hash tables - Antony Y.R Lu
|
||||
(antony@hawk.ee.ncku.edu.tw)
|
||||
|
||||
Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2
|
||||
|
||||
man page update (ipf.5) from Daniel Carosone (dan@geek.com.au)
|
||||
|
||||
ICMP header checksum update now included in NAT.
|
||||
|
||||
Solaris2 needs to modify IP header checksums in ip_natin and ip_natout.
|
||||
|
||||
3.1.2 4/12/96 - Released
|
||||
|
||||
ipmon doesn't use syslog all the time when given -s option
|
||||
|
||||
fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro
|
||||
|
||||
check the results of hostname resolution in ipnat
|
||||
|
||||
"make *install" fixed for subdirectories.
|
||||
|
||||
problems with "ARCH:=" and gnu make resolved
|
||||
|
||||
parser reports an error for lines with whitespaces only rather than skipping
|
||||
them. D.Carosone@abm.com.au (Daniel Carosone)
|
||||
|
||||
patches for integration into NetBSD-current (post 1.2).
|
||||
|
||||
add an option to allow non-IP packets going up/down the stream on Solaris2
|
||||
to be dropped. John Bass.
|
||||
|
||||
3.1.2beta 21/11/96 - Released
|
||||
|
||||
make ipsend compile on Linux 2.0.24
|
||||
|
||||
changes to TCP kept state algorithm, making it watch state on TCP
|
||||
connections in both directions. Also use the same algorithm for NAT TCP.
|
||||
|
||||
-Wall cleanup - Bernd Ernesti
|
||||
|
||||
added "or-block" for "pass .. log or-block" after a suggestion from
|
||||
David Oppenheim (davido@optimation.com.au)
|
||||
|
||||
added subdirectories for building IP Filter in SunOS5/BSD for different
|
||||
cpu architecures
|
||||
|
||||
Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2
|
||||
|
||||
mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96
|
||||
|
||||
3.1.1 28/10/96 - Released
|
||||
|
||||
Installation script fixes and deinstall scripts for IP Filter on:
|
||||
SunOS4/FreeBSD/NetBSD
|
||||
|
||||
Man page fixes - Paul Dubois (dubois@primate.wisc.edu)
|
||||
|
||||
Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!)
|
||||
|
||||
parsing isn't completely case insensitive - David Wilson
|
||||
(davidw@optimation.com.au)
|
||||
|
||||
Release ipl_mutex across uiomove() calls
|
||||
|
||||
print entire rule entries out for "ipf -z" when zero'ing per-rule stats.
|
||||
|
||||
ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik
|
||||
(ts@polynet.lviv.ua)
|
||||
|
||||
New algorithm for setting timeouts for TCP connection (more closely follow
|
||||
TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com)
|
||||
|
||||
Track both window sizes for TCP connections through "keep state".
|
||||
|
||||
Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel
|
||||
(wezel@bio.vu.nl)
|
||||
|
||||
3.1.1-beta2 6/10/96 - Released
|
||||
|
||||
Solaris2 fastroute/dup-to/to now works
|
||||
|
||||
ipmon `record' reading rewritten
|
||||
|
||||
Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au)
|
||||
|
||||
Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson
|
||||
(davidw@optimation.com.au)
|
||||
|
||||
Michael Ryan (mike@NetworX.ie) reports the following:
|
||||
* The Trumpet WinSock under Windows always sends its SYN packet with an ACK
|
||||
value of 1, unlike any other implementation I've seen, which would set it
|
||||
to zero. The "keep state" feature of IP Filter doesn't work when receiving
|
||||
non-zero ACK values on new connection requests.
|
||||
* */Makefile install rule doesn't install all the binaries/man pages
|
||||
* Make ipnat use "tcp/udp" instead of "tcpudp"
|
||||
* Print out "tcp/udp" properly
|
||||
* ipnat "portmap tcp" matches "portmap udp" when adding/removing
|
||||
* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't
|
||||
|
||||
3.1.1-beta 1/9/96 - Released
|
||||
|
||||
add better detection of TCP connections closing to TCP state monitoring.
|
||||
|
||||
fr_addstate() not called correctly for fragments. "keep state" and
|
||||
"keep frag" code don't work together 100% - Songqing Cai
|
||||
(songqing_cai@sterling.com)
|
||||
|
||||
call to fr_addstate() incorrect for adding state in combination with keeping
|
||||
fragment information - Songqing Cai (songqing_cai@sterling.com)
|
||||
|
||||
KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood
|
||||
(cgull@smoke.marlboro.vt.us)
|
||||
|
||||
make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban
|
||||
(dima@best.net)
|
||||
|
||||
3.1.1-alpha 23/8/96 - Released
|
||||
|
||||
kernel panic's when ICMP packets go through NAT code
|
||||
|
||||
stats aren't zero'd properly with ipf -Z
|
||||
|
||||
ipnat doesn't show port numbers correctly all the time and also add the
|
||||
protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com)
|
||||
|
||||
fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com)
|
||||
|
||||
NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com>
|
||||
|
||||
Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu)
|
||||
|
||||
ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall
|
||||
(nrh@tardis.ed.ac.uk)
|
||||
|
||||
3.1.0 7/7/96 - Released
|
||||
|
||||
Reformatted ipnat output to be compatible with it's input, so that
|
||||
"ipnat -l | ipnat -rf -" is possible.
|
||||
|
||||
3.1.0beta 30/6/96 - Released
|
||||
|
||||
NetBSD-1.2 patches from Greg Woods (woods@most.weird.com)
|
||||
|
||||
kernel module must not be installed stripped (Solaris2), as created by
|
||||
"make package" for Solaris2 - Peter Heimann
|
||||
(peter@i3.informatik.rwth-aachen.de)
|
||||
|
||||
3.1.0alpha 5/6/96 - Released
|
||||
|
||||
include examples in package for solaris2
|
||||
|
||||
patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS)
|
||||
|
||||
removed trailing space from printouts of rules in ipf.
|
||||
|
||||
ipresend supports the same range of inputs that ipftest does.
|
||||
|
||||
sending a duplicate copy of a packet to another network devices is now
|
||||
supported. ("dup-to")
|
||||
|
||||
sending a packet to an arbitary interface is now supported, irrespective
|
||||
of its actual route, with no ttl decrement. Can also be routed without
|
||||
the ttl being decremented. ("to" and "fastroute").
|
||||
|
||||
"call" option added to support calling a generic function if a packet is
|
||||
matched.
|
||||
|
||||
show all (upto 4) recorded bytes from the interface name in logging from
|
||||
ipmon.
|
||||
|
||||
support for using unix file permissions for read/write access on the device
|
||||
is now in place.
|
||||
|
||||
recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk>
|
||||
|
||||
ipftest doesn't call initparse() for THISHOST - Catherine Allen
|
||||
(cla@connect.com.au)
|
||||
|
||||
Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au)
|
||||
|
||||
3.0.4 10/4/96 - Released
|
||||
|
||||
looop in `parsing' IP packets with optlen 0 for ip options.
|
||||
|
||||
rule number not initialized and resulted in unexpected results for state
|
||||
maching.
|
||||
|
||||
option parsing and printing bugs - Pradeep Krishnan
|
||||
|
||||
3.0.4beta 25/3/96 - Released
|
||||
|
||||
wouldn't parse "keep flags keep state" correctly.
|
||||
|
||||
SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon
|
||||
|
||||
patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems
|
||||
from Thorsten Lockert <tholo@tetherless.com>
|
||||
|
||||
b* functions in fil.c on Solaris 2.4
|
||||
|
||||
3.0.3 17/3/96 - Released
|
||||
|
||||
added patches to support IP Filter initialisation when compiled into the
|
||||
kernel.
|
||||
|
||||
added -x option to ipmon to display hex dumps of logged packets.
|
||||
|
||||
added -H option to ipftest to allow ascii-hex formatted input to specify
|
||||
arbitary IP packets.
|
||||
|
||||
Sending TCP RSTs as a response now work for Solaris2 x86
|
||||
|
||||
add patches to make IP Filter compile into NetBSD kernels properly.
|
||||
|
||||
patch to stop SunOS 4.1.x kernels panicing with "data traps".
|
||||
|
||||
ipfboot script unloads and reloads ipf module on Solaris2 if it is already
|
||||
loaded into the kernel.
|
||||
|
||||
Installation of IP Filter as a Solaris2 package is now supported.
|
||||
|
||||
Man pages for ipnat.4, ipnat.5 added.
|
||||
|
||||
added some more regression tests and fixed up IP Filter to pass the new tests
|
||||
(previous versions failed some of the tests in set 12).
|
||||
|
||||
IP option filter processing has changed so that saying "with opt lsrr" will
|
||||
check only for that one, but not mask out other options, so a packet with
|
||||
strict source routing, along with loose source routing will match all of
|
||||
"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr".
|
||||
|
||||
IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)
|
||||
|
||||
patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de)
|
||||
|
||||
make install is incorrect - Julian Briggs (julian@lightwork.co.uk)
|
||||
|
||||
strtol() returns 0x7fffffff for all negative numbers,
|
||||
printfr() generates incorrect output for "opt sec-class *",
|
||||
handling of "not opt xxx opt yyy" incorrect.
|
||||
- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)
|
||||
|
||||
m_pullup() called only for input and not output; caused problems
|
||||
with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)
|
||||
|
||||
parsing problem for "port 1" and NetBSD patches incorrect -
|
||||
Andreas Gustafsson (gson@guava.araneus.fi)
|
||||
|
||||
3.0.2 4/2/96 - Released
|
||||
|
||||
Corrected bug where NAT recalculates checksums for fragments.
|
||||
|
||||
make NAT recalculate UDP checksums (rather than setting them to 0),
|
||||
if they're non-zero.
|
||||
|
||||
DNS patches - Real Page (Real.Page@Matrox.com)
|
||||
|
||||
alteration of checksum recalculations in NAT code and addition of
|
||||
redirection with NAT - Mike Neuman
|
||||
|
||||
core dump, if tcp/udp is used with a port number and not service name,
|
||||
in ipf - Mike Neuman (mcn@engarde.com)
|
||||
|
||||
initparse() call, missing to prime "<thishost>" hook - Craig Bishop
|
||||
|
||||
3.0.1 14/1/96 - Released
|
||||
|
||||
miscellaneous patches for Solaris2
|
||||
|
||||
3.0 14/1/96 - Released
|
||||
|
||||
Patch included for FDDI, from Richard Ohnemus
|
||||
(Richard_Ohnemus@dallas.csd.sterling.com)
|
||||
|
||||
Code cleanup for release.
|
||||
|
||||
3.0beta4 10/1/96
|
||||
|
||||
recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop
|
||||
|
||||
recursive mutex in sending TCP RSTs fixed, reported by Tony Becker
|
||||
|
||||
3.0beta3 9/1/96
|
||||
|
||||
FIxup for Solaris2.5 install and interface name bug in ipftest from
|
||||
Julian Briggs (julian@lightwork.co.uk)
|
||||
|
||||
Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)
|
||||
|
||||
3.0beta2 7/1/96
|
||||
|
||||
Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD.
|
||||
Note, this isn't really what one would call IP account, when compared to
|
||||
process accounting, sigh.
|
||||
|
||||
Split up ipresend into iptest/ipresend/ipsend
|
||||
|
||||
Added another m_pullup() inside fr_check() for BSD style kernels and
|
||||
added some checks to ipllog() to not log more than is present (for short
|
||||
packets).
|
||||
|
||||
Fixed bug where failed hostname/netname resolution goes undetecte and
|
||||
becomes 0.0.0.0 (any) (reported Guido van Rooij)
|
||||
|
||||
3.0beta 11/11/95 - Released
|
||||
|
||||
Rewrote the way rule testing is done, reducing the number of files needed and
|
||||
generated.
|
||||
|
||||
SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)
|
||||
|
||||
Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3
|
||||
BSD based Unixes (panic'd)
|
||||
|
||||
Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
|
||||
(I think someone else already told me about these but they got lost :-/)
|
||||
|
||||
Changed Makefile structure to build object files for different operating
|
||||
systems in separate directories by default.
|
||||
|
||||
BSDI has ef0 for first ethernet interface
|
||||
|
||||
Allow for a "not" operator before optional keywords.
|
||||
|
||||
The "rule number" was being incorrectly incremented every time it went through
|
||||
the loop rather than when it matched a rule.
|
||||
|
||||
2.8.2 24/10/95 - Released
|
||||
|
||||
Fixed up problems with "textip" for doing lots of testing.
|
||||
|
||||
Fixed bug in detection of "short" tcp/ip packets (all reported as being short).
|
||||
|
||||
Solaris 2.4 port now works 100%.
|
||||
|
||||
Man page errors reported and fixed.
|
||||
|
||||
Removed duplicate entry in etc/services for login on port 49 (Craig Bishop).
|
||||
|
||||
Fixed ipmon output to put a space after the log-letter.
|
||||
|
||||
Patch from Guido van Rooij to fix parsing problem.
|
||||
|
||||
2.8.1 15/10/95 - Released
|
||||
|
||||
Added ttl and tos filtering.
|
||||
|
||||
Patches for fixing up compilation and port problems (little endian)
|
||||
from Guido van Rooij <guido@IAEhv.nl>.
|
||||
|
||||
Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>.
|
||||
|
||||
ipsend doesn't compile properly on Solaris2.4
|
||||
|
||||
Lots of work done for Solaris2.4 to make it MT/MP safe and work.
|
||||
|
||||
2.8 15/9/95 - Released
|
||||
|
||||
ipmon can now send messages to syslogd (-s) and use names instead of
|
||||
numbers (-N).
|
||||
|
||||
IP packets are now "compiled" into a structure only containing filterable
|
||||
bits.
|
||||
|
||||
Added regression testing in the test/ subdirectory, using a new option
|
||||
(-b) with the ipftest program.
|
||||
|
||||
Added "nomatch" return to filter results. These are counted and show
|
||||
up in reports from ipfstat.
|
||||
|
||||
Moved filter code out of ip_fil.c and into fil.c - there is now only one
|
||||
instance of it in the package.
|
||||
|
||||
Added Solaris 2.4 support.
|
||||
|
||||
Added IPSO basic security option filtering.
|
||||
|
||||
Added name support for filtering on all 19 named IP options.
|
||||
|
||||
Patches from Ivan Brawley to log packet contents as well as packet headers.
|
||||
|
||||
Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>
|
||||
|
||||
Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf,
|
||||
along with a new ioctl, SIOCFRENB.
|
||||
From: Dieter Dworkin Muller <dworkin@village.org>
|
||||
|
||||
2.7.3 31/7.95 - Released
|
||||
|
||||
Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).
|
||||
|
||||
ipftest now deals with tcpdump3 binary output files (from libpcap) with -P.
|
||||
|
||||
Brought ipftest program upto date with actual filter code.
|
||||
|
||||
Filter would cause a match to occur when it wasn't meant to if the packet
|
||||
had short headers and was missing portions that should have been there.
|
||||
Err, it would rightly not match on them, but their absence caused a match
|
||||
when it shouldn't have been.
|
||||
|
||||
2.7.2 26/7/95 - Released
|
||||
|
||||
Problem with filtering just SYN flagged packets reported by
|
||||
Dieter Dworkin Muller <dworkin@village.org>. To solve this
|
||||
problem, added support for masking TCP flags for comparison "flags X/Y".
|
||||
|
||||
2.7.1 9/7/95 - Released
|
||||
|
||||
Added ip_dirbroadcast support for Sun ip_input.c
|
||||
|
||||
Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are
|
||||
better.
|
||||
|
||||
2.7 7/7/95 - Released
|
||||
|
||||
Added "return-rst" to return TCP RST's to TCP packets.
|
||||
|
||||
Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now.
|
||||
|
||||
Added insertion of filter rules. Use "@<#>" at the beginning of a filter
|
||||
to insert a rule at row #.
|
||||
|
||||
Filter keeps track of how many times each rule is matched.
|
||||
|
||||
Changed compile time things to match kernel option (IPFILTER_LKM &
|
||||
IPFILTER_LOG).
|
||||
|
||||
Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP.
|
||||
(No change required for 3.6)
|
||||
|
||||
Now includes TCP fragments which start inside the TCP header as being short.
|
||||
Added counting the number of times each rule is matched.
|
||||
|
||||
|
||||
2.6 11/5/95 - Released
|
||||
|
||||
Added -n option to ipf: when supplied, no changes are made to the kernel.
|
||||
|
||||
Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.
|
||||
|
||||
Rewrote filtering to use a more generic mask & match procedure for
|
||||
checking if a packet matches a rule.
|
||||
|
||||
2.5.2 27/4/95 - Released
|
||||
|
||||
"tcp/udp" and a non-initialised pointer caused the "proto" to become
|
||||
a `random' value; added "ip#/dotted.mask" notation to the BNF.
|
||||
From Adam W. Feigin <feigin@iis.ee.ethz.ch>
|
||||
|
||||
2.5.1 22/3/95 - Released
|
||||
|
||||
"tcp/udp" had a strange effect (undesired) on getserv*() functions,
|
||||
causing protocol/service lookups to fail. Reported by Matthew Green.
|
||||
|
||||
2.5 17/3/95 - Released
|
||||
|
||||
Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
|
||||
output through the ipftest program. Suggestions from:
|
||||
Michael Ciavarella (mikec@phyto.apana.org.au)
|
||||
|
||||
Conflicts occur when "general" filter rules are used for ports and the
|
||||
lack of a "proto" when used with "port" matches other packets when only
|
||||
TCP/UDP are implied.
|
||||
Reported Matthew Green (mrg@fulcom.com.au);
|
||||
reported & fixed 6-8/3/95
|
||||
|
||||
Added filtering of short TCP packets using "with short" 28/2/95
|
||||
(These can possibly slip by checks for the various flags). Short UDP
|
||||
or ICMP are dropped to the floor and logged.
|
||||
|
||||
Added filtering of fragmented packets using "with frag" 24/2/95
|
||||
|
||||
Port to NetBSD-current completed 20/2/95, using LKM.
|
||||
|
||||
Added logging of the rule # which caused the logging to happen and the
|
||||
interface on which the packet is currently as suggested by
|
||||
Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95
|
||||
|
||||
2.4 9/2/95 - Released
|
||||
Fixed saving of IP headers in ICMP packets.
|
||||
|
||||
2.3 29/1/95
|
||||
Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
|
||||
Fixed iplread() and iplsave() with help from Marc Huber.
|
||||
|
||||
2.2 7/1/95 - Released
|
||||
Added code from Marc Huber <huber@fzi.de> to allow it to allocate
|
||||
its own major char number dynamically when modload'ing. Fixed up
|
||||
use of <, >, <=, >= and >< for ports.
|
||||
|
||||
2.1 21/12/94 - Released
|
||||
repackaged to include the correct ip_output.c and ip_input.c *goof*
|
||||
|
||||
2.0 18/12/94 - Released
|
||||
added code to check for port ranges - complete.
|
||||
rewrote to work as a loadable kernel module - complete.
|
||||
|
||||
1.1
|
||||
added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers.
|
||||
|
||||
1.0 22/04/93 - Released
|
||||
First release cut.
|
||||
|
41
contrib/ipfilter/IMPORTANT
Normal file
41
contrib/ipfilter/IMPORTANT
Normal file
@ -0,0 +1,41 @@
|
||||
****************************************
|
||||
IMPORTANT NOTICE
|
||||
****************************************
|
||||
1)
|
||||
|
||||
If you're using this software and have a rule which ends like this:
|
||||
|
||||
flags S
|
||||
|
||||
(for TCP), then to make it totally effective, you need to change it to appear
|
||||
as follows:
|
||||
|
||||
flags S/SA
|
||||
|
||||
The problem is that the old code would compare all the TCP flags against the
|
||||
rule (which just has "S") to see if that matched exactly. It is very possible
|
||||
for this to not be the case and in these cases, the rule would fail to match
|
||||
a 'valid' TCP SYN packet.
|
||||
|
||||
Why does it need to be "S/SA" and not "S/S" ?
|
||||
|
||||
"S/S" will match the SYN-ACK as well the SYN.
|
||||
|
||||
By defalt, "flags S" will now be converted to "flags S/AUPRFS".
|
||||
|
||||
If you have any queries regarding this, see the examples and ipf(4).
|
||||
If you still have a query or suggestion, please email me.
|
||||
|
||||
|
||||
2)
|
||||
|
||||
If a filter rule used, in combination port comparisons and the flags
|
||||
keywords, a "short" TCP packet, if not explicitly blocked high up in
|
||||
the list of packets, would actually get matched even though it would
|
||||
otherwise not have been (due to the ports not). This behaviour has
|
||||
subsequently been fixed.
|
||||
|
||||
|
||||
Darren
|
||||
darrenr@cyber.com.au
|
||||
****************************************
|
41
contrib/ipfilter/INSTALL.FreeBSD
Normal file
41
contrib/ipfilter/INSTALL.FreeBSD
Normal file
@ -0,0 +1,41 @@
|
||||
|
||||
To build a kernel for use with the loadable kernel module, follow these
|
||||
steps:
|
||||
1. do "make bsd"
|
||||
|
||||
2. do "make install-bsd"
|
||||
(probably has to be done as root)
|
||||
|
||||
3. run "FreeBSD/minstall" as root
|
||||
|
||||
4. build a new kernel
|
||||
|
||||
5. install and reboot with the new kernel
|
||||
|
||||
6. use modload(8) to load the packet filter with:
|
||||
modload if_ipl.o
|
||||
|
||||
7. do "modstat" to confirm that it has been loaded successfully.
|
||||
|
||||
There is no need to use mknod to create the device in /dev;
|
||||
- upon loading the module, it will create itself with the correct values,
|
||||
under the name (IPL_NAME) from the Makefile. It will also remove itself
|
||||
from /dev when it is modunload'd.
|
||||
|
||||
To build a kernel with the IP filter, follow these steps:
|
||||
|
||||
1. do "make bsd"
|
||||
|
||||
2. do "make install-bsd"
|
||||
(probably has to be done as root)
|
||||
|
||||
3. run "FreeBSD/kinstall" as root
|
||||
|
||||
4. build a new kernel
|
||||
|
||||
5. create /dev/ipl with "mknod /dev/ipl c 20 0".
|
||||
|
||||
6. install and reboot with the new kernel
|
||||
|
||||
Darren Reed
|
||||
darrenr@cyber.com.au
|
48
contrib/ipfilter/INSTALL.NetBSD
Normal file
48
contrib/ipfilter/INSTALL.NetBSD
Normal file
@ -0,0 +1,48 @@
|
||||
|
||||
To build a kernel for use with the loadable kernel module, follow these
|
||||
steps:
|
||||
1. do "make bsd"
|
||||
|
||||
2. do "make install-bsd"
|
||||
(probably has to be done as root)
|
||||
|
||||
3(a) NetBSD systems prior to 1.2:
|
||||
run "NetBSD/minstall" as root
|
||||
3(b) NetBSD 1.2 systems or later:
|
||||
run "NetBSD-1.2/minstall" as root
|
||||
|
||||
4. build a new kernel
|
||||
|
||||
5. install and reboot with the new kernel
|
||||
|
||||
6. use modload(8) to load the packet filter with:
|
||||
modload if_ipl.o
|
||||
|
||||
7. do "modstat" to confirm that it has been loaded successfully.
|
||||
|
||||
There is no need to use mknod to create the device in /dev;
|
||||
- upon loading the module, it will create itself with the correct values,
|
||||
under the name (IPL_NAME) from the Makefile. It will also remove itself
|
||||
from /dev when it is modunload'd.
|
||||
|
||||
To build a kernel with the IP filter, follow these steps:
|
||||
|
||||
1. do "make bsd"
|
||||
|
||||
2. do "make install-bsd"
|
||||
(probably has to be done as root)
|
||||
|
||||
3(a) NetBSD systems prior to 1.2:
|
||||
run "NetBSD/kinstall" as root
|
||||
3(b) NetBSD 1.2 systems or later:
|
||||
run "NetBSD-1.2/kinstall" as root
|
||||
|
||||
4. build a new kernel
|
||||
|
||||
5. create /dev/ipl with "mknod /dev/ipl c 59 0".
|
||||
(for NetBSD-1.2, use "mknod /dev/ipl c 49 0")
|
||||
|
||||
6. install and reboot with the new kernel
|
||||
|
||||
Darren Reed
|
||||
darrenr@cyber.com.au
|
27
contrib/ipfilter/INSTALL.Sol2
Normal file
27
contrib/ipfilter/INSTALL.Sol2
Normal file
@ -0,0 +1,27 @@
|
||||
|
||||
For those running Solaris 2.5, please read COMPILE.2.5 before building
|
||||
IP Filter.
|
||||
|
||||
Type "make solaris" to build all the required binaries.
|
||||
|
||||
Once IP Filter has been successfully compiled, you may then install it using
|
||||
the usual package method (using pkgadd), however, the package needs to be
|
||||
created, prior to pkgadd'ing. To create the package in /var/spoo/pkg, change
|
||||
directory to SunOS5 and enter the following command:
|
||||
|
||||
make package
|
||||
|
||||
If you wish to then install it using `pkgadd', run the following command:
|
||||
|
||||
pkgadd -s '/var/spool/pkg'
|
||||
|
||||
As part of the postinstall script, it will install loadable kernel module
|
||||
as part of Solaris 2 (using add_drv) making it available for immeadiate use.
|
||||
|
||||
IP Filter will be installed into /opt/CYBSipf (programs, manual pages and
|
||||
examples) and create a directory /etc/opt/CYBSipf with a null body file
|
||||
called "ipf.conf" using touch. The rc scripts have been written to look
|
||||
for the configuration file here, using the installed binaries in /sbin.
|
||||
|
||||
Darren Reed
|
||||
darrenr@cyber.com.au
|
36
contrib/ipfilter/INSTALL.SunOS
Normal file
36
contrib/ipfilter/INSTALL.SunOS
Normal file
@ -0,0 +1,36 @@
|
||||
|
||||
To install as a Loadable Kernel Module (LKM):
|
||||
|
||||
1. do a "make sunos4" in this directory
|
||||
|
||||
2. Run the script "SunOS4/minstall" as root.
|
||||
|
||||
3. change directory to SunOS4 and run "make install"
|
||||
|
||||
4. Reboot using the new kernel
|
||||
|
||||
5. use modload(8) to load the packet filter with:
|
||||
modload if_ipl.o
|
||||
|
||||
6. do "modstat" to confirm that it has been loaded successfully.
|
||||
|
||||
There is no need to use mknod to create the device in /dev;
|
||||
- upon loading the module, it will create itself with the correct
|
||||
values, under the name (IPL_NAME) from the Makefile. It will
|
||||
also remove itself from /dev when it is modunload'd.
|
||||
|
||||
|
||||
To install as part of a SunOS 4.1.x kernel:
|
||||
|
||||
1. do a "make sunos4" in this directory
|
||||
|
||||
2. Run the script "SunOS4/kinstall" as root.
|
||||
NOTE: This script sets up /dev/ipl as char. device 59,0
|
||||
in /sys/sun/conf.c
|
||||
|
||||
3. Do "mknod /dev/ipl c 59 0" as root.
|
||||
|
||||
4. Reboot using the new kernel
|
||||
|
||||
Darren Reed
|
||||
darrenr@cyber.com.au
|
39
contrib/ipfilter/INSTALL.xBSD
Normal file
39
contrib/ipfilter/INSTALL.xBSD
Normal file
@ -0,0 +1,39 @@
|
||||
|
||||
To build a kernel for use with the loadable kernel module, follow these
|
||||
steps:
|
||||
1. do "make bsd"
|
||||
|
||||
2. cd to the "BSD" directory and type "make install"
|
||||
|
||||
3. run "4bsd/minstall" as root
|
||||
|
||||
4. build a new kernel
|
||||
|
||||
5. install and reboot with the new kernel
|
||||
|
||||
6. use modload(8) to load the packet filter with:
|
||||
modload if_ipl.o
|
||||
|
||||
7. do "modstat" to confirm that it has been loaded successfully.
|
||||
|
||||
There is no need to use mknod to create the device in /dev;
|
||||
- upon loading the module, it will create itself with the correct values,
|
||||
under the name (IPL_NAME) from the Makefile. It will also remove itself
|
||||
from /dev when it is modunload'd.
|
||||
|
||||
To build a kernel with the IP filter, follow these steps:
|
||||
|
||||
1. do "make bsd"
|
||||
|
||||
2. cd to the "BSD" directory and type "make install"
|
||||
|
||||
3. run "4bsd/kinstall" as root
|
||||
|
||||
4. build a new kernel
|
||||
|
||||
5. create /dev/ipl with "mknod /dev/ipl c 59 0".
|
||||
|
||||
6. install and reboot with the new kernel
|
||||
|
||||
Darren
|
||||
darrenr@cyber.com.au
|
16
contrib/ipfilter/LICENCE
Normal file
16
contrib/ipfilter/LICENCE
Normal file
@ -0,0 +1,16 @@
|
||||
/*
|
||||
* (C)opyright 1993, 1994, 1995 by Darren Reed.
|
||||
*
|
||||
* The author accepts no responsibility for the use of this software and
|
||||
* provides it on an ``as is'' basis without express or implied warranty.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
||||
*
|
||||
* I hate legaleese, don't you ?
|
||||
*/
|
158
contrib/ipfilter/Makefile
Normal file
158
contrib/ipfilter/Makefile
Normal file
@ -0,0 +1,158 @@
|
||||
#
|
||||
# (C)opyright 1993, 1994, 1995 by Darren Reed.
|
||||
#
|
||||
# This code may be freely distributed as long as it retains this notice
|
||||
# and is not changed in any way. The author accepts no responsibility
|
||||
# for the use of this software. I hate legaleese, don't you ?
|
||||
#
|
||||
# $Id: Makefile,v 2.0.1.4 1997/02/08 06:39:28 darrenr Exp $
|
||||
#
|
||||
# where to put things.
|
||||
#
|
||||
BINDEST=/usr/local/ip_fil3.1.1/bin
|
||||
SBINDEST=/usr/local/ip_fil3.1.1/sbin
|
||||
MANDIR=/usr/local/ip_fil3.1.1/man
|
||||
CC=gcc
|
||||
DEBUG=-g
|
||||
CFLAGS=-I$$(TOP)
|
||||
DCPU=`uname -m`
|
||||
#
|
||||
# To enable this to work as a Loadable Kernel Module...
|
||||
#
|
||||
IPFLKM=-DIPFILTER_LKM
|
||||
#
|
||||
# To enable logging of blocked/passed packets...
|
||||
#
|
||||
IPFLOG=-DIPFILTER_LOG
|
||||
#
|
||||
# The facility you wish to log messages from ipmon to syslogd with.
|
||||
#
|
||||
LOGFAC=-DLOGFAC=LOG_LOCAL0
|
||||
#
|
||||
# For packets which don't match any pass rules or any block rules, set either
|
||||
# FR_PASS or FR_BLOCK (respectively). It defaults to FR_PASS if left
|
||||
# undefined. This is ignored for ipftest, which can thus return three
|
||||
# results: pass, block and nomatch. This is the sort of "block unless
|
||||
# explicitly allowed" type #define switch.
|
||||
#
|
||||
POLICY=-DNOMATCH=FR_PASS
|
||||
#
|
||||
MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
|
||||
"CC=$(CC)" 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \
|
||||
"IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \
|
||||
"SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "ARCH=$(ARCH)"
|
||||
#
|
||||
########## ########## ########## ########## ########## ########## ##########
|
||||
#
|
||||
CP=/bin/cp
|
||||
RM=/bin/rm
|
||||
CHMOD=/bin/chmod
|
||||
INSTALL=install
|
||||
#
|
||||
DFLAGS=$(IPFLKM) $(IPFLOG) $(DEF)
|
||||
|
||||
all:
|
||||
@echo "Chose one of the following targets for making IP filter:"
|
||||
@echo ""
|
||||
@echo "solaris - auto-selects SunOS4.1.x/Solaris 2.[45]/Soalris2.[45]-x86"
|
||||
@echo "bsd - compile for 4.4BSD based Unixes (FreeBSD/NetBSD/OpenBSD)"
|
||||
@echo "bsdi - compile for BSD/OS"
|
||||
@echo ""
|
||||
|
||||
tests:
|
||||
@if [ -d test ]; then (cd test; make) \
|
||||
else echo test directory not present, sorry; fi
|
||||
|
||||
sunos solaris:
|
||||
./buildsunos
|
||||
|
||||
sunos4 solaris1:
|
||||
(cd SunOS4; make build TOP=.. $(MFLAGS); cd ..)
|
||||
(cd SunOS4; make -f Makefile.ipsend TOP=.. $(MFLAGS); cd ..)
|
||||
|
||||
sunos5 solaris2:
|
||||
(cd SunOS5/$(DCPU); make build TOP=../.. $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..)
|
||||
(cd SunOS5/$(DCPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
|
||||
|
||||
sunos5x86 solaris2x86:
|
||||
(cd SunOS5/$(DCPU); make build TOP=../.. $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..)
|
||||
(cd SunOS5/$(DCPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..)
|
||||
|
||||
bsd netbsd freebsd:
|
||||
-if [ ! -d BSD/$(DCPU) ] ; then mkdir BSD/$(DCPU); fi
|
||||
-rm -f BSD/$(DCPU)/Makefile BSD/$(DCPU)/Makefile.ipsend
|
||||
-ln -s ../Makefile BSD/$(DCPU)/Makefile
|
||||
-ln -s ../Makefile.ipsend BSD/$(DCPU)/Makefile.ipsend
|
||||
(cd BSD/$(DCPU); make build "TOP=../.." $(MFLAGS); cd ..)
|
||||
(cd BSD/$(DCPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
|
||||
|
||||
bsdi bsdos:
|
||||
-if [ ! -d BSD/$(DCPU) ] ; then mkdir BSD/$(DCPU); fi
|
||||
-rm -f BSD/$(DCPU)/Makefile BSD/$(DCPU)/Makefile.ipsend
|
||||
-ln -s ../Makefile BSD/$(DCPU)/Makefile
|
||||
-ln -s ../Makefile.ipsend BSD/$(DCPU)/Makefile.ipsend
|
||||
(cd BSD/$(DCPU); make build "TOP=../.." $(MFLAGS) LKM= ; cd ..)
|
||||
(cd BSD/$(DCPU); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..)
|
||||
|
||||
clean:
|
||||
${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \
|
||||
vnode_if.h $(LKM)
|
||||
(cd SunOS4; make clean)
|
||||
(cd SunOS5; make clean)
|
||||
(cd BSD; make clean)
|
||||
[ -d test ] && (cd test; make clean)
|
||||
(cd ipsend; make clean)
|
||||
|
||||
clean-bsd:
|
||||
(cd BSD; make clean)
|
||||
|
||||
clean-sunos4:
|
||||
(cd SunOS4; make clean)
|
||||
|
||||
clean-sunos5:
|
||||
(cd SunOS5; make clean)
|
||||
|
||||
get:
|
||||
-@for i in ipf.c ipt.h solaris.c ipf.h kmem.c ipft_ef.c linux.h \
|
||||
ipft_pc.c fil.c ipft_sn.c mln_ipl.c fils.c ipft_td.c \
|
||||
mls_ipl.c ip_compat.h ipl.h opt.c ip_fil.c ipl_ldev.c \
|
||||
parse.c ip_fil.h ipmon.c pcap.h ip_sfil.c ipt.c snoop.h \
|
||||
ip_state.c ip_state.h ip_nat.c ip_nat.h ip_frag.c \
|
||||
ip_frag.h ip_sfil.c misc.c; do \
|
||||
if [ ! -f $$i ] ; then \
|
||||
echo "getting $$i"; \
|
||||
sccs get $$i; \
|
||||
fi \
|
||||
done
|
||||
|
||||
install-bsd: bsd
|
||||
(cd BSD/$(DCPU); $(MAKE) "TOP=../.." install)
|
||||
install-sunos4: solaris
|
||||
(cd SunOS4; $(MAKE) "TOP=.." install)
|
||||
install-sunos5: solaris
|
||||
(cd SunOS5; $(MAKE) "TOP=.." install)
|
||||
|
||||
# XXX FIXME: bogus to depend on all!
|
||||
install: all ip_fil.h
|
||||
-$(CP) ip_fil.h /usr/include/netinet/ip_fil.h
|
||||
-$(CHMOD) 444 /usr/include/netinet/ip_fil.h
|
||||
-$(INSTALL) -cs -g wheel -m 755 -o root ipfstat ipf ipnat $(SBINDEST)
|
||||
-$(INSTALL) -cs -g wheel -m 755 -o root ipmon ipftest $(BINDEST)
|
||||
(cd man; $(MAKE) INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd ..)
|
||||
|
||||
rcsget:
|
||||
-@for i in ipf.c ipt.h solaris.c ipf.h kmem.c ipft_ef.c linux.h \
|
||||
ipft_pc.c fil.c ipft_sn.c mln_ipl.c fils.c ipft_td.c \
|
||||
mls_ipl.c ip_compat.h ipl.h opt.c ip_fil.c ipl_ldev.c \
|
||||
parse.c ip_fil.h ipmon.c pcap.h ip_sfil.c ipt.c snoop.h \
|
||||
ip_state.c ip_state.h ip_nat.c ip_nat.h ip_frag.c \
|
||||
ip_frag.h ip_sfil.c misc.c; do \
|
||||
if [ ! -f $$i ] ; then \
|
||||
echo "getting $$i"; \
|
||||
co $$i; \
|
||||
fi \
|
||||
done
|
||||
|
||||
do-cvs:
|
||||
find . -type d -name CVS -print | xargs /bin/rm -rf
|
||||
find . -type f -name .cvsignore -print | xargs /bin/rm -f
|
93
contrib/ipfilter/README
Normal file
93
contrib/ipfilter/README
Normal file
@ -0,0 +1,93 @@
|
||||
IP Filter - What's this about ?
|
||||
============================
|
||||
|
||||
The idea behind this package is allow those who use Unix workstations as
|
||||
routers (a common occurance in Universities it appears) to apply packet
|
||||
filtering to packets going in and out of them. This package has been
|
||||
tested on all versions of SunOS 4.1 and Solaris 2.4/2.5, running on Sparcs.
|
||||
It is also quite possible for this small kernel extension to be installed
|
||||
and used effectively on Sun workstations which don't route IP, just for
|
||||
added security. It can also be integrated with the multicast patches.
|
||||
It has also been tested successfully on all of the modern free BSDs as
|
||||
well as BSDI.
|
||||
|
||||
The filter keeps a rule list for both inbound and outbound sides of
|
||||
the IP packet queue and a check is made as early as possible, aiming to
|
||||
stop the packet before it even gets as far as being checked for source
|
||||
route options. In the file "BNF", a set of rules for constructing filter
|
||||
rules understood by this package is given. The files in the directory
|
||||
"rules", "example.1" ... "example.sr" show example rules you might apply.
|
||||
|
||||
In practise, I've successfully isolated a workstation from all
|
||||
machines except the NFS file servers on its local subnets (yeah, ok, so
|
||||
this doesn't really increase security, because of NFS, but you get the
|
||||
drift on how it can be applied and used). I've also successfully
|
||||
setup and maintained my own firewalls using it with TIS's Firewall Toolkit,
|
||||
including using it on an mbone router.
|
||||
|
||||
When using it with multicast IP, the calls to fr_check() should be
|
||||
before the packet is unwrapped and after it is encapsulated. So the
|
||||
filter routines will see the packet as a UDP packet, protocol XYZ.
|
||||
Whether this is better or worse than having it filter on class D addresses
|
||||
is debateable, but the idea behind this package is to be able to
|
||||
discriminate between packets as they are on the 'wire', before they
|
||||
get routed anywhere, etc.
|
||||
|
||||
It is worth noting, that it is possible, using a small MTU and
|
||||
generating tiny fragmented IP packets to generate a TCP packet which
|
||||
doesn't contain enough information to filter on the "flags". Filtering
|
||||
on these types of packets is possible, but under the more general case
|
||||
of the packets being "short". ICMP and UDP packets which are too small
|
||||
(they don't contain a complete header) are dropped and logged, no questions
|
||||
asked. When filtering on fragmented packets, the last fragment will get
|
||||
through for TCP/UDP/ICMP packets.
|
||||
|
||||
|
||||
Some general notes.
|
||||
-------------------
|
||||
To add/delete a rule from memory, access to the device in /dev is needed,
|
||||
allowing non-root maintenaince. The filter list in kernel memory is built
|
||||
from the kernel's heap. Each packet coming *in* or *out* is checked against
|
||||
the appropriate list, rejects dropped, others passed through. Thus this will
|
||||
work on an individual host, not just gateways. Presently there is only one
|
||||
list for all interfaces, the changes required to make it a per-interface list
|
||||
require more .o replacements for the kernel. When checking a packet, the
|
||||
packet is compared to the entire list from top to bottom, the last matching
|
||||
line being effective.
|
||||
|
||||
|
||||
What does what ?
|
||||
----------------
|
||||
if_fil.o (Loadable kernel module)
|
||||
- additional kernel routines to check an access list as to whether
|
||||
or not to drop or pass a packet. It currently defaults to pass
|
||||
on all packets.
|
||||
|
||||
ipfstat
|
||||
- digs through your kernel (need to check #define VMUNIX in fils.c)
|
||||
and /dev/kmem for the access filter list and mini stats table.
|
||||
Obviously needs to be run priviledged if required.
|
||||
|
||||
ipf
|
||||
- reads the files passed as parameters as input files containing new
|
||||
filter rules to add/delete to the kernel list. The lines are
|
||||
inserted in order; the first line is inserted first, and ends up
|
||||
first on the list. Subsequent invocations append to the list
|
||||
unless specified otherwise.
|
||||
|
||||
ipftest
|
||||
- test the ruleset given by filename. Reads in the ruleset and then
|
||||
waits for stdin.
|
||||
|
||||
See the man pages (ipf.1, ipftest.1, ipfstat.8) for more detailed
|
||||
information on what the above do.
|
||||
|
||||
mkfilters
|
||||
- suggests a set of filter rules to employ and suggests how to add
|
||||
routes to back these up.
|
||||
|
||||
BNF
|
||||
- BNF rule set for the filter rules
|
||||
|
||||
Darren Reed
|
||||
darrenr@cyber.com.au
|
83
contrib/ipfilter/bsdinstall
Executable file
83
contrib/ipfilter/bsdinstall
Executable file
@ -0,0 +1,83 @@
|
||||
#! /bin/sh
|
||||
#
|
||||
# @(#)install.sh 4.5 (Berkeley) 10/12/83
|
||||
#
|
||||
cmd=/bin/mv
|
||||
strip=""
|
||||
chmod="chmod 755"
|
||||
chown="chown -f root"
|
||||
chgrp="chgrp -f bin"
|
||||
while true ; do
|
||||
case $1 in
|
||||
-s ) strip="strip"
|
||||
shift
|
||||
;;
|
||||
-c ) cmd="cp"
|
||||
shift
|
||||
;;
|
||||
-m ) chmod="chmod $2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
-o ) chown="chown -f $2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
-g ) chgrp="chgrp -f $2"
|
||||
shift
|
||||
shift
|
||||
;;
|
||||
-d ) cmd="mkdir"
|
||||
shift
|
||||
;;
|
||||
* ) break
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ ! ${2-""} ]
|
||||
then echo "install: no destination specified"
|
||||
exit 1
|
||||
fi
|
||||
if [ ${3-""} ]
|
||||
then echo "install: too many files specified -> $*"
|
||||
exit 1
|
||||
fi
|
||||
if [ $1 = $2 -o $2 = . ]
|
||||
then echo "install: can't move $1 onto itself"
|
||||
exit 1
|
||||
fi
|
||||
case $cmd in
|
||||
/bin/mkdir )
|
||||
file=$2/$1
|
||||
;;
|
||||
* )
|
||||
if [ '!' -f $1 ]
|
||||
then echo "install: can't open $1"
|
||||
exit 1
|
||||
fi
|
||||
if [ -d $2 ]
|
||||
then file=$2/$1
|
||||
else file=$2
|
||||
fi
|
||||
/bin/rm -f $file
|
||||
;;
|
||||
esac
|
||||
|
||||
case $cmd in
|
||||
/bin/mkdir )
|
||||
if [ ! -d "$file" ]
|
||||
then $cmd $file
|
||||
fi
|
||||
;;
|
||||
* )
|
||||
$cmd $1 $file
|
||||
if [ $strip ]
|
||||
then $strip $file
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
$chown $file
|
||||
$chgrp $file
|
||||
$chmod $file
|
23
contrib/ipfilter/buildsunos
Executable file
23
contrib/ipfilter/buildsunos
Executable file
@ -0,0 +1,23 @@
|
||||
#! /bin/sh
|
||||
# $Id: buildsunos,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $
|
||||
:
|
||||
rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'`
|
||||
cpu=`uname -m`
|
||||
if [ $rev = 5 ] ; then
|
||||
solrev=`uname -r | sed -e 's/^\([0-9]*\)\.\([0-9]*\)$/\2/'`
|
||||
mkdir -p SunOS5/${cpu}
|
||||
/bin/rm -f SunOS5/${cpu}/Makefile
|
||||
/bin/rm -f SunOS5/${cpu}/Makefile.ipsend
|
||||
ln -s ../Makefile SunOS5/${cpu}/Makefile
|
||||
ln -s ../Makefile.ipsend SunOS5/${cpu}/Makefile.ipsend
|
||||
fi
|
||||
if [ $cpu = i86pc ] ; then
|
||||
make ${1+"$@"} sunos5x86 SOLARIS2="-DSOLARIS2=$solrev" DCPU=${cpu}
|
||||
exit $?
|
||||
fi
|
||||
if [ x$solrev = x ] ; then
|
||||
make ${1+"$@"} sunos$rev "ARCH=`uname -m`"
|
||||
exit $?
|
||||
fi
|
||||
make ${1+"$@"} sunos$rev SOLARIS2="-DSOLARIS2=$solrev" DCPU=${cpu}
|
||||
exit $?
|
95
contrib/ipfilter/etc/protocols
Normal file
95
contrib/ipfilter/etc/protocols
Normal file
@ -0,0 +1,95 @@
|
||||
icmp 1 ICMP # Internet Control Message
|
||||
igmp 2 IGMP # Internet Group Management
|
||||
ggp 3 GGP # Gateway-to-Gateway
|
||||
ip 4 IP # IP in IP (encasulation)
|
||||
st 5 ST # Stream
|
||||
tcp 6 TCP # Transmission Control
|
||||
ucl 7 UCL # UCL
|
||||
egp 8 EGP # Exterior Gateway Protocol
|
||||
igp 9 IGP # any private interior gateway
|
||||
bbn-rcc-mon 10 BBN-RCC-MON # BBN RCC Monitoring
|
||||
nvp-ii 11 NVP-II # Network Voice Protocol
|
||||
pup 12 PUP # PUP
|
||||
argus 13 ARGUS # ARGUS
|
||||
emcon 14 EMCON # EMCON
|
||||
xnet 15 XNET # Cross Net Debugger
|
||||
chaos 16 CHAOS # Chaos
|
||||
udp 17 UDP # User Datagram
|
||||
mux 18 MUX # Multiplexing
|
||||
dcn-meas 19 DCN-MEAS # DCN Measurement Subsystems
|
||||
hmp 20 HMP # Host Monitoring
|
||||
prm 21 PRM # Packet Radio Measurement
|
||||
xns-idp 22 XNS-IDP # XEROX NS IDP
|
||||
trunk-1 23 TRUNK-1 # Trunk-1
|
||||
trunk-2 24 TRUNK-2 # Trunk-2
|
||||
leaf-1 25 LEAF-1 # Leaf-1
|
||||
leaf-2 26 LEAF-2 # Leaf-2
|
||||
rdp 27 RDP # Reliable Data Protocol
|
||||
irtp 28 IRTP # Internet Reliable Transaction
|
||||
iso-tp4 29 ISO-TP4 # ISO Transport Protocol Class 4
|
||||
netblt 30 NETBLT # Bulk Data Transfer Protocol
|
||||
mfe-nsp 31 MFE-NSP # MFE Network Services Protocol
|
||||
merit-inp 32 MERIT-INP # MERIT Internodal Protocol
|
||||
sep 33 SEP # Sequential Exchange Protocol
|
||||
3pc 34 3PC # Third Party Connect Protocol
|
||||
idpr 35 IDPR # Inter-Domain Policy Routing Protocol
|
||||
xtp 36 XTP # XTP
|
||||
ddp 37 DDP # Datagram Delivery Protocol
|
||||
idpr-cmtp 38 IDPR-CMTP # IDPR Control Message Transport Proto
|
||||
tp++ 39 TP++ # TP++ Transport Protocol
|
||||
il 40 IL # IL Transport Protocol
|
||||
sip 41 SIP # Simple Internet Protocol
|
||||
sdrp 42 SDRP # Source Demand Routing Protocol
|
||||
sip-sr 43 SIP-SR # SIP Source Route
|
||||
sip-frag 44 SIP-FRAG # SIP Fragment
|
||||
idrp 45 IDRP # Inter-Domain Routing Protocol
|
||||
rsvp 46 RSVP # Reservation Protocol
|
||||
gre 47 GRE # General Routing Encapsulation
|
||||
mhrp 48 MHRP # Mobile Host Routing Protocol
|
||||
bna 49 BNA # BNA
|
||||
sipp-esp 50 SIPP-ESP # SIPP Encap Security Payload
|
||||
sipp-ah 51 SIPP-AH # SIPP Authentication Header
|
||||
i-nlsp 52 I-NLSP # Integrated Net Layer Security TUBA
|
||||
swipe 53 SWIPE # IP with Encryption
|
||||
nhrp 54 NHRP # NBMA Next Hop Resolution Protocol
|
||||
any 61 any # host internal protocol
|
||||
cftp 62 CFTP # CFTP
|
||||
any 63 any # local network
|
||||
sat-expak 64 SAT-EXPAK # SATNET and Backroom EXPAK
|
||||
kryptolan 65 KRYPTOLAN # Kryptolan
|
||||
rvd 66 RVD # MIT Remote Virtual Disk Protocol
|
||||
ippc 67 IPPC # Internet Pluribus Packet Core
|
||||
any 68 any # distributed file system
|
||||
sat-mon 69 SAT-MON # SATNET Monitoring
|
||||
visa 70 VISA # VISA Protocol
|
||||
ipcv 71 IPCV # Internet Packet Core Utility
|
||||
cpnx 72 CPNX # Computer Protocol Network Executive
|
||||
cphb 73 CPHB # Computer Protocol Heart Beat
|
||||
wsn 74 WSN # Wang Span Network
|
||||
pvp 75 PVP # Packet Video Protocol
|
||||
br-sat-mon 76 BR-SAT-MON # Backroom SATNET Monitoring
|
||||
sun-nd 77 SUN-ND # SUN ND PROTOCOL-Temporary
|
||||
wb-mon 78 WB-MON # WIDEBAND Monitoring
|
||||
wb-expak 79 WB-EXPAK # WIDEBAND EXPAK
|
||||
iso-ip 80 ISO-IP # ISO Internet Protocol
|
||||
vmtp 81 VMTP # VMTP
|
||||
secure-vmtp 82 SECURE-VMTP # SECURE-VMTP
|
||||
vines 83 VINES # VINES
|
||||
ttp 84 TTP # TTP
|
||||
nsfnet-igp 85 NSFNET-IGP # NSFNET-IGP
|
||||
dgp 86 DGP # Dissimilar Gateway Protocol
|
||||
tcf 87 TCF # TCF
|
||||
igrp 88 IGRP # IGRP
|
||||
ospfigp 89 OSPFIGP # OSPFIGP
|
||||
sprite-rpc 90 Sprite-RPC # Sprite RPC Protocol
|
||||
larp 91 LARP # Locus Address Resolution Protocol
|
||||
mtp 92 MTP # Multicast Transport Protocol
|
||||
ax.25 93 AX.25 # AX.25 Frames
|
||||
ipip 94 IPIP # IP-within-IP Encapsulation Protocol
|
||||
micp 95 MICP # Mobile Internetworking Control Pro.
|
||||
scc-sp 96 SCC-SP # Semaphore Communications Sec. Pro.
|
||||
etherip 97 ETHERIP # Ethernet-within-IP Encapsulation
|
||||
encap 98 ENCAP # Encapsulation Header
|
||||
any 99 any # private encryption scheme
|
||||
gmtp 100 GMTP # GMTP
|
||||
reserved 255 Reserved #
|
731
contrib/ipfilter/etc/services
Normal file
731
contrib/ipfilter/etc/services
Normal file
@ -0,0 +1,731 @@
|
||||
tcpmux 1/tcp # TCP Port Service Multiplexer
|
||||
tcpmux 1/udp # TCP Port Service Multiplexer
|
||||
compressnet 2/tcp # Management Utility
|
||||
compressnet 2/udp # Management Utility
|
||||
compressnet 3/tcp # Compression Process
|
||||
compressnet 3/udp # Compression Process
|
||||
rje 5/tcp # Remote Job Entry
|
||||
rje 5/udp # Remote Job Entry
|
||||
echo 7/tcp # Echo
|
||||
echo 7/udp # Echo
|
||||
discard 9/tcp # Discard
|
||||
discard 9/udp # Discard
|
||||
systat 11/tcp # Active Users
|
||||
systat 11/udp # Active Users
|
||||
daytime 13/tcp # Daytime
|
||||
daytime 13/udp # Daytime
|
||||
qotd 17/tcp # Quote of the Day
|
||||
qotd 17/udp # Quote of the Day
|
||||
msp 18/tcp # Message Send Protocol
|
||||
msp 18/udp # Message Send Protocol
|
||||
chargen 19/tcp # Character Generator
|
||||
chargen 19/udp # Character Generator
|
||||
ftp-data 20/tcp # File Transfer
|
||||
ftp-data 20/udp # File Transfer
|
||||
ftp 21/tcp # File Transfer
|
||||
ftp 21/udp # File Transfer
|
||||
telnet 23/tcp # Telnet
|
||||
telnet 23/udp # Telnet
|
||||
smtp 25/tcp # Simple Mail Transfer
|
||||
smtp 25/udp # Simple Mail Transfer
|
||||
nsw-fe 27/tcp # NSW User System FE
|
||||
nsw-fe 27/udp # NSW User System FE
|
||||
msg-icp 29/tcp # MSG ICP
|
||||
msg-icp 29/udp # MSG ICP
|
||||
msg-auth 31/tcp # MSG Authentication
|
||||
msg-auth 31/udp # MSG Authentication
|
||||
dsp 33/tcp # Display Support Protocol
|
||||
dsp 33/udp # Display Support Protocol
|
||||
time 37/tcp # Time
|
||||
time 37/udp # Time
|
||||
rap 38/tcp # Route Access Protocol
|
||||
rap 38/udp # Route Access Protocol
|
||||
rlp 39/tcp # Resource Location Protocol
|
||||
rlp 39/udp # Resource Location Protocol
|
||||
graphics 41/tcp # Graphics
|
||||
graphics 41/udp # Graphics
|
||||
nameserver 42/tcp # Host Name Server
|
||||
nameserver 42/udp # Host Name Server
|
||||
nicname 43/tcp # Who Is
|
||||
nicname 43/udp # Who Is
|
||||
mpm-flags 44/tcp # MPM FLAGS Protocol
|
||||
mpm-flags 44/udp # MPM FLAGS Protocol
|
||||
mpm 45/tcp # Message Processing Module
|
||||
mpm 45/udp # Message Processing Module
|
||||
mpm-snd 46/tcp # MPM
|
||||
mpm-snd 46/udp # MPM
|
||||
ni-ftp 47/tcp # NI FTP
|
||||
ni-ftp 47/udp # NI FTP
|
||||
auditd 48/tcp # Digital Audit Daemon
|
||||
auditd 48/udp # Digital Audit Daemon
|
||||
re-mail-ck 50/tcp # Remote Mail Checking Protocol
|
||||
re-mail-ck 50/udp # Remote Mail Checking Protocol
|
||||
la-maint 51/tcp # IMP Logical Address Maintenance
|
||||
la-maint 51/udp # IMP Logical Address Maintenance
|
||||
xns-time 52/tcp # XNS Time Protocol
|
||||
xns-time 52/udp # XNS Time Protocol
|
||||
domain 53/tcp # Domain Name Server
|
||||
domain 53/udp # Domain Name Server
|
||||
xns-ch 54/tcp # XNS Clearinghouse
|
||||
xns-ch 54/udp # XNS Clearinghouse
|
||||
isi-gl 55/tcp # ISI Graphics Language
|
||||
isi-gl 55/udp # ISI Graphics Language
|
||||
xns-auth 56/tcp # XNS Authentication
|
||||
xns-auth 56/udp # XNS Authentication
|
||||
xns-mail 58/tcp # XNS Mail
|
||||
xns-mail 58/udp # XNS Mail
|
||||
ni-mail 61/tcp # NI MAIL
|
||||
ni-mail 61/udp # NI MAIL
|
||||
acas 62/tcp # ACA Services
|
||||
acas 62/udp # ACA Services
|
||||
covia 64/tcp # Communications Integrator (CI)
|
||||
covia 64/udp # Communications Integrator (CI)
|
||||
tacacs-ds 65/tcp # TACACS-Database Service
|
||||
tacacs-ds 65/udp # TACACS-Database Service
|
||||
sql*net 66/tcp # Oracle SQL*NET
|
||||
sql*net 66/udp # Oracle SQL*NET
|
||||
bootps 67/tcp # Bootstrap Protocol Server
|
||||
bootps 67/udp # Bootstrap Protocol Server
|
||||
bootpc 68/tcp # Bootstrap Protocol Client
|
||||
bootpc 68/udp # Bootstrap Protocol Client
|
||||
tftp 69/tcp # Trivial File Transfer
|
||||
tftp 69/udp # Trivial File Transfer
|
||||
gopher 70/tcp # Gopher
|
||||
gopher 70/udp # Gopher
|
||||
netrjs-1 71/tcp # Remote Job Service
|
||||
netrjs-1 71/udp # Remote Job Service
|
||||
netrjs-2 72/tcp # Remote Job Service
|
||||
netrjs-2 72/udp # Remote Job Service
|
||||
netrjs-3 73/tcp # Remote Job Service
|
||||
netrjs-3 73/udp # Remote Job Service
|
||||
netrjs-4 74/tcp # Remote Job Service
|
||||
netrjs-4 74/udp # Remote Job Service
|
||||
deos 76/tcp # Distributed External Object Store
|
||||
deos 76/udp # Distributed External Object Store
|
||||
vettcp 78/tcp # vettcp
|
||||
vettcp 78/udp # vettcp
|
||||
finger 79/tcp # Finger
|
||||
finger 79/udp # Finger
|
||||
www-http 80/tcp # World Wide Web HTTP
|
||||
www-http 80/udp # World Wide Web HTTP
|
||||
hosts2-ns 81/tcp # HOSTS2 Name Server
|
||||
hosts2-ns 81/udp # HOSTS2 Name Server
|
||||
xfer 82/tcp # XFER Utility
|
||||
xfer 82/udp # XFER Utility
|
||||
mit-ml-dev 83/tcp # MIT ML Device
|
||||
mit-ml-dev 83/udp # MIT ML Device
|
||||
ctf 84/tcp # Common Trace Facility
|
||||
ctf 84/udp # Common Trace Facility
|
||||
mit-ml-dev 85/tcp # MIT ML Device
|
||||
mit-ml-dev 85/udp # MIT ML Device
|
||||
mfcobol 86/tcp # Micro Focus Cobol
|
||||
mfcobol 86/udp # Micro Focus Cobol
|
||||
kerberos 88/tcp # Kerberos
|
||||
kerberos 88/udp # Kerberos
|
||||
su-mit-tg 89/tcp # SU/MIT Telnet Gateway
|
||||
su-mit-tg 89/udp # SU/MIT Telnet Gateway
|
||||
dnsix 90/tcp # DNSIX Securit Attribute Token Map
|
||||
dnsix 90/udp # DNSIX Securit Attribute Token Map
|
||||
mit-dov 91/tcp # MIT Dover Spooler
|
||||
mit-dov 91/udp # MIT Dover Spooler
|
||||
npp 92/tcp # Network Printing Protocol
|
||||
npp 92/udp # Network Printing Protocol
|
||||
dcp 93/tcp # Device Control Protocol
|
||||
dcp 93/udp # Device Control Protocol
|
||||
objcall 94/tcp # Tivoli Object Dispatcher
|
||||
objcall 94/udp # Tivoli Object Dispatcher
|
||||
supdup 95/tcp # SUPDUP
|
||||
supdup 95/udp # SUPDUP
|
||||
dixie 96/tcp # DIXIE Protocol Specification
|
||||
dixie 96/udp # DIXIE Protocol Specification
|
||||
swift-rvf 97/tcp # Swift Remote Vitural File Protocol
|
||||
swift-rvf 97/udp # Swift Remote Vitural File Protocol
|
||||
tacnews 98/tcp # TAC News
|
||||
tacnews 98/udp # TAC News
|
||||
metagram 99/tcp # Metagram Relay
|
||||
metagram 99/udp # Metagram Relay
|
||||
newacct 100/tcp
|
||||
hostname 101/tcp # NIC Host Name Server
|
||||
hostname 101/udp # NIC Host Name Server
|
||||
iso-tsap 102/tcp # ISO-TSAP
|
||||
iso-tsap 102/udp # ISO-TSAP
|
||||
gppitnp 103/tcp # Genesis Point-to-Point Trans Net
|
||||
gppitnp 103/udp # Genesis Point-to-Point Trans Net
|
||||
acr-nema 104/tcp # ACR-NEMA Digital Imag. & Comm. 300
|
||||
acr-nema 104/udp # ACR-NEMA Digital Imag. & Comm. 300
|
||||
csnet-ns 105/tcp # Mailbox Name Nameserver
|
||||
csnet-ns 105/udp # Mailbox Name Nameserver
|
||||
3com-tsmux 106/tcp # 3COM-TSMUX
|
||||
3com-tsmux 106/udp # 3COM-TSMUX
|
||||
rtelnet 107/tcp # Remote Telnet Service
|
||||
rtelnet 107/udp # Remote Telnet Service
|
||||
snagas 108/tcp # SNA Gateway Access Server
|
||||
snagas 108/udp # SNA Gateway Access Server
|
||||
pop2 109/tcp # Post Office Protocol - Version 2
|
||||
pop2 109/udp # Post Office Protocol - Version 2
|
||||
pop3 110/tcp # Post Office Protocol - Version 3
|
||||
pop3 110/udp # Post Office Protocol - Version 3
|
||||
sunrpc 111/tcp # SUN Remote Procedure Call
|
||||
sunrpc 111/udp # SUN Remote Procedure Call
|
||||
mcidas 112/tcp # McIDAS Data Transmission Protocol
|
||||
mcidas 112/udp # McIDAS Data Transmission Protocol
|
||||
auth 113/tcp # Authentication Service
|
||||
auth 113/udp # Authentication Service
|
||||
audionews 114/tcp # Audio News Multicast
|
||||
audionews 114/udp # Audio News Multicast
|
||||
sftp 115/tcp # Simple File Transfer Protocol
|
||||
sftp 115/udp # Simple File Transfer Protocol
|
||||
ansanotify 116/tcp # ANSA REX Notify
|
||||
ansanotify 116/udp # ANSA REX Notify
|
||||
uucp-path 117/tcp # UUCP Path Service
|
||||
uucp-path 117/udp # UUCP Path Service
|
||||
sqlserv 118/tcp # SQL Services
|
||||
sqlserv 118/udp # SQL Services
|
||||
nntp 119/tcp # Network News Transfer Protocol
|
||||
nntp 119/udp # Network News Transfer Protocol
|
||||
cfdptkt 120/tcp # CFDPTKT
|
||||
cfdptkt 120/udp # CFDPTKT
|
||||
erpc 121/tcp # Encore Expedited Remote Pro.Call
|
||||
erpc 121/udp # Encore Expedited Remote Pro.Call
|
||||
smakynet 122/tcp # SMAKYNET
|
||||
smakynet 122/udp # SMAKYNET
|
||||
ntp 123/tcp # Network Time Protocol
|
||||
ntp 123/udp # Network Time Protocol
|
||||
ansatrader 124/tcp # ANSA REX Trader
|
||||
ansatrader 124/udp # ANSA REX Trader
|
||||
locus-map 125/tcp # Locus PC-Interface Net Map Ser
|
||||
locus-map 125/udp # Locus PC-Interface Net Map Ser
|
||||
unitary 126/tcp # Unisys Unitary Login
|
||||
unitary 126/udp # Unisys Unitary Login
|
||||
locus-con 127/tcp # Locus PC-Interface Conn Server
|
||||
locus-con 127/udp # Locus PC-Interface Conn Server
|
||||
gss-xlicen 128/tcp # GSS X License Verification
|
||||
gss-xlicen 128/udp # GSS X License Verification
|
||||
pwdgen 129/tcp # Password Generator Protocol
|
||||
pwdgen 129/udp # Password Generator Protocol
|
||||
cisco-fna 130/tcp # cisco FNATIVE
|
||||
cisco-fna 130/udp # cisco FNATIVE
|
||||
cisco-tna 131/tcp # cisco TNATIVE
|
||||
cisco-tna 131/udp # cisco TNATIVE
|
||||
cisco-sys 132/tcp # cisco SYSMAINT
|
||||
cisco-sys 132/udp # cisco SYSMAINT
|
||||
statsrv 133/tcp # Statistics Service
|
||||
statsrv 133/udp # Statistics Service
|
||||
ingres-net 134/tcp # INGRES-NET Service
|
||||
ingres-net 134/udp # INGRES-NET Service
|
||||
loc-srv 135/tcp # Location Service
|
||||
loc-srv 135/udp # Location Service
|
||||
profile 136/tcp # PROFILE Naming System
|
||||
profile 136/udp # PROFILE Naming System
|
||||
netbios-ns 137/tcp # NETBIOS Name Service
|
||||
netbios-ns 137/udp # NETBIOS Name Service
|
||||
netbios-dgm 138/tcp # NETBIOS Datagram Service
|
||||
netbios-dgm 138/udp # NETBIOS Datagram Service
|
||||
netbios-ssn 139/tcp # NETBIOS Session Service
|
||||
netbios-ssn 139/udp # NETBIOS Session Service
|
||||
emfis-data 140/tcp # EMFIS Data Service
|
||||
emfis-data 140/udp # EMFIS Data Service
|
||||
emfis-cntl 141/tcp # EMFIS Control Service
|
||||
emfis-cntl 141/udp # EMFIS Control Service
|
||||
bl-idm 142/tcp # Britton-Lee IDM
|
||||
bl-idm 142/udp # Britton-Lee IDM
|
||||
imap2 143/tcp # Interim Mail Access Protocol v2
|
||||
imap2 143/udp # Interim Mail Access Protocol v2
|
||||
news 144/tcp # NewS
|
||||
news 144/udp # NewS
|
||||
uaac 145/tcp # UAAC Protocol
|
||||
uaac 145/udp # UAAC Protocol
|
||||
iso-tp0 146/tcp # ISO-IP0
|
||||
iso-tp0 146/udp # ISO-IP0
|
||||
iso-ip 147/tcp # ISO-IP
|
||||
iso-ip 147/udp # ISO-IP
|
||||
cronus 148/tcp # CRONUS-SUPPORT
|
||||
cronus 148/udp # CRONUS-SUPPORT
|
||||
aed-512 149/tcp # AED 512 Emulation Service
|
||||
aed-512 149/udp # AED 512 Emulation Service
|
||||
sql-net 150/tcp # SQL-NET
|
||||
sql-net 150/udp # SQL-NET
|
||||
hems 151/tcp # HEMS
|
||||
hems 151/udp # HEMS
|
||||
bftp 152/tcp # Background File Transfer Program
|
||||
bftp 152/udp # Background File Transfer Program
|
||||
sgmp 153/tcp # SGMP
|
||||
sgmp 153/udp # SGMP
|
||||
netsc-prod 154/tcp # NETSC
|
||||
netsc-prod 154/udp # NETSC
|
||||
netsc-dev 155/tcp # NETSC
|
||||
netsc-dev 155/udp # NETSC
|
||||
sqlsrv 156/tcp # SQL Service
|
||||
sqlsrv 156/udp # SQL Service
|
||||
knet-cmp 157/tcp # KNET/VM Command/Message Protocol
|
||||
knet-cmp 157/udp # KNET/VM Command/Message Protocol
|
||||
pcmail-srv 158/tcp # PCMail Server
|
||||
pcmail-srv 158/udp # PCMail Server
|
||||
nss-routing 159/tcp # NSS-Routing
|
||||
nss-routing 159/udp # NSS-Routing
|
||||
sgmp-traps 160/tcp # SGMP-TRAPS
|
||||
sgmp-traps 160/udp # SGMP-TRAPS
|
||||
snmp 161/tcp # SNMP
|
||||
snmp 161/udp # SNMP
|
||||
snmptrap 162/tcp # SNMPTRAP
|
||||
snmptrap 162/udp # SNMPTRAP
|
||||
cmip-man 163/tcp # CMIP/TCP Manager
|
||||
cmip-man 163/udp # CMIP/TCP Manager
|
||||
cmip-agent 164/tcp # CMIP/TCP Agent
|
||||
smip-agent 164/udp # CMIP/TCP Agent
|
||||
xns-courier 165/tcp # Xerox
|
||||
xns-courier 165/udp # Xerox
|
||||
s-net 166/tcp # Sirius Systems
|
||||
s-net 166/udp # Sirius Systems
|
||||
namp 167/tcp # NAMP
|
||||
namp 167/udp # NAMP
|
||||
rsvd 168/tcp # RSVD
|
||||
rsvd 168/udp # RSVD
|
||||
send 169/tcp # SEND
|
||||
send 169/udp # SEND
|
||||
print-srv 170/tcp # Network PostScript
|
||||
print-srv 170/udp # Network PostScript
|
||||
multiplex 171/tcp # Network Innovations Multiplex
|
||||
multiplex 171/udp # Network Innovations Multiplex
|
||||
cl/1 172/tcp # Network Innovations CL/1
|
||||
cl/1 172/udp # Network Innovations CL/1
|
||||
xyplex-mux 173/tcp # Xyplex
|
||||
xyplex-mux 173/udp # Xyplex
|
||||
mailq 174/tcp # MAILQ
|
||||
mailq 174/udp # MAILQ
|
||||
vmnet 175/tcp # VMNET
|
||||
vmnet 175/udp # VMNET
|
||||
genrad-mux 176/tcp # GENRAD-MUX
|
||||
genrad-mux 176/udp # GENRAD-MUX
|
||||
xdmcp 177/tcp # X Display Manager Control Protocol
|
||||
xdmcp 177/udp # X Display Manager Control Protocol
|
||||
nextstep 178/tcp # NextStep Window Server
|
||||
NextStep 178/udp # NextStep Window Server
|
||||
bgp 179/tcp # Border Gateway Protocol
|
||||
bgp 179/udp # Border Gateway Protocol
|
||||
ris 180/tcp # Intergraph
|
||||
ris 180/udp # Intergraph
|
||||
unify 181/tcp # Unify
|
||||
unify 181/udp # Unify
|
||||
audit 182/tcp # Unisys Audit SITP
|
||||
audit 182/udp # Unisys Audit SITP
|
||||
ocbinder 183/tcp # OCBinder
|
||||
ocbinder 183/udp # OCBinder
|
||||
ocserver 184/tcp # OCServer
|
||||
ocserver 184/udp # OCServer
|
||||
remote-kis 185/tcp # Remote-KIS
|
||||
remote-kis 185/udp # Remote-KIS
|
||||
kis 186/tcp # KIS Protocol
|
||||
kis 186/udp # KIS Protocol
|
||||
aci 187/tcp # Application Communication Interface
|
||||
aci 187/udp # Application Communication Interface
|
||||
mumps 188/tcp # Plus Five's MUMPS
|
||||
mumps 188/udp # Plus Five's MUMPS
|
||||
qft 189/tcp # Queued File Transport
|
||||
qft 189/udp # Queued File Transport
|
||||
gacp 190/tcp # Gateway Access Control Protocol
|
||||
cacp 190/udp # Gateway Access Control Protocol
|
||||
prospero 191/tcp # Prospero Directory Service
|
||||
prospero 191/udp # Prospero Directory Service
|
||||
osu-nms 192/tcp # OSU Network Monitoring System
|
||||
osu-nms 192/udp # OSU Network Monitoring System
|
||||
srmp 193/tcp # Spider Remote Monitoring Protocol
|
||||
srmp 193/udp # Spider Remote Monitoring Protocol
|
||||
irc 194/tcp # Internet Relay Chat Protocol
|
||||
irc 194/udp # Internet Relay Chat Protocol
|
||||
dn6-nlm-aud 195/tcp # DNSIX Network Level Module Audit
|
||||
dn6-nlm-aud 195/udp # DNSIX Network Level Module Audit
|
||||
dn6-smm-red 196/tcp # DNSIX Session Mgt Module Audit Redir
|
||||
dn6-smm-red 196/udp # DNSIX Session Mgt Module Audit Redir
|
||||
dls 197/tcp # Directory Location Service
|
||||
dls 197/udp # Directory Location Service
|
||||
dls-mon 198/tcp # Directory Location Service Monitor
|
||||
dls-mon 198/udp # Directory Location Service Monitor
|
||||
smux 199/tcp # SMUX
|
||||
smux 199/udp # SMUX
|
||||
src 200/tcp # IBM System Resource Controller
|
||||
src 200/udp # IBM System Resource Controller
|
||||
at-rtmp 201/tcp # AppleTalk Routing Maintenance
|
||||
at-rtmp 201/udp # AppleTalk Routing Maintenance
|
||||
at-nbp 202/tcp # AppleTalk Name Binding
|
||||
at-nbp 202/udp # AppleTalk Name Binding
|
||||
at-3 203/tcp # AppleTalk Unused
|
||||
at-3 203/udp # AppleTalk Unused
|
||||
at-echo 204/tcp # AppleTalk Echo
|
||||
at-echo 204/udp # AppleTalk Echo
|
||||
at-5 205/tcp # AppleTalk Unused
|
||||
at-5 205/udp # AppleTalk Unused
|
||||
at-zis 206/tcp # AppleTalk Zone Information
|
||||
at-zis 206/udp # AppleTalk Zone Information
|
||||
at-7 207/tcp # AppleTalk Unused
|
||||
at-7 207/udp # AppleTalk Unused
|
||||
at-8 208/tcp # AppleTalk Unused
|
||||
at-8 208/udp # AppleTalk Unused
|
||||
tam 209/tcp # Trivial Authenticated Mail Protocol
|
||||
tam 209/udp # Trivial Authenticated Mail Protocol
|
||||
z39.50 210/tcp # ANSI Z39.50
|
||||
z39.50 210/udp # ANSI Z39.50
|
||||
914c/g 211/tcp # Texas Instruments 914C/G Terminal
|
||||
914c/g 211/udp # Texas Instruments 914C/G Terminal
|
||||
anet 212/tcp # ATEXSSTR
|
||||
anet 212/udp # ATEXSSTR
|
||||
ipx 213/tcp # IPX
|
||||
ipx 213/udp # IPX
|
||||
vmpwscs 214/tcp # VM PWSCS
|
||||
vmpwscs 214/udp # VM PWSCS
|
||||
softpc 215/tcp # Insignia Solutions
|
||||
softpc 215/udp # Insignia Solutions
|
||||
atls 216/tcp # Access Technology License Server
|
||||
atls 216/udp # Access Technology License Server
|
||||
dbase 217/tcp # dBASE Unix
|
||||
dbase 217/udp # dBASE Unix
|
||||
mpp 218/tcp # Netix Message Posting Protocol
|
||||
mpp 218/udp # Netix Message Posting Protocol
|
||||
uarps 219/tcp # Unisys ARPs
|
||||
uarps 219/udp # Unisys ARPs
|
||||
imap3 220/tcp # Interactive Mail Access Protocol v3
|
||||
imap3 220/udp # Interactive Mail Access Protocol v3
|
||||
fln-spx 221/tcp # Berkeley rlogind with SPX auth
|
||||
fln-spx 221/udp # Berkeley rlogind with SPX auth
|
||||
rsh-spx 222/tcp # Berkeley rshd with SPX auth
|
||||
rsh-spx 222/udp # Berkeley rshd with SPX auth
|
||||
cdc 223/tcp # Certificate Distribution Center
|
||||
cdc 223/udp # Certificate Distribution Center
|
||||
sur-meas 243/tcp # Survey Measurement
|
||||
sur-meas 243/udp # Survey Measurement
|
||||
link 245/tcp # LINK
|
||||
link 245/udp # LINK
|
||||
dsp3270 246/tcp # Display Systems Protocol
|
||||
dsp3270 246/udp # Display Systems Protocol
|
||||
pdap 344/tcp # Prospero Data Access Protocol
|
||||
pdap 344/udp # Prospero Data Access Protocol
|
||||
pawserv 345/tcp # Perf Analysis Workbench
|
||||
pawserv 345/udp # Perf Analysis Workbench
|
||||
zserv 346/tcp # Zebra server
|
||||
zserv 346/udp # Zebra server
|
||||
fatserv 347/tcp # Fatmen Server
|
||||
fatserv 347/udp # Fatmen Server
|
||||
csi-sgwp 348/tcp # Cabletron Management Protocol
|
||||
csi-sgwp 348/udp # Cabletron Management Protocol
|
||||
clearcase 371/tcp # Clearcase
|
||||
clearcase 371/udp # Clearcase
|
||||
ulistserv 372/tcp # Unix Listserv
|
||||
ulistserv 372/udp # Unix Listserv
|
||||
legent-1 373/tcp # Legent Corporation
|
||||
legent-1 373/udp # Legent Corporation
|
||||
legent-2 374/tcp # Legent Corporation
|
||||
legent-2 374/udp # Legent Corporation
|
||||
hassle 375/tcp # Hassle
|
||||
hassle 375/udp # Hassle
|
||||
nip 376/tcp # Amiga Envoy Network Inquiry Proto
|
||||
nip 376/udp # Amiga Envoy Network Inquiry Proto
|
||||
tnETOS 377/tcp # NEC Corporation
|
||||
tnETOS 377/udp # NEC Corporation
|
||||
dsETOS 378/tcp # NEC Corporation
|
||||
dsETOS 378/udp # NEC Corporation
|
||||
is99c 379/tcp # TIA/EIA/IS-99 modem client
|
||||
is99c 379/udp # TIA/EIA/IS-99 modem client
|
||||
is99s 380/tcp # TIA/EIA/IS-99 modem server
|
||||
is99s 380/udp # TIA/EIA/IS-99 modem server
|
||||
hp-collector 381/tcp # hp performance data collector
|
||||
hp-collector 381/udp # hp performance data collector
|
||||
hp-managed-node 382/tcp # hp performance data managed node
|
||||
hp-managed-node 382/udp # hp performance data managed node
|
||||
hp-alarm-mgr 383/tcp # hp performance data alarm manager
|
||||
hp-alarm-mgr 383/udp # hp performance data alarm manager
|
||||
arns 384/tcp # A Remote Network Server System
|
||||
arns 384/udp # A Remote Network Server System
|
||||
ibm-app 385/tcp # IBM Application
|
||||
ibm-app 385/tcp # IBM Application
|
||||
asa 386/tcp # ASA Message Router Object Def.
|
||||
asa 386/udp # ASA Message Router Object Def.
|
||||
aurp 387/tcp # Appletalk Update-Based Routing Pro.
|
||||
aurp 387/udp # Appletalk Update-Based Routing Pro.
|
||||
unidata-ldm 388/tcp # Unidata LDM Version 4
|
||||
unidata-ldm 388/udp # Unidata LDM Version 4
|
||||
ldap 389/tcp # Lightweight Directory Access Protocol
|
||||
ldap 389/udp # Lightweight Directory Access Protocol
|
||||
uis 390/tcp # UIS
|
||||
uis 390/udp # UIS
|
||||
synotics-relay 391/tcp # SynOptics SNMP Relay Port
|
||||
synotics-relay 391/udp # SynOptics SNMP Relay Port
|
||||
synotics-broker 392/tcp # SynOptics Port Broker Port
|
||||
synotics-broker 392/udp # SynOptics Port Broker Port
|
||||
dis 393/tcp # Data Interpretation System
|
||||
dis 393/udp # Data Interpretation System
|
||||
embl-ndt 394/tcp # EMBL Nucleic Data Transfer
|
||||
embl-ndt 394/udp # EMBL Nucleic Data Transfer
|
||||
netcp 395/tcp # NETscout Control Protocol
|
||||
netcp 395/udp # NETscout Control Protocol
|
||||
netware-ip 396/tcp # Novell Netware over IP
|
||||
netware-ip 396/udp # Novell Netware over IP
|
||||
mptn 397/tcp # Multi Protocol Trans. Net.
|
||||
mptn 397/udp # Multi Protocol Trans. Net.
|
||||
kryptolan 398/tcp # Kryptolan
|
||||
kryptolan 398/udp # Kryptolan
|
||||
work-sol 400/tcp # Workstation Solutions
|
||||
work-sol 400/udp # Workstation Solutions
|
||||
ups 401/tcp # Uninterruptible Power Supply
|
||||
ups 401/udp # Uninterruptible Power Supply
|
||||
genie 402/tcp # Genie Protocol
|
||||
genie 402/udp # Genie Protocol
|
||||
decap 403/tcp # decap
|
||||
decap 403/udp # decap
|
||||
nced 404/tcp # nced
|
||||
nced 404/udp # nced
|
||||
ncld 405/tcp # ncld
|
||||
ncld 405/udp # ncld
|
||||
imsp 406/tcp # Interactive Mail Support Protocol
|
||||
imsp 406/udp # Interactive Mail Support Protocol
|
||||
timbuktu 407/tcp # Timbuktu
|
||||
timbuktu 407/udp # Timbuktu
|
||||
prm-sm 408/tcp # Prospero Resource Manager Sys. Man.
|
||||
prm-sm 408/udp # Prospero Resource Manager Sys. Man.
|
||||
prm-nm 409/tcp # Prospero Resource Manager Node Man.
|
||||
prm-nm 409/udp # Prospero Resource Manager Node Man.
|
||||
decladebug 410/tcp # DECLadebug Remote Debug Protocol
|
||||
decladebug 410/udp # DECLadebug Remote Debug Protocol
|
||||
rmt 411/tcp # Remote MT Protocol
|
||||
rmt 411/udp # Remote MT Protocol
|
||||
synoptics-trap 412/tcp # Trap Convention Port
|
||||
synoptics-trap 412/udp # Trap Convention Port
|
||||
smsp 413/tcp # SMSP
|
||||
smsp 413/udp # SMSP
|
||||
infoseek 414/tcp # InfoSeek
|
||||
infoseek 414/udp # InfoSeek
|
||||
bnet 415/tcp # BNet
|
||||
bnet 415/udp # BNet
|
||||
silverplatter 416/tcp # Silverplatter
|
||||
silverplatter 416/udp # Silverplatter
|
||||
onmux 417/tcp # Onmux
|
||||
onmux 417/udp # Onmux
|
||||
hyper-g 418/tcp # Hyper-G
|
||||
hyper-g 418/udp # Hyper-G
|
||||
ariel1 419/tcp # Ariel
|
||||
ariel1 419/udp # Ariel
|
||||
smpte 420/tcp # SMPTE
|
||||
smpte 420/udp # SMPTE
|
||||
ariel2 421/tcp # Ariel
|
||||
ariel2 421/udp # Ariel
|
||||
ariel3 422/tcp # Ariel
|
||||
ariel3 422/udp # Ariel
|
||||
opc-job-start 423/tcp # IBM Operations Planning and Control Start
|
||||
opc-job-start 423/udp # IBM Operations Planning and Control Start
|
||||
opc-job-track 424/tcp # IBM Operations Planning and Control Track
|
||||
opc-job-track 424/udp # IBM Operations Planning and Control Track
|
||||
icad-el 425/tcp # ICAD
|
||||
icad-el 425/udp # ICAD
|
||||
smartsdp 426/tcp # smartsdp
|
||||
smartsdp 426/udp # smartsdp
|
||||
svrloc 427/tcp # Server Location
|
||||
svrloc 427/udp # Server Location
|
||||
ocs_cmu 428/tcp # OCS_CMU
|
||||
ocs_cmu 428/udp # OCS_CMU
|
||||
ocs_amu 429/tcp # OCS_AMU
|
||||
ocs_amu 429/udp # OCS_AMU
|
||||
utmpsd 430/tcp # UTMPSD
|
||||
utmpsd 430/udp # UTMPSD
|
||||
utmpcd 431/tcp # UTMPCD
|
||||
utmpcd 431/udp # UTMPCD
|
||||
iasd 432/tcp # IASD
|
||||
iasd 432/udp # IASD
|
||||
nnsp 433/tcp # NNSP
|
||||
nnsp 433/udp # NNSP
|
||||
mobileip-agent 434/tcp # MobileIP-Agent
|
||||
mobileip-agent 434/udp # MobileIP-Agent
|
||||
mobilip-mn 435/tcp # MobilIP-MN
|
||||
mobilip-mn 435/udp # MobilIP-MN
|
||||
dna-cml 436/tcp # DNA-CML
|
||||
dna-cml 436/udp # DNA-CML
|
||||
comscm 437/tcp # comscm
|
||||
comscm 437/udp # comscm
|
||||
dsfgw 438/tcp # dsfgw
|
||||
dsfgw 438/udp # dsfgw
|
||||
dasp 439/tcp # dasp Thomas Obermair
|
||||
dasp 439/udp # dasp tommy@inlab.m.eunet.de
|
||||
sgcp 440/tcp # sgcp
|
||||
sgcp 440/udp # sgcp
|
||||
decvms-sysmgt 441/tcp # decvms-sysmgt
|
||||
decvms-sysmgt 441/udp # decvms-sysmgt
|
||||
cvc_hostd 442/tcp # cvc_hostd
|
||||
cvc_hostd 442/udp # cvc_hostd
|
||||
https 443/tcp # https MCom
|
||||
https 443/udp # https MCom
|
||||
snpp 444/tcp # Simple Network Paging Protocol
|
||||
snpp 444/udp # Simple Network Paging Protocol
|
||||
microsoft-ds 445/tcp # Microsoft-DS
|
||||
microsoft-ds 445/udp # Microsoft-DS
|
||||
ddm-rdb 446/tcp # DDM-RDB
|
||||
ddm-rdb 446/udp # DDM-RDB
|
||||
ddm-dfm 447/tcp # DDM-RFM
|
||||
ddm-dfm 447/udp # DDM-RFM
|
||||
ddm-byte 448/tcp # DDM-BYTE
|
||||
ddm-byte 448/udp # DDM-BYTE
|
||||
as-servermap 449/tcp # AS Server Mapper
|
||||
as-servermap 449/udp # AS Server Mapper
|
||||
tserver 450/tcp # TServer
|
||||
tserver 450/udp # TServer
|
||||
exec 512/tcp # remote process execution;
|
||||
biff 512/udp # used by mail system to notify users
|
||||
login 513/tcp # remote login a la telnet;
|
||||
who 513/udp # maintains data bases showing who's
|
||||
cmd 514/tcp # like exec, but automatic
|
||||
syslog 514/udp
|
||||
printer 515/tcp # spooler
|
||||
printer 515/udp # spooler
|
||||
talk 517/tcp # like tenex link, but across
|
||||
talk 517/udp # like tenex link, but across tcp connection is established)
|
||||
ntalk 518/tcp
|
||||
ntalk 518/udp
|
||||
utime 519/tcp # unixtime
|
||||
utime 519/udp # unixtime
|
||||
efs 520/tcp # extended file name server
|
||||
router 520/udp # local routing process (on site);
|
||||
timed 525/tcp # timeserver
|
||||
timed 525/udp # timeserver
|
||||
tempo 526/tcp # newdate
|
||||
tempo 526/udp # newdate
|
||||
courier 530/tcp # rpc
|
||||
courier 530/udp # rpc
|
||||
conference 531/tcp # chat
|
||||
conference 531/udp # chat
|
||||
netnews 532/tcp # readnews
|
||||
netnews 532/udp # readnews
|
||||
netwall 533/tcp # for emergency broadcasts
|
||||
netwall 533/udp # for emergency broadcasts
|
||||
apertus-ldp 539/tcp # Apertus Technologies Load Determination
|
||||
apertus-ldp 539/udp # Apertus Technologies Load Determination
|
||||
uucp 540/tcp # uucpd
|
||||
uucp 540/udp # uucpd
|
||||
uucp-rlogin 541/tcp # uucp-rlogin Stuart Lynne
|
||||
uucp-rlogin 541/udp # uucp-rlogin sl@wimsey.com
|
||||
klogin 543/tcp
|
||||
klogin 543/udp
|
||||
kshell 544/tcp # krcmd
|
||||
kshell 544/udp # krcmd
|
||||
new-rwho 550/tcp # new-who
|
||||
new-rwho 550/udp # new-who
|
||||
dsf 555/tcp
|
||||
dsf 555/udp
|
||||
remotefs 556/tcp # rfs server
|
||||
remotefs 556/udp # rfs server
|
||||
rmonitor 560/tcp # rmonitord
|
||||
rmonitor 560/udp # rmonitord
|
||||
monitor 561/tcp
|
||||
monitor 561/udp
|
||||
chshell 562/tcp # chcmd
|
||||
chshell 562/udp # chcmd
|
||||
9pfs 564/tcp # plan 9 file service
|
||||
9pfs 564/udp # plan 9 file service
|
||||
whoami 565/tcp # whoami
|
||||
whoami 565/udp # whoami
|
||||
meter 570/tcp # demon
|
||||
meter 570/udp # demon
|
||||
meter 571/tcp # udemon
|
||||
meter 571/udp # udemon
|
||||
ipcserver 600/tcp # Sun IPC server
|
||||
ipcserver 600/udp # Sun IPC server
|
||||
nqs 607/tcp # nqs
|
||||
nqs 607/udp # nqs
|
||||
urm 606/tcp # Cray Unified Resource Manager
|
||||
urm 606/udp # Cray Unified Resource Manager
|
||||
sift-uft 608/tcp # Sender-Initiated/Unsolicited File Transfer
|
||||
sift-uft 608/udp # Sender-Initiated/Unsolicited File Transfer
|
||||
npmp-trap 609/tcp # npmp-trap
|
||||
npmp-trap 609/udp # npmp-trap
|
||||
npmp-local 610/tcp # npmp-local
|
||||
npmp-local 610/udp # npmp-local
|
||||
npmp-gui 611/tcp # npmp-gui
|
||||
npmp-gui 611/udp # npmp-gui
|
||||
ginad 634/tcp # ginad
|
||||
ginad 634/udp # ginad
|
||||
mdqs 666/tcp
|
||||
mdqs 666/udp
|
||||
doom 666/tcp # doom Id Software
|
||||
doom 666/tcp # doom Id Software
|
||||
elcsd 704/tcp # errlog copy/server daemon
|
||||
elcsd 704/udp # errlog copy/server daemon
|
||||
entrustmanager 709/tcp # EntrustManager
|
||||
entrustmanager 709/udp # EntrustManager
|
||||
netviewdm1 729/tcp # IBM NetView DM/6000 Server/Client
|
||||
netviewdm1 729/udp # IBM NetView DM/6000 Server/Client
|
||||
netviewdm2 730/tcp # IBM NetView DM/6000 send/tcp
|
||||
netviewdm2 730/udp # IBM NetView DM/6000 send/tcp
|
||||
netviewdm3 731/tcp # IBM NetView DM/6000 receive/tcp
|
||||
netviewdm3 731/udp # IBM NetView DM/6000 receive/tcp
|
||||
netgw 741/tcp # netGW
|
||||
netgw 741/udp # netGW
|
||||
netrcs 742/tcp # Network based Rev. Cont. Sys.
|
||||
netrcs 742/udp # Network based Rev. Cont. Sys.
|
||||
flexlm 744/tcp # Flexible License Manager
|
||||
flexlm 744/udp # Flexible License Manager
|
||||
fujitsu-dev 747/tcp # Fujitsu Device Control
|
||||
fujitsu-dev 747/udp # Fujitsu Device Control
|
||||
ris-cm 748/tcp # Russell Info Sci Calendar Manager
|
||||
ris-cm 748/udp # Russell Info Sci Calendar Manager
|
||||
kerberos-adm 749/tcp # kerberos administration
|
||||
kerberos-adm 749/udp # kerberos administration
|
||||
rfile 750/tcp
|
||||
loadav 750/udp
|
||||
pump 751/tcp
|
||||
pump 751/udp
|
||||
qrh 752/tcp
|
||||
qrh 752/udp
|
||||
rrh 753/tcp
|
||||
rrh 753/udp
|
||||
tell 754/tcp # send
|
||||
tell 754/udp # send
|
||||
nlogin 758/tcp
|
||||
nlogin 758/udp
|
||||
con 759/tcp
|
||||
con 759/udp
|
||||
ns 760/tcp
|
||||
ns 760/udp
|
||||
rxe 761/tcp
|
||||
rxe 761/udp
|
||||
quotad 762/tcp
|
||||
quotad 762/udp
|
||||
cycleserv 763/tcp
|
||||
cycleserv 763/udp
|
||||
omserv 764/tcp
|
||||
omserv 764/udp
|
||||
webster 765/tcp
|
||||
webster 765/udp
|
||||
phonebook 767/tcp # phone
|
||||
phonebook 767/udp # phone
|
||||
vid 769/tcp
|
||||
vid 769/udp
|
||||
cadlock 770/tcp
|
||||
cadlock 770/udp
|
||||
rtip 771/tcp
|
||||
rtip 771/udp
|
||||
cycleserv2 772/tcp
|
||||
cycleserv2 772/udp
|
||||
submit 773/tcp
|
||||
notify 773/udp
|
||||
rpasswd 774/tcp
|
||||
acmaint_dbd 774/udp
|
||||
entomb 775/tcp
|
||||
acmaint_transd 775/udp
|
||||
wpages 776/tcp
|
||||
wpages 776/udp
|
||||
wpgs 780/tcp
|
||||
wpgs 780/udp
|
||||
concert 786/tcp # Concert
|
||||
concert 786/udp # Concert
|
||||
mdbs_daemon 800/tcp
|
||||
mdbs_daemon 800/udp
|
||||
device 801/tcp
|
||||
device 801/udp
|
||||
xtreelic 996/tcp # Central Point Software
|
||||
xtreelic 996/udp # Central Point Software
|
||||
maitrd 997/tcp
|
||||
maitrd 997/udp
|
||||
busboy 998/tcp
|
||||
puparp 998/udp
|
||||
garcon 999/tcp
|
||||
applix 999/udp # Applix ac
|
||||
puprouter 999/tcp
|
||||
puprouter 999/udp
|
||||
cadlock 1000/tcp
|
||||
ock 1000/udp
|
762
contrib/ipfilter/fil.c
Normal file
762
contrib/ipfilter/fil.c
Normal file
@ -0,0 +1,762 @@
|
||||
/*
|
||||
* (C)opyright 1993-1996 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
|
||||
static char rcsid[] = "$Id: fil.c,v 2.0.1.4 1997/02/04 13:59:41 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include <sys/errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#if defined(_KERNEL) || defined(KERNEL)
|
||||
# include <sys/systm.h>
|
||||
#else
|
||||
# include <stdio.h>
|
||||
# include <string.h>
|
||||
#endif
|
||||
#include <sys/uio.h>
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
# include <sys/mbuf.h>
|
||||
#else
|
||||
# include <sys/byteorder.h>
|
||||
# include <sys/dditypes.h>
|
||||
# include <sys/stream.h>
|
||||
#endif
|
||||
#include <sys/protosw.h>
|
||||
#include <sys/socket.h>
|
||||
#include <net/if.h>
|
||||
#ifdef sun
|
||||
# include <net/af.h>
|
||||
#endif
|
||||
#include <net/route.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include "ip_fil.h"
|
||||
#include "ip_compat.h"
|
||||
#include "ip_nat.h"
|
||||
#include "ip_frag.h"
|
||||
#include "ip_state.h"
|
||||
#ifndef MIN
|
||||
#define MIN(a,b) (((a)<(b))?(a):(b))
|
||||
#endif
|
||||
|
||||
#ifndef _KERNEL
|
||||
#include "ipf.h"
|
||||
extern int opts;
|
||||
extern void debug(), verbose();
|
||||
|
||||
#define FR_IFVERBOSE(ex,second,verb_pr) if (ex) { verbose verb_pr; second; }
|
||||
#define FR_IFDEBUG(ex,second,verb_pr) if (ex) { debug verb_pr; second; }
|
||||
#define FR_VERBOSE(verb_pr) verbose verb_pr
|
||||
#define FR_DEBUG(verb_pr) debug verb_pr
|
||||
#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi)
|
||||
# if SOLARIS
|
||||
# define bcmp memcmp
|
||||
# endif
|
||||
#else
|
||||
#define FR_IFVERBOSE(ex,second,verb_pr) ;
|
||||
#define FR_IFDEBUG(ex,second,verb_pr) ;
|
||||
#define FR_VERBOSE(verb_pr)
|
||||
#define FR_DEBUG(verb_pr)
|
||||
#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
|
||||
extern int send_reset();
|
||||
# if SOLARIS
|
||||
extern int icmp_error(), ipfr_fastroute();
|
||||
extern kmutex_t ipf_mutex, ipl_mutex;
|
||||
# else
|
||||
extern void ipfr_fastroute();
|
||||
# endif
|
||||
extern int ipl_unreach, ipllog();
|
||||
#endif
|
||||
|
||||
#if SOLARIS
|
||||
# define SEND_RESET(ip, if, q) send_reset(ip, qif, q)
|
||||
# define ICMP_ERROR(b, ip, t, c, if, src) \
|
||||
icmp_error(b, ip, t, c, if, src)
|
||||
#else
|
||||
# define SEND_RESET(ip, if, q) send_reset(ip)
|
||||
# if BSD < 199103
|
||||
# define ICMP_ERROR(b, ip, t, c, if, src) \
|
||||
icmp_error(mtod(b, ip_t *), t, c, if, src)
|
||||
# else
|
||||
# define ICMP_ERROR(b, ip, t, c, if, src) \
|
||||
icmp_error(b, t, c, (src).s_addr, if)
|
||||
# endif
|
||||
#endif
|
||||
|
||||
struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
|
||||
struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
|
||||
*ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
|
||||
int fr_flags = 0, fr_active = 0;
|
||||
|
||||
fr_info_t frcache[2];
|
||||
|
||||
|
||||
/*
|
||||
* bit values for identifying presence of individual IP options
|
||||
*/
|
||||
struct optlist ipopts[20] = {
|
||||
{ IPOPT_NOP, 0x000001 },
|
||||
{ IPOPT_RR, 0x000002 },
|
||||
{ IPOPT_ZSU, 0x000004 },
|
||||
{ IPOPT_MTUP, 0x000008 },
|
||||
{ IPOPT_MTUR, 0x000010 },
|
||||
{ IPOPT_ENCODE, 0x000020 },
|
||||
{ IPOPT_TS, 0x000040 },
|
||||
{ IPOPT_TR, 0x000080 },
|
||||
{ IPOPT_SECURITY, 0x000100 },
|
||||
{ IPOPT_LSRR, 0x000200 },
|
||||
{ IPOPT_E_SEC, 0x000400 },
|
||||
{ IPOPT_CIPSO, 0x000800 },
|
||||
{ IPOPT_SATID, 0x001000 },
|
||||
{ IPOPT_SSRR, 0x002000 },
|
||||
{ IPOPT_ADDEXT, 0x004000 },
|
||||
{ IPOPT_VISA, 0x008000 },
|
||||
{ IPOPT_IMITD, 0x010000 },
|
||||
{ IPOPT_EIP, 0x020000 },
|
||||
{ IPOPT_FINN, 0x040000 },
|
||||
{ 0, 0x000000 }
|
||||
};
|
||||
|
||||
/*
|
||||
* bit values for identifying presence of individual IP security options
|
||||
*/
|
||||
struct optlist secopt[8] = {
|
||||
{ IPSO_CLASS_RES4, 0x01 },
|
||||
{ IPSO_CLASS_TOPS, 0x02 },
|
||||
{ IPSO_CLASS_SECR, 0x04 },
|
||||
{ IPSO_CLASS_RES3, 0x08 },
|
||||
{ IPSO_CLASS_CONF, 0x10 },
|
||||
{ IPSO_CLASS_UNCL, 0x20 },
|
||||
{ IPSO_CLASS_RES2, 0x40 },
|
||||
{ IPSO_CLASS_RES1, 0x80 }
|
||||
};
|
||||
|
||||
|
||||
/*
|
||||
* compact the IP header into a structure which contains just the info.
|
||||
* which is useful for comparing IP headers with.
|
||||
*/
|
||||
void fr_makefrip(hlen, ip, fin)
|
||||
int hlen;
|
||||
ip_t *ip;
|
||||
fr_info_t *fin;
|
||||
{
|
||||
struct optlist *op;
|
||||
tcphdr_t *tcp;
|
||||
fr_ip_t *fi = &fin->fin_fi;
|
||||
u_short optmsk = 0, secmsk = 0, auth = 0;
|
||||
int i, mv, ol, off;
|
||||
u_char *s, opt;
|
||||
|
||||
fin->fin_fr = NULL;
|
||||
fin->fin_tcpf = 0;
|
||||
fin->fin_data[0] = 0;
|
||||
fin->fin_data[1] = 0;
|
||||
fin->fin_rule = -1;
|
||||
#ifdef _KERNEL
|
||||
fin->fin_icode = ipl_unreach;
|
||||
#endif
|
||||
fi->fi_v = ip->ip_v;
|
||||
fi->fi_tos = ip->ip_tos;
|
||||
fin->fin_hlen = hlen;
|
||||
fin->fin_dlen = ip->ip_len - hlen;
|
||||
tcp = (tcphdr_t *)((char *)ip + hlen);
|
||||
fin->fin_dp = (void *)tcp;
|
||||
(*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
|
||||
(*(((u_long *)fi) + 1)) = (*(((u_long *)ip) + 3));
|
||||
(*(((u_long *)fi) + 2)) = (*(((u_long *)ip) + 4));
|
||||
|
||||
fi->fi_fl = (hlen > sizeof(struct ip)) ? FI_OPTIONS : 0;
|
||||
off = (ip->ip_off & 0x1fff) << 3;
|
||||
if (ip->ip_off & 0x3fff)
|
||||
fi->fi_fl |= FI_FRAG;
|
||||
switch (ip->ip_p)
|
||||
{
|
||||
case IPPROTO_ICMP :
|
||||
if ((!IPMINLEN(ip, icmp) && !off) ||
|
||||
(off && off < sizeof(struct icmp)))
|
||||
fi->fi_fl |= FI_SHORT;
|
||||
if (fin->fin_dlen > 1)
|
||||
fin->fin_data[0] = *(u_short *)tcp;
|
||||
break;
|
||||
case IPPROTO_TCP :
|
||||
fi->fi_fl |= FI_TCPUDP;
|
||||
if ((!IPMINLEN(ip, tcphdr) && !off) ||
|
||||
(off && off < sizeof(struct tcphdr)))
|
||||
fi->fi_fl |= FI_SHORT;
|
||||
if (!(fi->fi_fl & FI_SHORT) && !off)
|
||||
fin->fin_tcpf = tcp->th_flags;
|
||||
goto getports;
|
||||
case IPPROTO_UDP :
|
||||
fi->fi_fl |= FI_TCPUDP;
|
||||
if ((!IPMINLEN(ip, udphdr) && !off) ||
|
||||
(off && off < sizeof(struct udphdr)))
|
||||
fi->fi_fl |= FI_SHORT;
|
||||
getports:
|
||||
if (!off && (fin->fin_dlen > 3)) {
|
||||
fin->fin_data[0] = ntohs(tcp->th_sport);
|
||||
fin->fin_data[1] = ntohs(tcp->th_dport);
|
||||
}
|
||||
break;
|
||||
default :
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||
for (s = (u_char *)(ip + 1), hlen -= sizeof(*ip); hlen; ) {
|
||||
if (!(opt = *s))
|
||||
break;
|
||||
ol = (opt == IPOPT_NOP) ? 1 : (int)*(s+1);
|
||||
if (opt > 1 && (ol < 2 || ol > hlen))
|
||||
break;
|
||||
for (i = 9, mv = 4; mv >= 0; ) {
|
||||
op = ipopts + i;
|
||||
if (opt == (u_char)op->ol_val) {
|
||||
optmsk |= op->ol_bit;
|
||||
if (opt == IPOPT_SECURITY) {
|
||||
struct optlist *sp;
|
||||
u_char sec;
|
||||
int j, m;
|
||||
|
||||
sec = *(s + 2); /* classification */
|
||||
for (j = 3, m = 2; m >= 0; ) {
|
||||
sp = secopt + j;
|
||||
if (sec == sp->ol_val) {
|
||||
secmsk |= sp->ol_bit;
|
||||
auth = *(s + 3);
|
||||
auth *= 256;
|
||||
auth += *(s + 4);
|
||||
break;
|
||||
}
|
||||
if (sec < sp->ol_val)
|
||||
j -= m--;
|
||||
else
|
||||
j += m--;
|
||||
}
|
||||
}
|
||||
break;
|
||||
}
|
||||
if (opt < op->ol_val)
|
||||
i -= mv--;
|
||||
else
|
||||
i += mv--;
|
||||
}
|
||||
hlen -= ol;
|
||||
s += ol;
|
||||
}
|
||||
if (auth && !(auth & 0x0100))
|
||||
auth &= 0xff00;
|
||||
fi->fi_optmsk = optmsk;
|
||||
fi->fi_secmsk = secmsk;
|
||||
fi->fi_auth = auth;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* check an IP packet for TCP/UDP characteristics such as ports and flags.
|
||||
*/
|
||||
int fr_tcpudpchk(fr, fin)
|
||||
frentry_t *fr;
|
||||
fr_info_t *fin;
|
||||
{
|
||||
register u_short po, tup;
|
||||
register char i;
|
||||
register int err = 1;
|
||||
|
||||
/*
|
||||
* Both ports should *always* be in the first fragment.
|
||||
* So far, I cannot find any cases where they can not be.
|
||||
*
|
||||
* compare destination ports
|
||||
*/
|
||||
if ((i = (int)fr->fr_dcmp)) {
|
||||
po = fr->fr_dport;
|
||||
tup = fin->fin_data[1];
|
||||
/*
|
||||
* Do opposite test to that required and
|
||||
* continue if that succeeds.
|
||||
*/
|
||||
if (!--i && tup != po) /* EQUAL */
|
||||
err = 0;
|
||||
else if (!--i && tup == po) /* NOTEQUAL */
|
||||
err = 0;
|
||||
else if (!--i && tup >= po) /* LESSTHAN */
|
||||
err = 0;
|
||||
else if (!--i && tup <= po) /* GREATERTHAN */
|
||||
err = 0;
|
||||
else if (!--i && tup > po) /* LT or EQ */
|
||||
err = 0;
|
||||
else if (!--i && tup < po) /* GT or EQ */
|
||||
err = 0;
|
||||
else if (!--i && /* Out of range */
|
||||
(tup >= po && tup <= fr->fr_dtop))
|
||||
err = 0;
|
||||
else if (!--i && /* In range */
|
||||
(tup <= po || tup >= fr->fr_dtop))
|
||||
err = 0;
|
||||
}
|
||||
/*
|
||||
* compare source ports
|
||||
*/
|
||||
if (err && (i = (int)fr->fr_scmp)) {
|
||||
po = fr->fr_sport;
|
||||
tup = fin->fin_data[0];
|
||||
if (!--i && tup != po)
|
||||
err = 0;
|
||||
else if (!--i && tup == po)
|
||||
err = 0;
|
||||
else if (!--i && tup >= po)
|
||||
err = 0;
|
||||
else if (!--i && tup <= po)
|
||||
err = 0;
|
||||
else if (!--i && tup > po)
|
||||
err = 0;
|
||||
else if (!--i && tup < po)
|
||||
err = 0;
|
||||
else if (!--i && /* Out of range */
|
||||
(tup >= po && tup <= fr->fr_stop))
|
||||
err = 0;
|
||||
else if (!--i && /* In range */
|
||||
(tup <= po || tup >= fr->fr_stop))
|
||||
err = 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* If we don't have all the TCP/UDP header, then how can we
|
||||
* expect to do any sort of match on it ? If we were looking for
|
||||
* TCP flags, then NO match. If not, then match (which should
|
||||
* satisfy the "short" class too).
|
||||
*/
|
||||
if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) {
|
||||
if (fin->fin_fi.fi_fl & FI_SHORT)
|
||||
return !(fr->fr_tcpf | fr->fr_tcpfm);
|
||||
/*
|
||||
* Match the flags ? If not, abort this match.
|
||||
*/
|
||||
if (fr->fr_tcpf &&
|
||||
fr->fr_tcpf != (fin->fin_tcpf & fr->fr_tcpfm)) {
|
||||
FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
|
||||
fr->fr_tcpfm, fr->fr_tcpf));
|
||||
err = 0;
|
||||
}
|
||||
}
|
||||
return err;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check the input/output list of rules for a match and result.
|
||||
* Could be per interface, but this gets real nasty when you don't have
|
||||
* kernel sauce.
|
||||
*/
|
||||
int fr_scanlist(pass, ip, fin, m)
|
||||
int pass;
|
||||
ip_t *ip;
|
||||
register fr_info_t *fin;
|
||||
void *m;
|
||||
{
|
||||
register struct frentry *fr;
|
||||
register fr_ip_t *fi = &fin->fin_fi;
|
||||
int rulen, portcmp = 0, off;
|
||||
|
||||
fr = fin->fin_fr;
|
||||
fin->fin_fr = NULL;
|
||||
fin->fin_rule = 0;
|
||||
off = ip->ip_off & 0x1fff;
|
||||
pass |= (fi->fi_fl << 20);
|
||||
|
||||
if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
|
||||
portcmp = 1;
|
||||
|
||||
for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
|
||||
/*
|
||||
* In all checks below, a null (zero) value in the
|
||||
* filter struture is taken to mean a wildcard.
|
||||
*
|
||||
* check that we are working for the right interface
|
||||
*/
|
||||
#ifdef _KERNEL
|
||||
if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
|
||||
continue;
|
||||
#else
|
||||
if (opts & (OPT_VERBOSE|OPT_DEBUG))
|
||||
printf("\n");
|
||||
FR_VERBOSE(("%c", (pass & FR_PASS) ? 'p' : 'b'));
|
||||
if (fin->fin_ifp && *fr->fr_ifname &&
|
||||
strcasecmp((char *)fin->fin_ifp, fr->fr_ifname))
|
||||
continue;
|
||||
FR_VERBOSE((":i"));
|
||||
#endif
|
||||
{
|
||||
register u_long *ld, *lm, *lip;
|
||||
register int i;
|
||||
|
||||
lip = (u_long *)fi;
|
||||
lm = (u_long *)&fr->fr_mip;
|
||||
ld = (u_long *)&fr->fr_ip;
|
||||
i = ((lip[0] & lm[0]) != ld[0]);
|
||||
FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n",
|
||||
lip[0], lm[0], ld[0]));
|
||||
i |= ((lip[1] & lm[1]) != ld[1]);
|
||||
FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n",
|
||||
lip[1], lm[1], ld[1]));
|
||||
i |= ((lip[2] & lm[2]) != ld[2]);
|
||||
FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n",
|
||||
lip[2], lm[2], ld[2]));
|
||||
i |= ((lip[3] & lm[3]) != ld[3]);
|
||||
FR_IFDEBUG(i,continue,("3. %#08x & %#08x != %#08x\n",
|
||||
lip[3], lm[3], ld[3]));
|
||||
i |= ((lip[4] & lm[4]) != ld[4]);
|
||||
FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n",
|
||||
lip[4], lm[4], ld[4]));
|
||||
if (i)
|
||||
continue;
|
||||
}
|
||||
|
||||
/*
|
||||
* If a fragment, then only the first has what we're looking
|
||||
* for here...
|
||||
*/
|
||||
if (fi->fi_fl & FI_TCPUDP) {
|
||||
if (portcmp) {
|
||||
if (!fr_tcpudpchk(fr, fin))
|
||||
continue;
|
||||
} else if (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf ||
|
||||
fr->fr_tcpfm)
|
||||
continue;
|
||||
} else if (fi->fi_p == IPPROTO_ICMP) {
|
||||
if (!off && (fin->fin_dlen > 1)) {
|
||||
if ((fin->fin_data[0] & fr->fr_icmpm) !=
|
||||
fr->fr_icmp) {
|
||||
FR_DEBUG(("i. %#x & %#x != %#x\n",
|
||||
fin->fin_data[0],
|
||||
fr->fr_icmpm, fr->fr_icmp));
|
||||
continue;
|
||||
}
|
||||
} else if (fr->fr_icmpm || fr->fr_icmp)
|
||||
continue;
|
||||
}
|
||||
FR_VERBOSE(("*"));
|
||||
/*
|
||||
* Just log this packet...
|
||||
*/
|
||||
pass = fr->fr_flags;
|
||||
if ((pass & FR_CALLNOW) && fr->fr_func)
|
||||
pass = (*fr->fr_func)(pass, ip, fin);
|
||||
#ifdef IPFILTER_LOG
|
||||
if ((pass & FR_LOGMASK) == FR_LOG) {
|
||||
if (!ipllog(fr->fr_flags, ip, fin, m))
|
||||
frstats[fin->fin_out].fr_skip++;
|
||||
frstats[fin->fin_out].fr_pkl++;
|
||||
}
|
||||
#endif /* IPFILTER_LOG */
|
||||
FR_DEBUG(("pass %#x\n", pass));
|
||||
fr->fr_hits++;
|
||||
if (pass & FR_ACCOUNT)
|
||||
fr->fr_bytes += ip->ip_len;
|
||||
else
|
||||
fin->fin_icode = fr->fr_icode;
|
||||
fin->fin_rule = rulen;
|
||||
fin->fin_fr = fr;
|
||||
if (pass & FR_QUICK)
|
||||
break;
|
||||
}
|
||||
return pass;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* frcheck - filter check
|
||||
* check using source and destination addresses/pors in a packet whether
|
||||
* or not to pass it on or not.
|
||||
*/
|
||||
int fr_check(ip, hlen, ifp, out
|
||||
#ifdef _KERNEL
|
||||
# if SOLARIS
|
||||
, qif, q, mp)
|
||||
qif_t *qif;
|
||||
queue_t *q;
|
||||
mblk_t **mp;
|
||||
# else
|
||||
, mp)
|
||||
struct mbuf **mp;
|
||||
# endif
|
||||
#else
|
||||
)
|
||||
#endif
|
||||
ip_t *ip;
|
||||
int hlen;
|
||||
struct ifnet *ifp;
|
||||
int out;
|
||||
{
|
||||
/*
|
||||
* The above really sucks, but short of writing a diff
|
||||
*/
|
||||
fr_info_t frinfo, *fc;
|
||||
register fr_info_t *fin = &frinfo;
|
||||
frentry_t *fr = NULL;
|
||||
int pass, changed;
|
||||
|
||||
#if !defined(__SVR4) && !defined(__svr4__) && defined(_KERNEL)
|
||||
register struct mbuf *m = *mp;
|
||||
struct mbuf *mc = NULL;
|
||||
|
||||
if ((ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP ||
|
||||
ip->ip_p == IPPROTO_ICMP)) {
|
||||
register int up = MIN(hlen + 8, ip->ip_len);
|
||||
|
||||
if (up > m->m_len) {
|
||||
if ((*mp = m_pullup(m, up)) == 0) {
|
||||
frstats[out].fr_pull[1]++;
|
||||
return -1;
|
||||
} else {
|
||||
frstats[out].fr_pull[0]++;
|
||||
m = *mp;
|
||||
ip = mtod(m, struct ip *);
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#if SOLARIS && defined(_KERNEL)
|
||||
mblk_t *mc = NULL, *m = qif->qf_m;
|
||||
#endif
|
||||
fr_makefrip(hlen, ip, fin);
|
||||
fin->fin_ifp = ifp;
|
||||
fin->fin_out = out;
|
||||
|
||||
MUTEX_ENTER(&ipf_mutex);
|
||||
if (!out) {
|
||||
changed = ip_natin(ip, hlen, fin);
|
||||
if ((fin->fin_fr = ipacct[0][fr_active]) &&
|
||||
(FR_SCANLIST(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT))
|
||||
frstats[0].fr_acct++;
|
||||
}
|
||||
|
||||
if ((pass = ipfr_knownfrag(ip, fin))) {
|
||||
if ((pass & FR_KEEPSTATE)) {
|
||||
if (fr_addstate(ip, fin, pass) == -1)
|
||||
frstats[out].fr_bads++;
|
||||
else
|
||||
frstats[out].fr_ads++;
|
||||
}
|
||||
} else if ((pass = fr_checkstate(ip, fin))) {
|
||||
if ((pass & FR_KEEPFRAG)) {
|
||||
if (fin->fin_fi.fi_fl & FI_FRAG) {
|
||||
if (ipfr_newfrag(ip, fin, pass) == -1)
|
||||
frstats[out].fr_bnfr++;
|
||||
else
|
||||
frstats[out].fr_nfr++;
|
||||
} else
|
||||
frstats[out].fr_cfr++;
|
||||
}
|
||||
} else {
|
||||
fc = frcache + out;
|
||||
if (fc->fin_fr && !bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
|
||||
/*
|
||||
* copy cached data so we can unlock the mutex
|
||||
* earlier.
|
||||
*/
|
||||
bcopy((char *)fc, (char *)fin, sizeof(*fin));
|
||||
frstats[out].fr_chit++;
|
||||
pass = fin->fin_fr->fr_flags;
|
||||
} else {
|
||||
pass = FR_NOMATCH;
|
||||
if ((fin->fin_fr = ipfilter[out][fr_active]))
|
||||
pass = FR_SCANLIST(FR_NOMATCH, ip, fin, m);
|
||||
bcopy((char *)fin, (char *)fc, FI_CSIZE);
|
||||
if (pass & FR_NOMATCH) {
|
||||
frstats[out].fr_nom++;
|
||||
#ifdef NOMATCH
|
||||
pass |= NOMATCH;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
fr = fin->fin_fr;
|
||||
|
||||
if ((pass & FR_KEEPFRAG)) {
|
||||
if (fin->fin_fi.fi_fl & FI_FRAG) {
|
||||
if (ipfr_newfrag(ip, fin, pass) == -1)
|
||||
frstats[out].fr_bnfr++;
|
||||
else
|
||||
frstats[out].fr_nfr++;
|
||||
} else
|
||||
frstats[out].fr_cfr++;
|
||||
}
|
||||
if (pass & FR_KEEPSTATE) {
|
||||
if (fr_addstate(ip, fin, pass) == -1)
|
||||
frstats[out].fr_bads++;
|
||||
else
|
||||
frstats[out].fr_ads++;
|
||||
}
|
||||
}
|
||||
|
||||
if (fr && fr->fr_func)
|
||||
pass = (*fr->fr_func)(pass, ip, fin);
|
||||
|
||||
if (out) {
|
||||
if ((fin->fin_fr = ipacct[1][fr_active]) &&
|
||||
(FR_SCANLIST(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT))
|
||||
frstats[1].fr_acct++;
|
||||
fin->fin_fr = NULL;
|
||||
changed = ip_natout(ip, hlen, fin);
|
||||
}
|
||||
fin->fin_fr = fr;
|
||||
MUTEX_EXIT(&ipf_mutex);
|
||||
|
||||
#ifdef IPFILTER_LOG
|
||||
if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
|
||||
if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
|
||||
pass |= FF_LOGNOMATCH;
|
||||
frstats[out].fr_npkl++;
|
||||
goto logit;
|
||||
} else if (((pass & FR_LOGMASK) == FR_LOGP) ||
|
||||
((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) {
|
||||
if ((pass & FR_LOGMASK) != FR_LOGP)
|
||||
pass |= FF_LOGPASS;
|
||||
frstats[out].fr_ppkl++;
|
||||
goto logit;
|
||||
} else if (((pass & FR_LOGMASK) == FR_LOGB) ||
|
||||
((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) {
|
||||
if ((pass & FR_LOGMASK) != FR_LOGB)
|
||||
pass |= FF_LOGBLOCK;
|
||||
frstats[out].fr_bpkl++;
|
||||
logit:
|
||||
if (!ipllog(pass, ip, fin, m)) {
|
||||
frstats[out].fr_skip++;
|
||||
if ((pass & (FR_PASS|FR_LOGORBLOCK)) ==
|
||||
(FR_PASS|FR_LOGORBLOCK))
|
||||
pass ^= FR_PASS|FR_BLOCK;
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif /* IPFILTER_LOG */
|
||||
|
||||
if (pass & FR_PASS)
|
||||
frstats[out].fr_pass++;
|
||||
else if (pass & FR_BLOCK) {
|
||||
frstats[out].fr_block++;
|
||||
/*
|
||||
* Should we return an ICMP packet to indicate error
|
||||
* status passing through the packet filter ?
|
||||
*/
|
||||
#ifdef _KERNEL
|
||||
if (pass & FR_RETICMP) {
|
||||
# if SOLARIS
|
||||
ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode,
|
||||
qif, ip->ip_src);
|
||||
# else
|
||||
ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode,
|
||||
ifp, ip->ip_src);
|
||||
m = NULL; /* freed by icmp_error() */
|
||||
# endif
|
||||
|
||||
frstats[0].fr_ret++;
|
||||
} else if ((pass & FR_RETRST) &&
|
||||
!(fin->fin_fi.fi_fl & FI_SHORT)) {
|
||||
if (SEND_RESET(ip, qif, q) == 0)
|
||||
frstats[1].fr_ret++;
|
||||
}
|
||||
#else
|
||||
if (pass & FR_RETICMP) {
|
||||
verbose("- ICMP unreachable sent\n");
|
||||
frstats[0].fr_ret++;
|
||||
} else if ((pass & FR_RETRST) &&
|
||||
!(fin->fin_fi.fi_fl & FI_SHORT)) {
|
||||
verbose("- TCP RST sent\n");
|
||||
frstats[1].fr_ret++;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
#ifdef _KERNEL
|
||||
# if !SOLARIS
|
||||
if (pass & FR_DUP)
|
||||
mc = m_copy(m, 0, M_COPYALL);
|
||||
if (fr) {
|
||||
frdest_t *fdp = &fr->fr_tif;
|
||||
|
||||
if ((pass & FR_FASTROUTE) ||
|
||||
(fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
|
||||
ipfr_fastroute(m, fin, fdp);
|
||||
m = *mp = NULL;
|
||||
pass = 0;
|
||||
}
|
||||
if (mc)
|
||||
ipfr_fastroute(mc, fin, &fr->fr_dif);
|
||||
}
|
||||
if (!(pass & FR_PASS) && m)
|
||||
m_freem(m);
|
||||
return (pass & FR_PASS) ? 0 : -1;
|
||||
# else
|
||||
if (pass & FR_DUP)
|
||||
mc = dupmsg(m);
|
||||
if (fr) {
|
||||
frdest_t *fdp = &fr->fr_tif;
|
||||
|
||||
if ((pass & FR_FASTROUTE) ||
|
||||
(fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
|
||||
ipfr_fastroute(qif, ip, m, mp, fin, fdp);
|
||||
m = *mp = NULL;
|
||||
}
|
||||
if (mc)
|
||||
ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif);
|
||||
}
|
||||
return (pass & FR_PASS) ? changed : -1;
|
||||
# endif
|
||||
#else
|
||||
if (pass & FR_NOMATCH)
|
||||
return 1;
|
||||
if (pass & FR_PASS)
|
||||
return 0;
|
||||
return -1;
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
#ifdef IPFILTER_LOG
|
||||
# if !(defined(_KERNEL))
|
||||
static void ipllog()
|
||||
{
|
||||
verbose("l");
|
||||
}
|
||||
# endif
|
||||
|
||||
|
||||
int fr_copytolog(buf, len)
|
||||
char *buf;
|
||||
int len;
|
||||
{
|
||||
int clen, tail;
|
||||
|
||||
tail = (iplh >= iplt) ? (iplbuf + IPLLOGSIZE - iplh) : (iplt - iplh);
|
||||
clen = MIN(tail, len);
|
||||
bcopy(buf, iplh, clen);
|
||||
len -= clen;
|
||||
tail -= clen;
|
||||
iplh += clen;
|
||||
buf += clen;
|
||||
if (iplh == iplbuf + IPLLOGSIZE) {
|
||||
iplh = iplbuf;
|
||||
tail = iplt - iplh;
|
||||
}
|
||||
if (len && tail) {
|
||||
clen = MIN(tail, len);
|
||||
bcopy(buf, iplh, clen);
|
||||
len -= clen;
|
||||
iplh += clen;
|
||||
}
|
||||
return len;
|
||||
}
|
||||
#endif
|
366
contrib/ipfilter/fils.c
Normal file
366
contrib/ipfilter/fils.c
Normal file
@ -0,0 +1,366 @@
|
||||
/*
|
||||
* (C)opyright 1993-1996 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
#include <strings.h>
|
||||
#endif
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/file.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <stddef.h>
|
||||
#include <nlist.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <net/if.h>
|
||||
#include "ip_fil.h"
|
||||
#include "ip_compat.h"
|
||||
#include "ip_nat.h"
|
||||
#include "ip_frag.h"
|
||||
#include "ip_state.h"
|
||||
#include <netdb.h>
|
||||
#include <arpa/nameser.h>
|
||||
#include <resolv.h>
|
||||
#include "ipf.h"
|
||||
#include "kmem.h"
|
||||
#ifdef __NetBSD__
|
||||
#include <paths.h>
|
||||
#endif
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
|
||||
static char rcsid[] = "$Id: fils.c,v 2.0.1.2 1997/01/30 10:21:48 darrenr Exp $";
|
||||
#endif
|
||||
#ifdef _PATH_UNIX
|
||||
#define VMUNIX _PATH_UNIX
|
||||
#else
|
||||
#define VMUNIX "/vmunix"
|
||||
#endif
|
||||
|
||||
extern char *optarg;
|
||||
|
||||
#define PRINTF (void)printf
|
||||
#define FPRINTF (void)fprintf
|
||||
#define F_IN 0
|
||||
#define F_OUT 1
|
||||
#define F_AC 2
|
||||
static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
|
||||
"ipacct(in)", "ipacct(out)" };
|
||||
|
||||
int opts = 0;
|
||||
|
||||
static void showstats(), showfrstates();
|
||||
static void showlist(), showipstates();
|
||||
|
||||
void Usage(name)
|
||||
char *name;
|
||||
{
|
||||
fprintf(stderr, "Usage: %s [-afhIiosv] [-d <device>]\n", name);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
int main(argc,argv)
|
||||
int argc;
|
||||
char *argv[];
|
||||
{
|
||||
friostat_t fio;
|
||||
ips_stat_t ipsst;
|
||||
ipfrstat_t ifrst;
|
||||
char c, *name = NULL, *device = IPL_NAME;
|
||||
int fd;
|
||||
|
||||
if (openkmem() == -1)
|
||||
exit(-1);
|
||||
|
||||
(void)setuid(getuid());
|
||||
(void)setgid(getgid());
|
||||
|
||||
while ((c = getopt(argc, argv, "afhIiosvd:")) != -1)
|
||||
{
|
||||
switch (c)
|
||||
{
|
||||
case 'a' :
|
||||
opts |= OPT_ACCNT|OPT_SHOWLIST;
|
||||
break;
|
||||
case 'd' :
|
||||
device = optarg;
|
||||
break;
|
||||
case 'f' :
|
||||
opts |= OPT_FRSTATES;
|
||||
break;
|
||||
case 'h' :
|
||||
opts |= OPT_HITS;
|
||||
break;
|
||||
case 'i' :
|
||||
opts |= OPT_INQUE|OPT_SHOWLIST;
|
||||
break;
|
||||
case 'n' :
|
||||
opts |= OPT_SHOWLINENO;
|
||||
break;
|
||||
case 'I' :
|
||||
opts |= OPT_INACTIVE;
|
||||
break;
|
||||
case 'o' :
|
||||
opts |= OPT_OUTQUE|OPT_SHOWLIST;
|
||||
break;
|
||||
case 's' :
|
||||
opts |= OPT_IPSTATES;
|
||||
break;
|
||||
case 'v' :
|
||||
opts |= OPT_VERBOSE;
|
||||
break;
|
||||
default :
|
||||
Usage(argv[0]);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if ((fd = open(device, O_RDONLY)) < 0) {
|
||||
perror("open");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
bzero((char *)&fio, sizeof(fio));
|
||||
bzero((char *)&ipsst, sizeof(ipsst));
|
||||
bzero((char *)&ifrst, sizeof(ifrst));
|
||||
|
||||
if (ioctl(fd, SIOCGETFS, &fio) == -1) {
|
||||
perror("ioctl(SIOCGETFS)");
|
||||
exit(-1);
|
||||
}
|
||||
if ((opts & OPT_IPSTATES) && (ioctl(fd, SIOCGIPST, &ipsst) == -1)) {
|
||||
perror("ioctl(SIOCGIPST)");
|
||||
exit(-1);
|
||||
}
|
||||
if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrst) == -1)) {
|
||||
perror("ioctl(SIOCGFRST)");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
if (opts & OPT_VERBOSE)
|
||||
PRINTF("opts %#x name %s\n", opts, name ? name : "<>");
|
||||
if (opts & OPT_SHOWLIST) {
|
||||
showlist(&fio);
|
||||
if((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
|
||||
opts &= ~OPT_OUTQUE;
|
||||
showlist(&fio);
|
||||
}
|
||||
} else {
|
||||
if (opts & OPT_IPSTATES)
|
||||
showipstates(fd, &ipsst);
|
||||
else if (opts & OPT_FRSTATES)
|
||||
showfrstates(fd, &ifrst);
|
||||
else
|
||||
showstats(fd, &fio);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* read the kernel stats for packets blocked and passed
|
||||
*/
|
||||
static void showstats(fd, fp)
|
||||
int fd;
|
||||
struct friostat *fp;
|
||||
{
|
||||
int frf = 0;
|
||||
|
||||
if (ioctl(fd, SIOCGETFF, &frf) == -1)
|
||||
perror("ioctl(SIOCGETFF)");
|
||||
|
||||
#if SOLARIS
|
||||
PRINTF("dropped packets:\tin %lu\tout %lu\n",
|
||||
fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
|
||||
PRINTF("non-ip packets:\t\tin %lu\tout %lu\n",
|
||||
fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
|
||||
PRINTF(" bad packets:\t\tin %lu\tout %lu\n",
|
||||
fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
|
||||
#endif
|
||||
PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
|
||||
fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
|
||||
fp->f_st[0].fr_nom);
|
||||
PRINTF(" counted %lu\n", fp->f_st[0].fr_acct);
|
||||
PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu",
|
||||
fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
|
||||
fp->f_st[1].fr_nom);
|
||||
PRINTF(" counted %lu\n", fp->f_st[0].fr_acct);
|
||||
PRINTF(" input packets logged:\tblocked %lu passed %lu\n",
|
||||
fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
|
||||
PRINTF("output packets logged:\tblocked %lu passed %lu\n",
|
||||
fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
|
||||
PRINTF(" packets logged:\tinput %lu output %lu\n",
|
||||
fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
|
||||
PRINTF(" log failures:\t\tinput %lu output %lu\n",
|
||||
fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
|
||||
PRINTF("fragment state(in):\tkept %lu\tlost %lu\n",
|
||||
fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr);
|
||||
PRINTF("fragment state(out):\tkept %lu\tlost %lu\n",
|
||||
fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr);
|
||||
PRINTF("packet state(in):\tkept %lu\tlost %lu\n",
|
||||
fp->f_st[0].fr_ads, fp->f_st[0].fr_bads);
|
||||
PRINTF("packet state(out):\tkept %lu\tlost %lu\n",
|
||||
fp->f_st[1].fr_ads, fp->f_st[1].fr_bads);
|
||||
PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n",
|
||||
fp->f_st[0].fr_ret, fp->f_st[1].fr_ret);
|
||||
PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n",
|
||||
fp->f_st[0].fr_chit, fp->f_st[1].fr_chit);
|
||||
PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n",
|
||||
fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]);
|
||||
PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n",
|
||||
fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
|
||||
|
||||
PRINTF("Packet log flags set: (%#x)\n", frf);
|
||||
if (frf & FF_LOGPASS)
|
||||
PRINTF("\tpackets passed through filter\n");
|
||||
if (frf & FF_LOGBLOCK)
|
||||
PRINTF("\tpackets blocked by filter\n");
|
||||
if (!frf)
|
||||
PRINTF("\tnone\n");
|
||||
}
|
||||
|
||||
/*
|
||||
* print out filter rule list
|
||||
*/
|
||||
static void showlist(fiop)
|
||||
struct friostat *fiop;
|
||||
{
|
||||
struct frentry fb;
|
||||
struct frentry *fp = NULL;
|
||||
int i, set, n;
|
||||
|
||||
set = fiop->f_active;
|
||||
if (opts & OPT_INACTIVE)
|
||||
set = 1 - set;
|
||||
if (opts & OPT_ACCNT) {
|
||||
i = F_AC;
|
||||
if (opts & OPT_OUTQUE) {
|
||||
fp = (struct frentry *)fiop->f_acctout[set];
|
||||
i++;
|
||||
} else if (opts & OPT_INQUE)
|
||||
fp = (struct frentry *)fiop->f_acctin[set];
|
||||
} else if (opts & OPT_OUTQUE) {
|
||||
i = F_OUT;
|
||||
fp = (struct frentry *)fiop->f_fout[set];
|
||||
} else if (opts & OPT_INQUE) {
|
||||
i = F_IN;
|
||||
fp = (struct frentry *)fiop->f_fin[set];
|
||||
} else
|
||||
return;
|
||||
if (opts & OPT_VERBOSE)
|
||||
FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i);
|
||||
|
||||
if (opts & OPT_VERBOSE)
|
||||
PRINTF("fp %#x set %d\n", (u_int)fp, set);
|
||||
if (!fp) {
|
||||
FPRINTF(stderr, "empty list for %s%s\n",
|
||||
(opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
|
||||
return;
|
||||
}
|
||||
|
||||
for (n = 1; fp; n++) {
|
||||
if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) {
|
||||
perror("kmemcpy");
|
||||
return;
|
||||
}
|
||||
fp = &fb;
|
||||
if (opts & OPT_OUTQUE)
|
||||
fp->fr_flags |= FR_OUTQUE;
|
||||
if (opts & (OPT_HITS|OPT_VERBOSE))
|
||||
PRINTF("%ld ", fp->fr_hits);
|
||||
if (opts & (OPT_ACCNT|OPT_VERBOSE))
|
||||
PRINTF("%ld ", fp->fr_bytes);
|
||||
if (opts & OPT_SHOWLINENO)
|
||||
PRINTF("@%d ", n);
|
||||
printfr(fp);
|
||||
if (opts & OPT_VERBOSE)
|
||||
binprint(fp);
|
||||
fp = fp->fr_next;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static void showipstates(fd, ipsp)
|
||||
int fd;
|
||||
ips_stat_t *ipsp;
|
||||
{
|
||||
ipstate_t *istab[IPSTATE_SIZE], ips;
|
||||
int i;
|
||||
|
||||
PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
|
||||
ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
|
||||
PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, ipsp->iss_miss);
|
||||
PRINTF("\t%lu maximum\n\t%lu no memory\n",
|
||||
ipsp->iss_max, ipsp->iss_nomem);
|
||||
PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n",
|
||||
ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin);
|
||||
if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab)))
|
||||
return;
|
||||
for (i = 0; i < IPSTATE_SIZE; i++)
|
||||
while (istab[i]) {
|
||||
if (kmemcpy(&ips, istab[i], sizeof(ips)) == -1)
|
||||
break;
|
||||
PRINTF("%s -> ", inet_ntoa(ips.is_src));
|
||||
PRINTF("%s age %d pass %d pr %d state %d/%d\n",
|
||||
inet_ntoa(ips.is_dst), ips.is_age,
|
||||
ips.is_pass, ips.is_p, ips.is_state[0],
|
||||
ips.is_state[1]);
|
||||
if (ips.is_p == IPPROTO_TCP)
|
||||
PRINTF("\t%hu -> %hu %lu:%lu %hu:%hu\n",
|
||||
ntohs(ips.is_sport),
|
||||
ntohs(ips.is_dport),
|
||||
ips.is_seq, ips.is_ack,
|
||||
ips.is_swin, ips.is_dwin);
|
||||
else if (ips.is_p == IPPROTO_UDP)
|
||||
PRINTF("\t%hu -> %hu\n", ntohs(ips.is_sport),
|
||||
ntohs(ips.is_dport));
|
||||
else if (ips.is_p == IPPROTO_ICMP)
|
||||
PRINTF("\t%hu %hu %d\n", ips.is_icmp.ics_id,
|
||||
ips.is_icmp.ics_seq,
|
||||
ips.is_icmp.ics_type);
|
||||
istab[i] = ips.is_next;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static void showfrstates(fd, ifsp)
|
||||
int fd;
|
||||
ipfrstat_t *ifsp;
|
||||
{
|
||||
struct ipfr *ipfrtab[IPFT_SIZE], ifr;
|
||||
int i;
|
||||
|
||||
PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
|
||||
ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
|
||||
PRINTF("\t%lu no memory\n\t%lu already exist\n",
|
||||
ifsp->ifs_nomem, ifsp->ifs_exists);
|
||||
PRINTF("\t%lu inuse\n", ifsp->ifs_inuse);
|
||||
if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab)))
|
||||
return;
|
||||
for (i = 0; i < IPFT_SIZE; i++)
|
||||
while (ipfrtab[i]) {
|
||||
if (kmemcpy(&ifr, (u_long)ipfrtab[i],
|
||||
sizeof(ifr)) == -1)
|
||||
break;
|
||||
PRINTF("%s -> ", inet_ntoa(ifr.ipfr_src));
|
||||
PRINTF("%s %d %d %d %#02x = %#x\n",
|
||||
inet_ntoa(ifr.ipfr_dst), ifr.ipfr_id,
|
||||
ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos,
|
||||
ifr.ipfr_pass);
|
||||
ipfrtab[i] = ifr.ipfr_next;
|
||||
}
|
||||
}
|
182
contrib/ipfilter/inet_addr.c
Normal file
182
contrib/ipfilter/inet_addr.c
Normal file
@ -0,0 +1,182 @@
|
||||
/*
|
||||
* ++Copyright++ 1983, 1990, 1993
|
||||
* -
|
||||
* Copyright (c) 1983, 1990, 1993
|
||||
* The Regents of the University of California. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. All advertising materials mentioning features or use of this software
|
||||
* must display the following acknowledgement:
|
||||
* This product includes software developed by the University of
|
||||
* California, Berkeley and its contributors.
|
||||
* 4. Neither the name of the University nor the names of its contributors
|
||||
* may be used to endorse or promote products derived from this software
|
||||
* without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
* -
|
||||
* Portions Copyright (c) 1993 by Digital Equipment Corporation.
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies, and that
|
||||
* the name of Digital Equipment Corporation not be used in advertising or
|
||||
* publicity pertaining to distribution of the document or software without
|
||||
* specific, written prior permission.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
|
||||
* WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
|
||||
* CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
|
||||
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
|
||||
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
|
||||
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
|
||||
* SOFTWARE.
|
||||
* -
|
||||
* --Copyright--
|
||||
*/
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
|
||||
static char rcsid[] = "$Id: inet_addr.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $";
|
||||
#endif /* LIBC_SCCS and not lint */
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <ctype.h>
|
||||
|
||||
/*
|
||||
* Check whether "cp" is a valid ascii representation
|
||||
* of an Internet address and convert to a binary address.
|
||||
* Returns 1 if the address is valid, 0 if not.
|
||||
* This replaces inet_addr, the return value from which
|
||||
* cannot distinguish between failure and a local broadcast address.
|
||||
*/
|
||||
int
|
||||
inet_aton(cp, addr)
|
||||
register const char *cp;
|
||||
struct in_addr *addr;
|
||||
{
|
||||
register u_long val;
|
||||
register int base, n;
|
||||
register char c;
|
||||
u_int parts[4];
|
||||
register u_int *pp = parts;
|
||||
|
||||
c = *cp;
|
||||
for (;;) {
|
||||
/*
|
||||
* Collect number up to ``.''.
|
||||
* Values are specified as for C:
|
||||
* 0x=hex, 0=octal, isdigit=decimal.
|
||||
*/
|
||||
if (!isdigit(c))
|
||||
return (0);
|
||||
val = 0; base = 10;
|
||||
if (c == '0') {
|
||||
c = *++cp;
|
||||
if (c == 'x' || c == 'X')
|
||||
base = 16, c = *++cp;
|
||||
else
|
||||
base = 8;
|
||||
}
|
||||
for (;;) {
|
||||
if (isascii(c) && isdigit(c)) {
|
||||
val = (val * base) + (c - '0');
|
||||
c = *++cp;
|
||||
} else if (base == 16 && isascii(c) && isxdigit(c)) {
|
||||
val = (val << 4) |
|
||||
(c + 10 - (islower(c) ? 'a' : 'A'));
|
||||
c = *++cp;
|
||||
} else
|
||||
break;
|
||||
}
|
||||
if (c == '.') {
|
||||
/*
|
||||
* Internet format:
|
||||
* a.b.c.d
|
||||
* a.b.c (with c treated as 16 bits)
|
||||
* a.b (with b treated as 24 bits)
|
||||
*/
|
||||
if (pp >= parts + 3)
|
||||
return (0);
|
||||
*pp++ = val;
|
||||
c = *++cp;
|
||||
} else
|
||||
break;
|
||||
}
|
||||
/*
|
||||
* Check for trailing characters.
|
||||
*/
|
||||
if (c != '\0' && (!isascii(c) || !isspace(c)))
|
||||
return (0);
|
||||
/*
|
||||
* Concoct the address according to
|
||||
* the number of parts specified.
|
||||
*/
|
||||
n = pp - parts + 1;
|
||||
switch (n) {
|
||||
|
||||
case 0:
|
||||
return (0); /* initial nondigit */
|
||||
|
||||
case 1: /* a -- 32 bits */
|
||||
break;
|
||||
|
||||
case 2: /* a.b -- 8.24 bits */
|
||||
if (val > 0xffffff)
|
||||
return (0);
|
||||
val |= parts[0] << 24;
|
||||
break;
|
||||
|
||||
case 3: /* a.b.c -- 8.8.16 bits */
|
||||
if (val > 0xffff)
|
||||
return (0);
|
||||
val |= (parts[0] << 24) | (parts[1] << 16);
|
||||
break;
|
||||
|
||||
case 4: /* a.b.c.d -- 8.8.8.8 bits */
|
||||
if (val > 0xff)
|
||||
return (0);
|
||||
val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
|
||||
break;
|
||||
}
|
||||
if (addr)
|
||||
addr->s_addr = htonl(val);
|
||||
return (1);
|
||||
}
|
||||
|
||||
/* these are compatibility routines, not needed on recent BSD releases */
|
||||
|
||||
/*
|
||||
* Ascii internet address interpretation routine.
|
||||
* The value returned is in network order.
|
||||
*/
|
||||
u_long
|
||||
inet_addr(cp)
|
||||
register const char *cp;
|
||||
{
|
||||
struct in_addr val;
|
||||
|
||||
if (inet_aton(cp, &val))
|
||||
return (val.s_addr);
|
||||
return (0xffffffff);
|
||||
}
|
342
contrib/ipfilter/ip_compat.h
Normal file
342
contrib/ipfilter/ip_compat.h
Normal file
@ -0,0 +1,342 @@
|
||||
/*
|
||||
* (C)opyright 1993, 1994, 1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ip_compat.h 1.8 1/14/96
|
||||
* $Id: ip_compat.h,v 2.0.1.4 1997/02/04 14:24:25 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef __IP_COMPAT_H_
|
||||
#define __IP_COMPAT_H__
|
||||
|
||||
#ifndef SOLARIS
|
||||
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
|
||||
#endif
|
||||
#if SOLARIS
|
||||
#define MTYPE(m) ((m)->b_datap->db_type)
|
||||
#endif
|
||||
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
|
||||
|
||||
#ifndef IP_OFFMASK
|
||||
#define IP_OFFMASK 0x1fff
|
||||
#endif
|
||||
|
||||
#ifndef MAX
|
||||
#define MAX(a,b) (((a) > (b)) ? (a) : (b))
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Security Options for Intenet Protocol (IPSO) as defined in RFC 1108.
|
||||
*
|
||||
* Basic Option
|
||||
*
|
||||
* 00000001 - (Reserved 4)
|
||||
* 00111101 - Top Secret
|
||||
* 01011010 - Secret
|
||||
* 10010110 - Confidential
|
||||
* 01100110 - (Reserved 3)
|
||||
* 11001100 - (Reserved 2)
|
||||
* 10101011 - Unclassified
|
||||
* 11110001 - (Reserved 1)
|
||||
*/
|
||||
#define IPSO_CLASS_RES4 0x01
|
||||
#define IPSO_CLASS_TOPS 0x3d
|
||||
#define IPSO_CLASS_SECR 0x5a
|
||||
#define IPSO_CLASS_CONF 0x96
|
||||
#define IPSO_CLASS_RES3 0x66
|
||||
#define IPSO_CLASS_RES2 0xcc
|
||||
#define IPSO_CLASS_UNCL 0xab
|
||||
#define IPSO_CLASS_RES1 0xf1
|
||||
|
||||
#define IPSO_AUTH_GENSER 0x80
|
||||
#define IPSO_AUTH_ESI 0x40
|
||||
#define IPSO_AUTH_SCI 0x20
|
||||
#define IPSO_AUTH_NSA 0x10
|
||||
#define IPSO_AUTH_DOE 0x08
|
||||
#define IPSO_AUTH_UN 0x06
|
||||
#define IPSO_AUTH_FTE 0x01
|
||||
|
||||
/*
|
||||
* IP option #defines
|
||||
*/
|
||||
/*#define IPOPT_RR 7 */
|
||||
#define IPOPT_ZSU 10 /* ZSU */
|
||||
#define IPOPT_MTUP 11 /* MTUP */
|
||||
#define IPOPT_MTUR 12 /* MTUR */
|
||||
#define IPOPT_ENCODE 15 /* ENCODE */
|
||||
/*#define IPOPT_TS 68 */
|
||||
#define IPOPT_TR 82 /* TR */
|
||||
/*#define IPOPT_SECURITY 130 */
|
||||
/*#define IPOPT_LSRR 131 */
|
||||
#define IPOPT_E_SEC 133 /* E-SEC */
|
||||
#define IPOPT_CIPSO 134 /* CIPSO */
|
||||
/*#define IPOPT_SATID 136 */
|
||||
#ifndef IPOPT_SID
|
||||
# define IPOPT_SID IPOPT_SATID
|
||||
#endif
|
||||
/*#define IPOPT_SSRR 137 */
|
||||
#define IPOPT_ADDEXT 147 /* ADDEXT */
|
||||
#define IPOPT_VISA 142 /* VISA */
|
||||
#define IPOPT_IMITD 144 /* IMITD */
|
||||
#define IPOPT_EIP 145 /* EIP */
|
||||
#define IPOPT_FINN 205 /* FINN */
|
||||
|
||||
|
||||
/*
|
||||
* Build some macros and #defines to enable the same code to compile anywhere
|
||||
* Well, that's the idea, anyway :-)
|
||||
*/
|
||||
#ifdef _KERNEL
|
||||
# if SOLARIS
|
||||
# define MUTEX_ENTER(x) mutex_enter(x)
|
||||
# define MUTEX_EXIT(x) mutex_exit(x)
|
||||
# define MTOD(m,t) (t)((m)->b_rptr)
|
||||
# define IRCOPY(a,b,c) copyin((a), (b), (c))
|
||||
# define IWCOPY(a,b,c) copyout((a), (b), (c))
|
||||
# else
|
||||
# define MUTEX_ENTER(x) ;
|
||||
# define MUTEX_EXIT(x) ;
|
||||
# ifndef linux
|
||||
# define MTOD(m,t) mtod(m,t)
|
||||
# define IRCOPY(a,b,c) bcopy((a), (b), (c))
|
||||
# define IWCOPY(a,b,c) bcopy((a), (b), (c))
|
||||
# endif
|
||||
# endif /* SOLARIS */
|
||||
|
||||
# ifdef sun
|
||||
# if defined(__svr4__) || defined(__SVR4)
|
||||
# define GETUNIT(n) get_unit((n))
|
||||
# else
|
||||
# include <sys/kmem_alloc.h>
|
||||
# define GETUNIT(n) ifunit((n), IFNAMSIZ)
|
||||
# endif
|
||||
# else
|
||||
# define GETUNIT(n) ifunit((n))
|
||||
# endif /* sun */
|
||||
|
||||
# if defined(sun) && !defined(linux)
|
||||
# define UIOMOVE(a,b,c,d) uiomove(a,b,c,d)
|
||||
# define SLEEP(id, n) sleep((id), PZERO+1)
|
||||
# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
|
||||
# if SOLARIS
|
||||
typedef struct qif {
|
||||
struct qif *qf_next;
|
||||
ill_t *qf_ill;
|
||||
kmutex_t qf_lock;
|
||||
void *qf_iptr;
|
||||
void *qf_optr;
|
||||
queue_t *qf_in;
|
||||
queue_t *qf_out;
|
||||
void *qf_wqinfo;
|
||||
void *qf_rqinfo;
|
||||
int (*qf_inp)();
|
||||
int (*qf_outp)();
|
||||
mblk_t *qf_m;
|
||||
int qf_len;
|
||||
char qf_name[8];
|
||||
/*
|
||||
* in case the ILL has disappeared...
|
||||
*/
|
||||
int qf_hl; /* header length */
|
||||
} qif_t;
|
||||
# define SPLNET(x) ;
|
||||
# undef SPLX
|
||||
# define SPLX(x) ;
|
||||
# ifdef sparc
|
||||
# define ntohs(x) (x)
|
||||
# define ntohl(x) (x)
|
||||
# define htons(x) (x)
|
||||
# define htonl(x) (x)
|
||||
# endif
|
||||
# define KMALLOC(x) kmem_alloc((x), KM_NOSLEEP)
|
||||
# define GET_MINOR(x) getminor(x)
|
||||
# else
|
||||
# define KMALLOC(x) new_kmem_alloc((x), KMEM_NOSLEEP)
|
||||
# endif /* __svr4__ */
|
||||
# endif /* sun && !linux */
|
||||
# ifndef GET_MINOR
|
||||
# define GET_MINOR(x) minor(x)
|
||||
# endif
|
||||
# if BSD >= 199306 || defined(__FreeBSD__)
|
||||
# include <vm/vm.h>
|
||||
# if !defined(__FreeBSD__)
|
||||
# include <vm/vm_extern.h>
|
||||
# include <sys/proc.h>
|
||||
extern vm_map_t kmem_map;
|
||||
# else
|
||||
# include <vm/vm_kern.h>
|
||||
# endif /* __FreeBSD__ */
|
||||
/*
|
||||
** # define KMALLOC(x) kmem_alloc(kmem_map, (x))
|
||||
** # define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \
|
||||
sizeof(*(x)))
|
||||
*/
|
||||
# ifdef M_PFIL
|
||||
# define KMALLOC(x) malloc((x), M_PFIL, M_NOWAIT)
|
||||
# define KFREE(x) FREE((x), M_PFIL)
|
||||
# else
|
||||
# define KMALLOC(x) malloc((x), M_TEMP, M_NOWAIT)
|
||||
# define KFREE(x) FREE((x), M_TEMP)
|
||||
# endif
|
||||
# define UIOMOVE(a,b,c,d) uiomove(a,b,d)
|
||||
# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
|
||||
# endif /* BSD */
|
||||
# if defined(NetBSD1_0) && (NetBSD1_0 > 1)
|
||||
# define SPLNET(x) x = splsoftnet()
|
||||
# else
|
||||
# if !SOLARIS
|
||||
# define SPLNET(x) x = splnet()
|
||||
# define SPLX(x) (void) splx(x)
|
||||
# endif
|
||||
# endif
|
||||
#else
|
||||
# ifndef linux
|
||||
# define MUTEX_ENTER(x) ;
|
||||
# define MUTEX_EXIT(x) ;
|
||||
# define SPLNET(x) ;
|
||||
# define SPLX(x) ;
|
||||
# define KMALLOC(x) malloc(x)
|
||||
# define KFREE(x) free(x)
|
||||
# define GETUNIT(x) (x)
|
||||
# define IRCOPY(a,b,c) bcopy((a), (b), (c))
|
||||
# define IWCOPY(a,b,c) bcopy((a), (b), (c))
|
||||
# endif
|
||||
#endif /* KERNEL */
|
||||
|
||||
#ifdef linux
|
||||
# define ICMP_UNREACH ICMP_DEST_UNREACH
|
||||
# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH
|
||||
# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED
|
||||
# define ICMP_PARAMPROB ICMP_PARAMETERPROB
|
||||
|
||||
# define TH_FIN 0x01
|
||||
# define TH_SYN 0x02
|
||||
# define TH_RST 0x04
|
||||
# define TH_PUSH 0x08
|
||||
# define TH_ACK 0x10
|
||||
# define TH_URG 0x20
|
||||
|
||||
typedef struct {
|
||||
__u16 th_sport;
|
||||
__u16 th_dport;
|
||||
__u32 th_seq;
|
||||
__u32 th_ack;
|
||||
__u8 th_x;
|
||||
__u8 th_flags;
|
||||
__u16 th_win;
|
||||
__u16 th_sum;
|
||||
__u16 th_urp;
|
||||
} tcphdr_t;
|
||||
|
||||
typedef struct {
|
||||
__u16 uh_sport;
|
||||
__u16 uh_dport;
|
||||
__u16 uh_ulen;
|
||||
__u16 uh_sun;
|
||||
} udphdr_t;
|
||||
|
||||
typedef struct {
|
||||
# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
|
||||
defined(vax)
|
||||
__u8 ip_hl:4;
|
||||
__u8 ip_v:4;
|
||||
# else
|
||||
__u8 ip_hl:4;
|
||||
__u8 ip_v:4;
|
||||
# endif
|
||||
__u8 ip_tos;
|
||||
__u16 ip_len;
|
||||
__u16 ip_id;
|
||||
__u16 ip_off;
|
||||
__u8 ip_ttl;
|
||||
__u8 ip_p;
|
||||
__u16 ip_sum;
|
||||
struct in_addr ip_src;
|
||||
struct in_addr ip_dst;
|
||||
} ip_t;
|
||||
|
||||
/*
|
||||
* Structure of an icmp header.
|
||||
*/
|
||||
struct icmp {
|
||||
u_char icmp_type; /* type of message, see below */
|
||||
u_char icmp_code; /* type sub code */
|
||||
u_short icmp_cksum; /* ones complement cksum of struct */
|
||||
union {
|
||||
u_char ih_pptr; /* ICMP_PARAMPROB */
|
||||
struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
|
||||
struct ih_idseq {
|
||||
n_short icd_id;
|
||||
n_short icd_seq;
|
||||
} ih_idseq;
|
||||
int ih_void;
|
||||
} icmp_hun;
|
||||
# define icmp_pptr icmp_hun.ih_pptr
|
||||
# define icmp_gwaddr icmp_hun.ih_gwaddr
|
||||
# define icmp_id icmp_hun.ih_idseq.icd_id
|
||||
# define icmp_seq icmp_hun.ih_idseq.icd_seq
|
||||
# define icmp_void icmp_hun.ih_void
|
||||
union {
|
||||
struct id_ts {
|
||||
n_time its_otime;
|
||||
n_time its_rtime;
|
||||
n_time its_ttime;
|
||||
} id_ts;
|
||||
struct id_ip {
|
||||
ip_t idi_ip;
|
||||
/* options and then 64 bits of data */
|
||||
} id_ip;
|
||||
u_long id_mask;
|
||||
char id_data[1];
|
||||
} icmp_dun;
|
||||
# define icmp_otime icmp_dun.id_ts.its_otime
|
||||
# define icmp_rtime icmp_dun.id_ts.its_rtime
|
||||
# define icmp_ttime icmp_dun.id_ts.its_ttime
|
||||
# define icmp_ip icmp_dun.id_ip.idi_ip
|
||||
# define icmp_mask icmp_dun.id_mask
|
||||
# define icmp_data icmp_dun.id_data
|
||||
};
|
||||
|
||||
struct ipovly {
|
||||
caddr_t ih_next, ih_prev; /* for protocol sequence q's */
|
||||
u_char ih_x1; /* (unused) */
|
||||
u_char ih_pr; /* protocol */
|
||||
short ih_len; /* protocol length */
|
||||
struct in_addr ih_src; /* source internet address */
|
||||
struct in_addr ih_dst; /* destination internet address */
|
||||
};
|
||||
|
||||
# define SPLX(x) (void)
|
||||
# define SPLNET(x) (void)
|
||||
|
||||
# define bcopy(a,b,c) memmove(b,a,c)
|
||||
# define bcmp(a,b,c) memcmp(a,b,c)
|
||||
|
||||
# define UNITNAME(n) dev_get((n))
|
||||
# define ifnet device
|
||||
|
||||
# define KMALLOC(x) kmalloc((x), GFP_ATOMIC)
|
||||
# define KFREE(x) kfree_s((x), sizeof(*(x)))
|
||||
# define IRCOPY(a,b,c) { \
|
||||
error = verify_area(VERIFY_READ, \
|
||||
(b) ,sizeof((b))); \
|
||||
if (!error) \
|
||||
memcpy_fromfs((b), (a), (c)); \
|
||||
}
|
||||
# define IWCOPY(a,b,c) { \
|
||||
error = verify_area(VERIFY_WRITE, \
|
||||
(b) ,sizeof((b))); \
|
||||
if (!error) \
|
||||
memcpy_tofs((b), (a), (c)); \
|
||||
}
|
||||
#else
|
||||
typedef struct tcphdr tcphdr_t;
|
||||
typedef struct udphdr udphdr_t;
|
||||
typedef struct icmp icmphdr_t;
|
||||
typedef struct ip ip_t;
|
||||
#endif /* linux */
|
||||
|
||||
#endif /* __IP_COMPAT_H__ */
|
885
contrib/ipfilter/ip_fil.c
Normal file
885
contrib/ipfilter/ip_fil.c
Normal file
@ -0,0 +1,885 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
|
||||
static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.5 1997/01/29 13:41:45 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include <sys/errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/uio.h>
|
||||
#include <sys/mbuf.h>
|
||||
#include <sys/protosw.h>
|
||||
#include <sys/socket.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#ifdef sun
|
||||
#include <net/af.h>
|
||||
#endif
|
||||
#include <net/route.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_var.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include <syslog.h>
|
||||
#include "ip_fil.h"
|
||||
#include "ip_compat.h"
|
||||
#include "ip_frag.h"
|
||||
#include "ip_nat.h"
|
||||
#include "ip_state.h"
|
||||
#ifndef MIN
|
||||
#define MIN(a,b) (((a)<(b))?(a):(b))
|
||||
#endif
|
||||
|
||||
extern fr_flags, fr_active;
|
||||
extern struct protosw inetsw[];
|
||||
extern int (*fr_checkp)();
|
||||
#if BSD < 199306
|
||||
extern int ipfr_slowtimer();
|
||||
static int (*fr_saveslowtimo)();
|
||||
extern int tcp_ttl;
|
||||
#else
|
||||
extern void ipfr_slowtimer();
|
||||
static void (*fr_saveslowtimo)();
|
||||
#endif
|
||||
|
||||
int ipl_inited = 0;
|
||||
int ipl_unreach = ICMP_UNREACH_FILTER;
|
||||
int send_reset();
|
||||
|
||||
#ifdef IPFILTER_LOG
|
||||
# define LOGSIZE 8192
|
||||
int ipllog();
|
||||
char iplbuf[LOGSIZE];
|
||||
caddr_t iplh = iplbuf, iplt = iplbuf;
|
||||
static int iplused = 0;
|
||||
#endif /* IPFILTER_LOG */
|
||||
static void frflush();
|
||||
static int frrequest();
|
||||
static int (*fr_savep)();
|
||||
|
||||
#if _BSDI_VERSION >= 199501
|
||||
# include <sys/device.h>
|
||||
# include <sys/conf.h>
|
||||
|
||||
int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
|
||||
int iplopen __P((dev_t, int, int, struct proc *));
|
||||
int iplclose __P((dev_t, int, int, struct proc *));
|
||||
# ifdef IPFILTER_LOG
|
||||
int iplread __P((dev_t, struct uio *, int));
|
||||
# else
|
||||
# define iplread noread
|
||||
# endif
|
||||
int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
|
||||
|
||||
struct cfdriver iplcd = {
|
||||
NULL, "ipl", NULL, NULL, DV_DULL, 0
|
||||
};
|
||||
|
||||
struct devsw iplsw = {
|
||||
&iplcd,
|
||||
iplopen, iplclose, iplread, nowrite, iplioctl, noselect, nommap,
|
||||
nostrat, nodump, nopsize, 0,
|
||||
nostop
|
||||
};
|
||||
#endif /* _BSDI_VERSION >= 199501 */
|
||||
|
||||
#ifdef IPFILTER_LKM
|
||||
int iplidentify(s)
|
||||
char *s;
|
||||
{
|
||||
if (strcmp(s, "ipl") == 0)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
#endif /* IPFILTER_LKM */
|
||||
|
||||
|
||||
int iplattach()
|
||||
{
|
||||
int s;
|
||||
|
||||
SPLNET(s);
|
||||
if (ipl_inited || (fr_checkp == fr_check)) {
|
||||
printf("IP Filter: already initialized\n");
|
||||
SPLX(s);
|
||||
return EBUSY;
|
||||
}
|
||||
ipl_inited = 1;
|
||||
bzero((char *)nat_table, sizeof(nat_t *) * NAT_SIZE * 2);
|
||||
fr_savep = fr_checkp;
|
||||
fr_checkp = fr_check;
|
||||
fr_saveslowtimo = inetsw[0].pr_slowtimo;
|
||||
inetsw[0].pr_slowtimo = ipfr_slowtimer;
|
||||
SPLX(s);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int ipldetach()
|
||||
{
|
||||
int s, i = FR_INQUE|FR_OUTQUE;
|
||||
|
||||
SPLNET(s);
|
||||
if (!ipl_inited)
|
||||
{
|
||||
printf("IP Filter: not initialized\n");
|
||||
SPLX(s);
|
||||
return EBUSY;
|
||||
}
|
||||
|
||||
fr_checkp = fr_savep;
|
||||
inetsw[0].pr_slowtimo = fr_saveslowtimo;
|
||||
frflush((caddr_t)&i);
|
||||
ipl_inited = 0;
|
||||
|
||||
ipfr_unload();
|
||||
ip_natunload();
|
||||
fr_stateunload();
|
||||
|
||||
SPLX(s);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static void frzerostats(data)
|
||||
caddr_t data;
|
||||
{
|
||||
struct friostat fio;
|
||||
|
||||
bcopy((char *)frstats, (char *)fio.f_st,
|
||||
sizeof(struct filterstats) * 2);
|
||||
fio.f_fin[0] = ipfilter[0][0];
|
||||
fio.f_fin[1] = ipfilter[0][1];
|
||||
fio.f_fout[0] = ipfilter[1][0];
|
||||
fio.f_fout[1] = ipfilter[1][1];
|
||||
fio.f_acctin[0] = ipacct[0][0];
|
||||
fio.f_acctin[1] = ipacct[0][1];
|
||||
fio.f_acctout[0] = ipacct[1][0];
|
||||
fio.f_acctout[1] = ipacct[1][1];
|
||||
fio.f_active = fr_active;
|
||||
IWCOPY((caddr_t)&fio, data, sizeof(fio));
|
||||
bzero((char *)frstats, sizeof(*frstats) * 2);
|
||||
}
|
||||
|
||||
|
||||
static void frflush(data)
|
||||
caddr_t data;
|
||||
{
|
||||
struct frentry *f, **fp;
|
||||
int flags = *(int *)data, flushed = 0, set = fr_active;
|
||||
|
||||
bzero((char *)frcache, sizeof(frcache[0]) * 2);
|
||||
|
||||
if (flags & FR_INACTIVE)
|
||||
set = 1 - set;
|
||||
if (flags & FR_OUTQUE) {
|
||||
for (fp = &ipfilter[1][set]; (f = *fp); ) {
|
||||
*fp = f->fr_next;
|
||||
KFREE(f);
|
||||
flushed++;
|
||||
}
|
||||
for (fp = &ipacct[1][set]; (f = *fp); ) {
|
||||
*fp = f->fr_next;
|
||||
KFREE(f);
|
||||
flushed++;
|
||||
}
|
||||
}
|
||||
if (flags & FR_INQUE) {
|
||||
for (fp = &ipfilter[0][set]; (f = *fp); ) {
|
||||
*fp = f->fr_next;
|
||||
KFREE(f);
|
||||
flushed++;
|
||||
}
|
||||
for (fp = &ipacct[0][set]; (f = *fp); ) {
|
||||
*fp = f->fr_next;
|
||||
KFREE(f);
|
||||
flushed++;
|
||||
}
|
||||
}
|
||||
*(int *)data = flushed;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Filter ioctl interface.
|
||||
*/
|
||||
int iplioctl(dev, cmd, data, mode
|
||||
#if _BSDI_VERSION >= 199501
|
||||
, p)
|
||||
struct proc *p;
|
||||
#else
|
||||
)
|
||||
#endif
|
||||
dev_t dev;
|
||||
int cmd;
|
||||
caddr_t data;
|
||||
int mode;
|
||||
{
|
||||
int error = 0, s, unit;
|
||||
|
||||
unit = minor(dev);
|
||||
if (unit != 0)
|
||||
return ENXIO;
|
||||
|
||||
SPLNET(s);
|
||||
switch (cmd) {
|
||||
case FIONREAD :
|
||||
#ifdef IPFILTER_LOG
|
||||
*(int *)data = iplused;
|
||||
#endif
|
||||
break;
|
||||
#ifndef IPFILTER_LKM
|
||||
case SIOCFRENB :
|
||||
{
|
||||
u_int enable;
|
||||
|
||||
if (!(mode & FWRITE))
|
||||
error = EPERM;
|
||||
else {
|
||||
IRCOPY(data, (caddr_t)&enable, sizeof(enable));
|
||||
if (enable)
|
||||
error = iplattach();
|
||||
else
|
||||
error = ipldetach();
|
||||
}
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
case SIOCSETFF :
|
||||
if (!(mode & FWRITE))
|
||||
error = EPERM;
|
||||
else
|
||||
IRCOPY(data, (caddr_t)&fr_flags, sizeof(fr_flags));
|
||||
break;
|
||||
case SIOCGETFF :
|
||||
IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags));
|
||||
break;
|
||||
case SIOCINAFR :
|
||||
case SIOCRMAFR :
|
||||
case SIOCADAFR :
|
||||
case SIOCZRLST :
|
||||
if (!(mode & FWRITE))
|
||||
error = EPERM;
|
||||
else
|
||||
error = frrequest(cmd, data, fr_active);
|
||||
break;
|
||||
case SIOCINIFR :
|
||||
case SIOCRMIFR :
|
||||
case SIOCADIFR :
|
||||
if (!(mode & FWRITE))
|
||||
error = EPERM;
|
||||
else
|
||||
error = frrequest(cmd, data, 1 - fr_active);
|
||||
break;
|
||||
case SIOCSWAPA :
|
||||
if (!(mode & FWRITE))
|
||||
error = EPERM;
|
||||
else {
|
||||
bzero((char *)frcache, sizeof(frcache[0]) * 2);
|
||||
*(u_int *)data = fr_active;
|
||||
fr_active = 1 - fr_active;
|
||||
}
|
||||
break;
|
||||
case SIOCGETFS :
|
||||
{
|
||||
struct friostat fio;
|
||||
|
||||
bcopy((char *)frstats, (char *)fio.f_st,
|
||||
sizeof(struct filterstats) * 2);
|
||||
fio.f_fin[0] = ipfilter[0][0];
|
||||
fio.f_fin[1] = ipfilter[0][1];
|
||||
fio.f_fout[0] = ipfilter[1][0];
|
||||
fio.f_fout[1] = ipfilter[1][1];
|
||||
fio.f_acctin[0] = ipacct[0][0];
|
||||
fio.f_acctin[1] = ipacct[0][1];
|
||||
fio.f_acctout[0] = ipacct[1][0];
|
||||
fio.f_acctout[1] = ipacct[1][1];
|
||||
fio.f_active = fr_active;
|
||||
IWCOPY((caddr_t)&fio, data, sizeof(fio));
|
||||
break;
|
||||
}
|
||||
case SIOCFRZST :
|
||||
if (!(mode & FWRITE))
|
||||
error = EPERM;
|
||||
else
|
||||
frzerostats(data);
|
||||
break;
|
||||
case SIOCIPFFL :
|
||||
if (!(mode & FWRITE))
|
||||
error = EPERM;
|
||||
else
|
||||
frflush(data);
|
||||
break;
|
||||
#ifdef IPFILTER_LOG
|
||||
case SIOCIPFFB :
|
||||
if (!(mode & FWRITE))
|
||||
error = EPERM;
|
||||
else {
|
||||
*(int *)data = iplused;
|
||||
iplh = iplt = iplbuf;
|
||||
iplused = 0;
|
||||
}
|
||||
break;
|
||||
#endif /* IPFILTER_LOG */
|
||||
case SIOCADNAT :
|
||||
case SIOCRMNAT :
|
||||
case SIOCGNATS :
|
||||
case SIOCGNATL :
|
||||
case SIOCFLNAT :
|
||||
case SIOCCNATL :
|
||||
error = nat_ioctl(data, cmd, mode);
|
||||
break;
|
||||
case SIOCGFRST :
|
||||
IWCOPY((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t));
|
||||
break;
|
||||
case SIOCGIPST :
|
||||
IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t));
|
||||
break;
|
||||
default :
|
||||
error = EINVAL;
|
||||
break;
|
||||
}
|
||||
SPLX(s);
|
||||
return error;
|
||||
}
|
||||
|
||||
|
||||
static int frrequest(req, data, set)
|
||||
int req, set;
|
||||
caddr_t data;
|
||||
{
|
||||
register frentry_t *fp, *f, **fprev;
|
||||
register frentry_t **ftail;
|
||||
frentry_t fr;
|
||||
frdest_t *fdp;
|
||||
struct frentry frd;
|
||||
int error = 0, in;
|
||||
|
||||
fp = &fr;
|
||||
IRCOPY(data, (caddr_t)fp, sizeof(*fp));
|
||||
|
||||
bzero((char *)frcache, sizeof(frcache[0]) * 2);
|
||||
|
||||
in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
|
||||
if (fp->fr_flags & FR_ACCOUNT) {
|
||||
ftail = fprev = &ipacct[in][set];
|
||||
} else if (fp->fr_flags & (FR_OUTQUE|FR_INQUE))
|
||||
ftail = fprev = &ipfilter[in][set];
|
||||
else
|
||||
return ESRCH;
|
||||
|
||||
IRCOPY((char *)fp, (char *)&frd, sizeof(frd));
|
||||
fp = &frd;
|
||||
if (*fp->fr_ifname) {
|
||||
fp->fr_ifa = GETUNIT(fp->fr_ifname);
|
||||
if (!fp->fr_ifa)
|
||||
fp->fr_ifa = (struct ifnet *)-1;
|
||||
}
|
||||
|
||||
fdp = &fp->fr_dif;
|
||||
fp->fr_flags &= ~FR_DUP;
|
||||
if (*fdp->fd_ifname) {
|
||||
fdp->fd_ifp = GETUNIT(fdp->fd_ifname);
|
||||
if (!fdp->fd_ifp)
|
||||
fdp->fd_ifp = (struct ifnet *)-1;
|
||||
else
|
||||
fp->fr_flags |= FR_DUP;
|
||||
}
|
||||
|
||||
fdp = &fp->fr_tif;
|
||||
if (*fdp->fd_ifname) {
|
||||
fdp->fd_ifp = GETUNIT(fdp->fd_ifname);
|
||||
if (!fdp->fd_ifp)
|
||||
fdp->fd_ifp = (struct ifnet *)-1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Look for a matching filter rule, but don't include the next or
|
||||
* interface pointer in the comparison (fr_next, fr_ifa).
|
||||
*/
|
||||
for (; (f = *ftail); ftail = &f->fr_next)
|
||||
if (bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip,
|
||||
FR_CMPSIZ) == 0)
|
||||
break;
|
||||
|
||||
/*
|
||||
* If zero'ing statistics, copy current to caller and zero.
|
||||
*/
|
||||
if (req == SIOCZRLST) {
|
||||
if (!f)
|
||||
return ESRCH;
|
||||
IWCOPY((caddr_t)f, data, sizeof(*f));
|
||||
f->fr_hits = 0;
|
||||
f->fr_bytes = 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!f) {
|
||||
ftail = fprev;
|
||||
if (req != SIOCINAFR && req != SIOCINIFR)
|
||||
while ((f = *ftail))
|
||||
ftail = &f->fr_next;
|
||||
else if (fp->fr_hits)
|
||||
while (--fp->fr_hits && (f = *ftail))
|
||||
ftail = &f->fr_next;
|
||||
f = NULL;
|
||||
}
|
||||
|
||||
if (req == SIOCDELFR || req == SIOCRMIFR) {
|
||||
if (!f)
|
||||
error = ESRCH;
|
||||
else {
|
||||
*ftail = f->fr_next;
|
||||
(void) KFREE(f);
|
||||
}
|
||||
} else {
|
||||
if (f)
|
||||
error = EEXIST;
|
||||
else {
|
||||
if ((f = (struct frentry *)KMALLOC(sizeof(*f)))) {
|
||||
bcopy((char *)fp, (char *)f, sizeof(*f));
|
||||
f->fr_hits = 0;
|
||||
f->fr_next = *ftail;
|
||||
*ftail = f;
|
||||
} else
|
||||
error = ENOMEM;
|
||||
}
|
||||
}
|
||||
return (error);
|
||||
}
|
||||
|
||||
|
||||
#if !defined(linux)
|
||||
/*
|
||||
* routines below for saving IP headers to buffer
|
||||
*/
|
||||
int iplopen(dev, flags
|
||||
#if _BSDI_VERSION >= 199501
|
||||
, devtype, p)
|
||||
int devtype;
|
||||
struct proc *p;
|
||||
#else
|
||||
)
|
||||
#endif
|
||||
dev_t dev;
|
||||
int flags;
|
||||
{
|
||||
u_int min = minor(dev);
|
||||
|
||||
if (min)
|
||||
min = ENXIO;
|
||||
return min;
|
||||
}
|
||||
|
||||
|
||||
int iplclose(dev, flags
|
||||
#if _BSDI_VERSION >= 199501
|
||||
, devtype, p)
|
||||
int devtype;
|
||||
struct proc *p;
|
||||
#else
|
||||
)
|
||||
#endif
|
||||
dev_t dev;
|
||||
int flags;
|
||||
{
|
||||
u_int min = minor(dev);
|
||||
|
||||
if (min)
|
||||
min = ENXIO;
|
||||
return min;
|
||||
}
|
||||
|
||||
# ifdef IPFILTER_LOG
|
||||
/*
|
||||
* iplread/ipllog
|
||||
* both of these must operate with at least splnet() lest they be
|
||||
* called during packet processing and cause an inconsistancy to appear in
|
||||
* the filter lists.
|
||||
*/
|
||||
# if BSD >= 199306
|
||||
int iplread(dev, uio, ioflag)
|
||||
int ioflag;
|
||||
# else
|
||||
int iplread(dev, uio)
|
||||
# endif
|
||||
dev_t dev;
|
||||
register struct uio *uio;
|
||||
{
|
||||
register int ret, s;
|
||||
register size_t sz, sx;
|
||||
int error;
|
||||
|
||||
if (!uio->uio_resid)
|
||||
return 0;
|
||||
while (!iplused) {
|
||||
error = SLEEP(iplbuf, "ipl sleep");
|
||||
if (error)
|
||||
return error;
|
||||
}
|
||||
SPLNET(s);
|
||||
|
||||
sx = sz = MIN(uio->uio_resid, iplused);
|
||||
if (iplh < iplt)
|
||||
sz = MIN(sz, LOGSIZE - (iplt - iplbuf));
|
||||
sx -= sz;
|
||||
|
||||
# if BSD >= 199306 || defined(__FreeBSD__)
|
||||
uio->uio_rw = UIO_READ;
|
||||
# endif
|
||||
if (!(ret = UIOMOVE(iplt, sz, UIO_READ, uio))) {
|
||||
iplt += sz;
|
||||
iplused -= sz;
|
||||
if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE))
|
||||
iplt = iplbuf;
|
||||
|
||||
if (sx && !(ret = UIOMOVE(iplt, sx, UIO_READ, uio))) {
|
||||
iplt += sx;
|
||||
iplused -= sx;
|
||||
if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE))
|
||||
iplt = iplbuf;
|
||||
}
|
||||
if (!iplused) /* minimise wrapping around the end */
|
||||
iplh = iplt = iplbuf;
|
||||
}
|
||||
SPLX(s);
|
||||
return ret;
|
||||
}
|
||||
# endif /* IPFILTER_LOG */
|
||||
#endif /* linux */
|
||||
|
||||
|
||||
#ifdef IPFILTER_LOG
|
||||
int ipllog(flags, ip, fin, m)
|
||||
u_int flags;
|
||||
ip_t *ip;
|
||||
register fr_info_t *fin;
|
||||
struct mbuf *m;
|
||||
{
|
||||
struct ipl_ci iplci;
|
||||
register int len, mlen, hlen;
|
||||
struct ifnet *ifp = fin->fin_ifp;
|
||||
|
||||
hlen = fin->fin_hlen;
|
||||
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
|
||||
hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen);
|
||||
else if (ip->ip_p == IPPROTO_ICMP) {
|
||||
struct icmp *icmp = (struct icmp *)((char *)ip + hlen);
|
||||
|
||||
switch (icmp->icmp_type) {
|
||||
case ICMP_UNREACH :
|
||||
case ICMP_SOURCEQUENCH :
|
||||
case ICMP_REDIRECT :
|
||||
case ICMP_TIMXCEED :
|
||||
case ICMP_PARAMPROB :
|
||||
hlen += MIN(sizeof(struct icmp) + 8, fin->fin_dlen);
|
||||
break;
|
||||
default :
|
||||
hlen += MIN(sizeof(struct icmp), fin->fin_dlen);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
mlen = (flags & FR_LOGBODY) ? MIN(ip->ip_len - hlen, 128) : 0;
|
||||
len = hlen + sizeof(iplci) + mlen;
|
||||
if (iplused + len > LOGSIZE)
|
||||
return 0;
|
||||
iplused += len;
|
||||
|
||||
# ifdef sun
|
||||
uniqtime(&iplci);
|
||||
# endif
|
||||
# if BSD >= 199306 || defined(__FreeBSD__)
|
||||
microtime((struct timeval *)&iplci);
|
||||
# endif
|
||||
iplci.flags = flags;
|
||||
iplci.hlen = (u_char)hlen;
|
||||
iplci.plen = (u_char)mlen;
|
||||
iplci.rule = fin->fin_rule;
|
||||
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
|
||||
strncpy(iplci.ifname, ifp->if_xname, IFNAMSIZ);
|
||||
# else
|
||||
iplci.unit = (u_char)ifp->if_unit;
|
||||
if ((iplci.ifname[0] = ifp->if_name[0]))
|
||||
if ((iplci.ifname[1] = ifp->if_name[1]))
|
||||
if ((iplci.ifname[2] = ifp->if_name[2]))
|
||||
iplci.ifname[3] = ifp->if_name[3];
|
||||
# endif
|
||||
/*
|
||||
* Gauranteed to succeed from above
|
||||
*/
|
||||
(void) fr_copytolog(&iplci, sizeof(iplci));
|
||||
|
||||
for (len -= sizeof(iplci); m && len > 0; m = m->m_next, len -= hlen) {
|
||||
hlen = MIN(len, m->m_len);
|
||||
if (fr_copytolog(mtod(m, char *), hlen))
|
||||
break;
|
||||
}
|
||||
|
||||
wakeup(iplbuf);
|
||||
return 1;
|
||||
}
|
||||
#endif /* IPFILTER_LOG */
|
||||
|
||||
/*
|
||||
* send_reset - this could conceivably be a call to tcp_respond(), but that
|
||||
* requires a large amount of setting up and isn't any more efficient.
|
||||
*/
|
||||
int send_reset(ti)
|
||||
struct tcpiphdr *ti;
|
||||
{
|
||||
struct tcpiphdr *tp;
|
||||
struct ip *ip;
|
||||
struct tcphdr *tcp;
|
||||
struct mbuf *m;
|
||||
int tlen = 0;
|
||||
|
||||
if (ti->ti_flags & TH_RST)
|
||||
return -1; /* feedback loop */
|
||||
#if BSD < 199306
|
||||
m = m_get(M_DONTWAIT, MT_HEADER);
|
||||
#else
|
||||
m = m_gethdr(M_DONTWAIT, MT_HEADER);
|
||||
m->m_data += max_linkhdr;
|
||||
#endif
|
||||
if (m == NULL)
|
||||
return -1;
|
||||
|
||||
if (ti->ti_flags & TH_SYN)
|
||||
tlen = 1;
|
||||
m->m_len = sizeof (struct tcpiphdr);
|
||||
#if BSD >= 199306
|
||||
m->m_pkthdr.len = sizeof (struct tcpiphdr);
|
||||
m->m_pkthdr.rcvif = (struct ifnet *)0;
|
||||
#endif
|
||||
bzero(mtod(m, char *), sizeof(struct tcpiphdr));
|
||||
ip = mtod(m, struct ip *);
|
||||
tp = mtod(m, struct tcpiphdr *);
|
||||
tcp = (struct tcphdr *)((char *)ip + sizeof(struct ip));
|
||||
|
||||
ip->ip_src.s_addr = ti->ti_dst.s_addr;
|
||||
ip->ip_dst.s_addr = ti->ti_src.s_addr;
|
||||
tcp->th_dport = ti->ti_sport;
|
||||
tcp->th_sport = ti->ti_dport;
|
||||
tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen);
|
||||
tcp->th_off = sizeof(struct tcphdr) >> 2;
|
||||
tcp->th_flags = TH_RST|TH_ACK;
|
||||
tp->ti_pr = ((struct ip *)ti)->ip_p;
|
||||
tp->ti_len = htons(sizeof(struct tcphdr));
|
||||
tcp->th_sum = in_cksum(m, sizeof(struct tcpiphdr));
|
||||
|
||||
ip->ip_tos = ((struct ip *)ti)->ip_tos;
|
||||
ip->ip_p = ((struct ip *)ti)->ip_p;
|
||||
ip->ip_len = sizeof (struct tcpiphdr);
|
||||
#if BSD < 199306
|
||||
ip->ip_ttl = tcp_ttl;
|
||||
#else
|
||||
ip->ip_ttl = ip_defttl;
|
||||
#endif
|
||||
|
||||
/*
|
||||
* extra 0 in case of multicast
|
||||
*/
|
||||
(void) ip_output(m, (struct mbuf *)0, 0, 0, 0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
#ifndef IPFILTER_LKM
|
||||
void iplinit()
|
||||
{
|
||||
(void) iplattach();
|
||||
ip_init();
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
void ipfr_fastroute(m0, fin, fdp)
|
||||
struct mbuf *m0;
|
||||
fr_info_t *fin;
|
||||
frdest_t *fdp;
|
||||
{
|
||||
register struct ip *ip, *mhip;
|
||||
register struct mbuf *m = m0;
|
||||
register struct route *ro;
|
||||
struct ifnet *ifp = fdp->fd_ifp;
|
||||
int len, off, error = 0;
|
||||
int hlen = fin->fin_hlen;
|
||||
struct route iproute;
|
||||
struct sockaddr_in *dst;
|
||||
|
||||
ip = mtod(m0, struct ip *);
|
||||
/*
|
||||
* Route packet.
|
||||
*/
|
||||
ro = &iproute;
|
||||
bzero((caddr_t)ro, sizeof (*ro));
|
||||
dst = (struct sockaddr_in *)&ro->ro_dst;
|
||||
dst->sin_family = AF_INET;
|
||||
dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst;
|
||||
#if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__)
|
||||
# ifdef RTF_CLONING
|
||||
rtalloc_ign(ro, RTF_CLONING);
|
||||
# else
|
||||
rtalloc_ign(ro, RTF_PRCLONING);
|
||||
# endif
|
||||
#else
|
||||
rtalloc(ro);
|
||||
#endif
|
||||
if (!ifp) {
|
||||
if (!(fin->fin_fr->fr_flags & FR_FASTROUTE)) {
|
||||
error = -2;
|
||||
goto bad;
|
||||
}
|
||||
if (ro->ro_rt == 0 || (ifp = ro->ro_rt->rt_ifp) == 0) {
|
||||
if (in_localaddr(ip->ip_dst))
|
||||
error = EHOSTUNREACH;
|
||||
else
|
||||
error = ENETUNREACH;
|
||||
goto bad;
|
||||
}
|
||||
if (ro->ro_rt->rt_flags & RTF_GATEWAY)
|
||||
dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway;
|
||||
}
|
||||
ro->ro_rt->rt_use++;
|
||||
|
||||
/*
|
||||
* For input packets which are being "fastrouted", they won't
|
||||
* go back through output filtering and miss their chance to get
|
||||
* NAT'd.
|
||||
*/
|
||||
(void) ip_natout(ip, hlen, fin);
|
||||
if (fin->fin_out)
|
||||
ip->ip_sum = 0;
|
||||
/*
|
||||
* If small enough for interface, can just send directly.
|
||||
*/
|
||||
if (ip->ip_len <= ifp->if_mtu) {
|
||||
#ifndef sparc
|
||||
ip->ip_id = htons(ip->ip_id);
|
||||
ip->ip_len = htons(ip->ip_len);
|
||||
ip->ip_off = htons(ip->ip_off);
|
||||
#endif
|
||||
if (!ip->ip_sum)
|
||||
ip->ip_sum = in_cksum(m, hlen);
|
||||
#if BSD >= 199306
|
||||
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
|
||||
ro->ro_rt);
|
||||
|
||||
#else
|
||||
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst);
|
||||
#endif
|
||||
goto done;
|
||||
}
|
||||
/*
|
||||
* Too large for interface; fragment if possible.
|
||||
* Must be able to put at least 8 bytes per fragment.
|
||||
*/
|
||||
if (ip->ip_off & IP_DF) {
|
||||
error = EMSGSIZE;
|
||||
goto bad;
|
||||
}
|
||||
len = (ifp->if_mtu - hlen) &~ 7;
|
||||
if (len < 8) {
|
||||
error = EMSGSIZE;
|
||||
goto bad;
|
||||
}
|
||||
|
||||
{
|
||||
int mhlen, firstlen = len;
|
||||
struct mbuf **mnext = &m->m_act;
|
||||
|
||||
/*
|
||||
* Loop through length of segment after first fragment,
|
||||
* make new header and copy data of each part and link onto chain.
|
||||
*/
|
||||
m0 = m;
|
||||
mhlen = sizeof (struct ip);
|
||||
for (off = hlen + len; off < ip->ip_len; off += len) {
|
||||
MGET(m, M_DONTWAIT, MT_HEADER);
|
||||
if (m == 0) {
|
||||
error = ENOBUFS;
|
||||
goto bad;
|
||||
}
|
||||
#if BSD >= 199306
|
||||
m->m_data += max_linkhdr;
|
||||
#else
|
||||
m->m_off = MMAXOFF - hlen;
|
||||
#endif
|
||||
mhip = mtod(m, struct ip *);
|
||||
bcopy((char *)ip, (char *)mhip, sizeof(*ip));
|
||||
if (hlen > sizeof (struct ip)) {
|
||||
mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
|
||||
mhip->ip_hl = mhlen >> 2;
|
||||
}
|
||||
m->m_len = mhlen;
|
||||
mhip->ip_off = ((off - hlen) >> 3) + (ip->ip_off & ~IP_MF);
|
||||
if (ip->ip_off & IP_MF)
|
||||
mhip->ip_off |= IP_MF;
|
||||
if (off + len >= ip->ip_len)
|
||||
len = ip->ip_len - off;
|
||||
else
|
||||
mhip->ip_off |= IP_MF;
|
||||
mhip->ip_len = htons((u_short)(len + mhlen));
|
||||
m->m_next = m_copy(m0, off, len);
|
||||
if (m->m_next == 0) {
|
||||
error = ENOBUFS; /* ??? */
|
||||
goto sendorfree;
|
||||
}
|
||||
#ifndef sparc
|
||||
mhip->ip_off = htons((u_short)mhip->ip_off);
|
||||
#endif
|
||||
mhip->ip_sum = 0;
|
||||
mhip->ip_sum = in_cksum(m, mhlen);
|
||||
*mnext = m;
|
||||
mnext = &m->m_act;
|
||||
}
|
||||
/*
|
||||
* Update first fragment by trimming what's been copied out
|
||||
* and updating header, then send each fragment (in order).
|
||||
*/
|
||||
m_adj(m0, hlen + firstlen - ip->ip_len);
|
||||
ip->ip_len = htons((u_short)(hlen + firstlen));
|
||||
ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
|
||||
ip->ip_sum = 0;
|
||||
ip->ip_sum = in_cksum(m0, hlen);
|
||||
sendorfree:
|
||||
for (m = m0; m; m = m0) {
|
||||
m0 = m->m_act;
|
||||
m->m_act = 0;
|
||||
if (error == 0)
|
||||
#if BSD >= 199306
|
||||
error = (*ifp->if_output)(ifp, m,
|
||||
(struct sockaddr *)dst, ro->ro_rt);
|
||||
#else
|
||||
error = (*ifp->if_output)(ifp, m,
|
||||
(struct sockaddr *)dst);
|
||||
#endif
|
||||
else
|
||||
m_freem(m);
|
||||
}
|
||||
}
|
||||
done:
|
||||
if (ro->ro_rt) {
|
||||
RTFREE(ro->ro_rt);
|
||||
}
|
||||
return;
|
||||
bad:
|
||||
m_freem(m);
|
||||
goto done;
|
||||
}
|
293
contrib/ipfilter/ip_fil.h
Normal file
293
contrib/ipfilter/ip_fil.h
Normal file
@ -0,0 +1,293 @@
|
||||
/*
|
||||
* (C)opyright 1993-1996 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ip_fil.h 1.35 6/5/96
|
||||
* $Id: ip_fil.h,v 2.0.1.2 1997/01/10 00:28:15 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef __IP_FIL_H__
|
||||
#define __IP_FIL_H__
|
||||
|
||||
#ifndef SOLARIS
|
||||
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
|
||||
#endif
|
||||
|
||||
#if defined(KERNEL) && !defined(_KERNEL)
|
||||
#define _KERNEL
|
||||
#endif
|
||||
#if SOLARIS
|
||||
# include <sys/ioccom.h>
|
||||
# include <sys/sysmacros.h>
|
||||
# ifdef _KERNEL
|
||||
# include <inet/common.h>
|
||||
/*
|
||||
* because Solaris 2 defines these in two places :-/
|
||||
*/
|
||||
#undef IPOPT_EOL
|
||||
#undef IPOPT_NOP
|
||||
#undef IPOPT_LSRR
|
||||
#undef IPOPT_RR
|
||||
#undef IPOPT_SSRR
|
||||
# include <inet/ip.h>
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#if defined(__STDC__) || defined(__GNUC__)
|
||||
#define SIOCADAFR _IOW('r', 60, struct frentry)
|
||||
#define SIOCRMAFR _IOW('r', 61, struct frentry)
|
||||
#define SIOCSETFF _IOW('r', 62, u_int)
|
||||
#define SIOCGETFF _IOR('r', 63, u_int)
|
||||
#define SIOCGETFS _IOR('r', 64, struct friostat)
|
||||
#define SIOCIPFFL _IOWR('r', 65, int)
|
||||
#define SIOCIPFFB _IOR('r', 66, int)
|
||||
#define SIOCADIFR _IOW('r', 67, struct frentry)
|
||||
#define SIOCRMIFR _IOW('r', 68, struct frentry)
|
||||
#define SIOCSWAPA _IOR('r', 69, u_int)
|
||||
#define SIOCINAFR _IOW('r', 70, struct frentry)
|
||||
#define SIOCINIFR _IOW('r', 71, struct frentry)
|
||||
#define SIOCFRENB _IOW('r', 72, u_int)
|
||||
#define SIOCFRSYN _IOW('r', 73, u_int)
|
||||
#define SIOCFRZST _IOWR('r', 74, struct friostat)
|
||||
#define SIOCZRLST _IOWR('r', 75, struct frentry)
|
||||
#else
|
||||
#define SIOCADAFR _IOW(r, 60, struct frentry)
|
||||
#define SIOCRMAFR _IOW(r, 61, struct frentry)
|
||||
#define SIOCSETFF _IOW(r, 62, u_int)
|
||||
#define SIOCGETFF _IOR(r, 63, u_int)
|
||||
#define SIOCGETFS _IOR(r, 64, struct friostat)
|
||||
#define SIOCIPFFL _IOWR(r, 65, int)
|
||||
#define SIOCIPFFB _IOR(r, 66, int)
|
||||
#define SIOCADIFR _IOW(r, 67, struct frentry)
|
||||
#define SIOCRMIFR _IOW(r, 68, struct frentry)
|
||||
#define SIOCSWAPA _IOR(r, 69, u_int)
|
||||
#define SIOCINAFR _IOW(r, 70, struct frentry)
|
||||
#define SIOCINIFR _IOW(r, 71, struct frentry)
|
||||
#define SIOCFRENB _IOW(r, 72, u_int)
|
||||
#define SIOCFRSYN _IOW(r, 73, u_int)
|
||||
#define SIOCFRZST _IOWR(r, 74, struct friostat)
|
||||
#define SIOCZRLST _IOWR(r, 75, struct frentry)
|
||||
#endif
|
||||
#define SIOCADDFR SIOCADAFR
|
||||
#define SIOCDELFR SIOCRMAFR
|
||||
#define SIOCINSFR SIOCINAFR
|
||||
|
||||
typedef struct fr_ip {
|
||||
u_char fi_v:4; /* IP version */
|
||||
u_char fi_fl:4; /* packet flags */
|
||||
u_char fi_tos;
|
||||
u_char fi_ttl;
|
||||
u_char fi_p;
|
||||
struct in_addr fi_src;
|
||||
struct in_addr fi_dst;
|
||||
u_long fi_optmsk; /* bitmask composed from IP options */
|
||||
u_short fi_secmsk; /* bitmask composed from IP security options */
|
||||
u_short fi_auth;
|
||||
} fr_ip_t;
|
||||
|
||||
#define FI_OPTIONS 0x01
|
||||
#define FI_TCPUDP 0x02 /* TCP/UCP implied comparison involved */
|
||||
#define FI_FRAG 0x04
|
||||
#define FI_SHORT 0x08
|
||||
|
||||
typedef struct fr_info {
|
||||
struct fr_ip fin_fi;
|
||||
void *fin_ifp;
|
||||
u_short fin_data[2];
|
||||
u_short fin_out;
|
||||
u_char fin_tcpf;
|
||||
u_char fin_icode;
|
||||
u_short fin_rule;
|
||||
u_short fin_hlen;
|
||||
u_short fin_dlen;
|
||||
char *fin_dp; /* start of data past IP header */
|
||||
struct frentry *fin_fr;
|
||||
} fr_info_t;
|
||||
|
||||
#define FI_CSIZE (sizeof(struct fr_ip) + 11)
|
||||
|
||||
typedef struct frdest {
|
||||
void *fd_ifp;
|
||||
struct in_addr fd_ip;
|
||||
char fd_ifname[IFNAMSIZ];
|
||||
} frdest_t;
|
||||
|
||||
typedef struct frentry {
|
||||
struct frentry *fr_next;
|
||||
struct ifnet *fr_ifa;
|
||||
u_long fr_hits;
|
||||
u_long fr_bytes; /* this is only incremented when a packet */
|
||||
/* matches this rule and it is the last match*/
|
||||
/*
|
||||
* Fields after this may not change whilst in the kernel.
|
||||
*/
|
||||
struct fr_ip fr_ip;
|
||||
struct fr_ip fr_mip; /* mask structure */
|
||||
|
||||
u_char fr_tcpfm; /* tcp flags mask */
|
||||
u_char fr_tcpf; /* tcp flags */
|
||||
|
||||
u_short fr_icmpm; /* data for ICMP packets (mask) */
|
||||
u_short fr_icmp;
|
||||
|
||||
u_char fr_scmp; /* data for port comparisons */
|
||||
u_char fr_dcmp;
|
||||
u_short fr_dport;
|
||||
u_short fr_sport;
|
||||
u_short fr_stop; /* top port for <> and >< */
|
||||
u_short fr_dtop; /* top port for <> and >< */
|
||||
u_long fr_flags; /* per-rule flags && options (see below) */
|
||||
int (*fr_func)(); /* call this function */
|
||||
char fr_icode; /* return ICMP code */
|
||||
char fr_ifname[IFNAMSIZ];
|
||||
struct frdest fr_tif; /* "to" interface */
|
||||
struct frdest fr_dif; /* duplicate packet interfaces */
|
||||
} frentry_t;
|
||||
|
||||
#define fr_proto fr_ip.fi_p
|
||||
#define fr_ttl fr_ip.fi_ttl
|
||||
#define fr_tos fr_ip.fi_tos
|
||||
#define fr_dst fr_ip.fi_dst
|
||||
#define fr_src fr_ip.fi_src
|
||||
#define fr_dmsk fr_mip.fi_dst
|
||||
#define fr_smsk fr_mip.fi_src
|
||||
|
||||
#ifndef offsetof
|
||||
#define offsetof(t,m) (int)((&((t *)0L)->m))
|
||||
#endif
|
||||
#define FR_CMPSIZ (sizeof(struct frentry) - offsetof(frentry_t, fr_ip))
|
||||
|
||||
/*
|
||||
* fr_flags
|
||||
*/
|
||||
#define FR_BLOCK 0x00001
|
||||
#define FR_PASS 0x00002
|
||||
#define FR_OUTQUE 0x00004
|
||||
#define FR_INQUE 0x00008
|
||||
#define FR_LOG 0x00010 /* Log */
|
||||
#define FR_LOGB 0x00011 /* Log-fail */
|
||||
#define FR_LOGP 0x00012 /* Log-pass */
|
||||
#define FR_LOGBODY 0x00020 /* Log the body */
|
||||
#define FR_LOGFIRST 0x00040 /* Log the first byte if state held */
|
||||
#define FR_RETRST 0x00080 /* Return TCP RST packet - reset connection */
|
||||
#define FR_RETICMP 0x00100 /* Return ICMP unreachable packet */
|
||||
#define FR_NOMATCH 0x00200
|
||||
#define FR_ACCOUNT 0x00400 /* count packet bytes */
|
||||
#define FR_KEEPFRAG 0x00800 /* keep fragment information */
|
||||
#define FR_KEEPSTATE 0x01000 /* keep `connection' state information */
|
||||
#define FR_INACTIVE 0x02000
|
||||
#define FR_QUICK 0x04000 /* match & stop processing list */
|
||||
#define FR_FASTROUTE 0x08000 /* bypass normal routing */
|
||||
#define FR_CALLNOW 0x10000 /* call another function (fr_func) if matches */
|
||||
#define FR_DUP 0x20000 /* duplicate packet */
|
||||
#define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
|
||||
|
||||
#define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB)
|
||||
/*
|
||||
* recognized flags for SIOCGETFF and SIOCSETFF
|
||||
*/
|
||||
#define FF_LOGPASS 0x100000
|
||||
#define FF_LOGBLOCK 0x200000
|
||||
#define FF_LOGNOMATCH 0x400000
|
||||
#define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
|
||||
#define FF_BLOCKNONIP 0x800000 /* Solaris2 Only */
|
||||
|
||||
#define FR_NONE 0
|
||||
#define FR_EQUAL 1
|
||||
#define FR_NEQUAL 2
|
||||
#define FR_LESST 3
|
||||
#define FR_GREATERT 4
|
||||
#define FR_LESSTE 5
|
||||
#define FR_GREATERTE 6
|
||||
#define FR_OUTRANGE 7
|
||||
#define FR_INRANGE 8
|
||||
|
||||
typedef struct filterstats {
|
||||
u_long fr_pass; /* packets allowed */
|
||||
u_long fr_block; /* packets denied */
|
||||
u_long fr_nom; /* packets which don't match any rule */
|
||||
u_long fr_ppkl; /* packets allowed and logged */
|
||||
u_long fr_bpkl; /* packets denied and logged */
|
||||
u_long fr_npkl; /* packets unmatched and logged */
|
||||
u_long fr_pkl; /* packets logged */
|
||||
u_long fr_skip; /* packets to be logged but buffer full */
|
||||
u_long fr_ret; /* packets for which a return is sent */
|
||||
u_long fr_acct; /* packets for which counting was performed */
|
||||
u_long fr_bnfr; /* bad attempts to allocate fragment state */
|
||||
u_long fr_nfr; /* new fragment state kept */
|
||||
u_long fr_cfr; /* add new fragment state but complete pkt */
|
||||
u_long fr_bads; /* bad attempts to allocate packet state */
|
||||
u_long fr_ads; /* new packet state kept */
|
||||
u_long fr_chit; /* cached hit */
|
||||
u_long fr_pull[2]; /* good and bad pullup attempts */
|
||||
#if SOLARIS
|
||||
u_long fr_bad; /* bad IP packets to the filter */
|
||||
u_long fr_notip; /* packets passed through no on ip queue */
|
||||
u_long fr_drop; /* packets dropped - no info for them! */
|
||||
#endif
|
||||
} filterstats_t;
|
||||
|
||||
/*
|
||||
* For SIOCGETFS
|
||||
*/
|
||||
typedef struct friostat {
|
||||
struct filterstats f_st[2];
|
||||
struct frentry *f_fin[2];
|
||||
struct frentry *f_fout[2];
|
||||
struct frentry *f_acctin[2];
|
||||
struct frentry *f_acctout[2];
|
||||
int f_active;
|
||||
} friostat_t;
|
||||
|
||||
typedef struct optlist {
|
||||
u_short ol_val;
|
||||
int ol_bit;
|
||||
} optlist_t;
|
||||
|
||||
/*
|
||||
* Log structure. Each packet header logged is prepended by one of these,
|
||||
* minimize size to make most effective use of log space which should
|
||||
* (ideally) be a muliple of the most common log entry size.
|
||||
*/
|
||||
typedef struct ipl_ci {
|
||||
u_long sec;
|
||||
u_long usec;
|
||||
u_char hlen;
|
||||
u_char plen;
|
||||
u_short rule; /* assume never more than 64k rules, total */
|
||||
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
|
||||
u_long flags;
|
||||
u_char ifname[IFNAMSIZ]; /* = 32 bytes */
|
||||
#else
|
||||
u_long flags:24;
|
||||
u_long unit:8;
|
||||
u_char ifname[4]; /* = 20 bytes */
|
||||
#endif
|
||||
} ipl_ci_t;
|
||||
|
||||
|
||||
#ifndef ICMP_UNREACH_FILTER
|
||||
#define ICMP_UNREACH_FILTER 13
|
||||
#endif
|
||||
|
||||
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
|
||||
#define IPLLOGSIZE 8192
|
||||
|
||||
extern int fr_check();
|
||||
extern int fr_copytolog();
|
||||
extern fr_info_t frcache[];
|
||||
extern char *iplh, *iplt;
|
||||
extern char iplbuf[IPLLOGSIZE];
|
||||
|
||||
#ifdef _KERNEL
|
||||
|
||||
extern struct frentry *ipfilter[2][2], *ipacct[2][2];
|
||||
extern struct filterstats frstats[];
|
||||
# if SOLARIS
|
||||
extern int ipfsync();
|
||||
# endif
|
||||
#endif /* _KERNEL */
|
||||
#endif /* __IP_FIL_H__ */
|
278
contrib/ipfilter/ip_frag.c
Normal file
278
contrib/ipfilter/ip_frag.c
Normal file
@ -0,0 +1,278 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
|
||||
static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if !defined(_KERNEL) && !defined(KERNEL)
|
||||
# include <string.h>
|
||||
# include <stdlib.h>
|
||||
#endif
|
||||
#include <sys/errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/uio.h>
|
||||
#include <sys/protosw.h>
|
||||
#include <sys/socket.h>
|
||||
#ifdef _KERNEL
|
||||
# include <sys/systm.h>
|
||||
#endif
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
# include <sys/mbuf.h>
|
||||
#else
|
||||
# include <sys/byteorder.h>
|
||||
# include <sys/dditypes.h>
|
||||
# include <sys/stream.h>
|
||||
# include <sys/kmem.h>
|
||||
#endif
|
||||
|
||||
#include <net/if.h>
|
||||
#ifdef sun
|
||||
#include <net/af.h>
|
||||
#endif
|
||||
#include <net/route.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include "ip_fil.h"
|
||||
#include "ip_compat.h"
|
||||
#include "ip_frag.h"
|
||||
#include "ip_nat.h"
|
||||
#include "ip_state.h"
|
||||
|
||||
ipfr_t *ipfr_heads[IPFT_SIZE];
|
||||
ipfrstat_t ipfr_stats;
|
||||
u_long ipfr_inuse = 0,
|
||||
fr_ipfrttl = 120; /* 60 seconds */
|
||||
#ifdef _KERNEL
|
||||
extern int ipfr_timer_id;
|
||||
#endif
|
||||
#if SOLARIS
|
||||
# ifdef _KERNEL
|
||||
extern kmutex_t ipf_frag;
|
||||
# else
|
||||
#define bcmp(a,b,c) memcmp(a,b,c)
|
||||
#define bcopy(a,b,c) memmove(b,a,c)
|
||||
# endif
|
||||
#endif
|
||||
|
||||
|
||||
ipfrstat_t *ipfr_fragstats()
|
||||
{
|
||||
ipfr_stats.ifs_table = ipfr_heads;
|
||||
ipfr_stats.ifs_inuse = ipfr_inuse;
|
||||
return &ipfr_stats;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* add a new entry to the fragment cache, registering it as having come
|
||||
* through this box, with the result of the filter operation.
|
||||
*/
|
||||
int ipfr_newfrag(ip, fin, pass)
|
||||
ip_t *ip;
|
||||
fr_info_t *fin;
|
||||
int pass;
|
||||
{
|
||||
ipfr_t **fp, *fr, frag;
|
||||
u_int idx;
|
||||
|
||||
frag.ipfr_p = ip->ip_p;
|
||||
idx = ip->ip_p;
|
||||
frag.ipfr_id = ip->ip_id;
|
||||
idx += ip->ip_id;
|
||||
frag.ipfr_tos = ip->ip_tos;
|
||||
frag.ipfr_src.s_addr = ip->ip_src.s_addr;
|
||||
idx += ip->ip_src.s_addr;
|
||||
frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
|
||||
idx += ip->ip_dst.s_addr;
|
||||
idx *= 127;
|
||||
idx %= IPFT_SIZE;
|
||||
|
||||
/*
|
||||
* first, make sure it isn't already there...
|
||||
*/
|
||||
MUTEX_ENTER(&ipf_frag);
|
||||
for (fp = &ipfr_heads[idx]; (fr = *fp); fp = &fr->ipfr_next)
|
||||
if (!bcmp((char *)&frag.ipfr_src, (char *)&fr->ipfr_src,
|
||||
IPFR_CMPSZ)) {
|
||||
ipfr_stats.ifs_exists++;
|
||||
MUTEX_EXIT(&ipf_frag);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!(fr = (ipfr_t *)KMALLOC(sizeof(*fr)))) {
|
||||
ipfr_stats.ifs_nomem++;
|
||||
MUTEX_EXIT(&ipf_frag);
|
||||
return -1;
|
||||
}
|
||||
if ((fr->ipfr_next = ipfr_heads[idx]))
|
||||
ipfr_heads[idx]->ipfr_prev = fr;
|
||||
fr->ipfr_prev = NULL;
|
||||
ipfr_heads[idx] = fr;
|
||||
bcopy((char *)&frag.ipfr_src, (char *)&fr->ipfr_src, IPFR_CMPSZ);
|
||||
fr->ipfr_ttl = fr_ipfrttl;
|
||||
fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG);
|
||||
fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3);
|
||||
*fp = fr;
|
||||
ipfr_stats.ifs_new++;
|
||||
ipfr_inuse++;
|
||||
MUTEX_EXIT(&ipf_frag);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* check the fragment cache to see if there is already a record of this packet
|
||||
* with its filter result known.
|
||||
*/
|
||||
int ipfr_knownfrag(ip, fin)
|
||||
ip_t *ip;
|
||||
fr_info_t *fin;
|
||||
{
|
||||
ipfr_t *f, frag;
|
||||
u_int idx;
|
||||
int ret;
|
||||
|
||||
/*
|
||||
* For fragments, we record protocol, packet id, TOS and both IP#'s
|
||||
* (these should all be the same for all fragments of a packet).
|
||||
*/
|
||||
frag.ipfr_p = ip->ip_p;
|
||||
idx = ip->ip_p;
|
||||
frag.ipfr_id = ip->ip_id;
|
||||
idx += ip->ip_id;
|
||||
frag.ipfr_tos = ip->ip_tos;
|
||||
frag.ipfr_src.s_addr = ip->ip_src.s_addr;
|
||||
idx += ip->ip_src.s_addr;
|
||||
frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
|
||||
idx += ip->ip_dst.s_addr;
|
||||
idx *= 127;
|
||||
idx %= IPFT_SIZE;
|
||||
|
||||
MUTEX_ENTER(&ipf_frag);
|
||||
for (f = ipfr_heads[idx]; f; f = f->ipfr_next)
|
||||
if (!bcmp((char *)&frag.ipfr_src, (char *)&f->ipfr_src,
|
||||
IPFR_CMPSZ)) {
|
||||
u_short atoff, off;
|
||||
|
||||
if (f != ipfr_heads[idx]) {
|
||||
/*
|
||||
* move fragment info. to the top of the list
|
||||
* to speed up searches.
|
||||
*/
|
||||
if ((f->ipfr_prev->ipfr_next = f->ipfr_next))
|
||||
f->ipfr_next->ipfr_prev = f->ipfr_prev;
|
||||
f->ipfr_next = ipfr_heads[idx];
|
||||
ipfr_heads[idx]->ipfr_prev = f;
|
||||
f->ipfr_prev = NULL;
|
||||
ipfr_heads[idx] = f;
|
||||
}
|
||||
ret = f->ipfr_pass;
|
||||
off = ip->ip_off;
|
||||
atoff = (off & 0x1fff) - (fin->fin_dlen >> 3);
|
||||
/*
|
||||
* If we've follwed the fragments, and this is the
|
||||
* last (in order), shrink expiration time.
|
||||
*/
|
||||
if (atoff == f->ipfr_off) {
|
||||
if (!(off & IP_MF))
|
||||
f->ipfr_ttl = 1;
|
||||
else
|
||||
f->ipfr_off = off;
|
||||
}
|
||||
ipfr_stats.ifs_hits++;
|
||||
MUTEX_EXIT(&ipf_frag);
|
||||
return ret;
|
||||
}
|
||||
MUTEX_EXIT(&ipf_frag);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Free memory in use by fragment state info. kept.
|
||||
*/
|
||||
void ipfr_unload()
|
||||
{
|
||||
ipfr_t **fp, *fr;
|
||||
int idx;
|
||||
#if !SOLARIS && defined(_KERNEL)
|
||||
int s;
|
||||
#endif
|
||||
|
||||
MUTEX_ENTER(&ipf_frag);
|
||||
SPLNET(s);
|
||||
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
|
||||
for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
|
||||
*fp = fr->ipfr_next;
|
||||
KFREE(fr);
|
||||
}
|
||||
SPLX(s);
|
||||
MUTEX_EXIT(&ipf_frag);
|
||||
}
|
||||
|
||||
|
||||
#ifdef _KERNEL
|
||||
/*
|
||||
* Slowly expire held state for fragments. Timeouts are set * in expectation
|
||||
* of this being called twice per second.
|
||||
*/
|
||||
# if BSD < 199306
|
||||
int ipfr_slowtimer()
|
||||
# else
|
||||
void ipfr_slowtimer()
|
||||
# endif
|
||||
{
|
||||
ipfr_t **fp, *fr;
|
||||
int s, idx;
|
||||
|
||||
MUTEX_ENTER(&ipf_frag);
|
||||
SPLNET(s);
|
||||
|
||||
for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
|
||||
for (fp = &ipfr_heads[idx]; (fr = *fp); ) {
|
||||
--fr->ipfr_ttl;
|
||||
if (fr->ipfr_ttl == 0) {
|
||||
if (fr->ipfr_prev)
|
||||
fr->ipfr_prev->ipfr_next =
|
||||
fr->ipfr_next;
|
||||
if (fr->ipfr_next)
|
||||
fr->ipfr_next->ipfr_prev =
|
||||
fr->ipfr_prev;
|
||||
*fp = fr->ipfr_next;
|
||||
ipfr_stats.ifs_expire++;
|
||||
ipfr_inuse--;
|
||||
KFREE(fr);
|
||||
} else
|
||||
fp = &fr->ipfr_next;
|
||||
}
|
||||
SPLX(s);
|
||||
# if SOLARIS
|
||||
MUTEX_EXIT(&ipf_frag);
|
||||
fr_timeoutstate();
|
||||
ip_natexpire();
|
||||
ipfr_timer_id = timeout(ipfr_slowtimer, NULL, HZ/2);
|
||||
# else
|
||||
fr_timeoutstate();
|
||||
ip_natexpire();
|
||||
ip_slowtimo();
|
||||
# if BSD < 199306
|
||||
return 0;
|
||||
# endif
|
||||
# endif
|
||||
}
|
||||
#endif /* defined(_KERNEL) */
|
47
contrib/ipfilter/ip_frag.h
Normal file
47
contrib/ipfilter/ip_frag.h
Normal file
@ -0,0 +1,47 @@
|
||||
/*
|
||||
* (C)opyright 1993, 1994, 1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ip_frag.h 1.5 3/24/96
|
||||
* $Id: ip_frag.h,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef __IP_FRAG_H_
|
||||
#define __IP_FRAG_H__
|
||||
|
||||
#define IPFT_SIZE 257
|
||||
|
||||
typedef struct ipfr {
|
||||
struct ipfr *ipfr_next, *ipfr_prev;
|
||||
struct in_addr ipfr_src;
|
||||
struct in_addr ipfr_dst;
|
||||
u_short ipfr_id;
|
||||
u_char ipfr_p;
|
||||
u_char ipfr_tos;
|
||||
u_short ipfr_off;
|
||||
u_short ipfr_ttl;
|
||||
u_char ipfr_pass;
|
||||
} ipfr_t;
|
||||
|
||||
|
||||
typedef struct ipfrstat {
|
||||
u_long ifs_exists; /* add & already exists */
|
||||
u_long ifs_nomem;
|
||||
u_long ifs_new;
|
||||
u_long ifs_hits;
|
||||
u_long ifs_expire;
|
||||
u_long ifs_inuse;
|
||||
struct ipfr **ifs_table;
|
||||
} ipfrstat_t;
|
||||
|
||||
#define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1)
|
||||
|
||||
extern ipfrstat_t *ipfr_fragstats();
|
||||
extern int ipfr_newfrag(), ipfr_knownfrag();
|
||||
# ifdef _KERNEL
|
||||
extern void ipfr_unload();
|
||||
# endif
|
||||
#endif /* __IP_FIL_H__ */
|
886
contrib/ipfilter/ip_nat.c
Normal file
886
contrib/ipfilter/ip_nat.c
Normal file
@ -0,0 +1,886 @@
|
||||
/*
|
||||
* (C)opyright 1995-1996 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* Added redirect stuff and a LOT of bug fixes. (mcn@EnGarde.com)
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
|
||||
static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.10 1997/02/08 06:38:49 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if !defined(_KERNEL) && !defined(KERNEL)
|
||||
# include <stdio.h>
|
||||
# include <string.h>
|
||||
# include <stdlib.h>
|
||||
#endif
|
||||
#include <sys/errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/uio.h>
|
||||
#include <sys/protosw.h>
|
||||
#include <sys/socket.h>
|
||||
#ifdef _KERNEL
|
||||
# include <sys/systm.h>
|
||||
#endif
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
# include <sys/mbuf.h>
|
||||
#else
|
||||
# include <sys/byteorder.h>
|
||||
# include <sys/dditypes.h>
|
||||
# include <sys/stream.h>
|
||||
# include <sys/kmem.h>
|
||||
#endif
|
||||
|
||||
#include <net/if.h>
|
||||
#ifdef sun
|
||||
#include <net/af.h>
|
||||
#endif
|
||||
#include <net/route.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
|
||||
#ifdef RFC1825
|
||||
#include <vpn/md5.h>
|
||||
#include <vpn/ipsec.h>
|
||||
extern struct ifnet vpnif;
|
||||
#endif
|
||||
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include "ip_fil.h"
|
||||
#include "ip_compat.h"
|
||||
#include "ip_nat.h"
|
||||
#include "ip_state.h"
|
||||
#ifndef MIN
|
||||
#define MIN(a,b) (((a)<(b))?(a):(b))
|
||||
#endif
|
||||
|
||||
nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL;
|
||||
ipnat_t *nat_list = NULL;
|
||||
u_long nat_inuse = 0,
|
||||
fr_defnatage = 1200;
|
||||
natstat_t nat_stats;
|
||||
#if SOLARIS
|
||||
# ifndef _KERNEL
|
||||
#define bzero(a,b) memset(a,0,b)
|
||||
#define bcmp(a,b,c) memcpy(a,b,c)
|
||||
#define bcopy(a,b,c) memmove(b,a,c)
|
||||
# else
|
||||
extern kmutex_t ipf_nat;
|
||||
# endif
|
||||
#endif
|
||||
|
||||
static int flush_nattable(), clear_natlist();
|
||||
static void nattable_sync();
|
||||
|
||||
void fix_outcksum(sp, n)
|
||||
u_short *sp;
|
||||
u_long n;
|
||||
{
|
||||
register u_short sumshort;
|
||||
register u_long sum1;
|
||||
|
||||
#ifdef sparc
|
||||
sum1 = (~(*sp)) & 0xffff;
|
||||
#else
|
||||
sum1 = (~ntohs(*sp)) & 0xffff;
|
||||
#endif
|
||||
sum1 += (n);
|
||||
sum1 = (sum1 >> 16) + (sum1 & 0xffff);
|
||||
/* Again */
|
||||
sum1 = (sum1 >> 16) + (sum1 & 0xffff);
|
||||
sumshort = ~(u_short)sum1;
|
||||
*(sp) = htons(sumshort);
|
||||
}
|
||||
|
||||
|
||||
void fix_incksum(sp, n)
|
||||
u_short *sp;
|
||||
u_long n;
|
||||
{
|
||||
register u_short sumshort;
|
||||
register u_long sum1;
|
||||
|
||||
#ifdef sparc
|
||||
sum1 = (~(*sp)) & 0xffff;
|
||||
#else
|
||||
sum1 = (~ntohs(*sp)) & 0xffff;
|
||||
#endif
|
||||
sum1 += ~(n) & 0xffff;
|
||||
sum1 = (sum1 >> 16) + (sum1 & 0xffff);
|
||||
/* Again */
|
||||
sum1 = (sum1 >> 16) + (sum1 & 0xffff);
|
||||
sumshort = ~(u_short)sum1;
|
||||
*(sp) = htons(sumshort);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* How the NAT is organised and works.
|
||||
*
|
||||
* Inside (interface y) NAT Outside (interface x)
|
||||
* -------------------- -+- -------------------------------------
|
||||
* Packet going | out, processsed by ip_natout() for x
|
||||
* ------------> | ------------>
|
||||
* src=10.1.1.1 | src=192.1.1.1
|
||||
* |
|
||||
* | in, processed by ip_natin() for x
|
||||
* <------------ | <------------
|
||||
* dst=10.1.1.1 | dst=192.1.1.1
|
||||
* -------------------- -+- -------------------------------------
|
||||
* ip_natout() - changes ip_src and if required, sport
|
||||
* - creates a new mapping, if required.
|
||||
* ip_natin() - changes ip_dst and if required, dport
|
||||
*
|
||||
* In the NAT table, internal source is recorded as "in" and externally
|
||||
* seen as "out".
|
||||
*/
|
||||
|
||||
/*
|
||||
* Handle ioctls which manipulate the NAT.
|
||||
*/
|
||||
int nat_ioctl(data, cmd, mode)
|
||||
caddr_t data;
|
||||
int cmd, mode;
|
||||
{
|
||||
register ipnat_t *nat, *n = NULL, **np = NULL;
|
||||
ipnat_t natd;
|
||||
int error = 0, ret;
|
||||
|
||||
/*
|
||||
* For add/delete, look to see if the NAT entry is already present
|
||||
*/
|
||||
MUTEX_ENTER(&ipf_nat);
|
||||
if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
|
||||
IRCOPY(data, (char *)&natd, sizeof(natd));
|
||||
nat = &natd;
|
||||
for (np = &nat_list; (n = *np); np = &n->in_next)
|
||||
if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
|
||||
IPN_CMPSIZ))
|
||||
break;
|
||||
}
|
||||
|
||||
switch (cmd)
|
||||
{
|
||||
case SIOCADNAT :
|
||||
if (!(mode & FWRITE)) {
|
||||
error = EPERM;
|
||||
break;
|
||||
}
|
||||
if (n) {
|
||||
error = EEXIST;
|
||||
break;
|
||||
}
|
||||
if (!(n = (ipnat_t *)KMALLOC(sizeof(*n)))) {
|
||||
error = ENOMEM;
|
||||
break;
|
||||
}
|
||||
IRCOPY((char *)data, (char *)n, sizeof(*n));
|
||||
n->in_ifp = (void *)GETUNIT(n->in_ifname);
|
||||
n->in_next = *np;
|
||||
n->in_use = 0;
|
||||
n->in_space = ~(0xffffffff & ntohl(n->in_outmsk));
|
||||
if (n->in_space) /* lose 2: broadcast + network address */
|
||||
n->in_space -= 2;
|
||||
else
|
||||
n->in_space = 1; /* single IP# mapping */
|
||||
if (n->in_outmsk != 0xffffffff)
|
||||
n->in_nip = ntohl(n->in_outip) + 1;
|
||||
else
|
||||
n->in_nip = ntohl(n->in_outip);
|
||||
if (n->in_redir == NAT_MAP) {
|
||||
n->in_pnext = ntohs(n->in_pmin);
|
||||
/*
|
||||
* Multiply by the number of ports made available.
|
||||
*/
|
||||
if (ntohs(n->in_pmax) > ntohs(n->in_pmin))
|
||||
n->in_space *= (ntohs(n->in_pmax) -
|
||||
ntohs(n->in_pmin));
|
||||
}
|
||||
/* Otherwise, these fields are preset */
|
||||
*np = n;
|
||||
break;
|
||||
case SIOCRMNAT :
|
||||
if (!(mode & FWRITE)) {
|
||||
error = EPERM;
|
||||
break;
|
||||
}
|
||||
if (!n) {
|
||||
error = ESRCH;
|
||||
break;
|
||||
}
|
||||
*np = n->in_next;
|
||||
|
||||
KFREE(n);
|
||||
nattable_sync();
|
||||
break;
|
||||
case SIOCGNATS :
|
||||
nat_stats.ns_table[0] = nat_table[0];
|
||||
nat_stats.ns_table[1] = nat_table[1];
|
||||
nat_stats.ns_list = nat_list;
|
||||
nat_stats.ns_inuse = nat_inuse;
|
||||
IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats));
|
||||
break;
|
||||
case SIOCGNATL :
|
||||
{
|
||||
natlookup_t nl;
|
||||
|
||||
IRCOPY((char *)data, (char *)&nl, sizeof(nl));
|
||||
|
||||
if (nat_lookupredir(&nl))
|
||||
IWCOPY((char *)&nl, (char *)data, sizeof(nl));
|
||||
else
|
||||
error = ESRCH;
|
||||
break;
|
||||
}
|
||||
case SIOCFLNAT :
|
||||
if (!(mode & FWRITE)) {
|
||||
error = EPERM;
|
||||
break;
|
||||
}
|
||||
ret = flush_nattable();
|
||||
IWCOPY((caddr_t)&ret, data, sizeof(ret));
|
||||
break;
|
||||
case SIOCCNATL :
|
||||
if (!(mode & FWRITE)) {
|
||||
error = EPERM;
|
||||
break;
|
||||
}
|
||||
ret = clear_natlist();
|
||||
IWCOPY((caddr_t)&ret, data, sizeof(ret));
|
||||
break;
|
||||
}
|
||||
MUTEX_EXIT(&ipf_nat);
|
||||
return error;
|
||||
}
|
||||
|
||||
|
||||
static void nat_delete(natd)
|
||||
struct nat *natd;
|
||||
{
|
||||
register struct nat **natp, *nat;
|
||||
|
||||
for (natp = natd->nat_hstart[0]; (nat = *natp);
|
||||
natp = &nat->nat_hnext[0])
|
||||
if (nat == natd) {
|
||||
*natp = nat->nat_hnext[0];
|
||||
break;
|
||||
}
|
||||
|
||||
for (natp = natd->nat_hstart[1]; (nat = *natp);
|
||||
natp = &nat->nat_hnext[1])
|
||||
if (nat == natd) {
|
||||
*natp = nat->nat_hnext[1];
|
||||
break;
|
||||
}
|
||||
|
||||
if (natd->nat_ptr) {
|
||||
natd->nat_ptr->in_space++;
|
||||
natd->nat_ptr->in_use--;
|
||||
}
|
||||
KFREE(natd);
|
||||
nat_inuse--;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* flush_nattable - clear the NAT table of all mapping entries.
|
||||
*/
|
||||
static int flush_nattable()
|
||||
{
|
||||
register nat_t *nat, **natp;
|
||||
register int j = 0;
|
||||
|
||||
/*
|
||||
* Everything will be deleted, so lets just make it the deletions
|
||||
* quicker.
|
||||
*/
|
||||
bzero((char *)nat_table[0], sizeof(nat_table[0]));
|
||||
bzero((char *)nat_table[1], sizeof(nat_table[1]));
|
||||
|
||||
for (natp = &nat_instances; (nat = *natp); ) {
|
||||
*natp = nat->nat_next;
|
||||
nat_delete(nat);
|
||||
j++;
|
||||
}
|
||||
|
||||
return j;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* I know this is O(N*M), but it can't be avoided.
|
||||
*/
|
||||
static void nattable_sync()
|
||||
{
|
||||
register nat_t *nat;
|
||||
register ipnat_t *np;
|
||||
int i;
|
||||
|
||||
for (i = NAT_SIZE - 1; i >= 0; i--)
|
||||
for (nat = nat_instances; nat; nat = nat->nat_next) {
|
||||
for (np = nat_list; np; np = np->in_next)
|
||||
if (nat->nat_ptr == np)
|
||||
break;
|
||||
/*
|
||||
* XXX - is it better to remove this if ? works the
|
||||
* same if it is just "nat->nat_ptr = np".
|
||||
*/
|
||||
if (!np)
|
||||
nat->nat_ptr = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* clear_natlist - delete all entries in the active NAT mapping list.
|
||||
*/
|
||||
static int clear_natlist()
|
||||
{
|
||||
register ipnat_t *n, **np;
|
||||
int i = 0;
|
||||
|
||||
for (np = &nat_list; (n = *np); i++) {
|
||||
*np = n->in_next;
|
||||
KFREE(n);
|
||||
}
|
||||
|
||||
nattable_sync();
|
||||
return i;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Create a new NAT table entry.
|
||||
*/
|
||||
nat_t *nat_new(np, ip, fin, flags, direction)
|
||||
ipnat_t *np;
|
||||
ip_t *ip;
|
||||
fr_info_t *fin;
|
||||
u_short flags;
|
||||
int direction;
|
||||
{
|
||||
register u_long sum1, sum2, sumd;
|
||||
u_short port = 0, sport = 0, dport = 0, nport = 0;
|
||||
struct in_addr in;
|
||||
tcphdr_t *tcp = NULL;
|
||||
nat_t *nat, **natp;
|
||||
u_short nflags;
|
||||
|
||||
nflags = flags & np->in_flags;
|
||||
if (flags & IPN_TCPUDP) {
|
||||
tcp = (tcphdr_t *)fin->fin_dp;
|
||||
sport = tcp->th_sport;
|
||||
dport = tcp->th_dport;
|
||||
}
|
||||
|
||||
/* Give me a new nat */
|
||||
if (!(nat = (nat_t *)KMALLOC(sizeof(*nat))))
|
||||
return NULL;
|
||||
|
||||
bzero((char *)nat, sizeof(*nat));
|
||||
|
||||
/*
|
||||
* Search the current table for a match.
|
||||
*/
|
||||
if (direction == NAT_OUTBOUND) {
|
||||
/*
|
||||
* If it's an outbound packet which doesn't match any existing
|
||||
* record, then create a new port
|
||||
*/
|
||||
do {
|
||||
port = 0;
|
||||
in.s_addr = np->in_nip;
|
||||
if (nflags & IPN_TCPUDP) {
|
||||
port = htons(np->in_pnext++);
|
||||
if (np->in_pnext >= ntohs(np->in_pmax)) {
|
||||
np->in_pnext = ntohs(np->in_pmin);
|
||||
np->in_space--;
|
||||
if (np->in_outmsk != 0xffffffff)
|
||||
np->in_nip++;
|
||||
}
|
||||
} else if (np->in_outmsk != 0xffffffff) {
|
||||
np->in_space--;
|
||||
np->in_nip++;
|
||||
}
|
||||
|
||||
if (!port && (flags & IPN_TCPUDP))
|
||||
port = sport;
|
||||
if ((np->in_nip & ntohl(np->in_outmsk)) >
|
||||
ntohl(np->in_outip))
|
||||
np->in_nip = ntohl(np->in_outip) + 1;
|
||||
} while (nat_inlookup(flags, ip->ip_dst, dport, in, port));
|
||||
|
||||
/* Setup the NAT table */
|
||||
nat->nat_inip = ip->ip_src;
|
||||
nat->nat_outip.s_addr = htonl(in.s_addr);
|
||||
nat->nat_oip = ip->ip_dst;
|
||||
|
||||
sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) +
|
||||
(ntohl(ip->ip_src.s_addr) >> 16) + ntohs(sport);
|
||||
|
||||
sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16) + ntohs(port);
|
||||
|
||||
if (flags & IPN_TCPUDP) {
|
||||
nat->nat_inport = sport;
|
||||
nat->nat_outport = port;
|
||||
nat->nat_oport = dport;
|
||||
}
|
||||
} else {
|
||||
|
||||
/*
|
||||
* Otherwise, it's an inbound packet. Most likely, we don't
|
||||
* want to rewrite source ports and source addresses. Instead,
|
||||
* we want to rewrite to a fixed internal address and fixed
|
||||
* internal port.
|
||||
*/
|
||||
in.s_addr = ntohl(np->in_inip);
|
||||
if (!(nport = np->in_pnext))
|
||||
nport = dport;
|
||||
|
||||
nat->nat_inip.s_addr = htonl(in.s_addr);
|
||||
nat->nat_outip = ip->ip_dst;
|
||||
nat->nat_oip = ip->ip_src;
|
||||
|
||||
sum1 = (ntohl(ip->ip_dst.s_addr) & 0xffff) +
|
||||
(ntohl(ip->ip_dst.s_addr) >> 16) + ntohs(dport);
|
||||
|
||||
sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16) + ntohs(nport);
|
||||
|
||||
if (flags & IPN_TCPUDP) {
|
||||
nat->nat_inport = nport;
|
||||
nat->nat_outport = dport;
|
||||
nat->nat_oport = sport;
|
||||
}
|
||||
}
|
||||
|
||||
/* Do it twice */
|
||||
sum1 = (sum1 & 0xffff) + (sum1 >> 16);
|
||||
sum1 = (sum1 & 0xffff) + (sum1 >> 16);
|
||||
|
||||
/* Do it twice */
|
||||
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
|
||||
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
|
||||
|
||||
if (sum1 > sum2)
|
||||
sum2--; /* Because ~1 == -2, We really need ~1 == -1 */
|
||||
sumd = sum2 - sum1;
|
||||
sumd = (sumd & 0xffff) + (sumd >> 16);
|
||||
nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16);
|
||||
|
||||
if ((flags & IPN_TCPUDP) && ((sport != port) || (dport != nport))) {
|
||||
if (direction == NAT_OUTBOUND)
|
||||
sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) +
|
||||
(ntohl(ip->ip_src.s_addr) >> 16);
|
||||
else
|
||||
sum1 = (ntohl(ip->ip_dst.s_addr) & 0xffff) +
|
||||
(ntohl(ip->ip_dst.s_addr) >> 16);
|
||||
|
||||
sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16);
|
||||
|
||||
/* Do it twice */
|
||||
sum1 = (sum1 & 0xffff) + (sum1 >> 16);
|
||||
sum1 = (sum1 & 0xffff) + (sum1 >> 16);
|
||||
|
||||
/* Do it twice */
|
||||
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
|
||||
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
|
||||
|
||||
if (sum1 > sum2)
|
||||
sum2--; /* Because ~1 == -2, We really need ~1 == -1 */
|
||||
sumd = sum2 - sum1;
|
||||
sumd = (sumd & 0xffff) + (sumd >> 16);
|
||||
nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16);
|
||||
} else
|
||||
nat->nat_ipsumd = nat->nat_sumd;
|
||||
|
||||
in.s_addr = htonl(in.s_addr);
|
||||
nat->nat_next = nat_instances;
|
||||
nat_instances = nat;
|
||||
natp = &nat_table[0][nat->nat_inip.s_addr % NAT_SIZE];
|
||||
nat->nat_hstart[0] = natp;
|
||||
nat->nat_hnext[0] = *natp;
|
||||
*natp = nat;
|
||||
natp = &nat_table[1][nat->nat_outip.s_addr % NAT_SIZE];
|
||||
nat->nat_hstart[1] = natp;
|
||||
nat->nat_hnext[1] = *natp;
|
||||
*natp = nat;
|
||||
nat->nat_ptr = np;
|
||||
np->in_use++;
|
||||
if (direction == NAT_OUTBOUND) {
|
||||
if (flags & IPN_TCPUDP)
|
||||
tcp->th_sport = htons(port);
|
||||
} else {
|
||||
if (flags & IPN_TCPUDP)
|
||||
tcp->th_dport = htons(nport);
|
||||
}
|
||||
nat_stats.ns_added++;
|
||||
nat_inuse++;
|
||||
return nat;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* NB: these lookups don't lock access to the list, it assume it has already
|
||||
* been done!
|
||||
*/
|
||||
/*
|
||||
* Lookup a nat entry based on the mapped destination ip address/port and
|
||||
* real source address/port. We use this lookup when receiving a packet,
|
||||
* we're looking for a table entry, based on the destination address.
|
||||
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
|
||||
*/
|
||||
nat_t *nat_inlookup(flags, src, sport, mapdst, mapdport)
|
||||
register int flags;
|
||||
struct in_addr src , mapdst;
|
||||
u_short sport, mapdport;
|
||||
{
|
||||
register nat_t *nat;
|
||||
|
||||
flags &= IPN_TCPUDP;
|
||||
|
||||
nat = nat_table[1][mapdst.s_addr % NAT_SIZE];
|
||||
for (; nat; nat = nat->nat_hnext[1])
|
||||
if (nat->nat_oip.s_addr == src.s_addr &&
|
||||
nat->nat_outip.s_addr == mapdst.s_addr &&
|
||||
(!flags || (nat->nat_oport == sport &&
|
||||
nat->nat_outport == mapdport)))
|
||||
return nat;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Lookup a nat entry based on the source 'real' ip address/port and
|
||||
* destination address/port. We use this lookup when sending a packet out,
|
||||
* we're looking for a table entry, based on the source address.
|
||||
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
|
||||
*/
|
||||
nat_t *nat_outlookup(flags, src, sport, dst, dport)
|
||||
register int flags;
|
||||
struct in_addr src , dst;
|
||||
u_short sport, dport;
|
||||
{
|
||||
register nat_t *nat;
|
||||
|
||||
flags &= IPN_TCPUDP;
|
||||
|
||||
nat = nat_table[0][src.s_addr % NAT_SIZE];
|
||||
for (; nat; nat = nat->nat_hnext[0])
|
||||
if (nat->nat_inip.s_addr == src.s_addr &&
|
||||
nat->nat_oip.s_addr == dst.s_addr &&
|
||||
(!flags || (nat->nat_inport == sport &&
|
||||
nat->nat_oport == dport)))
|
||||
return nat;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Lookup a nat entry based on the mapped source ip address/port and
|
||||
* real destination address/port. We use this lookup when sending a packet
|
||||
* out, we're looking for a table entry, based on the source address.
|
||||
*/
|
||||
nat_t *nat_lookupmapip(flags, mapsrc, mapsport, dst, dport)
|
||||
register int flags;
|
||||
struct in_addr mapsrc , dst;
|
||||
u_short mapsport, dport;
|
||||
{
|
||||
register nat_t *nat;
|
||||
|
||||
flags &= IPN_TCPUDP;
|
||||
|
||||
nat = nat_table[1][mapsrc.s_addr % NAT_SIZE];
|
||||
for (; nat; nat = nat->nat_hnext[0])
|
||||
if (nat->nat_outip.s_addr == mapsrc.s_addr &&
|
||||
nat->nat_oip.s_addr == dst.s_addr &&
|
||||
(!flags || (nat->nat_outport == mapsport &&
|
||||
nat->nat_oport == dport)))
|
||||
return nat;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Lookup the NAT tables to search for a matching redirect
|
||||
*/
|
||||
nat_t *nat_lookupredir(np)
|
||||
register natlookup_t *np;
|
||||
{
|
||||
nat_t *nat;
|
||||
|
||||
/*
|
||||
* If nl_inip is non null, this is a lookup based on the real
|
||||
* ip address. Else, we use the fake.
|
||||
*/
|
||||
if ((nat = nat_outlookup(IPN_TCPUDP, np->nl_inip, np->nl_inport,
|
||||
np->nl_outip, np->nl_outport))) {
|
||||
np->nl_inip = nat->nat_outip;
|
||||
np->nl_inport = nat->nat_outport;
|
||||
}
|
||||
return nat;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Packets going out on the external interface go through this.
|
||||
* Here, the source address requires alteration, if anything.
|
||||
*/
|
||||
int ip_natout(ip, hlen, fin)
|
||||
ip_t *ip;
|
||||
int hlen;
|
||||
fr_info_t *fin;
|
||||
{
|
||||
register ipnat_t *np;
|
||||
register u_long ipa;
|
||||
tcphdr_t *tcp = NULL;
|
||||
nat_t *nat;
|
||||
u_short nflags = 0, sport = 0, dport = 0, *csump = NULL;
|
||||
struct ifnet *ifp;
|
||||
frentry_t *fr;
|
||||
|
||||
if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) &&
|
||||
fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1)
|
||||
ifp = fr->fr_tif.fd_ifp;
|
||||
else
|
||||
ifp = fin->fin_ifp;
|
||||
|
||||
if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
|
||||
if (ip->ip_p == IPPROTO_TCP)
|
||||
nflags = IPN_TCP;
|
||||
else if (ip->ip_p == IPPROTO_UDP)
|
||||
nflags = IPN_UDP;
|
||||
if (nflags) {
|
||||
tcp = (tcphdr_t *)fin->fin_dp;
|
||||
sport = tcp->th_sport;
|
||||
dport = tcp->th_dport;
|
||||
}
|
||||
}
|
||||
|
||||
ipa = ip->ip_src.s_addr;
|
||||
|
||||
MUTEX_ENTER(&ipf_nat);
|
||||
for (np = nat_list; np; np = np->in_next)
|
||||
if ((np->in_ifp == ifp) && np->in_space &&
|
||||
(!np->in_flags || (np->in_flags & nflags)) &&
|
||||
((ipa & np->in_inmsk) == np->in_inip) &&
|
||||
((np->in_redir == NAT_MAP) ||
|
||||
(np->in_pnext == sport))) {
|
||||
/*
|
||||
* If there is no current entry in the nat table for
|
||||
* this IP#, create one for it.
|
||||
*/
|
||||
if (!(nat = nat_outlookup(nflags, ip->ip_src, sport,
|
||||
ip->ip_dst, dport))) {
|
||||
if (np->in_redir == NAT_REDIRECT)
|
||||
continue;
|
||||
/*
|
||||
* if it's a redirection, then we don't want
|
||||
* to create new outgoing port stuff.
|
||||
* Redirections are only for incoming
|
||||
* connections.
|
||||
*/
|
||||
if (!(nat = nat_new(np, ip, fin, nflags,
|
||||
NAT_OUTBOUND)))
|
||||
break;
|
||||
}
|
||||
ip->ip_src = nat->nat_outip;
|
||||
|
||||
nat->nat_age = fr_defnatage; /* 5 mins */
|
||||
|
||||
/*
|
||||
* Fix up checksums, not by recalculating them, but
|
||||
* simply computing adjustments.
|
||||
*/
|
||||
#if SOLARIS
|
||||
if (np->in_redir == NAT_MAP)
|
||||
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
|
||||
else
|
||||
fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
|
||||
#endif
|
||||
|
||||
if (nflags && !(ip->ip_off & 0x1fff) &&
|
||||
!(fin->fin_fi.fi_fl & FI_SHORT)) {
|
||||
|
||||
if (nat->nat_outport)
|
||||
tcp->th_sport = nat->nat_outport;
|
||||
|
||||
if (ip->ip_p == IPPROTO_TCP) {
|
||||
csump = &tcp->th_sum;
|
||||
set_tcp_age(&nat->nat_age,
|
||||
nat->nat_state, ip, fin,1);
|
||||
} else if (ip->ip_p == IPPROTO_UDP) {
|
||||
udphdr_t *udp = (udphdr_t *)tcp;
|
||||
|
||||
if (udp->uh_sum)
|
||||
csump = &udp->uh_sum;
|
||||
} else if (ip->ip_p == IPPROTO_ICMP) {
|
||||
icmphdr_t *ic = (icmphdr_t *)tcp;
|
||||
|
||||
csump = &ic->icmp_cksum;
|
||||
}
|
||||
if (csump) {
|
||||
if (np->in_redir == NAT_MAP)
|
||||
fix_outcksum(csump,
|
||||
nat->nat_sumd);
|
||||
else
|
||||
fix_incksum(csump,
|
||||
nat->nat_sumd);
|
||||
}
|
||||
}
|
||||
nat_stats.ns_mapped[1]++;
|
||||
MUTEX_EXIT(&ipf_nat);
|
||||
return 1;
|
||||
}
|
||||
MUTEX_EXIT(&ipf_nat);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Packets coming in from the external interface go through this.
|
||||
* Here, the destination address requires alteration, if anything.
|
||||
*/
|
||||
int ip_natin(ip, hlen, fin)
|
||||
ip_t *ip;
|
||||
int hlen;
|
||||
fr_info_t *fin;
|
||||
{
|
||||
register ipnat_t *np;
|
||||
register struct in_addr in;
|
||||
struct ifnet *ifp = fin->fin_ifp;
|
||||
tcphdr_t *tcp = NULL;
|
||||
u_short sport = 0, dport = 0, nflags = 0, *csump = NULL;
|
||||
nat_t *nat;
|
||||
|
||||
if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
|
||||
if (ip->ip_p == IPPROTO_TCP)
|
||||
nflags = IPN_TCP;
|
||||
else if (ip->ip_p == IPPROTO_UDP)
|
||||
nflags = IPN_UDP;
|
||||
if (nflags) {
|
||||
tcp = (tcphdr_t *)((char *)ip + hlen);
|
||||
dport = tcp->th_dport;
|
||||
sport = tcp->th_sport;
|
||||
}
|
||||
}
|
||||
|
||||
in = ip->ip_dst;
|
||||
|
||||
MUTEX_ENTER(&ipf_nat);
|
||||
for (np = nat_list; np; np = np->in_next)
|
||||
if ((np->in_ifp == ifp) &&
|
||||
(!np->in_flags || (nflags & np->in_flags)) &&
|
||||
((in.s_addr & np->in_outmsk) == np->in_outip) &&
|
||||
(np->in_redir == NAT_MAP || np->in_pmin == dport)) {
|
||||
if (!(nat = nat_inlookup(nflags, ip->ip_src, sport,
|
||||
ip->ip_dst, dport))) {
|
||||
if (np->in_redir == NAT_MAP)
|
||||
continue;
|
||||
else {
|
||||
/*
|
||||
* If this rule (np) is a redirection,
|
||||
* rather than a mapping, then do a
|
||||
* nat_new. Otherwise, if it's just a
|
||||
* mapping, do a continue;
|
||||
*/
|
||||
if (!(nat = nat_new(np, ip, fin,
|
||||
nflags,
|
||||
NAT_INBOUND)))
|
||||
break;
|
||||
}
|
||||
}
|
||||
ip->ip_dst = nat->nat_inip;
|
||||
|
||||
nat->nat_age = fr_defnatage;
|
||||
|
||||
/*
|
||||
* Fix up checksums, not by recalculating them, but
|
||||
* simply computing adjustments.
|
||||
*/
|
||||
#if SOLARIS
|
||||
if (np->in_redir == NAT_MAP)
|
||||
fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
|
||||
else
|
||||
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
|
||||
#endif
|
||||
if (nflags && !(ip->ip_off & 0x1fff) &&
|
||||
!(fin->fin_fi.fi_fl & FI_SHORT)) {
|
||||
|
||||
if (nat->nat_inport)
|
||||
tcp->th_dport = nat->nat_inport;
|
||||
|
||||
if (ip->ip_p == IPPROTO_TCP) {
|
||||
csump = &tcp->th_sum;
|
||||
set_tcp_age(&nat->nat_age,
|
||||
nat->nat_state, ip, fin,0);
|
||||
} else if (ip->ip_p == IPPROTO_UDP) {
|
||||
udphdr_t *udp = (udphdr_t *)tcp;
|
||||
|
||||
if (udp->uh_sum)
|
||||
csump = &udp->uh_sum;
|
||||
} else if (ip->ip_p == IPPROTO_ICMP) {
|
||||
icmphdr_t *ic = (icmphdr_t *)tcp;
|
||||
|
||||
csump = &ic->icmp_cksum;
|
||||
}
|
||||
if (csump) {
|
||||
if (np->in_redir == NAT_MAP)
|
||||
fix_incksum(csump,
|
||||
nat->nat_sumd);
|
||||
else
|
||||
fix_outcksum(csump,
|
||||
nat->nat_sumd);
|
||||
}
|
||||
}
|
||||
nat_stats.ns_mapped[0]++;
|
||||
MUTEX_EXIT(&ipf_nat);
|
||||
return 1;
|
||||
}
|
||||
MUTEX_EXIT(&ipf_nat);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Free all memory used by NAT structures allocated at runtime.
|
||||
*/
|
||||
void ip_natunload()
|
||||
{
|
||||
MUTEX_ENTER(&ipf_nat);
|
||||
|
||||
(void) clear_natlist();
|
||||
(void) flush_nattable();
|
||||
|
||||
MUTEX_EXIT(&ipf_nat);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Slowly expire held state for NAT entries. Timeouts are set in
|
||||
* expectation of this being called twice per second.
|
||||
*/
|
||||
void ip_natexpire()
|
||||
{
|
||||
register struct nat *nat, **natp;
|
||||
|
||||
MUTEX_ENTER(&ipf_nat);
|
||||
for (natp = &nat_instances; (nat = *natp); natp = &nat->nat_next) {
|
||||
if (--nat->nat_age)
|
||||
continue;
|
||||
*natp = nat->nat_next;
|
||||
nat_delete(nat);
|
||||
nat_stats.ns_expire++;
|
||||
}
|
||||
MUTEX_EXIT(&ipf_nat);
|
||||
}
|
118
contrib/ipfilter/ip_nat.h
Normal file
118
contrib/ipfilter/ip_nat.h
Normal file
@ -0,0 +1,118 @@
|
||||
/*
|
||||
* (C)opyright 1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ip_nat.h 1.5 2/4/96
|
||||
* $Id: ip_nat.h,v 2.0.1.7 1997/01/30 12:39:41 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef __IP_NAT_H_
|
||||
#define __IP_NAT_H__
|
||||
|
||||
#ifndef SOLARIS
|
||||
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
|
||||
#endif
|
||||
|
||||
#if defined(__STDC__) || defined(__GNUC__)
|
||||
#define SIOCADNAT _IOW('r', 80, struct ipnat)
|
||||
#define SIOCRMNAT _IOW('r', 81, struct ipnat)
|
||||
#define SIOCGNATS _IOR('r', 82, struct natstat)
|
||||
#define SIOCGNATL _IOWR('r', 83, struct natlookup)
|
||||
#define SIOCGFRST _IOR('r', 84, struct ipfrstat)
|
||||
#define SIOCGIPST _IOR('r', 85, struct ips_stat)
|
||||
#define SIOCFLNAT _IOWR('r', 86, int)
|
||||
#define SIOCCNATL _IOWR('r', 87, int)
|
||||
|
||||
#else
|
||||
#define SIOCADNAT _IOW(r, 80, struct ipnat)
|
||||
#define SIOCRMNAT _IOW(r, 81, struct ipnat)
|
||||
#define SIOCGNATS _IOR(r, 82, struct natstat)
|
||||
#define SIOCGNATL _IOWR(r, 83, struct natlookup)
|
||||
#define SIOCGFRST _IOR(r, 84, struct ipfrstat)
|
||||
#define SIOCGIPST _IOR(r, 85, struct ips_stat)
|
||||
#define SIOCFLNAT _IOWR(r, 86, int)
|
||||
#define SIOCCNATL _IOWR(r, 87, int)
|
||||
#endif
|
||||
|
||||
#define NAT_SIZE 367
|
||||
|
||||
typedef struct nat {
|
||||
int nat_age;
|
||||
u_long nat_sumd;
|
||||
u_long nat_ipsumd;
|
||||
struct in_addr nat_inip;
|
||||
struct in_addr nat_outip;
|
||||
struct in_addr nat_oip; /* other ip */
|
||||
u_short nat_oport; /* other port */
|
||||
u_short nat_inport;
|
||||
u_short nat_outport;
|
||||
u_short nat_use;
|
||||
u_char nat_state[2];
|
||||
struct ipnat *nat_ptr;
|
||||
struct nat *nat_next;
|
||||
struct nat *nat_hnext[2];
|
||||
struct nat **nat_hstart[2];
|
||||
} nat_t;
|
||||
|
||||
typedef struct ipnat {
|
||||
struct ipnat *in_next;
|
||||
void *in_ifp;
|
||||
u_int in_space;
|
||||
u_int in_use;
|
||||
struct in_addr in_nextip;
|
||||
u_short in_pnext;
|
||||
u_short in_flags;
|
||||
u_short in_port[2];
|
||||
struct in_addr in_in[2];
|
||||
struct in_addr in_out[2];
|
||||
int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
|
||||
char in_ifname[IFNAMSIZ];
|
||||
} ipnat_t;
|
||||
|
||||
#define in_pmin in_port[0] /* Also holds static redir port */
|
||||
#define in_pmax in_port[1]
|
||||
#define in_nip in_nextip.s_addr
|
||||
#define in_inip in_in[0].s_addr
|
||||
#define in_inmsk in_in[1].s_addr
|
||||
#define in_outip in_out[0].s_addr
|
||||
#define in_outmsk in_out[1].s_addr
|
||||
|
||||
#define NAT_INBOUND 0
|
||||
#define NAT_OUTBOUND 1
|
||||
|
||||
#define NAT_MAP 0
|
||||
#define NAT_REDIRECT 1
|
||||
|
||||
#define IPN_CMPSIZ (sizeof(struct in_addr) * 4 + sizeof(u_short) * 3 + \
|
||||
sizeof(int))
|
||||
|
||||
typedef struct natlookup {
|
||||
struct in_addr nl_inip;
|
||||
struct in_addr nl_outip;
|
||||
u_short nl_inport;
|
||||
u_short nl_outport;
|
||||
} natlookup_t;
|
||||
|
||||
typedef struct natstat {
|
||||
u_long ns_mapped[2];
|
||||
u_long ns_added;
|
||||
u_long ns_expire;
|
||||
u_long ns_inuse;
|
||||
nat_t **ns_table[2];
|
||||
ipnat_t *ns_list;
|
||||
} natstat_t;
|
||||
|
||||
#define IPN_ANY 0
|
||||
#define IPN_TCP 1
|
||||
#define IPN_UDP 2
|
||||
#define IPN_TCPUDP 3
|
||||
|
||||
extern nat_t *nat_table[2][NAT_SIZE];
|
||||
extern int nat_ioctl();
|
||||
extern nat_t *nat_outlookup(), *nat_inlookup(), *nat_lookupredir();
|
||||
extern int ip_natout(), ip_natin();
|
||||
extern void ip_natunload(), ip_natexpire();
|
||||
#endif /* __IP_NAT_H__ */
|
731
contrib/ipfilter/ip_sfil.c
Normal file
731
contrib/ipfilter/ip_sfil.c
Normal file
@ -0,0 +1,731 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* I hate legaleese, don't you ?
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed";
|
||||
static char rcsid[] = "$Id: ip_sfil.c,v 2.0.1.3 1997/02/04 14:49:15 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/errno.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/cpuvar.h>
|
||||
#include <sys/open.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/cred.h>
|
||||
#include <sys/ddi.h>
|
||||
#include <sys/sunddi.h>
|
||||
#include <sys/ksynch.h>
|
||||
#include <sys/kmem.h>
|
||||
#include <sys/mkdev.h>
|
||||
#include <sys/protosw.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/dditypes.h>
|
||||
#include <sys/cmn_err.h>
|
||||
#include <net/if.h>
|
||||
#include <net/af.h>
|
||||
#include <net/route.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include "ip_fil.h"
|
||||
#include "ip_compat.h"
|
||||
#include "ip_state.h"
|
||||
#include "ip_frag.h"
|
||||
#include "ip_nat.h"
|
||||
#include <inet/ip_ire.h>
|
||||
#ifndef MIN
|
||||
#define MIN(a,b) (((a)<(b))?(a):(b))
|
||||
#endif
|
||||
|
||||
extern fr_flags, fr_active;
|
||||
|
||||
int ipfr_timer_id = 0;
|
||||
int ipl_unreach = ICMP_UNREACH_HOST;
|
||||
int send_reset();
|
||||
|
||||
#ifdef IPFILTER_LOG
|
||||
int ipllog();
|
||||
static void frflush();
|
||||
char iplbuf[IPLLOGSIZE];
|
||||
caddr_t iplh = iplbuf, iplt = iplbuf;
|
||||
static int iplused = 0;
|
||||
#endif /* IPFILTER_LOG */
|
||||
static int frrequest();
|
||||
kmutex_t ipl_mutex, ipf_mutex, ipfs_mutex;
|
||||
kmutex_t ipf_frag, ipf_state, ipf_nat;
|
||||
kcondvar_t iplwait;
|
||||
|
||||
extern void ipfr_slowtimer();
|
||||
|
||||
|
||||
int ipldetach()
|
||||
{
|
||||
int i = FR_INQUE|FR_OUTQUE;
|
||||
|
||||
untimeout(ipfr_timer_id);
|
||||
frflush((caddr_t)&i);
|
||||
ipfr_unload();
|
||||
fr_stateunload();
|
||||
ip_natunload();
|
||||
cv_destroy(&iplwait);
|
||||
mutex_destroy(&ipl_mutex);
|
||||
mutex_destroy(&ipf_mutex);
|
||||
mutex_destroy(&ipfs_mutex);
|
||||
mutex_destroy(&ipf_frag);
|
||||
mutex_destroy(&ipf_state);
|
||||
mutex_destroy(&ipf_nat);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int iplattach()
|
||||
{
|
||||
bzero((char *)nat_table, sizeof(nat_t *) * NAT_SIZE * 2);
|
||||
mutex_init(&ipl_mutex, "ipf log mutex", MUTEX_DRIVER, NULL);
|
||||
mutex_init(&ipf_mutex, "ipf filter mutex", MUTEX_DRIVER, NULL);
|
||||
mutex_init(&ipfs_mutex, "ipf solaris mutex", MUTEX_DRIVER, NULL);
|
||||
mutex_init(&ipf_frag, "ipf fragment mutex", MUTEX_DRIVER, NULL);
|
||||
mutex_init(&ipf_state, "ipf IP state mutex", MUTEX_DRIVER, NULL);
|
||||
mutex_init(&ipf_nat, "ipf IP NAT mutex", MUTEX_DRIVER, NULL);
|
||||
cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL);
|
||||
ipfr_timer_id = timeout(ipfr_slowtimer, NULL, HZ/2);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static void frzerostats(data)
|
||||
caddr_t data;
|
||||
{
|
||||
struct friostat fio;
|
||||
|
||||
bcopy((char *)frstats, (char *)fio.f_st,
|
||||
sizeof(struct filterstats) * 2);
|
||||
fio.f_fin[0] = ipfilter[0][0];
|
||||
fio.f_fin[1] = ipfilter[0][1];
|
||||
fio.f_fout[0] = ipfilter[1][0];
|
||||
fio.f_fout[1] = ipfilter[1][1];
|
||||
fio.f_acctin[0] = ipacct[0][0];
|
||||
fio.f_acctin[1] = ipacct[0][1];
|
||||
fio.f_acctout[0] = ipacct[1][0];
|
||||
fio.f_acctout[1] = ipacct[1][1];
|
||||
fio.f_active = fr_active;
|
||||
IWCOPY((caddr_t)&fio, data, sizeof(fio));
|
||||
bzero((char *)frstats, sizeof(*frstats) * 2);
|
||||
}
|
||||
|
||||
|
||||
#ifdef IPFILTER_LOG
|
||||
static void frflush(data)
|
||||
caddr_t data;
|
||||
{
|
||||
struct frentry *f, **fp;
|
||||
int flags, flushed = 0, set = fr_active;
|
||||
|
||||
IRCOPY(data, (caddr_t)&flags, sizeof(flags));
|
||||
bzero((char *)frcache, sizeof(frcache[0]) * 2);
|
||||
|
||||
if (flags & FR_INACTIVE)
|
||||
set = 1 - set;
|
||||
if (flags & FR_OUTQUE) {
|
||||
for (fp = &ipfilter[1][set]; (f = *fp); ) {
|
||||
*fp = f->fr_next;
|
||||
KFREE(f);
|
||||
flushed++;
|
||||
}
|
||||
for (fp = &ipacct[1][set]; (f = *fp); ) {
|
||||
*fp = f->fr_next;
|
||||
KFREE(f);
|
||||
flushed++;
|
||||
}
|
||||
}
|
||||
if (flags & FR_INQUE) {
|
||||
for (fp = &ipfilter[0][set]; (f = *fp); ) {
|
||||
*fp = f->fr_next;
|
||||
KFREE(f);
|
||||
flushed++;
|
||||
}
|
||||
for (fp = &ipacct[0][set]; (f = *fp); ) {
|
||||
*fp = f->fr_next;
|
||||
KFREE(f);
|
||||
flushed++;
|
||||
}
|
||||
}
|
||||
|
||||
IWCOPY((caddr_t)&flushed, data, sizeof(flushed));
|
||||
}
|
||||
#endif /* IPFILTER_LOG */
|
||||
|
||||
|
||||
/*
|
||||
* Filter ioctl interface.
|
||||
*/
|
||||
int iplioctl(dev, cmd, data, mode, cp, rp)
|
||||
dev_t dev;
|
||||
int cmd;
|
||||
caddr_t data;
|
||||
int mode;
|
||||
cred_t *cp;
|
||||
int *rp;
|
||||
{
|
||||
int error = 0;
|
||||
|
||||
switch (cmd) {
|
||||
case SIOCFRENB :
|
||||
{
|
||||
u_int enable;
|
||||
|
||||
if (!(mode & FWRITE))
|
||||
return EPERM;
|
||||
IRCOPY(data, (caddr_t)&enable, sizeof(enable));
|
||||
break;
|
||||
}
|
||||
case SIOCSETFF :
|
||||
if (!(mode & FWRITE))
|
||||
return EPERM;
|
||||
mutex_enter(&ipf_mutex);
|
||||
IRCOPY(data, (caddr_t)&fr_flags, sizeof(fr_flags));
|
||||
mutex_exit(&ipf_mutex);
|
||||
break;
|
||||
case SIOCGETFF :
|
||||
IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags));
|
||||
break;
|
||||
case SIOCINAFR :
|
||||
case SIOCRMAFR :
|
||||
case SIOCADAFR :
|
||||
case SIOCZRLST :
|
||||
if (!(mode & FWRITE))
|
||||
return EPERM;
|
||||
mutex_enter(&ipf_mutex);
|
||||
error = frrequest(cmd, data, fr_active);
|
||||
mutex_exit(&ipf_mutex);
|
||||
break;
|
||||
case SIOCINIFR :
|
||||
case SIOCRMIFR :
|
||||
case SIOCADIFR :
|
||||
if (!(mode & FWRITE))
|
||||
return EPERM;
|
||||
mutex_enter(&ipf_mutex);
|
||||
error = frrequest(cmd, data, 1 - fr_active);
|
||||
mutex_exit(&ipf_mutex);
|
||||
break;
|
||||
case SIOCSWAPA :
|
||||
if (!(mode & FWRITE))
|
||||
return EPERM;
|
||||
mutex_enter(&ipf_mutex);
|
||||
bzero((char *)frcache, sizeof(frcache[0]) * 2);
|
||||
IWCOPY((caddr_t)&fr_active, (caddr_t)data, sizeof(fr_active));
|
||||
fr_active = 1 - fr_active;
|
||||
mutex_exit(&ipf_mutex);
|
||||
break;
|
||||
case SIOCGETFS :
|
||||
{
|
||||
struct friostat fio;
|
||||
|
||||
mutex_enter(&ipf_mutex);
|
||||
bcopy((char *)frstats, (char *)fio.f_st,
|
||||
sizeof(struct filterstats) * 2);
|
||||
fio.f_fin[0] = ipfilter[0][0];
|
||||
fio.f_fin[1] = ipfilter[0][1];
|
||||
fio.f_fout[0] = ipfilter[1][0];
|
||||
fio.f_fout[1] = ipfilter[1][1];
|
||||
fio.f_acctin[0] = ipacct[0][0];
|
||||
fio.f_acctin[1] = ipacct[0][1];
|
||||
fio.f_acctout[0] = ipacct[1][0];
|
||||
fio.f_acctout[1] = ipacct[1][1];
|
||||
fio.f_active = fr_active;
|
||||
mutex_exit(&ipf_mutex);
|
||||
IWCOPY((caddr_t)&fio, data, sizeof(fio));
|
||||
break;
|
||||
}
|
||||
case SIOCFRZST :
|
||||
if (!(mode & FWRITE))
|
||||
return EPERM;
|
||||
frzerostats(data);
|
||||
break;
|
||||
#ifdef IPFILTER_LOG
|
||||
case SIOCIPFFL :
|
||||
if (!(mode & FWRITE))
|
||||
return EPERM;
|
||||
mutex_enter(&ipf_mutex);
|
||||
frflush(data);
|
||||
mutex_exit(&ipf_mutex);
|
||||
break;
|
||||
case SIOCIPFFB :
|
||||
if (!(mode & FWRITE))
|
||||
return EPERM;
|
||||
mutex_enter(&ipl_mutex);
|
||||
IWCOPY((caddr_t)&iplused, data, sizeof(iplused));
|
||||
iplh = iplt = iplbuf;
|
||||
iplused = 0;
|
||||
mutex_exit(&ipl_mutex);
|
||||
break;
|
||||
#endif /* IPFILTER_LOG */
|
||||
case SIOCFRSYN :
|
||||
if (!(mode & FWRITE))
|
||||
return EPERM;
|
||||
error = ipfsync();
|
||||
break;
|
||||
case SIOCADNAT :
|
||||
case SIOCRMNAT :
|
||||
case SIOCGNATS :
|
||||
case SIOCGNATL :
|
||||
case SIOCFLNAT :
|
||||
case SIOCCNATL :
|
||||
error = nat_ioctl(data, cmd, mode);
|
||||
break;
|
||||
case SIOCGFRST :
|
||||
IWCOPY((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t));
|
||||
break;
|
||||
case SIOCGIPST :
|
||||
IWCOPY((caddr_t)fr_statetstats(), data, sizeof(ips_stat_t));
|
||||
break;
|
||||
default :
|
||||
error = EINVAL;
|
||||
break;
|
||||
}
|
||||
return error;
|
||||
}
|
||||
|
||||
|
||||
ill_t *get_unit(name)
|
||||
char *name;
|
||||
{
|
||||
ill_t *il;
|
||||
int len = strlen(name) + 1; /* includes \0 */
|
||||
|
||||
for (il = ill_g_head; il; il = il->ill_next)
|
||||
if ((len == il->ill_name_length) &&
|
||||
!strncmp(il->ill_name, name, len))
|
||||
return il;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
static int frrequest(req, data, set)
|
||||
int req, set;
|
||||
caddr_t data;
|
||||
{
|
||||
register frentry_t *fp, *f, **fprev;
|
||||
register frentry_t **ftail;
|
||||
frentry_t fr;
|
||||
frdest_t *fdp;
|
||||
int error = 0, in;
|
||||
ill_t *ill;
|
||||
ipif_t *ipif;
|
||||
ire_t *ire;
|
||||
|
||||
fp = &fr;
|
||||
IRCOPY(data, (caddr_t)fp, sizeof(*fp));
|
||||
|
||||
bzero((char *)frcache, sizeof(frcache[0]) * 2);
|
||||
|
||||
in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
|
||||
if (fp->fr_flags & FR_ACCOUNT)
|
||||
ftail = fprev = &ipacct[in][set];
|
||||
else if (fp->fr_flags & (FR_OUTQUE|FR_INQUE))
|
||||
ftail = fprev = &ipfilter[in][set];
|
||||
else
|
||||
return ESRCH;
|
||||
|
||||
if (*fp->fr_ifname) {
|
||||
fp->fr_ifa = (struct ifnet *)get_unit((char *)fp->fr_ifname);
|
||||
if (!fp->fr_ifa)
|
||||
fp->fr_ifa = (struct ifnet *)-1;
|
||||
}
|
||||
|
||||
fdp = &fp->fr_dif;
|
||||
fp->fr_flags &= ~FR_DUP;
|
||||
if (*fdp->fd_ifname) {
|
||||
ill = get_unit(fdp->fd_ifname);
|
||||
if (!ill)
|
||||
ire = (ire_t *)-1;
|
||||
else if ((ipif = ill->ill_ipif)) {
|
||||
ire = ire_lookup_myaddr(ipif->ipif_local_addr);
|
||||
if (!ire)
|
||||
ire = (ire_t *)-1;
|
||||
else
|
||||
fp->fr_flags |= FR_DUP;
|
||||
}
|
||||
fdp->fd_ifp = (struct ifnet *)ire;
|
||||
}
|
||||
|
||||
fdp = &fp->fr_tif;
|
||||
if (*fdp->fd_ifname) {
|
||||
ill = get_unit(fdp->fd_ifname);
|
||||
if (!ill)
|
||||
ire = (ire_t *)-1;
|
||||
else if ((ipif = ill->ill_ipif)) {
|
||||
ire = ire_lookup_myaddr(ipif->ipif_local_addr);
|
||||
if (!ire)
|
||||
ire = (ire_t *)-1;
|
||||
}
|
||||
fdp->fd_ifp = (struct ifnet *)ire;
|
||||
}
|
||||
|
||||
/*
|
||||
* Look for a matching filter rule, but don't include the next or
|
||||
* interface pointer in the comparison (fr_next, fr_ifa).
|
||||
*/
|
||||
for (; (f = *ftail); ftail = &f->fr_next)
|
||||
if (bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip,
|
||||
FR_CMPSIZ) == 0)
|
||||
break;
|
||||
|
||||
/*
|
||||
* If zero'ing statistics, copy current to caller and zero.
|
||||
*/
|
||||
if (req == SIOCZRLST) {
|
||||
if (!f)
|
||||
return ESRCH;
|
||||
IWCOPY((caddr_t)f, data, sizeof(*f));
|
||||
f->fr_hits = 0;
|
||||
f->fr_bytes = 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!f) {
|
||||
ftail = fprev;
|
||||
if (req != SIOCINAFR && req != SIOCINIFR)
|
||||
while ((f = *ftail))
|
||||
ftail = &f->fr_next;
|
||||
else if (fp->fr_hits)
|
||||
while (--fp->fr_hits && (f = *ftail))
|
||||
ftail = &f->fr_next;
|
||||
f = NULL;
|
||||
}
|
||||
|
||||
if (req == SIOCDELFR || req == SIOCRMIFR) {
|
||||
if (!f)
|
||||
error = ESRCH;
|
||||
else {
|
||||
*ftail = f->fr_next;
|
||||
KFREE(f);
|
||||
}
|
||||
} else {
|
||||
if (f)
|
||||
error = EEXIST;
|
||||
else {
|
||||
if ((f = (struct frentry *)KMALLOC(sizeof(*f)))) {
|
||||
bcopy((char *)fp, (char *)f, sizeof(*f));
|
||||
f->fr_hits = 0;
|
||||
f->fr_next = *ftail;
|
||||
*ftail = f;
|
||||
} else
|
||||
error = ENOMEM;
|
||||
}
|
||||
}
|
||||
return (error);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* routines below for saving IP headers to buffer
|
||||
*/
|
||||
int iplopen(devp, flags, otype, cred)
|
||||
dev_t *devp;
|
||||
int flags, otype;
|
||||
cred_t *cred;
|
||||
{
|
||||
u_int min = getminor(*devp);
|
||||
|
||||
if (!(otype & OTYP_CHR))
|
||||
return ENXIO;
|
||||
if (min)
|
||||
min = ENXIO;
|
||||
return min;
|
||||
}
|
||||
|
||||
|
||||
int iplclose(dev, flags, otype, cred)
|
||||
dev_t dev;
|
||||
int flags, otype;
|
||||
cred_t *cred;
|
||||
{
|
||||
u_int min = getminor(dev);
|
||||
|
||||
if (min)
|
||||
min = ENXIO;
|
||||
return min;
|
||||
}
|
||||
|
||||
#ifdef IPFILTER_LOG
|
||||
/*
|
||||
* iplread/ipllog
|
||||
* both of these must operate with at least splnet() lest they be
|
||||
* called during packet processing and cause an inconsistancy to appear in
|
||||
* the filter lists.
|
||||
*/
|
||||
int iplread(dev, uio, cp)
|
||||
dev_t dev;
|
||||
register struct uio *uio;
|
||||
cred_t *cp;
|
||||
{
|
||||
register int ret;
|
||||
register size_t sz, sx;
|
||||
char *h, *t;
|
||||
int error, used, usedo, copied;
|
||||
|
||||
if (!uio->uio_resid)
|
||||
return 0;
|
||||
if ((uio->uio_resid < 0) || (uio->uio_resid > IPLLOGSIZE))
|
||||
return EINVAL;
|
||||
|
||||
/*
|
||||
* Lock the log so we can snapshot the variables. Wait for a signal
|
||||
* if the log is empty.
|
||||
*/
|
||||
mutex_enter(&ipl_mutex);
|
||||
while (!iplused) {
|
||||
error = cv_wait_sig(&iplwait, &ipl_mutex);
|
||||
if (!error) {
|
||||
mutex_exit(&ipl_mutex);
|
||||
return EINTR;
|
||||
}
|
||||
}
|
||||
h = iplh;
|
||||
t = iplt;
|
||||
used = iplused;
|
||||
mutex_exit(&ipl_mutex);
|
||||
usedo = used;
|
||||
|
||||
/*
|
||||
* Given up the mutex, the log can grow more, but we can't hold the
|
||||
* mutex across the uiomove's.
|
||||
*/
|
||||
sx = sz = MIN(uio->uio_resid, used);
|
||||
if (h <= t)
|
||||
sz = MIN(sz, IPLLOGSIZE + iplbuf - t);
|
||||
|
||||
if (!(ret = uiomove(t, sz, UIO_READ, uio))) {
|
||||
t += sz;
|
||||
sx -= sz;
|
||||
used -= sz;
|
||||
if ((h < t) && (t >= iplbuf + IPLLOGSIZE))
|
||||
t = iplbuf;
|
||||
|
||||
if (sx && !(ret = uiomove(t, sx, UIO_READ, uio)))
|
||||
used -= sx;
|
||||
}
|
||||
|
||||
/*
|
||||
* copied all the data, now adjust variables to match this.
|
||||
*/
|
||||
mutex_enter(&ipl_mutex);
|
||||
copied = usedo - used;
|
||||
iplused -= copied;
|
||||
|
||||
if (!iplused) /* minimise wrapping around the end */
|
||||
iplh = iplt = iplbuf;
|
||||
else {
|
||||
iplt += copied;
|
||||
if (iplt >= iplbuf + IPLLOGSIZE)
|
||||
iplt -= IPLLOGSIZE;
|
||||
if (iplt == iplbuf + IPLLOGSIZE)
|
||||
iplt = iplbuf;
|
||||
}
|
||||
mutex_exit(&ipl_mutex);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
int ipllog(flags, ip, fin, m)
|
||||
u_int flags;
|
||||
ip_t *ip;
|
||||
fr_info_t *fin;
|
||||
mblk_t *m;
|
||||
{
|
||||
struct ipl_ci iplci;
|
||||
register int len, mlen, hlen;
|
||||
register u_char *s = (u_char *)ip;
|
||||
ill_t *il = fin->fin_ifp;
|
||||
|
||||
hlen = fin->fin_hlen;
|
||||
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
|
||||
hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen);
|
||||
else if (ip->ip_p == IPPROTO_ICMP) {
|
||||
struct icmp *icmp = (struct icmp *)(s + hlen);
|
||||
|
||||
switch (icmp->icmp_type) {
|
||||
case ICMP_UNREACH :
|
||||
case ICMP_SOURCEQUENCH :
|
||||
case ICMP_REDIRECT :
|
||||
case ICMP_TIMXCEED :
|
||||
case ICMP_PARAMPROB :
|
||||
hlen += MIN(sizeof(struct icmp) + 8, fin->fin_dlen);
|
||||
break;
|
||||
default :
|
||||
hlen += MIN(sizeof(struct icmp), fin->fin_dlen);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
mlen = (flags & FR_LOGBODY) ? MIN(msgdsize(m) - hlen, 128) : 0;
|
||||
len = hlen + sizeof(iplci) + mlen;
|
||||
mutex_enter(&ipl_mutex);
|
||||
if ((iplused + len) > IPLLOGSIZE) {
|
||||
mutex_exit(&ipl_mutex);
|
||||
return 0;
|
||||
}
|
||||
iplused += len;
|
||||
|
||||
uniqtime((struct timeval *)&iplci);
|
||||
iplci.flags = flags;
|
||||
iplci.hlen = (u_char)hlen;
|
||||
iplci.plen = (u_char)mlen;
|
||||
iplci.rule = fin->fin_rule;
|
||||
iplci.unit = (u_char)il->ill_ppa;
|
||||
bcopy(il->ill_name, (char *)iplci.ifname, MIN(il->ill_name_length, 4));
|
||||
|
||||
/*
|
||||
* Gauranteed to succeed from above
|
||||
*/
|
||||
(void) fr_copytolog(&iplci, sizeof(iplci));
|
||||
len -= sizeof(iplci);
|
||||
|
||||
if (len && m) {
|
||||
s = m->b_rptr;
|
||||
do {
|
||||
if ((hlen = MIN(m->b_wptr - s, len))) {
|
||||
if (fr_copytolog(s, hlen))
|
||||
break;
|
||||
len -= hlen;
|
||||
}
|
||||
if ((m = m->b_cont))
|
||||
s = m->b_rptr;
|
||||
} while (m && len);
|
||||
}
|
||||
|
||||
cv_signal(&iplwait);
|
||||
mutex_exit(&ipl_mutex);
|
||||
return 1;
|
||||
}
|
||||
#endif /* IPFILTER_LOG */
|
||||
|
||||
|
||||
u_short ipf_cksum(addr, len)
|
||||
register u_short *addr;
|
||||
register int len;
|
||||
{
|
||||
register u_long sum = 0;
|
||||
|
||||
for (sum = 0; len > 1; len -= 2)
|
||||
sum += *addr++;
|
||||
|
||||
/* mop up an odd byte, if necessary */
|
||||
if (len == 1)
|
||||
sum += *(u_char *)addr;
|
||||
|
||||
/*
|
||||
* add back carry outs from top 16 bits to low 16 bits
|
||||
*/
|
||||
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
|
||||
sum += (sum >> 16); /* add carry */
|
||||
return (u_short)(~sum);
|
||||
}
|
||||
|
||||
/*
|
||||
* send_reset - this could conceivably be a call to tcp_respond(), but that
|
||||
* requires a large amount of setting up and isn't any more efficient.
|
||||
*/
|
||||
int send_reset(ti, qif, q)
|
||||
struct tcpiphdr *ti;
|
||||
qif_t *qif;
|
||||
queue_t *q;
|
||||
{
|
||||
struct ip *ip;
|
||||
struct tcphdr *tcp;
|
||||
mblk_t *m;
|
||||
int tlen = 0;
|
||||
|
||||
if (ti->ti_flags & TH_RST)
|
||||
return -1;
|
||||
if (ti->ti_flags & TH_SYN)
|
||||
tlen = 1;
|
||||
if ((m = (mblk_t *)allocb(sizeof(struct tcpiphdr), BPRI_HI)) == NULL)
|
||||
return -1;
|
||||
|
||||
MTYPE(m) = M_DATA;
|
||||
m->b_wptr += sizeof(struct tcpiphdr);
|
||||
bzero((char *)m->b_rptr, sizeof(struct tcpiphdr));
|
||||
ip = (ip_t *)m->b_rptr;
|
||||
tcp = (struct tcphdr *)(m->b_rptr + sizeof(*ip));
|
||||
|
||||
ip->ip_src.s_addr = ti->ti_dst.s_addr;
|
||||
ip->ip_dst.s_addr = ti->ti_src.s_addr;
|
||||
tcp->th_dport = ti->ti_sport;
|
||||
tcp->th_sport = ti->ti_dport;
|
||||
tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen);
|
||||
tcp->th_off = sizeof(struct tcphdr) >> 2;
|
||||
tcp->th_flags = TH_RST|TH_ACK;
|
||||
/*
|
||||
* This is to get around a bug in the Solaris 2.4/2.5 TCP checksum
|
||||
* computation that is done by their put routine.
|
||||
*/
|
||||
tcp->th_sum = htons(0x14);
|
||||
ip->ip_hl = sizeof(*ip) >> 2;
|
||||
ip->ip_v = IPVERSION;
|
||||
ip->ip_p = IPPROTO_TCP;
|
||||
ip->ip_len = htons(sizeof(struct tcpiphdr));
|
||||
ip->ip_tos = ((struct ip *)ti)->ip_tos;
|
||||
ip->ip_off = 0;
|
||||
ip->ip_ttl = 60;
|
||||
ip->ip_sum = 0;
|
||||
ip_wput(qif->qf_ill->ill_wq, m);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int icmp_error(q, ip, type, code, qif, src)
|
||||
queue_t *q;
|
||||
ip_t *ip;
|
||||
int type, code;
|
||||
qif_t *qif;
|
||||
struct in_addr src;
|
||||
{
|
||||
mblk_t *mb;
|
||||
struct icmp *icmp;
|
||||
ip_t *nip;
|
||||
int sz = sizeof(*nip) + sizeof(*icmp) + 8;
|
||||
|
||||
if ((mb = (mblk_t *)allocb(sz, BPRI_HI)) == NULL)
|
||||
return -1;
|
||||
MTYPE(mb) = M_DATA;
|
||||
mb->b_wptr += sz;
|
||||
bzero((char *)mb->b_rptr, sz);
|
||||
nip = (ip_t *)mb->b_rptr;
|
||||
icmp = (struct icmp *)(nip + 1);
|
||||
|
||||
nip->ip_v = IPVERSION;
|
||||
nip->ip_hl = (sizeof(*nip) >> 2);
|
||||
nip->ip_p = IPPROTO_ICMP;
|
||||
nip->ip_id = ip->ip_id;
|
||||
nip->ip_sum = 0;
|
||||
nip->ip_ttl = 60;
|
||||
nip->ip_tos = ip->ip_tos;
|
||||
nip->ip_len = htons(sz);
|
||||
nip->ip_src.s_addr = ip->ip_dst.s_addr;
|
||||
nip->ip_dst.s_addr = ip->ip_src.s_addr;
|
||||
|
||||
icmp->icmp_type = type;
|
||||
icmp->icmp_code = code;
|
||||
icmp->icmp_cksum = 0;
|
||||
bcopy((char *)ip, (char *)&icmp->icmp_ip, sizeof(*ip));
|
||||
bcopy((char *)ip + (ip->ip_hl << 2),
|
||||
(char *)&icmp->icmp_ip + sizeof(*ip), 8); /* 64 bits */
|
||||
icmp->icmp_cksum = ipf_cksum(icmp, sizeof(*icmp) + 8);
|
||||
ip_wput(qif->qf_ill->ill_wq, mb);
|
||||
return 0;
|
||||
}
|
536
contrib/ipfilter/ip_state.c
Normal file
536
contrib/ipfilter/ip_state.c
Normal file
@ -0,0 +1,536 @@
|
||||
/*
|
||||
* (C)opyright 1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
|
||||
static char rcsid[] = "$Id: ip_state.c,v 2.0.1.2 1997/01/09 15:22:45 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if !defined(_KERNEL) && !defined(KERNEL)
|
||||
# include <stdlib.h>
|
||||
# include <string.h>
|
||||
#endif
|
||||
#include <sys/errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/uio.h>
|
||||
#include <sys/protosw.h>
|
||||
#include <sys/socket.h>
|
||||
#ifdef _KERNEL
|
||||
# include <sys/systm.h>
|
||||
#endif
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
# include <sys/mbuf.h>
|
||||
#else
|
||||
# include <sys/byteorder.h>
|
||||
# include <sys/dditypes.h>
|
||||
# include <sys/stream.h>
|
||||
# include <sys/kmem.h>
|
||||
#endif
|
||||
|
||||
#include <net/if.h>
|
||||
#ifdef sun
|
||||
#include <net/af.h>
|
||||
#endif
|
||||
#include <net/route.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/tcp_fsm.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include "ip_fil.h"
|
||||
#include "ip_compat.h"
|
||||
#include "ip_state.h"
|
||||
#ifndef MIN
|
||||
#define MIN(a,b) (((a)<(b))?(a):(b))
|
||||
#endif
|
||||
|
||||
void set_tcp_age();
|
||||
|
||||
#define TCP_CLOSE (TH_FIN|TH_RST)
|
||||
|
||||
ipstate_t *ips_table[IPSTATE_SIZE];
|
||||
int ips_num = 0;
|
||||
ips_stat_t ips_stats;
|
||||
#if SOLARIS
|
||||
extern kmutex_t ipf_state;
|
||||
# if !defined(_KERNEL)
|
||||
#define bcopy(a,b,c) memmove(b,a,c)
|
||||
# endif
|
||||
#endif
|
||||
|
||||
|
||||
#define FIVE_DAYS (2 * 5 * 86400) /* 5 days: half closed session */
|
||||
|
||||
u_long fr_tcpidletimeout = FIVE_DAYS,
|
||||
fr_tcpclosewait = 60,
|
||||
fr_tcplastack = 20,
|
||||
fr_tcptimeout = 120,
|
||||
fr_tcpclosed = 1,
|
||||
fr_udptimeout = 120,
|
||||
fr_icmptimeout = 120;
|
||||
|
||||
|
||||
ips_stat_t *fr_statetstats()
|
||||
{
|
||||
ips_stats.iss_active = ips_num;
|
||||
ips_stats.iss_table = ips_table;
|
||||
return &ips_stats;
|
||||
}
|
||||
|
||||
|
||||
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
|
||||
(((s1) == (d2)) && ((d1) == (s2))))
|
||||
#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \
|
||||
(s2).s_addr, (d2).s_addr)
|
||||
|
||||
/*
|
||||
* Create a new ipstate structure and hang it off the hash table.
|
||||
*/
|
||||
int fr_addstate(ip, fin, pass)
|
||||
ip_t *ip;
|
||||
fr_info_t *fin;
|
||||
u_int pass;
|
||||
{
|
||||
ipstate_t ips;
|
||||
register ipstate_t *is = &ips;
|
||||
register u_int hv;
|
||||
|
||||
if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT))
|
||||
return -1;
|
||||
if (ips_num == IPSTATE_MAX) {
|
||||
ips_stats.iss_max++;
|
||||
return -1;
|
||||
}
|
||||
ips.is_age = 1;
|
||||
ips.is_state[0] = 0;
|
||||
ips.is_state[1] = 0;
|
||||
/*
|
||||
* Copy and calculate...
|
||||
*/
|
||||
hv = (is->is_p = ip->ip_p);
|
||||
hv += (is->is_src.s_addr = ip->ip_src.s_addr);
|
||||
hv += (is->is_dst.s_addr = ip->ip_dst.s_addr);
|
||||
|
||||
switch (ip->ip_p)
|
||||
{
|
||||
case IPPROTO_ICMP :
|
||||
{
|
||||
struct icmp *ic = (struct icmp *)fin->fin_dp;
|
||||
|
||||
switch (ic->icmp_type)
|
||||
{
|
||||
case ICMP_ECHO :
|
||||
is->is_icmp.ics_type = 0;
|
||||
hv += (is->is_icmp.ics_id = ic->icmp_id);
|
||||
hv += (is->is_icmp.ics_seq = ic->icmp_seq);
|
||||
break;
|
||||
case ICMP_TSTAMP :
|
||||
case ICMP_IREQ :
|
||||
case ICMP_MASKREQ :
|
||||
is->is_icmp.ics_type = ic->icmp_type + 1;
|
||||
break;
|
||||
default :
|
||||
return -1;
|
||||
}
|
||||
ips_stats.iss_icmp++;
|
||||
is->is_age = fr_icmptimeout;
|
||||
break;
|
||||
}
|
||||
case IPPROTO_TCP :
|
||||
{
|
||||
register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
|
||||
|
||||
/*
|
||||
* The endian of the ports doesn't matter, but the ack and
|
||||
* sequence numbers do as we do mathematics on them later.
|
||||
*/
|
||||
hv += (is->is_dport = tcp->th_dport);
|
||||
hv += (is->is_sport = tcp->th_sport);
|
||||
is->is_seq = ntohl(tcp->th_seq);
|
||||
is->is_ack = ntohl(tcp->th_ack);
|
||||
is->is_swin = ntohs(tcp->th_win);
|
||||
is->is_dwin = is->is_swin; /* start them the same */
|
||||
ips_stats.iss_tcp++;
|
||||
/*
|
||||
* If we're creating state for a starting connectoin, start the
|
||||
* timer on it as we'll never see an error if it fails to
|
||||
* connect.
|
||||
*/
|
||||
if ((tcp->th_flags & (TH_SYN|TH_ACK)) == TH_SYN)
|
||||
is->is_ack = 0; /* Trumpet WinSock 'ism */
|
||||
set_tcp_age(&is->is_age, is->is_state, ip, fin,
|
||||
tcp->th_sport == is->is_sport);
|
||||
break;
|
||||
}
|
||||
case IPPROTO_UDP :
|
||||
{
|
||||
register tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
|
||||
|
||||
hv += (is->is_dport = tcp->th_dport);
|
||||
hv += (is->is_sport = tcp->th_sport);
|
||||
ips_stats.iss_udp++;
|
||||
is->is_age = fr_udptimeout;
|
||||
break;
|
||||
}
|
||||
default :
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!(is = (ipstate_t *)KMALLOC(sizeof(*is)))) {
|
||||
ips_stats.iss_nomem++;
|
||||
return -1;
|
||||
}
|
||||
bcopy((char *)&ips, (char *)is, sizeof(*is));
|
||||
hv %= IPSTATE_SIZE;
|
||||
MUTEX_ENTER(&ipf_state);
|
||||
is->is_next = ips_table[hv];
|
||||
ips_table[hv] = is;
|
||||
is->is_pass = pass;
|
||||
if (pass & FR_LOGFIRST)
|
||||
is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
|
||||
ips_num++;
|
||||
MUTEX_EXIT(&ipf_state);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* check to see if a packet with TCP headers fits within the TCP window.
|
||||
* change timeout depending on whether new packet is a SYN-ACK returning for a
|
||||
* SYN or a RST or FIN which indicate time to close up shop.
|
||||
*/
|
||||
int fr_tcpstate(is, fin, ip, tcp, sport
|
||||
#ifndef _KERNEL
|
||||
,isp)
|
||||
ipstate_t **isp;
|
||||
#else
|
||||
)
|
||||
#endif
|
||||
register ipstate_t *is;
|
||||
fr_info_t *fin;
|
||||
ip_t *ip;
|
||||
tcphdr_t *tcp;
|
||||
u_short sport;
|
||||
{
|
||||
register int seqskew, ackskew;
|
||||
register u_short swin, dwin;
|
||||
register tcp_seq seq, ack;
|
||||
int source;
|
||||
|
||||
/*
|
||||
* Find difference between last checked packet and this packet.
|
||||
*/
|
||||
seq = ntohl(tcp->th_seq);
|
||||
ack = ntohl(tcp->th_ack);
|
||||
if (sport == is->is_sport) {
|
||||
seqskew = seq - is->is_seq;
|
||||
ackskew = ack - is->is_ack;
|
||||
} else {
|
||||
seqskew = ack - is->is_seq;
|
||||
if (!is->is_ack)
|
||||
/*
|
||||
* Must be a SYN-ACK in reply to a SYN.
|
||||
*/
|
||||
is->is_ack = seq;
|
||||
ackskew = seq - is->is_ack;
|
||||
}
|
||||
|
||||
/*
|
||||
* Make skew values absolute
|
||||
*/
|
||||
if (seqskew < 0)
|
||||
seqskew = -seqskew;
|
||||
if (ackskew < 0)
|
||||
ackskew = -ackskew;
|
||||
|
||||
/*
|
||||
* If the difference in sequence and ack numbers is within the
|
||||
* window size of the connection, store these values and match
|
||||
* the packet.
|
||||
*/
|
||||
if ((source = (sport == is->is_sport))) {
|
||||
swin = is->is_swin;
|
||||
dwin = is->is_dwin;
|
||||
} else {
|
||||
dwin = is->is_swin;
|
||||
swin = is->is_dwin;
|
||||
}
|
||||
|
||||
if ((seqskew <= swin) && (ackskew <= dwin)) {
|
||||
if (source) {
|
||||
is->is_seq = seq;
|
||||
is->is_ack = ack;
|
||||
is->is_swin = ntohs(tcp->th_win);
|
||||
} else {
|
||||
is->is_seq = ack;
|
||||
is->is_ack = seq;
|
||||
is->is_dwin = ntohs(tcp->th_win);
|
||||
}
|
||||
ips_stats.iss_hits++;
|
||||
/*
|
||||
* Nearing end of connection, start timeout.
|
||||
*/
|
||||
set_tcp_age(&is->is_age, is->is_state, ip, fin,
|
||||
tcp->th_sport == is->is_sport);
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Check if a packet has a registered state.
|
||||
*/
|
||||
int fr_checkstate(ip, fin)
|
||||
ip_t *ip;
|
||||
fr_info_t *fin;
|
||||
{
|
||||
register struct in_addr dst, src;
|
||||
register ipstate_t *is, **isp;
|
||||
register u_char pr;
|
||||
struct icmp *ic;
|
||||
tcphdr_t *tcp;
|
||||
u_int hv, hlen;
|
||||
|
||||
if ((ip->ip_off & 0x1fff) || (fin->fin_fi.fi_fl & FI_SHORT))
|
||||
return 0;
|
||||
|
||||
hlen = fin->fin_hlen;
|
||||
tcp = (tcphdr_t *)((char *)ip + hlen);
|
||||
ic = (struct icmp *)tcp;
|
||||
hv = (pr = ip->ip_p);
|
||||
hv += (src.s_addr = ip->ip_src.s_addr);
|
||||
hv += (dst.s_addr = ip->ip_dst.s_addr);
|
||||
|
||||
/*
|
||||
* Search the hash table for matching packet header info.
|
||||
*/
|
||||
switch (ip->ip_p)
|
||||
{
|
||||
case IPPROTO_ICMP :
|
||||
hv += ic->icmp_id;
|
||||
hv += ic->icmp_seq;
|
||||
hv %= IPSTATE_SIZE;
|
||||
MUTEX_ENTER(&ipf_state);
|
||||
for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
|
||||
if ((is->is_p == pr) &&
|
||||
(ic->icmp_id == is->is_icmp.ics_id) &&
|
||||
(ic->icmp_seq == is->is_icmp.ics_seq) &&
|
||||
IPPAIR(src, dst, is->is_src, is->is_dst)) {
|
||||
/*
|
||||
* If we have type 0 stored, allow any icmp
|
||||
* replies through.
|
||||
*/
|
||||
if (is->is_icmp.ics_type &&
|
||||
is->is_icmp.ics_type != ic->icmp_type)
|
||||
continue;
|
||||
is->is_age = fr_icmptimeout;
|
||||
ips_stats.iss_hits++;
|
||||
MUTEX_EXIT(&ipf_state);
|
||||
return is->is_pass;
|
||||
}
|
||||
MUTEX_EXIT(&ipf_state);
|
||||
break;
|
||||
case IPPROTO_TCP :
|
||||
{
|
||||
register u_short dport = tcp->th_dport, sport = tcp->th_sport;
|
||||
|
||||
hv += dport;
|
||||
hv += sport;
|
||||
hv %= IPSTATE_SIZE;
|
||||
MUTEX_ENTER(&ipf_state);
|
||||
for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next) {
|
||||
if ((is->is_p == pr) &&
|
||||
PAIRS(sport, dport, is->is_sport, is->is_dport) &&
|
||||
IPPAIR(src, dst, is->is_src, is->is_dst))
|
||||
if (fr_tcpstate(is, fin, ip, tcp, sport)) {
|
||||
#ifdef _KERNEL
|
||||
MUTEX_EXIT(&ipf_state);
|
||||
return is->is_pass;
|
||||
#else
|
||||
int pass = is->is_pass;
|
||||
|
||||
if (tcp->th_flags & TCP_CLOSE) {
|
||||
*isp = is->is_next;
|
||||
isp = &ips_table[hv];
|
||||
KFREE(is);
|
||||
}
|
||||
return pass;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
MUTEX_EXIT(&ipf_state);
|
||||
break;
|
||||
}
|
||||
case IPPROTO_UDP :
|
||||
{
|
||||
register u_short dport = tcp->th_dport, sport = tcp->th_sport;
|
||||
|
||||
hv += dport;
|
||||
hv += sport;
|
||||
hv %= IPSTATE_SIZE;
|
||||
/*
|
||||
* Nothing else to match on but ports. and IP#'s
|
||||
*/
|
||||
MUTEX_ENTER(&ipf_state);
|
||||
for (is = ips_table[hv]; is; is = is->is_next)
|
||||
if ((is->is_p == pr) &&
|
||||
PAIRS(sport, dport, is->is_sport, is->is_dport) &&
|
||||
IPPAIR(src, dst, is->is_src, is->is_dst)) {
|
||||
ips_stats.iss_hits++;
|
||||
is->is_age = fr_udptimeout;
|
||||
MUTEX_EXIT(&ipf_state);
|
||||
return is->is_pass;
|
||||
}
|
||||
MUTEX_EXIT(&ipf_state);
|
||||
break;
|
||||
}
|
||||
default :
|
||||
break;
|
||||
}
|
||||
ips_stats.iss_miss++;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Free memory in use by all state info. kept.
|
||||
*/
|
||||
void fr_stateunload()
|
||||
{
|
||||
register int i;
|
||||
register ipstate_t *is, **isp;
|
||||
|
||||
MUTEX_ENTER(&ipf_state);
|
||||
for (i = 0; i < IPSTATE_SIZE; i++)
|
||||
for (isp = &ips_table[i]; (is = *isp); ) {
|
||||
*isp = is->is_next;
|
||||
KFREE(is);
|
||||
}
|
||||
MUTEX_EXIT(&ipf_state);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Slowly expire held state for thingslike UDP and ICMP. Timeouts are set
|
||||
* in expectation of this being called twice per second.
|
||||
*/
|
||||
void fr_timeoutstate()
|
||||
{
|
||||
register int i;
|
||||
register ipstate_t *is, **isp;
|
||||
|
||||
MUTEX_ENTER(&ipf_state);
|
||||
for (i = 0; i < IPSTATE_SIZE; i++)
|
||||
for (isp = &ips_table[i]; (is = *isp); )
|
||||
if (is->is_age && !--is->is_age) {
|
||||
*isp = is->is_next;
|
||||
if (is->is_p == IPPROTO_TCP)
|
||||
ips_stats.iss_fin++;
|
||||
else
|
||||
ips_stats.iss_expire++;
|
||||
KFREE(is);
|
||||
ips_num--;
|
||||
} else
|
||||
isp = &is->is_next;
|
||||
MUTEX_EXIT(&ipf_state);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Original idea freom Pradeep Krishnan for use primarily with NAT code.
|
||||
* (pkrishna@netcom.com)
|
||||
*/
|
||||
void set_tcp_age(age, state, ip, fin, dir)
|
||||
int *age;
|
||||
u_char *state;
|
||||
ip_t *ip;
|
||||
fr_info_t *fin;
|
||||
int dir;
|
||||
{
|
||||
tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
|
||||
u_char flags = tcp->th_flags;
|
||||
int dlen, ostate;
|
||||
|
||||
ostate = state[1 - dir];
|
||||
|
||||
dlen = ip->ip_len - fin->fin_hlen - (tcp->th_off << 2);
|
||||
|
||||
if (flags & TH_RST) {
|
||||
if (!(tcp->th_flags & TH_PUSH) && !dlen) {
|
||||
*age = fr_tcpclosed;
|
||||
state[dir] = TCPS_CLOSED;
|
||||
} else {
|
||||
*age = fr_tcpclosewait;
|
||||
state[dir] = TCPS_CLOSE_WAIT;
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
*age = fr_tcptimeout; /* 1 min */
|
||||
|
||||
switch(state[dir])
|
||||
{
|
||||
case TCPS_FIN_WAIT_2:
|
||||
case TCPS_CLOSED:
|
||||
if ((flags & TH_OPENING) == TH_OPENING)
|
||||
state[dir] = TCPS_SYN_RECEIVED;
|
||||
else if (flags & TH_SYN)
|
||||
state[dir] = TCPS_SYN_SENT;
|
||||
break;
|
||||
case TCPS_SYN_RECEIVED:
|
||||
if ((flags & (TH_FIN|TH_ACK)) == TH_ACK) {
|
||||
state[dir] = TCPS_ESTABLISHED;
|
||||
*age = fr_tcpidletimeout;
|
||||
}
|
||||
break;
|
||||
case TCPS_SYN_SENT:
|
||||
if ((flags & (TH_FIN|TH_ACK)) == TH_ACK) {
|
||||
state[dir] = TCPS_ESTABLISHED;
|
||||
*age = fr_tcpidletimeout;
|
||||
}
|
||||
break;
|
||||
case TCPS_ESTABLISHED:
|
||||
if (flags & TH_FIN) {
|
||||
state[dir] = TCPS_CLOSE_WAIT;
|
||||
if (!(flags & TH_PUSH) && !dlen &&
|
||||
ostate > TCPS_ESTABLISHED)
|
||||
*age = fr_tcplastack;
|
||||
else
|
||||
*age = fr_tcpclosewait;
|
||||
} else
|
||||
*age = fr_tcpidletimeout;
|
||||
break;
|
||||
case TCPS_CLOSE_WAIT:
|
||||
if ((flags & TH_FIN) && !(flags & TH_PUSH) && !dlen &&
|
||||
ostate > TCPS_ESTABLISHED) {
|
||||
*age = fr_tcplastack;
|
||||
state[dir] = TCPS_LAST_ACK;
|
||||
} else
|
||||
*age = fr_tcpclosewait;
|
||||
break;
|
||||
case TCPS_LAST_ACK:
|
||||
if (flags & TH_ACK) {
|
||||
state[dir] = TCPS_FIN_WAIT_2;
|
||||
if (!(flags & TH_PUSH) && !dlen &&
|
||||
ostate > TCPS_ESTABLISHED)
|
||||
*age = fr_tcplastack;
|
||||
else {
|
||||
*age = fr_tcpclosewait;
|
||||
state[dir] = TCPS_CLOSE_WAIT;
|
||||
}
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
|
86
contrib/ipfilter/ip_state.h
Normal file
86
contrib/ipfilter/ip_state.h
Normal file
@ -0,0 +1,86 @@
|
||||
/*
|
||||
* (C)opyright 1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
|
||||
* $Id: ip_state.h,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $
|
||||
*/
|
||||
#ifndef __IP_STATE_H__
|
||||
#define __IP_STATE_H__
|
||||
|
||||
#define IPSTATE_SIZE 257
|
||||
#define IPSTATE_MAX 2048 /* Maximum number of states held */
|
||||
|
||||
typedef struct udpstate {
|
||||
u_short us_sport;
|
||||
u_short us_dport;
|
||||
} udpstate_t;
|
||||
|
||||
typedef struct icmpstate {
|
||||
u_short ics_id;
|
||||
u_short ics_seq;
|
||||
u_char ics_type;
|
||||
} icmpstate_t;
|
||||
|
||||
typedef struct tcpstate {
|
||||
u_short ts_sport;
|
||||
u_short ts_dport;
|
||||
u_long ts_seq;
|
||||
u_long ts_ack;
|
||||
u_short ts_swin;
|
||||
u_short ts_dwin;
|
||||
u_char ts_state[2];
|
||||
} tcpstate_t;
|
||||
|
||||
typedef struct ipstate {
|
||||
struct ipstate *is_next;
|
||||
int is_age;
|
||||
u_int is_pass;
|
||||
struct in_addr is_src;
|
||||
struct in_addr is_dst;
|
||||
u_char is_p;
|
||||
u_char is_flags;
|
||||
union {
|
||||
icmpstate_t is_ics;
|
||||
tcpstate_t is_ts;
|
||||
udpstate_t is_us;
|
||||
} is_ps;
|
||||
} ipstate_t;
|
||||
|
||||
#define is_icmp is_ps.is_ics
|
||||
#define is_tcp is_ps.is_ts
|
||||
#define is_udp is_ps.is_us
|
||||
#define is_seq is_tcp.ts_seq
|
||||
#define is_ack is_tcp.ts_ack
|
||||
#define is_dwin is_tcp.ts_dwin
|
||||
#define is_swin is_tcp.ts_swin
|
||||
#define is_sport is_tcp.ts_sport
|
||||
#define is_dport is_tcp.ts_dport
|
||||
#define is_state is_tcp.ts_state
|
||||
|
||||
#define TH_OPENING (TH_SYN|TH_ACK)
|
||||
|
||||
typedef struct ips_stat {
|
||||
u_long iss_hits;
|
||||
u_long iss_miss;
|
||||
u_long iss_max;
|
||||
u_long iss_tcp;
|
||||
u_long iss_udp;
|
||||
u_long iss_icmp;
|
||||
u_long iss_nomem;
|
||||
u_long iss_expire;
|
||||
u_long iss_fin;
|
||||
u_long iss_active;
|
||||
ipstate_t **iss_table;
|
||||
} ips_stat_t;
|
||||
|
||||
extern ips_stat_t *fr_statetstats();
|
||||
extern int fr_addstate(), fr_checkstate();
|
||||
extern void fr_timeoutstate(), set_tcp_age();
|
||||
# ifdef _KERNEL
|
||||
extern void fr_stateunload();
|
||||
# endif
|
||||
#endif /* __IP_STATE_H__ */
|
434
contrib/ipfilter/ipf.c
Normal file
434
contrib/ipfilter/ipf.c
Normal file
@ -0,0 +1,434 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <fcntl.h>
|
||||
#include <errno.h>
|
||||
#if !defined(__SVR4) && !defined(__GNUC__)
|
||||
#include <strings.h>
|
||||
#endif
|
||||
#if !defined(__SVR4) && defined(__GNUC__)
|
||||
extern char *index();
|
||||
#endif
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/file.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <net/if.h>
|
||||
#include <netinet/ip.h>
|
||||
#include "ip_fil.h"
|
||||
#include <netdb.h>
|
||||
#include <arpa/nameser.h>
|
||||
#include <resolv.h>
|
||||
#include "ipf.h"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed";
|
||||
static char rcsid[] = "$Id: ipf.c,v 2.0.1.2 1997/02/04 14:37:46 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if SOLARIS
|
||||
void frsync(), blockunknown();
|
||||
#endif
|
||||
void zerostats();
|
||||
|
||||
extern char *optarg;
|
||||
|
||||
int opts = 0;
|
||||
|
||||
static int fd = -1;
|
||||
|
||||
static void procfile(), flushfilter(), set_state();
|
||||
static void packetlogon(), swapactive(), showstats();
|
||||
static char *getline();
|
||||
|
||||
int main(argc,argv)
|
||||
int argc;
|
||||
char *argv[];
|
||||
{
|
||||
char c;
|
||||
|
||||
while ((c = getopt(argc, argv, "AdDEf:F:Il:noprsUvyzZ")) != -1) {
|
||||
switch (c)
|
||||
{
|
||||
case 'E' :
|
||||
set_state(1);
|
||||
break;
|
||||
case 'D' :
|
||||
set_state(0);
|
||||
break;
|
||||
case 'A' :
|
||||
opts &= ~OPT_INACTIVE;
|
||||
break;
|
||||
case 'd' :
|
||||
opts |= OPT_DEBUG;
|
||||
break;
|
||||
case 'f' :
|
||||
procfile(argv[0], optarg);
|
||||
break;
|
||||
case 'F' :
|
||||
flushfilter(optarg);
|
||||
break;
|
||||
case 'I' :
|
||||
opts |= OPT_INACTIVE;
|
||||
break;
|
||||
case 'l' :
|
||||
packetlogon(optarg);
|
||||
break;
|
||||
case 'n' :
|
||||
opts |= OPT_DONOTHING;
|
||||
break;
|
||||
case 'o' :
|
||||
opts |= OPT_OUTQUE;
|
||||
break;
|
||||
case 'p' :
|
||||
opts |= OPT_PRINTFR;
|
||||
break;
|
||||
case 'r' :
|
||||
opts |= OPT_REMOVE;
|
||||
break;
|
||||
case 's' :
|
||||
swapactive();
|
||||
break;
|
||||
#if SOLARIS
|
||||
case 'U' :
|
||||
blockunknown();
|
||||
break;
|
||||
#endif
|
||||
case 'v' :
|
||||
opts |= OPT_VERBOSE;
|
||||
break;
|
||||
#if SOLARIS
|
||||
case 'y' :
|
||||
frsync();
|
||||
break;
|
||||
#endif
|
||||
case 'z' :
|
||||
opts |= OPT_ZERORULEST;
|
||||
break;
|
||||
case 'Z' :
|
||||
zerostats();
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (fd != -1)
|
||||
(void) close(fd);
|
||||
|
||||
exit(0);
|
||||
/* NOTREACHED */
|
||||
}
|
||||
|
||||
|
||||
static int opendevice()
|
||||
{
|
||||
if (opts & OPT_DONOTHING)
|
||||
return -2;
|
||||
|
||||
if (!(opts & OPT_DONOTHING) && fd == -1)
|
||||
if ((fd = open(IPL_NAME, O_RDWR)) == -1)
|
||||
if ((fd = open(IPL_NAME, O_RDONLY)) == -1)
|
||||
perror("open device");
|
||||
return fd;
|
||||
}
|
||||
|
||||
|
||||
static void set_state(enable)
|
||||
u_int enable;
|
||||
{
|
||||
if (opendevice() != -2)
|
||||
if (ioctl(fd, SIOCFRENB, &enable) == -1)
|
||||
perror("SIOCFRENB");
|
||||
return;
|
||||
}
|
||||
|
||||
static void procfile(name, file)
|
||||
char *name, *file;
|
||||
{
|
||||
FILE *fp;
|
||||
char line[513], *s;
|
||||
struct frentry *fr;
|
||||
u_int add = SIOCADAFR, del = SIOCRMAFR;
|
||||
|
||||
(void) opendevice();
|
||||
|
||||
if (opts & OPT_INACTIVE) {
|
||||
add = SIOCADIFR;
|
||||
del = SIOCRMIFR;
|
||||
}
|
||||
if (opts & OPT_DEBUG)
|
||||
printf("add %x del %x\n", add, del);
|
||||
|
||||
initparse();
|
||||
|
||||
if (!strcmp(file, "-"))
|
||||
fp = stdin;
|
||||
else if (!(fp = fopen(file, "r"))) {
|
||||
fprintf(stderr, "%s: fopen(%s) failed: %s\n", name, file,
|
||||
STRERROR(errno));
|
||||
exit(1);
|
||||
}
|
||||
|
||||
while (getline(line, sizeof(line)-1, fp)) {
|
||||
/*
|
||||
* treat both CR and LF as EOL
|
||||
*/
|
||||
if ((s = index(line, '\n')))
|
||||
*s = '\0';
|
||||
if ((s = index(line, '\r')))
|
||||
*s = '\0';
|
||||
/*
|
||||
* # is comment marker, everything after is a ignored
|
||||
*/
|
||||
if ((s = index(line, '#')))
|
||||
*s = '\0';
|
||||
|
||||
if (!*line)
|
||||
continue;
|
||||
|
||||
if (opts & OPT_VERBOSE)
|
||||
(void)fprintf(stderr, "[%s]\n",line);
|
||||
|
||||
fr = parse(line);
|
||||
(void)fflush(stdout);
|
||||
|
||||
if (fr) {
|
||||
if (opts & OPT_ZERORULEST)
|
||||
add = SIOCZRLST;
|
||||
else if (opts & OPT_INACTIVE)
|
||||
add = fr->fr_hits ? SIOCINIFR : SIOCADIFR;
|
||||
else
|
||||
add = fr->fr_hits ? SIOCINAFR : SIOCADAFR;
|
||||
if (fr->fr_hits)
|
||||
fr->fr_hits--;
|
||||
if (fr && (opts & OPT_VERBOSE))
|
||||
printfr(fr);
|
||||
if (fr && (opts & OPT_OUTQUE))
|
||||
fr->fr_flags |= FR_OUTQUE;
|
||||
|
||||
if (opts & OPT_DEBUG)
|
||||
binprint(fr);
|
||||
|
||||
if ((opts & OPT_ZERORULEST) &&
|
||||
!(opts & OPT_DONOTHING)) {
|
||||
if (ioctl(fd, add, fr) == -1)
|
||||
perror("ioctl(SIOCZRLST)");
|
||||
else {
|
||||
printf("hits %ld bytes %ld ",
|
||||
fr->fr_hits, fr->fr_bytes);
|
||||
printfr(fr);
|
||||
}
|
||||
} else if ((opts & OPT_REMOVE) &&
|
||||
!(opts & OPT_DONOTHING)) {
|
||||
if (ioctl(fd, del, fr) == -1)
|
||||
perror("ioctl(SIOCDELFR)");
|
||||
} else if (!(opts & OPT_DONOTHING)) {
|
||||
if (ioctl(fd, add, fr) == -1)
|
||||
perror("ioctl(SIOCADDFR)");
|
||||
}
|
||||
}
|
||||
}
|
||||
(void)fclose(fp);
|
||||
}
|
||||
|
||||
/*
|
||||
* Similar to fgets(3) but can handle '\\'
|
||||
*/
|
||||
static char *getline(str, size, file)
|
||||
register char *str;
|
||||
size_t size;
|
||||
FILE *file;
|
||||
{
|
||||
register char *p;
|
||||
|
||||
do {
|
||||
for (p = str;; p+= strlen(p) - 1) {
|
||||
if (!fgets(p, size, file))
|
||||
return(NULL);
|
||||
p[strlen(p) -1] = '\0';
|
||||
if (p[strlen(p) - 1] != '\\')
|
||||
break;
|
||||
}
|
||||
} while (*str == '\0' || *str == '\n');
|
||||
return(str);
|
||||
}
|
||||
|
||||
|
||||
static void packetlogon(opt)
|
||||
char *opt;
|
||||
{
|
||||
int err, flag = 0;
|
||||
|
||||
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
|
||||
if ((err = ioctl(fd, SIOCGETFF, &flag)))
|
||||
perror("ioctl(SIOCGETFF)");
|
||||
|
||||
printf("log flag is currently %#x\n", flag);
|
||||
}
|
||||
|
||||
flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK);
|
||||
|
||||
if (index(opt, 'p')) {
|
||||
flag |= FF_LOGPASS;
|
||||
if (opts & OPT_VERBOSE)
|
||||
printf("set log flag: pass\n");
|
||||
}
|
||||
if (index(opt, 'm') && (*opt == 'n' || *opt == 'N')) {
|
||||
flag |= FF_LOGNOMATCH;
|
||||
if (opts & OPT_VERBOSE)
|
||||
printf("set log flag: nomatch\n");
|
||||
}
|
||||
if (index(opt, 'b') || index(opt, 'd')) {
|
||||
flag |= FF_LOGBLOCK;
|
||||
if (opts & OPT_VERBOSE)
|
||||
printf("set log flag: block\n");
|
||||
}
|
||||
|
||||
if (opendevice() != -2 && (err = ioctl(fd, SIOCSETFF, &flag)))
|
||||
perror("ioctl(SIOCSETFF)");
|
||||
|
||||
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
|
||||
if ((err = ioctl(fd, SIOCGETFF, &flag)))
|
||||
perror("ioctl(SIOCGETFF)");
|
||||
|
||||
printf("log flag is now %#x\n", flag);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static void flushfilter(arg)
|
||||
char *arg;
|
||||
{
|
||||
int fl = 0, rem;
|
||||
|
||||
if (!arg || !*arg)
|
||||
return;
|
||||
if (strchr(arg, 'i') || strchr(arg, 'I'))
|
||||
fl = FR_INQUE;
|
||||
if (strchr(arg, 'o') || strchr(arg, 'O'))
|
||||
fl = FR_OUTQUE;
|
||||
if (strchr(arg, 'a') || strchr(arg, 'A'))
|
||||
fl = FR_OUTQUE|FR_INQUE;
|
||||
fl |= (opts & FR_INACTIVE);
|
||||
rem = fl;
|
||||
|
||||
if (opendevice() != -2 && ioctl(fd, SIOCIPFFL, &fl) == -1)
|
||||
perror("ioctl(SIOCIPFFL)");
|
||||
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
|
||||
printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
|
||||
(rem & FR_OUTQUE) ? "O" : "", rem);
|
||||
printf("removed %d filter rules\n", fl);
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
static void swapactive()
|
||||
{
|
||||
int in = 2;
|
||||
|
||||
if (opendevice() != -2 && ioctl(fd, SIOCSWAPA, &in) == -1)
|
||||
perror("ioctl(SIOCSWAPA)");
|
||||
else
|
||||
printf("Set %d now inactive\n", in);
|
||||
}
|
||||
|
||||
|
||||
#if defined(sun) && (defined(__SVR4) || defined(__svr4__))
|
||||
void frsync()
|
||||
{
|
||||
if (opendevice() != -2 && ioctl(fd, SIOCFRSYN, 0) == -1)
|
||||
perror("SIOCFRSYN");
|
||||
else
|
||||
printf("filter sync'd\n");
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
void zerostats()
|
||||
{
|
||||
friostat_t fio;
|
||||
|
||||
if (opendevice() != -2) {
|
||||
if (ioctl(fd, SIOCFRZST, &fio) == -1) {
|
||||
perror("ioctl(SIOCFRZST)");
|
||||
exit(-1);
|
||||
}
|
||||
showstats(&fio);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* read the kernel stats for packets blocked and passed
|
||||
*/
|
||||
static void showstats(fp)
|
||||
friostat_t *fp;
|
||||
{
|
||||
#if SOLARIS
|
||||
printf("dropped packets:\tin %lu\tout %lu\n",
|
||||
fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
|
||||
printf("non-ip packets:\t\tin %lu\tout %lu\n",
|
||||
fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
|
||||
printf(" bad packets:\t\tin %lu\tout %lu\n",
|
||||
fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
|
||||
#endif
|
||||
printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
|
||||
fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
|
||||
fp->f_st[0].fr_nom);
|
||||
printf(" counted %lu\n", fp->f_st[0].fr_acct);
|
||||
printf("output packets:\t\tblocked %lu passed %lu nomatch %lu",
|
||||
fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
|
||||
fp->f_st[1].fr_nom);
|
||||
printf(" counted %lu\n", fp->f_st[0].fr_acct);
|
||||
printf(" input packets logged:\tblocked %lu passed %lu\n",
|
||||
fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
|
||||
printf("output packets logged:\tblocked %lu passed %lu\n",
|
||||
fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
|
||||
printf(" packets logged:\tinput %lu-%lu output %lu-%lu\n",
|
||||
fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip,
|
||||
fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip);
|
||||
}
|
||||
|
||||
|
||||
#if SOLARIS
|
||||
void blockunknown()
|
||||
{
|
||||
int flag;
|
||||
|
||||
if (opendevice() == -1)
|
||||
return;
|
||||
|
||||
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
|
||||
if (ioctl(fd, SIOCGETFF, &flag))
|
||||
perror("ioctl(SIOCGETFF)");
|
||||
|
||||
printf("log flag is currently %#x\n", flag);
|
||||
}
|
||||
|
||||
flag ^= FF_BLOCKNONIP;
|
||||
|
||||
if (opendevice() != -2 && ioctl(fd, SIOCSETFF, &flag))
|
||||
perror("ioctl(SIOCSETFF)");
|
||||
|
||||
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
|
||||
if (ioctl(fd, SIOCGETFF, &flag))
|
||||
perror("ioctl(SIOCGETFF)");
|
||||
|
||||
printf("log flag is now %#x\n", flag);
|
||||
}
|
||||
}
|
||||
#endif
|
67
contrib/ipfilter/ipf.h
Normal file
67
contrib/ipfilter/ipf.h
Normal file
@ -0,0 +1,67 @@
|
||||
/*
|
||||
* (C)opyright 1993-1996 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ipf.h 1.12 6/5/96
|
||||
* $Id: ipf.h,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $
|
||||
*/
|
||||
|
||||
#ifndef SOLARIS
|
||||
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
|
||||
#endif
|
||||
#define OPT_REMOVE 0x00001
|
||||
#define OPT_DEBUG 0x00002
|
||||
#define OPT_OUTQUE FR_OUTQUE /* 0x0004 */
|
||||
#define OPT_INQUE FR_INQUE /* 0x0008 */
|
||||
#define OPT_LOG FR_LOG /* 0x0010 */
|
||||
#define OPT_SHOWLIST 0x00020
|
||||
#define OPT_VERBOSE 0x00040
|
||||
#define OPT_DONOTHING 0x00080
|
||||
#define OPT_HITS 0x00100
|
||||
#define OPT_BRIEF 0x00200
|
||||
#define OPT_ACCNT FR_ACCOUNT /* 0x0400 */
|
||||
#define OPT_FRSTATES FR_KEEPFRAG /* 0x0800 */
|
||||
#define OPT_IPSTATES FR_KEEPSTATE /* 0x1000 */
|
||||
#define OPT_INACTIVE FR_INACTIVE /* 0x2000 */
|
||||
#define OPT_SHOWLINENO 0x04000
|
||||
#define OPT_PRINTFR 0x08000
|
||||
#define OPT_ZERORULEST 0x10000
|
||||
|
||||
extern struct frentry *parse();
|
||||
|
||||
extern void printfr(), binprint(), initparse();
|
||||
|
||||
#if defined(__SVR4) || defined(__svr4__)
|
||||
#define index strchr
|
||||
#define bzero(a,b) memset(a, 0, b)
|
||||
#define bcopy(a,b,c) memmove(b,a,c)
|
||||
#endif
|
||||
|
||||
struct ipopt_names {
|
||||
int on_value;
|
||||
int on_bit;
|
||||
int on_siz;
|
||||
char *on_name;
|
||||
};
|
||||
|
||||
|
||||
extern u_long hostnum(), optname();
|
||||
extern void printpacket();
|
||||
#if SOLARIS
|
||||
extern int inet_aton();
|
||||
#endif
|
||||
|
||||
#ifdef sun
|
||||
#define STRERROR(x) sys_errlist[x]
|
||||
extern char *sys_errlist[];
|
||||
#else
|
||||
#define STRERROR(x) strerror(x)
|
||||
#endif
|
||||
|
||||
#ifndef MIN
|
||||
#define MIN(a,b) ((a) > (b) ? (b) : (a))
|
||||
#endif
|
||||
|
148
contrib/ipfilter/ipft_ef.c
Normal file
148
contrib/ipfilter/ipft_ef.c
Normal file
@ -0,0 +1,148 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
|
||||
/*
|
||||
icmp type
|
||||
lnth proto source destination src port dst port
|
||||
|
||||
etherfind -n
|
||||
|
||||
60 tcp 128.250.20.20 128.250.133.13 2419 telnet
|
||||
|
||||
etherfind -n -t
|
||||
|
||||
0.32 91 04 131.170.1.10 128.250.133.13
|
||||
0.33 566 udp 128.250.37.155 128.250.133.3 901 901
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__GNUC__)
|
||||
#include <strings.h>
|
||||
#endif
|
||||
#include <sys/types.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/param.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <net/if.h>
|
||||
#include <netdb.h>
|
||||
#include "ipf.h"
|
||||
#include "ipt.h"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
|
||||
static char rcsid[] = "$Id: ipft_ef.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
static int etherf_open(), etherf_close(), etherf_readip();
|
||||
|
||||
struct ipread etherf = { etherf_open, etherf_close, etherf_readip };
|
||||
|
||||
static FILE *efp = NULL;
|
||||
static int efd = -1;
|
||||
|
||||
|
||||
static int etherf_open(fname)
|
||||
char *fname;
|
||||
{
|
||||
if (efd != -1)
|
||||
return efd;
|
||||
|
||||
if (!strcmp(fname, "-")) {
|
||||
efd = 0;
|
||||
efp = stdin;
|
||||
} else {
|
||||
efd = open(fname, O_RDONLY);
|
||||
efp = fdopen(efd, "r");
|
||||
}
|
||||
return efd;
|
||||
}
|
||||
|
||||
|
||||
static int etherf_close()
|
||||
{
|
||||
return close(efd);
|
||||
}
|
||||
|
||||
|
||||
static int etherf_readip(buf, cnt, ifn, dir)
|
||||
char *buf, **ifn;
|
||||
int cnt, *dir;
|
||||
{
|
||||
struct tcpiphdr pkt;
|
||||
struct ip *ip = (struct ip *)&pkt;
|
||||
struct protoent *p = NULL;
|
||||
char src[16], dst[16], sprt[16], dprt[16];
|
||||
char lbuf[128], len[8], prot[8], time[8], *s;
|
||||
int slen, extra = 0, i, n;
|
||||
|
||||
if (!fgets(lbuf, sizeof(lbuf) - 1, efp))
|
||||
return 0;
|
||||
|
||||
if ((s = strchr(lbuf, '\n')))
|
||||
*s = '\0';
|
||||
lbuf[sizeof(lbuf)-1] = '\0';
|
||||
|
||||
bzero(&pkt, sizeof(pkt));
|
||||
|
||||
if ((n = sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst,
|
||||
sprt, dprt)) != 6)
|
||||
if ((n = sscanf(lbuf, "%s %s %s %s %s %s %s", time,
|
||||
len, prot, src, dst, sprt, dprt)) != 7)
|
||||
return -1;
|
||||
|
||||
ip->ip_p = atoi(prot);
|
||||
if (ip->ip_p == 0) {
|
||||
if (!(p = getprotobyname(prot)))
|
||||
return -1;
|
||||
ip->ip_p = p->p_proto;
|
||||
}
|
||||
|
||||
switch (ip->ip_p) {
|
||||
case IPPROTO_TCP :
|
||||
case IPPROTO_UDP :
|
||||
s = strtok(NULL, " :");
|
||||
ip->ip_len += atoi(s);
|
||||
if (p->p_proto == IPPROTO_TCP)
|
||||
extra = sizeof(struct tcphdr);
|
||||
else if (p->p_proto == IPPROTO_UDP)
|
||||
extra = sizeof(struct udphdr);
|
||||
break;
|
||||
#ifdef IGMP
|
||||
case IPPROTO_IGMP :
|
||||
extra = sizeof(struct igmp);
|
||||
break;
|
||||
#endif
|
||||
case IPPROTO_ICMP :
|
||||
extra = sizeof(struct icmp);
|
||||
break;
|
||||
default :
|
||||
break;
|
||||
}
|
||||
|
||||
(void) inet_aton(src, &ip->ip_src);
|
||||
(void) inet_aton(dst, &ip->ip_dst);
|
||||
ip->ip_len = atoi(len);
|
||||
ip->ip_hl = sizeof(struct ip);
|
||||
|
||||
slen = ip->ip_hl + extra;
|
||||
i = MIN(cnt, slen);
|
||||
bcopy((char *)&pkt, buf, i);
|
||||
return i;
|
||||
}
|
140
contrib/ipfilter/ipft_hx.c
Normal file
140
contrib/ipfilter/ipft_hx.c
Normal file
@ -0,0 +1,140 @@
|
||||
/*
|
||||
* (C)opyright 1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <assert.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
#include <strings.h>
|
||||
#else
|
||||
#include <sys/byteorder.h>
|
||||
#endif
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <net/if.h>
|
||||
#include <netdb.h>
|
||||
#include <arpa/nameser.h>
|
||||
#include <resolv.h>
|
||||
#include "ipf.h"
|
||||
#include "ipt.h"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
|
||||
static char rcsid[] = "$Id: ipft_hx.c,v 2.0.1.2 1997/02/04 13:57:56 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
extern int opts;
|
||||
extern u_short portnum();
|
||||
extern u_long buildopts();
|
||||
|
||||
static int hex_open(), hex_close(), hex_readip();
|
||||
static char *readhex();
|
||||
|
||||
struct ipread iphex = { hex_open, hex_close, hex_readip };
|
||||
static FILE *tfp = NULL;
|
||||
static int tfd = -1;
|
||||
|
||||
static int hex_open(fname)
|
||||
char *fname;
|
||||
{
|
||||
if (tfp && tfd != -1) {
|
||||
rewind(tfp);
|
||||
return tfd;
|
||||
}
|
||||
|
||||
if (!strcmp(fname, "-")) {
|
||||
tfd = 0;
|
||||
tfp = stdin;
|
||||
} else {
|
||||
tfd = open(fname, O_RDONLY);
|
||||
if (tfd != -1)
|
||||
tfp = fdopen(tfd, "r");
|
||||
}
|
||||
return tfd;
|
||||
}
|
||||
|
||||
|
||||
static int hex_close()
|
||||
{
|
||||
int cfd = tfd;
|
||||
|
||||
tfd = -1;
|
||||
return close(cfd);
|
||||
}
|
||||
|
||||
|
||||
static int hex_readip(buf, cnt, ifn, dir)
|
||||
char *buf, **ifn;
|
||||
int cnt, *dir;
|
||||
{
|
||||
register char *s;
|
||||
struct ip *ip;
|
||||
char line[513];
|
||||
|
||||
ip = (struct ip *)buf;
|
||||
while (fgets(line, sizeof(line)-1, tfp)) {
|
||||
if ((s = index(line, '\n'))) {
|
||||
if (s == line)
|
||||
return (char *)ip - buf;
|
||||
*s = '\0';
|
||||
}
|
||||
if ((s = index(line, '#')))
|
||||
*s = '\0';
|
||||
if (!*line)
|
||||
continue;
|
||||
if (!(opts & OPT_BRIEF)) {
|
||||
printf("input: %s\n", line);
|
||||
fflush(stdout);
|
||||
}
|
||||
ip = (struct ip *)readhex(line, (char *)ip);
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
static char *readhex(src, dst)
|
||||
register char *src, *dst;
|
||||
{
|
||||
int state = 0;
|
||||
char c;
|
||||
|
||||
while ((c = *src++)) {
|
||||
if (isspace(c)) {
|
||||
if (state) {
|
||||
dst++;
|
||||
state = 0;
|
||||
}
|
||||
continue;
|
||||
} else if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
|
||||
(c >= 'A' && c <= 'F')) {
|
||||
c = isdigit(c) ? (c - '0') : (toupper(c) - 55);
|
||||
if (state == 0) {
|
||||
*dst = (c << 4);
|
||||
state++;
|
||||
} else {
|
||||
*dst++ |= c;
|
||||
state = 0;
|
||||
}
|
||||
} else
|
||||
break;
|
||||
}
|
||||
return dst;
|
||||
}
|
224
contrib/ipfilter/ipft_pc.c
Normal file
224
contrib/ipfilter/ipft_pc.c
Normal file
@ -0,0 +1,224 @@
|
||||
/*
|
||||
* (C)opyright 1993-1996 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__GNUC__)
|
||||
#include <strings.h>
|
||||
#endif
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/param.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <net/if.h>
|
||||
#include "ipf.h"
|
||||
#include "ipt.h"
|
||||
#include "pcap.h"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char rcsid[] = "$Id: ipft_pc.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
struct llc {
|
||||
int lc_sz; /* LLC header length */
|
||||
int lc_to; /* LLC Type offset */
|
||||
int lc_tl; /* LLC Type length */
|
||||
};
|
||||
|
||||
/*
|
||||
* While many of these maybe the same, some do have different header formats
|
||||
* which make this useful.
|
||||
*/
|
||||
#define DLT_MAX 10
|
||||
|
||||
static struct llc llcs[DLT_MAX+1] = {
|
||||
{ 0, 0, 0 }, /* DLT_NULL */
|
||||
{ 14, 12, 2 }, /* DLT_E10MB */
|
||||
{ 0, 0, 0 }, /* DLT_EN3MB */
|
||||
{ 0, 0, 0 }, /* DLT_AX25 */
|
||||
{ 0, 0, 0 }, /* DLT_PRONET */
|
||||
{ 0, 0, 0 }, /* DLT_CHAOS */
|
||||
{ 0, 0, 0 }, /* DLT_IEEE802 */
|
||||
{ 0, 0, 0 }, /* DLT_ARCNET */
|
||||
{ 0, 0, 0 }, /* DLT_SLIP */
|
||||
{ 0, 0, 0 }, /* DLT_PPP */
|
||||
{ 0, 0, 0 } /* DLT_FDDI */
|
||||
};
|
||||
|
||||
static int pcap_open(), pcap_close(), pcap_readip();
|
||||
|
||||
static int pfd = -1, s_type = -1, swapped = 0;
|
||||
|
||||
struct ipread pcap = { pcap_open, pcap_close, pcap_readip };
|
||||
|
||||
#define SWAPLONG(y) \
|
||||
((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
|
||||
#define SWAPSHORT(y) \
|
||||
( (((y)&0xff)<<8) | (((y)&0xff00)>>8) )
|
||||
|
||||
static void swap_hdr(p)
|
||||
pcaphdr_t *p;
|
||||
{
|
||||
p->pc_v_maj = SWAPSHORT(p->pc_v_maj);
|
||||
p->pc_v_min = SWAPSHORT(p->pc_v_min);
|
||||
p->pc_zone = SWAPLONG(p->pc_zone);
|
||||
p->pc_sigfigs = SWAPLONG(p->pc_sigfigs);
|
||||
p->pc_slen = SWAPLONG(p->pc_slen);
|
||||
p->pc_type = SWAPLONG(p->pc_type);
|
||||
}
|
||||
|
||||
static int pcap_open(fname)
|
||||
char *fname;
|
||||
{
|
||||
pcaphdr_t ph;
|
||||
int fd;
|
||||
|
||||
if (pfd != -1)
|
||||
return pfd;
|
||||
|
||||
if (!strcmp(fname, "-"))
|
||||
fd = 0;
|
||||
else if ((fd = open(fname, O_RDONLY)) == -1)
|
||||
return -1;
|
||||
|
||||
if (read(fd, (char *)&ph, sizeof(ph)) != sizeof(ph))
|
||||
return -2;
|
||||
|
||||
if (ph.pc_id != TCPDUMP_MAGIC) {
|
||||
if (SWAPLONG(ph.pc_id) != TCPDUMP_MAGIC) {
|
||||
(void) close(fd);
|
||||
return -2;
|
||||
}
|
||||
swapped = 1;
|
||||
swap_hdr(&ph);
|
||||
}
|
||||
|
||||
if (ph.pc_v_maj != PCAP_VERSION_MAJ || ph.pc_type > DLT_MAX) {
|
||||
(void) close(fd);
|
||||
return -2;
|
||||
}
|
||||
|
||||
pfd = fd;
|
||||
s_type = ph.pc_type;
|
||||
printf("opened pcap file %s:\n", fname);
|
||||
printf("\tid: %08x version: %d.%d type: %d snap %d\n",
|
||||
ph.pc_id, ph.pc_v_maj, ph.pc_v_min, ph.pc_type, ph.pc_slen);
|
||||
|
||||
return fd;
|
||||
}
|
||||
|
||||
|
||||
static int pcap_close()
|
||||
{
|
||||
return close(pfd);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* read in the header (and validate) which should be the first record
|
||||
* in a pcap file.
|
||||
*/
|
||||
static int pcap_read_rec(rec)
|
||||
struct pcap_pkthdr *rec;
|
||||
{
|
||||
int n, p;
|
||||
|
||||
if (read(pfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
|
||||
return -2;
|
||||
|
||||
if (swapped) {
|
||||
rec->ph_clen = SWAPLONG(rec->ph_clen);
|
||||
rec->ph_len = SWAPLONG(rec->ph_len);
|
||||
rec->ph_ts.tv_sec = SWAPLONG(rec->ph_ts.tv_sec);
|
||||
rec->ph_ts.tv_usec = SWAPLONG(rec->ph_ts.tv_usec);
|
||||
}
|
||||
p = rec->ph_clen;
|
||||
n = MIN(p, rec->ph_len);
|
||||
if (!n || n < 0)
|
||||
return -3;
|
||||
|
||||
return p;
|
||||
}
|
||||
|
||||
|
||||
#ifdef notyet
|
||||
/*
|
||||
* read an entire pcap packet record. only the data part is copied into
|
||||
* the available buffer, with the number of bytes copied returned.
|
||||
*/
|
||||
static int pcap_read(buf, cnt)
|
||||
char *buf;
|
||||
int cnt;
|
||||
{
|
||||
struct pcap_pkthdr rec;
|
||||
static char *bufp = NULL;
|
||||
int i, n;
|
||||
|
||||
if ((i = pcap_read_rec(&rec)) <= 0)
|
||||
return i;
|
||||
|
||||
if (!bufp)
|
||||
bufp = malloc(i);
|
||||
else
|
||||
bufp = realloc(bufp, i);
|
||||
|
||||
if (read(pfd, bufp, i) != i)
|
||||
return -2;
|
||||
|
||||
n = MIN(i, cnt);
|
||||
bcopy(bufp, buf, n);
|
||||
return n;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
/*
|
||||
* return only an IP packet read into buf
|
||||
*/
|
||||
static int pcap_readip(buf, cnt, ifn, dir)
|
||||
char *buf, **ifn;
|
||||
int cnt, *dir;
|
||||
{
|
||||
static char *bufp = NULL;
|
||||
struct pcap_pkthdr rec;
|
||||
struct llc *l;
|
||||
char *s, ty[4];
|
||||
int i, n;
|
||||
|
||||
do {
|
||||
if ((i = pcap_read_rec(&rec)) <= 0)
|
||||
return i;
|
||||
|
||||
if (!bufp)
|
||||
bufp = malloc(i);
|
||||
else
|
||||
bufp = realloc(bufp, i);
|
||||
s = bufp;
|
||||
|
||||
if (read(pfd, s, i) != i)
|
||||
return -2;
|
||||
|
||||
l = &llcs[s_type];
|
||||
i -= l->lc_sz;
|
||||
s += l->lc_to;
|
||||
bcopy(s, ty, l->lc_tl);
|
||||
s += l->lc_tl;
|
||||
} while (ty[0] != 0x8 && ty[1] != 0);
|
||||
n = MIN(i, cnt);
|
||||
bcopy(s, buf, n);
|
||||
return n;
|
||||
}
|
206
contrib/ipfilter/ipft_sn.c
Normal file
206
contrib/ipfilter/ipft_sn.c
Normal file
@ -0,0 +1,206 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
|
||||
/*
|
||||
* Written to comply with the recent RFC 1761 from Sun.
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__GNUC__)
|
||||
#include <strings.h>
|
||||
#endif
|
||||
#include <sys/types.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/param.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <net/if.h>
|
||||
#include "ipf.h"
|
||||
#include "ipt.h"
|
||||
#include "snoop.h"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char rcsid[] = "$Id: ipft_sn.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
struct llc {
|
||||
int lc_sz; /* LLC header length */
|
||||
int lc_to; /* LLC Type offset */
|
||||
int lc_tl; /* LLC Type length */
|
||||
};
|
||||
|
||||
/*
|
||||
* While many of these maybe the same, some do have different header formats
|
||||
* which make this useful.
|
||||
*/
|
||||
static struct llc llcs[SDL_MAX+1] = {
|
||||
{ 0, 0, 0 }, /* SDL_8023 */
|
||||
{ 0, 0, 0 }, /* SDL_8024 */
|
||||
{ 0, 0, 0 }, /* SDL_8025 */
|
||||
{ 0, 0, 0 }, /* SDL_8026 */
|
||||
{ 14, 12, 2 }, /* SDL_ETHER */
|
||||
{ 0, 0, 0 }, /* SDL_HDLC */
|
||||
{ 0, 0, 0 }, /* SDL_CHSYNC */
|
||||
{ 0, 0, 0 }, /* SDL_IBMCC */
|
||||
{ 0, 0, 0 }, /* SDL_FDDI */
|
||||
{ 0, 0, 0 }, /* SDL_OTHER */
|
||||
};
|
||||
|
||||
static int snoop_open(), snoop_close(), snoop_readip();
|
||||
|
||||
static int sfd = -1, s_type = -1;
|
||||
|
||||
struct ipread snoop = { snoop_open, snoop_close, snoop_readip };
|
||||
|
||||
|
||||
static int snoop_open(fname)
|
||||
char *fname;
|
||||
{
|
||||
struct snoophdr sh;
|
||||
int fd;
|
||||
|
||||
if (sfd != -1)
|
||||
return sfd;
|
||||
|
||||
if (!strcmp(fname, "-"))
|
||||
fd = 0;
|
||||
else if ((fd = open(fname, O_RDONLY)) == -1)
|
||||
return -1;
|
||||
|
||||
if (read(fd, (char *)&sh, sizeof(sh)) != sizeof(sh))
|
||||
return -2;
|
||||
|
||||
if (sh.s_v != SNOOP_VERSION ||
|
||||
sh.s_type < 0 || sh.s_type > SDL_MAX) {
|
||||
(void) close(fd);
|
||||
return -2;
|
||||
}
|
||||
|
||||
sfd = fd;
|
||||
s_type = sh.s_type;
|
||||
printf("opened snoop file %s:\n", fname);
|
||||
printf("\tid: %8.8s version: %d type: %d\n", sh.s_id, sh.s_v, s_type);
|
||||
|
||||
return fd;
|
||||
}
|
||||
|
||||
|
||||
static int snoop_close()
|
||||
{
|
||||
return close(sfd);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* read in the header (and validate) which should be the first record
|
||||
* in a snoop file.
|
||||
*/
|
||||
static int snoop_read_rec(rec)
|
||||
struct snooppkt *rec;
|
||||
{
|
||||
int n, p;
|
||||
|
||||
if (read(sfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
|
||||
return -2;
|
||||
|
||||
if (rec->sp_ilen > rec->sp_plen || rec->sp_plen < sizeof(*rec))
|
||||
return -2;
|
||||
|
||||
p = rec->sp_plen - sizeof(*rec);
|
||||
n = MIN(p, rec->sp_ilen);
|
||||
if (!n || n < 0)
|
||||
return -3;
|
||||
|
||||
return p;
|
||||
}
|
||||
|
||||
|
||||
#ifdef notyet
|
||||
/*
|
||||
* read an entire snoop packet record. only the data part is copied into
|
||||
* the available buffer, with the number of bytes copied returned.
|
||||
*/
|
||||
static int snoop_read(buf, cnt)
|
||||
char *buf;
|
||||
int cnt;
|
||||
{
|
||||
struct snooppkt rec;
|
||||
static char *bufp = NULL;
|
||||
int i, n;
|
||||
|
||||
if ((i = snoop_read_rec(&rec)) <= 0)
|
||||
return i;
|
||||
|
||||
if (!bufp)
|
||||
bufp = malloc(i);
|
||||
else
|
||||
bufp = realloc(bufp, i);
|
||||
|
||||
if (read(sfd, bufp, i) != i)
|
||||
return -2;
|
||||
|
||||
n = MIN(i, cnt);
|
||||
bcopy(bufp, buf, n);
|
||||
return n;
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
/*
|
||||
* return only an IP packet read into buf
|
||||
*/
|
||||
static int snoop_readip(buf, cnt, ifn, dir)
|
||||
char *buf, **ifn;
|
||||
int cnt, *dir;
|
||||
{
|
||||
static char *bufp = NULL;
|
||||
struct snooppkt rec;
|
||||
struct llc *l;
|
||||
char ty[4], *s;
|
||||
int i, n;
|
||||
|
||||
do {
|
||||
if ((i = snoop_read_rec(&rec)) <= 0)
|
||||
return i;
|
||||
|
||||
if (!bufp)
|
||||
bufp = malloc(i);
|
||||
else
|
||||
bufp = realloc(bufp, i);
|
||||
s = bufp;
|
||||
|
||||
if (read(sfd, s, i) != i)
|
||||
return -2;
|
||||
|
||||
l = &llcs[s_type];
|
||||
i -= l->lc_to;
|
||||
s += l->lc_to;
|
||||
/*
|
||||
* XXX - bogus assumption here on the part of the time field
|
||||
* that it won't be greater than 4 bytes and the 1st two will
|
||||
* have the values 8 and 0 for IP. Should be a table of
|
||||
* these too somewhere. Really only works for SDL_ETHER.
|
||||
*/
|
||||
bcopy(s, ty, l->lc_tl);
|
||||
} while (ty[0] != 0x8 && ty[1] != 0);
|
||||
|
||||
i -= l->lc_tl;
|
||||
s += l->lc_tl;
|
||||
n = MIN(i, cnt);
|
||||
bcopy(s, buf, n);
|
||||
|
||||
return n;
|
||||
}
|
184
contrib/ipfilter/ipft_td.c
Normal file
184
contrib/ipfilter/ipft_td.c
Normal file
@ -0,0 +1,184 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
|
||||
/*
|
||||
tcpdump -n
|
||||
|
||||
00:05:47.816843 128.231.76.76.3291 > 224.2.252.231.36573: udp 36 (encap)
|
||||
|
||||
tcpdump -nq
|
||||
|
||||
00:33:48.410771 192.73.213.11.1463 > 224.2.248.153.59360: udp 31 (encap)
|
||||
|
||||
tcpdump -nqt
|
||||
|
||||
128.250.133.13.23 > 128.250.20.20.2419: tcp 27
|
||||
|
||||
tcpdump -nqtt
|
||||
|
||||
123456789.1234567 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
|
||||
|
||||
tcpdump -nqte
|
||||
|
||||
8:0:20:f:65:f7 0:0:c:1:8a:c5 81: 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
|
||||
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__GNUC__)
|
||||
#include <strings.h>
|
||||
#endif
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <net/if.h>
|
||||
#include <netdb.h>
|
||||
#include "ipf.h"
|
||||
#include "ipt.h"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
|
||||
static char rcsid[] = "$Id: ipft_td.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
static int tcpd_open(), tcpd_close(), tcpd_readip();
|
||||
|
||||
struct ipread tcpd = { tcpd_open, tcpd_close, tcpd_readip };
|
||||
|
||||
static FILE *tfp = NULL;
|
||||
static int tfd = -1;
|
||||
|
||||
|
||||
static int tcpd_open(fname)
|
||||
char *fname;
|
||||
{
|
||||
if (tfd != -1)
|
||||
return tfd;
|
||||
|
||||
if (!strcmp(fname, "-")) {
|
||||
tfd = 0;
|
||||
tfp = stdin;
|
||||
} else {
|
||||
tfd = open(fname, O_RDONLY);
|
||||
tfp = fdopen(tfd, "r");
|
||||
}
|
||||
return tfd;
|
||||
}
|
||||
|
||||
|
||||
static int tcpd_close()
|
||||
{
|
||||
(void) fclose(tfp);
|
||||
return close(tfd);
|
||||
}
|
||||
|
||||
|
||||
static int count_dots(str)
|
||||
char *str;
|
||||
{
|
||||
int i = 0;
|
||||
|
||||
while (*str)
|
||||
if (*str++ == '.')
|
||||
i++;
|
||||
return i;
|
||||
}
|
||||
|
||||
|
||||
static int tcpd_readip(buf, cnt, ifn, dir)
|
||||
char *buf, **ifn;
|
||||
int cnt, *dir;
|
||||
{
|
||||
struct tcpiphdr pkt;
|
||||
struct ip *ip = (struct ip *)&pkt;
|
||||
struct protoent *p;
|
||||
char src[32], dst[32], misc[256], time[32], link1[32], link2[32];
|
||||
char lbuf[160], *s;
|
||||
int n, dots, slen, extra = 0;
|
||||
|
||||
if (!fgets(lbuf, sizeof(lbuf) - 1, tfp))
|
||||
return 0;
|
||||
|
||||
if ((s = strchr(lbuf, '\n')))
|
||||
*s = '\0';
|
||||
lbuf[sizeof(lbuf)-1] = '\0';
|
||||
|
||||
bzero(&pkt, sizeof(pkt));
|
||||
|
||||
if ((n = sscanf(lbuf, "%s > %s: %s", src, dst, misc)) != 3)
|
||||
if ((n = sscanf(lbuf, "%s %s > %s: %s",
|
||||
time, src, dst, misc)) != 4)
|
||||
if ((n = sscanf(lbuf, "%s %s: %s > %s: %s",
|
||||
link1, link2, src, dst, misc)) != 5) {
|
||||
n = sscanf(lbuf, "%s %s %s: %s > %s: %s",
|
||||
time, link1, link2, src, dst, misc);
|
||||
if (n != 6)
|
||||
return -1;
|
||||
}
|
||||
|
||||
if ((dots = count_dots(dst)) == 4) {
|
||||
s = strrchr(src, '.');
|
||||
*s++ = '\0';
|
||||
(void) inet_aton(src, &ip->ip_src);
|
||||
pkt.ti_sport = htons(atoi(s));
|
||||
*--s = '.';
|
||||
s = strrchr(dst, '.');
|
||||
|
||||
*s++ = '\0';
|
||||
(void) inet_aton(src, &ip->ip_dst);
|
||||
pkt.ti_dport = htons(atoi(s));
|
||||
*--s = '.';
|
||||
|
||||
} else {
|
||||
(void) inet_aton(src, &ip->ip_src);
|
||||
(void) inet_aton(src, &ip->ip_dst);
|
||||
}
|
||||
ip->ip_len = ip->ip_hl = sizeof(struct ip);
|
||||
|
||||
s = strtok(misc, " :");
|
||||
if ((p = getprotobyname(s))) {
|
||||
ip->ip_p = p->p_proto;
|
||||
|
||||
switch (p->p_proto) {
|
||||
case IPPROTO_TCP :
|
||||
case IPPROTO_UDP :
|
||||
s = strtok(NULL, " :");
|
||||
ip->ip_len += atoi(s);
|
||||
if (p->p_proto == IPPROTO_TCP)
|
||||
extra = sizeof(struct tcphdr);
|
||||
else if (p->p_proto == IPPROTO_UDP)
|
||||
extra = sizeof(struct udphdr);
|
||||
break;
|
||||
#ifdef IGMP
|
||||
case IPPROTO_IGMP :
|
||||
extra = sizeof(struct igmp);
|
||||
break;
|
||||
#endif
|
||||
case IPPROTO_ICMP :
|
||||
extra = sizeof(struct icmp);
|
||||
break;
|
||||
default :
|
||||
break;
|
||||
}
|
||||
}
|
||||
slen = ip->ip_hl + extra + ip->ip_len;
|
||||
return slen;
|
||||
}
|
338
contrib/ipfilter/ipft_tx.c
Normal file
338
contrib/ipfilter/ipft_tx.c
Normal file
@ -0,0 +1,338 @@
|
||||
/*
|
||||
* (C)opyright 1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <assert.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
#include <strings.h>
|
||||
#else
|
||||
#include <sys/byteorder.h>
|
||||
#endif
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <net/if.h>
|
||||
#include <netdb.h>
|
||||
#include <arpa/nameser.h>
|
||||
#include <resolv.h>
|
||||
#include "ip_compat.h"
|
||||
#include "ipf.h"
|
||||
#include "ipt.h"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
|
||||
static char rcsid[] = "$Id: ipft_tx.c,v 2.0.1.2 1997/01/19 04:52:25 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
extern int opts;
|
||||
extern u_long buildopts();
|
||||
|
||||
static char *tx_proto = "";
|
||||
|
||||
static int text_open(), text_close(), text_readip(), parseline();
|
||||
|
||||
static char tcp_flagset[] = "FSRPAU";
|
||||
static u_char tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH,
|
||||
TH_ACK, TH_URG };
|
||||
|
||||
struct ipread iptext = { text_open, text_close, text_readip };
|
||||
static FILE *tfp = NULL;
|
||||
static int tfd = -1;
|
||||
|
||||
static u_long tx_hostnum();
|
||||
static u_short tx_portnum();
|
||||
|
||||
|
||||
/*
|
||||
* returns an ip address as a long var as a result of either a DNS lookup or
|
||||
* straight inet_addr() call
|
||||
*/
|
||||
static u_long tx_hostnum(host, resolved)
|
||||
char *host;
|
||||
int *resolved;
|
||||
{
|
||||
struct hostent *hp;
|
||||
struct netent *np;
|
||||
|
||||
*resolved = 0;
|
||||
if (!strcasecmp("any",host))
|
||||
return 0L;
|
||||
if (isdigit(*host))
|
||||
return inet_addr(host);
|
||||
|
||||
if (!(hp = gethostbyname(host))) {
|
||||
if (!(np = getnetbyname(host))) {
|
||||
*resolved = -1;
|
||||
fprintf(stderr, "can't resolve hostname: %s\n", host);
|
||||
return 0;
|
||||
}
|
||||
return np->n_net;
|
||||
}
|
||||
return *(u_long *)hp->h_addr;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* find the port number given by the name, either from getservbyname() or
|
||||
* straight atoi()
|
||||
*/
|
||||
static u_short tx_portnum(name)
|
||||
char *name;
|
||||
{
|
||||
struct servent *sp, *sp2;
|
||||
u_short p1 = 0;
|
||||
|
||||
if (isdigit(*name))
|
||||
return (u_short)atoi(name);
|
||||
if (!tx_proto)
|
||||
tx_proto = "tcp/udp";
|
||||
if (strcasecmp(tx_proto, "tcp/udp")) {
|
||||
sp = getservbyname(name, tx_proto);
|
||||
if (sp)
|
||||
return ntohs(sp->s_port);
|
||||
(void) fprintf(stderr, "unknown service \"%s\".\n", name);
|
||||
return 0;
|
||||
}
|
||||
sp = getservbyname(name, "tcp");
|
||||
if (sp)
|
||||
p1 = sp->s_port;
|
||||
sp2 = getservbyname(name, "udp");
|
||||
if (!sp || !sp2) {
|
||||
(void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n",
|
||||
name);
|
||||
return 0;
|
||||
}
|
||||
if (p1 != sp2->s_port) {
|
||||
(void) fprintf(stderr, "%s %d/tcp is a different port to ",
|
||||
name, p1);
|
||||
(void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
|
||||
return 0;
|
||||
}
|
||||
return ntohs(p1);
|
||||
}
|
||||
|
||||
|
||||
char *tx_icmptypes[] = {
|
||||
"echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
|
||||
"redir", (char *)NULL, (char *)NULL, "echo", (char *)NULL,
|
||||
(char *)NULL, "timex", "paramprob", "timest", "timestrep",
|
||||
"inforeq", "inforep", "maskreq", "maskrep", "END"
|
||||
};
|
||||
|
||||
static int text_open(fname)
|
||||
char *fname;
|
||||
{
|
||||
if (tfp && tfd != -1) {
|
||||
rewind(tfp);
|
||||
return tfd;
|
||||
}
|
||||
|
||||
if (!strcmp(fname, "-")) {
|
||||
tfd = 0;
|
||||
tfp = stdin;
|
||||
} else {
|
||||
tfd = open(fname, O_RDONLY);
|
||||
if (tfd != -1)
|
||||
tfp = fdopen(tfd, "r");
|
||||
}
|
||||
return tfd;
|
||||
}
|
||||
|
||||
|
||||
static int text_close()
|
||||
{
|
||||
int cfd = tfd;
|
||||
|
||||
tfd = -1;
|
||||
return close(cfd);
|
||||
}
|
||||
|
||||
|
||||
static int text_readip(buf, cnt, ifn, dir)
|
||||
char *buf, **ifn;
|
||||
int cnt, *dir;
|
||||
{
|
||||
register char *s;
|
||||
struct ip *ip;
|
||||
char line[513];
|
||||
|
||||
ip = (struct ip *)buf;
|
||||
*ifn = NULL;
|
||||
while (fgets(line, sizeof(line)-1, tfp)) {
|
||||
if ((s = index(line, '\n')))
|
||||
*s = '\0';
|
||||
if ((s = index(line, '\r')))
|
||||
*s = '\0';
|
||||
if ((s = index(line, '#')))
|
||||
*s = '\0';
|
||||
if (!*line)
|
||||
continue;
|
||||
if (!(opts & OPT_BRIEF))
|
||||
printf("input: %s\n", line);
|
||||
*ifn = NULL;
|
||||
*dir = 0;
|
||||
if (!parseline(line, buf, ifn, dir))
|
||||
#if 0
|
||||
return sizeof(struct tcpiphdr);
|
||||
#else
|
||||
return sizeof(struct ip);
|
||||
#endif
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
||||
static int parseline(line, ip, ifn, out)
|
||||
char *line;
|
||||
struct ip *ip;
|
||||
char **ifn;
|
||||
int *out;
|
||||
{
|
||||
tcphdr_t th, *tcp = &th;
|
||||
struct icmp icmp, *ic = &icmp;
|
||||
char *cps[20], **cpp, c, ipopts[68];
|
||||
int i, r;
|
||||
|
||||
bzero((char *)ip, MAX(sizeof(*tcp), sizeof(*ic)) + sizeof(*ip));
|
||||
bzero((char *)tcp, sizeof(*tcp));
|
||||
bzero((char *)ic, sizeof(*ic));
|
||||
bzero(ipopts, sizeof(ipopts));
|
||||
ip->ip_hl = sizeof(*ip) >> 2;
|
||||
ip->ip_v = IPVERSION;
|
||||
for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && i < 19; )
|
||||
cps[++i] = strtok(NULL, " \b\t\r\n");
|
||||
if (i < 2)
|
||||
return 1;
|
||||
|
||||
cpp = cps;
|
||||
|
||||
c = **cpp;
|
||||
if (!isalpha(c) || (tolower(c) != 'o' && tolower(c) != 'i')) {
|
||||
fprintf(stderr, "bad direction \"%s\"\n", *cpp);
|
||||
return 1;
|
||||
}
|
||||
*out = (tolower(c) == 'o') ? 1 : 0;
|
||||
cpp++;
|
||||
|
||||
if (!strcasecmp(*cpp, "on")) {
|
||||
cpp++;
|
||||
if (!*cpp)
|
||||
return 1;
|
||||
*ifn = *cpp++;
|
||||
}
|
||||
|
||||
c = **cpp;
|
||||
ip->ip_len = sizeof(struct ip);
|
||||
if (!strcasecmp(*cpp, "tcp") || !strcasecmp(*cpp, "udp") ||
|
||||
!strcasecmp(*cpp, "icmp")) {
|
||||
if (c == 't') {
|
||||
ip->ip_p = IPPROTO_TCP;
|
||||
ip->ip_len += sizeof(struct tcphdr);
|
||||
tx_proto = "tcp";
|
||||
} else if (c == 'u') {
|
||||
ip->ip_p = IPPROTO_UDP;
|
||||
ip->ip_len += sizeof(struct udphdr);
|
||||
tx_proto = "udp";
|
||||
} else {
|
||||
ip->ip_p = IPPROTO_ICMP;
|
||||
ip->ip_len += sizeof(struct icmp);
|
||||
tx_proto = "icmp";
|
||||
}
|
||||
cpp++;
|
||||
} else
|
||||
ip->ip_p = IPPROTO_IP;
|
||||
|
||||
if (!*cpp)
|
||||
return 1;
|
||||
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) {
|
||||
char *last;
|
||||
|
||||
last = index(*cpp, ',');
|
||||
if (!last) {
|
||||
fprintf(stderr, "tcp/udp with no source port\n");
|
||||
return 1;
|
||||
}
|
||||
*last++ = '\0';
|
||||
tcp->th_sport = htons(tx_portnum(last));
|
||||
}
|
||||
ip->ip_src.s_addr = tx_hostnum(*cpp, &r);
|
||||
cpp++;
|
||||
if (!*cpp)
|
||||
return 1;
|
||||
|
||||
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) {
|
||||
char *last;
|
||||
|
||||
last = index(*cpp, ',');
|
||||
if (!last) {
|
||||
fprintf(stderr, "tcp/udp with no destination port\n");
|
||||
return 1;
|
||||
}
|
||||
*last++ = '\0';
|
||||
tcp->th_dport = htons(tx_portnum(last));
|
||||
}
|
||||
ip->ip_dst.s_addr = tx_hostnum(*cpp, &r);
|
||||
cpp++;
|
||||
if (*cpp && ip->ip_p == IPPROTO_TCP) {
|
||||
extern char tcp_flagset[];
|
||||
extern u_char tcp_flags[];
|
||||
char *s, *t;
|
||||
|
||||
for (s = *cpp; *s; s++)
|
||||
if ((t = index(tcp_flagset, *s)))
|
||||
tcp->th_flags |= tcp_flags[t - tcp_flagset];
|
||||
if (tcp->th_flags)
|
||||
cpp++;
|
||||
assert(tcp->th_flags != 0);
|
||||
} else if (*cpp && ip->ip_p == IPPROTO_ICMP) {
|
||||
extern char *tx_icmptypes[];
|
||||
char **s, *t;
|
||||
int i;
|
||||
|
||||
for (s = tx_icmptypes, i = 0; !*s || strcmp(*s, "END");
|
||||
s++, i++)
|
||||
if (*s && !strncasecmp(*cpp, *s, strlen(*s))) {
|
||||
ic->icmp_type = i;
|
||||
if ((t = index(*cpp, ',')))
|
||||
ic->icmp_code = atoi(t+1);
|
||||
cpp++;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (*cpp && !strcasecmp(*cpp, "opt")) {
|
||||
u_long olen;
|
||||
|
||||
cpp++;
|
||||
olen = buildopts(*cpp, ipopts);
|
||||
if (olen) {
|
||||
bcopy(ipopts, (char *)(ip + 1), olen);
|
||||
ip->ip_hl += olen >> 2;
|
||||
}
|
||||
}
|
||||
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
|
||||
bcopy((char *)tcp, ((char *)ip) + (ip->ip_hl << 2),
|
||||
sizeof(*tcp));
|
||||
else if (ip->ip_p == IPPROTO_ICMP)
|
||||
bcopy((char *)ic, ((char *)ip) + (ip->ip_hl << 2),
|
||||
sizeof(*ic));
|
||||
return 0;
|
||||
}
|
16
contrib/ipfilter/ipl.h
Normal file
16
contrib/ipfilter/ipl.h
Normal file
@ -0,0 +1,16 @@
|
||||
/*
|
||||
* (C)opyright 1993-1996 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* @(#)ipl.h 1.21 6/5/96
|
||||
*/
|
||||
|
||||
#ifndef __IPL_H_
|
||||
#define __IPL_H__
|
||||
|
||||
#define IPL_VERSION "IP Filter v3.1.7 - 8/2/97"
|
||||
|
||||
#endif
|
83
contrib/ipfilter/ipl_ldev.c
Normal file
83
contrib/ipfilter/ipl_ldev.c
Normal file
@ -0,0 +1,83 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
|
||||
/*
|
||||
* routines below for saving IP headers to buffer
|
||||
*/
|
||||
int iplopen(struct inode * inode, struct file * filp)
|
||||
{
|
||||
u_int min = MINOR(inode->i_rdev);
|
||||
|
||||
if (flags & FWRITE)
|
||||
return ENXIO;
|
||||
if (min)
|
||||
return ENXIO;
|
||||
iplbusy++;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int iplclose(struct inode * inode, struct file * filp)
|
||||
{
|
||||
u_int min = MINOR(inode->i_rdev);
|
||||
|
||||
if (min)
|
||||
return ENXIO;
|
||||
iplbusy--;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* iplread/ipllog
|
||||
* all three of these must operate with at least splnet() lest they be
|
||||
* called during packet processing and cause an inconsistancy to appear in
|
||||
* the filter lists.
|
||||
*/
|
||||
int iplread(struct inode *inode, struct file *file, char *buf, int count)
|
||||
{
|
||||
register int ret, s;
|
||||
register size_t sz, sx;
|
||||
int error;
|
||||
|
||||
if (!uio->uio_resid)
|
||||
return 0;
|
||||
while (!iplused) {
|
||||
error = SLEEP(iplbuf, "ipl sleep");
|
||||
if (error)
|
||||
return error;
|
||||
}
|
||||
|
||||
SPLNET(s);
|
||||
|
||||
ret = sx = sz = MIN(count, iplused);
|
||||
if (iplh < iplt)
|
||||
sz = MIN(sz, LOGSIZE - (iplt - iplbuf));
|
||||
sx -= sz;
|
||||
|
||||
memcpy_tofs(buf, iplt, sz);
|
||||
buf += sz;
|
||||
iplt += sz;
|
||||
iplused -= sz;
|
||||
if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE))
|
||||
iplt = iplbuf;
|
||||
|
||||
if (sx) {
|
||||
memcpy_tofs(buf, iplt, sx);
|
||||
ret += sx;
|
||||
iplt += sx;
|
||||
iplused -= sx;
|
||||
if ((iplh < iplt) && (iplt == iplbuf + LOGSIZE))
|
||||
iplt = iplbuf;
|
||||
}
|
||||
if (!iplused) /* minimise wrapping around the end */
|
||||
iplh = iplt = iplbuf;
|
||||
|
||||
SPLX(s);
|
||||
return ret;
|
||||
}
|
582
contrib/ipfilter/ipmon.c
Normal file
582
contrib/ipfilter/ipmon.c
Normal file
@ -0,0 +1,582 @@
|
||||
/*
|
||||
* (C)opyright 1993-1996 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <assert.h>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <syslog.h>
|
||||
#include <sys/errno.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/uio.h>
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
#include <sys/dir.h>
|
||||
#include <sys/mbuf.h>
|
||||
#else
|
||||
#include <sys/byteorder.h>
|
||||
#endif
|
||||
#include <sys/protosw.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/user.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include <netdb.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <ctype.h>
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char rcsid[] = "$Id: ipmon.c,v 2.0.1.2 1997/02/04 14:49:19 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#include "ip_fil.h"
|
||||
|
||||
|
||||
struct flags {
|
||||
int value;
|
||||
char flag;
|
||||
};
|
||||
|
||||
struct flags tcpfl[] = {
|
||||
{ TH_ACK, 'A' },
|
||||
{ TH_RST, 'R' },
|
||||
{ TH_SYN, 'S' },
|
||||
{ TH_FIN, 'F' },
|
||||
{ TH_URG, 'U' },
|
||||
{ TH_PUSH,'P' },
|
||||
{ 0, '\0' }
|
||||
};
|
||||
|
||||
|
||||
static char line[2048];
|
||||
static void printpacket(), dumphex();
|
||||
static int opts = 0;
|
||||
|
||||
#define OPT_SYSLOG 0x01
|
||||
#define OPT_RESOLVE 0x02
|
||||
#define OPT_HEXBODY 0x04
|
||||
#define OPT_VERBOSE 0x08
|
||||
#define OPT_HEXHDR 0x10
|
||||
|
||||
#ifndef LOGFAC
|
||||
#define LOGFAC LOG_LOCAL0
|
||||
#endif
|
||||
|
||||
void printiplci(icp)
|
||||
struct ipl_ci *icp;
|
||||
{
|
||||
printf("sec %ld usec %ld hlen %d plen %d\n", icp->sec, icp->usec,
|
||||
icp->hlen, icp->plen);
|
||||
}
|
||||
|
||||
|
||||
void resynclog(fd, iplcp, log)
|
||||
int fd;
|
||||
struct ipl_ci *iplcp;
|
||||
FILE *log;
|
||||
{
|
||||
time_t now;
|
||||
char *s = NULL;
|
||||
int len, nr = 0;
|
||||
|
||||
do {
|
||||
if (s) {
|
||||
s = (char *)&iplcp->sec;
|
||||
if (opts & OPT_SYSLOG) {
|
||||
syslog(LOG_INFO, "Sync bytes:");
|
||||
syslog(LOG_INFO, " %02x %02x %02x %02x",
|
||||
*s, *(s+1), *(s+2), *(s+3));
|
||||
syslog(LOG_INFO, " %02x %02x %02x %02x\n",
|
||||
*(s+4), *(s+5), *(s+6), *(s+7));
|
||||
} else {
|
||||
fprintf(log, "Sync bytes:");
|
||||
fprintf(log, " %02x %02x %02x %02x",
|
||||
*s, *(s+1), *(s+2), *(s+3));
|
||||
fprintf(log, " %02x %02x %02x %02x\n",
|
||||
*(s+4), *(s+5), *(s+6), *(s+7));
|
||||
}
|
||||
}
|
||||
do {
|
||||
s = (char *)&iplcp->sec;
|
||||
len = sizeof(iplcp->sec);
|
||||
while (len) {
|
||||
switch ((nr = read(fd, s, len)))
|
||||
{
|
||||
case -1:
|
||||
case 0:
|
||||
return;
|
||||
default :
|
||||
s += nr;
|
||||
len -= nr;
|
||||
now = time(NULL);
|
||||
break;
|
||||
}
|
||||
}
|
||||
} while ((now < iplcp->sec) ||
|
||||
((iplcp->sec - now) > (86400*5)));
|
||||
|
||||
len = sizeof(iplcp->usec);
|
||||
while (len) {
|
||||
switch ((nr = read(fd, s, len)))
|
||||
{
|
||||
case -1:
|
||||
case 0:
|
||||
return;
|
||||
default :
|
||||
s += nr;
|
||||
len -= nr;
|
||||
break;
|
||||
}
|
||||
}
|
||||
} while (iplcp->usec > 1000000);
|
||||
|
||||
len = sizeof(*iplcp) - sizeof(iplcp->sec) - sizeof(iplcp->usec);
|
||||
while (len) {
|
||||
switch ((nr = read(fd, s, len)))
|
||||
{
|
||||
case -1:
|
||||
case 0:
|
||||
return;
|
||||
default :
|
||||
s += nr;
|
||||
len -= nr;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
int readlogentry(fd, lenp, buf, bufsize, log)
|
||||
int fd, bufsize, *lenp;
|
||||
char *buf;
|
||||
FILE *log;
|
||||
{
|
||||
struct ipl_ci *icp = (struct ipl_ci *)buf;
|
||||
time_t now;
|
||||
char *s;
|
||||
int len, n = bufsize, tr = sizeof(struct ipl_ci), nr;
|
||||
|
||||
if (bufsize < tr)
|
||||
return 1;
|
||||
for (s = buf; (n > 0) && (tr > 0); s += nr, n -= nr) {
|
||||
nr = read(fd, s, tr);
|
||||
if (nr > 0)
|
||||
tr -= nr;
|
||||
else
|
||||
return -1;
|
||||
}
|
||||
|
||||
now = time(NULL);
|
||||
if ((icp->hlen > 92) || (now < icp->sec) ||
|
||||
((now - icp->sec) > (86400*5))) {
|
||||
if (opts & OPT_SYSLOG)
|
||||
syslog(LOG_INFO, "Out of sync! (1,%x)\n", now);
|
||||
else
|
||||
fprintf(log, "Out of sync! (1,%x)\n", now);
|
||||
dumphex(log, buf, sizeof(struct ipl_ci));
|
||||
resynclog(fd, icp, log);
|
||||
}
|
||||
|
||||
|
||||
len = (int)((u_int)icp->plen);
|
||||
if (len > 128 || len < 0) {
|
||||
if (opts & OPT_SYSLOG)
|
||||
syslog(LOG_INFO, "Out of sync! (2,%d)\n", len);
|
||||
else
|
||||
fprintf(log, "Out of sync! (2,%d)\n", len);
|
||||
dumphex(log, buf, sizeof(struct ipl_ci));
|
||||
resynclog(fd, icp, log);
|
||||
}
|
||||
|
||||
|
||||
tr = icp->hlen + icp->plen;
|
||||
if (n < tr)
|
||||
return 1;
|
||||
|
||||
for (; (n > 0) && (tr > 0); s += nr, n-= nr) {
|
||||
nr = read(fd, s, tr);
|
||||
if (nr > 0)
|
||||
tr -= nr;
|
||||
else
|
||||
return -1;
|
||||
}
|
||||
*lenp = s - buf;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
char *hostname(res, ip)
|
||||
int res;
|
||||
struct in_addr ip;
|
||||
{
|
||||
struct hostent *hp;
|
||||
|
||||
if (!res)
|
||||
return inet_ntoa(ip);
|
||||
hp = gethostbyaddr((char *)&ip, sizeof(ip), AF_INET);
|
||||
if (!hp)
|
||||
return inet_ntoa(ip);
|
||||
return hp->h_name;
|
||||
}
|
||||
|
||||
|
||||
char *portname(res, proto, port)
|
||||
int res;
|
||||
char *proto;
|
||||
u_short port;
|
||||
{
|
||||
static char pname[8];
|
||||
struct servent *serv;
|
||||
|
||||
(void) sprintf(pname, "%hu", htons(port));
|
||||
if (!res)
|
||||
return pname;
|
||||
serv = getservbyport((int)port, proto);
|
||||
if (!serv)
|
||||
return pname;
|
||||
return serv->s_name;
|
||||
}
|
||||
|
||||
|
||||
static void dumphex(log, buf, len)
|
||||
FILE *log;
|
||||
u_char *buf;
|
||||
int len;
|
||||
{
|
||||
char line[80];
|
||||
int i, j, k;
|
||||
u_char *s = buf, *t = (u_char *)line;
|
||||
|
||||
for (i = len, j = 0; i; i--, j++, s++) {
|
||||
if (j && !(j & 0xf)) {
|
||||
*t++ = '\n';
|
||||
*t = '\0';
|
||||
fputs(line, stdout);
|
||||
t = (u_char *)line;
|
||||
*t = '\0';
|
||||
}
|
||||
sprintf(t, "%02x", *s & 0xff);
|
||||
t += 2;
|
||||
if (!((j + 1) & 0xf)) {
|
||||
s -= 15;
|
||||
sprintf(t, " ");
|
||||
t += 8;
|
||||
for (k = 16; k; k--, s++)
|
||||
*t++ = (isprint(*s) ? *s : '.');
|
||||
s--;
|
||||
}
|
||||
|
||||
if ((j + 1) & 0xf)
|
||||
*t++ = ' ';;
|
||||
}
|
||||
|
||||
if (j & 0xf) {
|
||||
for (k = 16 - (j & 0xf); k; k--) {
|
||||
*t++ = ' ';
|
||||
*t++ = ' ';
|
||||
*t++ = ' ';
|
||||
}
|
||||
sprintf(t, " ");
|
||||
t += 7;
|
||||
s -= j & 0xf;
|
||||
for (k = j & 0xf; k; k--, s++)
|
||||
*t++ = (isprint(*s) ? *s : '.');
|
||||
*t++ = '\n';
|
||||
*t = '\0';
|
||||
}
|
||||
fputs(line, stdout);
|
||||
fflush(stdout);
|
||||
}
|
||||
|
||||
|
||||
static void printpacket(log, buf, blen)
|
||||
FILE *log;
|
||||
char *buf;
|
||||
int blen;
|
||||
{
|
||||
struct protoent *pr;
|
||||
struct tcphdr *tp;
|
||||
struct icmp *ic;
|
||||
struct ip *ipc;
|
||||
struct tm *tm;
|
||||
char c[3], pname[8], *t, *proto;
|
||||
u_short hl, p;
|
||||
int i, lvl, res;
|
||||
#if !SOLARIS && !(defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
|
||||
int len;
|
||||
#endif
|
||||
struct ip *ip;
|
||||
struct ipl_ci *lp;
|
||||
|
||||
lp = (struct ipl_ci *)buf;
|
||||
ip = (struct ip *)(buf + sizeof(*lp));
|
||||
res = (opts & OPT_RESOLVE) ? 1 : 0;
|
||||
t = line;
|
||||
*t = '\0';
|
||||
hl = (ip->ip_hl << 2);
|
||||
p = (u_short)ip->ip_p;
|
||||
tm = localtime((time_t *)&lp->sec);
|
||||
if (!(opts & OPT_SYSLOG)) {
|
||||
(void) sprintf(t, "%2d/%02d/%4d ",
|
||||
tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
|
||||
t += strlen(t);
|
||||
}
|
||||
#if SOLARIS || (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
|
||||
(void) sprintf(t, "%02d:%02d:%02d.%-.6ld %.*s @%hd ",
|
||||
tm->tm_hour, tm->tm_min, tm->tm_sec, lp->usec,
|
||||
(int)sizeof(lp->ifname), lp->ifname, lp->rule);
|
||||
#else
|
||||
for (len = 0; len < 3; len++)
|
||||
if (!lp->ifname[len])
|
||||
break;
|
||||
if (lp->ifname[len])
|
||||
len++;
|
||||
(void) sprintf(t, "%02d:%02d:%02d.%-.6ld %*.*s%ld @%hd ",
|
||||
tm->tm_hour, tm->tm_min, tm->tm_sec, lp->usec,
|
||||
len, len, lp->ifname, lp->unit, lp->rule);
|
||||
#endif
|
||||
pr = getprotobynumber((int)p);
|
||||
if (!pr) {
|
||||
proto = pname;
|
||||
sprintf(proto, "%d", (u_int)p);
|
||||
} else
|
||||
proto = pr->p_name;
|
||||
|
||||
if (lp->flags & (FI_SHORT << 20)) {
|
||||
c[0] = 'S';
|
||||
lvl = LOG_ERR;
|
||||
} else if (lp->flags & FR_PASS) {
|
||||
if (lp->flags & FR_LOGP)
|
||||
c[0] = 'p';
|
||||
else
|
||||
c[0] = 'P';
|
||||
lvl = LOG_NOTICE;
|
||||
} else if (lp->flags & FR_BLOCK) {
|
||||
if (lp->flags & FR_LOGB)
|
||||
c[0] = 'b';
|
||||
else
|
||||
c[0] = 'B';
|
||||
lvl = LOG_WARNING;
|
||||
} else if (lp->flags & FF_LOGNOMATCH) {
|
||||
c[0] = 'n';
|
||||
lvl = LOG_NOTICE;
|
||||
} else {
|
||||
c[0] = 'L';
|
||||
lvl = LOG_INFO;
|
||||
}
|
||||
c[1] = ' ';
|
||||
c[2] = '\0';
|
||||
(void) strcat(line, c);
|
||||
t = line + strlen(line);
|
||||
|
||||
if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !(ip->ip_off & 0x1fff)) {
|
||||
tp = (struct tcphdr *)((char *)ip + hl);
|
||||
if (!(lp->flags & (FI_SHORT << 16))) {
|
||||
(void) sprintf(t, "%s,%s -> ",
|
||||
hostname(res, ip->ip_src),
|
||||
portname(res, proto, tp->th_sport));
|
||||
t += strlen(t);
|
||||
(void) sprintf(t, "%s,%s PR %s len %hu %hu ",
|
||||
hostname(res, ip->ip_dst),
|
||||
portname(res, proto, tp->th_dport),
|
||||
proto, hl, ip->ip_len);
|
||||
t += strlen(t);
|
||||
|
||||
if (p == IPPROTO_TCP) {
|
||||
*t++ = '-';
|
||||
for (i = 0; tcpfl[i].value; i++)
|
||||
if (tp->th_flags & tcpfl[i].value)
|
||||
*t++ = tcpfl[i].flag;
|
||||
}
|
||||
if (opts & OPT_VERBOSE) {
|
||||
(void) sprintf(t, " %lu %lu %hu",
|
||||
(u_long)tp->th_seq,
|
||||
(u_long)tp->th_ack, tp->th_win);
|
||||
t += strlen(t);
|
||||
}
|
||||
*t = '\0';
|
||||
} else {
|
||||
(void) sprintf(t, "%s -> ", hostname(res, ip->ip_src));
|
||||
t += strlen(t);
|
||||
(void) sprintf(t, "%s PR %s len %hu %hu",
|
||||
hostname(res, ip->ip_dst), proto,
|
||||
hl, ip->ip_len);
|
||||
}
|
||||
} else if (p == IPPROTO_ICMP) {
|
||||
ic = (struct icmp *)((char *)ip + hl);
|
||||
(void) sprintf(t, "%s -> ", hostname(res, ip->ip_src));
|
||||
t += strlen(t);
|
||||
(void) sprintf(t, "%s PR icmp len %hu (%hu) icmp %d/%d",
|
||||
hostname(res, ip->ip_dst), hl,
|
||||
ip->ip_len, ic->icmp_type, ic->icmp_code);
|
||||
if (ic->icmp_type == ICMP_UNREACH ||
|
||||
ic->icmp_type == ICMP_SOURCEQUENCH ||
|
||||
ic->icmp_type == ICMP_PARAMPROB ||
|
||||
ic->icmp_type == ICMP_REDIRECT ||
|
||||
ic->icmp_type == ICMP_TIMXCEED) {
|
||||
ipc = &ic->icmp_ip;
|
||||
tp = (struct tcphdr *)((char *)ipc + hl);
|
||||
|
||||
p = (u_short)ipc->ip_p;
|
||||
pr = getprotobynumber((int)p);
|
||||
if (!pr) {
|
||||
proto = pname;
|
||||
(void) sprintf(proto, "%d", (int)p);
|
||||
} else
|
||||
proto = pr->p_name;
|
||||
|
||||
t += strlen(t);
|
||||
(void) sprintf(t, " for %s,%s -",
|
||||
hostname(res, ipc->ip_src),
|
||||
portname(res, proto, tp->th_sport));
|
||||
t += strlen(t);
|
||||
(void) sprintf(t, " %s,%s PR %s len %hu %hu",
|
||||
hostname(res, ipc->ip_dst),
|
||||
portname(res, proto, tp->th_dport),
|
||||
proto, ipc->ip_hl << 2, ipc->ip_len);
|
||||
}
|
||||
} else {
|
||||
(void) sprintf(t, "%s -> ", hostname(res, ip->ip_src));
|
||||
t += strlen(t);
|
||||
(void) sprintf(t, "%s PR %s len %hu (%hu)",
|
||||
hostname(res, ip->ip_dst), proto, hl, ip->ip_len);
|
||||
t += strlen(t);
|
||||
if (ip->ip_off & 0x1fff)
|
||||
(void) sprintf(t, " frag %s%s%hu@%hu",
|
||||
ip->ip_off & IP_MF ? "+" : "",
|
||||
ip->ip_off & IP_DF ? "-" : "",
|
||||
ip->ip_len - hl, (ip->ip_off & 0x1fff) << 3);
|
||||
}
|
||||
t += strlen(t);
|
||||
|
||||
if (lp->flags & FR_KEEPSTATE) {
|
||||
(void) strcpy(t, " K-S");
|
||||
t += strlen(t);
|
||||
}
|
||||
|
||||
if (lp->flags & FR_KEEPFRAG) {
|
||||
(void) strcpy(t, " K-F");
|
||||
t += strlen(t);
|
||||
}
|
||||
|
||||
*t++ = '\n';
|
||||
*t++ = '\0';
|
||||
if (opts & OPT_SYSLOG)
|
||||
syslog(lvl, "%s", line);
|
||||
else
|
||||
(void) fprintf(log, "%s", line);
|
||||
if (opts & OPT_HEXHDR)
|
||||
dumphex(log, buf, sizeof(struct ipl_ci));
|
||||
if (opts & OPT_HEXBODY)
|
||||
dumphex(log, ip, lp->plen + lp->hlen);
|
||||
fflush(log);
|
||||
}
|
||||
|
||||
int main(argc, argv)
|
||||
int argc;
|
||||
char *argv[];
|
||||
{
|
||||
FILE *log = NULL;
|
||||
int fd = -1, flushed = 0, doread, n;
|
||||
char buf[512], c, *iplfile = IPL_NAME;
|
||||
extern int optind;
|
||||
extern char *optarg;
|
||||
|
||||
while ((c = getopt(argc, argv, "Nf:FsvxX")) != -1)
|
||||
switch (c)
|
||||
{
|
||||
case 'f' :
|
||||
iplfile = optarg;
|
||||
break;
|
||||
case 'F' :
|
||||
if ((fd == -1) &&
|
||||
(fd = open(iplfile, O_RDWR)) == -1) {
|
||||
(void) fprintf(stderr, "%s: ", IPL_NAME);
|
||||
perror("open");
|
||||
exit(-1);
|
||||
}
|
||||
if (ioctl(fd, SIOCIPFFB, &flushed) == 0) {
|
||||
printf("%d bytes flushed from log buffer\n",
|
||||
flushed);
|
||||
fflush(stdout);
|
||||
} else
|
||||
perror("SIOCIPFFB");
|
||||
break;
|
||||
case 'N' :
|
||||
opts |= OPT_RESOLVE;
|
||||
break;
|
||||
case 's' :
|
||||
openlog(argv[0], LOG_NDELAY|LOG_PID, LOGFAC);
|
||||
opts |= OPT_SYSLOG;
|
||||
break;
|
||||
case 'v' :
|
||||
opts |= OPT_VERBOSE;
|
||||
break;
|
||||
case 'x' :
|
||||
opts |= OPT_HEXBODY;
|
||||
break;
|
||||
case 'X' :
|
||||
opts |= OPT_HEXHDR;
|
||||
break;
|
||||
}
|
||||
|
||||
if ((fd == -1) && (fd = open(iplfile, O_RDONLY)) == -1) {
|
||||
(void) fprintf(stderr, "%s: ", IPL_NAME);
|
||||
perror("open");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
if (!(opts & OPT_SYSLOG)) {
|
||||
log = argv[optind] ? fopen(argv[optind], "a") : stdout;
|
||||
setvbuf(log, NULL, _IONBF, 0);
|
||||
}
|
||||
|
||||
if (flushed) {
|
||||
if (opts & OPT_SYSLOG)
|
||||
syslog(LOG_INFO, "%d bytes flushed from log\n",
|
||||
flushed);
|
||||
else
|
||||
fprintf(log, "%d bytes flushed from log\n", flushed);
|
||||
}
|
||||
|
||||
for (doread = 1; doread; )
|
||||
switch (readlogentry(fd, &n, buf, sizeof(buf), log))
|
||||
{
|
||||
case -1 :
|
||||
if (opts & OPT_SYSLOG)
|
||||
syslog(LOG_ERR, "read: %m\n");
|
||||
else
|
||||
perror("read");
|
||||
doread = 0;
|
||||
break;
|
||||
case 1 :
|
||||
if (opts & OPT_SYSLOG)
|
||||
syslog(LOG_ERR, "aborting logging\n");
|
||||
else
|
||||
fprintf(log, "aborting logging\n");
|
||||
doread = 0;
|
||||
break;
|
||||
case 2 :
|
||||
break;
|
||||
case 0 :
|
||||
printpacket(log, buf, n, opts);
|
||||
break;
|
||||
}
|
||||
exit(0);
|
||||
/* NOTREACHED */
|
||||
}
|
692
contrib/ipfilter/ipnat.c
Normal file
692
contrib/ipfilter/ipnat.c
Normal file
@ -0,0 +1,692 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*
|
||||
* Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
|
||||
*
|
||||
* Broken still:
|
||||
* Displaying the nat with redirect entries is way confusing
|
||||
*
|
||||
* Example redirection line:
|
||||
* rdr le1 0.0.0.0/0 port 79 -> 199.165.219.129 port 9901
|
||||
*
|
||||
* Will redirect all incoming packets on le1 to any machine, port 79 to
|
||||
* host 199.165.219.129, port 9901
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <fcntl.h>
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
#include <strings.h>
|
||||
#else
|
||||
#include <sys/byteorder.h>
|
||||
#endif
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
|
||||
# include <sys/ioccom.h>
|
||||
# include <sys/sysmacros.h>
|
||||
#endif
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <net/if.h>
|
||||
#include "ip_compat.h"
|
||||
#include <netdb.h>
|
||||
#include <arpa/nameser.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <resolv.h>
|
||||
#include "ip_nat.h"
|
||||
#include <ctype.h>
|
||||
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
|
||||
static char rcsid[] = "$Id: ipnat.c,v 2.0.1.7 1997/01/30 12:02:32 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
#if SOLARIS
|
||||
#define bzero(a,b) memset(a,0,b)
|
||||
#endif
|
||||
|
||||
extern char *optarg;
|
||||
extern int kmemcpy();
|
||||
|
||||
void dostats(), printnat(), parsefile(), flushtable();
|
||||
|
||||
#define OPT_REM 1
|
||||
#define OPT_NODO 2
|
||||
#define OPT_STAT 4
|
||||
#define OPT_LIST 8
|
||||
#define OPT_VERBOSE 16
|
||||
#define OPT_FLUSH 32
|
||||
#define OPT_CLEAR 64
|
||||
|
||||
|
||||
void usage(name)
|
||||
char *name;
|
||||
{
|
||||
fprintf(stderr, "%s: [-CFlnrsv] [-f filename]\n", name);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
int main(argc, argv)
|
||||
int argc;
|
||||
char *argv[];
|
||||
{
|
||||
char *file = NULL, c;
|
||||
int fd, opts = 1;
|
||||
|
||||
while ((c = getopt(argc, argv, "CFf:lnrsv")) != -1)
|
||||
switch (c)
|
||||
{
|
||||
case 'C' :
|
||||
opts |= OPT_CLEAR;
|
||||
break;
|
||||
case 'f' :
|
||||
file = optarg;
|
||||
break;
|
||||
case 'F' :
|
||||
opts |= OPT_FLUSH;
|
||||
break;
|
||||
case 'l' :
|
||||
opts |= OPT_LIST;
|
||||
break;
|
||||
case 'n' :
|
||||
opts |= OPT_NODO;
|
||||
break;
|
||||
case 'r' :
|
||||
opts &= ~OPT_REM;
|
||||
break;
|
||||
case 's' :
|
||||
opts |= OPT_STAT;
|
||||
break;
|
||||
case 'v' :
|
||||
opts |= OPT_VERBOSE;
|
||||
break;
|
||||
default :
|
||||
usage(argv[0]);
|
||||
}
|
||||
|
||||
if (!(opts & OPT_NODO) && ((fd = open(IPL_NAME, O_RDWR)) == -1) &&
|
||||
((fd = open(IPL_NAME, O_RDONLY)) == -1)) {
|
||||
perror("open");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
if (opts & (OPT_FLUSH|OPT_CLEAR))
|
||||
flushtable(fd, opts);
|
||||
if (file)
|
||||
parsefile(fd, file, opts);
|
||||
if (opts & (OPT_LIST|OPT_STAT))
|
||||
dostats(fd, opts);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* count consecutive 1's in bit mask. If the mask generated by counting
|
||||
* consecutive 1's is different to that passed, return -1, else return #
|
||||
* of bits.
|
||||
*/
|
||||
int countbits(ip)
|
||||
u_long ip;
|
||||
{
|
||||
u_long ipn;
|
||||
int cnt = 0, i, j;
|
||||
|
||||
ip = ipn = ntohl(ip);
|
||||
for (i = 32; i; i--, ipn *= 2)
|
||||
if (ipn & 0x80000000)
|
||||
cnt++;
|
||||
else
|
||||
break;
|
||||
ipn = 0;
|
||||
for (i = 32, j = cnt; i; i--, j--) {
|
||||
ipn *= 2;
|
||||
if (j > 0)
|
||||
ipn++;
|
||||
}
|
||||
if (ipn == ip)
|
||||
return cnt;
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
void printnat(np, verbose, ptr)
|
||||
ipnat_t *np;
|
||||
int verbose;
|
||||
void *ptr;
|
||||
{
|
||||
int bits;
|
||||
|
||||
if (np->in_redir == NAT_REDIRECT) {
|
||||
printf("rdr %s %s", np->in_ifname, inet_ntoa(np->in_out[0]));
|
||||
bits = countbits(np->in_out[1].s_addr);
|
||||
if (bits != -1)
|
||||
printf("/%d ", bits);
|
||||
else
|
||||
printf("/%s ", inet_ntoa(np->in_out[1]));
|
||||
if (np->in_pmin)
|
||||
printf("port %d ", ntohs(np->in_pmin));
|
||||
printf("-> %s", inet_ntoa(np->in_in[0]));
|
||||
if (np->in_pnext)
|
||||
printf(" port %d", ntohs(np->in_pnext));
|
||||
if (np->in_flags & IPN_TCPUDP)
|
||||
printf(" tcp/udp");
|
||||
else if (np->in_flags & IPN_TCP)
|
||||
printf(" tcp");
|
||||
else if (np->in_flags & IPN_UDP)
|
||||
printf(" udp");
|
||||
printf("\n");
|
||||
if (verbose)
|
||||
printf("\t%x %u %x %u %x %d\n", (u_int)np->in_ifp,
|
||||
np->in_space, np->in_flags, np->in_pnext, np,
|
||||
np->in_use);
|
||||
} else {
|
||||
np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
|
||||
printf("map %s %s/", np->in_ifname, inet_ntoa(np->in_in[0]));
|
||||
bits = countbits(np->in_in[1].s_addr);
|
||||
if (bits != -1)
|
||||
printf("%d ", bits);
|
||||
else
|
||||
printf("%s", inet_ntoa(np->in_in[1]));
|
||||
printf(" -> %s/", inet_ntoa(np->in_out[0]));
|
||||
bits = countbits(ntohl(np->in_out[1].s_addr));
|
||||
if (bits != -1)
|
||||
printf("%d ", bits);
|
||||
else
|
||||
printf("%s", inet_ntoa(np->in_out[1]));
|
||||
if (np->in_pmin || np->in_pmax) {
|
||||
printf(" portmap");
|
||||
if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
|
||||
printf(" tcp/udp");
|
||||
else if (np->in_flags & IPN_TCP)
|
||||
printf(" tcp");
|
||||
else if (np->in_flags & IPN_UDP)
|
||||
printf(" udp");
|
||||
printf(" %d:%d", ntohs(np->in_pmin),
|
||||
ntohs(np->in_pmax));
|
||||
}
|
||||
printf("\n");
|
||||
if (verbose)
|
||||
printf("\t%x %u %s %d %x\n", (u_int)np->in_ifp,
|
||||
np->in_space, inet_ntoa(np->in_nextip),
|
||||
np->in_pnext, np->in_flags);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Get a nat filter type given its kernel address.
|
||||
*/
|
||||
char *getnattype(ipnat)
|
||||
ipnat_t *ipnat;
|
||||
{
|
||||
ipnat_t ipnatbuff;
|
||||
|
||||
if (ipnat && kmemcpy(&ipnatbuff, ipnat, sizeof(ipnatbuff)))
|
||||
return "???";
|
||||
|
||||
return (ipnatbuff.in_redir == NAT_MAP) ? "MAP" : "RDR";
|
||||
}
|
||||
|
||||
|
||||
void dostats(fd, opts)
|
||||
int fd, opts;
|
||||
{
|
||||
natstat_t ns;
|
||||
ipnat_t ipn;
|
||||
nat_t **nt[2], *np, nat;
|
||||
int i = 0;
|
||||
|
||||
bzero((char *)&ns, sizeof(ns));
|
||||
|
||||
if (!(opts & OPT_NODO) && ioctl(fd, SIOCGNATS, &ns) == -1) {
|
||||
perror("ioctl(SIOCGNATS)");
|
||||
return;
|
||||
}
|
||||
|
||||
if (opts & OPT_STAT) {
|
||||
printf("mapped\tin\t%lu\tout\t%lu\n",
|
||||
ns.ns_mapped[0], ns.ns_mapped[1]);
|
||||
printf("added\t%lu\texpired\t%lu\n",
|
||||
ns.ns_added, ns.ns_expire);
|
||||
printf("inuse\t%lu\n", ns.ns_inuse);
|
||||
if (opts & OPT_VERBOSE)
|
||||
printf("table %#x list %#x\n",
|
||||
(u_int)ns.ns_table, (u_int)ns.ns_list);
|
||||
}
|
||||
if (opts & OPT_LIST) {
|
||||
printf("List of active MAP/Redirect filters:\n");
|
||||
while (ns.ns_list) {
|
||||
if (kmemcpy(&ipn, ns.ns_list, sizeof(ipn))) {
|
||||
perror("kmemcpy");
|
||||
break;
|
||||
}
|
||||
printnat(&ipn, opts & OPT_VERBOSE, (void *)ns.ns_list);
|
||||
ns.ns_list = ipn.in_next;
|
||||
}
|
||||
|
||||
nt[0] = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE);
|
||||
if (kmemcpy(nt[0], ns.ns_table[0], sizeof(**nt) * NAT_SIZE)) {
|
||||
perror("kmemcpy");
|
||||
return;
|
||||
}
|
||||
|
||||
printf("\nList of active sessions:\n");
|
||||
|
||||
for (i = 0; i < NAT_SIZE; i++)
|
||||
for (np = nt[0][i]; np; np = nat.nat_hnext[0]) {
|
||||
if (kmemcpy(&nat, np, sizeof(nat)))
|
||||
break;
|
||||
|
||||
printf("%s %-15s %-5hu <- ->",
|
||||
getnattype(nat.nat_ptr),
|
||||
inet_ntoa(nat.nat_inip),
|
||||
ntohs(nat.nat_inport));
|
||||
printf(" %-15s %-5hu",
|
||||
inet_ntoa(nat.nat_outip),
|
||||
ntohs(nat.nat_outport));
|
||||
printf(" [%s %hu]", inet_ntoa(nat.nat_oip),
|
||||
ntohs(nat.nat_oport));
|
||||
printf(" %d %hu %lx", nat.nat_age,
|
||||
nat.nat_use, nat.nat_sumd);
|
||||
#if SOLARIS
|
||||
printf(" %lx", nat.nat_ipsumd);
|
||||
#endif
|
||||
putchar('\n');
|
||||
}
|
||||
free(nt[0]);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
u_short portnum(name, proto)
|
||||
char *name, *proto;
|
||||
{
|
||||
struct servent *sp, *sp2;
|
||||
u_short p1 = 0;
|
||||
|
||||
if (isdigit(*name))
|
||||
return htons((u_short)atoi(name));
|
||||
if (!proto)
|
||||
proto = "tcp/udp";
|
||||
if (strcasecmp(proto, "tcp/udp")) {
|
||||
sp = getservbyname(name, proto);
|
||||
if (sp)
|
||||
return sp->s_port;
|
||||
(void) fprintf(stderr, "unknown service \"%s\".\n", name);
|
||||
return 0;
|
||||
}
|
||||
sp = getservbyname(name, "tcp");
|
||||
if (sp)
|
||||
p1 = sp->s_port;
|
||||
sp2 = getservbyname(name, "udp");
|
||||
if (!sp || !sp2) {
|
||||
(void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n",
|
||||
name);
|
||||
return 0;
|
||||
}
|
||||
if (p1 != sp2->s_port) {
|
||||
(void) fprintf(stderr, "%s %d/tcp is a different port to ",
|
||||
name, p1);
|
||||
(void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
|
||||
return 0;
|
||||
}
|
||||
return p1;
|
||||
}
|
||||
|
||||
|
||||
u_long hostmask(msk)
|
||||
char *msk;
|
||||
{
|
||||
int bits = -1;
|
||||
u_long mask;
|
||||
|
||||
if (!isdigit(*msk))
|
||||
return (u_long)-1;
|
||||
if (strchr(msk, '.'))
|
||||
return inet_addr(msk);
|
||||
if (strchr(msk, 'x'))
|
||||
return (u_long)strtol(msk, NULL, 0);
|
||||
/*
|
||||
* set x most significant bits
|
||||
*/
|
||||
for (mask = 0, bits = atoi(msk); bits; bits--) {
|
||||
mask /= 2;
|
||||
mask |= ntohl(inet_addr("128.0.0.0"));
|
||||
}
|
||||
mask = htonl(mask);
|
||||
return mask;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* returns an ip address as a long var as a result of either a DNS lookup or
|
||||
* straight inet_addr() call
|
||||
*/
|
||||
u_long hostnum(host, resolved)
|
||||
char *host;
|
||||
int *resolved;
|
||||
{
|
||||
struct hostent *hp;
|
||||
struct netent *np;
|
||||
|
||||
*resolved = 0;
|
||||
if (!strcasecmp("any",host))
|
||||
return 0L;
|
||||
if (isdigit(*host))
|
||||
return inet_addr(host);
|
||||
|
||||
if (!(hp = gethostbyname(host))) {
|
||||
if (!(np = getnetbyname(host))) {
|
||||
*resolved = -1;
|
||||
fprintf(stderr, "can't resolve hostname: %s\n", host);
|
||||
return 0;
|
||||
}
|
||||
return np->n_net;
|
||||
}
|
||||
return *(u_long *)hp->h_addr;
|
||||
}
|
||||
|
||||
|
||||
ipnat_t *parse(line)
|
||||
char *line;
|
||||
{
|
||||
static ipnat_t ipn;
|
||||
char *s, *t;
|
||||
char *shost, *snetm, *dhost, *proto;
|
||||
char *dnetm = NULL, *dport = NULL, *tport = NULL;
|
||||
int resolved;
|
||||
|
||||
bzero((char *)&ipn, sizeof(ipn));
|
||||
if ((s = strchr(line, '\n')))
|
||||
*s = '\0';
|
||||
if ((s = strchr(line, '#')))
|
||||
*s = '\0';
|
||||
if (!*line)
|
||||
return NULL;
|
||||
if (!(s = strtok(line, " \t")))
|
||||
return NULL;
|
||||
if (!strcasecmp(s, "map"))
|
||||
ipn.in_redir = NAT_MAP;
|
||||
else if (!strcasecmp(s, "rdr"))
|
||||
ipn.in_redir = NAT_REDIRECT;
|
||||
else {
|
||||
(void)fprintf(stderr,
|
||||
"expected \"map\" or \"rdr\", got \"%s\"\n", s);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!(s = strtok(NULL, " \t"))) {
|
||||
fprintf(stderr, "missing fields (interface)\n");
|
||||
return NULL;
|
||||
}
|
||||
strncpy(ipn.in_ifname, s, sizeof(ipn.in_ifname) - 1);
|
||||
ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
|
||||
if (!(s = strtok(NULL, " \t"))) {
|
||||
fprintf(stderr, "missing fields (%s)\n",
|
||||
ipn.in_redir ? "destination": "source");
|
||||
return NULL;
|
||||
}
|
||||
shost = s;
|
||||
|
||||
if (ipn.in_redir == NAT_REDIRECT) {
|
||||
if (!(s = strtok(NULL, " \t"))) {
|
||||
fprintf(stderr, "missing fields (destination port)\n");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (strcasecmp(s, "port")) {
|
||||
fprintf(stderr, "missing fields (port)\n");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!(s = strtok(NULL, " \t"))) {
|
||||
fprintf(stderr, "missing fields (destination port)\n");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
dport = s;
|
||||
}
|
||||
|
||||
|
||||
if (!(s = strtok(NULL, " \t"))) {
|
||||
fprintf(stderr, "missing fields (->)\n");
|
||||
return NULL;
|
||||
}
|
||||
if (!strcmp(s, "->")) {
|
||||
snetm = strrchr(shost, '/');
|
||||
if (!snetm) {
|
||||
fprintf(stderr, "missing fields (%s netmask)\n",
|
||||
ipn.in_redir ? "destination":"source");
|
||||
return NULL;
|
||||
}
|
||||
} else {
|
||||
if (strcasecmp(s, "netmask")) {
|
||||
fprintf(stderr, "missing fields (netmask)\n");
|
||||
return NULL;
|
||||
}
|
||||
if (!(s = strtok(NULL, " \t"))) {
|
||||
fprintf(stderr, "missing fields (%s netmask)\n",
|
||||
ipn.in_redir ? "destination":"source");
|
||||
return NULL;
|
||||
}
|
||||
snetm = s;
|
||||
}
|
||||
|
||||
if (!(s = strtok(NULL, " \t"))) {
|
||||
fprintf(stderr, "missing fields (%s)\n",
|
||||
ipn.in_redir ? "destination":"target");
|
||||
return NULL;
|
||||
}
|
||||
dhost = s;
|
||||
|
||||
if (ipn.in_redir == NAT_MAP) {
|
||||
if (!(s = strtok(NULL, " \t"))) {
|
||||
dnetm = strrchr(dhost, '/');
|
||||
if (!dnetm) {
|
||||
fprintf(stderr,
|
||||
"missing fields (dest netmask)\n");
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
if (!s || !strcasecmp(s, "portmap")) {
|
||||
dnetm = strrchr(dhost, '/');
|
||||
if (!dnetm) {
|
||||
fprintf(stderr,
|
||||
"missing fields (dest netmask)\n");
|
||||
return NULL;
|
||||
}
|
||||
} else {
|
||||
if (strcasecmp(s, "netmask")) {
|
||||
fprintf(stderr,
|
||||
"missing fields (dest netmask)\n");
|
||||
return NULL;
|
||||
}
|
||||
if (!(s = strtok(NULL, " \t"))) {
|
||||
fprintf(stderr,
|
||||
"missing fields (dest netmask)\n");
|
||||
return NULL;
|
||||
}
|
||||
dnetm = s;
|
||||
}
|
||||
if (*dnetm == '/')
|
||||
*dnetm++ = '\0';
|
||||
} else {
|
||||
/* If it's a in_redir, expect target port */
|
||||
if (!(s = strtok(NULL, " \t"))) {
|
||||
fprintf(stderr, "missing fields (destination port)\n");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (strcasecmp(s, "port")) {
|
||||
fprintf(stderr, "missing fields (port)\n");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (!(s = strtok(NULL, " \t"))) {
|
||||
fprintf(stderr, "missing fields (destination port)\n");
|
||||
return NULL;
|
||||
}
|
||||
tport = s;
|
||||
}
|
||||
|
||||
|
||||
if (*snetm == '/')
|
||||
*snetm++ = '\0';
|
||||
|
||||
if (ipn.in_redir == NAT_MAP) {
|
||||
ipn.in_inip = hostnum(shost, &resolved);
|
||||
if (resolved == -1)
|
||||
return NULL;
|
||||
ipn.in_inmsk = hostmask(snetm);
|
||||
ipn.in_outip = hostnum(dhost, &resolved);
|
||||
if (resolved == -1)
|
||||
return NULL;
|
||||
ipn.in_outmsk = hostmask(dnetm);
|
||||
} else {
|
||||
ipn.in_inip = hostnum(dhost, &resolved); /* Inside is target */
|
||||
if (resolved == -1)
|
||||
return NULL;
|
||||
ipn.in_inmsk = hostmask("255.255.255.255");
|
||||
ipn.in_outip = hostnum(shost, &resolved);
|
||||
if (resolved == -1)
|
||||
return NULL;
|
||||
ipn.in_outmsk = hostmask(snetm);
|
||||
if (!(s = strtok(NULL, " \t"))) {
|
||||
ipn.in_flags = IPN_TCP; /* XXX- TCP only by default */
|
||||
proto = "tcp";
|
||||
} else {
|
||||
if (!strcasecmp(s, "tcp"))
|
||||
ipn.in_flags = IPN_TCP;
|
||||
else if (!strcasecmp(s, "udp"))
|
||||
ipn.in_flags = IPN_UDP;
|
||||
else if (!strcasecmp(s, "tcp/udp"))
|
||||
ipn.in_flags = IPN_TCPUDP;
|
||||
else if (!strcasecmp(s, "tcpudp"))
|
||||
ipn.in_flags = IPN_TCPUDP;
|
||||
else {
|
||||
fprintf(stderr,
|
||||
"expected protocol - got \"%s\"\n", s);
|
||||
return NULL;
|
||||
}
|
||||
proto = s;
|
||||
if ((s = strtok(NULL, " \t"))) {
|
||||
fprintf(stderr,
|
||||
"extra junk at the end of rdr: %s\n",
|
||||
s);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
ipn.in_pmin = portnum(dport, proto); /* dest port */
|
||||
ipn.in_pmax = ipn.in_pmin; /* NECESSARY of removing nats */
|
||||
ipn.in_pnext = portnum(tport, proto); /* target port */
|
||||
s = NULL; /* That's all she wrote! */
|
||||
}
|
||||
if (!s)
|
||||
return &ipn;
|
||||
if (strcasecmp(s, "portmap")) {
|
||||
fprintf(stderr, "expected \"portmap\" - got \"%s\"\n", s);
|
||||
return NULL;
|
||||
}
|
||||
if (!(s = strtok(NULL, " \t")))
|
||||
return NULL;
|
||||
if (!strcasecmp(s, "tcp"))
|
||||
ipn.in_flags = IPN_TCP;
|
||||
else if (!strcasecmp(s, "udp"))
|
||||
ipn.in_flags = IPN_UDP;
|
||||
else if (!strcasecmp(s, "tcpudp"))
|
||||
ipn.in_flags = IPN_TCPUDP;
|
||||
else if (!strcasecmp(s, "tcp/udp"))
|
||||
ipn.in_flags = IPN_TCPUDP;
|
||||
else {
|
||||
fprintf(stderr, "expected protocol name - got \"%s\"\n", s);
|
||||
return NULL;
|
||||
}
|
||||
proto = s;
|
||||
if (!(s = strtok(NULL, " \t"))) {
|
||||
fprintf(stderr, "no port range found\n");
|
||||
return NULL;
|
||||
}
|
||||
if (!(t = strchr(s, ':'))) {
|
||||
fprintf(stderr, "no port range in \"%s\"\n", s);
|
||||
return NULL;
|
||||
}
|
||||
*t++ = '\0';
|
||||
ipn.in_pmin = portnum(s, proto);
|
||||
ipn.in_pmax = portnum(t, proto);
|
||||
return &ipn;
|
||||
}
|
||||
|
||||
|
||||
void parsefile(fd, file, opts)
|
||||
int fd;
|
||||
char *file;
|
||||
int opts;
|
||||
{
|
||||
char line[512], *s;
|
||||
ipnat_t *np;
|
||||
FILE *fp;
|
||||
int linenum = 1;
|
||||
|
||||
if (strcmp(file, "-"))
|
||||
fp = fopen(file, "r");
|
||||
else
|
||||
fp = stdin;
|
||||
|
||||
while (fgets(line, sizeof(line) - 1, fp)) {
|
||||
line[sizeof(line) - 1] = '\0';
|
||||
if ((s = strchr(line, '\n')))
|
||||
*s = '\0';
|
||||
if (!(np = parse(line))) {
|
||||
if (*line)
|
||||
fprintf(stderr, "%d: syntax error in \"%s\"\n",
|
||||
linenum, line);
|
||||
} else if (!(opts & OPT_NODO)) {
|
||||
if ((opts & OPT_VERBOSE) && np)
|
||||
printnat(np, opts & OPT_VERBOSE, NULL);
|
||||
if (opts & OPT_REM) {
|
||||
if (ioctl(fd, SIOCADNAT, np) == -1)
|
||||
perror("ioctl(SIOCADNAT)");
|
||||
} else if (ioctl(fd, SIOCRMNAT, np) == -1)
|
||||
perror("ioctl(SIOCRMNAT)");
|
||||
}
|
||||
linenum++;
|
||||
}
|
||||
fclose(stdin);
|
||||
}
|
||||
|
||||
|
||||
void flushtable(fd, opts)
|
||||
int fd, opts;
|
||||
{
|
||||
int n = 0;
|
||||
|
||||
if (opts & OPT_FLUSH) {
|
||||
n = 0;
|
||||
if (!(opts & OPT_NODO) && ioctl(fd, SIOCFLNAT, &n) == -1)
|
||||
perror("ioctl(SIOCFLNAT)");
|
||||
else
|
||||
printf("%d entries flushed from NAT table\n", n);
|
||||
}
|
||||
|
||||
if (opts & OPT_CLEAR) {
|
||||
n = 0;
|
||||
if (!(opts & OPT_NODO) && ioctl(fd, SIOCCNATL, &n) == -1)
|
||||
perror("ioctl(SIOCCNATL)");
|
||||
else
|
||||
printf("%d entries flushed from NAT list\n", n);
|
||||
}
|
||||
}
|
63
contrib/ipfilter/ipsd/Makefile
Normal file
63
contrib/ipfilter/ipsd/Makefile
Normal file
@ -0,0 +1,63 @@
|
||||
#
|
||||
# (C)opyright 1993-1996 by Darren Reed.
|
||||
#
|
||||
# This code may be freely distributed as long as it retains this notice
|
||||
# and is not changed in any way. The author accepts no responsibility
|
||||
# for the use of this software. I hate legaleese, don't you ?
|
||||
#
|
||||
OBJS=ipsd.o
|
||||
BINDEST=/usr/local/bin
|
||||
SBINDEST=/sbin
|
||||
MANDIR=/usr/share/man
|
||||
BPF=sbpf.o
|
||||
NIT=snit.o
|
||||
SUNOS4=
|
||||
BSD=
|
||||
LINUX=slinux.o
|
||||
SUNOS5=dlcommon.o sdlpi.o
|
||||
|
||||
CC=gcc
|
||||
CFLAGS=-g -I..
|
||||
|
||||
all:
|
||||
@echo "Use one of these targets:"
|
||||
@echo " sunos4-nit (standard SunOS 4.1.x)"
|
||||
@echo " sunos4-bpf (SunOS4.1.x with BPF in the kernel)"
|
||||
@echo " bsd-bpf (4.4BSD variant with BPF in the kernel)"
|
||||
@echo " linux (Linux kernels)"
|
||||
@echo " sunos5 (Solaris 2.x)"
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) -c $< -o $@
|
||||
|
||||
ipsdr: ipsdr.o
|
||||
$(CC) ipsdr.o -o $@ $(LIBS)
|
||||
|
||||
bpf sunos4-bpf :
|
||||
make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
|
||||
"CFLAGS=$(CFLAGS)"
|
||||
|
||||
nit sunos4 sunos4-nit :
|
||||
make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \
|
||||
"CFLAGS=$(CFLAGS)"
|
||||
|
||||
sunos5 :
|
||||
make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \
|
||||
CFLAGS="$(CFLAGS) -Dsolaris" "LIBS=-lsocket -lnsl"
|
||||
|
||||
bsd-bpf :
|
||||
make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \
|
||||
"CFLAGS=$(CFLAGS)"
|
||||
|
||||
linux :
|
||||
make ipsd "OBJS=$(OBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \
|
||||
CFLAGS="$(CFLAGS) -I /usr/src/linux"
|
||||
|
||||
ipsd: $(OBJS) $(UNIXOBJS)
|
||||
$(CC) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS)
|
||||
|
||||
../ipft_sn.o ../ipft_pc.o:
|
||||
(cd ..; make $(@:../%=%))
|
||||
|
||||
clean:
|
||||
rm -rf *.o core a.out ipsd ipsdr
|
32
contrib/ipfilter/ipsd/README
Normal file
32
contrib/ipfilter/ipsd/README
Normal file
@ -0,0 +1,32 @@
|
||||
|
||||
IP Scan Detetor.
|
||||
----------------
|
||||
|
||||
This program is designed to be a passive listener for TCP packets sent to
|
||||
the host. It does not exercise the promiscous mode of interfaces. For
|
||||
routing Unix boxes (and firewalls which route/proxy) this is sufficient to
|
||||
detect all packets going to/through them.
|
||||
|
||||
Upon compiling, a predefined set of "sensitive" ports are configured into
|
||||
the program. Any TCP packets which are seen sent to these ports are counted
|
||||
and the IP# of the sending host recorded, along with the time of the first
|
||||
packet to that port for that IP#.
|
||||
|
||||
After a given number of "hits", it will write the current table of packets
|
||||
out to disk. This number defaults to 10,000.
|
||||
|
||||
To analyze the information written to disk, a sample program called "ipsdr"
|
||||
is used (should but doesn't implement a tree algorithm for storing data)
|
||||
which reads all log files it recognises and totals up the number of ports
|
||||
each host hit. By default, all ports have the same weighting (1). Another
|
||||
group of passes is then made over this table using a netmask of 0xfffffffe,
|
||||
grouping all results which fall under the same resulting IP#. This netmask
|
||||
is then shrunk back to 0, with a output for each level given. This is aimed
|
||||
at detecting port scans done from different hosts on the same subnet (although
|
||||
I've not seen this done, if one was trying to do it obscurely...)
|
||||
|
||||
Lastly, being passive means that no action is taken to stop port scans being
|
||||
done or discourage them.
|
||||
|
||||
Darren
|
||||
darrenr@cyber.com.au
|
201
contrib/ipfilter/ipsd/ip_compat.h
Normal file
201
contrib/ipfilter/ipsd/ip_compat.h
Normal file
@ -0,0 +1,201 @@
|
||||
/*
|
||||
* (C)opyright 1995 by Darren Reed.
|
||||
*
|
||||
* This code may be freely distributed as long as it retains this notice
|
||||
* and is not changed in any way. The author accepts no responsibility
|
||||
* for the use of this software. I hate legaleese, don't you ?
|
||||
*
|
||||
* @(#)ip_compat.h 1.1 9/14/95
|
||||
*/
|
||||
|
||||
/*
|
||||
* These #ifdef's are here mainly for linux, but who knows, they may
|
||||
* not be in other places or maybe one day linux will grow up and some
|
||||
* of these will turn up there too.
|
||||
*/
|
||||
#ifndef ICMP_UNREACH
|
||||
# define ICMP_UNREACH ICMP_DEST_UNREACH
|
||||
#endif
|
||||
#ifndef ICMP_SOURCEQUENCH
|
||||
# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH
|
||||
#endif
|
||||
#ifndef ICMP_TIMXCEED
|
||||
# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED
|
||||
#endif
|
||||
#ifndef ICMP_PARAMPROB
|
||||
# define ICMP_PARAMPROB ICMP_PARAMETERPROB
|
||||
#endif
|
||||
#ifndef IPVERSION
|
||||
# define IPVERSION 4
|
||||
#endif
|
||||
#ifndef IPOPT_MINOFF
|
||||
# define IPOPT_MINOFF 4
|
||||
#endif
|
||||
#ifndef IPOPT_COPIED
|
||||
# define IPOPT_COPIED(x) ((x)&0x80)
|
||||
#endif
|
||||
#ifndef IPOPT_EOL
|
||||
# define IPOPT_EOL 0
|
||||
#endif
|
||||
#ifndef IPOPT_NOP
|
||||
# define IPOPT_NOP 1
|
||||
#endif
|
||||
#ifndef IP_MF
|
||||
# define IP_MF ((u_short)0x2000)
|
||||
#endif
|
||||
#ifndef ETHERTYPE_IP
|
||||
# define ETHERTYPE_IP ((u_short)0x0800)
|
||||
#endif
|
||||
#ifndef TH_FIN
|
||||
# define TH_FIN 0x01
|
||||
#endif
|
||||
#ifndef TH_SYN
|
||||
# define TH_SYN 0x02
|
||||
#endif
|
||||
#ifndef TH_RST
|
||||
# define TH_RST 0x04
|
||||
#endif
|
||||
#ifndef TH_PUSH
|
||||
# define TH_PUSH 0x08
|
||||
#endif
|
||||
#ifndef TH_ACK
|
||||
# define TH_ACK 0x10
|
||||
#endif
|
||||
#ifndef TH_URG
|
||||
# define TH_URG 0x20
|
||||
#endif
|
||||
#ifndef IPOPT_EOL
|
||||
# define IPOPT_EOL 0
|
||||
#endif
|
||||
#ifndef IPOPT_NOP
|
||||
# define IPOPT_NOP 1
|
||||
#endif
|
||||
#ifndef IPOPT_RR
|
||||
# define IPOPT_RR 7
|
||||
#endif
|
||||
#ifndef IPOPT_TS
|
||||
# define IPOPT_TS 68
|
||||
#endif
|
||||
#ifndef IPOPT_SECURITY
|
||||
# define IPOPT_SECURITY 130
|
||||
#endif
|
||||
#ifndef IPOPT_LSRR
|
||||
# define IPOPT_LSRR 131
|
||||
#endif
|
||||
#ifndef IPOPT_SATID
|
||||
# define IPOPT_SATID 136
|
||||
#endif
|
||||
#ifndef IPOPT_SSRR
|
||||
# define IPOPT_SSRR 137
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_UNCLASS
|
||||
# define IPOPT_SECUR_UNCLASS ((u_short)0x0000)
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_CONFID
|
||||
# define IPOPT_SECUR_CONFID ((u_short)0xf135)
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_EFTO
|
||||
# define IPOPT_SECUR_EFTO ((u_short)0x789a)
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_MMMM
|
||||
# define IPOPT_SECUR_MMMM ((u_short)0xbc4d)
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_RESTR
|
||||
# define IPOPT_SECUR_RESTR ((u_short)0xaf13)
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_SECRET
|
||||
# define IPOPT_SECUR_SECRET ((u_short)0xd788)
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_TOPSECRET
|
||||
# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5)
|
||||
#endif
|
||||
|
||||
#ifdef linux
|
||||
# define icmp icmphdr
|
||||
# define icmp_type type
|
||||
# define icmp_code code
|
||||
|
||||
/*
|
||||
* From /usr/include/netinet/ip_var.h
|
||||
* !%@#!$@# linux...
|
||||
*/
|
||||
struct ipovly {
|
||||
caddr_t ih_next, ih_prev; /* for protocol sequence q's */
|
||||
u_char ih_x1; /* (unused) */
|
||||
u_char ih_pr; /* protocol */
|
||||
short ih_len; /* protocol length */
|
||||
struct in_addr ih_src; /* source internet address */
|
||||
struct in_addr ih_dst; /* destination internet address */
|
||||
};
|
||||
|
||||
typedef struct {
|
||||
__u16 th_sport;
|
||||
__u16 th_dport;
|
||||
__u32 th_seq;
|
||||
__u32 th_ack;
|
||||
# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
|
||||
defined(vax)
|
||||
__u8 th_res:4;
|
||||
__u8 th_off:4;
|
||||
#else
|
||||
__u8 th_off:4;
|
||||
__u8 th_res:4;
|
||||
#endif
|
||||
__u8 th_flags;
|
||||
__u16 th_win;
|
||||
__u16 th_sum;
|
||||
__u16 th_urp;
|
||||
} tcphdr_t;
|
||||
|
||||
typedef struct {
|
||||
__u16 uh_sport;
|
||||
__u16 uh_dport;
|
||||
__s16 uh_ulen;
|
||||
__u16 uh_sum;
|
||||
} udphdr_t;
|
||||
|
||||
typedef struct {
|
||||
# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
|
||||
defined(vax)
|
||||
__u8 ip_hl:4;
|
||||
__u8 ip_v:4;
|
||||
# else
|
||||
__u8 ip_hl:4;
|
||||
__u8 ip_v:4;
|
||||
# endif
|
||||
__u8 ip_tos;
|
||||
__u16 ip_len;
|
||||
__u16 ip_id;
|
||||
__u16 ip_off;
|
||||
__u8 ip_ttl;
|
||||
__u8 ip_p;
|
||||
__u16 ip_sum;
|
||||
struct in_addr ip_src;
|
||||
struct in_addr ip_dst;
|
||||
} ip_t;
|
||||
|
||||
typedef struct {
|
||||
__u8 ether_dhost[6];
|
||||
__u8 ether_shost[6];
|
||||
__u16 ether_type;
|
||||
} ether_header_t;
|
||||
|
||||
# define bcopy(a,b,c) memmove(b,a,c)
|
||||
# define bcmp(a,b,c) memcmp(a,b,c)
|
||||
|
||||
# define ifnet device
|
||||
|
||||
#else
|
||||
|
||||
typedef struct udphdr udphdr_t;
|
||||
typedef struct tcphdr tcphdr_t;
|
||||
typedef struct ip ip_t;
|
||||
typedef struct ether_header ether_header_t;
|
||||
|
||||
#endif
|
||||
|
||||
#ifdef solaris
|
||||
# define bcopy(a,b,c) memmove(b,a,c)
|
||||
# define bcmp(a,b,c) memcmp(a,b,c)
|
||||
# define bzero(a,b) memset(a,0,b)
|
||||
#endif
|
297
contrib/ipfilter/ipsd/ipsd.c
Normal file
297
contrib/ipfilter/ipsd/ipsd.c
Normal file
@ -0,0 +1,297 @@
|
||||
/*
|
||||
* (C)opyright December 1995 Darren Reed.
|
||||
*
|
||||
* This software may be freely distributed as long as it is not altered
|
||||
* in any way and that this messagge always accompanies it.
|
||||
*
|
||||
* The author of this software makes no garuntee about the
|
||||
* performance of this package or its suitability to fulfill any purpose.
|
||||
*
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <fcntl.h>
|
||||
#include <signal.h>
|
||||
#include <stdlib.h>
|
||||
#include <netdb.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#ifndef linux
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#endif
|
||||
#include "ip_compat.h"
|
||||
#ifdef linux
|
||||
#include <linux/sockios.h>
|
||||
#include "tcpip.h"
|
||||
#endif
|
||||
#include "ipsd.h"
|
||||
|
||||
#ifndef lint
|
||||
static char sccsid[] = "@(#)ipsd.c 1.3 12/3/95 (C)1995 Darren Reed";
|
||||
#endif
|
||||
|
||||
extern char *optarg;
|
||||
extern int optind;
|
||||
|
||||
#ifdef linux
|
||||
char default_device[] = "eth0";
|
||||
#else
|
||||
# ifdef sun
|
||||
char default_device[] = "le0";
|
||||
# else
|
||||
# ifdef ultrix
|
||||
char default_device[] = "ln0";
|
||||
# else
|
||||
char default_device[] = "lan0";
|
||||
# endif
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#define NPORTS 21
|
||||
|
||||
u_short defports[NPORTS] = {
|
||||
7, 9, 20, 21, 23, 25, 53, 69, 79, 111,
|
||||
123, 161, 162, 512, 513, 514, 515, 520, 540, 6000, 0
|
||||
};
|
||||
|
||||
ipsd_t *iphits[NPORTS];
|
||||
int writes = 0;
|
||||
|
||||
|
||||
int ipcmp(sh1, sh2)
|
||||
sdhit_t *sh1, *sh2;
|
||||
{
|
||||
return sh1->sh_ip.s_addr - sh2->sh_ip.s_addr;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Check to see if we've already received a packet from this host for this
|
||||
* port.
|
||||
*/
|
||||
int findhit(ihp, src, dport)
|
||||
ipsd_t *ihp;
|
||||
struct in_addr src;
|
||||
u_short dport;
|
||||
{
|
||||
int i, j, k;
|
||||
sdhit_t *sh;
|
||||
|
||||
sh = NULL;
|
||||
|
||||
if (ihp->sd_sz == 4) {
|
||||
for (i = 0, sh = ihp->sd_hit; i < ihp->sd_cnt; i++, sh++)
|
||||
if (src.s_addr == sh->sh_ip.s_addr)
|
||||
return 1;
|
||||
} else {
|
||||
for (i = ihp->sd_cnt / 2, j = (i / 2) - 1; j >= 0; j--) {
|
||||
k = ihp->sd_hit[i].sh_ip.s_addr - src.s_addr;
|
||||
if (!k)
|
||||
return 1;
|
||||
else if (k < 0)
|
||||
i -= j;
|
||||
else
|
||||
i += j;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Search for port number amongst the sorted array of targets we're
|
||||
* interested in.
|
||||
*/
|
||||
int detect(ip, tcp)
|
||||
ip_t *ip;
|
||||
tcphdr_t *tcp;
|
||||
{
|
||||
ipsd_t *ihp;
|
||||
sdhit_t *sh;
|
||||
int i, j, k;
|
||||
|
||||
for (i = 10, j = 4; j >= 0; j--) {
|
||||
k = tcp->th_dport - defports[i];
|
||||
if (!k) {
|
||||
ihp = iphits[i];
|
||||
if (findhit(ihp, ip->ip_src, tcp->th_dport))
|
||||
return 0;
|
||||
sh = ihp->sd_hit + ihp->sd_cnt;
|
||||
sh->sh_date = time(NULL);
|
||||
sh->sh_ip.s_addr = ip->ip_src.s_addr;
|
||||
if (++ihp->sd_cnt == ihp->sd_sz)
|
||||
{
|
||||
ihp->sd_sz += 8;
|
||||
sh = realloc(sh, ihp->sd_sz * sizeof(*sh));
|
||||
ihp->sd_hit = sh;
|
||||
}
|
||||
qsort(sh, ihp->sd_cnt, sizeof(*sh), ipcmp);
|
||||
return 0;
|
||||
}
|
||||
if (k < 0)
|
||||
i -= j;
|
||||
else
|
||||
i += j;
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Allocate initial storage for hosts
|
||||
*/
|
||||
setuphits()
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < NPORTS; i++) {
|
||||
if (iphits[i]) {
|
||||
if (iphits[i]->sd_hit)
|
||||
free(iphits[i]->sd_hit);
|
||||
free(iphits[i]);
|
||||
}
|
||||
iphits[i] = (ipsd_t *)malloc(sizeof(ipsd_t));
|
||||
iphits[i]->sd_port = defports[i];
|
||||
iphits[i]->sd_cnt = 0;
|
||||
iphits[i]->sd_sz = 4;
|
||||
iphits[i]->sd_hit = (sdhit_t *)malloc(sizeof(sdhit_t) * 4);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* cleanup exits
|
||||
*/
|
||||
waiter()
|
||||
{
|
||||
wait(0);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Write statistics out to a file
|
||||
*/
|
||||
writestats(nwrites)
|
||||
int nwrites;
|
||||
{
|
||||
ipsd_t **ipsd, *ips;
|
||||
char fname[32];
|
||||
int i, fd;
|
||||
|
||||
(void) sprintf(fname, "/var/log/ipsd/ipsd-hits.%d", nwrites);
|
||||
fd = open(fname, O_RDWR|O_CREAT|O_TRUNC|O_EXCL, 0644);
|
||||
for (i = 0, ipsd = iphits; i < NPORTS; i++, ipsd++) {
|
||||
ips = *ipsd;
|
||||
if (ips->sd_cnt) {
|
||||
write(fd, ips, sizeof(ipsd_t));
|
||||
write(fd, ips->sd_hit, sizeof(sdhit_t) * ips->sd_sz);
|
||||
}
|
||||
}
|
||||
(void) close(fd);
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
||||
void writenow()
|
||||
{
|
||||
signal(SIGCHLD, waiter);
|
||||
switch (fork())
|
||||
{
|
||||
case 0 :
|
||||
writestats(writes);
|
||||
exit(0);
|
||||
case -1 :
|
||||
perror("vfork");
|
||||
break;
|
||||
default :
|
||||
writes++;
|
||||
setuphits();
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void usage(prog)
|
||||
char *prog;
|
||||
{
|
||||
fprintf(stderr, "Usage: %s [-d device]\n", prog);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
void detecthits(fd, writecount)
|
||||
int fd, writecount;
|
||||
{
|
||||
struct in_addr ip;
|
||||
int hits = 0;
|
||||
|
||||
while (1) {
|
||||
hits += readloop(fd, ip);
|
||||
if (hits > writecount) {
|
||||
writenow();
|
||||
hits = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
main(argc, argv)
|
||||
int argc;
|
||||
char *argv[];
|
||||
{
|
||||
char c, *name = argv[0], *dev = NULL;
|
||||
int fd, writeafter = 10000, angelic = 0;
|
||||
|
||||
while ((c = getopt(argc, argv, "ad:n:")) != -1)
|
||||
switch (c)
|
||||
{
|
||||
case 'a' :
|
||||
angelic = 1;
|
||||
break;
|
||||
case 'd' :
|
||||
dev = optarg;
|
||||
break;
|
||||
case 'n' :
|
||||
writeafter = atoi(optarg);
|
||||
break;
|
||||
default :
|
||||
fprintf(stderr, "Unknown option \"%c\"\n", c);
|
||||
usage(name);
|
||||
}
|
||||
|
||||
bzero(iphits, sizeof(iphits));
|
||||
setuphits();
|
||||
|
||||
if (!dev)
|
||||
dev = default_device;
|
||||
printf("Device: %s\n", dev);
|
||||
fd = initdevice(dev, 60);
|
||||
|
||||
if (!angelic) {
|
||||
switch (fork())
|
||||
{
|
||||
case 0 :
|
||||
(void) close(0);
|
||||
(void) close(1);
|
||||
(void) close(2);
|
||||
(void) setpgrp(0, getpgrp());
|
||||
(void) setsid();
|
||||
break;
|
||||
case -1:
|
||||
perror("fork");
|
||||
exit(-1);
|
||||
default:
|
||||
exit(0);
|
||||
}
|
||||
}
|
||||
signal(SIGUSR1, writenow);
|
||||
detecthits(fd, writeafter);
|
||||
}
|
30
contrib/ipfilter/ipsd/ipsd.h
Normal file
30
contrib/ipfilter/ipsd/ipsd.h
Normal file
@ -0,0 +1,30 @@
|
||||
/*
|
||||
* (C)opyright December 1995 Darren Reed.
|
||||
*
|
||||
* This software may be freely distributed as long as it is not altered
|
||||
* in any way and that this messagge always accompanies it.
|
||||
*
|
||||
* The author of this software makes no garuntee about the
|
||||
* performance of this package or its suitability to fulfill any purpose.
|
||||
*
|
||||
* @(#)ipsd.h 1.3 12/3/95
|
||||
*/
|
||||
|
||||
typedef struct {
|
||||
time_t sh_date;
|
||||
struct in_addr sh_ip;
|
||||
} sdhit_t;
|
||||
|
||||
typedef struct {
|
||||
u_int sd_sz;
|
||||
u_int sd_cnt;
|
||||
u_short sd_port;
|
||||
sdhit_t *sd_hit;
|
||||
} ipsd_t;
|
||||
|
||||
typedef struct {
|
||||
struct in_addr ss_ip;
|
||||
int ss_hits;
|
||||
u_long ss_ports;
|
||||
} ipss_t;
|
||||
|
315
contrib/ipfilter/ipsd/ipsdr.c
Normal file
315
contrib/ipfilter/ipsd/ipsdr.c
Normal file
@ -0,0 +1,315 @@
|
||||
/*
|
||||
* (C)opyright December 1995 Darren Reed.
|
||||
*
|
||||
* This software may be freely distributed as long as it is not altered
|
||||
* in any way and that this messagge always accompanies it.
|
||||
*
|
||||
* The author of this software makes no garuntee about the
|
||||
* performance of this package or its suitability to fulfill any purpose.
|
||||
*
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <fcntl.h>
|
||||
#include <signal.h>
|
||||
#include <malloc.h>
|
||||
#include <netdb.h>
|
||||
#include <string.h>
|
||||
#include <sys/dir.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#ifndef linux
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#endif
|
||||
#include "ip_compat.h"
|
||||
#ifdef linux
|
||||
#include <linux/sockios.h>
|
||||
#include "tcpip.h"
|
||||
#endif
|
||||
#include "ipsd.h"
|
||||
|
||||
#ifndef lint
|
||||
static char sccsid[] = "@(#)ipsdr.c 1.3 12/3/95 (C)1995 Darren Reed";
|
||||
#endif
|
||||
|
||||
extern char *optarg;
|
||||
extern int optind;
|
||||
|
||||
#define NPORTS 21
|
||||
|
||||
u_short defports[NPORTS] = {
|
||||
7, 9, 20, 21, 23, 25, 53, 69, 79, 111,
|
||||
123, 161, 162, 512, 513, 513, 515, 520, 540, 6000, 0
|
||||
};
|
||||
u_short pweights[NPORTS] = {
|
||||
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
|
||||
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
|
||||
};
|
||||
|
||||
ipsd_t *iphits[NPORTS];
|
||||
int pkts;
|
||||
|
||||
|
||||
int ipcmp(sh1, sh2)
|
||||
sdhit_t *sh1, *sh2;
|
||||
{
|
||||
return sh1->sh_ip.s_addr - sh2->sh_ip.s_addr;
|
||||
}
|
||||
|
||||
|
||||
int ssipcmp(sh1, sh2)
|
||||
ipss_t *sh1, *sh2;
|
||||
{
|
||||
return sh1->ss_ip.s_addr - sh2->ss_ip.s_addr;
|
||||
}
|
||||
|
||||
|
||||
int countpbits(num)
|
||||
u_long num;
|
||||
{
|
||||
int i, j;
|
||||
|
||||
for (i = 1, j = 0; i; i <<= 1)
|
||||
if (num & i)
|
||||
j++;
|
||||
return j;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Check to see if we've already received a packet from this host for this
|
||||
* port.
|
||||
*/
|
||||
int findhit(ihp, src, dport)
|
||||
ipsd_t *ihp;
|
||||
struct in_addr src;
|
||||
u_short dport;
|
||||
{
|
||||
int i, j, k;
|
||||
sdhit_t *sh;
|
||||
|
||||
sh = NULL;
|
||||
|
||||
if (ihp->sd_sz == 4) {
|
||||
for (i = 0, sh = ihp->sd_hit; i < ihp->sd_cnt; i++, sh++)
|
||||
if (src.s_addr == sh->sh_ip.s_addr)
|
||||
return 1;
|
||||
} else {
|
||||
for (i = ihp->sd_cnt / 2, j = (i / 2) - 1; j >= 0; j--) {
|
||||
k = ihp->sd_hit[i].sh_ip.s_addr - src.s_addr;
|
||||
if (!k)
|
||||
return 1;
|
||||
else if (k < 0)
|
||||
i -= j;
|
||||
else
|
||||
i += j;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Search for port number amongst the sorted array of targets we're
|
||||
* interested in.
|
||||
*/
|
||||
int detect(srcip, dport, date)
|
||||
struct in_addr srcip;
|
||||
u_short dport;
|
||||
time_t date;
|
||||
{
|
||||
ipsd_t *ihp;
|
||||
sdhit_t *sh;
|
||||
int i, j, k;
|
||||
|
||||
for (i = 10, j = 4; j >= 0; j--) {
|
||||
k = dport - defports[i];
|
||||
if (!k) {
|
||||
ihp = iphits[i];
|
||||
if (findhit(ihp, srcip, dport))
|
||||
return 0;
|
||||
sh = ihp->sd_hit + ihp->sd_cnt;
|
||||
sh->sh_date = date;
|
||||
sh->sh_ip = srcip;
|
||||
if (++ihp->sd_cnt == ihp->sd_sz)
|
||||
{
|
||||
ihp->sd_sz += 8;
|
||||
sh = realloc(sh, ihp->sd_sz * sizeof(*sh));
|
||||
ihp->sd_hit = sh;
|
||||
}
|
||||
qsort(sh, ihp->sd_cnt, sizeof(*sh), ipcmp);
|
||||
return 0;
|
||||
}
|
||||
if (k < 0)
|
||||
i -= j;
|
||||
else
|
||||
i += j;
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Allocate initial storage for hosts
|
||||
*/
|
||||
setuphits()
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < NPORTS; i++) {
|
||||
if (iphits[i]) {
|
||||
if (iphits[i]->sd_hit)
|
||||
free(iphits[i]->sd_hit);
|
||||
free(iphits[i]);
|
||||
}
|
||||
iphits[i] = (ipsd_t *)malloc(sizeof(ipsd_t));
|
||||
iphits[i]->sd_port = defports[i];
|
||||
iphits[i]->sd_cnt = 0;
|
||||
iphits[i]->sd_sz = 4;
|
||||
iphits[i]->sd_hit = (sdhit_t *)malloc(sizeof(sdhit_t) * 4);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Write statistics out to a file
|
||||
*/
|
||||
addfile(file)
|
||||
char *file;
|
||||
{
|
||||
ipsd_t ipsd, *ips = &ipsd;
|
||||
sdhit_t hit, *hp;
|
||||
char fname[32];
|
||||
int i, fd, sz;
|
||||
|
||||
if ((fd = open(file, O_RDONLY)) == -1) {
|
||||
perror("open");
|
||||
return;
|
||||
}
|
||||
|
||||
printf("opened %s\n", file);
|
||||
do {
|
||||
if (read(fd, ips, sizeof(*ips)) != sizeof(*ips))
|
||||
break;
|
||||
sz = ips->sd_sz * sizeof(*hp);
|
||||
hp = (sdhit_t *)malloc(sz);
|
||||
if (read(fd, hp, sz) != sz)
|
||||
break;
|
||||
for (i = 0; i < ips->sd_cnt; i++)
|
||||
detect(hp[i].sh_ip, ips->sd_port, hp[i].sh_date);
|
||||
} while (1);
|
||||
(void) close(fd);
|
||||
}
|
||||
|
||||
|
||||
readfiles(dir)
|
||||
char *dir;
|
||||
{
|
||||
struct direct **d;
|
||||
int i, j;
|
||||
|
||||
d = NULL;
|
||||
i = scandir(dir, &d, NULL, NULL);
|
||||
|
||||
for (j = 0; j < i; j++) {
|
||||
if (strncmp(d[j]->d_name, "ipsd-hits.", 10))
|
||||
continue;
|
||||
addfile(d[j]->d_name);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
void printreport(ss, num)
|
||||
ipss_t *ss;
|
||||
int num;
|
||||
{
|
||||
struct in_addr ip;
|
||||
ipss_t *sp;
|
||||
int i, j, mask;
|
||||
u_long ports;
|
||||
|
||||
printf("Hosts detected: %d\n", num);
|
||||
if (!num)
|
||||
return;
|
||||
for (i = 0; i < num; i++)
|
||||
printf("%s %d %d\n", inet_ntoa(ss[i].ss_ip), ss[i].ss_hits,
|
||||
countpbits(ss[i].ss_ports));
|
||||
|
||||
printf("--------------------------\n");
|
||||
for (mask = 0xfffffffe, j = 32; j; j--, mask <<= 1) {
|
||||
ip.s_addr = ss[0].ss_ip.s_addr & mask;
|
||||
ports = ss[0].ss_ports;
|
||||
for (i = 1; i < num; i++) {
|
||||
sp = ss + i;
|
||||
if (ip.s_addr != (sp->ss_ip.s_addr & mask)) {
|
||||
printf("Netmask: 0x%08x\n", mask);
|
||||
printf("%s %d\n", inet_ntoa(ip),
|
||||
countpbits(ports));
|
||||
ip.s_addr = sp->ss_ip.s_addr & mask;
|
||||
ports = 0;
|
||||
}
|
||||
ports |= sp->ss_ports;
|
||||
}
|
||||
if (ports) {
|
||||
printf("Netmask: 0x%08x\n", mask);
|
||||
printf("%s %d\n", inet_ntoa(ip), countpbits(ports));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
collectips()
|
||||
{
|
||||
ipsd_t *ips;
|
||||
ipss_t *ss;
|
||||
int i, num, nip, in, j, k;
|
||||
|
||||
for (i = 0; i < NPORTS; i++)
|
||||
nip += iphits[i]->sd_cnt;
|
||||
|
||||
ss = (ipss_t *)malloc(sizeof(ipss_t) * nip);
|
||||
|
||||
for (in = 0, i = 0, num = 0; i < NPORTS; i++) {
|
||||
ips = iphits[i];
|
||||
for (j = 0; j < ips->sd_cnt; j++) {
|
||||
for (k = 0; k < num; k++)
|
||||
if (!bcmp(&ss[k].ss_ip, &ips->sd_hit[j].sh_ip,
|
||||
sizeof(struct in_addr))) {
|
||||
ss[k].ss_hits += pweights[i];
|
||||
ss[k].ss_ports |= (1 << i);
|
||||
break;
|
||||
}
|
||||
if (k == num) {
|
||||
ss[num].ss_ip = ips->sd_hit[j].sh_ip;
|
||||
ss[num].ss_hits = pweights[i];
|
||||
ss[k].ss_ports |= (1 << i);
|
||||
num++;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
qsort(ss, num, sizeof(*ss), ssipcmp);
|
||||
|
||||
printreport(ss, num);
|
||||
}
|
||||
|
||||
|
||||
main(argc, argv)
|
||||
int argc;
|
||||
char *argv[];
|
||||
{
|
||||
char c, *name = argv[0], *dir = NULL;
|
||||
int fd;
|
||||
|
||||
setuphits();
|
||||
dir = dir ? dir : ".";
|
||||
readfiles(dir);
|
||||
collectips();
|
||||
}
|
17
contrib/ipfilter/ipsd/linux.h
Normal file
17
contrib/ipfilter/ipsd/linux.h
Normal file
@ -0,0 +1,17 @@
|
||||
/*
|
||||
* (C)opyright 1995 by Darren Reed.
|
||||
*
|
||||
* This code may be freely distributed as long as it retains this notice
|
||||
* and is not changed in any way. The author accepts no responsibility
|
||||
* for the use of this software. I hate legaleese, don't you ?
|
||||
*
|
||||
* @(#)linux.h 1.1 8/19/95
|
||||
*/
|
||||
|
||||
#include <linux/config.h>
|
||||
#ifdef MODULE
|
||||
#include <linux/module.h>
|
||||
#include <linux/version.h>
|
||||
#endif /* MODULE */
|
||||
|
||||
#include "ip_compat.h"
|
195
contrib/ipfilter/ipsd/sbpf.c
Normal file
195
contrib/ipfilter/ipsd/sbpf.c
Normal file
@ -0,0 +1,195 @@
|
||||
/*
|
||||
* (C)opyright October 1995 Darren Reed. (from tcplog)
|
||||
*
|
||||
* This software may be freely distributed as long as it is not altered
|
||||
* in any way and that this messagge always accompanies it.
|
||||
*
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <ctype.h>
|
||||
#include <signal.h>
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/mbuf.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/timeb.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#if BSD < 199103
|
||||
#include <sys/fcntlcom.h>
|
||||
#endif
|
||||
#include <sys/dir.h>
|
||||
#include <net/bpf.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/if_ether.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/udp_var.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include "ip_compat.h"
|
||||
|
||||
#ifndef lint
|
||||
static char sbpf[] = "@(#)sbpf.c 1.2 12/3/95 (C)1995 Darren Reed";
|
||||
#endif
|
||||
|
||||
/*
|
||||
(000) ldh [12]
|
||||
(001) jeq #0x800 jt 2 jf 5
|
||||
(002) ldb [23]
|
||||
(003) jeq #0x6 jt 4 jf 5
|
||||
(004) ret #68
|
||||
(005) ret #0
|
||||
*/
|
||||
struct bpf_insn filter[] = {
|
||||
/* 0. */ { BPF_LD|BPF_H|BPF_ABS, 0, 0, 12 },
|
||||
/* 1. */ { BPF_JMP|BPF_JEQ, 0, 3, 0x0800 },
|
||||
/* 2. */ { BPF_LD|BPF_B|BPF_ABS, 0, 0, 23 },
|
||||
/* 3. */ { BPF_JMP|BPF_JEQ, 0, 1, 0x06 },
|
||||
/* 4. */ { BPF_RET, 0, 0, 68 },
|
||||
/* 5. */ { BPF_RET, 0, 0, 0 }
|
||||
};
|
||||
/*
|
||||
* the code herein is dervied from libpcap.
|
||||
*/
|
||||
static u_char *buf = NULL;
|
||||
static u_int bufsize = 32768, timeout = 1;
|
||||
|
||||
|
||||
int ack_recv(ep)
|
||||
char *ep;
|
||||
{
|
||||
struct tcpiphdr tip;
|
||||
tcphdr_t *tcp;
|
||||
ip_t *ip;
|
||||
|
||||
ip = (ip_t *)&tip;
|
||||
tcp = (tcphdr_t *)(ip + 1);
|
||||
bcopy(ep + 14, (char *)ip, sizeof(*ip));
|
||||
bcopy(ep + 14 + (ip->ip_hl << 2), (char *)tcp, sizeof(*tcp));
|
||||
if (ip->ip_p != IPPROTO_TCP && ip->ip_p != IPPROTO_UDP)
|
||||
return -1;
|
||||
if (ip->ip_p & 0x1fff != 0)
|
||||
return 0;
|
||||
if (0 == detect(ip, tcp))
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int readloop(fd, port, dst)
|
||||
int fd, port;
|
||||
struct in_addr dst;
|
||||
{
|
||||
register u_char *bp, *cp, *bufend;
|
||||
register struct bpf_hdr *bh;
|
||||
register int cc;
|
||||
time_t in = time(NULL);
|
||||
int done = 0;
|
||||
|
||||
while ((cc = read(fd, buf, bufsize)) >= 0) {
|
||||
if (!cc && (time(NULL) - in) > timeout)
|
||||
return done;
|
||||
bp = buf;
|
||||
bufend = buf + cc;
|
||||
/*
|
||||
* loop through each snapshot in the chunk
|
||||
*/
|
||||
while (bp < bufend) {
|
||||
bh = (struct bpf_hdr *)bp;
|
||||
cp = bp + bh->bh_hdrlen;
|
||||
done += ack_recv(cp);
|
||||
bp += BPF_WORDALIGN(bh->bh_caplen + bh->bh_hdrlen);
|
||||
}
|
||||
return done;
|
||||
}
|
||||
perror("read");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
int initdevice(device, tout)
|
||||
char *device;
|
||||
int tout;
|
||||
{
|
||||
struct bpf_program prog;
|
||||
struct bpf_version bv;
|
||||
struct timeval to;
|
||||
struct ifreq ifr;
|
||||
char bpfname[16];
|
||||
int fd, i;
|
||||
|
||||
for (i = 0; i < 16; i++)
|
||||
{
|
||||
(void) sprintf(bpfname, "/dev/bpf%d", i);
|
||||
if ((fd = open(bpfname, O_RDWR)) >= 0)
|
||||
break;
|
||||
}
|
||||
if (i == 16)
|
||||
{
|
||||
fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0)
|
||||
{
|
||||
perror("BIOCVERSION");
|
||||
return -1;
|
||||
}
|
||||
if (bv.bv_major != BPF_MAJOR_VERSION ||
|
||||
bv.bv_minor < BPF_MINOR_VERSION)
|
||||
{
|
||||
fprintf(stderr, "kernel bpf (v%d.%d) filter out of date:\n",
|
||||
bv.bv_major, bv.bv_minor);
|
||||
fprintf(stderr, "current version: %d.%d\n",
|
||||
BPF_MAJOR_VERSION, BPF_MINOR_VERSION);
|
||||
return -1;
|
||||
}
|
||||
|
||||
(void) strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
|
||||
if (ioctl(fd, BIOCSETIF, &ifr) == -1)
|
||||
{
|
||||
fprintf(stderr, "%s(%d):", ifr.ifr_name, fd);
|
||||
perror("BIOCSETIF");
|
||||
exit(1);
|
||||
}
|
||||
/*
|
||||
* set the timeout
|
||||
*/
|
||||
timeout = tout;
|
||||
to.tv_sec = 1;
|
||||
to.tv_usec = 0;
|
||||
if (ioctl(fd, BIOCSRTIMEOUT, (caddr_t)&to) == -1)
|
||||
{
|
||||
perror("BIOCSRTIMEOUT");
|
||||
exit(-1);
|
||||
}
|
||||
/*
|
||||
* get kernel buffer size
|
||||
*/
|
||||
if (ioctl(fd, BIOCSBLEN, &bufsize) == -1)
|
||||
perror("BIOCSBLEN");
|
||||
if (ioctl(fd, BIOCGBLEN, &bufsize) == -1)
|
||||
{
|
||||
perror("BIOCGBLEN");
|
||||
exit(-1);
|
||||
}
|
||||
printf("BPF buffer size: %d\n", bufsize);
|
||||
buf = (u_char*)malloc(bufsize);
|
||||
|
||||
prog.bf_len = sizeof(filter) / sizeof(struct bpf_insn);
|
||||
prog.bf_insns = filter;
|
||||
if (ioctl(fd, BIOCSETF, (caddr_t)&prog) == -1)
|
||||
{
|
||||
perror("BIOCSETF");
|
||||
exit(-1);
|
||||
}
|
||||
(void) ioctl(fd, BIOCFLUSH, 0);
|
||||
return fd;
|
||||
}
|
263
contrib/ipfilter/ipsd/sdlpi.c
Normal file
263
contrib/ipfilter/ipsd/sdlpi.c
Normal file
@ -0,0 +1,263 @@
|
||||
/*
|
||||
* (C)opyright October 1992 Darren Reed. (from tcplog)
|
||||
*
|
||||
* This software may be freely distributed as long as it is not altered
|
||||
* in any way and that this messagge always accompanies it.
|
||||
*
|
||||
* The author of this software makes no garuntee about the
|
||||
* performance of this package or its suitability to fulfill any purpose.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <ctype.h>
|
||||
#include <fcntl.h>
|
||||
#include <signal.h>
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/timeb.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/stropts.h>
|
||||
|
||||
#include <sys/pfmod.h>
|
||||
#include <sys/bufmod.h>
|
||||
#include <sys/dlpi.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/if_ether.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/udp_var.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
|
||||
#include "ip_compat.h"
|
||||
|
||||
#ifndef lint
|
||||
static char snitid[] = "%W% %G% (C)1995 Darren Reed";
|
||||
#endif
|
||||
|
||||
#define BUFSPACE 32768
|
||||
|
||||
static int solfd;
|
||||
|
||||
/*
|
||||
* Be careful to only include those defined in the flags option for the
|
||||
* interface are included in the header size.
|
||||
*/
|
||||
static int timeout;
|
||||
|
||||
|
||||
void nullbell()
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int ack_recv(ep)
|
||||
char *ep;
|
||||
{
|
||||
struct tcpiphdr tip;
|
||||
tcphdr_t *tcp;
|
||||
ip_t *ip;
|
||||
|
||||
ip = (ip_t *)&tip;
|
||||
tcp = (tcphdr_t *)(ip + 1);
|
||||
bcopy(ep, (char *)ip, sizeof(*ip));
|
||||
bcopy(ep + (ip->ip_hl << 2), (char *)tcp, sizeof(*tcp));
|
||||
|
||||
if (ip->ip_off & 0x1fff != 0)
|
||||
return 0;
|
||||
if (0 == detect(ip, tcp))
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int readloop(fd, port, dst)
|
||||
int fd, port;
|
||||
struct in_addr dst;
|
||||
{
|
||||
static u_char buf[BUFSPACE];
|
||||
register u_char *bp, *cp, *bufend;
|
||||
register struct sb_hdr *hp;
|
||||
register int cc;
|
||||
struct strbuf dbuf;
|
||||
ether_header_t eh;
|
||||
time_t now = time(NULL);
|
||||
int flags = 0, i, done = 0;
|
||||
|
||||
fd = solfd;
|
||||
dbuf.len = 0;
|
||||
dbuf.buf = buf;
|
||||
dbuf.maxlen = sizeof(buf);
|
||||
/*
|
||||
* no control data buffer...
|
||||
*/
|
||||
while (1) {
|
||||
(void) signal(SIGALRM, nullbell);
|
||||
alarm(1);
|
||||
i = getmsg(fd, NULL, &dbuf, &flags);
|
||||
alarm(0);
|
||||
(void) signal(SIGALRM, nullbell);
|
||||
|
||||
cc = dbuf.len;
|
||||
if ((time(NULL) - now) > timeout)
|
||||
return done;
|
||||
if (i == -1)
|
||||
if (errno == EINTR)
|
||||
continue;
|
||||
else
|
||||
break;
|
||||
bp = buf;
|
||||
bufend = buf + cc;
|
||||
/*
|
||||
* loop through each snapshot in the chunk
|
||||
*/
|
||||
while (bp < bufend) {
|
||||
/*
|
||||
* get past bufmod header
|
||||
*/
|
||||
hp = (struct sb_hdr *)bp;
|
||||
cp = (u_char *)((char *)bp + sizeof(*hp));
|
||||
bcopy(cp, (char *)&eh, sizeof(eh));
|
||||
/*
|
||||
* next snapshot
|
||||
*/
|
||||
bp += hp->sbh_totlen;
|
||||
cc -= hp->sbh_totlen;
|
||||
|
||||
if (eh.ether_type != ETHERTYPE_IP)
|
||||
continue;
|
||||
|
||||
cp += sizeof(eh);
|
||||
done += ack_recv(cp);
|
||||
}
|
||||
alarm(1);
|
||||
}
|
||||
perror("getmsg");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
int initdevice(device, tout)
|
||||
char *device;
|
||||
int tout;
|
||||
{
|
||||
struct strioctl si;
|
||||
struct timeval to;
|
||||
struct ifreq ifr;
|
||||
struct packetfilt pfil;
|
||||
u_long if_flags;
|
||||
u_short *fwp = pfil.Pf_Filter;
|
||||
char devname[16], *s, buf[256];
|
||||
int i, offset, fd, snaplen= 58, chunksize = BUFSPACE;
|
||||
|
||||
(void) sprintf(devname, "/dev/%s", device);
|
||||
|
||||
s = devname + 5;
|
||||
while (*s && !isdigit(*s))
|
||||
s++;
|
||||
if (!*s)
|
||||
{
|
||||
fprintf(stderr, "bad device name %s\n", devname);
|
||||
exit(-1);
|
||||
}
|
||||
i = atoi(s);
|
||||
*s = '\0';
|
||||
/*
|
||||
* For reading
|
||||
*/
|
||||
if ((fd = open(devname, O_RDWR)) < 0)
|
||||
{
|
||||
fprintf(stderr, "O_RDWR(0) ");
|
||||
perror(devname);
|
||||
exit(-1);
|
||||
}
|
||||
if (dlattachreq(fd, i) == -1 || dlokack(fd, buf) == -1)
|
||||
{
|
||||
fprintf(stderr, "DLPI error\n");
|
||||
exit(-1);
|
||||
}
|
||||
dlbindreq(fd, ETHERTYPE_IP, 0, DL_CLDLS, 0, 0);
|
||||
dlbindack(fd, buf);
|
||||
/*
|
||||
* read full headers
|
||||
*/
|
||||
if (strioctl(fd, DLIOCRAW, -1, 0, NULL) == -1)
|
||||
{
|
||||
fprintf(stderr, "DLIOCRAW error\n");
|
||||
exit(-1);
|
||||
}
|
||||
/*
|
||||
* Create some filter rules for our TCP watcher. We only want ethernet
|
||||
* pacets which are IP protocol and only the TCP packets from IP.
|
||||
*/
|
||||
offset = 6;
|
||||
*fwp++ = ENF_PUSHWORD + offset;
|
||||
*fwp++ = ENF_PUSHLIT | ENF_CAND;
|
||||
*fwp++ = htons(ETHERTYPE_IP);
|
||||
*fwp++ = ENF_PUSHWORD + sizeof(struct ether_header)/sizeof(short)+4;
|
||||
*fwp++ = ENF_PUSHLIT | ENF_AND;
|
||||
*fwp++ = htons(0x00ff);
|
||||
*fwp++ = ENF_PUSHLIT | ENF_COR;
|
||||
*fwp++ = htons(IPPROTO_TCP);
|
||||
*fwp++ = ENF_PUSHWORD + sizeof(struct ether_header)/sizeof(short)+4;
|
||||
*fwp++ = ENF_PUSHLIT | ENF_AND;
|
||||
*fwp++ = htons(0x00ff);
|
||||
*fwp++ = ENF_PUSHLIT | ENF_CAND;
|
||||
*fwp++ = htons(IPPROTO_UDP);
|
||||
pfil.Pf_FilterLen = (fwp - &pfil.Pf_Filter[0]);
|
||||
/*
|
||||
* put filter in place.
|
||||
*/
|
||||
|
||||
if (ioctl(fd, I_PUSH, "pfmod") == -1)
|
||||
{
|
||||
perror("ioctl: I_PUSH pf");
|
||||
exit(1);
|
||||
}
|
||||
if (strioctl(fd, PFIOCSETF, -1, sizeof(pfil), (char *)&pfil) == -1)
|
||||
{
|
||||
perror("ioctl: PFIOCSETF");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/*
|
||||
* arrange to get messages from the NIT STREAM and use NIT_BUF option
|
||||
*/
|
||||
if (ioctl(fd, I_PUSH, "bufmod") == -1)
|
||||
{
|
||||
perror("ioctl: I_PUSH bufmod");
|
||||
exit(1);
|
||||
}
|
||||
i = 128;
|
||||
strioctl(fd, SBIOCSSNAP, -1, sizeof(i), (char *)&i);
|
||||
/*
|
||||
* set the timeout
|
||||
*/
|
||||
to.tv_sec = 1;
|
||||
to.tv_usec = 0;
|
||||
if (strioctl(fd, SBIOCSTIME, -1, sizeof(to), (char *)&to) == -1)
|
||||
{
|
||||
perror("strioctl(SBIOCSTIME)");
|
||||
exit(-1);
|
||||
}
|
||||
/*
|
||||
* flush read queue
|
||||
*/
|
||||
if (ioctl(fd, I_FLUSH, FLUSHR) == -1)
|
||||
{
|
||||
perror("I_FLUSHR");
|
||||
exit(-1);
|
||||
}
|
||||
timeout = tout;
|
||||
solfd = fd;
|
||||
return fd;
|
||||
}
|
120
contrib/ipfilter/ipsd/slinux.c
Normal file
120
contrib/ipfilter/ipsd/slinux.c
Normal file
@ -0,0 +1,120 @@
|
||||
/*
|
||||
* (C)opyright October 1992 Darren Reed. (from tcplog)
|
||||
*
|
||||
* This software may be freely distributed as long as it is not altered
|
||||
* in any way and that this messagge always accompanies it.
|
||||
*
|
||||
* The author of this software makes no garuntee about the
|
||||
* performance of this package or its suitability to fulfill any purpose.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <ctype.h>
|
||||
#include <signal.h>
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/timeb.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/dir.h>
|
||||
#include <linux/netdevice.h>
|
||||
#include <net/if.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include "ip_compat.h"
|
||||
#include "tcpip.h"
|
||||
|
||||
#ifndef lint
|
||||
static char sccsid[] = "@(#)slinux.c 1.1 12/3/95 (C) 1995 Darren Reed";
|
||||
#endif
|
||||
|
||||
#define BUFSPACE 32768
|
||||
|
||||
/*
|
||||
* Be careful to only include those defined in the flags option for the
|
||||
* interface are included in the header size.
|
||||
*/
|
||||
|
||||
static int timeout;
|
||||
static char *eth_dev = NULL;
|
||||
|
||||
|
||||
int ack_recv(bp)
|
||||
char *bp;
|
||||
{
|
||||
struct tcpip tip;
|
||||
tcphdr_t *tcp;
|
||||
ip_t *ip;
|
||||
|
||||
ip = (struct ip *)&tip;
|
||||
tcp = (tcphdr_t *)(ip + 1);
|
||||
|
||||
bcopy(bp, (char *)&tip, sizeof(tip));
|
||||
bcopy(bp + (ip.ip_hl << 2), (char *)tcp, sizeof(*tcp));
|
||||
if (0 == detect(ip, tcp))
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
void readloop(fd, port, dst)
|
||||
int fd, port;
|
||||
struct in_addr dst;
|
||||
{
|
||||
static u_char buf[BUFSPACE];
|
||||
struct sockaddr dest;
|
||||
register u_char *bp = buf;
|
||||
register int cc;
|
||||
int dlen, done = 0;
|
||||
time_t now = time(NULL);
|
||||
|
||||
do {
|
||||
fflush(stdout);
|
||||
dlen = sizeof(dest);
|
||||
bzero((char *)&dest, dlen);
|
||||
cc = recvfrom(fd, buf, BUFSPACE, 0, &dest, &dlen);
|
||||
if (!cc)
|
||||
if ((time(NULL) - now) > timeout)
|
||||
return done;
|
||||
else
|
||||
continue;
|
||||
|
||||
if (bp[12] != 0x8 || bp[13] != 0)
|
||||
continue; /* not ip */
|
||||
|
||||
/*
|
||||
* get rid of non-tcp or fragmented packets here.
|
||||
*/
|
||||
if (cc >= sizeof(struct tcpiphdr))
|
||||
{
|
||||
if (((bp[14+9] != IPPROTO_TCP) &&
|
||||
(bp[14+9] != IPPROTO_UDP)) ||
|
||||
(bp[14+6] & 0x1f) || (bp[14+6] & 0xff))
|
||||
continue;
|
||||
done += ack_recv(bp + 14);
|
||||
}
|
||||
} while (cc >= 0);
|
||||
perror("read");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
int initdevice(dev, tout)
|
||||
char *dev;
|
||||
int tout;
|
||||
{
|
||||
int fd;
|
||||
|
||||
eth_dev = strdup(dev);
|
||||
if ((fd = socket(AF_INET, SOCK_PACKET, htons(ETHERTYPE_IP))) == -1)
|
||||
{
|
||||
perror("socket(SOCK_PACKET)");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
return fd;
|
||||
}
|
230
contrib/ipfilter/ipsd/snit.c
Normal file
230
contrib/ipfilter/ipsd/snit.c
Normal file
@ -0,0 +1,230 @@
|
||||
/*
|
||||
* (C)opyright October 1992 Darren Reed. (from tcplog)
|
||||
*
|
||||
* This software may be freely distributed as long as it is not altered
|
||||
* in any way and that this messagge always accompanies it.
|
||||
*
|
||||
* The author of this software makes no garuntee about the
|
||||
* performance of this package or its suitability to fulfill any purpose.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <ctype.h>
|
||||
#include <signal.h>
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/timeb.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <net/nit.h>
|
||||
#include <sys/fcntlcom.h>
|
||||
#include <sys/dir.h>
|
||||
#include <net/nit_if.h>
|
||||
#include <net/nit_pf.h>
|
||||
#include <net/nit_buf.h>
|
||||
#include <net/packetfilt.h>
|
||||
#include <sys/stropts.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/if_ether.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/udp_var.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
|
||||
#ifndef lint
|
||||
static char snitid[] = "@(#)snit.c 1.2 12/3/95 (C)1995 Darren Reed";
|
||||
#endif
|
||||
|
||||
#define BUFSPACE 32768
|
||||
|
||||
/*
|
||||
* Be careful to only include those defined in the flags option for the
|
||||
* interface are included in the header size.
|
||||
*/
|
||||
#define BUFHDR_SIZE (sizeof(struct nit_bufhdr))
|
||||
#define NIT_HDRSIZE (BUFHDR_SIZE)
|
||||
|
||||
static int timeout;
|
||||
|
||||
|
||||
int ack_recv(ep)
|
||||
char *ep;
|
||||
{
|
||||
struct tcpiphdr tip;
|
||||
struct tcphdr *tcp;
|
||||
struct ip *ip;
|
||||
|
||||
ip = (struct ip *)&tip;
|
||||
tcp = (struct tcphdr *)(ip + 1);
|
||||
bcopy(ep + 14, (char *)ip, sizeof(*ip));
|
||||
bcopy(ep + 14 + (ip->ip_hl << 2), (char *)tcp, sizeof(*tcp));
|
||||
if (ip->ip_off & 0x1fff != 0)
|
||||
return 0;
|
||||
if (0 == detect(ip, tcp))
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int readloop(fd, dst)
|
||||
int fd;
|
||||
struct in_addr dst;
|
||||
{
|
||||
static u_char buf[BUFSPACE];
|
||||
register u_char *bp, *cp, *bufend;
|
||||
register struct nit_bufhdr *hp;
|
||||
register int cc;
|
||||
time_t now = time(NULL);
|
||||
int done = 0;
|
||||
|
||||
while ((cc = read(fd, buf, BUFSPACE-1)) >= 0) {
|
||||
if (!cc)
|
||||
if ((time(NULL) - now) > timeout)
|
||||
return done;
|
||||
else
|
||||
continue;
|
||||
bp = buf;
|
||||
bufend = buf + cc;
|
||||
/*
|
||||
* loop through each snapshot in the chunk
|
||||
*/
|
||||
while (bp < bufend) {
|
||||
cp = (u_char *)((char *)bp + NIT_HDRSIZE);
|
||||
/*
|
||||
* get past NIT buffer
|
||||
*/
|
||||
hp = (struct nit_bufhdr *)bp;
|
||||
/*
|
||||
* next snapshot
|
||||
*/
|
||||
bp += hp->nhb_totlen;
|
||||
done += ack_recv(cp);
|
||||
}
|
||||
return done;
|
||||
}
|
||||
perror("read");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
int initdevice(device, tout)
|
||||
char *device;
|
||||
int tout;
|
||||
{
|
||||
struct strioctl si;
|
||||
struct timeval to;
|
||||
struct ifreq ifr;
|
||||
struct packetfilt pfil;
|
||||
u_long if_flags;
|
||||
u_short *fwp = pfil.Pf_Filter;
|
||||
int ret, offset, fd, snaplen= 76, chunksize = BUFSPACE;
|
||||
|
||||
if ((fd = open("/dev/nit", O_RDWR)) < 0)
|
||||
{
|
||||
perror("/dev/nit");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Create some filter rules for our TCP watcher. We only want ethernet
|
||||
* pacets which are IP protocol and only the TCP packets from IP.
|
||||
*/
|
||||
offset = 6;
|
||||
*fwp++ = ENF_PUSHWORD + offset;
|
||||
*fwp++ = ENF_PUSHLIT | ENF_CAND;
|
||||
*fwp++ = htons(ETHERTYPE_IP);
|
||||
*fwp++ = ENF_PUSHWORD + sizeof(struct ether_header)/sizeof(short)+4;
|
||||
*fwp++ = ENF_PUSHLIT | ENF_AND;
|
||||
*fwp++ = htons(0x00ff);
|
||||
*fwp++ = ENF_PUSHLIT | ENF_COR;
|
||||
*fwp++ = htons(IPPROTO_TCP);
|
||||
*fwp++ = ENF_PUSHWORD + sizeof(struct ether_header)/sizeof(short)+4;
|
||||
*fwp++ = ENF_PUSHLIT | ENF_AND;
|
||||
*fwp++ = htons(0x00ff);
|
||||
*fwp++ = ENF_PUSHLIT | ENF_CAND;
|
||||
*fwp++ = htons(IPPROTO_UDP);
|
||||
pfil.Pf_FilterLen = fwp - &pfil.Pf_Filter[0];
|
||||
/*
|
||||
* put filter in place.
|
||||
*/
|
||||
if (ioctl(fd, I_PUSH, "pf") == -1)
|
||||
{
|
||||
perror("ioctl: I_PUSH pf");
|
||||
exit(1);
|
||||
}
|
||||
if (ioctl(fd, NIOCSETF, &pfil) == -1)
|
||||
{
|
||||
perror("ioctl: NIOCSETF");
|
||||
exit(1);
|
||||
}
|
||||
/*
|
||||
* arrange to get messages from the NIT STREAM and use NIT_BUF option
|
||||
*/
|
||||
ioctl(fd, I_SRDOPT, (char*)RMSGD);
|
||||
ioctl(fd, I_PUSH, "nbuf");
|
||||
/*
|
||||
* set the timeout
|
||||
*/
|
||||
timeout = tout;
|
||||
si.ic_timout = 1;
|
||||
to.tv_sec = 1;
|
||||
to.tv_usec = 0;
|
||||
si.ic_cmd = NIOCSTIME;
|
||||
si.ic_len = sizeof(to);
|
||||
si.ic_dp = (char*)&to;
|
||||
if (ioctl(fd, I_STR, (char*)&si) == -1)
|
||||
{
|
||||
perror("ioctl: NIT timeout");
|
||||
exit(-1);
|
||||
}
|
||||
/*
|
||||
* set the chunksize
|
||||
*/
|
||||
si.ic_cmd = NIOCSCHUNK;
|
||||
si.ic_len = sizeof(chunksize);
|
||||
si.ic_dp = (char*)&chunksize;
|
||||
if (ioctl(fd, I_STR, (char*)&si) == -1)
|
||||
perror("ioctl: NIT chunksize");
|
||||
if (ioctl(fd, NIOCGCHUNK, (char*)&chunksize) == -1)
|
||||
{
|
||||
perror("ioctl: NIT chunksize");
|
||||
exit(-1);
|
||||
}
|
||||
printf("NIT buffer size: %d\n", chunksize);
|
||||
|
||||
/*
|
||||
* request the interface
|
||||
*/
|
||||
strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
|
||||
ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = ' ';
|
||||
si.ic_cmd = NIOCBIND;
|
||||
si.ic_len = sizeof(ifr);
|
||||
si.ic_dp = (char*)𝔦
|
||||
if (ioctl(fd, I_STR, (char*)&si) == -1)
|
||||
{
|
||||
perror(ifr.ifr_name);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
/*
|
||||
* set the snapshot length
|
||||
*/
|
||||
si.ic_cmd = NIOCSSNAP;
|
||||
si.ic_len = sizeof(snaplen);
|
||||
si.ic_dp = (char*)&snaplen;
|
||||
if (ioctl(fd, I_STR, (char*)&si) == -1)
|
||||
{
|
||||
perror("ioctl: NIT snaplen");
|
||||
exit(1);
|
||||
}
|
||||
(void) ioctl(fd, I_FLUSH, (char*)FLUSHR);
|
||||
return fd;
|
||||
}
|
95
contrib/ipfilter/ipsend/44arp.c
Normal file
95
contrib/ipfilter/ipsend/44arp.c
Normal file
@ -0,0 +1,95 @@
|
||||
/*
|
||||
* Based upon 4.4BSD's /usr/sbin/arp
|
||||
*/
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/sysctl.h>
|
||||
#include <net/if.h>
|
||||
#include <net/if_dl.h>
|
||||
#include <net/if_types.h>
|
||||
#include <net/route.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/if_ether.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netdb.h>
|
||||
#include <errno.h>
|
||||
#include <nlist.h>
|
||||
#include <stdio.h>
|
||||
|
||||
/*
|
||||
* lookup host and return
|
||||
* its IP address in address
|
||||
* (4 bytes)
|
||||
*/
|
||||
int resolve(host, address)
|
||||
char *host, *address;
|
||||
{
|
||||
struct hostent *hp;
|
||||
u_long add;
|
||||
|
||||
add = inet_addr(host);
|
||||
if (add == -1)
|
||||
{
|
||||
if (!(hp = gethostbyname(host)))
|
||||
{
|
||||
fprintf(stderr, "unknown host: %s\n", host);
|
||||
return -1;
|
||||
}
|
||||
bcopy((char *)hp->h_addr, (char *)address, 4);
|
||||
return 0;
|
||||
}
|
||||
bcopy((char*)&add, address, 4);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int arp(addr, eaddr)
|
||||
char *addr, *eaddr;
|
||||
{
|
||||
int mib[6];
|
||||
size_t needed;
|
||||
char *malloc(), *lim, *buf, *next;
|
||||
struct rt_msghdr *rtm;
|
||||
struct sockaddr_inarp *sin;
|
||||
struct sockaddr_dl *sdl;
|
||||
|
||||
mib[0] = CTL_NET;
|
||||
mib[1] = PF_ROUTE;
|
||||
mib[2] = 0;
|
||||
mib[3] = AF_INET;
|
||||
mib[4] = NET_RT_FLAGS;
|
||||
mib[5] = RTF_LLINFO;
|
||||
if (sysctl(mib, 6, NULL, &needed, NULL, 0) == -1)
|
||||
{
|
||||
perror("route-sysctl-estimate");
|
||||
exit(-1);
|
||||
}
|
||||
if ((buf = malloc(needed)) == NULL)
|
||||
{
|
||||
perror("malloc");
|
||||
exit(-1);
|
||||
}
|
||||
if (sysctl(mib, 6, buf, &needed, NULL, 0) == -1)
|
||||
{
|
||||
perror("actual retrieval of routing table");
|
||||
exit(-1);
|
||||
}
|
||||
lim = buf + needed;
|
||||
for (next = buf; next < lim; next += rtm->rtm_msglen)
|
||||
{
|
||||
rtm = (struct rt_msghdr *)next;
|
||||
sin = (struct sockaddr_inarp *)(rtm + 1);
|
||||
sdl = (struct sockaddr_dl *)(sin + 1);
|
||||
if (addr && !bcmp(addr, (char *)&sin->sin_addr,
|
||||
sizeof(struct in_addr)))
|
||||
{
|
||||
bcopy(LLADDR(sdl), eaddr, sdl->sdl_alen);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
return -1;
|
||||
}
|
20
contrib/ipfilter/ipsend/Crashable
Normal file
20
contrib/ipfilter/ipsend/Crashable
Normal file
@ -0,0 +1,20 @@
|
||||
Test 1:
|
||||
Solaris 2.4 - upto and including 101945-34, > 34 ?
|
||||
Solaris 2.5 - 11/95
|
||||
Linux 1.2.13, < 1.3.45(?)
|
||||
3com/sonix bridge
|
||||
Instant Internet
|
||||
KA9Q NOS
|
||||
Netblazer 40i, Version 3.2 OS
|
||||
Irix 6.x
|
||||
HP-UX 9.0
|
||||
HP-UX 10.1
|
||||
LivingstonsComOS
|
||||
|
||||
Test 6:
|
||||
SunOS 4.1.x
|
||||
ULtrix 4.3
|
||||
|
||||
Test 7:
|
||||
SunOS 4.1.x
|
||||
Linux <= 1.3.84
|
91
contrib/ipfilter/ipsend/Makefile
Normal file
91
contrib/ipfilter/ipsend/Makefile
Normal file
@ -0,0 +1,91 @@
|
||||
#
|
||||
# (C)opyright 1993-1996 by Darren Reed.
|
||||
#
|
||||
# This code may be freely distributed as long as it retains this notice
|
||||
# and is not changed in any way. The author accepts no responsibility
|
||||
# for the use of this software. I hate legaleese, don't you ?
|
||||
#
|
||||
OBJS=ipsend.o ip.o ipsopt.o
|
||||
ROBJS=ipresend.o ip.o resend.o
|
||||
TOBJS=iptest.o iptests.o ip.o
|
||||
BPF=sbpf.o
|
||||
NIT=snit.o
|
||||
SUNOS4=sock.o arp.o
|
||||
BSD=sock.o 44arp.o
|
||||
LINUX=lsock.o slinux.o larp.o
|
||||
LINUXK=
|
||||
TOP=..
|
||||
SUNOS5=dlcommon.o sdlpi.o arp.o
|
||||
|
||||
CC=gcc
|
||||
CFLAGS=-g -I.. -DNO_IPF
|
||||
|
||||
all:
|
||||
@echo "Use one of these targets:"
|
||||
@echo " sunos4-nit (standard SunOS 4.1.x)"
|
||||
@echo " sunos4-bpf (SunOS4.1.x with BPF in the kernel)"
|
||||
@echo " bsd-bpf (4.4BSD variant with BPF in the kernel)"
|
||||
@echo " linux10 (Linux 1.0 kernels)"
|
||||
@echo " linux20 (Linux 2.0 kernels)"
|
||||
@echo " sunos5 (Solaris 2.x)"
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(LINUXK) -c $< -o $@
|
||||
|
||||
bpf sunos4-bpf :
|
||||
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
|
||||
"CFLAGS=$(CFLAGS) -DDOSOCKET"
|
||||
make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
|
||||
"CFLAGS=$(CFLAGS) -DDOSOCKET"
|
||||
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(BPF) $(SUNOS4)" "CC=$(CC)" \
|
||||
"CFLAGS=$(CFLAGS) -DDOSOCKET"
|
||||
|
||||
nit sunos4 sunos4-nit :
|
||||
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \
|
||||
"CFLAGS=$(CFLAGS) -DDOSOCKET"
|
||||
make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \
|
||||
"CFLAGS=$(CFLAGS) -DDOSOCKET"
|
||||
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(NIT) $(SUNOS4)" "CC=$(CC)" \
|
||||
"CFLAGS=$(CFLAGS) -DDOSOCKET"
|
||||
|
||||
dlpi sunos5 :
|
||||
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \
|
||||
CFLAGS="$(CFLAGS) -Dsolaris" "LIBS=-lsocket -lnsl"
|
||||
make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \
|
||||
CFLAGS="$(CFLAGS) -Dsolaris" "LIBS=-lsocket -lnsl"
|
||||
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(SUNOS5)" "CC=$(CC)" \
|
||||
CFLAGS="$(CFLAGS) -Dsolaris" "LIBS=-lsocket -lnsl"
|
||||
|
||||
bsd-bpf :
|
||||
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \
|
||||
"CFLAGS=$(CFLAGS) -DDOSOCKET"
|
||||
make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \
|
||||
"CFLAGS=$(CFLAGS) -DDOSOCKET"
|
||||
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(BPF) $(BSD)" "CC=$(CC)" \
|
||||
"CFLAGS=$(CFLAGS) -DDOSOCKET"
|
||||
|
||||
linuxrev :
|
||||
make ipsend "OBJS=$(OBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \
|
||||
CFLAGS="$(CFLAGS) -I/usr/src/linux/include -DDOSOCKET" $(LINUXK)
|
||||
make ipresend "ROBJS=$(ROBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \
|
||||
CFLAGS="$(CFLAGS) -I/usr/src/linux/include -DDOSOCKET" $(LINUXK)
|
||||
make iptest "TOBJS=$(TOBJS)" "UNIXOBJS=$(LINUX)" "CC=$(CC)" \
|
||||
CFLAGS="$(CFLAGS) -I/usr/src/linux/include -DDOSOCKET" $(LINUXK)
|
||||
|
||||
linux10:
|
||||
make linuxrev 'LINUXK="LINUXK=-DLINUX=0100"'
|
||||
|
||||
linux20:
|
||||
make linuxrev 'LINUXK="LINUXK=-DLINUX=0200"'
|
||||
|
||||
ipsend: $(OBJS) $(UNIXOBJS)
|
||||
$(CC) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS)
|
||||
|
||||
ipresend: $(ROBJS) $(UNIXOBJS)
|
||||
$(CC) $(ROBJS) $(UNIXOBJS) -o $@ $(LIBS)
|
||||
|
||||
iptest: $(TOBJS) $(UNIXOBJS)
|
||||
$(CC) $(TOBJS) $(UNIXOBJS) -o $@ $(LIBS)
|
||||
|
||||
clean:
|
||||
rm -rf *.o *core a.out ipsend ipresend iptest
|
119
contrib/ipfilter/ipsend/arp.c
Normal file
119
contrib/ipfilter/ipsend/arp.c
Normal file
@ -0,0 +1,119 @@
|
||||
/*
|
||||
* arp.c (C) 1995 Darren Reed
|
||||
*
|
||||
* The author provides this program as-is, with no gaurantee for its
|
||||
* suitability for any specific purpose. The author takes no responsibility
|
||||
* for the misuse/abuse of this program and provides it for the sole purpose
|
||||
* of testing packet filter policies. This file maybe distributed freely
|
||||
* providing it is not modified and that this notice remains in tact.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/sockio.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <netdb.h>
|
||||
#include <netinet/in.h>
|
||||
#include <net/if.h>
|
||||
#include <net/if_arp.h>
|
||||
|
||||
#if defined(__SVR4) || defined(__svr4__)
|
||||
#define bcopy(a,b,c) memmove(b,a,c)
|
||||
#define bzero(a,c) memset(a,0,c)
|
||||
#define bcmp(a,b,c) memcmp(a,b,c)
|
||||
#endif
|
||||
|
||||
/*
|
||||
* lookup host and return
|
||||
* its IP address in address
|
||||
* (4 bytes)
|
||||
*/
|
||||
int resolve(host, address)
|
||||
char *host, *address;
|
||||
{
|
||||
struct hostent *hp;
|
||||
u_long add;
|
||||
|
||||
add = inet_addr(host);
|
||||
if (add == -1)
|
||||
{
|
||||
if (!(hp = gethostbyname(host)))
|
||||
{
|
||||
fprintf(stderr, "unknown host: %s\n", host);
|
||||
return -1;
|
||||
}
|
||||
bcopy((char *)hp->h_addr, (char *)address, 4);
|
||||
return 0;
|
||||
}
|
||||
bcopy((char*)&add, address, 4);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* ARP for the MAC address corresponding
|
||||
* to the IP address. This taken from
|
||||
* some BSD program, I cant remember which.
|
||||
*/
|
||||
int arp(ip, ether)
|
||||
char *ip;
|
||||
char *ether;
|
||||
{
|
||||
static int sfd = -1;
|
||||
static char ethersave[6], ipsave[4];
|
||||
struct arpreq ar;
|
||||
struct sockaddr_in *sin, san;
|
||||
struct hostent *hp;
|
||||
char *inet_ntoa();
|
||||
int fd;
|
||||
|
||||
if (!bcmp(ipsave, ip, 4)) {
|
||||
bcopy(ethersave, ether, 6);
|
||||
return 0;
|
||||
}
|
||||
fd = -1;
|
||||
bzero((char *)&ar, sizeof(ar));
|
||||
sin = (struct sockaddr_in *)&ar.arp_pa;
|
||||
sin->sin_family = AF_INET;
|
||||
bcopy(ip, (char *)&sin->sin_addr.s_addr, 4);
|
||||
if ((hp = gethostbyaddr(ip, 4, AF_INET)))
|
||||
if (!(ether_hostton(hp->h_name, ether)))
|
||||
goto savearp;
|
||||
|
||||
if (sfd == -1)
|
||||
if ((sfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
|
||||
{
|
||||
perror("arp: socket");
|
||||
return -1;
|
||||
}
|
||||
tryagain:
|
||||
if (ioctl(sfd, SIOCGARP, (caddr_t)&ar) == -1)
|
||||
{
|
||||
if (fd == -1)
|
||||
{
|
||||
bzero((char *)&san, sizeof(san));
|
||||
san.sin_family = AF_INET;
|
||||
san.sin_port = htons(1);
|
||||
bcopy(ip, &san.sin_addr.s_addr, 4);
|
||||
fd = socket(AF_INET, SOCK_DGRAM, 0);
|
||||
(void) sendto(fd, ip, 4, 0,
|
||||
(struct sockaddr *)&san, sizeof(san));
|
||||
sleep(1);
|
||||
(void) close(fd);
|
||||
goto tryagain;
|
||||
}
|
||||
fprintf(stderr, "(%s):", inet_ntoa(sin->sin_addr));
|
||||
if (errno != ENXIO)
|
||||
perror("SIOCGARP");
|
||||
return -1;
|
||||
}
|
||||
|
||||
bcopy(ar.arp_ha.sa_data, ether, 6);
|
||||
savearp:
|
||||
bcopy(ether, ethersave, 6);
|
||||
bcopy(ip, ipsave, 4);
|
||||
return 0;
|
||||
}
|
1359
contrib/ipfilter/ipsend/dlcommon.c
Normal file
1359
contrib/ipfilter/ipsend/dlcommon.c
Normal file
File diff suppressed because it is too large
Load Diff
32
contrib/ipfilter/ipsend/dltest.h
Normal file
32
contrib/ipfilter/ipsend/dltest.h
Normal file
@ -0,0 +1,32 @@
|
||||
/*
|
||||
* Common DLPI Test Suite header file
|
||||
*
|
||||
*/
|
||||
|
||||
/*
|
||||
* Maximum control/data buffer size (in long's !!) for getmsg().
|
||||
*/
|
||||
#define MAXDLBUF 8192
|
||||
|
||||
/*
|
||||
* Maximum number of seconds we'll wait for any
|
||||
* particular DLPI acknowledgment from the provider
|
||||
* after issuing a request.
|
||||
*/
|
||||
#define MAXWAIT 15
|
||||
|
||||
/*
|
||||
* Maximum address buffer length.
|
||||
*/
|
||||
#define MAXDLADDR 1024
|
||||
|
||||
|
||||
/*
|
||||
* Handy macro.
|
||||
*/
|
||||
#define OFFADDR(s, n) (u_char*)((char*)(s) + (int)(n))
|
||||
|
||||
/*
|
||||
* externs go here
|
||||
*/
|
||||
extern void sigalrm();
|
177
contrib/ipfilter/ipsend/in_var.h
Normal file
177
contrib/ipfilter/ipsend/in_var.h
Normal file
@ -0,0 +1,177 @@
|
||||
/* @(#)in_var.h 1.3 88/08/19 SMI; from UCB 7.1 6/5/86 */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1985, 1986 Regents of the University of California.
|
||||
* All rights reserved. The Berkeley software License Agreement
|
||||
* specifies the terms and conditions for redistribution.
|
||||
*/
|
||||
|
||||
/*
|
||||
* Interface address, Internet version. One of these structures
|
||||
* is allocated for each interface with an Internet address.
|
||||
* The ifaddr structure contains the protocol-independent part
|
||||
* of the structure and is assumed to be first.
|
||||
*/
|
||||
|
||||
#ifndef _netinet_in_var_h
|
||||
#define _netinet_in_var_h
|
||||
|
||||
struct in_ifaddr {
|
||||
struct ifaddr ia_ifa; /* protocol-independent info */
|
||||
#define ia_addr ia_ifa.ifa_addr
|
||||
#define ia_broadaddr ia_ifa.ifa_broadaddr
|
||||
#define ia_dstaddr ia_ifa.ifa_dstaddr
|
||||
#define ia_ifp ia_ifa.ifa_ifp
|
||||
u_long ia_net; /* network number of interface */
|
||||
u_long ia_netmask; /* mask of net part */
|
||||
u_long ia_subnet; /* subnet number, including net */
|
||||
u_long ia_subnetmask; /* mask of net + subnet */
|
||||
struct in_addr ia_netbroadcast; /* broadcast addr for (logical) net */
|
||||
int ia_flags;
|
||||
struct in_ifaddr *ia_next; /* next in list of internet addresses */
|
||||
struct in_multi *ia_multiaddrs;/* list of multicast addresses */
|
||||
};
|
||||
/*
|
||||
* Given a pointer to an in_ifaddr (ifaddr),
|
||||
* return a pointer to the addr as a sockadd_in.
|
||||
*/
|
||||
#define IA_SIN(ia) ((struct sockaddr_in *)(&((struct in_ifaddr *)ia)->ia_addr))
|
||||
/*
|
||||
* ia_flags
|
||||
*/
|
||||
#define IFA_ROUTE 0x01 /* routing entry installed */
|
||||
|
||||
#ifdef KERNEL
|
||||
struct in_ifaddr *in_ifaddr;
|
||||
struct in_ifaddr *in_iaonnetof();
|
||||
struct ifqueue ipintrq; /* ip packet input queue */
|
||||
#endif
|
||||
|
||||
#ifdef KERNEL
|
||||
/*
|
||||
* Macro for finding the interface (ifnet structure) corresponding to one
|
||||
* of our IP addresses.
|
||||
*/
|
||||
#define INADDR_TO_IFP(addr, ifp) \
|
||||
/* struct in_addr addr; */ \
|
||||
/* struct ifnet *ifp; */ \
|
||||
{ \
|
||||
register struct in_ifaddr *ia; \
|
||||
\
|
||||
for (ia = in_ifaddr; \
|
||||
ia != NULL && IA_SIN(ia)->sin_addr.s_addr != (addr).s_addr; \
|
||||
ia = ia->ia_next); \
|
||||
(ifp) = (ia == NULL) ? NULL : ia->ia_ifp; \
|
||||
}
|
||||
|
||||
/*
|
||||
* Macro for finding the internet address structure (in_ifaddr) corresponding
|
||||
* to a given interface (ifnet structure).
|
||||
*/
|
||||
#define IFP_TO_IA(ifp, ia) \
|
||||
/* struct ifnet *ifp; */ \
|
||||
/* struct in_ifaddr *ia; */ \
|
||||
{ \
|
||||
for ((ia) = in_ifaddr; \
|
||||
(ia) != NULL && (ia)->ia_ifp != (ifp); \
|
||||
(ia) = (ia)->ia_next); \
|
||||
}
|
||||
#endif KERNEL
|
||||
|
||||
/*
|
||||
* Per-interface router version information is kept in this list.
|
||||
* This information should be part of the ifnet structure but we don't wish
|
||||
* to change that - as it might break a number of things
|
||||
*/
|
||||
|
||||
struct router_info {
|
||||
struct ifnet *ifp;
|
||||
int type; /* type of router which is querier on this interface */
|
||||
int time; /* # of slow timeouts since last old query */
|
||||
struct router_info *next;
|
||||
};
|
||||
|
||||
/*
|
||||
* Internet multicast address structure. There is one of these for each IP
|
||||
* multicast group to which this host belongs on a given network interface.
|
||||
* They are kept in a linked list, rooted in the interface's in_ifaddr
|
||||
* structure.
|
||||
*/
|
||||
|
||||
struct in_multi {
|
||||
struct in_addr inm_addr; /* IP multicast address */
|
||||
struct ifnet *inm_ifp; /* back pointer to ifnet */
|
||||
struct in_ifaddr *inm_ia; /* back pointer to in_ifaddr */
|
||||
u_int inm_refcount;/* no. membership claims by sockets */
|
||||
u_int inm_timer; /* IGMP membership report timer */
|
||||
struct in_multi *inm_next; /* ptr to next multicast address */
|
||||
u_int inm_state; /* state of the membership */
|
||||
struct router_info *inm_rti; /* router info*/
|
||||
};
|
||||
|
||||
#ifdef KERNEL
|
||||
/*
|
||||
* Structure used by macros below to remember position when stepping through
|
||||
* all of the in_multi records.
|
||||
*/
|
||||
struct in_multistep {
|
||||
struct in_ifaddr *i_ia;
|
||||
struct in_multi *i_inm;
|
||||
};
|
||||
|
||||
/*
|
||||
* Macro for looking up the in_multi record for a given IP multicast address
|
||||
* on a given interface. If no matching record is found, "inm" returns NULL.
|
||||
*/
|
||||
#define IN_LOOKUP_MULTI(addr, ifp, inm) \
|
||||
/* struct in_addr addr; */ \
|
||||
/* struct ifnet *ifp; */ \
|
||||
/* struct in_multi *inm; */ \
|
||||
{ \
|
||||
register struct in_ifaddr *ia; \
|
||||
\
|
||||
IFP_TO_IA((ifp), ia); \
|
||||
if (ia == NULL) \
|
||||
(inm) = NULL; \
|
||||
else \
|
||||
for ((inm) = ia->ia_multiaddrs; \
|
||||
(inm) != NULL && (inm)->inm_addr.s_addr != (addr).s_addr; \
|
||||
(inm) = inm->inm_next); \
|
||||
}
|
||||
|
||||
/*
|
||||
* Macro to step through all of the in_multi records, one at a time.
|
||||
* The current position is remembered in "step", which the caller must
|
||||
* provide. IN_FIRST_MULTI(), below, must be called to initialize "step"
|
||||
* and get the first record. Both macros return a NULL "inm" when there
|
||||
* are no remaining records.
|
||||
*/
|
||||
#define IN_NEXT_MULTI(step, inm) \
|
||||
/* struct in_multistep step; */ \
|
||||
/* struct in_multi *inm; */ \
|
||||
{ \
|
||||
if (((inm) = (step).i_inm) != NULL) { \
|
||||
(step).i_inm = (inm)->inm_next; \
|
||||
} \
|
||||
else while ((step).i_ia != NULL) { \
|
||||
(inm) = (step).i_ia->ia_multiaddrs; \
|
||||
(step).i_ia = (step).i_ia->ia_next; \
|
||||
if ((inm) != NULL) { \
|
||||
(step).i_inm = (inm)->inm_next; \
|
||||
break; \
|
||||
} \
|
||||
} \
|
||||
}
|
||||
|
||||
#define IN_FIRST_MULTI(step, inm) \
|
||||
/* struct in_multistep step; */ \
|
||||
/* struct in_multi *inm; */ \
|
||||
{ \
|
||||
(step).i_ia = in_ifaddr; \
|
||||
(step).i_inm = NULL; \
|
||||
IN_NEXT_MULTI((step), (inm)); \
|
||||
}
|
||||
|
||||
struct in_multi *in_addmulti();
|
||||
#endif KERNEL
|
||||
#endif /*!_netinet_in_var_h*/
|
346
contrib/ipfilter/ipsend/ip.c
Normal file
346
contrib/ipfilter/ipsend/ip.c
Normal file
@ -0,0 +1,346 @@
|
||||
/*
|
||||
* ip.c (C) 1995 Darren Reed
|
||||
*
|
||||
* The author provides this program as-is, with no gaurantee for its
|
||||
* suitability for any specific purpose. The author takes no responsibility
|
||||
* for the misuse/abuse of this program and provides it for the sole purpose
|
||||
* of testing packet filter policies. This file maybe distributed freely
|
||||
* providing it is not modified and that this notice remains in tact.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "%W% %G% (C)1995";
|
||||
#endif
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <sys/socket.h>
|
||||
#include <net/if.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#ifndef linux
|
||||
#include <netinet/if_ether.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#endif
|
||||
#include "ip_compat.h"
|
||||
#ifdef linux
|
||||
#include "tcpip.h"
|
||||
#endif
|
||||
|
||||
|
||||
static char *ipbuf = NULL, *ethbuf = NULL;
|
||||
|
||||
extern int arp(), sendip();
|
||||
|
||||
u_short chksum(buf,len)
|
||||
u_short *buf;
|
||||
int len;
|
||||
{
|
||||
u_long sum = 0;
|
||||
int nwords = len >> 1;
|
||||
|
||||
for(; nwords > 0; nwords--)
|
||||
sum += *buf++;
|
||||
sum = (sum>>16) + (sum & 0xffff);
|
||||
sum += (sum >>16);
|
||||
return (~sum);
|
||||
}
|
||||
|
||||
|
||||
int send_ether(nfd, buf, len, gwip)
|
||||
int nfd, len;
|
||||
char *buf;
|
||||
struct in_addr gwip;
|
||||
{
|
||||
static struct in_addr last_gw;
|
||||
static char last_arp[6] = { 0, 0, 0, 0, 0, 0};
|
||||
ether_header_t *eh;
|
||||
char *s;
|
||||
int err;
|
||||
|
||||
if (!ethbuf)
|
||||
ethbuf = (char *)calloc(1, 65536+1024);
|
||||
s = ethbuf;
|
||||
eh = (ether_header_t *)s;
|
||||
|
||||
bcopy((char *)buf, s + sizeof(*eh), len);
|
||||
if (gwip.s_addr == last_gw.s_addr)
|
||||
bcopy(last_arp, (char *)&eh->ether_dhost, 6);
|
||||
else if (arp((char *)&gwip, &eh->ether_dhost) == -1)
|
||||
{
|
||||
perror("arp");
|
||||
return -2;
|
||||
}
|
||||
eh->ether_type = ETHERTYPE_IP;
|
||||
last_gw.s_addr = gwip.s_addr;
|
||||
err = sendip(nfd, s, sizeof(*eh) + len);
|
||||
return err;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
*/
|
||||
int send_ip(nfd, mtu, ip, gwip, frag)
|
||||
int nfd, mtu;
|
||||
ip_t *ip;
|
||||
struct in_addr gwip;
|
||||
int frag;
|
||||
{
|
||||
static struct in_addr last_gw;
|
||||
static char last_arp[6] = { 0, 0, 0, 0, 0, 0};
|
||||
static u_short id = 0;
|
||||
ether_header_t *eh;
|
||||
ip_t ipsv;
|
||||
int err;
|
||||
|
||||
if (!ipbuf)
|
||||
ipbuf = (char *)malloc(65536);
|
||||
eh = (ether_header_t *)ipbuf;
|
||||
|
||||
bzero((char *)&eh->ether_shost, sizeof(eh->ether_shost));
|
||||
if (last_gw.s_addr && (gwip.s_addr == last_gw.s_addr))
|
||||
bcopy(last_arp, (char *)&eh->ether_dhost, 6);
|
||||
else if (arp((char *)&gwip, &eh->ether_dhost) == -1)
|
||||
{
|
||||
perror("arp");
|
||||
return -2;
|
||||
}
|
||||
bcopy((char *)&eh->ether_dhost, last_arp, sizeof(last_arp));
|
||||
eh->ether_type = ETHERTYPE_IP;
|
||||
|
||||
bcopy((char *)ip, (char *)&ipsv, sizeof(*ip));
|
||||
last_gw.s_addr = gwip.s_addr;
|
||||
ip->ip_len = htons(ip->ip_len);
|
||||
ip->ip_off = htons(ip->ip_off);
|
||||
if (!ip->ip_v)
|
||||
ip->ip_v = IPVERSION;
|
||||
if (!ip->ip_id)
|
||||
ip->ip_id = htons(id++);
|
||||
if (!ip->ip_ttl)
|
||||
ip->ip_ttl = 60;
|
||||
|
||||
if (!frag || (sizeof(*eh) + ntohs(ip->ip_len) < mtu))
|
||||
{
|
||||
ip->ip_sum = 0;
|
||||
ip->ip_sum = chksum(ip, ip->ip_hl << 2);
|
||||
|
||||
bcopy((char *)ip, ipbuf + sizeof(*eh), ntohs(ip->ip_len));
|
||||
err = sendip(nfd, ipbuf, sizeof(*eh) + ntohs(ip->ip_len));
|
||||
}
|
||||
else
|
||||
{
|
||||
/*
|
||||
* Actually, this is bogus because we're putting all IP
|
||||
* options in every packet, which isn't always what should be
|
||||
* done. Will do for now.
|
||||
*/
|
||||
ether_header_t eth;
|
||||
char optcpy[48], ol;
|
||||
char *s;
|
||||
int i, iplen, sent = 0, ts, hlen, olen;
|
||||
|
||||
hlen = ip->ip_hl << 2;
|
||||
if (mtu < (hlen + 8)) {
|
||||
fprintf(stderr, "mtu (%d) < ip header size (%d) + 8\n",
|
||||
mtu, hlen);
|
||||
fprintf(stderr, "can't fragment data\n");
|
||||
return -2;
|
||||
}
|
||||
ol = (ip->ip_hl << 2) - sizeof(*ip);
|
||||
for (i = 0, s = (char*)(ip + 1); ol > 0; )
|
||||
if (*s == IPOPT_EOL) {
|
||||
optcpy[i++] = *s;
|
||||
break;
|
||||
} else if (*s == IPOPT_NOP) {
|
||||
s++;
|
||||
ol--;
|
||||
} else
|
||||
{
|
||||
olen = (int)(*(u_char *)(s + 1));
|
||||
ol -= olen;
|
||||
if (IPOPT_COPIED(*s))
|
||||
{
|
||||
bcopy(s, optcpy + i, olen);
|
||||
i += olen;
|
||||
s += olen;
|
||||
}
|
||||
}
|
||||
if (i)
|
||||
{
|
||||
/*
|
||||
* pad out
|
||||
*/
|
||||
while ((i & 3) && (i & 3) != 3)
|
||||
optcpy[i++] = IPOPT_NOP;
|
||||
if ((i & 3) == 3)
|
||||
optcpy[i++] = IPOPT_EOL;
|
||||
}
|
||||
|
||||
bcopy((char *)eh, (char *)ð, sizeof(eth));
|
||||
s = (char *)ip + hlen;
|
||||
iplen = ntohs(ip->ip_len) - hlen;
|
||||
ip->ip_off |= htons(IP_MF);
|
||||
|
||||
while (1)
|
||||
{
|
||||
if ((sent + (mtu - hlen)) >= iplen)
|
||||
{
|
||||
ip->ip_off ^= htons(IP_MF);
|
||||
ts = iplen - sent;
|
||||
}
|
||||
else
|
||||
ts = (mtu - hlen);
|
||||
ip->ip_off &= htons(0xe000);
|
||||
ip->ip_off |= htons(sent >> 3);
|
||||
ts += hlen;
|
||||
ip->ip_len = htons(ts);
|
||||
ip->ip_sum = 0;
|
||||
ip->ip_sum = chksum(ip, hlen);
|
||||
bcopy((char *)ip, ipbuf + sizeof(*eh), hlen);
|
||||
bcopy(s + sent, ipbuf + sizeof(*eh) + hlen, ts - hlen);
|
||||
err = sendip(nfd, ipbuf, sizeof(*eh) + ts);
|
||||
|
||||
bcopy((char *)ð, ipbuf, sizeof(eth));
|
||||
sent += (ts - hlen);
|
||||
if (!(ntohs(ip->ip_off) & IP_MF))
|
||||
break;
|
||||
else if (!(ip->ip_off & htons(0x1fff)))
|
||||
{
|
||||
hlen = i + sizeof(*ip);
|
||||
ip->ip_hl = (sizeof(*ip) + i) >> 2;
|
||||
bcopy(optcpy, (char *)(ip + 1), i);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
bcopy((char *)&ipsv, (char *)ip, sizeof(*ip));
|
||||
return err;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* send a tcp packet.
|
||||
*/
|
||||
int send_tcp(nfd, mtu, ip, gwip)
|
||||
int nfd, mtu;
|
||||
ip_t *ip;
|
||||
struct in_addr gwip;
|
||||
{
|
||||
static tcp_seq iss = 2;
|
||||
struct tcpiphdr *ti;
|
||||
int thlen, i;
|
||||
u_long lbuf[20];
|
||||
|
||||
ti = (struct tcpiphdr *)lbuf;
|
||||
bzero((char *)ti, sizeof(*ti));
|
||||
thlen = sizeof(tcphdr_t);
|
||||
ip->ip_p = IPPROTO_TCP;
|
||||
ti->ti_pr = ip->ip_p;
|
||||
ti->ti_src = ip->ip_src;
|
||||
ti->ti_dst = ip->ip_dst;
|
||||
bcopy((char *)ip + (ip->ip_hl << 2),
|
||||
(char *)&ti->ti_sport, sizeof(tcphdr_t));
|
||||
|
||||
if (!ti->ti_win)
|
||||
ti->ti_win = htons(4096);
|
||||
if (!ti->ti_seq)
|
||||
ti->ti_seq = htonl(iss);
|
||||
iss += 64;
|
||||
|
||||
if ((ti->ti_flags == TH_SYN) && !ip->ip_off)
|
||||
{
|
||||
ip = (ip_t *)realloc((char *)ip, ntohs(ip->ip_len) + 4);
|
||||
i = sizeof(struct tcpiphdr) / sizeof(long);
|
||||
lbuf[i] = htonl(0x020405b4);
|
||||
bcopy((char *)(lbuf + i), (char*)ip + ntohs(ip->ip_len),
|
||||
sizeof(u_long));
|
||||
thlen += 4;
|
||||
}
|
||||
if (!ti->ti_off)
|
||||
ti->ti_off = thlen >> 2;
|
||||
ti->ti_len = htons(thlen);
|
||||
ip->ip_len = (ip->ip_hl << 2) + thlen;
|
||||
ti->ti_sum = 0;
|
||||
ti->ti_sum = chksum(ti, thlen + sizeof(ip_t));
|
||||
|
||||
bcopy((char *)&ti->ti_sport,
|
||||
(char *)ip + (ip->ip_hl << 2), thlen);
|
||||
return send_ip(nfd, mtu, ip, gwip, 1);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* send a udp packet.
|
||||
*/
|
||||
int send_udp(nfd, mtu, ip, gwip)
|
||||
int nfd, mtu;
|
||||
ip_t *ip;
|
||||
struct in_addr gwip;
|
||||
{
|
||||
struct tcpiphdr *ti;
|
||||
int thlen;
|
||||
u_long lbuf[20];
|
||||
|
||||
ti = (struct tcpiphdr *)lbuf;
|
||||
bzero((char *)ti, sizeof(*ti));
|
||||
thlen = sizeof(udphdr_t);
|
||||
ti->ti_pr = ip->ip_p;
|
||||
ti->ti_src = ip->ip_src;
|
||||
ti->ti_dst = ip->ip_dst;
|
||||
bcopy((char *)ip + (ip->ip_hl << 2),
|
||||
(char *)&ti->ti_sport, sizeof(udphdr_t));
|
||||
|
||||
ti->ti_len = htons(thlen);
|
||||
ip->ip_len = (ip->ip_hl << 2) + thlen;
|
||||
ti->ti_sum = 0;
|
||||
ti->ti_sum = chksum(ti, thlen + sizeof(ip_t));
|
||||
|
||||
bcopy((char *)&ti->ti_sport,
|
||||
(char *)ip + (ip->ip_hl << 2), sizeof(udphdr_t));
|
||||
return send_ip(nfd, mtu, ip, gwip, 1);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* send an icmp packet.
|
||||
*/
|
||||
int send_icmp(nfd, mtu, ip, gwip)
|
||||
int nfd, mtu;
|
||||
ip_t *ip;
|
||||
struct in_addr gwip;
|
||||
{
|
||||
struct icmp *ic;
|
||||
|
||||
ic = (struct icmp *)((char *)ip + (ip->ip_hl << 2));
|
||||
|
||||
ic->icmp_cksum = 0;
|
||||
ic->icmp_cksum = chksum((char *)ic, sizeof(struct icmp));
|
||||
|
||||
return send_ip(nfd, mtu, ip, gwip, 1);
|
||||
}
|
||||
|
||||
|
||||
int send_packet(nfd, mtu, ip, gwip)
|
||||
int nfd, mtu;
|
||||
ip_t *ip;
|
||||
struct in_addr gwip;
|
||||
{
|
||||
switch (ip->ip_p)
|
||||
{
|
||||
case IPPROTO_TCP :
|
||||
return send_tcp(nfd, mtu, ip, gwip);
|
||||
case IPPROTO_UDP :
|
||||
return send_udp(nfd, mtu, ip, gwip);
|
||||
case IPPROTO_ICMP :
|
||||
return send_icmp(nfd, mtu, ip, gwip);
|
||||
default :
|
||||
return send_ip(nfd, mtu, ip, gwip, 1);
|
||||
}
|
||||
}
|
242
contrib/ipfilter/ipsend/ip_compat.h
Normal file
242
contrib/ipfilter/ipsend/ip_compat.h
Normal file
@ -0,0 +1,242 @@
|
||||
/*
|
||||
* (C)opyright 1995 by Darren Reed.
|
||||
*
|
||||
* This code may be freely distributed as long as it retains this notice
|
||||
* and is not changed in any way. The author accepts no responsibility
|
||||
* for the use of this software. I hate legaleese, don't you ?
|
||||
*
|
||||
* @(#)ip_compat.h 1.2 12/7/95
|
||||
*/
|
||||
|
||||
/*
|
||||
* These #ifdef's are here mainly for linux, but who knows, they may
|
||||
* not be in other places or maybe one day linux will grow up and some
|
||||
* of these will turn up there too.
|
||||
*/
|
||||
#ifndef ICMP_UNREACH
|
||||
# define ICMP_UNREACH ICMP_DEST_UNREACH
|
||||
#endif
|
||||
#ifndef ICMP_SOURCEQUENCH
|
||||
# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH
|
||||
#endif
|
||||
#ifndef ICMP_TIMXCEED
|
||||
# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED
|
||||
#endif
|
||||
#ifndef ICMP_PARAMPROB
|
||||
# define ICMP_PARAMPROB ICMP_PARAMETERPROB
|
||||
#endif
|
||||
#ifndef IPVERSION
|
||||
# define IPVERSION 4
|
||||
#endif
|
||||
#ifndef IPOPT_MINOFF
|
||||
# define IPOPT_MINOFF 4
|
||||
#endif
|
||||
#ifndef IPOPT_COPIED
|
||||
# define IPOPT_COPIED(x) ((x)&0x80)
|
||||
#endif
|
||||
#ifndef IPOPT_EOL
|
||||
# define IPOPT_EOL 0
|
||||
#endif
|
||||
#ifndef IPOPT_NOP
|
||||
# define IPOPT_NOP 1
|
||||
#endif
|
||||
#ifndef IP_MF
|
||||
# define IP_MF ((u_short)0x2000)
|
||||
#endif
|
||||
#ifndef ETHERTYPE_IP
|
||||
# define ETHERTYPE_IP ((u_short)0x0800)
|
||||
#endif
|
||||
#ifndef TH_FIN
|
||||
# define TH_FIN 0x01
|
||||
#endif
|
||||
#ifndef TH_SYN
|
||||
# define TH_SYN 0x02
|
||||
#endif
|
||||
#ifndef TH_RST
|
||||
# define TH_RST 0x04
|
||||
#endif
|
||||
#ifndef TH_PUSH
|
||||
# define TH_PUSH 0x08
|
||||
#endif
|
||||
#ifndef TH_ACK
|
||||
# define TH_ACK 0x10
|
||||
#endif
|
||||
#ifndef TH_URG
|
||||
# define TH_URG 0x20
|
||||
#endif
|
||||
#ifndef IPOPT_EOL
|
||||
# define IPOPT_EOL 0
|
||||
#endif
|
||||
#ifndef IPOPT_NOP
|
||||
# define IPOPT_NOP 1
|
||||
#endif
|
||||
#ifndef IPOPT_RR
|
||||
# define IPOPT_RR 7
|
||||
#endif
|
||||
#ifndef IPOPT_TS
|
||||
# define IPOPT_TS 68
|
||||
#endif
|
||||
#ifndef IPOPT_SECURITY
|
||||
# define IPOPT_SECURITY 130
|
||||
#endif
|
||||
#ifndef IPOPT_LSRR
|
||||
# define IPOPT_LSRR 131
|
||||
#endif
|
||||
#ifndef IPOPT_SATID
|
||||
# define IPOPT_SATID 136
|
||||
#endif
|
||||
#ifndef IPOPT_SSRR
|
||||
# define IPOPT_SSRR 137
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_UNCLASS
|
||||
# define IPOPT_SECUR_UNCLASS ((u_short)0x0000)
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_CONFID
|
||||
# define IPOPT_SECUR_CONFID ((u_short)0xf135)
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_EFTO
|
||||
# define IPOPT_SECUR_EFTO ((u_short)0x789a)
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_MMMM
|
||||
# define IPOPT_SECUR_MMMM ((u_short)0xbc4d)
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_RESTR
|
||||
# define IPOPT_SECUR_RESTR ((u_short)0xaf13)
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_SECRET
|
||||
# define IPOPT_SECUR_SECRET ((u_short)0xd788)
|
||||
#endif
|
||||
#ifndef IPOPT_SECUR_TOPSECRET
|
||||
# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5)
|
||||
#endif
|
||||
|
||||
#ifdef linux
|
||||
# if LINUX < 0200
|
||||
# define icmp icmphdr
|
||||
# define icmp_type type
|
||||
# define icmp_code code
|
||||
# endif
|
||||
|
||||
/*
|
||||
* From /usr/include/netinet/ip_var.h
|
||||
* !%@#!$@# linux...
|
||||
*/
|
||||
struct ipovly {
|
||||
caddr_t ih_next, ih_prev; /* for protocol sequence q's */
|
||||
u_char ih_x1; /* (unused) */
|
||||
u_char ih_pr; /* protocol */
|
||||
short ih_len; /* protocol length */
|
||||
struct in_addr ih_src; /* source internet address */
|
||||
struct in_addr ih_dst; /* destination internet address */
|
||||
};
|
||||
|
||||
typedef struct {
|
||||
__u16 th_sport;
|
||||
__u16 th_dport;
|
||||
__u32 th_seq;
|
||||
__u32 th_ack;
|
||||
# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
|
||||
defined(vax)
|
||||
__u8 th_res:4;
|
||||
__u8 th_off:4;
|
||||
#else
|
||||
__u8 th_off:4;
|
||||
__u8 th_res:4;
|
||||
#endif
|
||||
__u8 th_flags;
|
||||
__u16 th_win;
|
||||
__u16 th_sum;
|
||||
__u16 th_urp;
|
||||
} tcphdr_t;
|
||||
|
||||
typedef struct {
|
||||
__u16 uh_sport;
|
||||
__u16 uh_dport;
|
||||
__s16 uh_ulen;
|
||||
__u16 uh_sum;
|
||||
} udphdr_t;
|
||||
|
||||
typedef struct {
|
||||
# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
|
||||
defined(vax)
|
||||
__u8 ip_hl:4;
|
||||
__u8 ip_v:4;
|
||||
# else
|
||||
__u8 ip_hl:4;
|
||||
__u8 ip_v:4;
|
||||
# endif
|
||||
__u8 ip_tos;
|
||||
__u16 ip_len;
|
||||
__u16 ip_id;
|
||||
__u16 ip_off;
|
||||
__u8 ip_ttl;
|
||||
__u8 ip_p;
|
||||
__u16 ip_sum;
|
||||
struct in_addr ip_src;
|
||||
struct in_addr ip_dst;
|
||||
} ip_t;
|
||||
|
||||
typedef struct {
|
||||
__u8 ether_dhost[6];
|
||||
__u8 ether_shost[6];
|
||||
__u16 ether_type;
|
||||
} ether_header_t;
|
||||
|
||||
typedef struct icmp {
|
||||
u_char icmp_type; /* type of message, see below */
|
||||
u_char icmp_code; /* type sub code */
|
||||
u_short icmp_cksum; /* ones complement cksum of struct */
|
||||
union {
|
||||
u_char ih_pptr; /* ICMP_PARAMPROB */
|
||||
struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
|
||||
struct ih_idseq {
|
||||
n_short icd_id;
|
||||
n_short icd_seq;
|
||||
} ih_idseq;
|
||||
int ih_void;
|
||||
} icmp_hun;
|
||||
#define icmp_pptr icmp_hun.ih_pptr
|
||||
#define icmp_gwaddr icmp_hun.ih_gwaddr
|
||||
#define icmp_id icmp_hun.ih_idseq.icd_id
|
||||
#define icmp_seq icmp_hun.ih_idseq.icd_seq
|
||||
#define icmp_void icmp_hun.ih_void
|
||||
union {
|
||||
struct id_ts {
|
||||
n_time its_otime;
|
||||
n_time its_rtime;
|
||||
n_time its_ttime;
|
||||
} id_ts;
|
||||
struct id_ip {
|
||||
ip_t idi_ip;
|
||||
/* options and then 64 bits of data */
|
||||
} id_ip;
|
||||
u_long id_mask;
|
||||
char id_data[1];
|
||||
} icmp_dun;
|
||||
#define icmp_otime icmp_dun.id_ts.its_otime
|
||||
#define icmp_rtime icmp_dun.id_ts.its_rtime
|
||||
#define icmp_ttime icmp_dun.id_ts.its_ttime
|
||||
#define icmp_ip icmp_dun.id_ip.idi_ip
|
||||
#define icmp_mask icmp_dun.id_mask
|
||||
#define icmp_data icmp_dun.id_data
|
||||
} icmphdr_t;
|
||||
|
||||
# define bcopy(a,b,c) memmove(b,a,c)
|
||||
# define bcmp(a,b,c) memcmp(a,b,c)
|
||||
|
||||
# define ifnet device
|
||||
|
||||
#else
|
||||
|
||||
typedef struct udphdr udphdr_t;
|
||||
typedef struct tcphdr tcphdr_t;
|
||||
typedef struct ip ip_t;
|
||||
typedef struct ether_header ether_header_t;
|
||||
|
||||
#endif
|
||||
|
||||
#if defined(__SVR4) || defined(__svr4__)
|
||||
# define bcopy(a,b,c) memmove(b,a,c)
|
||||
# define bcmp(a,b,c) memcmp(a,b,c)
|
||||
# define bzero(a,b) memset(a,0,b)
|
||||
#endif
|
123
contrib/ipfilter/ipsend/ip_var.h
Normal file
123
contrib/ipfilter/ipsend/ip_var.h
Normal file
@ -0,0 +1,123 @@
|
||||
/* @(#)ip_var.h 1.11 88/08/19 SMI; from UCB 7.1 6/5/86 */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1982, 1986 Regents of the University of California.
|
||||
* All rights reserved. The Berkeley software License Agreement
|
||||
* specifies the terms and conditions for redistribution.
|
||||
*/
|
||||
|
||||
/*
|
||||
* Overlay for ip header used by other protocols (tcp, udp).
|
||||
*/
|
||||
|
||||
#ifndef _netinet_ip_var_h
|
||||
#define _netinet_ip_var_h
|
||||
|
||||
struct ipovly {
|
||||
caddr_t ih_next, ih_prev; /* for protocol sequence q's */
|
||||
u_char ih_x1; /* (unused) */
|
||||
u_char ih_pr; /* protocol */
|
||||
short ih_len; /* protocol length */
|
||||
struct in_addr ih_src; /* source internet address */
|
||||
struct in_addr ih_dst; /* destination internet address */
|
||||
};
|
||||
|
||||
/*
|
||||
* Ip reassembly queue structure. Each fragment
|
||||
* being reassembled is attached to one of these structures.
|
||||
* They are timed out after ipq_ttl drops to 0, and may also
|
||||
* be reclaimed if memory becomes tight.
|
||||
*/
|
||||
struct ipq {
|
||||
struct ipq *next,*prev; /* to other reass headers */
|
||||
u_char ipq_ttl; /* time for reass q to live */
|
||||
u_char ipq_p; /* protocol of this fragment */
|
||||
u_short ipq_id; /* sequence id for reassembly */
|
||||
struct ipasfrag *ipq_next,*ipq_prev;
|
||||
/* to ip headers of fragments */
|
||||
struct in_addr ipq_src,ipq_dst;
|
||||
};
|
||||
|
||||
/*
|
||||
* Ip header, when holding a fragment.
|
||||
*
|
||||
* Note: ipf_next must be at same offset as ipq_next above
|
||||
*/
|
||||
struct ipasfrag {
|
||||
#if defined(vax) || defined(i386)
|
||||
u_char ip_hl:4,
|
||||
ip_v:4;
|
||||
#endif
|
||||
#if defined(mc68000) || defined(sparc)
|
||||
u_char ip_v:4,
|
||||
ip_hl:4;
|
||||
#endif
|
||||
u_char ipf_mff; /* copied from (ip_off&IP_MF) */
|
||||
short ip_len;
|
||||
u_short ip_id;
|
||||
short ip_off;
|
||||
u_char ip_ttl;
|
||||
u_char ip_p;
|
||||
u_short ip_sum;
|
||||
struct ipasfrag *ipf_next; /* next fragment */
|
||||
struct ipasfrag *ipf_prev; /* previous fragment */
|
||||
};
|
||||
|
||||
/*
|
||||
* Structure stored in mbuf in inpcb.ip_options
|
||||
* and passed to ip_output when ip options are in use.
|
||||
* The actual length of the options (including ipopt_dst)
|
||||
* is in m_len.
|
||||
*/
|
||||
#define MAX_IPOPTLEN 40
|
||||
|
||||
struct ipoption {
|
||||
struct in_addr ipopt_dst; /* first-hop dst if source routed */
|
||||
char ipopt_list[MAX_IPOPTLEN]; /* options proper */
|
||||
};
|
||||
|
||||
/*
|
||||
* Structure stored in an mbuf attached to inpcb.ip_moptions and
|
||||
* passed to ip_output when IP multicast options are in use.
|
||||
*/
|
||||
struct ip_moptions {
|
||||
struct ifnet *imo_multicast_ifp; /* ifp for outgoing multicasts */
|
||||
u_char imo_multicast_ttl; /* TTL for outgoing multicasts */
|
||||
u_char imo_multicast_loop; /* 1 => hear sends if a member */
|
||||
u_short imo_num_memberships;/* no. memberships this socket */
|
||||
struct in_multi *imo_membership[IP_MAX_MEMBERSHIPS];
|
||||
#ifdef RSVP_ISI
|
||||
long imo_multicast_vif; /* vif for outgoing multicasts */
|
||||
#endif /* RSVP_ISI */
|
||||
};
|
||||
|
||||
struct ipstat {
|
||||
long ips_total; /* total packets received */
|
||||
long ips_badsum; /* checksum bad */
|
||||
long ips_tooshort; /* packet too short */
|
||||
long ips_toosmall; /* not enough data */
|
||||
long ips_badhlen; /* ip header length < data size */
|
||||
long ips_badlen; /* ip length < ip header length */
|
||||
long ips_fragments; /* fragments received */
|
||||
long ips_fragdropped; /* frags dropped (dups, out of space) */
|
||||
long ips_fragtimeout; /* fragments timed out */
|
||||
long ips_forward; /* packets forwarded */
|
||||
long ips_cantforward; /* packets rcvd for unreachable dest */
|
||||
long ips_redirectsent; /* packets forwarded on same net */
|
||||
};
|
||||
|
||||
#ifdef KERNEL
|
||||
/* flags passed to ip_output as last parameter */
|
||||
#define IP_FORWARDING 0x1 /* most of ip header exists */
|
||||
#define IP_MULTICASTOPTS 0x2 /* multicast opts present */
|
||||
#define IP_ROUTETOIF SO_DONTROUTE /* bypass routing tables */
|
||||
#define IP_ALLOWBROADCAST SO_BROADCAST /* can send broadcast packets */
|
||||
|
||||
struct ipstat ipstat;
|
||||
struct ipq ipq; /* ip reass. queue */
|
||||
u_short ip_id; /* ip packet ctr, for ids */
|
||||
|
||||
struct mbuf *ip_srcroute();
|
||||
#endif
|
||||
|
||||
#endif /*!_netinet_ip_var_h*/
|
165
contrib/ipfilter/ipsend/ipresend.c
Normal file
165
contrib/ipfilter/ipsend/ipresend.c
Normal file
@ -0,0 +1,165 @@
|
||||
/*
|
||||
* ipsend.c (C) 1995 Darren Reed
|
||||
*
|
||||
* This was written to test what size TCP fragments would get through
|
||||
* various TCP/IP packet filters, as used in IP firewalls. In certain
|
||||
* conditions, enough of the TCP header is missing for unpredictable
|
||||
* results unless the filter is aware that this can happen.
|
||||
*
|
||||
* The author provides this program as-is, with no gaurantee for its
|
||||
* suitability for any specific purpose. The author takes no responsibility
|
||||
* for the misuse/abuse of this program and provides it for the sole purpose
|
||||
* of testing packet filter policies. This file maybe distributed freely
|
||||
* providing it is not modified and that this notice remains in tact.
|
||||
*
|
||||
* This was written and tested (successfully) on SunOS 4.1.x.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "%W% %G% (C)1995 Darren Reed";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <netdb.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#ifndef linux
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#endif
|
||||
#include "ip_compat.h"
|
||||
#ifdef linux
|
||||
#include <linux/sockios.h>
|
||||
#include "tcpip.h"
|
||||
#endif
|
||||
#include "ipt.h"
|
||||
|
||||
|
||||
extern char *optarg;
|
||||
extern int optind;
|
||||
#ifndef NO_IPF
|
||||
extern struct ipread snoop, pcap, etherf, iphex, tcpd, iptext;
|
||||
#endif
|
||||
extern int resolve(), ip_resend();
|
||||
|
||||
int opts = 0;
|
||||
#ifndef DEFAULT_DEVICE
|
||||
# ifdef linux
|
||||
char default_device[] = "eth0";
|
||||
# else
|
||||
# ifdef sun
|
||||
char default_device[] = "le0";
|
||||
# else
|
||||
# ifdef ultrix
|
||||
char default_device[] = "ln0";
|
||||
# else
|
||||
# ifdef __bsdi__
|
||||
char default_device[] = "ef0";
|
||||
# else
|
||||
char default_device[] = "lan0";
|
||||
# endif
|
||||
# endif
|
||||
# endif
|
||||
# endif
|
||||
#else
|
||||
char default_device[] = DEFAULT_DEVICE;
|
||||
#endif
|
||||
|
||||
|
||||
void usage(prog)
|
||||
char *prog;
|
||||
{
|
||||
fprintf(stderr, "Usage: %s [options] <-r filename|-R filename>\n\
|
||||
\t\t-r filename\tsnoop data file to resend\n\
|
||||
\t\t-R filename\tlibpcap data file to resend\n\
|
||||
\toptions:\n\
|
||||
\t\t-d device\tSend out on this device\n\
|
||||
\t\t-g gateway\tIP gateway to use if non-local dest.\n\
|
||||
\t\t-m mtu\t\tfake MTU to use when sending out\n\
|
||||
", prog);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
int main(argc, argv)
|
||||
int argc;
|
||||
char **argv;
|
||||
{
|
||||
struct in_addr gwip;
|
||||
struct ipread *ipr = NULL;
|
||||
char *name = argv[0], *gateway = NULL, *dev = NULL;
|
||||
char c, *resend = NULL;
|
||||
int mtu = 1500;
|
||||
|
||||
while ((c = getopt(argc, argv, "EHPSTXd:g:m:r:")) != -1)
|
||||
switch (c)
|
||||
{
|
||||
case 'd' :
|
||||
dev = optarg;
|
||||
break;
|
||||
case 'g' :
|
||||
gateway = optarg;
|
||||
break;
|
||||
case 'm' :
|
||||
mtu = atoi(optarg);
|
||||
if (mtu < 28)
|
||||
{
|
||||
fprintf(stderr, "mtu must be > 28\n");
|
||||
exit(1);
|
||||
}
|
||||
case 'r' :
|
||||
resend = optarg;
|
||||
break;
|
||||
#ifndef NO_IPF
|
||||
case 'E' :
|
||||
ipr = ðerf;
|
||||
break;
|
||||
case 'H' :
|
||||
ipr = &iphex;
|
||||
break;
|
||||
case 'P' :
|
||||
ipr = &pcap;
|
||||
break;
|
||||
case 'S' :
|
||||
ipr = &snoop;
|
||||
break;
|
||||
case 'T' :
|
||||
ipr = &tcpd;
|
||||
break;
|
||||
case 'X' :
|
||||
ipr = &iptext;
|
||||
break;
|
||||
#endif
|
||||
default :
|
||||
fprintf(stderr, "Unknown option \"%c\"\n", c);
|
||||
usage(name);
|
||||
}
|
||||
|
||||
if (!ipr || !resend)
|
||||
usage(name);
|
||||
|
||||
gwip.s_addr = 0;
|
||||
if (gateway && resolve(gateway, (char *)&gwip) == -1)
|
||||
{
|
||||
fprintf(stderr,"Cant resolve %s\n", gateway);
|
||||
exit(2);
|
||||
}
|
||||
|
||||
if (!dev)
|
||||
dev = default_device;
|
||||
|
||||
printf("Device: %s\n", dev);
|
||||
printf("Gateway: %s\n", inet_ntoa(gwip));
|
||||
printf("mtu: %d\n", mtu);
|
||||
|
||||
return ip_resend(dev, mtu, ipr, gwip, resend);
|
||||
}
|
350
contrib/ipfilter/ipsend/ipsend.c
Normal file
350
contrib/ipfilter/ipsend/ipsend.c
Normal file
@ -0,0 +1,350 @@
|
||||
/*
|
||||
* ipsend.c (C) 1995 Darren Reed
|
||||
*
|
||||
* This was written to test what size TCP fragments would get through
|
||||
* various TCP/IP packet filters, as used in IP firewalls. In certain
|
||||
* conditions, enough of the TCP header is missing for unpredictable
|
||||
* results unless the filter is aware that this can happen.
|
||||
*
|
||||
* The author provides this program as-is, with no gaurantee for its
|
||||
* suitability for any specific purpose. The author takes no responsibility
|
||||
* for the misuse/abuse of this program and provides it for the sole purpose
|
||||
* of testing packet filter policies. This file maybe distributed freely
|
||||
* providing it is not modified and that this notice remains in tact.
|
||||
*
|
||||
* This was written and tested (successfully) on SunOS 4.1.x.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <netdb.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#ifndef linux
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#endif
|
||||
#include "ip_compat.h"
|
||||
#ifdef linux
|
||||
#include <linux/sockios.h>
|
||||
#include "tcpip.h"
|
||||
#endif
|
||||
#include "ipt.h"
|
||||
|
||||
|
||||
extern char *optarg;
|
||||
extern int optind;
|
||||
|
||||
extern int resolve(), optname(), initdevice(), send_packet();
|
||||
|
||||
char options[68];
|
||||
#ifdef linux
|
||||
char default_device[] = "eth0";
|
||||
#else
|
||||
# ifdef sun
|
||||
char default_device[] = "le0";
|
||||
# else
|
||||
# ifdef ultrix
|
||||
char default_device[] = "ln0";
|
||||
# else
|
||||
# ifdef __bsdi__
|
||||
char default_device[] = "ef0";
|
||||
# else
|
||||
char default_device[] = "lan0";
|
||||
# endif
|
||||
# endif
|
||||
# endif
|
||||
#endif
|
||||
|
||||
|
||||
void usage(prog)
|
||||
char *prog;
|
||||
{
|
||||
fprintf(stderr, "Usage: %s [options] dest [flags]\n\
|
||||
\toptions:\n\
|
||||
\t\t-d device\tSend out on this device\n\
|
||||
\t\t-f fragflags\tcan set IP_MF or IP_DF\n\
|
||||
\t\t-g gateway\tIP gateway to use if non-local dest.\n\
|
||||
\t\t-I code,type[,gw[,dst[,src]]]\tSet ICMP protocol\n\
|
||||
\t\t-m mtu\t\tfake MTU to use when sending out\n\
|
||||
\t\t-P protocol\tSet protocol by name\n\
|
||||
\t\t-s src\t\tsource address for IP packet\n\
|
||||
\t\t-T\t\tSet TCP protocol\n\
|
||||
\t\t-t port\t\tdestination port\n\
|
||||
\t\t-U\t\tSet UDP protocol\n\
|
||||
", prog);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
void do_icmp(ip, args)
|
||||
ip_t *ip;
|
||||
char *args;
|
||||
{
|
||||
struct icmp *ic;
|
||||
char *s;
|
||||
|
||||
ip->ip_p = IPPROTO_ICMP;
|
||||
ip->ip_len += sizeof(*ic);
|
||||
ic = (struct icmp *)(ip + 1);
|
||||
bzero((char *)ic, sizeof(*ic));
|
||||
if (!(s = strchr(args, ',')))
|
||||
{
|
||||
fprintf(stderr, "ICMP args missing: ,\n");
|
||||
return;
|
||||
}
|
||||
*s++ = '\0';
|
||||
ic->icmp_type = atoi(args);
|
||||
ic->icmp_code = atoi(s);
|
||||
if (ic->icmp_type == ICMP_REDIRECT && strchr(s, ','))
|
||||
{
|
||||
char *t;
|
||||
|
||||
t = strtok(s, ",");
|
||||
t = strtok(NULL, ",");
|
||||
if (resolve(t, (char *)&ic->icmp_gwaddr) == -1)
|
||||
{
|
||||
fprintf(stderr,"Cant resolve %s\n", t);
|
||||
exit(2);
|
||||
}
|
||||
if ((t = strtok(NULL, ",")))
|
||||
{
|
||||
if (resolve(t, (char *)&ic->icmp_ip.ip_dst) == -1)
|
||||
{
|
||||
fprintf(stderr,"Cant resolve %s\n", t);
|
||||
exit(2);
|
||||
}
|
||||
if ((t = strtok(NULL, ",")))
|
||||
{
|
||||
if (resolve(t,
|
||||
(char *)&ic->icmp_ip.ip_src) == -1)
|
||||
{
|
||||
fprintf(stderr,"Cant resolve %s\n", t);
|
||||
exit(2);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
int send_packets(dev, mtu, ip, gwip)
|
||||
char *dev;
|
||||
int mtu;
|
||||
ip_t *ip;
|
||||
struct in_addr gwip;
|
||||
{
|
||||
u_short sport = 0;
|
||||
int wfd;
|
||||
|
||||
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
|
||||
sport = ((struct tcpiphdr *)ip)->ti_sport;
|
||||
wfd = initdevice(dev, sport, 5);
|
||||
|
||||
return send_packet(wfd, mtu, ip, gwip);
|
||||
}
|
||||
|
||||
|
||||
int main(argc, argv)
|
||||
int argc;
|
||||
char **argv;
|
||||
{
|
||||
struct tcpiphdr *ti;
|
||||
struct in_addr gwip;
|
||||
tcphdr_t *tcp;
|
||||
ip_t *ip;
|
||||
char *name = argv[0], host[64], *gateway = NULL, *dev = NULL;
|
||||
char *src = NULL, *dst, c, *s;
|
||||
int mtu = 1500, olen = 0;
|
||||
|
||||
/*
|
||||
* 65535 is maximum packet size...you never know...
|
||||
*/
|
||||
ip = (ip_t *)calloc(1, 65536);
|
||||
ti = (struct tcpiphdr *)ip;
|
||||
tcp = (tcphdr_t *)&ti->ti_sport;
|
||||
ip->ip_len = sizeof(*ip);
|
||||
ip->ip_hl = sizeof(*ip) >> 2;
|
||||
|
||||
while ((c = getopt(argc, argv, "IP:TUd:f:g:m:o:s:t:")) != -1)
|
||||
switch (c)
|
||||
{
|
||||
case 'I' :
|
||||
if (ip->ip_p)
|
||||
{
|
||||
fprintf(stderr, "Protocol already set: %d\n",
|
||||
ip->ip_p);
|
||||
break;
|
||||
}
|
||||
do_icmp(ip, optarg);
|
||||
break;
|
||||
case 'P' :
|
||||
{
|
||||
struct protoent *p;
|
||||
|
||||
if (ip->ip_p)
|
||||
{
|
||||
fprintf(stderr, "Protocol already set: %d\n",
|
||||
ip->ip_p);
|
||||
break;
|
||||
}
|
||||
if ((p = getprotobyname(optarg)))
|
||||
ip->ip_p = p->p_proto;
|
||||
else
|
||||
fprintf(stderr, "Unknown protocol: %s\n",
|
||||
optarg);
|
||||
break;
|
||||
}
|
||||
case 'T' :
|
||||
if (ip->ip_p)
|
||||
{
|
||||
fprintf(stderr, "Protocol already set: %d\n",
|
||||
ip->ip_p);
|
||||
break;
|
||||
}
|
||||
ip->ip_p = IPPROTO_TCP;
|
||||
ip->ip_len += sizeof(tcphdr_t);
|
||||
break;
|
||||
case 'U' :
|
||||
if (ip->ip_p)
|
||||
{
|
||||
fprintf(stderr, "Protocol already set: %d\n",
|
||||
ip->ip_p);
|
||||
break;
|
||||
}
|
||||
ip->ip_p = IPPROTO_UDP;
|
||||
ip->ip_len += sizeof(udphdr_t);
|
||||
break;
|
||||
case 'd' :
|
||||
dev = optarg;
|
||||
break;
|
||||
case 'f' :
|
||||
ip->ip_off = strtol(optarg, NULL, 0);
|
||||
break;
|
||||
case 'g' :
|
||||
gateway = optarg;
|
||||
break;
|
||||
case 'm' :
|
||||
mtu = atoi(optarg);
|
||||
if (mtu < 28)
|
||||
{
|
||||
fprintf(stderr, "mtu must be > 28\n");
|
||||
exit(1);
|
||||
}
|
||||
break;
|
||||
case 'o' :
|
||||
olen = optname(optarg, options);
|
||||
break;
|
||||
case 's' :
|
||||
src = optarg;
|
||||
break;
|
||||
case 't' :
|
||||
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
|
||||
tcp->th_dport = htons(atoi(optarg));
|
||||
break;
|
||||
case 'w' :
|
||||
if (ip->ip_p == IPPROTO_TCP)
|
||||
tcp->th_win = atoi(optarg);
|
||||
else
|
||||
fprintf(stderr, "set protocol to TCP first\n");
|
||||
break;
|
||||
default :
|
||||
fprintf(stderr, "Unknown option \"%c\"\n", c);
|
||||
usage(name);
|
||||
}
|
||||
|
||||
if (argc - optind < 2)
|
||||
usage(name);
|
||||
dst = argv[optind++];
|
||||
|
||||
if (!src)
|
||||
{
|
||||
gethostname(host, sizeof(host));
|
||||
src = host;
|
||||
}
|
||||
|
||||
if (resolve(src, (char *)&ip->ip_src) == -1)
|
||||
{
|
||||
fprintf(stderr,"Cant resolve %s\n", src);
|
||||
exit(2);
|
||||
}
|
||||
|
||||
if (resolve(dst, (char *)&ip->ip_dst) == -1)
|
||||
{
|
||||
fprintf(stderr,"Cant resolve %s\n", dst);
|
||||
exit(2);
|
||||
}
|
||||
|
||||
if (!gateway)
|
||||
gwip = ip->ip_dst;
|
||||
else if (resolve(gateway, (char *)&gwip) == -1)
|
||||
{
|
||||
fprintf(stderr,"Cant resolve %s\n", gateway);
|
||||
exit(2);
|
||||
}
|
||||
|
||||
if (ip->ip_p == IPPROTO_TCP)
|
||||
for (s = argv[optind]; (c = *s); s++)
|
||||
switch(c)
|
||||
{
|
||||
case 'S' : case 's' :
|
||||
tcp->th_flags |= TH_SYN;
|
||||
break;
|
||||
case 'A' : case 'a' :
|
||||
tcp->th_flags |= TH_ACK;
|
||||
break;
|
||||
case 'F' : case 'f' :
|
||||
tcp->th_flags |= TH_FIN;
|
||||
break;
|
||||
case 'R' : case 'r' :
|
||||
tcp->th_flags |= TH_RST;
|
||||
break;
|
||||
case 'P' : case 'p' :
|
||||
tcp->th_flags |= TH_PUSH;
|
||||
break;
|
||||
case 'U' : case 'u' :
|
||||
tcp->th_flags |= TH_URG;
|
||||
break;
|
||||
}
|
||||
|
||||
if (!dev)
|
||||
dev = default_device;
|
||||
printf("Device: %s\n", dev);
|
||||
printf("Source: %s\n", inet_ntoa(ip->ip_src));
|
||||
printf("Dest: %s\n", inet_ntoa(ip->ip_dst));
|
||||
printf("Gateway: %s\n", inet_ntoa(gwip));
|
||||
if (ip->ip_p == IPPROTO_TCP && tcp->th_flags)
|
||||
printf("Flags: %#x\n", tcp->th_flags);
|
||||
printf("mtu: %d\n", mtu);
|
||||
|
||||
if (olen)
|
||||
{
|
||||
printf("Options: %d\n", olen);
|
||||
ti = (struct tcpiphdr *)malloc(olen + ip->ip_len);
|
||||
bcopy((char *)ip, (char *)ti, sizeof(*ip));
|
||||
ip = (ip_t *)ti;
|
||||
ip->ip_hl += (olen >> 2);
|
||||
bcopy(options, (char *)(ip + 1), olen);
|
||||
bcopy((char *)tcp, (char *)(ip + 1) + olen, sizeof(*tcp));
|
||||
tcp = (tcphdr_t *)((char *)(ip + 1) + olen);
|
||||
ip->ip_len += olen;
|
||||
}
|
||||
|
||||
#ifdef DOSOCKET
|
||||
if (tcp->th_dport)
|
||||
return do_socket(dev, mtu, ti, gwip);
|
||||
#endif
|
||||
return send_packets(dev, mtu, ti, gwip);
|
||||
}
|
111
contrib/ipfilter/ipsend/ipsopt.c
Normal file
111
contrib/ipfilter/ipsend/ipsopt.c
Normal file
@ -0,0 +1,111 @@
|
||||
/*
|
||||
* (C)opyright 1995 by Darren Reed.
|
||||
*
|
||||
* This code may be freely distributed as long as it retains this notice
|
||||
* and is not changed in any way. The author accepts no responsibility
|
||||
* for the use of this software. I hate legaleese, don't you ?
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include "ip_compat.h"
|
||||
|
||||
struct ipopt_names {
|
||||
int on_value;
|
||||
int on_bit;
|
||||
int on_siz;
|
||||
char *on_name;
|
||||
};
|
||||
|
||||
struct ipopt_names ionames[] = {
|
||||
{ IPOPT_EOL, 0x01, 1, "eol" },
|
||||
{ IPOPT_NOP, 0x02, 1, "nop" },
|
||||
{ IPOPT_RR, 0x04, 7, "rr" }, /* 1 route */
|
||||
{ IPOPT_TS, 0x08, 8, "ts" }, /* 1 TS */
|
||||
{ IPOPT_SECURITY, 0x08, 11, "sec-level" },
|
||||
{ IPOPT_LSRR, 0x10, 7, "lsrr" }, /* 1 route */
|
||||
{ IPOPT_SATID, 0x20, 4, "satid" },
|
||||
{ IPOPT_SSRR, 0x40, 7, "ssrr" }, /* 1 route */
|
||||
{ 0, 0, 0, NULL } /* must be last */
|
||||
};
|
||||
|
||||
struct ipopt_names secnames[] = {
|
||||
{ IPOPT_SECUR_UNCLASS, 0x0100, 0, "unclass" },
|
||||
{ IPOPT_SECUR_CONFID, 0x0200, 0, "confid" },
|
||||
{ IPOPT_SECUR_EFTO, 0x0400, 0, "efto" },
|
||||
{ IPOPT_SECUR_MMMM, 0x0800, 0, "mmmm" },
|
||||
{ IPOPT_SECUR_RESTR, 0x1000, 0, "restr" },
|
||||
{ IPOPT_SECUR_SECRET, 0x2000, 0, "secret" },
|
||||
{ IPOPT_SECUR_TOPSECRET, 0x4000,0, "topsecret" },
|
||||
{ 0, 0, 0, NULL } /* must be last */
|
||||
};
|
||||
|
||||
|
||||
u_short seclevel(slevel)
|
||||
char *slevel;
|
||||
{
|
||||
struct ipopt_names *so;
|
||||
|
||||
for (so = secnames; so->on_name; so++)
|
||||
if (!strcasecmp(slevel, so->on_name))
|
||||
break;
|
||||
|
||||
if (!so->on_name) {
|
||||
fprintf(stderr, "no such security level: %s\n", slevel);
|
||||
return 0;
|
||||
}
|
||||
return so->on_value;
|
||||
}
|
||||
|
||||
|
||||
u_long optname(cp, op)
|
||||
char *cp, *op;
|
||||
{
|
||||
struct ipopt_names *io;
|
||||
u_short lvl;
|
||||
u_long msk = 0;
|
||||
char *s, *t;
|
||||
int len = 0;
|
||||
|
||||
for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
|
||||
if ((t = strchr(s, '=')))
|
||||
*t++ = '\0';
|
||||
for (io = ionames; io->on_name; io++) {
|
||||
if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
|
||||
continue;
|
||||
if ((len + io->on_siz) > 48) {
|
||||
fprintf(stderr, "options too long\n");
|
||||
return 0;
|
||||
}
|
||||
len += io->on_siz;
|
||||
*op++ = io->on_value;
|
||||
if (io->on_siz > 1) {
|
||||
*op++ = io->on_siz;
|
||||
*op++ = IPOPT_MINOFF;
|
||||
|
||||
if (t && !strcasecmp(s, "sec-level")) {
|
||||
lvl = seclevel(t);
|
||||
bcopy(&lvl, op, sizeof(lvl));
|
||||
}
|
||||
op += io->on_siz - 3;
|
||||
}
|
||||
msk |= io->on_bit;
|
||||
break;
|
||||
}
|
||||
if (!io->on_name) {
|
||||
fprintf(stderr, "unknown IP option name %s\n", s);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
*op++ = IPOPT_EOL;
|
||||
len++;
|
||||
return len;
|
||||
}
|
211
contrib/ipfilter/ipsend/iptest.c
Normal file
211
contrib/ipfilter/ipsend/iptest.c
Normal file
@ -0,0 +1,211 @@
|
||||
/*
|
||||
* ipsend.c (C) 1995 Darren Reed
|
||||
*
|
||||
* This was written to test what size TCP fragments would get through
|
||||
* various TCP/IP packet filters, as used in IP firewalls. In certain
|
||||
* conditions, enough of the TCP header is missing for unpredictable
|
||||
* results unless the filter is aware that this can happen.
|
||||
*
|
||||
* The author provides this program as-is, with no gaurantee for its
|
||||
* suitability for any specific purpose. The author takes no responsibility
|
||||
* for the misuse/abuse of this program and provides it for the sole purpose
|
||||
* of testing packet filter policies. This file maybe distributed freely
|
||||
* providing it is not modified and that this notice remains in tact.
|
||||
*
|
||||
* This was written and tested (successfully) on SunOS 4.1.x.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "%W% %G% (C)1995 Darren Reed";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <unistd.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#ifndef linux
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#endif
|
||||
#include "ip_compat.h"
|
||||
#ifdef linux
|
||||
#include <linux/sockios.h>
|
||||
#include "tcpip.h"
|
||||
#endif
|
||||
#include "ipt.h"
|
||||
|
||||
|
||||
extern char *optarg;
|
||||
extern int optind;
|
||||
|
||||
extern int initdevice(), resolve();
|
||||
extern int ip_test1(), ip_test2(), ip_test3(), ip_test4(), ip_test5();
|
||||
extern int ip_test6(), ip_test7();
|
||||
|
||||
char options[68];
|
||||
#ifdef linux
|
||||
char default_device[] = "eth0";
|
||||
#else
|
||||
# ifdef sun
|
||||
char default_device[] = "le0";
|
||||
# else
|
||||
# ifdef ultrix
|
||||
char default_device[] = "ln0";
|
||||
# else
|
||||
# ifdef __bsdi__
|
||||
char default_device[] = "ef0";
|
||||
# else
|
||||
char default_device[] = "lan0";
|
||||
# endif
|
||||
# endif
|
||||
# endif
|
||||
#endif
|
||||
|
||||
|
||||
void usage(prog)
|
||||
char *prog;
|
||||
{
|
||||
fprintf(stderr, "Usage: %s [options] dest\n\
|
||||
\toptions:\n\
|
||||
\t\t-d device\tSend out on this device\n\
|
||||
\t\t-g gateway\tIP gateway to use if non-local dest.\n\
|
||||
\t\t-m mtu\t\tfake MTU to use when sending out\n\
|
||||
\t\t-p pointtest\t\n\
|
||||
\t\t-s src\t\tsource address for IP packet\n\
|
||||
\t\t-1 \t\tPerform test 1 (IP header)\n\
|
||||
\t\t-2 \t\tPerform test 2 (IP options)\n\
|
||||
\t\t-3 \t\tPerform test 3 (ICMP)\n\
|
||||
\t\t-4 \t\tPerform test 4 (UDP)\n\
|
||||
\t\t-5 \t\tPerform test 5 (TCP)\n\
|
||||
\t\t-6 \t\tPerform test 6 (overlapping fragments)\n\
|
||||
\t\t-7 \t\tPerform test 7 (random packets)\n\
|
||||
", prog);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
int main(argc, argv)
|
||||
int argc;
|
||||
char **argv;
|
||||
{
|
||||
struct tcpiphdr *ti;
|
||||
struct in_addr gwip;
|
||||
ip_t *ip;
|
||||
char *name = argv[0], host[64], *gateway = NULL, *dev = NULL;
|
||||
char *src = NULL, *dst, c;
|
||||
int mtu = 1500, tests = 0, pointtest = 0;
|
||||
|
||||
/*
|
||||
* 65535 is maximum packet size...you never know...
|
||||
*/
|
||||
ip = (ip_t *)calloc(1, 65536);
|
||||
ti = (struct tcpiphdr *)ip;
|
||||
ip->ip_len = sizeof(*ip);
|
||||
ip->ip_hl = sizeof(*ip) >> 2;
|
||||
|
||||
while ((c = getopt(argc, argv, "1234567IP:TUd:f:g:m:o:p:s:t:")) != -1)
|
||||
switch (c)
|
||||
{
|
||||
case '1' :
|
||||
case '2' :
|
||||
case '3' :
|
||||
case '4' :
|
||||
case '5' :
|
||||
case '6' :
|
||||
case '7' :
|
||||
tests = c - '0';
|
||||
break;
|
||||
case 'd' :
|
||||
dev = optarg;
|
||||
break;
|
||||
case 'g' :
|
||||
gateway = optarg;
|
||||
break;
|
||||
case 'm' :
|
||||
mtu = atoi(optarg);
|
||||
if (mtu < 28)
|
||||
{
|
||||
fprintf(stderr, "mtu must be > 28\n");
|
||||
exit(1);
|
||||
}
|
||||
break;
|
||||
case 'p' :
|
||||
pointtest = atoi(optarg);
|
||||
break;
|
||||
case 's' :
|
||||
src = optarg;
|
||||
break;
|
||||
default :
|
||||
fprintf(stderr, "Unknown option \"%c\"\n", c);
|
||||
usage(name);
|
||||
}
|
||||
|
||||
if (argc - optind < 2 && !tests)
|
||||
usage(name);
|
||||
dst = argv[optind++];
|
||||
|
||||
if (!src)
|
||||
{
|
||||
gethostname(host, sizeof(host));
|
||||
src = host;
|
||||
}
|
||||
|
||||
if (resolve(dst, (char *)&ip->ip_dst) == -1)
|
||||
{
|
||||
fprintf(stderr,"Cant resolve %s\n", dst);
|
||||
exit(2);
|
||||
}
|
||||
|
||||
if (resolve(src, (char *)&ip->ip_src) == -1)
|
||||
{
|
||||
fprintf(stderr,"Cant resolve %s\n", src);
|
||||
exit(2);
|
||||
}
|
||||
|
||||
if (!gateway)
|
||||
gwip = ip->ip_dst;
|
||||
else if (resolve(gateway, (char *)&gwip) == -1)
|
||||
{
|
||||
fprintf(stderr,"Cant resolve %s\n", gateway);
|
||||
exit(2);
|
||||
}
|
||||
|
||||
|
||||
if (!dev)
|
||||
dev = default_device;
|
||||
printf("Device: %s\n", dev);
|
||||
printf("Source: %s\n", inet_ntoa(ip->ip_src));
|
||||
printf("Dest: %s\n", inet_ntoa(ip->ip_dst));
|
||||
printf("Gateway: %s\n", inet_ntoa(gwip));
|
||||
printf("mtu: %d\n", mtu);
|
||||
|
||||
switch (tests)
|
||||
{
|
||||
case 1 :
|
||||
return ip_test1(dev, mtu, ti, gwip, pointtest);
|
||||
case 2 :
|
||||
return ip_test2(dev, mtu, ti, gwip, pointtest);
|
||||
case 3 :
|
||||
return ip_test3(dev, mtu, ti, gwip, pointtest);
|
||||
case 4 :
|
||||
return ip_test4(dev, mtu, ti, gwip, pointtest);
|
||||
case 5 :
|
||||
return ip_test5(dev, mtu, ti, gwip, pointtest);
|
||||
case 6 :
|
||||
return ip_test6(dev, mtu, ti, gwip, pointtest);
|
||||
case 7 :
|
||||
return ip_test7(dev, mtu, ti, gwip, pointtest);
|
||||
default :
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
1296
contrib/ipfilter/ipsend/iptests.c
Normal file
1296
contrib/ipfilter/ipsend/iptests.c
Normal file
File diff suppressed because it is too large
Load Diff
85
contrib/ipfilter/ipsend/larp.c
Normal file
85
contrib/ipfilter/ipsend/larp.c
Normal file
@ -0,0 +1,85 @@
|
||||
/*
|
||||
* larp.c (C) 1995 Darren Reed
|
||||
*
|
||||
* The author provides this program as-is, with no gaurantee for its
|
||||
* suitability for any specific purpose. The author takes no responsibility
|
||||
* for the misuse/abuse of this program and provides it for the sole purpose
|
||||
* of testing packet filter policies. This file maybe distributed freely
|
||||
* providing it is not modified and that this notice remains in tact.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)larp.c 1.1 8/19/95 (C)1995 Darren Reed";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <netdb.h>
|
||||
#include <netinet/in.h>
|
||||
#include <net/if.h>
|
||||
#include <net/if_arp.h>
|
||||
|
||||
/*
|
||||
* lookup host and return
|
||||
* its IP address in address
|
||||
* (4 bytes)
|
||||
*/
|
||||
int resolve(host, address)
|
||||
char *host, *address;
|
||||
{
|
||||
struct hostent *hp;
|
||||
u_long add;
|
||||
|
||||
add = inet_addr(host);
|
||||
if (add == -1)
|
||||
{
|
||||
if (!(hp = gethostbyname(host)))
|
||||
{
|
||||
fprintf(stderr, "unknown host: %s\n", host);
|
||||
return -1;
|
||||
}
|
||||
bcopy((char *)hp->h_addr, (char *)address, 4);
|
||||
return 0;
|
||||
}
|
||||
bcopy((char*)&add, address, 4);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* ARP for the MAC address corresponding
|
||||
* to the IP address. This taken from
|
||||
* some BSD program, I cant remember which.
|
||||
*/
|
||||
int arp(ip, ether)
|
||||
char *ip;
|
||||
char *ether;
|
||||
{
|
||||
static int s = -1;
|
||||
struct arpreq ar;
|
||||
struct sockaddr_in *sin;
|
||||
char *inet_ntoa();
|
||||
|
||||
bzero((char *)&ar, sizeof(ar));
|
||||
sin = (struct sockaddr_in *)&ar.arp_pa;
|
||||
sin->sin_family = AF_INET;
|
||||
bcopy(ip, (char *)&sin->sin_addr.s_addr, 4);
|
||||
|
||||
if (s == -1)
|
||||
if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
|
||||
{
|
||||
perror("arp: socket");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (ioctl(s, SIOCGARP, (caddr_t)&ar) == -1)
|
||||
{
|
||||
fprintf(stderr, "(%s):", inet_ntoa(sin->sin_addr));
|
||||
if (errno != ENXIO)
|
||||
perror("SIOCGARP");
|
||||
return -1;
|
||||
}
|
||||
|
||||
bcopy(ar.arp_ha.sa_data, ether, 6);
|
||||
return 0;
|
||||
}
|
17
contrib/ipfilter/ipsend/linux.h
Normal file
17
contrib/ipfilter/ipsend/linux.h
Normal file
@ -0,0 +1,17 @@
|
||||
/*
|
||||
* (C)opyright 1995 by Darren Reed.
|
||||
*
|
||||
* This code may be freely distributed as long as it retains this notice
|
||||
* and is not changed in any way. The author accepts no responsibility
|
||||
* for the use of this software. I hate legaleese, don't you ?
|
||||
*
|
||||
* @(#)linux.h 1.1 8/19/95
|
||||
*/
|
||||
|
||||
#include <linux/config.h>
|
||||
#ifdef MODULE
|
||||
#include <linux/module.h>
|
||||
#include <linux/version.h>
|
||||
#endif /* MODULE */
|
||||
|
||||
#include "ip_compat.h"
|
261
contrib/ipfilter/ipsend/lsock.c
Normal file
261
contrib/ipfilter/ipsend/lsock.c
Normal file
@ -0,0 +1,261 @@
|
||||
/*
|
||||
* lsock.c (C) 1995 Darren Reed
|
||||
*
|
||||
* The author provides this program as-is, with no gaurantee for its
|
||||
* suitability for any specific purpose. The author takes no responsibility
|
||||
* for the misuse/abuse of this program and provides it for the sole purpose
|
||||
* of testing packet filter policies. This file maybe distributed freely
|
||||
* providing it is not modified and that this notice remains in tact.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <stddef.h>
|
||||
#include <pwd.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include <sys/dir.h>
|
||||
#define __KERNEL__
|
||||
#if LINUX >= 0200
|
||||
# undef UINT_MAX
|
||||
# undef INT_MAX
|
||||
# undef ULONG_MAX
|
||||
# undef LONG_MAX
|
||||
# include <linux/notifier.h>
|
||||
#endif
|
||||
#include <linux/fs.h>
|
||||
#if LINUX >= 0200
|
||||
#include "linux/netdevice.h"
|
||||
#include "net/sock.h"
|
||||
#endif
|
||||
#undef __KERNEL__
|
||||
#include <linux/sched.h>
|
||||
#include <linux/netdevice.h>
|
||||
#include <nlist.h>
|
||||
#include <sys/user.h>
|
||||
#include <sys/socket.h>
|
||||
#include <math.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <net/if.h>
|
||||
#if LINUX < 0103
|
||||
#include <net/inet/sock.h>
|
||||
#endif
|
||||
#include "ip_compat.h"
|
||||
#include "tcpip.h"
|
||||
|
||||
int nproc;
|
||||
struct task_struct *proc;
|
||||
|
||||
#ifndef KMEM
|
||||
# ifdef _PATH_KMEM
|
||||
# define KMEM _PATH_KMEM
|
||||
# endif
|
||||
#endif
|
||||
#ifndef KMEM
|
||||
# define KMEM "/dev/kmem"
|
||||
#endif
|
||||
#ifndef KERNEL
|
||||
# define KERNEL "/System.map"
|
||||
#endif
|
||||
|
||||
int kmemcpy(buf, pos, n)
|
||||
char *buf;
|
||||
void *pos;
|
||||
int n;
|
||||
{
|
||||
static int kfd = -1;
|
||||
|
||||
if (kfd == -1)
|
||||
kfd = open(KMEM, O_RDONLY);
|
||||
|
||||
if (lseek(kfd, (off_t)pos, SEEK_SET) == -1)
|
||||
{
|
||||
perror("lseek");
|
||||
return -1;
|
||||
}
|
||||
if (read(kfd, buf, n) == -1)
|
||||
{
|
||||
perror("read");
|
||||
return -1;
|
||||
}
|
||||
return n;
|
||||
}
|
||||
|
||||
struct nlist names[3] = {
|
||||
{ "_task" },
|
||||
{ "_nr_tasks" },
|
||||
{ NULL }
|
||||
};
|
||||
|
||||
struct task_struct *getproc()
|
||||
{
|
||||
struct task_struct *p, **pp;
|
||||
void *v;
|
||||
pid_t pid = getpid();
|
||||
int siz, n;
|
||||
|
||||
n = nlist(KERNEL, names);
|
||||
if (n != 0)
|
||||
{
|
||||
fprintf(stderr, "nlist(%#x) == %d\n", names, n);
|
||||
return NULL;
|
||||
}
|
||||
if (kmemcpy((char *)&nproc, (void *)names[1].n_value,
|
||||
sizeof(nproc)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read nproc (%#x)\n", names[1].n_value);
|
||||
return NULL;
|
||||
}
|
||||
siz = nproc * sizeof(struct task_struct *);
|
||||
if (kmemcpy((char *)&v, (void *)names[0].n_value, sizeof(v)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#x,%#x,%d) proc\n",
|
||||
names[0].n_value, &v, sizeof(v));
|
||||
return NULL;
|
||||
}
|
||||
pp = (struct task_struct **)malloc(siz);
|
||||
if (kmemcpy((char *)pp, (void *)v, siz) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#x,%#x,%d) proc\n",
|
||||
v, pp, siz);
|
||||
return NULL;
|
||||
}
|
||||
proc = (struct task_struct *)malloc(siz);
|
||||
for (n = 0; n < NR_TASKS; n++)
|
||||
{
|
||||
if (kmemcpy((char *)(proc + n), (void *)pp[n],
|
||||
sizeof(*proc)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#x,%#x,%d) proc\n",
|
||||
pp[n], proc + n, sizeof(*proc));
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
p = proc;
|
||||
|
||||
for (n = NR_TASKS; n; n--, p++)
|
||||
if (p->pid == pid)
|
||||
break;
|
||||
if (!n)
|
||||
return NULL;
|
||||
|
||||
return p;
|
||||
}
|
||||
|
||||
|
||||
struct sock *find_tcp(fd, ti)
|
||||
int fd;
|
||||
struct tcpiphdr *ti;
|
||||
{
|
||||
struct sock *s;
|
||||
struct inode *i;
|
||||
struct files_struct *fs;
|
||||
struct task_struct *p;
|
||||
struct file *f, **o;
|
||||
|
||||
if (!(p = getproc()))
|
||||
return NULL;
|
||||
|
||||
fs = p->files;
|
||||
o = (struct file **)calloc(1, sizeof(*o) * (fs->count + 1));
|
||||
if (kmemcpy((char *)o, (void *)fs->fd,
|
||||
(fs->count + 1) * sizeof(*o)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#x,%#x,%d) - fd - failed\n",
|
||||
fs->fd, o, sizeof(*o));
|
||||
return NULL;
|
||||
}
|
||||
f = (struct file *)calloc(1, sizeof(*f));
|
||||
if (kmemcpy((char *)f, (void *)o[fd], sizeof(*f)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#x,%#x,%d) - o[fd] - failed\n",
|
||||
o[fd], f, sizeof(*f));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
i = (struct inode *)calloc(1, sizeof(*i));
|
||||
if (kmemcpy((char *)i, (void *)f->f_inode, sizeof(*i)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#x,%#x,%d) - f_inode - failed\n",
|
||||
f->f_inode, i, sizeof(*i));
|
||||
return NULL;
|
||||
}
|
||||
return i->u.socket_i.data;
|
||||
}
|
||||
|
||||
int do_socket(dev, mtu, ti, gwip, flags)
|
||||
char *dev;
|
||||
int mtu;
|
||||
struct tcpiphdr *ti;
|
||||
struct in_addr gwip;
|
||||
int flags;
|
||||
{
|
||||
struct sockaddr_in rsin, lsin;
|
||||
struct sock *s, sk;
|
||||
int fd, nfd, len;
|
||||
|
||||
printf("Dest. Port: %d\n", ti->ti_dport);
|
||||
|
||||
fd = socket(AF_INET, SOCK_STREAM, 0);
|
||||
if (fd == -1)
|
||||
{
|
||||
perror("socket");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (fcntl(fd, F_SETFL, FNDELAY) == -1)
|
||||
{
|
||||
perror("fcntl");
|
||||
return -1;
|
||||
}
|
||||
|
||||
bzero((char *)&lsin, sizeof(lsin));
|
||||
lsin.sin_family = AF_INET;
|
||||
bcopy((char *)&ti->ti_src, (char *)&lsin.sin_addr,
|
||||
sizeof(struct in_addr));
|
||||
if (bind(fd, (struct sockaddr *)&lsin, sizeof(lsin)) == -1)
|
||||
{
|
||||
perror("bind");
|
||||
return -1;
|
||||
}
|
||||
len = sizeof(lsin);
|
||||
(void) getsockname(fd, (struct sockaddr *)&lsin, &len);
|
||||
ti->ti_sport = lsin.sin_port;
|
||||
printf("sport %d\n", ntohs(lsin.sin_port));
|
||||
nfd = initdevice(dev, ntohs(lsin.sin_port));
|
||||
|
||||
if (!(s = find_tcp(fd, ti)))
|
||||
return -1;
|
||||
|
||||
bzero((char *)&rsin, sizeof(rsin));
|
||||
rsin.sin_family = AF_INET;
|
||||
bcopy((char *)&ti->ti_dst, (char *)&rsin.sin_addr,
|
||||
sizeof(struct in_addr));
|
||||
rsin.sin_port = ti->ti_dport;
|
||||
if (connect(fd, (struct sockaddr *)&rsin, sizeof(rsin)) == -1 &&
|
||||
errno != EINPROGRESS)
|
||||
{
|
||||
perror("connect");
|
||||
return -1;
|
||||
}
|
||||
kmemcpy((char*)&sk, (void *)s, sizeof(sk));
|
||||
ti->ti_win = sk.window;
|
||||
ti->ti_seq = sk.sent_seq - 1;
|
||||
ti->ti_ack = sk.rcv_ack_seq;
|
||||
|
||||
if (send_tcp(nfd, mtu, ti, gwip, TH_SYN) == -1)
|
||||
return -1;
|
||||
(void)write(fd, "Hello World\n", 12);
|
||||
sleep(2);
|
||||
close(fd);
|
||||
return 0;
|
||||
}
|
130
contrib/ipfilter/ipsend/resend.c
Normal file
130
contrib/ipfilter/ipsend/resend.c
Normal file
@ -0,0 +1,130 @@
|
||||
/*
|
||||
* resend.c (C) 1995 Darren Reed
|
||||
*
|
||||
* This was written to test what size TCP fragments would get through
|
||||
* various TCP/IP packet filters, as used in IP firewalls. In certain
|
||||
* conditions, enough of the TCP header is missing for unpredictable
|
||||
* results unless the filter is aware that this can happen.
|
||||
*
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/socket.h>
|
||||
#include <net/if.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#ifndef linux
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <netinet/if_ether.h>
|
||||
#endif
|
||||
#include "ip_compat.h"
|
||||
#ifdef linux
|
||||
#include <linux/sockios.h>
|
||||
#include "tcpip.h"
|
||||
#endif
|
||||
#include "ipt.h"
|
||||
|
||||
|
||||
static u_char buf[65536]; /* 1 big packet */
|
||||
|
||||
extern int initdevice(), arp(), sendip();
|
||||
|
||||
void printpacket(ip)
|
||||
ip_t *ip;
|
||||
{
|
||||
tcphdr_t *t;
|
||||
int i, j;
|
||||
|
||||
t = (tcphdr_t *)((char *)ip + (ip->ip_hl << 2));
|
||||
if (ip->ip_tos)
|
||||
printf("tos %#x ", ip->ip_tos);
|
||||
if (ip->ip_off & 0x3fff)
|
||||
printf("frag @%#x ", (ip->ip_off & 0x1fff) << 3);
|
||||
printf("len %d id %d ", ip->ip_len, ip->ip_id);
|
||||
printf("ttl %d p %d src %s", ip->ip_ttl, ip->ip_p,
|
||||
inet_ntoa(ip->ip_src));
|
||||
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
|
||||
printf(",%d", t->th_sport);
|
||||
printf(" dst %s", inet_ntoa(ip->ip_dst));
|
||||
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
|
||||
printf(",%d", t->th_dport);
|
||||
if (ip->ip_p == IPPROTO_TCP) {
|
||||
printf(" seq %lu:%lu flags ",
|
||||
(u_long)t->th_seq, (u_long)t->th_ack);
|
||||
for (j = 0, i = 1; i < 256; i *= 2, j++)
|
||||
if (t->th_flags & i)
|
||||
printf("%c", "FSRPAU--"[j]);
|
||||
}
|
||||
putchar('\n');
|
||||
}
|
||||
|
||||
|
||||
int ip_resend(dev, mtu, r, gwip, datain)
|
||||
char *dev;
|
||||
int mtu;
|
||||
struct in_addr gwip;
|
||||
struct ipread *r;
|
||||
char *datain;
|
||||
{
|
||||
ether_header_t *eh;
|
||||
char dhost[6];
|
||||
ip_t *ip;
|
||||
int fd, wfd = initdevice(dev, 0, 5), len, i;
|
||||
|
||||
if (datain)
|
||||
fd = (*r->r_open)(datain);
|
||||
else
|
||||
fd = (*r->r_open)("-");
|
||||
|
||||
if (fd < 0)
|
||||
exit(-1);
|
||||
|
||||
ip = (struct ip *)buf;
|
||||
eh = (ether_header_t *)malloc(sizeof(*eh));
|
||||
|
||||
bzero(&eh->ether_shost, sizeof(eh->ether_shost));
|
||||
if (gwip.s_addr && (arp((char *)&gwip, dhost) == -1))
|
||||
{
|
||||
perror("arp");
|
||||
return -2;
|
||||
}
|
||||
|
||||
while ((i = (*r->r_readip)(buf, sizeof(buf), NULL, NULL)) > 0)
|
||||
{
|
||||
len = ntohs(ip->ip_len);
|
||||
eh = (ether_header_t *)realloc((char *)eh, sizeof(*eh) + len);
|
||||
eh->ether_type = htons((u_short)ETHERTYPE_IP);
|
||||
if (!gwip.s_addr) {
|
||||
if (arp((char *)&gwip,
|
||||
(char *)&eh->ether_dhost) == -1) {
|
||||
perror("arp");
|
||||
continue;
|
||||
}
|
||||
} else
|
||||
bcopy(dhost, (char *)&eh->ether_dhost, sizeof(dhost));
|
||||
bcopy(ip, (char *)(eh + 1), len);
|
||||
printpacket(ip);
|
||||
|
||||
if (sendip(wfd, eh, sizeof(*eh) + len) == -1)
|
||||
{
|
||||
perror("send_packet");
|
||||
break;
|
||||
}
|
||||
}
|
||||
(*r->r_close)();
|
||||
return 0;
|
||||
}
|
136
contrib/ipfilter/ipsend/sbpf.c
Normal file
136
contrib/ipfilter/ipsend/sbpf.c
Normal file
@ -0,0 +1,136 @@
|
||||
/*
|
||||
* (C)opyright October 1995 Darren Reed. (from tcplog)
|
||||
*
|
||||
* This software may be freely distributed as long as it is not altered
|
||||
* in any way and that this messagge always accompanies it.
|
||||
*
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <stdlib.h>
|
||||
#include <ctype.h>
|
||||
#include <signal.h>
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/mbuf.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/timeb.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#if BSD < 199103
|
||||
#include <sys/fcntlcom.h>
|
||||
#endif
|
||||
#include <sys/dir.h>
|
||||
#include <net/bpf.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/if_ether.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/udp_var.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sbpf[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
|
||||
#endif
|
||||
|
||||
/*
|
||||
* the code herein is dervied from libpcap.
|
||||
*/
|
||||
static u_char *buf = NULL;
|
||||
static int bufsize = 0, timeout = 1;
|
||||
|
||||
|
||||
int initdevice(device, sport, tout)
|
||||
char *device;
|
||||
int sport, tout;
|
||||
{
|
||||
struct bpf_version bv;
|
||||
struct timeval to;
|
||||
struct ifreq ifr;
|
||||
char bpfname[16];
|
||||
int fd, i;
|
||||
|
||||
for (i = 0; i < 16; i++)
|
||||
{
|
||||
(void) sprintf(bpfname, "/dev/bpf%d", i);
|
||||
if ((fd = open(bpfname, O_RDWR)) >= 0)
|
||||
break;
|
||||
}
|
||||
if (i == 16)
|
||||
{
|
||||
fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0)
|
||||
{
|
||||
perror("BIOCVERSION");
|
||||
return -1;
|
||||
}
|
||||
if (bv.bv_major != BPF_MAJOR_VERSION ||
|
||||
bv.bv_minor < BPF_MINOR_VERSION)
|
||||
{
|
||||
fprintf(stderr, "kernel bpf (v%d.%d) filter out of date:\n",
|
||||
bv.bv_major, bv.bv_minor);
|
||||
fprintf(stderr, "current version: %d.%d\n",
|
||||
BPF_MAJOR_VERSION, BPF_MINOR_VERSION);
|
||||
return -1;
|
||||
}
|
||||
|
||||
(void) strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
|
||||
if (ioctl(fd, BIOCSETIF, &ifr) == -1)
|
||||
{
|
||||
fprintf(stderr, "%s(%d):", ifr.ifr_name, fd);
|
||||
perror("BIOCSETIF");
|
||||
exit(1);
|
||||
}
|
||||
/*
|
||||
* get kernel buffer size
|
||||
*/
|
||||
if (ioctl(fd, BIOCGBLEN, &bufsize) == -1)
|
||||
{
|
||||
perror("BIOCSBLEN");
|
||||
exit(-1);
|
||||
}
|
||||
buf = (u_char*)malloc(bufsize);
|
||||
/*
|
||||
* set the timeout
|
||||
*/
|
||||
timeout = tout;
|
||||
to.tv_sec = 1;
|
||||
to.tv_usec = 0;
|
||||
if (ioctl(fd, BIOCSRTIMEOUT, (caddr_t)&to) == -1)
|
||||
{
|
||||
perror("BIOCSRTIMEOUT");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
(void) ioctl(fd, BIOCFLUSH, 0);
|
||||
return fd;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* output an IP packet onto a fd opened for /dev/bpf
|
||||
*/
|
||||
int sendip(fd, pkt, len)
|
||||
int fd, len;
|
||||
char *pkt;
|
||||
{
|
||||
if (write(fd, pkt, len) == -1)
|
||||
{
|
||||
perror("send");
|
||||
return -1;
|
||||
}
|
||||
|
||||
return len;
|
||||
}
|
130
contrib/ipfilter/ipsend/sdlpi.c
Normal file
130
contrib/ipfilter/ipsend/sdlpi.c
Normal file
@ -0,0 +1,130 @@
|
||||
/*
|
||||
* (C)opyright October 1992 Darren Reed. (from tcplog)
|
||||
*
|
||||
* This software may be freely distributed as long as it is not altered
|
||||
* in any way and that this messagge always accompanies it.
|
||||
*
|
||||
* The author of this software makes no garuntee about the
|
||||
* performance of this package or its suitability to fulfill any purpose.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <ctype.h>
|
||||
#include <fcntl.h>
|
||||
#include <signal.h>
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/timeb.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/stropts.h>
|
||||
|
||||
#include <sys/pfmod.h>
|
||||
#include <sys/bufmod.h>
|
||||
#include <sys/dlpi.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/if_ether.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/udp_var.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
|
||||
#include "ip_compat.h"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char snitid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed";
|
||||
#endif
|
||||
|
||||
#define CHUNKSIZE 8192
|
||||
#define BUFSPACE (4*CHUNKSIZE)
|
||||
|
||||
|
||||
/*
|
||||
* Be careful to only include those defined in the flags option for the
|
||||
* interface are included in the header size.
|
||||
*/
|
||||
int initdevice(device, sport, tout)
|
||||
char *device;
|
||||
int sport, tout;
|
||||
{
|
||||
char devname[16], *s, buf[256];
|
||||
int i, fd;
|
||||
|
||||
(void) sprintf(devname, "/dev/%s", device);
|
||||
|
||||
s = devname + 5;
|
||||
while (*s && !isdigit(*s))
|
||||
s++;
|
||||
if (!*s)
|
||||
{
|
||||
fprintf(stderr, "bad device name %s\n", devname);
|
||||
exit(-1);
|
||||
}
|
||||
i = atoi(s);
|
||||
*s = '\0';
|
||||
/*
|
||||
* For writing
|
||||
*/
|
||||
if ((fd = open(devname, O_RDWR)) < 0)
|
||||
{
|
||||
fprintf(stderr, "O_RDWR(1) ");
|
||||
perror(devname);
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
if (dlattachreq(fd, i) == -1 || dlokack(fd, buf) == -1)
|
||||
{
|
||||
fprintf(stderr, "DLPI error\n");
|
||||
exit(-1);
|
||||
}
|
||||
dlbindreq(fd, ETHERTYPE_IP, 0, DL_CLDLS, 0, 0);
|
||||
dlbindack(fd, buf);
|
||||
/*
|
||||
* write full headers
|
||||
*/
|
||||
if (strioctl(fd, DLIOCRAW, -1, 0, NULL) == -1)
|
||||
{
|
||||
fprintf(stderr, "DLIOCRAW error\n");
|
||||
exit(-1);
|
||||
}
|
||||
return fd;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* output an IP packet onto a fd opened for /dev/nit
|
||||
*/
|
||||
int sendip(fd, pkt, len)
|
||||
int fd, len;
|
||||
char *pkt;
|
||||
{
|
||||
struct strbuf dbuf, *dp = &dbuf;
|
||||
|
||||
/*
|
||||
* construct NIT STREAMS messages, first control then data.
|
||||
*/
|
||||
dp->buf = pkt;
|
||||
dp->len = len;
|
||||
dp->maxlen = dp->len;
|
||||
|
||||
if (putmsg(fd, NULL, dp, 0) == -1)
|
||||
{
|
||||
perror("putmsg");
|
||||
return -1;
|
||||
}
|
||||
if (ioctl(fd, I_FLUSH, FLUSHW) == -1)
|
||||
{
|
||||
perror("I_FLUSHW");
|
||||
return -1;
|
||||
}
|
||||
return len;
|
||||
}
|
94
contrib/ipfilter/ipsend/slinux.c
Normal file
94
contrib/ipfilter/ipsend/slinux.c
Normal file
@ -0,0 +1,94 @@
|
||||
/*
|
||||
* (C)opyright October 1992 Darren Reed. (from tcplog)
|
||||
*
|
||||
* This software may be freely distributed as long as it is not altered
|
||||
* in any way and that this messagge always accompanies it.
|
||||
*
|
||||
* The author of this software makes no garuntee about the
|
||||
* performance of this package or its suitability to fulfill any purpose.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <netdb.h>
|
||||
#include <ctype.h>
|
||||
#include <signal.h>
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/timeb.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/dir.h>
|
||||
#include <linux/netdevice.h>
|
||||
#include <net/if.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include "ip_compat.h"
|
||||
#include "tcpip.h"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)slinux.c 1.2 8/25/95";
|
||||
#endif
|
||||
|
||||
#define CHUNKSIZE 8192
|
||||
#define BUFSPACE (4*CHUNKSIZE)
|
||||
|
||||
/*
|
||||
* Be careful to only include those defined in the flags option for the
|
||||
* interface are included in the header size.
|
||||
*/
|
||||
|
||||
static int timeout;
|
||||
static char *eth_dev = NULL;
|
||||
|
||||
|
||||
int initdevice(dev, sport, tout)
|
||||
char *dev;
|
||||
int sport, tout;
|
||||
{
|
||||
int fd;
|
||||
|
||||
eth_dev = strdup(dev);
|
||||
if ((fd = socket(AF_INET, SOCK_PACKET, htons(ETHERTYPE_IP))) == -1)
|
||||
{
|
||||
perror("socket(SOCK_PACKET)");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
return fd;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* output an IP packet onto a fd opened for /dev/nit
|
||||
*/
|
||||
int sendip(fd, pkt, len)
|
||||
int fd, len;
|
||||
char *pkt;
|
||||
{
|
||||
struct sockaddr s;
|
||||
struct ifreq ifr;
|
||||
|
||||
strncpy(ifr.ifr_name, eth_dev, sizeof(ifr.ifr_name));
|
||||
if (ioctl(fd, SIOCGIFHWADDR, &ifr) == -1)
|
||||
{
|
||||
perror("SIOCGIFHWADDR");
|
||||
return -1;
|
||||
}
|
||||
bcopy(ifr.ifr_hwaddr.sa_data, pkt + 6, 6);
|
||||
s.sa_family = ETHERTYPE_IP;
|
||||
strncpy(s.sa_data, eth_dev, sizeof(s.sa_data));
|
||||
|
||||
if (sendto(fd, pkt, len, 0, &s, sizeof(s)) == -1)
|
||||
{
|
||||
perror("send");
|
||||
return -1;
|
||||
}
|
||||
|
||||
return len;
|
||||
}
|
160
contrib/ipfilter/ipsend/snit.c
Normal file
160
contrib/ipfilter/ipsend/snit.c
Normal file
@ -0,0 +1,160 @@
|
||||
/*
|
||||
* (C)opyright October 1992 Darren Reed. (from tcplog)
|
||||
*
|
||||
* This software may be freely distributed as long as it is not altered
|
||||
* in any way and that this messagge always accompanies it.
|
||||
*
|
||||
* The author of this software makes no garuntee about the
|
||||
* performance of this package or its suitability to fulfill any purpose.
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <netdb.h>
|
||||
#include <ctype.h>
|
||||
#include <signal.h>
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/timeb.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <net/nit.h>
|
||||
#include <sys/fcntlcom.h>
|
||||
#include <sys/dir.h>
|
||||
#include <net/nit_if.h>
|
||||
#include <net/nit_pf.h>
|
||||
#include <net/nit_buf.h>
|
||||
#include <net/packetfilt.h>
|
||||
#include <sys/stropts.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/if_ether.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/udp_var.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char snitid[] = "@(#)snit.c 1.5 1/11/96 (C)1995 Darren Reed";
|
||||
#endif
|
||||
|
||||
#define CHUNKSIZE 8192
|
||||
#define BUFSPACE (4*CHUNKSIZE)
|
||||
|
||||
/*
|
||||
* Be careful to only include those defined in the flags option for the
|
||||
* interface are included in the header size.
|
||||
*/
|
||||
#define BUFHDR_SIZE (sizeof(struct nit_bufhdr))
|
||||
#define NIT_HDRSIZE (BUFHDR_SIZE)
|
||||
|
||||
static int timeout;
|
||||
|
||||
|
||||
int initdevice(device, sport, tout)
|
||||
char *device;
|
||||
int sport, tout;
|
||||
{
|
||||
struct strioctl si;
|
||||
struct timeval to;
|
||||
struct ifreq ifr;
|
||||
int fd;
|
||||
|
||||
if ((fd = open("/dev/nit", O_RDWR)) < 0)
|
||||
{
|
||||
perror("/dev/nit");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
/*
|
||||
* arrange to get messages from the NIT STREAM and use NIT_BUF option
|
||||
*/
|
||||
ioctl(fd, I_SRDOPT, (char*)RMSGD);
|
||||
ioctl(fd, I_PUSH, "nbuf");
|
||||
|
||||
/*
|
||||
* set the timeout
|
||||
*/
|
||||
timeout = tout;
|
||||
si.ic_timout = 1;
|
||||
to.tv_sec = 1;
|
||||
to.tv_usec = 0;
|
||||
si.ic_cmd = NIOCSTIME;
|
||||
si.ic_len = sizeof(to);
|
||||
si.ic_dp = (char*)&to;
|
||||
if (ioctl(fd, I_STR, (char*)&si) == -1)
|
||||
{
|
||||
perror("ioctl: NIT timeout");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
/*
|
||||
* request the interface
|
||||
*/
|
||||
strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
|
||||
ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = ' ';
|
||||
si.ic_cmd = NIOCBIND;
|
||||
si.ic_len = sizeof(ifr);
|
||||
si.ic_dp = (char*)𝔦
|
||||
if (ioctl(fd, I_STR, (char*)&si) == -1)
|
||||
{
|
||||
perror(ifr.ifr_name);
|
||||
exit(1);
|
||||
}
|
||||
return fd;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* output an IP packet onto a fd opened for /dev/nit
|
||||
*/
|
||||
int sendip(fd, pkt, len)
|
||||
int fd, len;
|
||||
char *pkt;
|
||||
{
|
||||
struct sockaddr sk, *sa = &sk;
|
||||
struct strbuf cbuf, *cp = &cbuf, dbuf, *dp = &dbuf;
|
||||
|
||||
/*
|
||||
* For ethernet, need at least 802.3 header and IP header.
|
||||
*/
|
||||
if (len < (sizeof(sa->sa_data) + sizeof(struct ip)))
|
||||
return -1;
|
||||
/*
|
||||
* to avoid any output processing for IP, say we're not.
|
||||
*/
|
||||
sa->sa_family = AF_UNSPEC;
|
||||
bcopy(pkt, sa->sa_data, sizeof(sa->sa_data));
|
||||
pkt += sizeof(sa->sa_data);
|
||||
len -= sizeof(sa->sa_data);
|
||||
|
||||
/*
|
||||
* construct NIT STREAMS messages, first control then data.
|
||||
*/
|
||||
cp->len = sizeof(*sa);
|
||||
cp->maxlen = sizeof(*sa);
|
||||
cp->buf = (char *)sa;
|
||||
|
||||
dp->buf = pkt;
|
||||
dp->len = len;
|
||||
dp->maxlen = dp->len;
|
||||
|
||||
if (putmsg(fd, cp, dp, 0) == -1)
|
||||
{
|
||||
perror("putmsg");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (ioctl(fd, I_FLUSH, FLUSHW) == -1)
|
||||
{
|
||||
perror("I_FLUSH");
|
||||
return -1;
|
||||
}
|
||||
return len;
|
||||
}
|
370
contrib/ipfilter/ipsend/sock.c
Normal file
370
contrib/ipfilter/ipsend/sock.c
Normal file
@ -0,0 +1,370 @@
|
||||
/*
|
||||
* sock.c (C) 1995 Darren Reed
|
||||
*
|
||||
* The author provides this program as-is, with no gaurantee for its
|
||||
* suitability for any specific purpose. The author takes no responsibility
|
||||
* for the misuse/abuse of this program and provides it for the sole purpose
|
||||
* of testing packet filter policies. This file maybe distributed freely
|
||||
* providing it is not modified and that this notice remains in tact.
|
||||
*/
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <stddef.h>
|
||||
#include <pwd.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include <sys/dir.h>
|
||||
#define _KERNEL
|
||||
#define KERNEL
|
||||
#include <sys/file.h>
|
||||
#undef _KERNEL
|
||||
#undef KERNEL
|
||||
#include <nlist.h>
|
||||
#include <sys/user.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/socketvar.h>
|
||||
#include <sys/proc.h>
|
||||
#include <kvm.h>
|
||||
#ifdef sun
|
||||
#include <sys/systm.h>
|
||||
#include <sys/session.h>
|
||||
#endif
|
||||
#if BSD >= 199103
|
||||
#include <sys/sysctl.h>
|
||||
#include <sys/filedesc.h>
|
||||
#include <paths.h>
|
||||
#endif
|
||||
#include <math.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <net/if.h>
|
||||
#include <net/route.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/in_pcb.h>
|
||||
#include <netinet/tcp_timer.h>
|
||||
#include <netinet/tcp_var.h>
|
||||
#include <netinet/tcpip.h>
|
||||
|
||||
int nproc;
|
||||
struct proc *proc;
|
||||
|
||||
extern int initdevice(), send_tcp();
|
||||
|
||||
#ifndef KMEM
|
||||
# ifdef _PATH_KMEM
|
||||
# define KMEM _PATH_KMEM
|
||||
# endif
|
||||
#endif
|
||||
#ifndef KERNEL
|
||||
# ifdef _PATH_UNIX
|
||||
# define KERNEL _PATH_UNIX
|
||||
# endif
|
||||
#endif
|
||||
#ifndef KMEM
|
||||
# define KMEM "/dev/kmem"
|
||||
#endif
|
||||
#ifndef KERNEL
|
||||
# define KERNEL "/vmunix"
|
||||
#endif
|
||||
|
||||
int kmemcpy(buf, pos, n)
|
||||
char *buf;
|
||||
off_t pos;
|
||||
int n;
|
||||
{
|
||||
static int kfd = -1;
|
||||
|
||||
if (kfd == -1)
|
||||
kfd = open(KMEM, O_RDONLY);
|
||||
|
||||
if (lseek(kfd, pos, SEEK_SET) == -1)
|
||||
{
|
||||
perror("lseek");
|
||||
return -1;
|
||||
}
|
||||
if (read(kfd, buf, n) == -1)
|
||||
{
|
||||
perror("read");
|
||||
return -1;
|
||||
}
|
||||
return n;
|
||||
}
|
||||
|
||||
struct nlist names[3] = {
|
||||
{ "_proc" },
|
||||
{ "_nproc" },
|
||||
{ NULL }
|
||||
};
|
||||
|
||||
#if BSD < 199103
|
||||
struct proc *getproc()
|
||||
{
|
||||
struct proc *p;
|
||||
pid_t pid = getpid();
|
||||
int siz, n;
|
||||
|
||||
n = nlist(KERNEL, names);
|
||||
if (n != 0)
|
||||
{
|
||||
fprintf(stderr, "nlist(%#x) == %d\n", names, n);
|
||||
return NULL;
|
||||
}
|
||||
if (kmemcpy((char *)&nproc, (off_t)names[1].n_value,
|
||||
sizeof(nproc)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read nproc (%#x)\n", names[1].n_value);
|
||||
return NULL;
|
||||
}
|
||||
siz = nproc * sizeof(struct proc);
|
||||
if (kmemcpy((char *)&p, (off_t)names[0].n_value, sizeof(p)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#x,%#x,%d) proc\n",
|
||||
names[0].n_value, &p, sizeof(p));
|
||||
return NULL;
|
||||
}
|
||||
proc = (struct proc *)malloc(siz);
|
||||
if (kmemcpy((char *)proc, (off_t)p, siz) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#x,%#x,%d) proc\n",
|
||||
p, proc, siz);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
p = proc;
|
||||
|
||||
for (n = nproc; n; n--, p++)
|
||||
if (p->p_pid == pid)
|
||||
break;
|
||||
if (!n)
|
||||
return NULL;
|
||||
|
||||
return p;
|
||||
}
|
||||
|
||||
|
||||
struct tcpcb *find_tcp(fd, ti)
|
||||
int fd;
|
||||
struct tcpiphdr *ti;
|
||||
{
|
||||
struct tcpcb *t;
|
||||
struct inpcb *i;
|
||||
struct socket *s;
|
||||
struct user *up;
|
||||
struct proc *p;
|
||||
struct file *f, **o;
|
||||
|
||||
if (!(p = getproc()))
|
||||
return NULL;
|
||||
|
||||
up = (struct user *)malloc(sizeof(*up));
|
||||
if (kmemcpy((char *)up, (off_t)p->p_uarea, sizeof(*up)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#x,%#x) failed\n", p, p->p_uarea);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
o = (struct file **)calloc(1, sizeof(*o) * (up->u_lastfile + 1));
|
||||
if (kmemcpy((char *)o, (off_t)up->u_ofile,
|
||||
(up->u_lastfile + 1) * sizeof(*o)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#x,%#x,%d) - u_ofile - failed\n",
|
||||
up->u_ofile_arr, o, sizeof(*o));
|
||||
return NULL;
|
||||
}
|
||||
f = (struct file *)calloc(1, sizeof(*f));
|
||||
if (kmemcpy((char *)f, (off_t)o[fd], sizeof(*f)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#x,%#x,%d) - o[fd] - failed\n",
|
||||
up->u_ofile_arr[fd], f, sizeof(*f));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
s = (struct socket *)calloc(1, sizeof(*s));
|
||||
if (kmemcpy((char *)s, (off_t)f->f_data, sizeof(*s)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#x,%#x,%d) - f_data - failed\n",
|
||||
o[fd], s, sizeof(*s));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
i = (struct inpcb *)calloc(1, sizeof(*i));
|
||||
if (kmemcpy((char *)i, (off_t)s->so_pcb, sizeof(*i)) == -1)
|
||||
{
|
||||
fprintf(stderr, "kvm_read(%#x,%#x,%d) - so_pcb - failed\n",
|
||||
s->so_pcb, i, sizeof(*i));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
t = (struct tcpcb *)calloc(1, sizeof(*t));
|
||||
if (kmemcpy((char *)t, (off_t)i->inp_ppcb, sizeof(*t)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#x,%#x,%d) - inp_ppcb - failed\n",
|
||||
i->inp_ppcb, t, sizeof(*t));
|
||||
return NULL;
|
||||
}
|
||||
return (struct tcpcb *)i->inp_ppcb;
|
||||
}
|
||||
#else
|
||||
struct kinfo_proc *getproc()
|
||||
{
|
||||
static struct kinfo_proc kp;
|
||||
pid_t pid = getpid();
|
||||
int n, mib[4];
|
||||
|
||||
mib[0] = CTL_KERN;
|
||||
mib[1] = KERN_PROC;
|
||||
mib[2] = KERN_PROC_PID;
|
||||
mib[3] = pid;
|
||||
|
||||
n = 1;
|
||||
if (sysctl(mib, 4, &kp, &n, NULL, 0) == -1)
|
||||
{
|
||||
perror("sysctl");
|
||||
return NULL;
|
||||
}
|
||||
return &kp;
|
||||
}
|
||||
|
||||
|
||||
struct tcpcb *find_tcp(tfd, ti)
|
||||
int tfd;
|
||||
struct tcpiphdr *ti;
|
||||
{
|
||||
struct tcpcb *t;
|
||||
struct inpcb *i;
|
||||
struct socket *s;
|
||||
struct filedesc *fd;
|
||||
struct kinfo_proc *p;
|
||||
struct file *f, **o;
|
||||
|
||||
if (!(p = getproc()))
|
||||
return NULL;
|
||||
|
||||
fd = (struct filedesc *)malloc(sizeof(*fd));
|
||||
if (kmemcpy((char *)fd, (void *)p->kp_proc.p_fd, sizeof(*fd)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#lx,%#lx) failed\n",
|
||||
(u_long)p, (u_long)p->kp_proc.p_fd);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
o = (struct file **)calloc(1, sizeof(*o) * (fd->fd_lastfile + 1));
|
||||
if (kmemcpy((char *)o, (void *)fd->fd_ofiles,
|
||||
(fd->fd_lastfile + 1) * sizeof(*o)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#lx,%#lx,%d) - u_ofile - failed\n",
|
||||
(u_long)fd->fd_ofiles, (u_long)o, sizeof(*o));
|
||||
return NULL;
|
||||
}
|
||||
f = (struct file *)calloc(1, sizeof(*f));
|
||||
if (kmemcpy((char *)f, (void *)o[tfd], sizeof(*f)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#lx,%#lx,%d) - o[tfd] - failed\n",
|
||||
(u_long)o[tfd], (u_long)f, sizeof(*f));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
s = (struct socket *)calloc(1, sizeof(*s));
|
||||
if (kmemcpy((char *)s, (void *)f->f_data, sizeof(*s)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#lx,%#lx,%d) - f_data - failed\n",
|
||||
(u_long)f->f_data, (u_long)s, sizeof(*s));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
i = (struct inpcb *)calloc(1, sizeof(*i));
|
||||
if (kmemcpy((char *)i, (void *)s->so_pcb, sizeof(*i)) == -1)
|
||||
{
|
||||
fprintf(stderr, "kvm_read(%#lx,%#lx,%d) - so_pcb - failed\n",
|
||||
(u_long)s->so_pcb, (u_long)i, sizeof(*i));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
t = (struct tcpcb *)calloc(1, sizeof(*t));
|
||||
if (kmemcpy((char *)t, (void *)i->inp_ppcb, sizeof(*t)) == -1)
|
||||
{
|
||||
fprintf(stderr, "read(%#lx,%#lx,%d) - inp_ppcb - failed\n",
|
||||
(u_long)i->inp_ppcb, (u_long)t, sizeof(*t));
|
||||
return NULL;
|
||||
}
|
||||
return (struct tcpcb *)i->inp_ppcb;
|
||||
}
|
||||
#endif /* BSD < 199301 */
|
||||
|
||||
int do_socket(dev, mtu, ti, gwip, flags)
|
||||
char *dev;
|
||||
int mtu;
|
||||
struct tcpiphdr *ti;
|
||||
struct in_addr gwip;
|
||||
int flags;
|
||||
{
|
||||
struct sockaddr_in rsin, lsin;
|
||||
struct tcpcb *t, tcb;
|
||||
int fd, nfd, len;
|
||||
|
||||
printf("Dest. Port: %d\n", ti->ti_dport);
|
||||
|
||||
fd = socket(AF_INET, SOCK_STREAM, 0);
|
||||
if (fd == -1)
|
||||
{
|
||||
perror("socket");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (fcntl(fd, F_SETFL, FNDELAY) == -1)
|
||||
{
|
||||
perror("fcntl");
|
||||
return -1;
|
||||
}
|
||||
|
||||
bzero((char *)&lsin, sizeof(lsin));
|
||||
lsin.sin_family = AF_INET;
|
||||
bcopy((char *)&ti->ti_src, (char *)&lsin.sin_addr,
|
||||
sizeof(struct in_addr));
|
||||
if (bind(fd, (struct sockaddr *)&lsin, sizeof(lsin)) == -1)
|
||||
{
|
||||
perror("bind");
|
||||
return -1;
|
||||
}
|
||||
len = sizeof(lsin);
|
||||
(void) getsockname(fd, (struct sockaddr *)&lsin, &len);
|
||||
ti->ti_sport = lsin.sin_port;
|
||||
printf("sport %d\n", ntohs(lsin.sin_port));
|
||||
nfd = initdevice(dev, ntohs(lsin.sin_port));
|
||||
|
||||
if (!(t = find_tcp(fd, ti)))
|
||||
return -1;
|
||||
|
||||
bzero((char *)&rsin, sizeof(rsin));
|
||||
rsin.sin_family = AF_INET;
|
||||
bcopy((char *)&ti->ti_dst, (char *)&rsin.sin_addr,
|
||||
sizeof(struct in_addr));
|
||||
rsin.sin_port = ti->ti_dport;
|
||||
if (connect(fd, (struct sockaddr *)&rsin, sizeof(rsin)) == -1 &&
|
||||
errno != EINPROGRESS)
|
||||
{
|
||||
perror("connect");
|
||||
return -1;
|
||||
}
|
||||
kmemcpy((char*)&tcb, (void *)t, sizeof(tcb));
|
||||
ti->ti_win = tcb.rcv_adv;
|
||||
ti->ti_seq = tcb.snd_nxt - 1;
|
||||
ti->ti_ack = tcb.rcv_nxt;
|
||||
|
||||
if (send_tcp(nfd, mtu, ti, gwip, TH_SYN) == -1)
|
||||
return -1;
|
||||
(void)write(fd, "Hello World\n", 12);
|
||||
sleep(2);
|
||||
close(fd);
|
||||
return 0;
|
||||
}
|
38
contrib/ipfilter/ipsend/tcpip.h
Normal file
38
contrib/ipfilter/ipsend/tcpip.h
Normal file
@ -0,0 +1,38 @@
|
||||
/* @(#)tcpip.h 1.7 88/08/19 SMI; from UCB 7.1 6/5/85 */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1982, 1986 Regents of the University of California.
|
||||
* All rights reserved. The Berkeley software License Agreement
|
||||
* specifies the terms and conditions for redistribution.
|
||||
*/
|
||||
|
||||
/*
|
||||
* Tcp+ip header, after ip options removed.
|
||||
*/
|
||||
|
||||
#ifndef _netinet_tcpip_h
|
||||
#define _netinet_tcpip_h
|
||||
|
||||
struct tcpiphdr {
|
||||
struct ipovly ti_i; /* overlaid ip structure */
|
||||
tcphdr_t ti_t; /* tcp header */
|
||||
};
|
||||
#define ti_next ti_i.ih_next
|
||||
#define ti_prev ti_i.ih_prev
|
||||
#define ti_x1 ti_i.ih_x1
|
||||
#define ti_pr ti_i.ih_pr
|
||||
#define ti_len ti_i.ih_len
|
||||
#define ti_src ti_i.ih_src
|
||||
#define ti_dst ti_i.ih_dst
|
||||
#define ti_sport ti_t.th_sport
|
||||
#define ti_dport ti_t.th_dport
|
||||
#define ti_seq ti_t.th_seq
|
||||
#define ti_ack ti_t.th_ack
|
||||
#define ti_x2 ti_t.th_x2
|
||||
#define ti_off ti_t.th_off
|
||||
#define ti_flags ti_t.th_flags
|
||||
#define ti_win ti_t.th_win
|
||||
#define ti_sum ti_t.th_sum
|
||||
#define ti_urp ti_t.th_urp
|
||||
|
||||
#endif /*!_netinet_tcpip_h*/
|
199
contrib/ipfilter/ipt.c
Normal file
199
contrib/ipfilter/ipt.c
Normal file
@ -0,0 +1,199 @@
|
||||
/*
|
||||
* (C)opyright 1993-1996 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <assert.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
#include <strings.h>
|
||||
#else
|
||||
#include <sys/byteorder.h>
|
||||
#endif
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <net/if.h>
|
||||
#include "ip_fil.h"
|
||||
#include <netdb.h>
|
||||
#include <arpa/nameser.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <resolv.h>
|
||||
#include "ipf.h"
|
||||
#include "ipt.h"
|
||||
#include <ctype.h>
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed";
|
||||
static char rcsid[] = "$Id: ipt.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
extern int fr_check();
|
||||
extern char *optarg;
|
||||
extern struct frentry *ipfilter[2][2];
|
||||
extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex;
|
||||
extern void debug(), verbose();
|
||||
|
||||
struct frentry *ft_in = NULL, *ft_out = NULL;
|
||||
|
||||
int opts = 0;
|
||||
|
||||
int main(argc,argv)
|
||||
int argc;
|
||||
char *argv[];
|
||||
{
|
||||
struct ipread *r = &iptext;
|
||||
struct frentry *f;
|
||||
struct ip *ip;
|
||||
u_long buf[64];
|
||||
char c;
|
||||
char *rules = NULL, *datain = NULL, *iface = NULL;
|
||||
int fd, i, dir = 0;
|
||||
|
||||
while ((c = getopt(argc, argv, "bdEHi:I:Pr:STvX")) != -1)
|
||||
switch (c)
|
||||
{
|
||||
case 'b' :
|
||||
opts |= OPT_BRIEF;
|
||||
break;
|
||||
case 'd' :
|
||||
opts |= OPT_DEBUG;
|
||||
break;
|
||||
case 'i' :
|
||||
datain = optarg;
|
||||
break;
|
||||
case 'I' :
|
||||
iface = optarg;
|
||||
break;
|
||||
case 'r' :
|
||||
rules = optarg;
|
||||
break;
|
||||
case 'v' :
|
||||
opts |= OPT_VERBOSE;
|
||||
break;
|
||||
case 'E' :
|
||||
r = ðerf;
|
||||
break;
|
||||
case 'H' :
|
||||
r = &iphex;
|
||||
break;
|
||||
case 'P' :
|
||||
r = &pcap;
|
||||
break;
|
||||
case 'S' :
|
||||
r = &snoop;
|
||||
break;
|
||||
case 'T' :
|
||||
r = &tcpd;
|
||||
break;
|
||||
case 'X' :
|
||||
r = &iptext;
|
||||
break;
|
||||
}
|
||||
|
||||
if (!rules) {
|
||||
(void)fprintf(stderr,"no rule file present\n");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
initparse();
|
||||
|
||||
if (rules) {
|
||||
struct frentry *fr;
|
||||
char line[513], *s;
|
||||
FILE *fp;
|
||||
|
||||
if (!strcmp(rules, "-"))
|
||||
fp = stdin;
|
||||
else if (!(fp = fopen(rules, "r"))) {
|
||||
(void)fprintf(stderr, "couldn't open %s\n", rules);
|
||||
exit(-1);
|
||||
}
|
||||
if (!(opts & OPT_BRIEF))
|
||||
(void)printf("opening rule file \"%s\"\n", rules);
|
||||
while (fgets(line, sizeof(line)-1, fp)) {
|
||||
/*
|
||||
* treat both CR and LF as EOL
|
||||
*/
|
||||
if ((s = index(line, '\n')))
|
||||
*s = '\0';
|
||||
if ((s = index(line, '\r')))
|
||||
*s = '\0';
|
||||
/*
|
||||
* # is comment marker, everything after is a ignored
|
||||
*/
|
||||
if ((s = index(line, '#')))
|
||||
*s = '\0';
|
||||
|
||||
if (!*line)
|
||||
continue;
|
||||
|
||||
if (!(fr = parse(line)))
|
||||
continue;
|
||||
f = (struct frentry *)malloc(sizeof(*f));
|
||||
if (fr->fr_flags & FR_INQUE) {
|
||||
if (!ft_in)
|
||||
ft_in = ipfilter[0][0] = f;
|
||||
else
|
||||
ft_in->fr_next = f, ft_in = f;
|
||||
} else if (fr->fr_flags & FR_OUTQUE) {
|
||||
if (!ft_out)
|
||||
ft_out = ipfilter[1][0] = f;
|
||||
else
|
||||
ft_out->fr_next = f, ft_out = f;
|
||||
}
|
||||
bcopy((char *)fr, (char *)f, sizeof(*fr));
|
||||
}
|
||||
(void)fclose(fp);
|
||||
}
|
||||
|
||||
if (datain)
|
||||
fd = (*r->r_open)(datain);
|
||||
else
|
||||
fd = (*r->r_open)("-");
|
||||
|
||||
if (fd < 0)
|
||||
exit(-1);
|
||||
|
||||
ip = (struct ip *)buf;
|
||||
while ((i = (*r->r_readip)(buf, sizeof(buf), &iface, &dir)) > 0) {
|
||||
ip->ip_off = ntohs(ip->ip_off);
|
||||
ip->ip_len = ntohs(ip->ip_len);
|
||||
switch (fr_check(ip, ip->ip_hl << 2, iface, dir))
|
||||
{
|
||||
case -1 :
|
||||
(void)printf("block");
|
||||
break;
|
||||
case 0 :
|
||||
(void)printf("pass");
|
||||
break;
|
||||
case 1 :
|
||||
(void)printf("nomatch");
|
||||
break;
|
||||
}
|
||||
if (!(opts & OPT_BRIEF)) {
|
||||
putchar(' ');
|
||||
printpacket(buf);
|
||||
printf("--------------");
|
||||
}
|
||||
putchar('\n');
|
||||
dir = 0;
|
||||
}
|
||||
(*r->r_close)();
|
||||
return 0;
|
||||
}
|
16
contrib/ipfilter/ipt.h
Normal file
16
contrib/ipfilter/ipt.h
Normal file
@ -0,0 +1,16 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
* $Id: ipt.h,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $
|
||||
*/
|
||||
|
||||
#include <fcntl.h>
|
||||
|
||||
struct ipread {
|
||||
int (*r_open)();
|
||||
int (*r_close)();
|
||||
int (*r_readip)();
|
||||
};
|
68
contrib/ipfilter/kmem.c
Normal file
68
contrib/ipfilter/kmem.c
Normal file
@ -0,0 +1,68 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
/*
|
||||
* kmemcpy() - copies n bytes from kernel memory into user buffer.
|
||||
* returns 0 on success, -1 on error.
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/uio.h>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <sys/file.h>
|
||||
|
||||
#define KMEM "/dev/kmem"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
|
||||
static char rcsid[] = "$Id: kmem.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
static int kmemfd = -1;
|
||||
|
||||
int openkmem()
|
||||
{
|
||||
if ((kmemfd = open(KMEM,O_RDONLY)) == -1)
|
||||
{
|
||||
perror("kmeminit:open");
|
||||
return -1;
|
||||
}
|
||||
return kmemfd;
|
||||
}
|
||||
|
||||
int kmemcpy(buf, pos, n)
|
||||
register char *buf;
|
||||
long pos;
|
||||
register int n;
|
||||
{
|
||||
register int r;
|
||||
|
||||
if (!n)
|
||||
return 0;
|
||||
if (kmemfd == -1)
|
||||
if (openkmem() == -1)
|
||||
return -1;
|
||||
if (lseek(kmemfd, pos, 0) == -1)
|
||||
{
|
||||
perror("kmemcpy:lseek");
|
||||
return -1;
|
||||
}
|
||||
while ((r = read(kmemfd, buf, n)) < n)
|
||||
if (r <= 0)
|
||||
{
|
||||
perror("kmemcpy:read");
|
||||
return -1;
|
||||
}
|
||||
else
|
||||
{
|
||||
buf += r;
|
||||
n -= r;
|
||||
}
|
||||
return 0;
|
||||
}
|
12
contrib/ipfilter/kmem.h
Normal file
12
contrib/ipfilter/kmem.h
Normal file
@ -0,0 +1,12 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
* $Id: kmem.h,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $
|
||||
*/
|
||||
|
||||
extern int openkmem();
|
||||
extern int kmemcpy();
|
||||
|
19
contrib/ipfilter/linux.h
Normal file
19
contrib/ipfilter/linux.h
Normal file
@ -0,0 +1,19 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors. The author accepts no
|
||||
* responsibility and is not changed in any way.
|
||||
*
|
||||
* I hate legaleese, don't you ?
|
||||
* $Id: linux.h,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $
|
||||
*/
|
||||
|
||||
#include <linux/config.h>
|
||||
#ifdef MODULE
|
||||
#include <linux/module.h>
|
||||
#include <linux/version.h>
|
||||
#endif /* MODULE */
|
||||
|
||||
#include "ip_compat.h"
|
21
contrib/ipfilter/man/Makefile
Normal file
21
contrib/ipfilter/man/Makefile
Normal file
@ -0,0 +1,21 @@
|
||||
#
|
||||
# (C)opyright 1993, 1994, 1995 by Darren Reed.
|
||||
#
|
||||
# This code may be freely distributed as long as it retains this notice
|
||||
# and is not changed in any way. The author accepts no responsibility
|
||||
# for the use of this software. I hate legaleese, don't you ?
|
||||
|
||||
all:
|
||||
|
||||
install:
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipf.1 $(MANDIR)/man1
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipftest.1 $(MANDIR)/man1
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipnat.1 $(MANDIR)/man1
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipf.4 $(MANDIR)/man4
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipl.4 $(MANDIR)/man4
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipnat.4 $(MANDIR)/man4
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipf.5 $(MANDIR)/man5
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipnat.5 $(MANDIR)/man5
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipmon.8 $(MANDIR)/man8
|
||||
$(INSTALL) -m 0644 -c -o root -g bin ipfstat.8 $(MANDIR)/man8
|
||||
@echo "Remember to rebuild the whatis database."
|
109
contrib/ipfilter/man/ipf.1
Normal file
109
contrib/ipfilter/man/ipf.1
Normal file
@ -0,0 +1,109 @@
|
||||
.TH IPF 1
|
||||
.SH NAME
|
||||
ipf \- alters packet filtering lists for IP packet input and ouput
|
||||
.SH SYNOPSIS
|
||||
.B ipf
|
||||
[
|
||||
.B \-AdDEInorsUvyzZ
|
||||
] [
|
||||
.B \-l
|
||||
<block|pass|nomatch>
|
||||
] [
|
||||
.B \-F
|
||||
<i|o|a>
|
||||
]
|
||||
.B \-f
|
||||
<\fIfilename\fP>
|
||||
[
|
||||
.B \-f
|
||||
<\fIfilename\fP>
|
||||
[...]]
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
\fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the
|
||||
file for a set of rules which are to be added or removed from the packet
|
||||
filter rule set.
|
||||
.PP
|
||||
Each rule processed by \fBipf\fP
|
||||
is added to the kernel's internal lists if there are no parsing problems.
|
||||
Rules are added to the end of the internal lists, matching the order in
|
||||
which they appear when given to \fBipf\fP.
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
.B \-A
|
||||
Set the list to make changes to the active list (default).
|
||||
.TP
|
||||
.B \-d
|
||||
Turn debug mode on. Causes a hexdump of filter rules to be generated as
|
||||
it processes each one.
|
||||
.TP
|
||||
.B \-D
|
||||
Disable the filter (if enabled). Not effective for loadable kernel versions.
|
||||
.TP
|
||||
.B \-E
|
||||
Enable the filter (if disabled). Not effective for loadable kernel versions.
|
||||
.TP
|
||||
.BR \-F \0<param>
|
||||
This option specifies which filter list to flush. The parameter should
|
||||
either be "i" (input), "o" (output) or "a" (remove all filter rules).
|
||||
Either a single letter or an entire word starting with the appropriate
|
||||
letter maybe used. This option maybe before, or after, any other with
|
||||
the order on the command line being that used to execute options.
|
||||
.TP
|
||||
.BR \-f \0<filename>
|
||||
This option specifies which files
|
||||
\fBipf\fP should use to get input from for modifying the packet filter rule
|
||||
lists.
|
||||
.TP
|
||||
.B \-I
|
||||
Set the list to make changes to the inactive list.
|
||||
.TP
|
||||
.B \-l \0<param>
|
||||
Use of the \fB-l\fP flag toggles default logging of packets. Valid
|
||||
arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
|
||||
When an option is set, any packet which exits filtering and matches the
|
||||
set category is logged. This is most useful for causing all packets
|
||||
which don't match any of the loaded rules to be logged.
|
||||
.TP
|
||||
.B \-n
|
||||
This flag (no-change) prevents \fBipf\fP from actually making any ioctl
|
||||
calls or doing anything which would alter the currently running kernel.
|
||||
.TP
|
||||
.B \-o
|
||||
Force rules by default to be added/deleted to/from the output list, rather
|
||||
than the (default) input list.
|
||||
.TP
|
||||
.B \-r
|
||||
Remove matching filter rules rather than add them to the internal lists
|
||||
.TP
|
||||
.B \-s
|
||||
Swap the active filter list in use to be the "other" one.
|
||||
.TP
|
||||
.B \-U
|
||||
(SOLARIS 2 ONLY) Block packets travelling along the data stream which aren't
|
||||
recognised as IP packets. They will be printed out on the console.
|
||||
.TP
|
||||
.B \-v
|
||||
Turn verbose mode on. Displays information relating to rule processing.
|
||||
.TP
|
||||
.B \-y
|
||||
(SOLARIS 2 ONLY) Manually resync the in-kernel interface list maintained
|
||||
by IP Filter with the current interface status list.
|
||||
.TP
|
||||
.B \-z
|
||||
For each rule in the input file, reset the statistics for it to zero and
|
||||
display the statistics prior to them being zero'd.
|
||||
.TP
|
||||
.B \-Z
|
||||
Zero global statistics held in the kernel for filtering only (this doesn't
|
||||
affect fragment or state statistics).
|
||||
.DT
|
||||
.SH SEE ALSO
|
||||
ipfstat(1), ipftest(1), ipf(5)
|
||||
.SH DIAGNOSTICS
|
||||
.PP
|
||||
Needs to be run as root for the packet filtering lists to actually
|
||||
be affected inside the kernel.
|
||||
.SH BUGS
|
||||
.PP
|
||||
If you find any, please send email to me at darrenr@cyber.com.au
|
184
contrib/ipfilter/man/ipf.4
Normal file
184
contrib/ipfilter/man/ipf.4
Normal file
@ -0,0 +1,184 @@
|
||||
.TH IPF 4
|
||||
.SH NAME
|
||||
ipf \- packet filtering kernel interface
|
||||
.SH SYNOPSIS
|
||||
#include <sys/ip_fil.h>
|
||||
.SH IOCTLS
|
||||
.PP
|
||||
To add and delete rules to the filter list, three 'basic' ioctls are provided
|
||||
for use. The ioctl's are called as:
|
||||
.LP
|
||||
.nf
|
||||
ioctl(fd, SIOCADDFR, struct frentry *)
|
||||
ioctl(fd, SIOCDELFR, struct frentry *)
|
||||
ioctl(fd, SIOCIPFFL, int *)
|
||||
.fi
|
||||
.PP
|
||||
However, the full complement is as follows:
|
||||
.LP
|
||||
.nf
|
||||
ioctl(fd, SIOCADAFR, struct frentry *) (same as SUICADDFR)
|
||||
ioctl(fd, SIOCRMAFR, struct frentry *) (same as SUICDELFR)
|
||||
ioctl(fd, SIOCADIFR, struct frentry *)
|
||||
ioctl(fd, SIOCRMIFR, struct frentry *)
|
||||
ioctl(fd, SIOCINAFR, struct frentry *)
|
||||
ioctl(fd, SIOCINIFR, struct frentry *)
|
||||
ioctl(fd, SIOCIPFFL, int *)
|
||||
.fi
|
||||
.PP
|
||||
The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists,
|
||||
active and inactive, respectively. All of these ioctl's are implemented
|
||||
as being routing ioctls and thus the same rules for the various routing
|
||||
ioctls and the file descriptor are employed, mainly being that the fd must
|
||||
be that of the device associated with the module (i.e., /dev/ipl).
|
||||
.LP
|
||||
.PP
|
||||
The three groups of ioctls above perform adding rules to the end of the
|
||||
list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
|
||||
and insertion of a rule into the list (SIOCIN*). The rule place into
|
||||
which it is inserted is stored in the "fr_hits" field, below.
|
||||
.LP
|
||||
.nf
|
||||
typedef struct frentry {
|
||||
struct frentry *fr_next;
|
||||
struct ifnet *fr_ifa;
|
||||
u_long fr_hits;
|
||||
u_long fr_bytes; /* this is only incremented when a packet */
|
||||
/* stops matching on this rule */
|
||||
/*
|
||||
* Fields after this may not change whilst in the kernel.
|
||||
*/
|
||||
struct fr_ip fr_ip;
|
||||
struct fr_ip fr_mip;
|
||||
|
||||
u_char fr_tcpfm; /* tcp flags mask */
|
||||
u_char fr_tcpf; /* tcp flags */
|
||||
|
||||
u_short fr_icmpm; /* data for ICMP packets (mask) */
|
||||
u_short fr_icmp;
|
||||
|
||||
u_char fr_scmp; /* data for port comparisons */
|
||||
u_char fr_dcmp;
|
||||
u_short fr_dport;
|
||||
u_short fr_sport;
|
||||
u_short fr_stop; /* top port for <> and >< */
|
||||
u_short fr_dtop; /* top port for <> and >< */
|
||||
u_long fr_flags; /* per-rule flags && options (see below) */
|
||||
int (*fr_func)(); /* call this function */
|
||||
char fr_icode; /* return ICMP code */
|
||||
char fr_ifname[IFNAMSIZ];
|
||||
struct frdest fr_tif; /* "to" interface */
|
||||
struct frdest fr_dif; /* duplicate packet interfaces */
|
||||
} frentry_t;
|
||||
.fi
|
||||
.PP
|
||||
When adding a new rule, all unused fields (in the filter rule) should be
|
||||
initialised to be zero. To insert a rule, at a particular position in the
|
||||
filter list, the number of the rule which it is to be inserted before must
|
||||
be put in the "fr_hits" field (the first rule is number 0).
|
||||
.LP
|
||||
.PP
|
||||
Flags which are recognised in fr_pass:
|
||||
.nf
|
||||
|
||||
FR_BLOCK 0x00001 /* do not allow packet to pass */
|
||||
FR_PASS 0x00002 /* allow packet to pass */
|
||||
FR_OUTQUE 0x00004 /* outgoing packets */
|
||||
FR_INQUE 0x00008 /* ingoing packets */
|
||||
FR_LOG 0x00010 /* Log */
|
||||
FR_LOGP 0x00011 /* Log-pass */
|
||||
FR_LOGB 0x00012 /* Log-fail */
|
||||
FR_LOGBODY 0x00020 /* log the body of packets too */
|
||||
FR_LOGFIRST 0x00040 /* log only the first packet to match */
|
||||
FR_RETRST 0x00080 /* return a TCP RST packet if blocked */
|
||||
FR_RETICMP 0x00100 /* return an ICMP packet if blocked */
|
||||
FR_NOMATCH 0x00200 /* no match occured */
|
||||
FR_ACCOUNT 0x00400 /* count packet bytes */
|
||||
FR_KEEPFRAG 0x00800
|
||||
FR_KEEPSTATE 0x01000 /* keep packet flow state information */
|
||||
FR_INACTIVE 0x02000
|
||||
FR_QUICK 0x04000 /* quick-match and return */
|
||||
FR_FASTROUTE 0x08000
|
||||
FR_CALLFUNC 0x10000
|
||||
FR_CALLNOW 0x20000
|
||||
FR_DUP 0x40000 /* duplicate the packet (not Solaris2)
|
||||
|
||||
.fi
|
||||
.PP
|
||||
Values for fr_scomp and fr_dcomp (source and destination port value
|
||||
comparisons) :
|
||||
.LP
|
||||
.nf
|
||||
FR_NONE 0
|
||||
FR_EQUAL 1
|
||||
FR_NEQUAL 2
|
||||
FR_LESST 3
|
||||
FR_GREATERT 4
|
||||
FR_LESSTE 5
|
||||
FR_GREATERTE 6
|
||||
FR_OUTRANGE 7
|
||||
FR_INRANGE 8
|
||||
.fi
|
||||
.PP
|
||||
The third ioctl, SIOCIPFFL, flushes either the input filter list, the
|
||||
output filter list or both and it returns the number of filters removed
|
||||
from the list(s). The values which it will take and recognise are FR_INQUE
|
||||
and FR_OUTQUE (see above).
|
||||
|
||||
\fBGeneral Logging Flags\fP
|
||||
There are two flags which can be set to log packets independantly of the
|
||||
rules used. These allow for packets which are either passed or blocked
|
||||
to be logged. To set (and clear)/get these flags, two ioctls are
|
||||
provided:
|
||||
.IP SIOCSETFF 16
|
||||
Takes an unsigned integer as the parameter. The flags are then set to
|
||||
those provided (clearing/setting all in one).
|
||||
.nf
|
||||
|
||||
FF_LOGPASS 1
|
||||
FF_LOGBLOCK 2
|
||||
.fi
|
||||
.IP SIOCGETFF 16
|
||||
Takes a pointer to an unsigned integer as the parameter. A copy of the
|
||||
flags currently in used is copied to user space.
|
||||
.LP
|
||||
\fBFilter statistics\fP
|
||||
Statistics on the various operations performed by this package on packets
|
||||
is kept inside the kernel. These statistics apply to packets traversing
|
||||
through the kernel. To retrieve this structure, use this ioctl:
|
||||
.nf
|
||||
|
||||
ioctl(fd, SIOCGETFS, struct friostat *)
|
||||
|
||||
struct friostat {
|
||||
struct filterstats f_st[2];
|
||||
struct frentry *f_fin;
|
||||
struct frentry *f_fout;
|
||||
};
|
||||
|
||||
struct filterstats {
|
||||
u_long fr_pass; /* packets allowed */
|
||||
u_long fr_block; /* packets denied */
|
||||
u_long fr_nom; /* packets which don't match any rule */
|
||||
u_long fr_ppkl; /* packets allowed and logged */
|
||||
u_long fr_bpkl; /* packets denied and logged */
|
||||
u_long fr_npkl; /* packets unmatched and logged */
|
||||
u_long fr_pkl; /* packets logged */
|
||||
u_long fr_skip; /* packets to be logged but buffer full */
|
||||
u_long fr_ret; /* packets for which a return is sent */
|
||||
u_long fr_acct; /* packets for which counting was performed */
|
||||
u_long fr_bnfr; /* bad attempts to allocate fragment state */
|
||||
u_long fr_nfr; /* new fragment state kept */
|
||||
u_long fr_cfr; /* add new fragment state but complete pkt */
|
||||
u_long fr_bads; /* bad attempts to allocate packet state */
|
||||
u_long fr_ads; /* new packet state kept */
|
||||
u_long fr_chit; /* cached hit */
|
||||
#if SOLARIS
|
||||
u_long fr_bad; /* bad IP packets to the filter */
|
||||
u_long fr_notip; /* packets passed through no on ip queue */
|
||||
u_long fr_drop; /* packets dropped - no info for them! */
|
||||
#endif
|
||||
};
|
||||
.fi
|
||||
.SH SEE ALSO
|
||||
ipfstat(1), ipf(1), ipf(5)
|
433
contrib/ipfilter/man/ipf.5
Normal file
433
contrib/ipfilter/man/ipf.5
Normal file
@ -0,0 +1,433 @@
|
||||
.TH IPF 5
|
||||
.SH NAME
|
||||
ipf \- IP packet filter rule syntax
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
A rule file for \fBipf\fP may have any name or even be stdin. As
|
||||
\fBipfstat\fP produces parseable rules as output when displaying the internal
|
||||
kernel filter lists, it is quite plausible to use its output to feed back
|
||||
into \fBipf\fP. Thus, to remove all filters on input packets, the following
|
||||
could be done:
|
||||
.nf
|
||||
|
||||
\fC# ipfstat \-i | ipf \-rf \-\fP
|
||||
.fi
|
||||
.SH GRAMMAR
|
||||
.PP
|
||||
The format used by \fBipf\fP for construction of filtering rules can be
|
||||
described using the following grammar in BNF:
|
||||
\fC
|
||||
.nf
|
||||
filter-rule = [ insert ] action in-out [ options ] [ match ] [ keep ]
|
||||
|
||||
insert = "@" decnumber .
|
||||
action = block | "pass" | log | "count" | call .
|
||||
in-out = "in" | "out" .
|
||||
options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
|
||||
match = [ tos ] [ ttl ] [ proto ] [ ip ] .
|
||||
keep = "keep state" | "keep frags" .
|
||||
|
||||
block = "block" [ "return-icmp"[return-code] | "return-rst" ] .
|
||||
log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
|
||||
call = "call" [ "now" ] function-name .
|
||||
|
||||
dup = "dup-to" interface-name[":"ipaddr] .
|
||||
froute = "fastroute" | "to" interface-name .
|
||||
|
||||
tos = "tos" decnumber | "tos" hexnumber .
|
||||
ttl = "ttl" decnumber .
|
||||
proto = "proto" protocol .
|
||||
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
|
||||
|
||||
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
|
||||
srcdst = "all" | fromto .
|
||||
fromto = "from" object "to" object .
|
||||
|
||||
object = addr [ port-comp | port-range ] .
|
||||
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
|
||||
port-comp = "port" compare port-num .
|
||||
port-range = "port" port-num range port-num .
|
||||
|
||||
flags = "flags" flag { flag } [ "/" flag { flag } ] .
|
||||
with = "with" | "and" .
|
||||
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
|
||||
return-code = "("icmp-code")" .
|
||||
|
||||
nummask = host-name [ "/" decnumber ] .
|
||||
host-name = ipaddr | hostname | "any" .
|
||||
ipaddr = host-num "." host-num "." host-num "." host-num .
|
||||
host-num = digit [ digit [ digit ] ] .
|
||||
port-num = service-name | decnumber .
|
||||
|
||||
withopt = [ "not" | "no" ] opttype [ withopt ] .
|
||||
opttype = "ipopts" | "short" | "frag" | "opt" ipopts .
|
||||
optname = ipopts [ "," optname ] .
|
||||
ipopts = optlist | "sec-class" [ secname ] .
|
||||
secname = seclvl [ "," secname ] .
|
||||
seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
|
||||
"reserv-4" | "secret" | "topsecret" .
|
||||
icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
|
||||
"timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
|
||||
"inforep" | "maskreq" | "maskrep" | decnumber .
|
||||
icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
|
||||
"needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
|
||||
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
|
||||
optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
|
||||
"sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
|
||||
"visa" | "imitd" | "eip" | "finn" .
|
||||
|
||||
hexnumber = "0" "x" hexstring .
|
||||
hexstring = hexdigit [ hexstring ] .
|
||||
decnumber = digit [ decnumber ] .
|
||||
|
||||
compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
|
||||
"le" | "ge" .
|
||||
range = "<>" | "><" .
|
||||
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
|
||||
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
|
||||
flag = "F" | "S" | "R" | "P" | "A" | "U" .
|
||||
.fi
|
||||
.PP
|
||||
This syntax is somewhat simplified for readability, some combinations
|
||||
that match this grammar are disallowed by the software because they do
|
||||
not make sense (such as tcp \fBflags\fP for non-TCP packets).
|
||||
.SH FILTER RULES
|
||||
.PP
|
||||
The "briefest" valid rules are (currently) no-ops and are of the form:
|
||||
.nf
|
||||
block in
|
||||
pass in
|
||||
log in
|
||||
count in
|
||||
.fi
|
||||
.PP
|
||||
These are supposed to be the same as, but currently differ from:
|
||||
.\" XXX How, why do they differ??
|
||||
.nf
|
||||
block in all
|
||||
pass in from any to any
|
||||
log in all
|
||||
count in all
|
||||
.fi
|
||||
.PP
|
||||
Filter rules are checked in order, with the last matching rule
|
||||
determining the fate of the packet (but see the \fBquick\fP option,
|
||||
below).
|
||||
.PP
|
||||
Filters are installed by default at the end of the kernel's filter
|
||||
lists, prepending the rule with \fB@n\fP will cause it to be inserted
|
||||
as the n'th entry in the current list. This is especially useful when
|
||||
modifying and testing active filter rulesets. See ipf(1) for more
|
||||
information.
|
||||
.SH ACTIONS
|
||||
.PP
|
||||
The action indicates what to do with the packet if it matches the rest
|
||||
of the filter rule. Each rule MUST have an action. The following
|
||||
actions are recognised:
|
||||
.TP
|
||||
.B block
|
||||
indicates that the packet should be flagged to be dropped. In response
|
||||
to blocking a packet, the filter may be instructed to send a reply
|
||||
packet, either an ICMP packet (\fBreturn-icmp\fP) or a TCP "reset"
|
||||
(\fBreturn-rst\fP). An ICMP packet may be generated in response to
|
||||
any IP packet, and its type may optionally be specified, but a TCP
|
||||
reset may only be used with a rule which is being applied to TCP
|
||||
packets.
|
||||
.TP
|
||||
.B pass
|
||||
will flag the packet to be let through the filter.
|
||||
.TP
|
||||
.B log
|
||||
causes the packet to be logged (as described in the LOGGING section
|
||||
below) and has no effect on whether the packet will be allowed through
|
||||
the filter.
|
||||
.TP
|
||||
.B count
|
||||
causes the packet to be included in the accounting statistics kept by
|
||||
the filter, and has no effect on whether the packet will be allowed through
|
||||
the filter. These statistics are viewable with ipfstat(8).
|
||||
.TP
|
||||
.B call
|
||||
this action is used to invoke the named function in the kernel, which
|
||||
must conform to a specific calling interface. Customised actions and
|
||||
semantics can thus be implemented to supplement those available. This
|
||||
feature is for use by knowledgeable hackers, and is not currently
|
||||
documented.
|
||||
.PP
|
||||
The next word must be either \fBin\fP or \fBout\fP. Each packet
|
||||
moving through the kernel is either inbound (just been received on an
|
||||
interface, and moving towards the kernel's protocol processing) or
|
||||
outbound (transmitted or forwarded by the stack, and on its way to an
|
||||
interface). There is a requirement that each filter rule explicitly
|
||||
state which side of the I/O it is to be used on.
|
||||
.SH OPTIONS
|
||||
.PP
|
||||
The list of options is brief, and all are indeed optional. Where
|
||||
options are used, they must be present in the order shown here. These
|
||||
are the currently supported options:
|
||||
.TP
|
||||
.B log
|
||||
indicates that, should this be the last matching rule, the packet
|
||||
header will be written to the \fBipl\fP log (as described in the
|
||||
LOGGING section below).
|
||||
.TP
|
||||
.B quick
|
||||
allows "short-cut" rules in order to speed up the filter or override
|
||||
later rules. If a packet matches a filter rule which is marked as
|
||||
\fBquick\fP, this rule will be the last rule checked, allowing a
|
||||
"short-circuit" path to avoid processing later rules for this
|
||||
packet. The current status of the packet (after any effects of the
|
||||
current rule) will determine whether it is passed or blocked.
|
||||
.IP
|
||||
If this option is missing, the rule is taken to be a "fall-through"
|
||||
rule, meaning that the result of the match (block/pass) is saved and
|
||||
that processing will continue to see if there are any more matches.
|
||||
.TP
|
||||
.B on
|
||||
allows an interface name to be incorporated into the matching
|
||||
procedure. Interface names are as printed by "netstat \-i". If this
|
||||
option is used, the rule will only match if the packet is going
|
||||
through that interface in the specified direction (in/out). If this
|
||||
option is absent, the rule is taken to be applied to a packet
|
||||
regardless of the interface it is present on (i.e. on all interfaces).
|
||||
Filter rulesets are common to all interfaces, rather than having a
|
||||
filter list for each interface.
|
||||
.IP
|
||||
This option is especially useful for simple IP-spoofing protection:
|
||||
packets should only be allowed to pass inbound on the interface from
|
||||
which the specified source address would be expected, others may be
|
||||
logged and/or dropped.
|
||||
.TP
|
||||
.B dup-to
|
||||
causes the packet to be copied, and the duplicate packet to be sent outbound on the specified interface, optionally with the destination IP address changed to that specified. This is useful for off-host logging, using a network sniffer.
|
||||
.TP
|
||||
.B to
|
||||
causes the packet to be moved to the outbound queue on the
|
||||
specified interface. This can be used to circumvent kernel routing
|
||||
decisions, and even to bypass the rest of the kernel processing of the
|
||||
packet (if applied to an inbound rule). It is thus possible to
|
||||
construct a firewall that behaves transparently, like a filtering hub
|
||||
or switch, rather than a router. The \fBfastroute\fP keyword is a
|
||||
synonym for this option.
|
||||
.SH MATCHING PARAMETERS
|
||||
.PP
|
||||
The keywords described in this section are used to describe attributes
|
||||
of the packet to be used when determining whether rules match or don't
|
||||
match. The following general-purpose attributes are provided for
|
||||
matching, and must be used in this order:
|
||||
.TP
|
||||
.B tos
|
||||
packets with different Type-Of-Service values can be filtered.
|
||||
Individual service levels or combinations can be filtered upon. The
|
||||
value for the TOS mask can either be represented as a hex number or a
|
||||
decimal integer value.
|
||||
.\" XXX TOS mask?? not in grammar!
|
||||
.TP
|
||||
.B ttl
|
||||
packets may also be selected by their Time-To-Live value. The value given in
|
||||
the filter rule must exactly match that in the packet for a match to occur.
|
||||
This value can only be given as a decimal integer value.
|
||||
.TP
|
||||
.B proto
|
||||
allows a specific protocol to be matched against. All protocol names
|
||||
found in \fB/etc/protocols\fP are recognised and may be used.
|
||||
However, the protocol may also be given as a DECIMAL number, allowing
|
||||
for rules to match your own protocols, or new ones which would
|
||||
out-date any attempted listing.
|
||||
.IP
|
||||
The special protocol keyword \fBtcp/udp\fP may be used to match either
|
||||
a TCP or a UDP packet, and has been added as a convenience to save
|
||||
duplication of otherwise-identical rules.
|
||||
.\" XXX grammar should reflect this (/etc/protocols)
|
||||
.PP
|
||||
The \fBfrom\fP and \fBto\fP keywords are used to match against IP
|
||||
addresses (and optionally port numbers). Rules must specify BOTH
|
||||
source and destination parameters.
|
||||
.PP
|
||||
IP addresses may be specified in one of two ways: as a numerical
|
||||
address\fB/\fPmask, or as a hostname \fBmask\fP netmask. The hostname
|
||||
may either be a valid hostname, from either the hosts file or DNS
|
||||
(depending on your configuration and library) or of the dotted numeric
|
||||
form. There is no special designation for networks but network names
|
||||
are recognised. Note that having your filter rules depend on DNS
|
||||
results can introduce an avenue of attack, and is discouraged.
|
||||
.PP
|
||||
There is a special case for the hostname \fBany\fP which is taken to
|
||||
be 0.0.0.0/0 (see below for mask syntax) and matches all IP addresses.
|
||||
Only the presence of "any" has an implied mask, in all other
|
||||
situations, a hostname MUST be accompanied by a mask. It is possible
|
||||
to give "any" a hostmask, but in the context of this language, it is
|
||||
non-sensical.
|
||||
.PP
|
||||
The numerical format "x\fB/\fPy" indicates that a mask of y
|
||||
consecutive 1 bits set is generated, starting with the MSB, so a y value
|
||||
of 16 would give 0xffff0000. The symbolic "x \fBmask\fP y" indicates
|
||||
that the mask y is in dotted IP notation or a hexadecimal number of
|
||||
the form 0x12345678. Note that all the bits of the IP address
|
||||
indicated by the bitmask must match the address on the packet exactly;
|
||||
there isn't currently a way to invert the sense of the match, or to
|
||||
match ranges of IP addresses which do not express themselves easily as
|
||||
bitmasks (anthropomorphization; it's not just for breakfast anymore).
|
||||
.PP
|
||||
If a \fBport\fP match is included, for either or both of source and
|
||||
destination, then it is only applied to
|
||||
.\" XXX - "may only be" ? how does this apply to other protocols? will it not match, or will it be ignored?
|
||||
TCP and UDP packets. If there is no \fBproto\fP match parameter,
|
||||
packets from both protocols are compared. This is equivalent to "proto
|
||||
tcp/udp". When composing \fBport\fP comparisons, either the service
|
||||
name or an integer port number may be used. Port comparisons may be
|
||||
done in a number of forms, with a number of comparison operators, or
|
||||
port ranges may be specified. See the examples for more information.
|
||||
.PP
|
||||
The \fBall\fP keyword is essentially a synonym for "from any to any"
|
||||
with no other match parameters.
|
||||
.PP
|
||||
Following the source and destination matching parameters, the
|
||||
following additional parameters may be used:
|
||||
.TP
|
||||
.B with
|
||||
is used to match irregular attributes that some packets may have
|
||||
associated with them. To match the presence of IP options in general,
|
||||
use \fBwith ipopts\fP. To match packets that are too short to contain
|
||||
a complete header, use \fBwith short\fP. To match fragmented packets,
|
||||
use \fBwith frag\fP. For more specific filtering on IP options,
|
||||
individual options can be listed.
|
||||
.IP
|
||||
Before any parameter used after the \fBwith\fP keyword, the word
|
||||
\fBnot\fP or \fBno\fP may be inserted to cause the filter rule to only
|
||||
match if the option(s) is not present.
|
||||
.IP
|
||||
Multiple consecutive \fBwith\fP clauses are allowed. Alternatively,
|
||||
the keyword \fBand\fP may be used in place of \fBwith\fP, this is
|
||||
provided purely to make the rules more readable ("with ... and ...").
|
||||
When multiple clauses are listed, all those must match to cause a
|
||||
match of the rule.
|
||||
.\" XXX describe the options more specifically in a separate section
|
||||
.TP
|
||||
.B flags
|
||||
is only effective for TCP filtering. Each of the letters possible
|
||||
represents one of the possible flags that can be set in the TCP
|
||||
header. The association is as follows:
|
||||
.LP
|
||||
.nf
|
||||
F - FIN
|
||||
S - SYN
|
||||
R - RST
|
||||
P - PUSH
|
||||
A - ACK
|
||||
U - URG
|
||||
.fi
|
||||
.IP
|
||||
The various flag symbols may be used in combination, so that "SA"
|
||||
would represent a SYN-ACK combination present in a packet. There is
|
||||
nothing preventing the specification of combinations, such as "SFR",
|
||||
that would not normally be generated by law-abiding TCP
|
||||
implementations. However, to guard against weird aberrations, it is
|
||||
necessary to state which flags you are filtering against. To allow
|
||||
this, it is possible to set a mask indicating which TCP flags you wish
|
||||
to compare (i.e., those you deem significant). This is done by
|
||||
appending "/<flags>" to the set of TCP flags you wish to match
|
||||
against, e.g.:
|
||||
.LP
|
||||
.nf
|
||||
... flags S
|
||||
# becomes "flags S/AUPRFS" and will match
|
||||
# packets with ONLY the SYN flag set.
|
||||
|
||||
... flags SA
|
||||
# becomes "flags SA/AUPRFS" and will match any
|
||||
# packet with only the SYN and ACK flags set.
|
||||
|
||||
... flags S/SA
|
||||
# will match any packet with just the SYN flag set
|
||||
# out of the SYN-ACK pair; the common "establish"
|
||||
# keyword action. "S/SA" will NOT match a packet
|
||||
# with BOTH SYN and ACK set, but WILL match "SFP".
|
||||
.fi
|
||||
.TP
|
||||
.B icmp-type
|
||||
is only effective when used with \fBproto icmp\fP and must NOT be used
|
||||
in conjuction with \fBflags\fP. There are a number of types, which can be
|
||||
referred to by an abbreviation recognised by this language, or the numbers
|
||||
with which they are associated can be used. The most important from
|
||||
a security point of view is the ICMP redirect.
|
||||
.SH KEEP HISTORY
|
||||
.PP
|
||||
The last parameter which can be set for a filter rule is whether on not to
|
||||
record historical information for that packet, and what sort to keep. The following information can be kept:
|
||||
.TP
|
||||
.B state
|
||||
keeps information about the flow of a communication session. State can
|
||||
be kept for TCP, UDP, and ICMP packets.
|
||||
.TP
|
||||
.B frags
|
||||
keeps information on fragmented packets, to be applied to later
|
||||
fragments.
|
||||
.PP
|
||||
allowing packets which match these to flow straight through, rather
|
||||
than going through the access control list.
|
||||
.SH LOGGING
|
||||
.PP
|
||||
When a packet is logged, with either the \fBlog\fP action or option,
|
||||
the headers of the packet are written to the \fBipl\fP packet logging
|
||||
psuedo-device. Immediately following the \fBlog\fP keyword, the
|
||||
following qualifiers may be used (in order):
|
||||
.TP
|
||||
.B body
|
||||
indicates that the first 128 bytes of the packet contents will be
|
||||
logged after the headers.
|
||||
.TP
|
||||
.B first
|
||||
??
|
||||
.TP
|
||||
.B or-block
|
||||
indicates that, if for some reason the filter is unable to log the packet (such as the log reader being too slow) then the rule should be interpreted as if the action was \fBblock\fP for this packet.
|
||||
.PP
|
||||
See ipl(4) for the format of records written
|
||||
to this device. The ipmon(8) program can be used to read and format
|
||||
this log.
|
||||
.SH EXAMPLES
|
||||
.PP
|
||||
The \fBquick\fP option is good for rules such as:
|
||||
\fC
|
||||
.nf
|
||||
block in quick from any to any with ipopts
|
||||
.fi
|
||||
.PP
|
||||
which will match any packet with a non-standard header length (IP
|
||||
options present) and abort further processing of later rules,
|
||||
recording a match and also that the packet should be blocked.
|
||||
.PP
|
||||
The "fall-through" rule parsing allows for effects such as this:
|
||||
.LP
|
||||
.nf
|
||||
block in from any to any port < 6000
|
||||
pass in from any to any port >= 6000
|
||||
block in from any to port > 6003
|
||||
.fi
|
||||
.PP
|
||||
which sets up the range 6000-6003 as being permitted and all others being
|
||||
denied. Note that the effect of the first rule is overridden by subsequent
|
||||
rules. Another (easier) way to do the same is:
|
||||
.LP
|
||||
.nf
|
||||
block in from any to any port 6000 <> 6003
|
||||
pass in from any to any port 5999 >< 6004
|
||||
.fi
|
||||
.PP
|
||||
Note that both the "block" and "pass" are needed here to effect a
|
||||
result as a failed match on the "block" action does not imply a pass,
|
||||
only that the rule hasn't taken effect. To then allow ports < 1024, a
|
||||
rule such as:
|
||||
.LP
|
||||
.nf
|
||||
pass in quick from any to any port < 1024
|
||||
.fi
|
||||
.PP
|
||||
would be needed before the first block.
|
||||
.SH FILES
|
||||
/etc/services
|
||||
.br
|
||||
/etc/hosts
|
||||
.SH SEE ALSO
|
||||
ipf(1), ipftest(1)
|
73
contrib/ipfilter/man/ipfstat.8
Normal file
73
contrib/ipfilter/man/ipfstat.8
Normal file
@ -0,0 +1,73 @@
|
||||
.TH ipfstat 8
|
||||
.SH NAME
|
||||
ipfstat \- reports on packet filter statistics and filter list
|
||||
.SH SYNOPSIS
|
||||
.B ipfstat
|
||||
[
|
||||
.B \-hIinov
|
||||
] [
|
||||
.B \-d
|
||||
<device>
|
||||
]
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
\fBipfstat\fP examines /dev/kmem using the symbols \fB_fr_flags\fP,
|
||||
\fB_frstats\fP, \fB_filterin\fP, and \fB_filterout\fP.
|
||||
To run and work, it needs to be able to read both /dev/kmem and the
|
||||
kernel itself. The kernel name defaults to \fB/vmunix\fP.
|
||||
.PP
|
||||
The default behaviour of \fBipfstat\fP
|
||||
is to retrieve and display the accumulated statistics which have been
|
||||
accumulated over time as the kernel has put packets through the filter.
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
.B \-a
|
||||
Display the accounting filter list and show bytes counted against each rule.
|
||||
.TP
|
||||
.BR \-d \0<device>
|
||||
Use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
|
||||
.TP
|
||||
.B \-f
|
||||
Show fragment state information (statistics) and held state information (in
|
||||
the kernel) if any is present.
|
||||
.TP
|
||||
.B \-h
|
||||
Show per-rule the number of times each one scores a "hit". For use in
|
||||
combination with \fB\-i\fP.
|
||||
.TP
|
||||
.B \-i
|
||||
Display the filter list used for the input side of the kernel IP processing.
|
||||
.TP
|
||||
.B \-I
|
||||
Swap between retrieving "inactive"/"active" filter list details. For use
|
||||
in combination with \fB\-i\fP.
|
||||
.TP
|
||||
.B \-n
|
||||
Show the "rule number" for each rule as it is printed.
|
||||
.TP
|
||||
.B \-o
|
||||
Display the filter list used for the output side of the kernel IP processing.
|
||||
.TP
|
||||
.B \-s
|
||||
Show packet/flow state information (statistics) and held state information (in
|
||||
the kernel) if any is present.
|
||||
.TP
|
||||
.B \-v
|
||||
Turn verbose mode on. Displays more debugging information.
|
||||
.SH SYNOPSIS
|
||||
The role of \fBipfstat\fP is to display current kernel statistics gathered
|
||||
as a result of applying the filters in place (if any) to packets going in and
|
||||
out of the kernel. This is the default operation when no command line
|
||||
parameters are present.
|
||||
.PP
|
||||
When supplied with either \fB\-i\fP or \fB\-o\fP, it will retrieve and display
|
||||
the appropriate list of filter rules currently installed and in use by the
|
||||
kernel.
|
||||
.SH FILES
|
||||
/dev/kmem
|
||||
.br
|
||||
/vmunix
|
||||
.SH SEE ALSO
|
||||
ipf(1), ipfstat(1)
|
||||
.SH BUGS
|
||||
none known.
|
127
contrib/ipfilter/man/ipftest.1
Normal file
127
contrib/ipfilter/man/ipftest.1
Normal file
@ -0,0 +1,127 @@
|
||||
.TH ipftest 8
|
||||
.SH NAME
|
||||
ipftest \- test packet filter rules with arbitary input.
|
||||
.SH SYNOPSIS
|
||||
.B ipftest
|
||||
[
|
||||
.B \-vbdPSTEHX
|
||||
] [
|
||||
.B \-I
|
||||
interface
|
||||
]
|
||||
.B \-r
|
||||
<filename>
|
||||
[
|
||||
.B \-i
|
||||
<filename>
|
||||
]
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
\fBipftest\fP is provided for the purpose of being able to test a set of
|
||||
filter rules without having to put them in place, in operation and proceed
|
||||
to test their effectiveness. The hope is that this minimises disruptions
|
||||
in providing a secure IP environment.
|
||||
.PP
|
||||
\fBipftest\fP will parse any standard ruleset for use with \fBipf\fP
|
||||
and apply input, returning output as to the result. However, \fBipftest\fP
|
||||
will return one of three values for packets passed through the filter:
|
||||
pass, block or nomatch. This is intended to give the operator a better
|
||||
idea of what is happening with packets passing through their filter
|
||||
ruleset.
|
||||
.PP
|
||||
When used without either of \fB\-S\fP, \fB\-T\fP or \fB\-E\fP,
|
||||
\fBipftest\fP uses its own text input format to generate "fake" IP packets.
|
||||
The format used is as follows:
|
||||
.nf
|
||||
"in"|"out" "on" if ["tcp"|"udp"|"icmp"]
|
||||
srchost[,srcport] dsthost[,destport] [FSRPAU]
|
||||
.fi
|
||||
.PP
|
||||
This allows for a packet going "in" or "out" of an interface (if) to be
|
||||
generated, being one of the three main protocols (optionally), and if
|
||||
either TCP or UDP, a port parameter is also expected. If TCP is selected,
|
||||
it is possible to (optionally) supply TCP flags at the end. Some examples
|
||||
are:
|
||||
.nf
|
||||
# a UDP packet coming in on le0
|
||||
in on le0 udp 10.1.1.1,2210 10.2.1.5,23
|
||||
# an IP packet coming in on le0 from localhost - hmm :)
|
||||
in on le0 localhost 10.4.12.1
|
||||
# a TCP packet going out of le0 with the SYN flag set.
|
||||
out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
|
||||
.fi
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
.B \-v
|
||||
Verbose mode. This provides more information about which parts of rule
|
||||
matching the input packet passes and fails.
|
||||
.TP
|
||||
.B \-d
|
||||
Turn on filter rule debugging. Currently, this only shows you what caused
|
||||
the rule to not match in the IP header checking (addresses/netmasks, etc).
|
||||
.TP
|
||||
.B \-b
|
||||
Cause the output to be a brief summary (one-word) of the result of passing
|
||||
the packet through the filter; either "pass", "block" or "nomatch".
|
||||
This is used in the regression testing.
|
||||
.TP
|
||||
.BR \-I \0<interface>
|
||||
Set the interface name (used in rule matching) to be the name supplied.
|
||||
This is useful with the \fB\-P, \-S, \-T\fP and \fB\-E\fP options, where it is
|
||||
not otherwise possible to associate a packet with an interface. Normal
|
||||
"text packets" can override this setting.
|
||||
.TP
|
||||
.B \-P
|
||||
The input file specified by \fB\-i\fP is a binary file produced using libpcap
|
||||
(i.e., tcpdump version 3). Packets are read from this file as being input
|
||||
(for rule purposes). An interface maybe specified using \fB\-I\fP.
|
||||
.TP
|
||||
.B \-S
|
||||
The input file is to be in "snoop" format (see RFC 1761). Packets are read
|
||||
from this file and used as input from any interface. This is perhaps the
|
||||
most useful input type, currently.
|
||||
.TP
|
||||
.B \-T
|
||||
The input file is to be text output from tcpdump. The text formats which
|
||||
are currently supported are those which result from the following tcpdump
|
||||
option combinations:
|
||||
.PP
|
||||
.nf
|
||||
tcpdump -n
|
||||
tcpdump -nq
|
||||
tcpdump -nqt
|
||||
tcpdump -nqtt
|
||||
tcpdump -nqte
|
||||
.fi
|
||||
.LP
|
||||
.TP
|
||||
.B \-H
|
||||
The input file is to be hex digits, representing the binary makeup of the
|
||||
packet. No length correction is made, if an incorrect length is put in
|
||||
the IP header.
|
||||
.TP
|
||||
.B \-X
|
||||
The input file is composed of text descriptions of IP packets.
|
||||
.TP
|
||||
.B \-E
|
||||
The input file is to be text output from etherfind. The text formats which
|
||||
are currently supported are those which result from the following etherfind
|
||||
option combinations:
|
||||
.PP
|
||||
.nf
|
||||
etherfind -n
|
||||
etherfind -n -t
|
||||
.fi
|
||||
.LP
|
||||
.TP
|
||||
.BR \-i \0<filename>
|
||||
Specify the filename from which to take input. Default is stdin.
|
||||
.TP
|
||||
.BR \-r \0<filename>
|
||||
Specify the filename from which to read filter rules.
|
||||
.SH FILES
|
||||
.SH SEE ALSO
|
||||
ipf(1), ipf(5), snoop(1m), tcpdump(8), etherfind(8c)
|
||||
.SH BUGS
|
||||
Not all of the input formats are sufficiently capable of introducing a
|
||||
wide enough variety of packets for them to be all useful in testing.
|
62
contrib/ipfilter/man/ipl.4
Normal file
62
contrib/ipfilter/man/ipl.4
Normal file
@ -0,0 +1,62 @@
|
||||
.TH IPL 4
|
||||
.SH NAME
|
||||
ipl \- IP packet log device
|
||||
.SH DESCRIPTION
|
||||
The \fBipl\fP pseudo device's purpose is to provide an easy way to gather
|
||||
packet headers of packets you wish to log. If a packet header is to be
|
||||
logged, the entire header is logged (including any IP options \- TCP/UDP
|
||||
options are not included when it calculates header size) or not at all.
|
||||
The packet contents are also logged after the header.
|
||||
.PP
|
||||
Prepending every packet header logged is a structure containing information
|
||||
relevant to the packet following and why it was logged. The structure's
|
||||
format is as follows:
|
||||
.LP
|
||||
.nf
|
||||
struct ipl_ci {
|
||||
u_long sec; /* time when the packet was logged */
|
||||
u_long usec;
|
||||
u_long plen; /* length of packet data logged */
|
||||
u_short hlen; /* length of headers logged */
|
||||
u_short rule; /* rule number (for log ...) or 0 if result = log */
|
||||
u_long flags:24; /* XXX FIXME do we care about the extra bytes? */
|
||||
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606))
|
||||
u_long filler:8; /* XXX FIXME do we care? */
|
||||
u_char ifname[IFNAMSIZ];
|
||||
#else
|
||||
u_long unit:8;
|
||||
u_char ifname[4];
|
||||
#endif
|
||||
};
|
||||
.fi
|
||||
.PP
|
||||
In the case of the header causing the buffer to finish on a non-32bit
|
||||
boundary, padding will be `appended' to ensure that the next log entry
|
||||
is aligned to a 32bit boundary.
|
||||
.LP
|
||||
.PP
|
||||
If the packet contents is more then 128 bytes, then only 128 bytes of the
|
||||
packet contents is logged. Should the packet contents finish on a non-32bit
|
||||
boundary, then the last few bytes are not logged to ensure the log entry
|
||||
is aligned to a 32bit boundary.
|
||||
|
||||
\fBipl\fP is a read-only (sequential) character pseudo-device.
|
||||
|
||||
The ioctls which are loaded with this device can be found under \fBipf(4)\fP.
|
||||
The only ioctl which is used for logging and doesn't affect the filter is:
|
||||
.LP
|
||||
.nf
|
||||
ioctl(fd, SIOCIPFFB, int *)
|
||||
.fi
|
||||
.PP
|
||||
This ioctl flushes the log buffer and returns the number of bytes flushed.
|
||||
.PP
|
||||
There is currently no support for non-blocking IO with this device, meaning
|
||||
all read operations should be considered blocking in nature (if there is no
|
||||
data to read, it will sleep until some is made available).
|
||||
.SH SEE ALSO
|
||||
ipf(4)
|
||||
.SH BUGS
|
||||
Packet headers are dropped when the internal buffer (static size) fills.
|
||||
.SH FILES
|
||||
/dev/ipl0
|
56
contrib/ipfilter/man/ipmon.8
Normal file
56
contrib/ipfilter/man/ipmon.8
Normal file
@ -0,0 +1,56 @@
|
||||
.TH ipmon 8
|
||||
.SH NAME
|
||||
ipmon \- monitors /dev/ipl for logged packets
|
||||
.SH SYNOPSIS
|
||||
.B ipmon
|
||||
[
|
||||
.B \-sfN
|
||||
] [
|
||||
<filename>
|
||||
]
|
||||
.SH DESCRIPTION
|
||||
.LP
|
||||
\fBipmon\fP opens \fB/dev/ipl\fP for reading and awaits data to be saved from
|
||||
the packet filter. The binary data read from the device is reprinted in
|
||||
human readable for, however, IP#'s are not mapped back to hostnames, nor are
|
||||
ports mapped back to service names. The output goes to standard output by
|
||||
default or a filename, if given on the command line. Should the \fB\-s\fP
|
||||
option be used, output is instead sent to \fBsyslogd(8)\fP. Messages sent
|
||||
via syslog have the day, month and year removed from the message, but the
|
||||
time (including microseconds), as recorded in the log, is still included.
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
.B \-s
|
||||
Packet information read in will be sent through syslogd rather than
|
||||
saved to a file. The following levels are used:
|
||||
.IP
|
||||
.B LOG_INFO
|
||||
\- packets logged using the "log" keyword as the action rather
|
||||
than pass or block.
|
||||
.IP
|
||||
.B LOG_NOTICE
|
||||
\- packets logged which are also passed
|
||||
.IP
|
||||
.B LOG_WARNING
|
||||
\- packets logged which are also blocked
|
||||
.IP
|
||||
.B LOG_ERR
|
||||
\- packets which have been logged and which can be considered
|
||||
"short".
|
||||
.TP
|
||||
.B \-f
|
||||
Flush the current packet log buffer. The number of bytes flushed is displayed,
|
||||
even should the result be zero.
|
||||
.TP
|
||||
.B \-N
|
||||
IP addresses and port numbers will be mapped, where possible, back into
|
||||
hostnames and service names.
|
||||
.SH DIAGNOSTICS
|
||||
\fBipmon\fP expects data that it reads to be consistant with how it should be
|
||||
saved and will abort if it fails an assertion which detects an anomoly in the
|
||||
recorded data.
|
||||
.SH FILES
|
||||
/dev/ipl
|
||||
.SH SEE ALSO
|
||||
ipf(1), ipfstat(1)
|
||||
.SH BUGS
|
45
contrib/ipfilter/man/ipnat.1
Normal file
45
contrib/ipfilter/man/ipnat.1
Normal file
@ -0,0 +1,45 @@
|
||||
.TH IPNAT 1
|
||||
.SH NAME
|
||||
ipnat \- user interface to the NAT
|
||||
.SH SYNOPSIS
|
||||
.B ipnat
|
||||
[
|
||||
.B \-lnrsvCF
|
||||
]
|
||||
.B \-f <\fIfilename\fP>
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
|
||||
file for a set of rules which are to be added or removed from the IP NAT.
|
||||
.PP
|
||||
Each rule processed by \fBipnat\fP
|
||||
is added to the kernels internal lists if there are no parsing problems.
|
||||
Rules are added to the end of the internal lists, matching the order in
|
||||
which they appear when given to \fBipnat\fP.
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
.B \-C
|
||||
delete all entries in the current NAT listing (NAT rules)
|
||||
.TP
|
||||
.B \-F
|
||||
delete all active entries in the current NAT table (currently active
|
||||
NAT mappings)
|
||||
.TP
|
||||
.B \-l
|
||||
Show the list of current NAT table entry mappings.
|
||||
.TP
|
||||
.B \-n
|
||||
This flag (no-change) prevents \fBipf\fP from actually making any ioctl
|
||||
calls or doing anything which would alter the currently running kernel.
|
||||
.TP
|
||||
.B \-s
|
||||
Retrieve and display NAT statistics
|
||||
.TP
|
||||
.B \-r
|
||||
Remove matching NAT rules rather than add them to the internal lists
|
||||
.TP
|
||||
.B \-v
|
||||
Turn verbose mode on. Displays information relating to rule processing.
|
||||
.DT
|
||||
.SH SEE ALSO
|
||||
ipfstat(1), ipftest(1), ipf(1), ipnat(5)
|
88
contrib/ipfilter/man/ipnat.4
Normal file
88
contrib/ipfilter/man/ipnat.4
Normal file
@ -0,0 +1,88 @@
|
||||
.TH IPNAT 4
|
||||
.SH NAME
|
||||
ipnat \- Network Address Translation kernel interface
|
||||
.SH SYNOPSIS
|
||||
#include <sys/ip_fil.h>
|
||||
.SH IOCTLS
|
||||
.PP
|
||||
To add and delete rules to the NAT list, two 'basic' ioctls are provided
|
||||
for use. The ioctl's are called as:
|
||||
.LP
|
||||
.nf
|
||||
ioctl(fd, SIOCADNAT, struct ipnat *)
|
||||
ioctl(fd, SIOCRMNAT, struct ipnat *)
|
||||
.fi
|
||||
.PP
|
||||
Unlike \fBipf(4)\fP, there is only a single list supported by the kernel NAT
|
||||
interface. An inactive list which can be swapped to is not currently
|
||||
supported.
|
||||
|
||||
These ioctl's are implemented as being routing ioctls and thus the same rules
|
||||
for the various routing ioctls and the file descriptor are employed, mainly
|
||||
being that the fd must be that of the device associated with the module
|
||||
(i.e., /dev/ipl).
|
||||
.LP
|
||||
.PP
|
||||
The strcture used with the NAT interface is described below:
|
||||
.LP
|
||||
.nf
|
||||
typedef struct ipnat {
|
||||
struct ipnat *in_next;
|
||||
void *in_ifp;
|
||||
u_short in_flags;
|
||||
u_short in_pnext;
|
||||
u_short in_port[2];
|
||||
struct in_addr in_in[2];
|
||||
struct in_addr in_out[2];
|
||||
struct in_addr in_nextip;
|
||||
int in_space;
|
||||
int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
|
||||
char in_ifname[IFNAMSIZ];
|
||||
} ipnat_t;
|
||||
|
||||
#define in_pmin in_port[0] /* Also holds static redir port */
|
||||
#define in_pmax in_port[1]
|
||||
#define in_nip in_nextip.s_addr
|
||||
#define in_inip in_in[0].s_addr
|
||||
#define in_inmsk in_in[1].s_addr
|
||||
#define in_outip in_out[0].s_addr
|
||||
#define in_outmsk in_out[1].s_addr
|
||||
|
||||
.fi
|
||||
.PP
|
||||
Recognised values for in_redir:
|
||||
.LP
|
||||
.nf
|
||||
#define NAT_MAP 0
|
||||
#define NAT_REDIRECT 1
|
||||
.fi
|
||||
.PP
|
||||
.LP
|
||||
\fBNAT statistics\fP
|
||||
Statistics on the the number of packets mapped, going in and out are kept,
|
||||
the number of times a new entry is added and deleted (through expiration) to
|
||||
the NAT table and the current usage level of the NAT table.
|
||||
.PP
|
||||
Pointers to the NAT table inside the kernel, as well as to the top of the
|
||||
internal NAT lists constructed with the \fBSIOCADNAT\fP ioctls. The table
|
||||
itself is a hash table of size NAT_SIZE (default size is 367).
|
||||
.PP
|
||||
To retrieve the statistics, the \fBSIOCGNATS\fP ioctl must be used, with
|
||||
the appropriate structure passed by reference, as follows:
|
||||
.nf
|
||||
ioctl(fd, SIOCGNATS, struct natstat *)
|
||||
|
||||
typedef struct natstat {
|
||||
u_long ns_mapped[2];
|
||||
u_long ns_added;
|
||||
u_long ns_expire;
|
||||
u_long ns_inuse;
|
||||
nat_t ***ns_table;
|
||||
ipnat_t *ns_list;
|
||||
} natstat_t;
|
||||
.fi
|
||||
.SH BUGS
|
||||
It would be nice if there were more flexibility when adding and deleting
|
||||
filter rules.
|
||||
.SH SEE ALSO
|
||||
ipfstat(1), ipf(1), ipf(4), ipnat(5)
|
70
contrib/ipfilter/man/ipnat.5
Normal file
70
contrib/ipfilter/man/ipnat.5
Normal file
@ -0,0 +1,70 @@
|
||||
.TH IPNAT 5
|
||||
.SH NAME
|
||||
ipnat \- IP NAT file format
|
||||
.SH DESCRIPTION
|
||||
The format for files accepted by ipnat is described by the following grammar:
|
||||
.LP
|
||||
.nf
|
||||
ipmap :: = mapit ifname ipmask "->" ipmask [ mapport ] .
|
||||
|
||||
mapit ::= "map" | "rdr" .
|
||||
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
|
||||
mapport ::= "portmap" tcpudp portnumber ":" portnumber .
|
||||
|
||||
tcpudp ::= "tcp" | "udp" | "tcp/udp" .
|
||||
portnumber ::= number { numbers } .
|
||||
ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
|
||||
|
||||
numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
|
||||
.fi
|
||||
.PP
|
||||
For standard NAT functionality, a rule should start with \fBmap\fP and then
|
||||
proceeds to specify the interface for which outgoing packets will have their
|
||||
source address rewritten.
|
||||
.PP
|
||||
Packets which will be rewritten can only be selected by matching the original
|
||||
source address. A netmask must be specified with the IP address.
|
||||
.PP
|
||||
The address selected for replacing the original is chosen from an IP#/netmask
|
||||
pair. A netmask of all 1's indicating a hostname is valid. A netmask of
|
||||
31 1's (255.255.255.254) is considered invalid as there is no space for
|
||||
allocating host IP#'s after consideration for broadcast and network
|
||||
addresses.
|
||||
.PP
|
||||
When remapping TCP and UDP packets, it is also possible to change the source
|
||||
port number. Either TCP or UDP or both can be selected by each rule, with a
|
||||
range of port numbers to remap into given as \fBport-number:port-number\fP.
|
||||
.SH Examples
|
||||
.PP
|
||||
To change IP#'s used internally from network 10 into an ISP provided 8 bit
|
||||
subnet at 209.1.2.0, the following would be used:
|
||||
.LP
|
||||
.nf
|
||||
map 10.0.0.0/8 -> 209.1.2.0/24
|
||||
.fi
|
||||
.PP
|
||||
The obvious problem here is we're trying to squeeze over 16,000,000 IP
|
||||
addresses into a 254 address space. To increase the scope, remapping for TCP
|
||||
and/or UDP, port remapping can be used;
|
||||
.LP
|
||||
.nf
|
||||
map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
|
||||
.fi
|
||||
.PP
|
||||
which falls only 527,566 `addresses' short of the space available in network
|
||||
10. If we were to combine these rules, they would need to be specified as
|
||||
follows:
|
||||
.LP
|
||||
.nf
|
||||
map 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
|
||||
map 10.0.0.0/8 -> 209.1.2.0/24
|
||||
.fi
|
||||
.PP
|
||||
so that all TCP/UDP packets were port mapped and only other protocols, such as
|
||||
ICMP, only have their IP# changed.
|
||||
.SH FILES
|
||||
/etc/services
|
||||
.br
|
||||
/etc/hosts
|
||||
.SH SEE ALSO
|
||||
ipnat(1), ipf(5), ipnat(4)
|
85
contrib/ipfilter/misc.c
Normal file
85
contrib/ipfilter/misc.c
Normal file
@ -0,0 +1,85 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <assert.h>
|
||||
#include <string.h>
|
||||
#if !defined(__SVR4) && !defined(__svr4__)
|
||||
#include <strings.h>
|
||||
#else
|
||||
#include <sys/byteorder.h>
|
||||
#endif
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip_var.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/ip_icmp.h>
|
||||
#include <netinet/tcpip.h>
|
||||
#include <net/if.h>
|
||||
#include "ip_fil.h"
|
||||
#include <netdb.h>
|
||||
#include <arpa/nameser.h>
|
||||
#include <resolv.h>
|
||||
#include "ipf.h"
|
||||
#include "ipt.h"
|
||||
|
||||
#if !defined(lint) && defined(LIBC_SCCS)
|
||||
static char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
|
||||
static char rcsid[] = "$Id: misc.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $";
|
||||
#endif
|
||||
|
||||
void debug(), verbose();
|
||||
|
||||
extern int opts;
|
||||
|
||||
|
||||
void printpacket(ip)
|
||||
struct ip *ip;
|
||||
{
|
||||
struct tcphdr *tcp;
|
||||
|
||||
tcp = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2));
|
||||
printf("ip %d(%d) %d ", ip->ip_len, ip->ip_hl << 2, ip->ip_p);
|
||||
if (ip->ip_off & 0x1fff)
|
||||
printf("@%d", ip->ip_off << 3);
|
||||
(void)printf(" %s", inet_ntoa(ip->ip_src));
|
||||
if (!(ip->ip_off & 0x1fff))
|
||||
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
|
||||
(void)printf(",%d", ntohs(tcp->th_sport));
|
||||
(void)printf(" > ");
|
||||
(void)printf("%s", inet_ntoa(ip->ip_dst));
|
||||
if (!(ip->ip_off & 0x1fff))
|
||||
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
|
||||
(void)printf(",%d", ntohs(tcp->th_dport));
|
||||
putchar('\n');
|
||||
}
|
||||
|
||||
|
||||
void verbose(fmt, p1, p2, p3, p4, p5, p6, p7, p8, p9)
|
||||
char *fmt, *p1, *p2, *p3, *p4, *p5, *p6, *p7,*p8,*p9;
|
||||
{
|
||||
if (opts & OPT_VERBOSE)
|
||||
printf(fmt, p1, p2, p3, p4, p5, p6, p7, p8, p9);
|
||||
}
|
||||
|
||||
|
||||
void debug(fmt, p1, p2, p3, p4, p5, p6, p7, p8, p9)
|
||||
char *fmt, *p1, *p2, *p3, *p4, *p5, *p6, *p7,*p8,*p9;
|
||||
{
|
||||
if (opts & OPT_DEBUG)
|
||||
printf(fmt, p1, p2, p3, p4, p5, p6, p7, p8, p9);
|
||||
}
|
65
contrib/ipfilter/mkfilters
Normal file
65
contrib/ipfilter/mkfilters
Normal file
@ -0,0 +1,65 @@
|
||||
#!/usr/local/bin/perl
|
||||
# for best results, bring up all your interfaces before running this
|
||||
open(I, "ifconfig -a|") || die $!;
|
||||
while (<I>) {
|
||||
chop;
|
||||
if (/^[a-zA-Z]+\d+:/) {
|
||||
($iface = $_) =~ s/^([a-zA-Z]+\d+).*/$1/;
|
||||
$ifaces{$iface} = $iface;
|
||||
next;
|
||||
}
|
||||
if (/inet/) {
|
||||
if (/\-\-\>/) { # PPP, (SLIP?)
|
||||
($inet{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$1/;
|
||||
($ppp{$iface} = $_) =~ s/.*inet ([^ ]+) \-\-\> ([^ ]+).*/$2/;
|
||||
} else {
|
||||
($inet{$iface} = $_) =~ s/.*inet ([^ ]+).*/$1/;
|
||||
}
|
||||
}
|
||||
if (/netmask/) {
|
||||
($mask = $_) =~ s/.*netmask ([^ ]+).*/$1/;
|
||||
$mask =~ s/^/0x/ if ($mask =~ /^[0-9a-f]*$/);
|
||||
$netmask{$iface} = $mask;
|
||||
}
|
||||
if (/broadcast/) {
|
||||
($bcast{$iface} = $_) =~ s/.*broadcast ([^ ]+).*/$1/;
|
||||
}
|
||||
}
|
||||
foreach $i (keys %ifaces) {
|
||||
$net{$i} = $inet{$i}."/".$netmask{$i} if (defined($inet{$i}));
|
||||
}
|
||||
#
|
||||
# print out route suggestions
|
||||
#
|
||||
print "#\n";
|
||||
print "# The following routes should be configured, if not already:\n";
|
||||
print "#\n";
|
||||
foreach $i (keys %ifaces) {
|
||||
next if (($i =~ /lo/) || !defined($net{$i}) || defined($ppp{$i}));
|
||||
print "# route add $inet{$i} localhost 0\n";
|
||||
}
|
||||
print "#\n";
|
||||
|
||||
#
|
||||
# print out some generic filters which people should use somewhere near the top
|
||||
#
|
||||
print "block in log quick from any to any with ipopts\n";
|
||||
print "block in log quick proto tcp from any to any with short\n";
|
||||
|
||||
foreach $i (keys %ifaces) {
|
||||
if (!defined($inet{$i})) {
|
||||
next;
|
||||
}
|
||||
if ($i !~ /lo/) {
|
||||
print "block in on $i from 127.0.0.0/8 to any\n";
|
||||
print "block out on $i from 127.0.0.0/8 to any\n";
|
||||
print "block out on $i from any to 127.0.0.0/8\n";
|
||||
print "block in on $i from $inet{$i}/32 to any\n";
|
||||
print "block out on $i from any to $inet{$i}/32\n";
|
||||
foreach $j (keys %ifaces) {
|
||||
if ($i ne $j && $j !~ /^lo/ && defined($net{$j})) {
|
||||
print "block in on $i from $net{$j} to any\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
167
contrib/ipfilter/ml_ipl.c
Normal file
167
contrib/ipfilter/ml_ipl.c
Normal file
@ -0,0 +1,167 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors. The author accepts no
|
||||
* responsibility and is not changed in any way.
|
||||
*
|
||||
* I hate legaleese, don't you ?
|
||||
*/
|
||||
/*
|
||||
* 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
|
||||
* its own major char number! Way cool patch!
|
||||
*/
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/conf.h>
|
||||
#include <sys/syslog.h>
|
||||
#include <sys/buf.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/errno.h>
|
||||
#include <sys/uio.h>
|
||||
#include <sys/vnode.h>
|
||||
#include <sundev/mbvar.h>
|
||||
#include <sun/autoconf.h>
|
||||
#include <sun/vddrv.h>
|
||||
#if defined(sun4c) || defined(sun4m)
|
||||
#include <sun/openprom.h>
|
||||
#endif
|
||||
|
||||
#ifndef IPL_NAME
|
||||
#define IPL_NAME "/dev/ipl"
|
||||
#endif
|
||||
|
||||
extern int iplattach(), iplopen(), iplclose(), iplioctl(), iplread();
|
||||
extern int nulldev(), iplidentify(), errno;
|
||||
|
||||
struct cdevsw ipldevsw =
|
||||
{
|
||||
iplopen, iplclose, iplread, nulldev,
|
||||
iplioctl, nulldev, nulldev, nulldev,
|
||||
0, nulldev,
|
||||
};
|
||||
|
||||
|
||||
struct dev_ops ipl_ops =
|
||||
{
|
||||
1,
|
||||
iplidentify,
|
||||
iplattach,
|
||||
iplopen,
|
||||
iplclose,
|
||||
iplread,
|
||||
NULL, /* write */
|
||||
NULL, /* strategy */
|
||||
NULL, /* dump */
|
||||
0, /* psize */
|
||||
iplioctl,
|
||||
NULL, /* reset */
|
||||
NULL /* mmap */
|
||||
};
|
||||
|
||||
int ipl_major = 0;
|
||||
|
||||
#ifdef sun4m
|
||||
struct vdldrv vd =
|
||||
{
|
||||
VDMAGIC_PSEUDO,
|
||||
"ipl",
|
||||
&ipl_ops,
|
||||
NULL,
|
||||
&ipldevsw,
|
||||
0,
|
||||
0,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
0,
|
||||
1,
|
||||
};
|
||||
#else /* sun4m */
|
||||
struct vdldrv vd =
|
||||
{
|
||||
VDMAGIC_PSEUDO, /* magic */
|
||||
"ipl", /* name */
|
||||
#ifdef sun4c
|
||||
&ipl_ops, /* dev_ops */
|
||||
#else
|
||||
NULL, /* struct mb_ctlr *mb_ctlr */
|
||||
NULL, /* struct mb_driver *mb_driver */
|
||||
NULL, /* struct mb_device *mb_device */
|
||||
0, /* num ctlrs */
|
||||
1, /* numdevs */
|
||||
#endif /* sun4c */
|
||||
NULL, /* bdevsw */
|
||||
&ipldevsw, /* cdevsw */
|
||||
0, /* block major */
|
||||
0, /* char major */
|
||||
};
|
||||
#endif /* sun4m */
|
||||
|
||||
extern int vd_unuseddev();
|
||||
extern struct cdevsw cdevsw[];
|
||||
extern int nchrdev;
|
||||
|
||||
xxxinit(fc, vdp, vdi, vds)
|
||||
u_int fc;
|
||||
struct vddrv *vdp;
|
||||
caddr_t vdi;
|
||||
struct vdstat *vds;
|
||||
{
|
||||
struct vdlinkage *v;
|
||||
int i;
|
||||
|
||||
switch (fc)
|
||||
{
|
||||
case VDLOAD:
|
||||
while (ipl_major < nchrdev &&
|
||||
cdevsw[ipl_major].d_open != vd_unuseddev)
|
||||
ipl_major++;
|
||||
if (ipl_major == nchrdev)
|
||||
return ENODEV;
|
||||
vd.Drv_charmajor = ipl_major;
|
||||
vdp->vdd_vdtab = (struct vdlinkage *)&vd;
|
||||
return ipl_attach(vdi);
|
||||
case VDUNLOAD:
|
||||
return unload(vdp, vdi);
|
||||
|
||||
case VDSTAT:
|
||||
return 0;
|
||||
|
||||
default:
|
||||
return EIO;
|
||||
}
|
||||
}
|
||||
|
||||
static unload(vdp, vdi)
|
||||
struct vddrv *vdp;
|
||||
struct vdioctl_unload *vdi;
|
||||
{
|
||||
int i;
|
||||
|
||||
(void) vn_remove(IPL_NAME, UIO_SYSSPACE, FILE);
|
||||
return ipldetach();
|
||||
}
|
||||
|
||||
|
||||
static int ipl_attach(vdi)
|
||||
struct vdioctl_load *vdi;
|
||||
{
|
||||
struct vnode *vp;
|
||||
struct vattr vattr;
|
||||
int error = 0, fmode = S_IFCHR|0600;
|
||||
|
||||
(void) vn_remove(IPL_NAME, UIO_SYSSPACE, FILE);
|
||||
vattr_null(&vattr);
|
||||
vattr.va_type = MFTOVT(fmode);
|
||||
vattr.va_mode = (fmode & 07777);
|
||||
vattr.va_rdev = ipl_major<<8;
|
||||
|
||||
error = vn_create(IPL_NAME, UIO_SYSSPACE, &vattr, EXCL, 0, &vp);
|
||||
if (error == 0)
|
||||
VN_RELE(vp);
|
||||
return iplattach(0);
|
||||
}
|
237
contrib/ipfilter/mln_ipl.c
Normal file
237
contrib/ipfilter/mln_ipl.c
Normal file
@ -0,0 +1,237 @@
|
||||
/*
|
||||
* (C)opyright 1993,1994,1995 by Darren Reed.
|
||||
*
|
||||
* Redistribution and use in source and binary forms are permitted
|
||||
* provided that this notice is preserved and due credit is given
|
||||
* to the original author and the contributors.
|
||||
*/
|
||||
/*
|
||||
* 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
|
||||
* its own major char number! Way cool patch!
|
||||
*/
|
||||
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
/*
|
||||
* Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
|
||||
* on those hooks. We don't need any special mods with this!
|
||||
*/
|
||||
#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
|
||||
(defined(NetBSD1_2) && NetBSD1_2 > 1)
|
||||
# define NETBSD_PF
|
||||
#endif
|
||||
|
||||
#if defined(__FreeBSD__) && (__FreeBSD__ > 1)
|
||||
# include <osreldate.h>
|
||||
#endif
|
||||
#include <sys/systm.h>
|
||||
#include <sys/conf.h>
|
||||
#include <sys/file.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/proc.h>
|
||||
#include <sys/uio.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/vnode.h>
|
||||
#include <sys/namei.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/exec.h>
|
||||
#include <sys/mbuf.h>
|
||||
#if defined(__NetBSD__) || (defined(__FreeBSD_version) && \
|
||||
(__FreeBSD_version >= 199607))
|
||||
#include <net/if.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/ip.h>
|
||||
#endif
|
||||
#ifndef __NetBSD__
|
||||
#include <sys/sysent.h>
|
||||
#endif
|
||||
#include <sys/lkm.h>
|
||||
#include "ipl.h"
|
||||
#include "ip_fil.h"
|
||||
|
||||
#ifndef IPL_NAME
|
||||
#define IPL_NAME "/dev/ipl"
|
||||
#endif
|
||||
#if !defined(VOP_LEASE) && defined(LEASE_CHECK)
|
||||
#define VOP_LEASE LEASE_CHECK
|
||||
#endif
|
||||
|
||||
#ifndef MIN
|
||||
#define MIN(a,b) (((a)<(b))?(a):(b))
|
||||
#endif
|
||||
|
||||
extern int lkmenodev(), lkmexists(), lkmdispatch();
|
||||
|
||||
extern int iplattach(), iplopen(), iplclose(), iplioctl(), ipldetach();
|
||||
#ifdef NETBSD_PF
|
||||
#include <net/pfil.h>
|
||||
#endif
|
||||
#ifdef IPFILTER_LOG
|
||||
extern int iplread();
|
||||
#else
|
||||
#ifdef NETBSD_PF
|
||||
#define iplread enodev
|
||||
#else
|
||||
#define iplread nodev
|
||||
#endif
|
||||
#endif
|
||||
extern int iplidentify();
|
||||
|
||||
#ifdef NETBSD_PF
|
||||
int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)) = NULL;
|
||||
#endif
|
||||
|
||||
static int ipl_unload(), ipl_load();
|
||||
#if (defined(NetBSD1_0) && (NetBSD1_0 > 1)) || \
|
||||
(defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199511))
|
||||
struct cdevsw ipldevsw =
|
||||
{
|
||||
iplopen, /* open */
|
||||
iplclose, /* close */
|
||||
iplread, /* read */
|
||||
0, /* write */
|
||||
iplioctl, /* ioctl */
|
||||
0, /* stop */
|
||||
0, /* tty */
|
||||
0, /* select */
|
||||
0, /* mmap */
|
||||
NULL /* strategy */
|
||||
};
|
||||
#else
|
||||
struct cdevsw ipldevsw =
|
||||
{
|
||||
iplopen, /* open */
|
||||
iplclose, /* close */
|
||||
iplread, /* read */
|
||||
(void *)nullop, /* write */
|
||||
iplioctl, /* ioctl */
|
||||
(void *)nullop, /* stop */
|
||||
(void *)nullop, /* reset */
|
||||
(void *)NULL, /* tty */
|
||||
(void *)nullop, /* select */
|
||||
(void *)nullop, /* mmap */
|
||||
NULL /* strategy */
|
||||
};
|
||||
#endif
|
||||
static struct cdevsw cdev_sav;
|
||||
int ipl_major = 0;
|
||||
|
||||
MOD_DEV(IPL_VERSION, LM_DT_CHAR, -1, &ipldevsw);
|
||||
|
||||
extern int vd_unuseddev();
|
||||
extern struct cdevsw cdevsw[];
|
||||
extern int nchrdev;
|
||||
|
||||
static int iplaction(lkmtp, cmd)
|
||||
struct lkm_table *lkmtp;
|
||||
int cmd;
|
||||
{
|
||||
int i;
|
||||
struct lkm_dev *args = lkmtp->private.lkm_dev;
|
||||
int err = 0;
|
||||
|
||||
switch (cmd)
|
||||
{
|
||||
case LKM_E_LOAD :
|
||||
if (lkmexists(lkmtp))
|
||||
return EEXIST;
|
||||
|
||||
for (i = 0; i < nchrdev; i++)
|
||||
if (cdevsw[i].d_open == lkmenodev ||
|
||||
cdevsw[i].d_open == iplopen)
|
||||
break;
|
||||
if (i == nchrdev) {
|
||||
printf("IP Filter: No free cdevsw slots\n");
|
||||
return ENODEV;
|
||||
}
|
||||
|
||||
ipl_major = i;
|
||||
args->lkm_offset = i; /* slot in cdevsw[] */
|
||||
printf("IP Filter: loaded into slot %d\n", ipl_major);
|
||||
return ipl_load();
|
||||
case LKM_E_UNLOAD :
|
||||
printf("IP Filter: unloaded from slot %d\n", ipl_major);
|
||||
return ipl_unload();
|
||||
case LKM_E_STAT :
|
||||
break;
|
||||
default:
|
||||
err = EIO;
|
||||
break;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static int ipl_remove()
|
||||
{
|
||||
struct nameidata nd;
|
||||
int error;
|
||||
|
||||
NDINIT(&nd, DELETE, LOCKPARENT, UIO_SYSSPACE, IPL_NAME, curproc);
|
||||
if ((error = namei(&nd)))
|
||||
return (error);
|
||||
VOP_LEASE(nd.ni_vp, curproc, curproc->p_ucred, LEASE_WRITE);
|
||||
VOP_LOCK(nd.ni_vp);
|
||||
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
|
||||
return VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd);
|
||||
}
|
||||
|
||||
|
||||
static int ipl_unload()
|
||||
{
|
||||
int error;
|
||||
|
||||
error = ipldetach();
|
||||
#ifdef NETBSD_PF
|
||||
pfil_remove_hook(fr_check, PFIL_IN|PFIL_OUT);
|
||||
#endif
|
||||
if (!error)
|
||||
error = ipl_remove();
|
||||
return error;
|
||||
}
|
||||
|
||||
|
||||
static int ipl_load()
|
||||
{
|
||||
struct nameidata nd;
|
||||
struct vattr vattr;
|
||||
int error, fmode = S_IFCHR|0600;
|
||||
|
||||
error = iplattach();
|
||||
#ifdef NETBSD_PF
|
||||
pfil_add_hook(fr_check, PFIL_IN|PFIL_OUT);
|
||||
#endif
|
||||
if (error)
|
||||
return error;
|
||||
(void) ipl_remove();
|
||||
error = 0;
|
||||
NDINIT(&nd, CREATE, LOCKPARENT, UIO_SYSSPACE, IPL_NAME, curproc);
|
||||
if (error = namei(&nd))
|
||||
return error;
|
||||
if (nd.ni_vp != NULL) {
|
||||
VOP_ABORTOP(nd.ni_dvp, &nd.ni_cnd);
|
||||
if (nd.ni_dvp == nd.ni_vp)
|
||||
vrele(nd.ni_dvp);
|
||||
else
|
||||
vput(nd.ni_dvp);
|
||||
vrele(nd.ni_vp);
|
||||
return (EEXIST);
|
||||
}
|
||||
VATTR_NULL(&vattr);
|
||||
vattr.va_type = VCHR;
|
||||
vattr.va_mode = (fmode & 07777);
|
||||
vattr.va_rdev = ipl_major<<8;
|
||||
VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE);
|
||||
return VOP_MKNOD(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
|
||||
}
|
||||
|
||||
|
||||
int xxxinit(lkmtp, cmd, ver)
|
||||
struct lkm_table *lkmtp;
|
||||
int cmd, ver;
|
||||
{
|
||||
DISPATCH(lkmtp, cmd, ver, iplaction, iplaction, iplaction);
|
||||
}
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user