authorTheo de Raadt <deraadt@cvs.openbsd.org>2001-05-30 02:12:57 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2001-05-30 02:12:57 +0000
commitb15a5a165339d99f4dd696f22eb53227671e1b7c (patch)
treedf0e361f461c1f4de76c81e5b9dc791ba6768ec8
parentd818215253f2f1d16376a6482ac14c27f16520a1 (diff)
Remove ipf. Darren Reed has interpreted his (old, new, whichever)
licence in a way that makes ipf not free according to the rules we established over 5 years ago, at www.openbsd.org/goals.html (and those same basic rules govern the other *BSD projects too). Specifically, Darren says that modified versions are not permitted. But software which OpenBSD uses and redistributes must be free to all (be they people or companies), for any purpose they wish to use it, including modification, use, peeing on, or even integration into baby mulching machines or atomic bombs to be dropped on Australia. Furthermore, we know of a number of companies using ipf with modification like us, who are now in the same situation, and we hope that some of them will work with us to fill this gap that now exists in OpenBSD (temporarily, we hope).
-rw-r--r--etc/Makefile8
-rw-r--r--etc/changelist4
-rw-r--r--etc/etc.alpha/MAKEDEV14
-rw-r--r--etc/etc.amiga/MAKEDEV17
-rw-r--r--etc/etc.arc/MAKEDEV13
-rw-r--r--etc/etc.hp300/MAKEDEV13
-rw-r--r--etc/etc.hppa/MAKEDEV13
-rw-r--r--etc/etc.i386/MAKEDEV13
-rw-r--r--etc/etc.mac68k/MAKEDEV12
-rw-r--r--etc/etc.mvme68k/MAKEDEV15
-rw-r--r--etc/etc.mvme88k/MAKEDEV13
-rw-r--r--etc/etc.pc532/MAKEDEV13
-rw-r--r--etc/etc.pmax/MAKEDEV13
-rw-r--r--etc/etc.powerpc/MAKEDEV13
-rw-r--r--etc/etc.sparc/MAKEDEV13
-rw-r--r--etc/etc.sun3/MAKEDEV13
-rw-r--r--etc/etc.vax/MAKEDEV8
-rw-r--r--etc/ipf.rules11
-rw-r--r--etc/ipnat.rules6
-rw-r--r--etc/mtree/special3
-rw-r--r--etc/netstart18
-rw-r--r--etc/newsyslog.conf4
-rw-r--r--etc/rc6
-rw-r--r--etc/rc.conf7
-rw-r--r--etc/syslog.conf6
-rw-r--r--sbin/Makefile4
-rw-r--r--sbin/ipf/HISTORY1679
-rw-r--r--sbin/ipf/Makefile7
-rw-r--r--sbin/ipf/common.c613
-rw-r--r--sbin/ipf/facpri.c148
-rw-r--r--sbin/ipf/facpri.h44
-rw-r--r--sbin/ipf/ifaddr.c45
-rw-r--r--sbin/ipf/ifaddr.h3
-rw-r--r--sbin/ipf/ipf.4257
-rw-r--r--sbin/ipf/ipf.5542
-rw-r--r--sbin/ipf/ipf.8329
-rw-r--r--sbin/ipf/ipf.c627
-rw-r--r--sbin/ipf/ipf.h117
-rw-r--r--sbin/ipf/opt.c180
-rw-r--r--sbin/ipf/parse.c1243
-rw-r--r--sbin/ipfstat/Makefile11
-rw-r--r--sbin/ipfstat/fils.c1268
-rw-r--r--sbin/ipfstat/ipfstat.8105
-rw-r--r--sbin/ipfstat/kmem.c108
-rw-r--r--sbin/ipfstat/kmem.h39
-rw-r--r--sbin/ipnat/Makefile9
-rw-r--r--sbin/ipnat/ipnat.4100
-rw-r--r--sbin/ipnat/ipnat.5211
-rw-r--r--sbin/ipnat/ipnat.8347
-rw-r--r--sbin/ipnat/ipnat.c410
-rw-r--r--sbin/ipnat/natparse.c823
-rw-r--r--share/Makefile4
-rw-r--r--share/ipf/Makefile13
-rw-r--r--share/ipf/example.14
-rw-r--r--share/ipf/example.1012
-rw-r--r--share/ipf/example.1127
-rw-r--r--share/ipf/example.1217
-rw-r--r--share/ipf/example.1317
-rw-r--r--share/ipf/example.1461
-rw-r--r--share/ipf/example.1511
-rw-r--r--share/ipf/example.1613
-rw-r--r--share/ipf/example.25
-rw-r--r--share/ipf/example.340
-rw-r--r--share/ipf/example.44
-rw-r--r--share/ipf/example.525
-rw-r--r--share/ipf/example.65
-rw-r--r--share/ipf/example.712
-rw-r--r--share/ipf/example.810
-rw-r--r--share/ipf/example.912
-rw-r--r--share/ipf/firewall.135
-rw-r--r--share/ipf/firewall.269
-rw-r--r--share/ipf/firewall.399
-rw-r--r--share/ipf/firewall.472
-rw-r--r--share/ipf/nat.131
-rw-r--r--share/ipf/nat.221
-rw-r--r--share/ipf/nat.345
-rw-r--r--share/man/man4/Makefile4
-rw-r--r--share/man/man4/ipl.481
-rw-r--r--sys/arch/pmax/conf/GENERIC4
-rw-r--r--sys/arch/pmax/conf/GENERIC.NFS4
-rw-r--r--sys/arch/pmax/conf/GENERIC.rz05
-rw-r--r--sys/conf/GENERIC4
-rw-r--r--sys/conf/files10
-rw-r--r--sys/net/bridgestp.c7
-rw-r--r--sys/net/if.c13
-rw-r--r--sys/net/if_bridge.c8
-rw-r--r--sys/netinet/fil.c2131
-rw-r--r--sys/netinet/in_proto.c7
-rw-r--r--sys/netinet/ip_auth.c550
-rw-r--r--sys/netinet/ip_fil.c1802
-rw-r--r--sys/netinet/ip_fil.h633
-rw-r--r--sys/netinet/ip_fil_compat.h1014
-rw-r--r--sys/netinet/ip_frag.c585
-rw-r--r--sys/netinet/ip_frag.h70
-rw-r--r--sys/netinet/ip_ftp_pxy.c789
-rw-r--r--sys/netinet/ip_input.c23
-rw-r--r--sys/netinet/ip_log.c472
-rw-r--r--sys/netinet/ip_nat.c2736
-rw-r--r--sys/netinet/ip_nat.h312
-rw-r--r--sys/netinet/ip_output.c45
-rw-r--r--sys/netinet/ip_proxy.c453
-rw-r--r--sys/netinet/ip_proxy.h158
-rw-r--r--sys/netinet/ip_raudio_pxy.c312
-rw-r--r--sys/netinet/ip_rcmd_pxy.c175
-rw-r--r--sys/netinet/ip_state.c1913
-rw-r--r--sys/netinet/ip_state.h202
-rw-r--r--sys/netinet/ipl.h19
-rw-r--r--usr.sbin/Makefile6
-rw-r--r--usr.sbin/ipfs/Makefile8
-rw-r--r--usr.sbin/ipfs/ipfs.8121
-rw-r--r--usr.sbin/ipfs/ipfs.c795
-rw-r--r--usr.sbin/ipftest/Makefile15
-rw-r--r--usr.sbin/ipftest/ipft_ef.c156
-rw-r--r--usr.sbin/ipftest/ipft_hx.c174
-rw-r--r--usr.sbin/ipftest/ipft_pc.c236
-rw-r--r--usr.sbin/ipftest/ipft_sn.c215
-rw-r--r--usr.sbin/ipftest/ipft_td.c193
-rw-r--r--usr.sbin/ipftest/ipft_tx.c352
-rw-r--r--usr.sbin/ipftest/ipftest.1164
-rw-r--r--usr.sbin/ipftest/ipt.c264
-rw-r--r--usr.sbin/ipftest/ipt.h41
-rw-r--r--usr.sbin/ipftest/misc.c116
-rw-r--r--usr.sbin/ipftest/pcap.h37
-rw-r--r--usr.sbin/ipftest/snoop.h49
-rw-r--r--usr.sbin/ipsend/Makefile5
-rw-r--r--usr.sbin/ipsend/common/44arp.c111
-rw-r--r--usr.sbin/ipsend/common/ip.c349
-rw-r--r--usr.sbin/ipsend/common/iplang.h56
-rw-r--r--usr.sbin/ipsend/common/ipsend.h71
-rw-r--r--usr.sbin/ipsend/common/sbpf.c144
-rw-r--r--usr.sbin/ipsend/common/sock.c410
-rw-r--r--usr.sbin/ipsend/ipresend/Makefile15
-rw-r--r--usr.sbin/ipsend/ipresend/ipresend.1119
-rw-r--r--usr.sbin/ipsend/ipresend/ipresend.c168
-rw-r--r--usr.sbin/ipsend/ipresend/resend.c144
-rw-r--r--usr.sbin/ipsend/ipsend/Makefile16
-rw-r--r--usr.sbin/ipsend/ipsend/iplang_l.l324
-rw-r--r--usr.sbin/ipsend/ipsend/iplang_y.y1869
-rw-r--r--usr.sbin/ipsend/ipsend/ipsend.190
-rw-r--r--usr.sbin/ipsend/ipsend/ipsend.5399
-rw-r--r--usr.sbin/ipsend/ipsend/ipsend.c402
-rw-r--r--usr.sbin/ipsend/ipsend/ipsopt.c197
-rw-r--r--usr.sbin/ipsend/iptest/Makefile11
-rw-r--r--usr.sbin/ipsend/iptest/iptest.1177
-rw-r--r--usr.sbin/ipsend/iptest/iptest.c227
-rw-r--r--usr.sbin/ipsend/iptest/iptests.c1341
146 files changed, 65 insertions, 34265 deletions
diff --git a/etc/Makefile b/etc/Makefile
index 707ce57067f..d92d22922f4 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.121 2001/05/14 14:39:39 hin Exp $
+# $OpenBSD: Makefile,v 1.122 2001/05/30 02:11:04 deraadt Exp $
TZDIR= /usr/share/zoneinfo
LOCALTIME= US/Pacific
@@ -15,8 +15,8 @@ BINGRP= wheel
BIN1= bootptab changelist ccd.conf csh.cshrc csh.login csh.logout \
daily dhcpd.conf dhcpd.interfaces dm.conf exports ftpusers \
ftpchroot gettytab group hosts hosts.lpd inetd.conf \
- ipf.rules ksh.kshrc locate.rc man.conf monthly motd mrouted.conf \
- myname ipnat.rules netstart networks newsyslog.conf passwd.conf \
+ ksh.kshrc locate.rc man.conf monthly motd mrouted.conf \
+ myname netstart networks newsyslog.conf passwd.conf \
phones printcap protocols rbootd.conf rc rc.conf rc.local \
rc.securelevel rc.shutdown remote rpc security services \
shells syslog.conf weekly etc.${MACHINE}/disktab dhclient.conf \
@@ -187,8 +187,6 @@ distribution-etc-root-var: distrib-dirs
${DESTDIR}/var/log/daemon
${INSTALL} -c -o ${BINOWN} -g wheel -m 640 /dev/null \
${DESTDIR}/var/log/ftpd
- ${INSTALL} -c -o ${BINOWN} -g wheel -m 640 /dev/null \
- ${DESTDIR}/var/log/ipflog
${INSTALL} -c -o ${BINOWN} -g wheel -m 644 /dev/null \
${DESTDIR}/var/log/lastlog
${INSTALL} -c -o ${BINOWN} -g wheel -m 640 /dev/null \
diff --git a/etc/changelist b/etc/changelist
index 4e7d61453ec..8e060f08abd 100644
--- a/etc/changelist
+++ b/etc/changelist
@@ -1,4 +1,4 @@
-# $OpenBSD: changelist,v 1.16 2001/05/04 15:57:11 millert Exp $
+# $OpenBSD: changelist,v 1.17 2001/05/30 02:11:05 deraadt Exp $
#
# List of files which the security script backs up and checks
# for modifications.
@@ -33,8 +33,6 @@
/etc/hosts.equiv
/etc/hosts.lpd
/etc/inetd.conf
-/etc/ipf.rules
-/etc/ipnat.rules
/etc/locate.rc
/etc/mail.rc
/etc/mailer.conf
diff --git a/etc/etc.alpha/MAKEDEV b/etc/etc.alpha/MAKEDEV
index 3b6a8ab8b32..8a87f1a8e1b 100644
--- a/etc/etc.alpha/MAKEDEV
+++ b/etc/etc.alpha/MAKEDEV
@@ -1,5 +1,5 @@
#!/bin/sh -
-# $OpenBSD: MAKEDEV,v 1.51 2001/05/14 07:56:36 deraadt Exp $
+# $OpenBSD: MAKEDEV,v 1.52 2001/05/30 02:11:11 deraadt Exp $
# $NetBSD: MAKEDEV,v 1.8.4.1 1996/06/18 00:41:56 cgd Exp $
#
# Copyright (c) 1990 The Regents of the University of California.
@@ -82,7 +82,6 @@
# *random inkernal random data source
# uk* SCSI Unknown device
# ss* SCSI scanners
-# ipl IP filter log
PATH=/sbin:/bin:/usr/bin:/usr/sbin
this=$0
@@ -159,7 +158,7 @@ all)
sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
sh $this tun0 tun1 tun2 tun3
sh $this ttyB0 ttyB1 tty00 tty01 lkm
- sh $this mmclock lpa0 lpt0 random ipl
+ sh $this mmclock lpa0 lpt0 random
sh $this uk0 uk1 ss0 ss1
sh $this ttyc0 ttyc1 ttyc2 ttyc3 ttyc4 ttyc5 ttyc6 ttyc7
sh $this local xfs0
@@ -538,15 +537,6 @@ random|srandom|urandom|prandom|arandom)
chmod 644 random srandom urandom prandom arandom
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 35 0
- mknod ipnat c 35 1
- mknod ipstate c 35 2
- mknod ipauth c 35 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
uk*)
rm -f uk$unit
mknod uk$unit c 33 $unit
diff --git a/etc/etc.amiga/MAKEDEV b/etc/etc.amiga/MAKEDEV
index dbd56c36923..03d0178341f 100644
--- a/etc/etc.amiga/MAKEDEV
+++ b/etc/etc.amiga/MAKEDEV
@@ -1,5 +1,5 @@
#!/bin/sh -
-# $OpenBSD: MAKEDEV,v 1.46 2001/04/10 03:03:50 brad Exp $
+# $OpenBSD: MAKEDEV,v 1.47 2001/05/30 02:11:12 deraadt Exp $
# $NetBSD: MAKEDEV,v 1.21 1996/05/19 21:03:49 veego Exp $
#
# Copyright (c) 1990 The Regents of the University of California.
@@ -86,7 +86,6 @@
# lkm loadable kernel modules interface
# bpf* Berkeley Packet Filter
# tun* network tunnel driver
-# ipf IP filter
# ss* SCSI scanners
# uk* SCSI Unknown device
# *random inkernal random data source
@@ -168,7 +167,7 @@ all)
sh $this vnd0 vnd1 vnd2 vnd3 vnd4 vnd5 vnd6 cd0 cd1 fd0 fd1 fd2 fd3
sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
sh $this view00 view01 view02 view03 view04 view05 pty0 pty1
- sh $this lpa0 lpa1 lpt0 lpt1 lpt2 ipl
+ sh $this lpa0 lpa1 lpt0 lpt1 lpt2
sh $this ccd0 ccd1 ccd2 ccd3 wd0 wd1 ch0 uk0 uk1
sh $this tun0 tun1 par0 lkm ss0 random audio0 xfs0 local
;;
@@ -182,7 +181,7 @@ floppy|ramdisk)
std)
rm -f console drum kmem mem reload null zero tty
- rm -f klog stdin stdout stderr ipf ksyms
+ rm -f klog stdin stdout stderr ksyms
mknod console c 0 0
mknod drum c 3 0 ; chmod 640 drum ; chown root.kmem drum
mknod kmem c 2 1 ; chmod 640 kmem ; chown root.kmem kmem
@@ -195,7 +194,6 @@ std)
mknod stdin c 21 0 ; chmod 666 stdin
mknod stdout c 21 1 ; chmod 666 stdout
mknod stderr c 21 2 ; chmod 666 stderr
- mknod ipf c 34 0 ; chmod 444 ipf
mknod ksyms c 42 0 ; chmod 640 ksyms ; chown root.kmem ksyms
;;
@@ -598,15 +596,6 @@ lpt*|lpa*)
chown root.wheel $name$unit
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 34 0
- mknod ipnat c 34 1
- mknod ipstate c 34 2
- mknod ipauth c 34 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
tun*)
unit=`expr $i : 'tun\(.*\)'`
rm -f tun$unit
diff --git a/etc/etc.arc/MAKEDEV b/etc/etc.arc/MAKEDEV
index 4881e9a6c80..459cb6e5cbb 100644
--- a/etc/etc.arc/MAKEDEV
+++ b/etc/etc.arc/MAKEDEV
@@ -1,5 +1,5 @@
#!/bin/sh -
-# $OpenBSD: MAKEDEV,v 1.34 2000/03/22 08:08:52 niklas Exp $
+# $OpenBSD: MAKEDEV,v 1.35 2001/05/30 02:11:13 deraadt Exp $
# @(#)MAKEDEV 8.1 (Berkeley) 6/9/93
#
@@ -122,7 +122,7 @@ all)
sh $this ccd0 ccd1 ccd2 xfs0
sh $this vnd0 vnd1 vnd2 vnd3 tty00 tty01 tty02 tty03 pty0 pty1
sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
- sh $this ipl tun0 tun1 tun2
+ sh $this tun0 tun1 tun2
sh $this ttyC0 lpt0 pms0 random uk0 uk1 local joy0 joy1
;;
@@ -236,15 +236,6 @@ bpf*|tun*)
chown root.wheel $name$unit
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 31 0
- mknod ipnat c 31 1
- mknod ipstate c 31 2
- mknod ipauth c 31 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
rd*)
umask 2 ; unit=`expr $i : '.*d\(.*\)'`
mknod rd${unit}a b 8 `expr $unit '*' 16 + 0`
diff --git a/etc/etc.hp300/MAKEDEV b/etc/etc.hp300/MAKEDEV
index 62621ea4a8e..5a338d90785 100644
--- a/etc/etc.hp300/MAKEDEV
+++ b/etc/etc.hp300/MAKEDEV
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $OpenBSD: MAKEDEV,v 1.31 2000/03/22 07:34:28 niklas Exp $
+# $OpenBSD: MAKEDEV,v 1.32 2001/05/30 02:11:15 deraadt Exp $
# $NetBSD: MAKEDEV,v 1.12 1995/11/05 23:50:22 thorpej Exp $
#
# Copyright (c) 1990 The Regents of the University of California.
@@ -102,7 +102,7 @@ all)
sh MAKEDEV sd0 sd1 sd2 rd0 rd1 pty0 vnd0 vnd1 vnd2 vnd3
sh MAKEDEV hil grf0 apci0 ppi0 ite0 dca0 dcm0 dcm1 dcm2 dcm3
sh MAKEDEV bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
- sh MAKEDEV ipl tun0 tun1 tun2 tun3 lkm random xfs0
+ sh MAKEDEV tun0 tun1 tun2 tun3 lkm random xfs0
sh MAKEDEV local
;;
@@ -189,15 +189,6 @@ bpf*)
chown root.wheel bpf$unit
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 33 0
- mknod ipnat c 33 1
- mknod ipstate c 33 2
- mknod ipauth c 33 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
tun*)
unit=`expr $i : 'tun\(.*\)'`
rm -f tun$unit
diff --git a/etc/etc.hppa/MAKEDEV b/etc/etc.hppa/MAKEDEV
index 377202aefb3..fafebe24989 100644
--- a/etc/etc.hppa/MAKEDEV
+++ b/etc/etc.hppa/MAKEDEV
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $OpenBSD: MAKEDEV,v 1.3 2000/03/22 08:08:53 niklas Exp $
+# $OpenBSD: MAKEDEV,v 1.4 2001/05/30 02:11:16 deraadt Exp $
# @(#)MAKEDEV 5.5 (Berkeley) 5/28/91
#
# Device "make" file. Valid arguments:
@@ -105,7 +105,7 @@ all)
sh MAKEDEV sd0 sd1 sd2 rd0 rd1 pty0 vnd0 vnd1 vnd2 vnd3
sh MAKEDEV hil com0 com1 com2 com3
sh MAKEDEV bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
- sh MAKEDEV ipl tun0 tun1 tun2 tun3 lkm random xfs0
+ sh MAKEDEV tun0 tun1 tun2 tun3 lkm random xfs0
sh MAKEDEV local
;;
@@ -181,15 +181,6 @@ bpf*)
chown root.wheel bpf$unit
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 21 0
- mknod ipnat c 21 1
- mknod ipstate c 21 2
- mknod ipauth c 21 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
tun*)
unit=${i##*[a-z]}
rm -f tun$unit
diff --git a/etc/etc.i386/MAKEDEV b/etc/etc.i386/MAKEDEV
index b12abaaaa6e..b707769c4f0 100644
--- a/etc/etc.i386/MAKEDEV
+++ b/etc/etc.i386/MAKEDEV
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $OpenBSD: MAKEDEV,v 1.93 2001/05/14 07:42:18 deraadt Exp $
+# $OpenBSD: MAKEDEV,v 1.94 2001/05/30 02:11:17 deraadt Exp $
# $NetBSD: MAKEDEV,v 1.40 1996/03/31 00:50:47 perry Exp $
#
# Copyright (c) 1990 The Regents of the University of California.
@@ -189,7 +189,7 @@ all)
sh $this ttyC0 ttyC1 ttyC2 ttyC3 ttyC4 ttyC5 ttyC6 ttyC7 ttyC8 ttyC9
sh $this ttyCa ttyCb
sh $this wscons
- sh $this ipl tun0 tun1 tun2
+ sh $this tun0 tun1 tun2
sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
sh $this speaker lkm audio0 joy0 joy1 apm local
sh $this random ses0 uk0 uk1 ss0 ss1 pctr bktr0 tuner0 wdt0
@@ -562,15 +562,6 @@ bpf*|tun[0-9]*)
chown root.wheel $name$unit
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 44 0
- mknod ipnat c 44 1
- mknod ipstate c 44 2
- mknod ipauth c 44 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
speaker) # (XXX - installed)
rm -f speaker
mknod speaker c 27 0
diff --git a/etc/etc.mac68k/MAKEDEV b/etc/etc.mac68k/MAKEDEV
index d27a0a8fd58..4567d5816e6 100644
--- a/etc/etc.mac68k/MAKEDEV
+++ b/etc/etc.mac68k/MAKEDEV
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $OpenBSD: MAKEDEV,v 1.31 2000/03/22 07:34:29 niklas Exp $
+# $OpenBSD: MAKEDEV,v 1.32 2001/05/30 02:11:19 deraadt Exp $
#
# Copyright (c) 1990 The Regents of the University of California.
# All rights reserved.
@@ -139,7 +139,6 @@ all)
sh $this adb asc0 grf0 grf1 grf2 grf3 ttye0
sh $this tty00 tty01 pty0
sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
- sh $this ipl
sh $this tun0 tun1 tun2 tun3
sh $this lkm
sh $this random
@@ -422,15 +421,6 @@ bpf*)
chown root.wheel bpf${unit}
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 35 0
- mknod ipnat c 35 1
- mknod ipstate c 35 2
- mknod ipauth c 35 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
tun*)
unit=`expr $i : 'tun\(.*\)'`
rm -f tun$unit
diff --git a/etc/etc.mvme68k/MAKEDEV b/etc/etc.mvme68k/MAKEDEV
index 0fa5a5e1e4a..df3f0603290 100644
--- a/etc/etc.mvme68k/MAKEDEV
+++ b/etc/etc.mvme68k/MAKEDEV
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $OpenBSD: MAKEDEV,v 1.29 2000/03/22 07:34:29 niklas Exp $
+# $OpenBSD: MAKEDEV,v 1.30 2001/05/30 02:11:20 deraadt Exp $
#
# Copyright (c) 1990 The Regents of the University of California.
# All rights reserved.
@@ -33,7 +33,7 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $OpenBSD: MAKEDEV,v 1.29 2000/03/22 07:34:29 niklas Exp $
+# $OpenBSD: MAKEDEV,v 1.30 2001/05/30 02:11:20 deraadt Exp $
#
# Device "make" file. Valid arguments:
# all makes all known devices, including local devices,
@@ -90,7 +90,7 @@ all)
sh MAKEDEV tty00 tty01 tty02 tty03
sh MAKEDEV ttyw0
sh MAKEDEV sd0 sd1 sd2 sd3 sd4 sd5 sd6 sd7 sd8 sd9
- sh MAKEDEV vnd0 vnd1 pty0 cd0 ipl
+ sh MAKEDEV vnd0 vnd1 pty0 cd0
sh MAKEDEV bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
#sh MAKEDEV ccd0 ccd1 ccd2 ccd3
sh MAKEDEV tun0 tun1 lkm local
@@ -398,15 +398,6 @@ bpf*)
chown root.wheel bpf$unit
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 39 0
- mknod ipnat c 39 1
- mknod ipstate c 39 2
- mknod ipauth c 39 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
tun*)
unit=`expr $i : 'tun\(.*\)'`
rm -f tun$unit
diff --git a/etc/etc.mvme88k/MAKEDEV b/etc/etc.mvme88k/MAKEDEV
index ed4548c5387..6ad5db246a4 100644
--- a/etc/etc.mvme88k/MAKEDEV
+++ b/etc/etc.mvme88k/MAKEDEV
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $OpenBSD: MAKEDEV,v 1.10 2001/03/12 23:23:50 miod Exp $
+# $OpenBSD: MAKEDEV,v 1.11 2001/05/30 02:11:21 deraadt Exp $
# $NetBSD: MAKEDEV,v 1.5 1997/01/01 23:46:23 pk Exp $
#
# Copyright (c) 1990 The Regents of the University of California.
@@ -77,7 +77,7 @@ all)
sh $this tty00 tty01 tty02 tty03
sh $this ttyw0
sh $this sd0 sd1 sd2 sd3 sd4 sd5 sd6 sd7 sd8 sd9
- sh $this vnd0 vnd1 pty0 cd0 ipl
+ sh $this vnd0 vnd1 pty0 cd0
sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
#sh $this ccd0 ccd1 ccd2 ccd3
sh $this tun0 tun1 lkm local
@@ -340,15 +340,6 @@ lkm)
chmod 640 lkm
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 39 0
- mknod ipnat c 39 1
- mknod ipstate c 39 2
- mknod ipauth c 39 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
local)
umask 0
test -s MAKEDEV.local && sh MAKEDEV.local
diff --git a/etc/etc.pc532/MAKEDEV b/etc/etc.pc532/MAKEDEV
index e3aca0bfbdd..9bad435840c 100644
--- a/etc/etc.pc532/MAKEDEV
+++ b/etc/etc.pc532/MAKEDEV
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $OpenBSD: MAKEDEV,v 1.19 2000/03/22 08:34:16 niklas Exp $
+# $OpenBSD: MAKEDEV,v 1.20 2001/05/30 02:11:22 deraadt Exp $
#
# Copyright (c) 1990 The Regents of the University of California.
# All rights reserved.
@@ -69,7 +69,7 @@ all)
sh MAKEDEV std fd sd0 sd1 sd2 st0 st1 cd0 cd1
sh MAKEDEV tty0 tty1 tty2 tty3 tty4 tty5 tty6 tty7
sh MAKEDEV bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
- sh MAKEDEV tun0 tun1 tun2 lkm random ipl
+ sh MAKEDEV tun0 tun1 tun2 lkm random
sh MAKEDEV ccd0 ccd1 ccd2 ccd3
sh MAKEDEV uk0 uk1
sh MAKEDEV ss0
@@ -282,15 +282,6 @@ bpf*)
chown root.wheel bpf$unit
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 19 0
- mknod ipnat c 19 1
- mknod ipstate c 19 2
- mknod ipauth c 19 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
tun*)
unit=`expr $i : 'tun\(.*\)'`
rm -f tun$unit
diff --git a/etc/etc.pmax/MAKEDEV b/etc/etc.pmax/MAKEDEV
index 43ae9b4049a..2641fe93ce1 100644
--- a/etc/etc.pmax/MAKEDEV
+++ b/etc/etc.pmax/MAKEDEV
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $OpenBSD: MAKEDEV,v 1.35 2000/09/13 21:09:51 maja Exp $
+# $OpenBSD: MAKEDEV,v 1.36 2001/05/30 02:11:23 deraadt Exp $
# @(#)MAKEDEV 8.1 (Berkeley) 6/9/93
#
@@ -117,7 +117,7 @@ all)
# sh $this lkm local
sh $this xfs0
sh $this fb0 fb1 fb2
- sh $this random ipl
+ sh $this random
;;
raminst)
@@ -180,15 +180,6 @@ bpf*)
chown root.wheel bpf$unit
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 91 0
- mknod ipnat c 91 1
- mknod ipstate c 91 2
- mknod ipauth c 91 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
#tun*)
# unit=`expr $i : 'tun\(.*\)'`
# rm -f tun$unit
diff --git a/etc/etc.powerpc/MAKEDEV b/etc/etc.powerpc/MAKEDEV
index 5397d414f5f..d84d1456270 100644
--- a/etc/etc.powerpc/MAKEDEV
+++ b/etc/etc.powerpc/MAKEDEV
@@ -1,5 +1,5 @@
#!/bin/sh -
-# $OpenBSD: MAKEDEV,v 1.43 2001/04/10 03:03:52 brad Exp $
+# $OpenBSD: MAKEDEV,v 1.44 2001/05/30 02:11:24 deraadt Exp $
#
# Copyright (c) 1990 The Regents of the University of California.
# All rights reserved.
@@ -153,7 +153,7 @@ all)
sh $this vnd0 vnd1 vnd2 vnd3
sh $this ccd0 ccd1 ccd2 ccd3
sh $this raid0 raid1 raid2 raid3
- sh $this rd0 ipl
+ sh $this rd0
sh $this ttyC0 ttyCcfg
sh $this tty00 tty01 tty02 tty03 pty0 pty1
sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
@@ -525,15 +525,6 @@ bpf*)
chown root.wheel bpf${unit}
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 39 0
- mknod ipnat c 39 1
- mknod ipstate c 39 2
- mknod ipauth c 39 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
tun*)
unit=${i##*[a-z]}
rm -f tun$unit
diff --git a/etc/etc.sparc/MAKEDEV b/etc/etc.sparc/MAKEDEV
index 83167c8919a..2f666a694be 100644
--- a/etc/etc.sparc/MAKEDEV
+++ b/etc/etc.sparc/MAKEDEV
@@ -1,5 +1,5 @@
#!/bin/sh -
-# $OpenBSD: MAKEDEV,v 1.65 2001/05/14 07:51:41 deraadt Exp $
+# $OpenBSD: MAKEDEV,v 1.66 2001/05/30 02:11:25 deraadt Exp $
#
# Copyright (c) 1990 The Regents of the University of California.
# All rights reserved.
@@ -86,7 +86,6 @@
# spif* spif card (makes 8 tty and 1 bpp)
# bpp* bpp
# xfs* XFS filesystem devices
-# ipl IP filter log
PATH=/sbin:/bin:/usr/bin:/usr/sbin
this=$0
@@ -206,7 +205,6 @@ all)
sh $this ccd0 ccd1 ccd2 ccd3
sh $this raid0 raid1 raid2 raid3
sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
- sh $this ipl
sh $this bwtwo0 cgtwo0 cgthree0 cgfour0 cgsix0
sh $this cgeight0 cgfourteen0 tcx0
sh $this lkm random local
@@ -337,15 +335,6 @@ bpf*)
chown root.wheel bpf$unit
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 59 0
- mknod ipnat c 59 1
- mknod ipstate c 59 2
- mknod ipauth c 59 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
tun*)
rm -f tun$unit
mknod tun$unit c 111 $unit
diff --git a/etc/etc.sun3/MAKEDEV b/etc/etc.sun3/MAKEDEV
index a6ca077c911..b1d3b964efc 100644
--- a/etc/etc.sun3/MAKEDEV
+++ b/etc/etc.sun3/MAKEDEV
@@ -1,5 +1,5 @@
#!/bin/sh -
-# $OpenBSD: MAKEDEV,v 1.33 2001/02/15 01:41:49 todd Exp $
+# $OpenBSD: MAKEDEV,v 1.34 2001/05/30 02:11:26 deraadt Exp $
#
# Copyright (c) 1990 The Regents of the University of California.
# All rights reserved.
@@ -70,7 +70,6 @@
# tun* network tunnel driver
# *random inkernal random data source
# xfs* XFS filesystem devices
-# ipl IP filter log
PATH=/sbin:/bin:/usr/bin:/usr/sbin
this=$0
@@ -187,7 +186,6 @@ all)
sh $this pty0 vnd0 vnd1 vnd2 vnd3 tun0 tun1 tun2 tun3
sh $this ccd0 ccd1 ccd2 ccd3
sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9
- sh $this ipl
sh $this bwtwo0 cgtwo0 cgfour0
sh $this random local
sh $this xfs0
@@ -273,15 +271,6 @@ bpf*)
chown root.wheel bpf$unit
;;
-ipl)
- rm -f ipl ipnat ipstate ipauth
- mknod ipl c 75 0
- mknod ipnat c 75 1
- mknod ipstate c 75 2
- mknod ipauth c 75 3
- chown root.wheel ipl ipnat ipstate ipauth
- ;;
-
tun*)
rm -f tun$unit
mknod tun$unit c 24 $unit
diff --git a/etc/etc.vax/MAKEDEV b/etc/etc.vax/MAKEDEV
index e18974983d4..9b705f1ac7a 100644
--- a/etc/etc.vax/MAKEDEV
+++ b/etc/etc.vax/MAKEDEV
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $OpenBSD: MAKEDEV,v 1.27 2001/04/01 20:14:40 hugh Exp $
+# $OpenBSD: MAKEDEV,v 1.28 2001/05/30 02:11:27 deraadt Exp $
# $NetBSD: MAKEDEV,v 1.30 2000/01/21 12:28:29 tsutsui Exp $
#
# @(#)MAKEDEV 8.1 (Berkeley) 6/9/93
@@ -92,7 +92,7 @@ ramdisk)
std)
rm -f console drum floppy crl csa1 csa2 tu0 tu1 g0 g1 g2 g3
rm -f kUmem kmem mem null zero tty klog ttyg[0-3]
- rm -f stdin stdout stderr ksyms ipl ipnat ipstate ipauth
+ rm -f stdin stdout stderr ksyms
mknod console c 0 0
mknod ttyg0 c 25 0
mknod ttyg1 c 25 1
@@ -115,11 +115,7 @@ std)
mknod stdin c 53 0 ; chmod 666 stdin
mknod stdout c 53 1 ; chmod 666 stdout
mknod stderr c 53 2 ; chmod 666 stderr
- mknod ipl c 42 0 ; chmod 600 ipl
mknod ksyms c 50 0 ; chmod 640 ksyms ; chown root.kmem ksyms
- mknod ipnat c 42 1 ; chmod 600 ipnat
- mknod ipstate c 42 2 ; chmod 600 ipstate
- mknod ipauth c 42 3 ; chmod 600 ipauth
;;
fd)
diff --git a/etc/ipf.rules b/etc/ipf.rules
deleted file mode 100644
index 35e058b02ab..00000000000
--- a/etc/ipf.rules
+++ /dev/null
@@ -1,11 +0,0 @@
-# $OpenBSD: ipf.rules,v 1.6 1997/11/04 08:39:32 deraadt Exp $
-#
-# IP filtering rules. See the ipf(5) man page for more
-# information on the format of this file, and /usr/share/ipf
-# for example configuration files.
-#
-# Pass all packets by default.
-# edit the ipfilter= line in /etc/rc.conf to enable IP filtering
-#
-pass in from any to any
-pass out from any to any
diff --git a/etc/ipnat.rules b/etc/ipnat.rules
deleted file mode 100644
index 20e5a165574..00000000000
--- a/etc/ipnat.rules
+++ /dev/null
@@ -1,6 +0,0 @@
-# $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
-#
-# See /usr/share/ipf/nat.1 for examples.
-# edit the ipnat= line in /etc/rc.conf to enable Network Address Translation
-
-#map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
diff --git a/etc/mtree/special b/etc/mtree/special
index dec4f2c22b0..32e2535c33b 100644
--- a/etc/mtree/special
+++ b/etc/mtree/special
@@ -1,4 +1,4 @@
-# $OpenBSD: special,v 1.31 2001/03/16 15:39:08 millert Exp $
+# $OpenBSD: special,v 1.32 2001/05/30 02:11:29 deraadt Exp $
# $NetBSD: special,v 1.4 1996/05/08 21:30:18 pk Exp $
# @(#)special 8.2 (Berkeley) 1/23/94
#
@@ -32,7 +32,6 @@ group type=file mode=0644 uname=root gname=wheel
hosts type=file mode=0644 uname=root gname=wheel
hosts.equiv type=file mode=0600 uname=root gname=wheel optional
inetd.conf type=file mode=0644 uname=root gname=wheel
-ipf.rules type=file mode=0644 uname=root gname=wheel optional
kerberosIV type=dir mode=0755 uname=root gname=wheel optional ignore
.. #kerberosIV
host.random type=file mode=0600 uname=root gname=wheel optional
diff --git a/etc/netstart b/etc/netstart
index 7718072f234..7cef40fc9ff 100644
--- a/etc/netstart
+++ b/etc/netstart
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $OpenBSD: netstart,v 1.77 2001/03/13 21:15:09 deraadt Exp $
+# $OpenBSD: netstart,v 1.78 2001/05/30 02:11:08 deraadt Exp $
# Returns true if $1 contains only alphanumerics
isalphanumeric() {
@@ -27,14 +27,6 @@ fi
# pick up option configuration
. /etc/rc.conf
-# Configure the IP filter before configuring network interfaces
-if [ X"${ipfilter}" = X"YES" -a -f "${ipfilter_rules}" ]; then
- echo 'configuring IP filter'
- ipf -Fa -f ${ipfilter_rules}
-else
- ipfilter=NO
-fi
-
# set the address for the loopback interface
# it will also initialize IPv6 address for lo0 (::1 and others).
ifconfig lo0 inet localhost
@@ -281,11 +273,3 @@ EOF
route -n add -net 224.0.0.0/4 -interface 127.0.0.1 -reject > /dev/null
;;
esac
-
-# Configure NAT after configuring network interfaces
-if [ "${ipnat}" = "YES" -a "${ipfilter}" = "YES" -a -f "${ipnat_rules}" ]; then
- echo 'configuring NAT'
- ipnat -CF -f ${ipnat_rules}
-else
- ipnat=NO
-fi
diff --git a/etc/newsyslog.conf b/etc/newsyslog.conf
index 0e4cbb1fa48..6361fa12150 100644
--- a/etc/newsyslog.conf
+++ b/etc/newsyslog.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: newsyslog.conf,v 1.11 2000/09/22 14:25:40 millert Exp $
+# $OpenBSD: newsyslog.conf,v 1.12 2001/05/30 02:11:08 deraadt Exp $
#
# configuration file for newsyslog
#
@@ -14,8 +14,6 @@
/var/log/wtmp 644 7 * 168 ZB
/var/log/xferlog 640 7 250 * Z
/var/log/ppp.log 640 7 250 * Z
-# If you run ipmon w/o the -Ds flag you need to add "/var/run/ipmon.pid" here
-/var/log/ipflog 640 7 * 24 Z
#
# Uncomment to rotate apache logs
#
diff --git a/etc/rc b/etc/rc
index 9743922bf93..a34ed429f57 100644
--- a/etc/rc
+++ b/etc/rc
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.170 2001/05/15 21:28:43 deraadt Exp $
+# $OpenBSD: rc,v 1.171 2001/05/30 02:11:09 deraadt Exp $
# System startup script run by init on autoboot
# or after single-user.
@@ -184,10 +184,6 @@ if [ "X${named_flags}" != X"NO" ]; then
echo 'starting named'; named $named_flags
fi
-if [ X"${ipfilter}" = X"YES" -a X"${ipmon_flags}" != X"NO" ]; then
- echo 'starting ipmon'; ipmon ${ipmon_flags}
-fi
-
# $photurisd_flags is imported from /etc/rc.conf;
# If $photurisd_flags == NO or /etc/photuris/photuris.conf doesn't exist, then
# photurisd isn't run.
diff --git a/etc/rc.conf b/etc/rc.conf
index 57f0b16a3e5..7f19c1b1993 100644
--- a/etc/rc.conf
+++ b/etc/rc.conf
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $OpenBSD: rc.conf,v 1.60 2001/05/23 16:32:03 aaron Exp $
+# $OpenBSD: rc.conf,v 1.61 2001/05/30 02:11:09 deraadt Exp $
# set these to "NO" to turn them off. otherwise, they're used as flags
routed_flags=NO # for normal use: "-q"
@@ -50,8 +50,6 @@ gated=NO
kerberos_server=NO # kerberos server. run 'info kth-krb' for assistance.
kerberos_slave=NO # kerberos slave server.
amd=NO
-ipfilter=NO
-ipnat=NO # for "YES" ipfilter must also be "YES"
portmap=YES # almost always needed
inetd=YES # almost always needed
lpd=NO # printing daemons
@@ -72,9 +70,6 @@ yppasswdd_flags= # "-d /etc/yp" if passwd files are in /etc/yp
nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver
amd_dir=/tmp_mnt # AMD's mount directory
amd_master=/etc/amd/master # AMD 'master' map
-ipfilter_rules=/etc/ipf.rules # Rules for IP packet filtering
-ipnat_rules=/etc/ipnat.rules # Rules for Network Address Translation
-ipmon_flags=-Ds # To disable logging, use ipmon_flags=NO
syslogd_flags= # add more flags, ie. "-u -a /chroot/dev/log"
named_user=named # Named should not run as root unless necessary
named_chroot=/var/named # Where to chroot named if not empty
diff --git a/etc/syslog.conf b/etc/syslog.conf
index 8ec070adaac..ed07bee4a2d 100644
--- a/etc/syslog.conf
+++ b/etc/syslog.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: syslog.conf,v 1.7 2000/06/20 03:37:49 kjell Exp $
+# $OpenBSD: syslog.conf,v 1.8 2001/05/30 02:11:10 deraadt Exp $
#
*.err;kern.debug;auth.notice;authpriv.none;mail.crit /dev/console
@@ -11,7 +11,7 @@ daemon.info /var/log/daemon
ftp.info /var/log/xferlog
lpr.debug /var/log/lpd-errs
mail.info /var/log/maillog
-local0.info /var/log/ipflog
+#local0.info /var/log/ipflog
#uucp.info /var/log/uucp
*.err root
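Review bot: The `local0.info /var/log/ipflog` entry is only commented out, leaving `#local0.info /var/log/ipflog` on the new side as a reference to a log file that this commit stops creating (the etc/Makefile hunk drops the `${DESTDIR}/var/log/ipflog` install) and stops rotating (the etc/newsyslog.conf hunk drops its entry). An operator who later uncomments it would be pointing syslogd at a file nothing else in this diff provisions, so the line is better removed outright like the other ipf remnants in this commit, or, if a local0 example is wanted, replaced with a comment that says so, e.g. `# local0 is free for local use; point it at a file you create and rotate yourself`. The wording change in the second hunk of this file is fine as is.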
@@ -23,7 +23,7 @@ local0.info /var/log/ipflog
# syslogd with the -u option on the remote host if you are using this.
# (This is also required to log info from things like routers and
# ISDN-equipment). If you run -u, you are vulnerable to syslog bombing,
-# and should consider using ipf to block external syslog packets
+# and should consider blocking external syslog packets
#*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none @loghost
#kern.debug,user.info,syslog.info @loghost
#auth.info,authpriv.debug,daemon.info @loghost
diff --git a/sbin/Makefile b/sbin/Makefile
index 4d4efab7b7c..235bfceb41d 100644
--- a/sbin/Makefile
+++ b/sbin/Makefile
@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.56 2001/04/17 05:09:21 drahn Exp $
+# $OpenBSD: Makefile,v 1.57 2001/05/30 02:11:30 deraadt Exp $
# Not ported: XNSrouted enpload scsiformat startslip
# Missing: icheck
SUBDIR= atactl badsect brconfig ccdconfig disklabel dmesg fsck ifconfig init \
- ipf ipfstat ipnat ipsecadm isakmpd kbd lmccontrol mknod modload \
+ ipsecadm isakmpd kbd lmccontrol mknod modload \
modunload mount mountd ncheck_ffs nfsd nologin photurisd ping \
quotacheck raidctl reboot route routed savecore scan_ffs scsi \
shutdown slattach startkey swapctl sysctl ttyflags umount
diff --git a/sbin/ipf/HISTORY b/sbin/ipf/HISTORY
deleted file mode 100644
index 3d1c6478fbc..00000000000
--- a/sbin/ipf/HISTORY
+++ /dev/null
@@ -1,1679 +0,0 @@
-# $OpenBSD: HISTORY,v 1.11 2001/01/17 07:26:57 fgsch Exp $
-#
-# NOTE: Quite a few patches and suggestions come from other sources, to whom
-# I'm greatly indebted, even if no names are mentioned.
-#
-# Thanks to the Coombs Computing Unit at the ANU for their continued support
-# in providing a very available location for the IP Filter home page and
-# distribution center.
-#
-# Thanks to Hewlett Packard for making it possible to port IP Filter to
-# HP-UX 11.00.
-#
-# Thanks to Tel.Net Media for supplying me with equipment to ensure that
-# IP Filter continues to work on Solaris/sparc64.
-#
-# Thanks to BSDI for providing object files for BSD/OS 3.1 and the means
-# to further support development of IP Filter under BSDI.
-#
-# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
-# loan of a machine to work on a Solaris 2.x port of this software.
-#
-# Thanks also to all those who have contributed patches and other code,
-# and especially those who have found the time to port IP Filter to new
-# platforms.
-#
-3.4.16 15/01/2001 - Released
-
-fix race condition in flushing of state entries that are timing out
-
-Add TCP ECN patches
-
-log all NAT entries created, not just those via rules
-
-3.4.15 17/12/2000 - Released
-
-add minimum ttl filtering (to be replaced later by return-icmp-as-dest
-for all ICMP packets matching state entries).
-
-fix NAT'ing of fragments
-
-fix sanity checks for ICMPV6
-
-fix up compiling on IRIX 6.2 with IDF/IDL installed
-
-3.4.14 02/11/2000 - Released
-
-cause flushing NAT table to generate log records the same as state flush
-does.
-
-fix ftp proxy port/pasv
-
-fix problem where nat_{in,out}lookup() would release a write lock when it
-didn't need to.
-
-add check for ipf6.conf in Solaris ipfboot
-
-3.4.13 28/10/2000 - Released
-
-fix introduced bug with ICMP packets being rejected when valid
-
-fix bug with proxy's that don't set fin_dlen correctly when calling
-fr_addstate()
-
-3.4.12 26/10/2000 - Released
-
-fix installing into FreeBSD-4.1
-
-fix FTP proxy bug where it'd hang and make NAT slightly more efficient
-
-fix general compiling errors/warnings on various platforms
-
-don't access ICMP data fields that aren't there
-
-3.4.11 09/10/2000 - Released
-
-return NULL for IPv6 access control lists if it is disabled rather than
-random garbage.
-
-fix for getting protocol & packet length for IPv6 packets for pullup.
-
-update plog script from version 0.8 to version 0.10
-
-patch from Frank Volf adding fix_datacksum() to NAT code, enhancing the
-capabilities for "fixing" checksums.
-
-3.4.10 03/09/2000 - Released
-
-merge patch from Frank Volf for ICMP nat handling of TCP/UDP data `errors'
-
-getline() adjusts linenum now
-
-add tcphalfclosed timeout
-
-fill in icmp_nextmtu field if it is defined on the platform
-
-RST generation fix from guido
-
-force 32bit compile for gcc on solaris if it can't generate 64bit code
-
-encase logging when fr_chksrc == 2 in #ifdef IPFILTER_LOG
-
-fix up line wrap problems in plog script
-
-fix ICMP packet handling to not drop valid ICMP errors
-
-freebsd 5.0 compat changes
-
-3.4.9 08/08/2000 - Released
-
-implement new aging mechanism in fr_tcp_age()
-
-fix icmp state checking bug
-
-revamp buildsunos script and build both sparcv7/sparcv9 for Solaris
-if on an Ultra with a 64bit system & compiler (Caseper Dik)
-
-open ipfilter device read only if we know we can
-
-print out better information for ICMP packets in ipmon
-
-move checking for source spoofed packets to a point where we can generate
-logs of them
-
-return EFAULT from ircopyptr/iwcopyptr
-
-don't do ioctl(SIOCGETFS) for auth stats
-
-fix up freeing mbufs for post-4.3BSD
-
-fix returning of inc from ftp proxy
-
-fix bugs with ipfs -R/-W (Caseper Dik)
-
-3.4.8 19/07/2000 - Released
-
-create fake opt_inet6.h for FreeBSD-4 compile as LKM
-
-add #ifdef's for KLD_MODULE sanity
-
-NAT fastroute'd packets which come out of return-*
-
-fix upper/lower case crap in ftp proxy and get seq# checking fixed up.
-
-3.4.7 08/07/2000 - Released
-
-make "ipf -y" lookup NAT if's which are unknown
-
-prepend line numbers to ioctl error messages in ipf/ipnat
-
-don't apply patches to FreeBSD twice
-
-allow for ip_len to be on an unaligned boundary early on in fr_precheck
-
-fix printing of icmp code when it is 0
-
-correct printing of port numbers in map rules with from/to
-
-don't allow fr_func to be called at securelevel > 0 or rules to be added
-if securelevel > 0 if they have a non-zero fr_func.
-
-3.4.6 11/06/2000 - Released
-
-add extra regression tests for new nat functionality
-
-place restrictions on using '!' in map/rdr rules
-
-fix up solaris compile problems
-
-3.4.5 10/06/2000 - Released
-
-mention -sl in ipfstat.8
-
-fix/support '!' in from/to rules (rdr) for NAT
-
-add from/to support to rdr NAT rules
-
-don't send ICMP errors in response to ICMP errors
-
-fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot
-
-input accounting list used for both outbound and inbound packets
-
-3.4.4 23/05/2000 - Released
-
-don't add TCP state if it is an RST packet and (attempt) to send out
-RST/ICMP packets in a manner that bypasses IP Filter.
-
-add patch to work with 4.0_STABLE delayed checksums
-
-3.4.3 20/05/2000 - Released
-
-fix ipmon -F
-
-don't truncate IPv6 packets on Solaris
-
-fix keep state for ICMP ECHO
-
-add some NAT stats and use def_nat_age rather than DEF_NAT_AGE
-
-don't make ftp proxy drop packets
-
-use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be
-swapped back.
-
-fix up RST generation for non-Solaris
-
-get "short" flag right for IPv6
-
-3.4.2 - 10/5/2000 - Released
-
-Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun
-
-ignore previous NAT mappings for 0/0 and 0/32 rules
-
-bring in a completely new ftp proxy
-
-allow NAT to cause packets to be dropped.
-
-add NetBSD callout support for 1.4-current
-
-3.4.1 - 30/4/2000 - Released
-
-add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX
-
-don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined
-
-Solaris must use copyin() for all types of ioctl() args
-
-fix up screen/tty when leaving "top mode" of ipfstat
-
-linked list for maptable not setup correctly in nat_hostmap()
-
-check for maptable rather than nat_table[1] to see if malloc for maptable
-succeeded in nat_init
-
-fix handling of map NAT rules with "from/to" host specs
-
-fix printout out of source address when using "from/to" with map rules
-
-convert ip_len back to network byte order, not plen, for solaris as ip_len
-may have been changed by NAT and plen won't reflect this
-
-3.4 - 27/4/2000 - Released
-
-source address spoofing can be turned on (fr_chksrc) without using
-filter rules
-
-group numbers are now 32bits in size, up from 16bits
-
-IPv6 filtering available
-
-add frank volf's state-top patches
-
-add load splitting and round-robin attribute to redirect rules
-
-FreeBSD-4.0 support (including KLD)
-
-add top-style operation mode for ipfstat (-t)
-
-add save/restore of IP Filter state/NAT information (ipfs)
-
-further ftp proxy security checks
-
-support for adding and removing proxies at runtime
-
-3.3.13 26/04/2000 - Released
-
-Fix parsing of "range" with "portmap"
-
-Relax checking of ftp replies, slightly.
-
-Fix NAT timeouts for ICMP packets
-
-SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de)
-
-3.3.12 16/03/2000 - Released
-
-tighten up ftp proxy behaviour. sigh. yuck. hate.
-
-fix bug in range check for NAT where the last IP# was not used.
-
-fix problem with icmp codes > 127 in filter rules caused bad things to
-happen and in particular, where #18 caused the rule to be printed
-erroneously.
-
-fix bug with the spl level not being reset when returning EIO from
-iplioctl due to ipfilter not being initialized yet.
-
-3.3.11 04/03/2000 - Released
-
-make "or-block" work with lines that start with "log"
-
-fix up parsing and printing of rules with syslog levels in them
-
-fix from Cy Schubert for calling of apr_fini only if non-null
-
-
-3.3.10 24/02/2000 - Released
-
-* fix back from guido for state tracking interfaces
-
-* update for NetBSD pfil interface changes
-
-* if attaching fails and we can abort, then cleanup when doing so.
-
-julian@computer.org:
-* solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp.
-* ipf.c (packetlogon): use flag to store the return value from get_flags.
-* ipmon.c (init_tabs): General cleanup so we do not have to cast
- an int s->s_port to u_int port and try to check if the u_int port
- is less than zero.
-
-3.3.9 15/02/2000 - Released
-
-fix scheduling of bad locking in fr_addstate() used when we attach onto
-a filter rule.
-
-fix up ip_statesync() with storing interface names in ipstate_t
-
-fix fr_running for LKM's - Eugene Polovnikov
-
-junk using pullupmsg() for solaris - it's next to useless for what we
-need to do here anyway - and implement what we require.
-
-don't call fr_delstate() in fr_checkstate(), when compiled for a user
-program, early but when we're finished with it (got fr & pass)
-
-ipnat(5) fix from Guido
-
-on solaris2, copy message and use that with filter if there is another
-copy if it being used (db_ref > 1). bad for performance, but better
-than causing a crash.
-
-patch for solaris8-fcs compile from Casper Dik
-
-3.3.8 01/02/2000 - Released
-
-fix state handling of SYN packets.
-
-add parsing recognition of extra icmp types/codes and fix handling of
-icmp time stamps and mask requests - Frank volf
-
-3.3.7 25/01/2000 - Released
-
-sync on state information as well as NAT information when required
-
-record nat protocol in all nat log records
-
-don't reuse the IP# from an active NAT session if the IP# in the rule
-has changed dynamically.
-
-lookup the protocol for NAT log information in ipmon and pass that to
-portname.
-
-fix the bug with changing the outbound interface of a packet where it
-would lead to a panic.
-
-use fr_running instead of ipl_inited. (sysctl name change on freebsd)
-
-return EIO if someone attempts an ioctl on state/nat if ipfilter is not
-enabled.
-
-fix rule insertion bug
-
-make state flushing clean anything that's not fully established (4/4)
-
-call fr_state_flush() after we've released ipf_state so we don't generate
-a recursive mutex acquisition panic
-
-fix parsing of icmp code after return-icmp/return-icmp-as-dest and add
-some patches to enhance parsing strength
-
-3.3.6 28/12/1999 - Released
-
-add in missing rwlock release in fr_checkicmpmatchingstate() and fix check
-for ICMP_ECHO to only be for packet, not state entry which we don't have yet.
-
-handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl()
-
-fix size of friostat for SunOS4
-
-fix bug in running off the end of a buffer in real audio proxy
-
-3.3.5 11/12/1999 - Released
-
-fix parsing of "log level" and printing it back out too
-
-<net/if_types.h> is only present on Solaris2.6/7/8
-
-use send_icmp_err rather than icmp_error to send back a frag-needed error
-when doing PMTU
-
-do not use -b with add_drv on Solaris unless $BASEDIR is set.
-
-fix problem where source address in icmp replies is reversed
-
-fix yet another problem with real audio.
-
-3.3.4 4/12/1999 - Released
-
-fix up the real audio proxy to properly setup state information and NAT
-entries, thanks to Laine Stump for testing/advice/fixes.
-
-fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent
-FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this
-routine.
-
-fix kinstall for BSDI
-
-support ICMP errors being allowed through for ICMP packets going out with
-keep state enabled
-
-support hardware checksumming (gigabit ethernet cards) on Solaris thanks to
-Tel.Net Media for providing hardware for testing.
-
-patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing
-ICMP responses to ICMP packets in the keep state table.
-
-add in patches for hardware checksumming under solaris
-
-Solaris install scripts now use $BASEDIR as appropriate.
-
-add Solaris8 support
-
-fix "ipf -y" on solaris so that it rescans rules also for changes in
-interface pointers
-
-let ipmon become a daemon with -D if it is using syslog
-
-fix parsing of return-icmp-as-dest(foo)
-
-add reference to ipfstat -g to ipfstat.8
-
-ipf_mutex needs to be declared for irix in ip_fil.c
-
-3.3.3 22/10/1999 - Released
-
-add -g command line option to ipfstat to show groups still define.
-
-fix problem with fragment table not recording rule pointer when called
-from state functions (fin_fr not set).
-
-fixup fastroute problems with keep state rules.
-
-load rules into inactive set first, so we don't disable things like NIS
-lookups half way through processing - found by Kevin Littlejohn
-
-fix handling of unaligned ip pointer for solaris
-
-patch for fr_newauth from Rudi Sluijtman
-
-fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short
-
-3.3.2 23/09/1999 - Released
-
-patches from Scott Presnell to fix rcmd proxy
-
-patches from Greg to fix Solaris detachment of interfaces
-
-add openbsd compatibility fixes
-
-fix free'ing already freed memory in ipfr_slowtimer()
-
-fix for deferencing invalid memory in cleaning up after a device disappears
-
-3.3.1 14/8/1999 - Released
-
-remove include file sys/user.h for irix
-
-prevent people from running buildsunos directly
-
-fix up some problems with the saving of rule pointers so that NAT saves
-that information in case it should need to call fr_addstate() from a proxy.
-
-fix up scanning for the end of FTP messages
-
-don't remove /etc/opt/ipf in postremove
-
-attempt to prevent people running buildsolaris script without doing a
-"make solaris"
-
-fix timeout losing on freebsd3
-
-3.3 7/8/1999 - Released
-
-NAT: information (rules, mappings) are stored in hash tables; setup some
-basic NAT regression testing.
-
-display version name of installed kernel code when initializing.
-
-add -V command line option to ipf, showing version (program and kernel
-module) as well as the run-status of the kernel code.
-
-fix problem with "log" rules actually affecting result of filtering.
-
-automatically use SUNWspro if available and on a 64bit Solaris system for
-compiling.
-
-add kernel proxies for rcmd(3) and RealAudio (PNA)
-
-use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking
-ip_slowtimo
-
-fix IP headers generated through parsing of text information
-
-fix NAT rules to be in the correct order again.
-
-make keep-state work with to/fastroute keywords and enforce usage of those
-interfaces.
-
-update keep-state code with new algorithm from Guido
-
-add FreeBSD-3 support
-
-add return-icmp-as-dest option to retrun an ICMP packet using the original
-destination as the source rather than a local IP address
-
-add "level [facility.]<priority>" option to filter language
-
-add changes from Guido to state code.
-
-add code to return EPERM if the device is opened for writing and we're
-in securelevel 2 or greater.
-
-authentication code patches from Guido
-
-fix real audio proxy
-
-fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon
-log output.
-
-fix bimap rules with hash tables
-
-update addresses used in NAT mappings for 0/32 rules for any protocol but TCP
-if it changes on the interface - check every ip_natexpire()
-
-add redirect regression test
-
-count buckets used in the state hash table.
-
-fix sending of RST's with return-rst to use the ack number provided in
-the packet being replied to in addition to the sequence number.
-
-fix to compile as a 64bit application on solaris7-64bit
-
-add NAT IP mapping to ranges of IP addresses that aren't CIDR specified
-
-fix calculation of in_space parameter for NAT
-
-fix `wrapping' when incrementing the next ip address for use in NAT
-
-fix free'ing of kernel memory in ip_natunload on solaris
-
-fix -l/-U command line options from interfering with each other
-
-fix fastroute under solaris2 and cleanup compilation for solaris7
-
-add install scripts and compile cleanly on BSD/OS 4.0
-
-safely open files in /tmp for writing device output when testing.
-
-fix uninitialized pointer bug in NAT
-
-fix SIOCZRLST (zero list rule stats) bug with groups
-
-change some usage of u_short to u_int in function calling
-
-fix compilation for Solaris7 (SUNWspro)
-
-change solaris makefiles to build for either sparc or i386 rather than
-per-cpu (sun4u, etc).
-
-fixed bug in ipllog
-
-add patches from George Michaelson for FreeBSD 3.0
-
-add patch from Guido to provide ICMP checking for known state in the same
-manner as is done for NAT.
-
-enable FTP PASV proxying and enable wildcarding in NAT/state code for ports
-for better PORT/PASV support with FTP.
-
-bring into main tree static nat features: map-block and "auto" portmapping.
-
-add in source host filtering for redirects (alan jones)
-
-3.2.10 22/11/98 - Released
-
-3.2.10beta9 17/11/98 - Released
-
-fix fr_tcpsum problems in handling mbufs with an odd number of bytes
-and/or split across an mbuf boundary
-
-fix NAT list entry comparisons and allow multiple entries for the same
-proxy (but on different ports).
-
-don't create duplicate NAT entries for repeated PORT commands.
-
-3.2.10beta8 14/11/98 - Released
-
-always exit an rwlock before expecting to enter it again on solaris
-
-fix loop in nat_new for pre-existing nat
-
-don't setup state for an ftp connection if creating nat fails.
-
-3.2.10beta7 05/11/98 - Released
-
-set fake window in ipft_tx.c to ensure code passes tests.
-
-cleaned up/enhanced ipnat -l/ipnat -lv output
-
-fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned.
-
-Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather
-than mutexes.
-
-3.2.10beta6 03/11/98 - Released
-
-fix mixed use of krwlock_t and kmutex_t on Solaris2
-
-fix FTP proxy back up, splitting pasv code out of port code.
-
-3.2.10beta5 02/11/98 - Released
-
-fixed port translation in ICMP reply handling
-
-3.2.10beta4 01/11/98 - Released
-
-increase useful statistic collection on solaris
-
-filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris
-
-disable PASV reply translation for now
-
-fail with an error if we try to load a NAT rule with a non-existant
- proxy name - Guido
-
-fix portmap usage with 0/0 and 0/32 map rules
-
-remove ap_unload/ap_expire - automatically done when NAT is cleaned up
-
-print "STATE:CLOSED" from ipmon if the connection progresses past established
- rather than "STATE:EXPIRED"
-
-3.2.10beta3 26/10/98 - Released
-
-fixed traceroute/nat problem
-
-rewrote nat/proxy interface
-
-ipnat now lists associated proxy sessions for each NAT where applicable
-
-3.2.10beta2 13/10/98 - Released
-
-use KRWLOCK_T in place of krwlock_t for solaris as well as irix
-
-disable use of read-write lock acquisition by default
-
-add in mb_t for linux, non-kernel
-
-some changes to progress compilation on linux with glibc
-
-change PASV as well as PORT when passed through kernel ftp proxy.
-
-don't allow window to become 0 in tcp state code
-
-make ipmon compile cleaner
-
-irix patches
-
-3.2.10beta 11/09/98 - Released
-
-stop fr_tcpsum() thinking it has run out of data when it hasn't.
-
-stop solaris panics due to fin_dp being something wild.
-
-revisit usage of ATOMIC_*()
-
-log closing state of TCP connection in "keep state"
-
-fix fake-arp table code for ipsend.
-
-ipmon now writes pid to a file.
-
-fix "ipmon -a" to actually activate all logging devices.
-
-add patches for BSDOS4.
-
-perl scripts for log analysis donated.
-
-3.2.9 22/06/98 - Released
-
-fix byte order for ICMP packets generated on Solaris
-
-fix some locking problems.
-
-fix malloc bug in NAT (introduced in 3.2.8).
-
-patch from guido for state connections that get fragmented
-
-3.2.8 08/06/98 - Released
-
-use readers/writers locks in Solaris2 in place of some mutexes.
-
-Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se)
-
-3.2.7 24/05/98 - Released
-
-u_long -> u_32_t conversions
-
-patches from Bernd Ernesti for NetBSD
-
-fixup ipmon to actually handle HUP's.
-
-Linux fixes from Michael H. Warfield (mhw@wittsend.com)
-
-update for keep state patch (not security related) - Guido
-
-dumphex() uses stdout rather than log
-
-3.2.6 18/05/98 - Released
-
-fix potential security loop hole in keep state code.
-
-update examples.
-
-3.2.5 09/05/98 - Released
-
-BSD/OS 3.1 .o files added for the kernel.
-
-fix sequence # skew vs window size check.
-
-fix minimum ICMP header size check.
-
-remove references to Cybersource.
-
-fix my email address.
-
-remove ntohl in ipnat - Thomas Tornblom
-
-3.2.4 09/04/98 - Released
-
-add script to make devices for /dev on BSD boxes
-
-fixup building into the kernel for FreeBSD 2.2.5
-
-add -D command line option to ipmon to make it a daemon and SIGHUP causes
-it to close and reopen the logfile
-
-fixup make clean and make package for SunOS5 - Marc Boucher
-
-postinstall keeps adding "minor=ipf ipl" - George Ross <gdmr@dcs.ed.ac.uk>
-
-protected by IP Filter gif - Sergey Solyanik <solik@atom.ru>
-
-3.2.3 10/11/97 - Released
-
-fix some iplang bugs
-
-fix tcp checksum data overrun, sgi #define changes,
-avoid infinite loop when nat'ing to single IP# - Marc Boucher
-
-fixup DEVFS usage for FreeBSD
-
-fix sunos5 "make clean" cleaning up too much
-
-3.2.2 28/11/97 - Released
-
-change packet matching to return actual error, if bad packet, to facilitate
-ECONNRESET for TCP.
-
-allow ip:netmask in grammar too now - Guido
-
-assume IRIX has u_int32_t in sys/types.h (needed for R10000)
-
-rewrite parts of command line options for ipmon
-
-fix TCP urgent packet & offset testing and add LAND attack test for iptest
-
-fix grammar error in yacc grammar for iplang
-
-redirect (rdr) destination port bytes-wapped when it shouldn't be.
-
-general: fr_check now returns error code, such as EHOSTUNREACH or
-ECONNRESET (attempt to make ECONNRESET work for locally outbound
-packets).
-
-linux: enable return-rst, need to filter tcp retransmits which are sent
- separately from normal packets
-
-memory leak plugged in ip_proxy.c
-
-BSDI compatibility patches from Guido
-
-tcp checksum fix - Marc Boucher
-
-recursive mutex and ioctl param fix - Marc Boucher
-
-3.2.1 12/11/97 - Released
-
-port to BSD/OS 3.0
-
-port to Linux 2.0.31
-
-patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher
-
-add "ipf -F s" and "ipf -F S" to flush state table entries.
-
-announce if logging is on or off when ip filter initializes.
-
-"ipf -F a" doesn't flush groups properly for Solaris.
-
-3.2 30/10/97 - Released
-
-ipnat doesn't successfully remove proxy mappings with "-rf" -
-Alexander Romanyu
-
-use K&R C function style for solaris kernel code
-
-use m_adj() to decrease packet size in ftp proxy
-
-use mbufchainlen rather than msgdsize,
-IRIX update - Marc Boucher
-
-fix NetBSD modunload bug (pfil_add_hook done twice)
-
-patches for OpenBSD 2.1 - Craig Bevins <craigb@bitcom.net.au>
-
-3.2beta10 24/10/97 - Released
-
-fix fragment table entries allocated for NAT.
-
-fix tcp checksum calculations over mbuf/mblk boundaries
-
-fix panic for blen < 0 in ftp kernel proxy - marc boucher
-
-fix flushing of rules which have been grouped.
-
-3.2beta9 20/10/97 - Released
-
-some nit picking on solaris2 with SUNWspro - Michael Lyle <mrl@rpnet.net>
-
-ftp kernel proxy patches from Marc Boucher
-
-3.2beta8 13/10/97 - Released
-
-add support for passing ICMP errors back through NAT.
-
-IRIX port update - Marc Boucher
-
-calculate correct MIN size of packet to log for UDP - Marc Boucher
-
-need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang
-
-copyright header fixups
-
-3.2beta7 23/09/97 - Released
-
-fickup problems introduced by prior merges & changes.
-
-3.2beta6 23/09/97 - Released
-
-patch for spin-reading race condition - Marc Boucher.
-
-IRIX port by Marc Boucher.
-
-compatibility updates for Linux to ipsend
-
-3.2beta5 13/09/97 - Released
-
-patches from Bernd Ernesti for NetBSD integration (mostly prototyping and
-compiler warning things)
-
-ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it
-changes.
-
-update manual pages and other documentation updates.
-
-3.2beta4 27/8/97 - Released
-
-enable setting IP and TCP options for iplang/
-
-Solaris2 patches from Marc Boucher.
-
-add groups for filter rules.
-
-3.2beta3 21/8/97 - Released
-
-patches for Solaris2 (interface panic solution ?): fix FIONREAD and
-replacing q_qinfo points - Marc Boucher <marc@CAM.ORG>
-
-change ipsend/* and ipsd/* copyright notices to be the same as ip filter's
-
-patch for SYN-ACK skew testing fix from Eric V. Smith <EricSmith@windsor.com>
-
-3.2beta2 6/8/97 - Released
-
-make it load on Solaris 2.3
-
-rewrote logging to remove solaris errors, introduced checking to see if the
-same packet is logged successively.
-
-fix filter cache to work when there are no rules loaded.
-
-add "raw" option to ipresend to send entire ethernet frames.
-
-nat list corruption bug - NetBSD - Klaus Klein
-
-3.2beta1 5/7/97 - Released
-
-patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits
-lossage, and other NetBSD bits.
-
-NetBSD 1.2G update.
-
-fixup fwtk patches and add protocol field for SIOCGNATL.
-
-rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with
-fixes:
-* rdr matched all packets of a given protocol (ignored ports).
-* severe bug in nat_delete which caused system crash/freeze.
-
-change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use
-the default CC - cc, not gcc)
-
-3.2alpha9 16/6/97 - Released
-
-added "skip" keyword.
-
-implement preauthentication of packets, as outlined by Guido.
-
-Make it compile as cleanly as possible with -Wall & general code cleanup
-
-getopt returns int, not char. Bernd Ernesti
-
-3.2alpha8 13/6/97 - Released
-
-code added to support "auth" rules which require a user program to allow them
-through. First revision and much of the code came from Guido.
-
-hex output from ipmon doesn't goto syslog when recovering from out of sync
-error. Luke Mewburn (lukem@connect.com.au)
-
-fix solaris2.6 lookup of destination ire's.
-
-ipnat doesn't throw away unused bits (after masking), causing it to
-behave incorrectly. Carson Gaspar
-
-NAT code doesn't include inteface name when matching - Alexey Mavrin
-<lha@elco.spb.ru>
-
-replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe.
-
-update install procedures to include ip_proxy.c
-
-mask out unused bits in NAT/RDR rules.
-
-use a generic type (u_32_t) for 32bit variables, rather than rely on
-u_long being such - Jason Thorpe.
-
-create a local "netinet" directory and include from ~netinet/*" rather than
-just "*" to make keeping the code working on ports easier.
-
-add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions)
-
-documentation updates.
-
-NetBSD update from Jason Thorpe <thorpej@netbsd.org>
-
-allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij
-
-ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram
-<Reinhard.Bertram@KOM.th-darmstadt.de>
-
-3.2alpha7 25/5/97 - Released
-
-add strlen for pre-2.2 kernels - Doug Kite <dkite@websgi.icomnet.com>
-
-setup bits and pieces for compiling into a FreeBSD-2.2 kernel.
-
-split up "bsd" targets. Now a separate netbsd/freebsd/bsd target.
-mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd).
-
-fix (negative) host matching in filtering.
-
-add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels
-or later.
-
-make all the candidates for kernel compiling include "netinet/..." and build
-a subdirectory "netinet" when compiling and symlink all .h files into this.
-
-add install make target to Makefile.ipsend
-
-3.2alpha6 8/5/97 - Released
-
-Add "!" (not) to hostname/ip matching.
-
-Automatically add packet info to the fragment cache if it is a fragment
-and we're translating addreses for.
-
-Automatically add packet info to the fragment cache if it is a fragment
-and we're "keeping state" for the packet.
-
-Solaris2 patches - Anthony Baxter (arb@connect.com.au)
-
-change install procedure for FreeBSD 2.2 to allow building to a kernel
-which is different to the running kernel.
-
-add FIONREAD for Solaris2!
-
-when expiring NAT table entries, if we would set a time to fr_tcpclosed
-(which is 1), make it fr_tcplaskack(20) so that the state tables have a
-chance to clear up.
-
-3.2alpha5
-
-add proxying skeleton support and sample ftp transparent proxy code.
-
-add printfs at startup to tell user what is happening.
-
-add packets & bytes for EXPIRE NAT log records.
-
-fix the "install-bsd" target in the root Makefile. Chris Williams
-<psion@mv.mv.com>
-
-Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange.
-
-3.2alpha4 2/4/97 - Released
-
-Some compiler warnings cleaned up.
-
-FreeBSD-2.2 patches for LKM completed.
-
-3.2alpha3 31/3/97 - Released
-
-ipmon changes: -N for reading NAT logfile, -S for reading state logfile.
--a for reading all. -n now toggles hostname resolution.
-
-Add logging of new state entries and expiration of old state entries.
-count log successes and failures.
-
-Add logging of new NAT entries and expiration of old NAT entries.
-count log successes and failures.
-
-Use u_quad_t for records of bytes & packets where kept
-(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes).
-
-Fixup use of CPU and DCPU in Makefiles.
-
-Fix broken 0/32 NAT mapping. Carl Makin <cmakin@nla.gov.au>
-
-3.2alpha2
-
-Implement mapping to 0/32 as being an alias for automatically using the
-interface's first IP address.
-
-Implement separate minor devices for both NAT and IP state code.
-
-Fully prototype all functions.
-
-Fix Makefile problem due to attempt to fix Sun compiling problems.
-
-3.1.10 23/3/97 - Released
-
-ipfstat -a requires a -i or -o command line option too. Print an error
-when not present rather than attempt to do something.
-
-patch updates for SunOS4 for kernel compiling.
-patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr
-<schorr@ead.dsa.com>
-
-too many people hit their heads hard when compiling code into the kernel
-that doesn't let any packets through. (fil.c - IPF_NOMATCH)
-
-icmp-type parsing doesn't return any errors when it isn't constructed
-correctly. Neil Readwin
-
-Using "-conf" with modload on SunOS4 doesn't work.
-Timothy Demarest <demarest@arraycomm.com>
-
-Need to define ARCH in makefile for SunOS4 building. "make sunos4"
-in INSTALL.SunOS is incorrect. James R Grinter <jrg@blodwen.demon.co.uk>
-[all SunOS targets now run buildsunos]
-
-NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP
-information. ArkanoiD <ark@paranoid.convey.ru>
-
-Need to check for __FreeBSD_version being 199511 rather than 199607
-in mln_ipl.c. Eric Feillant <Eric.Feillant@EUnet.fr>
-
-3.1.9 8/3/97 - Released
-
-fixed incorrect lookup of active NAT entries.
-
-patch for ip_deq() wrong for pre 2.1.6 FreeBSD.
-fyeung@fyeung8.netific.com (Francis Yeung)
-
-check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi
-(erkki@vlsi.fi)
-
-text_readip returns the interface pointer pointing to text on stack -
-Neil Readwin
-
-fix from Pradeep Krishnan for printout rules "with not opt sec".
-
-3.1.8 18/2/97 - Released
-
-Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and
-compiling warnings about reuse of m0.
-
-prevent use of return-rst and return-icmp with rules blocking packets going
-out, preventing panics in certain situations.
-
-loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>
-
-should use SPLNET/SPLX around expire routines in NAT/frag/state code.
-
-redeclared malloc in 44arp.c -
-
-3.1.7 8/2/97 - Released
-
-Macros used for ntohs/htons supplied with gcc don't always work very well
-when the assignment is the same variable being converted.
-
-Filter matching doesn't not match rule which checks tcp flags on packets
-which are fragments - David Wilson
-
-3.1.7beta 30/1/97 - Released
-
-Fix up NAT bugs introduced in last major change (now tested), including
-nat_delete(), nat_lookupredir(), checksum changes, etc.
-
-3.1.7alpha 30/1/97 - Released
-
-Many changes to NAT code, including contributions from Laurent Joncheray
-<lpj@ans.net>
-
-Use "NO_SLEEP" when allocating memory under SunOS.
-
-Make kernel printf's nicer for BSD/SunOS4
-
-Always do a checksum for packets being filtered going out and being
-processed by fastroute.
-
-Leave kernel to play with cdevsw on *BSD systems with LKM's.
-
-ipnat.1 man page fixes.
-
-3.1.6 21/1/97 - Released
-
-Allow NAT to work on BSD systems in conjunction with "pass .. to ifname"
-
-Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried
-to free memory twice.
-
-NAT recalculates IP header checksum based on difference between IP#'s and
-port numbers - should be just IP#'s (Solaris2 only)
-
-3.1.5 13/1/97 - Released
-
-fixed setting of NAT timeouts and use different timeouts for concurrent
-TCP sessions using the same IP# mapping (when port mapping isn't used)
-
-multiple loading/unloading of LKM's doesn't clean up cdevsw properly for
-*BSD systems.
-
-3.1.4 10/1/97 - Released
-
-add command line options -C and -F to ipnat to flush NAT list and table
-
-ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com)
-
-NetBSD/FreeBSD kernel malloc changes - Daniel Carosone
-
-3.1.3 10/1/97 - Released
-
-NAT chains not constructed correctly in hash tables - Antony Y.R Lu
-(antony@hawk.ee.ncku.edu.tw)
-
-Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2
-
-man page update (ipf.5) from Daniel Carosone (dan@geek.com.au)
-
-ICMP header checksum update now included in NAT.
-
-Solaris2 needs to modify IP header checksums in ip_natin and ip_natout.
-
-3.1.2 4/12/96 - Released
-
-ipmon doesn't use syslog all the time when given -s option
-
-fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro
-
-check the results of hostname resolution in ipnat
-
-"make *install" fixed for subdirectories.
-
-problems with "ARCH:=" and gnu make resolved
-
-parser reports an error for lines with whitespaces only rather than skipping
-them. D.Carosone@abm.com.au (Daniel Carosone)
-
-patches for integration into NetBSD-current (post 1.2).
-
-add an option to allow non-IP packets going up/down the stream on Solaris2
-to be dropped. John Bass.
-
-3.1.2beta 21/11/96 - Released
-
-make ipsend compile on Linux 2.0.24
-
-changes to TCP kept state algorithm, making it watch state on TCP
-connections in both directions. Also use the same algorithm for NAT TCP.
-
--Wall cleanup - Bernd Ernesti
-
-added "or-block" for "pass .. log or-block" after a suggestion from
-David Oppenheim (davido@optimation.com.au)
-
-added subdirectories for building IP Filter in SunOS5/BSD for different
-cpu architecures
-
-Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2
-
-mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96
-
-3.1.1 28/10/96 - Released
-
-Installation script fixes and deinstall scripts for IP Filter on:
-SunOS4/FreeBSD/NetBSD
-
-Man page fixes - Paul Dubois (dubois@primate.wisc.edu)
-
-Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!)
-
-parsing isn't completely case insensitive - David Wilson
-(davidw@optimation.com.au)
-
-Release ipl_mutex across uiomove() calls
-
-print entire rule entries out for "ipf -z" when zero'ing per-rule stats.
-
-ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik
-(ts@polynet.lviv.ua)
-
-New algorithm for setting timeouts for TCP connection (more closely follow
-TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com)
-
-Track both window sizes for TCP connections through "keep state".
-
-Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel
-(wezel@bio.vu.nl)
-
-3.1.1-beta2 6/10/96 - Released
-
-Solaris2 fastroute/dup-to/to now works
-
-ipmon `record' reading rewritten
-
-Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au)
-
-Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson
-(davidw@optimation.com.au)
-
-Michael Ryan (mike@NetworX.ie) reports the following:
-* The Trumpet WinSock under Windows always sends its SYN packet with an ACK
- value of 1, unlike any other implementation I've seen, which would set it
- to zero. The "keep state" feature of IP Filter doesn't work when receiving
- non-zero ACK values on new connection requests.
-* */Makefile install rule doesn't install all the binaries/man pages
-* Make ipnat use "tcp/udp" instead of "tcpudp"
-* Print out "tcp/udp" properly
-* ipnat "portmap tcp" matches "portmap udp" when adding/removing
-* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't
-
-3.1.1-beta 1/9/96 - Released
-
-add better detection of TCP connections closing to TCP state monitoring.
-
-fr_addstate() not called correctly for fragments. "keep state" and
-"keep frag" code don't work together 100% - Songqing Cai
-(songqing_cai@sterling.com)
-
-call to fr_addstate() incorrect for adding state in combination with keeping
-fragment information - Songqing Cai (songqing_cai@sterling.com)
-
-KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood
-(cgull@smoke.marlboro.vt.us)
-
-make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban
-(dima@best.net)
-
-3.1.1-alpha 23/8/96 - Released
-
-kernel panic's when ICMP packets go through NAT code
-
-stats aren't zero'd properly with ipf -Z
-
-ipnat doesn't show port numbers correctly all the time and also add the
-protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com)
-
-fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com)
-
-NetBSD-1.2 patches from - VaX#n8 <vax@linkdead.paranoia.com>
-
-Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu)
-
-ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall
-(nrh@tardis.ed.ac.uk)
-
-3.1.0 7/7/96 - Released
-
-Reformatted ipnat output to be compatible with it's input, so that
-"ipnat -l | ipnat -rf -" is possible.
-
-3.1.0beta 30/6/96 - Released
-
-NetBSD-1.2 patches from Greg Woods (woods@most.weird.com)
-
-kernel module must not be installed stripped (Solaris2), as created by
-"make package" for Solaris2 - Peter Heimann
-(peter@i3.informatik.rwth-aachen.de)
-
-3.1.0alpha 5/6/96 - Released
-
-include examples in package for solaris2
-
-patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS)
-
-removed trailing space from printouts of rules in ipf.
-
-ipresend supports the same range of inputs that ipftest does.
-
-sending a duplicate copy of a packet to another network devices is now
-supported. ("dup-to")
-
-sending a packet to an arbitary interface is now supported, irrespective
-of its actual route, with no ttl decrement. Can also be routed without
-the ttl being decremented. ("to" and "fastroute").
-
-"call" option added to support calling a generic function if a packet is
-matched.
-
-show all (upto 4) recorded bytes from the interface name in logging from
-ipmon.
-
-support for using unix file permissions for read/write access on the device
-is now in place.
-
-recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen <per@stibo.dk>
-
-ipftest doesn't call initparse() for THISHOST - Catherine Allen
-(cla@connect.com.au)
-
-Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au)
-
-3.0.4 10/4/96 - Released
-
-looop in `parsing' IP packets with optlen 0 for ip options.
-
-rule number not initialized and resulted in unexpected results for state
-maching.
-
-option parsing and printing bugs - Pradeep Krishnan
-
-3.0.4beta 25/3/96 - Released
-
-wouldn't parse "keep flags keep state" correctly.
-
-SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon
-
-patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems
-from Thorsten Lockert <tholo@tetherless.com>
-
-b* functions in fil.c on Solaris 2.4
-
-3.0.3 17/3/96 - Released
-
-added patches to support IP Filter initialisation when compiled into the
-kernel.
-
-added -x option to ipmon to display hex dumps of logged packets.
-
-added -H option to ipftest to allow ascii-hex formatted input to specify
-arbitary IP packets.
-
-Sending TCP RSTs as a response now work for Solaris2 x86
-
-add patches to make IP Filter compile into NetBSD kernels properly.
-
-patch to stop SunOS 4.1.x kernels panicing with "data traps".
-
-ipfboot script unloads and reloads ipf module on Solaris2 if it is already
-loaded into the kernel.
-
-Installation of IP Filter as a Solaris2 package is now supported.
-
-Man pages for ipnat.4, ipnat.5 added.
-
-added some more regression tests and fixed up IP Filter to pass the new tests
-(previous versions failed some of the tests in set 12).
-
-IP option filter processing has changed so that saying "with opt lsrr" will
-check only for that one, but not mask out other options, so a packet with
-strict source routing, along with loose source routing will match all of
-"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr".
-
-IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com)
-
-patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de)
-
-make install is incorrect - Julian Briggs (julian@lightwork.co.uk)
-
-strtol() returns 0x7fffffff for all negative numbers,
-printfr() generates incorrect output for "opt sec-class *",
-handling of "not opt xxx opt yyy" incorrect.
-- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com)
-
-m_pullup() called only for input and not output; caused problems
-with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com)
-
-parsing problem for "port 1" and NetBSD patches incorrect -
-Andreas Gustafsson (gson@guava.araneus.fi)
-
-3.0.2 4/2/96 - Released
-
-Corrected bug where NAT recalculates checksums for fragments.
-
-make NAT recalculate UDP checksums (rather than setting them to 0),
-if they're non-zero.
-
-DNS patches - Real Page (Real.Page@Matrox.com)
-
-alteration of checksum recalculations in NAT code and addition of
-redirection with NAT - Mike Neuman
-
-core dump, if tcp/udp is used with a port number and not service name,
-in ipf - Mike Neuman (mcn@engarde.com)
-
-initparse() call, missing to prime "<thishost>" hook - Craig Bishop
-
-3.0.1 14/1/96 - Released
-
-miscellaneous patches for Solaris2
-
-3.0 14/1/96 - Released
-
-Patch included for FDDI, from Richard Ohnemus
-(Richard_Ohnemus@dallas.csd.sterling.com)
-
-Code cleanup for release.
-
-3.0beta4 10/1/96
-
-recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop
-
-recursive mutex in sending TCP RSTs fixed, reported by Tony Becker
-
-3.0beta3 9/1/96
-
-FIxup for Solaris2.5 install and interface name bug in ipftest from
-Julian Briggs (julian@lightwork.co.uk)
-
-Byte order patches for ipmon from Tony Becker (tony@mcrsys.com)
-
-3.0beta2 7/1/96
-
-Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD.
-Note, this isn't really what one would call IP account, when compared to
-process accounting, sigh.
-
-Split up ipresend into iptest/ipresend/ipsend
-
-Added another m_pullup() inside fr_check() for BSD style kernels and
-added some checks to ipllog() to not log more than is present (for short
-packets).
-
-Fixed bug where failed hostname/netname resolution goes undetecte and
-becomes 0.0.0.0 (any) (reported Guido van Rooij)
-
-3.0beta 11/11/95 - Released
-
-Rewrote the way rule testing is done, reducing the number of files needed and
-generated.
-
-SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green)
-
-Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3
-BSD based Unixes (panic'd)
-
-Patches for FreeBSD/i86 ipmon from Riku Kalinen <riku@tequila.nixu.fi>
-(I think someone else already told me about these but they got lost :-/)
-
-Changed Makefile structure to build object files for different operating
-systems in separate directories by default.
-
-BSDI has ef0 for first ethernet interface
-
-Allow for a "not" operator before optional keywords.
-
-The "rule number" was being incorrectly incremented every time it went through
-the loop rather than when it matched a rule.
-
-2.8.2 24/10/95 - Released
-
-Fixed up problems with "textip" for doing lots of testing.
-
-Fixed bug in detection of "short" tcp/ip packets (all reported as being short).
-
-Solaris 2.4 port now works 100%.
-
-Man page errors reported and fixed.
-
-Removed duplicate entry in etc/services for login on port 49 (Craig Bishop).
-
-Fixed ipmon output to put a space after the log-letter.
-
-Patch from Guido van Rooij to fix parsing problem.
-
-2.8.1 15/10/95 - Released
-
-Added ttl and tos filtering.
-
-Patches for fixing up compilation and port problems (little endian)
-from Guido van Rooij <guido@IAEhv.nl>.
-
-Man page problems reported and fixed by Carson Gaspar <carson@lehman.com>.
-
-ipsend doesn't compile properly on Solaris2.4
-
-Lots of work done for Solaris2.4 to make it MT/MP safe and work.
-
-2.8 15/9/95 - Released
-
-ipmon can now send messages to syslogd (-s) and use names instead of
-numbers (-N).
-
-IP packets are now "compiled" into a structure only containing filterable
-bits.
-
-Added regression testing in the test/ subdirectory, using a new option
-(-b) with the ipftest program.
-
-Added "nomatch" return to filter results. These are counted and show
-up in reports from ipfstat.
-
-Moved filter code out of ip_fil.c and into fil.c - there is now only one
-instance of it in the package.
-
-Added Solaris 2.4 support.
-
-Added IPSO basic security option filtering.
-
-Added name support for filtering on all 19 named IP options.
-
-Patches from Ivan Brawley to log packet contents as well as packet headers.
-
-Update for sun/conf.c.diff from Ivan Brawley <ibrawley@awadi.com.AU>
-
-Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf,
-along with a new ioctl, SIOCFRENB.
-From: Dieter Dworkin Muller <dworkin@village.org>
-
-2.7.3 31/7.95 - Released
-
-Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green).
-
-ipftest now deals with tcpdump3 binary output files (from libpcap) with -P.
-
-Brought ipftest program upto date with actual filter code.
-
-Filter would cause a match to occur when it wasn't meant to if the packet
-had short headers and was missing portions that should have been there.
-Err, it would rightly not match on them, but their absence caused a match
-when it shouldn't have been.
-
-2.7.2 26/7/95 - Released
-
-Problem with filtering just SYN flagged packets reported by
-Dieter Dworkin Muller <dworkin@village.org>. To solve this
-problem, added support for masking TCP flags for comparison "flags X/Y".
-
-2.7.1 9/7/95 - Released
-
-Added ip_dirbroadcast support for Sun ip_input.c
-
-Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are
-better.
-
-2.7 7/7/95 - Released
-
-Added "return-rst" to return TCP RST's to TCP packets.
-
-Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now.
-
-Added insertion of filter rules. Use "@<#>" at the beginning of a filter
-to insert a rule at row #.
-
-Filter keeps track of how many times each rule is matched.
-
-Changed compile time things to match kernel option (IPFILTER_LKM &
-IPFILTER_LOG).
-
-Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP.
-(No change required for 3.6)
-
-Now includes TCP fragments which start inside the TCP header as being short.
-Added counting the number of times each rule is matched.
-
-
-2.6 11/5/95 - Released
-
-Added -n option to ipf: when supplied, no changes are made to the kernel.
-
-Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI.
-
-Rewrote filtering to use a more generic mask & match procedure for
-checking if a packet matches a rule.
-
-2.5.2 27/4/95 - Released
-
-"tcp/udp" and a non-initialised pointer caused the "proto" to become
-a `random' value; added "ip#/dotted.mask" notation to the BNF.
-From Adam W. Feigin <feigin@iis.ee.ethz.ch>
-
-2.5.1 22/3/95 - Released
-
-"tcp/udp" had a strange effect (undesired) on getserv*() functions,
-causing protocol/service lookups to fail. Reported by Matthew Green.
-
-2.5 17/3/95 - Released
-
-Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop
-output through the ipftest program. Suggestions from:
-Michael Ciavarella (mikec@phyto.apana.org.au)
-
-Conflicts occur when "general" filter rules are used for ports and the
-lack of a "proto" when used with "port" matches other packets when only
-TCP/UDP are implied.
-Reported Matthew Green (mrg@fulcom.com.au);
-reported & fixed 6-8/3/95
-
-Added filtering of short TCP packets using "with short" 28/2/95
-(These can possibly slip by checks for the various flags). Short UDP
-or ICMP are dropped to the floor and logged.
-
-Added filtering of fragmented packets using "with frag" 24/2/95
-
-Port to NetBSD-current completed 20/2/95, using LKM.
-
-Added logging of the rule # which caused the logging to happen and the
-interface on which the packet is currently as suggested by
-Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95
-
-2.4 9/2/95 - Released
-Fixed saving of IP headers in ICMP packets.
-
-2.3 29/1/95
-Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL).
-Fixed iplread() and iplsave() with help from Marc Huber.
-
-2.2 7/1/95 - Released
-Added code from Marc Huber <huber@fzi.de> to allow it to allocate
-its own major char number dynamically when modload'ing. Fixed up
-use of <, >, <=, >= and >< for ports.
-
-2.1 21/12/94 - Released
-repackaged to include the correct ip_output.c and ip_input.c *goof*
-
-2.0 18/12/94 - Released
-added code to check for port ranges - complete.
-rewrote to work as a loadable kernel module - complete.
-
-1.1
-added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers.
-
-1.0 22/04/93 - Released
-First release cut.
diff --git a/sbin/ipf/Makefile b/sbin/ipf/Makefile
deleted file mode 100644
index ed7af593210..00000000000
--- a/sbin/ipf/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-# $OpenBSD: Makefile,v 1.10 2001/01/17 05:00:57 fgsch Exp $
-
-PROG= ipf
-MAN= ipf.8 ipf.4 ipf.5
-SRCS= ipf.c parse.c opt.c facpri.c common.c ifaddr.c
-
-.include <bsd.prog.mk>
diff --git a/sbin/ipf/common.c b/sbin/ipf/common.c
deleted file mode 100644
index edea2441d88..00000000000
--- a/sbin/ipf/common.c
+++ /dev/null
@@ -1,613 +0,0 @@
-/* $OpenBSD: common.c,v 1.2 2001/01/30 04:26:01 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include <syslog.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/ip_fil.h>
-#include "ipf.h"
-#include "facpri.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 darrenr Exp $";
-#endif
-
-extern struct ipopt_names ionames[], secclass[];
-extern int opts;
-#ifdef USE_INET6
-extern int use_inet6;
-#endif
-#if defined(__OpenBSD__)
-extern int if_addr __P((char *, struct in_addr *));
-#endif
-
-
-
-char *proto = NULL;
-char flagset[] = "FSRPAUEC";
-u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG,
- TH_ECN, TH_CWR };
-
-#ifdef USE_INET6
-void fill6bits __P((int, u_32_t *));
-int count6bits __P((u_32_t *));
-#endif
-
-static char thishost[MAXHOSTNAMELEN];
-
-
-void initparse()
-{
- gethostname(thishost, sizeof(thishost));
-}
-
-
-int genmask(msk, mskp)
-char *msk;
-u_32_t *mskp;
-{
- char *endptr = NULL;
-#ifdef USE_INET6
- u_32_t addr;
-#endif
- int bits;
-
- if (index(msk, '.') || index(msk, 'x') || index(msk, ':')) {
- /* possibly of the form xxx.xxx.xxx.xxx
- * or 0xYYYYYYYY */
-#ifdef USE_INET6
- if (use_inet6) {
- if (inet_pton(AF_INET6, msk, &addr) != 1)
- return -1;
- } else
-#endif
- if (inet_aton(msk, (struct in_addr *)mskp) == 0)
- return -1;
- } else {
- /*
- * set x most significant bits
- */
- bits = (int)strtol(msk, &endptr, 0);
-#ifdef USE_INET6
- if ((*endptr != '\0') ||
- ((bits > 32) && !use_inet6) || (bits < 0) ||
- ((bits > 128) && use_inet6))
-#else
- if (*endptr != '\0' || bits > 32 || bits < 0)
-#endif
- return -1;
-#ifdef USE_INET6
- if (use_inet6)
- fill6bits(bits, mskp);
- else
-#endif
- if (bits == 0)
- *mskp = 0;
- else
- *mskp = htonl(0xffffffff << (32 - bits));
- }
- return 0;
-}
-
-
-
-#ifdef USE_INET6
-void fill6bits(bits, msk)
-int bits;
-u_32_t *msk;
-{
- int i;
-
- for (i = 0; bits >= 32 && i < 4 ; ++i, bits -= 32)
- msk[i] = 0xffffffff;
-
- if (bits > 0 && i < 4)
- msk[i++] = htonl(0xffffffff << (32 - bits));
-
- while (i < 4)
- msk[i++] = 0;
-}
-#endif
-
-
-/*
- * returns -1 if neither "hostmask/num" or "hostmask mask addr" are
- * found in the line segments, there is an error processing this information,
- * or there is an error processing ports information.
- */
-int hostmask(seg, sa, msk, pp, cp, tp, linenum)
-char ***seg;
-u_32_t *sa, *msk;
-u_short *pp, *tp;
-int *cp;
-int linenum;
-{
- struct in_addr maskaddr;
- char *s;
-
- /*
- * is it possibly hostname/num ?
- */
- if ((s = index(**seg, '/')) ||
- ((s = index(**seg, ':')) && !index(s + 1, ':'))) {
- *s++ = '\0';
- if (genmask(s, msk) == -1) {
- fprintf(stderr, "%d: bad mask (%s)\n", linenum, s);
- return -1;
- }
- if (hostnum(sa, **seg, linenum) == -1) {
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
- }
- *sa &= *msk;
- (*seg)++;
- return ports(seg, pp, cp, tp, linenum);
- }
-
- /*
- * look for extra segments if "mask" found in right spot
- */
- if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) {
- if (hostnum(sa, **seg, linenum) == -1) {
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
- }
- (*seg)++;
- (*seg)++;
- if (inet_aton(**seg, &maskaddr) == 0) {
- fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg);
- return -1;
- }
- *msk = maskaddr.s_addr;
- (*seg)++;
- *sa &= *msk;
- return ports(seg, pp, cp, tp, linenum);
- }
-
- if (**seg) {
- if (hostnum(sa, **seg, linenum) == -1) {
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
- }
- (*seg)++;
-#ifdef USE_INET6
- if (use_inet6) {
- u_32_t k = 0;
- if (sa[0] || sa[1] || sa[2] || sa[3])
- k = 0xffffffff;
- msk[0] = msk[1] = msk[2] = msk[3] = k;
- }
- else
-#endif
- *msk = *sa ? 0xffffffff : 0;
- return ports(seg, pp, cp, tp, linenum);
- }
- fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
- return -1;
-}
-
-/*
- * returns an ip address as a long var as a result of either a DNS lookup or
- * straight inet_addr() call
- */
-int hostnum(ipa, host, linenum)
-u_32_t *ipa;
-char *host;
-int linenum;
-{
- struct hostent *hp;
- struct netent *np;
- struct in_addr ip;
-
- if (!strcasecmp("any", host))
- return 0;
-#ifdef USE_INET6
- if (use_inet6) {
- if (inet_pton(AF_INET6, host, ipa) == 1)
- return 0;
- else
- return -1;
- }
-#endif
- if (isdigit(*host) && inet_aton(host, &ip)) {
- *ipa = ip.s_addr;
- return 0;
- }
-
- if (!strcasecmp("<thishost>", host))
- host = thishost;
-
-#if defined(__OpenBSD__)
- /* attempt a map from interface name to address */
- if (if_addr(host, &ip)) {
- *ipa = ip.s_addr;
- return 0;
- }
-#endif
-
- if (!(hp = gethostbyname(host))) {
- if (!(np = getnetbyname(host))) {
- fprintf(stderr, "%d: can't resolve hostname: %s\n",
- linenum, host);
- return -1;
- }
- *ipa = htonl(np->n_net);
- return 0;
- }
- *ipa = *(u_32_t *)hp->h_addr;
- return 0;
-}
-
-
-/*
- * check for possible presence of the port fields in the line
- */
-int ports(seg, pp, cp, tp, linenum)
-char ***seg;
-u_short *pp, *tp;
-int *cp;
-int linenum;
-{
- int comp = -1;
-
- if (!*seg || !**seg || !***seg)
- return 0;
- if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) {
- (*seg)++;
- if (isalnum(***seg) && *(*seg + 2)) {
- if (portnum(**seg, pp, linenum) == 0)
- return -1;
- (*seg)++;
- if (!strcmp(**seg, "<>"))
- comp = FR_OUTRANGE;
- else if (!strcmp(**seg, "><"))
- comp = FR_INRANGE;
- else {
- fprintf(stderr,
- "%d: unknown range operator (%s)\n",
- linenum, **seg);
- return -1;
- }
- (*seg)++;
- if (**seg == NULL) {
- fprintf(stderr, "%d: missing 2nd port value\n",
- linenum);
- return -1;
- }
- if (portnum(**seg, tp, linenum) == 0)
- return -1;
- } else if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq"))
- comp = FR_EQUAL;
- else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne"))
- comp = FR_NEQUAL;
- else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt"))
- comp = FR_LESST;
- else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt"))
- comp = FR_GREATERT;
- else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le"))
- comp = FR_LESSTE;
- else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge"))
- comp = FR_GREATERTE;
- else {
- fprintf(stderr, "%d: unknown comparator (%s)\n",
- linenum, **seg);
- return -1;
- }
- if (comp != FR_OUTRANGE && comp != FR_INRANGE) {
- (*seg)++;
- if (portnum(**seg, pp, linenum) == 0)
- return -1;
- }
- *cp = comp;
- (*seg)++;
- }
- return 0;
-}
-
-
-/*
- * find the port number given by the name, either from getservbyname() or
- * straight atoi(). Return 1 on success, 0 on failure
- */
-int portnum(name, port, linenum)
-char *name;
-u_short *port;
-int linenum;
-{
- struct servent *sp, *sp2;
- u_short p1 = 0;
- int i;
-
- if (isdigit(*name)) {
- if (ratoi(name, &i, 0, USHRT_MAX)) {
- *port = (u_short)i;
- return 1;
- }
- fprintf(stderr, "%d: unknown port \"%s\"\n", linenum, name);
- return 0;
- }
- if (proto != NULL && strcasecmp(proto, "tcp/udp") != 0) {
- sp = getservbyname(name, proto);
- if (sp) {
- *port = ntohs(sp->s_port);
- return 1;
- }
- fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name);
- return 0;
- }
- sp = getservbyname(name, "tcp");
- if (sp)
- p1 = sp->s_port;
- sp2 = getservbyname(name, "udp");
- if (!sp || !sp2) {
- fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n",
- linenum, name);
- return 0;
- }
- if (p1 != sp2->s_port) {
- fprintf(stderr, "%d: %s %d/tcp is a different port to ",
- linenum, name, p1);
- fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port);
- return 0;
- }
- *port = ntohs(p1);
- return 1;
-}
-
-
-u_char tcp_flags(flgs, mask, linenum)
-char *flgs;
-u_char *mask;
-int linenum;
-{
- u_char tcpf = 0, tcpfm = 0, *fp = &tcpf;
- char *s, *t;
-
- if (*flgs == '0') {
- s = strchr(flgs, '/');
- if (s)
- *s++ = '\0';
- tcpf = strtol(flgs, NULL, 0);
- fp = &tcpfm;
- } else
- s = flgs;
-
- for (; *s; s++) {
- if (*s == '/' && fp == &tcpf) {
- fp = &tcpfm;
- if (*(s + 1) == '0')
- break;
- continue;
- }
- if (!(t = index(flagset, *s))) {
- fprintf(stderr, "%d: unknown flag (%c)\n", linenum, *s);
- return 0;
- }
- *fp |= flags[t - flagset];
- }
-
- if (s && *s == '0')
- tcpfm = strtol(s, NULL, 0);
-
- if (!tcpfm) {
- if (tcpf == TH_SYN)
- tcpfm = 0xff & ~(TH_ECN|TH_CWR);
- else
- tcpfm = 0xff & ~(TH_ECN);
- }
- *mask = tcpfm;
- return tcpf;
-}
-
-
-/*
- * count consecutive 1's in bit mask. If the mask generated by counting
- * consecutive 1's is different to that passed, return -1, else return #
- * of bits.
- */
-int countbits(ip)
-u_32_t ip;
-{
- u_32_t ipn;
- int cnt = 0, i, j;
-
- ip = ipn = ntohl(ip);
- for (i = 32; i; i--, ipn *= 2)
- if (ipn & 0x80000000)
- cnt++;
- else
- break;
- ipn = 0;
- for (i = 32, j = cnt; i; i--, j--) {
- ipn *= 2;
- if (j > 0)
- ipn++;
- }
- if (ipn == ip)
- return cnt;
- return -1;
-}
-
-
-#ifdef USE_INET6
-int count6bits(msk)
-u_32_t *msk;
-{
- int i = 0, k;
- u_32_t j;
-
- for (k = 3; k >= 0; k--)
- if (msk[k] == 0xffffffff)
- i += 32;
- else {
- for (j = msk[k]; j; j <<= 1)
- if (j & 0x80000000)
- i++;
- }
- return i;
-}
-#endif
-
-
-char *portname(pr, port)
-int pr, port;
-{
- static char buf[32];
- struct protoent *p = NULL;
- struct servent *sv = NULL, *sv1 = NULL;
-
- if (pr == -1) {
- if ((sv = getservbyport(htons(port), "tcp"))) {
- strncpy(buf, sv->s_name, sizeof(buf)-1);
- buf[sizeof(buf)-1] = '\0';
- sv1 = getservbyport(htons(port), "udp");
- sv = strncasecmp(buf, sv->s_name, strlen(buf)) ?
- NULL : sv1;
- }
- if (sv)
- return buf;
- } else if (pr && (p = getprotobynumber(pr))) {
- if ((sv = getservbyport(htons(port), p->p_name))) {
- strncpy(buf, sv->s_name, sizeof(buf)-1);
- buf[sizeof(buf)-1] = '\0';
- return buf;
- }
- }
-
- (void) sprintf(buf, "%d", port);
- return buf;
-}
-
-
-int ratoi(ps, pi, min, max)
-char *ps;
-int *pi, min, max;
-{
- int i;
- char *pe;
-
- i = (int)strtol(ps, &pe, 0);
- if (*pe != '\0' || i < min || i > max)
- return 0;
- *pi = i;
- return 1;
-}
-
-
-int ratoui(ps, pi, min, max)
-char *ps;
-u_int *pi, min, max;
-{
- u_int i;
- char *pe;
-
- i = (u_int)strtol(ps, &pe, 0);
- if (*pe != '\0' || i < min || i > max)
- return 0;
- *pi = i;
- return 1;
-}
-
-
-void printhostmask(v, addr, mask)
-int v;
-u_32_t *addr, *mask;
-{
- struct in_addr ipa;
- int ones;
-
-#ifdef USE_INET6
- if (v == 6) {
- ones = count6bits(mask);
- if (ones == 0 && !addr[0] && !addr[1] && !addr[2] && !addr[3])
- printf("any");
- else {
- char ipbuf[64];
- printf("%s/%d",
- inet_ntop(AF_INET6, addr, ipbuf, sizeof(ipbuf)),
- ones);
- }
- }
- else
-#endif
- if (!*addr && !*mask)
- printf("any");
- else {
- ipa.s_addr = *addr;
- printf("%s", inet_ntoa(ipa));
- if ((ones = countbits(*mask)) == -1) {
- ipa.s_addr = *mask;
- printf("/%s", inet_ntoa(ipa));
- } else
- printf("/%d", ones);
- }
-}
-
-
-void printportcmp(pr, frp)
-int pr;
-frpcmp_t *frp;
-{
- static char *pcmp1[] = { "*", "=", "!=", "<", ">", "<=", ">=",
- "<>", "><"};
-
- if (frp->frp_cmp == FR_INRANGE || frp->frp_cmp == FR_OUTRANGE)
- printf(" port %d %s %d", frp->frp_port,
- pcmp1[frp->frp_cmp], frp->frp_top);
- else
- printf(" port %s %s", pcmp1[frp->frp_cmp],
- portname(pr, frp->frp_port));
-}
-
-
-void printbuf(buf, len, zend)
-char *buf;
-int len, zend;
-{
- char *s, c;
- int i;
-
- for (s = buf, i = len; i; i--) {
- c = *s++;
- if (isprint(c))
- putchar(c);
- else
- printf("\\%03o", c);
- if ((c == '\0') && zend)
- break;
- }
-}
diff --git a/sbin/ipf/facpri.c b/sbin/ipf/facpri.c
deleted file mode 100644
index 4333b4345fd..00000000000
--- a/sbin/ipf/facpri.c
+++ /dev/null
@@ -1,148 +0,0 @@
-/* $OpenBSD: facpri.c,v 1.5 2001/01/17 05:00:58 fgsch Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#include <stdio.h>
-#include <string.h>
-#include <limits.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#endif
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <syslog.h>
-#include "facpri.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$IPFilter: facpri.c,v 1.3 2000/03/13 22:10:18 darrenr Exp $";
-#endif
-
-typedef struct table {
- char *name;
- int value;
-} table_t;
-
-table_t facs[] = {
- { "kern", LOG_KERN }, { "user", LOG_USER },
- { "mail", LOG_MAIL }, { "daemon", LOG_DAEMON },
- { "auth", LOG_AUTH }, { "syslog", LOG_SYSLOG },
- { "lpr", LOG_LPR }, { "news", LOG_NEWS },
- { "uucp", LOG_UUCP },
-#if LOG_CRON == LOG_CRON2
- { "cron2", LOG_CRON1 },
-#else
- { "cron", LOG_CRON1 },
-#endif
-#ifdef LOG_FTP
- { "ftp", LOG_FTP },
-#endif
-#ifdef LOG_AUTHPRIV
- { "authpriv", LOG_AUTHPRIV },
-#endif
-#ifdef LOG_AUDIT
- { "audit", LOG_AUDIT },
-#endif
-#ifdef LOG_LFMT
- { "logalert", LOG_LFMT },
-#endif
-#if LOG_CRON == LOG_CRON1
- { "cron", LOG_CRON2 },
-#else
- { "cron2", LOG_CRON2 },
-#endif
- { "local0", LOG_LOCAL0 }, { "local1", LOG_LOCAL1 },
- { "local2", LOG_LOCAL2 }, { "local3", LOG_LOCAL3 },
- { "local4", LOG_LOCAL4 }, { "local5", LOG_LOCAL5 },
- { "local6", LOG_LOCAL6 }, { "local7", LOG_LOCAL7 },
- { NULL, 0 }
-};
-
-
-/*
- * map a facility number to its name
- */
-char *
-fac_toname(facpri)
- int facpri;
-{
- int i, j, fac;
-
- fac = facpri & LOG_FACMASK;
- j = fac >> 3;
- if (j < 24) {
- if (facs[j].value == fac)
- return facs[j].name;
- for (i = 0; facs[i].name; i++)
- if (fac == facs[i].value)
- return facs[i].name;
- }
-
- return NULL;
-}
-
-
-/*
- * map a facility name to its number
- */
-int
-fac_findname(name)
- char *name;
-{
- int i;
-
- for (i = 0; facs[i].name; i++)
- if (!strcmp(facs[i].name, name))
- return facs[i].value;
- return -1;
-}
-
-
-table_t pris[] = {
- { "emerg", LOG_EMERG }, { "alert", LOG_ALERT },
- { "crit", LOG_CRIT }, { "err", LOG_ERR },
- { "warn", LOG_WARNING }, { "notice", LOG_NOTICE },
- { "info", LOG_INFO }, { "debug", LOG_DEBUG },
- { NULL, 0 }
-};
-
-
-/*
- * map a priority name to its number
- */
-int
-pri_findname(name)
- char *name;
-{
- int i;
-
- for (i = 0; pris[i].name; i++)
- if (!strcmp(pris[i].name, name))
- return pris[i].value;
- return -1;
-}
-
-
-/*
- * map a priority number to its name
- */
-char *
-pri_toname(facpri)
- int facpri;
-{
- int i, pri;
-
- pri = facpri & LOG_PRIMASK;
- if (pris[pri].value == pri)
- return pris[pri].name;
- for (i = 0; pris[i].name; i++)
- if (pri == pris[i].value)
- return pris[i].name;
- return NULL;
-}
diff --git a/sbin/ipf/facpri.h b/sbin/ipf/facpri.h
deleted file mode 100644
index 68621f5b4a2..00000000000
--- a/sbin/ipf/facpri.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/* $OpenBSD: facpri.h,v 1.5 2001/01/17 05:00:58 fgsch Exp $ */
-
-/*
- * Copyright (C) 1999-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- * $IPFilter: facpri.h,v 1.3 2000/03/13 22:10:18 darrenr Exp $
- */
-
-#ifndef __FACPRI_H__
-#define __FACPRI_H__
-
-#ifndef __P
-# define P_DEF
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-extern char *fac_toname __P((int));
-extern int fac_findname __P((char *));
-
-extern char *pri_toname __P((int));
-extern int pri_findname __P((char *));
-
-#ifdef P_DEF
-# undef __P
-# undef P_DEF
-#endif
-
-#if LOG_CRON == (9<<3)
-# define LOG_CRON1 LOG_CRON
-# define LOG_CRON2 (15<<3)
-#endif
-#if LOG_CRON == (15<<3)
-# define LOG_CRON1 (9<<3)
-# define LOG_CRON2 LOG_CRON
-#endif
-
-#endif /* __FACPRI_H__ */
diff --git a/sbin/ipf/ifaddr.c b/sbin/ipf/ifaddr.c
deleted file mode 100644
index 59e3fcf1b8a..00000000000
--- a/sbin/ipf/ifaddr.c
+++ /dev/null
@@ -1,45 +0,0 @@
-/* $OpenBSD: ifaddr.c,v 1.7 2001/01/30 04:26:01 kjell Exp $ */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <net/if.h>
-#include <arpa/inet.h>
-#include <string.h>
-#include <err.h>
-#include "ifaddr.h"
-
-/*
- * if_addr():
- * given a string containing an interface name (e.g. "ppp0")
- * return the IP address it represents
- *
- * The OpenBSD community considers this feature to be quite useful and
- * suggests inclusion into other platforms. The closest alternative is
- * to define /etc/networks with suitable values.
- */
-int if_addr(name, ap)
- char *name;
- struct in_addr *ap;
-{
- struct sockaddr_in *sin;
- struct ifreq ifr;
- int s;
-
- if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
- warn("socket");
- return (0);
- }
-
- strncpy(ifr.ifr_name, name, IFNAMSIZ);
- ifr.ifr_name[IFNAMSIZ - 1] = '\0';
-
- if (ioctl(s, SIOCGIFADDR, &ifr) < 0)
- return (0);
-
- sin = (struct sockaddr_in *)&ifr.ifr_addr;
- *ap = sin->sin_addr;
-
- return (1);
-}
diff --git a/sbin/ipf/ifaddr.h b/sbin/ipf/ifaddr.h
deleted file mode 100644
index 34e01f42fc5..00000000000
--- a/sbin/ipf/ifaddr.h
+++ /dev/null
@@ -1,3 +0,0 @@
-/* $OpenBSD: ifaddr.h,v 1.6 2001/01/17 05:00:58 fgsch Exp $ */
-
-int if_addr __P((char *, struct in_addr *));
diff --git a/sbin/ipf/ipf.4 b/sbin/ipf/ipf.4
deleted file mode 100644
index 49471c29b28..00000000000
--- a/sbin/ipf/ipf.4
+++ /dev/null
@@ -1,257 +0,0 @@
-.\" $OpenBSD: ipf.4,v 1.22 2001/01/30 04:26:01 kjell Exp $
-.\"
-.TH IPF 4
-.SH NAME
-ipf \- packet filtering kernel interface
-.SH SYNOPSIS
-#include <netinet/ip_compat.h>
-.br
-#include <netinet/ip_fil.h>
-.SH IOCTLS
-.PP
-To add and delete rules to the filter list, three 'basic' ioctls are provided
-for use. The ioctl's are called as:
-.LP
-.nf
- ioctl(fd, SIOCADDFR, struct frentry **)
- ioctl(fd, SIOCDELFR, struct frentry **)
- ioctl(fd, SIOCIPFFL, int *)
-.fi
-.PP
-However, the full complement is as follows:
-.LP
-.nf
- ioctl(fd, SIOCADAFR, struct frentry **) (same as SIOCADDFR)
- ioctl(fd, SIOCRMAFR, struct frentry **) (same as SIOCDELFR)
- ioctl(fd, SIOCADIFR, struct frentry **)
- ioctl(fd, SIOCRMIFR, struct frentry **)
- ioctl(fd, SIOCINAFR, struct frentry **)
- ioctl(fd, SIOCINIFR, struct frentry **)
- ioctl(fd, SIOCSETFF, u_int *)
- ioctl(fd, SIOGGETFF, u_int *)
- ioctl(fd, SIOCGETFS, struct friostat **)
- ioctl(fd, SIOCIPFFL, int *)
- ioctl(fd, SIOCIPFFB, int *)
- ioctl(fd, SIOCSWAPA, u_int *)
- ioctl(fd, SIOCFRENB, u_int *)
- ioctl(fd, SIOCFRSYN, u_int *)
- ioctl(fd, SIOCFRZST, struct friostat **)
- ioctl(fd, SIOCZRLST, struct frentry **)
- ioctl(fd, SIOCAUTHW, struct fr_info **)
- ioctl(fd, SIOCAUTHR, struct fr_info **)
- ioctl(fd, SIOCATHST, struct fr_authstat **)
-.fi
-.PP
-The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists,
-active and inactive, respectively. All of these ioctl's are implemented
-as being routing ioctls and thus the same rules for the various routing
-ioctls and the file descriptor are employed, mainly being that the fd must
-be that of the device associated with the module (i.e., /dev/ipl).
-.LP
-.PP
-The three groups of ioctls above perform adding rules to the end of the
-list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
-and insertion of a rule into the list (SIOCIN*). The rule place into
-which it is inserted is stored in the "fr_hits" field, below.
-.LP
-.nf
-typedef struct frentry {
- struct frentry *fr_next;
- u_short fr_group; /* group to which this rule belongs */
- u_short fr_grhead; /* group # which this rule starts */
- struct frentry *fr_grp;
- int fr_ref; /* reference count - for grouping */
- void *fr_ifa;
-#if BSD >= 199306
- void *fr_oifa;
-#endif
- /*
- * These are only incremented when a packet matches this rule and
- * it is the last match
- */
- U_QUAD_T fr_hits;
- U_QUAD_T fr_bytes;
- /*
- * Fields after this may not change whilst in the kernel.
- */
- struct fr_ip fr_ip;
- struct fr_ip fr_mip; /* mask structure */
-
- u_char fr_tcpfm; /* tcp flags mask */
- u_char fr_tcpf; /* tcp flags */
-
- u_short fr_icmpm; /* data for ICMP packets (mask) */
- u_short fr_icmp;
-
- u_char fr_scmp; /* data for port comparisons */
- u_char fr_dcmp;
- u_short fr_dport;
- u_short fr_sport;
- u_short fr_stop; /* top port for <> and >< */
- u_short fr_dtop; /* top port for <> and >< */
- u_32_t fr_flags; /* per-rule flags && options (see below) */
- u_short fr_skip; /* # of rules to skip */
- u_short fr_loglevel; /* syslog log facility + priority */
- int (*fr_func) __P((int, ip_t *, fr_info_t *));
- char fr_icode; /* return ICMP code */
- char fr_ifname[IFNAMSIZ];
-#if BSD > 199306
- char fr_oifname[IFNAMSIZ];
-#endif
- struct frdest fr_tif; /* "to" interface */
- struct frdest fr_dif; /* duplicate packet interfaces */
-} frentry_t;
-.fi
-.PP
-When adding a new rule, all unused fields (in the filter rule) should be
-initialised to be zero. To insert a rule, at a particular position in the
-filter list, the number of the rule which it is to be inserted before must
-be put in the "fr_hits" field (the first rule is number 0).
-.LP
-.PP
-Flags which are recognised in fr_flags:
-.nf
-
- FR_BLOCK 0x000001 /* do not allow packet to pass */
- FR_PASS 0x000002 /* allow packet to pass */
- FR_OUTQUE 0x000004 /* outgoing packets */
- FR_INQUE 0x000008 /* ingoing packets */
- FR_LOG 0x000010 /* Log */
- FR_LOGB 0x000011 /* Log-fail */
- FR_LOGP 0x000012 /* Log-pass */
- FR_LOGBODY 0x000020 /* log the body of packets too */
- FR_LOGFIRST 0x000040 /* log only the first packet to match */
- FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
- FR_RETICMP 0x000100 /* return an ICMP packet if blocked */
- FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
- FR_NOMATCH 0x000200 /* no match occured */
- FR_ACCOUNT 0x000400 /* count packet bytes */
- FR_KEEPFRAG 0x000800 /* keep fragment information */
- FR_KEEPSTATE 0x001000 /* keep `connection' state information */
- FR_INACTIVE 0x002000
- FR_QUICK 0x004000 /* match & stop processing list */
- FR_FASTROUTE 0x008000 /* bypass normal routing */
- FR_CALLNOW 0x010000 /* call another function (fr_func) if matches */
- FR_DUP 0x020000 /* duplicate the packet */
- FR_LOGORBLOCK 0x040000 /* block the packet if it can't be logged */
- FR_NOTSRCIP 0x080000 /* not the src IP# */
- FR_NOTDSTIP 0x100000 /* not the dst IP# */
- FR_AUTH 0x200000 /* use authentication */
- FR_PREAUTH 0x400000 /* require preauthentication */
-
-.fi
-.PP
-Values for fr_scomp and fr_dcomp (source and destination port value
-comparisons) :
-.LP
-.nf
- FR_NONE 0
- FR_EQUAL 1
- FR_NEQUAL 2
- FR_LESST 3
- FR_GREATERT 4
- FR_LESSTE 5
- FR_GREATERTE 6
- FR_OUTRANGE 7
- FR_INRANGE 8
-.fi
-.PP
-The third ioctl, SIOCIPFFL, flushes either the input filter list, the
-output filter list or both and it returns the number of filters removed
-from the list(s). The values which it will take and recognise are FR_INQUE
-and FR_OUTQUE (see above). This ioctl is also implemented for
-\fB/dev/ipstate\fP and will flush all state tables entries if passed 0
-or just all those which are not established if passed 1.
-
-.IP "\fBGeneral Logging Flags\fP" 0
-There are two flags which can be set to log packets independantly of the
-rules used. These allow for packets which are either passed or blocked
-to be logged. To set (and clear)/get these flags, two ioctls are
-provided:
-.IP SIOCSETFF 16
-Takes an unsigned integer as the parameter. The flags are then set to
-those provided (clearing/setting all in one).
-.nf
-
- FF_LOGPASS 0x10000000
- FF_LOGBLOCK 0x20000000
- FF_LOGNOMATCH 0x40000000
- FF_BLOCKNONIP 0x80000000 /* Solaris 2.x only */
-.fi
-.IP SIOCGETFF 16
-Takes a pointer to an unsigned integer as the parameter. A copy of the
-flags currently in used is copied to user space.
-.IP "\fBFilter statistics\fP" 0
-Statistics on the various operations performed by this package on packets
-is kept inside the kernel. These statistics apply to packets traversing
-through the kernel. To retrieve this structure, use this ioctl:
-.nf
-
- ioctl(fd, SIOCGETFS, struct friostat *)
-
-struct friostat {
- struct filterstats f_st[2];
- struct frentry *f_fin[2];
- struct frentry *f_fout[2];
- struct frentry *f_acctin[2];
- struct frentry *f_acctout[2];
- struct frentry *f_auth;
- u_long f_froute[2];
- int f_active; /* 1 or 0 - active rule set */
- int f_defpass; /* default pass - from fr_pass */
- int f_running; /* 1 if running, else 0 */
- int f_logging; /* 1 if enabled, else 0 */
- char f_version[32]; /* version string */
-};
-
-struct filterstats {
- u_long fr_pass; /* packets allowed */
- u_long fr_block; /* packets denied */
- u_long fr_nom; /* packets which don't match any rule */
- u_long fr_ppkl; /* packets allowed and logged */
- u_long fr_bpkl; /* packets denied and logged */
- u_long fr_npkl; /* packets unmatched and logged */
- u_long fr_pkl; /* packets logged */
- u_long fr_skip; /* packets to be logged but buffer full */
- u_long fr_ret; /* packets for which a return is sent */
- u_long fr_acct; /* packets for which counting was performed */
- u_long fr_bnfr; /* bad attempts to allocate fragment state */
- u_long fr_nfr; /* new fragment state kept */
- u_long fr_cfr; /* add new fragment state but complete pkt */
- u_long fr_bads; /* bad attempts to allocate packet state */
- u_long fr_ads; /* new packet state kept */
- u_long fr_chit; /* cached hit */
- u_long fr_pull[2]; /* good and bad pullup attempts */
-#if SOLARIS
- u_long fr_notdata; /* PROTO/PCPROTO that have no data */
- u_long fr_nodata; /* mblks that have no data */
- u_long fr_bad; /* bad IP packets to the filter */
- u_long fr_notip; /* packets passed through no on ip queue */
- u_long fr_drop; /* packets dropped - no info for them! */
-#endif
-};
-.fi
-If we wanted to retrieve all the statistics and reset the counters back to
-0, then the ioctl() call would be made to SIOCFRZST rather than SIOCGETFS.
-In addition to the statistics above, each rule keeps a hit count, counting
-both number of packets and bytes. To reset these counters for a rule,
-load the various rule information into a frentry structure and call
-SIOCZRLST.
-.IP "Swapping Active lists" 0
-IP Filter supports two lists of rules for filtering and accounting: an
-active list and an inactive list. This allows for large scale rule base
-changes to be put in place atomically with otherwise minimal interruption.
-Which of the two is active can be changed using the SIOCSWAPA ioctl. It
-is important to note that no passed argument is recognised and that the
-value returned is that of the list which is now inactive.
-.br
-.SH FILES
-/dev/ipauth
-.br
-/dev/ipl
-.br
-/dev/ipnat
-.br
-/dev/ipstate
-.SH SEE ALSO
-ipl(4), ipnat(4), ipf(5), ipf(8), ipfstat(8)
diff --git a/sbin/ipf/ipf.5 b/sbin/ipf/ipf.5
deleted file mode 100644
index 13f02a01a42..00000000000
--- a/sbin/ipf/ipf.5
+++ /dev/null
@@ -1,542 +0,0 @@
-.\" $OpenBSD: ipf.5,v 1.26 2001/01/30 04:26:01 kjell Exp $
-.\"
-.TH IPF 5
-.SH NAME
-ipf \- IP packet filter rule syntax
-.SH DESCRIPTION
-.PP
-A rule file for \fBipf\fP may have any name or even be stdin. As
-\fBipfstat\fP produces parseable rules as output when displaying the internal
-kernel filter lists, it is quite plausible to use its output to feed back
-into \fBipf\fP. Thus, to remove all filters on input packets, the following
-could be done:
-.nf
-
-\fC# ipfstat \-i | ipf \-rf \-\fP
-.fi
-.SH GRAMMAR
-.PP
-The format used by \fBipf\fP for construction of filtering rules can be
-described using the following grammar in BNF:
-\fC
-.nf
-filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
- [ proto ] [ ip ] [ group ].
-
-insert = "@" decnumber .
-action = block | "pass" | log | "count" | skip | auth | call .
-in-out = "in" | "out" .
-options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
-tos = "tos" decnumber | "tos" hexnumber .
-ttl = "ttl" decnumber .
-proto = "proto" protocol .
-ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
-group = [ "head" decnumber ] [ "group" decnumber ] .
-
-block = "block" [ return-icmp[return-code] | "return-rst" ] .
-auth = "auth" | "preauth" .
-log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
-call = "call" [ "now" ] function-name .
-skip = "skip" decnumber .
-dup = "dup-to" interface-name[":"ipaddr] .
-froute = "fastroute" | "to" interface-name .
-protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
-srcdst = "all" | fromto .
-fromto = "from" [ "!" ] object "to" [ "!" ] object .
-
-return-icmp = "return-icmp" | "return-icmp-as-dest" .
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
-flags = "flags" flag { flag } [ "/" flag { flag } ] .
-with = "with" | "and" .
-icmp = "icmp-type" icmp-type [ "code" decnumber ] .
-return-code = "("icmp-code")" .
-keep = "keep" "state" | "keep" "frags" .
-loglevel = facility"."priority | priority .
-
-nummask = host-name [ "/" decnumber ] .
-host-name = ipaddr | hostname | "any" .
-ipaddr = host-num "." host-num "." host-num "." host-num .
-host-num = digit [ digit [ digit ] ] .
-port-num = service-name | decnumber .
-
-withopt = [ "not" | "no" ] opttype [ withopt ] .
-opttype = "ipopts" | "short" | "frag" | "opt" ipopts .
-optname = ipopts [ "," optname ] .
-ipopts = optlist | "sec-class" [ secname ] .
-secname = seclvl [ "," secname ] .
-seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
- "reserv-4" | "secret" | "topsecret" .
-icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
- "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
- "inforep" | "maskreq" | "maskrep" | decnumber .
-icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
- "filter-prohib" | "host-preced" | "cutoff-preced" .
-optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
- "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
- "addext" | "visa" | "imitd" | "eip" | "finn" .
-facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
- "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
- "audit" | "logalert" | "local0" | "local1" | "local2" |
- "local3" | "local4" | "local5" | "local6" | "local7" .
-priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
- "info" | "debug" .
-
-hexnumber = "0" "x" hexstring .
-hexstring = hexdigit [ hexstring ] .
-decnumber = digit [ decnumber ] .
-
-compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
- "gt" | "le" | "ge" .
-range = "<>" | "><" .
-hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
-digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-flag = "F" | "S" | "R" | "P" | "A" | "U" .
-.fi
-.PP
-This syntax is somewhat simplified for readability, some combinations
-that match this grammar are disallowed by the software because they do
-not make sense (such as tcp \fBflags\fP for non-TCP packets).
-.SH FILTER RULES
-.PP
-The "briefest" valid rules are (currently) no-ops and are of the form:
-.nf
- block in all
- pass in all
- log out all
- count in all
-.fi
-.PP
-Filter rules are checked in order, with the last matching rule
-determining the fate of the packet (but see the \fBquick\fP option,
-below).
-.PP
-Filters are installed by default at the end of the kernel's filter
-lists, prepending the rule with \fB@n\fP will cause it to be inserted
-as the n'th entry in the current list. This is especially useful when
-modifying and testing active filter rulesets. See ipf(1) for more
-information.
-.SH ACTIONS
-.PP
-The action indicates what to do with the packet if it matches the rest
-of the filter rule. Each rule MUST have an action. The following
-actions are recognised:
-.TP
-.B block
-indicates that the packet should be flagged to be dropped. In response
-to blocking a packet, the filter may be instructed to send a reply
-packet, either an ICMP packet (\fBreturn-icmp\fP), an ICMP packet
-masquerading as being from the original packet's destination
-(\fBreturn-icmp-as-dest\fP), or a TCP "reset" (\fBreturn-rst\fP). An
-ICMP packet may be generated in response to any IP packet, and its
-type may optionally be specified, but a TCP reset may only be used
-with a rule which is being applied to TCP packets. When using
-\fBreturn-icmp\fP or \fBreturn-icmp-as-dest\fP, it is possible to specify
-the actual unreachable `type'. That is, whether it is a network
-unreachable, port unreachable or even administratively
-prohibitied. This is done by enclosing the ICMP code associated with
-it in parenthesis directly following \fBreturn-icmp\fP or
-\fBreturn-icmp-as-dest\fP as follows:
-.nf
- block return-icmp(11) ...
-.fi
-.PP
-Would return a Type-Of-Service (TOS) ICMP unreachable error.
-.TP
-.B pass
-will flag the packet to be let through the filter.
-.TP
-.B log
-causes the packet to be logged (as described in the LOGGING section
-below) and has no effect on whether the packet will be allowed through
-the filter.
-.TP
-.B count
-causes the packet to be included in the accounting statistics kept by
-the filter, and has no effect on whether the packet will be allowed through
-the filter. These statistics are viewable with ipfstat(8).
-.TP
-.B call
-this action is used to invoke the named function in the kernel, which
-must conform to a specific calling interface. Customised actions and
-semantics can thus be implemented to supplement those available. This
-feature is for use by knowledgeable hackers, and is not currently
-documented.
-.TP
-.B "skip <n>"
-causes the filter to skip over the next \fIn\fP filter rules. If a rule is
-inserted or deleted inside the region being skipped over, then the value of
-\fIn\fP is adjusted appropriately.
-.TP
-.B auth
-this allows authentication to be performed by a user-space program running
-and waiting for packet information to validate. The packet is held for a
-period of time in an internal buffer whilst it waits for the program to return
-to the kernel the \fIreal\fP flags for whether it should be allowed through
-or not. Such a program might look at the source address and request some sort
-of authentication from the user (such as a password) before allowing the
-packet through or telling the kernel to drop it if from an unrecognised source.
-.TP
-.B preauth
-tells the filter that for packets of this class, it should look in the
-pre-authenticated list for further clarification. If no further matching
-rule is found, the packet will be dropped (the FR_PREAUTH is not the same
-as FR_PASS). If a further matching rule is found, the result from that is
-used in its instead. This might be used in a situation where a person
-\fIlogs in\fP to the firewall and it sets up some temporary rules defining
-the access for that person.
-.PP
-The next word must be either \fBin\fP or \fBout\fP. Each packet
-moving through the kernel is either inbound (just been received on an
-interface, and moving towards the kernel's protocol processing) or
-outbound (transmitted or forwarded by the stack, and on its way to an
-interface). There is a requirement that each filter rule explicitly
-state which side of the I/O it is to be used on.
-.SH OPTIONS
-.PP
-The list of options is brief, and all are indeed optional. Where
-options are used, they must be present in the order shown here. These
-are the currently supported options:
-.TP
-.B log
-indicates that, should this be the last matching rule, the packet
-header will be written to the \fBipl\fP log (as described in the
-LOGGING section below).
-.TP
-.B quick
-allows "short-cut" rules in order to speed up the filter or override
-later rules. If a packet matches a filter rule which is marked as
-\fBquick\fP, this rule will be the last rule checked, allowing a
-"short-circuit" path to avoid processing later rules for this
-packet. The current status of the packet (after any effects of the
-current rule) will determine whether it is passed or blocked.
-.IP
-If this option is missing, the rule is taken to be a "fall-through"
-rule, meaning that the result of the match (block/pass) is saved and
-that processing will continue to see if there are any more matches.
-.TP
-.B on
-allows an interface name to be incorporated into the matching
-procedure. Interface names are as printed by "netstat \-i". If this
-option is used, the rule will only match if the packet is going
-through that interface in the specified direction (in/out). If this
-option is absent, the rule is taken to be applied to a packet
-regardless of the interface it is present on (i.e. on all interfaces).
-Filter rulesets are common to all interfaces, rather than having a
-filter list for each interface.
-.IP
-This option is especially useful for simple IP-spoofing protection:
-packets should only be allowed to pass inbound on the interface from
-which the specified source address would be expected, others may be
-logged and/or dropped.
-.TP
-.B dup-to
-causes the packet to be copied, and the duplicate packet to be sent
-outbound on the specified interface, optionally with the destination
-IP address changed to that specified. This is useful for off-host
-logging, using a network sniffer.
-.TP
-.B to
-causes the packet to be moved to the outbound queue on the
-specified interface. This can be used to circumvent kernel routing
-decisions, and even to bypass the rest of the kernel processing of the
-packet (if applied to an inbound rule). It is thus possible to
-construct a firewall that behaves transparently, like a filtering hub
-or switch, rather than a router. The \fBfastroute\fP keyword is a
-synonym for this option.
-.SH MATCHING PARAMETERS
-.PP
-The keywords described in this section are used to describe attributes
-of the packet to be used when determining whether rules match or don't
-match. The following general-purpose attributes are provided for
-matching, and must be used in this order:
-.TP
-.B tos
-packets with different Type-Of-Service values can be filtered.
-Individual service levels or combinations can be filtered upon. The
-value for the TOS mask can either be represented as a hex number or a
-decimal integer value.
-.TP
-.B ttl
-packets may also be selected by their Time-To-Live value. The value given in
-the filter rule must exactly match that in the packet for a match to occur.
-This value can only be given as a decimal integer value.
-.TP
-.B proto
-allows a specific protocol to be matched against. All protocol names
-found in \fB/etc/protocols\fP are recognised and may be used.
-However, the protocol may also be given as a DECIMAL number, allowing
-for rules to match your own protocols, or new ones which would
-out-date any attempted listing.
-.IP
-The special protocol keyword \fBtcp/udp\fP may be used to match either
-a TCP or a UDP packet, and has been added as a convenience to save
-duplication of otherwise-identical rules.
-.\" XXX grammar should reflect this (/etc/protocols)
-.PP
-The \fBfrom\fP and \fBto\fP keywords are used to match against IP
-addresses (and optionally port numbers). Rules must specify BOTH
-source and destination parameters.
-.PP
-IP addresses may be specified in one of two ways: as a numerical
-address\fB/\fPmask, or as a hostname \fBmask\fP netmask. The hostname
-may either be a valid hostname, from either the hosts file or DNS
-(depending on your configuration and library) or of the dotted numeric
-form. There is no special designation for networks but network names
-are recognised. Note that having your filter rules depend on DNS
-results can introduce an avenue of attack, and is discouraged.
-.PP
-There is a special case for the hostname \fBany\fP which is taken to
-be 0.0.0.0/0 (see below for mask syntax) and matches all IP addresses.
-Only the presence of "any" has an implied mask, in all other
-situations, a hostname MUST be accompanied by a mask. It is possible
-to give "any" a hostmask, but in the context of this language, it is
-non-sensical.
-.PP
-The numerical format "x\fB/\fPy" indicates that a mask of y
-consecutive 1 bits set is generated, starting with the MSB, so a y value
-of 16 would give 0xffff0000. The symbolic "x \fBmask\fP y" indicates
-that the mask y is in dotted IP notation or a hexadecimal number of
-the form 0x12345678. Note that all the bits of the IP address
-indicated by the bitmask must match the address on the packet exactly;
-there isn't currently a way to invert the sense of the match, or to
-match ranges of IP addresses which do not express themselves easily as
-bitmasks (anthropomorphization; it's not just for breakfast anymore).
-.PP
-If a \fBport\fP match is included, for either or both of source and
-destination, then it is only applied to
-.\" XXX - "may only be" ? how does this apply to other protocols? will it not match, or will it be ignored?
-TCP and UDP packets. If there is no \fBproto\fP match parameter,
-packets from both protocols are compared. This is equivalent to "proto
-tcp/udp". When composing \fBport\fP comparisons, either the service
-name or an integer port number may be used. Port comparisons may be
-done in a number of forms, with a number of comparison operators, or
-port ranges may be specified. When the port appears as part of the
-\fBfrom\fP object, it matches the source port number, when it appears
-as part of the \fBto\fP object, it matches the destination port number.
-See the examples for more information.
-.PP
-The \fBall\fP keyword is essentially a synonym for "from any to any"
-with no other match parameters.
-.PP
-Following the source and destination matching parameters, the
-following additional parameters may be used:
-.TP
-.B with
-is used to match irregular attributes that some packets may have
-associated with them. To match the presence of IP options in general,
-use \fBwith ipopts\fP. To match packets that are too short to contain
-a complete header, use \fBwith short\fP. To match fragmented packets,
-use \fBwith frag\fP. For more specific filtering on IP options,
-individual options can be listed.
-.IP
-Before any parameter used after the \fBwith\fP keyword, the word
-\fBnot\fP or \fBno\fP may be inserted to cause the filter rule to only
-match if the option(s) is not present.
-.IP
-Multiple consecutive \fBwith\fP clauses are allowed. Alternatively,
-the keyword \fBand\fP may be used in place of \fBwith\fP, this is
-provided purely to make the rules more readable ("with ... and ...").
-When multiple clauses are listed, all those must match to cause a
-match of the rule.
-.\" XXX describe the options more specifically in a separate section
-.TP
-.B flags
-is only effective for TCP filtering. Each of the letters possible
-represents one of the possible flags that can be set in the TCP
-header. The association is as follows:
-.LP
-.nf
- F - FIN
- S - SYN
- R - RST
- P - PUSH
- A - ACK
- U - URG
-.fi
-.IP
-The various flag symbols may be used in combination, so that "SA"
-would represent a SYN-ACK combination present in a packet. There is
-nothing preventing the specification of combinations, such as "SFR",
-that would not normally be generated by law-abiding TCP
-implementations. However, to guard against weird aberrations, it is
-necessary to state which flags you are filtering against. To allow
-this, it is possible to set a mask indicating which TCP flags you wish
-to compare (i.e., those you deem significant). This is done by
-appending "/<flags>" to the set of TCP flags you wish to match
-against, e.g.:
-.LP
-.nf
- ... flags S
- # becomes "flags S/AUPRFS" and will match
- # packets with ONLY the SYN flag set.
-
- ... flags SA
- # becomes "flags SA/AUPRFS" and will match any
- # packet with only the SYN and ACK flags set.
-
- ... flags S/SA
- # will match any packet with just the SYN flag set
- # out of the SYN-ACK pair; the common "establish"
- # keyword action. "S/SA" will NOT match a packet
- # with BOTH SYN and ACK set, but WILL match "SFP".
-.fi
-.TP
-.B icmp-type
-is only effective when used with \fBproto icmp\fP and must NOT be used
-in conjuction with \fBflags\fP. There are a number of types, which can be
-referred to by an abbreviation recognised by this language, or the numbers
-with which they are associated can be used. The most important from
-a security point of view is the ICMP redirect.
-.SH KEEP HISTORY
-.PP
-The second last parameter which can be set for a filter rule is whether or not
-to record historical information for that packet, and what sort to keep. The
-following information can be kept:
-.TP
-.B state
-keeps information about the flow of a communication session. State can
-be kept for TCP, UDP, and ICMP packets.
-.TP
-.B frags
-keeps information on fragmented packets, to be applied to later
-fragments.
-.PP
-allowing packets which match these to flow straight through, rather
-than going through the access control list.
-.SH GROUPS
-The last pair of parameters control filter rule "grouping". By default, all
-filter rules are placed in group 0 if no other group is specified. To add a
-rule to a non-default group, the group must first be started by creating a
-group \fIhead\fP. If a packet matches a rule which is the \fIhead\fP of a
-group, the filter processing then switches to the group, using that rule as
-the default for the group. If \fBquick\fP is used with a \fBhead\fP rule, rule
-processing isn't stopped until it has returned from processing the group.
-.PP
-A rule may be both the head for a new group and a member of a non-default
-group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
-.TP
-.B "head <n>"
-indicates that a new group (number n) should be created.
-.TP
-.B "group <n>"
-indicates that the rule should be put in group (number n) rather than group 0.
-.SH LOGGING
-.PP
-When a packet is logged, with either the \fBlog\fP action or option,
-the headers of the packet are written to the \fBipl\fP packet logging
-psuedo-device. Immediately following the \fBlog\fP keyword, the
-following qualifiers may be used (in order):
-.TP
-.B body
-indicates that the first 128 bytes of the packet contents will be
-logged after the headers.
-.TP
-.B first
-If log is being used in conjunction with a "keep" option, it is recommended
-that this option is also applied so that only the triggering packet is logged
-and not every packet which thereafter matches state information.
-.TP
-.B or-block
-indicates that, if for some reason the filter is unable to log the
-packet (such as the log reader being too slow) then the rule should be
-interpreted as if the action was \fBblock\fP for this packet.
-.TP
-.B "level <loglevel>"
-indicates what logging facility and priority, or just priority with
-the default facility being used, will be used to log information about
-this packet using ipmon's -s option.
-.PP
-See ipl(4) for the format of records written
-to this device. The ipmon(8) program can be used to read and format
-this log.
-.SH EXAMPLES
-.PP
-The \fBquick\fP option is good for rules such as:
-\fC
-.nf
-block in quick from any to any with ipopts
-.fi
-.PP
-which will match any packet with a non-standard header length (IP
-options present) and abort further processing of later rules,
-recording a match and also that the packet should be blocked.
-.PP
-The "fall-through" rule parsing allows for effects such as this:
-.LP
-.nf
- block in from any to any port < 6000
- pass in from any to any port >= 6000
- block in from any to any port > 6003
-.fi
-.PP
-which sets up the range 6000-6003 as being permitted and all others being
-denied. Note that the effect of the first rule is overridden by subsequent
-rules. Another (easier) way to do the same is:
-.LP
-.nf
- block in from any to any port 6000 <> 6003
- pass in from any to any port 5999 >< 6004
-.fi
-.PP
-Note that both the "block" and "pass" are needed here to effect a
-result as a failed match on the "block" action does not imply a pass,
-only that the rule hasn't taken effect. To then allow ports < 1024, a
-rule such as:
-.LP
-.nf
- pass in quick from any to any port < 1024
-.fi
-.PP
-would be needed before the first block. To create a new group for
-processing all inbound packets on le0/le1/lo0, with the default being to block
-all inbound packets, we would do something like:
-.LP
-.nf
- block in all
- block in quick on le0 all head 100
- block in quick on le1 all head 200
- block in quick on lo0 all head 300
-.fi
-.PP
-
-and to then allow ICMP packets in on le0, only, we would do:
-.LP
-.nf
- pass in proto icmp all group 100
-.fi
-.PP
-Note that because only inbound packets on le0 are used processed by group 100,
-there is no need to respecify the interface name. Likewise, we could further
-breakup processing of TCP, etc, as follows:
-.LP
-.nf
- block in proto tcp all head 110 group 100
- pass in from any to any port = 23 group 110
-.fi
-.PP
-and so on. The last line, if written without the groups would be:
-.LP
-.nf
- pass in on le0 proto tcp from any to any port = telnet
-.fi
-.PP
-Note, that if we wanted to say "port = telnet", "proto tcp" would
-need to be specified as the parser interprets each rule on its own and
-qualifies all service/port names with the protocol specified.
-.SH FILES
-/dev/ipauth
-.br
-/dev/ipl
-.br
-/dev/ipstate
-.br
-/etc/hosts
-.br
-/etc/services
-.SH SEE ALSO
-ipftest(1), iptest(1), mkfilters(1), ipf(4), ipnat(5), ipf(8), ipfstat(8)
diff --git a/sbin/ipf/ipf.8 b/sbin/ipf/ipf.8
deleted file mode 100644
index 3dbcdcb4c47..00000000000
--- a/sbin/ipf/ipf.8
+++ /dev/null
@@ -1,329 +0,0 @@
-.\" $OpenBSD: ipf.8,v 1.22 2000/03/18 22:55:58 aaron Exp $
-.Dd January 6, 2000
-.Dt IPF 8
-.Os
-.Sh NAME
-.Nm ipf
-.Nd "manage IP packet filtering and firewalling rules"
-.Sh SYNOPSIS
-.Nm ipf
-.Op Fl AdDEInoPrsUvVyzZ
-.Op Fl l Ar category
-.Op Fl F Ar list
-.Op Fl F Ar table
-.Op Fl f Ar filename
-.Sh DESCRIPTION
-The
-.Nm
-utility allows the insertion and removal of TCP/IP packet filtering and
-firewalling rules.
-.Nm
-can be used for anything from very simple tasks (i.e., preventing a host from
-replying to ping packets), to installing complex rulesets for a firewall to
-protect an entire network.
-.Pp
-Based on the specified rules,
-.Nm
-can explicitly deny/permit any inbound or outbound packet on any interface,
-filter by IP networks or hosts, selectively filter packets by protocol and/or
-protocol options, keep packet state information for TCP, UDP, and ICMP packet
-flows, track fragment state information for IP packets (applying the same rules
-to all fragments), and much more.
-.Pp
-.Nm
-provides special capabilities for the most common Internet protocols.
-Both TCP and UDP packets may be filtered by port number or port range, or ICMP
-packets by type/code.
-Rules may filter packets on any arbitrary combination of
-TCP flags, IP options, IP security classes, or Type of Service (TOS).
-.Nm
-also supports inverted host/net matching.
-.Pp
-To get started, follow these steps:
-.Bl -enum -offset indent
-.It
-Edit
-.Pa /etc/rc.conf
-and set
-.Cm ipfilter=YES .
-This will cause
-.Nm
-to install the ruleset specified in
-.Pa /etc/ipf.rules
-each time the system is booted.
-.It
-Check that the kernel has been compiled with
-.Cm option IPFILTER
-(see
-.Xr options 4 ) .
-Refer to
-.Xr afterboot 8
-for further instructions on compiling a custom kernel.
-.It
-Edit
-.Pa /etc/sysctl.conf
-and set
-.Cm net.inet.ip.forwarding=1
-if this machine is to act as a firewall that also routes traffic or does
-Network Address Translation (NAT).
-.El
-.Pp
-Once these steps are complete a rule file may be created.
-A very simple rule file might contain the following:
-.Pp
-.Dl pass in from any to any
-.Dl pass out from any to any
-.Pp
-Here we're passing all packets and not doing any filtering.
-This is a
-recommended starting point since it allows the current configuration to be
-tested before formulating and installing a more restrictive ruleset.
-For example, the following:
-.Pp
-.Dl "block in on we0 proto tcp from foo/32 to any"
-.Pp
-This would block all incoming TCP packets on interface
-.Dq we0
-from host
-.Dq foo
-to any internal destination.
-If this file is
-.Pa /etc/ipf.rules
-(the default location), the following command will flush the kernel's current
-ruleset, install the new ruleset, and enable
-.Pq Fl E
-.Nm ipf :
-.Pp
-.Dl "ipf -Fa -f /etc/ipf.rules -E"
-.Pp
-(This is the exact command executed by the
-.Pa /etc/rc
-script at boot-time if
-.Cm ipfilter=YES
-in
-.Pa /etc/rc.conf . )
-.Pp
-Please see
-.Xr ipf 5
-for a complete description of the
-.Nm
-rules file format and the example files in
-.Pa /usr/share/ipf .
-.Pp
-In addition to
-.Dq active
-rulesets (those installed into the kernel which dictate the current filtering
-policies),
-.Nm
-can maintain a separate
-.Dq inactive
-ruleset simultaneously.
-Inactive rulesets are useful for debugging pending or
-proposed changes to the active ruleset (see
-.Fl I
-option below).
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl A
-Apply changes to the active ruleset.
-This is the default.
-.It Fl I
-Apply changes to the inactive ruleset.
-.It Fl D
-Disable the filter (if enabled).
-.It Fl E
-Enable the filter (if disabled).
-.It Fl F Ar list
-Flush filter lists.
-.Ar list
-is one of
-.Sq i
-(input rules),
-.Sq o
-(output rules),
-or
-.Sq a
-(all filtering rules).
-.It Fl F Ar table
-Flush entries from state tables.
-If
-.Ar table
-is
-.Sq s ,
-.Nm
-removes any state information about connections that are non-fully established.
-If
-.Sq S ,
-.Nm
-removes the entire state table.
-Only one of the two options may be specified.
-A fully established connection will appear in
-.Ic ipfstat -s output
-as
-.Dq 4/4 ;
-any deviations indicate a connection that has not completed the three-way
-handshake.
-.It Fl P
-Add rules as temporary entries in the authentication rule table.
-.It Fl V
-Show version information.
-This will display the version information compiled
-into the ipf binary and retrieve it from the kernel code (if running/present).
-If it is present in the kernel, information about its current state will be
-displayed (whether logging is active, default filtering, etc).
-.It Fl d
-Enable debug mode.
-Causes a hexdump of filter rules to be generated as it processes each one.
-.It Fl f Ar filename
-Read, parse, and process the
-.Nm
-rules contained in
-.Ar filename .
-If
-.Ar filename
-is
-.Ql - ,
-.Nm
-reads from the standard input.
-All valid rules are installed into the kernel's internal rule list using the
-interface described by
-.Xr ipf 4 .
-Blank lines and lines beginning with
-.Ql #
-(comments) are ignored.
-.It Fl l Ar category
-Packet logging.
-.Ar category
-is one of
-.Cm pass ,
-.Cm block ,
-or
-.Cm nomatch .
-Any packet which exits filtering and matches the set category is logged.
-This
-is useful for causing all packets which don't match any of the loaded rules to
-be logged.
-.It Fl n
-No change.
-Prevent
-.Nm
-from actually changing the state of the in-kernel filtering configuration.
-.It Fl o
-Force rules to be added/deleted to/from the output list rather than the
-(default) input list.
-.It Fl r
-Remove matching filter rules rather than add them to the in-kernel lists.
-.It Fl s
-Swap the active and inactive rulesets.
-.It Fl v
-Enable verbose mode.
-.Nm
-will echo each of the successfully processed rules to the standard output.
-The
-original rule and any error messages that result will be echoed to standard
-error.
-.It Fl y
-Force
-.Nm
-to synchronize the IP filter's in-kernel network interface list with the
-current system interface list.
-In particular, if an interface's IP address
-changes (i.e., due to a DHCP operation),
-.Nm
-must be executed with this option.
-.It Fl z
-For each rule in the input file, display its statistics, then reset them to 0.
-.It Fl Z
-Globally reset all in-kernel filtering statistics to 0 (does not affect
-fragment or state statistics).
-.El
-.Sh EXAMPLES
-To flush all in-kernel filtering lists, install the ruleset contained in
-.Pa /etc/ipf.rules
-into the active list, and enable IP filtering:
-.Pp
-.Dl ipf -A -Fa -f /etc/ipf.rules -E
-.Pp
-It is advisable to work with an inactive filtering list before commiting new
-rules to the active in-kernel filtering list.
-To load a ruleset into the inactive list:
-.Pp
-.Dl ipf -I -Fa -f /etc/ipf.rules
-.Pp
-The verbose
-.Pq Fl v
-option is useful for verifying that rules are being processed as
-expected and is often used in conjunction with the inactive
-.Pq Fl I
-ruleset:
-.Pp
-.Dl ipf -I -Fa -vf /etc/ipf.rules
-.Pp
-After the inactive ruleset has been tested and seems to be processed correctly,
-use the
-.Fl s
-option to swap it with the active ruleset so that it represents the new
-filtering policy for the system:
-.Pp
-.Dl ipf -s
-.Pp
-Consider a system manager who administers
-.Nm
-remotely and has made changes to the
-.Pa /etc/ipf.rules
-file on the remote system.
-The following command sequence is noteworthy:
-.Pp
-.Dl ipf -I -Fa -f /etc/ipf.rules
-.Dl ipf -s; sleep 10; ipf -s
-.Pp
-The first command installs the new ruleset into the inactive filtering list.
-The second command first swaps the inactive (new) rules with the active (old)
-rules.
-After entering the second command, type some characters.
-If the characters are echoed the new ruleset is possibly valid.
-If not, within 10
-seconds the old ruleset will be re-installed.
-This trick is useful for minimizing service disruptions.
-.Sh NOTES
-Rules are checked in the order they are specified.
-The last matching rule wins, except when the
-.Dq quick
-keyword is present (see
-.Xr ipf 5 ) .
-.Pp
-Note that
-.Fl F Ns No a
-does not affect the state table.
-To view the current state table, use the
-.Xr ipfstat 8
-program:
-.Pp
-.Dl ipfstat -s
-.Pp
-To remove all active state entries:
-.Pp
-.Dl ipf -FS
-.Sh FILES
-.Bl -tag -width /usr/share/ipf/example.* -compact
-.It /usr/share/ipf/example.*
-sample rule files
-.It /dev/ipfauth
-ipf authentication socket
-.It /dev/ipl
-ipf logging socket
-.It /dev/ipstate
-ipf state socket
-.El
-.Sh SEE ALSO
-.Xr ipftest 1 ,
-.Xr ipf 4 ,
-.Xr ipl 4 ,
-.Xr ipnat 4 ,
-.Xr ipf 5 ,
-.Xr ipfstat 8 ,
-.Xr ipmon 8 ,
-.Xr ipnat 8
-.Pp
-http://coombs.anu.edu.au/~avalon
diff --git a/sbin/ipf/ipf.c b/sbin/ipf/ipf.c
deleted file mode 100644
index 6e9a000e136..00000000000
--- a/sbin/ipf/ipf.c
+++ /dev/null
@@ -1,627 +0,0 @@
-/* $OpenBSD: ipf.c,v 1.26 2001/01/30 04:26:01 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#ifdef __FreeBSD__
-# include <osreldate.h>
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <sys/time.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_nat.h>
-#include "ipf.h"
-#include <netinet/ipl.h>
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ipf.c,v 2.10.2.5 2000/10/25 10:37:11 darrenr Exp $";
-#endif
-
-#if SOLARIS
-static void blockunknown __P((void));
-#endif
-#if !defined(__SVR4) && defined(__GNUC__)
-extern char *index __P((const char *, int));
-#endif
-
-extern char *optarg;
-
-void frsync __P((void));
-void zerostats __P((void));
-int main __P((int, char *[]));
-
-int opts = 0;
-#ifdef USE_INET6
-int use_inet6 = 0;
-#endif
-
-static int fd = -1;
-
-static void procfile __P((char *, char *)), flushfilter __P((char *));
-static void set_state __P((u_int)), showstats __P((friostat_t *));
-static void packetlogon __P((char *)), swapactive __P((void));
-static int opendevice __P((char *));
-static void closedevice __P((void));
-static char *getline __P((char *, size_t, FILE *, int *));
-static char *ipfname = IPL_NAME;
-static void usage __P((void));
-static void showversion __P((void));
-static int get_flags __P((void));
-
-#if SOLARIS
-#define OPTS "6AdDEf:F:Il:noPrsUvVyzZ"
-#else
-#define OPTS "6AdDEf:F:Il:noPrsvVyzZ"
-#endif
-
-static void usage()
-{
-#if SOLARIS
- fprintf(stderr, "usage: ipf [-6AdDEInoPrsUvVyzZ] %s %s %s\n",
-#else
- fprintf(stderr, "usage: ipf [-6AdDEInoPrsvVyzZ] %s %s %s\n",
-#endif
- "[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]");
- exit(1);
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- int c;
-
- while ((c = getopt(argc, argv, OPTS)) != -1)
- if (c == '?')
- usage();
-
- optreset=1;
- optind=1;
- while ((c = getopt(argc, argv, OPTS)) != -1) {
- switch (c)
- {
-#ifdef USE_INET6
- case '6' :
- use_inet6 = 1;
- break;
-#endif
- case 'A' :
- opts &= ~OPT_INACTIVE;
- break;
- case 'E' :
- set_state((u_int)1);
- break;
- case 'D' :
- set_state((u_int)0);
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'f' :
- procfile(argv[0], optarg);
- break;
- case 'F' :
- flushfilter(optarg);
- break;
- case 'I' :
- opts |= OPT_INACTIVE;
- break;
- case 'l' :
- packetlogon(optarg);
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'o' :
- break;
- case 'P' :
- ipfname = IPL_AUTH;
- break;
- case 'r' :
- opts |= OPT_REMOVE;
- break;
- case 's' :
- swapactive();
- break;
-#if SOLARIS
- case 'U' :
- blockunknown();
- break;
-#endif
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'V' :
- showversion();
- break;
- case 'y' :
- frsync();
- break;
- case 'z' :
- opts |= OPT_ZERORULEST;
- break;
- case 'Z' :
- zerostats();
- break;
- }
- }
-
- if (fd != -1)
- (void) close(fd);
-
- exit(0);
- /* NOTREACHED */
-}
-
-
-static int opendevice(ipfdev)
-char *ipfdev;
-{
- if (opts & OPT_DONOTHING)
- return -2;
-
- if (!ipfdev)
- ipfdev = ipfname;
-
- if (!(opts & OPT_DONOTHING) && fd == -1)
- if ((fd = open(ipfdev, O_RDWR)) == -1)
- if ((fd = open(ipfdev, O_RDONLY)) == -1)
- perror("open device");
- return fd;
-}
-
-
-static void closedevice()
-{
- close(fd);
- fd = -1;
-}
-
-
-static int get_flags()
-{
- int i;
-
- if ((opendevice(ipfname) != -2) && (ioctl(fd, SIOCGETFF, &i) == -1)) {
- perror("SIOCGETFF");
- return 0;
- }
- return i;
-}
-
-
-static void set_state(enable)
-u_int enable;
-{
- if (opendevice(ipfname) != -2)
- if (ioctl(fd, SIOCFRENB, &enable) == -1) {
- if (errno == EBUSY)
- fprintf(stderr,
- "IP FIlter: already initialized\n");
- else
- perror("SIOCFRENB");
- }
- return;
-}
-
-static void procfile(name, file)
-char *name, *file;
-{
- FILE *fp;
- char line[513], *s;
- struct frentry *fr;
- u_int add, del;
- int linenum = 0;
-
- (void) opendevice(ipfname);
-
- if (opts & OPT_INACTIVE) {
- add = SIOCADIFR;
- del = SIOCRMIFR;
- } else {
- add = SIOCADAFR;
- del = SIOCRMAFR;
- }
- if (opts & OPT_DEBUG)
- printf("add %x del %x\n", add, del);
-
- initparse();
-
- if (!strcmp(file, "-"))
- fp = stdin;
- else if (!(fp = fopen(file, "r"))) {
- fprintf(stderr, "%s: fopen(%s) failed: %s\n", name, file,
- STRERROR(errno));
- exit(1);
- }
-
- while (getline(line, sizeof(line), fp, &linenum)) {
- /*
- * treat CR as EOL. LF is converted to NUL by getline().
- */
- if ((s = index(line, '\r')))
- *s = '\0';
- /*
- * # is comment marker, everything after is a ignored
- */
- if ((s = index(line, '#')))
- *s = '\0';
-
- if (!*line)
- continue;
-
- if (opts & OPT_VERBOSE)
- (void)fprintf(stderr, "[%s]\n", line);
-
- fr = parse(line, linenum);
- (void)fflush(stdout);
-
- if (fr) {
- if (opts & OPT_ZERORULEST)
- add = SIOCZRLST;
- else if (opts & OPT_INACTIVE)
- add = (u_int)fr->fr_hits ? SIOCINIFR :
- SIOCADIFR;
- else
- add = (u_int)fr->fr_hits ? SIOCINAFR :
- SIOCADAFR;
- if (fr->fr_hits)
- fr->fr_hits--;
- if (fr && (opts & OPT_VERBOSE))
- printfr(fr);
- if (fr && (opts & OPT_OUTQUE))
- fr->fr_flags |= FR_OUTQUE;
-
- if (opts & OPT_DEBUG)
- binprint(fr);
-
- if ((opts & OPT_ZERORULEST) &&
- !(opts & OPT_DONOTHING)) {
- if (ioctl(fd, add, &fr) == -1) {
- fprintf(stderr, "%d:", linenum);
- perror("ioctl(SIOCZRLST)");
- } else {
-#ifdef USE_QUAD_T
- printf("hits %qd bytes %qd ",
- (long long)fr->fr_hits,
- (long long)fr->fr_bytes);
-#else
- printf("hits %ld bytes %ld ",
- fr->fr_hits, fr->fr_bytes);
-#endif
- printfr(fr);
- }
- } else if ((opts & OPT_REMOVE) &&
- !(opts & OPT_DONOTHING)) {
- if (ioctl(fd, del, &fr) == -1) {
- fprintf(stderr, "%d:", linenum);
- perror("ioctl(delete rule)");
- }
- } else if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, add, &fr) == -1) {
- fprintf(stderr, "%d:", linenum);
- perror("ioctl(add/insert rule)");
- }
- }
- }
- }
- if (ferror(fp) || !feof(fp)) {
- fprintf(stderr, "%s: %s: file error or line too long\n",
- name, file);
- exit(1);
- }
- (void)fclose(fp);
-}
-
-/*
- * Similar to fgets(3) but can handle '\\' and NL is converted to NUL.
- * Returns NULL if error occured, EOF encounterd or input line is too long.
- */
-static char *getline(str, size, file, linenum)
-register char *str;
-size_t size;
-FILE *file;
-int *linenum;
-{
- char *p;
- int s, len;
-
- do {
- for (p = str, s = size;; p += (len - 1), s -= (len - 1)) {
- /*
- * if an error occured, EOF was encounterd, or there
- * was no room to put NUL, return NULL.
- */
- if (fgets(p, s, file) == NULL)
- return (NULL);
- len = strlen(p);
- if (p[len - 1] != '\n') {
- p[len] = '\0';
- break;
- }
- (*linenum)++;
- p[len - 1] = '\0';
- if (len < 2 || p[len - 2] != '\\')
- break;
- else
- /*
- * Convert '\\' to a space so words don't
- * run together
- */
- p[len - 2] = ' ';
- }
- } while (*str == '\0');
- return (str);
-}
-
-
-static void packetlogon(opt)
-char *opt;
-{
- int flag, err;
-
- flag = get_flags();
- if (flag != 0) {
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
- printf("log flag is currently %#x\n", flag);
- }
-
- flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK);
-
- if (index(opt, 'p')) {
- flag |= FF_LOGPASS;
- if (opts & OPT_VERBOSE)
- printf("set log flag: pass\n");
- }
- if (index(opt, 'm') && (*opt == 'n' || *opt == 'N')) {
- flag |= FF_LOGNOMATCH;
- if (opts & OPT_VERBOSE)
- printf("set log flag: nomatch\n");
- }
- if (index(opt, 'b') || index(opt, 'd')) {
- flag |= FF_LOGBLOCK;
- if (opts & OPT_VERBOSE)
- printf("set log flag: block\n");
- }
-
- if (opendevice(ipfname) != -2 && (err = ioctl(fd, SIOCSETFF, &flag)))
- perror("ioctl(SIOCSETFF)");
-
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- flag = get_flags();
- printf("log flag is now %#x\n", flag);
- }
-}
-
-
-static void flushfilter(arg)
-char *arg;
-{
- int fl = 0, rem;
-
- if (!arg || !*arg)
- return;
- if (!strcmp(arg, "s") || !strcmp(arg, "S")) {
- if (*arg == 'S')
- fl = 0;
- else
- fl = 1;
- rem = fl;
-
- closedevice();
- if (opendevice(IPL_STATE) != -2 &&
- ioctl(fd, SIOCIPFFL, &fl) == -1)
- perror("ioctl(SIOCIPFFL)");
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- printf("remove flags %s (%d)\n", arg, rem);
- printf("removed %d filter rules\n", fl);
- }
- closedevice();
- return;
- }
- if (strchr(arg, 'i') || strchr(arg, 'I'))
- fl = FR_INQUE;
- if (strchr(arg, 'o') || strchr(arg, 'O'))
- fl = FR_OUTQUE;
- if (strchr(arg, 'a') || strchr(arg, 'A'))
- fl = FR_OUTQUE|FR_INQUE;
- fl |= (opts & FR_INACTIVE);
- rem = fl;
-
- if (opendevice(ipfname) != -2 && ioctl(fd, SIOCIPFFL, &fl) == -1)
- perror("ioctl(SIOCIPFFL)");
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
- (rem & FR_OUTQUE) ? "O" : "", rem);
- printf("removed %d filter rules\n", fl);
- }
- return;
-}
-
-
-static void swapactive()
-{
- int in = 2;
-
- if (opendevice(ipfname) != -2 && ioctl(fd, SIOCSWAPA, &in) == -1)
- perror("ioctl(SIOCSWAPA)");
- else
- printf("Set %d now inactive\n", in);
-}
-
-
-void frsync()
-{
- int frsyn = 0;
-
- if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1)
- perror("SIOCFRSYN");
- else
- printf("filter sync'd\n");
-}
-
-
-void zerostats()
-{
- friostat_t fio;
- friostat_t *fiop = &fio;
-
- if (opendevice(ipfname) != -2) {
- if (ioctl(fd, SIOCFRZST, &fiop) == -1) {
- perror("ioctl(SIOCFRZST)");
- exit(-1);
- }
- showstats(fiop);
- }
-
-}
-
-
-/*
- * read the kernel stats for packets blocked and passed
- */
-static void showstats(fp)
-friostat_t *fp;
-{
-#if SOLARIS
- printf("dropped packets:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
- printf("non-ip packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
- printf(" bad packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
-#endif
- printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
- fp->f_st[0].fr_nom);
- printf(" counted %lu\n", fp->f_st[0].fr_acct);
- printf("output packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
- fp->f_st[1].fr_nom);
- printf(" counted %lu\n", fp->f_st[0].fr_acct);
- printf(" input packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
- printf("output packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- printf(" packets logged:\tinput %lu-%lu output %lu-%lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip,
- fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip);
-}
-
-
-#if SOLARIS
-static void blockunknown()
-{
- u_32_t flag;
-
- if (opendevice(ipfname) == -1)
- return;
-
- flag = get_flags();
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
- printf("log flag is currently %#x\n", flag);
-
- flag ^= FF_BLOCKNONIP;
-
- if (opendevice(ipfname) != -2 && ioctl(fd, SIOCSETFF, &flag))
- perror("ioctl(SIOCSETFF)");
-
- if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
- if (ioctl(fd, SIOCGETFF, &flag))
- perror("ioctl(SIOCGETFF)");
-
- printf("log flag is now %#x\n", flag);
- }
-}
-#endif
-
-
-static void showversion()
-{
- struct friostat fio;
- struct friostat *fiop=&fio;
- u_32_t flags;
- char *s;
- int vfd;
-
- printf("ipf: %s (%d)\n", IPL_VERSION, (int)sizeof(frentry_t));
-
- if ((vfd = open(ipfname, O_RDONLY)) == -1) {
- perror("open device");
- return;
- }
-
- if (ioctl(vfd, SIOCGETFS, &fiop)) {
- perror("ioctl(SIOCGETFS)");
- close(vfd);
- return;
- }
- close(vfd);
- flags = get_flags();
-
- printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version),
- (int)sizeof(fio.f_version), fio.f_version);
- printf("Running: %s\n", fio.f_running ? "yes" : "no");
- printf("Log Flags: %#x = ", flags);
- s = "";
- if (flags & FF_LOGPASS) {
- printf("pass");
- s = ", ";
- }
- if (flags & FF_LOGBLOCK) {
- printf("%sblock", s);
- s = ", ";
- }
- if (flags & FF_LOGNOMATCH) {
- printf("%snomatch", s);
- s = ", ";
- }
- if (flags & FF_BLOCKNONIP) {
- printf("%snonip", s);
- s = ", ";
- }
- if (!*s)
- printf("none set");
- putchar('\n');
-
- printf("Default: ");
- if (fio.f_defpass & FR_PASS)
- s = "pass";
- else if (fio.f_defpass & FR_BLOCK)
- s = "block";
- else
- s = "nomatch -> block";
- printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un");
- printf("Active list: %d\n", fio.f_active);
-}
diff --git a/sbin/ipf/ipf.h b/sbin/ipf/ipf.h
deleted file mode 100644
index 164bacda75f..00000000000
--- a/sbin/ipf/ipf.h
+++ /dev/null
@@ -1,117 +0,0 @@
-/* $OpenBSD: ipf.h,v 1.15 2001/01/17 05:00:59 fgsch Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * @(#)ipf.h 1.12 6/5/96
- * $IPFilter: ipf.h,v 2.9.2.2 2000/05/06 11:20:20 darrenr Exp $
- */
-
-#ifndef __IPF_H__
-#define __IPF_H__
-
-#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-#define OPT_REMOVE 0x000001
-#define OPT_DEBUG 0x000002
-#define OPT_OUTQUE FR_OUTQUE /* 0x00004 */
-#define OPT_INQUE FR_INQUE /* 0x00008 */
-#define OPT_LOG FR_LOG /* 0x00010 */
-#define OPT_SHOWLIST 0x000020
-#define OPT_VERBOSE 0x000040
-#define OPT_DONOTHING 0x000080
-#define OPT_HITS 0x000100
-#define OPT_BRIEF 0x000200
-#define OPT_ACCNT FR_ACCOUNT /* 0x0400 */
-#define OPT_FRSTATES FR_KEEPFRAG /* 0x0800 */
-#define OPT_IPSTATES FR_KEEPSTATE /* 0x1000 */
-#define OPT_INACTIVE FR_INACTIVE /* 0x2000 */
-#define OPT_SHOWLINENO 0x004000
-#define OPT_PRINTFR 0x008000
-#define OPT_ZERORULEST 0x010000
-#define OPT_SAVEOUT 0x020000
-#define OPT_AUTHSTATS 0x040000
-#define OPT_RAW 0x080000
-#define OPT_NAT 0x100000
-#define OPT_GROUPS 0x200000
-#define OPT_STATETOP 0x400000
-#define OPT_FLUSH 0x800000
-#define OPT_CLEAR 0x1000000
-#define OPT_NODO 0x80000000
-
-#define OPT_STAT OPT_FRSTATES
-#define OPT_LIST OPT_SHOWLIST
-
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-struct frpcmp;
-
-#ifdef ultrix
-extern char *strdup __P((char *));
-#endif
-
-extern struct frentry *parse __P((char *, int));
-
-extern void printfr __P((struct frentry *));
-extern void binprint __P((struct frentry *)), initparse __P((void));
-extern int portnum __P((char *, u_short *, int));
-
-
-struct ipopt_names {
- int on_value;
- int on_bit;
- int on_siz;
- char *on_name;
-};
-
-
-extern char *proto;
-extern char flagset[];
-extern u_char flags[];
-
-extern u_char tcp_flags __P((char *, u_char *, int));
-extern int countbits __P((u_32_t));
-extern int ratoi __P((char *, int *, int, int));
-extern int ratoui __P((char *, u_int *, u_int, u_int));
-extern int hostmask __P((char ***, u_32_t *, u_32_t *, u_short *, int *,
- u_short *, int));
-extern int ports __P((char ***, u_short *, int *, u_short *, int));
-extern char *portname __P((int, int));
-extern u_32_t buildopts __P((char *, char *, int));
-extern int genmask __P((char *, u_32_t *));
-extern int hostnum __P((u_32_t *, char *, int));
-extern u_32_t optname __P((char ***, u_short *, int));
-extern void printpacket __P((ip_t *));
-extern void printportcmp __P((int, struct frpcmp *));
-extern void printhostmask __P((int, u_32_t *, u_32_t *));
-extern void printbuf __P((char *, int, int));
-#if SOLARIS
-extern int inet_aton __P((const char *, struct in_addr *));
-extern int gethostname __P((char *, int ));
-extern void sync __P((void));
-#endif
-
-#if defined(sun) && !SOLARIS
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-
-#ifndef MIN
-#define MIN(a,b) ((a) > (b) ? (b) : (a))
-#endif
-
-#endif /* __IPF_H__ */
diff --git a/sbin/ipf/opt.c b/sbin/ipf/opt.c
deleted file mode 100644
index d382870b8ad..00000000000
--- a/sbin/ipf/opt.c
+++ /dev/null
@@ -1,180 +0,0 @@
-/* $OpenBSD: opt.c,v 1.16 2001/01/30 04:26:01 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include <arpa/inet.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_fil.h>
-#include "ipf.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: opt.c,v 2.2 2000/03/13 22:10:26 darrenr Exp $";
-#endif
-
-extern int opts;
-
-struct ipopt_names ionames[] ={
- { IPOPT_NOP, 0x000001, 1, "nop" },
- { IPOPT_RR, 0x000002, 7, "rr" }, /* 1 route */
- { IPOPT_ZSU, 0x000004, 3, "zsu" },
- { IPOPT_MTUP, 0x000008, 3, "mtup" },
- { IPOPT_MTUR, 0x000010, 3, "mtur" },
- { IPOPT_ENCODE, 0x000020, 3, "encode" },
- { IPOPT_TS, 0x000040, 8, "ts" }, /* 1 TS */
- { IPOPT_TR, 0x000080, 3, "tr" },
- { IPOPT_SECURITY,0x000100, 11, "sec" },
- { IPOPT_SECURITY,0x000100, 11, "sec-class" },
- { IPOPT_LSRR, 0x000200, 7, "lsrr" }, /* 1 route */
- { IPOPT_E_SEC, 0x000400, 3, "e-sec" },
- { IPOPT_CIPSO, 0x000800, 3, "cipso" },
- { IPOPT_SATID, 0x001000, 4, "satid" },
- { IPOPT_SSRR, 0x002000, 7, "ssrr" }, /* 1 route */
- { IPOPT_ADDEXT, 0x004000, 3, "addext" },
- { IPOPT_VISA, 0x008000, 3, "visa" },
- { IPOPT_IMITD, 0x010000, 3, "imitd" },
- { IPOPT_EIP, 0x020000, 3, "eip" },
- { IPOPT_FINN, 0x040000, 3, "finn" },
- { 0, 0, 0, (char *)NULL } /* must be last */
-};
-
-struct ipopt_names secclass[] = {
- { IPSO_CLASS_RES4, 0x01, 0, "reserv-4" },
- { IPSO_CLASS_TOPS, 0x02, 0, "topsecret" },
- { IPSO_CLASS_SECR, 0x04, 0, "secret" },
- { IPSO_CLASS_RES3, 0x08, 0, "reserv-3" },
- { IPSO_CLASS_CONF, 0x10, 0, "confid" },
- { IPSO_CLASS_UNCL, 0x20, 0, "unclass" },
- { IPSO_CLASS_RES2, 0x40, 0, "reserv-2" },
- { IPSO_CLASS_RES1, 0x80, 0, "reserv-1" },
- { 0, 0, 0, NULL } /* must be last */
-};
-
-
-static u_char seclevel __P((char *));
-int addipopt __P((char *, struct ipopt_names *, int, char *));
-
-static u_char seclevel(slevel)
-char *slevel;
-{
- struct ipopt_names *so;
-
- for (so = secclass; so->on_name; so++)
- if (!strcasecmp(slevel, so->on_name))
- break;
-
- if (!so->on_name) {
- fprintf(stderr, "no such security level: %s\n", slevel);
- return 0;
- }
- return (u_char)so->on_value;
-}
-
-
-int addipopt(op, io, len, class)
-char *op;
-struct ipopt_names *io;
-int len;
-char *class;
-{
- int olen = len;
- struct in_addr ipadr;
- u_short val;
- u_char lvl;
- char *s;
-
- if ((len + io->on_siz) > 48) {
- fprintf(stderr, "options too long\n");
- return 0;
- }
- len += io->on_siz;
- *op++ = io->on_value;
- if (io->on_siz > 1) {
- s = op;
- *op++ = io->on_siz;
- *op++ = IPOPT_MINOFF;
-
- if (class) {
- switch (io->on_value)
- {
- case IPOPT_SECURITY :
- lvl = seclevel(class);
- *(op - 1) = lvl;
- break;
- case IPOPT_LSRR :
- case IPOPT_SSRR :
- ipadr.s_addr = inet_addr(class);
- s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4;
- bcopy((char *)&ipadr, op, sizeof(ipadr));
- break;
- case IPOPT_SATID :
- val = atoi(class);
- bcopy((char *)&val, op, 2);
- break;
- }
- }
-
- op += io->on_siz - 3;
- if (len & 3) {
- *op++ = IPOPT_NOP;
- len++;
- }
- }
- if (opts & OPT_DEBUG)
- fprintf(stderr, "bo: %s %d %#x: %d\n",
- io->on_name, io->on_value, io->on_bit, len);
- return len - olen;
-}
-
-
-u_32_t buildopts(cp, op, len)
-char *cp, *op;
-int len;
-{
- struct ipopt_names *io;
- u_32_t msk = 0;
- char *s, *t;
- int inc;
-
- for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
- if ((t = strchr(s, '=')))
- *t++ = '\0';
- for (io = ionames; io->on_name; io++) {
- if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
- continue;
- if ((inc = addipopt(op, io, len, t))) {
- op += inc;
- len += inc;
- }
- msk |= io->on_bit;
- break;
- }
- if (!io->on_name) {
- fprintf(stderr, "unknown IP option name %s\n", s);
- return 0;
- }
- }
- *op++ = IPOPT_EOL;
- len++;
- return len;
-}
diff --git a/sbin/ipf/parse.c b/sbin/ipf/parse.c
deleted file mode 100644
index 8d667630169..00000000000
--- a/sbin/ipf/parse.c
+++ /dev/null
@@ -1,1243 +0,0 @@
-/* $OpenBSD: parse.c,v 1.38 2001/01/30 04:26:02 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include <syslog.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/ip_fil.h>
-#include "ipf.h"
-#include "facpri.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 darrenr Exp $";
-#endif
-
-extern struct ipopt_names ionames[], secclass[];
-extern int opts;
-#ifdef USE_INET6
-extern int use_inet6;
-#endif
-
-int addicmp __P((char ***, struct frentry *, int));
-int extras __P((char ***, struct frentry *, int));
-
-int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *, int));
-int to_interface __P((frdest_t *, char *, int));
-void print_toif __P((char *, frdest_t *));
-void optprint __P((u_short *, u_long, u_long));
-int loglevel __P((char **, u_int *, int));
-void printlog __P((frentry_t *));
-
-extern char *proto;
-extern char flagset[];
-extern u_char flags[];
-
-
-/* parse()
- *
- * parse a line read from the input filter rule file
- */
-struct frentry *parse(line, linenum)
-char *line;
-int linenum;
-{
- static struct frentry fil;
- struct protoent *p = NULL;
- char *cps[31], **cpp, *endptr;
- int i, cnt = 1, j, ch;
- u_int k;
-
- while (*line && isspace(*line))
- line++;
- if (!*line)
- return NULL;
-
- bzero((char *)&fil, sizeof(fil));
- fil.fr_mip.fi_v = 0xf;
-#ifdef USE_INET6
- fil.fr_ip.fi_v = use_inet6 ? 6 : 4;
-#else
- fil.fr_ip.fi_v = 4;
-#endif
- fil.fr_loglevel = 0xffff;
-
- /*
- * break line up into max of 20 segments
- */
- if (opts & OPT_DEBUG)
- fprintf(stderr, "parse [%s]\n", line);
- for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
- cps[++i] = strtok(NULL, " \b\t\r\n");
- cps[i] = NULL;
-
- if (cnt < 3) {
- fprintf(stderr, "%d: not enough segments in line\n", linenum);
- return NULL;
- }
-
- cpp = cps;
- if (**cpp == '@')
- fil.fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1;
-
-
- if (!strcasecmp("block", *cpp)) {
- fil.fr_flags |= FR_BLOCK;
- if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) &&
- (i = 19))
- fil.fr_flags |= FR_FAKEICMP;
- else if (!strncasecmp(*(cpp+1), "return-icmp", 11) && (i = 11))
- fil.fr_flags |= FR_RETICMP;
- if (fil.fr_flags & FR_RETICMP) {
- cpp++;
- if (strlen(*cpp) == i) {
- if (*(cpp + 1) && **(cpp +1) == '(') {
- cpp++;
- i = 0;
- } else
- i = -1;
- }
-
- /*
- * The ICMP code is not required to follow in ()'s
- */
- if ((i >= 0) && (*(*cpp + i) == '(')) {
- i++;
- j = icmpcode(*cpp + i);
- if (j == -1) {
- fprintf(stderr,
- "%d: unrecognised icmp code %s\n",
- linenum, *cpp + 20);
- return NULL;
- }
- fil.fr_icode = j;
- }
- } else if (!strncasecmp(*(cpp+1), "return-rst", 10)) {
- fil.fr_flags |= FR_RETRST;
- cpp++;
- }
- } else if (!strcasecmp("count", *cpp)) {
- fil.fr_flags |= FR_ACCOUNT;
- } else if (!strcasecmp("pass", *cpp)) {
- fil.fr_flags |= FR_PASS;
- } else if (!strcasecmp("auth", *cpp)) {
- fil.fr_flags |= FR_AUTH;
- } else if (!strcasecmp("preauth", *cpp)) {
- fil.fr_flags |= FR_PREAUTH;
- } else if (!strcasecmp("skip", *cpp)) {
- cpp++;
- if (ratoui(*cpp, &k, 0, UINT_MAX))
- fil.fr_skip = k;
- else {
- fprintf(stderr, "%d: integer must follow skip\n",
- linenum);
- return NULL;
- }
- } else if (!strcasecmp("log", *cpp)) {
- fil.fr_flags |= FR_LOG;
- if (!strcasecmp(*(cpp+1), "body")) {
- fil.fr_flags |= FR_LOGBODY;
- cpp++;
- }
- if (!strcasecmp(*(cpp+1), "first")) {
- fil.fr_flags |= FR_LOGFIRST;
- cpp++;
- }
- if (*cpp && !strcasecmp(*(cpp+1), "or-block")) {
- fil.fr_flags |= FR_LOGORBLOCK;
- cpp++;
- }
- if (!strcasecmp(*(cpp+1), "level")) {
- cpp++;
- if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1)
- return NULL;
- cpp++;
- }
- } else {
- /*
- * Doesn't start with one of the action words
- */
- fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp);
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing 'in'/'out' keyword\n", linenum);
- return NULL;
- }
-
- if (!strcasecmp("in", *cpp))
- fil.fr_flags |= FR_INQUE;
- else if (!strcasecmp("out", *cpp)) {
- fil.fr_flags |= FR_OUTQUE;
- if (fil.fr_flags & FR_RETICMP) {
- fprintf(stderr,
- "%d: Can only use return-icmp with 'in'\n",
- linenum);
- return NULL;
- } else if (fil.fr_flags & FR_RETRST) {
- fprintf(stderr,
- "%d: Can only use return-rst with 'in'\n",
- linenum);
- return NULL;
- }
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing source specification\n", linenum);
- return NULL;
- }
-
- if (!strcasecmp("log", *cpp)) {
- if (!*++cpp) {
- fprintf(stderr, "%d: missing source specification\n",
- linenum);
- return NULL;
- }
- if (fil.fr_flags & FR_PASS)
- fil.fr_flags |= FR_LOGP;
- else if (fil.fr_flags & FR_BLOCK)
- fil.fr_flags |= FR_LOGB;
- if (*cpp && !strcasecmp(*cpp, "body")) {
- fil.fr_flags |= FR_LOGBODY;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "first")) {
- fil.fr_flags |= FR_LOGFIRST;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "or-block")) {
- if (!(fil.fr_flags & FR_PASS)) {
- fprintf(stderr,
- "%d: or-block must be used with pass\n",
- linenum);
- return NULL;
- }
- fil.fr_flags |= FR_LOGORBLOCK;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "level")) {
- if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1)
- return NULL;
- cpp++;
- cpp++;
- }
- }
-
- if (*cpp && !strcasecmp("quick", *cpp)) {
- cpp++;
- fil.fr_flags |= FR_QUICK;
- }
-
- *fil.fr_ifname = '\0';
- if (*cpp && !strcasecmp(*cpp, "on")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: interface name missing\n",
- linenum);
- return NULL;
- }
- (void)strncpy(fil.fr_ifname, *cpp, IFNAMSIZ-1);
- fil.fr_ifname[IFNAMSIZ-1] = '\0';
- cpp++;
- if (!*cpp) {
- if ((fil.fr_flags & FR_RETMASK) == FR_RETRST) {
- fprintf(stderr,
- "%d: %s can only be used with TCP\n",
- linenum, "return-rst");
- return NULL;
- }
- return &fil;
- }
-
- if (*cpp) {
- if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) {
- cpp++;
- if (to_interface(&fil.fr_dif, *cpp, linenum))
- return NULL;
- cpp++;
- }
- if (*cpp && !strcasecmp(*cpp, "to") && *(cpp + 1)) {
- cpp++;
- if (to_interface(&fil.fr_tif, *cpp, linenum))
- return NULL;
- cpp++;
- } else if (*cpp && !strcasecmp(*cpp, "fastroute")) {
- if (!(fil.fr_flags & FR_INQUE)) {
- fprintf(stderr,
- "can only use %s with 'in'\n",
- "fastroute");
- return NULL;
- }
- fil.fr_flags |= FR_FASTROUTE;
- cpp++;
- }
- }
- }
- if (*cpp && !strcasecmp(*cpp, "tos")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: tos missing value\n", linenum);
- return NULL;
- }
- fil.fr_tos = strtol(*cpp, NULL, 0);
- fil.fr_mip.fi_tos = 0xff;
- cpp++;
- }
-
- if (*cpp && !strcasecmp(*cpp, "ttl")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: ttl missing hopcount value\n",
- linenum);
- return NULL;
- }
- if (ratoi(*cpp, &i, 0, 255))
- fil.fr_ttl = i;
- else {
- fprintf(stderr, "%d: invalid ttl (%s)\n",
- linenum, *cpp);
- return NULL;
- }
- fil.fr_mip.fi_ttl = 0xff;
- cpp++;
- }
-
- /*
- * check for "proto <protoname>" only decode udp/tcp/icmp as protoname
- */
- proto = NULL;
- if (*cpp && !strcasecmp(*cpp, "proto")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: protocol name missing\n", linenum);
- return NULL;
- }
- proto = *cpp++;
- if (!strcasecmp(proto, "tcp/udp")) {
- fil.fr_ip.fi_fl |= FI_TCPUDP;
- fil.fr_mip.fi_fl |= FI_TCPUDP;
- } else {
- if (!(p = getprotobyname(proto)) && !isdigit(*proto)) {
- fprintf(stderr,
- "%d: unknown protocol (%s)\n",
- linenum, proto);
- return NULL;
- }
- if (p)
- fil.fr_proto = p->p_proto;
- else if (isdigit(*proto)) {
- i = (int)strtol(proto, &endptr, 0);
- if (*endptr != '\0' || i < 0 || i > 255) {
- fprintf(stderr,
- "%d: unknown protocol (%s)\n",
- linenum, proto);
- return NULL;
- }
- fil.fr_proto = i;
- }
- fil.fr_mip.fi_p = 0xff;
- }
- }
- if ((fil.fr_proto != IPPROTO_TCP) &&
- ((fil.fr_flags & FR_RETMASK) == FR_RETRST)) {
- fprintf(stderr, "%d: %s can only be used with TCP\n",
- linenum, "return-rst");
- return NULL;
- }
-
- /*
- * get the from host and bit mask to use against packets
- */
-
- if (!*cpp) {
- fprintf(stderr, "%d: missing source specification\n", linenum);
- return NULL;
- }
- if (!strcasecmp(*cpp, "all")) {
- cpp++;
- if (!*cpp)
- return &fil;
- } else {
- if (strcasecmp(*cpp, "from")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - from\n",
- linenum, *cpp);
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after from\n",
- linenum);
- return NULL;
- }
- if (**cpp == '!') {
- fil.fr_flags |= FR_NOTSRCIP;
- (*cpp)++;
- }
- ch = 0;
- if (hostmask(&cpp, (u_32_t *)&fil.fr_src,
- (u_32_t *)&fil.fr_smsk, &fil.fr_sport, &ch,
- &fil.fr_stop, linenum)) {
- return NULL;
- }
-
- fil.fr_scmp = ch;
- if (!*cpp) {
- fprintf(stderr, "%d: missing to fields\n", linenum);
- return NULL;
- }
-
- /*
- * do the same for the to field (destination host)
- */
- if (strcasecmp(*cpp, "to")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
- linenum, *cpp);
- return NULL;
- }
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after to\n", linenum);
- return NULL;
- }
- ch = 0;
- if (**cpp == '!') {
- fil.fr_flags |= FR_NOTDSTIP;
- (*cpp)++;
- }
- if (hostmask(&cpp, (u_32_t *)&fil.fr_dst,
- (u_32_t *)&fil.fr_dmsk, &fil.fr_dport, &ch,
- &fil.fr_dtop, linenum)) {
- return NULL;
- }
- fil.fr_dcmp = ch;
- }
-
- /*
- * check some sanity, make sure we don't have icmp checks with tcp
- * or udp or visa versa.
- */
- if (fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp) &&
- fil.fr_proto != IPPROTO_TCP && fil.fr_proto != IPPROTO_UDP) {
- fprintf(stderr, "%d: port operation on non tcp/udp\n", linenum);
- return NULL;
- }
- if (fil.fr_icmp && fil.fr_proto != IPPROTO_ICMP) {
- fprintf(stderr, "%d: icmp comparisons on wrong protocol\n",
- linenum);
- return NULL;
- }
-
- if (!*cpp)
- return &fil;
-
- if (*cpp && !strcasecmp(*cpp, "flags")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: no flags present\n", linenum);
- return NULL;
- }
- fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm, linenum);
- cpp++;
- }
-
- /*
- * extras...
- */
- if ((fil.fr_v == 4) && *cpp && (!strcasecmp(*cpp, "with") ||
- !strcasecmp(*cpp, "and")))
- if (extras(&cpp, &fil, linenum))
- return NULL;
-
- /*
- * icmp types for use with the icmp protocol
- */
- if (*cpp && !strcasecmp(*cpp, "icmp-type")) {
- if (fil.fr_proto != IPPROTO_ICMP) {
- fprintf(stderr,
- "%d: icmp with wrong protocol (%d)\n",
- linenum, fil.fr_proto);
- return NULL;
- }
- if (addicmp(&cpp, &fil, linenum))
- return NULL;
- fil.fr_icmp = htons(fil.fr_icmp);
- fil.fr_icmpm = htons(fil.fr_icmpm);
- }
-
- /*
- * Keep something...
- */
- while (*cpp && !strcasecmp(*cpp, "keep"))
- if (addkeep(&cpp, &fil, linenum))
- return NULL;
-
- /*
- * head of a new group ?
- */
- if (*cpp && !strcasecmp(*cpp, "head")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: head without group #\n", linenum);
- return NULL;
- }
- if (ratoui(*cpp, &k, 0, UINT_MAX))
- fil.fr_grhead = (u_32_t)k;
- else {
- fprintf(stderr, "%d: invalid group (%s)\n",
- linenum, *cpp);
- return NULL;
- }
- cpp++;
- }
-
- /*
- * head of a new group ?
- */
- if (*cpp && !strcasecmp(*cpp, "group")) {
- if (!*++cpp) {
- fprintf(stderr, "%d: group without group #\n",
- linenum);
- return NULL;
- }
- if (ratoui(*cpp, &k, 0, UINT_MAX))
- fil.fr_group = k;
- else {
- fprintf(stderr, "%d: invalid group (%s)\n",
- linenum, *cpp);
- return NULL;
- }
- cpp++;
- }
-
- /*
- * leftovers...yuck
- */
- if (*cpp && **cpp) {
- fprintf(stderr, "%d: unknown words at end: [", linenum);
- for (; *cpp; cpp++)
- fprintf(stderr, "%s ", *cpp);
- fprintf(stderr, "]\n");
- return NULL;
- }
-
- /*
- * lazy users...
- */
- if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) {
- fprintf(stderr, "%d: TCP protocol not specified\n", linenum);
- return NULL;
- }
- if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) &&
- (fil.fr_proto != IPPROTO_UDP) && (fil.fr_dcmp || fil.fr_scmp)) {
- if (!fil.fr_proto) {
- fil.fr_ip.fi_fl |= FI_TCPUDP;
- fil.fr_mip.fi_fl |= FI_TCPUDP;
- } else {
- fprintf(stderr,
- "%d: port comparisons for non-TCP/UDP\n",
- linenum);
- return NULL;
- }
- }
-/*
- if ((fil.fr_flags & FR_KEEPFRAG) &&
- (!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) {
- fprintf(stderr,
- "%d: must use 'with frags' with 'keep frags'\n",
- linenum);
- return NULL;
- }
-*/
- return &fil;
-}
-
-
-int loglevel(cpp, facpri, linenum)
-char **cpp;
-u_int *facpri;
-int linenum;
-{
- int fac, pri;
- char *s;
-
- fac = 0;
- pri = 0;
- if (!*++cpp) {
- fprintf(stderr, "%d: %s\n", linenum,
- "missing identifier after level");
- return -1;
- }
-
- s = index(*cpp, '.');
- if (s) {
- *s++ = '\0';
- fac = fac_findname(*cpp);
- if (fac == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown facility", *cpp);
- return -1;
- }
- pri = pri_findname(s);
- if (pri == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown priority", s);
- return -1;
- }
- } else {
- pri = pri_findname(*cpp);
- if (pri == -1) {
- fprintf(stderr, "%d: %s %s\n", linenum,
- "Unknown priority", *cpp);
- return -1;
- }
- }
- *facpri = fac|pri;
- return 0;
-}
-
-
-int to_interface(fdp, to, linenum)
-frdest_t *fdp;
-char *to;
-int linenum;
-{
- char *s;
-
- s = index(to, ':');
- fdp->fd_ifp = NULL;
- if (s) {
- *s++ = '\0';
- if (hostnum((u_32_t *)&fdp->fd_ip, s, linenum) == -1)
- return -1;
- }
- (void) strncpy(fdp->fd_ifname, to, sizeof(fdp->fd_ifname) - 1);
- fdp->fd_ifname[sizeof(fdp->fd_ifname) - 1] = '\0';
- return 0;
-}
-
-
-void print_toif(tag, fdp)
-char *tag;
-frdest_t *fdp;
-{
- printf("%s %s%s", tag, fdp->fd_ifname,
- (fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
- if (fdp->fd_ip.s_addr)
- printf(":%s", inet_ntoa(fdp->fd_ip));
- putchar(' ');
-}
-
-
-/*
- * deal with extra bits on end of the line
- */
-int extras(cp, fr, linenum)
-char ***cp;
-struct frentry *fr;
-int linenum;
-{
- u_short secmsk;
- u_long opts;
- int notopt;
- char oflags;
-
- opts = 0;
- secmsk = 0;
- notopt = 0;
- (*cp)++;
- if (!**cp)
- return -1;
-
- while (**cp && (!strncasecmp(**cp, "ipopt", 5) ||
- !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 3) ||
- !strncasecmp(**cp, "frag", 4) || !strncasecmp(**cp, "no", 2) ||
- !strncasecmp(**cp, "short", 5))) {
- if (***cp == 'n' || ***cp == 'N') {
- notopt = 1;
- (*cp)++;
- continue;
- } else if (***cp == 'i' || ***cp == 'I') {
- if (!notopt)
- fr->fr_ip.fi_fl |= FI_OPTIONS;
- fr->fr_mip.fi_fl |= FI_OPTIONS;
- goto nextopt;
- } else if (***cp == 'f' || ***cp == 'F') {
- if (!notopt)
- fr->fr_ip.fi_fl |= FI_FRAG;
- fr->fr_mip.fi_fl |= FI_FRAG;
- goto nextopt;
- } else if (***cp == 'o' || ***cp == 'O') {
- if (!*(*cp + 1)) {
- fprintf(stderr,
- "%d: opt missing arguements\n",
- linenum);
- return -1;
- }
- (*cp)++;
- if (!(opts = optname(cp, &secmsk, linenum)))
- return -1;
- oflags = FI_OPTIONS;
- } else if (***cp == 's' || ***cp == 'S') {
- if (fr->fr_tcpf) {
- fprintf(stderr,
- "%d: short cannot be used with TCP flags\n",
- linenum);
- return -1;
- }
-
- if (!notopt)
- fr->fr_ip.fi_fl |= FI_SHORT;
- fr->fr_mip.fi_fl |= FI_SHORT;
- goto nextopt;
- } else
- return -1;
-
- if (!notopt || !opts)
- fr->fr_mip.fi_fl |= oflags;
- if (notopt) {
- if (!secmsk) {
- fr->fr_mip.fi_optmsk |= opts;
- } else {
- fr->fr_mip.fi_optmsk |= (opts & ~0x0100);
- }
- } else {
- fr->fr_mip.fi_optmsk |= opts;
- }
- fr->fr_mip.fi_secmsk |= secmsk;
-
- if (notopt) {
- fr->fr_ip.fi_fl &= (~oflags & 0xf);
- fr->fr_ip.fi_optmsk &= ~opts;
- fr->fr_ip.fi_secmsk &= ~secmsk;
- } else {
- fr->fr_ip.fi_fl |= oflags;
- fr->fr_ip.fi_optmsk |= opts;
- fr->fr_ip.fi_secmsk |= secmsk;
- }
-nextopt:
- notopt = 0;
- opts = 0;
- oflags = 0;
- secmsk = 0;
- (*cp)++;
- }
- return 0;
-}
-
-
-u_32_t optname(cp, sp, linenum)
-char ***cp;
-u_short *sp;
-int linenum;
-{
- struct ipopt_names *io, *so;
- u_long msk = 0;
- u_short smsk = 0;
- char *s;
- int sec = 0;
-
- for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
- for (io = ionames; io->on_name; io++)
- if (!strcasecmp(s, io->on_name)) {
- msk |= io->on_bit;
- break;
- }
- if (!io->on_name) {
- fprintf(stderr, "%d: unknown IP option name %s\n",
- linenum, s);
- return 0;
- }
- if (!strcasecmp(s, "sec-class"))
- sec = 1;
- }
-
- if (sec && !*(*cp + 1)) {
- fprintf(stderr, "%d: missing security level after sec-class\n",
- linenum);
- return 0;
- }
-
- if (sec) {
- (*cp)++;
- for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
- for (so = secclass; so->on_name; so++)
- if (!strcasecmp(s, so->on_name)) {
- smsk |= so->on_bit;
- break;
- }
- if (!so->on_name) {
- fprintf(stderr,
- "%d: no such security level: %s\n",
- linenum, s);
- return 0;
- }
- }
- if (smsk)
- *sp = smsk;
- }
- return msk;
-}
-
-
-#ifdef __STDC__
-void optprint(u_short *sec, u_long optmsk, u_long optbits)
-#else
-void optprint(sec, optmsk, optbits)
-u_short *sec;
-u_long optmsk, optbits;
-#endif
-{
- u_short secmsk = sec[0], secbits = sec[1];
- struct ipopt_names *io, *so;
- char *s;
- int secflag = 0;
-
- s = " opt ";
- for (io = ionames; io->on_name; io++)
- if ((io->on_bit & optmsk) &&
- ((io->on_bit & optmsk) == (io->on_bit & optbits))) {
- if ((io->on_value != IPOPT_SECURITY) ||
- (!secmsk && !secbits)) {
- printf("%s%s", s, io->on_name);
- if (io->on_value == IPOPT_SECURITY)
- io++;
- s = ",";
- } else
- secflag = 1;
- }
-
-
- if (secmsk & secbits) {
- printf("%ssec-class", s);
- s = " ";
- for (so = secclass; so->on_name; so++)
- if ((secmsk & so->on_bit) &&
- ((so->on_bit & secmsk) == (so->on_bit & secbits))) {
- printf("%s%s", s, so->on_name);
- s = ",";
- }
- }
-
- if ((optmsk && (optmsk != optbits)) ||
- (secmsk && (secmsk != secbits))) {
- s = " ";
- printf(" not opt");
- if (optmsk != optbits) {
- for (io = ionames; io->on_name; io++)
- if ((io->on_bit & optmsk) &&
- ((io->on_bit & optmsk) !=
- (io->on_bit & optbits))) {
- if ((io->on_value != IPOPT_SECURITY) ||
- (!secmsk && !secbits)) {
- printf("%s%s", s, io->on_name);
- s = ",";
- if (io->on_value ==
- IPOPT_SECURITY)
- io++;
- } else
- io++;
- }
- }
-
- if (secmsk != secbits) {
- printf("%ssec-class", s);
- s = " ";
- for (so = secclass; so->on_name; so++)
- if ((so->on_bit & secmsk) &&
- ((so->on_bit & secmsk) !=
- (so->on_bit & secbits))) {
- printf("%s%s", s, so->on_name);
- s = ",";
- }
- }
- }
-}
-
-char *icmptypes[] = {
- "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
- "redir", (char *)NULL, (char *)NULL, "echo", "routerad",
- "routersol", "timex", "paramprob", "timest", "timestrep",
- "inforeq", "inforep", "maskreq", "maskrep", "END"
-};
-
-/*
- * set the icmp field to the correct type if "icmp" word is found
- */
-int addicmp(cp, fp, linenum)
-char ***cp;
-struct frentry *fp;
-int linenum;
-{
- char **t;
- int i;
-
- (*cp)++;
- if (!**cp)
- return -1;
- if (!fp->fr_proto) /* to catch lusers */
- fp->fr_proto = IPPROTO_ICMP;
- if (isdigit(***cp)) {
- if (!ratoi(**cp, &i, 0, 255)) {
- fprintf(stderr,
- "%d: Invalid icmp-type (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- } else {
- for (t = icmptypes, i = 0; ; t++, i++) {
- if (!*t)
- continue;
- if (!strcasecmp("END", *t)) {
- i = -1;
- break;
- }
- if (!strcasecmp(*t, **cp))
- break;
- }
- if (i == -1) {
- fprintf(stderr,
- "%d: Invalid icmp-type (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- }
- fp->fr_icmp = (u_short)(i << 8);
- fp->fr_icmpm = (u_short)0xff00;
- (*cp)++;
- if (!**cp)
- return 0;
-
- if (**cp && strcasecmp("code", **cp))
- return 0;
- (*cp)++;
- if (isdigit(***cp)) {
- if (!ratoi(**cp, &i, 0, 255)) {
- fprintf(stderr,
- "%d: Invalid icmp code (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- } else {
- i = icmpcode(**cp);
- if (i == -1) {
- fprintf(stderr,
- "%d: Invalid icmp code (%s) specified\n",
- linenum, **cp);
- return -1;
- }
- }
- i &= 0xff;
- fp->fr_icmp |= (u_short)i;
- fp->fr_icmpm = (u_short)0xffff;
- (*cp)++;
- return 0;
-}
-
-
-#define MAX_ICMPCODE 15
-
-char *icmpcodes[] = {
- "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag", "srcfail",
- "net-unk", "host-unk", "isolate", "net-prohib", "host-prohib",
- "net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff",
- NULL };
-/*
- * Return the number for the associated ICMP unreachable code.
- */
-int icmpcode(str)
-char *str;
-{
- char *s;
- int i, len;
-
- if ((s = strrchr(str, ')')))
- *s = '\0';
- if (isdigit(*str)) {
- if (!ratoi(str, &i, 0, 255))
- return -1;
- else
- return i;
- }
- len = strlen(str);
- for (i = 0; icmpcodes[i]; i++)
- if (!strncasecmp(str, icmpcodes[i], MIN(len,
- strlen(icmpcodes[i])) ))
- return i;
- return -1;
-}
-
-
-/*
- * set the icmp field to the correct type if "icmp" word is found
- */
-int addkeep(cp, fp, linenum)
-char ***cp;
-struct frentry *fp;
-int linenum;
-{
- if (fp->fr_proto != IPPROTO_TCP && fp->fr_proto != IPPROTO_UDP &&
-#ifdef USE_INET6
- fp->fr_proto != IPPROTO_ICMPV6 &&
-#endif
- fp->fr_proto != IPPROTO_ICMP && !(fp->fr_ip.fi_fl & FI_TCPUDP)) {
- fprintf(stderr, "%d: Can only use keep with UDP/ICMP/TCP\n",
- linenum);
- return -1;
- }
-
- (*cp)++;
- if (!**cp) {
- fprintf(stderr, "%d: Missing state/frag after keep\n",
- linenum);
- return -1;
- }
- if (strcasecmp(**cp, "state") && strcasecmp(**cp, "frags")) {
- fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n",
- linenum, **cp);
- return -1;
- }
-
- if (***cp == 's' || ***cp == 'S')
- fp->fr_flags |= FR_KEEPSTATE;
- else if (***cp == 'f' || ***cp == 'F')
- fp->fr_flags |= FR_KEEPFRAG;
- (*cp)++;
- return 0;
-}
-
-
-/*
- * print the filter structure in a useful way
- */
-void printfr(fp)
-struct frentry *fp;
-{
- struct protoent *p;
- u_short sec[2];
- char *s;
- u_char *t;
- int pr;
-
- if (fp->fr_flags & FR_PASS)
- printf("pass");
- else if (fp->fr_flags & FR_BLOCK) {
- printf("block");
- if (fp->fr_flags & FR_RETICMP) {
- if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
- printf(" return-icmp-as-dest");
- else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
- printf(" return-icmp");
- if (fp->fr_icode) {
- if (fp->fr_icode <= MAX_ICMPCODE)
- printf("(%s)",
- icmpcodes[(int)fp->fr_icode]);
- else
- printf("(%d)", fp->fr_icode);
- }
- } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
- printf(" return-rst");
- } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
- printlog(fp);
- } else if (fp->fr_flags & FR_ACCOUNT)
- printf("count");
- else if (fp->fr_flags & FR_AUTH)
- printf("auth");
- else if (fp->fr_flags & FR_PREAUTH)
- printf("preauth");
- else if (fp->fr_skip)
- printf("skip %hu", fp->fr_skip);
-
- if (fp->fr_flags & FR_OUTQUE)
- printf(" out ");
- else
- printf(" in ");
-
- if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
- ((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
- printlog(fp);
- putchar(' ');
- }
-
- if (fp->fr_flags & FR_QUICK)
- printf("quick ");
-
- if (*fp->fr_ifname) {
- printf("on %s%s ", fp->fr_ifname,
- (fp->fr_ifa || (long)fp->fr_ifa == -1) ? "" : "(!)");
- if (*fp->fr_dif.fd_ifname)
- print_toif("dup-to", &fp->fr_dif);
- if (*fp->fr_tif.fd_ifname)
- print_toif("to", &fp->fr_tif);
- if (fp->fr_flags & FR_FASTROUTE)
- printf("fastroute ");
-
- }
- if (fp->fr_mip.fi_tos)
- printf("tos %#x ", fp->fr_tos);
- if (fp->fr_mip.fi_ttl)
- printf("ttl %d ", fp->fr_ttl);
- if (fp->fr_ip.fi_fl & FI_TCPUDP) {
- printf("proto tcp/udp ");
- pr = -1;
- } else if ((pr = fp->fr_mip.fi_p)) {
- if ((p = getprotobynumber(fp->fr_proto)))
- printf("proto %s ", p->p_name);
- else
- printf("proto %d ", fp->fr_proto);
- }
-
- printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
- printhostmask(fp->fr_v, (u_32_t *)&fp->fr_src.s_addr,
- (u_32_t *)&fp->fr_smsk.s_addr);
- if (fp->fr_scmp)
- printportcmp(pr, &fp->fr_tuc.ftu_src);
-
- printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
- printhostmask(fp->fr_v, (u_32_t *)&fp->fr_dst.s_addr,
- (u_32_t *)&fp->fr_dmsk.s_addr);
- if (fp->fr_dcmp)
- printportcmp(pr, &fp->fr_tuc.ftu_dst);
-
- if ((fp->fr_ip.fi_fl & ~FI_TCPUDP) ||
- (fp->fr_mip.fi_fl & ~FI_TCPUDP) ||
- fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
- fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) {
- printf(" with");
- if (fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
- fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) {
- sec[0] = fp->fr_mip.fi_secmsk;
- sec[1] = fp->fr_ip.fi_secmsk;
- optprint(sec,
- fp->fr_mip.fi_optmsk, fp->fr_ip.fi_optmsk);
- } else if (fp->fr_mip.fi_fl & FI_OPTIONS) {
- if (!(fp->fr_ip.fi_fl & FI_OPTIONS))
- printf(" not");
- printf(" ipopt");
- }
- if (fp->fr_mip.fi_fl & FI_SHORT) {
- if (!(fp->fr_ip.fi_fl & FI_SHORT))
- printf(" not");
- printf(" short");
- }
- if (fp->fr_mip.fi_fl & FI_FRAG) {
- if (!(fp->fr_ip.fi_fl & FI_FRAG))
- printf(" not");
- printf(" frag");
- }
- }
- if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) {
- int type = fp->fr_icmp, code;
-
- type = ntohs(fp->fr_icmp);
- code = type & 0xff;
- type /= 256;
- if (type < (sizeof(icmptypes) / sizeof(char *) - 1) &&
- icmptypes[type])
- printf(" icmp-type %s", icmptypes[type]);
- else
- printf(" icmp-type %d", type);
- if (ntohs(fp->fr_icmpm) & 0xff)
- printf(" code %d", code);
- }
- if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) {
- printf(" flags ");
- if (fp->fr_tcpf & ~TCPF_ALL)
- printf("0x%x", fp->fr_tcpf);
- else
- for (s = flagset, t = flags; *s; s++, t++)
- if (fp->fr_tcpf & *t)
- (void)putchar(*s);
- if (fp->fr_tcpfm) {
- (void)putchar('/');
- if (fp->fr_tcpfm & ~TCPF_ALL)
- printf("0x%x", fp->fr_tcpfm);
- else
- for (s = flagset, t = flags; *s; s++, t++)
- if (fp->fr_tcpfm & *t)
- (void)putchar(*s);
- }
- }
-
- if (fp->fr_flags & FR_KEEPSTATE)
- printf(" keep state");
- if (fp->fr_flags & FR_KEEPFRAG)
- printf(" keep frags");
- if (fp->fr_grhead)
- printf(" head %d", fp->fr_grhead);
- if (fp->fr_group)
- printf(" group %d", fp->fr_group);
- (void)putchar('\n');
-}
-
-void binprint(fp)
-struct frentry *fp;
-{
- int i = sizeof(*fp), j = 0;
- u_char *s;
-
- for (s = (u_char *)fp; i; i--, s++) {
- j++;
- printf("%02x ", *s);
- if (j == 16) {
- printf("\n");
- j = 0;
- }
- }
- putchar('\n');
- (void)fflush(stdout);
-}
-
-
-void printlog(fp)
-frentry_t *fp;
-{
- char *s, *u;
-
- printf("log");
- if (fp->fr_flags & FR_LOGBODY)
- printf(" body");
- if (fp->fr_flags & FR_LOGFIRST)
- printf(" first");
- if (fp->fr_flags & FR_LOGORBLOCK)
- printf(" or-block");
- if (fp->fr_loglevel != 0xffff) {
- printf(" level ");
- if (fp->fr_loglevel & LOG_FACMASK) {
- s = fac_toname(fp->fr_loglevel);
- if (s == NULL)
- s = "!!!";
- } else
- s = "";
- u = pri_toname(fp->fr_loglevel);
- if (u == NULL)
- u = "!!!";
- if (*s)
- printf("%s.%s", s, u);
- else
- printf("%s", u);
- }
-}
diff --git a/sbin/ipfstat/Makefile b/sbin/ipfstat/Makefile
deleted file mode 100644
index 314f1a46b5f..00000000000
--- a/sbin/ipfstat/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-# $OpenBSD: Makefile,v 1.8 2001/02/13 01:12:33 fgsch Exp $
-
-PROG= ipfstat
-MAN= ipfstat.8
-SRCS= fils.c parse.c opt.c kmem.c facpri.c common.c ifaddr.c
-.PATH: ${.CURDIR}/../../sbin/ipf
-CFLAGS+=-I${.CURDIR}/../../sbin/ipf -DSTATETOP
-DPADD= ${LIBCURSES}
-LDADD= -lcurses
-
-.include <bsd.prog.mk>
diff --git a/sbin/ipfstat/fils.c b/sbin/ipfstat/fils.c
deleted file mode 100644
index c39f91e862c..00000000000
--- a/sbin/ipfstat/fils.c
+++ /dev/null
@@ -1,1268 +0,0 @@
-/* $OpenBSD: fils.c,v 1.24 2001/01/30 04:27:58 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#ifdef __FreeBSD__
-# include <osreldate.h>
-#endif
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-# include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#if defined(STATETOP) && defined(sun) && !defined(__svr4__) && !defined(__SVR4)
-#include <sys/select.h>
-#endif
-#include <stdlib.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <stddef.h>
-#include <nlist.h>
-#ifdef STATETOP
-#include <ctype.h>
-#include <ncurses.h>
-#endif
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <netinet/tcp.h>
-#if defined(STATETOP) && !defined(linux)
-# include <netinet/ip_var.h>
-# include <netinet/tcp_fsm.h>
-#endif
-#include <netinet/ip_fil_compat.h>
-#include <netinet/ip_fil.h>
-#include "ipf.h"
-#include <netinet/ip_proxy.h>
-#include <netinet/ip_nat.h>
-#include <netinet/ip_frag.h>
-#include <netinet/ip_state.h>
-#include <netinet/ip_auth.h>
-#ifdef STATETOP
-#include <netinet/ipl.h>
-#endif
-#include "kmem.h"
-#if defined(__NetBSD__) || (__OpenBSD__)
-# include <paths.h>
-#endif
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: fils.c,v 2.21.2.7 2000/12/02 00:13:56 darrenr Exp $";
-#endif
-
-#define F_IN 0
-#define F_OUT 1
-#define F_AC 2
-static char *filters[4] = { "ipfilter(in)", "ipfilter(out)",
- "ipacct(in)", "ipacct(out)" };
-
-int opts = 0;
-#ifdef USE_INET6
-int use_inet6 = 0;
-#endif
-
-#ifdef STATETOP
-#define STSTRSIZE 80
-#define STGROWSIZE 16
-
-#define STSORT_PR 0
-#define STSORT_PKTS 1
-#define STSORT_BYTES 2
-#define STSORT_TTL 3
-#define STSORT_MAX STSORT_TTL
-#define STSORT_DEFAULT STSORT_BYTES
-
-
-typedef struct statetop {
- union i6addr st_src;
- union i6addr st_dst;
- u_short st_sport;
- u_short st_dport;
- u_char st_p;
- u_char st_state[2];
- U_QUAD_T st_pkts;
- U_QUAD_T st_bytes;
- u_long st_age;
-} statetop_t;
-#endif
-
-char *nlistf = NULL, *memf = NULL;
-
-extern int main __P((int, char *[]));
-static void showstats __P((int, friostat_t *));
-static void showfrstates __P((int, ipfrstat_t *));
-static void showlist __P((friostat_t *));
-static void showipstates __P((int, ips_stat_t *));
-static void showauthstates __P((int, fr_authstat_t *));
-static void showgroups __P((friostat_t *));
-static void Usage __P((char *));
-static void printlist __P((frentry_t *));
-static char *get_ifname __P((void *));
-static char *hostname __P((int, void *));
-static void parse_ipportstr __P((const char *, struct in_addr *, int *));
-#ifdef STATETOP
-static void topipstates __P((int, struct in_addr, struct in_addr, int, int, int, int, int));
-static char *ttl_to_string __P((long));
-static int sort_p __P((const void *, const void *));
-static int sort_pkts __P((const void *, const void *));
-static int sort_bytes __P((const void *, const void *));
-static int sort_ttl __P((const void *, const void *));
-#endif
-
-static char *hostname(v, ip)
-int v;
-void *ip;
-{
-#ifdef USE_INET6
- static char hostbuf[MAXHOSTNAMELEN+1];
-#endif
- struct in_addr ipa;
-
- if (v == 4) {
- ipa.s_addr = *(u_32_t *)ip;
- return inet_ntoa(ipa);
- }
-#ifdef USE_INET6
- (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
- hostbuf[MAXHOSTNAMELEN] = '\0';
- return hostbuf;
-#else
- return "IPv6";
-#endif
-}
-
-
-static void Usage(name)
-char *name;
-{
-#ifdef USE_INET6
- fprintf(stderr,
- "Usage: %s [-6aAfhIinosv] [-d <device>] [-M core]\n", name);
-#else
- fprintf(stderr,
- "Usage: %s [-aAfhIinosv] [-d <device>] [-M core]\n", name);
-#endif
- fprintf(stderr, " %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name);
- exit(1);
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- fr_authstat_t frauthst;
- fr_authstat_t *frauthstp = &frauthst;
- friostat_t fio;
- friostat_t *fiop=&fio;
- ips_stat_t ipsst;
- ips_stat_t *ipsstp = &ipsst;
- ipfrstat_t ifrst;
- ipfrstat_t *ifrstp = &ifrst;
- char *name = NULL, *device = IPL_NAME;
- int c, fd;
- struct protoent *proto;
-
- int protocol = -1; /* -1 = wild card for any protocol */
- int refreshtime = 1; /* default update time */
- int sport = -1; /* -1 = wild card for any source port */
- int dport = -1; /* -1 = wild card for any dest port */
- int topclosed = 0; /* do not show closed tcp sessions */
- struct in_addr saddr, daddr;
- saddr.s_addr = INADDR_ANY; /* default any source addr */
- daddr.s_addr = INADDR_ANY; /* default any dest addr */
-
- while ((c = getopt(argc, argv, "6aACfghIilnostvd:M:D:P:S:T:")) != -1)
- {
- switch (c)
- {
-#ifdef USE_INET6
- case '6' :
- use_inet6 = 1;
- break;
-#endif
- case 'a' :
- opts |= OPT_ACCNT|OPT_SHOWLIST;
- break;
- case 'A' :
- device = IPAUTH_NAME;
- opts |= OPT_AUTHSTATS;
- break;
- case 'C' :
- topclosed = 1;
- break;
- case 'd' :
- device = optarg;
- break;
- case 'D' :
- parse_ipportstr(optarg, &daddr, &dport);
- break;
- case 'f' :
- opts |= OPT_FRSTATES;
- break;
- case 'g' :
- opts |= OPT_GROUPS;
- break;
- case 'h' :
- opts |= OPT_HITS;
- break;
- case 'i' :
- opts |= OPT_INQUE|OPT_SHOWLIST;
- break;
- case 'I' :
- opts |= OPT_INACTIVE;
- break;
- case 'l' :
- opts |= OPT_SHOWLIST;
- break;
- case 'n' :
- opts |= OPT_SHOWLINENO;
- break;
- case 'M' :
- memf = optarg;
- break;
- case 'o' :
- opts |= OPT_OUTQUE|OPT_SHOWLIST;
- break;
- case 'P' :
- if ((proto = getprotobyname(optarg)) != NULL) {
- protocol = proto->p_proto;
- } else if (!sscanf(optarg, "%ud", &protocol) ||
- (protocol < 0)) {
- fprintf(stderr, "%s : Invalid protocol: %s\n",
- argv[0], optarg);
- exit(-2);
- }
- break;
- case 's' :
- opts |= OPT_IPSTATES;
- break;
- case 'S' :
- parse_ipportstr(optarg, &saddr, &sport);
- break;
- case 't' :
-#ifdef STATETOP
- opts |= OPT_STATETOP;
- break;
-#else
- fprintf(stderr,
- "%s : state top facility not compiled in\n",
- argv[0]);
- exit(-2);
-#endif
- case 'T' :
- if (!sscanf(optarg, "%d", &refreshtime) ||
- (refreshtime <= 0)) {
- fprintf(stderr,
- "%s : Invalid refreshtime < 1 : %s\n",
- argv[0], optarg);
- exit(-2);
- }
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- default :
- Usage(argv[0]);
- break;
- }
- }
-
- if (nlistf != NULL || memf != NULL) {
- (void)setuid(getuid());
- (void)setgid(getgid());
- }
-
- if (openkmem(nlistf, memf) == -1)
- exit(-1);
-
- (void)setuid(getuid());
- (void)setgid(getgid());
-
- if ((fd = open(device, O_RDONLY)) < 0) {
- perror("open");
- exit(-1);
- }
-
- bzero((char *)&fio, sizeof(fio));
- bzero((char *)&ipsst, sizeof(ipsst));
- bzero((char *)&ifrst, sizeof(ifrst));
-
- if (!(opts & OPT_AUTHSTATS) && ioctl(fd, SIOCGETFS, &fiop) == -1) {
- perror("ioctl(ipf:SIOCGETFS)");
- exit(-1);
- }
- if ((opts & OPT_IPSTATES)) {
- int sfd = open(IPL_STATE, O_RDONLY);
-
- if (sfd == -1) {
- perror("open");
- exit(-1);
- }
- if ((ioctl(sfd, SIOCGETFS, &ipsstp) == -1)) {
- perror("ioctl(state:SIOCGETFS)");
- exit(-1);
- }
- close(sfd);
- }
- if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrstp) == -1)) {
- perror("ioctl(SIOCGFRST)");
- exit(-1);
- }
-
- if (opts & OPT_VERBOSE)
- printf("opts %#x name %s\n", opts, name ? name : "<>");
-
- if ((opts & OPT_AUTHSTATS) &&
- (ioctl(fd, SIOCATHST, &frauthstp) == -1)) {
- perror("ioctl(SIOCATHST)");
- exit(-1);
- }
-
- if (opts & OPT_IPSTATES) {
- showipstates(fd, ipsstp);
- } else if (opts & OPT_SHOWLIST) {
- showlist(&fio);
- if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){
- opts &= ~OPT_OUTQUE;
- showlist(&fio);
- }
- } else {
- if (opts & OPT_FRSTATES)
- showfrstates(fd, ifrstp);
-#ifdef STATETOP
- else if (opts & OPT_STATETOP)
- topipstates(fd, saddr, daddr, sport, dport,
- protocol, refreshtime, topclosed);
-#endif
- else if (opts & OPT_AUTHSTATS)
- showauthstates(fd, frauthstp);
- else if (opts & OPT_GROUPS)
- showgroups(&fio);
- else
- showstats(fd, &fio);
- }
- return 0;
-}
-
-
-/*
- * read the kernel stats for packets blocked and passed
- */
-static void showstats(fd, fp)
-int fd;
-struct friostat *fp;
-{
- u_32_t frf = 0;
-
- if (ioctl(fd, SIOCGETFF, &frf) == -1)
- perror("ioctl(SIOCGETFF)");
-
-#if SOLARIS
- printf("dropped packets:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_drop, fp->f_st[1].fr_drop);
- printf("non-data packets:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_notdata, fp->f_st[1].fr_notdata);
- printf("no-data packets:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_nodata, fp->f_st[1].fr_nodata);
- printf("non-ip packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_notip, fp->f_st[1].fr_notip);
- printf(" bad packets:\t\tin %lu\tout %lu\n",
- fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
- printf("copied messages:\tin %lu\tout %lu\n",
- fp->f_st[0].fr_copy, fp->f_st[1].fr_copy);
-#endif
-#ifdef USE_INET6
- printf(" IPv6 packets:\t\tin %lu out %lu\n",
- fp->f_st[0].fr_ipv6[0], fp->f_st[0].fr_ipv6[1]);
-#endif
- printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
- fp->f_st[0].fr_nom);
- printf(" counted %lu short %lu\n",
- fp->f_st[0].fr_acct, fp->f_st[0].fr_short);
- printf("output packets:\t\tblocked %lu passed %lu nomatch %lu",
- fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
- fp->f_st[1].fr_nom);
- printf(" counted %lu short %lu\n",
- fp->f_st[1].fr_acct, fp->f_st[1].fr_short);
- printf(" input packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
- printf("output packets logged:\tblocked %lu passed %lu\n",
- fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- printf(" packets logged:\tinput %lu output %lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
- printf(" log failures:\t\tinput %lu output %lu\n",
- fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
- printf("fragment state(in):\tkept %lu\tlost %lu\n",
- fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr);
- printf("fragment state(out):\tkept %lu\tlost %lu\n",
- fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr);
- printf("packet state(in):\tkept %lu\tlost %lu\n",
- fp->f_st[0].fr_ads, fp->f_st[0].fr_bads);
- printf("packet state(out):\tkept %lu\tlost %lu\n",
- fp->f_st[1].fr_ads, fp->f_st[1].fr_bads);
- printf("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n",
- fp->f_st[0].fr_ret, fp->f_st[1].fr_ret);
- printf("Invalid source(in):\t%lu\n", fp->f_st[0].fr_badsrc);
- printf("Result cache hits(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_chit, fp->f_st[1].fr_chit);
- printf("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]);
- printf("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n",
- fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
- printf("Fastroute successes:\t%lu\tfailures:\t%lu\n",
- fp->f_froute[0], fp->f_froute[1]);
- printf("TCP cksum fails(in):\t%lu\t(out):\t%lu\n",
- fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad);
-
- printf("Packet log flags set: (%#x)\n", frf);
- if (frf & FF_LOGPASS)
- printf("\tpackets passed through filter\n");
- if (frf & FF_LOGBLOCK)
- printf("\tpackets blocked by filter\n");
- if (frf & FF_LOGNOMATCH)
- printf("\tpackets not matched by filter\n");
- if (!frf)
- printf("\tnone\n");
-}
-
-
-static void printlist(fp)
-frentry_t *fp;
-{
- struct frentry fb;
- int n;
-
- for (n = 1; fp; n++) {
- if (kmemcpy((char *)&fb, (u_long)fp, sizeof(fb)) == -1) {
- perror("kmemcpy");
- return;
- }
- fp = &fb;
- if (opts & OPT_OUTQUE)
- fp->fr_flags |= FR_OUTQUE;
- if (opts & (OPT_HITS|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- printf("%qu ", (unsigned long long) fp->fr_hits);
-#else
- printf("%lu ", fp->fr_hits);
-#endif
- if (opts & (OPT_ACCNT|OPT_VERBOSE))
-#ifdef USE_QUAD_T
- printf("%qu ", (unsigned long long) fp->fr_bytes);
-#else
- printf("%lu ", fp->fr_bytes);
-#endif
- if (opts & OPT_SHOWLINENO)
- printf("@%d ", n);
- printfr(fp);
- if (opts & OPT_VERBOSE)
- binprint(fp);
- if (fp->fr_grp)
- printlist(fp->fr_grp);
- fp = fp->fr_next;
- }
-}
-
-/*
- * print out filter rule list
- */
-static void showlist(fiop)
-struct friostat *fiop;
-{
- struct frentry *fp = NULL;
- int i, set;
-
- set = fiop->f_active;
- if (opts & OPT_INACTIVE)
- set = 1 - set;
- if (opts & OPT_ACCNT) {
- i = F_AC;
- if (opts & OPT_OUTQUE) {
- fp = (struct frentry *)fiop->f_acctout[set];
- i++;
- } else if (opts & OPT_INQUE)
- fp = (struct frentry *)fiop->f_acctin[set];
- else {
- fprintf(stderr, "No -i or -o given with -a\n");
- return;
- }
- } else {
-#ifdef USE_INET6
- if ((use_inet6) && (opts & OPT_OUTQUE)) {
- i = F_OUT;
- fp = (struct frentry *)fiop->f_fout6[set];
- } else if ((use_inet6) && (opts & OPT_INQUE)) {
- i = F_IN;
- fp = (struct frentry *)fiop->f_fin6[set];
- } else
-#endif
- if (opts & OPT_OUTQUE) {
- i = F_OUT;
- fp = (struct frentry *)fiop->f_fout[set];
- } else if (opts & OPT_INQUE) {
- i = F_IN;
- fp = (struct frentry *)fiop->f_fin[set];
- } else
- return;
- }
- if (opts & OPT_VERBOSE)
- fprintf(stderr, "showlist:opts %#x i %d\n", opts, i);
-
- if (opts & OPT_VERBOSE)
- printf("fp %p set %d\n", fp, set);
- if (!fp) {
- fprintf(stderr, "empty list for %s%s\n",
- (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]);
- return;
- }
- printlist(fp);
-}
-
-
-static void showipstates(fd, ipsp)
-int fd;
-ips_stat_t *ipsp;
-{
- ipstate_t *istab[IPSTATE_SIZE], ips;
-
- if (!(opts & OPT_SHOWLIST)) {
- printf("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n",
- ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp);
- printf("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits,
- ipsp->iss_miss);
- printf("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n",
- ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse);
- printf("\t%lu active\n\t%lu expired\n\t%lu closed\n",
- ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin);
- return;
- }
-
- if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab)))
- return;
-
- while (ipsp->iss_list) {
- if (kmemcpy((char *)&ips, (u_long)ipsp->iss_list, sizeof(ips)))
- break;
- ipsp->iss_list = ips.is_next;
- printf("%s -> ", hostname(ips.is_v, &ips.is_src.in4));
- printf("%s ttl %ld pass %#x pr %d state %d/%d\n",
- hostname(ips.is_v, &ips.is_dst.in4),
- ips.is_age, ips.is_pass, ips.is_p,
- ips.is_state[0], ips.is_state[1]);
-#ifdef USE_QUAD_T
- printf("\tpkts %qu bytes %qu",
- (unsigned long long) ips.is_pkts,
- (unsigned long long) ips.is_bytes);
-#else
- printf("\tpkts %ld bytes %ld", ips.is_pkts, ips.is_bytes);
-#endif
- if (ips.is_p == IPPROTO_TCP)
-#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- (__FreeBSD_version >= 220000) || defined(__OpenBSD__)
- printf("\t%hu -> %hu %x:%x %hu:%hu",
- ntohs(ips.is_sport), ntohs(ips.is_dport),
- ips.is_send, ips.is_dend,
- ips.is_maxswin, ips.is_maxdwin);
-#else
- printf("\t%hu -> %hu %x:%x %hu:%hu",
- ntohs(ips.is_sport), ntohs(ips.is_dport),
- ips.is_send, ips.is_dend,
- ips.is_maxswin, ips.is_maxdwin);
-#endif
- else if (ips.is_p == IPPROTO_UDP)
- printf(" %hu -> %hu", ntohs(ips.is_sport),
- ntohs(ips.is_dport));
- else if (ips.is_p == IPPROTO_ICMP
-#ifdef USE_INET6
- || ips.is_p == IPPROTO_ICMPV6
-#endif
- )
- printf(" %hu %hu %d", ips.is_icmp.ics_id,
- ips.is_icmp.ics_seq, ips.is_icmp.ics_type);
-
- printf("\n\t");
-
- if (ips.is_pass & FR_PASS) {
- printf("pass");
- } else if (ips.is_pass & FR_BLOCK) {
- printf("block");
- switch (ips.is_pass & FR_RETMASK)
- {
- case FR_RETICMP :
- printf(" return-icmp");
- break;
- case FR_FAKEICMP :
- printf(" return-icmp-as-dest");
- break;
- case FR_RETRST :
- printf(" return-rst");
- break;
- default :
- break;
- }
- } else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) {
- printf("log");
- if (ips.is_pass & FR_LOGBODY)
- printf(" body");
- if (ips.is_pass & FR_LOGFIRST)
- printf(" first");
- } else if (ips.is_pass & FR_ACCOUNT)
- printf("count");
-
- if (ips.is_pass & FR_OUTQUE)
- printf(" out");
- else
- printf(" in");
-
- if ((ips.is_pass & FR_LOG) != 0) {
- printf(" log");
- if (ips.is_pass & FR_LOGBODY)
- printf(" body");
- if (ips.is_pass & FR_LOGFIRST)
- printf(" first");
- if (ips.is_pass & FR_LOGORBLOCK)
- printf(" or-block");
- }
- if (ips.is_pass & FR_QUICK)
- printf(" quick");
- if (ips.is_pass & FR_KEEPFRAG)
- printf(" keep frags");
- /* a given; no? */
- if (ips.is_pass & FR_KEEPSTATE)
- printf(" keep state");
- printf("\tIPv%d", ips.is_v);
- printf("\n");
-
- printf("\tpkt_flags & %x(%x) = %x,\t",
- ips.is_flags & 0xf, ips.is_flags,
- ips.is_flags >> 4);
- printf("\tpkt_options & %x = %x\n", ips.is_optmsk,
- ips.is_opt);
- printf("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
- ips.is_secmsk, ips.is_sec, ips.is_authmsk,
- ips.is_auth);
- printf("interfaces: in %s[%p] ",
- get_ifname(ips.is_ifpin), ips.is_ifpin);
- printf("out %s[%p]\n",
- get_ifname(ips.is_ifpout), ips.is_ifpout);
- }
-}
-
-#ifdef STATETOP
-static void topipstates(fd, saddr, daddr, sport, dport, protocol,
- refreshtime, topclosed)
-int fd;
-struct in_addr saddr;
-struct in_addr daddr;
-int sport;
-int dport;
-int protocol;
-int refreshtime;
-int topclosed;
-{
- char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE];
- int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT;
- int i, j, sfd, winx, tsentry, maxx, maxy, redraw = 0;
- ipstate_t *istab[IPSTATE_SIZE], ips;
- ips_stat_t ipsst, *ipsstp = &ipsst;
- statetop_t *tstable = NULL, *tp;
- struct timeval selecttimeout;
- struct protoent *proto;
- fd_set readfd;
- char c = '\0';
- time_t t;
-
- /* open state device */
- if ((sfd = open(IPL_STATE, O_RDONLY)) == -1) {
- perror("open");
- exit(-1);
- }
-
- /* init ncurses stuff */
- initscr();
- cbreak();
- noecho();
- nodelay(stdscr, 1);
-
- /* repeat until user aborts */
- while ( 1 ) {
-
- /* get state table */
- bzero((char *)&ipsst, sizeof(&ipsst));
- if ((ioctl(sfd, SIOCGETFS, &ipsstp) == -1)) {
- perror("ioctl(SIOCGETFS)");
- exit(-1);
- }
- if (kmemcpy((char *)istab, (u_long)ipsstp->iss_table,
- sizeof(ips)))
- return;
-
- /* clear the history */
- tsentry = -1;
-
- /* read the state table and store in tstable */
- while (ipsstp->iss_list) {
- if (kmemcpy((char *)&ips, (u_long)ipsstp->iss_list,
- sizeof(ips)))
- break;
- ipsstp->iss_list = ips.is_next;
-
- if (((saddr.s_addr == INADDR_ANY) ||
- (saddr.s_addr == ips.is_saddr)) &&
- ((daddr.s_addr == INADDR_ANY) ||
- (daddr.s_addr == ips.is_daddr)) &&
- ((protocol < 0) || (protocol == ips.is_p)) &&
- (((ips.is_p != IPPROTO_TCP) &&
- (ips.is_p != IPPROTO_UDP)) ||
- (((sport < 0) ||
- (htons(sport) == ips.is_sport)) &&
- ((dport < 0) ||
- (htons(dport) == ips.is_dport)))) &&
- (topclosed || (ips.is_p != IPPROTO_TCP) ||
- (ips.is_state[0] < TCPS_CLOSE_WAIT) ||
- (ips.is_state[1] < TCPS_CLOSE_WAIT))) {
- /*
- * if necessary make room for this state
- * entry
- */
- tsentry++;
- if (!maxtsentries ||
- (tsentry == maxtsentries)) {
-
- maxtsentries += STGROWSIZE;
- tstable = realloc(tstable, maxtsentries * sizeof(statetop_t));
- if (!tstable) {
- perror("malloc");
- exit(-1);
- }
- }
-
- /* fill structure */
- tp = tstable + tsentry;
- tp->st_src = ips.is_src;
- tp->st_dst = ips.is_dst;
- tp->st_p = ips.is_p;
- tp->st_state[0] = ips.is_state[0];
- tp->st_state[1] = ips.is_state[1];
- tp->st_pkts = ips.is_pkts;
- tp->st_bytes = ips.is_bytes;
- tp->st_age = ips.is_age;
- if ((ips.is_p == IPPROTO_TCP) ||
- (ips.is_p == IPPROTO_UDP)) {
- tp->st_sport = ips.is_sport;
- tp->st_dport = ips.is_dport;
- }
-
- }
- }
-
-
- /* sort the array */
- if (tsentry != -1)
- switch (sorting)
- {
- case STSORT_PR:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_p);
- break;
- case STSORT_PKTS:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_pkts);
- break;
- case STSORT_BYTES:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_bytes);
- break;
- case STSORT_TTL:
- qsort(tstable, tsentry + 1,
- sizeof(statetop_t), sort_ttl);
- break;
- default:
- break;
- }
-
- /* print title */
- erase();
- getmaxyx(stdscr, maxy, maxx);
- attron(A_BOLD);
- winx = 0;
- move(winx,0);
- sprintf(str1, "%s - state top", IPL_VERSION);
- for(j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
- printw(" ");
- printw("%s", str1);
- attroff(A_BOLD);
-
- /* just for fun add a clock */
- move(winx, maxx - 8);
- t = time(NULL);
- strftime(str1, 80, "%T", localtime(&t));
- printw("%s\n", str1);
-
- /*
- * print the display filters, this is placed in the loop,
- * because someday I might add code for changing these
- * while the programming is running :-)
- */
- if (sport >= 0)
- sprintf(str1, "%s,%d", inet_ntoa(saddr), sport);
- else
- sprintf(str1, "%s", inet_ntoa(saddr));
-
- if (dport >= 0)
- sprintf(str2, "%s,%d", inet_ntoa(daddr), dport);
- else
- sprintf(str2, "%s", inet_ntoa(daddr));
-
- if (protocol < 0)
- strcpy(str3, "any");
- else if ((proto = getprotobynumber(protocol)) != NULL)
- sprintf(str3, "%s", proto->p_name);
- else
- sprintf(str3, "%d", protocol);
-
- switch (sorting)
- {
- case STSORT_PR:
- sprintf(str4, "proto");
- break;
- case STSORT_PKTS:
- sprintf(str4, "# pkts");
- break;
- case STSORT_BYTES:
- sprintf(str4, "# bytes");
- break;
- case STSORT_TTL:
- sprintf(str4, "ttl");
- break;
- default:
- sprintf(str4, "unknown");
- break;
- }
-
- if (reverse)
- strcat(str4, " (reverse)");
-
- winx += 2;
- move(winx,0);
- printw("Src = %s Dest = %s Proto = %s Sorted by = %s\n\n",
- str1, str2, str3, str4);
-
- /* print column description */
- winx += 2;
- move(winx,0);
- attron(A_BOLD);
- printw("%-21s %-21s %3s %4s %7s %9s %9s\n", "Source IP",
- "Destination IP", "ST", "PR", "#pkts", "#bytes", "ttl");
- attroff(A_BOLD);
-
- /* print all the entries */
- tp = tstable;
- if (reverse)
- tp += tsentry;
-
- for(i = 0; i <= tsentry; i++) {
- /* print src/dest and port */
- if ((tp->st_p == IPPROTO_TCP) ||
- (tp->st_p == IPPROTO_UDP)) {
- sprintf(str1, "%s,%hu",
- inet_ntoa(tp->st_src.in4),
- ntohs(tp->st_sport));
- sprintf(str2, "%s,%hu",
- inet_ntoa(tp->st_dst.in4),
- ntohs(tp->st_dport));
- } else {
- sprintf(str1, "%s", inet_ntoa(tp->st_src.in4));
- sprintf(str2, "%s", inet_ntoa(tp->st_dst.in4));
- }
- winx++;
- move(winx, 0);
- printw("%-21s %-21s", str1, str2);
-
- /* print state */
- sprintf(str1, "%X/%X", tp->st_state[0],
- tp->st_state[1]);
- printw(" %3s", str1);
-
- /* print proto */
- proto = getprotobynumber(tp->st_p);
- if (proto) {
- strncpy(str1, proto->p_name, 4);
- str1[4] = '\0';
- } else {
- sprintf(str1, "%d", tp->st_p);
- }
- printw(" %4s", str1);
- /* print #pkt/#bytes */
-#ifdef USE_QUAD_T
- printw(" %7qu %9qu", (unsigned long long) tp->st_pkts,
- (unsigned long long) tp->st_bytes);
-#else
- printw(" %7lu %9lu", tp->st_pkts, tp->st_bytes);
-#endif
- printw(" %9s", ttl_to_string(tp->st_age));
-
- if (reverse)
- tp--;
- else
- tp++;
- }
-
- /* screen data structure is filled, now update the screen */
- if (redraw)
- clearok(stdscr,1);
-
- refresh();
- if (redraw) {
- clearok(stdscr,0);
- redraw = 0;
- }
-
- /* wait for key press or a 1 second time out period */
- selecttimeout.tv_sec = refreshtime;
- selecttimeout.tv_usec = 0;
- FD_ZERO(&readfd);
- FD_SET(0, &readfd);
- select(1, &readfd, NULL, NULL, &selecttimeout);
-
- /* if key pressed, read all waiting keys */
- if (FD_ISSET(0, &readfd))
- while ((c = wgetch(stdscr)) != ERR) {
- if (tolower(c) == 'l') {
- redraw = 1;
- } else if (tolower(c) == 'q') {
- nocbreak();
- endwin();
- exit(0);
- } else if (tolower(c) == 'r') {
- reverse = !reverse;
- } else if (tolower(c) == 's') {
- sorting++;
- if (sorting > STSORT_MAX)
- sorting = 0;
- }
- }
- } /* while */
-
- close(sfd);
-
- printw("\n");
- nocbreak();
- endwin();
-}
-#endif
-
-static void showfrstates(fd, ifsp)
-int fd;
-ipfrstat_t *ifsp;
-{
- struct ipfr *ipfrtab[IPFT_SIZE], ifr;
- frentry_t fr;
- int i;
-
- printf("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n",
- ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits);
- printf("\t%lu no memory\n\t%lu already exist\n",
- ifsp->ifs_nomem, ifsp->ifs_exists);
- printf("\t%lu inuse\n", ifsp->ifs_inuse);
- if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab)))
- return;
- for (i = 0; i < IPFT_SIZE; i++)
- while (ipfrtab[i]) {
- if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
- sizeof(ifr)) == -1)
- break;
- printf("%s -> ", hostname(4, &ifr.ipfr_src));
- if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule,
- sizeof(fr)) == -1)
- break;
- printf("%s %d %d %d %#02x = %#x\n",
- hostname(4, &ifr.ipfr_dst), ifr.ipfr_id,
- ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos,
- fr.fr_flags);
- ipfrtab[i] = ifr.ipfr_next;
- }
- if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab)))
- return;
- for (i = 0; i < IPFT_SIZE; i++)
- while (ipfrtab[i]) {
- if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
- sizeof(ifr)) == -1)
- break;
- printf("NAT: %s -> ", hostname(4, &ifr.ipfr_src));
- if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule,
- sizeof(fr)) == -1)
- break;
- printf("%s %d %d %d %#02x = %#x\n",
- hostname(4, &ifr.ipfr_dst), ifr.ipfr_id,
- ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos,
- fr.fr_flags);
- ipfrtab[i] = ifr.ipfr_next;
- }
-}
-
-
-static void showauthstates(fd, asp)
-int fd;
-fr_authstat_t *asp;
-{
- frauthent_t *frap, fra;
-
-#ifdef USE_QUAD_T
- printf("Authorisation hits: %qu\tmisses %qu\n",
- (unsigned long long) asp->fas_hits,
- (unsigned long long) asp->fas_miss);
-#else
- printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits,
- asp->fas_miss);
-#endif
- printf("nospace %ld\nadded %ld\nsendfail %ld\nsendok %ld\n",
- asp->fas_nospace, asp->fas_added, asp->fas_sendfail,
- asp->fas_sendok);
- printf("queok %ld\nquefail %ld\nexpire %ld\n",
- asp->fas_queok, asp->fas_quefail, asp->fas_expire);
-
- frap = asp->fas_faelist;
- while (frap) {
- if (kmemcpy((char *)&fra, (u_long)frap, sizeof(fra)) == -1)
- break;
-
- printf("age %ld\t", fra.fae_age);
- printfr(&fra.fae_fr);
- frap = fra.fae_next;
- }
-}
-
-
-static char *get_ifname(ptr)
-void *ptr;
-{
-#if SOLARIS
- char *ifname;
- ill_t ill;
-
- if (ptr == (void *)-1)
- return "!";
- if (ptr == NULL)
- return "-";
-
- if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1)
- return "X";
- ifname = malloc(ill.ill_name_length + 1);
- if (kmemcpy(ifname, (u_long)ill.ill_name,
- ill.ill_name_length) == -1)
- return "X";
- return ifname;
-#else
-# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__)
-#else
- char buf[32];
- int len;
-# endif
- struct ifnet netif;
-
- if (ptr == (void *)-1)
- return "!";
- if (ptr == NULL)
- return "-";
-
- if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1)
- return "X";
-# if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
- defined(__OpenBSD__)
- return strdup(netif.if_xname);
-# else
- if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1)
- return "X";
- if (netif.if_unit < 10)
- len = 2;
- else if (netif.if_unit < 1000)
- len = 3;
- else if (netif.if_unit < 10000)
- len = 4;
- else
- len = 5;
- buf[sizeof(buf) - len] = '\0';
- sprintf(buf + strlen(buf), "%d", netif.if_unit % 10000);
- return strdup(buf);
-# endif
-#endif
-}
-
-
-static void showgroups(fiop)
-struct friostat *fiop;
-{
- static char *gnames[3] = { "Filter", "Accounting", "Authentication" };
- frgroup_t *fp, grp;
- int on, off, i;
-
- on = fiop->f_active;
- off = 1 - on;
-
- for (i = 0; i < 3; i++) {
- printf("%s groups (active):\n", gnames[i]);
- for (fp = fiop->f_groups[i][on]; fp; fp = grp.fg_next)
- if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
- break;
- else
- printf("%hu\n", grp.fg_num);
- printf("%s groups (inactive):\n", gnames[i]);
- for (fp = fiop->f_groups[i][off]; fp; fp = grp.fg_next)
- if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp)))
- break;
- else
- printf("%hu\n", grp.fg_num);
- }
-}
-
-static void parse_ipportstr(argument, ip, port)
-const char *argument;
-struct in_addr *ip;
-int *port;
-{
-
- char *s, *comma;
-
- /* make working copy of argument, Theoretically you must be able
- * to write to optarg, but that seems very ugly to me....
- */
- if ((s = malloc(strlen(argument) + 1)) == NULL)
- perror("malloc");
- strcpy(s, argument);
-
- /* get port */
- if ((comma = strchr(s, ',')) != NULL) {
- if (!strcasecmp(s, "any")) {
- *port = -1;
- } else if (!sscanf(comma + 1, "%d", port) ||
- (*port < 0) || (*port > 65535)) {
- fprintf(stderr, "Invalid port specfication in %s\n",
- argument);
- exit(-2);
- }
- *comma = '\0';
- }
-
-
- /* get ip address */
- if (!strcasecmp(s, "any")) {
- ip->s_addr = INADDR_ANY;
- } else if (!inet_aton(s, ip)) {
- fprintf(stderr, "Invalid IP address: %s\n", s);
- exit(-2);
- }
-
- /* free allocated memory */
- free(s);
-}
-
-
-#ifdef STATETOP
-static char ttlbuf[STSTRSIZE];
-
-static char *ttl_to_string(ttl)
-long int ttl;
-{
-
- int hours, minutes, seconds;
-
- /* ttl is in half seconds */
- ttl /= 2;
-
- hours = ttl / 3600;
- ttl = ttl % 3600;
- minutes = ttl / 60;
- seconds = ttl % 60;
-
- if (hours > 0 )
- sprintf(ttlbuf, "%2d:%02d:%02d", hours, minutes, seconds);
- else
- sprintf(ttlbuf, "%2d:%02d", minutes, seconds);
- return ttlbuf;
-}
-
-
-static int sort_pkts(a, b)
-const void *a;
-const void *b;
-{
-
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_pkts == bp->st_pkts)
- return 0;
- else if (ap->st_pkts < bp->st_pkts)
- return 1;
- return -1;
-}
-
-
-static int sort_bytes(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_bytes == bp->st_bytes)
- return 0;
- else if (ap->st_bytes < bp->st_bytes)
- return 1;
- return -1;
-}
-
-
-static int sort_p(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_p == bp->st_p)
- return 0;
- else if (ap->st_p < bp->st_p)
- return 1;
- return -1;
-}
-
-
-static int sort_ttl(a, b)
-const void *a;
-const void *b;
-{
- register const statetop_t *ap = a;
- register const statetop_t *bp = b;
-
- if (ap->st_age == bp->st_age)
- return 0;
- else if (ap->st_age < bp->st_age)
- return 1;
- return -1;
-}
-#endif
diff --git a/sbin/ipfstat/ipfstat.8 b/sbin/ipfstat/ipfstat.8
deleted file mode 100644
index c8a81e892f6..00000000000
--- a/sbin/ipfstat/ipfstat.8
+++ /dev/null
@@ -1,105 +0,0 @@
-.\" $OpenBSD: ipfstat.8,v 1.20 2000/11/14 18:55:56 aaron Exp $
-.Dd June 13, 1999
-.Dt IPFSTAT 8
-.Os
-.Sh NAME
-.Nm ipfstat
-.Nd reports on packet filter statistics and filter lists
-.Sh SYNOPSIS
-.Nm ipfstat
-.Op Fl aAfghIinosv
-.Op Fl d Ar device
-.Op Fl M Ar core
-.Sh DESCRIPTION
-By default,
-.Nm
-displays current kernel statistics gathered
-as a result of applying the filters in place (if any) to packets going through
-the kernel.
-.Pp
-When supplied with either
-.Fl i
-or
-.Fl o ,
-it will retrieve and display
-the appropriate list of filter rules currently installed and in use by the
-kernel.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl a
-Display the accounting filter list and show bytes counted against each rule.
-Used with
-.Fl i
-or
-.Fl o .
-.It Fl A
-Display packet authentication statistics.
-.It Fl d Ar device
-Use
-.Ar device
-instead of
-.Pa /dev/ipl
-for interfacing with the kernel.
-.It Fl f
-Show fragment state information (statistics) and held state information (in
-the kernel) if any is present.
-.It Fl g
-Show group information for active and inactive filter, accounting, and
-authentication groups.
-.It Fl h
-Show per-rule the number of times each one scores a
-.Dq hit .
-For use in
-combination with
-.Fl i
-or
-.Fl o .
-.It Fl i
-Display the filter list used for the input side of the kernel IP processing.
-.It Fl I
-Swap between retrieving
-.Dq inactive
-and
-.Dq active
-filter list details.
-For use in combination with
-.Fl h .
-.It Fl n
-Show the rule number for each rule as it is printed.
-.It Fl M Ar core
-Extract values associated with the name list from the specified core
-instead of the default
-.Pa /dev/kmem .
-.It Fl o
-Display the filter list used for the output side of the kernel IP processing.
-.It Fl s
-Show packet/flow state information (statistics) and held state information (in
-the kernel) if any is present.
-.It Fl v
-Turn verbose mode on.
-Displays more debugging information.
-.El
-.Sh FILES
-.Bl -tag -width /dev/ipstate -compact
-.It Pa /dev/kmem
-default kernel memory
-.It Pa /dev/ipl
-IP packet logging pseudo-device
-.It Pa /dev/ipstate
-IP filter state device
-.El
-.Sh SEE ALSO
-.Xr ipftest 1 ,
-.Xr ipf 4 ,
-.Xr ipl 4 ,
-.Xr ipnat 4 ,
-.Xr ipf 5 ,
-.Xr ipnat 5 ,
-.Xr ipf 8 ,
-.Xr ipmon 8 ,
-.Xr ipnat 8 ,
-.Pp
-http://coombs.anu.edu.au/ipfilter/
-.Sh BUGS
-If you find any, please send email to me at darrenr@pobox.com.
diff --git a/sbin/ipfstat/kmem.c b/sbin/ipfstat/kmem.c
deleted file mode 100644
index 543da82be64..00000000000
--- a/sbin/ipfstat/kmem.c
+++ /dev/null
@@ -1,108 +0,0 @@
-/* $OpenBSD: kmem.c,v 1.17 2001/01/30 04:27:58 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-/*
- * kmemcpy() - copies n bytes from kernel memory into user buffer.
- * returns 0 on success, -1 on error.
- */
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/uio.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <sys/file.h>
-#include "kmem.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: kmem.c,v 2.2 2000/03/13 22:10:25 darrenr Exp $";
-#endif
-
-static int kmemfd = -1;
-
-int openkmem(nlistf, memf)
-char *nlistf, *memf;
-{
- if (memf == NULL)
- memf = KMEM;
-
- if ((kmemfd = open(memf,O_RDONLY)) == -1)
- {
- perror("kmeminit:open");
- return -1;
- }
- return kmemfd;
-}
-
-int kmemcpy(buf, pos, n)
-register char *buf;
-long pos;
-register int n;
-{
- register int r;
-
- if (!n)
- return 0;
- if (kmemfd == -1)
- if (openkmem(nlistf, memf) == -1)
- return -1;
- if (lseek(kmemfd, pos, 0) == -1)
- {
- perror("kmemcpy:lseek");
- return -1;
- }
- while ((r = read(kmemfd, buf, n)) < n)
- if (r <= 0)
- {
- perror("kmemcpy:read");
- return -1;
- }
- else
- {
- buf += r;
- n -= r;
- }
- return 0;
-}
-
-int kstrncpy(buf, pos, n)
-register char *buf;
-long pos;
-register int n;
-{
- register int r;
-
- if (!n)
- return 0;
- if (kmemfd == -1)
- if (openkmem(nlistf, memf) == -1)
- return -1;
- if (lseek(kmemfd, pos, 0) == -1)
- {
- perror("kmemcpy:lseek");
- return -1;
- }
- while (n > 0) {
- r = read(kmemfd, buf, 1);
- if (r <= 0)
- {
- perror("kmemcpy:read");
- return -1;
- }
- else
- {
- if (*buf == '\0')
- break;
- buf++;
- n--;
- }
- }
- return 0;
-}
diff --git a/sbin/ipfstat/kmem.h b/sbin/ipfstat/kmem.h
deleted file mode 100644
index 29625d8f478..00000000000
--- a/sbin/ipfstat/kmem.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/* $OpenBSD: kmem.h,v 1.14 2001/01/30 04:27:58 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- * $IPFilter: kmem.h,v 2.2 2000/03/13 22:10:25 darrenr Exp $
- */
-
-#ifndef __KMEM_H__
-#define __KMEM_H__
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-extern int openkmem __P((char *, char *));
-extern int kmemcpy __P((char *, long, int));
-extern int kstrncpy __P((char *, long, int));
-
-#if defined(__NetBSD__) || defined(__OpenBSD)
-# include <paths.h>
-#endif
-
-extern char *nlistf;
-extern char *memf;
-
-#ifdef _PATH_KMEM
-# define KMEM _PATH_KMEM
-#else
-# define KMEM "/dev/kmem"
-#endif
-
-#endif /* __KMEM_H__ */
diff --git a/sbin/ipnat/Makefile b/sbin/ipnat/Makefile
deleted file mode 100644
index 3ed89451018..00000000000
--- a/sbin/ipnat/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-# $OpenBSD: Makefile,v 1.10 2001/01/17 05:01:01 fgsch Exp $
-
-PROG= ipnat
-MAN= ipnat.8 ipnat.4 ipnat.5
-SRCS= ipnat.c kmem.c natparse.c common.c ifaddr.c
-.PATH: ${.CURDIR}/../ipfstat ${.CURDIR}/../ipf
-CFLAGS+=-I${.CURDIR}/../../sbin/ipfstat -I${.CURDIR}/../ipf
-
-.include <bsd.prog.mk>
diff --git a/sbin/ipnat/ipnat.4 b/sbin/ipnat/ipnat.4
deleted file mode 100644
index 6e9b12abc55..00000000000
--- a/sbin/ipnat/ipnat.4
+++ /dev/null
@@ -1,100 +0,0 @@
-.\" $OpenBSD: ipnat.4,v 1.20 2001/01/20 20:50:55 fgsch Exp $
-.\"
-.TH IPNAT 4
-.SH NAME
-ipnat \- Network Address Translation kernel interface
-.SH SYNOPSIS
-#include <netinet/ip_compat.h>
-.br
-#include <netinet/ip_fil.h>
-.br
-#include <netinet/ip_proxy.h>
-.br
-#include <netinet/ip_nat.h>
-.SH IOCTLS
-.PP
-To add and delete rules to the NAT list, two 'basic' ioctls are provided
-for use. The ioctl's are called as:
-.LP
-.nf
- ioctl(fd, SIOCADNAT, struct ipnat **)
- ioctl(fd, SIOCRMNAT, struct ipnat **)
- ioctl(fd, SIOCGNATS, struct natstat **)
- ioctl(fd, SIOCGNATL, struct natlookup **)
-.fi
-.PP
-Unlike \fBipf(4)\fP, there is only a single list supported by the kernel NAT
-interface. An inactive list which can be swapped to is not currently
-supported.
-
-These ioctl's are implemented as being routing ioctls and thus the same rules
-for the various routing ioctls and the file descriptor are employed, mainly
-being that the fd must be that of the device associated with the module
-(i.e., /dev/ipl).
-.LP
-.PP
-The strcture used with the NAT interface is described below:
-.LP
-.nf
-typedef struct ipnat {
- struct ipnat *in_next;
- void *in_ifp;
- u_short in_flags;
- u_short in_pnext;
- u_short in_port[2];
- struct in_addr in_in[2];
- struct in_addr in_out[2];
- struct in_addr in_nextip;
- int in_space;
- int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
- char in_ifname[IFNAMSIZ];
-} ipnat_t;
-
-#define in_pmin in_port[0] /* Also holds static redir port */
-#define in_pmax in_port[1]
-#define in_nip in_nextip.s_addr
-#define in_inip in_in[0].s_addr
-#define in_inmsk in_in[1].s_addr
-#define in_outip in_out[0].s_addr
-#define in_outmsk in_out[1].s_addr
-
-.fi
-.PP
-Recognised values for in_redir:
-.LP
-.nf
-#define NAT_MAP 0
-#define NAT_REDIRECT 1
-.fi
-.PP
-.LP
-\fBNAT statistics\fP
-Statistics on the number of packets mapped, going in and out are kept,
-the number of times a new entry is added and deleted (through expiration) to
-the NAT table and the current usage level of the NAT table.
-.PP
-Pointers to the NAT table inside the kernel, as well as to the top of the
-internal NAT lists constructed with the \fBSIOCADNAT\fP ioctls. The table
-itself is a hash table of size NAT_SIZE (default size is 367).
-.PP
-To retrieve the statistics, the \fBSIOCGNATS\fP ioctl must be used, with
-the appropriate structure passed by reference, as follows:
-.nf
- ioctl(fd, SIOCGNATS, struct natstat *)
-
-typedef struct natstat {
- u_long ns_mapped[2];
- u_long ns_added;
- u_long ns_expire;
- u_long ns_inuse;
- nat_t ***ns_table;
- ipnat_t *ns_list;
-} natstat_t;
-.fi
-.SH BUGS
-It would be nice if there were more flexibility when adding and deleting
-filter rules.
-.SH FILES
-/dev/ipnat
-.SH SEE ALSO
-ipf(4), ipnat(5), ipf(8), ipnat(8), ipfstat(8)
diff --git a/sbin/ipnat/ipnat.5 b/sbin/ipnat/ipnat.5
deleted file mode 100644
index 4a8d24afd0e..00000000000
--- a/sbin/ipnat/ipnat.5
+++ /dev/null
@@ -1,211 +0,0 @@
-.\" $OpenBSD: ipnat.5,v 1.18 2001/03/09 18:16:44 marc Exp $
-.\"
-.TH IPNAT 5
-.SH NAME
-ipnat \- IP NAT file format
-.SH DESCRIPTION
-The format for files accepted by ipnat is described by the following grammar:
-.LP
-.nf
-ipmap :: = mapblock | redir | map .
-
-map ::= mapit ifname ipmask "->" ipmask [ mapport ] .
-map ::= mapit ifname fromto "->" ipmask [ mapport ] .
-mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
-redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options .
-
-dport ::= "port" portnum [ "-" portnum ] .
-ports ::= "ports" numports | "auto" .
-mapit ::= "map" | "bimap" .
-fromto ::= "from" object "to" object .
-ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
-mapport ::= "portmap" tcpudp portnumber ":" portnumber .
-options ::= [ tcpudp ] [ rr ] .
-
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
-
-rr ::= "round-robin" .
-tcpudp ::= "tcp" | "udp" | "tcp/udp" .
-portnumber ::= number { numbers } | "auto" .
-ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
-
-numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
-.fi
-.PP
-For standard NAT functionality, a rule should start with \fBmap\fP and then
-proceeds to specify the interface for which outgoing packets will have their
-source address rewritten.
-.PP
-Packets which will be rewritten can only be selected by matching the original
-source address. A netmask must be specified with the IP address.
-.PP
-The address selected for replacing the original is chosen from an IP#/netmask
-pair. A netmask of all 1's indicating a hostname is valid. A netmask of
-31 1's (255.255.255.254) is considered invalid as there is no space for
-allocating host IP#'s after consideration for broadcast and network
-addresses.
-.PP
-When remapping TCP and UDP packets, it is also possible to change the source
-port number. Either TCP or UDP or both can be selected by each rule, with a
-range of port numbers to remap into given as \fBport-number:port-number\fP.
-.SH COMMANDS
-There are four commands recognised by IP Filter's NAT code:
-.TP
-.B map
-that is used for mapping one address or network to another in an unregulated
-round robin fashion;
-.TP
-.B rdr
-that is used for redirecting packets to one IP address and port pair to
-another;
-.TP
-.B bimap
-for setting up bidirectional NAT between an external IP address and an internal
-IP address and
-.TP
-.B map-block
-which sets up static IP address based translation, based on a algorithm to
-squeeze the addresses to be translated into the destination range.
-.SH MATCHING
-.PP
-For basic NAT and redirection of packets, the address subject to change is used
-along with its protocol to check if a packet should be altered. The packet
-\fImatching\fP part of the rule is to the left of the "->" in each rule.
-.PP
-Matching of packets has now been extended to allow more complex compares.
-In place of the address which is to be translated, an IP address and port
-number comparison can be made using the same expressions available with
-\fBipf\fP. A simple NAT rule could be written as:
-.LP
-.nf
-map de0 10.1.0.0/16 -> 201.2.3.4/32
-.fi
-.LP
-or as
-.LP
-.nf
-map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32
-.fi
-.LP
-Only IP address and port numbers can be compared against. This is available
-with all NAT rules.
-.SH TRANSLATION
-.PP
-To the right of the "->" is the address and port specificaton which will be
-written into the packet providing it has already successful matched the
-prior constraints. The case of redirections (\fBrdr\fP) is the simpliest:
-the new destination address is that specified in the rule. For \fBmap\fP
-rules, the destination address will be one for which the tuple combining
-the new source and destination is known to be unique. If the packet is
-either a TCP or UDP packet, the destination and source ports come into the
-equation too. If the tuple already exists, IP Filter will increment the
-port number first, within the available range specified with \fBportmap\fP
-and if there exists no unique tuple, the source address will be incremented
-within the specified netmask. If a unique tuple cannot be determined, then
-the packet will not be translated. The \fBmap-block\fP is more limited in
-how it searches for a new, free and unique tuple, in that it will used an
-algorithm to determine what the new source address should be, along with the
-range of available ports - the IP address is never changed and nor does the
-port number ever exceed its alloted range.
-.SH KERNEL PROXIES
-.PP
-IP Filter comes with a few, simple, proxies built into the code that is loaded
-into the kernel to allow secondary channels to be opened without forcing the
-packets through a user program.
-.SH TRNSPARENT PROXIES
-.PP
-True transparent proxying should be performed using the redirect (\fBrdr\fP)
-rules directing ports to localhost (127.0.0.1) with the proxy program doing
-a lookup through \fB/dev/ipnat\fP to determine the real source and address
-of the connection.
-.SH LOAD-BALANCING
-.PP
-Two options for use with \fBrdr\fP are available to support primitive,
-\fIround-robin\fP based load balancing. The first option allows for a
-\fBrdr\fP to specify a second destination, as follows:
-.LP
-.nf
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp
-.fi
-.LP
-This would send alternate connections to either 203.1.2.3 or 203.1.2.4.
-In scenarios where the load is being spread amongst a larger set of
-servers, you can use:
-.LP
-.nf
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.3,203.1.2.4 port 80 tcp round-robin
-rdr le0 203.1.2.3/32 port 80 -> 203.1.2.5 port 80 tcp round-robin
-.fi
-.LP
-In this case, a connection will be redirected to 203.1.2.3, then 203.1.2.4
-and then 203.1.2.5 before going back to 203.1.2.3. In accomplishing this,
-the rule is removed from the top of the list and added to the end,
-automatically, as required. This will not effect the display of rules
-using "ipnat -l", only the internal application order.
-.SH EXAMPLES
-.PP
-This section deals with the \fBmap\fP command and it's variations.
-.PP
-To change IP#'s used internally from network 10 into an ISP provided 8 bit
-subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24
-.fi
-.PP
-The obvious problem here is we're trying to squeeze over 16,000,000 IP
-addresses into a 254 address space. To increase the scope, remapping for TCP
-and/or UDP, port remapping can be used;
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
-.fi
-.PP
-which falls only 527,566 `addresses' short of the space available in network
-10. If we were to combine these rules, they would need to be specified as
-follows:
-.LP
-.nf
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24
-.fi
-.PP
-so that all TCP/UDP packets were port mapped and only other protocols, such as
-ICMP, only have their IP# changed. In some instaces, it is more appropriate
-to use the keyword \fBauto\fP in place of an actual range of port numbers if
-you want to guarantee simultaneous access to all within the given range.
-However, in the above case, it would default to 1 port per IP address, since
-we need to squeeze 24 bits of address space into 8. A good example of how
-this is used might be:
-.LP
-.nf
-map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto
-.fi
-.PP
-which would result in each IP address being given a small range of ports to
-use (252). The problem here is that the \fBmap\fP directive tells the NAT
-code to use the next address/port pair available for an outgoing connection,
-resulting in no easily discernable relation between external addresses/ports
-and internal ones. This is overcome by using \fBmap-block\fP as follows:
-.LP
-.nf
-map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto
-.fi
-.PP
-For example, this would result in 172.192.0.0/24 being mapped to 209.1.2.0/32
-with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its
-own. As opposed to the above use of \fBmap\fP, if for some reason the user
-of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
-be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
-IP address with the \fBmap\fP command.
-.SH FILES
-/dev/ipnat
-.br
-/etc/services
-.br
-/etc/hosts
-.SH SEE ALSO
-ipnat(4), hosts(5), ipf(5), services(5), ipf(8), ipnat(8)
diff --git a/sbin/ipnat/ipnat.8 b/sbin/ipnat/ipnat.8
deleted file mode 100644
index 37f75ce43d4..00000000000
--- a/sbin/ipnat/ipnat.8
+++ /dev/null
@@ -1,347 +0,0 @@
-.Dd October 10, 1998
-.Dt IPNAT 8
-.Os
-.Sh NAME
-.Nm ipnat
-.Nd manage IP network address translation rules
-.Sh SYNOPSIS
-.Nm ipnat
-.Op Fl CFlnrsv
-.Op Fl f Ar filename
-.Sh DESCRIPTION
-The
-.Nm
-utility
-provides control over the kernel's network address translation (NAT).
-The NAT facility remaps IP addresses from one range to another.
-It can be used to provide internal networks with Internet connectivity by
-mapping several private IP addresses to a single routeable
-.Pq i.e., Dq real
-Internet address.
-.Pp
-In other words, when properly configured on a gateway, the NAT provides
-Internet access to connected computers lacking officially assigned IP
-addresses.
-It is discussed in RFC 1631.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl f Ar filename
-File from which rules are read.
-.It Fl C
-Delete all entries in the NAT list.
-.It Fl F
-Flush all active mappings from the NAT table.
-.It Fl l
-Display the current rule list and active mappings.
-.It Fl n
-Do not alter the NAT table.
-.It Fl r
-Remove, rather than add, entries specified in the rule list.
-.It Fl s
-Display statistics.
-.It Fl v
-Verbosity.
-Displays detailed information pertaining to rule processing.
-.El
-.Pp
-Certain configuration requirements must be met before
-.Nm
-will work:
-.Bl -enum -offset indent
-.It
-Network address translation requires packet forwarding capabilities.
-Ensure the
-.Pa /etc/sysctl.conf
-file contains the assignment
-.Cm net.inet.ip.forwarding=1 .
-.It
-Packet filtering (see
-.Xr ipf 8 )
-must be enabled, even if it's not being used.
-Check the
-.Pa /etc/rc.conf
-file and make sure it contains the assignment
-.Cm ipfilter=YES .
-.It
-The kernel must be configured with
-.Cm option IPFILTER
-(and
-.Cm option IPFILTER_LOG
-if
-.Xr ipmon 8
-is needed).
-Both options are compiled into the default (GENERIC) kernel that comes with
-the system.
-.It
-Finally, enable NAT itself by setting
-.Cm ipnat=YES
-in
-.Pa /etc/rc.conf .
-This will cause
-.Pa /etc/netstart
-to run
-.Nm
-at boot-time with
-.Pa /etc/ipnat.rules
-as the rule list to install.
-.El
-.Pp
-The
-.Nm
-utility operates on a list of rules, specified by
-.Fl f Ar filename .
-This file is typically
-.Pa /etc/ipnat.rules ;
-standard input is represented by a single dash
-.Pq Ql - .
-Each rule is parsed, then sequentially added to
-the kernel's internal NAT list.
-Like
-.Xr ipf 8 ,
-if an entry contradicts another previously added, the newer will take
-precedence.
-.Pp
-Comments (beginning with a
-.Ql # )
-and blank lines are ignored as
-.Nm
-parses the file.
-Entries may be separated by spaces or tabs.
-Each rule must begin with either
-.Em map ,
-.Em bimap ,
-or
-.Em rdr .
-See below for rule syntax, or refer to
-.Pa /usr/share/ipf/nat.1
-for sample rule entries.
-.Ss Mapping rules
-.Em map
-tells the NAT how a range of addresses should be translated.
-The entries use the following format:
-.Pp
-.Bd -unfilled -offset indent -compact
-map ifname internal/mask -> external/mask options
-.Ed
-.Pp
-The
-.Em ifname
-field is the interface to which packets are sent.
-A gateway with a PPP link would probably use
-.Dq ppp0
-or
-.Dq tun0 ,
-while an Ethernet connection would instead have the name of its device.
-In the presence of multiple network devices, you wish to use the device
-which is on the external side.
-.Pp
-As a quick example:
-.Bd -literal -offset indent
-map ep1 10.1.1.0/24 -> ep1/32 portmap tcp/udp 10000:20000
-.Ed
-.Pp
-This rule would remap all connections originating from 10.1.1.0 through
-10.1.1.254 to the externally-connected network.
-Note that
-.Dq ep1
-is the name of the
-.Em outside
-interface on the gateway; that is, the interface with the external
-.Pq i.e., Dq real
-IP address.
-Do not specify internal interface names, use their addresses instead.
-.Pp
-The address range of the LAN goes in the
-.Em internal
-field.
-This is usually one of the three blocks of address space the Internet
-Assigned Numbers Authority has allocated for private networks (RFC 1918):
-.Pp
-.Bd -unfilled -offset indent -compact
-10.0.0.0 - 10.255.255.255 (ie. 10/8)
-172.16.0.0 - 172.31.255.255 (ie. 172.16/12)
-192.168.0.0 - 192.168.255.255 (ie. 192.168/16)
-.Ed
-.Pp
-The
-.Em external
-address is the offically assigned IP number of the gateway or network.
-.Pp
-.Em mask
-is the netmask of the address.
-This mask is 32 bits long, and is divided into four 8-bit numbers.
-.Pp
-.Bd -unfilled -offset indent -compact
-11111111.0.0.0 Class A - 8 bits set.
-11111111.11111111.0.0 Class B - 16 bits set.
-11111111.11111111.11111111.0 Class C - 24 bits set.
-.Ed
-.Pp
-The number of bits set in the mask is placed following the IP address.
-.Pp
-Both
-.Em internal
-and
-.Em external
-may be an actual IP address, the name of an interface, or a hostname.
-If it is a network number, however, a problem may arise.
-For example:
-.Pp
-.Bd -unfilled -offset indent -compact
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24
-.Ed
-.Pp
-16,000,000 IP addresses are being squeezed into an address space of only 254.
-This is solved by the
-.Em portmap
-option, which remaps ports instead of IP addresses.
-The protocol is specified by following the option with either
-.Em tcp ,
-.Em udp ,
-.Em tcp/udp ,
-or
-.Em tcpudp
-(the last two have the same effect).
-The syntax to assign a range of ports is
-.Dq portnumber:portnumber .
-This looks like:
-.Pp
-.Bd -unfilled -offset indent -compact
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
-map ppp0 10.0.0.0/8 -> 209.1.2.0/24
-.Ed
-.Pp
-That will cut the number down from ~16,000,000 addresses short to only 527,566.
-.Pp
-.Ss Bi-directional mapping rules
-.Em bimap
-is used to create static, bidirectional NAT mappings.
-Standard
-.Em map
-rules only create NAT mappings when the connection is initiated from the
-internal IP address.
-For example, using the following rule:
-.Pp
-.Bd -unfilled -offset indent -compact
-map ppp0 10.0.0.3/32 -> 209.1.2.3/32
-.Ed
-.Pp
-NAT mappings will only be created if the machine at 10.0.0.3 initiates the
-connection.
-To create a truly bidirectional NAT entry,
-.Em bimap
-is necessary.
-Using the following rule, for example, clients on the
-ppp0 side of the NAT box can initiate requests to 209.1.2.3.
-This traffic will be mapped to 10.0.0.3 as expected:
-.Pp
-.Bd -unfilled -offset indent -compact
-bimap ppp0 10.0.0.3/32 -> 209.1.2.3/32
-.Ed
-.Pp
-To be genuinely useful,
-.Em bimap
-should be used in conjunction with either proxy arp, or
-.Xr ifconfig 8
-aliases.
-For example, if we create two bimap entries such as:
-.Pp
-.Bd -unfilled -offset indent -compact
-bimap fxp0 10.0.0.3/32 -> 209.1.2.3/32
-bimap fxp0 10.0.0.4/32 -> 209.1.2.4/32
-.Ed
-.Pp
-It is necessary to do either:
-.Pp
-.Bd -unfilled -offset indent -compact
-arp -s 209.1.2.3 00:40:aa:bb:cc:dd pub
-arp -s 209.1.2.4 00:40:aa:bb:cc:dd pub
-.Ed
-.Pp
-(where 00:40:aa:bb:cc:dd is the MAC address of fxp0) or
-.Pp
-.Bd -unfilled -offset indent -compact
-ifconfig fxp0 alias 209.1.2.3 netmask 255.255.255.255
-ifconfig fxp0 alias 209.1.2.4 netmask 255.255.255.255
-.Ed
-.Pp
-Note that since
-.Xr ipnat 8
-works on the principle of first match (as apposed to
-.Xr ipf 1
-which is last match), it is customary to put all
-.Em rdr
-rules before any and all
-.Em (bi)map
-rules. This is particularly vital if the network ranges in question
-verlap.
-Otherwise the
-.Em rdr
-rules simply
-.Em will not work .
-.Ss Redirection rules
-.Em rdr
-tells the NAT how to redirect incoming packets.
-It is useful if one wishes to
-redirect a connection through a proxy, or to another box on the private
-network.
-The format of this directive is:
-.Pp
-rdr ifname external/mask port service -> internal port service protocol
-.Pp
-This setup is best described by an example of an actual entry:
-.Pp
-.Bd -unfilled -offset indent -compact
-rdr xl0 0.0.0.0/0 port 25 -> 204.213.176.10 port smtp
-.Ed
-.Pp
-This redirects all smtp packets received on xl0 to 204.213.176.10, port 25.
-A netmask is not needed on the
-.Em internal
-address; it is always 32.
-The
-.Em external
-and
-.Em internal
-fields, similar to the
-.Em map
-directive, may be actual addresses, hostnames, or interfaces.
-Likewise, the
-.Em service
-field may be the name of a service, or a port number.
-The
-.Em protocol
-of the service may be selected by appending
-.Em tcp ,
-.Em udp ,
-.Em tcp/udp ,
-or
-.Em tcpudp
-(the last two have the same effect) to the end of the line.
-TCP is the default.
-.Sh FILES
-.Bl -tag -width /usr/share/ipf/nat.1 -compact
-.It Pa /etc/ipnat.rules
-default system rule list
-.It Pa /usr/share/ipf/nat.1
-example rules
-.It Pa /usr/share/ipf/nat.2
-system requirements for use of the NAT
-.It Pa /usr/share/ipf/nat.3
-example rules for use with ppp
-.It Pa /dev/ipnat
-device file
-.El
-.Sh BUGS
-.Em bimap
-should really only be used with single IP addresses (x.x.x.x/32).
-Bimapping
-other CIDR ranges will result in unexpected, and possibly random mappings
-into the destination address block.
-.Sh SEE ALSO
-.Xr ipnat 4 ,
-.Xr ipnat 5 ,
-.Xr ipf 8
-.Pp
-http://coombs.anu.edu.au/~avalon
diff --git a/sbin/ipnat/ipnat.c b/sbin/ipnat/ipnat.c
deleted file mode 100644
index b7a7a50230f..00000000000
--- a/sbin/ipnat/ipnat.c
+++ /dev/null
@@ -1,410 +0,0 @@
-/* $OpenBSD: ipnat.c,v 1.40 2001/01/30 04:26:49 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
- */
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/time.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_proxy.h>
-#include <netinet/ip_nat.h>
-#include "ipf.h"
-#include "kmem.h"
-
-#if defined(sun) && !SOLARIS2
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-
-#if !defined(lint)
-static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ipnat.c,v 2.16.2.5 2000/12/02 00:15:04 darrenr Exp $";
-#endif
-
-
-#if SOLARIS
-#define bzero(a,b) memset(a,0,b)
-#endif
-#ifdef USE_INET6
-int use_inet6 = 0;
-#endif
-
-static char thishost[MAXHOSTNAMELEN];
-
-
-extern char *optarg;
-char *nlistf = NULL, *memf = NULL;
-extern ipnat_t *natparse __P((char *, int));
-extern void natparsefile __P((int, char *, int));
-extern void printnat __P((ipnat_t *, int, void *));
-
-void dostats __P((int, int)), flushtable __P((int, int));
-void usage __P((char *));
-int countbits __P((u_32_t));
-char *getnattype __P((ipnat_t *));
-int main __P((int, char*[]));
-void printaps __P((ap_session_t *, int));
-char *getsumd __P((u_32_t));
-
-
-void usage(name)
-char *name;
-{
- fprintf(stderr, "%s: [-CFhlnrsv] [-f filename]\n", name);
- exit(1);
-}
-
-
-char *getsumd(sum)
-u_32_t sum;
-{
- static char sumdbuf[17];
-
- if (sum & NAT_HW_CKSUM)
- sprintf(sumdbuf, "hw(%#0x)", sum & 0xffff);
- else
- sprintf(sumdbuf, "%#0x", sum);
- return sumdbuf;
-}
-
-
-int main(argc, argv)
-int argc;
-char *argv[];
-{
- char *file = NULL;
- int fd = -1, opts = 0, c, mode = O_RDWR;
-
- while ((c = getopt(argc, argv, "CdFf:hlnrsv")) != -1)
- switch (c)
- {
- case 'C' :
- opts |= OPT_CLEAR;
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'f' :
- file = optarg;
- break;
- case 'F' :
- opts |= OPT_FLUSH;
- break;
- case 'h' :
- opts |=OPT_HITS;
- break;
- case 'l' :
- opts |= OPT_LIST;
- mode = O_RDONLY;
- break;
- case 'n' :
- opts |= OPT_NODO;
- mode = O_RDONLY;
- break;
- case 'r' :
- opts |= OPT_REMOVE;
- break;
- case 's' :
- opts |= OPT_STAT;
- mode = O_RDONLY;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- default :
- usage(argv[0]);
- }
-
- gethostname(thishost, sizeof(thishost));
- thishost[sizeof(thishost) - 1] = '\0';
-
- if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, mode)) == -1) &&
- ((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
- (void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
- STRERROR(errno));
- exit(-1);
- }
-
- if (opts & (OPT_FLUSH|OPT_CLEAR))
- flushtable(fd, opts);
- if (file)
- natparsefile(fd, file, opts);
- if (opts & (OPT_LIST|OPT_STAT))
- dostats(fd, opts);
- return 0;
-}
-
-
-void printaps(aps, opts)
-ap_session_t *aps;
-int opts;
-{
- ap_session_t ap;
- ftpinfo_t ftp;
- aproxy_t apr;
- raudio_t ra;
-
- if (kmemcpy((char *)&ap, (long)aps, sizeof(ap)))
- return;
- if (kmemcpy((char *)&apr, (long)ap.aps_apr, sizeof(apr)))
- return;
- printf("\tproxy %s/%d use %d flags %x\n", apr.apr_label,
- apr.apr_p, apr.apr_ref, apr.apr_flags);
- printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags);
-#ifdef USE_QUAD_T
- printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes,
- (unsigned long long)ap.aps_pkts);
-#else
- printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts);
-#endif
- printf(" data %p psiz %d\n", ap.aps_data, ap.aps_psiz);
- if ((ap.aps_p == IPPROTO_TCP) && (opts & OPT_VERBOSE)) {
- printf("\t\tstate[%u,%u], sel[%d,%d]\n",
- ap.aps_state[0], ap.aps_state[1],
- ap.aps_sel[0], ap.aps_sel[1]);
-#if (defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011)) || \
- (__FreeBSD_version >= 300000) || defined(OpenBSD)
- printf("\t\tseq: off %hd/%hd min %x/%x\n",
- ap.aps_seqoff[0], ap.aps_seqoff[1],
- ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %x/%x\n",
- ap.aps_ackoff[0], ap.aps_ackoff[1],
- ap.aps_ackmin[0], ap.aps_ackmin[1]);
-#else
- printf("\t\tseq: off %hd/%hd min %lx/%lx\n",
- ap.aps_seqoff[0], ap.aps_seqoff[1],
- ap.aps_seqmin[0], ap.aps_seqmin[1]);
- printf("\t\tack: off %hd/%hd min %lx/%lx\n",
- ap.aps_ackoff[0], ap.aps_ackoff[1],
- ap.aps_ackmin[0], ap.aps_ackmin[1]);
-#endif
- }
-
- if (!strcmp(apr.apr_label, "raudio") && ap.aps_psiz == sizeof(ra)) {
- if (kmemcpy((char *)&ra, (long)ap.aps_data, sizeof(ra)))
- return;
- printf("\tReal Audio Proxy:\n");
- printf("\t\tSeen PNA: %d\tVersion: %d\tEOS: %d\n",
- ra.rap_seenpna, ra.rap_version, ra.rap_eos);
- printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf);
- printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n",
- ra.rap_plport, ra.rap_prport, ra.rap_srport);
- } else if (!strcmp(apr.apr_label, "ftp") &&
- (ap.aps_psiz == sizeof(ftp))) {
- if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp)))
- return;
- printf("\tFTP Proxy:\n");
- printf("\t\tpassok: %d\n", ftp.ftp_passok);
- ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
- ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
- printf("\tClient:\n");
- printf("\t\trptr %p wptr %p seq %x len %d junk %d\n",
- ftp.ftp_side[0].ftps_rptr, ftp.ftp_side[0].ftps_wptr,
- ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_len,
- ftp.ftp_side[0].ftps_junk);
- printf("\t\tbuf [");
- printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n\tServer:\n");
- printf("\t\trptr %p wptr %p seq %x len %d junk %d\n",
- ftp.ftp_side[1].ftps_rptr, ftp.ftp_side[1].ftps_wptr,
- ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_len,
- ftp.ftp_side[1].ftps_junk);
- printf("\t\tbuf [");
- printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
- printf("]\n");
- }
-}
-
-
-/*
- * Get a nat filter type given its kernel address.
- */
-char *getnattype(ipnat)
-ipnat_t *ipnat;
-{
- char *which;
- ipnat_t ipnatbuff;
-
- if (!ipnat || (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat,
- sizeof(ipnatbuff))))
- return "???";
-
- switch (ipnatbuff.in_redir)
- {
- case NAT_MAP :
- which = "MAP";
- break;
- case NAT_MAPBLK :
- which = "MAP-BLOCK";
- break;
- case NAT_REDIRECT :
- which = "RDR";
- break;
- case NAT_BIMAP :
- which = "BIMAP";
- break;
- default :
- which = "unknown";
- break;
- }
- return which;
-}
-
-
-void dostats(fd, opts)
-int fd, opts;
-{
- natstat_t ns, *nsp = &ns;
- nat_t **nt[2], *np, nat;
- ipnat_t ipn;
-
- bzero((char *)&ns, sizeof(ns));
-
- if (!(opts & OPT_NODO) && ioctl(fd, SIOCGNATS, &nsp) == -1) {
- perror("ioctl(SIOCGNATS)");
- return;
- }
-
- if (opts & OPT_STAT) {
- printf("mapped\tin\t%lu\tout\t%lu\n",
- ns.ns_mapped[0], ns.ns_mapped[1]);
- printf("added\t%lu\texpired\t%lu\n",
- ns.ns_added, ns.ns_expire);
- printf("no memory\t%lu\tbad nat\t%lu\n",
- ns.ns_memfail, ns.ns_badnat);
- printf("inuse\t%lu\nrules\t%lu\n", ns.ns_inuse, ns.ns_rules);
- printf("wilds\t%u\n", ns.ns_wilds);
- if (opts & OPT_VERBOSE)
- printf("table %p list %p\n", ns.ns_table, ns.ns_list);
- }
- if (opts & OPT_LIST) {
- printf("List of active MAP/Redirect filters:\n");
- while (ns.ns_list) {
- if (kmemcpy((char *)&ipn, (long)ns.ns_list,
- sizeof(ipn))) {
- perror("kmemcpy");
- break;
- }
- if (opts & OPT_HITS)
- printf("%d ", ipn.in_hits);
- printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE),
- (void *)ns.ns_list);
- ns.ns_list = ipn.in_next;
- }
-
- nt[0] = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE);
- if (kmemcpy((char *)nt[0], (long)ns.ns_table[0],
- sizeof(**nt) * NAT_SIZE)) {
- perror("kmemcpy");
- return;
- }
-
- printf("\nList of active sessions:\n");
-
- for (np = ns.ns_instances; np; np = nat.nat_next) {
- if (kmemcpy((char *)&nat, (long)np, sizeof(nat)))
- break;
-
- printf("%s %-15s %-5hu <- ->", getnattype(nat.nat_ptr),
- inet_ntoa(nat.nat_inip), ntohs(nat.nat_inport));
- printf(" %-15s %-5hu", inet_ntoa(nat.nat_outip),
- ntohs(nat.nat_outport));
- printf(" [%s %hu]", inet_ntoa(nat.nat_oip),
- ntohs(nat.nat_oport));
- if (opts & OPT_VERBOSE) {
- printf("\n\tage %lu use %hu sumd %s/",
- nat.nat_age, nat.nat_use,
- getsumd(nat.nat_sumd[0]));
- printf("%s pr %u bkt %d/%d flags %x ",
- getsumd(nat.nat_sumd[1]), nat.nat_p,
- (int)NAT_HASH_FN(nat.nat_inip.s_addr,
- nat.nat_inport,
- NAT_TABLE_SZ),
- (int)NAT_HASH_FN(nat.nat_outip.s_addr,
- nat.nat_outport,
- NAT_TABLE_SZ),
- nat.nat_flags);
-#ifdef USE_QUAD_T
- printf("bytes %qu pkts %qu",
- (unsigned long long)nat.nat_bytes,
- (unsigned long long)nat.nat_pkts);
-#else
- printf("bytes %lu pkts %lu",
- nat.nat_bytes, nat.nat_pkts);
-#endif
-#if SOLARIS
- printf(" %lx", nat.nat_ipsumd);
-#endif
- }
- putchar('\n');
- if (nat.nat_aps)
- printaps(nat.nat_aps, opts);
- }
-
- free(nt[0]);
- }
-}
-
-
-void flushtable(fd, opts)
-int fd, opts;
-{
- int n = 0;
-
- if (opts & OPT_FLUSH) {
- n = 0;
- if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1)
- perror("ioctl(SIOCFLNAT)");
- else
- printf("%d entries flushed from NAT table\n", n);
- }
-
- if (opts & OPT_CLEAR) {
- n = 1;
- if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1)
- perror("ioctl(SIOCCNATL)");
- else
- printf("%d entries flushed from NAT list\n", n);
- }
-}
diff --git a/sbin/ipnat/natparse.c b/sbin/ipnat/natparse.c
deleted file mode 100644
index 4c31727eb9b..00000000000
--- a/sbin/ipnat/natparse.c
+++ /dev/null
@@ -1,823 +0,0 @@
-/* $OpenBSD: natparse.c,v 1.11 2001/02/18 23:20:42 millert Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/time.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#if defined(sun) && (defined(__svr4__) || defined(__SVR4))
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-#endif
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_proxy.h>
-#include <netinet/ip_nat.h>
-#include "ipf.h"
-
-#if defined(sun) && !SOLARIS2
-# define STRERROR(x) sys_errlist[x]
-extern char *sys_errlist[];
-#else
-# define STRERROR(x) strerror(x)
-#endif
-
-#if !defined(lint)
-static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: natparse.c,v 1.17.2.6 2000/07/08 02:14:40 darrenr Exp $";
-#endif
-
-
-#if SOLARIS
-#define bzero(a,b) memset(a,0,b)
-#endif
-
-extern int countbits __P((u_32_t));
-extern char *proto;
-
-ipnat_t *natparse __P((char *, int));
-void printnat __P((ipnat_t *, int, void *));
-void natparsefile __P((int, char *, int));
-void nat_setgroupmap __P((struct ipnat *));
-
-
-void printnat(np, opts, ptr)
-ipnat_t *np;
-int opts;
-void *ptr;
-{
- struct protoent *pr;
- struct servent *sv;
- int bits;
-
- switch (np->in_redir)
- {
- case NAT_REDIRECT :
- printf("rdr");
- break;
- case NAT_MAP :
- printf("map");
- break;
- case NAT_MAPBLK :
- printf("map-block");
- break;
- case NAT_BIMAP :
- printf("bimap");
- break;
- default :
- fprintf(stderr, "unknown value for in_redir: %#x\n",
- np->in_redir);
- break;
- }
-
- printf(" %s ", np->in_ifname);
-
- if (np->in_flags & IPN_FILTER) {
- if (np->in_flags & IPN_NOTSRC)
- printf("! ");
- printf("from ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- if (np->in_scmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_src);
- } else {
- printhostmask(4, (u_32_t *)&np->in_inip,
- (u_32_t *)&np->in_inmsk);
- if (np->in_dcmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_dst);
- }
-
- if (np->in_flags & IPN_NOTDST)
- printf(" !");
- printf(" to ");
- if (np->in_redir == NAT_REDIRECT) {
- printhostmask(4, (u_32_t *)&np->in_outip,
- (u_32_t *)&np->in_outmsk);
- if (np->in_dcmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_dst);
- } else {
- printhostmask(4, (u_32_t *)&np->in_srcip,
- (u_32_t *)&np->in_srcmsk);
- if (np->in_scmp)
- printportcmp(np->in_p, &np->in_tuc.ftu_src);
- }
- }
-
- if (np->in_redir == NAT_REDIRECT) {
- if (!(np->in_flags & IPN_FILTER)) {
- printf("%s", inet_ntoa(np->in_out[0]));
- bits = countbits(np->in_out[1].s_addr);
- if (bits != -1)
- printf("/%d ", bits);
- else
- printf("/%s ", inet_ntoa(np->in_out[1]));
- if (np->in_pmin)
- printf("port %d", ntohs(np->in_pmin));
- if (np->in_pmax != np->in_pmin)
- printf("- %d", ntohs(np->in_pmax));
- }
- printf(" -> %s", inet_ntoa(np->in_in[0]));
- if (np->in_flags & IPN_SPLIT)
- printf(",%s", inet_ntoa(np->in_in[1]));
- if (np->in_pnext)
- printf(" port %d", ntohs(np->in_pnext));
- if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf(" tcp/udp");
- else if ((np->in_flags & IPN_TCP) == IPN_TCP)
- printf(" tcp");
- else if ((np->in_flags & IPN_UDP) == IPN_UDP)
- printf(" udp");
- if (np->in_flags & IPN_ROUNDR)
- printf(" round-robin");
- printf("\n");
- if (opts & OPT_DEBUG)
- printf("\t%p %lu %#x %u %p %d\n", np->in_ifp,
- np->in_space, np->in_flags, np->in_pmax, np,
- np->in_use);
- } else {
- np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
- if (!(np->in_flags & IPN_FILTER)) {
- printf("%s/", inet_ntoa(np->in_in[0]));
- bits = countbits(np->in_in[1].s_addr);
- if (bits != -1)
- printf("%d ", bits);
- else
- printf("%s", inet_ntoa(np->in_in[1]));
- }
- printf(" -> ");
- if (np->in_flags & IPN_IPRANGE) {
- printf("range %s-", inet_ntoa(np->in_out[0]));
- printf("%s", inet_ntoa(np->in_out[1]));
- } else {
- printf("%s/", inet_ntoa(np->in_out[0]));
- bits = countbits(np->in_out[1].s_addr);
- if (bits != -1)
- printf("%d ", bits);
- else
- printf("%s", inet_ntoa(np->in_out[1]));
- }
- if (*np->in_plabel) {
- pr = getprotobynumber(np->in_p);
- printf(" proxy port");
- if (np->in_dport != 0) {
- if (pr != NULL)
- sv = getservbyport(np->in_dport,
- pr->p_name);
- else
- sv = getservbyport(np->in_dport, NULL);
- if (sv != NULL)
- printf(" %s", sv->s_name);
- else
- printf(" %hu", ntohs(np->in_dport));
- }
- printf(" %.*s/", (int)sizeof(np->in_plabel),
- np->in_plabel);
- if (pr != NULL)
- fputs(pr->p_name, stdout);
- else
- printf("%d", np->in_p);
- } else if (np->in_redir == NAT_MAPBLK) {
- printf(" ports %d", np->in_pmin);
- if (opts & OPT_VERBOSE)
- printf("\n\tip modulous %d", np->in_pmax);
- } else if (np->in_pmin || np->in_pmax) {
- printf(" portmap");
- if (np->in_flags & IPN_AUTOPORTMAP) {
- printf(" auto");
- if (opts & OPT_DEBUG)
- printf(" [%d:%d %d %d]",
- ntohs(np->in_pmin),
- ntohs(np->in_pmax),
- np->in_ippip, np->in_ppip);
- } else {
- if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf(" tcp/udp");
- else if (np->in_flags & IPN_TCP)
- printf(" tcp");
- else if (np->in_flags & IPN_UDP)
- printf(" udp");
- printf(" %d:%d", ntohs(np->in_pmin),
- ntohs(np->in_pmax));
- }
- }
- printf("\n");
- if (opts & OPT_DEBUG) {
- printf("\tifp %p space %lu nextip %s pnext %d",
- np->in_ifp, np->in_space,
- inet_ntoa(np->in_nextip), np->in_pnext);
- printf(" flags %x use %u\n",
- np->in_flags, np->in_use);
- }
- }
-}
-
-
-void nat_setgroupmap(n)
-ipnat_t *n;
-{
- if (n->in_outmsk == n->in_inmsk)
- n->in_ippip = 1;
- else if (n->in_flags & IPN_AUTOPORTMAP) {
- n->in_ippip = ~ntohl(n->in_inmsk);
- if (n->in_outmsk != 0xffffffff)
- n->in_ippip /= (~ntohl(n->in_outmsk) + 1);
- n->in_ippip++;
- if (n->in_ippip == 0)
- n->in_ippip = 1;
- n->in_ppip = USABLE_PORTS / n->in_ippip;
- } else {
- n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
- n->in_nip = 0;
- if (!(n->in_ppip = n->in_pmin))
- n->in_ppip = 1;
- n->in_ippip = USABLE_PORTS / n->in_ppip;
- }
-}
-
-
-
-ipnat_t *natparse(line, linenum)
-char *line;
-int linenum;
-{
- static ipnat_t ipn;
- struct protoent *pr;
- char *dnetm = NULL, *dport = NULL;
- char *s, *t, *cps[31], **cpp;
- int i, cnt;
-
-
- if ((s = strchr(line, '\n')))
- *s = '\0';
- if ((s = strchr(line, '#')))
- *s = '\0';
- while (*line && isspace(*line))
- line++;
- if (!*line)
- return NULL;
-
- bzero((char *)&ipn, sizeof(ipn));
- cnt = 0;
-
- for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
- cps[++i] = strtok(NULL, " \b\t\r\n");
-
- cps[i] = NULL;
-
- if (cnt < 3) {
- fprintf(stderr, "%d: not enough segments in line\n", linenum);
- return NULL;
- }
-
- cpp = cps;
-
- if (!strcasecmp(*cpp, "map"))
- ipn.in_redir = NAT_MAP;
- else if (!strcasecmp(*cpp, "map-block"))
- ipn.in_redir = NAT_MAPBLK;
- else if (!strcasecmp(*cpp, "rdr"))
- ipn.in_redir = NAT_REDIRECT;
- else if (!strcasecmp(*cpp, "bimap"))
- ipn.in_redir = NAT_BIMAP;
- else {
- fprintf(stderr, "%d: unknown mapping: \"%s\"\n",
- linenum, *cpp);
- return NULL;
- }
-
- cpp++;
-
- strncpy(ipn.in_ifname, *cpp, sizeof(ipn.in_ifname) - 1);
- ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0';
- cpp++;
-
- if (!strcasecmp(*cpp, "from") || (**cpp == '!')) {
- if (!strcmp(*cpp, "!")) {
- cpp++;
- if (strcasecmp(*cpp, "from")) {
- fprintf(stderr, "Missing from after !\n");
- return NULL;
- }
- ipn.in_flags |= IPN_NOTSRC;
- } else if (**cpp == '!') {
- if (strcasecmp(*cpp + 1, "from")) {
- fprintf(stderr, "Missing from after !\n");
- return NULL;
- }
- ipn.in_flags |= IPN_NOTSRC;
- }
- if ((ipn.in_flags & IPN_NOTSRC) &&
- (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) {
- fprintf(stderr, "Cannot use '! from' with map\n");
- return NULL;
- }
-
- ipn.in_flags |= IPN_FILTER;
- cpp++;
- if (ipn.in_redir == NAT_REDIRECT) {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
- (u_32_t *)&ipn.in_srcmsk,
- &ipn.in_sport, &ipn.in_scmp,
- &ipn.in_stop, linenum)) {
- return NULL;
- }
- } else {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_inip,
- (u_32_t *)&ipn.in_inmsk,
- &ipn.in_sport, &ipn.in_scmp,
- &ipn.in_stop, linenum)) {
- return NULL;
- }
- }
-
- if (!strcmp(*cpp, "!")) {
- cpp++;
- ipn.in_flags |= IPN_NOTDST;
- } else if (**cpp == '!') {
- (*cpp)++;
- ipn.in_flags |= IPN_NOTDST;
- }
-
- if (strcasecmp(*cpp, "to")) {
- fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
- linenum, *cpp);
- return NULL;
- }
- if ((ipn.in_flags & IPN_NOTDST) &&
- (ipn.in_redir & (NAT_REDIRECT))) {
- fprintf(stderr, "Cannot use '! to' with rdr\n");
- return NULL;
- }
-
- if (!*++cpp) {
- fprintf(stderr, "%d: missing host after to\n", linenum);
- return NULL;
- }
- if (ipn.in_redir == NAT_REDIRECT) {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_outip,
- (u_32_t *)&ipn.in_outmsk,
- &ipn.in_dport, &ipn.in_dcmp,
- &ipn.in_dtop, linenum)) {
- return NULL;
- }
- ipn.in_pmin = htons(ipn.in_dport);
- } else {
- if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip,
- (u_32_t *)&ipn.in_srcmsk,
- &ipn.in_dport, &ipn.in_dcmp,
- &ipn.in_dtop, linenum)) {
- return NULL;
- }
- }
- } else {
- s = *cpp;
- if (!s)
- return NULL;
- t = strchr(s, '/');
- if (!t)
- return NULL;
- *t++ = '\0';
- if (ipn.in_redir == NAT_REDIRECT) {
- if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1)
- return NULL;
- if (genmask(t, (u_32_t *)&ipn.in_outmsk) == -1) {
- return NULL;
- }
- } else {
- if (hostnum((u_32_t *)&ipn.in_inip, s, linenum) == -1)
- return NULL;
- if (genmask(t, (u_32_t *)&ipn.in_inmsk) == -1) {
- return NULL;
- }
- }
- cpp++;
- if (!*cpp)
- return NULL;
- }
-
- if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) {
- if (strcasecmp(*cpp, "port")) {
- fprintf(stderr, "%d: missing fields - 1st port\n",
- linenum);
- return NULL;
- }
-
- /* The default protocol for "redir" is TCP */
- ipn.in_flags |= IPN_TCP;
- proto = "tcp";
-
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing fields (destination port)\n",
- linenum);
- return NULL;
- }
-
- if (isdigit(**cpp) && (s = strchr(*cpp, '-')))
- *s++ = '\0';
- else
- s = NULL;
-
- if (!portnum(*cpp, &ipn.in_pmin, linenum))
- return NULL;
- ipn.in_pmin = htons(ipn.in_pmin);
- cpp++;
-
- if (!strcmp(*cpp, "-")) {
- cpp++;
- s = *cpp++;
- }
-
- if (s) {
- if (!portnum(s, &ipn.in_pmax, linenum))
- return NULL;
- ipn.in_pmax = htons(ipn.in_pmax);
- } else
- ipn.in_pmax = ipn.in_pmin;
- }
-
- if (!*cpp) {
- fprintf(stderr, "%d: missing fields (->)\n", linenum);
- return NULL;
- }
- if (strcmp(*cpp, "->")) {
- fprintf(stderr, "%d: missing ->\n", linenum);
- return NULL;
- }
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr, "%d: missing fields (%s)\n",
- linenum, ipn.in_redir ? "destination" : "target");
- return NULL;
- }
-
- if (ipn.in_redir == NAT_MAP) {
- if (!strcasecmp(*cpp, "range")) {
- cpp++;
- ipn.in_flags |= IPN_IPRANGE;
- if (!*cpp) {
- fprintf(stderr, "%d: missing fields (%s)\n",
- linenum,
- ipn.in_redir ? "destination":"target");
- return NULL;
- }
- }
- }
-
- if (ipn.in_flags & IPN_IPRANGE) {
- dnetm = strrchr(*cpp, '-');
- if (dnetm == NULL) {
- cpp++;
- if (*cpp && !strcmp(*cpp, "-") && *(cpp + 1))
- dnetm = *(cpp + 1);
- } else
- *dnetm++ = '\0';
- if (dnetm == NULL || *dnetm == '\0') {
- fprintf(stderr,
- "%d: desination range not specified\n",
- linenum);
- return NULL;
- }
- } else if (ipn.in_redir != NAT_REDIRECT) {
- dnetm = strrchr(*cpp, '/');
- if (dnetm == NULL) {
- cpp++;
- if (*cpp && !strcasecmp(*cpp, "netmask"))
- dnetm = *++cpp;
- }
- if (dnetm == NULL) {
- fprintf(stderr,
- "%d: missing fields (dest netmask)\n",
- linenum);
- return NULL;
- }
- if (*dnetm == '/')
- *dnetm++ = '\0';
- }
-
- if (ipn.in_redir == NAT_REDIRECT) {
- dnetm = strchr(*cpp, ',');
- if (dnetm != NULL) {
- ipn.in_flags |= IPN_SPLIT;
- *dnetm++ = '\0';
- }
- if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1)
- return NULL;
- } else {
- if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1)
- return NULL;
- }
- cpp++;
-
- if (ipn.in_redir & NAT_MAPBLK) {
- if (*cpp && strcasecmp(*cpp, "ports")) {
- fprintf(stderr,
- "%d: expected \"ports\" - got \"%s\"\n",
- linenum, *cpp);
- return NULL;
- }
- cpp++;
- if (*cpp) {
- ipn.in_pmin = atoi(*cpp);
- cpp++;
- } else
- ipn.in_pmin = 0;
- } else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
- if (strrchr(*cpp, '/') != NULL) {
- fprintf(stderr, "%d: No netmask supported in %s\n",
- linenum, "destination host for redirect");
- return NULL;
- }
- /* If it's a in_redir, expect target port */
-
- if (strcasecmp(*cpp, "port")) {
- fprintf(stderr, "%d: missing fields - 2nd port (%s)\n",
- linenum, *cpp);
- return NULL;
- }
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing fields (destination port)\n",
- linenum);
- return NULL;
- }
- if (!portnum(*cpp, &ipn.in_pnext, linenum))
- return NULL;
- ipn.in_pnext = htons(ipn.in_pnext);
- cpp++;
- }
- if (dnetm && *dnetm == '/')
- *dnetm++ = '\0';
-
- if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) {
- if (ipn.in_flags & IPN_IPRANGE) {
- if (hostnum((u_32_t *)&ipn.in_outmsk, dnetm,
- linenum) == -1)
- return NULL;
- } else if (genmask(dnetm, (u_32_t *)&ipn.in_outmsk))
- return NULL;
- } else {
- if (ipn.in_flags & IPN_SPLIT) {
- if (hostnum((u_32_t *)&ipn.in_inmsk, dnetm,
- linenum) == -1)
- return NULL;
- } else if (genmask("255.255.255.255", (u_32_t *)&ipn.in_inmsk))
- return NULL;
- if (*cpp) {
- ipn.in_flags &= ~IPN_TCP; /* override default */
- if (!strcasecmp(*cpp, "tcp"))
- ipn.in_flags |= IPN_TCP;
- else if (!strcasecmp(*cpp, "udp"))
- ipn.in_flags |= IPN_UDP;
- else if (!strcasecmp(*cpp, "tcp/udp"))
- ipn.in_flags |= IPN_TCPUDP;
- else if (!strcasecmp(*cpp, "tcpudp"))
- ipn.in_flags |= IPN_TCPUDP;
- else if (!strcasecmp(*cpp, "ip"))
- ipn.in_flags |= IPN_ANY;
- else {
- ipn.in_flags |= IPN_ANY;
- if ((pr = getprotobyname(*cpp)))
- ipn.in_p = pr->p_proto;
- else
- ipn.in_p = atoi(*cpp);
- }
- proto = *cpp;
- cpp++;
-
- if (*cpp && !strcasecmp(*cpp, "round-robin")) {
- cpp++;
- ipn.in_flags |= IPN_ROUNDR;
- }
-
- if (*cpp) {
- fprintf(stderr,
- "%d: extra junk at the end of rdr: %s\n",
- linenum, *cpp);
- return NULL;
- }
- }
- }
-
- if (!(ipn.in_flags & IPN_SPLIT))
- ipn.in_inip &= ipn.in_inmsk;
- if ((ipn.in_flags & IPN_IPRANGE) == 0)
- ipn.in_outip &= ipn.in_outmsk;
- ipn.in_srcip &= ipn.in_srcmsk;
-
- if ((ipn.in_redir & NAT_MAPBLK) != 0)
- nat_setgroupmap(&ipn);
-
- if (!*cpp)
- return &ipn;
-
- if (ipn.in_redir == NAT_BIMAP) {
- fprintf(stderr,
- "%d: extra words at the end of bimap line: %s\n",
- linenum, *cpp);
- return NULL;
- }
-
- if (!strcasecmp(*cpp, "proxy")) {
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing parameter for \"proxy\"\n",
- linenum);
- return NULL;
- }
- dport = NULL;
-
- if (!strcasecmp(*cpp, "port")) {
- cpp++;
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing parameter for \"port\"\n",
- linenum);
- return NULL;
- }
-
- dport = *cpp;
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr,
- "%d: missing parameter for \"proxy\"\n",
- linenum);
- return NULL;
- }
- } else {
- fprintf(stderr,
- "%d: missing keyword \"port\"\n", linenum);
- return NULL;
- }
-
- if ((proto = index(*cpp, '/'))) {
- *proto++ = '\0';
- if ((pr = getprotobyname(proto)))
- ipn.in_p = pr->p_proto;
- else
- ipn.in_p = atoi(proto);
- } else
- ipn.in_p = 0;
-
- if (dport && !portnum(dport, &ipn.in_dport, linenum))
- return NULL;
- ipn.in_dport = htons(ipn.in_dport);
-
- (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel));
- cpp++;
-
- if (*cpp) {
- fprintf(stderr,
- "%d: too many parameters for \"proxy\"\n",
- linenum);
- return NULL;
- }
- return &ipn;
- }
-
- if (strcasecmp(*cpp, "portmap")) {
- fprintf(stderr,
- "%d: expected \"portmap\" - got \"%s\"\n", linenum,
- *cpp);
- return NULL;
- }
- cpp++;
- if (!*cpp) {
- fprintf(stderr, "%d: missing expression following portmap\n",
- linenum);
- return NULL;
- }
-
- if (!strcasecmp(*cpp, "tcp"))
- ipn.in_flags |= IPN_TCP;
- else if (!strcasecmp(*cpp, "udp"))
- ipn.in_flags |= IPN_UDP;
- else if (!strcasecmp(*cpp, "tcpudp"))
- ipn.in_flags |= IPN_TCPUDP;
- else if (!strcasecmp(*cpp, "tcp/udp"))
- ipn.in_flags |= IPN_TCPUDP;
- else {
- fprintf(stderr,
- "%d: expected protocol name - got \"%s\"\n",
- linenum, *cpp);
- return NULL;
- }
- proto = *cpp;
- cpp++;
-
- if (!*cpp) {
- fprintf(stderr, "%d: no port range found\n", linenum);
- return NULL;
- }
-
- if (!strcasecmp(*cpp, "auto")) {
- ipn.in_flags |= IPN_AUTOPORTMAP;
- ipn.in_pmin = htons(1024);
- ipn.in_pmax = htons(65535);
- nat_setgroupmap(&ipn);
- return &ipn;
- }
-
- if (!(t = strchr(*cpp, ':'))) {
- fprintf(stderr, "%d: no port range in \"%s\"\n",
- linenum, *cpp);
- return NULL;
- }
- *t++ = '\0';
- if (!portnum(*cpp, &ipn.in_pmin, linenum) ||
- !portnum(t, &ipn.in_pmax, linenum))
- return NULL;
- ipn.in_pmin = htons(ipn.in_pmin);
- ipn.in_pmax = htons(ipn.in_pmax);
- return &ipn;
-}
-
-
-void natparsefile(fd, file, opts)
-int fd;
-char *file;
-int opts;
-{
- char line[512], *s;
- ipnat_t *np;
- FILE *fp;
- int linenum = 0;
-
- if (strcmp(file, "-")) {
- if (!(fp = fopen(file, "r"))) {
- fprintf(stderr, "%s: open: %s\n", file,
- STRERROR(errno));
- exit(1);
- }
- } else
- fp = stdin;
-
- while (fgets(line, sizeof(line) - 1, fp)) {
- linenum++;
- line[sizeof(line) - 1] = '\0';
- if ((s = strchr(line, '\n')))
- *s = '\0';
-
- if (!(np = natparse(line, linenum))) {
- if (*line)
- fprintf(stderr, "%d: syntax error in \"%s\"\n",
- linenum, line);
- } else {
- if ((opts & OPT_VERBOSE) && np)
- printnat(np, opts, NULL);
- if (!(opts & OPT_NODO)) {
- if (!(opts & OPT_REMOVE)) {
- if (ioctl(fd, SIOCADNAT, &np) == -1) {
- fprintf(stderr, "%d:",
- linenum);
- perror("ioctl(SIOCADNAT)");
- }
- } else if (ioctl(fd, SIOCRMNAT, &np) == -1) {
- fprintf(stderr, "%d:", linenum);
- perror("ioctl(SIOCRMNAT)");
- }
- }
- }
- }
- if (fp != stdin)
- fclose(fp);
-}
diff --git a/share/Makefile b/share/Makefile
index 5d0ab8a51bc..26acf331c8b 100644
--- a/share/Makefile
+++ b/share/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.8 2000/04/25 21:12:53 jakob Exp $
+# $OpenBSD: Makefile,v 1.9 2001/05/30 02:11:00 deraadt Exp $
-SUBDIR= dict doc ipf ipsec lkm man misc mk tabset termtypes \
+SUBDIR= dict doc ipsec lkm man misc mk tabset termtypes \
tmac zoneinfo smtpd
.include <bsd.subdir.mk>
diff --git a/share/ipf/Makefile b/share/ipf/Makefile
deleted file mode 100644
index 3919a72fd85..00000000000
--- a/share/ipf/Makefile
+++ /dev/null
@@ -1,13 +0,0 @@
-# $OpenBSD: Makefile,v 1.3 2000/03/02 14:46:34 todd Exp $
-#
-#
-FILES= example.* nat.* firewall.*
-NOOBJ= noobj
-
-all clean cleandir depend lint tags:
-
-install:
- install -d ${DESTDIR}${BINDIR}/ipf
- install -c -m 0444 ${FILES} ${DESTDIR}${BINDIR}/ipf
-
-.include <bsd.prog.mk>
diff --git a/share/ipf/example.1 b/share/ipf/example.1
deleted file mode 100644
index ff93f492caf..00000000000
--- a/share/ipf/example.1
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
-#
-block in on le0 proto tcp from 10.1.1.1/32 to any
diff --git a/share/ipf/example.10 b/share/ipf/example.10
deleted file mode 100644
index 560d1e670f6..00000000000
--- a/share/ipf/example.10
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# pass ack packets (ie established connection)
-#
-pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
-#
-# block incoming connection requests to my internal network from the big bad
-# internet.
-#
-block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
-# to block the replies:
-block out on le0 proto tcp from 10.1.0.0 to any flags SA/SA
diff --git a/share/ipf/example.11 b/share/ipf/example.11
deleted file mode 100644
index e9045d24f1b..00000000000
--- a/share/ipf/example.11
+++ /dev/null
@@ -1,27 +0,0 @@
-# For this example, "foo" has an IP address of 10.2.2.2
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block anything trying to get to X terminal ports, X:0 to X:9
-#
-block in proto tcp from any to any port 5999 >< 6010
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-block in proto tcp/udp all
-pass in proto tcp/udp from any to any port 512 <> 515
-#
-# allow any connections to be made, except to BSD print/r-services
-# this will also protect syslog.
-#
-pass in proto tcp/udp all
-block in proto tcp/udp from any to any port 511 >< 516
diff --git a/share/ipf/example.12 b/share/ipf/example.12
deleted file mode 100644
index c0ba1d3cdda..00000000000
--- a/share/ipf/example.12
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# get rid of all short IP fragments (too small for valid comparison)
-#
-block in proto tcp all with short
-#
-# drop and log any IP packets with options set in them.
-#
-block in log all with ipopts
-#
-# log packets with BOTH ssrr and lsrr set
-#
-log in all with opt lsrr,ssrr
-#
-# drop any source routing options
-#
-block in quick all with opt lsrr
-block in quick all with opt ssrr
diff --git a/share/ipf/example.13 b/share/ipf/example.13
deleted file mode 100644
index 854f07f1694..00000000000
--- a/share/ipf/example.13
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
-# destination for the packet.
-#
-block in on qe0 to qe3:10.3.3.3 proto tcp all with short
-#
-# Log all connection attempts for TCP
-#
-pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA
-#
-# Route all UDP packets through transparently.
-#
-pass in on ppp0 fastroute proto udp all
-#
-# Route all ICMP packets to network 10 out through le1, to 10.3.3.1
-#
-pass in on le0 to le1:10.3.3.1 proto icmp all
diff --git a/share/ipf/example.14 b/share/ipf/example.14
deleted file mode 100644
index c4c1994030b..00000000000
--- a/share/ipf/example.14
+++ /dev/null
@@ -1,61 +0,0 @@
-#
-# log all inbound packet on le0 which has IP options present
-#
-log in on le0 from any to any with ipopts
-#
-# block any inbound packets on le0 which are fragmented and "too short" to
-# do any meaningful comparison on. This actually only applies to TCP
-# packets which can be missing the flags/ports (depending on which part
-# of the fragment you see).
-#
-block in log quick on le0 from any to any with short frag
-#
-# log all inbound TCP packets with the SYN flag (only) set
-# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
-# had IP options present, this rule and the above would cause it
-# to be logged twice).
-#
-log in on le0 proto tcp from any to any flags S/SA
-#
-# block and log any inbound ICMP unreachables
-#
-block in log on le0 proto icmp from any to any icmp-type unreach
-#
-# block and log any inbound UDP packets on le0 which are going to port 2049
-# (the NFS port).
-#
-block in log on le0 proto udp from any to any port = 2049
-#
-# quickly allow any packets to/from a particular pair of hosts
-#
-pass in quick from any to 10.1.3.2/32
-pass in quick from any to 10.1.0.13/32
-pass in quick from 10.1.3.2/32 to any
-pass in quick from 10.1.0.13/32 to any
-#
-# block (and stop matching) any packet with IP options present.
-#
-block in quick on le0 from any to any with ipopts
-#
-# allow any packet through
-#
-pass in from any to any
-#
-# block any inbound UDP packets destined for these subnets.
-#
-block in on le0 proto udp from any to 10.1.3.0/24
-block in on le0 proto udp from any to 10.1.1.0/24
-block in on le0 proto udp from any to 10.1.2.0/24
-#
-# block any inbound TCP packets with only the SYN flag set that are
-# destined for these subnets.
-#
-block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
-block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
-#
-# block any inbound ICMP packets destined for these subnets.
-#
-block in on le0 proto icmp from any to 10.1.3.0/24
-block in on le0 proto icmp from any to 10.1.1.0/24
-block in on le0 proto icmp from any to 10.1.2.0/24
diff --git a/share/ipf/example.15 b/share/ipf/example.15
deleted file mode 100644
index f2fb2041faf..00000000000
--- a/share/ipf/example.15
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# For a network server, which has two interfaces, 128.1.40.1 (le0) and
-# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
-# connected to the majority of the network, whilst le0 is connected to a
-# leaf subnet. We're not concerned about filtering individual services
-# or
-#
-pass in quick on le0 from 128.1.40.0/24 to any
-block in log quick on le0 from any to any
-block in log quick on le1 from 128.1.1.0/24 to any
-pass in quick on le1 from any to any
diff --git a/share/ipf/example.16 b/share/ipf/example.16
deleted file mode 100644
index 339a25f963f..00000000000
--- a/share/ipf/example.16
+++ /dev/null
@@ -1,13 +0,0 @@
-#
-# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
-# somewhere, waiting for it.
-#
-pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
-block out on le0 proto tcp all
-block in on le0 proto tcp all
-#
-# allow nameserver queries and replies to pass through, but no other UDP
-#
-pass out quick on le0 proto udp from any to any port = 53 keep state
-block out on le0 proto udp all
-block in on le0 proto udp all
diff --git a/share/ipf/example.2 b/share/ipf/example.2
deleted file mode 100644
index 4f81725eeb0..00000000000
--- a/share/ipf/example.2
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all outgoing TCP packets on le0 from any host to port 23 of
-# host 10.1.1.2
-#
-block out on le0 proto tcp from any to 10.1.1.3/32 port = 23
diff --git a/share/ipf/example.3 b/share/ipf/example.3
deleted file mode 100644
index cd31f73e7c2..00000000000
--- a/share/ipf/example.3
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# block all inbound packets.
-#
-block in from any to any
-#
-# pass through packets to and from localhost.
-#
-pass in from 127.0.0.1/32 to 127.0.0.1/32
-#
-# allow a variety of individual hosts to send any type of IP packet to any
-# other host.
-#
-pass in from 10.1.3.1/32 to any
-pass in from 10.1.3.2/32 to any
-pass in from 10.1.3.3/32 to any
-pass in from 10.1.3.4/32 to any
-pass in from 10.1.3.5/32 to any
-pass in from 10.1.0.13/32 to any
-pass in from 10.1.1.1/32 to any
-pass in from 10.1.2.1/32 to any
-#
-#
-# block all outbound packets.
-#
-block out from any to any
-#
-# allow any packets destined for localhost out.
-#
-pass out from any to 127.0.0.1/32
-#
-# allow any host to send any IP packet out to a limited number of hosts.
-#
-pass out from any to 10.1.3.1/32
-pass out from any to 10.1.3.2/32
-pass out from any to 10.1.3.3/32
-pass out from any to 10.1.3.4/32
-pass out from any to 10.1.3.5/32
-pass out from any to 10.1.0.13/32
-pass out from any to 10.1.1.1/32
-pass out from any to 10.1.2.1/32
diff --git a/share/ipf/example.4 b/share/ipf/example.4
deleted file mode 100644
index 7918ec2fbd9..00000000000
--- a/share/ipf/example.4
+++ /dev/null
@@ -1,4 +0,0 @@
-#
-# block all ICMP packets.
-#
-block in proto icmp from any to any
diff --git a/share/ipf/example.5 b/share/ipf/example.5
deleted file mode 100644
index a45a4fa5b34..00000000000
--- a/share/ipf/example.5
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# test ruleset
-#
-# allow packets coming from foo (10.1.1.2) to bar (10.2.1.1) through.
-#
-pass in from 10.1.1.2 to 10.2.1.1
-#
-# allow any TCP packets from the same subnet as foo is on through to host
-# 10.1.1.2 if they are destined for port 6667.
-#
-pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
-#
-# allow in UDP packets which are NOT from port 53 and are destined for
-# localhost
-#
-pass in proto udp from 10.2.2.2 port != 53 to localhost
-#
-# block all ICMP unreachables.
-#
-block in proto icmp from any to any icmp-type unreach
-#
-# allow packets through which have a non-standard IP header length (ie there
-# are IP options such as source-routing present).
-#
-pass in from any to any with ipopts
diff --git a/share/ipf/example.6 b/share/ipf/example.6
deleted file mode 100644
index d40f0f3d2a1..00000000000
--- a/share/ipf/example.6
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# block all TCP packets with only the SYN flag set (this is the first
-# packet sent to establish a connection) out of the SYN-ACK pair.
-#
-block in proto tcp from any to any flags S/SA
diff --git a/share/ipf/example.7 b/share/ipf/example.7
deleted file mode 100644
index 062de981193..00000000000
--- a/share/ipf/example.7
+++ /dev/null
@@ -1,12 +0,0 @@
-# block all ICMP packets.
-#
-block in proto icmp all
-#
-# allow in ICMP echos and echo-replies.
-#
-pass in on le1 proto icmp from any to any icmp-type echo
-pass in on le1 proto icmp from any to any icmp-type echorep
-#
-# block all ICMP destination unreachable packets which are port-unreachables
-#
-block in on le1 proto icmp from any to any icmp-type unreach code 3
diff --git a/share/ipf/example.8 b/share/ipf/example.8
deleted file mode 100644
index baa02581256..00000000000
--- a/share/ipf/example.8
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# block all incoming TCP connections but send back a TCP-RST for ones to
-# the ident port
-#
-block in proto tcp from any to any flags S/SA
-block return-rst in quick proto tcp from any to any port = 113 flags S/SA
-#
-# block all inbound UDP packets and send back an ICMP error.
-#
-block return-icmp in proto udp from any to any
diff --git a/share/ipf/example.9 b/share/ipf/example.9
deleted file mode 100644
index 77968f85d2f..00000000000
--- a/share/ipf/example.9
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# drop all packets without IP security options
-#
-block in all
-pass in all with opt sec
-#
-# only allow packets in and out on le0 which are top secret
-#
-block out on le1 all
-pass out on le1 all with opt sec-class topsecret
-block in on le1 all
-pass in on le1 all with opt sec-class topsecret
diff --git a/share/ipf/firewall.1 b/share/ipf/firewall.1
deleted file mode 100644
index 4a86f3d15df..00000000000
--- a/share/ipf/firewall.1
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# This is an example of a very light firewall used to guard against
-# some of the most easily exploited common security holes.
-#
-# The example assumes it is running on a gateway with interface ppp0
-# attached to the outside world, and interface ed0 attached to
-# network 192.168.4.0 which needs to be protected.
-#
-#
-# Pass any packets not explicitly mentioned by subsequent rules
-#
-pass out from any to any
-pass in from any to any
-#
-# Block any inherently bad packets coming in from the outside world.
-# These include ICMP redirect packets and IP fragments so short the
-# filtering rules won't be able to examine the whole UDP/TCP header.
-#
-block in log quick on ppp0 proto icmp from any to any icmp-type redir
-block in log quick on ppp0 proto tcp/udp all with short
-#
-# Block any IP spoofing atempts. (Packets "from" our network
-# shouldn't be coming in from outside).
-#
-block in log quick on ppp0 from 192.168.4.0/24 to any
-block in log quick on ppp0 from localhost to any
-block in log quick on ppp0 from 0.0.0.0/32 to any
-block in log quick on ppp0 from 255.255.255.255/32 to any
-#
-# Block any incoming traffic to NFS ports, to the RPC portmapper, and
-# to X servers.
-#
-block in log on ppp0 proto tcp/udp from any to any port = sunrpc
-block in log on ppp0 proto tcp/udp from any to any port = 2049
-block in log on ppp0 proto tcp from any to any port = 6000
diff --git a/share/ipf/firewall.2 b/share/ipf/firewall.2
deleted file mode 100644
index e0ad5639c52..00000000000
--- a/share/ipf/firewall.2
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# This is an example of a fairly heavy firewall used to keep everyone
-# out of a particular network while still allowing people within that
-# network to get outside.
-#
-# The example assumes it is running on a gateway with interface ppp0
-# attached to the outside world, and interface ed0 attached to
-# network 192.168.4.0 which needs to be protected.
-#
-#
-# Pass any packets not explicitly mentioned by subsequent rules
-#
-pass out from any to any
-pass in from any to any
-#
-# Block any inherently bad packets coming in from the outside world.
-# These include ICMP redirect packets, IP fragments so short the
-# filtering rules won't be able to examine the whole UDP/TCP header,
-# and anything with IP options.
-#
-block in log quick on ppp0 proto icmp from any to any icmp-type redir
-block in log quick on ppp0 proto tcp/udp all with short
-block in log quick on ppp0 from any to any with ipopts
-#
-# Block any IP spoofing atempts. (Packets "from" our network
-# shouldn't be coming in from outside).
-#
-block in log quick on ppp0 from 192.168.4.0/24 to any
-block in log quick on ppp0 from localhost to any
-block in log quick on ppp0 from 0.0.0.0/32 to any
-block in log quick on ppp0 from 255.255.255.255/32 to any
-#
-# Block all incoming UDP traffic except talk and DNS traffic. NFS
-# and portmap are special-cased and logged.
-#
-block in on ppp0 proto udp from any to any
-block in log on ppp0 proto udp from any to any port = sunrpc
-block in log on ppp0 proto udp from any to any port = 2049
-pass in on ppp0 proto udp from any to any port = domain
-pass in on ppp0 proto udp from any to any port = talk
-pass in on ppp0 proto udp from any to any port = ntalk
-#
-# Block all incoming TCP traffic connections to known services,
-# returning a connection reset so things like ident don't take
-# forever timing out. Don't log ident (auth port) as it's so common.
-#
-block return-rst in log on ppp0 proto tcp from any to any flags S/SA
-block return-rst in on ppp0 proto tcp from any to any port = auth flags S/SA
-#
-# Allow incoming TCP connections to ports between 1024 and 5000, as
-# these don't have daemons listening but are used by outgoing
-# services like ftp and talk. For slightly more obscurity (though
-# not much more security), the second commented out rule can chosen
-# instead.
-#
-pass in on ppp0 proto tcp from any to any port 1024 >< 5000
-#pass in on ppp0 proto tcp from any port = ftp-data to any port 1024 >< 5000
-#
-# Now allow various incoming TCP connections to particular hosts, TCP
-# to the main nameserver so secondaries can do zone transfers, SMTP
-# to the mail host, www to the web server (which really should be
-# outside the firewall if you care about security), and ssh to a
-# hypothetical machine caled 'gatekeeper' that can be used to gain
-# access to the protected network from the outside world.
-#
-pass in on ppp0 proto tcp from any to ns1 port = domain
-pass in on ppp0 proto tcp from any to mail port = smtp
-pass in on ppp0 proto tcp from any to www port = www
-pass in on ppp0 proto tcp from any to gatekeeper port = ssh
diff --git a/share/ipf/firewall.3 b/share/ipf/firewall.3
deleted file mode 100644
index d2bd60a3188..00000000000
--- a/share/ipf/firewall.3
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: RESTRICTIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block in log proto tcp all flags S/SA head 101 group 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block in log proto tcp all flags S/SA head 201 group 200
-block in log proto udp all head 202 group 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Allow outgoing DNS requests (no named on firewall)
-#
-pass in quick proto udp from any to any port = 53 keep state group 202
-#
-# If we were running named on the firewall and all internal hosts talked to
-# it, we'd use the following:
-#
-#pass in quick proto udp from any to w.x.y.z/32 port = 53 keep state group 202
-#pass out quick on ppp0 proto udp from a.b.c.d/32 to any port = 53 keep state
-#
-# Allow outgoing FTP from any internal host to any external FTP server.
-#
-pass in quick proto tcp from any to any port = ftp keep state group 201
-pass in quick proto tcp from any to any port = ftp-data keep state group 201
-pass in quick proto tcp from any port = ftp-data to any port > 1023 keep state group 101
-#
-# Allow NTP from any internal host to any external NTP server.
-#
-pass in quick proto udp from any to any port = ntp keep state group 202
-#
-# Allow outgoing connections: SSH, TELNET, WWW
-#
-pass in quick proto tcp from any to any port = 22 keep state group 201
-pass in quick proto tcp from any to any port = telnet keep state group 201
-pass in quick proto tcp from any to any port = www keep state group 201
-#
-#-------------------------------------------------------
-block in log proto tcp from any to a.b.c.d/32 flags S/SA head 110 group 100
-#
-# Allow incoming to the external firewall interface: mail, WWW, DNS
-#
-pass in log quick proto tcp from any to any port = smtp keep state group 110
-pass in log quick proto tcp from any to any port = www keep state group 110
-pass in log quick proto tcp from any to any port = 53 keep state group 110
-pass in log quick proto udp from any to any port = 53 keep state group 100
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/share/ipf/firewall.4 b/share/ipf/firewall.4
deleted file mode 100644
index 46564f0ee41..00000000000
--- a/share/ipf/firewall.4
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/sbin/ipf -f -
-#
-# SAMPLE: PERMISSIVE FILTER RULES
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# This file contains the basic rules needed to construct a firewall for the
-# above situation.
-#
-#-------------------------------------------------------
-# *Nasty* packets we don't want to allow near us at all!
-# short packets which are packets fragmented too short to be real.
-block in log quick all with short
-#-------------------------------------------------------
-# Group setup.
-# ============
-# By default, block and log everything. This maybe too much logging
-# (especially for ed0) and needs to be further refined.
-#
-block in log on ppp0 all head 100
-block out log on ppp0 all head 150
-block in log on ed0 from w.x.y.z/24 to any head 200
-block out log on ed0 all head 250
-#-------------------------------------------------------
-# Invalid Internet packets.
-# =========================
-#
-# Deny reserved addresses.
-#
-block in log quick from 10.0.0.0/8 to any group 100
-block in log quick from 192.168.0.0/16 to any group 100
-block in log quick from 172.16.0.0/12 to any group 100
-#
-# Prevent IP spoofing.
-#
-block in log quick from a.b.c.d/24 to any group 100
-#
-#-------------------------------------------------------
-# Localhost packets.
-# ==================
-# packets going in/out of network interfaces that aren't on the loopback
-# interface should *NOT* exist.
-block in log quick from 127.0.0.0/8 to any group 100
-block in log quick from any to 127.0.0.0/8 group 100
-block in log quick from 127.0.0.0/8 to any group 200
-block in log quick from any to 127.0.0.0/8 group 200
-# And of course, make sure the loopback allows packets to traverse it.
-pass in quick on lo0 all
-pass out quick on lo0 all
-#-------------------------------------------------------
-# Allow any communication between the inside network and the outside only.
-#
-# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
-#
-pass in log quick proto tcp all flags S/SA keep state group 200
-#
-# Support all UDP `connections' initiated from inside.
-#
-# Allow ping out
-#
-pass in log quick proto icmp all keep state group 200
-#-------------------------------------------------------
-# Log these:
-# ==========
-# * return RST packets for invalid SYN packets to help the other end close
-block return-rst in log proto tcp from any to any flags S/SA group 100
-# * return ICMP error packets for invalid UDP packets
-block return-icmp(net-unr) in proto udp all group 100
diff --git a/share/ipf/nat.1 b/share/ipf/nat.1
deleted file mode 100644
index f862a23786b..00000000000
--- a/share/ipf/nat.1
+++ /dev/null
@@ -1,31 +0,0 @@
-Example NAT Rules
-
-# Scenario: Two network interfaces; one connected to internal 192.168.0.XXX
-# network, other connected externally to the Internet. Suppose the internal
-# interface is named ep1 and the external interface is named xl0. The
-# following mapping will provide the internal network with Internet
-# connectivity for tcp/udp traffic (note the ep1 name is not used; instead
-# its network address is used):
-map xl0 192.168.0.0/24 -> xl0/32 portmap tcp/udp 10000:20000
-
-# map all tcp connections from network 10 to the address of the first ppp0
-# interface (which can be dynamically assigned prior to use of ipnat)
-map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
-
-# map all tcp connections from network 10 into addresses of network 240.1.0
-map ppp0 10.0.0.0/8 -> 240.1.0.0/24 portmap tcp/udp 10000:60000
-
-# map all tcp connections from 10.1.0.0/16 to 240.1.0.1, changing the source
-# port number to something between 10,000 and 20,000 inclusive. For all other
-# IP packets, allocate an IP # between 240.1.0.0 and 240.1.0.255, temporarily
-# for each new user.
-#
-map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp 10000:20000
-map ed1 10.1.0.0/16 -> 240.1.0.0/24
-#
-# Redirection is triggered for input packets.
-# For example, to redirect FTP connections through this box, to the local ftp
-# port, forcing them to connect through a proxy, you would use:
-#
-rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
-#
diff --git a/share/ipf/nat.2 b/share/ipf/nat.2
deleted file mode 100644
index badec5edb3f..00000000000
--- a/share/ipf/nat.2
+++ /dev/null
@@ -1,21 +0,0 @@
- Miscellaneous NAT Configuration Tips
-
-Don't forget to add "net.inet.ip.forwarding=1" to /etc/sysctl.conf or NAT will
-not work. NAT requires IP packet forwarding.
-
-Don't forget to add "option IPFILTER" (and maybe "option IPFILTER_LOG"
-if you want ipmon(8) to work) to the kernel config file or NAT will
-not work. NAT requires the IPF packet filter.
-
-You must have IPF enabled even if you aren't using it for anything or
-NAT will not work. The standard way to do this is to make sure
-/etc/ipf.rules is installed and edit /etc/rc.conf changing
-"ipfilter=NO" to "ipfilter=YES" then reboot.
-
-When you bring up NAT it needs the interface to have an address. If you are
-using the ppp0 interface unless you start pppd from /etc/rc you cannot start
-NAT there. Instead, in the /etc/ppp/ip-up shell script add
-
-/sbin/ipnat -CF -f /etc/ipnat.rules
-
-to start NAT when the link comes up and the interface has an address.
diff --git a/share/ipf/nat.3 b/share/ipf/nat.3
deleted file mode 100644
index df041d1119c..00000000000
--- a/share/ipf/nat.3
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/sbin/ipnat -f -
-#
-# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
-#
-# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
-#
-# ed0 - (internal) network interface, address w.x.y.z/32
-#
-# If we have only 1 valid IP address from our ISP, then we do this:
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000
-map ppp0 w.x.y.z/24 -> a.b.c.d/32
-#
-# if we get a different dialup IP address each time, then we would use:
-#
-#map ppp0 w.x.y.z/24 -> 0/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> 0/32
-#
-# If we have a class C address space of valid IP#'s from our ISP, then we can
-# do this:
-#
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.z/24 -> a.b.c.d/24
-#
-# or, if we only have a small number of PC's, this:
-#
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.v/32 -> a.b.c.E/32
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.u/32 -> a.b.c.F/32
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.t/32 -> a.b.c.G/32
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.s/32 -> a.b.c.H/32
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.r/32 -> a.b.c.I/32
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.q/32 -> a.b.c.J/32
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000
-#map ppp0 w.x.y.p/32 -> a.b.c.K/32
-#
-# To make ftp work, using the internal ftp proxy, use:
-#
-map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
-#
diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
index 0dcea02bed8..c413c406549 100644
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.162 2001/05/14 09:32:36 deraadt Exp $
+# $OpenBSD: Makefile,v 1.163 2001/05/30 02:12:10 deraadt Exp $
MAN= aac.4 ac97.4 adv.4 aha.4 ahb.4 ahc.4 aic.4 ami.4 amphy.4 an.4 \
aria.4 ast.4 \
@@ -11,7 +11,7 @@ MAN= aac.4 ac97.4 adv.4 aha.4 ahb.4 ahc.4 aic.4 ami.4 amphy.4 an.4 \
eso.4 ess.4 exphy.4 fd.4 fdc.4 fpa.4 \
fms.4 fxp.4 gdt.4 gre.4 hifn.4 hsq.4 auich.4 icmp.4 icsphy.4 \
idp.4 iha.4 ifmedia.4 \
- inet.4 inphy.4 iophy.4 ip.4 ipl.4 ipsec.4 isa.4 isapnp.4 ises.4 iso.4 \
+ inet.4 inphy.4 iophy.4 ip.4 ipsec.4 isa.4 isapnp.4 ises.4 iso.4 \
isp.4 \
ksyms.4 kue.4 lkm.4 lmc.4 lo.4 lxtphy.4 maestro.4 midi.4 mii.4 \
mtdphy.4 \
diff --git a/share/man/man4/ipl.4 b/share/man/man4/ipl.4
deleted file mode 100644
index f897e591288..00000000000
--- a/share/man/man4/ipl.4
+++ /dev/null
@@ -1,81 +0,0 @@
-.\" $OpenBSD: ipl.4,v 1.9 2000/04/13 19:59:40 kjell Exp $
-.\"
-.TH IPL 4
-.SH NAME
-ipl \- IP packet log device
-.SH DESCRIPTION
-The \fBipl\fP pseudo device's purpose is to provide an easy way to gather
-packet headers of packets you wish to log. If a packet header is to be
-logged, the entire header is logged (including any IP options \- TCP/UDP
-options are not included when it calculates header size) or not at all.
-The packet contents are also logged after the header. If the log reader
-is busy or otherwise unable to read log records, upto IPLLOGSIZE (8192 is the
-default) bytes of data are stored.
-.PP
-Prepending every packet header logged is a structure containing information
-relevant to the packet following and why it was logged. The structure's
-format is as follows:
-.LP
-.nf
-/*
- * Log structure. Each packet header logged is prepended by one of these.
- * Following this in the log records read from the device will be an ipflog
- * structure which is then followed by any packet data.
- */
-typedef struct iplog {
- u_long ipl_sec;
- u_long ipl_usec;
- u_int ipl_len;
- u_int ipl_count;
- size_t ipl_dsize;
- struct iplog *ipl_next;
-} iplog_t;
-
-
-typedef struct ipflog {
-#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603))
- u_char fl_ifname[IFNAMSIZ];
-#else
- u_int fl_unit;
- u_char fl_ifname[4];
-#endif
- u_char fl_plen; /* extra data after hlen */
- u_char fl_hlen; /* length of IP headers saved */
- u_short fl_rule; /* assume never more than 64k rules, total */
- u_32_t fl_flags;
-} ipflog_t;
-
-.fi
-.PP
-When reading from the \fBipl\fP device, it is necessary to call read(2) with
-a buffer big enough to hold at least 1 complete log record - reading of partial
-log records is not supported.
-.PP
-If the packet contents is more then 128 bytes when \fBlog body\fP is used,
-then only 128 bytes of the packet contents is logged.
-.PP
-Although it is only possible to read from the \fBipl\fP device, opening it
-for writing is required when using an ioctl which changes any kernel data.
-.PP
-The ioctls which are loaded with this device can be found under \fBipf(4)\fP.
-The ioctls which are for use with logging and don't affect the filter are:
-.LP
-.nf
- ioctl(fd, SIOCIPFFB, int *)
- ioctl(fd, FIONREAD, int *)
-.fi
-.PP
-The SIOCIPFFB ioctl flushes the log buffer and returns the number of bytes
-flushed. FIONREAD returns the number of bytes currently used for storing
-log data. If IPFILTER_LOG is not defined when compiling, SIOCIPFFB is not
-available and FIONREAD will return but not do anything.
-.PP
-There is currently no support for non-blocking IO with this device, meaning
-all read operations should be considered blocking in nature (if there is no
-data to read, it will sleep until some is made available).
-.SH SEE ALSO
-ipf(4)
-.SH BUGS
-Packet headers are dropped when the internal buffer (static size) fills.
-.SH FILES
-/dev/ipl
diff --git a/sys/arch/pmax/conf/GENERIC b/sys/arch/pmax/conf/GENERIC
index 15e3b09b8f2..a0cf6153c72 100644
--- a/sys/arch/pmax/conf/GENERIC
+++ b/sys/arch/pmax/conf/GENERIC
@@ -1,4 +1,4 @@
-# $OpenBSD: GENERIC,v 1.21 2001/05/17 00:57:57 pvalchev Exp $
+# $OpenBSD: GENERIC,v 1.22 2001/05/30 02:12:21 deraadt Exp $
#
# GENERIC kernel for the distribition simpleroot
#
@@ -69,8 +69,6 @@ option KERNFS # kernel data-structure filesystem
#option ISO # osi networking
#option TPIP
#option EON
-option IPFILTER # IP packet filter for security
-option IPFILTER_LOG # use /dev/ipl to log IPF
# compat stuff
#option COMPAT_ULTRIX # ultrix compatibility
diff --git a/sys/arch/pmax/conf/GENERIC.NFS b/sys/arch/pmax/conf/GENERIC.NFS
index a3076892eb1..0d9df5c2ba6 100644
--- a/sys/arch/pmax/conf/GENERIC.NFS
+++ b/sys/arch/pmax/conf/GENERIC.NFS
@@ -1,4 +1,4 @@
-# $OpenBSD: GENERIC.NFS,v 1.9 2001/05/17 00:57:57 pvalchev Exp $
+# $OpenBSD: GENERIC.NFS,v 1.10 2001/05/30 02:12:21 deraadt Exp $
#
# GENERIC netboot / nfs root + swap kernel for the distribition simpleroot
#
@@ -67,8 +67,6 @@ option KERNFS # kernel data-structure filesystem
#option ISO # osi networking
#option TPIP
#option EON
-option IPFILTER # IP packet filter for security
-option IPFILTER_LOG # use /dev/ipl to log IPF
# compat stuff
#option COMPAT_ULTRIX # ultrix compatibility
diff --git a/sys/arch/pmax/conf/GENERIC.rz0 b/sys/arch/pmax/conf/GENERIC.rz0
index e643f54d639..eda9aebe999 100644
--- a/sys/arch/pmax/conf/GENERIC.rz0
+++ b/sys/arch/pmax/conf/GENERIC.rz0
@@ -1,4 +1,4 @@
-# $OpenBSD: GENERIC.rz0,v 1.9 2001/05/17 00:57:58 pvalchev Exp $
+# $OpenBSD: GENERIC.rz0,v 1.10 2001/05/30 02:12:21 deraadt Exp $
#
# GENERIC kernel for the distribition simpleroot with root + swap hardcoded
# to rz0 - required for use with zip drives for instance
@@ -68,8 +68,7 @@ option KERNFS # kernel data-structure filesystem
#option ISO # osi networking
#option TPIP
#option EON
-option IPFILTER # IP packet filter for security
-option IPFILTER_LOG # use /dev/ipl to log IPF
+
# compat stuff
#option COMPAT_ULTRIX # ultrix compatibility
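Review bot: The added empty `+` line between `#option EON` and `# compat stuff` is inconsistent with the sibling pmax configs in this commit: GENERIC and GENERIC.NFS drop the two IPFILTER options without inserting a blank line. Removing the stray empty line keeps the three pmax configs identical in this region, which makes the next diff across them easier to compare.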
diff --git a/sys/conf/GENERIC b/sys/conf/GENERIC
index 5855f0bc42b..5abc542e1a2 100644
--- a/sys/conf/GENERIC
+++ b/sys/conf/GENERIC
@@ -1,4 +1,4 @@
-# $OpenBSD: GENERIC,v 1.75 2001/05/17 00:58:00 pvalchev Exp $
+# $OpenBSD: GENERIC,v 1.76 2001/05/30 02:12:22 deraadt Exp $
#
# Machine-independent option; used by all architectures for their
# GENERIC kernel
@@ -75,8 +75,6 @@ option IPSEC # IPsec
#option EON # OSI tunneling over IP
#option NETATALK # AppleTalk
#option CCITT,LLC,HDLC # X.25
-option IPFILTER # IP packet filter for security
-option IPFILTER_LOG # use /dev/ipl to log IPF
option PPP_BSDCOMP # PPP BSD compression
option PPP_DEFLATE
#option MROUTING # Multicast router
diff --git a/sys/conf/files b/sys/conf/files
index 87fb7fb8914..bf5670f77ec 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -1,4 +1,4 @@
-# $OpenBSD: files,v 1.200 2001/05/15 02:40:34 millert Exp $
+# $OpenBSD: files,v 1.201 2001/05/30 02:12:22 deraadt Exp $
# $NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $
# @(#)files.newconf 7.5 (Berkeley) 5/10/93
@@ -600,14 +600,6 @@ file netinet/tcp_timer.c inet
file netinet/tcp_usrreq.c inet
file netinet/udp_usrreq.c inet
file netinet/ip_gre.c inet
-file netinet/ip_fil.c ipfilter
-file netinet/fil.c ipfilter
-file netinet/ip_nat.c ipfilter
-file netinet/ip_frag.c ipfilter
-file netinet/ip_state.c ipfilter
-file netinet/ip_proxy.c ipfilter
-file netinet/ip_auth.c ipfilter
-file netinet/ip_log.c ipfilter
file netinet/ip_ipsp.c (inet | inet6) & (ipsec | tcp_signature)
file netinet/ip_spd.c (inet | inet6) & (ipsec | tcp_signature)
file netinet/ip_ipip.c inet | inet6
diff --git a/sys/net/bridgestp.c b/sys/net/bridgestp.c
index 89dd6a352a7..f84e8f5016b 100644
--- a/sys/net/bridgestp.c
+++ b/sys/net/bridgestp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bridgestp.c,v 1.5 2001/03/22 03:48:29 jason Exp $ */
+/* $OpenBSD: bridgestp.c,v 1.6 2001/05/30 02:12:23 deraadt Exp $ */
/*
* Copyright (c) 2000 Jason L. Wright (jason@thought.net)
@@ -63,11 +63,6 @@
#include <netinet/in_var.h>
#include <netinet/ip.h>
#include <netinet/if_ether.h>
-
-#ifdef IPFILTER
-#include <netinet/ip_fil_compat.h>
-#include <netinet/ip_fil.h>
-#endif
#endif
#if NBPFILTER > 0
diff --git a/sys/net/if.c b/sys/net/if.c
index 578e8dcf327..71d2c36572c 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if.c,v 1.43 2001/02/20 13:50:53 itojun Exp $ */
+/* $OpenBSD: if.c,v 1.44 2001/05/30 02:12:24 deraadt Exp $ */
/* $NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $ */
/*
@@ -103,12 +103,6 @@
#include <netinet6/in6_var.h>
#endif
-#ifdef IPFILTER
-#include <netinet/ip_fil_compat.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_nat.h>
-#endif
-
#if NBPFILTER > 0
#include <net/bpf.h>
#endif
@@ -381,11 +375,6 @@ if_detach(ifp)
/* Remove the interface from the list of all interfaces. */
TAILQ_REMOVE(&ifnet, ifp, if_list);
-#ifdef IPFILTER
- /* XXX More ipf & ipnat cleanup needed. */
- nat_clearlist();
-#endif
-
/* Deallocate private resources. */
for (ifa = TAILQ_FIRST(&ifp->if_addrlist); ifa;
ifa = TAILQ_FIRST(&ifp->if_addrlist)) {
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index dc2fe6c6511..f6599495097 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_bridge.c,v 1.55 2001/05/11 04:56:15 jason Exp $ */
+/* $OpenBSD: if_bridge.c,v 1.56 2001/05/30 02:12:24 deraadt Exp $ */
/*
* Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -141,7 +141,7 @@ u_int8_t bridge_filterrule __P((struct brl_head *, struct ether_header *));
(a)->ether_addr_octet[2] == 0x5e)
-#if defined(INET) && (defined(IPFILTER) || defined(IPFILTER_LKM))
+#if defined(INET) && defined(IPFILTER)
/*
* Filter hooks
*/
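Review bot: The new guard `#if defined(INET) && defined(IPFILTER)` keeps the bridge filter hooks alive under an option whose implementation this same commit deletes (fil.c is removed, the `file netinet/ip_*.c ipfilter` entries leave sys/conf/files, and bridgestp.c drops the `IPFILTER`-guarded `ip_fil.h` includes), so the code it guards presumably can no longer compile if anyone still sets `option IPFILTER`; the same guard is narrowed again in the hunks at lines 1002 and 1847. Either remove the three `IPFILTER` blocks in if_bridge.c along with the rest of ipf, or, if they are being kept deliberately for a future replacement, say so next to the guard, e.g. `/* XXX: no in-tree IP filter after ipf removal; hooks kept for a future filter */`. The `Filter hooks` declarations and the `bridge_filter` body that these guards enclose are outside the visible hunks.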
@@ -1002,7 +1002,7 @@ bridgeintr_frame(sc, m)
return;
}
-#if defined(INET) && (defined(IPFILTER) || defined(IPFILTER_LKM))
+#if defined(INET) && defined(IPFILTER)
m = bridge_filter(sc, src_if, &eh, m);
if (m == NULL)
return;
@@ -1847,7 +1847,7 @@ bridge_flushrule(bif)
return (0);
}
-#if defined(INET) && (defined(IPFILTER) || defined(IPFILTER_LKM))
+#if defined(INET) && defined(IPFILTER)
/*
* Filter IP packets by peeking into the ethernet frame. This violates
diff --git a/sys/netinet/fil.c b/sys/netinet/fil.c
deleted file mode 100644
index 5d6a67fb890..00000000000
--- a/sys/netinet/fil.c
+++ /dev/null
@@ -1,2131 +0,0 @@
-/* $OpenBSD: fil.c,v 1.30 2001/05/11 17:20:11 aaron Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: fil.c,v 2.35.2.31 2001/04/03 15:46:41 dar renr Exp $";
-#endif
-
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
- defined(_KERNEL)
-# include "opt_ipfilter_log.h"
-#endif
-#if (defined(KERNEL) || defined(_KERNEL)) && defined(__FreeBSD_version) && \
- (__FreeBSD_version >= 220000)
-# if (__FreeBSD_version >= 400000)
-# ifndef KLD_MODULE
-# include "opt_inet6.h"
-# endif
-# if (__FreeBSD_version == 400019)
-# define CSUM_DELAY_DATA
-# endif
-# endif
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
-# include <sys/systm.h>
-#else
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-#endif
-#include <sys/uio.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-# ifndef linux
-# include <sys/mbuf.h>
-# endif
-#else
-# include <sys/byteorder.h>
-# if SOLARIS2 < 5
-# include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-#endif
-#ifndef linux
-# include <sys/protosw.h>
-# include <sys/socket.h>
-#endif
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-# include <netinet/ip_var.h>
-#endif
-#if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
-# include <sys/hashing.h>
-# include <netinet/in_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <netinet/ip_fil_compat.h>
-#ifdef USE_INET6
-# include <netinet/icmp6.h>
-# if !SOLARIS && defined(_KERNEL)
-# include <netinet6/in6_var.h>
-# endif
-#endif
-#include <netinet/tcpip.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_proxy.h>
-#include <netinet/ip_nat.h>
-#include <netinet/ip_frag.h>
-#include <netinet/ip_state.h>
-#include <netinet/ip_auth.h>
-# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-# include "opt_ipfilter.h"
-# endif
-# endif
-#ifndef MIN
-# define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-#include <netinet/ipl.h>
-
-#ifndef _KERNEL
-# include "ipf.h"
-# include "ipt.h"
-extern int opts;
-
-# define FR_VERBOSE(verb_pr) verbose verb_pr
-# define FR_DEBUG(verb_pr) debug verb_pr
-# define IPLLOG(a, c, d, e) ipllog()
-#else /* #ifndef _KERNEL */
-# define FR_VERBOSE(verb_pr)
-# define FR_DEBUG(verb_pr)
-# define IPLLOG(a, c, d, e) ipflog(a, c, d, e)
-# if SOLARIS || defined(__sgi)
-extern KRWLOCK_T ipf_mutex, ipf_auth, ipf_nat;
-extern kmutex_t ipf_rw;
-# endif
-# if SOLARIS
-# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, \
- ip, qif)
-# else /* SOLARIS */
-# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
-# endif /* SOLARIS || __sgi */
-#endif /* _KERNEL */
-
-
-struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
-struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
-#ifdef USE_INET6
- *ipfilter6[2][2] = { { NULL, NULL }, { NULL, NULL } },
- *ipacct6[2][2] = { { NULL, NULL }, { NULL, NULL } },
-#endif
- *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
-struct frgroup *ipfgroups[3][2];
-int fr_flags = IPF_LOGGING;
-int fr_active = 0;
-int fr_chksrc = 0;
-int fr_minttl = 3;
-int fr_minttllog = 1;
-#if defined(IPFILTER_DEFAULT_BLOCK)
-int fr_pass = FR_NOMATCH|FR_BLOCK;
-#else
-int fr_pass = (IPF_DEFAULT_PASS|FR_NOMATCH);
-#endif
-char ipfilter_version[] = IPL_VERSION;
-
-fr_info_t frcache[2];
-
-static int frflushlist __P((int, minor_t, int *, frentry_t **));
-#ifdef _KERNEL
-static void frsynclist __P((frentry_t *));
-#endif
-
-
-/*
- * bit values for identifying presence of individual IP options
- */
-struct optlist ipopts[20] = {
- { IPOPT_NOP, 0x000001 },
- { IPOPT_RR, 0x000002 },
- { IPOPT_ZSU, 0x000004 },
- { IPOPT_MTUP, 0x000008 },
- { IPOPT_MTUR, 0x000010 },
- { IPOPT_ENCODE, 0x000020 },
- { IPOPT_TS, 0x000040 },
- { IPOPT_TR, 0x000080 },
- { IPOPT_SECURITY, 0x000100 },
- { IPOPT_LSRR, 0x000200 },
- { IPOPT_E_SEC, 0x000400 },
- { IPOPT_CIPSO, 0x000800 },
- { IPOPT_SATID, 0x001000 },
- { IPOPT_SSRR, 0x002000 },
- { IPOPT_ADDEXT, 0x004000 },
- { IPOPT_VISA, 0x008000 },
- { IPOPT_IMITD, 0x010000 },
- { IPOPT_EIP, 0x020000 },
- { IPOPT_FINN, 0x040000 },
- { 0, 0x000000 }
-};
-
-/*
- * bit values for identifying presence of individual IP security options
- */
-struct optlist secopt[8] = {
- { IPSO_CLASS_RES4, 0x01 },
- { IPSO_CLASS_TOPS, 0x02 },
- { IPSO_CLASS_SECR, 0x04 },
- { IPSO_CLASS_RES3, 0x08 },
- { IPSO_CLASS_CONF, 0x10 },
- { IPSO_CLASS_UNCL, 0x20 },
- { IPSO_CLASS_RES2, 0x40 },
- { IPSO_CLASS_RES1, 0x80 }
-};
-
-
-/*
- * compact the IP header into a structure which contains just the info.
- * which is useful for comparing IP headers with.
- */
-void fr_makefrip(hlen, ip, fin)
-int hlen;
-ip_t *ip;
-fr_info_t *fin;
-{
- u_short optmsk = 0, secmsk = 0, auth = 0;
- int i, mv, ol, off, p, plen, v;
- fr_ip_t *fi = &fin->fin_fi;
- struct optlist *op;
- u_char *s, opt;
- tcphdr_t *tcp;
-
- fin->fin_rev = 0;
- fin->fin_fr = NULL;
- fin->fin_tcpf = 0;
- fin->fin_data[0] = 0;
- fin->fin_data[1] = 0;
- fin->fin_rule = -1;
- fin->fin_group = -1;
-#ifdef _KERNEL
- fin->fin_icode = ipl_unreach;
-#endif
- v = fin->fin_v;
- fi->fi_v = v;
- fin->fin_hlen = hlen;
- if (v == 4) {
- fin->fin_id = ip->ip_id;
- fi->fi_tos = ip->ip_tos;
- off = (ip->ip_off & IP_OFFMASK) << 3;
- tcp = (tcphdr_t *)((char *)ip + hlen);
- (*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
- fi->fi_src.i6[1] = 0;
- fi->fi_src.i6[2] = 0;
- fi->fi_src.i6[3] = 0;
- fi->fi_dst.i6[1] = 0;
- fi->fi_dst.i6[2] = 0;
- fi->fi_dst.i6[3] = 0;
- fi->fi_saddr = ip->ip_src.s_addr;
- fi->fi_daddr = ip->ip_dst.s_addr;
- p = ip->ip_p;
- fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
- if (ip->ip_off & 0x3fff)
- fi->fi_fl |= FI_FRAG;
- plen = ip->ip_len;
- fin->fin_dlen = plen - hlen;
- }
-#ifdef USE_INET6
- else if (v == 6) {
- ip6_t *ip6 = (ip6_t *)ip;
-
- off = 0;
- p = ip6->ip6_nxt;
- fi->fi_p = p;
- fi->fi_ttl = ip6->ip6_hlim;
- tcp = (tcphdr_t *)(ip6 + 1);
- fi->fi_src.in6 = ip6->ip6_src;
- fi->fi_dst.in6 = ip6->ip6_dst;
- fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff);
- fi->fi_tos = 0;
- fi->fi_fl = 0;
- plen = ntohs(ip6->ip6_plen) + sizeof(*ip6);
- fin->fin_dlen = plen;
- }
-#endif
- else
- return;
-
- fin->fin_off = off;
- fin->fin_plen = plen;
- fin->fin_dp = (void *)tcp;
-
- switch (p)
- {
-#ifdef USE_INET6
- case IPPROTO_ICMPV6 :
- {
- int minicmpsz = sizeof(struct icmp6_hdr);
- struct icmp6_hdr *icmp6;
-
- if (fin->fin_dlen > 1) {
- fin->fin_data[0] = *(u_short *)tcp;
-
- icmp6 = (struct icmp6_hdr *)tcp;
-
- switch (icmp6->icmp6_type)
- {
- case ICMP6_ECHO_REPLY :
- case ICMP6_ECHO_REQUEST :
- minicmpsz = ICMP6ERR_MINPKTLEN;
- break;
- case ICMP6_DST_UNREACH :
- case ICMP6_PACKET_TOO_BIG :
- case ICMP6_TIME_EXCEEDED :
- case ICMP6_PARAM_PROB :
- minicmpsz = ICMP6ERR_IPICMPHLEN;
- break;
- default :
- break;
- }
- }
-
- if (!(plen >= hlen + minicmpsz))
- fi->fi_fl |= FI_SHORT;
-
- break;
- }
-#endif
- case IPPROTO_ICMP :
- {
- int minicmpsz = sizeof(struct icmp);
- icmphdr_t *icmp;
-
- if (!off && (fin->fin_dlen > 1)) {
- fin->fin_data[0] = *(u_short *)tcp;
-
- icmp = (icmphdr_t *)tcp;
-
- if (icmp->icmp_type == ICMP_ECHOREPLY ||
- icmp->icmp_type == ICMP_ECHO)
- minicmpsz = ICMP_MINLEN;
-
- /*
- * type(1) + code(1) + cksum(2) + id(2) seq(2) +
- * 3*timestamp(3*4)
- */
- else if (icmp->icmp_type == ICMP_TSTAMP ||
- icmp->icmp_type == ICMP_TSTAMPREPLY)
- minicmpsz = 20;
-
- /*
- * type(1) + code(1) + cksum(2) + id(2) seq(2) +
- * mask(4)
- */
- else if (icmp->icmp_type == ICMP_MASKREQ ||
- icmp->icmp_type == ICMP_MASKREPLY)
- minicmpsz = 12;
- }
-
- if ((!(plen >= hlen + minicmpsz) && !off) ||
- (off && off < sizeof(struct icmp)))
- fi->fi_fl |= FI_SHORT;
-
- break;
- }
- case IPPROTO_TCP :
- fi->fi_fl |= FI_TCPUDP;
-#ifdef USE_INET6
- if (v == 6) {
- if (plen < sizeof(struct tcphdr))
- fi->fi_fl |= FI_SHORT;
- } else
-#endif
- if (v == 4) {
- if ((!IPMINLEN(ip, tcphdr) && !off) ||
- (off && off < sizeof(struct tcphdr)))
- fi->fi_fl |= FI_SHORT;
- }
- if (!(fi->fi_fl & FI_SHORT) && !off)
- fin->fin_tcpf = tcp->th_flags;
- goto getports;
- case IPPROTO_UDP :
- fi->fi_fl |= FI_TCPUDP;
-#ifdef USE_INET6
- if (v == 6) {
- if (plen < sizeof(struct udphdr))
- fi->fi_fl |= FI_SHORT;
- } else
-#endif
- if (v == 4) {
- if ((!IPMINLEN(ip, udphdr) && !off) ||
- (off && off < sizeof(struct udphdr)))
- fi->fi_fl |= FI_SHORT;
- }
-getports:
- if (!off && (fin->fin_dlen > 3)) {
- fin->fin_data[0] = ntohs(tcp->th_sport);
- fin->fin_data[1] = ntohs(tcp->th_dport);
- }
- break;
- default :
- break;
- }
-
-#ifdef USE_INET6
- if (v == 6) {
- fi->fi_optmsk = 0;
- fi->fi_secmsk = 0;
- fi->fi_auth = 0;
- return;
- }
-#endif
-
- for (s = (u_char *)(ip + 1), hlen -= (int)sizeof(*ip); hlen > 0; ) {
- opt = *s;
- if (opt == '\0')
- break;
- else if (opt == IPOPT_NOP)
- ol = 1;
- else {
- if (hlen < 2)
- break;
- ol = (int)*(s + 1);
- if (ol < 2 || ol > hlen)
- break;
- }
- for (i = 9, mv = 4; mv >= 0; ) {
- op = ipopts + i;
- if (opt == (u_char)op->ol_val) {
- optmsk |= op->ol_bit;
- if (opt == IPOPT_SECURITY) {
- struct optlist *sp;
- u_char sec;
- int j, m;
-
- sec = *(s + 2); /* classification */
- for (j = 3, m = 2; m >= 0; ) {
- sp = secopt + j;
- if (sec == sp->ol_val) {
- secmsk |= sp->ol_bit;
- auth = *(s + 3);
- auth *= 256;
- auth += *(s + 4);
- break;
- }
- if (sec < sp->ol_val)
- j -= m--;
- else
- j += m--;
- }
- }
- break;
- }
- if (opt < op->ol_val)
- i -= mv--;
- else
- i += mv--;
- }
- hlen -= ol;
- s += ol;
- }
- if (auth && !(auth & 0x0100))
- auth &= 0xff00;
- fi->fi_optmsk = optmsk;
- fi->fi_secmsk = secmsk;
- fi->fi_auth = auth;
-}
-
-
-/*
- * check an IP packet for TCP/UDP characteristics such as ports and flags.
- */
-int fr_tcpudpchk(ft, fin)
-frtuc_t *ft;
-fr_info_t *fin;
-{
- register u_short po, tup;
- register char i;
- register int err = 1;
-
- /*
- * Both ports should *always* be in the first fragment.
- * So far, I cannot find any cases where they can not be.
- *
- * compare destination ports
- */
- if ((i = (int)ft->ftu_dcmp)) {
- po = ft->ftu_dport;
- tup = fin->fin_data[1];
- /*
- * Do opposite test to that required and
- * continue if that succeeds.
- */
- if (!--i && tup != po) /* EQUAL */
- err = 0;
- else if (!--i && tup == po) /* NOTEQUAL */
- err = 0;
- else if (!--i && tup >= po) /* LESSTHAN */
- err = 0;
- else if (!--i && tup <= po) /* GREATERTHAN */
- err = 0;
- else if (!--i && tup > po) /* LT or EQ */
- err = 0;
- else if (!--i && tup < po) /* GT or EQ */
- err = 0;
- else if (!--i && /* Out of range */
- (tup >= po && tup <= ft->ftu_dtop))
- err = 0;
- else if (!--i && /* In range */
- (tup <= po || tup >= ft->ftu_dtop))
- err = 0;
- }
- /*
- * compare source ports
- */
- if (err && (i = (int)ft->ftu_scmp)) {
- po = ft->ftu_sport;
- tup = fin->fin_data[0];
- if (!--i && tup != po)
- err = 0;
- else if (!--i && tup == po)
- err = 0;
- else if (!--i && tup >= po)
- err = 0;
- else if (!--i && tup <= po)
- err = 0;
- else if (!--i && tup > po)
- err = 0;
- else if (!--i && tup < po)
- err = 0;
- else if (!--i && /* Out of range */
- (tup >= po && tup <= ft->ftu_stop))
- err = 0;
- else if (!--i && /* In range */
- (tup <= po || tup >= ft->ftu_stop))
- err = 0;
- }
-
- /*
- * If we don't have all the TCP/UDP header, then how can we
- * expect to do any sort of match on it ? If we were looking for
- * TCP flags, then NO match. If not, then match (which should
- * satisfy the "short" class too).
- */
- if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) {
- if (fin->fin_fi.fi_fl & FI_SHORT)
- return !(ft->ftu_tcpf | ft->ftu_tcpfm);
- /*
- * Match the flags ? If not, abort this match.
- */
- if (ft->ftu_tcpfm &&
- ft->ftu_tcpf != (fin->fin_tcpf & ft->ftu_tcpfm)) {
- FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
- ft->ftu_tcpfm, ft->ftu_tcpf));
- err = 0;
- }
- }
- return err;
-}
-
-/*
- * Check the input/output list of rules for a match and result.
- * Could be per interface, but this gets real nasty when you don't have
- * kernel sauce.
- */
-int fr_scanlist(pass, ip, fin, m)
-u_32_t pass;
-ip_t *ip;
-register fr_info_t *fin;
-void *m;
-{
- register struct frentry *fr;
- register fr_ip_t *fi = &fin->fin_fi;
- int rulen, portcmp = 0, off, skip = 0, logged = 0;
- u_32_t passt;
-
- fr = fin->fin_fr;
- fin->fin_fr = NULL;
- fin->fin_rule = 0;
- fin->fin_group = 0;
- if (fin->fin_v == 4)
- off = ip->ip_off & IP_OFFMASK;
- else
- off = 0;
- pass |= (fi->fi_fl << 24);
-
- if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
- portcmp = 1;
-
- for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
- if (skip) {
- skip--;
- continue;
- }
- /*
- * In all checks below, a null (zero) value in the
- * filter struture is taken to mean a wildcard.
- *
- * check that we are working for the right interface
- */
-#ifdef _KERNEL
-# if BSD >= 199306
- if (fin->fin_out != 0) {
- if ((fr->fr_oifa &&
- fr->fr_oifa != ((mb_t *)m)->m_pkthdr.rcvif) ||
- (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp))
- continue;
- } else
-# endif
- if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
- continue;
-#else
- if (opts & (OPT_VERBOSE|OPT_DEBUG))
- printf("\n");
- FR_VERBOSE(("%c", (pass & FR_PASS) ? 'p' :
- (pass & FR_AUTH) ? 'a' : 'b'));
- if (fr->fr_ifa && fr->fr_ifa != fin->fin_ifp)
- continue;
- FR_VERBOSE((":i"));
-#endif
- {
- register u_32_t *ld, *lm, *lip;
- register int i;
-
- lip = (u_32_t *)fi;
- lm = (u_32_t *)&fr->fr_mip;
- ld = (u_32_t *)&fr->fr_ip;
- i = ((*lip & *lm) != *ld);
- FR_DEBUG(("0. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- if (i)
- continue;
- /*
- * We now know whether the packet version and the
- * rule version match, along with protocol, ttl and
- * tos.
- */
- lip++, lm++, ld++;
- /*
- * Unrolled loops (4 each, for 32 bits).
- */
- i |= ((*lip & *lm) != *ld) << 19;
- FR_DEBUG(("1a. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- if (fi->fi_v == 6) {
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld) << 19;
- FR_DEBUG(("1b. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld) << 19;
- FR_DEBUG(("1c. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld) << 19;
- FR_DEBUG(("1d. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- } else {
- lip += 3;
- lm += 3;
- ld += 3;
- }
- i ^= (fr->fr_flags & FR_NOTSRCIP);
- if (i)
- continue;
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld) << 20;
- FR_DEBUG(("2a. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- if (fi->fi_v == 6) {
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld) << 20;
- FR_DEBUG(("2b. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld) << 20;
- FR_DEBUG(("2c. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld) << 20;
- FR_DEBUG(("2d. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- } else {
- lip += 3;
- lm += 3;
- ld += 3;
- }
- i ^= (fr->fr_flags & FR_NOTDSTIP);
- if (i)
- continue;
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld);
- FR_DEBUG(("3. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- lip++, lm++, ld++;
- i |= ((*lip & *lm) != *ld);
- FR_DEBUG(("4. %#08x & %#08x != %#08x\n",
- *lip, *lm, *ld));
- if (i)
- continue;
- }
-
- /*
- * If a fragment, then only the first has what we're looking
- * for here...
- */
- if (!portcmp && (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf ||
- fr->fr_tcpfm))
- continue;
- if (fi->fi_fl & FI_TCPUDP) {
- if (!fr_tcpudpchk(&fr->fr_tuc, fin))
- continue;
- } else if (fr->fr_icmpm || fr->fr_icmp) {
- if ((fi->fi_p != IPPROTO_ICMP) || off ||
- (fin->fin_dlen < 2))
- continue;
- if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) {
- FR_DEBUG(("i. %#x & %#x != %#x\n",
- fin->fin_data[0], fr->fr_icmpm,
- fr->fr_icmp));
- continue;
- }
- }
- FR_VERBOSE(("*"));
- /*
- * Just log this packet...
- */
- passt = fr->fr_flags;
-#if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
- if (securelevel <= 0)
-#endif
- if ((passt & FR_CALLNOW) && fr->fr_func)
- passt = (*fr->fr_func)(passt, ip, fin);
- fin->fin_fr = fr;
-#ifdef IPFILTER_LOG
- if ((passt & FR_LOGMASK) == FR_LOG) {
- if (!IPLLOG(passt, ip, fin, m)) {
- if (passt & FR_LOGORBLOCK)
- passt |= FR_BLOCK|FR_QUICK;
- ATOMIC_INCL(frstats[fin->fin_out].fr_skip);
- }
- ATOMIC_INCL(frstats[fin->fin_out].fr_pkl);
- logged = 1;
- }
-#endif /* IPFILTER_LOG */
- if (!(skip = fr->fr_skip) && (passt & FR_LOGMASK) != FR_LOG)
- pass = passt;
- FR_DEBUG(("pass %#x\n", pass));
- ATOMIC_INCL(fr->fr_hits);
- if (pass & FR_ACCOUNT)
- fr->fr_bytes += (U_QUAD_T)ip->ip_len;
- else
- fin->fin_icode = fr->fr_icode;
- fin->fin_rule = rulen;
- fin->fin_group = fr->fr_group;
- if (fr->fr_grp) {
- fin->fin_fr = fr->fr_grp;
- pass = fr_scanlist(pass, ip, fin, m);
- if (fin->fin_fr == NULL) {
- fin->fin_rule = rulen;
- fin->fin_group = fr->fr_group;
- fin->fin_fr = fr;
- }
- if (pass & FR_DONTCACHE)
- logged = 1;
- }
- if (pass & FR_QUICK)
- break;
- }
- if (logged)
- pass |= FR_DONTCACHE;
- return pass;
-}
-
-
-/*
- * frcheck - filter check
- * check using source and destination addresses/ports in a packet whether
- * or not to pass it on or not.
- */
-int fr_check(ip, hlen, ifp, out
-#if defined(_KERNEL) && SOLARIS
-, qif, mp)
-qif_t *qif;
-#else
-, mp)
-#endif
-mb_t **mp;
-ip_t *ip;
-int hlen;
-void *ifp;
-int out;
-{
- /*
- * The above really sucks, but short of writing a diff
- */
- fr_info_t frinfo, *fc;
- register fr_info_t *fin = &frinfo;
- int changed, error = EHOSTUNREACH, v = ip->ip_v;
- frentry_t *fr = NULL, *list;
- u_32_t pass, apass;
-#if !SOLARIS || !defined(_KERNEL)
- register mb_t *m = *mp;
-#endif
-
-#ifdef _KERNEL
- int p, len, drop = 0, logit = 0;
- mb_t *mc = NULL;
-# if !defined(__SVR4) && !defined(__svr4__)
-# ifdef __sgi
- char hbuf[128];
-# endif
- int up;
-
-# ifdef M_CANFASTFWD
- /*
- * XXX For now, IP Filter and fast-forwarding of cached flows
- * XXX are mutually exclusive. Eventually, IP Filter should
- * XXX get a "can-fast-forward" filter rule.
- */
- m->m_flags &= ~M_CANFASTFWD;
-# endif /* M_CANFASTFWD */
-# ifdef CSUM_DELAY_DATA
- /*
- * disable delayed checksums.
- */
- if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
- in_delayed_cksum(m);
- m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
- }
-# endif /* CSUM_DELAY_DATA */
-
-# ifdef USE_INET6
- if (v == 6) {
- len = ntohs(((ip6_t*)ip)->ip6_plen);
- if (!len)
- return -1; /* potential jumbo gram */
- len += sizeof(ip6_t);
- p = ((ip6_t *)ip)->ip6_nxt;
- } else
-# endif
- {
- p = ip->ip_p;
- len = ip->ip_len;
- }
-
- if ((p == IPPROTO_TCP || p == IPPROTO_UDP ||
- (v == 4 && p == IPPROTO_ICMP)
-# ifdef USE_INET6
- || (v == 6 && p == IPPROTO_ICMPV6)
-# endif
- )) {
- int plen = 0;
-
- if ((v == 6) || (ip->ip_off & IP_OFFMASK) == 0)
- switch(p)
- {
- case IPPROTO_TCP:
- plen = sizeof(tcphdr_t);
- break;
- case IPPROTO_UDP:
- plen = sizeof(udphdr_t);
- break;
- /* 96 - enough for complete ICMP error IP header */
- case IPPROTO_ICMP:
- plen = ICMPERR_MAXPKTLEN - sizeof(ip_t);
- break;
-# ifdef USE_INET6
- case IPPROTO_ICMPV6 :
- /*
- * XXX does not take intermediate header
- * into account
- */
- plen = ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t);
- break;
-# endif
- }
- up = MIN(hlen + plen, len);
-
- if (up > m->m_len) {
-# ifdef __sgi
- /* Under IRIX, avoid m_pullup as it makes ping <hostname> panic */
- if ((up > sizeof(hbuf)) || (m_length(m) < up)) {
- ATOMIC_INCL(frstats[out].fr_pull[1]);
- return -1;
- }
- m_copydata(m, 0, up, hbuf);
- ATOMIC_INCL(frstats[out].fr_pull[0]);
- ip = (ip_t *)hbuf;
-# else /* __ sgi */
-# ifndef linux
- if ((*mp = m_pullup(m, up)) == NULL) {
- ATOMIC_INCL(frstats[out].fr_pull[1]);
- return -1;
- } else {
- ATOMIC_INCL(frstats[out].fr_pull[0]);
- m = *mp;
- ip = mtod(m, ip_t *);
- }
-# endif /* !linux */
-# endif /* __sgi */
- } else
- up = 0;
- } else
- up = 0;
-# endif /* !defined(__SVR4) && !defined(__svr4__) */
-# if SOLARIS
- mb_t *m = qif->qf_m;
-
- if ((u_int)ip & 0x3)
- return 2;
- fin->fin_qfm = m;
- fin->fin_qif = qif;
-# endif
-#endif /* _KERNEL */
-
- /*
- * Be careful here: ip_id is in network byte order when called
- * from ip_output()
- */
- if ((out) && (v == 4))
- ip->ip_id = ntohs(ip->ip_id);
-
- changed = 0;
- fin->fin_ifp = ifp;
- fin->fin_v = v;
- fin->fin_out = out;
- fin->fin_mp = mp;
- fr_makefrip(hlen, ip, fin);
-
-#ifdef _KERNEL
-# ifdef USE_INET6
- if (v == 6) {
- ATOMIC_INCL(frstats[0].fr_ipv6[out]);
- if (((ip6_t *)ip)->ip6_hlim < fr_minttl) {
- ATOMIC_INCL(frstats[0].fr_badttl);
- if (fr_minttllog)
- logit = -2;
- }
- } else
-# endif
- if (!out) {
- if (fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) {
- ATOMIC_INCL(frstats[0].fr_badsrc);
- if (fr_chksrc == 2)
- logit = -2;
- } else if (ip->ip_ttl < fr_minttl) {
- ATOMIC_INCL(frstats[0].fr_badttl);
- if (fr_minttllog)
- logit = -3;
- }
- }
- if (drop) {
-# ifdef IPFILTER_LOG
- if (logit) {
- fin->fin_group = logit;
- pass = FR_INQUE|FR_NOMATCH|FR_LOGB;
- (void) IPLLOG(pass, ip, fin, m);
- }
-# endif
-# if !SOLARIS
- m_freem(m);
-# endif
- return error;
- }
-#endif
- pass = fr_pass;
- if (fin->fin_fi.fi_fl & FI_SHORT) {
- ATOMIC_INCL(frstats[out].fr_short);
- }
-
- READ_ENTER(&ipf_mutex);
-
- if (fin->fin_fi.fi_fl & FI_SHORT)
- ATOMIC_INCL(frstats[out].fr_short);
-
- /*
- * Check auth now. This, combined with the check below to see if apass
- * is 0 is to ensure that we don't count the packet twice, which can
- * otherwise occur when we reprocess it. As it is, we only count it
- * after it has no auth. table matchup. This also stops NAT from
- * occuring until after the packet has been auth'd.
- */
- apass = fr_checkauth(ip, fin);
-
- if (!out) {
-#ifdef USE_INET6
- if (v == 6)
- list = ipacct6[0][fr_active];
- else
-#endif
- list = ipacct[0][fr_active];
- changed = ip_natin(ip, fin);
- if (!apass && (fin->fin_fr = list) &&
- (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
- ATOMIC_INCL(frstats[0].fr_acct);
- }
- }
-
- if (apass || (!(fr = ipfr_knownfrag(ip, fin)) &&
- !(fr = fr_checkstate(ip, fin)))) {
- /*
- * If a packet is found in the auth table, then skip checking
- * the access lists for permission but we do need to consider
- * the result as if it were from the ACL's.
- */
- if (!apass) {
- fc = frcache + out;
- if (!bcmp((char *)fin, (char *)fc, FI_CSIZE)) {
- /*
- * copy cached data so we can unlock the mutex
- * earlier.
- */
- bcopy((char *)fc, (char *)fin, FI_COPYSIZE);
- ATOMIC_INCL(frstats[out].fr_chit);
- if ((fr = fin->fin_fr)) {
- ATOMIC_INCL(fr->fr_hits);
- pass = fr->fr_flags;
- }
- } else {
-#ifdef USE_INET6
- if (v == 6)
- list = ipfilter6[out][fr_active];
- else
-#endif
- list = ipfilter[out][fr_active];
- if ((fin->fin_fr = list))
- pass = fr_scanlist(fr_pass, ip, fin, m);
- if (!(pass & (FR_KEEPSTATE|FR_DONTCACHE)))
- bcopy((char *)fin, (char *)fc,
- FI_COPYSIZE);
- if (pass & FR_NOMATCH) {
- ATOMIC_INCL(frstats[out].fr_nom);
- }
- }
- fr = fin->fin_fr;
- } else
- pass = apass;
-
- /*
- * If we fail to add a packet to the authorization queue,
- * then we drop the packet later. However, if it was added
- * then pretend we've dropped it already.
- */
- if ((pass & FR_AUTH))
- if (fr_newauth((mb_t *)m, fin, ip) != 0)
-#ifdef _KERNEL
- m = *mp = NULL;
-#else
- ;
-#endif
-
- if (pass & FR_PREAUTH) {
- READ_ENTER(&ipf_auth);
- if ((fin->fin_fr = ipauth) &&
- (pass = fr_scanlist(0, ip, fin, m))) {
- ATOMIC_INCL(fr_authstats.fas_hits);
- } else {
- ATOMIC_INCL(fr_authstats.fas_miss);
- }
- RWLOCK_EXIT(&ipf_auth);
- }
-
- fin->fin_fr = fr;
- if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
- if (fin->fin_fi.fi_fl & FI_FRAG) {
- if (ipfr_newfrag(ip, fin, pass) == -1) {
- ATOMIC_INCL(frstats[out].fr_bnfr);
- } else {
- ATOMIC_INCL(frstats[out].fr_nfr);
- }
- } else {
- ATOMIC_INCL(frstats[out].fr_cfr);
- }
- }
- if (pass & FR_KEEPSTATE) {
- if (fr_addstate(ip, fin, 0) == NULL) {
- ATOMIC_INCL(frstats[out].fr_bads);
- } else {
- ATOMIC_INCL(frstats[out].fr_ads);
- }
- }
- } else if (fr != NULL) {
- pass = fr->fr_flags;
- if (pass & FR_LOGFIRST)
- pass &= ~(FR_LOGFIRST|FR_LOG);
- }
-
-#if (BSD >= 199306) && (defined(_KERNEL) || defined(KERNEL))
- if (securelevel <= 0)
-#endif
- if (fr && fr->fr_func && !(pass & FR_CALLNOW))
- pass = (*fr->fr_func)(pass, ip, fin);
-
- /*
- * Only count/translate packets which will be passed on, out the
- * interface.
- */
- if (out && (pass & FR_PASS)) {
-#ifdef USE_INET6
- if (v == 6)
- list = ipacct6[1][fr_active];
- else
-#endif
- list = ipacct[1][fr_active];
- if ((fin->fin_fr = list) &&
- (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
- ATOMIC_INCL(frstats[1].fr_acct);
- }
- fin->fin_fr = fr;
- changed = ip_natout(ip, fin);
- } else
- fin->fin_fr = fr;
- RWLOCK_EXIT(&ipf_mutex);
-
-#ifdef IPFILTER_LOG
- if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) {
- if ((fr_flags & FF_LOGNOMATCH) && (pass & FR_NOMATCH)) {
- pass |= FF_LOGNOMATCH;
- ATOMIC_INCL(frstats[out].fr_npkl);
- goto logit;
- } else if (((pass & FR_LOGMASK) == FR_LOGP) ||
- ((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) {
- if ((pass & FR_LOGMASK) != FR_LOGP)
- pass |= FF_LOGPASS;
- ATOMIC_INCL(frstats[out].fr_ppkl);
- goto logit;
- } else if (((pass & FR_LOGMASK) == FR_LOGB) ||
- ((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) {
- if ((pass & FR_LOGMASK) != FR_LOGB)
- pass |= FF_LOGBLOCK;
- ATOMIC_INCL(frstats[out].fr_bpkl);
-logit:
- if (!IPLLOG(pass, ip, fin, m)) {
- ATOMIC_INCL(frstats[out].fr_skip);
- if ((pass & (FR_PASS|FR_LOGORBLOCK)) ==
- (FR_PASS|FR_LOGORBLOCK))
- pass ^= FR_PASS|FR_BLOCK;
- }
- }
- }
-#endif /* IPFILTER_LOG */
-
- if ((out) && (v == 4))
- ip->ip_id = htons(ip->ip_id);
-
-#ifdef _KERNEL
- /*
- * Only allow FR_DUP to work if a rule matched - it makes no sense to
- * set FR_DUP as a "default" as there are no instructions about where
- * to send the packet.
- */
- if (fr && (pass & FR_DUP))
-# if SOLARIS
- mc = dupmsg(m);
-# else
-# ifndef linux
- mc = m_copy(m, 0, M_COPYALL);
-# else
- ;
-# endif
-# endif
-#endif
- if (pass & FR_PASS) {
- ATOMIC_INCL(frstats[out].fr_pass);
- } else if (pass & FR_BLOCK) {
- ATOMIC_INCL(frstats[out].fr_block);
- /*
- * Should we return an ICMP packet to indicate error
- * status passing through the packet filter ?
- * WARNING: ICMP error packets AND TCP RST packets should
- * ONLY be sent in repsonse to incoming packets. Sending them
- * in response to outbound packets can result in a panic on
- * some operating systems.
- */
- if (!out) {
-#ifdef _KERNEL
- if (pass & FR_RETICMP) {
- int dst;
-
- if ((pass & FR_RETMASK) == FR_FAKEICMP)
- dst = 1;
- else
- dst = 0;
- send_icmp_err(ip, ICMP_UNREACH, fin, dst);
- ATOMIC_INCL(frstats[0].fr_ret);
- } else if (((pass & FR_RETMASK) == FR_RETRST) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
- if (send_reset(ip, fin) == 0) {
- ATOMIC_INCL(frstats[1].fr_ret);
- }
- }
-#else
- if ((pass & FR_RETMASK) == FR_RETICMP) {
- verbose("- ICMP unreachable sent\n");
- ATOMIC_INCL(frstats[0].fr_ret);
- } else if ((pass & FR_RETMASK) == FR_FAKEICMP) {
- verbose("- forged ICMP unreachable sent\n");
- ATOMIC_INCL(frstats[0].fr_ret);
- } else if (((pass & FR_RETMASK) == FR_RETRST) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
- verbose("- TCP RST sent\n");
- ATOMIC_INCL(frstats[1].fr_ret);
- }
-#endif
- } else {
- if (pass & FR_RETRST)
- error = ECONNRESET;
- }
- }
-
- /*
- * If we didn't drop off the bottom of the list of rules (and thus
- * the 'current' rule fr is not NULL), then we may have some extra
- * instructions about what to do with a packet.
- * Once we're finished return to our caller, freeing the packet if
- * we are dropping it (* BSD ONLY *).
- */
- if ((changed == -1) && (pass & FR_PASS)) {
- pass &= ~FR_PASS;
- pass |= FR_BLOCK;
- }
-#if defined(_KERNEL)
-# if !SOLARIS
-# if !defined(linux)
- if (fr) {
- frdest_t *fdp = &fr->fr_tif;
-
- if (((pass & FR_FASTROUTE) && !out) ||
- (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
- if (ipfr_fastroute(m, fin, fdp) == 0)
- m = *mp = NULL;
- }
- if (mc)
- ipfr_fastroute(mc, fin, &fr->fr_dif);
- }
- if (!(pass & FR_PASS) && m)
- m_freem(m);
-# ifdef __sgi
- else if (changed && up && m)
- m_copyback(m, 0, up, hbuf);
-# endif
-# endif /* !linux */
-# else /* !SOLARIS */
- if (fr) {
- frdest_t *fdp = &fr->fr_tif;
-
- if (((pass & FR_FASTROUTE) && !out) ||
- (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
- if (ipfr_fastroute(ip, m, mp, fin, fdp) == 0)
- m = *mp = NULL;
- }
- if (mc)
- ipfr_fastroute(ip, mc, mp, fin, &fr->fr_dif);
- }
-# endif /* !SOLARIS */
- return (pass & (FR_PASS|FR_AUTH)) ? 0 : error;
-#else /* _KERNEL */
- if (pass & FR_NOMATCH)
- return 1;
- if (pass & FR_PASS)
- return 0;
- if (pass & FR_AUTH)
- return -2;
- return -1;
-#endif /* _KERNEL */
-}
-
-
-/*
- * ipf_cksum
- * addr should be 16bit aligned and len is in bytes.
- * length is in bytes
- */
-u_short ipf_cksum(addr, len)
-register u_short *addr;
-register int len;
-{
- register u_32_t sum = 0;
-
- for (sum = 0; len > 1; len -= 2)
- sum += *addr++;
-
- /* mop up an odd byte, if necessary */
- if (len == 1)
- sum += *(u_char *)addr;
-
- /*
- * add back carry outs from top 16 bits to low 16 bits
- */
- sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
- sum += (sum >> 16); /* add carry */
- return (u_short)(~sum);
-}
-
-
-/*
- * NB: This function assumes we've pullup'd enough for all of the IP header
- * and the TCP header. We also assume that data blocks aren't allocated in
- * odd sizes.
- */
-u_short fr_tcpsum(m, ip, tcp)
-mb_t *m;
-ip_t *ip;
-tcphdr_t *tcp;
-{
- u_short *sp, slen, ts;
- u_int sum, sum2;
- int hlen;
-
- /*
- * Add up IP Header portion
- */
- hlen = ip->ip_hl << 2;
- slen = ip->ip_len - hlen;
- sum = htons((u_short)ip->ip_p);
- sum += htons(slen);
- sp = (u_short *)&ip->ip_src;
- sum += *sp++; /* ip_src */
- sum += *sp++;
- sum += *sp++; /* ip_dst */
- sum += *sp++;
- ts = tcp->th_sum;
- tcp->th_sum = 0;
-#ifdef KERNEL
-# if SOLARIS
- sum2 = ip_cksum(m, hlen, sum); /* hlen == offset */
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
- sum2 = ~sum2 & 0xffff;
-# else /* SOLARIS */
-# if defined(BSD) || defined(sun)
-# if BSD >= 199306
- m->m_data += hlen;
-# else
- m->m_off += hlen;
-# endif
- m->m_len -= hlen;
- sum2 = in_cksum(m, slen);
- m->m_len += hlen;
-# if BSD >= 199306
- m->m_data -= hlen;
-# else
- m->m_off -= hlen;
-# endif
- /*
- * Both sum and sum2 are partial sums, so combine them together.
- */
- sum = (sum & 0xffff) + (sum >> 16);
- sum = ~sum & 0xffff;
- sum2 += sum;
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
-# else /* defined(BSD) || defined(sun) */
-{
- union {
- u_char c[2];
- u_short s;
- } bytes;
- u_short len = ip->ip_len;
-# if defined(__sgi)
- int add;
-# endif
-
- /*
- * Add up IP Header portion
- */
- sp = (u_short *)&ip->ip_src;
- len -= (ip->ip_hl << 2);
- sum = ntohs(IPPROTO_TCP);
- sum += htons(len);
- sum += *sp++; /* ip_src */
- sum += *sp++;
- sum += *sp++; /* ip_dst */
- sum += *sp++;
- if (sp != (u_short *)tcp)
- sp = (u_short *)tcp;
- sum += *sp++; /* sport */
- sum += *sp++; /* dport */
- sum += *sp++; /* seq */
- sum += *sp++;
- sum += *sp++; /* ack */
- sum += *sp++;
- sum += *sp++; /* off */
- sum += *sp++; /* win */
- sum += *sp++; /* Skip over checksum */
- sum += *sp++; /* urp */
-
-# ifdef __sgi
- /*
- * In case we had to copy the IP & TCP header out of mbufs,
- * skip over the mbuf bits which are the header
- */
- if ((caddr_t)ip != mtod(m, caddr_t)) {
- hlen = (caddr_t)sp - (caddr_t)ip;
- while (hlen) {
- add = MIN(hlen, m->m_len);
- sp = (u_short *)(mtod(m, caddr_t) + add);
- hlen -= add;
- if (add == m->m_len) {
- m = m->m_next;
- if (!hlen) {
- if (!m)
- break;
- sp = mtod(m, u_short *);
- }
- PANIC((!m),("fr_tcpsum(1): not enough data"));
- }
- }
- }
-# endif
-
- if (!(len -= sizeof(*tcp)))
- goto nodata;
- while (len > 1) {
- if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
- m = m->m_next;
- PANIC((!m),("fr_tcpsum(2): not enough data"));
- sp = mtod(m, u_short *);
- }
- if (((caddr_t)(sp + 1) - mtod(m, caddr_t)) > m->m_len) {
- bytes.c[0] = *(u_char *)sp;
- m = m->m_next;
- PANIC((!m),("fr_tcpsum(3): not enough data"));
- sp = mtod(m, u_short *);
- bytes.c[1] = *(u_char *)sp;
- sum += bytes.s;
- sp = (u_short *)((u_char *)sp + 1);
- }
- if ((u_long)sp & 1) {
- bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
- sum += bytes.s;
- } else
- sum += *sp++;
- len -= 2;
- }
- if (len)
- sum += ntohs(*(u_char *)sp << 8);
-nodata:
- while (sum > 0xffff)
- sum = (sum & 0xffff) + (sum >> 16);
- sum2 = (u_short)(~sum & 0xffff);
-}
-# endif /* defined(BSD) || defined(sun) */
-# endif /* SOLARIS */
-#else /* KERNEL */
- sum2 = 0;
-#endif /* KERNEL */
- tcp->th_sum = ts;
- return sum2;
-}
-
-
-#if defined(_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || defined(__sgi) )
-/*
- * Copyright (c) 1982, 1986, 1988, 1991, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $IPFilter: fil.c,v 2.35.2.31 2001/04/03 15:46:41 darrenr Exp $
- */
-/*
- * Copy data from an mbuf chain starting "off" bytes from the beginning,
- * continuing for "len" bytes, into the indicated buffer.
- */
-void
-m_copydata(m, off, len, cp)
- register mb_t *m;
- register int off;
- register int len;
- caddr_t cp;
-{
- register unsigned count;
-
- if (off < 0 || len < 0)
- panic("m_copydata");
- while (off > 0) {
- if (m == 0)
- panic("m_copydata");
- if (off < m->m_len)
- break;
- off -= m->m_len;
- m = m->m_next;
- }
- while (len > 0) {
- if (m == 0)
- panic("m_copydata");
- count = MIN(m->m_len - off, len);
- bcopy(mtod(m, caddr_t) + off, cp, count);
- len -= count;
- cp += count;
- off = 0;
- m = m->m_next;
- }
-}
-
-
-# ifndef linux
-/*
- * Copy data from a buffer back into the indicated mbuf chain,
- * starting "off" bytes from the beginning, extending the mbuf
- * chain if necessary.
- */
-void
-m_copyback(m0, off, len, cp)
- struct mbuf *m0;
- register int off;
- register int len;
- caddr_t cp;
-{
- register int mlen;
- register struct mbuf *m = m0, *n;
- int totlen = 0;
-
- if (m0 == 0)
- return;
- while (off > (mlen = m->m_len)) {
- off -= mlen;
- totlen += mlen;
- if (m->m_next == 0) {
- n = m_getclr(M_DONTWAIT, m->m_type);
- if (n == 0)
- goto out;
- n->m_len = min(MLEN, len + off);
- m->m_next = n;
- }
- m = m->m_next;
- }
- while (len > 0) {
- mlen = min (m->m_len - off, len);
- bcopy(cp, off + mtod(m, caddr_t), (unsigned)mlen);
- cp += mlen;
- len -= mlen;
- mlen += off;
- off = 0;
- totlen += mlen;
- if (len == 0)
- break;
- if (m->m_next == 0) {
- n = m_get(M_DONTWAIT, m->m_type);
- if (n == 0)
- break;
- n->m_len = min(MLEN, len);
- m->m_next = n;
- }
- m = m->m_next;
- }
-out:
-#if 0
- if (((m = m0)->m_flags & M_PKTHDR) && (m->m_pkthdr.len < totlen))
- m->m_pkthdr.len = totlen;
-#endif
- return;
-}
-# endif /* linux */
-#endif /* (_KERNEL) && ( ((BSD < 199306) && !SOLARIS) || __sgi) */
-
-
-frgroup_t *fr_findgroup(num, flags, which, set, fgpp)
-u_32_t num, flags;
-minor_t which;
-int set;
-frgroup_t ***fgpp;
-{
- frgroup_t *fg, **fgp;
-
- if (which == IPL_LOGAUTH)
- fgp = &ipfgroups[2][set];
- else if (flags & FR_ACCOUNT)
- fgp = &ipfgroups[1][set];
- else if (flags & (FR_OUTQUE|FR_INQUE))
- fgp = &ipfgroups[0][set];
- else
- return NULL;
- num &= 0xffff;
-
- while ((fg = *fgp))
- if (fg->fg_num == num)
- break;
- else
- fgp = &fg->fg_next;
- if (fgpp)
- *fgpp = fgp;
- return fg;
-}
-
-
-frgroup_t *fr_addgroup(num, fp, which, set)
-u_32_t num;
-frentry_t *fp;
-minor_t which;
-int set;
-{
- frgroup_t *fg, **fgp;
-
- if ((fg = fr_findgroup(num, fp->fr_flags, which, set, &fgp)))
- return fg;
-
- KMALLOC(fg, frgroup_t *);
- if (fg) {
- fg->fg_num = num;
- fg->fg_next = *fgp;
- fg->fg_head = fp;
- fg->fg_start = &fp->fr_grp;
- *fgp = fg;
- }
- return fg;
-}
-
-
-void fr_delgroup(num, flags, which, set)
-u_32_t num, flags;
-minor_t which;
-int set;
-{
- frgroup_t *fg, **fgp;
-
- if (!(fg = fr_findgroup(num, flags, which, set, &fgp)))
- return;
-
- *fgp = fg->fg_next;
- KFREE(fg);
-}
-
-
-
-/*
- * recursively flush rules from the list, descending groups as they are
- * encountered. if a rule is the head of a group and it has lost all its
- * group members, then also delete the group reference.
- */
-static int frflushlist(set, unit, nfreedp, listp)
-int set;
-minor_t unit;
-int *nfreedp;
-frentry_t **listp;
-{
- register int freed = 0, i;
- register frentry_t *fp;
-
- while ((fp = *listp)) {
- *listp = fp->fr_next;
- if (fp->fr_grp) {
- i = frflushlist(set, unit, nfreedp, &fp->fr_grp);
- MUTEX_ENTER(&ipf_rw);
- fp->fr_ref -= i;
- MUTEX_EXIT(&ipf_rw);
- }
-
- ATOMIC_DEC32(fp->fr_ref);
- if (fp->fr_grhead) {
- fr_delgroup(fp->fr_grhead, fp->fr_flags,
- unit, set);
- fp->fr_grhead = 0;
- }
- if (fp->fr_ref == 0) {
- KFREE(fp);
- freed++;
- } else
- fp->fr_next = NULL;
- }
- *nfreedp += freed;
- return freed;
-}
-
-
-int frflush(unit, flags)
-minor_t unit;
-int flags;
-{
- int flushed = 0, set;
-
- if (unit != IPL_LOGIPF)
- return 0;
- WRITE_ENTER(&ipf_mutex);
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
-
- set = fr_active;
- if (flags & FR_INACTIVE)
- set = 1 - set;
-
- if (flags & FR_OUTQUE) {
-#ifdef USE_INET6
- (void) frflushlist(set, unit, &flushed, &ipfilter6[1][set]);
- (void) frflushlist(set, unit, &flushed, &ipacct6[1][set]);
-#endif
- (void) frflushlist(set, unit, &flushed, &ipfilter[1][set]);
- (void) frflushlist(set, unit, &flushed, &ipacct[1][set]);
- }
- if (flags & FR_INQUE) {
-#ifdef USE_INET6
- (void) frflushlist(set, unit, &flushed, &ipfilter6[0][set]);
- (void) frflushlist(set, unit, &flushed, &ipacct6[0][set]);
-#endif
- (void) frflushlist(set, unit, &flushed, &ipfilter[0][set]);
- (void) frflushlist(set, unit, &flushed, &ipacct[0][set]);
- }
- RWLOCK_EXIT(&ipf_mutex);
- return flushed;
-}
-
-
-char *memstr(src, dst, slen, dlen)
-char *src, *dst;
-int slen, dlen;
-{
- char *s = NULL;
-
- while (dlen >= slen) {
- if (bcmp(src, dst, slen) == 0) {
- s = dst;
- break;
- }
- dst++;
- dlen--;
- }
- return s;
-}
-
-
-void fixskip(listp, rp, addremove)
-frentry_t **listp, *rp;
-int addremove;
-{
- frentry_t *fp;
- int rules = 0, rn = 0;
-
- for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rules++)
- ;
-
- if (!fp)
- return;
-
- for (fp = *listp; fp && (fp != rp); fp = fp->fr_next, rn++)
- if (fp->fr_skip && (rn + fp->fr_skip >= rules))
- fp->fr_skip += addremove;
-}
-
-
-#ifdef _KERNEL
-/*
- * count consecutive 1's in bit mask. If the mask generated by counting
- * consecutive 1's is different to that passed, return -1, else return #
- * of bits.
- */
-int countbits(ip)
-u_32_t ip;
-{
- u_32_t ipn;
- int cnt = 0, i, j;
-
- ip = ipn = ntohl(ip);
- for (i = 32; i; i--, ipn *= 2)
- if (ipn & 0x80000000)
- cnt++;
- else
- break;
- ipn = 0;
- for (i = 32, j = cnt; i; i--, j--) {
- ipn *= 2;
- if (j > 0)
- ipn++;
- }
- if (ipn == ip)
- return cnt;
- return -1;
-}
-
-
-/*
- * return the first IP Address associated with an interface
- */
-int fr_ifpaddr(v, ifptr, inp)
-int v;
-void *ifptr;
-struct in_addr *inp;
-{
-# ifdef USE_INET6
- struct in6_addr *inp6 = NULL;
-# endif
-# if SOLARIS
- ill_t *ill = ifptr;
-# else
- struct ifnet *ifp = ifptr;
-# endif
- struct in_addr in;
-
-# if SOLARIS
-# ifdef USE_INET6
- if (v == 6) {
- struct in6_addr in6;
-
- /*
- * First is always link local.
- */
- if (ill->ill_ipif->ipif_next)
- in6 = ill->ill_ipif->ipif_next->ipif_v6lcl_addr;
- else
- bzero((char *)&in6, sizeof(in6));
- bcopy((char *)&in6, (char *)inp, sizeof(in6));
- } else
-# endif
- {
- in.s_addr = ill->ill_ipif->ipif_local_addr;
- *inp = in;
- }
-# else /* SOLARIS */
-# if linux
- ;
-# else /* linux */
- struct sockaddr_in *sin;
- struct ifaddr *ifa;
-
-# if (__FreeBSD_version >= 300000)
- ifa = TAILQ_FIRST(&ifp->if_addrhead);
-# else
-# if defined(__NetBSD__) || defined(__OpenBSD__)
- ifa = ifp->if_addrlist.tqh_first;
-# else
-# if defined(__sgi) && defined(IFF_DRVRLOCK) /* IRIX 6 */
- ifa = &((struct in_ifaddr *)ifp->in_ifaddr)->ia_ifa;
-# else
- ifa = ifp->if_addrlist;
-# endif
-# endif /* __NetBSD__ || __OpenBSD__ */
-# endif /* __FreeBSD_version >= 300000 */
-# if (BSD < 199306) && !(/*IRIX6*/defined(__sgi) && defined(IFF_DRVRLOCK))
- sin = (struct sockaddr_in *)&ifa->ifa_addr;
-# else
- sin = (struct sockaddr_in *)ifa->ifa_addr;
- while (sin && ifa) {
- if ((v == 4) && (sin->sin_family == AF_INET))
- break;
-# ifdef USE_INET6
- if ((v == 6) && (sin->sin_family == AF_INET6)) {
- inp6 = &((struct sockaddr_in6 *)sin)->sin6_addr;
- if (!IN6_IS_ADDR_LINKLOCAL(inp6) &&
- !IN6_IS_ADDR_LOOPBACK(inp6))
- break;
- }
-# endif
-# if (__FreeBSD_version >= 300000)
- ifa = TAILQ_NEXT(ifa, ifa_link);
-# else
-# if defined(__NetBSD__) || defined(__OpenBSD__)
- ifa = ifa->ifa_list.tqe_next;
-# else
- ifa = ifa->ifa_next;
-# endif
-# endif /* __FreeBSD_version >= 300000 */
- if (ifa)
- sin = (struct sockaddr_in *)ifa->ifa_addr;
- }
- if (ifa == NULL)
- sin = NULL;
- if (sin == NULL)
- return -1;
-# endif /* (BSD < 199306) && (!__sgi && IFF_DRVLOCK) */
-# ifdef USE_INET6
- if (v == 6)
- bcopy((char *)inp6, (char *)inp, sizeof(*inp6));
- else
-# endif
- {
- in = sin->sin_addr;
- *inp = in;
- }
-# endif /* linux */
-# endif /* SOLARIS */
- return 0;
-}
-
-
-static void frsynclist(fr)
-register frentry_t *fr;
-{
- for (; fr; fr = fr->fr_next) {
- if (fr->fr_ifa != NULL) {
- fr->fr_ifa = GETUNIT(fr->fr_ifname, fr->fr_ip.fi_v);
- if (fr->fr_ifa == NULL)
- fr->fr_ifa = (void *)-1;
- }
- if (fr->fr_grp)
- frsynclist(fr->fr_grp);
- }
-}
-
-
-void frsync()
-{
-# if !SOLARIS
- register struct ifnet *ifp;
-
-# if defined(__OpenBSD__) || ((NetBSD >= 199511) && (NetBSD < 1991011)) || \
- (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000))
-# if (NetBSD >= 199905) || defined(__OpenBSD__)
- for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_list.tqe_next)
-# else
- for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_link.tqe_next)
-# endif
-# else
- for (ifp = ifnet; ifp; ifp = ifp->if_next)
-# endif
- {
- ip_natsync(ifp);
- ip_statesync(ifp);
- }
- ip_natsync((struct ifnet *)-1);
-# endif
-
- WRITE_ENTER(&ipf_mutex);
- frsynclist(ipacct[0][fr_active]);
- frsynclist(ipacct[1][fr_active]);
- frsynclist(ipfilter[0][fr_active]);
- frsynclist(ipfilter[1][fr_active]);
-#ifdef USE_INET6
- frsynclist(ipacct6[0][fr_active]);
- frsynclist(ipacct6[1][fr_active]);
- frsynclist(ipfilter6[0][fr_active]);
- frsynclist(ipfilter6[1][fr_active]);
-#endif
- RWLOCK_EXIT(&ipf_mutex);
-}
-
-
-/*
- * In the functions below, bcopy() is called because the pointer being
- * copied _from_ in this instance is a pointer to a char buf (which could
- * end up being unaligned) and on the kernel's local stack.
- */
-int ircopyptr(a, b, c)
-void *a, *b;
-size_t c;
-{
- caddr_t ca;
- int err;
-
-#if SOLARIS
- if (copyin(a, (char *)&ca, sizeof(ca)))
- return EFAULT;
-#else
- bcopy(a, &ca, sizeof(ca));
-#endif
- err = copyin(ca, b, c);
- if (err)
- err = EFAULT;
- return err;
-}
-
-
-int iwcopyptr(a, b, c)
-void *a, *b;
-size_t c;
-{
- caddr_t ca;
- int err;
-
-#if SOLARIS
- if (copyin(b, (char *)&ca, sizeof(ca)))
- return EFAULT;
-#else
- bcopy(b, &ca, sizeof(ca));
-#endif
- err = copyout(a, ca, c);
- if (err)
- err = EFAULT;
- return err;
-}
-
-#else /* _KERNEL */
-
-
-/*
- * return the first IP Address associated with an interface
- */
-int fr_ifpaddr(v, ifptr, inp)
-int v;
-void *ifptr;
-struct in_addr *inp;
-{
- return 0;
-}
-
-
-int ircopyptr(a, b, c)
-void *a, *b;
-size_t c;
-{
- caddr_t ca;
-
- bcopy(a, &ca, sizeof(ca));
- bcopy(ca, b, c);
- return 0;
-}
-
-
-int iwcopyptr(a, b, c)
-void *a, *b;
-size_t c;
-{
- caddr_t ca;
-
- bcopy(b, &ca, sizeof(ca));
- bcopy(a, ca, c);
- return 0;
-}
-
-
-#endif
-
-
-int fr_lock(data, lockp)
-caddr_t data;
-int *lockp;
-{
- int arg, error;
-
- error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
- if (!error) {
- error = IWCOPY((caddr_t)lockp, data, sizeof(*lockp));
- if (!error)
- *lockp = arg;
- }
- return error;
-}
-
-
-void fr_getstat(fiop)
-friostat_t *fiop;
-{
- bcopy((char *)frstats, (char *)fiop->f_st, sizeof(filterstats_t) * 2);
- fiop->f_locks[0] = fr_state_lock;
- fiop->f_locks[1] = fr_nat_lock;
- fiop->f_locks[2] = fr_frag_lock;
- fiop->f_locks[3] = fr_auth_lock;
- fiop->f_fin[0] = ipfilter[0][0];
- fiop->f_fin[1] = ipfilter[0][1];
- fiop->f_fout[0] = ipfilter[1][0];
- fiop->f_fout[1] = ipfilter[1][1];
- fiop->f_acctin[0] = ipacct[0][0];
- fiop->f_acctin[1] = ipacct[0][1];
- fiop->f_acctout[0] = ipacct[1][0];
- fiop->f_acctout[1] = ipacct[1][1];
-#ifdef USE_INET6
- fiop->f_fin6[0] = ipfilter6[0][0];
- fiop->f_fin6[1] = ipfilter6[0][1];
- fiop->f_fout6[0] = ipfilter6[1][0];
- fiop->f_fout6[1] = ipfilter6[1][1];
- fiop->f_acctin6[0] = ipacct6[0][0];
- fiop->f_acctin6[1] = ipacct6[0][1];
- fiop->f_acctout6[0] = ipacct6[1][0];
- fiop->f_acctout6[1] = ipacct6[1][1];
-#else
- fiop->f_fin6[0] = NULL;
- fiop->f_fin6[1] = NULL;
- fiop->f_fout6[0] = NULL;
- fiop->f_fout6[1] = NULL;
- fiop->f_acctin6[0] = NULL;
- fiop->f_acctin6[1] = NULL;
- fiop->f_acctout6[0] = NULL;
- fiop->f_acctout6[1] = NULL;
-#endif
- fiop->f_active = fr_active;
- fiop->f_froute[0] = ipl_frouteok[0];
- fiop->f_froute[1] = ipl_frouteok[1];
-
- fiop->f_running = fr_running;
- fiop->f_groups[0][0] = ipfgroups[0][0];
- fiop->f_groups[0][1] = ipfgroups[0][1];
- fiop->f_groups[1][0] = ipfgroups[1][0];
- fiop->f_groups[1][1] = ipfgroups[1][1];
- fiop->f_groups[2][0] = ipfgroups[2][0];
- fiop->f_groups[2][1] = ipfgroups[2][1];
-#ifdef IPFILTER_LOG
- fiop->f_logging = 1;
-#else
- fiop->f_logging = 0;
-#endif
- fiop->f_defpass = fr_pass;
- strncpy(fiop->f_version, ipfilter_version, sizeof(fiop->f_version));
-}
-
-
-#ifdef USE_INET6
-int icmptoicmp6types[ICMP_MAXTYPE+1] = {
- ICMP6_ECHO_REPLY, /* 0: ICMP_ECHOREPLY */
- -1, /* 1: UNUSED */
- -1, /* 2: UNUSED */
- ICMP6_DST_UNREACH, /* 3: ICMP_UNREACH */
- -1, /* 4: ICMP_SOURCEQUENCH */
- ND_REDIRECT, /* 5: ICMP_REDIRECT */
- -1, /* 6: UNUSED */
- -1, /* 7: UNUSED */
- ICMP6_ECHO_REQUEST, /* 8: ICMP_ECHO */
- -1, /* 9: UNUSED */
- -1, /* 10: UNUSED */
- ICMP6_TIME_EXCEEDED, /* 11: ICMP_TIMXCEED */
- ICMP6_PARAM_PROB, /* 12: ICMP_PARAMPROB */
- -1, /* 13: ICMP_TSTAMP */
- -1, /* 14: ICMP_TSTAMPREPLY */
- -1, /* 15: ICMP_IREQ */
- -1, /* 16: ICMP_IREQREPLY */
- -1, /* 17: ICMP_MASKREQ */
- -1, /* 18: ICMP_MASKREPLY */
-};
-
-
-int icmptoicmp6unreach[ICMP_MAX_UNREACH] = {
- ICMP6_DST_UNREACH_ADDR, /* 0: ICMP_UNREACH_NET */
- ICMP6_DST_UNREACH_ADDR, /* 1: ICMP_UNREACH_HOST */
- -1, /* 2: ICMP_UNREACH_PROTOCOL */
- ICMP6_DST_UNREACH_NOPORT, /* 3: ICMP_UNREACH_PORT */
- -1, /* 4: ICMP_UNREACH_NEEDFRAG */
- ICMP6_DST_UNREACH_NOTNEIGHBOR, /* 5: ICMP_UNREACH_SRCFAIL */
- ICMP6_DST_UNREACH_ADDR, /* 6: ICMP_UNREACH_NET_UNKNOWN */
- ICMP6_DST_UNREACH_ADDR, /* 7: ICMP_UNREACH_HOST_UNKNOWN */
- -1, /* 8: ICMP_UNREACH_ISOLATED */
- ICMP6_DST_UNREACH_ADMIN, /* 9: ICMP_UNREACH_NET_PROHIB */
- ICMP6_DST_UNREACH_ADMIN, /* 10: ICMP_UNREACH_HOST_PROHIB */
- -1, /* 11: ICMP_UNREACH_TOSNET */
- -1, /* 12: ICMP_UNREACH_TOSHOST */
- ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */
-};
-#endif
diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c
index ed39157dddc..b10fd0fc85f 100644
--- a/sys/netinet/in_proto.c
+++ b/sys/netinet/in_proto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_proto.c,v 1.26 2001/05/25 22:08:23 itojun Exp $ */
+/* $OpenBSD: in_proto.c,v 1.27 2001/05/30 02:12:27 deraadt Exp $ */
/* $NetBSD: in_proto.c,v 1.14 1996/02/18 18:58:32 christos Exp $ */
/*
@@ -143,11 +143,6 @@ didn't get a copy, you may request one from <license@ipv6.nrl.navy.mil>.
#include <netinet/ip_mroute.h>
#endif /* MROUTING */
-#ifdef IPFILTER
-void iplinit __P((void));
-#define ip_init iplinit
-#endif
-
#ifdef INET6
#include <netinet6/ip6_var.h>
#endif /* INET6 */
diff --git a/sys/netinet/ip_auth.c b/sys/netinet/ip_auth.c
deleted file mode 100644
index 72dc2799324..00000000000
--- a/sys/netinet/ip_auth.c
+++ /dev/null
@@ -1,550 +0,0 @@
-/* $OpenBSD: ip_auth.c,v 1.18 2001/05/08 19:58:01 fgsch Exp $ */
-
-/*
- * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char rcsid[] = "@(#)$IPFilter: ip_auth.c,v 2.11.2.8 2001/04/03 15:48:12 darrenr Exp $";
-#endif
-
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#if !defined(_KERNEL) && !defined(KERNEL)
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-#endif
-#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#include <sys/uio.h>
-#ifndef linux
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
-# include <sys/systm.h>
-#endif
-#if !defined(__SVR4) && !defined(__svr4__)
-# ifndef linux
-# include <sys/mbuf.h>
-# endif
-#else
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-# include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-#if (_BSDI_VERSION >= 199802) || (__FreeBSD_version >= 400000)
-# include <sys/queue.h>
-#endif
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(bsdi)
-# include <machine/cpu.h>
-#endif
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef KERNEL
-# define KERNEL
-# define NOT_KERNEL
-#endif
-#ifndef linux
-# include <netinet/ip_var.h>
-#endif
-#ifdef NOT_KERNEL
-# undef KERNEL
-#endif
-#ifdef __sgi
-# ifdef IFF_DRVRLOCK /* IRIX6 */
-# include <sys/hashing.h>
-# endif
-#endif
-#include <netinet/tcp.h>
-#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
-extern struct ifqueue ipintrq; /* ip packet input queue */
-#else
-# ifndef linux
-# if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-# endif
-# include <netinet/in_var.h>
-# include <netinet/tcp_fsm.h>
-# endif
-#endif
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_auth.h>
-#if !SOLARIS && !defined(linux)
-# include <net/netisr.h>
-# ifdef __FreeBSD__
-# include <machine/cpufunc.h>
-# endif
-#endif
-#if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
-# include <sys/libkern.h>
-# include <sys/systm.h>
-# endif
-#endif
-
-
-
-#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern KRWLOCK_T ipf_auth;
-extern kmutex_t ipf_authmx;
-# if SOLARIS
-extern kcondvar_t ipfauthwait;
-# endif
-#endif
-#ifdef linux
-static struct wait_queue *ipfauthwait = NULL;
-#endif
-
-int fr_authsize = FR_NUMAUTH;
-int fr_authused = 0;
-int fr_defaultauthage = 600;
-int fr_auth_lock = 0;
-fr_authstat_t fr_authstats;
-static frauth_t fr_auth[FR_NUMAUTH];
-mb_t *fr_authpkts[FR_NUMAUTH];
-static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
-static frauthent_t *fae_list = NULL;
-frentry_t *ipauth = NULL;
-
-
-/*
- * Check if a packet has authorization. If the packet is found to match an
- * authorization result and that would result in a feedback loop (i.e. it
- * will end up returning FR_AUTH) then return FR_BLOCK instead.
- */
-u_32_t fr_checkauth(ip, fin)
-ip_t *ip;
-fr_info_t *fin;
-{
- u_short id = ip->ip_id;
- u_32_t pass;
- int i;
-
- if (fr_auth_lock)
- return 0;
-
- READ_ENTER(&ipf_auth);
- for (i = fr_authstart; i != fr_authend; ) {
- /*
- * index becomes -2 only after an SIOCAUTHW. Check this in
- * case the same packet gets sent again and it hasn't yet been
- * auth'd.
- */
- if ((fr_auth[i].fra_index == -2) &&
- (id == fr_auth[i].fra_info.fin_id) &&
- !bcmp((char *)fin,(char *)&fr_auth[i].fra_info,FI_CSIZE)) {
- /*
- * Avoid feedback loop.
- */
- if (!(pass = fr_auth[i].fra_pass) || (pass & FR_AUTH))
- pass = FR_BLOCK;
- RWLOCK_EXIT(&ipf_auth);
- WRITE_ENTER(&ipf_auth);
- fr_authstats.fas_hits++;
- fr_auth[i].fra_index = -1;
- fr_authused--;
- if (i == fr_authstart) {
- while (fr_auth[i].fra_index == -1) {
- i++;
- if (i == FR_NUMAUTH)
- i = 0;
- fr_authstart = i;
- if (i == fr_authend)
- break;
- }
- if (fr_authstart == fr_authend) {
- fr_authnext = 0;
- fr_authstart = fr_authend = 0;
- }
- }
- RWLOCK_EXIT(&ipf_auth);
- return pass;
- }
- i++;
- if (i == FR_NUMAUTH)
- i = 0;
- }
- fr_authstats.fas_miss++;
- RWLOCK_EXIT(&ipf_auth);
- return 0;
-}
-
-
-/*
- * Check if we have room in the auth array to hold details for another packet.
- * If we do, store it and wake up any user programs which are waiting to
- * hear about these events.
- */
-int fr_newauth(m, fin, ip)
-mb_t *m;
-fr_info_t *fin;
-ip_t *ip;
-{
-#if defined(_KERNEL) && SOLARIS
- qif_t *qif = fin->fin_qif;
-#endif
- int i;
-
- if (fr_auth_lock)
- return 0;
-
- WRITE_ENTER(&ipf_auth);
- if (fr_authstart > fr_authend) {
- fr_authstats.fas_nospace++;
- RWLOCK_EXIT(&ipf_auth);
- return 0;
- } else {
- if ((fr_authstart == 0) && (fr_authend == FR_NUMAUTH - 1)) {
- fr_authstats.fas_nospace++;
- RWLOCK_EXIT(&ipf_auth);
- return 0;
- }
- }
-
- fr_authstats.fas_added++;
- fr_authused++;
- i = fr_authend++;
- if (fr_authend == FR_NUMAUTH)
- fr_authend = 0;
- RWLOCK_EXIT(&ipf_auth);
- fr_auth[i].fra_index = i;
- fr_auth[i].fra_pass = 0;
- fr_auth[i].fra_age = fr_defaultauthage;
- bcopy((char *)fin, (char *)&fr_auth[i].fra_info, sizeof(*fin));
-#if SOLARIS && defined(_KERNEL)
-# if !defined(sparc)
- /*
- * No need to copyback here as we want to undo the changes, not keep
- * them.
- */
- if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
- {
- register u_short bo;
-
- bo = ip->ip_len;
- ip->ip_len = htons(bo);
- bo = ip->ip_off;
- ip->ip_off = htons(bo);
- }
-# endif
- m->b_rptr -= qif->qf_off;
- fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
- fr_auth[i].fra_q = qif->qf_q;
- cv_signal(&ipfauthwait);
-#else
- fr_authpkts[i] = m;
- WAKEUP(&fr_authnext);
-#endif
- return 1;
-}
-
-
-int fr_auth_ioctl(data, cmd, fr, frptr)
-caddr_t data;
-#if defined(__NetBSD__) || defined(__OpenBSD__) || (FreeBSD_version >= 300003)
-u_long cmd;
-#else
-int cmd;
-#endif
-frentry_t *fr, **frptr;
-{
- mb_t *m;
-#if defined(_KERNEL) && !SOLARIS
- struct ifqueue *ifq;
-#endif
- frauth_t auth, *au = &auth;
- frauthent_t *fae, **faep;
- int i, error = 0;
-
- switch (cmd)
- {
- case SIOCSTLCK :
- error = fr_lock(data, &fr_auth_lock);
- break;
- case SIOCINIFR :
- case SIOCRMIFR :
- case SIOCADIFR :
- error = EINVAL;
- break;
- case SIOCINAFR :
- error = EINVAL;
- break;
- case SIOCRMAFR :
- case SIOCADAFR :
- for (faep = &fae_list; (fae = *faep); )
- if (&fae->fae_fr == fr)
- break;
- else
- faep = &fae->fae_next;
- if (cmd == SIOCRMAFR) {
- if (!fr || !frptr)
- error = EINVAL;
- else if (!fae)
- error = ESRCH;
- else {
- WRITE_ENTER(&ipf_auth);
- *faep = fae->fae_next;
- *frptr = fr->fr_next;
- RWLOCK_EXIT(&ipf_auth);
- KFREE(fae);
- }
- } else if (fr && frptr) {
- KMALLOC(fae, frauthent_t *);
- if (fae != NULL) {
- bcopy((char *)fr, (char *)&fae->fae_fr,
- sizeof(*fr));
- WRITE_ENTER(&ipf_auth);
- fae->fae_age = fr_defaultauthage;
- fae->fae_fr.fr_hits = 0;
- fae->fae_fr.fr_next = *frptr;
- *frptr = &fae->fae_fr;
- fae->fae_next = *faep;
- *faep = fae;
- ipauth = &fae_list->fae_fr;
- RWLOCK_EXIT(&ipf_auth);
- } else
- error = ENOMEM;
- } else
- error = EINVAL;
- break;
- case SIOCATHST:
- READ_ENTER(&ipf_auth);
- fr_authstats.fas_faelist = fae_list;
- RWLOCK_EXIT(&ipf_auth);
- error = IWCOPYPTR((char *)&fr_authstats, data,
- sizeof(fr_authstats));
- break;
- case SIOCAUTHW:
-fr_authioctlloop:
- READ_ENTER(&ipf_auth);
- if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
- error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
- sizeof(frauth_t));
- RWLOCK_EXIT(&ipf_auth);
- if (error)
- break;
- WRITE_ENTER(&ipf_auth);
- fr_authnext++;
- if (fr_authnext == FR_NUMAUTH)
- fr_authnext = 0;
- RWLOCK_EXIT(&ipf_auth);
- return 0;
- }
-#ifdef _KERNEL
-# if SOLARIS
- mutex_enter(&ipf_authmx);
- if (!cv_wait_sig(&ipfauthwait, &ipf_authmx)) {
- mutex_exit(&ipf_authmx);
- return EINTR;
- }
- mutex_exit(&ipf_authmx);
-# else
-# ifdef linux
- interruptible_sleep_on(&ipfauthwait);
- if (current->signal & ~current->blocked)
- error = -EINTR;
-# else
- error = SLEEP(&fr_authnext, "fr_authnext");
-# endif
-# endif
-#endif
- RWLOCK_EXIT(&ipf_auth);
- if (!error)
- goto fr_authioctlloop;
- break;
- case SIOCAUTHR:
- error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
- if (error)
- return error;
- WRITE_ENTER(&ipf_auth);
- i = au->fra_index;
- if ((i < 0) || (i > FR_NUMAUTH) ||
- (fr_auth[i].fra_info.fin_id != au->fra_info.fin_id)) {
- RWLOCK_EXIT(&ipf_auth);
- return EINVAL;
- }
- m = fr_authpkts[i];
- fr_auth[i].fra_index = -2;
- fr_auth[i].fra_pass = au->fra_pass;
- fr_authpkts[i] = NULL;
-#ifdef _KERNEL
- RWLOCK_EXIT(&ipf_auth);
-# ifndef linux
- if (m && au->fra_info.fin_out) {
-# if SOLARIS
- error = fr_qout(fr_auth[i].fra_q, m);
-# else /* SOLARIS */
- struct route ro;
-
- bzero((char *)&ro, sizeof(ro));
-# if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
- defined(__OpenBSD__)
- error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
- NULL);
-# else
- error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL);
-# endif
- if (ro.ro_rt)
- RTFREE(ro.ro_rt);
-# endif /* SOLARIS */
- if (error)
- fr_authstats.fas_sendfail++;
- else
- fr_authstats.fas_sendok++;
- } else if (m) {
-# if SOLARIS
- error = fr_qin(fr_auth[i].fra_q, m);
-# else /* SOLARIS */
- ifq = &ipintrq;
- if (IF_QFULL(ifq)) {
- IF_DROP(ifq);
- m_freem(m);
- error = ENOBUFS;
- } else {
- IF_ENQUEUE(ifq, m);
- schednetisr(NETISR_IP);
- }
-# endif /* SOLARIS */
- if (error)
- fr_authstats.fas_quefail++;
- else
- fr_authstats.fas_queok++;
- } else
- error = EINVAL;
-# endif
-# if SOLARIS
- if (error)
- error = EINVAL;
-# else
- /*
- * If we experience an error which will result in the packet
- * not being processed, make sure we advance to the next one.
- */
- if (error == ENOBUFS) {
- fr_authused--;
- fr_auth[i].fra_index = -1;
- fr_auth[i].fra_pass = 0;
- if (i == fr_authstart) {
- while (fr_auth[i].fra_index == -1) {
- i++;
- if (i == FR_NUMAUTH)
- i = 0;
- fr_authstart = i;
- if (i == fr_authend)
- break;
- }
- if (fr_authstart == fr_authend) {
- fr_authnext = 0;
- fr_authstart = fr_authend = 0;
- }
- }
- }
-# endif
-#endif /* _KERNEL */
- break;
- default :
- error = EINVAL;
- break;
- }
- return error;
-}
-
-
-#ifdef _KERNEL
-/*
- * Free all network buffer memory used to keep saved packets.
- */
-void fr_authunload()
-{
- register int i;
- register frauthent_t *fae, **faep;
- mb_t *m;
-
- WRITE_ENTER(&ipf_auth);
- for (i = 0; i < FR_NUMAUTH; i++) {
- if ((m = fr_authpkts[i])) {
- FREE_MB_T(m);
- fr_authpkts[i] = NULL;
- fr_auth[i].fra_index = -1;
- }
- }
-
-
- for (faep = &fae_list; (fae = *faep); ) {
- *faep = fae->fae_next;
- KFREE(fae);
- }
- ipauth = NULL;
- RWLOCK_EXIT(&ipf_auth);
-}
-
-
-/*
- * Slowly expire held auth records. Timeouts are set
- * in expectation of this being called twice per second.
- */
-void fr_authexpire()
-{
- register int i;
- register frauth_t *fra;
- register frauthent_t *fae, **faep;
- mb_t *m;
-#if !SOLARIS
- int s;
-#endif
-
- if (fr_auth_lock)
- return;
-
- SPL_NET(s);
- WRITE_ENTER(&ipf_auth);
- for (i = 0, fra = fr_auth; i < FR_NUMAUTH; i++, fra++) {
- if ((!--fra->fra_age) && (m = fr_authpkts[i])) {
- FREE_MB_T(m);
- fr_authpkts[i] = NULL;
- fr_auth[i].fra_index = -1;
- fr_authstats.fas_expire++;
- fr_authused--;
- }
- }
-
- for (faep = &fae_list; (fae = *faep); ) {
- if (!--fae->fae_age) {
- *faep = fae->fae_next;
- KFREE(fae);
- fr_authstats.fas_expire++;
- } else
- faep = &fae->fae_next;
- }
- ipauth = &fae_list->fae_fr;
- RWLOCK_EXIT(&ipf_auth);
- SPL_X(s);
-}
-#endif
diff --git a/sys/netinet/ip_fil.c b/sys/netinet/ip_fil.c
deleted file mode 100644
index 72e16b3b758..00000000000
--- a/sys/netinet/ip_fil.c
+++ /dev/null
@@ -1,1802 +0,0 @@
-/* $OpenBSD: ip_fil.c,v 1.46 2001/05/08 20:13:15 fgsch Exp $ */
-
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ip_fil.c,v 2.42.2.19 2001/04/03 14:13:37 darrenr Exp $";
-#endif
-
-#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-
-#if defined(KERNEL) && !defined(_KERNEL)
-# define _KERNEL
-#endif
-#if defined(_KERNEL) && defined(__FreeBSD_version) && \
- (__FreeBSD_version >= 400000) && !defined(KLD_MODULE)
-#include "opt_inet6.h"
-#endif
-#include <sys/param.h>
-#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
- defined(_KERNEL)
-# include "opt_ipfilter_log.h"
-#endif
-#if defined(__FreeBSD__) && !defined(__FreeBSD_version)
-# if !defined(_KERNEL) || defined(IPFILTER_LKM)
-# include <osreldate.h>
-# endif
-#endif
-#ifndef _KERNEL
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-# include <ctype.h>
-# include <fcntl.h>
-#endif
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/file.h>
-#if __FreeBSD_version >= 220000 && defined(_KERNEL)
-# include <sys/fcntl.h>
-# include <sys/filio.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#include <sys/time.h>
-#ifdef _KERNEL
-# include <sys/systm.h>
-#endif
-#include <sys/uio.h>
-#if !SOLARIS
-# if (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-# else
-# include <sys/dir.h>
-# endif
-# include <sys/mbuf.h>
-#else
-# include <sys/filio.h>
-#endif
-#include <sys/protosw.h>
-#include <sys/socket.h>
-
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-# include "opt_ipfilter.h"
-# endif
-#endif
-#ifdef __sgi
-#include <sys/debug.h>
-# ifdef IFF_DRVRLOCK /* IRIX6 */
-#include <sys/hashing.h>
-# endif
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */
-# include <netinet/in_var.h>
-#endif
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_icmp.h>
-#ifndef _KERNEL
-# include <unistd.h>
-# include <syslog.h>
-#endif
-#include <netinet/ip_fil_compat.h>
-#ifdef USE_INET6
-# include <netinet/icmp6.h>
-#endif
-#include <netinet/ip_fil.h>
-#include <netinet/ip_proxy.h>
-#include <netinet/ip_nat.h>
-#include <netinet/ip_frag.h>
-#include <netinet/ip_state.h>
-#include <netinet/ip_auth.h>
-#if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-#endif
-#ifndef MIN
-# define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-#if !SOLARIS && defined(_KERNEL) && !defined(__sgi)
-# include <sys/kernel.h>
-extern int ip_optcopy __P((struct ip *, struct ip *));
-#endif
-
-
-extern struct protosw inetsw[];
-
-#ifndef _KERNEL
-# include "ipt.h"
-static struct ifnet **ifneta = NULL;
-static int nifs = 0;
-#else
-# if (BSD < 199306) || defined(__sgi)
-extern int tcp_ttl;
-# endif
-#endif
-
-int ipl_unreach = ICMP_UNREACH_FILTER;
-u_long ipl_frouteok[2] = {0, 0};
-
-static int frzerostats __P((caddr_t));
-#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
-static int frrequest __P((int, u_long, caddr_t, int));
-#else
-static int frrequest __P((int, int, caddr_t, int));
-#endif
-#ifdef _KERNEL
-static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **));
-static int send_ip __P((ip_t *, fr_info_t *, struct mbuf *));
-# ifdef __sgi
-extern kmutex_t ipf_rw;
-extern KRWLOCK_T ipf_mutex;
-# endif
-#else
-int ipllog __P((void));
-void init_ifp __P((void));
-# ifdef __sgi
-static int no_output __P((struct ifnet *, struct mbuf *,
- struct sockaddr *));
-static int write_output __P((struct ifnet *, struct mbuf *,
- struct sockaddr *));
-# else
-static int no_output __P((struct ifnet *, struct mbuf *,
- struct sockaddr *, struct rtentry *));
-static int write_output __P((struct ifnet *, struct mbuf *,
- struct sockaddr *, struct rtentry *));
-# endif
-#endif
-int fr_running = 0;
-
-#if (__FreeBSD_version >= 300000) && defined(_KERNEL)
-struct callout_handle ipfr_slowtimer_ch;
-#endif
-#if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
-# include <sys/callout.h>
-struct callout ipfr_slowtimer_ch;
-#endif
-#if defined(__OpenBSD__)
-# include <sys/timeout.h>
-struct timeout ipfr_slowtimer_ch;
-#endif
-#if defined(__sgi) && defined(_KERNEL)
-toid_t ipfr_slowtimer_ch;
-#endif
-
-#if (_BSDI_VERSION >= 199510) && defined(_KERNEL)
-# include <sys/device.h>
-# include <sys/conf.h>
-
-struct cfdriver iplcd = {
- NULL, "ipl", NULL, NULL, DV_DULL, 0
-};
-
-struct devsw iplsw = {
- &iplcd,
- iplopen, iplclose, iplread, nowrite, iplioctl, noselect, nommap,
- nostrat, nodump, nopsize, 0,
- nostop
-};
-#endif /* _BSDI_VERSION >= 199510 && _KERNEL */
-
-#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701)
-# include <sys/conf.h>
-# if defined(NETBSD_PF)
-# include <net/pfil.h>
-/*
- * We provide the fr_checkp name just to minimize changes later.
- */
-int (*fr_checkp) __P((ip_t *ip, int hlen, void *ifp, int out, mb_t **mp));
-# endif /* NETBSD_PF */
-#endif /* __NetBSD__ */
-
-#ifdef _KERNEL
-# if defined(IPFILTER_LKM) && !defined(__sgi)
-int iplidentify(s)
-char *s;
-{
- if (strcmp(s, "ipl") == 0)
- return 1;
- return 0;
-}
-# endif /* IPFILTER_LKM */
-
-
-/*
- * Try to detect the case when compiling for NetBSD with pseudo-device
- */
-# if defined(__NetBSD__) && defined(PFIL_HOOKS)
-void
-ipfilterattach(count)
-int count;
-{
- if (iplattach() != 0)
- printf("IP Filter failed to attach\n");
-}
-# endif
-
-
-int iplattach()
-{
- char *defpass;
- int s;
-# if defined(__sgi) || (defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000))
- int error = 0;
-# endif
-
- SPL_NET(s);
- if (fr_running || (fr_checkp == fr_check)) {
- printf("IP Filter: already initialized\n");
- SPL_X(s);
- return EBUSY;
- }
-
-# ifdef IPFILTER_LOG
- ipflog_init();
-# endif
- if (nat_init() == -1) {
- SPL_X(s);
- return EIO;
- }
- if (fr_stateinit() == -1) {
- SPL_X(s);
- return EIO;
- }
- if (appr_init() == -1) {
- SPL_X(s);
- return EIO;
- }
-
-# ifdef NETBSD_PF
-# if __NetBSD_Version__ >= 104200000
- error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
- &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
- if (error) {
-# ifdef USE_INET6
- goto pfil_error;
-# else
- SPL_X(s);
- appr_unload();
- ip_natunload();
- fr_stateunload();
- return error;
-# endif
- }
-# else
- pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
-# endif
-# ifdef USE_INET6
- error = pfil_add_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
- &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
- if (error) {
- pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
- &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
-pfil_error:
- SPL_X(s);
- appr_unload();
- ip_natunload();
- fr_stateunload();
- return error;
- }
-# endif
-# endif
-
-# ifdef __sgi
- error = ipfilter_sgi_attach();
- if (error) {
- SPL_X(s);
- appr_unload();
- ip_natunload();
- fr_stateunload();
- return error;
- }
-# endif
-
- bzero((char *)frcache, sizeof(frcache));
- fr_savep = fr_checkp;
- fr_checkp = fr_check;
- fr_running = 1;
-
- SPL_X(s);
- if (fr_pass & FR_PASS)
- defpass = "pass";
- else if (fr_pass & FR_BLOCK)
- defpass = "block";
- else
- defpass = "no-match -> block";
-
-#if !defined(__OpenBSD__)
- printf("%s initialized. Default = %s all, Logging = %s\n",
- ipfilter_version, defpass,
-# ifdef IPFILTER_LOG
- "enabled");
-# else
- "disabled");
-# endif
-#endif
-
-#ifdef _KERNEL
-# if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
- callout_init(&ipfr_slowtimer_ch);
- callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL);
-# else
-# if defined(__OpenBSD__)
- timeout_set(&ipfr_slowtimer_ch, ipfr_slowtimer, NULL);
- timeout_add(&ipfr_slowtimer_ch, hz / 2);
-# else
-# if (__FreeBSD_version >= 300000) || defined(__sgi)
- ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
-# else
- timeout(ipfr_slowtimer, NULL, hz/2);
-# endif
-# endif
-# endif
-#endif
- return 0;
-}
-
-
-/*
- * Disable the filter by removing the hooks from the IP input/output
- * stream.
- */
-int ipldetach()
-{
- int s, i = FR_INQUE|FR_OUTQUE;
-#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)
- int error = 0;
-#endif
-
-#ifdef _KERNEL
-# if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
- callout_stop(&ipfr_slowtimer_ch);
-# else
-# if defined(__OpenBSD__)
- timeout_del(&ipfr_slowtimer_ch);
-# else
-# if (__FreeBSD_version >= 300000)
- untimeout(ipfr_slowtimer, NULL, ipfr_slowtimer_ch);
-# else
-# ifdef __sgi
- untimeout(ipfr_slowtimer_ch);
-# else
- untimeout(ipfr_slowtimer, NULL);
-# endif
-# endif /* FreeBSD */
-# endif /* OpenBSD */
-# endif /* NetBSD */
-#endif
- SPL_NET(s);
- if (!fr_running)
- {
- printf("IP Filter: not initialized\n");
- SPL_X(s);
- return 0;
- }
-
- printf("%s unloaded\n", ipfilter_version);
-
- fr_checkp = fr_savep;
- i = frflush(IPL_LOGIPF, i);
- fr_running = 0;
-
-# ifdef NETBSD_PF
-# if __NetBSD_Version__ >= 104200000
- error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
- &inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
- if (error) {
- SPL_X(s);
- return error;
- }
-# else
- pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
-# endif
-# ifdef USE_INET6
- error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
- &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
- if (error) {
- SPL_X(s);
- return error;
- }
-# endif
-# endif
-
-# ifdef __sgi
- ipfilter_sgi_detach();
-# endif
-
- appr_unload();
- ipfr_unload();
- ip_natunload();
- fr_stateunload();
- fr_authunload();
-
- SPL_X(s);
- return 0;
-}
-#endif /* _KERNEL */
-
-
-static int frzerostats(data)
-caddr_t data;
-{
- friostat_t fio;
- int error;
-
- fr_getstat(&fio);
- error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
- if (error)
- return EFAULT;
-
- bzero((char *)frstats, sizeof(*frstats) * 2);
-
- return 0;
-}
-
-
-/*
- * Filter ioctl interface.
- */
-#ifdef __sgi
-int IPL_EXTERN(ioctl)(dev_t dev, int cmd, caddr_t data, int mode
-# ifdef _KERNEL
- , cred_t *cp, int *rp
-# endif
-)
-#else
-int IPL_EXTERN(ioctl)(dev, cmd, data, mode
-# if (defined(_KERNEL) && ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || \
- (NetBSD >= 199511) || (__FreeBSD_version >= 220000) || \
- defined(__OpenBSD__)))
-, p)
-struct proc *p;
-# else
-)
-# endif
-dev_t dev;
-# if defined(__NetBSD__) || defined(__OpenBSD__) || \
- (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
-u_long cmd;
-# else
-int cmd;
-# endif
-caddr_t data;
-int mode;
-#endif /* __sgi */
-{
-#if defined(_KERNEL) && !SOLARIS
- int s;
-#endif
- int error = 0, unit = 0, tmp;
-
-#if (BSD >= 199306) && defined(_KERNEL)
- if ((securelevel >= 2) && (mode & FWRITE))
- return EPERM;
-#endif
-#ifdef _KERNEL
- unit = GET_MINOR(dev);
- if ((IPL_LOGMAX < unit) || (unit < 0))
- return ENXIO;
-#else
- unit = dev;
-#endif
-
- SPL_NET(s);
-
- if (unit == IPL_LOGNAT) {
- if (fr_running)
- error = nat_ioctl(data, cmd, mode);
- else
- error = EIO;
- SPL_X(s);
- return error;
- }
- if (unit == IPL_LOGSTATE) {
- if (fr_running)
- error = fr_state_ioctl(data, cmd, mode);
- else
- error = EIO;
- SPL_X(s);
- return error;
- }
- if (unit == IPL_LOGAUTH) {
- if (fr_running)
- error = fr_auth_ioctl(data, cmd, NULL, NULL);
- else
- error = EIO;
- SPL_X(s);
- return error;
- }
-
- switch (cmd) {
- case FIONREAD :
-#ifdef IPFILTER_LOG
- error = IWCOPY((caddr_t)&iplused[IPL_LOGIPF], (caddr_t)data,
- sizeof(iplused[IPL_LOGIPF]));
-#endif
- break;
-#if !defined(IPFILTER_LKM) && defined(_KERNEL)
- case SIOCFRENB :
- {
- u_int enable;
-
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- error = IRCOPY(data, (caddr_t)&enable, sizeof(enable));
- if (error)
- break;
- if (enable)
- error = iplattach();
- else
- error = ipldetach();
- }
- break;
- }
-#endif
- case SIOCSETFF :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = IRCOPY(data, (caddr_t)&fr_flags,
- sizeof(fr_flags));
- break;
- case SIOCGETFF :
- error = IWCOPY((caddr_t)&fr_flags, data, sizeof(fr_flags));
- break;
- case SIOCINAFR :
- case SIOCRMAFR :
- case SIOCADAFR :
- case SIOCZRLST :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frrequest(unit, cmd, data, fr_active);
- break;
- case SIOCINIFR :
- case SIOCRMIFR :
- case SIOCADIFR :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frrequest(unit, cmd, data, 1 - fr_active);
- break;
- case SIOCSWAPA :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
- *(u_int *)data = fr_active;
- fr_active = 1 - fr_active;
- }
- break;
- case SIOCGETFS :
- {
- friostat_t fio;
-
- fr_getstat(&fio);
- error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
- if (error)
- error = EFAULT;
- break;
- }
- case SIOCFRZST :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- error = frzerostats(data);
- break;
- case SIOCIPFFL :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
- if (!error) {
- tmp = frflush(unit, tmp);
- error = IWCOPY((caddr_t)&tmp, data,
- sizeof(tmp));
- }
- }
- break;
- case SIOCSTLCK :
- error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
- if (!error) {
- fr_state_lock = tmp;
- fr_nat_lock = tmp;
- fr_frag_lock = tmp;
- fr_auth_lock = tmp;
- } else
- error = EFAULT;
- break;
-#ifdef IPFILTER_LOG
- case SIOCIPFFB :
- if (!(mode & FWRITE))
- error = EPERM;
- else
- *(int *)data = ipflog_clear(unit);
- break;
-#endif /* IPFILTER_LOG */
- case SIOCGFRST :
- error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data,
- sizeof(ipfrstat_t));
- if (error)
- error = EFAULT;
- break;
- case SIOCAUTHW :
- case SIOCAUTHR :
- if (!(mode & FWRITE)) {
- error = EPERM;
- break;
- }
- case SIOCFRSYN :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
-#if defined(_KERNEL) && defined(__sgi)
- ipfsync();
-#endif
- frsync();
- }
- break;
- default :
- error = EINVAL;
- break;
- }
- SPL_X(s);
- return error;
-}
-
-
-void fr_forgetifp(ifp)
-void *ifp;
-{
- register frentry_t *f;
-
- WRITE_ENTER(&ipf_mutex);
- for (f = ipacct[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipacct[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
-#ifdef USE_INET6
- for (f = ipacct6[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipacct6[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter6[0][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
- for (f = ipfilter6[1][fr_active]; (f != NULL); f = f->fr_next)
- if (f->fr_ifa == ifp)
- f->fr_ifa = (void *)-1;
-#endif
- RWLOCK_EXIT(&ipf_mutex);
- ip_natsync(ifp);
-}
-
-
-static int frrequest(unit, req, data, set)
-int unit;
-#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
-u_long req;
-#else
-int req;
-#endif
-int set;
-caddr_t data;
-{
- register frentry_t *fp, *f, **fprev;
- register frentry_t **ftail;
- frentry_t frd;
- frdest_t *fdp;
- frgroup_t *fg = NULL;
- u_int *p, *pp;
- int error = 0, in;
- u_int group;
-
- fp = &frd;
- error = IRCOPYPTR(data, (caddr_t)fp, sizeof(*fp));
- if (error)
- return EFAULT;
- fp->fr_ref = 0;
-#if (BSD >= 199306) && defined(_KERNEL)
- if ((securelevel > 0) && (fp->fr_func != NULL))
- return EPERM;
-#endif
-
- /*
- * Check that the group number does exist and that if a head group
- * has been specified, doesn't exist.
- */
- if ((req != SIOCZRLST) && fp->fr_grhead &&
- fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL))
- return EEXIST;
- if ((req != SIOCZRLST) && fp->fr_group &&
- !fr_findgroup((u_int)fp->fr_group, fp->fr_flags, unit, set, NULL))
- return ESRCH;
-
- in = (fp->fr_flags & FR_INQUE) ? 0 : 1;
-
- if (unit == IPL_LOGAUTH)
- ftail = fprev = &ipauth;
- else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 4))
- ftail = fprev = &ipacct[in][set];
- else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 4))
- ftail = fprev = &ipfilter[in][set];
-#ifdef USE_INET6
- else if ((fp->fr_flags & FR_ACCOUNT) && (fp->fr_v == 6))
- ftail = fprev = &ipacct6[in][set];
- else if ((fp->fr_flags & (FR_OUTQUE|FR_INQUE)) && (fp->fr_v == 6))
- ftail = fprev = &ipfilter6[in][set];
-#endif
- else
- return ESRCH;
-
- if ((group = fp->fr_group)) {
- if (!(fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL)))
- return ESRCH;
- ftail = fprev = fg->fg_start;
- }
-
- bzero((char *)frcache, sizeof(frcache[0]) * 2);
-
- if (*fp->fr_ifname) {
- fp->fr_ifa = GETUNIT(fp->fr_ifname, fp->fr_v);
- if (!fp->fr_ifa)
- fp->fr_ifa = (void *)-1;
- }
-#if BSD >= 199306
- if (*fp->fr_oifname) {
- fp->fr_oifa = GETUNIT(fp->fr_oifname, fp->fr_v);
- if (!fp->fr_oifa)
- fp->fr_oifa = (void *)-1;
- }
-#endif
-
- fdp = &fp->fr_dif;
- fp->fr_flags &= ~FR_DUP;
- if (*fdp->fd_ifname) {
- fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_v);
- if (!fdp->fd_ifp)
- fdp->fd_ifp = (struct ifnet *)-1;
- else
- fp->fr_flags |= FR_DUP;
- }
-
- fdp = &fp->fr_tif;
- if (*fdp->fd_ifname) {
- fdp->fd_ifp = GETUNIT(fdp->fd_ifname, fp->fr_v);
- if (!fdp->fd_ifp)
- fdp->fd_ifp = (struct ifnet *)-1;
- }
-
- /*
- * Look for a matching filter rule, but don't include the next or
- * interface pointer in the comparison (fr_next, fr_ifa).
- */
- for (fp->fr_cksum = 0, p = (u_int *)&fp->fr_ip, pp = &fp->fr_cksum;
- p < pp; p++)
- fp->fr_cksum += *p;
-
- for (; (f = *ftail); ftail = &f->fr_next)
- if ((fp->fr_cksum == f->fr_cksum) &&
- !bcmp((char *)&f->fr_ip, (char *)&fp->fr_ip, FR_CMPSIZ))
- break;
-
- /*
- * If zero'ing statistics, copy current to caller and zero.
- */
- if (req == SIOCZRLST) {
- if (!f)
- return ESRCH;
- error = IWCOPYPTR((caddr_t)f, data, sizeof(*f));
- if (error)
- return EFAULT;
- f->fr_hits = 0;
- f->fr_bytes = 0;
- return 0;
- }
-
- if (!f) {
- if (req != SIOCINAFR && req != SIOCINIFR)
- while ((f = *ftail))
- ftail = &f->fr_next;
- else {
- if (fp->fr_hits) {
- ftail = fprev;
- while (--fp->fr_hits && (f = *ftail))
- ftail = &f->fr_next;
- }
- f = NULL;
- }
- }
-
- if (req == SIOCRMAFR || req == SIOCRMIFR) {
- if (!f)
- error = ESRCH;
- else {
- /*
- * Only return EBUSY if there is a group list, else
- * it's probably just state information referencing
- * the rule.
- */
- if ((f->fr_ref > 1) && f->fr_grp)
- return EBUSY;
- if (fg && fg->fg_head)
- fg->fg_head->fr_ref--;
- if (unit == IPL_LOGAUTH)
- return fr_auth_ioctl(data, req, f, ftail);
- if (f->fr_grhead)
- fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
- unit, set);
- fixskip(fprev, f, -1);
- *ftail = f->fr_next;
- f->fr_next = NULL;
- if (f->fr_ref == 0)
- KFREE(f);
- }
- } else {
- if (f)
- error = EEXIST;
- else {
- if (unit == IPL_LOGAUTH)
- return fr_auth_ioctl(data, req, fp, ftail);
- KMALLOC(f, frentry_t *);
- if (f != NULL) {
- if (fg && fg->fg_head)
- fg->fg_head->fr_ref++;
- bcopy((char *)fp, (char *)f, sizeof(*f));
- f->fr_ref = 1;
- f->fr_hits = 0;
- f->fr_next = *ftail;
- *ftail = f;
- if (req == SIOCINIFR || req == SIOCINAFR)
- fixskip(fprev, f, 1);
- f->fr_grp = NULL;
- if ((group = f->fr_grhead))
- fg = fr_addgroup(group, f, unit, set);
- } else
- error = ENOMEM;
- }
- }
- return (error);
-}
-
-
-#ifdef _KERNEL
-/*
- * routines below for saving IP headers to buffer
- */
-# ifdef __sgi
-# ifdef _KERNEL
-int IPL_EXTERN(open)(dev_t *pdev, int flags, int devtype, cred_t *cp)
-# else
-int IPL_EXTERN(open)(dev_t dev, int flags)
-# endif
-# else
-int IPL_EXTERN(open)(dev, flags
-# if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
- (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL)
-, devtype, p)
-int devtype;
-struct proc *p;
-# else
-)
-# endif
-dev_t dev;
-int flags;
-# endif /* __sgi */
-{
-# if defined(__sgi) && defined(_KERNEL)
- u_int min = geteminor(*pdev);
-# else
- u_int min = GET_MINOR(dev);
-# endif
-
- if (IPL_LOGMAX < min)
- min = ENXIO;
- else
- min = 0;
- return min;
-}
-
-
-# ifdef __sgi
-int IPL_EXTERN(close)(dev_t dev, int flags, int devtype, cred_t *cp)
-#else
-int IPL_EXTERN(close)(dev, flags
-# if ((_BSDI_VERSION >= 199510) || (BSD >= 199506) || (NetBSD >= 199511) || \
- (__FreeBSD_version >= 220000) || defined(__OpenBSD__)) && defined(_KERNEL)
-, devtype, p)
-int devtype;
-struct proc *p;
-# else
-)
-# endif
-dev_t dev;
-int flags;
-# endif /* __sgi */
-{
- u_int min = GET_MINOR(dev);
-
- if (IPL_LOGMAX < min)
- min = ENXIO;
- else
- min = 0;
- return min;
-}
-
-/*
- * iplread/ipllog
- * both of these must operate with at least splnet() lest they be
- * called during packet processing and cause an inconsistancy to appear in
- * the filter lists.
- */
-# ifdef __sgi
-int IPL_EXTERN(read)(dev_t dev, uio_t *uio, cred_t *crp)
-# else
-# if BSD >= 199306
-int IPL_EXTERN(read)(dev, uio, ioflag)
-int ioflag;
-# else
-int IPL_EXTERN(read)(dev, uio)
-# endif
-dev_t dev;
-register struct uio *uio;
-# endif /* __sgi */
-{
-# ifdef IPFILTER_LOG
- return ipflog_read(GET_MINOR(dev), uio);
-# else
- return ENXIO;
-# endif
-}
-
-
-/*
- * send_reset - this could conceivably be a call to tcp_respond(), but that
- * requires a large amount of setting up and isn't any more efficient.
- */
-int send_reset(oip, fin)
-struct ip *oip;
-fr_info_t *fin;
-{
- struct tcphdr *tcp, *tcp2;
- int tlen = 0, hlen;
- struct mbuf *m;
-#ifdef USE_INET6
- ip6_t *ip6, *oip6 = (ip6_t *)oip;
-#endif
- ip_t *ip;
-
- tcp = (struct tcphdr *)fin->fin_dp;
- if (tcp->th_flags & TH_RST)
- return -1; /* feedback loop */
-# if (BSD < 199306) || defined(__sgi)
- m = m_get(M_DONTWAIT, MT_HEADER);
-# else
- m = m_gethdr(M_DONTWAIT, MT_HEADER);
-# endif
- if (m == NULL)
- return ENOBUFS;
- if (m == NULL)
- return -1;
-
- tlen = oip->ip_len - fin->fin_hlen - (tcp->th_off << 2) +
- ((tcp->th_flags & TH_SYN) ? 1 : 0) +
- ((tcp->th_flags & TH_FIN) ? 1 : 0);
-
-#ifdef USE_INET6
- hlen = (fin->fin_v == 6) ? sizeof(ip6_t) : sizeof(ip_t);
-#else
- hlen = sizeof(ip_t);
-#endif
- m->m_len = sizeof(*tcp2) + hlen;
-# if BSD >= 199306
- m->m_data += max_linkhdr;
- m->m_pkthdr.len = m->m_len;
- m->m_pkthdr.rcvif = (struct ifnet *)0;
-# endif
- ip = mtod(m, struct ip *);
-# ifdef USE_INET6
- ip6 = (ip6_t *)ip;
-# endif
- bzero((char *)ip, sizeof(*tcp2) + hlen);
- tcp2 = (struct tcphdr *)((char *)ip + hlen);
-
- tcp2->th_sport = tcp->th_dport;
- tcp2->th_dport = tcp->th_sport;
- if (tcp->th_flags & TH_ACK) {
- tcp2->th_seq = tcp->th_ack;
- tcp2->th_flags = TH_RST;
- } else {
- tcp2->th_ack = ntohl(tcp->th_seq);
- tcp2->th_ack += tlen;
- tcp2->th_ack = htonl(tcp2->th_ack);
- tcp2->th_flags = TH_RST|TH_ACK;
- }
- tcp2->th_off = sizeof(*tcp2) >> 2;
-# ifdef USE_INET6
- if (fin->fin_v == 6) {
- ip6->ip6_plen = htons(sizeof(struct tcphdr));
- ip6->ip6_nxt = IPPROTO_TCP;
- ip6->ip6_src = oip6->ip6_dst;
- ip6->ip6_dst = oip6->ip6_src;
- tcp2->th_sum = in6_cksum(m, IPPROTO_TCP,
- sizeof(*ip6), sizeof(*tcp2));
- return send_ip(oip, fin, m);
- }
-# endif
- ip->ip_p = IPPROTO_TCP;
- ip->ip_len = htons(sizeof(struct tcphdr));
- ip->ip_src.s_addr = oip->ip_dst.s_addr;
- ip->ip_dst.s_addr = oip->ip_src.s_addr;
- tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2));
- ip->ip_len = hlen + sizeof(*tcp2);
- return send_ip(oip, fin, m);
-}
-
-
-static int send_ip(oip, fin, m)
-ip_t *oip;
-fr_info_t *fin;
-struct mbuf *m;
-{
- ip_t *ip;
-
- ip = mtod(m, ip_t *);
-
- ip->ip_v = fin->fin_v;
- if (ip->ip_v == 4) {
- ip->ip_hl = (sizeof(*oip) >> 2);
- ip->ip_v = IPVERSION;
- ip->ip_tos = oip->ip_tos;
- ip->ip_id = oip->ip_id;
- ip->ip_off = 0;
-# if (BSD < 199306) || defined(__sgi)
- ip->ip_ttl = tcp_ttl;
-# else
- ip->ip_ttl = ip_defttl;
-# endif
- ip->ip_sum = 0;
- }
-# ifdef USE_INET6
- else if (ip->ip_v == 6) {
- ip6_t *ip6 = (ip6_t *)ip;
-
- ip6->ip6_hlim = 127;
-
- return ip6_output(m, NULL, NULL, 0, NULL, NULL);
- }
-# endif
-# ifdef IPSEC
- m->m_pkthdr.rcvif = NULL;
-# endif
- return ipfr_fastroute(m, fin, NULL);
-}
-
-
-int send_icmp_err(oip, type, fin, dst)
-ip_t *oip;
-int type;
-fr_info_t *fin;
-int dst;
-{
- int err, hlen = 0, xtra = 0, iclen, ohlen = 0, avail, code;
- struct in_addr dst4;
- struct icmp *icmp;
- struct mbuf *m;
- void *ifp;
-#ifdef USE_INET6
- ip6_t *ip6, *oip6 = (ip6_t *)oip;
- struct in6_addr dst6;
-#endif
- ip_t *ip;
-
- if ((type < 0) || (type > ICMP_MAXTYPE))
- return -1;
-
- code = fin->fin_icode;
-#ifdef USE_INET6
- if ((code < 0) || (code > sizeof(icmptoicmp6unreach)/sizeof(int)))
- return -1;
-#endif
-
- avail = 0;
- m = NULL;
- ifp = fin->fin_ifp;
- if (fin->fin_v == 4) {
- if ((oip->ip_p == IPPROTO_ICMP) &&
- !(fin->fin_fi.fi_fl & FI_SHORT))
- switch (ntohs(fin->fin_data[0]) >> 8)
- {
- case ICMP_ECHO :
- case ICMP_TSTAMP :
- case ICMP_IREQ :
- case ICMP_MASKREQ :
- break;
- default :
- return 0;
- }
-
-# if (BSD < 199306) || defined(__sgi)
- avail = MLEN;
- m = m_get(M_DONTWAIT, MT_HEADER);
-# else
- avail = MHLEN;
- m = m_gethdr(M_DONTWAIT, MT_HEADER);
-# endif
- if (m == NULL)
- return ENOBUFS;
-
- if (dst == 0) {
- if (fr_ifpaddr(4, ifp, &dst4) == -1)
- return -1;
- } else
- dst4.s_addr = oip->ip_dst.s_addr;
-
- hlen = sizeof(ip_t);
- ohlen = oip->ip_hl << 2;
- xtra = 8;
- }
-
-#ifdef USE_INET6
- else if (fin->fin_v == 6) {
- hlen = sizeof(ip6_t);
- ohlen = sizeof(ip6_t);
- type = icmptoicmp6types[type];
- if (type == ICMP6_DST_UNREACH)
- code = icmptoicmp6unreach[code];
-
- MGETHDR(m, M_DONTWAIT, MT_HEADER);
- if (!m)
- return ENOBUFS;
-
- MCLGET(m, M_DONTWAIT);
- if ((m->m_flags & M_EXT) == 0) {
- m_freem(m);
- return ENOBUFS;
- }
-# ifdef M_TRAILINGSPACE
- m->m_len = 0;
- avail = M_TRAILINGSPACE(m);
-# else
- avail = (m->m_flags & M_EXT) ? MCLBYTES : MHLEN;
-# endif
- xtra = MIN(ntohs(oip6->ip6_plen) + sizeof(ip6_t),
- avail - hlen - sizeof(*icmp) - max_linkhdr);
- if (dst == 0) {
- if (fr_ifpaddr(6, ifp, (struct in_addr *)&dst6) == -1)
- return -1;
- } else
- dst6 = oip6->ip6_dst;
- }
-#endif
-
- iclen = hlen + sizeof(*icmp);
-# if BSD >= 199306
- avail -= (max_linkhdr + iclen);
- m->m_data += max_linkhdr;
- m->m_pkthdr.rcvif = (struct ifnet *)0;
- if (xtra > avail)
- xtra = avail;
- iclen += xtra;
- m->m_pkthdr.len = iclen;
-#else
- avail -= (m->m_off + iclen);
- if (xtra > avail)
- xtra = avail;
- iclen += xtra;
-#endif
- m->m_len = iclen;
- ip = mtod(m, ip_t *);
- icmp = (struct icmp *)((char *)ip + hlen);
- bzero((char *)ip, iclen);
-
- icmp->icmp_type = type;
- icmp->icmp_code = fin->fin_icode;
- icmp->icmp_cksum = 0;
-#ifdef icmp_nextmtu
- if (type == ICMP_UNREACH &&
- fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp)
- icmp->icmp_nextmtu = htons(((struct ifnet *) ifp)->if_mtu);
-#endif
-
- if (avail) {
- bcopy((char *)oip, (char *)&icmp->icmp_ip, MIN(ohlen, avail));
- avail -= MIN(ohlen, avail);
- }
-
-#ifdef USE_INET6
- ip6 = (ip6_t *)ip;
- if (fin->fin_v == 6) {
- ip6->ip6_flow = 0;
- ip6->ip6_plen = htons(iclen - hlen);
- ip6->ip6_nxt = IPPROTO_ICMPV6;
- ip6->ip6_hlim = 0;
- ip6->ip6_src = dst6;
- ip6->ip6_dst = oip6->ip6_src;
- if (avail)
- bcopy((char *)oip + ohlen,
- (char *)&icmp->icmp_ip + ohlen, avail);
- icmp->icmp_cksum = in6_cksum(m, IPPROTO_ICMPV6,
- sizeof(*ip6), iclen - hlen);
- } else
-#endif
- {
- ip->ip_src.s_addr = dst4.s_addr;
- ip->ip_dst.s_addr = oip->ip_src.s_addr;
-
- if (avail > 8)
- avail = 8;
- if (avail)
- bcopy((char *)oip + ohlen,
- (char *)&icmp->icmp_ip + ohlen, avail);
- icmp->icmp_cksum = ipf_cksum((u_short *)icmp,
- sizeof(*icmp) + 8);
- ip->ip_len = iclen;
- ip->ip_p = IPPROTO_ICMP;
- }
- err = send_ip(oip, fin, m);
- return err;
-}
-
-
-# if !defined(IPFILTER_LKM) && (__FreeBSD_version < 300000) && !defined(__sgi)
-# if (BSD < 199306)
-int iplinit __P((void));
-
-int
-# else
-void iplinit __P((void));
-
-void
-# endif
-iplinit()
-{
- if (iplattach() != 0)
- printf("IP Filter failed to attach\n");
- ip_init();
-}
-# endif /* ! __NetBSD__ */
-
-
-size_t mbufchainlen(m0)
-register struct mbuf *m0;
-{
- register size_t len = 0;
-
- for (; m0; m0 = m0->m_next)
- len += m0->m_len;
- return len;
-}
-
-
-int ipfr_fastroute(m0, fin, fdp)
-struct mbuf *m0;
-fr_info_t *fin;
-frdest_t *fdp;
-{
- register struct ip *ip, *mhip;
- register struct mbuf *m = m0;
- register struct route *ro;
- int len, off, error = 0, hlen, code;
- struct ifnet *ifp, *sifp;
- struct sockaddr_in *dst;
- struct route iproute;
- frentry_t *fr;
-
- hlen = fin->fin_hlen;
- ip = mtod(m0, struct ip *);
-
-#ifdef USE_INET6
- if (ip->ip_v == 6) {
- /*
- * currently "to <if>" and "to <if>:ip#" are not supported
- * for IPv6
- */
- return ip6_output(m0, NULL, NULL, 0, NULL, NULL);
- }
-#endif
- /*
- * Route packet.
- */
- ro = &iproute;
- bzero((caddr_t)ro, sizeof (*ro));
- dst = (struct sockaddr_in *)&ro->ro_dst;
- dst->sin_family = AF_INET;
-
- fr = fin->fin_fr;
- if (fdp)
- ifp = fdp->fd_ifp;
- else {
- ifp = fin->fin_ifp;
- dst->sin_addr = ip->ip_dst;
- }
-
- /*
- * In case we're here due to "to <if>" being used with "keep state",
- * check that we're going in the correct direction.
- */
- if ((fr != NULL) && (fin->fin_rev != 0)) {
- if ((ifp != NULL) && (fdp == &fr->fr_tif))
- return -1;
- dst->sin_addr = ip->ip_dst;
- } else if (fdp) {
- if (fdp->fd_ip.s_addr) {
- dst->sin_addr = fdp->fd_ip;
- ip->ip_dst = fdp->fd_ip;
- } else
- dst->sin_addr = ip->ip_dst;
- }
-
-# if BSD >= 199306
- dst->sin_len = sizeof(*dst);
-# endif
-# if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) && \
- !defined(__OpenBSD__)
-# ifdef RTF_CLONING
- rtalloc_ign(ro, RTF_CLONING);
-# else
- rtalloc_ign(ro, RTF_PRCLONING);
-# endif
-# else
- rtalloc(ro);
-# endif
- if (!ifp) {
- if (!fr || !(fr->fr_flags & FR_FASTROUTE)) {
- error = -2;
- goto bad;
- }
- if (ro->ro_rt == 0 || (ifp = ro->ro_rt->rt_ifp) == 0) {
- if (in_localaddr(ip->ip_dst))
- error = EHOSTUNREACH;
- else
- error = ENETUNREACH;
- goto bad;
- }
- if (ro->ro_rt->rt_flags & RTF_GATEWAY)
- dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway;
- }
- if (ro->ro_rt)
- ro->ro_rt->rt_use++;
-
- /*
- * For input packets which are being "fastrouted", they won't
- * go back through output filtering and miss their chance to get
- * NAT'd and counted.
- */
- fin->fin_ifp = ifp;
- if (fin->fin_out == 0) {
- fin->fin_out = 1;
- if ((fin->fin_fr = ipacct[1][fr_active]) &&
- (fr_scanlist(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) {
- ATOMIC_INCL(frstats[1].fr_acct);
- }
- fin->fin_fr = NULL;
- if (!fr || !(fr->fr_flags & FR_RETMASK))
- (void) fr_checkstate(ip, fin);
- (void) ip_natout(ip, fin);
- } else
- ip->ip_sum = 0;
- /*
- * If small enough for interface, can just send directly.
- */
- if (ip->ip_len <= ifp->if_mtu) {
-# if BSD >= 199306
- int i = 0;
-
-# ifdef MCLISREFERENCED
- if ((m->m_flags & M_EXT) && MCLISREFERENCED(m))
-# else
- if (m->m_flags & M_EXT)
-# endif
- i = 1;
-# endif
- ip->ip_id = htons(ip->ip_id);
- ip->ip_len = htons(ip->ip_len);
- ip->ip_off = htons(ip->ip_off);
- if (!ip->ip_sum)
- ip->ip_sum = in_cksum(m, hlen);
-# if BSD >= 199306
- error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
- ro->ro_rt);
- if (i) {
- ip->ip_id = ntohs(ip->ip_id);
- ip->ip_len = ntohs(ip->ip_len);
- ip->ip_off = ntohs(ip->ip_off);
- }
-# else
- error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst);
-# endif
- goto done;
- }
- /*
- * Too large for interface; fragment if possible.
- * Must be able to put at least 8 bytes per fragment.
- */
- if (ip->ip_off & IP_DF) {
- error = EMSGSIZE;
- goto bad;
- }
- len = (ifp->if_mtu - hlen) &~ 7;
- if (len < 8) {
- error = EMSGSIZE;
- goto bad;
- }
-
- {
- int mhlen, firstlen = len;
- struct mbuf **mnext = &m->m_act;
-
- /*
- * Loop through length of segment after first fragment,
- * make new header and copy data of each part and link onto chain.
- */
- m0 = m;
- mhlen = sizeof (struct ip);
- for (off = hlen + len; off < ip->ip_len; off += len) {
-# ifdef MGETHDR
- MGETHDR(m, M_DONTWAIT, MT_HEADER);
-# else
- MGET(m, M_DONTWAIT, MT_HEADER);
-# endif
- if (m == 0) {
- error = ENOBUFS;
- goto bad;
- }
-# if BSD >= 199306
- m->m_data += max_linkhdr;
-# else
- m->m_off = MMAXOFF - hlen;
-# endif
- mhip = mtod(m, struct ip *);
- bcopy((char *)ip, (char *)mhip, sizeof(*ip));
- if (hlen > sizeof (struct ip)) {
- mhlen = ip_optcopy(ip, mhip) + sizeof (struct ip);
- mhip->ip_hl = mhlen >> 2;
- }
- m->m_len = mhlen;
- mhip->ip_off = ((off - hlen) >> 3) + (ip->ip_off & ~IP_MF);
- if (ip->ip_off & IP_MF)
- mhip->ip_off |= IP_MF;
- if (off + len >= ip->ip_len)
- len = ip->ip_len - off;
- else
- mhip->ip_off |= IP_MF;
- mhip->ip_len = htons((u_short)(len + mhlen));
- m->m_next = m_copy(m0, off, len);
- if (m->m_next == 0) {
- error = ENOBUFS; /* ??? */
- goto sendorfree;
- }
-# if BSD >= 199306
- m->m_pkthdr.len = mhlen + len;
- m->m_pkthdr.rcvif = NULL;
-# endif
- mhip->ip_off = htons((u_short)mhip->ip_off);
- mhip->ip_sum = 0;
- mhip->ip_sum = in_cksum(m, mhlen);
- *mnext = m;
- mnext = &m->m_act;
- }
- /*
- * Update first fragment by trimming what's been copied out
- * and updating header, then send each fragment (in order).
- */
- m_adj(m0, hlen + firstlen - ip->ip_len);
- ip->ip_len = htons((u_short)(hlen + firstlen));
- ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
- ip->ip_sum = 0;
- ip->ip_sum = in_cksum(m0, hlen);
-sendorfree:
- for (m = m0; m; m = m0) {
- m0 = m->m_act;
- m->m_act = 0;
- if (error == 0)
-# if BSD >= 199306
- error = (*ifp->if_output)(ifp, m,
- (struct sockaddr *)dst, ro->ro_rt);
-# else
- error = (*ifp->if_output)(ifp, m,
- (struct sockaddr *)dst);
-# endif
- else
- m_freem(m);
- }
- }
-done:
- if (!error)
- ipl_frouteok[0]++;
- else
- ipl_frouteok[1]++;
-
- if (ro->ro_rt)
- RTFREE(ro->ro_rt);
- return 0;
-bad:
- if (error == EMSGSIZE) {
- sifp = fin->fin_ifp;
- code = fin->fin_icode;
- fin->fin_icode = ICMP_UNREACH_NEEDFRAG;
- fin->fin_ifp = ifp;
- (void) send_icmp_err(ip, ICMP_UNREACH, fin, 1);
- fin->fin_ifp = sifp;
- fin->fin_icode = code;
- }
- m_freem(m);
- goto done;
-}
-
-
-int fr_verifysrc(ipa, ifp)
-struct in_addr ipa;
-void *ifp;
-{
- struct sockaddr_in *dst;
- struct route iproute;
-
- bzero((char *)&iproute, sizeof(iproute));
- dst = (struct sockaddr_in *)&iproute.ro_dst;
- dst->sin_family = AF_INET;
- dst->sin_addr = ipa;
-# if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) && \
- !defined(__OpenBSD__)
-# ifdef RTF_CLONING
- rtalloc_ign(&iproute, RTF_CLONING);
-# else
- rtalloc_ign(&iproute, RTF_PRCLONING);
-# endif
-# else
- rtalloc(&iproute);
-# endif
- if (iproute.ro_rt == NULL)
- return 0;
- return (ifp == iproute.ro_rt->rt_ifp);
-}
-
-#else /* #ifdef _KERNEL */
-
-
-# ifdef __sgi
-static int no_output __P((struct ifnet *ifp, struct mbuf *m,
- struct sockaddr *s))
-# else
-static int no_output __P((struct ifnet *ifp, struct mbuf *m,
- struct sockaddr *s, struct rtentry *rt))
-# endif
-{
- return 0;
-}
-
-
-# ifdef __STDC__
-# ifdef __sgi
-static int write_output __P((struct ifnet *ifp, struct mbuf *m,
- struct sockaddr *s))
-# else
-static int write_output __P((struct ifnet *ifp, struct mbuf *m,
- struct sockaddr *s, struct rtentry *rt))
-# endif
-{
- ip_t *ip = (ip_t *)m;
-# else
-static int write_output(ifp, ip)
-struct ifnet *ifp;
-ip_t *ip;
-{
-# endif
- char fname[32];
- FILE *fp;
-
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))
-# if defined __OpenBSD__
- sprintf(fname, "/var/run/%s", ifp->if_xname);
-# else
- sprintf(fname, "/tmp/%s", ifp->if_xname);
-# endif
-# else
- sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
-# endif
- /*
- * XXX
- * This is still raceable, if the attacker gains the ability to
- * erase the existing file in /tmp
- */
- if ((fp = fopen(fname, "a"))) {
- fwrite((char *)ip, ntohs(ip->ip_len), 1, fp);
- fclose(fp);
- }
- return 0;
-}
-
-
-struct ifnet *get_unit(name, v)
-char *name;
-int v;
-{
- struct ifnet *ifp, **ifa, **nifneta;
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))
- for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
- if (!strcmp(name, ifp->if_xname))
- return ifp;
- }
-# else
- char ifname[32], *s;
-
- for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
- (void) sprintf(ifname, "%s%d", ifp->if_name, ifp->if_unit);
- if (!strcmp(name, ifname))
- return ifp;
- }
-# endif
-
- if (!ifneta) {
- ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2);
- if (!ifneta)
- return NULL;
- ifneta[1] = NULL;
- ifneta[0] = (struct ifnet *)calloc(1, sizeof(*ifp));
- if (!ifneta[0]) {
- free(ifneta);
- return NULL;
- }
- nifs = 1;
- } else {
- nifs++;
- nifneta = (struct ifnet **)realloc(ifneta,
- (nifs + 1) * sizeof(*ifa));
- if (!nifneta) {
- nifs = 0;
- free(ifneta);
- return NULL;
- }
- ifneta = nifneta;
- ifneta[nifs] = NULL;
- ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp));
- if (!ifneta[nifs - 1]) {
- nifs--;
- return NULL;
- }
- }
- ifp = ifneta[nifs - 1];
-
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))
- strncpy(ifp->if_xname, name, sizeof(ifp->if_xname));
-# else
- for (s = name; *s && !isdigit(*s); s++)
- ;
- if (*s && isdigit(*s)) {
- ifp->if_unit = atoi(s);
- ifp->if_name = (char *)malloc(s - name + 1);
- strncpy(ifp->if_name, name, s - name);
- ifp->if_name[s - name] = '\0';
- } else {
- ifp->if_name = strdup(name);
- ifp->if_unit = -1;
- }
-# endif
- ifp->if_output = no_output;
- return ifp;
-}
-
-
-
-void init_ifp()
-{
- struct ifnet *ifp, **ifa;
- char fname[32];
- int fd;
-
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))
- for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
- ifp->if_output = write_output;
-# if defined(__OpenBSD__)
- sprintf(fname, "/var/run/%s", ifp->if_xname);
-# else
- sprintf(fname, "/tmp/%s", ifp->if_xname);
-# endif
- fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
- if (fd == -1)
- perror("open");
- else
- close(fd);
- }
-# else
-
- for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
- ifp->if_output = write_output;
- sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
- fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600);
- if (fd == -1)
- perror("open");
- else
- close(fd);
- }
-# endif
-}
-
-
-int ipfr_fastroute(ip, fin, fdp)
-ip_t *ip;
-fr_info_t *fin;
-frdest_t *fdp;
-{
- struct ifnet *ifp = fdp->fd_ifp;
-
- if (!ifp)
- return 0; /* no routing table out here */
-
- ip->ip_len = htons((u_short)ip->ip_len);
- ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
- ip->ip_sum = 0;
-#ifdef __sgi
- (*ifp->if_output)(ifp, (void *)ip, NULL);
-#else
- (*ifp->if_output)(ifp, (void *)ip, NULL, 0);
-#endif
- return 0;
-}
-
-
-int ipllog __P((void))
-{
- verbose("l");
- return 0;
-}
-
-
-int send_reset(ip, ifp)
-ip_t *ip;
-struct ifnet *ifp;
-{
- verbose("- TCP RST sent\n");
- return 0;
-}
-
-
-int icmp_error(ip, ifp)
-ip_t *ip;
-struct ifnet *ifp;
-{
- verbose("- TCP RST sent\n");
- return 0;
-}
-
-
-void frsync()
-{
- return;
-}
-#endif /* _KERNEL */
diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h
deleted file mode 100644
index c7989940004..00000000000
--- a/sys/netinet/ip_fil.h
+++ /dev/null
@@ -1,633 +0,0 @@
-/* $OpenBSD: ip_fil.h,v 1.24 2001/05/08 19:58:01 fgsch Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * @(#)ip_fil.h 1.35 6/5/96
- * $IPFilter: ip_fil.h,v 2.29.2.5 2001/03/20 13:18:05 darrenr Exp $
- */
-
-#ifndef __IP_FIL_H__
-#define __IP_FIL_H__
-
-/*
- * Pathnames for various IP Filter control devices. Used by LKM
- * and userland, so defined here.
- */
-#define IPNAT_NAME "/dev/ipnat"
-#define IPSTATE_NAME "/dev/ipstate"
-#define IPAUTH_NAME "/dev/ipauth"
-
-#ifndef SOLARIS
-# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-
-#if defined(KERNEL) && !defined(_KERNEL)
-# define _KERNEL
-#endif
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-#if defined(__STDC__) || defined(__GNUC__)
-# define SIOCADAFR _IOW('r', 60, struct frentry *)
-# define SIOCRMAFR _IOW('r', 61, struct frentry *)
-# define SIOCSETFF _IOW('r', 62, u_int)
-# define SIOCGETFF _IOR('r', 63, u_int)
-# define SIOCGETFS _IOWR('r', 64, struct friostat *)
-# define SIOCIPFFL _IOWR('r', 65, int)
-# define SIOCIPFFB _IOR('r', 66, int)
-# define SIOCADIFR _IOW('r', 67, struct frentry *)
-# define SIOCRMIFR _IOW('r', 68, struct frentry *)
-# define SIOCSWAPA _IOR('r', 69, u_int)
-# define SIOCINAFR _IOW('r', 70, struct frentry *)
-# define SIOCINIFR _IOW('r', 71, struct frentry *)
-# define SIOCFRENB _IOW('r', 72, u_int)
-# define SIOCFRSYN _IOW('r', 73, u_int)
-# define SIOCFRZST _IOWR('r', 74, struct friostat *)
-# define SIOCZRLST _IOWR('r', 75, struct frentry *)
-# define SIOCAUTHW _IOWR('r', 76, struct fr_info *)
-# define SIOCAUTHR _IOWR('r', 77, struct fr_info *)
-# define SIOCATHST _IOWR('r', 78, struct fr_authstat *)
-# define SIOCSTLCK _IOWR('r', 79, u_int)
-# define SIOCSTPUT _IOWR('r', 80, struct ipstate_save *)
-# define SIOCSTGET _IOWR('r', 81, struct ipstate_save *)
-# define SIOCSTGSZ _IOWR('r', 82, struct natget)
-# define SIOCGFRST _IOWR('r', 83, struct ipfrstat *)
-#else
-# define SIOCADAFR _IOW(r, 60, struct frentry *)
-# define SIOCRMAFR _IOW(r, 61, struct frentry *)
-# define SIOCSETFF _IOW(r, 62, u_int)
-# define SIOCGETFF _IOR(r, 63, u_int)
-# define SIOCGETFS _IOWR(r, 64, struct friostat *)
-# define SIOCIPFFL _IOWR(r, 65, int)
-# define SIOCIPFFB _IOR(r, 66, int)
-# define SIOCADIFR _IOW(r, 67, struct frentry *)
-# define SIOCRMIFR _IOW(r, 68, struct frentry *)
-# define SIOCSWAPA _IOR(r, 69, u_int)
-# define SIOCINAFR _IOW(r, 70, struct frentry *)
-# define SIOCINIFR _IOW(r, 71, struct frentry *)
-# define SIOCFRENB _IOW(r, 72, u_int)
-# define SIOCFRSYN _IOW(r, 73, u_int)
-# define SIOCFRZST _IOWR(r, 74, struct friostat *)
-# define SIOCZRLST _IOWR(r, 75, struct frentry *)
-# define SIOCAUTHW _IOWR(r, 76, struct fr_info *)
-# define SIOCAUTHR _IOWR(r, 77, struct fr_info *)
-# define SIOCATHST _IOWR(r, 78, struct fr_authstat *)
-# define SIOCSTLCK _IOWR(r, 79, u_int)
-# define SIOCSTPUT _IOWR(r, 80, struct ipstate_save *)
-# define SIOCSTGET _IOWR(r, 81, struct ipstate_save *)
-# define SIOCSTGSZ _IOWR(r, 82, struct natget)
-# define SIOCGFRST _IOWR(r, 83, struct ipfrstat *)
-#endif
-#define SIOCADDFR SIOCADAFR
-#define SIOCDELFR SIOCRMAFR
-#define SIOCINSFR SIOCINAFR
-
-
-typedef struct fr_ip {
- u_32_t fi_v:4; /* IP version */
- u_32_t fi_fl:4; /* packet flags */
- u_32_t fi_tos:8; /* IP packet TOS */
- u_32_t fi_ttl:8; /* IP packet TTL */
- u_32_t fi_p:8; /* IP packet protocol */
- union i6addr fi_src; /* source address from packet */
- union i6addr fi_dst; /* destination address from packet */
- u_32_t fi_optmsk; /* bitmask composed from IP options */
- u_short fi_secmsk; /* bitmask composed from IP security options */
- u_short fi_auth; /* authentication code from IP sec. options */
-} fr_ip_t;
-
-#define FI_OPTIONS (FF_OPTIONS >> 24)
-#define FI_TCPUDP (FF_TCPUDP >> 24) /* TCP/UCP implied comparison*/
-#define FI_FRAG (FF_FRAG >> 24)
-#define FI_SHORT (FF_SHORT >> 24)
-#define FI_CMP (FI_OPTIONS|FI_TCPUDP|FI_SHORT)
-
-#define fi_saddr fi_src.in4.s_addr
-#define fi_daddr fi_dst.in4.s_addr
-
-
-/*
- * These are both used by the state and NAT code to indicate that one port or
- * the other should be treated as a wildcard.
- */
-#define FI_W_SPORT 0x00000100
-#define FI_W_DPORT 0x00000200
-#define FI_WILDP (FI_W_SPORT|FI_W_DPORT)
-#define FI_W_SADDR 0x00000400
-#define FI_W_DADDR 0x00000800
-#define FI_WILDA (FI_W_SADDR|FI_W_DADDR)
-#define FI_NEWFR 0x00001000
-
-typedef struct fr_info {
- void *fin_ifp; /* interface packet is `on' */
- struct fr_ip fin_fi; /* IP Packet summary */
- u_short fin_data[2]; /* TCP/UDP ports, ICMP code/type */
- u_char fin_out; /* in or out ? 1 == out, 0 == in */
- u_char fin_rev; /* state only: 1 = reverse */
- u_short fin_hlen; /* length of IP header in bytes */
- u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */
- /* From here on is packet specific */
- u_char fin_icode; /* ICMP error to return */
- u_short fin_rule; /* rule # last matched */
- u_32_t fin_group; /* group number, -1 for none */
- struct frentry *fin_fr; /* last matching rule */
- char *fin_dp; /* start of data past IP header */
- u_short fin_dlen; /* length of data portion of packet */
- u_short fin_id; /* IP packet id field */
- void *fin_mp; /* pointer to pointer to mbuf */
-#if SOLARIS
- void *fin_qfm; /* pointer to mblk where pkt starts */
- void *fin_qif;
-#endif
- u_short fin_plen;
- u_short fin_off;
-} fr_info_t;
-
-#define fin_v fin_fi.fi_v
-
-/*
- * Size for compares on fr_info structures
- */
-#define FI_CSIZE offsetof(fr_info_t, fin_icode)
-
-/*
- * Size for copying cache fr_info structure
- */
-#define FI_COPYSIZE offsetof(fr_info_t, fin_dp)
-
-typedef struct frdest {
- void *fd_ifp;
- struct in_addr fd_ip;
- char fd_ifname[IFNAMSIZ];
-} frdest_t;
-
-typedef struct frpcmp {
- int frp_cmp; /* data for port comparisons */
- u_short frp_port; /* top port for <> and >< */
- u_short frp_top; /* top port for <> and >< */
-} frpcmp_t;
-
-typedef struct frtuc {
- u_char ftu_tcpfm; /* tcp flags mask */
- u_char ftu_tcpf; /* tcp flags */
- frpcmp_t ftu_src;
- frpcmp_t ftu_dst;
-} frtuc_t;
-
-#define ftu_scmp ftu_src.frp_cmp
-#define ftu_dcmp ftu_dst.frp_cmp
-#define ftu_sport ftu_src.frp_port
-#define ftu_dport ftu_dst.frp_port
-#define ftu_stop ftu_src.frp_top
-#define ftu_dtop ftu_dst.frp_top
-
-typedef struct frentry {
- struct frentry *fr_next;
- u_32_t fr_group; /* group to which this rule belongs */
- u_32_t fr_grhead; /* group # which this rule starts */
- struct frentry *fr_grp;
- int fr_ref; /* reference count - for grouping */
- void *fr_ifa;
-#if BSD >= 199306
- void *fr_oifa;
-#endif
- /*
- * These are only incremented when a packet matches this rule and
- * it is the last match
- */
- U_QUAD_T fr_hits;
- U_QUAD_T fr_bytes;
- /*
- * Fields after this may not change whilst in the kernel.
- */
- struct fr_ip fr_ip;
- struct fr_ip fr_mip; /* mask structure */
-
-
- u_short fr_icmpm; /* data for ICMP packets (mask) */
- u_short fr_icmp;
-
- frtuc_t fr_tuc;
- u_32_t fr_flags; /* per-rule flags && options (see below) */
- u_int fr_skip; /* # of rules to skip */
- u_int fr_loglevel; /* syslog log facility + priority */
- int (*fr_func) __P((int, ip_t *, fr_info_t *)); /* call this function */
- int fr_sap; /* For solaris only */
- u_char fr_icode; /* return ICMP code */
- char fr_ifname[IFNAMSIZ];
-#if BSD >= 199306
- char fr_oifname[IFNAMSIZ];
-#endif
- struct frdest fr_tif; /* "to" interface */
- struct frdest fr_dif; /* duplicate packet interfaces */
- u_int fr_cksum; /* checksum on filter rules for performance */
-} frentry_t;
-
-#define fr_v fr_ip.fi_v
-#define fr_proto fr_ip.fi_p
-#define fr_ttl fr_ip.fi_ttl
-#define fr_tos fr_ip.fi_tos
-#define fr_tcpfm fr_tuc.ftu_tcpfm
-#define fr_tcpf fr_tuc.ftu_tcpf
-#define fr_scmp fr_tuc.ftu_scmp
-#define fr_dcmp fr_tuc.ftu_dcmp
-#define fr_dport fr_tuc.ftu_dport
-#define fr_sport fr_tuc.ftu_sport
-#define fr_stop fr_tuc.ftu_stop
-#define fr_dtop fr_tuc.ftu_dtop
-#define fr_dst fr_ip.fi_dst.in4
-#define fr_src fr_ip.fi_src.in4
-#define fr_dmsk fr_mip.fi_dst.in4
-#define fr_smsk fr_mip.fi_src.in4
-
-#ifndef offsetof
-#define offsetof(t,m) (int)((&((t *)0L)->m))
-#endif
-#define FR_CMPSIZ (sizeof(struct frentry) - offsetof(frentry_t, fr_ip))
-
-/*
- * fr_flags
- */
-#define FR_BLOCK 0x00001 /* do not allow packet to pass */
-#define FR_PASS 0x00002 /* allow packet to pass */
-#define FR_OUTQUE 0x00004 /* outgoing packets */
-#define FR_INQUE 0x00008 /* ingoing packets */
-#define FR_LOG 0x00010 /* Log */
-#define FR_LOGB 0x00011 /* Log-fail */
-#define FR_LOGP 0x00012 /* Log-pass */
-#define FR_LOGBODY 0x00020 /* Log the body */
-#define FR_LOGFIRST 0x00040 /* Log the first byte if state held */
-#define FR_RETRST 0x00080 /* Return TCP RST packet - reset connection */
-#define FR_RETICMP 0x00100 /* Return ICMP unreachable packet */
-#define FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
-#define FR_NOMATCH 0x00200 /* no match occured */
-#define FR_ACCOUNT 0x00400 /* count packet bytes */
-#define FR_KEEPFRAG 0x00800 /* keep fragment information */
-#define FR_KEEPSTATE 0x01000 /* keep `connection' state information */
-#define FR_INACTIVE 0x02000
-#define FR_QUICK 0x04000 /* match & stop processing list */
-#define FR_FASTROUTE 0x08000 /* bypass normal routing */
-#define FR_CALLNOW 0x10000 /* call another function (fr_func) if matches */
-#define FR_DUP 0x20000 /* duplicate packet */
-#define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
-#define FR_NOTSRCIP 0x80000 /* not the src IP# */
-#define FR_NOTDSTIP 0x100000 /* not the dst IP# */
-#define FR_AUTH 0x200000 /* use authentication */
-#define FR_PREAUTH 0x400000 /* require preauthentication */
-#define FR_DONTCACHE 0x800000 /* don't cache the result */
-
-#define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB)
-#define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
-
-/*
- * These correspond to #define's for FI_* and are stored in fr_flags
- */
-#define FF_OPTIONS 0x01000000
-#define FF_TCPUDP 0x02000000
-#define FF_FRAG 0x04000000
-#define FF_SHORT 0x08000000
-/*
- * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
- */
-#define FF_LOGPASS 0x10000000
-#define FF_LOGBLOCK 0x20000000
-#define FF_LOGNOMATCH 0x40000000
-#define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
-#define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */
-
-#define FR_NONE 0
-#define FR_EQUAL 1
-#define FR_NEQUAL 2
-#define FR_LESST 3
-#define FR_GREATERT 4
-#define FR_LESSTE 5
-#define FR_GREATERTE 6
-#define FR_OUTRANGE 7
-#define FR_INRANGE 8
-
-typedef struct filterstats {
- u_long fr_pass; /* packets allowed */
- u_long fr_block; /* packets denied */
- u_long fr_nom; /* packets which don't match any rule */
- u_long fr_short; /* packets which are short */
- u_long fr_ppkl; /* packets allowed and logged */
- u_long fr_bpkl; /* packets denied and logged */
- u_long fr_npkl; /* packets unmatched and logged */
- u_long fr_pkl; /* packets logged */
- u_long fr_skip; /* packets to be logged but buffer full */
- u_long fr_ret; /* packets for which a return is sent */
- u_long fr_acct; /* packets for which counting was performed */
- u_long fr_bnfr; /* bad attempts to allocate fragment state */
- u_long fr_nfr; /* new fragment state kept */
- u_long fr_cfr; /* add new fragment state but complete pkt */
- u_long fr_bads; /* bad attempts to allocate packet state */
- u_long fr_ads; /* new packet state kept */
- u_long fr_chit; /* cached hit */
- u_long fr_tcpbad; /* TCP checksum check failures */
- u_long fr_pull[2]; /* good and bad pullup attempts */
- u_long fr_badsrc; /* source received doesn't match route */
- u_long fr_badttl; /* TTL in packet doesn't reach minimum */
-#if SOLARIS
- u_long fr_notdata; /* PROTO/PCPROTO that have no data */
- u_long fr_nodata; /* mblks that have no data */
- u_long fr_bad; /* bad IP packets to the filter */
- u_long fr_notip; /* packets passed through no on ip queue */
- u_long fr_drop; /* packets dropped - no info for them! */
- u_long fr_copy; /* messages copied due to db_ref > 1 */
-#endif
- u_long fr_ipv6[2]; /* IPv6 packets in/out */
-} filterstats_t;
-
-/*
- * For SIOCGETFS
- */
-typedef struct friostat {
- struct filterstats f_st[2];
- struct frentry *f_fin[2];
- struct frentry *f_fout[2];
- struct frentry *f_acctin[2];
- struct frentry *f_acctout[2];
- struct frentry *f_fin6[2];
- struct frentry *f_fout6[2];
- struct frentry *f_acctin6[2];
- struct frentry *f_acctout6[2];
- struct frentry *f_auth;
- struct frgroup *f_groups[3][2];
- u_long f_froute[2];
- int f_defpass; /* default pass - from fr_pass */
- char f_active; /* 1 or 0 - active rule set */
- char f_running; /* 1 if running, else 0 */
- char f_logging; /* 1 if enabled, else 0 */
- char f_version[32]; /* version string */
- int f_locks[4];
-} friostat_t;
-
-typedef struct optlist {
- u_short ol_val;
- int ol_bit;
-} optlist_t;
-
-
-/*
- * Group list structure.
- */
-typedef struct frgroup {
- u_32_t fg_num;
- struct frgroup *fg_next;
- struct frentry *fg_head;
- struct frentry **fg_start;
-} frgroup_t;
-
-
-/*
- * Log structure. Each packet header logged is prepended by one of these.
- * Following this in the log records read from the device will be an ipflog
- * structure which is then followed by any packet data.
- */
-typedef struct iplog {
- u_32_t ipl_magic;
- u_int ipl_count;
- u_long ipl_sec;
- u_long ipl_usec;
- size_t ipl_dsize;
- struct iplog *ipl_next;
-} iplog_t;
-
-#define IPL_MAGIC 0x49504c4d /* 'IPLM' */
-
-typedef struct ipflog {
-#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))
- u_char fl_ifname[IFNAMSIZ];
-#else
- u_int fl_unit;
- u_char fl_ifname[4];
-#endif
- u_char fl_plen; /* extra data after hlen */
- u_char fl_hlen; /* length of IP headers saved */
- u_short fl_loglevel; /* syslog log level */
- u_32_t fl_rule;
- u_32_t fl_group;
- u_32_t fl_flags;
- u_32_t fl_lflags;
-} ipflog_t;
-
-
-#ifndef ICMP_UNREACH_FILTER
-# define ICMP_UNREACH_FILTER 13
-#endif
-
-#ifndef IPF_LOGGING
-# define IPF_LOGGING 0
-#endif
-#ifndef IPF_DEFAULT_PASS
-# define IPF_DEFAULT_PASS FR_PASS
-#endif
-
-#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
-#define IPLLOGSIZE 8192
-
-/*
- * Device filenames for reading log information. Use ipf on Solaris2 because
- * ipl is already a name used by something else.
- */
-#ifndef IPL_NAME
-# if SOLARIS
-# define IPL_NAME "/dev/ipf"
-# else
-# define IPL_NAME "/dev/ipl"
-# endif
-#endif
-#define IPL_NAT IPNAT_NAME
-#define IPL_STATE IPSTATE_NAME
-#define IPL_AUTH IPAUTH_NAME
-
-#define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
-#define IPL_LOGNAT 1
-#define IPL_LOGSTATE 2
-#define IPL_LOGAUTH 3
-#define IPL_LOGMAX 3
-
-#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
- (__FreeBSD_version >= 220000)
-# define CDEV_MAJOR 79
-#endif
-
-/*
- * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
- * on those hooks. We don't need any special mods in non-IP Filter code
- * with this!
- */
-#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
- (defined(NetBSD1_2) && NetBSD1_2 > 1)
-# if (NetBSD >= 199905)
-# define PFIL_HOOKS
-# endif
-# ifdef PFIL_HOOKS
-# define NETBSD_PF
-# endif
-#endif
-
-
-#ifndef _KERNEL
-extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
-extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
-extern int send_reset __P((ip_t *, struct ifnet *));
-extern int icmp_error __P((ip_t *, struct ifnet *));
-extern int ipf_log __P((void));
-extern int ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
-extern struct ifnet *get_unit __P((char *, int));
-# if defined(__NetBSD__) || defined(__OpenBSD__) || \
- (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
-extern int iplioctl __P((dev_t, u_long, caddr_t, int));
-# else
-extern int iplioctl __P((dev_t, int, caddr_t, int));
-# endif
-extern int iplopen __P((dev_t, int));
-extern int iplclose __P((dev_t, int));
-#else /* #ifndef _KERNEL */
-# if defined(__NetBSD__) && defined(PFIL_HOOKS)
-extern void ipfilterattach __P((int));
-# endif
-extern int iplattach __P((void));
-extern int ipl_enable __P((void));
-extern int ipl_disable __P((void));
-extern void ipflog_init __P((void));
-extern int ipflog_clear __P((minor_t));
-extern int ipflog_read __P((minor_t, struct uio *));
-extern int ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *));
-extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
-extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int));
-extern int send_reset __P((ip_t *, fr_info_t *));
-# if SOLARIS
-extern int fr_check __P((ip_t *, int, void *, int, qif_t *, mb_t **));
-extern int (*fr_checkp) __P((ip_t *, int, void *,
- int, qif_t *, mb_t **));
-# if SOLARIS2 >= 7
-extern int iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
-# else
-extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
-# endif
-extern int iplopen __P((dev_t *, int, int, cred_t *));
-extern int iplclose __P((dev_t, int, int, cred_t *));
-extern int ipfsync __P((void));
-extern int ipfr_fastroute __P((ip_t *, mblk_t *, mblk_t **,
- fr_info_t *, frdest_t *));
-extern void copyin_mblk __P((mblk_t *, size_t, size_t, char *));
-extern void copyout_mblk __P((mblk_t *, size_t, size_t, char *));
-extern int fr_qin __P((queue_t *, mblk_t *));
-extern int fr_qout __P((queue_t *, mblk_t *));
-extern int iplread __P((dev_t, struct uio *, cred_t *));
-# else /* SOLARIS */
-extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
-extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
-extern int ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *));
-extern size_t mbufchainlen __P((mb_t *));
-# ifdef __sgi
-# include <sys/cred.h>
-extern int iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
-extern int iplopen __P((dev_t *, int, int, cred_t *));
-extern int iplclose __P((dev_t, int, int, cred_t *));
-extern int iplread __P((dev_t, struct uio *, cred_t *));
-extern int ipfsync __P((void));
-extern int ipfilter_sgi_attach __P((void));
-extern void ipfilter_sgi_detach __P((void));
-extern void ipfilter_sgi_intfsync __P((void));
-# else
-# ifdef IPFILTER_LKM
-extern int iplidentify __P((char *));
-# endif
-# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
- (NetBSD >= 199511) || defined(__OpenBSD__)
-# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
- defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
-extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
-# else
-extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
-# endif
-extern int iplopen __P((dev_t, int, int, struct proc *));
-extern int iplclose __P((dev_t, int, int, struct proc *));
-# else
-# ifndef linux
-extern int iplopen __P((dev_t, int));
-extern int iplclose __P((dev_t, int));
-extern int iplioctl __P((dev_t, int, caddr_t, int));
-# else
-extern int iplioctl(struct inode *, struct file *, u_int, u_long);
-extern int iplopen __P((struct inode *, struct file *));
-extern void iplclose __P((struct inode *, struct file *));
-# endif /* !linux */
-# endif /* (_BSDI_VERSION >= 199510) */
-# if BSD >= 199306
-extern int iplread __P((dev_t, struct uio *, int));
-# else
-# ifndef linux
-extern int iplread __P((dev_t, struct uio *));
-# else
-extern int iplread(struct inode *, struct file *, char *, int);
-# endif /* !linux */
-# endif /* BSD >= 199306 */
-# endif /* __ sgi */
-# endif /* SOLARIS */
-#endif /* #ifndef _KERNEL */
-
-extern char *memstr __P((char *, char *, int, int));
-extern void fixskip __P((frentry_t **, frentry_t *, int));
-extern int countbits __P((u_32_t));
-extern int ipldetach __P((void));
-extern u_short ipf_cksum __P((u_short *, int));
-extern int ircopyptr __P((void *, void *, size_t));
-extern int iwcopyptr __P((void *, void *, size_t));
-
-extern int frflush __P((minor_t, int));
-extern void frsync __P((void));
-extern frgroup_t *fr_addgroup __P((u_32_t, frentry_t *, minor_t, int));
-extern void fr_delgroup __P((u_32_t, u_32_t, minor_t, int));
-extern frgroup_t *fr_findgroup __P((u_32_t, u_32_t, minor_t, int,
- frgroup_t ***));
-
-extern int fr_copytolog __P((int, char *, int));
-extern void fr_forgetifp __P((void *));
-extern void fr_getstat __P((struct friostat *));
-extern int fr_ifpaddr __P((int, void *, struct in_addr *));
-extern int fr_lock __P((caddr_t, int *));
-extern void fr_makefrip __P((int, ip_t *, fr_info_t *));
-extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *));
-extern int fr_scanlist __P((u_32_t, ip_t *, fr_info_t *, void *));
-extern int fr_tcpudpchk __P((frtuc_t *, fr_info_t *));
-extern int fr_verifysrc __P((struct in_addr, void *));
-
-extern int ipl_unreach;
-extern int fr_running;
-extern u_long ipl_frouteok[2];
-extern int fr_pass;
-extern int fr_flags;
-extern int fr_active;
-extern int fr_chksrc;
-extern int fr_minttl;
-extern int fr_minttllog;
-extern fr_info_t frcache[2];
-extern char ipfilter_version[];
-extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
-extern size_t iplused[IPL_LOGMAX + 1];
-extern struct frentry *ipfilter[2][2], *ipacct[2][2];
-#ifdef USE_INET6
-extern struct frentry *ipfilter6[2][2], *ipacct6[2][2];
-extern int icmptoicmp6types[ICMP_MAXTYPE+1];
-extern int icmptoicmp6unreach[ICMP_MAX_UNREACH];
-#endif
-extern struct frgroup *ipfgroups[3][2];
-extern struct filterstats frstats[];
-
-#endif /* __IP_FIL_H__ */
diff --git a/sys/netinet/ip_fil_compat.h b/sys/netinet/ip_fil_compat.h
deleted file mode 100644
index c8be3b22056..00000000000
--- a/sys/netinet/ip_fil_compat.h
+++ /dev/null
@@ -1,1014 +0,0 @@
-/* $OpenBSD: ip_fil_compat.h,v 1.21 2001/05/08 19:58:01 fgsch Exp $ */
-
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * @(#)ip_compat.h 1.8 1/14/96
- * $IPFilter: ip_compat.h,v 2.26.2.11 2001/04/03 14:13:35 darrenr Exp $
- */
-
-#ifndef __IP_COMPAT_H__
-#define __IP_COMPAT_H__
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-#ifndef __STDC__
-# undef const
-# define const
-#endif
-
-#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-#if SOLARIS2 >= 8
-# ifndef USE_INET6
-# define USE_INET6
-# endif
-#endif
-
-#if defined(_KERNEL) || defined(KERNEL) || defined(__KERNEL__)
-# undef KERNEL
-# undef _KERNEL
-# undef __KERNEL__
-# define KERNEL
-# define _KERNEL
-# define __KERNEL__
-#endif
-
-#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
-#define index strchr
-# if !defined(KERNEL)
-# define bzero(a,b) memset(a,0,b)
-# define bcmp memcmp
-# define bcopy(a,b,c) memmove(b,a,c)
-# endif
-#endif
-
-#ifndef offsetof
-#define offsetof(t,m) (int)((&((t *)0L)->m))
-#endif
-
-#if defined(__sgi) || defined(bsdi)
-struct ether_addr {
- u_char ether_addr_octet[6];
-};
-#endif
-
-#if defined(__sgi) && !defined(IPFILTER_LKM)
-# ifdef __STDC__
-# define IPL_EXTERN(ep) ipfilter##ep
-# else
-# define IPL_EXTERN(ep) ipfilter/**/ep
-# endif
-#else
-# ifdef __STDC__
-# define IPL_EXTERN(ep) ipl##ep
-# else
-# define IPL_EXTERN(ep) ipl/**/ep
-# endif
-#endif
-
-#ifdef linux
-# include <sys/sysmacros.h>
-#endif
-#if SOLARIS
-# define MTYPE(m) ((m)->b_datap->db_type)
-# include <sys/isa_defs.h>
-# include <sys/ioccom.h>
-# include <sys/sysmacros.h>
-# include <sys/kmem.h>
-/*
- * because Solaris 2 defines these in two places :-/
- */
-# undef IPOPT_EOL
-# undef IPOPT_NOP
-# undef IPOPT_LSRR
-# undef IPOPT_RR
-# undef IPOPT_SSRR
-# ifndef KERNEL
-# define _KERNEL
-# undef RES_INIT
-# if SOLARIS2 >= 8
-# include <netinet/ip6.h>
-# endif
-# include <inet/common.h>
-# include <inet/ip.h>
-# include <inet/ip_ire.h>
-# undef _KERNEL
-# else /* _KERNEL */
-# if SOLARIS2 >= 8
-# include <netinet/ip6.h>
-# endif
-# include <inet/common.h>
-# include <inet/ip.h>
-# include <inet/ip_ire.h>
-# endif /* _KERNEL */
-# if SOLARIS2 >= 8
-# include <inet/ip_if.h>
-# include <netinet/ip6.h>
-# define ipif_local_addr ipif_lcl_addr
-/* Only defined in private include file */
-# ifndef V4_PART_OF_V6
-# define V4_PART_OF_V6(v6) v6.s6_addr32[3]
-# endif
-# endif
-#else
-# if !defined(__sgi)
-typedef int minor_t;
-#endif
-#endif /* SOLARIS */
-#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
-
-#if defined(__FreeBSD__) && (__FreeBSD__ >= 5) && defined(_KERNEL)
-# include <machine/in_cksum.h>
-#endif
-
-#ifndef IP_OFFMASK
-#define IP_OFFMASK 0x1fff
-#endif
-
-#if BSD > 199306
-# define USE_QUAD_T
-# define U_QUAD_T u_quad_t
-# define QUAD_T quad_t
-#else /* BSD > 199306 */
-# define U_QUAD_T u_long
-# define QUAD_T long
-#endif /* BSD > 199306 */
-
-
-/*
- * These operating systems already take care of the problem for us.
- */
-#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \
- defined(__sgi)
-typedef u_int32_t u_32_t;
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-# if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 104110000)
-# include "opt_inet.h"
-# endif
-# if defined(__FreeBSD_version) && (__FreeBSD_version >= 400000) && \
- !defined(KLD_MODULE)
-# include "opt_inet6.h"
-# endif
-# ifdef INET6
-# define USE_INET6
-# endif
-# endif
-#else
-/*
- * Really, any arch where sizeof(long) != sizeof(int).
- */
-# if defined(__alpha__) || defined(__alpha) || defined(_LP64)
-typedef unsigned int u_32_t;
-# else
-# if SOLARIS2 >= 6
-typedef uint32_t u_32_t;
-# else
-typedef unsigned int u_32_t;
-# endif
-# endif
-#endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */
-
-#ifdef USE_INET6
-# if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
-# include <netinet/ip6.h>
-# ifdef _KERNEL
-# include <netinet6/ip6_var.h>
-# endif
-typedef struct ip6_hdr ip6_t;
-# endif
-union i6addr {
- u_32_t i6[4];
- struct in_addr in4;
- struct in6_addr in6;
-};
-#else
-union i6addr {
- u_32_t i6[4];
- struct in_addr in4;
-};
-#endif
-
-#define IP6CMP(a,b) bcmp((char *)&(a), (char *)&(b), sizeof(a))
-#define IP6EQ(a,b) (bcmp((char *)&(a), (char *)&(b), sizeof(a)) == 0)
-#define IP6NEQ(a,b) (bcmp((char *)&(a), (char *)&(b), sizeof(a)) != 0)
-
-#ifndef MAX
-#define MAX(a,b) (((a) > (b)) ? (a) : (b))
-#endif
-
-/*
- * Security Options for Intenet Protocol (IPSO) as defined in RFC 1108.
- *
- * Basic Option
- *
- * 00000001 - (Reserved 4)
- * 00111101 - Top Secret
- * 01011010 - Secret
- * 10010110 - Confidential
- * 01100110 - (Reserved 3)
- * 11001100 - (Reserved 2)
- * 10101011 - Unclassified
- * 11110001 - (Reserved 1)
- */
-#define IPSO_CLASS_RES4 0x01
-#define IPSO_CLASS_TOPS 0x3d
-#define IPSO_CLASS_SECR 0x5a
-#define IPSO_CLASS_CONF 0x96
-#define IPSO_CLASS_RES3 0x66
-#define IPSO_CLASS_RES2 0xcc
-#define IPSO_CLASS_UNCL 0xab
-#define IPSO_CLASS_RES1 0xf1
-
-#define IPSO_AUTH_GENSER 0x80
-#define IPSO_AUTH_ESI 0x40
-#define IPSO_AUTH_SCI 0x20
-#define IPSO_AUTH_NSA 0x10
-#define IPSO_AUTH_DOE 0x08
-#define IPSO_AUTH_UN 0x06
-#define IPSO_AUTH_FTE 0x01
-
-/*
- * IP option #defines
- */
-/*#define IPOPT_RR 7 */
-#define IPOPT_ZSU 10 /* ZSU */
-#define IPOPT_MTUP 11 /* MTUP */
-#define IPOPT_MTUR 12 /* MTUR */
-#define IPOPT_ENCODE 15 /* ENCODE */
-/*#define IPOPT_TS 68 */
-#define IPOPT_TR 82 /* TR */
-/*#define IPOPT_SECURITY 130 */
-/*#define IPOPT_LSRR 131 */
-#define IPOPT_E_SEC 133 /* E-SEC */
-#define IPOPT_CIPSO 134 /* CIPSO */
-/*#define IPOPT_SATID 136 */
-#ifndef IPOPT_SID
-# define IPOPT_SID IPOPT_SATID
-#endif
-/*#define IPOPT_SSRR 137 */
-#define IPOPT_ADDEXT 147 /* ADDEXT */
-#define IPOPT_VISA 142 /* VISA */
-#define IPOPT_IMITD 144 /* IMITD */
-#define IPOPT_EIP 145 /* EIP */
-#define IPOPT_FINN 205 /* FINN */
-
-
-#if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL))
-# ifdef IPFILTER_LKM
-# include <osreldate.h>
-# define ACTUALLY_LKM_NOT_KERNEL
-# else
-# include <sys/osreldate.h>
-# endif
-# if __FreeBSD__ < 3
-# include <machine/spl.h>
-# else
-# if __FreeBSD__ == 3
-# if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL)
-# define ACTUALLY_LKM_NOT_KERNEL
-# endif
-# endif
-# endif
-#endif /* __FreeBSD__ && KERNEL */
-
-/*
- * Build some macros and #defines to enable the same code to compile anywhere
- * Well, that's the idea, anyway :-)
- */
-#if !SOLARIS || (SOLARIS2 < 6) || !defined(KERNEL)
-# define ATOMIC_INCL ATOMIC_INC
-# define ATOMIC_INC64 ATOMIC_INC
-# define ATOMIC_INC32 ATOMIC_INC
-# define ATOMIC_INC16 ATOMIC_INC
-# define ATOMIC_DECL ATOMIC_DEC
-# define ATOMIC_DEC64 ATOMIC_DEC
-# define ATOMIC_DEC32 ATOMIC_DEC
-# define ATOMIC_DEC16 ATOMIC_DEC
-#endif
-#ifdef __sgi
-# define hz HZ
-# include <sys/ksynch.h>
-# define IPF_LOCK_PL plhi
-# include <sys/sema.h>
-#undef kmutex_t
-typedef struct {
- lock_t *l;
- int pl;
-} kmutex_t;
-# undef MUTEX_INIT
-# undef MUTEX_DESTROY
-#endif
-#ifdef KERNEL
-# if SOLARIS
-# if SOLARIS2 >= 6
-# include <sys/atomic.h>
-# if SOLARIS2 == 6
-# define ATOMIC_INCL(x) atomic_add_long((uint32_t*)&(x), 1)
-# define ATOMIC_DECL(x) atomic_add_long((uint32_t*)&(x), -1)
-# else
-# define ATOMIC_INCL(x) atomic_add_long(&(x), 1)
-# define ATOMIC_DECL(x) atomic_add_long(&(x), -1)
-# endif
-# define ATOMIC_INC64(x) atomic_add_64((uint64_t*)&(x), 1)
-# define ATOMIC_INC32(x) atomic_add_32((uint32_t*)&(x), 1)
-# define ATOMIC_INC16(x) atomic_add_16((uint16_t*)&(x), 1)
-# define ATOMIC_DEC64(x) atomic_add_64((uint64_t*)&(x), -1)
-# define ATOMIC_DEC32(x) atomic_add_32((uint32_t*)&(x), -1)
-# define ATOMIC_DEC16(x) atomic_add_16((uint16_t*)&(x), -1)
-# else
-# define ATOMIC_INC(x) { mutex_enter(&ipf_rw); (x)++; \
- mutex_exit(&ipf_rw); }
-# define ATOMIC_DEC(x) { mutex_enter(&ipf_rw); (x)--; \
- mutex_exit(&ipf_rw); }
-# endif
-# define MUTEX_ENTER(x) mutex_enter(x)
-# if 1
-# define KRWLOCK_T krwlock_t
-# define READ_ENTER(x) rw_enter(x, RW_READER)
-# define WRITE_ENTER(x) rw_enter(x, RW_WRITER)
-# define RW_UPGRADE(x) { if (rw_tryupgrade(x) == 0) { \
- rw_exit(x); \
- rw_enter(x, RW_WRITER); } \
- }
-# define MUTEX_DOWNGRADE(x) rw_downgrade(x)
-# define RWLOCK_INIT(x, y, z) rw_init((x), (y), RW_DRIVER, (z))
-# define RWLOCK_EXIT(x) rw_exit(x)
-# define RW_DESTROY(x) rw_destroy(x)
-# else
-# define KRWLOCK_T kmutex_t
-# define READ_ENTER(x) mutex_enter(x)
-# define WRITE_ENTER(x) mutex_enter(x)
-# define MUTEX_DOWNGRADE(x) ;
-# define RWLOCK_INIT(x, y, z) mutex_init((x), (y), MUTEX_DRIVER, (z))
-# define RWLOCK_EXIT(x) mutex_exit(x)
-# define RW_DESTROY(x) mutex_destroy(x)
-# endif
-# define MUTEX_INIT(x, y, z) mutex_init((x), (y), MUTEX_DRIVER, (z))
-# define MUTEX_DESTROY(x) mutex_destroy(x)
-# define MUTEX_EXIT(x) mutex_exit(x)
-# define MTOD(m,t) (t)((m)->b_rptr)
-# define IRCOPY(a,b,c) copyin((caddr_t)(a), (caddr_t)(b), (c))
-# define IWCOPY(a,b,c) copyout((caddr_t)(a), (caddr_t)(b), (c))
-# define IRCOPYPTR ircopyptr
-# define IWCOPYPTR iwcopyptr
-# define FREE_MB_T(m) freemsg(m)
-# define SPL_NET(x) ;
-# define SPL_IMP(x) ;
-# undef SPL_X
-# define SPL_X(x) ;
-# ifdef sparc
-# define ntohs(x) (x)
-# define ntohl(x) (x)
-# define htons(x) (x)
-# define htonl(x) (x)
-# endif /* sparc */
-# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
-# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
-# define GET_MINOR(x) getminor(x)
-typedef struct qif {
- struct qif *qf_next;
- ill_t *qf_ill;
- kmutex_t qf_lock;
- void *qf_iptr;
- void *qf_optr;
- queue_t *qf_in;
- queue_t *qf_out;
- struct qinit *qf_wqinfo;
- struct qinit *qf_rqinfo;
- struct qinit qf_wqinit;
- struct qinit qf_rqinit;
- mblk_t *qf_m; /* These three fields are for passing data up from */
- queue_t *qf_q; /* fr_qin and fr_qout to the packet processing. */
- size_t qf_off;
- size_t qf_len; /* this field is used for in ipfr_fastroute */
- char qf_name[8];
- /*
- * in case the ILL has disappeared...
- */
- size_t qf_hl; /* header length */
- int qf_sap;
-} qif_t;
-extern ill_t *get_unit __P((char *, int));
-# define GETUNIT(n, v) get_unit(n, v)
-# define IFNAME(x) ((ill_t *)x)->ill_name
-# else /* SOLARIS */
-# if defined(__sgi)
-# define ATOMIC_INC(x) { MUTEX_ENTER(&ipf_rw); \
- (x)++; MUTEX_EXIT(&ipf_rw); }
-# define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); \
- (x)--; MUTEX_EXIT(&ipf_rw); }
-# define MUTEX_ENTER(x) (x)->pl = LOCK((x)->l, IPF_LOCK_PL);
-# define KRWLOCK_T kmutex_t
-# define READ_ENTER(x) MUTEX_ENTER(x)
-# define WRITE_ENTER(x) MUTEX_ENTER(x)
-# define RW_UPGRADE(x) ;
-# define MUTEX_DOWNGRADE(x) ;
-# define RWLOCK_EXIT(x) MUTEX_EXIT(x)
-# define MUTEX_EXIT(x) UNLOCK((x)->l, (x)->pl);
-# define MUTEX_INIT(x,y,z) (x)->l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP)
-# define MUTEX_DESTROY(x) LOCK_DEALLOC((x)->l)
-# else /* __sgi */
-# define ATOMIC_INC(x) (x)++
-# define ATOMIC_DEC(x) (x)--
-# define MUTEX_ENTER(x) ;
-# define READ_ENTER(x) ;
-# define WRITE_ENTER(x) ;
-# define RW_UPGRADE(x) ;
-# define MUTEX_DOWNGRADE(x) ;
-# define RWLOCK_EXIT(x) ;
-# define MUTEX_EXIT(x) ;
-# define MUTEX_INIT(x,y,z) ;
-# define MUTEX_DESTROY(x) ;
-# endif /* __sgi */
-# ifndef linux
-# define FREE_MB_T(m) m_freem(m)
-# define MTOD(m,t) mtod(m,t)
-# define IRCOPY(a,b,c) (bcopy((a), (b), (c)), 0)
-# define IWCOPY(a,b,c) (bcopy((a), (b), (c)), 0)
-# define IRCOPYPTR ircopyptr
-# define IWCOPYPTR iwcopyptr
-# endif /* !linux */
-# endif /* SOLARIS */
-
-# ifdef sun
-# if !SOLARIS
-# include <sys/kmem_alloc.h>
-# define GETUNIT(n, v) ifunit(n, IFNAMSIZ)
-# define IFNAME(x) ((struct ifnet *)x)->if_name
-# endif
-# else
-# ifndef linux
-# define GETUNIT(n, v) ifunit(n)
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))
-# define IFNAME(x) ((struct ifnet *)x)->if_xname
-# else
-# define IFNAME(x) ((struct ifnet *)x)->if_name
-# endif
-# endif
-# endif /* sun */
-
-# if defined(sun) && !defined(linux) || defined(__sgi)
-# define UIOMOVE(a,b,c,d) uiomove((caddr_t)a,b,c,d)
-# define SLEEP(id, n) sleep((id), PZERO+1)
-# define WAKEUP(id) wakeup(id)
-# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
-# define KFREES(x,s) kmem_free((char *)(x), (s))
-# if !SOLARIS
-extern void m_copydata __P((struct mbuf *, int, int, caddr_t));
-extern void m_copyback __P((struct mbuf *, int, int, caddr_t));
-# endif
-# ifdef __sgi
-# include <sys/kmem.h>
-# include <sys/ddi.h>
-# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
-# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
-# define GET_MINOR(x) getminor(x)
-# else
-# if !SOLARIS
-# define KMALLOC(a,b) (a) = (b)new_kmem_alloc(sizeof(*(a)), \
- KMEM_NOSLEEP)
-# define KMALLOCS(a,b,c) (a) = (b)new_kmem_alloc((c), KMEM_NOSLEEP)
-# endif /* SOLARIS */
-# endif /* __sgi */
-# endif /* sun && !linux */
-# ifndef GET_MINOR
-# define GET_MINOR(x) minor(x)
-# endif
-# if (BSD >= 199306) || defined(__FreeBSD__)
-# include <vm/vm.h>
-# if !defined(__FreeBSD__) || (defined (__FreeBSD__) && __FreeBSD__>=3)
-# include <vm/vm_extern.h>
-# include <sys/proc.h>
-extern vm_map_t kmem_map;
-# else /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD__>=3) */
-# include <vm/vm_kern.h>
-# endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD__>=3) */
-# ifdef M_PFIL
-# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_PFIL, M_NOWAIT)
-# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT)
-# define KFREE(x) FREE((x), M_PFIL)
-# define KFREES(x,s) FREE((x), M_PFIL)
-# else
-# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_TEMP, M_NOWAIT)
-# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_TEMP, M_NOWAIT)
-# define KFREE(x) FREE((x), M_TEMP)
-# define KFREES(x,s) FREE((x), M_TEMP)
-# endif /* M_PFIL */
-# define UIOMOVE(a,b,c,d) uiomove(a,b,d)
-# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
-# define WAKEUP(id) wakeup(id)
-# endif /* BSD */
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199407))
-# define SPL_NET(x) x = splsoftnet()
-# define SPL_X(x) (void) splx(x)
-# else
-# if !SOLARIS && !defined(linux)
-# define SPL_IMP(x) x = splimp()
-# define SPL_NET(x) x = splnet()
-# define SPL_X(x) (void) splx(x)
-# endif
-# endif /* NetBSD && (NetBSD <= 1991011) && (NetBSD >= 199407) */
-# define PANIC(x,y) if (x) panic y
-#else /* KERNEL */
-# define SLEEP(x,y) ;
-# define WAKEUP(x) ;
-# define PANIC(x,y) ;
-# define ATOMIC_INC(x) (x)++
-# define ATOMIC_DEC(x) (x)--
-# define MUTEX_ENTER(x) ;
-# define READ_ENTER(x) ;
-# define MUTEX_INIT(x,y,z) ;
-# define MUTEX_DESTROY(x) ;
-# define WRITE_ENTER(x) ;
-# define RW_UPGRADE(x) ;
-# define MUTEX_DOWNGRADE(x) ;
-# define RWLOCK_EXIT(x) ;
-# define MUTEX_EXIT(x) ;
-# define SPL_NET(x) ;
-# define SPL_IMP(x) ;
-# undef SPL_X
-# define SPL_X(x) ;
-# define KMALLOC(a,b) (a) = (b)malloc(sizeof(*a))
-# define KMALLOCS(a,b,c) (a) = (b)malloc(c)
-# define KFREE(x) free(x)
-# define KFREES(x,s) free(x)
-# define GETUNIT(x, v) get_unit(x,v)
-# define IRCOPY(a,b,c) (bcopy((a), (b), (c)), 0)
-# define IWCOPY(a,b,c) (bcopy((a), (b), (c)), 0)
-# define IRCOPYPTR ircopyptr
-# define IWCOPYPTR iwcopyptr
-#endif /* KERNEL */
-
-#if SOLARIS
-typedef mblk_t mb_t;
-# if SOLARIS2 >= 7
-# ifdef lint
-# define ALIGN32(ptr) (ptr ? 0L : 0L)
-# define ALIGN16(ptr) (ptr ? 0L : 0L)
-# else
-# define ALIGN32(ptr) (ptr)
-# define ALIGN16(ptr) (ptr)
-# endif
-# endif
-#else
-# ifdef linux
-# ifndef kernel
-typedef struct mb {
- struct mb *next;
- u_int len;
- u_char *data;
-} mb_t;
-# else
-typedef struct sk_buff mb_t;
-# endif
-# else
-typedef struct mbuf mb_t;
-# endif
-#endif /* SOLARIS */
-
-#if defined(linux) || defined(__sgi)
-/*
- * These #ifdef's are here mainly for linux, but who knows, they may
- * not be in other places or maybe one day linux will grow up and some
- * of these will turn up there too.
- */
-#ifndef ICMP_MINLEN
-# define ICMP_MINLEN 8
-#endif
-#ifndef ICMP_UNREACH
-# define ICMP_UNREACH ICMP_DEST_UNREACH
-#endif
-#ifndef ICMP_SOURCEQUENCH
-# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH
-#endif
-#ifndef ICMP_TIMXCEED
-# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED
-#endif
-#ifndef ICMP_PARAMPROB
-# define ICMP_PARAMPROB ICMP_PARAMETERPROB
-#endif
-#ifndef ICMP_TSTAMP
-# define ICMP_TSTAMP ICMP_TIMESTAMP
-#endif
-#ifndef ICMP_TSTAMPREPLY
-# define ICMP_TSTAMPREPLY ICMP_TIMESTAMPREPLY
-#endif
-#ifndef ICMP_IREQ
-# define ICMP_IREQ ICMP_INFO_REQUEST
-#endif
-#ifndef ICMP_IREQREPLY
-# define ICMP_IREQREPLY ICMP_INFO_REPLY
-#endif
-#ifndef ICMP_MASKREQ
-# define ICMP_MASKREQ ICMP_ADDRESS
-#endif
-#ifndef ICMP_MASKREPLY
-# define ICMP_MASKREPLY ICMP_ADDRESSREPLY
-#endif
-#ifndef IPVERSION
-# define IPVERSION 4
-#endif
-#ifndef IPOPT_MINOFF
-# define IPOPT_MINOFF 4
-#endif
-#ifndef IPOPT_COPIED
-# define IPOPT_COPIED(x) ((x)&0x80)
-#endif
-#ifndef IPOPT_EOL
-# define IPOPT_EOL 0
-#endif
-#ifndef IPOPT_NOP
-# define IPOPT_NOP 1
-#endif
-#ifndef IP_MF
-# define IP_MF ((u_short)0x2000)
-#endif
-#ifndef ETHERTYPE_IP
-# define ETHERTYPE_IP ((u_short)0x0800)
-#endif
-#ifndef TH_FIN
-# define TH_FIN 0x01
-#endif
-#ifndef TH_SYN
-# define TH_SYN 0x02
-#endif
-#ifndef TH_RST
-# define TH_RST 0x04
-#endif
-#ifndef TH_PUSH
-# define TH_PUSH 0x08
-#endif
-#ifndef TH_ACK
-# define TH_ACK 0x10
-#endif
-#ifndef TH_URG
-# define TH_URG 0x20
-#endif
-#ifndef IPOPT_EOL
-# define IPOPT_EOL 0
-#endif
-#ifndef IPOPT_NOP
-# define IPOPT_NOP 1
-#endif
-#ifndef IPOPT_RR
-# define IPOPT_RR 7
-#endif
-#ifndef IPOPT_TS
-# define IPOPT_TS 68
-#endif
-#ifndef IPOPT_SECURITY
-# define IPOPT_SECURITY 130
-#endif
-#ifndef IPOPT_LSRR
-# define IPOPT_LSRR 131
-#endif
-#ifndef IPOPT_SATID
-# define IPOPT_SATID 136
-#endif
-#ifndef IPOPT_SSRR
-# define IPOPT_SSRR 137
-#endif
-#ifndef IPOPT_SECUR_UNCLASS
-# define IPOPT_SECUR_UNCLASS ((u_short)0x0000)
-#endif
-#ifndef IPOPT_SECUR_CONFID
-# define IPOPT_SECUR_CONFID ((u_short)0xf135)
-#endif
-#ifndef IPOPT_SECUR_EFTO
-# define IPOPT_SECUR_EFTO ((u_short)0x789a)
-#endif
-#ifndef IPOPT_SECUR_MMMM
-# define IPOPT_SECUR_MMMM ((u_short)0xbc4d)
-#endif
-#ifndef IPOPT_SECUR_RESTR
-# define IPOPT_SECUR_RESTR ((u_short)0xaf13)
-#endif
-#ifndef IPOPT_SECUR_SECRET
-# define IPOPT_SECUR_SECRET ((u_short)0xd788)
-#endif
-#ifndef IPOPT_SECUR_TOPSECRET
-# define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5)
-#endif
-#ifndef IPOPT_OLEN
-# define IPOPT_OLEN 1
-#endif
-#endif /* linux || __sgi */
-
-#ifdef linux
-#include <linux/in_systm.h>
-/*
- * TCP States
- */
-#define TCPS_CLOSED 0 /* closed */
-#define TCPS_LISTEN 1 /* listening for connection */
-#define TCPS_SYN_SENT 2 /* active, have sent syn */
-#define TCPS_SYN_RECEIVED 3 /* have send and received syn */
-/* states < TCPS_ESTABLISHED are those where connections not established */
-#define TCPS_ESTABLISHED 4 /* established */
-#define TCPS_CLOSE_WAIT 5 /* rcvd fin, waiting for close */
-/* states > TCPS_CLOSE_WAIT are those where user has closed */
-#define TCPS_FIN_WAIT_1 6 /* have closed, sent fin */
-#define TCPS_CLOSING 7 /* closed xchd FIN; await FIN ACK */
-#define TCPS_LAST_ACK 8 /* had fin and close; await FIN ACK */
-/* states > TCPS_CLOSE_WAIT && < TCPS_FIN_WAIT_2 await ACK of FIN */
-#define TCPS_FIN_WAIT_2 9 /* have closed, fin is acked */
-#define TCPS_TIME_WAIT 10 /* in 2*msl quiet wait after close */
-
-/*
- * file flags.
- */
-#ifdef WRITE
-#define FWRITE WRITE
-#define FREAD READ
-#else
-#define FWRITE _IOC_WRITE
-#define FREAD _IOC_READ
-#endif
-/*
- * mbuf related problems.
- */
-#define mtod(m,t) (t)((m)->data)
-#define m_len len
-#define m_next next
-
-#ifdef IP_DF
-#undef IP_DF
-#endif
-#define IP_DF 0x4000
-
-typedef struct {
- __u16 th_sport;
- __u16 th_dport;
- __u32 th_seq;
- __u32 th_ack;
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
- defined(vax)
- __u8 th_res:4;
- __u8 th_off:4;
-#else
- __u8 th_off:4;
- __u8 th_res:4;
-#endif
- __u8 th_flags;
- __u16 th_win;
- __u16 th_sum;
- __u16 th_urp;
-} tcphdr_t;
-
-typedef struct {
- __u16 uh_sport;
- __u16 uh_dport;
- __u16 uh_ulen;
- __u16 uh_sum;
-} udphdr_t;
-
-typedef struct {
-# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
- defined(vax)
- __u8 ip_hl:4;
- __u8 ip_v:4;
-# else
- __u8 ip_v:4;
- __u8 ip_hl:4;
-# endif
- __u8 ip_tos;
- __u16 ip_len;
- __u16 ip_id;
- __u16 ip_off;
- __u8 ip_ttl;
- __u8 ip_p;
- __u16 ip_sum;
- struct in_addr ip_src;
- struct in_addr ip_dst;
-} ip_t;
-
-/*
- * Structure of an icmp header.
- */
-typedef struct icmp {
- __u8 icmp_type; /* type of message, see below */
- __u8 icmp_code; /* type sub code */
- __u16 icmp_cksum; /* ones complement cksum of struct */
- union {
- __u8 ih_pptr; /* ICMP_PARAMPROB */
- struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
- struct ih_idseq {
- __u16 icd_id;
- __u16 icd_seq;
- } ih_idseq;
- int ih_void;
- } icmp_hun;
-# define icmp_pptr icmp_hun.ih_pptr
-# define icmp_gwaddr icmp_hun.ih_gwaddr
-# define icmp_id icmp_hun.ih_idseq.icd_id
-# define icmp_seq icmp_hun.ih_idseq.icd_seq
-# define icmp_void icmp_hun.ih_void
- union {
- struct id_ts {
- n_time its_otime;
- n_time its_rtime;
- n_time its_ttime;
- } id_ts;
- struct id_ip {
- ip_t idi_ip;
- /* options and then 64 bits of data */
- } id_ip;
- u_long id_mask;
- char id_data[1];
- } icmp_dun;
-# define icmp_otime icmp_dun.id_ts.its_otime
-# define icmp_rtime icmp_dun.id_ts.its_rtime
-# define icmp_ttime icmp_dun.id_ts.its_ttime
-# define icmp_ip icmp_dun.id_ip.idi_ip
-# define icmp_mask icmp_dun.id_mask
-# define icmp_data icmp_dun.id_data
-} icmphdr_t;
-
-# ifndef LINUX_IPOVLY
-# define LINUX_IPOVLY
-struct ipovly {
- caddr_t ih_next, ih_prev; /* for protocol sequence q's */
- u_char ih_x1; /* (unused) */
- u_char ih_pr; /* protocol */
- short ih_len; /* protocol length */
- struct in_addr ih_src; /* source internet address */
- struct in_addr ih_dst; /* destination internet address */
-};
-# endif
-
-typedef struct {
- __u8 ether_dhost[6];
- __u8 ether_shost[6];
- __u16 ether_type;
-} ether_header_t;
-
-typedef struct uio {
- int uio_resid;
- int uio_rw;
- caddr_t uio_buf;
-} uio_t;
-
-# define UIO_READ 0
-# define UIO_WRITE 1
-# define UIOMOVE(a, b, c, d) uiomove(a,b,c,d)
-
-/*
- * For masking struct ifnet onto struct device
- */
-# define if_name name
-
-# ifdef KERNEL
-# define GETUNIT(x, v) dev_get(x)
-# define FREE_MB_T(m) kfree_skb(m, FREE_WRITE)
-# define uniqtime do_gettimeofday
-# undef INT_MAX
-# undef UINT_MAX
-# undef LONG_MAX
-# undef ULONG_MAX
-# include <linux/netdevice.h>
-# define SPL_X(x)
-# define SPL_NET(x)
-# define SPL_IMP(x)
-
-# define bcmp(a,b,c) memcmp(a,b,c)
-# define bcopy(a,b,c) memcpy(b,a,c)
-# define bzero(a,c) memset(a,0,c)
-
-# define UNITNAME(n) dev_get((n))
-
-# define KMALLOC(a,b) (a) = (b)kmalloc(sizeof(*(a)), GFP_ATOMIC)
-# define KMALLOCS(a,b,c) (a) = (b)kmalloc((c), GFP_ATOMIC)
-# define KFREE(x) kfree_s((x), sizeof(*(x)))
-# define KFREES(x,s) kfree_s((x), (s))
-#define IRCOPY(const void *a, void *b, size_t c) { \
- int error; \
-
- error = verify_area(VERIFY_READ, a ,c); \
- if (!error) \
- memcpy_fromfs(b, a, c); \
- return error; \
-}
-static inline int IWCOPY(const void *a, void *b, size_t c)
-{
- int error;
-
- error = verify_area(VERIFY_WRITE, b, c);
- if (!error)
- memcpy_tofs(b, a, c);
- return error;
-}
-static inline int IRCOPYPTR(const void *a, void *b, size_t c) {
- caddr_t ca;
- int error;
-
- error = verify_area(VERIFY_READ, a ,sizeof(ca));
- if (!error) {
- memcpy_fromfs(ca, a, sizeof(ca));
- error = verify_area(VERIFY_READ, ca , c);
- if (!error)
- memcpy_fromfs(b, ca, c);
- }
- return error;
-}
-static inline int IWCOPYPTR(const void *a, void *b, size_t c) {
- caddr_t ca;
- int error;
-
-
- error = verify_area(VERIFY_READ, b ,sizeof(ca));
- if (!error) {
- memcpy_fromfs(ca, b, sizeof(ca));
- error = verify_area(VERIFY_WRITE, ca, c);
- if (!error)
- memcpy_tofs(ca, a, c);
- }
- return error;
-}
-# else
-# define __KERNEL__
-# undef INT_MAX
-# undef UINT_MAX
-# undef LONG_MAX
-# undef ULONG_MAX
-# define s8 __s8
-# define u8 __u8
-# define s16 __s16
-# define u16 __u16
-# define s32 __s32
-# define u32 __u32
-# include <linux/netdevice.h>
-# undef __KERNEL__
-# endif
-# define ifnet device
-#else
-typedef struct tcphdr tcphdr_t;
-typedef struct udphdr udphdr_t;
-typedef struct icmp icmphdr_t;
-typedef struct ip ip_t;
-typedef struct ether_header ether_header_t;
-#endif /* linux */
-typedef struct tcpiphdr tcpiphdr_t;
-
-#if defined(hpux) || defined(linux)
-struct ether_addr {
- char ether_addr_octet[6];
-};
-#endif
-
-/*
- * XXX - This is one of those *awful* hacks which nobody likes
- */
-#ifdef ultrix
-#define A_A
-#else
-#define A_A &
-#endif
-
-#ifndef ICMP_ROUTERADVERT
-# define ICMP_ROUTERADVERT 9
-#endif
-#ifndef ICMP_ROUTERSOLICIT
-# define ICMP_ROUTERSOLICIT 10
-#endif
-#undef ICMP_MAX_UNREACH
-#define ICMP_MAX_UNREACH 14
-#undef ICMP_MAXTYPE
-#define ICMP_MAXTYPE 18
-/*
- * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data,
- * another IP header and then 64 bits of data, totalling 56. Of course,
- * the last 64 bits is dependant on that being available.
- */
-#define ICMPERR_ICMPHLEN 8
-#define ICMPERR_IPICMPHLEN (20 + 8)
-#define ICMPERR_MINPKTLEN (20 + 8 + 20)
-#define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8)
-#define ICMP6ERR_MINPKTLEN (40 + 8)
-#define ICMP6ERR_IPICMPHLEN (40 + 8 + 40)
-
-/*
- * ECN is a new addition to TCP - RFC 2481
- */
-#ifndef TH_ECN
-# define TH_ECN 0x40
-#endif
-#ifndef TH_CWR
-# define TH_CWR 0x80
-#endif
-#define TH_ECNALL (TH_ECN|TH_CWR)
-
-#define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|TH_ECN|TH_CWR)
-
-#endif /* __IP_COMPAT_H__ */
diff --git a/sys/netinet/ip_frag.c b/sys/netinet/ip_frag.c
deleted file mode 100644
index e86ad0175cd..00000000000
--- a/sys/netinet/ip_frag.c
+++ /dev/null
@@ -1,585 +0,0 @@
-/* $OpenBSD: ip_frag.c,v 1.22 2001/04/07 01:06:27 fgsch Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ip_frag.c,v 2.10.2.8 2001/04/06 12:31:20 darrenr Exp $";
-#endif
-
-#if defined(KERNEL) && !defined(_KERNEL)
-# define _KERNEL
-#endif
-
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#if !defined(_KERNEL) && !defined(KERNEL)
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-#endif
-#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#include <sys/uio.h>
-#ifndef linux
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if defined(_KERNEL) && !defined(linux)
-# include <sys/systm.h>
-#endif
-#if !defined(__SVR4) && !defined(__svr4__)
-# if defined(_KERNEL) && !defined(__sgi)
-# include <sys/kernel.h>
-# endif
-# ifndef linux
-# include <sys/mbuf.h>
-# endif
-#else
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-# include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-# include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_proxy.h>
-#include <netinet/ip_nat.h>
-#include <netinet/ip_frag.h>
-#include <netinet/ip_state.h>
-#include <netinet/ip_auth.h>
-#if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# if (defined(KERNEL) || defined(_KERNEL))
-# ifndef IPFILTER_LKM
-# include <sys/libkern.h>
-# include <sys/systm.h>
-# endif
-extern struct callout_handle ipfr_slowtimer_ch;
-# endif
-#endif
-#if defined(__NetBSD__) && (__NetBSD_Version__ >= 104230000)
-# include <sys/callout.h>
-extern struct callout ipfr_slowtimer_ch;
-#elif defined(__OpenBSD__)
-# include <sys/timeout.h>
-extern struct timeout ipfr_slowtimer_ch;
-#endif
-
-
-static ipfr_t *ipfr_heads[IPFT_SIZE];
-static ipfr_t *ipfr_nattab[IPFT_SIZE];
-static ipfrstat_t ipfr_stats;
-static int ipfr_inuse = 0;
-
-int fr_ipfrttl = 120; /* 60 seconds */
-int fr_frag_lock = 0;
-
-#ifdef _KERNEL
-# if SOLARIS2 >= 7
-extern timeout_id_t ipfr_timer_id;
-# else
-extern int ipfr_timer_id;
-# endif
-#endif
-#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern KRWLOCK_T ipf_frag, ipf_natfrag, ipf_nat, ipf_mutex;
-# if SOLARIS
-extern KRWLOCK_T ipf_solaris;
-# else
-KRWLOCK_T ipf_solaris;
-# endif
-extern kmutex_t ipf_rw;
-#endif
-
-
-static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, u_int, ipfr_t **));
-static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **));
-static void ipfr_delete __P((ipfr_t *));
-
-
-ipfrstat_t *ipfr_fragstats()
-{
- ipfr_stats.ifs_table = ipfr_heads;
- ipfr_stats.ifs_nattab = ipfr_nattab;
- ipfr_stats.ifs_inuse = ipfr_inuse;
- return &ipfr_stats;
-}
-
-
-/*
- * add a new entry to the fragment cache, registering it as having come
- * through this box, with the result of the filter operation.
- */
-static ipfr_t *ipfr_new(ip, fin, pass, table)
-ip_t *ip;
-fr_info_t *fin;
-u_int pass;
-ipfr_t *table[];
-{
- ipfr_t **fp, *fra, frag;
- u_int idx, off;
-
- if (ipfr_inuse >= IPFT_SIZE)
- return NULL;
-
- if (!(fin->fin_fi.fi_fl & FI_FRAG))
- return NULL;
-
- frag.ipfr_p = ip->ip_p;
- idx = ip->ip_p;
- frag.ipfr_id = ip->ip_id;
- idx += ip->ip_id;
- frag.ipfr_tos = ip->ip_tos;
- frag.ipfr_src.s_addr = ip->ip_src.s_addr;
- idx += ip->ip_src.s_addr;
- frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
- idx += ip->ip_dst.s_addr;
- frag.ipfr_ifp = fin->fin_ifp;
- idx *= 127;
- idx %= IPFT_SIZE;
-
- /*
- * first, make sure it isn't already there...
- */
- for (fp = &table[idx]; (fra = *fp); fp = &fra->ipfr_next)
- if (!bcmp((char *)&frag.ipfr_src, (char *)&fra->ipfr_src,
- IPFR_CMPSZ)) {
- ATOMIC_INCL(ipfr_stats.ifs_exists);
- return NULL;
- }
-
- /*
- * allocate some memory, if possible, if not, just record that we
- * failed to do so.
- */
- KMALLOC(fra, ipfr_t *);
- if (fra == NULL) {
- ATOMIC_INCL(ipfr_stats.ifs_nomem);
- return NULL;
- }
-
- if ((fra->ipfr_rule = fin->fin_fr) != NULL) {
- ATOMIC_INC32(fin->fin_fr->fr_ref);
- }
-
-
- /*
- * Instert the fragment into the fragment table, copy the struct used
- * in the search using bcopy rather than reassign each field.
- * Set the ttl to the default and mask out logging from "pass"
- */
- if ((fra->ipfr_next = table[idx]))
- table[idx]->ipfr_prev = fra;
- fra->ipfr_prev = NULL;
- fra->ipfr_data = NULL;
- table[idx] = fra;
- bcopy((char *)&frag.ipfr_src, (char *)&fra->ipfr_src, IPFR_CMPSZ);
- fra->ipfr_ttl = fr_ipfrttl;
- /*
- * Compute the offset of the expected start of the next packet.
- */
- off = ip->ip_off & IP_OFFMASK;
- if (!off)
- fra->ipfr_seen0 = 1;
- fra->ipfr_off = off + (fin->fin_dlen >> 3);
- ATOMIC_INCL(ipfr_stats.ifs_new);
- ATOMIC_INC32(ipfr_inuse);
- return fra;
-}
-
-
-int ipfr_newfrag(ip, fin, pass)
-ip_t *ip;
-fr_info_t *fin;
-u_int pass;
-{
- ipfr_t *ipf;
-
- if ((ip->ip_v != 4) || (fr_frag_lock))
- return -1;
- WRITE_ENTER(&ipf_frag);
- ipf = ipfr_new(ip, fin, pass, ipfr_heads);
- RWLOCK_EXIT(&ipf_frag);
- return ipf ? 0 : -1;
-}
-
-
-int ipfr_nat_newfrag(ip, fin, pass, nat)
-ip_t *ip;
-fr_info_t *fin;
-u_int pass;
-nat_t *nat;
-{
- ipfr_t *ipf;
-
- if ((ip->ip_v != 4) || (fr_frag_lock))
- return -1;
- WRITE_ENTER(&ipf_natfrag);
- ipf = ipfr_new(ip, fin, pass, ipfr_nattab);
- if (ipf != NULL) {
- ipf->ipfr_data = nat;
- nat->nat_data = ipf;
- }
- RWLOCK_EXIT(&ipf_natfrag);
- return ipf ? 0 : -1;
-}
-
-
-/*
- * check the fragment cache to see if there is already a record of this packet
- * with its filter result known.
- */
-static ipfr_t *ipfr_lookup(ip, fin, table)
-ip_t *ip;
-fr_info_t *fin;
-ipfr_t *table[];
-{
- ipfr_t *f, frag;
- u_int idx;
-
- if (!(fin->fin_fi.fi_fl & FI_FRAG))
- return NULL;
-
- /*
- * For fragments, we record protocol, packet id, TOS and both IP#'s
- * (these should all be the same for all fragments of a packet).
- *
- * build up a hash value to index the table with.
- */
- frag.ipfr_p = ip->ip_p;
- idx = ip->ip_p;
- frag.ipfr_id = ip->ip_id;
- idx += ip->ip_id;
- frag.ipfr_tos = ip->ip_tos;
- frag.ipfr_src.s_addr = ip->ip_src.s_addr;
- idx += ip->ip_src.s_addr;
- frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
- idx += ip->ip_dst.s_addr;
- frag.ipfr_ifp = fin->fin_ifp;
- idx *= 127;
- idx %= IPFT_SIZE;
-
- /*
- * check the table, careful to only compare the right amount of data
- */
- for (f = table[idx]; f; f = f->ipfr_next)
- if (!bcmp((char *)&frag.ipfr_src, (char *)&f->ipfr_src,
- IPFR_CMPSZ)) {
- u_short atoff, off;
-
- /*
- * XXX - We really need to be guarding against the
- * retransmission of (src,dst,id,offset-range) here
- * because a fragmented packet is never resent with
- * the same IP ID#.
- */
- off = ip->ip_off & IP_OFFMASK;
- if (f->ipfr_seen0) {
- if (!off || (fin->fin_fi.fi_fl & FI_SHORT))
- continue;
- } else if (!off)
- f->ipfr_seen0 = 1;
-
- if (f != table[idx]) {
- /*
- * move fragment info. to the top of the list
- * to speed up searches.
- */
- if ((f->ipfr_prev->ipfr_next = f->ipfr_next))
- f->ipfr_next->ipfr_prev = f->ipfr_prev;
- f->ipfr_next = table[idx];
- table[idx]->ipfr_prev = f;
- f->ipfr_prev = NULL;
- table[idx] = f;
- }
- atoff = off + (fin->fin_dlen >> 3);
- /*
- * If we've follwed the fragments, and this is the
- * last (in order), shrink expiration time.
- */
- if (off == f->ipfr_off) {
- if (!(ip->ip_off & IP_MF))
- f->ipfr_ttl = 1;
- else
- f->ipfr_off = atoff;
- }
- ATOMIC_INCL(ipfr_stats.ifs_hits);
- return f;
- }
- return NULL;
-}
-
-
-/*
- * functional interface for NAT lookups of the NAT fragment cache
- */
-nat_t *ipfr_nat_knownfrag(ip, fin)
-ip_t *ip;
-fr_info_t *fin;
-{
- nat_t *nat;
- ipfr_t *ipf;
-
- if ((ip->ip_v != 4) || (fr_frag_lock))
- return NULL;
- READ_ENTER(&ipf_natfrag);
- ipf = ipfr_lookup(ip, fin, ipfr_nattab);
- if (ipf != NULL) {
- nat = ipf->ipfr_data;
- /*
- * This is the last fragment for this packet.
- */
- if ((ipf->ipfr_ttl == 1) && (nat != NULL)) {
- nat->nat_data = NULL;
- ipf->ipfr_data = NULL;
- }
- } else
- nat = NULL;
- RWLOCK_EXIT(&ipf_natfrag);
- return nat;
-}
-
-
-/*
- * functional interface for normal lookups of the fragment cache
- */
-frentry_t *ipfr_knownfrag(ip, fin)
-ip_t *ip;
-fr_info_t *fin;
-{
- frentry_t *fr = NULL;
- ipfr_t *fra;
-
- if ((ip->ip_v != 4) || (fr_frag_lock))
- return NULL;
- READ_ENTER(&ipf_frag);
- fra = ipfr_lookup(ip, fin, ipfr_heads);
- if (fra != NULL)
- fr = fra->ipfr_rule;
- RWLOCK_EXIT(&ipf_frag);
- return fr;
-}
-
-
-/*
- * forget any references to this external object.
- */
-void ipfr_forget(nat)
-void *nat;
-{
- ipfr_t *fr;
- int idx;
-
- WRITE_ENTER(&ipf_natfrag);
- for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fr = ipfr_heads[idx]; fr; fr = fr->ipfr_next)
- if (fr->ipfr_data == nat)
- fr->ipfr_data = NULL;
-
- RWLOCK_EXIT(&ipf_natfrag);
-}
-
-
-static void ipfr_delete(fra)
-ipfr_t *fra;
-{
- frentry_t *fr;
-
- fr = fra->ipfr_rule;
- if (fr != NULL) {
- ATOMIC_DEC32(fr->fr_ref);
- if (fr->fr_ref == 0)
- KFREE(fr);
- }
- if (fra->ipfr_prev)
- fra->ipfr_prev->ipfr_next = fra->ipfr_next;
- if (fra->ipfr_next)
- fra->ipfr_next->ipfr_prev = fra->ipfr_prev;
- KFREE(fra);
-}
-
-
-/*
- * Free memory in use by fragment state info. kept.
- */
-void ipfr_unload()
-{
- ipfr_t **fp, *fra;
- nat_t *nat;
- int idx;
-
- WRITE_ENTER(&ipf_frag);
- for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fp = &ipfr_heads[idx]; (fra = *fp); ) {
- *fp = fra->ipfr_next;
- ipfr_delete(fra);
- }
- RWLOCK_EXIT(&ipf_frag);
-
- WRITE_ENTER(&ipf_nat);
- WRITE_ENTER(&ipf_natfrag);
- for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fp = &ipfr_nattab[idx]; (fra = *fp); ) {
- *fp = fra->ipfr_next;
- nat = fra->ipfr_data;
- if (nat != NULL) {
- if (nat->nat_data == fra)
- nat->nat_data = NULL;
- }
- ipfr_delete(fra);
- }
- RWLOCK_EXIT(&ipf_natfrag);
- RWLOCK_EXIT(&ipf_nat);
-}
-
-
-#ifdef _KERNEL
-void ipfr_fragexpire()
-{
- ipfr_t **fp, *fra;
- nat_t *nat;
- int idx;
-#if defined(_KERNEL)
-# if !SOLARIS
- int s;
-# endif
-#endif
-
- if (fr_frag_lock)
- return;
-
- SPL_NET(s);
- WRITE_ENTER(&ipf_frag);
-
- /*
- * Go through the entire table, looking for entries to expire,
- * decreasing the ttl by one for each entry. If it reaches 0,
- * remove it from the chain and free it.
- */
- for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fp = &ipfr_heads[idx]; (fra = *fp); ) {
- --fra->ipfr_ttl;
- if (fra->ipfr_ttl == 0) {
- *fp = fra->ipfr_next;
- ipfr_delete(fra);
- ATOMIC_INCL(ipfr_stats.ifs_expire);
- ATOMIC_DEC32(ipfr_inuse);
- } else
- fp = &fra->ipfr_next;
- }
- RWLOCK_EXIT(&ipf_frag);
-
- /*
- * Same again for the NAT table, except that if the structure also
- * still points to a NAT structure, and the NAT structure points back
- * at the one to be free'd, NULL the reference from the NAT struct.
- * NOTE: We need to grab both mutex's early, and in this order so as
- * to prevent a deadlock if both try to expire at the same time.
- */
- WRITE_ENTER(&ipf_nat);
- WRITE_ENTER(&ipf_natfrag);
- for (idx = IPFT_SIZE - 1; idx >= 0; idx--)
- for (fp = &ipfr_nattab[idx]; (fra = *fp); ) {
- --fra->ipfr_ttl;
- if (fra->ipfr_ttl == 0) {
- ATOMIC_INCL(ipfr_stats.ifs_expire);
- ATOMIC_DEC32(ipfr_inuse);
- nat = fra->ipfr_data;
- if (nat != NULL) {
- if (nat->nat_data == fra)
- nat->nat_data = NULL;
- }
- *fp = fra->ipfr_next;
- ipfr_delete(fra);
- } else
- fp = &fra->ipfr_next;
- }
- RWLOCK_EXIT(&ipf_natfrag);
- RWLOCK_EXIT(&ipf_nat);
- SPL_X(s);
-}
-
-
-/*
- * Slowly expire held state for fragments. Timeouts are set * in expectation
- * of this being called twice per second.
- */
-# if (BSD >= 199306) || SOLARIS || defined(__sgi)
-# if defined(SOLARIS2) && (SOLARIS2 < 7)
-void ipfr_slowtimer()
-# else
-void ipfr_slowtimer __P((void *ptr))
-# endif
-# else
-int ipfr_slowtimer()
-# endif
-{
-#if defined(_KERNEL) && SOLARIS
- extern int fr_running;
-
- if (fr_running <= 0)
- return;
-#endif
-
- READ_ENTER(&ipf_solaris);
-#ifdef __sgi
- ipfilter_sgi_intfsync();
-#endif
-
- ipfr_fragexpire();
- fr_timeoutstate();
- ip_natexpire();
- fr_authexpire();
-# if SOLARIS
- ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000));
- RWLOCK_EXIT(&ipf_solaris);
-# else
-# if defined(__NetBSD__) && (__NetBSD_Version__ >= 104240000)
- callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL);
-# else
-# if defined(__OpenBSD__)
- timeout_add(&ipfr_slowtimer_ch, hz/2);
-# else
-# if (__FreeBSD_version >= 300000)
- ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
-# else
- timeout(ipfr_slowtimer, NULL, hz/2);
-# endif
-# if (BSD < 199306) && !defined(__sgi)
- return 0;
-# endif /* FreeBSD */
-# endif /* OpenBSD */
-# endif /* NetBSD */
-# endif /* SOLARIS */
-}
-#endif /* defined(_KERNEL) */
diff --git a/sys/netinet/ip_frag.h b/sys/netinet/ip_frag.h
deleted file mode 100644
index 9da45ae0a68..00000000000
--- a/sys/netinet/ip_frag.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/* $OpenBSD: ip_frag.h,v 1.15 2001/04/08 20:30:05 smart Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * @(#)ip_frag.h 1.5 3/24/96
- * $IPFilter: ip_frag.h,v 2.4.2.3 2001/04/06 12:31:20 darrenr Exp $
- */
-
-#ifndef __IP_FRAG_H__
-#define __IP_FRAG_H__
-
-#define IPFT_SIZE 257
-
-typedef struct ipfr {
- struct ipfr *ipfr_next, *ipfr_prev;
- void *ipfr_data;
- struct in_addr ipfr_src;
- struct in_addr ipfr_dst;
- void *ipfr_ifp;
- u_short ipfr_id;
- u_char ipfr_p;
- u_char ipfr_tos;
- u_short ipfr_off;
- u_char ipfr_ttl;
- u_char ipfr_seen0;
- frentry_t *ipfr_rule;
-} ipfr_t;
-
-
-typedef struct ipfrstat {
- u_long ifs_exists; /* add & already exists */
- u_long ifs_nomem;
- u_long ifs_new;
- u_long ifs_hits;
- u_long ifs_expire;
- u_long ifs_inuse;
- struct ipfr **ifs_table;
- struct ipfr **ifs_nattab;
-} ipfrstat_t;
-
-#define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_off) - \
- offsetof(ipfr_t, ipfr_src))
-
-extern int fr_ipfrttl;
-extern int fr_frag_lock;
-extern ipfrstat_t *ipfr_fragstats __P((void));
-extern int ipfr_newfrag __P((ip_t *, fr_info_t *, u_int));
-extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, u_int, struct nat *));
-extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));
-extern frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *));
-extern void ipfr_forget __P((void *));
-extern void ipfr_unload __P((void));
-extern void ipfr_fragexpire __P((void));
-
-#if (BSD >= 199306) || SOLARIS || defined(__sgi)
-# if defined(SOLARIS2) && (SOLARIS2 < 7)
-extern void ipfr_slowtimer __P((void));
-# else
-extern void ipfr_slowtimer __P((void *));
-# endif
-#else
-extern int ipfr_slowtimer __P((void));
-#endif /* (BSD >= 199306) || SOLARIS */
-
-#endif /* __IP_FRAG_H__ */
diff --git a/sys/netinet/ip_ftp_pxy.c b/sys/netinet/ip_ftp_pxy.c
deleted file mode 100644
index a82544da0f2..00000000000
--- a/sys/netinet/ip_ftp_pxy.c
+++ /dev/null
@@ -1,789 +0,0 @@
-/* $OpenBSD: ip_ftp_pxy.c,v 1.14 2001/05/08 19:58:01 fgsch Exp $ */
-
-/*
- * Simple FTP transparent proxy for in-kernel use. For use with the NAT
- * code.
- *
- * $IPFilter: ip_ftp_pxy.c,v 2.7.2.21 2001/01/17 13:30:52 darrenr Exp $
- */
-#if SOLARIS && defined(_KERNEL)
-extern kmutex_t ipf_rw;
-#endif
-
-#define isdigit(x) ((x) >= '0' && (x) <= '9')
-#define isupper(x) (((unsigned)(x) >= 'A') && ((unsigned)(x) <= 'Z'))
-#define islower(x) (((unsigned)(x) >= 'a') && ((unsigned)(x) <= 'z'))
-#define isalpha(x) (isupper(x) || islower(x))
-#define toupper(x) (isupper(x) ? (x) : (x) - 'a' + 'A')
-
-#define IPF_FTP_PROXY
-
-#define IPF_MINPORTLEN 18
-#define IPF_MAXPORTLEN 30
-#define IPF_MIN227LEN 39
-#define IPF_MAX227LEN 51
-#define IPF_FTPBUFSZ 96 /* This *MUST* be >= 53! */
-
-
-int ippr_ftp_client __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
-int ippr_ftp_complete __P((char *, size_t));
-int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-int ippr_ftp_init __P((void));
-int ippr_ftp_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-int ippr_ftp_pasv __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
-int ippr_ftp_port __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
-int ippr_ftp_process __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
-int ippr_ftp_server __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
-int ippr_ftp_valid __P((char *, size_t));
-u_short ippr_ftp_atoi __P((char **));
-
-static frentry_t natfr;
-int ippr_ftp_pasvonly = 0;
-int ippr_ftp_insecure = 0;
-
-
-/*
- * Initialize local structures.
- */
-int ippr_ftp_init()
-{
- bzero((char *)&natfr, sizeof(natfr));
- natfr.fr_ref = 1;
- natfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
- return 0;
-}
-
-
-int ippr_ftp_new(fin, ip, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-nat_t *nat;
-{
- ftpinfo_t *ftp;
- ftpside_t *f;
-
- KMALLOC(ftp, ftpinfo_t *);
- if (ftp == NULL)
- return -1;
- aps->aps_data = ftp;
- aps->aps_psiz = sizeof(ftpinfo_t);
-
- bzero((char *)ftp, sizeof(*ftp));
- f = &ftp->ftp_side[0];
- f->ftps_rptr = f->ftps_buf;
- f->ftps_wptr = f->ftps_buf;
- f = &ftp->ftp_side[1];
- f->ftps_rptr = f->ftps_buf;
- f->ftps_wptr = f->ftps_buf;
- return 0;
-}
-
-
-int ippr_ftp_port(fin, ip, nat, f, dlen)
-fr_info_t *fin;
-ip_t *ip;
-nat_t *nat;
-ftpside_t *f;
-int dlen;
-{
- tcphdr_t *tcp, tcph, *tcp2 = &tcph;
- char newbuf[IPF_FTPBUFSZ], *s;
- u_short a5, a6, sp, dp;
- u_int a1, a2, a3, a4;
- struct in_addr swip;
- size_t nlen, olen;
- fr_info_t fi;
- int inc, off;
- nat_t *ipn;
- mb_t *m;
-#if SOLARIS
- mb_t *m1;
-#endif
-
- tcp = (tcphdr_t *)fin->fin_dp;
- /*
- * Check for client sending out PORT message.
- */
- if (dlen < IPF_MINPORTLEN)
- return 0;
- off = fin->fin_hlen + (tcp->th_off << 2);
- /*
- * Skip the PORT command + space
- */
- s = f->ftps_rptr + 5;
- /*
- * Pick out the address components, two at a time.
- */
- a1 = ippr_ftp_atoi(&s);
- if (!s)
- return 0;
- a2 = ippr_ftp_atoi(&s);
- if (!s)
- return 0;
- /*
- * check that IP address in the PORT/PASV reply is the same as the
- * sender of the command - prevents using PORT for port scanning.
- */
- a1 <<= 16;
- a1 |= a2;
- if (a1 != ntohl(nat->nat_inip.s_addr))
- return 0;
-
- a5 = ippr_ftp_atoi(&s);
- if (!s)
- return 0;
- if (*s == ')')
- s++;
-
- /*
- * check for CR-LF at the end.
- */
- if (*s == '\n')
- s--;
- if ((*s == '\r') && (*(s + 1) == '\n')) {
- s += 2;
- a6 = a5 & 0xff;
- } else
- return 0;
- a5 >>= 8;
- a5 &= 0xff;
- /*
- * Calculate new address parts for PORT command
- */
- a1 = ntohl(ip->ip_src.s_addr);
- a2 = (a1 >> 16) & 0xff;
- a3 = (a1 >> 8) & 0xff;
- a4 = a1 & 0xff;
- a1 >>= 24;
- olen = s - f->ftps_rptr;
- /* DO NOT change this to sprintf! */
- (void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n",
- "PORT", a1, a2, a3, a4, a5, a6);
-
- nlen = strlen(newbuf);
- inc = nlen - olen;
- if ((inc + ip->ip_len) > 65535)
- return 0;
-
-#if SOLARIS
- m = fin->fin_qfm;
- for (m1 = m; m1->b_cont; m1 = m1->b_cont)
- ;
- if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
- mblk_t *nm;
-
- /* alloc enough to keep same trailer space for lower driver */
- nm = allocb(nlen, BPRI_MED);
- PANIC((!nm),("ippr_ftp_out: allocb failed"));
-
- nm->b_band = m1->b_band;
- nm->b_wptr += nlen;
-
- m1->b_wptr -= olen;
- PANIC((m1->b_wptr < m1->b_rptr),
- ("ippr_ftp_out: cannot handle fragmented data block"));
-
- linkb(m1, nm);
- } else {
- if (m1->b_datap->db_struiolim == m1->b_wptr)
- m1->b_datap->db_struiolim += inc;
- m1->b_datap->db_struioflag &= ~STRUIO_IP;
- m1->b_wptr += inc;
- }
- copyin_mblk(m, off, nlen, newbuf);
-#else
- m = *((mb_t **)fin->fin_mp);
- if (inc < 0)
- m_adj(m, inc);
- /* the mbuf chain will be extended if necessary by m_copyback() */
- m_copyback(m, off, nlen, newbuf);
-# ifdef M_PKTHDR
- if (!(m->m_flags & M_PKTHDR))
- m->m_pkthdr.len += inc;
-# endif
-#endif
- if (inc != 0) {
-#if SOLARIS || defined(__sgi)
- register u_32_t sum1, sum2;
-
- sum1 = ip->ip_len;
- sum2 = ip->ip_len + inc;
-
- /* Because ~1 == -2, We really need ~1 == -1 */
- if (sum1 > sum2)
- sum2--;
- sum2 -= sum1;
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
-
- fix_outcksum(&ip->ip_sum, sum2);
-#endif
- ip->ip_len += inc;
- }
-
- /*
- * Add skeleton NAT entry for connection which will come back the
- * other way.
- */
- sp = htons(a5 << 8 | a6);
- /*
- * Don't allow the PORT command to specify a port < 1024 due to
- * security crap.
- */
- if (ntohs(sp) < 1024)
- return 0;
- /*
- * The server may not make the connection back from port 20, but
- * it is the most likely so use it here to check for a conflicting
- * mapping.
- */
- dp = htons(fin->fin_data[1] - 1);
- ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
- ip->ip_dst, (dp << 16) | sp, 0);
- if (ipn == NULL) {
- int slen;
-
- slen = ip->ip_len;
- ip->ip_len = fin->fin_hlen + sizeof(*tcp2);
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- bzero((char *)tcp2, sizeof(*tcp2));
- tcp2->th_win = htons(8192);
- tcp2->th_sport = sp;
- tcp2->th_off = 5;
- tcp2->th_dport = 0; /* XXX - don't specify remote port */
- fi.fin_data[0] = ntohs(sp);
- fi.fin_data[1] = 0;
- fi.fin_dlen = sizeof(*tcp2);
- fi.fin_dp = (char *)tcp2;
- fi.fin_fr = &natfr;
- swip = ip->ip_src;
- fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
- ip->ip_src = nat->nat_inip;
- ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT,
- NAT_OUTBOUND);
- if (ipn != NULL) {
- ipn->nat_age = fr_defnatage;
- (void) fr_addstate(ip, &fi, FI_W_DPORT);
- }
- ip->ip_len = slen;
- ip->ip_src = swip;
- }
- return APR_INC(inc);
-}
-
-
-int ippr_ftp_client(fin, ip, nat, ftp, dlen)
-fr_info_t *fin;
-nat_t *nat;
-ftpinfo_t *ftp;
-ip_t *ip;
-int dlen;
-{
- char *rptr, *wptr, cmd[6], c;
- ftpside_t *f;
- int inc, i;
-
- inc = 0;
- f = &ftp->ftp_side[0];
- rptr = f->ftps_rptr;
- wptr = f->ftps_wptr;
-
- for (i = 0; (i < 5) && (i < dlen); i++) {
- c = rptr[i];
- if (isalpha(c)) {
- cmd[i] = toupper(c);
- } else {
- cmd[i] = c;
- }
- }
- cmd[i] = '\0';
-
- if ((ftp->ftp_passok == 0) && !strncmp(cmd, "USER ", 5))
- ftp->ftp_passok = 1;
- else if ((ftp->ftp_passok == 2) && !strncmp(cmd, "PASS ", 5))
- ftp->ftp_passok = 3;
- else if ((ftp->ftp_passok == 4) && !ippr_ftp_pasvonly &&
- !strncmp(cmd, "PORT ", 5)) {
- inc = ippr_ftp_port(fin, ip, nat, f, dlen);
- } else if (ippr_ftp_insecure && !ippr_ftp_pasvonly &&
- !strncmp(cmd, "PORT ", 5)) {
- inc = ippr_ftp_port(fin, ip, nat, f, dlen);
- }
-
- while ((*rptr++ != '\n') && (rptr < wptr))
- ;
- f->ftps_rptr = rptr;
- return inc;
-}
-
-
-int ippr_ftp_pasv(fin, ip, nat, f, dlen)
-fr_info_t *fin;
-ip_t *ip;
-nat_t *nat;
-ftpside_t *f;
-int dlen;
-{
- tcphdr_t *tcp, tcph, *tcp2 = &tcph;
- struct in_addr swip, swip2;
- u_short a5, a6, sp, dp;
- u_int a1, a2, a3, a4;
- fr_info_t fi;
- nat_t *ipn;
- int inc;
- char *s;
-
- /*
- * Check for PASV reply message.
- */
- if (dlen < IPF_MIN227LEN)
- return 0;
- else if (strncmp(f->ftps_rptr, "227 Entering Passive Mode", 25))
- return 0;
-
- tcp = (tcphdr_t *)fin->fin_dp;
-
- /*
- * Skip the PORT command + space
- */
- s = f->ftps_rptr + 25;
- while (*s && !isdigit(*s))
- s++;
- /*
- * Pick out the address components, two at a time.
- */
- a1 = ippr_ftp_atoi(&s);
- if (!s)
- return 0;
- a2 = ippr_ftp_atoi(&s);
- if (!s)
- return 0;
-
- /*
- * check that IP address in the PORT/PASV reply is the same as the
- * sender of the command - prevents using PORT for port scanning.
- */
- a1 <<= 16;
- a1 |= a2;
- if (a1 != ntohl(nat->nat_oip.s_addr))
- return 0;
-
- a5 = ippr_ftp_atoi(&s);
- if (!s)
- return 0;
-
- if (*s == ')')
- s++;
- if (*s == '\n')
- s--;
- /*
- * check for CR-LF at the end.
- */
- if ((*s == '\r') && (*(s + 1) == '\n')) {
- s += 2;
- a6 = a5 & 0xff;
- } else
- return 0;
- a5 >>= 8;
- /*
- * Calculate new address parts for 227 reply
- */
- a1 = ntohl(ip->ip_src.s_addr);
- a2 = (a1 >> 16) & 0xff;
- a3 = (a1 >> 8) & 0xff;
- a4 = a1 & 0xff;
- a1 >>= 24;
- inc = 0;
-#if 0
- olen = s - f->ftps_rptr;
- (void) sprintf(newbuf, "%s %u,%u,%u,%u,%u,%u\r\n",
- "227 Entering Passive Mode", a1, a2, a3, a4, a5, a6);
- nlen = strlen(newbuf);
- inc = nlen - olen;
- if ((inc + ip->ip_len) > 65535)
- return 0;
-
-#if SOLARIS
- m = fin->fin_qfm;
- for (m1 = m; m1->b_cont; m1 = m1->b_cont)
- ;
- if ((inc > 0) && (m1->b_datap->db_lim - m1->b_wptr < inc)) {
- mblk_t *nm;
-
- /* alloc enough to keep same trailer space for lower driver */
- nm = allocb(nlen, BPRI_MED);
- PANIC((!nm),("ippr_ftp_out: allocb failed"));
-
- nm->b_band = m1->b_band;
- nm->b_wptr += nlen;
-
- m1->b_wptr -= olen;
- PANIC((m1->b_wptr < m1->b_rptr),
- ("ippr_ftp_out: cannot handle fragmented data block"));
-
- linkb(m1, nm);
- } else {
- m1->b_wptr += inc;
- }
- /*copyin_mblk(m, off, nlen, newbuf);*/
-#else /* SOLARIS */
- m = *((mb_t **)fin->fin_mp);
- if (inc < 0)
- m_adj(m, inc);
- /* the mbuf chain will be extended if necessary by m_copyback() */
- /*m_copyback(m, off, nlen, newbuf);*/
-#endif /* SOLARIS */
- if (inc != 0) {
-#if SOLARIS || defined(__sgi)
- register u_32_t sum1, sum2;
-
- sum1 = ip->ip_len;
- sum2 = ip->ip_len + inc;
-
- /* Because ~1 == -2, We really need ~1 == -1 */
- if (sum1 > sum2)
- sum2--;
- sum2 -= sum1;
- sum2 = (sum2 & 0xffff) + (sum2 >> 16);
-
- fix_outcksum(&ip->ip_sum, sum2);
-#endif /* SOLARIS || defined(__sgi) */
- ip->ip_len += inc;
- }
-#endif /* 0 */
-
- /*
- * Add skeleton NAT entry for connection which will come back the
- * other way.
- */
- sp = 0;
- dp = htons(fin->fin_data[1] - 1);
- ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
- ip->ip_dst, (dp << 16) | sp, 0);
- if (ipn == NULL) {
- int slen;
-
- slen = ip->ip_len;
- ip->ip_len = fin->fin_hlen + sizeof(*tcp2);
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- bzero((char *)tcp2, sizeof(*tcp2));
- tcp2->th_win = htons(8192);
- tcp2->th_sport = 0; /* XXX - fake it for nat_new */
- tcp2->th_off = 5;
- fi.fin_data[1] = a5 << 8 | a6;
- fi.fin_dlen = sizeof(*tcp2);
- tcp2->th_dport = htons(fi.fin_data[1]);
- fi.fin_data[0] = 0;
- fi.fin_dp = (char *)tcp2;
- fi.fin_fr = &natfr;
- swip = ip->ip_src;
- swip2 = ip->ip_dst;
- fi.fin_fi.fi_daddr = ip->ip_src.s_addr;
- fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
- ip->ip_dst = ip->ip_src;
- ip->ip_src = nat->nat_inip;
- ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_SPORT,
- NAT_OUTBOUND);
- if (ipn != NULL) {
- ipn->nat_age = fr_defnatage;
- (void) fr_addstate(ip, &fi, FI_W_SPORT);
- }
- ip->ip_len = slen;
- ip->ip_src = swip;
- ip->ip_dst = swip2;
- }
- return inc;
-}
-
-
-int ippr_ftp_server(fin, ip, nat, ftp, dlen)
-fr_info_t *fin;
-ip_t *ip;
-nat_t *nat;
-ftpinfo_t *ftp;
-int dlen;
-{
- char *rptr, *wptr;
- ftpside_t *f;
- int inc;
-
- inc = 0;
- f = &ftp->ftp_side[1];
- rptr = f->ftps_rptr;
- wptr = f->ftps_wptr;
-
- if ((ftp->ftp_passok == 1) && !strncmp(rptr, "331", 3))
- ftp->ftp_passok = 2;
- else if (((ftp->ftp_passok == 3) || (ftp->ftp_passok == 1)) &&
- !strncmp(rptr, "230", 3)) {
- ftp->ftp_passok = 4;
- } else if ((ftp->ftp_passok == 3) && !strncmp(rptr, "530", 3))
- ftp->ftp_passok = 0;
- else if ((ftp->ftp_passok == 4) && !strncmp(rptr, "227 ", 4)) {
- inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
- } else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) {
- inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
- }
- while ((*rptr++ != '\n') && (rptr < wptr))
- ;
- f->ftps_rptr = rptr;
- return inc;
-}
-
-
-/*
- * Look to see if the buffer starts with something which we recognise as
- * being the correct syntax for the FTP protocol.
- */
-int ippr_ftp_valid(buf, len)
-char *buf;
-size_t len;
-{
- register char *s, c;
- register size_t i = len;
-
- if (i < 5)
- return 2;
- s = buf;
- c = *s++;
- i--;
-
- if (isdigit(c)) {
- c = *s++;
- i--;
- if (isdigit(c)) {
- c = *s++;
- i--;
- if (isdigit(c)) {
- c = *s++;
- i--;
- if ((c != '-') && (c != ' '))
- return 1;
- } else
- return 1;
- } else
- return 1;
- } else if (isalpha(c)) {
- c = *s++;
- i--;
- if (isalpha(c)) {
- c = *s++;
- i--;
- if (isalpha(c)) {
- c = *s++;
- i--;
- if (isalpha(c)) {
- c = *s++;
- i--;
- if ((c != ' ') && (c != '\r'))
- return 1;
- } else if ((c != ' ') && (c != '\r'))
- return 1;
- } else
- return 1;
- } else
- return 1;
- } else
- return 1;
- for (; i; i--) {
- c = *s++;
- if (c == '\n')
- return 0;
- }
- return 2;
-}
-
-
-int ippr_ftp_process(fin, ip, nat, ftp, rv)
-fr_info_t *fin;
-ip_t *ip;
-nat_t *nat;
-ftpinfo_t *ftp;
-int rv;
-{
- int mlen, len, off, inc, i, sel;
- char *rptr, *wptr;
- ftpside_t *f, *t;
- tcphdr_t *tcp;
- mb_t *m;
-
- tcp = (tcphdr_t *)fin->fin_dp;
- off = fin->fin_hlen + (tcp->th_off << 2);
-
-#if SOLARIS
- m = fin->fin_qfm;
-#else
- m = *((mb_t **)fin->fin_mp);
-#endif
-
-#if SOLARIS
- mlen = msgdsize(m) - off;
-#else
- mlen = mbufchainlen(m) - off;
-#endif
-
- t = &ftp->ftp_side[1 - rv];
- f = &ftp->ftp_side[rv];
- if (!mlen) {
- if (!t->ftps_seq ||
- (int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0)
- t->ftps_seq = ntohl(tcp->th_ack);
- f->ftps_len = 0;
- return 0;
- }
-
- inc = 0;
- rptr = f->ftps_rptr;
- wptr = f->ftps_wptr;
-
- sel = nat->nat_aps->aps_sel[1 - rv];
- if (rv)
- i = nat->nat_aps->aps_ackoff[sel];
- else
- i = nat->nat_aps->aps_seqoff[sel];
- /*
- * XXX - Ideally, this packet should get dropped because we now know
- * that it is out of order (and there is no real danger in doing so
- * apart from causing packets to go through here ordered).
- */
- if (f->ftps_len + f->ftps_seq == ntohl(tcp->th_seq))
- f->ftps_seq = ntohl(tcp->th_seq);
- else if (ntohl(tcp->th_seq) + i != f->ftps_seq) {
- return APR_ERR(-1);
- }
- f->ftps_len = mlen;
-
- while (mlen > 0) {
- len = MIN(mlen, FTP_BUFSZ / 2);
-
-#if SOLARIS
- copyout_mblk(m, off, len, wptr);
-#else
- m_copydata(m, off, len, wptr);
-#endif
- mlen -= len;
- off += len;
- wptr += len;
- f->ftps_wptr = wptr;
- if (f->ftps_junk == 2)
- f->ftps_junk = ippr_ftp_valid(rptr, wptr - rptr);
-
- while ((f->ftps_junk == 0) && (wptr > rptr)) {
- f->ftps_junk = ippr_ftp_valid(rptr, wptr - rptr);
- if (f->ftps_junk == 0) {
- len = wptr - rptr;
- f->ftps_rptr = rptr;
- if (rv)
- inc += ippr_ftp_server(fin, ip, nat,
- ftp, len);
- else
- inc += ippr_ftp_client(fin, ip, nat,
- ftp, len);
- rptr = f->ftps_rptr;
- }
- }
-
- while ((f->ftps_junk == 1) && (rptr < wptr)) {
- while ((rptr < wptr) && (*rptr != '\r'))
- rptr++;
-
- if (*rptr == '\r') {
- if (rptr + 1 < wptr) {
- if (*(rptr + 1) == '\n') {
- rptr += 2;
- f->ftps_junk = 0;
- } else
- rptr++;
- } else
- break;
- }
- }
- f->ftps_rptr = rptr;
-
- if (rptr == wptr) {
- rptr = wptr = f->ftps_buf;
- } else {
- if ((wptr > f->ftps_buf + FTP_BUFSZ / 2)) {
- i = wptr - rptr;
- if ((rptr == f->ftps_buf) ||
- (wptr - rptr > FTP_BUFSZ / 2)) {
- f->ftps_junk = 1;
- rptr = wptr = f->ftps_buf;
- } else {
- bcopy(rptr, f->ftps_buf, i);
- wptr = f->ftps_buf + i;
- rptr = f->ftps_buf;
- }
- }
- f->ftps_rptr = rptr;
- f->ftps_wptr = wptr;
- }
- }
-
- t->ftps_seq = ntohl(tcp->th_ack);
- f->ftps_rptr = rptr;
- f->ftps_wptr = wptr;
- return APR_INC(inc);
-}
-
-
-int ippr_ftp_out(fin, ip, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-nat_t *nat;
-{
- ftpinfo_t *ftp;
-
- ftp = aps->aps_data;
- if (ftp == NULL)
- return 0;
- return ippr_ftp_process(fin, ip, nat, ftp, 0);
-}
-
-
-int ippr_ftp_in(fin, ip, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-nat_t *nat;
-{
- ftpinfo_t *ftp;
-
- ftp = aps->aps_data;
- if (ftp == NULL)
- return 0;
- return ippr_ftp_process(fin, ip, nat, ftp, 1);
-}
-
-
-/*
- * ippr_ftp_atoi - implement a version of atoi which processes numbers in
- * pairs separated by commas (which are expected to be in the range 0 - 255),
- * returning a 16 bit number combining either side of the , as the MSB and
- * LSB.
- */
-u_short ippr_ftp_atoi(ptr)
-char **ptr;
-{
- register char *s = *ptr, c;
- register u_char i = 0, j = 0;
-
- while ((c = *s++) && isdigit(c)) {
- i *= 10;
- i += c - '0';
- }
- if (c != ',') {
- *ptr = NULL;
- return 0;
- }
- while ((c = *s++) && isdigit(c)) {
- j *= 10;
- j += c - '0';
- }
- *ptr = s;
- i &= 0xff;
- j &= 0xff;
- return (i << 8) | j;
-}
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 5915a5ca322..6806fb4cecc 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.72 2001/05/27 00:39:26 angelos Exp $ */
+/* $OpenBSD: ip_input.c,v 1.73 2001/05/30 02:12:31 deraadt Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -148,10 +148,6 @@ u_char ip_protox[IPPROTO_MAX];
int ipqmaxlen = IFQ_MAXLEN;
struct in_ifaddrhead in_ifaddr;
struct ifqueue ipintrq;
-#if defined(IPFILTER) || defined(IPFILTER_LKM)
-int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int,
- struct mbuf **));
-#endif
int ipq_locked;
static __inline int ipq_lock_try __P((void));
@@ -377,23 +373,6 @@ ipv4_input(m)
m_adj(m, ip->ip_len - m->m_pkthdr.len);
}
-#if defined(IPFILTER) || defined(IPFILTER_LKM)
- /*
- * Check if we want to allow this packet to be processed.
- * Consider it to be bad if not.
- */
- {
- struct mbuf *m0 = m;
- if (fr_checkp && (*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m0)) {
- return;
- }
- if (m0 == 0) { /* in case of 'fastroute' */
- return;
- }
- ip = mtod(m = m0, struct ip *);
- }
-#endif
-
/*
* Process options and, if not destined for us,
* ship it on. ip_dooptions returns 1 when an
diff --git a/sys/netinet/ip_log.c b/sys/netinet/ip_log.c
deleted file mode 100644
index 88ce0faee8d..00000000000
--- a/sys/netinet/ip_log.c
+++ /dev/null
@@ -1,472 +0,0 @@
-/* $OpenBSD: ip_log.c,v 1.12 2001/05/08 19:58:01 fgsch Exp $ */
-
-/*
- * Copyright (C) 1997-2001 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * $IPFilter: ip_log.c,v 2.5.2.3 2001/04/03 15:45:49 darrenr Exp $
- */
-#include <sys/param.h>
-#if defined(KERNEL) && !defined(_KERNEL)
-# define _KERNEL
-#endif
-#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM)
-# include "opt_ipfilter_log.h"
-#endif
-#ifdef __FreeBSD__
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-# if defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)
-# include "opt_ipfilter.h"
-# endif
-# else
-# ifdef KLD_MODULE
-# include <osreldate.h>
-# endif
-# endif
-#endif
-#ifdef IPFILTER_LOG
-# ifndef SOLARIS
-# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-# endif
-# ifndef _KERNEL
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-# include <ctype.h>
-# endif
-# include <sys/errno.h>
-# include <sys/types.h>
-# include <sys/file.h>
-# if __FreeBSD_version >= 220000 && defined(_KERNEL)
-# include <sys/fcntl.h>
-# include <sys/filio.h>
-# else
-# include <sys/ioctl.h>
-# endif
-# include <sys/time.h>
-# if defined(_KERNEL)
-# include <sys/systm.h>
-# endif
-# include <sys/uio.h>
-# if !SOLARIS
-# if (NetBSD > 199609) || (OpenBSD > 199603) || (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-# else
-# include <sys/dir.h>
-# endif
-# include <sys/mbuf.h>
-# else
-# include <sys/filio.h>
-# include <sys/cred.h>
-# include <sys/ddi.h>
-# include <sys/sunddi.h>
-# include <sys/ksynch.h>
-# include <sys/kmem.h>
-# include <sys/mkdev.h>
-# include <sys/dditypes.h>
-# include <sys/cmn_err.h>
-# endif
-# include <sys/protosw.h>
-# include <sys/socket.h>
-
-# include <net/if.h>
-# ifdef sun
-# include <net/af.h>
-# endif
-# if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-# endif
-# include <net/route.h>
-# include <netinet/in.h>
-# ifdef __sgi
-# include <sys/ddi.h>
-# ifdef IFF_DRVRLOCK /* IRIX6 */
-# include <sys/hashing.h>
-# endif
-# endif
-# if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /*IRIX<6*/
-# include <netinet/in_var.h>
-# endif
-# include <netinet/in_systm.h>
-# include <netinet/ip.h>
-# include <netinet/tcp.h>
-# include <netinet/udp.h>
-# include <netinet/ip_icmp.h>
-# include <netinet/ip_var.h>
-# ifndef _KERNEL
-# include <syslog.h>
-# endif
-# include <netinet/ip_fil_compat.h>
-# include <netinet/tcpip.h>
-# include <netinet/ip_fil.h>
-# include <netinet/ip_proxy.h>
-# include <netinet/ip_nat.h>
-# include <netinet/ip_frag.h>
-# include <netinet/ip_state.h>
-# include <netinet/ip_auth.h>
-# if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# endif
-
-# ifndef MIN
-# define MIN(a,b) (((a)<(b))?(a):(b))
-# endif
-
-
-# if SOLARIS || defined(__sgi)
-extern kmutex_t ipl_mutex;
-# if SOLARIS
-extern kcondvar_t iplwait;
-# endif
-# endif
-
-iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1], *ipll[IPL_LOGMAX+1];
-size_t iplused[IPL_LOGMAX+1];
-static fr_info_t iplcrc[IPL_LOGMAX+1];
-
-
-/*
- * Initialise log buffers & pointers. Also iniialised the CRC to a local
- * secret for use in calculating the "last log checksum".
- */
-void ipflog_init()
-{
- int i;
-
- for (i = IPL_LOGMAX; i >= 0; i--) {
- iplt[i] = NULL;
- ipll[i] = NULL;
- iplh[i] = &iplt[i];
- iplused[i] = 0;
- bzero((char *)&iplcrc[i], sizeof(iplcrc[i]));
- }
-}
-
-
-/*
- * ipflog
- * Create a log record for a packet given that it has been triggered by a
- * rule (or the default setting). Calculate the transport protocol header
- * size using predetermined size of a couple of popular protocols and thus
- * how much data to copy into the log, including part of the data body if
- * requested.
- */
-int ipflog(flags, ip, fin, m)
-u_int flags;
-ip_t *ip;
-fr_info_t *fin;
-mb_t *m;
-{
- ipflog_t ipfl;
- register size_t mlen, hlen;
- size_t sizes[2];
- void *ptrs[2];
- int types[2];
- u_char p;
-# if SOLARIS
- ill_t *ifp = fin->fin_ifp;
-# else
- struct ifnet *ifp = fin->fin_ifp;
-# endif
-
- /*
- * calculate header size.
- */
- hlen = fin->fin_hlen;
- if (fin->fin_off == 0) {
- p = fin->fin_fi.fi_p;
- if (p == IPPROTO_TCP)
- hlen += MIN(sizeof(tcphdr_t), fin->fin_dlen);
- else if (p == IPPROTO_UDP)
- hlen += MIN(sizeof(udphdr_t), fin->fin_dlen);
- else if (p == IPPROTO_ICMP) {
- struct icmp *icmp;
-
- icmp = (struct icmp *)fin->fin_dp;
-
- /*
- * For ICMP, if the packet is an error packet, also
- * include the information about the packet which
- * caused the error.
- */
- switch (icmp->icmp_type)
- {
- case ICMP_UNREACH :
- case ICMP_SOURCEQUENCH :
- case ICMP_REDIRECT :
- case ICMP_TIMXCEED :
- case ICMP_PARAMPROB :
- hlen += MIN(sizeof(struct icmp) + 8,
- fin->fin_dlen);
- break;
- default :
- hlen += MIN(sizeof(struct icmp),
- fin->fin_dlen);
- break;
- }
- }
- }
- /*
- * Get the interface number and name to which this packet is
- * currently associated.
- */
-# if SOLARIS
- ipfl.fl_unit = (u_char)ifp->ill_ppa;
- bcopy(ifp->ill_name, ipfl.fl_ifname, MIN(ifp->ill_name_length, 4));
- mlen = (flags & FR_LOGBODY) ? MIN(msgdsize(m) - hlen, 128) : 0;
-# else
-# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
- (defined(OpenBSD) && (OpenBSD >= 199603))
- strncpy(ipfl.fl_ifname, ifp->if_xname, IFNAMSIZ);
-# else
- ipfl.fl_unit = (u_char)ifp->if_unit;
- if ((ipfl.fl_ifname[0] = ifp->if_name[0]))
- if ((ipfl.fl_ifname[1] = ifp->if_name[1]))
- if ((ipfl.fl_ifname[2] = ifp->if_name[2]))
- ipfl.fl_ifname[3] = ifp->if_name[3];
-# endif
- mlen = (flags & FR_LOGBODY) ? MIN(fin->fin_plen - hlen, 128) : 0;
-# endif
- ipfl.fl_plen = (u_char)mlen;
- ipfl.fl_hlen = (u_char)hlen;
- ipfl.fl_rule = fin->fin_rule;
- ipfl.fl_group = fin->fin_group;
- if (fin->fin_fr != NULL)
- ipfl.fl_loglevel = fin->fin_fr->fr_loglevel;
- else
- ipfl.fl_loglevel = 0xffff;
- ipfl.fl_flags = flags;
- ptrs[0] = (void *)&ipfl;
- sizes[0] = sizeof(ipfl);
- types[0] = 0;
-# if SOLARIS
- /*
- * Are we copied from the mblk or an aligned array ?
- */
- if (ip == (ip_t *)m->b_rptr) {
- ptrs[1] = m;
- sizes[1] = hlen + mlen;
- types[1] = 1;
- } else {
- ptrs[1] = ip;
- sizes[1] = hlen + mlen;
- types[1] = 0;
- }
-# else
- ptrs[1] = m;
- sizes[1] = hlen + mlen;
- types[1] = 1;
-# endif
- return ipllog(IPL_LOGIPF, fin, ptrs, sizes, types, 2);
-}
-
-
-/*
- * ipllog
- */
-int ipllog(dev, fin, items, itemsz, types, cnt)
-int dev;
-fr_info_t *fin;
-void **items;
-size_t *itemsz;
-int *types, cnt;
-{
- caddr_t buf, s;
- iplog_t *ipl;
- size_t len;
- int i;
-
- /*
- * Check to see if this log record has a CRC which matches the last
- * record logged. If it does, just up the count on the previous one
- * rather than create a new one.
- */
- MUTEX_ENTER(&ipl_mutex);
- if (fin != NULL) {
- if ((ipll[dev] != NULL) &&
- bcmp((char *)fin, (char *)&iplcrc[dev], FI_CSIZE) == 0) {
- ipll[dev]->ipl_count++;
- MUTEX_EXIT(&ipl_mutex);
- return 1;
- }
- bcopy((char *)fin, (char *)&iplcrc[dev], FI_CSIZE);
- } else
- bzero((char *)&iplcrc[dev], FI_CSIZE);
- MUTEX_EXIT(&ipl_mutex);
-
- /*
- * Get the total amount of data to be logged.
- */
- for (i = 0, len = sizeof(iplog_t); i < cnt; i++)
- len += itemsz[i];
-
- /*
- * check that we have space to record this information and can
- * allocate that much.
- */
- KMALLOCS(buf, caddr_t, len);
- if (!buf)
- return 0;
- MUTEX_ENTER(&ipl_mutex);
- if ((iplused[dev] + len) > IPLLOGSIZE) {
- MUTEX_EXIT(&ipl_mutex);
- KFREES(buf, len);
- return 0;
- }
- iplused[dev] += len;
- MUTEX_EXIT(&ipl_mutex);
-
- /*
- * advance the log pointer to the next empty record and deduct the
- * amount of space we're going to use.
- */
- ipl = (iplog_t *)buf;
- ipl->ipl_magic = IPL_MAGIC;
- ipl->ipl_count = 1;
- ipl->ipl_next = NULL;
- ipl->ipl_dsize = len;
-# if SOLARIS || defined(sun)
- uniqtime((struct timeval *)&ipl->ipl_sec);
-# else
-# if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi)
- microtime((struct timeval *)&ipl->ipl_sec);
-# endif
-# endif
-
- /*
- * Loop through all the items to be logged, copying each one to the
- * buffer. Use bcopy for normal data or the mb_t copyout routine.
- */
- for (i = 0, s = buf + sizeof(*ipl); i < cnt; i++) {
- if (types[i] == 0)
- bcopy(items[i], s, itemsz[i]);
- else if (types[i] == 1) {
-# if SOLARIS
- copyout_mblk(items[i], 0, itemsz[i], s);
-# else
- m_copydata(items[i], 0, itemsz[i], s);
-# endif
- }
- s += itemsz[i];
- }
- MUTEX_ENTER(&ipl_mutex);
- ipll[dev] = ipl;
- *iplh[dev] = ipl;
- iplh[dev] = &ipl->ipl_next;
-# if SOLARIS
- cv_signal(&iplwait);
- mutex_exit(&ipl_mutex);
-# else
- MUTEX_EXIT(&ipl_mutex);
- wakeup(&iplh[dev]);
-# endif
- return 1;
-}
-
-
-int ipflog_read(unit, uio)
-minor_t unit;
-struct uio *uio;
-{
- size_t dlen, copied;
- int error = 0;
- iplog_t *ipl;
-# if defined(_KERNEL) && !SOLARIS
- int s;
-# endif
-
- /*
- * Sanity checks. Make sure the minor # is valid and we're copying
- * a valid chunk of data.
- */
- if (IPL_LOGMAX < unit)
- return ENXIO;
- if (!uio->uio_resid)
- return 0;
- if (uio->uio_resid < sizeof(iplog_t))
- return EINVAL;
-
- /*
- * Lock the log so we can snapshot the variables. Wait for a signal
- * if the log is empty.
- */
- SPL_NET(s);
- MUTEX_ENTER(&ipl_mutex);
-
- while (!iplused[unit] || !iplt[unit]) {
-# if SOLARIS && defined(_KERNEL)
- if (!cv_wait_sig(&iplwait, &ipl_mutex)) {
- MUTEX_EXIT(&ipl_mutex);
- return EINTR;
- }
-# else
- MUTEX_EXIT(&ipl_mutex);
- error = SLEEP(&iplh[unit], "ipl sleep");
- if (error) {
- SPL_X(s);
- return error;
- }
- MUTEX_ENTER(&ipl_mutex);
-# endif /* SOLARIS */
- }
-
-# if BSD >= 199306 || defined(__FreeBSD__)
- uio->uio_rw = UIO_READ;
-# endif
-
- for (copied = 0; (ipl = iplt[unit]); copied += dlen) {
- dlen = ipl->ipl_dsize;
- if (dlen > uio->uio_resid)
- break;
- /*
- * Don't hold the mutex over the uiomove call.
- */
- MUTEX_EXIT(&ipl_mutex);
- SPL_X(s);
- error = UIOMOVE((caddr_t)ipl, dlen, UIO_READ, uio);
- if (error) {
- SPL_NET(s);
- MUTEX_ENTER(&ipl_mutex);
- break;
- }
- SPL_NET(s);
- MUTEX_ENTER(&ipl_mutex);
- iplused[unit] -= dlen;
- iplt[unit] = ipl->ipl_next;
- KFREES((caddr_t)ipl, dlen);
- }
- if (!iplt[unit]) {
- iplused[unit] = 0;
- iplh[unit] = &iplt[unit];
- ipll[unit] = NULL;
- }
-
- MUTEX_EXIT(&ipl_mutex);
- SPL_X(s);
- return error;
-}
-
-
-int ipflog_clear(unit)
-minor_t unit;
-{
- iplog_t *ipl;
- int used;
-
- MUTEX_ENTER(&ipl_mutex);
- while ((ipl = iplt[unit])) {
- iplt[unit] = ipl->ipl_next;
- KFREES((caddr_t)ipl, ipl->ipl_dsize);
- }
- iplh[unit] = &iplt[unit];
- ipll[unit] = NULL;
- used = iplused[unit];
- iplused[unit] = 0;
- bzero((char *)&iplcrc[unit], FI_CSIZE);
- MUTEX_EXIT(&ipl_mutex);
- return used;
-}
-#endif /* IPFILTER_LOG */
diff --git a/sys/netinet/ip_nat.c b/sys/netinet/ip_nat.c
deleted file mode 100644
index 412fb9fb6a2..00000000000
--- a/sys/netinet/ip_nat.c
+++ /dev/null
@@ -1,2736 +0,0 @@
-/* $OpenBSD: ip_nat.c,v 1.40 2001/05/08 19:58:01 fgsch Exp $ */
-
-/*
- * Copyright (C) 1995-2001 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * Added redirect stuff and a LOT of bug fixes. (mcn@EnGarde.com)
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ip_nat.c,v 2.37.2.35 2001/04/06 14:07:40 darrenr Exp $";
-#endif
-
-#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
-#define _KERNEL
-#endif
-
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
- defined(_KERNEL)
-# include "opt_ipfilter_log.h"
-#endif
-#if !defined(_KERNEL) && !defined(KERNEL)
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-#endif
-#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-#else
-# include <sys/ioctl.h>
-#endif
-#include <sys/fcntl.h>
-#include <sys/uio.h>
-#ifndef linux
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if defined(_KERNEL) && !defined(linux)
-# include <sys/systm.h>
-#endif
-#if !defined(__SVR4) && !defined(__svr4__)
-# ifndef linux
-# include <sys/mbuf.h>
-# endif
-#else
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-# include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-#if __FreeBSD_version >= 300000
-# include <sys/queue.h>
-#endif
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-# if defined(_KERNEL) && !defined(IPFILTER_LKM)
-# include "opt_ipfilter.h"
-# endif
-#endif
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-
-#ifdef __sgi
-# ifdef IFF_DRVRLOCK /* IRIX6 */
-#include <sys/hashing.h>
-#include <netinet/in_var.h>
-# endif
-#endif
-
-#ifdef RFC1825
-# include <vpn/md5.h>
-# include <vpn/ipsec.h>
-extern struct ifnet vpnif;
-#endif
-
-#ifndef linux
-# include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_proxy.h>
-#include <netinet/ip_nat.h>
-#include <netinet/ip_frag.h>
-#include <netinet/ip_state.h>
-#if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-#endif
-#ifndef MIN
-# define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-#undef SOCKADDR_IN
-#define SOCKADDR_IN struct sockaddr_in
-
-nat_t **nat_table[2] = { NULL, NULL },
- *nat_instances = NULL;
-ipnat_t *nat_list = NULL;
-u_int ipf_nattable_sz = NAT_TABLE_SZ;
-u_int ipf_natrules_sz = NAT_SIZE;
-u_int ipf_rdrrules_sz = RDR_SIZE;
-u_int ipf_hostmap_sz = HOSTMAP_SIZE;
-u_32_t nat_masks = 0;
-u_32_t rdr_masks = 0;
-ipnat_t **nat_rules = NULL;
-ipnat_t **rdr_rules = NULL;
-hostmap_t **maptable = NULL;
-
-u_long fr_defnatage = DEF_NAT_AGE,
- fr_defnaticmpage = 6; /* 3 seconds */
-natstat_t nat_stats;
-int fr_nat_lock = 0;
-#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern kmutex_t ipf_rw;
-extern KRWLOCK_T ipf_nat;
-#endif
-
-static int nat_flushtable __P((void));
-static void nat_addnat __P((struct ipnat *));
-static void nat_addrdr __P((struct ipnat *));
-static void nat_delete __P((struct nat *));
-static void nat_delrdr __P((struct ipnat *));
-static void nat_delnat __P((struct ipnat *));
-static int fr_natgetent __P((caddr_t));
-static int fr_natgetsz __P((caddr_t));
-static int fr_natputent __P((caddr_t));
-static void nat_tabmove __P((nat_t *, u_32_t));
-static int nat_match __P((fr_info_t *, ipnat_t *, ip_t *));
-static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr,
- struct in_addr));
-static void nat_hostmapdel __P((struct hostmap *));
-
-
-int nat_init()
-{
- KMALLOCS(nat_table[0], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);
- if (nat_table[0] != NULL)
- bzero((char *)nat_table[0], ipf_nattable_sz * sizeof(nat_t *));
- else
- return -1;
-
- KMALLOCS(nat_table[1], nat_t **, sizeof(nat_t *) * ipf_nattable_sz);
- if (nat_table[1] != NULL)
- bzero((char *)nat_table[1], ipf_nattable_sz * sizeof(nat_t *));
- else
- return -1;
-
- KMALLOCS(nat_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_natrules_sz);
- if (nat_rules != NULL)
- bzero((char *)nat_rules, ipf_natrules_sz * sizeof(ipnat_t *));
- else
- return -1;
-
- KMALLOCS(rdr_rules, ipnat_t **, sizeof(ipnat_t *) * ipf_rdrrules_sz);
- if (rdr_rules != NULL)
- bzero((char *)rdr_rules, ipf_rdrrules_sz * sizeof(ipnat_t *));
- else
- return -1;
-
- KMALLOCS(maptable, hostmap_t **, sizeof(hostmap_t *) * ipf_hostmap_sz);
- if (maptable != NULL)
- bzero((char *)maptable, sizeof(hostmap_t *) * ipf_hostmap_sz);
- else
- return -1;
- return 0;
-}
-
-
-static void nat_addrdr(n)
-ipnat_t *n;
-{
- ipnat_t **np;
- u_32_t j;
- u_int hv;
- int k;
-
- k = countbits(n->in_outmsk);
- if ((k >= 0) && (k != 32))
- rdr_masks |= 1 << k;
- j = (n->in_outip & n->in_outmsk);
- hv = NAT_HASH_FN(j, 0, ipf_rdrrules_sz);
- np = rdr_rules + hv;
- while (*np != NULL)
- np = &(*np)->in_rnext;
- n->in_rnext = NULL;
- n->in_prnext = np;
- *np = n;
-}
-
-
-static void nat_addnat(n)
-ipnat_t *n;
-{
- ipnat_t **np;
- u_32_t j;
- u_int hv;
- int k;
-
- k = countbits(n->in_inmsk);
- if ((k >= 0) && (k != 32))
- nat_masks |= 1 << k;
- j = (n->in_inip & n->in_inmsk);
- hv = NAT_HASH_FN(j, 0, ipf_natrules_sz);
- np = nat_rules + hv;
- while (*np != NULL)
- np = &(*np)->in_mnext;
- n->in_mnext = NULL;
- n->in_pmnext = np;
- *np = n;
-}
-
-
-static void nat_delrdr(n)
-ipnat_t *n;
-{
- if (n->in_rnext)
- n->in_rnext->in_prnext = n->in_prnext;
- *n->in_prnext = n->in_rnext;
-}
-
-
-static void nat_delnat(n)
-ipnat_t *n;
-{
- if (n->in_mnext)
- n->in_mnext->in_pmnext = n->in_pmnext;
- *n->in_pmnext = n->in_mnext;
-}
-
-
-/*
- * check if an ip address has already been allocated for a given mapping that
- * is not doing port based translation.
- *
- * Must be called with ipf_nat held as a write lock.
- */
-static struct hostmap *nat_hostmap(np, real, map)
-ipnat_t *np;
-struct in_addr real;
-struct in_addr map;
-{
- hostmap_t *hm;
- u_int hv;
-
- hv = real.s_addr % HOSTMAP_SIZE;
- for (hm = maptable[hv]; hm; hm = hm->hm_next)
- if ((hm->hm_realip.s_addr == real.s_addr) &&
- (np == hm->hm_ipnat)) {
- hm->hm_ref++;
- return hm;
- }
-
- KMALLOC(hm, hostmap_t *);
- if (hm) {
- hm->hm_next = maptable[hv];
- hm->hm_pnext = maptable + hv;
- if (maptable[hv])
- maptable[hv]->hm_pnext = &hm->hm_next;
- maptable[hv] = hm;
- hm->hm_ipnat = np;
- hm->hm_realip = real;
- hm->hm_mapip = map;
- hm->hm_ref = 1;
- }
- return hm;
-}
-
-
-/*
- * Must be called with ipf_nat held as a write lock.
- */
-static void nat_hostmapdel(hm)
-struct hostmap *hm;
-{
- ATOMIC_DEC32(hm->hm_ref);
- if (hm->hm_ref == 0) {
- if (hm->hm_next)
- hm->hm_next->hm_pnext = hm->hm_pnext;
- *hm->hm_pnext = hm->hm_next;
- KFREE(hm);
- }
-}
-
-
-void fix_outcksum(sp, n)
-u_short *sp;
-u_32_t n;
-{
- register u_short sumshort;
- register u_32_t sum1;
-
- if (!n)
- return;
-#if SOLARIS2 >= 6
- else if (n & NAT_HW_CKSUM) {
- *sp = n & 0xffff;
- return;
- }
-#endif
- sum1 = (~ntohs(*sp)) & 0xffff;
- sum1 += (n);
- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
- /* Again */
- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
- sumshort = ~(u_short)sum1;
- *(sp) = htons(sumshort);
-}
-
-
-void fix_incksum(sp, n)
-u_short *sp;
-u_32_t n;
-{
- register u_short sumshort;
- register u_32_t sum1;
-
- if (!n)
- return;
-#if SOLARIS2 >= 6
- else if (n & NAT_HW_CKSUM) {
- *sp = n & 0xffff;
- return;
- }
-#endif
- sum1 = (~ntohs(*sp)) & 0xffff;
- sum1 += ~(n) & 0xffff;
- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
- /* Again */
- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
- sumshort = ~(u_short)sum1;
- *(sp) = htons(sumshort);
-}
-
-
-/*
- * fix_datacksum is used *only* for the adjustments of checksums in the data
- * section of an IP packet.
- *
- * The only situation in which you need to do this is when NAT'ing an
- * ICMP error message. Such a message, contains in its body the IP header
- * of the original IP packet, that causes the error.
- *
- * You can't use fix_incksum or fix_outcksum in that case, because for the
- * kernel the data section of the ICMP error is just data, and no special
- * processing like hardware cksum or ntohs processing have been done by the
- * kernel on the data section.
- */
-void fix_datacksum(sp, n)
-u_short *sp;
-u_32_t n;
-{
- register u_short sumshort;
- register u_32_t sum1;
-
- if (!n)
- return;
-
- sum1 = (~ntohs(*sp)) & 0xffff;
- sum1 += (n);
- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
- /* Again */
- sum1 = (sum1 >> 16) + (sum1 & 0xffff);
- sumshort = ~(u_short)sum1;
- *(sp) = htons(sumshort);
-}
-
-/*
- * How the NAT is organised and works.
- *
- * Inside (interface y) NAT Outside (interface x)
- * -------------------- -+- -------------------------------------
- * Packet going | out, processsed by ip_natout() for x
- * ------------> | ------------>
- * src=10.1.1.1 | src=192.1.1.1
- * |
- * | in, processed by ip_natin() for x
- * <------------ | <------------
- * dst=10.1.1.1 | dst=192.1.1.1
- * -------------------- -+- -------------------------------------
- * ip_natout() - changes ip_src and if required, sport
- * - creates a new mapping, if required.
- * ip_natin() - changes ip_dst and if required, dport
- *
- * In the NAT table, internal source is recorded as "in" and externally
- * seen as "out".
- */
-
-/*
- * Handle ioctls which manipulate the NAT.
- */
-int nat_ioctl(data, cmd, mode)
-#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
-u_long cmd;
-#else
-int cmd;
-#endif
-caddr_t data;
-int mode;
-{
- register ipnat_t *nat, *nt, *n = NULL, **np = NULL;
- int error = 0, ret, arg;
- ipnat_t natd;
- u_32_t i, j;
-
-#if (BSD >= 199306) && defined(_KERNEL)
- if ((securelevel >= 2) && (mode & FWRITE))
- return EPERM;
-#endif
-
- nat = NULL; /* XXX gcc -Wuninitialized */
- KMALLOC(nt, ipnat_t *);
- if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT))
- error = IRCOPYPTR(data, (char *)&natd, sizeof(natd));
- else if (cmd == SIOCIPFFL) { /* SIOCFLNAT & SIOCCNATL */
- error = IRCOPY(data, (char *)&arg, sizeof(arg));
- if (error)
- error = EFAULT;
- }
-
- if (error)
- goto done;
-
- /*
- * For add/delete, look to see if the NAT entry is already present
- */
- WRITE_ENTER(&ipf_nat);
- if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
- nat = &natd;
- nat->in_flags &= IPN_USERFLAGS;
- if ((nat->in_redir & NAT_MAPBLK) == 0) {
- if ((nat->in_flags & IPN_SPLIT) == 0)
- nat->in_inip &= nat->in_inmsk;
- if ((nat->in_flags & IPN_IPRANGE) == 0)
- nat->in_outip &= nat->in_outmsk;
- }
- for (np = &nat_list; (n = *np); np = &n->in_next)
- if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
- IPN_CMPSIZ))
- break;
- }
-
- switch (cmd)
- {
-#ifdef IPFILTER_LOG
- case SIOCIPFFB :
- {
- int tmp;
-
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- tmp = ipflog_clear(IPL_LOGNAT);
- IWCOPY((char *)&tmp, (char *)data, sizeof(tmp));
- }
- break;
- }
-#endif
- case SIOCADNAT :
- if (!(mode & FWRITE)) {
- error = EPERM;
- break;
- }
- if (n) {
- error = EEXIST;
- break;
- }
- if (nt == NULL) {
- error = ENOMEM;
- break;
- }
- n = nt;
- nt = NULL;
- bcopy((char *)nat, (char *)n, sizeof(*n));
- n->in_ifp = (void *)GETUNIT(n->in_ifname, 4);
- if (!n->in_ifp)
- n->in_ifp = (void *)-1;
- if (n->in_plabel[0] != '\0') {
- n->in_apr = appr_match(n->in_p, n->in_plabel);
- if (!n->in_apr) {
- error = ENOENT;
- break;
- }
- }
- n->in_next = NULL;
- *np = n;
-
- if (n->in_redir & NAT_REDIRECT) {
- n->in_flags &= ~IPN_NOTDST;
- nat_addrdr(n);
- }
- if (n->in_redir & (NAT_MAP|NAT_MAPBLK)) {
- n->in_flags &= ~IPN_NOTSRC;
- nat_addnat(n);
- }
-
- n->in_use = 0;
- if (n->in_redir & NAT_MAPBLK)
- n->in_space = USABLE_PORTS * ~ntohl(n->in_outmsk);
- else if (n->in_flags & IPN_AUTOPORTMAP)
- n->in_space = USABLE_PORTS * ~ntohl(n->in_inmsk);
- else if (n->in_flags & IPN_IPRANGE)
- n->in_space = ntohl(n->in_outmsk) - ntohl(n->in_outip);
- else if (n->in_flags & IPN_SPLIT)
- n->in_space = 2;
- else
- n->in_space = ~ntohl(n->in_outmsk);
- /*
- * Calculate the number of valid IP addresses in the output
- * mapping range. In all cases, the range is inclusive of
- * the start and ending IP addresses.
- * If to a CIDR address, lose 2: broadcast + network address
- * (so subtract 1)
- * If to a range, add one.
- * If to a single IP address, set to 1.
- */
- if (n->in_space) {
- if ((n->in_flags & IPN_IPRANGE) != 0)
- n->in_space += 1;
- else
- n->in_space -= 1;
- } else
- n->in_space = 1;
- if ((n->in_outmsk != 0xffffffff) && (n->in_outmsk != 0) &&
- ((n->in_flags & (IPN_IPRANGE|IPN_SPLIT)) == 0))
- n->in_nip = ntohl(n->in_outip) + 1;
- else if ((n->in_flags & IPN_SPLIT) &&
- (n->in_redir & NAT_REDIRECT))
- n->in_nip = ntohl(n->in_inip);
- else
- n->in_nip = ntohl(n->in_outip);
- if (n->in_redir & NAT_MAP) {
- n->in_pnext = ntohs(n->in_pmin);
- /*
- * Multiply by the number of ports made available.
- */
- if (ntohs(n->in_pmax) >= ntohs(n->in_pmin)) {
- n->in_space *= (ntohs(n->in_pmax) -
- ntohs(n->in_pmin) + 1);
- /*
- * Because two different sources can map to
- * different destinations but use the same
- * local IP#/port #.
- * If the result is smaller than in_space, then
- * we may have wrapped around 32bits.
- */
- i = n->in_inmsk;
- if ((i != 0) && (i != 0xffffffff)) {
- j = n->in_space * (~ntohl(i) + 1);
- if (j >= n->in_space)
- n->in_space = j;
- else
- n->in_space = 0xffffffff;
- }
- }
- /*
- * If no protocol is specified, multiple by 256.
- */
- if ((n->in_flags & IPN_TCPUDP) == 0) {
- j = n->in_space * 256;
- if (j >= n->in_space)
- n->in_space = j;
- else
- n->in_space = 0xffffffff;
- }
- }
- /* Otherwise, these fields are preset */
- n = NULL;
- nat_stats.ns_rules++;
- break;
- case SIOCRMNAT :
- if (!(mode & FWRITE)) {
- error = EPERM;
- n = NULL;
- break;
- }
- if (!n) {
- error = ESRCH;
- break;
- }
- if (n->in_redir & NAT_REDIRECT)
- nat_delrdr(n);
- if (n->in_redir & (NAT_MAPBLK|NAT_MAP))
- nat_delnat(n);
- if (nat_list == NULL) {
- nat_masks = 0;
- rdr_masks = 0;
- }
- *np = n->in_next;
- if (!n->in_use) {
- if (n->in_apr)
- appr_free(n->in_apr);
- KFREE(n);
- nat_stats.ns_rules--;
- } else {
- n->in_flags |= IPN_DELETE;
- n->in_next = NULL;
- }
- n = NULL;
- break;
- case SIOCGNATS :
- MUTEX_DOWNGRADE(&ipf_nat);
- nat_stats.ns_table[0] = nat_table[0];
- nat_stats.ns_table[1] = nat_table[1];
- nat_stats.ns_list = nat_list;
- nat_stats.ns_nattab_sz = ipf_nattable_sz;
- nat_stats.ns_rultab_sz = ipf_natrules_sz;
- nat_stats.ns_rdrtab_sz = ipf_rdrrules_sz;
- nat_stats.ns_instances = nat_instances;
- nat_stats.ns_apslist = ap_sess_list;
- error = IWCOPYPTR((char *)&nat_stats, (char *)data,
- sizeof(nat_stats));
- break;
- case SIOCGNATL :
- {
- natlookup_t nl;
-
- MUTEX_DOWNGRADE(&ipf_nat);
- error = IRCOPYPTR((char *)data, (char *)&nl, sizeof(nl));
- if (error)
- break;
-
- if (nat_lookupredir(&nl)) {
- error = IWCOPYPTR((char *)&nl, (char *)data,
- sizeof(nl));
- } else
- error = ESRCH;
- break;
- }
- case SIOCIPFFL : /* old SIOCFLNAT & SIOCCNATL */
- if (!(mode & FWRITE)) {
- error = EPERM;
- break;
- }
- error = 0;
- if (arg == 0)
- ret = nat_flushtable();
- else if (arg == 1)
- ret = nat_clearlist();
- else
- error = EINVAL;
- MUTEX_DOWNGRADE(&ipf_nat);
- if (!error) {
- error = IWCOPY((caddr_t)&ret, data, sizeof(ret));
- if (error)
- error = EFAULT;
- }
- break;
- case SIOCSTLCK :
- error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
- if (!error) {
- error = IWCOPY((caddr_t)&fr_nat_lock, data,
- sizeof(fr_nat_lock));
- if (!error)
- fr_nat_lock = arg;
- } else
- error = EFAULT;
- break;
- case SIOCSTPUT :
- if (fr_nat_lock)
- error = fr_natputent(data);
- else
- error = EACCES;
- break;
- case SIOCSTGSZ :
- if (fr_nat_lock)
- error = fr_natgetsz(data);
- else
- error = EACCES;
- break;
- case SIOCSTGET :
- if (fr_nat_lock)
- error = fr_natgetent(data);
- else
- error = EACCES;
- break;
- case FIONREAD :
-#ifdef IPFILTER_LOG
- arg = (int)iplused[IPL_LOGNAT];
- MUTEX_DOWNGRADE(&ipf_nat);
- error = IWCOPY((caddr_t)&arg, (caddr_t)data, sizeof(arg));
- if (error)
- error = EFAULT;
-#endif
- break;
- default :
- error = EINVAL;
- break;
- }
- RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
-done:
- if (nt)
- KFREE(nt);
- return error;
-}
-
-
-static int fr_natgetsz(data)
-caddr_t data;
-{
- ap_session_t *aps;
- nat_t *nat, *n;
- int error = 0;
- natget_t ng;
-
- error = IRCOPY(data, (caddr_t)&ng, sizeof(ng));
- if (error)
- return EFAULT;
-
- nat = ng.ng_ptr;
- if (!nat) {
- nat = nat_instances;
- ng.ng_sz = 0;
- if (nat == NULL) {
- error = IWCOPY((caddr_t)&ng, data, sizeof(ng));
- if (error)
- error = EFAULT;
- return error;
- }
- } else {
- /*
- * Make sure the pointer we're copying from exists in the
- * current list of entries. Security precaution to prevent
- * copying of random kernel data.
- */
- for (n = nat_instances; n; n = n->nat_next)
- if (n == nat)
- break;
- if (!n)
- return ESRCH;
- }
-
- ng.ng_sz = sizeof(nat_save_t);
- aps = nat->nat_aps;
- if ((aps != NULL) && (aps->aps_data != 0)) {
- ng.ng_sz += sizeof(ap_session_t);
- ng.ng_sz += aps->aps_psiz;
- }
-
- error = IWCOPY((caddr_t)&ng, data, sizeof(ng));
- if (error)
- error = EFAULT;
- return error;
-}
-
-
-static int fr_natgetent(data)
-caddr_t data;
-{
- nat_save_t ipn, *ipnp, *ipnn = NULL;
- register nat_t *n, *nat;
- ap_session_t *aps;
- int error;
-
- error = IRCOPY(data, (caddr_t)&ipnp, sizeof(ipnp));
- if (error)
- return EFAULT;
- error = IRCOPY((caddr_t)ipnp, (caddr_t)&ipn, sizeof(ipn));
- if (error)
- return EFAULT;
-
- nat = ipn.ipn_next;
- if (!nat) {
- nat = nat_instances;
- if (nat == NULL) {
- if (nat_instances == NULL)
- return ENOENT;
- return 0;
- }
- } else {
- /*
- * Make sure the pointer we're copying from exists in the
- * current list of entries. Security precaution to prevent
- * copying of random kernel data.
- */
- for (n = nat_instances; n; n = n->nat_next)
- if (n == nat)
- break;
- if (!n)
- return ESRCH;
- }
-
- ipn.ipn_next = nat->nat_next;
- ipn.ipn_dsize = 0;
- bcopy((char *)nat, (char *)&ipn.ipn_nat, sizeof(ipn.ipn_nat));
- ipn.ipn_nat.nat_data = NULL;
-
- if (nat->nat_ptr) {
- bcopy((char *)nat->nat_ptr, (char *)&ipn.ipn_ipnat,
- sizeof(ipn.ipn_ipnat));
- }
-
- if (nat->nat_fr)
- bcopy((char *)nat->nat_fr, (char *)&ipn.ipn_rule,
- sizeof(ipn.ipn_rule));
-
- if ((aps = nat->nat_aps)) {
- ipn.ipn_dsize = sizeof(*aps);
- if (aps->aps_data)
- ipn.ipn_dsize += aps->aps_psiz;
- KMALLOCS(ipnn, nat_save_t *, sizeof(*ipnn) + ipn.ipn_dsize);
- if (ipnn == NULL)
- return ENOMEM;
- bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn));
-
- bcopy((char *)aps, ipnn->ipn_data, sizeof(*aps));
- if (aps->aps_data) {
- bcopy(aps->aps_data, ipnn->ipn_data + sizeof(*aps),
- aps->aps_psiz);
- ipnn->ipn_dsize += aps->aps_psiz;
- }
- error = IWCOPY((caddr_t)ipnn, ipnp,
- sizeof(ipn) + ipn.ipn_dsize);
- if (error)
- error = EFAULT;
- KFREES(ipnn, sizeof(*ipnn) + ipn.ipn_dsize);
- } else {
- error = IWCOPY((caddr_t)&ipn, ipnp, sizeof(ipn));
- if (error)
- error = EFAULT;
- }
- return error;
-}
-
-
-static int fr_natputent(data)
-caddr_t data;
-{
- nat_save_t ipn, *ipnp, *ipnn = NULL;
- register nat_t *n, *nat;
- ap_session_t *aps;
- frentry_t *fr;
- ipnat_t *in;
-
- int error;
-
- error = IRCOPY(data, (caddr_t)&ipnp, sizeof(ipnp));
- if (error)
- return EFAULT;
- error = IRCOPY((caddr_t)ipnp, (caddr_t)&ipn, sizeof(ipn));
- if (error)
- return EFAULT;
- nat = NULL;
- if (ipn.ipn_dsize) {
- KMALLOCS(ipnn, nat_save_t *, sizeof(ipn) + ipn.ipn_dsize);
- if (ipnn == NULL)
- return ENOMEM;
- bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn));
- error = IRCOPY((caddr_t)ipnp, (caddr_t)ipn.ipn_data,
- ipn.ipn_dsize);
- if (error) {
- error = EFAULT;
- goto junkput;
- }
- } else
- ipnn = NULL;
-
- KMALLOC(nat, nat_t *);
- if (nat == NULL) {
- error = EFAULT;
- goto junkput;
- }
-
- bcopy((char *)&ipn.ipn_nat, (char *)nat, sizeof(*nat));
- /*
- * Initialize all these so that nat_delete() doesn't cause a crash.
- */
- nat->nat_phnext[0] = NULL;
- nat->nat_phnext[1] = NULL;
- fr = nat->nat_fr;
- nat->nat_fr = NULL;
- aps = nat->nat_aps;
- nat->nat_aps = NULL;
- in = nat->nat_ptr;
- nat->nat_ptr = NULL;
- nat->nat_data = NULL;
-
- /*
- * Restore the rule associated with this nat session
- */
- if (in) {
- KMALLOC(in, ipnat_t *);
- if (in == NULL) {
- error = ENOMEM;
- goto junkput;
- }
- nat->nat_ptr = in;
- bcopy((char *)&ipn.ipn_ipnat, (char *)in, sizeof(*in));
- in->in_use = 1;
- in->in_flags |= IPN_DELETE;
- in->in_next = NULL;
- in->in_rnext = NULL;
- in->in_prnext = NULL;
- in->in_mnext = NULL;
- in->in_pmnext = NULL;
- in->in_ifp = GETUNIT(in->in_ifname, 4);
- if (in->in_plabel[0] != '\0') {
- in->in_apr = appr_match(in->in_p, in->in_plabel);
- }
- }
-
- /*
- * Restore ap_session_t structure. Include the private data allocated
- * if it was there.
- */
- if (aps) {
- KMALLOC(aps, ap_session_t *);
- if (aps == NULL) {
- error = ENOMEM;
- goto junkput;
- }
- nat->nat_aps = aps;
- aps->aps_next = ap_sess_list;
- ap_sess_list = aps;
- bcopy(ipnn->ipn_data, (char *)aps, sizeof(*aps));
- if (in)
- aps->aps_apr = in->in_apr;
- if (aps->aps_psiz) {
- KMALLOCS(aps->aps_data, void *, aps->aps_psiz);
- if (aps->aps_data == NULL) {
- error = ENOMEM;
- goto junkput;
- }
- bcopy(ipnn->ipn_data + sizeof(*aps), aps->aps_data,
- aps->aps_psiz);
- } else {
- aps->aps_psiz = 0;
- aps->aps_data = NULL;
- }
- }
-
- /*
- * If there was a filtering rule associated with this entry then
- * build up a new one.
- */
- if (fr != NULL) {
- if (nat->nat_flags & FI_NEWFR) {
- KMALLOC(fr, frentry_t *);
- nat->nat_fr = fr;
- if (fr == NULL) {
- error = ENOMEM;
- goto junkput;
- }
- bcopy((char *)&ipn.ipn_fr, (char *)fr, sizeof(*fr));
- ipn.ipn_nat.nat_fr = fr;
- error = IWCOPY((caddr_t)&ipn, ipnp, sizeof(ipn));
- if (error) {
- error = EFAULT;
- goto junkput;
- }
- } else {
- for (n = nat_instances; n; n = n->nat_next)
- if (n->nat_fr == fr)
- break;
- if (!n) {
- error = ESRCH;
- goto junkput;
- }
- }
- }
-
- if (ipnn)
- KFREES(ipnn, sizeof(ipn) + ipn.ipn_dsize);
- nat_insert(nat);
- return 0;
-junkput:
- if (ipnn)
- KFREES(ipnn, sizeof(ipn) + ipn.ipn_dsize);
- if (nat)
- nat_delete(nat);
- return error;
-}
-
-
-/*
- * Delete a nat entry from the various lists and table.
- */
-static void nat_delete(natd)
-struct nat *natd;
-{
- struct ipnat *ipn;
-
- if (natd->nat_flags & FI_WILDP)
- nat_stats.ns_wilds--;
- if (natd->nat_hnext[0])
- natd->nat_hnext[0]->nat_phnext[0] = natd->nat_phnext[0];
- *natd->nat_phnext[0] = natd->nat_hnext[0];
- if (natd->nat_hnext[1])
- natd->nat_hnext[1]->nat_phnext[1] = natd->nat_phnext[1];
- *natd->nat_phnext[1] = natd->nat_hnext[1];
-
- if (natd->nat_fr != NULL) {
- ATOMIC_DEC32(natd->nat_fr->fr_ref);
- }
-
- if (natd->nat_hm != NULL)
- nat_hostmapdel(natd->nat_hm);
-
- /*
- * If there is an active reference from the nat entry to its parent
- * rule, decrement the rule's reference count and free it too if no
- * longer being used.
- */
- ipn = natd->nat_ptr;
- if (ipn != NULL) {
- ipn->in_space++;
- ipn->in_use--;
- if (!ipn->in_use && (ipn->in_flags & IPN_DELETE)) {
- if (ipn->in_apr)
- appr_free(ipn->in_apr);
- KFREE(ipn);
- nat_stats.ns_rules--;
- }
- }
-
- MUTEX_DESTROY(&natd->nat_lock);
- /*
- * If there's a fragment table entry too for this nat entry, then
- * dereference that as well.
- */
- ipfr_forget((void *)natd);
- aps_free(natd->nat_aps);
- nat_stats.ns_inuse--;
- KFREE(natd);
-}
-
-
-/*
- * nat_flushtable - clear the NAT table of all mapping entries.
- */
-static int nat_flushtable()
-{
- register nat_t *nat, **natp;
- register int j = 0;
-
- /*
- * ALL NAT mappings deleted, so lets just make the deletions
- * quicker.
- */
- if (nat_table[0] != NULL)
- bzero((char *)nat_table[0],
- sizeof(nat_table[0]) * ipf_nattable_sz);
- if (nat_table[1] != NULL)
- bzero((char *)nat_table[1],
- sizeof(nat_table[1]) * ipf_nattable_sz);
-
- for (natp = &nat_instances; (nat = *natp); ) {
- *natp = nat->nat_next;
-#ifdef IPFILTER_LOG
- nat_log(nat, NL_FLUSH);
-#endif
- nat_delete(nat);
- j++;
- }
- nat_stats.ns_inuse = 0;
- return j;
-}
-
-
-/*
- * nat_clearlist - delete all rules in the active NAT mapping list.
- */
-int nat_clearlist()
-{
- register ipnat_t *n, **np = &nat_list;
- int i = 0;
-
- if (nat_rules != NULL)
- bzero((char *)nat_rules, sizeof(*nat_rules) * ipf_natrules_sz);
- if (rdr_rules != NULL)
- bzero((char *)rdr_rules, sizeof(*rdr_rules) * ipf_rdrrules_sz);
-
- while ((n = *np)) {
- *np = n->in_next;
- if (!n->in_use) {
- if (n->in_apr)
- appr_free(n->in_apr);
- KFREE(n);
- nat_stats.ns_rules--;
- } else {
- n->in_flags |= IPN_DELETE;
- n->in_next = NULL;
- }
- i++;
- }
- nat_masks = 0;
- rdr_masks = 0;
- return i;
-}
-
-
-/*
- * Create a new NAT table entry.
- * NOTE: assumes write lock on ipf_nat has been obtained already.
- */
-nat_t *nat_new(np, ip, fin, flags, direction)
-ipnat_t *np;
-ip_t *ip;
-fr_info_t *fin;
-u_int flags;
-int direction;
-{
- register u_32_t sum1, sum2, sumd, l;
- u_short port = 0, sport = 0, dport = 0, nport = 0;
- struct in_addr in, inb;
- tcphdr_t *tcp = NULL;
- hostmap_t *hm = NULL;
- nat_t *nat, *natl;
- u_short nflags;
-#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
- qif_t *qf = fin->fin_qif;
-#endif
-
- nflags = flags & np->in_flags;
- if (flags & IPN_TCPUDP) {
- tcp = (tcphdr_t *)fin->fin_dp;
- sport = tcp->th_sport;
- dport = tcp->th_dport;
- }
-
- /* Give me a new nat */
- KMALLOC(nat, nat_t *);
- if (nat == NULL) {
- nat_stats.ns_memfail++;
- return NULL;
- }
-
- bzero((char *)nat, sizeof(*nat));
- nat->nat_flags = flags;
- if (flags & FI_WILDP)
- nat_stats.ns_wilds++;
- /*
- * Search the current table for a match.
- */
- if (direction == NAT_OUTBOUND) {
- /*
- * Values at which the search for a free resouce starts.
- */
- u_32_t st_ip;
- u_short st_port;
-
- /*
- * If it's an outbound packet which doesn't match any existing
- * record, then create a new port
- */
- l = 0;
- st_ip = np->in_nip;
- st_port = np->in_pnext;
-
- do {
- port = 0;
- in.s_addr = htonl(np->in_nip);
- if (l == 0) {
- /*
- * Check to see if there is an existing NAT
- * setup for this IP address pair.
- */
- hm = nat_hostmap(np, ip->ip_src, in);
- if (hm != NULL)
- in.s_addr = hm->hm_mapip.s_addr;
- } else if ((l == 1) && (hm != NULL)) {
- nat_hostmapdel(hm);
- hm = NULL;
- }
- in.s_addr = ntohl(in.s_addr);
-
- nat->nat_hm = hm;
-
- if ((np->in_outmsk == 0xffffffff) &&
- (np->in_pnext == 0)) {
- if (l > 0)
- goto badnat;
- }
-
- if (np->in_redir & NAT_MAPBLK) {
- if ((l >= np->in_ppip) || ((l > 0) &&
- !(flags & IPN_TCPUDP)))
- goto badnat;
- /*
- * map-block - Calculate destination address.
- */
- in.s_addr = ntohl(ip->ip_src.s_addr);
- in.s_addr &= ntohl(~np->in_inmsk);
- inb.s_addr = in.s_addr;
- in.s_addr /= np->in_ippip;
- in.s_addr &= ntohl(~np->in_outmsk);
- in.s_addr += ntohl(np->in_outip);
- /*
- * Calculate destination port.
- */
- if ((flags & IPN_TCPUDP) &&
- (np->in_ppip != 0)) {
- port = ntohs(sport) + l;
- port %= np->in_ppip;
- port += np->in_ppip *
- (inb.s_addr % np->in_ippip);
- port += MAPBLK_MINPORT;
- port = htons(port);
- }
- } else if (!np->in_outip &&
- (np->in_outmsk == 0xffffffff)) {
- /*
- * 0/32 - use the interface's IP address.
- */
- if ((l > 0) ||
- fr_ifpaddr(4, fin->fin_ifp, &in) == -1)
- goto badnat;
- in.s_addr = ntohl(in.s_addr);
- } else if (!np->in_outip && !np->in_outmsk) {
- /*
- * 0/0 - use the original source address/port.
- */
- if (l > 0)
- goto badnat;
- in.s_addr = ntohl(ip->ip_src.s_addr);
- } else if ((np->in_outmsk != 0xffffffff) &&
- (np->in_pnext == 0) &&
- ((l > 0) || (hm == NULL)))
- np->in_nip++;
- natl = NULL;
-
- if ((nflags & IPN_TCPUDP) &&
- ((np->in_redir & NAT_MAPBLK) == 0) &&
- (np->in_flags & IPN_AUTOPORTMAP)) {
- if ((l > 0) && (l % np->in_ppip == 0)) {
- if (l > np->in_space) {
- goto badnat;
- } else if ((l > np->in_ppip) &&
- np->in_outmsk != 0xffffffff)
- np->in_nip++;
- }
- if (np->in_ppip != 0) {
- port = ntohs(sport);
- port += (l % np->in_ppip);
- port %= np->in_ppip;
- port += np->in_ppip *
- (ntohl(ip->ip_src.s_addr) %
- np->in_ippip);
- port += MAPBLK_MINPORT;
- port = htons(port);
- }
- } else if (((np->in_redir & NAT_MAPBLK) == 0) &&
- (nflags & IPN_TCPUDP) &&
- (np->in_pnext != 0)) {
- port = htons(np->in_pnext++);
- if (np->in_pnext > ntohs(np->in_pmax)) {
- np->in_pnext = ntohs(np->in_pmin);
- if (np->in_outmsk != 0xffffffff)
- np->in_nip++;
- }
- }
-
- if (np->in_flags & IPN_IPRANGE) {
- if (np->in_nip > ntohl(np->in_outmsk))
- np->in_nip = ntohl(np->in_outip);
- } else {
- if ((np->in_outmsk != 0xffffffff) &&
- ((np->in_nip + 1) & ntohl(np->in_outmsk)) >
- ntohl(np->in_outip))
- np->in_nip = ntohl(np->in_outip) + 1;
- }
-
- if (!port && (flags & IPN_TCPUDP))
- port = sport;
-
- /*
- * Here we do a lookup of the connection as seen from
- * the outside. If an IP# pair already exists, try
- * again. So if you have A->B becomes C->B, you can
- * also have D->E become C->E but not D->B causing
- * another C->B. Also take protocol and ports into
- * account when determining whether a pre-existing
- * NAT setup will cause an external conflict where
- * this is appropriate.
- */
- inb.s_addr = htonl(in.s_addr);
- natl = nat_inlookup(fin->fin_ifp, flags & ~FI_WILDP,
- (u_int)ip->ip_p, ip->ip_dst, inb,
- (port << 16) | dport, 1);
-
- /*
- * Has the search wrapped around and come back to the
- * start ?
- */
- if ((natl != NULL) &&
- (np->in_pnext != 0) && (st_port == np->in_pnext) &&
- (np->in_nip != 0) && (st_ip == np->in_nip))
- goto badnat;
- l++;
- } while (natl != NULL);
-
- if (np->in_space > 0)
- np->in_space--;
-
- /* Setup the NAT table */
- nat->nat_inip = ip->ip_src;
- nat->nat_outip.s_addr = htonl(in.s_addr);
- nat->nat_oip = ip->ip_dst;
- if (nat->nat_hm == NULL)
- nat->nat_hm = nat_hostmap(np, ip->ip_src,
- nat->nat_outip);
-
- sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr)) + ntohs(sport);
- sum2 = LONG_SUM(in.s_addr) + ntohs(port);
-
- if (flags & IPN_TCPUDP) {
- nat->nat_inport = sport;
- nat->nat_outport = port; /* sport */
- nat->nat_oport = dport;
- }
- } else {
- /*
- * Otherwise, it's an inbound packet. Most likely, we don't
- * want to rewrite source ports and source addresses. Instead,
- * we want to rewrite to a fixed internal address and fixed
- * internal port.
- */
- if (np->in_flags & IPN_SPLIT) {
- in.s_addr = np->in_nip;
- if (np->in_inip == htonl(in.s_addr))
- np->in_nip = ntohl(np->in_inmsk);
- else {
- np->in_nip = ntohl(np->in_inip);
- if (np->in_flags & IPN_ROUNDR) {
- nat_delrdr(np);
- nat_addrdr(np);
- }
- }
- } else {
- in.s_addr = ntohl(np->in_inip);
- if (np->in_flags & IPN_ROUNDR) {
- nat_delrdr(np);
- nat_addrdr(np);
- }
- }
- if (!np->in_pnext)
- nport = dport;
- else {
- /*
- * Whilst not optimized for the case where
- * pmin == pmax, the gain is not significant.
- */
- nport = ntohs(dport) - ntohs(np->in_pmin) +
- ntohs(np->in_pnext);
- nport = htons(nport);
- }
-
- /*
- * When the redirect-to address is set to 0.0.0.0, just
- * assume a blank `forwarding' of the packet. We don't
- * setup any translation for this either.
- */
- if (in.s_addr == 0) {
- if (nport == dport)
- goto badnat;
- in.s_addr = ntohl(ip->ip_dst.s_addr);
- }
-
- nat->nat_inip.s_addr = htonl(in.s_addr);
- nat->nat_outip = ip->ip_dst;
- nat->nat_oip = ip->ip_src;
-
- sum1 = LONG_SUM(ntohl(ip->ip_dst.s_addr)) + ntohs(dport);
- sum2 = LONG_SUM(in.s_addr) + ntohs(nport);
-
- if (flags & IPN_TCPUDP) {
- nat->nat_inport = nport;
- nat->nat_outport = dport;
- nat->nat_oport = sport;
- }
- }
-
- CALC_SUMD(sum1, sum2, sumd);
- nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
-#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
- if ((flags == IPN_TCP) && dohwcksum &&
- (qf->qf_ill->ill_ick.ick_magic == ICK_M_CTL_MAGIC)) {
- if (direction == NAT_OUTBOUND)
- sum1 = LONG_SUM(ntohl(in.s_addr));
- else
- sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr));
- sum1 += LONG_SUM(ntohl(ip->ip_dst.s_addr));
- sum1 += 30;
- sum1 = (sum1 & 0xffff) + (sum1 >> 16);
- nat->nat_sumd[1] = NAT_HW_CKSUM|(sum1 & 0xffff);
- } else
-#endif
- nat->nat_sumd[1] = nat->nat_sumd[0];
-
- if ((flags & IPN_TCPUDP) && ((sport != port) || (dport != nport))) {
- if (direction == NAT_OUTBOUND)
- sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr));
- else
- sum1 = LONG_SUM(ntohl(ip->ip_dst.s_addr));
-
- sum2 = LONG_SUM(in.s_addr);
-
- CALC_SUMD(sum1, sum2, sumd);
- nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16);
- } else
- nat->nat_ipsumd = nat->nat_sumd[0];
-
- in.s_addr = htonl(in.s_addr);
-
-#ifdef _KERNEL
- strncpy(nat->nat_ifname, IFNAME(fin->fin_ifp), IFNAMSIZ);
-#endif
- nat_insert(nat);
-
- nat->nat_dir = direction;
- nat->nat_ifp = fin->fin_ifp;
- nat->nat_ptr = np;
- nat->nat_p = ip->ip_p;
- nat->nat_bytes = 0;
- nat->nat_pkts = 0;
- nat->nat_fr = fin->fin_fr;
- if (nat->nat_fr != NULL) {
- ATOMIC_INC32(nat->nat_fr->fr_ref);
- }
- if (direction == NAT_OUTBOUND) {
- if (flags & IPN_TCPUDP)
- tcp->th_sport = port;
- } else {
- if (flags & IPN_TCPUDP)
- tcp->th_dport = nport;
- }
- np->in_use++;
-#ifdef IPFILTER_LOG
- nat_log(nat, (u_int)np->in_redir);
-#endif
- return nat;
-badnat:
- nat_stats.ns_badnat++;
- if ((hm = nat->nat_hm) != NULL)
- nat_hostmapdel(hm);
- KFREE(nat);
- return NULL;
-}
-
-
-void nat_insert(nat)
-nat_t *nat;
-{
- nat_t **natp;
- u_int hv;
-
- MUTEX_INIT(&nat->nat_lock, "nat entry lock", NULL);
-
- nat->nat_age = fr_defnatage;
- nat->nat_ifname[sizeof(nat->nat_ifname) - 1] = '\0';
- if (nat->nat_ifname[0] !='\0') {
- nat->nat_ifp = GETUNIT(nat->nat_ifname, 4);
- }
-
- nat->nat_next = nat_instances;
- nat_instances = nat;
-
- hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
- ipf_nattable_sz);
- natp = &nat_table[0][hv];
- if (*natp)
- (*natp)->nat_phnext[0] = &nat->nat_hnext[0];
- nat->nat_phnext[0] = natp;
- nat->nat_hnext[0] = *natp;
- *natp = nat;
-
- hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
- ipf_nattable_sz);
- natp = &nat_table[1][hv];
- if (*natp)
- (*natp)->nat_phnext[1] = &nat->nat_hnext[1];
- nat->nat_phnext[1] = natp;
- nat->nat_hnext[1] = *natp;
- *natp = nat;
-
- nat_stats.ns_added++;
- nat_stats.ns_inuse++;
-}
-
-
-nat_t *nat_icmplookup(ip, fin, dir)
-ip_t *ip;
-fr_info_t *fin;
-int dir;
-{
- icmphdr_t *icmp;
- tcphdr_t *tcp = NULL;
- ip_t *oip;
- int flags = 0, type, minlen;
-
- icmp = (icmphdr_t *)fin->fin_dp;
- /*
- * Does it at least have the return (basic) IP header ?
- * Only a basic IP header (no options) should be with an ICMP error
- * header.
- */
- if ((ip->ip_hl != 5) || (ip->ip_len < ICMPERR_MINPKTLEN))
- return NULL;
- type = icmp->icmp_type;
- /*
- * If it's not an error type, then return.
- */
- if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
- (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
- (type != ICMP_PARAMPROB))
- return NULL;
-
- oip = (ip_t *)((char *)fin->fin_dp + 8);
- minlen = (oip->ip_hl << 2);
- if (minlen < sizeof(ip_t))
- return NULL;
- if (ip->ip_len < ICMPERR_IPICMPHLEN + minlen)
- return NULL;
- /*
- * Is the buffer big enough for all of it ? It's the size of the IP
- * header claimed in the encapsulated part which is of concern. It
- * may be too big to be in this buffer but not so big that it's
- * outside the ICMP packet, leading to TCP deref's causing problems.
- * This is possible because we don't know how big oip_hl is when we
- * do the pullup early in fr_check() and thus can't gaurantee it is
- * all here now.
- */
-#ifdef _KERNEL
- {
- mb_t *m;
-
-# if SOLARIS
- m = fin->fin_qfm;
- if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN > (char *)m->b_wptr)
- return NULL;
-# else
- m = *(mb_t **)fin->fin_mp;
- if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN >
- (char *)ip + m->m_len)
- return NULL;
-# endif
- }
-#endif
-
- if (oip->ip_p == IPPROTO_TCP)
- flags = IPN_TCP;
- else if (oip->ip_p == IPPROTO_UDP)
- flags = IPN_UDP;
- if (flags & IPN_TCPUDP) {
- minlen += 8; /* + 64bits of data to get ports */
- if (ip->ip_len < ICMPERR_IPICMPHLEN + minlen)
- return NULL;
- tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
- if (dir == NAT_INBOUND)
- return nat_inlookup(fin->fin_ifp, flags,
- (u_int)oip->ip_p, oip->ip_dst, oip->ip_src,
- (tcp->th_sport << 16) | tcp->th_dport, 0);
- else
- return nat_outlookup(fin->fin_ifp, flags,
- (u_int)oip->ip_p, oip->ip_dst, oip->ip_src,
- (tcp->th_sport << 16) | tcp->th_dport, 0);
- }
- if (dir == NAT_INBOUND)
- return nat_inlookup(fin->fin_ifp, 0, (u_int)oip->ip_p,
- oip->ip_dst, oip->ip_src, 0, 0);
- else
- return nat_outlookup(fin->fin_ifp, 0, (u_int)oip->ip_p,
- oip->ip_dst, oip->ip_src, 0, 0);
-}
-
-
-/*
- * This should *ONLY* be used for incoming packets to make sure a NAT'd ICMP
- * packet gets correctly recognised.
- */
-nat_t *nat_icmp(ip, fin, nflags, dir)
-ip_t *ip;
-fr_info_t *fin;
-u_int *nflags;
-int dir;
-{
- u_32_t sum1, sum2, sumd, sumd2 = 0;
- struct in_addr in;
- icmphdr_t *icmp;
- udphdr_t *udp;
- nat_t *nat;
- ip_t *oip;
- int flags = 0;
-
- if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK))
- return NULL;
- /*
- * nat_icmplookup() will return NULL for `defective' packets.
- */
- if ((ip->ip_v != 4) || !(nat = nat_icmplookup(ip, fin, dir)))
- return NULL;
- *nflags = IPN_ICMPERR;
- icmp = (icmphdr_t *)fin->fin_dp;
- oip = (ip_t *)&icmp->icmp_ip;
- if (oip->ip_p == IPPROTO_TCP)
- flags = IPN_TCP;
- else if (oip->ip_p == IPPROTO_UDP)
- flags = IPN_UDP;
- udp = (udphdr_t *)((((char *)oip) + (oip->ip_hl << 2)));
- /*
- * Need to adjust ICMP header to include the real IP#'s and
- * port #'s. Only apply a checksum change relative to the
- * IP address change as it will be modified again in ip_natout
- * for both address and port. Two checksum changes are
- * necessary for the two header address changes. Be careful
- * to only modify the checksum once for the port # and twice
- * for the IP#.
- */
-
- /*
- * Step 1
- * Fix the IP addresses in the offending IP packet. You also need
- * to adjust the IP header checksum of that offending IP packet
- * and the ICMP checksum of the ICMP error message itself.
- *
- * Unfortunately, for UDP and TCP, the IP addresses are also contained
- * in the pseudo header that is used to compute the UDP resp. TCP
- * checksum. So, we must compensate that as well. Even worse, the
- * change in the UDP and TCP checksums require yet another
- * adjustment of the ICMP checksum of the ICMP error message.
- *
- * For the moment we forget about TCP, because that checksum is not
- * in the first 8 bytes, so it will not be available in most cases.
- */
-
- if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) {
- sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr));
- in = nat->nat_inip;
- oip->ip_src = in;
- } else {
- sum1 = LONG_SUM(ntohl(oip->ip_dst.s_addr));
- in = nat->nat_outip;
- oip->ip_dst = in;
- }
-
- sum2 = LONG_SUM(ntohl(in.s_addr));
-
- CALC_SUMD(sum1, sum2, sumd);
-
- if (nat->nat_dir == NAT_OUTBOUND) {
- /*
- * Fix IP checksum of the offending IP packet to adjust for
- * the change in the IP address.
- *
- * Normally, you would expect that the ICMP checksum of the
- * ICMP error message needs to be adjusted as well for the
- * IP address change in oip.
- * However, this is a NOP, because the ICMP checksum is
- * calculated over the complete ICMP packet, which includes the
- * changed oip IP addresses and oip->ip_sum. However, these
- * two changes cancel each other out (if the delta for
- * the IP address is x, then the delta for ip_sum is minus x),
- * so no change in the icmp_cksum is necessary.
- *
- * Be careful that nat_dir refers to the direction of the
- * offending IP packet (oip), not to its ICMP response (icmp)
- */
- fix_datacksum(&oip->ip_sum, sumd);
-
- /*
- * Fix UDP pseudo header checksum to compensate for the
- * IP address change.
- */
- if (oip->ip_p == IPPROTO_UDP && udp->uh_sum) {
- /*
- * The UDP checksum is optional, only adjust it
- * if it has been set.
- */
- sum1 = ntohs(udp->uh_sum);
- fix_datacksum(&udp->uh_sum, sumd);
- sum2 = ntohs(udp->uh_sum);
-
- /*
- * Fix ICMP checksum to compensate the UDP
- * checksum adjustment.
- */
- CALC_SUMD(sum1, sum2, sumd);
- sumd2 = sumd;
- }
-
-#if 0
- /*
- * Fix TCP pseudo header checksum to compensate for the
- * IP address change. Before we can do the change, we
- * must make sure that oip is sufficient large to hold
- * the TCP checksum (normally it does not!).
- */
- if (oip->ip_p == IPPROTO_TCP) {
-
- }
-#endif
- } else {
-
- /*
- * Fix IP checksum of the offending IP packet to adjust for
- * the change in the IP address.
- *
- * Normally, you would expect that the ICMP checksum of the
- * ICMP error message needs to be adjusted as well for the
- * IP address change in oip.
- * However, this is a NOP, because the ICMP checksum is
- * calculated over the complete ICMP packet, which includes the
- * changed oip IP addresses and oip->ip_sum. However, these
- * two changes cancel each other out (if the delta for
- * the IP address is x, then the delta for ip_sum is minus x),
- * so no change in the icmp_cksum is necessary.
- *
- * Be careful that nat_dir refers to the direction of the
- * offending IP packet (oip), not to its ICMP response (icmp)
- */
- fix_datacksum(&oip->ip_sum, sumd);
-
-/* XXX FV : without having looked at Solaris source code, it seems unlikely
- * that SOLARIS would compensate this in the kernel (a body of an IP packet
- * in the data section of an ICMP packet). I have the feeling that this should
- * be unconditional, but I'm not in a position to check.
- */
-#if !SOLARIS && !defined(__sgi)
- /*
- * Fix UDP pseudo header checksum to compensate for the
- * IP address change.
- */
- if (oip->ip_p == IPPROTO_UDP && udp->uh_sum) {
- /*
- * The UDP checksum is optional, only adjust it
- * if it has been set
- */
- sum1 = ntohs(udp->uh_sum);
- fix_datacksum(&udp->uh_sum, sumd);
- sum2 = ntohs(udp->uh_sum);
-
- /*
- * Fix ICMP checksum to compensate the UDP
- * checksum adjustment.
- */
- CALC_SUMD(sum1, sum2, sumd);
- sumd2 = sumd;
- }
-
-#if 0
- /*
- * Fix TCP pseudo header checksum to compensate for the
- * IP address change. Before we can do the change, we
- * must make sure that oip is sufficient large to hold
- * the TCP checksum (normally it does not!).
- */
- if (oip->ip_p == IPPROTO_TCP) {
-
- };
-#endif
-
-#endif
- }
-
- if ((flags & IPN_TCPUDP) != 0) {
- tcphdr_t *tcp;
-
- /*
- * XXX - what if this is bogus hl and we go off the end ?
- * In this case, nat_icmpinlookup() will have returned NULL.
- */
- tcp = (tcphdr_t *)udp;
-
- /*
- * Step 2 :
- * For offending TCP/UDP IP packets, translate the ports as
- * well, based on the NAT specification. Of course such
- * a change must be reflected in the ICMP checksum as well.
- *
- * Advance notice : Now it becomes complicated :-)
- *
- * Since the port fields are part of the TCP/UDP checksum
- * of the offending IP packet, you need to adjust that checksum
- * as well... but, if you change, you must change the icmp
- * checksum *again*, to reflect that change.
- *
- * To further complicate: the TCP checksum is not in the first
- * 8 bytes of the offending ip packet, so it most likely is not
- * available (we might have to fix that if the encounter a
- * device that returns more than 8 data bytes on icmp error)
- */
-
- if (nat->nat_oport == tcp->th_dport) {
- if (tcp->th_sport != nat->nat_inport) {
- /*
- * Fix ICMP checksum to compensate port
- * adjustment.
- */
- sum1 = ntohs(tcp->th_sport);
- sum2 = ntohs(nat->nat_inport);
- CALC_SUMD(sum1, sum2, sumd);
- sumd2 += sumd;
- tcp->th_sport = nat->nat_inport;
-
- /*
- * Fix udp checksum to compensate port
- * adjustment. NOTE : the offending IP packet
- * flows the other direction compared to the
- * ICMP message.
- *
- * The UDP checksum is optional, only adjust
- * it if it has been set.
- */
- if (oip->ip_p == IPPROTO_UDP && udp->uh_sum) {
-
- sum1 = ntohs(udp->uh_sum);
- fix_datacksum(&udp->uh_sum, sumd);
- sum2 = ntohs(udp->uh_sum);
-
- /*
- * Fix ICMP checksum to
- * compensate UDP checksum
- * adjustment.
- */
- CALC_SUMD(sum1, sum2, sumd);
- sumd2 += sumd;
- }
- }
- } else {
- if (tcp->th_dport != nat->nat_outport) {
- /*
- * Fix ICMP checksum to compensate port
- * adjustment.
- */
- sum1 = ntohs(tcp->th_dport);
- sum2 = ntohs(nat->nat_outport);
- CALC_SUMD(sum1, sum2, sumd);
- sumd2 += sumd;
- tcp->th_dport = nat->nat_outport;
-
- /*
- * Fix udp checksum to compensate port
- * adjustment. NOTE : the offending IP
- * packet flows the other direction compared
- * to the ICMP message.
- *
- * The UDP checksum is optional, only adjust
- * it if it has been set.
- */
- if (oip->ip_p == IPPROTO_UDP && udp->uh_sum) {
-
- sum1 = ntohs(udp->uh_sum);
- fix_datacksum(&udp->uh_sum, sumd);
- sum2 = ntohs(udp->uh_sum);
-
- /*
- * Fix ICMP checksum to compensate
- * UDP checksum adjustment.
- */
- CALC_SUMD(sum1, sum2, sumd);
- sumd2 += sumd;
- }
- }
- }
- if (sumd2) {
- sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
- sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
- if (nat->nat_dir == NAT_OUTBOUND) {
- fix_outcksum(&icmp->icmp_cksum, sumd2);
- } else {
- fix_incksum(&icmp->icmp_cksum, sumd2);
- }
- }
- }
- nat->nat_age = fr_defnaticmpage;
- return nat;
-}
-
-
-/*
- * NB: these lookups don't lock access to the list, it assume it has already
- * been done!
- */
-/*
- * Lookup a nat entry based on the mapped destination ip address/port and
- * real source address/port. We use this lookup when receiving a packet,
- * we're looking for a table entry, based on the destination address.
- * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
- */
-nat_t *nat_inlookup(ifp, flags, p, src, mapdst, ports, rw)
-void *ifp;
-register u_int flags, p;
-struct in_addr src , mapdst;
-u_32_t ports;
-int rw;
-{
- register u_short sport, dport;
- register nat_t *nat;
- register int nflags;
- register u_32_t dst;
- u_int hv;
-
- dst = mapdst.s_addr;
- dport = ports >> 16;
- sport = ports & 0xffff;
- flags &= IPN_TCPUDP;
-
- hv = NAT_HASH_FN(dst, dport, ipf_nattable_sz);
- nat = nat_table[1][hv];
- for (; nat; nat = nat->nat_hnext[1]) {
- nflags = nat->nat_flags;
- if ((!ifp || ifp == nat->nat_ifp) &&
- nat->nat_oip.s_addr == src.s_addr &&
- nat->nat_outip.s_addr == dst &&
- (((p == 0) && (flags == (nat->nat_flags & IPN_TCPUDP)))
- || (p == nat->nat_p)) && (!flags ||
- (((nat->nat_oport == sport) || (nflags & FI_W_DPORT)) &&
- ((nat->nat_outport == dport) || (nflags & FI_W_SPORT)))))
- return nat;
- }
- if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP))
- return NULL;
- if (!rw) {
- RWLOCK_EXIT(&ipf_nat);
- }
- hv = NAT_HASH_FN(dst, 0, ipf_nattable_sz);
- if (!rw) {
- WRITE_ENTER(&ipf_nat);
- }
- nat = nat_table[1][hv];
- for (; nat; nat = nat->nat_hnext[1]) {
- nflags = nat->nat_flags;
- if (ifp && ifp != nat->nat_ifp)
- continue;
- if (!(nflags & IPN_TCPUDP))
- continue;
- if (!(nflags & FI_WILDP))
- continue;
- if (nat->nat_oip.s_addr != src.s_addr ||
- nat->nat_outip.s_addr != dst)
- continue;
- if (((nat->nat_oport == sport) || (nflags & FI_W_DPORT)) &&
- ((nat->nat_outport == dport) || (nflags & FI_W_SPORT))) {
- nat_tabmove(nat, ports);
- break;
- }
- }
- if (!rw) {
- MUTEX_DOWNGRADE(&ipf_nat);
- }
- return nat;
-}
-
-
-/*
- * This function is only called for TCP/UDP NAT table entries where the
- * original was placed in the table without hashing on the ports and we now
- * want to include hashing on port numbers.
- */
-static void nat_tabmove(nat, ports)
-nat_t *nat;
-u_32_t ports;
-{
- register u_short sport, dport;
- nat_t **natp;
- u_int hv;
-
- dport = ports >> 16;
- sport = ports & 0xffff;
-
- if (nat->nat_oport == dport) {
- nat->nat_inport = sport;
- nat->nat_outport = sport;
- }
-
- /*
- * Remove the NAT entry from the old location
- */
- if (nat->nat_hnext[0])
- nat->nat_hnext[0]->nat_phnext[0] = nat->nat_phnext[0];
- *nat->nat_phnext[0] = nat->nat_hnext[0];
-
- if (nat->nat_hnext[1])
- nat->nat_hnext[1]->nat_phnext[1] = nat->nat_phnext[1];
- *nat->nat_phnext[1] = nat->nat_hnext[1];
-
- /*
- * Add into the NAT table in the new position
- */
- hv = NAT_HASH_FN(nat->nat_inip.s_addr, sport, ipf_nattable_sz);
- natp = &nat_table[0][hv];
- if (*natp)
- (*natp)->nat_phnext[0] = &nat->nat_hnext[0];
- nat->nat_phnext[0] = natp;
- nat->nat_hnext[0] = *natp;
- *natp = nat;
-
- hv = NAT_HASH_FN(nat->nat_outip.s_addr, sport, ipf_nattable_sz);
- natp = &nat_table[1][hv];
- if (*natp)
- (*natp)->nat_phnext[1] = &nat->nat_hnext[1];
- nat->nat_phnext[1] = natp;
- nat->nat_hnext[1] = *natp;
- *natp = nat;
-}
-
-
-/*
- * Lookup a nat entry based on the source 'real' ip address/port and
- * destination address/port. We use this lookup when sending a packet out,
- * we're looking for a table entry, based on the source address.
- * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
- */
-nat_t *nat_outlookup(ifp, flags, p, src, dst, ports, rw)
-void *ifp;
-register u_int flags, p;
-struct in_addr src , dst;
-u_32_t ports;
-int rw;
-{
- register u_short sport, dport;
- register nat_t *nat;
- register int nflags;
- u_32_t srcip;
- u_int hv;
-
- sport = ports & 0xffff;
- dport = ports >> 16;
- flags &= IPN_TCPUDP;
- srcip = src.s_addr;
-
- hv = NAT_HASH_FN(srcip, sport, ipf_nattable_sz);
- nat = nat_table[0][hv];
- for (; nat; nat = nat->nat_hnext[0]) {
- nflags = nat->nat_flags;
-
- if ((!ifp || ifp == nat->nat_ifp) &&
- nat->nat_inip.s_addr == srcip &&
- nat->nat_oip.s_addr == dst.s_addr &&
- (((p == 0) && (flags == (nflags & IPN_TCPUDP)))
- || (p == nat->nat_p)) && (!flags ||
- ((nat->nat_inport == sport || nflags & FI_W_SPORT) &&
- (nat->nat_oport == dport || nflags & FI_W_DPORT))))
- return nat;
- }
- if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP))
- return NULL;
- if (!rw) {
- RWLOCK_EXIT(&ipf_nat);
- }
- hv = NAT_HASH_FN(srcip, 0, ipf_nattable_sz);
- if (!rw) {
- WRITE_ENTER(&ipf_nat);
- }
- nat = nat_table[0][hv];
- for (; nat; nat = nat->nat_hnext[0]) {
- nflags = nat->nat_flags;
- if (ifp && ifp != nat->nat_ifp)
- continue;
- if (!(nflags & IPN_TCPUDP))
- continue;
- if (!(nflags & FI_WILDP))
- continue;
- if ((nat->nat_inip.s_addr != srcip) ||
- (nat->nat_oip.s_addr != dst.s_addr))
- continue;
- if (((nat->nat_inport == sport) || (nflags & FI_W_SPORT)) &&
- ((nat->nat_oport == dport) || (nflags & FI_W_DPORT))) {
- nat_tabmove(nat, ports);
- break;
- }
- }
- if (!rw) {
- MUTEX_DOWNGRADE(&ipf_nat);
- }
- return nat;
-}
-
-
-/*
- * Lookup the NAT tables to search for a matching redirect
- */
-nat_t *nat_lookupredir(np)
-register natlookup_t *np;
-{
- u_32_t ports;
- nat_t *nat;
-
- ports = (np->nl_outport << 16) | np->nl_inport;
- /*
- * If nl_inip is non null, this is a lookup based on the real
- * ip address. Else, we use the fake.
- */
- if ((nat = nat_outlookup(NULL, np->nl_flags, 0, np->nl_inip,
- np->nl_outip, ports, 0))) {
- np->nl_realip = nat->nat_outip;
- np->nl_realport = nat->nat_outport;
- }
- return nat;
-}
-
-
-static int nat_match(fin, np, ip)
-fr_info_t *fin;
-ipnat_t *np;
-ip_t *ip;
-{
- frtuc_t *ft;
-
- if (ip->ip_v != 4)
- return 0;
-
- if (np->in_p && ip->ip_p != np->in_p)
- return 0;
- if (fin->fin_out) {
- if (!(np->in_redir & (NAT_MAP|NAT_MAPBLK)))
- return 0;
- if (((fin->fin_fi.fi_saddr & np->in_inmsk) != np->in_inip)
- ^ ((np->in_flags & IPN_NOTSRC) != 0))
- return 0;
- if (((fin->fin_fi.fi_daddr & np->in_srcmsk) != np->in_srcip)
- ^ ((np->in_flags & IPN_NOTDST) != 0))
- return 0;
- } else {
- if (!(np->in_redir & NAT_REDIRECT))
- return 0;
- if (((fin->fin_fi.fi_saddr & np->in_srcmsk) != np->in_srcip)
- ^ ((np->in_flags & IPN_NOTSRC) != 0))
- return 0;
- if (((fin->fin_fi.fi_daddr & np->in_outmsk) != np->in_outip)
- ^ ((np->in_flags & IPN_NOTDST) != 0))
- return 0;
- }
-
- ft = &np->in_tuc;
- if (!(fin->fin_fi.fi_fl & FI_TCPUDP) ||
- (fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)) {
- if (ft->ftu_scmp || ft->ftu_dcmp)
- return 0;
- return 1;
- }
-
- return fr_tcpudpchk(ft, fin);
-}
-
-
-/*
- * Packets going out on the external interface go through this.
- * Here, the source address requires alteration, if anything.
- */
-int ip_natout(ip, fin)
-ip_t *ip;
-fr_info_t *fin;
-{
- register ipnat_t *np = NULL;
- register u_32_t ipa;
- tcphdr_t *tcp = NULL;
- u_short sport = 0, dport = 0, *csump = NULL;
- struct ifnet *ifp;
- int natadd = 1;
- frentry_t *fr;
- u_int nflags = 0, hv, msk;
- u_32_t iph;
- nat_t *nat;
- int i;
-
- if (nat_list == NULL || (fr_nat_lock))
- return 0;
-
- if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) &&
- fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1)
- ifp = fr->fr_tif.fd_ifp;
- else
- ifp = fin->fin_ifp;
-
- if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
- if (ip->ip_p == IPPROTO_TCP)
- nflags = IPN_TCP;
- else if (ip->ip_p == IPPROTO_UDP)
- nflags = IPN_UDP;
- if ((nflags & IPN_TCPUDP)) {
- tcp = (tcphdr_t *)fin->fin_dp;
- sport = tcp->th_sport;
- dport = tcp->th_dport;
- }
- }
-
- ipa = ip->ip_src.s_addr;
-
- READ_ENTER(&ipf_nat);
-
- if ((ip->ip_p == IPPROTO_ICMP) &&
- (nat = nat_icmp(ip, fin, &nflags, NAT_OUTBOUND)))
- ;
- else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
- (nat = ipfr_nat_knownfrag(ip, fin)))
- natadd = 0;
- else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p,
- ip->ip_src, ip->ip_dst,
- (dport << 16) | sport, 0))) {
- nflags = nat->nat_flags;
- if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) {
- if ((nflags & FI_W_SPORT) &&
- (nat->nat_inport != sport))
- nat->nat_inport = sport;
- else if ((nflags & FI_W_DPORT) &&
- (nat->nat_oport != dport))
- nat->nat_oport = dport;
- if (nat->nat_outport == 0)
- nat->nat_outport = sport;
- nat->nat_flags &= ~(FI_W_DPORT|FI_W_SPORT);
- nflags = nat->nat_flags;
- nat_stats.ns_wilds--;
- }
- } else {
- RWLOCK_EXIT(&ipf_nat);
- WRITE_ENTER(&ipf_nat);
- /*
- * If there is no current entry in the nat table for this IP#,
- * create one for it (if there is a matching rule).
- */
- msk = 0xffffffff;
- i = 32;
-maskloop:
- iph = ipa & htonl(msk);
- hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz);
- for (np = nat_rules[hv]; np; np = np->in_mnext)
- {
- if ((np->in_ifp && (np->in_ifp != ifp)) ||
- !np->in_space)
- continue;
- if ((np->in_flags & IPN_RF) &&
- !(np->in_flags & nflags))
- continue;
- if (np->in_flags & IPN_FILTER) {
- if (!nat_match(fin, np, ip))
- continue;
- } else if ((ipa & np->in_inmsk) != np->in_inip)
- continue;
- if (np->in_redir & (NAT_MAP|NAT_MAPBLK)) {
- if (*np->in_plabel && !appr_ok(ip, tcp, np))
- continue;
- /*
- * If it's a redirection, then we don't want to
- * create new outgoing port stuff.
- * Redirections are only for incoming
- * connections.
- */
- if (!(np->in_redir & (NAT_MAP|NAT_MAPBLK)))
- continue;
- if ((nat = nat_new(np, ip, fin, (u_int)nflags,
- NAT_OUTBOUND))) {
- np->in_hits++;
- break;
- }
- }
- }
- if ((np == NULL) && (i > 0)) {
- do {
- i--;
- msk <<= 1;
- } while ((i >= 0) && ((nat_masks & (1 << i)) == 0));
- if (i >= 0)
- goto maskloop;
- }
- MUTEX_DOWNGRADE(&ipf_nat);
- }
-
- /*
- * NOTE: ipf_nat must now only be held as a read lock
- */
- if (nat) {
- np = nat->nat_ptr;
- if (natadd && (fin->fin_fi.fi_fl & FI_FRAG) &&
- np && (np->in_flags & IPN_FRAG))
- ipfr_nat_newfrag(ip, fin, 0, nat);
- MUTEX_ENTER(&nat->nat_lock);
- nat->nat_age = fr_defnatage;
- nat->nat_bytes += ip->ip_len;
- nat->nat_pkts++;
- MUTEX_EXIT(&nat->nat_lock);
-
- /*
- * Fix up checksums, not by recalculating them, but
- * simply computing adjustments.
- */
- if (nflags == IPN_ICMPERR) {
- u_32_t s1, s2, sumd;
-
- s1 = LONG_SUM(ntohl(ip->ip_src.s_addr));
- s2 = LONG_SUM(ntohl(nat->nat_outip.s_addr));
- CALC_SUMD(s1, s2, sumd);
-
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_incksum(&ip->ip_sum, sumd);
- else
- fix_outcksum(&ip->ip_sum, sumd);
- }
-#if SOLARIS || defined(__sgi)
- else {
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
- else
- fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
- }
-#endif
- ip->ip_src = nat->nat_outip;
-
- if (!(ip->ip_off & IP_OFFMASK) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
-
- if ((nat->nat_outport != 0) && (nflags & IPN_TCPUDP)) {
- tcp->th_sport = nat->nat_outport;
- fin->fin_data[0] = ntohs(tcp->th_sport);
- }
-
- if (ip->ip_p == IPPROTO_TCP) {
- csump = &tcp->th_sum;
- MUTEX_ENTER(&nat->nat_lock);
- fr_tcp_age(&nat->nat_age,
- nat->nat_tcpstate, fin, 1);
- if (nat->nat_age < fr_defnaticmpage)
- nat->nat_age = fr_defnaticmpage;
-#ifdef LARGE_NAT
- else if (nat->nat_age > fr_defnatage)
- nat->nat_age = fr_defnatage;
-#endif
- /*
- * Increase this because we may have
- * "keep state" following this too and
- * packet storms can occur if this is
- * removed too quickly.
- */
- if (nat->nat_age == fr_tcpclosed)
- nat->nat_age = fr_tcplastack;
- MUTEX_EXIT(&nat->nat_lock);
- } else if (ip->ip_p == IPPROTO_UDP) {
- udphdr_t *udp = (udphdr_t *)tcp;
-
- if (udp->uh_sum)
- csump = &udp->uh_sum;
- } else if (ip->ip_p == IPPROTO_ICMP) {
- nat->nat_age = fr_defnaticmpage;
- }
-
- if (csump) {
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_outcksum(csump, nat->nat_sumd[1]);
- else
- fix_incksum(csump, nat->nat_sumd[1]);
- }
- }
-
- if ((np->in_apr != NULL) && (np->in_dport == 0 ||
- (tcp != NULL && dport == np->in_dport))) {
- i = appr_check(ip, fin, nat);
- if (i == 0)
- i = 1;
- } else
- i = 1;
- ATOMIC_INCL(nat_stats.ns_mapped[1]);
- RWLOCK_EXIT(&ipf_nat); /* READ */
- return i;
- }
- RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
- return 0;
-}
-
-
-/*
- * Packets coming in from the external interface go through this.
- * Here, the destination address requires alteration, if anything.
- */
-int ip_natin(ip, fin)
-ip_t *ip;
-fr_info_t *fin;
-{
- register struct in_addr src;
- register struct in_addr in;
- register ipnat_t *np;
- u_int nflags = 0, natadd = 1, hv, msk;
- struct ifnet *ifp = fin->fin_ifp;
- tcphdr_t *tcp = NULL;
- u_short sport = 0, dport = 0, *csump = NULL;
- nat_t *nat;
- u_32_t iph;
- int i;
-
- if ((nat_list == NULL) || (ip->ip_v != 4) || (fr_nat_lock))
- return 0;
-
- if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
- if (ip->ip_p == IPPROTO_TCP)
- nflags = IPN_TCP;
- else if (ip->ip_p == IPPROTO_UDP)
- nflags = IPN_UDP;
- if ((nflags & IPN_TCPUDP)) {
- tcp = (tcphdr_t *)fin->fin_dp;
- dport = tcp->th_dport;
- sport = tcp->th_sport;
- }
- }
-
- in = ip->ip_dst;
- /* make sure the source address is to be redirected */
- src = ip->ip_src;
-
- READ_ENTER(&ipf_nat);
-
- if ((ip->ip_p == IPPROTO_ICMP) &&
- (nat = nat_icmp(ip, fin, &nflags, NAT_INBOUND)))
- ;
- else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
- (nat = ipfr_nat_knownfrag(ip, fin)))
- natadd = 0;
- else if ((nat = nat_inlookup(fin->fin_ifp, nflags, (u_int)ip->ip_p,
- ip->ip_src, in, (dport << 16) | sport,
- 0))) {
- nflags = nat->nat_flags;
- if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) {
- if ((nat->nat_oport != sport) && (nflags & FI_W_DPORT))
- nat->nat_oport = sport;
- else if ((nat->nat_outport != dport) &&
- (nflags & FI_W_SPORT))
- nat->nat_outport = dport;
- nat->nat_flags &= ~(FI_W_SPORT|FI_W_DPORT);
- nflags = nat->nat_flags;
- nat_stats.ns_wilds--;
- }
- } else {
- RWLOCK_EXIT(&ipf_nat);
- WRITE_ENTER(&ipf_nat);
- /*
- * If there is no current entry in the nat table for this IP#,
- * create one for it (if there is a matching rule).
- */
- msk = 0xffffffff;
- i = 32;
-maskloop:
- iph = in.s_addr & htonl(msk);
- hv = NAT_HASH_FN(iph, 0, ipf_rdrrules_sz);
- for (np = rdr_rules[hv]; np; np = np->in_rnext) {
- if ((np->in_ifp && (np->in_ifp != ifp)) ||
- (np->in_p && (np->in_p != ip->ip_p)) ||
- (np->in_flags && !(nflags & np->in_flags)))
- continue;
- if (np->in_flags & IPN_FILTER) {
- if (!nat_match(fin, np, ip))
- continue;
- } else if ((in.s_addr & np->in_outmsk) != np->in_outip)
- continue;
- if ((np->in_redir & NAT_REDIRECT) &&
- (!np->in_pmin || (np->in_flags & IPN_FILTER) ||
- ((ntohs(np->in_pmax) >= ntohs(dport)) &&
- (ntohs(dport) >= ntohs(np->in_pmin)))))
- if ((nat = nat_new(np, ip, fin, nflags,
- NAT_INBOUND))) {
- np->in_hits++;
- break;
- }
- }
-
- if ((np == NULL) && (i > 0)) {
- do {
- i--;
- msk <<= 1;
- } while ((i >= 0) && ((rdr_masks & (1 << i)) == 0));
- if (i >= 0)
- goto maskloop;
- }
- MUTEX_DOWNGRADE(&ipf_nat);
- }
-
- /*
- * NOTE: ipf_nat must now only be held as a read lock
- */
- if (nat) {
- np = nat->nat_ptr;
- fin->fin_fr = nat->nat_fr;
- if (natadd && (fin->fin_fi.fi_fl & FI_FRAG) &&
- np && (np->in_flags & IPN_FRAG))
- ipfr_nat_newfrag(ip, fin, 0, nat);
- if ((np->in_apr != NULL) && (np->in_dport == 0 ||
- (tcp != NULL && sport == np->in_dport))) {
- i = appr_check(ip, fin, nat);
- if (i == -1) {
- RWLOCK_EXIT(&ipf_nat);
- return i;
- }
- }
-
- MUTEX_ENTER(&nat->nat_lock);
- if (nflags != IPN_ICMPERR)
- nat->nat_age = fr_defnatage;
-
- nat->nat_bytes += ip->ip_len;
- nat->nat_pkts++;
- MUTEX_EXIT(&nat->nat_lock);
- ip->ip_dst = nat->nat_inip;
- fin->fin_fi.fi_daddr = nat->nat_inip.s_addr;
-
- /*
- * Fix up checksums, not by recalculating them, but
- * simply computing adjustments.
- */
-#if SOLARIS || defined(__sgi)
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
- else
- fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
-#endif
- if (!(ip->ip_off & IP_OFFMASK) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
-
- if ((nat->nat_inport != 0) && (nflags & IPN_TCPUDP)) {
- tcp->th_dport = nat->nat_inport;
- fin->fin_data[1] = ntohs(tcp->th_dport);
- }
-
- if (ip->ip_p == IPPROTO_TCP) {
- csump = &tcp->th_sum;
- MUTEX_ENTER(&nat->nat_lock);
- fr_tcp_age(&nat->nat_age,
- nat->nat_tcpstate, fin, 0);
- if (nat->nat_age < fr_defnaticmpage)
- nat->nat_age = fr_defnaticmpage;
-#ifdef LARGE_NAT
- else if (nat->nat_age > fr_defnatage)
- nat->nat_age = fr_defnatage;
-#endif
- /*
- * Increase this because we may have
- * "keep state" following this too and
- * packet storms can occur if this is
- * removed too quickly.
- */
- if (nat->nat_age == fr_tcpclosed)
- nat->nat_age = fr_tcplastack;
- MUTEX_EXIT(&nat->nat_lock);
- } else if (ip->ip_p == IPPROTO_UDP) {
- udphdr_t *udp = (udphdr_t *)tcp;
-
- if (udp->uh_sum)
- csump = &udp->uh_sum;
- } else if (ip->ip_p == IPPROTO_ICMP) {
- nat->nat_age = fr_defnaticmpage;
- }
-
- if (csump) {
- if (nat->nat_dir == NAT_OUTBOUND)
- fix_incksum(csump, nat->nat_sumd[0]);
- else
- fix_outcksum(csump, nat->nat_sumd[0]);
- }
- }
- ATOMIC_INCL(nat_stats.ns_mapped[0]);
- RWLOCK_EXIT(&ipf_nat); /* READ */
- return 1;
- }
- RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
- return 0;
-}
-
-
-/*
- * Free all memory used by NAT structures allocated at runtime.
- */
-void ip_natunload()
-{
- WRITE_ENTER(&ipf_nat);
- (void) nat_clearlist();
- (void) nat_flushtable();
- RWLOCK_EXIT(&ipf_nat);
-
- if (nat_table[0] != NULL) {
- KFREES(nat_table[0], sizeof(nat_t *) * ipf_nattable_sz);
- nat_table[0] = NULL;
- }
- if (nat_table[1] != NULL) {
- KFREES(nat_table[1], sizeof(nat_t *) * ipf_nattable_sz);
- nat_table[1] = NULL;
- }
- if (nat_rules != NULL) {
- KFREES(nat_rules, sizeof(ipnat_t *) * ipf_natrules_sz);
- nat_rules = NULL;
- }
- if (rdr_rules != NULL) {
- KFREES(rdr_rules, sizeof(ipnat_t *) * ipf_rdrrules_sz);
- rdr_rules = NULL;
- }
- if (maptable != NULL) {
- KFREES(maptable, sizeof(hostmap_t *) * ipf_hostmap_sz);
- maptable = NULL;
- }
-}
-
-
-/*
- * Slowly expire held state for NAT entries. Timeouts are set in
- * expectation of this being called twice per second.
- */
-void ip_natexpire()
-{
- register struct nat *nat, **natp;
-#if defined(_KERNEL) && !SOLARIS
- int s;
-#endif
-
- SPL_NET(s);
- WRITE_ENTER(&ipf_nat);
- for (natp = &nat_instances; (nat = *natp); ) {
- nat->nat_age--;
- if (nat->nat_age) {
- natp = &nat->nat_next;
- continue;
- }
- *natp = nat->nat_next;
-#ifdef IPFILTER_LOG
- nat_log(nat, NL_EXPIRE);
-#endif
- nat_delete(nat);
- nat_stats.ns_expire++;
- }
- RWLOCK_EXIT(&ipf_nat);
- SPL_X(s);
-}
-
-
-/*
- */
-void ip_natsync(ifp)
-void *ifp;
-{
- register ipnat_t *n;
- register nat_t *nat;
- register u_32_t sum1, sum2, sumd;
- struct in_addr in;
- ipnat_t *np;
- void *ifp2;
-#if defined(_KERNEL) && !SOLARIS
- int s;
-#endif
-
- /*
- * Change IP addresses for NAT sessions for any protocol except TCP
- * since it will break the TCP connection anyway.
- */
- SPL_NET(s);
- WRITE_ENTER(&ipf_nat);
- for (nat = nat_instances; nat; nat = nat->nat_next)
- if (((ifp == NULL) || (ifp == nat->nat_ifp)) &&
- !(nat->nat_flags & IPN_TCP) && (np = nat->nat_ptr) &&
- (np->in_outmsk == 0xffffffff) && !np->in_nip) {
- ifp2 = nat->nat_ifp;
- /*
- * Change the map-to address to be the same as the
- * new one.
- */
- sum1 = nat->nat_outip.s_addr;
- if (fr_ifpaddr(4, ifp2, &in) != -1)
- nat->nat_outip = in;
- sum2 = nat->nat_outip.s_addr;
-
- if (sum1 == sum2)
- continue;
- /*
- * Readjust the checksum adjustment to take into
- * account the new IP#.
- */
- CALC_SUMD(sum1, sum2, sumd);
- /* XXX - dont change for TCP when solaris does
- * hardware checksumming.
- */
- sumd += nat->nat_sumd[0];
- nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
- nat->nat_sumd[1] = nat->nat_sumd[0];
- }
-
- for (n = nat_list; (n != NULL); n = n->in_next)
- if (n->in_ifp == ifp) {
- n->in_ifp = (void *)GETUNIT(n->in_ifname, 4);
- if (!n->in_ifp)
- n->in_ifp = (void *)-1;
- }
- RWLOCK_EXIT(&ipf_nat);
- SPL_X(s);
-}
-
-
-#ifdef IPFILTER_LOG
-void nat_log(nat, type)
-struct nat *nat;
-u_int type;
-{
- struct ipnat *np;
- struct natlog natl;
- void *items[1];
- size_t sizes[1];
- int rulen, types[1];
-
- natl.nl_inip = nat->nat_inip;
- natl.nl_outip = nat->nat_outip;
- natl.nl_origip = nat->nat_oip;
- natl.nl_bytes = nat->nat_bytes;
- natl.nl_pkts = nat->nat_pkts;
- natl.nl_origport = nat->nat_oport;
- natl.nl_inport = nat->nat_inport;
- natl.nl_outport = nat->nat_outport;
- natl.nl_p = nat->nat_p;
- natl.nl_type = type;
- natl.nl_rule = -1;
-#ifndef LARGE_NAT
- if (nat->nat_ptr != NULL) {
- for (rulen = 0, np = nat_list; np; np = np->in_next, rulen++)
- if (np == nat->nat_ptr) {
- natl.nl_rule = rulen;
- break;
- }
- }
-#endif
- items[0] = &natl;
- sizes[0] = sizeof(natl);
- types[0] = 0;
-
- (void) ipllog(IPL_LOGNAT, NULL, items, sizes, types, 1);
-}
-#endif
diff --git a/sys/netinet/ip_nat.h b/sys/netinet/ip_nat.h
deleted file mode 100644
index c0cab691185..00000000000
--- a/sys/netinet/ip_nat.h
+++ /dev/null
@@ -1,312 +0,0 @@
-/* $OpenBSD: ip_nat.h,v 1.19 2001/05/08 19:58:02 fgsch Exp $ */
-
-/*
- * Copyright (C) 1995-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * @(#)ip_nat.h 1.5 2/4/96
- * $IPFilter: ip_nat.h,v 2.17.2.15 2001/04/06 13:47:35 darrenr Exp $
- */
-
-#ifndef __IP_NAT_H__
-#define __IP_NAT_H__
-
-#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-
-#if defined(__STDC__) || defined(__GNUC__)
-#define SIOCADNAT _IOW('r', 60, struct ipnat *)
-#define SIOCRMNAT _IOW('r', 61, struct ipnat *)
-#define SIOCGNATS _IOWR('r', 62, struct natstat *)
-#define SIOCGNATL _IOWR('r', 63, struct natlookup *)
-#else
-#define SIOCADNAT _IOW(r, 60, struct ipnat *)
-#define SIOCRMNAT _IOW(r, 61, struct ipnat *)
-#define SIOCGNATS _IOWR(r, 62, struct natstat *)
-#define SIOCGNATL _IOWR(r, 63, struct natlookup *)
-#endif
-
-#undef LARGE_NAT /* define this if you're setting up a system to NAT
- * LARGE numbers of networks/hosts - i.e. in the
- * hundreds or thousands. In such a case, you should
- * also change the RDR_SIZE and NAT_SIZE below to more
- * appropriate sizes. The figures below were used for
- * a setup with 1000-2000 networks to NAT.
- */
-#define NAT_SIZE 127
-#define RDR_SIZE 127
-#define HOSTMAP_SIZE 127
-#define NAT_TABLE_SZ 127
-#ifdef LARGE_NAT
-#undef NAT_SIZE
-#undef RDR_SIZE
-#undef NAT_TABLE_SZ
-#undef HOSTMAP_SIZE 127
-#define NAT_SIZE 2047
-#define RDR_SIZE 2047
-#define NAT_TABLE_SZ 16383
-#define HOSTMAP_SIZE 8191
-#endif
-#ifndef APR_LABELLEN
-#define APR_LABELLEN 16
-#endif
-#define NAT_HW_CKSUM 0x80000000
-
-#define DEF_NAT_AGE 1200 /* 10 minutes (600 seconds) */
-
-struct ap_session;
-
-typedef struct nat {
- u_long nat_age;
- int nat_flags;
- u_32_t nat_sumd[2];
- u_32_t nat_ipsumd;
- void *nat_data;
- struct ap_session *nat_aps; /* proxy session */
- struct frentry *nat_fr; /* filter rule ptr if appropriate */
- struct in_addr nat_inip;
- struct in_addr nat_outip;
- struct in_addr nat_oip; /* other ip */
- U_QUAD_T nat_pkts;
- U_QUAD_T nat_bytes;
- u_short nat_oport; /* other port */
- u_short nat_inport;
- u_short nat_outport;
- u_short nat_use;
- u_char nat_tcpstate[2];
- u_char nat_p; /* protocol for NAT */
- struct ipnat *nat_ptr; /* pointer back to the rule */
- struct hostmap *nat_hm;
- struct nat *nat_next;
- struct nat *nat_hnext[2];
- struct nat **nat_phnext[2];
- void *nat_ifp;
- int nat_dir;
- char nat_ifname[IFNAMSIZ];
-#if SOLARIS || defined(__sgi)
- kmutex_t nat_lock;
-#endif
-} nat_t;
-
-typedef struct ipnat {
- struct ipnat *in_next;
- struct ipnat *in_rnext;
- struct ipnat **in_prnext;
- struct ipnat *in_mnext;
- struct ipnat **in_pmnext;
- void *in_ifp;
- void *in_apr;
- u_long in_space;
- u_int in_use;
- u_int in_hits;
- struct in_addr in_nextip;
- u_short in_pnext;
- u_short in_ippip; /* IP #'s per IP# */
- u_32_t in_flags; /* From here to in_dport must be reflected */
- u_short in_spare;
- u_short in_ppip; /* ports per IP */
- u_short in_port[2]; /* correctly in IPN_CMPSIZ */
- struct in_addr in_in[2];
- struct in_addr in_out[2];
- struct in_addr in_src[2];
- struct frtuc in_tuc;
- int in_redir; /* 0 if it's a mapping, 1 if it's a hard redir */
- char in_ifname[IFNAMSIZ];
- char in_plabel[APR_LABELLEN]; /* proxy label */
- char in_p; /* protocol */
-} ipnat_t;
-
-#define in_pmin in_port[0] /* Also holds static redir port */
-#define in_pmax in_port[1]
-#define in_nip in_nextip.s_addr
-#define in_inip in_in[0].s_addr
-#define in_inmsk in_in[1].s_addr
-#define in_outip in_out[0].s_addr
-#define in_outmsk in_out[1].s_addr
-#define in_srcip in_src[0].s_addr
-#define in_srcmsk in_src[1].s_addr
-#define in_scmp in_tuc.ftu_scmp
-#define in_dcmp in_tuc.ftu_dcmp
-#define in_stop in_tuc.ftu_stop
-#define in_dtop in_tuc.ftu_dtop
-#define in_sport in_tuc.ftu_sport
-#define in_dport in_tuc.ftu_dport
-
-#define NAT_OUTBOUND 0
-#define NAT_INBOUND 1
-
-#define NAT_MAP 0x01
-#define NAT_REDIRECT 0x02
-#define NAT_BIMAP (NAT_MAP|NAT_REDIRECT)
-#define NAT_MAPBLK 0x04
-/* 0x100 reserved for FI_W_SPORT */
-/* 0x200 reserved for FI_W_DPORT */
-/* 0x400 reserved for FI_W_SADDR */
-/* 0x800 reserved for FI_W_DADDR */
-/* 0x1000 reserved for FI_W_NEWFR */
-
-#define MAPBLK_MINPORT 1024 /* don't use reserved ports for src port */
-#define USABLE_PORTS (65536 - MAPBLK_MINPORT)
-
-#define IPN_CMPSIZ (sizeof(ipnat_t) - offsetof(ipnat_t, in_flags))
-
-typedef struct natlookup {
- struct in_addr nl_inip;
- struct in_addr nl_outip;
- struct in_addr nl_realip;
- int nl_flags;
- u_short nl_inport;
- u_short nl_outport;
- u_short nl_realport;
-} natlookup_t;
-
-
-typedef struct nat_save {
- void *ipn_next;
- struct nat ipn_nat;
- struct ipnat ipn_ipnat;
- struct frentry ipn_fr;
- int ipn_dsize;
- char ipn_data[4];
-} nat_save_t;
-
-#define ipn_rule ipn_nat.nat_fr
-
-typedef struct natget {
- void *ng_ptr;
- int ng_sz;
-} natget_t;
-
-
-typedef struct hostmap {
- struct hostmap *hm_next;
- struct hostmap **hm_pnext;
- struct ipnat *hm_ipnat;
- struct in_addr hm_realip;
- struct in_addr hm_mapip;
- int hm_ref;
-} hostmap_t;
-
-
-typedef struct natstat {
- u_long ns_mapped[2];
- u_long ns_rules;
- u_long ns_added;
- u_long ns_expire;
- u_long ns_inuse;
- u_long ns_logged;
- u_long ns_logfail;
- u_long ns_memfail;
- u_long ns_badnat;
- nat_t **ns_table[2];
- ipnat_t *ns_list;
- void *ns_apslist;
- u_int ns_nattab_sz;
- u_int ns_rultab_sz;
- u_int ns_rdrtab_sz;
- nat_t *ns_instances;
- u_int ns_wilds;
-} natstat_t;
-
-#define IPN_ANY 0x000
-#define IPN_TCP 0x001
-#define IPN_UDP 0x002
-#define IPN_TCPUDP (IPN_TCP|IPN_UDP)
-#define IPN_DELETE 0x004
-#define IPN_ICMPERR 0x008
-#define IPN_RF (IPN_TCPUDP|IPN_DELETE|IPN_ICMPERR)
-#define IPN_AUTOPORTMAP 0x010
-#define IPN_IPRANGE 0x020
-#define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|IPN_SPLIT|\
- IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST)
-#define IPN_FILTER 0x040
-#define IPN_SPLIT 0x080
-#define IPN_ROUNDR 0x100
-#define IPN_NOTSRC 0x080000
-#define IPN_NOTDST 0x100000
-#define IPN_FRAG 0x200000
-
-
-typedef struct natlog {
- struct in_addr nl_origip;
- struct in_addr nl_outip;
- struct in_addr nl_inip;
- u_short nl_origport;
- u_short nl_outport;
- u_short nl_inport;
- u_short nl_type;
- int nl_rule;
- U_QUAD_T nl_pkts;
- U_QUAD_T nl_bytes;
- u_char nl_p;
-} natlog_t;
-
-
-#define NL_NEWMAP NAT_MAP
-#define NL_NEWRDR NAT_REDIRECT
-#define NL_NEWBIMAP NAT_BIMAP
-#define NL_NEWBLOCK NAT_MAPBLK
-#define NL_FLUSH 0xfffe
-#define NL_EXPIRE 0xffff
-
-#define NAT_HASH_FN(k,l,m) (((k) + ((k) >> 12) + l) % (m))
-
-#define LONG_SUM(in) (((in) & 0xffff) + ((in) >> 16))
-
-#define CALC_SUMD(s1, s2, sd) { \
- (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
- (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
- /* Do it twice */ \
- (s1) = ((s1) & 0xffff) + ((s1) >> 16); \
- (s2) = ((s2) & 0xffff) + ((s2) >> 16); \
- /* Because ~1 == -2, We really need ~1 == -1 */ \
- if ((s1) > (s2)) (s2)--; \
- (sd) = (s2) - (s1); \
- (sd) = ((sd) & 0xffff) + ((sd) >> 16); }
-
-
-extern u_int ipf_nattable_sz;
-extern u_int ipf_natrules_sz;
-extern u_int ipf_rdrrules_sz;
-extern int fr_nat_lock;
-extern void ip_natsync __P((void *));
-extern u_long fr_defnatage;
-extern u_long fr_defnaticmpage;
-extern nat_t **nat_table[2];
-extern nat_t *nat_instances;
-extern ipnat_t **nat_rules;
-extern ipnat_t **rdr_rules;
-extern natstat_t nat_stats;
-#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
-extern int nat_ioctl __P((caddr_t, u_long, int));
-#else
-extern int nat_ioctl __P((caddr_t, int, int));
-#endif
-extern int nat_init __P((void));
-extern nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_int, int));
-extern nat_t *nat_outlookup __P((void *, u_int, u_int, struct in_addr,
- struct in_addr, u_32_t, int));
-extern nat_t *nat_inlookup __P((void *, u_int, u_int, struct in_addr,
- struct in_addr, u_32_t, int));
-extern nat_t *nat_maplookup __P((void *, u_int, struct in_addr,
- struct in_addr));
-extern nat_t *nat_lookupredir __P((natlookup_t *));
-extern nat_t *nat_icmplookup __P((ip_t *, fr_info_t *, int));
-extern nat_t *nat_icmp __P((ip_t *, fr_info_t *, u_int *, int));
-extern void nat_insert __P((nat_t *));
-
-extern int nat_clearlist __P((void));
-
-extern int ip_natout __P((ip_t *, fr_info_t *));
-extern int ip_natin __P((ip_t *, fr_info_t *));
-extern void ip_natunload __P((void)), ip_natexpire __P((void));
-extern void nat_log __P((struct nat *, u_int));
-extern void fix_incksum __P((u_short *, u_32_t));
-extern void fix_outcksum __P((u_short *, u_32_t));
-extern void fix_datacksum __P((u_short *, u_32_t));
-
-#endif /* __IP_NAT_H__ */
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 7ff5629d4d0..68d2648757c 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.97 2001/05/29 01:09:14 angelos Exp $ */
+/* $OpenBSD: ip_output.c,v 1.98 2001/05/30 02:12:34 deraadt Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -90,9 +90,6 @@ extern int ipsec_esp_network_default_level;
static struct mbuf *ip_insertoptions __P((struct mbuf *, struct mbuf *, int *));
static void ip_mloopback
__P((struct ifnet *, struct mbuf *, struct sockaddr_in *));
-#if defined(IPFILTER) || defined(IPFILTER_LKM)
-int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
-#endif
/*
* IP output. The packet in mbuf chain m contains a skeletal IP
@@ -558,29 +555,6 @@ sendit:
if (sproto != 0) {
s = splnet();
-#if defined(IPFILTER) || defined(IPFILTER_LKM)
- if (fr_checkp) {
- /*
- * Ok, it's time for a simple round-trip to the IPF/NAT
- * code with the enc0 interface.
- */
- struct mbuf *m0 = m;
- void *ifp = (void *)&encif[0].sc_if;
- if ((*fr_checkp)(ip, hlen, ifp, 1, &m0)) {
- error = EHOSTUNREACH;
- splx(s);
- goto done;
- }
- if (m0 == 0) { /* in case of 'fastroute' */
- error = 0;
- splx(s);
- goto done;
- }
- ip = mtod(m = m0, struct ip *);
- hlen = ip->ip_hl << 2;
- }
-#endif /* IPFILTER */
-
tdb = gettdb(sspi, &sdst, sproto);
if (tdb == NULL) {
error = EHOSTUNREACH;
@@ -624,23 +598,6 @@ sendit:
}
#endif /* IPSEC */
-#if defined(IPFILTER) || defined(IPFILTER_LKM)
- /*
- * looks like most checking has been done now...do a filter check
- */
- {
- struct mbuf *m0 = m;
- if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m0)) {
- error = EHOSTUNREACH;
- goto done;
- }
- if (m0 == 0) { /* in case of 'fastroute' */
- error = 0;
- goto done;
- }
- ip = mtod(m = m0, struct ip *);
- }
-#endif
/*
* If small enough for interface, can just send directly.
*/
diff --git a/sys/netinet/ip_proxy.c b/sys/netinet/ip_proxy.c
deleted file mode 100644
index 467b4f86eee..00000000000
--- a/sys/netinet/ip_proxy.c
+++ /dev/null
@@ -1,453 +0,0 @@
-/* $OpenBSD: ip_proxy.c,v 1.13 2001/01/30 04:23:56 kjell Exp $ */
-
-/*
- * Copyright (C) 1997-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char rcsid[] = "@(#)$IPFilter: ip_proxy.c,v 2.9.2.1 2000/05/06 12:30:50 darrenr Exp $";
-#endif
-
-#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
-# define _KERNEL
-#endif
-
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/file.h>
-#if !defined(__FreeBSD_version)
-# include <sys/ioctl.h>
-#endif
-#include <sys/fcntl.h>
-#include <sys/uio.h>
-#if !defined(_KERNEL) && !defined(KERNEL)
-# include <stdio.h>
-# include <string.h>
-# include <stdlib.h>
-#endif
-#ifndef linux
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if defined(_KERNEL)
-# if !defined(linux)
-# include <sys/systm.h>
-# else
-# include <linux/string.h>
-# endif
-#endif
-#if !defined(__SVR4) && !defined(__svr4__)
-# ifndef linux
-# include <sys/mbuf.h>
-# endif
-#else
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-# include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-#if __FreeBSD__ > 2
-# include <sys/queue.h>
-#endif
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-# include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_proxy.h>
-#include <netinet/ip_nat.h>
-#include <netinet/ip_state.h>
-#if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-#endif
-
-
-#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-static ap_session_t *appr_new_session __P((aproxy_t *, ip_t *,
- fr_info_t *, nat_t *));
-static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
-
-
-#define AP_SESS_SIZE 53
-
-#if defined(_KERNEL) && !defined(linux)
-#include <netinet/ip_ftp_pxy.c>
-#include <netinet/ip_rcmd_pxy.c>
-#include <netinet/ip_raudio_pxy.c>
-#endif
-
-ap_session_t *ap_sess_tab[AP_SESS_SIZE];
-ap_session_t *ap_sess_list = NULL;
-aproxy_t *ap_proxylist = NULL;
-aproxy_t ap_proxies[] = {
-#ifdef IPF_FTP_PROXY
- { NULL, "ftp", (char)IPPROTO_TCP, 0, 0, ippr_ftp_init, NULL,
- ippr_ftp_new, ippr_ftp_in, ippr_ftp_out },
-#endif
-#ifdef IPF_RCMD_PROXY
- { NULL, "rcmd", (char)IPPROTO_TCP, 0, 0, ippr_rcmd_init, NULL,
- ippr_rcmd_new, NULL, ippr_rcmd_out },
-#endif
-#ifdef IPF_RAUDIO_PROXY
- { NULL, "raudio", (char)IPPROTO_TCP, 0, 0, ippr_raudio_init, NULL,
- ippr_raudio_new, ippr_raudio_in, ippr_raudio_out },
-#endif
- { NULL, "", '\0', 0, 0, NULL, NULL }
-};
-
-
-int appr_add(ap)
-aproxy_t *ap;
-{
- aproxy_t *a;
-
- for (a = ap_proxies; a->apr_p; a++)
- if ((a->apr_p == ap->apr_p) &&
- !strncmp(a->apr_label, ap->apr_label,
- sizeof(ap->apr_label)))
- return -1;
-
- for (a = ap_proxylist; a->apr_p; a = a->apr_next)
- if ((a->apr_p == ap->apr_p) &&
- !strncmp(a->apr_label, ap->apr_label,
- sizeof(ap->apr_label)))
- return -1;
- ap->apr_next = ap_proxylist;
- ap_proxylist = ap;
- return (*ap->apr_init)();
-}
-
-
-int appr_del(ap)
-aproxy_t *ap;
-{
- aproxy_t *a, **app;
-
- for (app = &ap_proxylist; (a = *app); app = &a->apr_next)
- if (a == ap) {
- if (ap->apr_ref != 0)
- return 1;
- *app = a->apr_next;
- return 0;
- }
- return -1;
-}
-
-
-int appr_ok(ip, tcp, nat)
-ip_t *ip;
-tcphdr_t *tcp;
-ipnat_t *nat;
-{
- aproxy_t *apr = nat->in_apr;
- u_short dport = nat->in_dport;
-
- if (!apr || (apr->apr_flags & APR_DELETE) ||
- (ip->ip_p != apr->apr_p))
- return 0;
- if ((tcp && (tcp->th_dport != dport)) || (!tcp && dport))
- return 0;
- return 1;
-}
-
-
-/*
- * Allocate a new application proxy structure and fill it in with the
- * relevant details. call the init function once complete, prior to
- * returning.
- */
-static ap_session_t *appr_new_session(apr, ip, fin, nat)
-aproxy_t *apr;
-ip_t *ip;
-fr_info_t *fin;
-nat_t *nat;
-{
- register ap_session_t *aps;
-
- if (!apr || (apr->apr_flags & APR_DELETE) || (ip->ip_p != apr->apr_p))
- return NULL;
-
- KMALLOC(aps, ap_session_t *);
- if (!aps)
- return NULL;
- bzero((char *)aps, sizeof(*aps));
- aps->aps_p = ip->ip_p;
- aps->aps_data = NULL;
- aps->aps_apr = apr;
- aps->aps_psiz = 0;
- if (apr->apr_new != NULL)
- if ((*apr->apr_new)(fin, ip, aps, nat) == -1) {
- KFREE(aps);
- return NULL;
- }
- aps->aps_nat = nat;
- aps->aps_next = ap_sess_list;
- ap_sess_list = aps;
- return aps;
-}
-
-
-/*
- * check to see if a packet should be passed through an active proxy routine
- * if one has been setup for it.
- */
-int appr_check(ip, fin, nat)
-ip_t *ip;
-fr_info_t *fin;
-nat_t *nat;
-{
- ap_session_t *aps;
- aproxy_t *apr;
- tcphdr_t *tcp = NULL;
- u_32_t sum;
- short rv;
- int err;
-
- if (nat->nat_aps == NULL)
- nat->nat_aps = appr_new_session(nat->nat_ptr->in_apr, ip,
- fin, nat);
- aps = nat->nat_aps;
- if ((aps != NULL) && (aps->aps_p == ip->ip_p)) {
- if (ip->ip_p == IPPROTO_TCP) {
- tcp = (tcphdr_t *)fin->fin_dp;
- /*
- * verify that the checksum is correct. If not, then
- * don't do anything with this packet.
- */
-#if SOLARIS && defined(_KERNEL)
- sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
-#else
- sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
-#endif
- if (sum != tcp->th_sum) {
- frstats[fin->fin_out].fr_tcpbad++;
- return -1;
- }
- }
-
- apr = aps->aps_apr;
- err = 0;
- if (fin->fin_out != 0) {
- if (apr->apr_outpkt != NULL)
- err = (*apr->apr_outpkt)(fin, ip, aps, nat);
- } else {
- if (apr->apr_inpkt != NULL)
- err = (*apr->apr_inpkt)(fin, ip, aps, nat);
- }
-
- rv = APR_EXIT(err);
- if (rv == -1)
- return rv;
-
- if (tcp != NULL) {
- err = appr_fixseqack(fin, ip, aps, APR_INC(err));
-#if SOLARIS && defined(_KERNEL)
- tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
-#else
- tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
-#endif
- }
- aps->aps_bytes += ip->ip_len;
- aps->aps_pkts++;
- return 1;
- }
- return 0;
-}
-
-
-aproxy_t *appr_match(pr, name)
-u_int pr;
-char *name;
-{
- aproxy_t *ap;
-
- for (ap = ap_proxies; ap->apr_p; ap++)
- if ((ap->apr_p == pr) &&
- !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) {
- ap->apr_ref++;
- return ap;
- }
-
- for (ap = ap_proxylist; ap; ap = ap->apr_next)
- if ((ap->apr_p == pr) &&
- !strncmp(name, ap->apr_label, sizeof(ap->apr_label))) {
- ap->apr_ref++;
- return ap;
- }
- return NULL;
-}
-
-
-void appr_free(ap)
-aproxy_t *ap;
-{
- ap->apr_ref--;
-}
-
-
-void aps_free(aps)
-ap_session_t *aps;
-{
- ap_session_t *a, **ap;
-
- if (!aps)
- return;
-
- for (ap = &ap_sess_list; (a = *ap); ap = &a->aps_next)
- if (a == aps) {
- *ap = a->aps_next;
- break;
- }
-
- if ((aps->aps_data != NULL) && (aps->aps_psiz != 0))
- KFREES(aps->aps_data, aps->aps_psiz);
- KFREE(aps);
-}
-
-
-static int appr_fixseqack(fin, ip, aps, inc)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-int inc;
-{
- int sel, ch = 0, out, nlen;
- u_32_t seq1, seq2;
- tcphdr_t *tcp;
-
- tcp = (tcphdr_t *)fin->fin_dp;
- out = fin->fin_out;
- nlen = ip->ip_len;
- nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
-
- if (out != 0) {
- seq1 = (u_32_t)ntohl(tcp->th_seq);
- sel = aps->aps_sel[out];
-
- /* switch to other set ? */
- if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
- (seq1 > aps->aps_seqmin[!sel]))
- sel = aps->aps_sel[out] = !sel;
-
- if (aps->aps_seqoff[sel]) {
- seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel];
- if (seq1 > seq2) {
- seq2 = aps->aps_seqoff[sel];
- seq1 += seq2;
- tcp->th_seq = htonl(seq1);
- ch = 1;
- }
- }
-
- if (inc && (seq1 > aps->aps_seqmin[!sel])) {
- aps->aps_seqmin[!sel] = seq1 + nlen - 1;
- aps->aps_seqoff[!sel] = aps->aps_seqoff[sel] + inc;
- }
-
- /***/
-
- seq1 = ntohl(tcp->th_ack);
- sel = aps->aps_sel[1 - out];
-
- /* switch to other set ? */
- if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
- (seq1 > aps->aps_ackmin[!sel]))
- sel = aps->aps_sel[1 - out] = !sel;
-
- if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) {
- seq2 = aps->aps_ackoff[sel];
- tcp->th_ack = htonl(seq1 - seq2);
- ch = 1;
- }
- } else {
- seq1 = ntohl(tcp->th_seq);
- sel = aps->aps_sel[out];
-
- /* switch to other set ? */
- if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
- (seq1 > aps->aps_ackmin[!sel]))
- sel = aps->aps_sel[out] = !sel;
-
- if (aps->aps_ackoff[sel]) {
- seq2 = aps->aps_ackmin[sel] -
- aps->aps_ackoff[sel];
- if (seq1 > seq2) {
- seq2 = aps->aps_ackoff[sel];
- seq1 += seq2;
- tcp->th_seq = htonl(seq1);
- ch = 1;
- }
- }
-
- if (inc && (seq1 > aps->aps_ackmin[!sel])) {
- aps->aps_ackmin[!sel] = seq1 + nlen - 1;
- aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc;
- }
-
- /***/
-
- seq1 = ntohl(tcp->th_ack);
- sel = aps->aps_sel[1 - out];
-
- /* switch to other set ? */
- if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
- (seq1 > aps->aps_seqmin[!sel]))
- sel = aps->aps_sel[1 - out] = !sel;
-
- if (aps->aps_seqoff[sel] && (seq1 > aps->aps_seqmin[sel])) {
- seq2 = aps->aps_seqoff[sel];
- tcp->th_ack = htonl(seq1 - seq2);
- ch = 1;
- }
- }
- return ch ? 2 : 0;
-}
-
-
-int appr_init()
-{
- aproxy_t *ap;
- int err = 0;
-
- for (ap = ap_proxies; ap->apr_p; ap++) {
- err = (*ap->apr_init)();
- if (err != 0)
- break;
- }
- return err;
-}
-
-
-void appr_unload()
-{
- aproxy_t *ap;
-
- for (ap = ap_proxies; ap->apr_p; ap++)
- if (ap->apr_fini)
- (*ap->apr_fini)();
- for (ap = ap_proxylist; ap; ap = ap->apr_next)
- if (ap->apr_fini)
- (*ap->apr_fini)();
-}
diff --git a/sys/netinet/ip_proxy.h b/sys/netinet/ip_proxy.h
deleted file mode 100644
index 59a94412063..00000000000
--- a/sys/netinet/ip_proxy.h
+++ /dev/null
@@ -1,158 +0,0 @@
-/* $OpenBSD: ip_proxy.h,v 1.9 2001/01/17 04:47:15 fgsch Exp $ */
-
-/*
- * Copyright (C) 1997-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * $IPFilter: ip_proxy.h,v 2.8.2.4 2000/12/02 00:15:03 darrenr Exp $
- */
-
-#ifndef __IP_PROXY_H__
-#define __IP_PROXY_H__
-
-#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
-#endif
-
-#ifndef APR_LABELLEN
-#define APR_LABELLEN 16
-#endif
-#define AP_SESS_SIZE 53
-
-struct nat;
-struct ipnat;
-
-typedef struct ap_tcp {
- u_short apt_sport; /* source port */
- u_short apt_dport; /* destination port */
- short apt_sel[2]; /* {seq,ack}{off,min} set selector */
- short apt_seqoff[2]; /* sequence # difference */
- tcp_seq apt_seqmin[2]; /* don't change seq-off until after this */
- short apt_ackoff[2]; /* sequence # difference */
- tcp_seq apt_ackmin[2]; /* don't change seq-off until after this */
- u_char apt_state[2]; /* connection state */
-} ap_tcp_t;
-
-typedef struct ap_udp {
- u_short apu_sport; /* source port */
- u_short apu_dport; /* destination port */
-} ap_udp_t;
-
-typedef struct ap_session {
- struct aproxy *aps_apr;
- union {
- struct ap_tcp apu_tcp;
- struct ap_udp apu_udp;
- } aps_un;
- u_int aps_flags;
- U_QUAD_T aps_bytes; /* bytes sent */
- U_QUAD_T aps_pkts; /* packets sent */
- void *aps_nat; /* pointer back to nat struct */
- void *aps_data; /* private data */
- int aps_p; /* protocol */
- int aps_psiz; /* size of private data */
- struct ap_session *aps_hnext;
- struct ap_session *aps_next;
-} ap_session_t;
-
-#define aps_sport aps_un.apu_tcp.apt_sport
-#define aps_dport aps_un.apu_tcp.apt_dport
-#define aps_sel aps_un.apu_tcp.apt_sel
-#define aps_seqoff aps_un.apu_tcp.apt_seqoff
-#define aps_seqmin aps_un.apu_tcp.apt_seqmin
-#define aps_state aps_un.apu_tcp.apt_state
-#define aps_ackoff aps_un.apu_tcp.apt_ackoff
-#define aps_ackmin aps_un.apu_tcp.apt_ackmin
-
-
-typedef struct aproxy {
- struct aproxy *apr_next;
- char apr_label[APR_LABELLEN]; /* Proxy label # */
- u_char apr_p; /* protocol */
- int apr_ref; /* +1 per rule referencing it */
- int apr_flags;
- int (* apr_init) __P((void));
- void (* apr_fini) __P((void));
- int (* apr_new) __P((fr_info_t *, ip_t *,
- ap_session_t *, struct nat *));
- int (* apr_inpkt) __P((fr_info_t *, ip_t *,
- ap_session_t *, struct nat *));
- int (* apr_outpkt) __P((fr_info_t *, ip_t *,
- ap_session_t *, struct nat *));
-} aproxy_t;
-
-#define APR_DELETE 1
-
-#define APR_ERR(x) (((x) & 0xffff) << 16)
-#define APR_EXIT(x) (((x) >> 16) & 0xffff)
-#define APR_INC(x) ((x) & 0xffff)
-
-#define FTP_BUFSZ 160
-/*
- * For the ftp proxy.
- */
-typedef struct ftpside {
- char *ftps_rptr;
- char *ftps_wptr;
- u_32_t ftps_seq;
- u_32_t ftps_len;
- int ftps_junk;
- char ftps_buf[FTP_BUFSZ];
-} ftpside_t;
-
-typedef struct ftpinfo {
- u_int ftp_passok;
- ftpside_t ftp_side[2];
-} ftpinfo_t;
-
-/*
- * Real audio proxy structure and #defines
- */
-typedef struct {
- int rap_seenpna;
- int rap_seenver;
- int rap_version;
- int rap_eos; /* End Of Startup */
- int rap_gotid;
- int rap_gotlen;
- int rap_mode;
- int rap_sdone;
- u_short rap_plport;
- u_short rap_prport;
- u_short rap_srport;
- char rap_svr[19];
- u_32_t rap_sbf; /* flag to indicate which of the 19 bytes have
- * been filled
- */
- tcp_seq rap_sseq;
-} raudio_t;
-
-#define RA_ID_END 0
-#define RA_ID_UDP 1
-#define RA_ID_ROBUST 7
-
-#define RAP_M_UDP 1
-#define RAP_M_ROBUST 2
-#define RAP_M_TCP 4
-#define RAP_M_UDP_ROBUST (RAP_M_UDP|RAP_M_ROBUST)
-
-
-extern ap_session_t *ap_sess_tab[AP_SESS_SIZE];
-extern ap_session_t *ap_sess_list;
-extern aproxy_t ap_proxies[];
-extern int ippr_ftp_pasvonly;
-
-extern int appr_add __P((aproxy_t *));
-extern int appr_del __P((aproxy_t *));
-extern int appr_init __P((void));
-extern void appr_unload __P((void));
-extern int appr_ok __P((ip_t *, tcphdr_t *, struct ipnat *));
-extern void appr_free __P((aproxy_t *));
-extern void aps_free __P((ap_session_t *));
-extern int appr_check __P((ip_t *, fr_info_t *, struct nat *));
-extern aproxy_t *appr_match __P((u_int, char *));
-
-#endif /* __IP_PROXY_H__ */
diff --git a/sys/netinet/ip_raudio_pxy.c b/sys/netinet/ip_raudio_pxy.c
deleted file mode 100644
index 2c15281ffa6..00000000000
--- a/sys/netinet/ip_raudio_pxy.c
+++ /dev/null
@@ -1,312 +0,0 @@
-/* $OpenBSD: ip_raudio_pxy.c,v 1.9 2001/05/08 19:58:02 fgsch Exp $ */
-
-/*
- * $IPFilter: ip_raudio_pxy.c,v 1.7.2.4 2001/04/03 15:45:15 darrenr Exp $
- */
-#if SOLARIS && defined(_KERNEL)
-extern kmutex_t ipf_rw;
-#endif
-
-#define IPF_RAUDIO_PROXY
-
-
-int ippr_raudio_init __P((void));
-int ippr_raudio_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-int ippr_raudio_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-int ippr_raudio_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-
-static frentry_t raudiofr;
-
-
-/*
- * Real Audio application proxy initialization.
- */
-int ippr_raudio_init()
-{
- bzero((char *)&raudiofr, sizeof(raudiofr));
- raudiofr.fr_ref = 1;
- raudiofr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
- return 0;
-}
-
-
-/*
- * Setup for a new proxy to handle Real Audio.
- */
-int ippr_raudio_new(fin, ip, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-nat_t *nat;
-{
- raudio_t *rap;
-
-
- KMALLOCS(aps->aps_data, void *, sizeof(raudio_t));
- if (aps->aps_data == NULL)
- return -1;
-
- bzero(aps->aps_data, sizeof(raudio_t));
- rap = aps->aps_data;
- aps->aps_psiz = sizeof(raudio_t);
- rap->rap_mode = RAP_M_TCP; /* default is for TCP */
- return 0;
-}
-
-
-
-int ippr_raudio_out(fin, ip, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-nat_t *nat;
-{
- raudio_t *rap = aps->aps_data;
- unsigned char membuf[512 + 1], *s;
- u_short id = 0;
- int off, dlen;
- tcphdr_t *tcp;
- int len = 0;
- mb_t *m;
-#if SOLARIS
- mb_t *m1;
-#endif
-
- /*
- * If we've already processed the start messages, then nothing left
- * for the proxy to do.
- */
- if (rap->rap_eos == 1)
- return 0;
-
- tcp = (tcphdr_t *)fin->fin_dp;
- off = (ip->ip_hl << 2) + (tcp->th_off << 2);
- bzero(membuf, sizeof(membuf));
-#if SOLARIS
- m = fin->fin_qfm;
-
- dlen = msgdsize(m) - off;
- if (dlen <= 0)
- return 0;
- dlen = MIN(sizeof(membuf), dlen);
- copyout_mblk(m, off, dlen, (char *)membuf);
-#else
- m = *(mb_t **)fin->fin_mp;
-
- dlen = mbufchainlen(m) - off;
- if (dlen <= 0)
- return 0;
- dlen = MIN(sizeof(membuf), dlen);
- m_copydata(m, off, dlen, (char *)membuf);
-#endif
- /*
- * In all the startup parsing, ensure that we don't go outside
- * the packet buffer boundary.
- */
- /*
- * Look for the start of connection "PNA" string if not seen yet.
- */
- if (rap->rap_seenpna == 0) {
- s = (u_char *)memstr("PNA", (char *)membuf, 3, dlen);
- if (s == NULL)
- return 0;
- s += 3;
- rap->rap_seenpna = 1;
- } else
- s = membuf;
-
- /*
- * Directly after the PNA will be the version number of this
- * connection.
- */
- if (rap->rap_seenpna == 1 && rap->rap_seenver == 0) {
- if ((s + 1) - membuf < dlen) {
- rap->rap_version = (*s << 8) | *(s + 1);
- s += 2;
- rap->rap_seenver = 1;
- } else
- return 0;
- }
-
- /*
- * Now that we've been past the PNA and version number, we're into the
- * startup messages block. This ends when a message with an ID of 0.
- */
- while ((rap->rap_eos == 0) && ((s + 1) - membuf < dlen)) {
- if (rap->rap_gotid == 0) {
- id = (*s << 8) | *(s + 1);
- s += 2;
- rap->rap_gotid = 1;
- if (id == RA_ID_END) {
- rap->rap_eos = 1;
- break;
- }
- } else if (rap->rap_gotlen == 0) {
- len = (*s << 8) | *(s + 1);
- s += 2;
- rap->rap_gotlen = 1;
- }
-
- if (rap->rap_gotid == 1 && rap->rap_gotlen == 1) {
- if (id == RA_ID_UDP) {
- rap->rap_mode &= ~RAP_M_TCP;
- rap->rap_mode |= RAP_M_UDP;
- rap->rap_plport = (*s << 8) | *(s + 1);
- } else if (id == RA_ID_ROBUST) {
- rap->rap_mode |= RAP_M_ROBUST;
- rap->rap_prport = (*s << 8) | *(s + 1);
- }
- s += len;
- rap->rap_gotlen = 0;
- rap->rap_gotid = 0;
- }
- }
- return 0;
-}
-
-
-int ippr_raudio_in(fin, ip, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-nat_t *nat;
-{
- unsigned char membuf[IPF_MAXPORTLEN + 1], *s;
- tcphdr_t *tcp, tcph, *tcp2 = &tcph;
- raudio_t *rap = aps->aps_data;
- struct in_addr swa, swb;
- int off, dlen, slen;
- int a1, a2, a3, a4;
- u_short sp, dp;
- fr_info_t fi;
- tcp_seq seq;
- nat_t *ipn;
- u_char swp;
- mb_t *m;
-#if SOLARIS
- mb_t *m1;
-#endif
-
- /*
- * Wait until we've seen the end of the start messages and even then
- * only proceed further if we're using UDP. If they want to use TCP
- * then data is sent back on the same channel that is already open.
- */
- if (rap->rap_sdone != 0)
- return 0;
-
- tcp = (tcphdr_t *)fin->fin_dp;
- off = (ip->ip_hl << 2) + (tcp->th_off << 2);
- m = *(mb_t **)fin->fin_mp;
-
-#if SOLARIS
- m = fin->fin_qfm;
-
- dlen = msgdsize(m) - off;
- if (dlen <= 0)
- return 0;
- bzero(membuf, sizeof(membuf));
- copyout_mblk(m, off, MIN(sizeof(membuf), dlen), (char *)membuf);
-#else
- dlen = mbufchainlen(m) - off;
- if (dlen <= 0)
- return 0;
- bzero(membuf, sizeof(membuf));
- m_copydata(m, off, MIN(sizeof(membuf), dlen), (char *)membuf);
-#endif
-
- seq = ntohl(tcp->th_seq);
- /*
- * Check to see if the data in this packet is of interest to us.
- * We only care for the first 19 bytes coming back from the server.
- */
- if (rap->rap_sseq == 0) {
- s = (u_char *)memstr("PNA", (char *)membuf, 3, dlen);
- if (s == NULL)
- return 0;
- a1 = s - membuf;
- dlen -= a1;
- a1 = 0;
- rap->rap_sseq = seq;
- a2 = MIN(dlen, sizeof(rap->rap_svr));
- } else if (seq <= rap->rap_sseq + sizeof(rap->rap_svr)) {
- /*
- * seq # which is the start of data and from that the offset
- * into the buffer array.
- */
- a1 = seq - rap->rap_sseq;
- a2 = MIN(dlen, sizeof(rap->rap_svr));
- a2 -= a1;
- s = membuf;
- } else
- return 0;
-
- for (a3 = a1, a4 = a2; (a4 > 0) && (a3 < 19) && (a3 >= 0); a4--,a3++) {
- rap->rap_sbf |= (1 << a3);
- rap->rap_svr[a3] = *s++;
- }
-
- if ((rap->rap_sbf != 0x7ffff) || (!rap->rap_eos)) /* 19 bits */
- return 0;
- rap->rap_sdone = 1;
-
- s = (u_char *)rap->rap_svr + 11;
- if (((*s << 8) | *(s + 1)) == RA_ID_ROBUST) {
- s += 2;
- rap->rap_srport = (*s << 8) | *(s + 1);
- }
-
- swp = ip->ip_p;
- swa = ip->ip_src;
- swb = ip->ip_dst;
-
- ip->ip_p = IPPROTO_UDP;
- ip->ip_src = nat->nat_inip;
- ip->ip_dst = nat->nat_oip;
-
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- bzero((char *)tcp2, sizeof(*tcp2));
- tcp2->th_off = 5;
- fi.fin_dp = (char *)tcp2;
- fi.fin_fr = &raudiofr;
- fi.fin_dlen = sizeof(*tcp2);
- tcp2->th_win = htons(8192);
- slen = ip->ip_len;
- ip->ip_len = fin->fin_hlen + sizeof(*tcp);
-
- if (((rap->rap_mode & RAP_M_UDP_ROBUST) == RAP_M_UDP_ROBUST) &&
- (rap->rap_srport != 0)) {
- dp = rap->rap_srport;
- sp = rap->rap_prport;
- tcp2->th_sport = htons(sp);
- tcp2->th_dport = htons(dp);
- fi.fin_data[0] = dp;
- fi.fin_data[1] = sp;
- ipn = nat_new(nat->nat_ptr, ip, &fi,
- IPN_UDP | (sp ? 0 : FI_W_SPORT), NAT_OUTBOUND);
- if (ipn != NULL) {
- ipn->nat_age = fr_defnatage;
- (void) fr_addstate(ip, &fi, sp ? 0 : FI_W_SPORT);
- }
- }
-
- if ((rap->rap_mode & RAP_M_UDP) == RAP_M_UDP) {
- sp = rap->rap_plport;
- tcp2->th_sport = htons(sp);
- tcp2->th_dport = 0; /* XXX - don't specify remote port */
- fi.fin_data[0] = sp;
- fi.fin_data[1] = 0;
- ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_UDP|FI_W_DPORT,
- NAT_OUTBOUND);
- if (ipn != NULL) {
- ipn->nat_age = fr_defnatage;
- (void) fr_addstate(ip, &fi, FI_W_DPORT);
- }
- }
-
- ip->ip_p = swp;
- ip->ip_len = slen;
- ip->ip_src = swa;
- ip->ip_dst = swb;
- return 0;
-}
diff --git a/sys/netinet/ip_rcmd_pxy.c b/sys/netinet/ip_rcmd_pxy.c
deleted file mode 100644
index b3113f563a1..00000000000
--- a/sys/netinet/ip_rcmd_pxy.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/* $OpenBSD: ip_rcmd_pxy.c,v 1.5 2001/01/17 04:47:16 fgsch Exp $ */
-
-/*
- * $IPFilter: ip_rcmd_pxy.c,v 1.4.2.4 2000/11/01 14:34:20 darrenr Exp $
- */
-/*
- * Simple RCMD transparent proxy for in-kernel use. For use with the NAT
- * code.
- */
-#if SOLARIS && defined(_KERNEL)
-extern kmutex_t ipf_rw;
-#endif
-
-#define isdigit(x) ((x) >= '0' && (x) <= '9')
-
-#define IPF_RCMD_PROXY
-
-
-int ippr_rcmd_init __P((void));
-int ippr_rcmd_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-int ippr_rcmd_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-u_short ipf_rcmd_atoi __P((char *));
-int ippr_rcmd_portmsg __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-
-static frentry_t rcmdfr;
-
-
-/*
- * RCMD application proxy initialization.
- */
-int ippr_rcmd_init()
-{
- bzero((char *)&rcmdfr, sizeof(rcmdfr));
- rcmdfr.fr_ref = 1;
- rcmdfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
- return 0;
-}
-
-
-/*
- * Setup for a new RCMD proxy.
- */
-int ippr_rcmd_new(fin, ip, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-nat_t *nat;
-{
- tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
-
- aps->aps_psiz = sizeof(u_32_t);
- KMALLOCS(aps->aps_data, u_32_t *, sizeof(u_32_t));
- if (aps->aps_data == NULL)
- return -1;
- *(u_32_t *)aps->aps_data = 0;
- aps->aps_sport = tcp->th_sport;
- aps->aps_dport = tcp->th_dport;
- return 0;
-}
-
-
-/*
- * ipf_rcmd_atoi - implement a simple version of atoi
- */
-u_short ipf_rcmd_atoi(ptr)
-char *ptr;
-{
- register char *s = ptr, c;
- register u_short i = 0;
-
- while ((c = *s++) && isdigit(c)) {
- i *= 10;
- i += c - '0';
- }
- return i;
-}
-
-
-int ippr_rcmd_portmsg(fin, ip, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-nat_t *nat;
-{
- char portbuf[8], *s;
- struct in_addr swip;
- u_short sp, dp;
- int off, dlen;
- tcphdr_t *tcp, tcph, *tcp2 = &tcph;
- fr_info_t fi;
- nat_t *ipn;
- mb_t *m;
-#if SOLARIS
- mb_t *m1;
-#endif
-
- tcp = (tcphdr_t *)fin->fin_dp;
-
- if (tcp->th_flags & TH_SYN) {
- *(u_32_t *)aps->aps_data = htonl(ntohl(tcp->th_seq) + 1);
- return 0;
- }
-
- if ((*(u_32_t *)aps->aps_data != 0) &&
- (tcp->th_seq != *(u_32_t *)aps->aps_data))
- return 0;
-
- off = (ip->ip_hl << 2) + (tcp->th_off << 2);
-
-#if SOLARIS
- m = fin->fin_qfm;
-
- dlen = msgdsize(m) - off;
- bzero(portbuf, sizeof(portbuf));
- copyout_mblk(m, off, MIN(sizeof(portbuf), dlen), portbuf);
-#else
- m = *(mb_t **)fin->fin_mp;
- dlen = mbufchainlen(m) - off;
- bzero(portbuf, sizeof(portbuf));
- m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf);
-#endif
-
- portbuf[sizeof(portbuf) - 1] = '\0';
- s = portbuf;
- sp = ipf_rcmd_atoi(s);
- if (!sp)
- return 0;
-
- /*
- * Add skeleton NAT entry for connection which will come back the
- * other way.
- */
- sp = htons(sp);
- dp = htons(fin->fin_data[1]);
- ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
- ip->ip_dst, (dp << 16) | sp, 0);
- if (ipn == NULL) {
- int slen;
-
- slen = ip->ip_len;
- ip->ip_len = fin->fin_hlen + sizeof(*tcp);
- bcopy((char *)fin, (char *)&fi, sizeof(fi));
- bzero((char *)tcp2, sizeof(*tcp2));
- tcp2->th_win = htons(8192);
- tcp2->th_sport = sp;
- tcp2->th_dport = 0; /* XXX - don't specify remote port */
- tcp2->th_off = 5;
- fi.fin_data[0] = ntohs(sp);
- fi.fin_data[1] = 0;
- fi.fin_dp = (char *)tcp2;
- fi.fin_dlen = sizeof(*tcp2);
- swip = ip->ip_src;
- ip->ip_src = nat->nat_inip;
- ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT,
- NAT_OUTBOUND);
- if (ipn != NULL) {
- ipn->nat_age = fr_defnatage;
- fi.fin_fr = &rcmdfr;
- (void) fr_addstate(ip, &fi, FI_W_DPORT);
- }
- ip->ip_len = slen;
- ip->ip_src = swip;
- }
- return 0;
-}
-
-
-int ippr_rcmd_out(fin, ip, aps, nat)
-fr_info_t *fin;
-ip_t *ip;
-ap_session_t *aps;
-nat_t *nat;
-{
- return ippr_rcmd_portmsg(fin, ip, aps, nat);
-}
diff --git a/sys/netinet/ip_state.c b/sys/netinet/ip_state.c
deleted file mode 100644
index 6a3f5954138..00000000000
--- a/sys/netinet/ip_state.c
+++ /dev/null
@@ -1,1913 +0,0 @@
-/* $OpenBSD: ip_state.c,v 1.27 2001/04/07 01:06:28 fgsch Exp $ */
-
-/*
- * Copyright (C) 1995-2001 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ip_state.c,v 2.30.2.30 2001/04/06 12:31:21 darrenr Exp $";
-#endif
-
-#include <sys/errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
- defined(_KERNEL)
-# include "opt_ipfilter_log.h"
-#endif
-#if defined(_KERNEL) && defined(__FreeBSD_version) && \
- (__FreeBSD_version >= 400000) && !defined(KLD_MODULE)
-#include "opt_inet6.h"
-#endif
-#if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__)
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-#else
-# ifdef linux
-# include <linux/kernel.h>
-# include <linux/module.h>
-# endif
-#endif
-#if (defined(KERNEL) || defined(_KERNEL)) && (__FreeBSD_version >= 220000)
-# include <sys/filio.h>
-# include <sys/fcntl.h>
-# if (__FreeBSD_version >= 300000) && !defined(IPFILTER_LKM)
-# include "opt_ipfilter.h"
-# endif
-#else
-# include <sys/ioctl.h>
-#endif
-#include <sys/time.h>
-#include <sys/uio.h>
-#ifndef linux
-# include <sys/protosw.h>
-#endif
-#include <sys/socket.h>
-#if (defined(_KERNEL) || defined(KERNEL)) && !defined(linux)
-# include <sys/systm.h>
-#endif
-#if !defined(__SVR4) && !defined(__svr4__)
-# ifndef linux
-# include <sys/mbuf.h>
-# endif
-#else
-# include <sys/filio.h>
-# include <sys/byteorder.h>
-# ifdef _KERNEL
-# include <sys/dditypes.h>
-# endif
-# include <sys/stream.h>
-# include <sys/kmem.h>
-#endif
-
-#include <net/if.h>
-#ifdef sun
-# include <net/af.h>
-#endif
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#ifndef linux
-# include <netinet/ip_var.h>
-# include <netinet/tcp_fsm.h>
-#endif
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_nat.h>
-#include <netinet/ip_frag.h>
-#include <netinet/ip_proxy.h>
-#include <netinet/ip_state.h>
-#ifdef USE_INET6
-#include <netinet/icmp6.h>
-#endif
-#if (__FreeBSD_version >= 300000)
-# include <sys/malloc.h>
-# if (defined(_KERNEL) || defined(KERNEL)) && !defined(IPFILTER_LKM)
-# include <sys/libkern.h>
-# include <sys/systm.h>
-# endif
-#endif
-
-#ifndef MIN
-# define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-#define TCP_CLOSE (TH_FIN|TH_RST)
-
-static ipstate_t **ips_table = NULL;
-static ipstate_t *ips_list = NULL;
-static int ips_num = 0;
-static int ips_wild = 0;
-static ips_stat_t ips_stats;
-#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern KRWLOCK_T ipf_state, ipf_mutex;
-extern kmutex_t ipf_rw;
-#endif
-
-#ifdef USE_INET6
-static frentry_t *fr_checkicmp6matchingstate __P((ip6_t *, fr_info_t *));
-#endif
-static int fr_matchsrcdst __P((ipstate_t *, union i6addr, union i6addr,
- fr_info_t *, tcphdr_t *));
-static frentry_t *fr_checkicmpmatchingstate __P((ip_t *, fr_info_t *));
-static int fr_matchicmpqueryreply __P((int, ipstate_t *, icmphdr_t *));
-static int fr_state_flush __P((int));
-static ips_stat_t *fr_statetstats __P((void));
-static void fr_delstate __P((ipstate_t *));
-static int fr_state_remove __P((caddr_t));
-static void fr_ipsmove __P((ipstate_t **, ipstate_t *, u_int));
-int fr_stputent __P((caddr_t));
-int fr_stgetent __P((caddr_t));
-void fr_stinsert __P((ipstate_t *));
-
-
-#define FIVE_DAYS (2 * 5 * 86400) /* 5 days: half closed session */
-
-#define TCP_MSL 240 /* 2 minutes */
-u_long fr_tcpidletimeout = FIVE_DAYS,
- fr_tcpclosewait = 2 * TCP_MSL,
- fr_tcplastack = 2 * TCP_MSL,
- fr_tcptimeout = 2 * TCP_MSL,
- fr_tcpclosed = 120,
- fr_tcphalfclosed = 2 * 2 * 3600, /* 2 hours */
- fr_udptimeout = 240,
- fr_udpacktimeout = 24,
- fr_icmptimeout = 120,
- fr_icmpacktimeout = 12;
-int fr_statemax = IPSTATE_MAX,
- fr_statesize = IPSTATE_SIZE;
-int fr_state_doflush = 0,
- fr_state_lock = 0;
-
-static int icmpreplytype4[ICMP_MAXTYPE + 1];
-
-int fr_stateinit()
-{
- int i;
-
- KMALLOCS(ips_table, ipstate_t **, fr_statesize * sizeof(ipstate_t *));
- if (ips_table != NULL)
- bzero((char *)ips_table, fr_statesize * sizeof(ipstate_t *));
- else
- return -1;
-
- /* fill icmp reply type table */
- for (i = 0; i <= ICMP_MAXTYPE; i++)
- icmpreplytype4[i] = -1;
- icmpreplytype4[ICMP_ECHO] = ICMP_ECHOREPLY;
- icmpreplytype4[ICMP_TSTAMP] = ICMP_TSTAMPREPLY;
- icmpreplytype4[ICMP_IREQ] = ICMP_IREQREPLY;
- icmpreplytype4[ICMP_MASKREQ] = ICMP_MASKREPLY;
-
- return 0;
-}
-
-
-static ips_stat_t *fr_statetstats()
-{
- ips_stats.iss_active = ips_num;
- ips_stats.iss_table = ips_table;
- ips_stats.iss_list = ips_list;
- return &ips_stats;
-}
-
-
-/*
- * flush state tables. two actions currently defined:
- * which == 0 : flush all state table entries
- * which == 1 : flush TCP connections which have started to close but are
- * stuck for some reason.
- */
-static int fr_state_flush(which)
-int which;
-{
- register ipstate_t *is, **isp;
-#if defined(_KERNEL) && !SOLARIS
- int s;
-#endif
- int delete, removed = 0;
-
- SPL_NET(s);
- for (isp = &ips_list; (is = *isp); ) {
- delete = 0;
-
- switch (which)
- {
- case 0 :
- delete = 1;
- break;
- case 1 :
- if (is->is_p != IPPROTO_TCP)
- break;
- if ((is->is_state[0] != TCPS_ESTABLISHED) ||
- (is->is_state[1] != TCPS_ESTABLISHED))
- delete = 1;
- break;
- }
-
- if (delete) {
- if (is->is_p == IPPROTO_TCP)
- ips_stats.iss_fin++;
- else
- ips_stats.iss_expire++;
-#ifdef IPFILTER_LOG
- ipstate_log(is, ISL_FLUSH);
-#endif
- fr_delstate(is);
- removed++;
- } else
- isp = &is->is_next;
- }
- SPL_X(s);
- return removed;
-}
-
-
-static int fr_state_remove(data)
-caddr_t data;
-{
- ipstate_t *sp, st;
- int error;
-
- sp = &st;
- error = IRCOPYPTR(data, (caddr_t)&st, sizeof(st));
- if (error)
- return EFAULT;
-
- for (sp = ips_list; sp; sp = sp->is_next)
- if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) &&
- !bcmp((char *)&sp->is_src, (char *)&st.is_src,
- sizeof(st.is_src)) &&
- !bcmp((char *)&sp->is_dst, (char *)&st.is_src,
- sizeof(st.is_dst)) &&
- !bcmp((char *)&sp->is_ps, (char *)&st.is_ps,
- sizeof(st.is_ps))) {
- WRITE_ENTER(&ipf_state);
-#ifdef IPFILTER_LOG
- ipstate_log(sp, ISL_REMOVE);
-#endif
- fr_delstate(sp);
- RWLOCK_EXIT(&ipf_state);
- return 0;
- }
- return ESRCH;
-}
-
-
-int fr_state_ioctl(data, cmd, mode)
-caddr_t data;
-#if defined(__NetBSD__) || defined(__OpenBSD__)
-u_long cmd;
-#else
-int cmd;
-#endif
-int mode;
-{
- int arg, ret, error = 0;
-
- switch (cmd)
- {
- case SIOCDELST :
- error = fr_state_remove(data);
- break;
- case SIOCIPFFL :
- error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
- if (error)
- break;
- if (arg == 0 || arg == 1) {
- WRITE_ENTER(&ipf_state);
- ret = fr_state_flush(arg);
- RWLOCK_EXIT(&ipf_state);
- error = IWCOPY((caddr_t)&ret, data, sizeof(ret));
- } else
- error = EINVAL;
- break;
-#ifdef IPFILTER_LOG
- case SIOCIPFFB :
- if (!(mode & FWRITE))
- error = EPERM;
- else {
- int tmp;
-
- tmp = ipflog_clear(IPL_LOGSTATE);
- IWCOPY((char *)&tmp, data, sizeof(tmp));
- }
- break;
-#endif
- case SIOCGETFS :
- error = IWCOPYPTR((caddr_t)fr_statetstats(), data,
- sizeof(ips_stat_t));
- break;
- case FIONREAD :
-#ifdef IPFILTER_LOG
- arg = (int)iplused[IPL_LOGSTATE];
- error = IWCOPY((caddr_t)&arg, (caddr_t)data, sizeof(arg));
-#endif
- break;
- case SIOCSTLCK :
- error = fr_lock(data, &fr_state_lock);
- break;
- case SIOCSTPUT :
- if (!fr_state_lock) {
- error = EACCES;
- break;
- }
- error = fr_stputent(data);
- break;
- case SIOCSTGET :
- if (!fr_state_lock) {
- error = EACCES;
- break;
- }
- error = fr_stgetent(data);
- break;
- default :
- error = EINVAL;
- break;
- }
- return error;
-}
-
-
-int fr_stgetent(data)
-caddr_t data;
-{
- register ipstate_t *is, *isn;
- ipstate_save_t ips, *ipsp;
- int error;
-
- error = IRCOPY(data, (caddr_t)&ipsp, sizeof(ipsp));
- if (error)
- return EFAULT;
- error = IRCOPY((caddr_t)ipsp, (caddr_t)&ips, sizeof(ips));
- if (error)
- return EFAULT;
-
- isn = ips.ips_next;
- if (!isn) {
- isn = ips_list;
- if (isn == NULL) {
- if (ips.ips_next == NULL)
- return ENOENT;
- return 0;
- }
- } else {
- /*
- * Make sure the pointer we're copying from exists in the
- * current list of entries. Security precaution to prevent
- * copying of random kernel data.
- */
- for (is = ips_list; is; is = is->is_next)
- if (is == isn)
- break;
- if (!is)
- return ESRCH;
- }
- ips.ips_next = isn->is_next;
- bcopy((char *)isn, (char *)&ips.ips_is, sizeof(ips.ips_is));
- if (isn->is_rule)
- bcopy((char *)isn->is_rule, (char *)&ips.ips_fr,
- sizeof(ips.ips_fr));
- error = IWCOPY((caddr_t)&ips, ipsp, sizeof(ips));
- if (error)
- error = EFAULT;
- return error;
-}
-
-
-int fr_stputent(data)
-caddr_t data;
-{
- register ipstate_t *is, *isn;
- ipstate_save_t ips, *ipsp;
- int error, out;
- frentry_t *fr;
-
- error = IRCOPY(data, (caddr_t)&ipsp, sizeof(ipsp));
- if (error)
- return EFAULT;
- error = IRCOPY((caddr_t)ipsp, (caddr_t)&ips, sizeof(ips));
- if (error)
- return EFAULT;
-
- KMALLOC(isn, ipstate_t *);
- if (isn == NULL)
- return ENOMEM;
-
- bcopy((char *)&ips.ips_is, (char *)isn, sizeof(*isn));
- fr = isn->is_rule;
- if (fr != NULL) {
- if (isn->is_flags & FI_NEWFR) {
- KMALLOC(fr, frentry_t *);
- if (fr == NULL) {
- KFREE(isn);
- return ENOMEM;
- }
- bcopy((char *)&ips.ips_fr, (char *)fr, sizeof(*fr));
- out = fr->fr_flags & FR_OUTQUE ? 1 : 0;
- isn->is_rule = fr;
- ips.ips_is.is_rule = fr;
- if (*fr->fr_ifname) {
- fr->fr_ifa = GETUNIT(fr->fr_ifname, fr->fr_v);
- if (fr->fr_ifa == NULL)
- fr->fr_ifa = (void *)-1;
-#ifdef _KERNEL
- else {
- strncpy(isn->is_ifname[out],
- IFNAME(fr->fr_ifa), IFNAMSIZ);
- isn->is_ifp[out] = fr->fr_ifa;
- }
-#endif
- } else
- fr->fr_ifa = NULL;
- /*
- * send a copy back to userland of what we ended up
- * to allow for verification.
- */
- error = IWCOPY((caddr_t)&ips, ipsp, sizeof(ips));
- if (error) {
- KFREE(isn);
- KFREE(fr);
- return EFAULT;
- }
- } else {
- for (is = ips_list; is; is = is->is_next)
- if (is->is_rule == fr)
- break;
- if (!is) {
- KFREE(isn);
- return ESRCH;
- }
- }
- }
- fr_stinsert(isn);
- return 0;
-}
-
-
-void fr_stinsert(is)
-register ipstate_t *is;
-{
- register u_int hv = is->is_hv;
-
- MUTEX_INIT(&is->is_lock, "ipf state entry", NULL);
-
- is->is_ifname[0][sizeof(is->is_ifname[0]) - 1] = '\0';
- if (is->is_ifname[0][0] != '\0') {
- is->is_ifp[0] = GETUNIT(is->is_ifname[0], is->is_v);
- }
- is->is_ifname[1][sizeof(is->is_ifname[0]) - 1] = '\0';
- if (is->is_ifname[1][0] != '\0') {
- is->is_ifp[1] = GETUNIT(is->is_ifname[1], is->is_v);
- }
-
- /*
- * add into list table.
- */
- if (ips_list)
- ips_list->is_pnext = &is->is_next;
- is->is_pnext = &ips_list;
- is->is_next = ips_list;
- ips_list = is;
- if (ips_table[hv])
- ips_table[hv]->is_phnext = &is->is_hnext;
- else
- ips_stats.iss_inuse++;
- is->is_phnext = ips_table + hv;
- is->is_hnext = ips_table[hv];
- ips_table[hv] = is;
- ips_num++;
-}
-
-
-/*
- * Create a new ipstate structure and hang it off the hash table.
- */
-ipstate_t *fr_addstate(ip, fin, flags)
-ip_t *ip;
-fr_info_t *fin;
-u_int flags;
-{
- register tcphdr_t *tcp = NULL;
- register ipstate_t *is;
- register u_int hv;
- ipstate_t ips;
- u_int pass;
- int out;
-
- if (fr_state_lock || (fin->fin_off & IP_OFFMASK) ||
- (fin->fin_fi.fi_fl & FI_SHORT))
- return NULL;
- if (ips_num == fr_statemax) {
- ips_stats.iss_max++;
- fr_state_doflush = 1;
- return NULL;
- }
- out = fin->fin_out;
- is = &ips;
- bzero((char *)is, sizeof(*is));
- ips.is_age = 1;
- ips.is_state[0] = 0;
- ips.is_state[1] = 0;
- /*
- * Copy and calculate...
- */
- hv = (is->is_p = fin->fin_fi.fi_p);
- is->is_src = fin->fin_fi.fi_src;
- hv += is->is_saddr;
- is->is_dst = fin->fin_fi.fi_dst;
- hv += is->is_daddr;
-#ifdef USE_INET6
- if (fin->fin_v == 6) {
- if (is->is_p == IPPROTO_ICMPV6) {
- if (IN6_IS_ADDR_MULTICAST(&is->is_dst.in6))
- flags |= FI_W_DADDR;
- if (out)
- hv -= is->is_daddr;
- else
- hv -= is->is_saddr;
- }
- }
-#endif
-
- switch (is->is_p)
- {
-#ifdef USE_INET6
- case IPPROTO_ICMPV6 :
-#endif
- case IPPROTO_ICMP :
- {
- struct icmp *ic = (struct icmp *)fin->fin_dp;
-
-#ifdef USE_INET6
- if ((is->is_p == IPPROTO_ICMPV6) &&
- ((ic->icmp_type & ICMP6_INFOMSG_MASK) == 0))
- return NULL;
-#endif
- switch (ic->icmp_type)
- {
-#ifdef USE_INET6
- case ICMP6_ECHO_REQUEST :
- is->is_icmp.ics_type = ICMP6_ECHO_REPLY;
- hv += (is->is_icmp.ics_id = ic->icmp_id);
- hv += (is->is_icmp.ics_seq = ic->icmp_seq);
- break;
- case ICMP6_MEMBERSHIP_QUERY :
- case ND_ROUTER_SOLICIT :
- case ND_NEIGHBOR_SOLICIT :
- is->is_icmp.ics_type = ic->icmp_type + 1;
- break;
-#endif
- case ICMP_ECHO :
- case ICMP_TSTAMP :
- case ICMP_IREQ :
- case ICMP_MASKREQ :
- is->is_icmp.ics_type = ic->icmp_type;
- hv += (is->is_icmp.ics_id = ic->icmp_id);
- hv += (is->is_icmp.ics_seq = ic->icmp_seq);
- break;
- default :
- return NULL;
- }
- ATOMIC_INCL(ips_stats.iss_icmp);
- is->is_age = fr_icmptimeout;
- break;
- }
- case IPPROTO_TCP :
- {
- tcp = (tcphdr_t *)fin->fin_dp;
-
- if (tcp->th_flags & TH_RST)
- return NULL;
- /*
- * The endian of the ports doesn't matter, but the ack and
- * sequence numbers do as we do mathematics on them later.
- */
- is->is_dport = tcp->th_dport;
- is->is_sport = tcp->th_sport;
- if ((flags & (FI_W_DPORT|FI_W_SPORT)) == 0) {
- hv += tcp->th_dport;
- hv += tcp->th_sport;
- }
- is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen -
- (tcp->th_off << 2) +
- ((tcp->th_flags & TH_SYN) ? 1 : 0) +
- ((tcp->th_flags & TH_FIN) ? 1 : 0);
- is->is_maxsend = is->is_send;
- is->is_dend = 0;
- is->is_maxdwin = 1;
- is->is_maxswin = ntohs(tcp->th_win);
- if (is->is_maxswin == 0)
- is->is_maxswin = 1;
- /*
- * If we're creating state for a starting connection, start the
- * timer on it as we'll never see an error if it fails to
- * connect.
- */
- ATOMIC_INCL(ips_stats.iss_tcp);
- break;
- }
- case IPPROTO_UDP :
- {
- tcp = (tcphdr_t *)fin->fin_dp;
-
- is->is_dport = tcp->th_dport;
- is->is_sport = tcp->th_sport;
- if ((flags & (FI_W_DPORT|FI_W_SPORT)) == 0) {
- hv += tcp->th_dport;
- hv += tcp->th_sport;
- }
- ATOMIC_INCL(ips_stats.iss_udp);
- is->is_age = fr_udptimeout;
- break;
- }
- default :
- return NULL;
- }
-
- KMALLOC(is, ipstate_t *);
- if (is == NULL) {
- ATOMIC_INCL(ips_stats.iss_nomem);
- return NULL;
- }
- bcopy((char *)&ips, (char *)is, sizeof(*is));
- hv %= fr_statesize;
- is->is_hv = hv;
- is->is_rule = fin->fin_fr;
- if (is->is_rule != NULL) {
- ATOMIC_INC32(is->is_rule->fr_ref);
- pass = is->is_rule->fr_flags;
- } else
- pass = fr_flags;
- WRITE_ENTER(&ipf_state);
-
- is->is_pass = pass;
- is->is_pkts = 1;
- is->is_bytes = fin->fin_dlen + fin->fin_hlen;
- /*
- * We want to check everything that is a property of this packet,
- * but we don't (automatically) care about it's fragment status as
- * this may change.
- */
- is->is_v = fin->fin_fi.fi_v;
- is->is_opt = fin->fin_fi.fi_optmsk;
- is->is_optmsk = 0xffffffff;
- is->is_sec = fin->fin_fi.fi_secmsk;
- is->is_secmsk = 0xffff;
- is->is_auth = fin->fin_fi.fi_auth;
- is->is_authmsk = 0xffff;
- is->is_flags = fin->fin_fi.fi_fl & FI_CMP;
- is->is_flags |= FI_CMP << 4;
- is->is_flags |= flags & (FI_WILDP|FI_WILDA);
- if (flags & (FI_WILDP|FI_WILDA))
- ips_wild++;
- is->is_ifp[1 - out] = NULL;
- is->is_ifp[out] = fin->fin_ifp;
-#ifdef _KERNEL
- strncpy(is->is_ifname[out], IFNAME(fin->fin_ifp), IFNAMSIZ);
-#endif
- is->is_ifname[1 - out][0] = '\0';
- if (pass & FR_LOGFIRST)
- is->is_pass &= ~(FR_LOGFIRST|FR_LOG);
- fr_stinsert(is);
- if (is->is_p == IPPROTO_TCP) {
- MUTEX_ENTER(&is->is_lock);
- fr_tcp_age(&is->is_age, is->is_state, fin,
- 0); /* 0 = packet from the source */
- MUTEX_EXIT(&is->is_lock);
- }
-#ifdef IPFILTER_LOG
- ipstate_log(is, ISL_NEW);
-#endif
- RWLOCK_EXIT(&ipf_state);
- fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst);
- if ((fin->fin_fi.fi_fl & FI_FRAG) && (pass & FR_KEEPFRAG))
- ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
- return is;
-}
-
-
-
-/*
- * check to see if a packet with TCP headers fits within the TCP window.
- * change timeout depending on whether new packet is a SYN-ACK returning for a
- * SYN or a RST or FIN which indicate time to close up shop.
- */
-int fr_tcpstate(is, fin, ip, tcp)
-register ipstate_t *is;
-fr_info_t *fin;
-ip_t *ip;
-tcphdr_t *tcp;
-{
- register tcp_seq seq, ack, end;
- register int ackskew;
- tcpdata_t *fdata, *tdata;
- u_short win, maxwin;
- int ret = 0;
- int source;
-
- /*
- * Find difference between last checked packet and this packet.
- */
- source = IP6EQ(fin->fin_fi.fi_src, is->is_src);
- fdata = &is->is_tcp.ts_data[!source];
- tdata = &is->is_tcp.ts_data[source];
- seq = ntohl(tcp->th_seq);
- ack = ntohl(tcp->th_ack);
- win = ntohs(tcp->th_win);
- end = seq + fin->fin_dlen - (tcp->th_off << 2) +
- ((tcp->th_flags & TH_SYN) ? 1 : 0) +
- ((tcp->th_flags & TH_FIN) ? 1 : 0);
-
- MUTEX_ENTER(&is->is_lock);
- if (fdata->td_end == 0) {
- /*
- * Must be a (outgoing) SYN-ACK in reply to a SYN.
- */
- fdata->td_end = end;
- fdata->td_maxwin = 1;
- fdata->td_maxend = end + 1;
- }
-
- if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */
- ack = tdata->td_end;
- } else if (((tcp->th_flags & (TH_ACK|TH_RST)) == (TH_ACK|TH_RST)) &&
- (ack == 0)) {
- /* gross hack to get around certain broken tcp stacks */
- ack = tdata->td_end;
- }
-
- if (seq == end)
- seq = end = fdata->td_end;
-
- maxwin = tdata->td_maxwin;
- ackskew = tdata->td_end - ack;
-
-#define SEQ_GE(a,b) ((int)((a) - (b)) >= 0)
-#define SEQ_GT(a,b) ((int)((a) - (b)) > 0)
- if ((SEQ_GE(fdata->td_maxend, end)) &&
- (SEQ_GE(seq, fdata->td_end - maxwin)) &&
-/* XXX what about big packets */
-#define MAXACKWINDOW 66000
- (ackskew >= -MAXACKWINDOW) &&
- (ackskew <= MAXACKWINDOW)) {
- /* if ackskew < 0 then this should be due to fragented
- * packets. There is no way to know the length of the
- * total packet in advance.
- * We do know the total length from the fragment cache though.
- * Note however that there might be more sessions with
- * exactly the same source and destination paramters in the
- * state cache (and source and destination is the only stuff
- * that is saved in the fragment cache). Note further that
- * some TCP connections in the state cache are hashed with
- * sport and dport as well which makes it not worthwhile to
- * look for them.
- * Thus, when ackskew is negative but still seems to belong
- * to this session, we bump up the destinations end value.
- */
- if (ackskew < 0)
- tdata->td_end = ack;
-
- /* update max window seen */
- if (fdata->td_maxwin < win)
- fdata->td_maxwin = win;
- if (SEQ_GT(end, fdata->td_end))
- fdata->td_end = end;
- if (SEQ_GE(ack + win, tdata->td_maxend)) {
- tdata->td_maxend = ack + win;
- if (win == 0)
- tdata->td_maxend++;
- }
-
- ATOMIC_INCL(ips_stats.iss_hits);
- /*
- * Nearing end of connection, start timeout.
- */
- /* source ? 0 : 1 -> !source */
- fr_tcp_age(&is->is_age, is->is_state, fin, !source);
- ret = 1;
- }
- MUTEX_EXIT(&is->is_lock);
- return ret;
-}
-
-
-static int fr_matchsrcdst(is, src, dst, fin, tcp)
-ipstate_t *is;
-union i6addr src, dst;
-fr_info_t *fin;
-tcphdr_t *tcp;
-{
- int ret = 0, rev, out, flags;
- u_short sp, dp;
- void *ifp;
-
- rev = fin->fin_rev = IP6NEQ(is->is_dst, dst);
- ifp = fin->fin_ifp;
- out = fin->fin_out;
-
- if (tcp != NULL) {
- flags = is->is_flags;
- sp = tcp->th_sport;
- dp = tcp->th_dport;
- } else {
- flags = is->is_flags & FI_WILDA;
- sp = 0;
- dp = 0;
- }
-
- if (rev == 0) {
- if (!out) {
- if (is->is_ifpin == NULL || is->is_ifpin == ifp)
- ret = 1;
- } else {
- if (is->is_ifpout == NULL || is->is_ifpout == ifp)
- ret = 1;
- }
- } else {
- if (out) {
- if (is->is_ifpin == NULL || is->is_ifpin == ifp)
- ret = 1;
- } else {
- if (is->is_ifpout == NULL || is->is_ifpout == ifp)
- ret = 1;
- }
- }
- if (ret == 0)
- return 0;
- ret = 0;
-
- if (rev == 0) {
- if (
- (IP6EQ(is->is_dst, dst) || (flags & FI_W_DADDR)) &&
- (IP6EQ(is->is_src, src) || (flags & FI_W_SADDR)) &&
- (!tcp || ((sp == is->is_sport || flags & FI_W_SPORT) &&
- (dp == is->is_dport || flags & FI_W_DPORT)))) {
- ret = 1;
- }
- } else {
- if (
- (IP6EQ(is->is_dst, src) || (flags & FI_W_DADDR)) &&
- (IP6EQ(is->is_src, dst) || (flags & FI_W_SADDR)) &&
- (!tcp || ((sp == is->is_dport || flags & FI_W_DPORT) &&
- (dp == is->is_sport || flags & FI_W_SPORT)))) {
- ret = 1;
- }
- }
- if (ret == 0)
- return 0;
-
- /*
- * Whether or not this should be here, is questionable, but the aim
- * is to get this out of the main line.
- */
- if (tcp == NULL)
- flags = is->is_flags & (FI_CMP|(FI_CMP<<4));
-
- if (((fin->fin_fi.fi_fl & (flags >> 4)) != (flags & FI_CMP)) ||
- ((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) ||
- ((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) ||
- ((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth))
- return 0;
-
- if ((flags & (FI_W_SPORT|FI_W_DPORT))) {
- if ((flags & FI_W_SPORT) != 0) {
- if (rev == 0) {
- is->is_sport = sp;
- is->is_send = htonl(tcp->th_seq);
- } else {
- is->is_sport = dp;
- is->is_send = htonl(tcp->th_ack);
- }
- is->is_maxsend = is->is_send + 1;
- } else if ((flags & FI_W_DPORT) != 0) {
- if (rev == 0) {
- is->is_dport = dp;
- is->is_dend = htonl(tcp->th_ack);
- } else {
- is->is_dport = sp;
- is->is_dend = htonl(tcp->th_seq);
- }
- is->is_maxdend = is->is_dend + 1;
- }
- is->is_flags &= ~(FI_W_SPORT|FI_W_DPORT);
- ips_wild--;
- }
-
- ret = -1;
-
- if (!rev) {
- if (out) {
- if (!is->is_ifpout)
- ret = 1;
- } else {
- if (!is->is_ifpin)
- ret = 0;
- }
- } else {
- if (out) {
- if (!is->is_ifpin)
- ret = 0;
- } else {
- if (!is->is_ifpout)
- ret = 1;
- }
- }
-
- if (ret >= 0) {
- is->is_ifp[ret] = ifp;
-#ifdef _KERNEL
- strncpy(is->is_ifname[out], IFNAME(fin->fin_ifp),
- sizeof(is->is_ifname[1]));
-#endif
- }
-#ifdef _KERNEL
- if (ret >= 0) {
- strncpy(is->is_ifname[out], IFNAME(fin->fin_ifp),
- sizeof(is->is_ifname[1]));
- }
-#endif
- return 1;
-}
-
-static int fr_matchicmpqueryreply(v, is, icmp)
-int v;
-ipstate_t *is;
-icmphdr_t *icmp;
-{
- if (v == 4) {
- /*
- * If we matched its type on the way in, then when going out
- * it will still be the same type.
- */
- if (((icmp->icmp_type == is->is_type) ||
- (icmpreplytype4[is->is_type] == icmp->icmp_type)) &&
- (icmp->icmp_id == is->is_icmp.ics_id) &&
- (icmp->icmp_seq == is->is_icmp.ics_seq)) {
- return 1;
- };
- }
-#ifdef USE_INET6
- else if (is->is_v == 6) {
- if ((is->is_type == ICMP6_ECHO_REPLY) &&
- (icmp->icmp_type == ICMP6_ECHO_REQUEST) &&
- (icmp->icmp_id == is->is_icmp.ics_id) &&
- (icmp->icmp_seq == is->is_icmp.ics_seq)) {
- return 1;
- };
- }
-#endif
- return 0;
-}
-
-static frentry_t *fr_checkicmpmatchingstate(ip, fin)
-ip_t *ip;
-fr_info_t *fin;
-{
- register ipstate_t *is, **isp;
- register u_short sport, dport;
- register u_char pr;
- union i6addr dst, src;
- struct icmp *ic;
- u_short savelen;
- icmphdr_t *icmp;
- fr_info_t ofin;
- int type, len;
- tcphdr_t *tcp;
- frentry_t *fr;
- ip_t *oip;
- u_int hv;
-
- /*
- * Does it at least have the return (basic) IP header ?
- * Only a basic IP header (no options) should be with
- * an ICMP error header.
- */
- if (((ip->ip_v != 4) || (ip->ip_hl != 5)) ||
- (fin->fin_plen < ICMPERR_MINPKTLEN))
- return NULL;
- ic = (struct icmp *)fin->fin_dp;
- type = ic->icmp_type;
- /*
- * If it's not an error type, then return
- */
- if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
- (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
- (type != ICMP_PARAMPROB))
- return NULL;
-
- oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN);
- if (fin->fin_plen < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
- return NULL;
-
- /*
- * Sanity checks.
- */
- len = fin->fin_dlen - ICMPERR_ICMPHLEN;
- if ((len <= 0) || ((oip->ip_hl << 2) > len))
- return NULL;
-
- /*
- * Is the buffer big enough for all of it ? It's the size of the IP
- * header claimed in the encapsulated part which is of concern. It
- * may be too big to be in this buffer but not so big that it's
- * outside the ICMP packet, leading to TCP deref's causing problems.
- * This is possible because we don't know how big oip_hl is when we
- * do the pullup early in fr_check() and thus can't gaurantee it is
- * all here now.
- */
-#ifdef _KERNEL
- {
- mb_t *m;
-
-# if SOLARIS
- m = fin->fin_qfm;
- if ((char *)oip + len > (char *)m->b_wptr)
- return NULL;
-# else
- m = *(mb_t **)fin->fin_mp;
- if ((char *)oip + len > (char *)ip + m->m_len)
- return NULL;
-# endif
- }
-#endif
-
- /*
- * in the IPv4 case we must zero the i6addr union otherwise
- * the IP6EQ and IP6NEQ macros produce the wrong results because
- * of the 'junk' in the unused part of the union
- */
- bzero((char *)&src, sizeof(src));
- bzero((char *)&dst, sizeof(dst));
-
- if (oip->ip_p == IPPROTO_ICMP) {
- icmp = (icmphdr_t *)((char *)oip + (oip->ip_hl << 2));
-
- /*
- * a ICMP error can only be generated as a result of an
- * ICMP query, not as the response on an ICMP error
- *
- * XXX theoretically ICMP_ECHOREP and the other reply's are
- * ICMP query's as well, but adding them here seems strange XXX
- */
- if ((icmp->icmp_type != ICMP_ECHO) &&
- (icmp->icmp_type != ICMP_TSTAMP) &&
- (icmp->icmp_type != ICMP_IREQ) &&
- (icmp->icmp_type != ICMP_MASKREQ))
- return NULL;
-
- /*
- * perform a lookup of the ICMP packet in the state table
- */
- hv = (pr = oip->ip_p);
- src.in4 = oip->ip_src;
- hv += src.in4.s_addr;
- dst.in4 = oip->ip_dst;
- hv += dst.in4.s_addr;
- hv += icmp->icmp_id;
- hv += icmp->icmp_seq;
- hv %= fr_statesize;
-
- savelen = oip->ip_len;
- oip->ip_len = len;
- ofin.fin_v = 4;
- fr_makefrip(oip->ip_hl << 2, oip, &ofin);
- oip->ip_len = savelen;
- ofin.fin_ifp = fin->fin_ifp;
- ofin.fin_out = !fin->fin_out;
- ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
-
- READ_ENTER(&ipf_state);
- for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext)
- if ((is->is_p == pr) && (is->is_v == 4) &&
- fr_matchsrcdst(is, src, dst, &ofin, NULL) &&
- fr_matchicmpqueryreply(is->is_v, is, icmp)) {
- ips_stats.iss_hits++;
- is->is_pkts++;
- is->is_bytes += ip->ip_len;
- fr = is->is_rule;
- RWLOCK_EXIT(&ipf_state);
- return fr;
- }
- RWLOCK_EXIT(&ipf_state);
- return NULL;
- };
-
- if ((oip->ip_p != IPPROTO_TCP) && (oip->ip_p != IPPROTO_UDP))
- return NULL;
-
- tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
- dport = tcp->th_dport;
- sport = tcp->th_sport;
-
- hv = (pr = oip->ip_p);
- src.in4 = oip->ip_src;
- hv += src.in4.s_addr;
- dst.in4 = oip->ip_dst;
- hv += dst.in4.s_addr;
- hv += dport;
- hv += sport;
- hv %= fr_statesize;
- /*
- * we make an fin entry to be able to feed it to
- * matchsrcdst note that not all fields are encessary
- * but this is the cleanest way. Note further we fill
- * in fin_mp such that if someone uses it we'll get
- * a kernel panic. fr_matchsrcdst does not use this.
- *
- * watch out here, as ip is in host order and oip in network
- * order. Any change we make must be undone afterwards.
- */
- savelen = oip->ip_len;
- oip->ip_len = len;
- ofin.fin_v = 4;
- fr_makefrip(oip->ip_hl << 2, oip, &ofin);
- oip->ip_len = savelen;
- ofin.fin_ifp = fin->fin_ifp;
- ofin.fin_out = !fin->fin_out;
- ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
- READ_ENTER(&ipf_state);
- for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) {
- /*
- * Only allow this icmp though if the
- * encapsulated packet was allowed through the
- * other way around. Note that the minimal amount
- * of info present does not allow for checking against
- * tcp internals such as seq and ack numbers.
- */
- if ((is->is_p == pr) && (is->is_v == 4) &&
- fr_matchsrcdst(is, src, dst, &ofin, tcp)) {
- fr = is->is_rule;
- ips_stats.iss_hits++;
- is->is_pkts++;
- is->is_bytes += fin->fin_plen;
- /*
- * we deliberately do not touch the timeouts
- * for the accompanying state table entry.
- * It remains to be seen if that is correct. XXX
- */
- RWLOCK_EXIT(&ipf_state);
- return fr;
- }
- }
- RWLOCK_EXIT(&ipf_state);
- return NULL;
-}
-
-
-static void fr_ipsmove(isp, is, hv)
-ipstate_t **isp, *is;
-u_int hv;
-{
- u_int hvm;
-
- hvm = is->is_hv;
- /*
- * Remove the hash from the old location...
- */
- if (is->is_hnext)
- is->is_hnext->is_phnext = isp;
- *isp = is->is_hnext;
- if (ips_table[hvm] == NULL)
- ips_stats.iss_inuse--;
-
- /*
- * ...and put the hash in the new one.
- */
- hvm = hv % fr_statesize;
- is->is_hv = hvm;
- isp = &ips_table[hvm];
- if (*isp)
- (*isp)->is_phnext = &is->is_hnext;
- else
- ips_stats.iss_inuse++;
- is->is_phnext = isp;
- is->is_hnext = *isp;
- *isp = is;
-}
-
-
-/*
- * Check if a packet has a registered state.
- */
-frentry_t *fr_checkstate(ip, fin)
-ip_t *ip;
-fr_info_t *fin;
-{
- union i6addr dst, src;
- register ipstate_t *is, **isp;
- register u_char pr;
- u_int hv, hvm, hlen, tryagain, pass, v;
- struct icmp *ic;
- frentry_t *fr;
- tcphdr_t *tcp;
-
- if (fr_state_lock || (fin->fin_off & IP_OFFMASK) ||
- (fin->fin_fi.fi_fl & FI_SHORT))
- return NULL;
-
- is = NULL;
- hlen = fin->fin_hlen;
- tcp = (tcphdr_t *)((char *)ip + hlen);
- ic = (struct icmp *)tcp;
- hv = (pr = fin->fin_fi.fi_p);
- src = fin->fin_fi.fi_src;
- dst = fin->fin_fi.fi_dst;
- hv += src.in4.s_addr;
- hv += dst.in4.s_addr;
-
- /*
- * Search the hash table for matching packet header info.
- */
- v = fin->fin_fi.fi_v;
- switch (fin->fin_fi.fi_p)
- {
-#ifdef USE_INET6
- case IPPROTO_ICMPV6 :
- if (v == 6) {
- if (fin->fin_out)
- hv -= dst.in4.s_addr;
- else
- hv -= src.in4.s_addr;
- if ((ic->icmp_type == ICMP6_ECHO_REQUEST) ||
- (ic->icmp_type == ICMP6_ECHO_REPLY)) {
- hv += ic->icmp_id;
- hv += ic->icmp_seq;
- }
- }
-#endif
- case IPPROTO_ICMP :
- if (v == 4) {
- hv += ic->icmp_id;
- hv += ic->icmp_seq;
- }
- hv %= fr_statesize;
- READ_ENTER(&ipf_state);
- for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) {
- if ((is->is_p == pr) && (is->is_v == v) &&
- fr_matchsrcdst(is, src, dst, fin, NULL) &&
- fr_matchicmpqueryreply(v, is, ic)) {
- if (fin->fin_rev)
- is->is_age = fr_icmpacktimeout;
- else
- is->is_age = fr_icmptimeout;
- break;
- }
- }
- if (is != NULL)
- break;
- RWLOCK_EXIT(&ipf_state);
- /*
- * No matching icmp state entry. Perhaps this is a
- * response to another state entry.
- */
-#ifdef USE_INET6
- if (v == 6)
- fr = fr_checkicmp6matchingstate((ip6_t *)ip, fin);
- else
-#endif
- fr = fr_checkicmpmatchingstate(ip, fin);
- if (fr)
- return fr;
- break;
- case IPPROTO_TCP :
- {
- register u_short dport, sport;
- register int i;
-
- i = tcp->th_flags;
- /*
- * Just plain ignore RST flag set with either FIN or SYN.
- */
- if ((i & TH_RST) &&
- ((i & (TH_FIN|TH_SYN|TH_RST)) != TH_RST))
- break;
- case IPPROTO_UDP :
- dport = tcp->th_dport;
- sport = tcp->th_sport;
- tryagain = 0;
- hv += dport;
- hv += sport;
- READ_ENTER(&ipf_state);
-retry_tcpudp:
- hvm = hv % fr_statesize;
- for (isp = &ips_table[hvm]; (is = *isp); isp = &is->is_hnext)
- if ((is->is_p == pr) && (is->is_v == v) &&
- fr_matchsrcdst(is, src, dst, fin, tcp)) {
- if ((pr == IPPROTO_TCP)) {
- if (!fr_tcpstate(is, fin, ip, tcp)) {
- continue;
- }
- } if ((pr == IPPROTO_UDP)) {
- if (fin->fin_rev)
- is->is_age = fr_udpacktimeout;
- else
- is->is_age = fr_udptimeout;
- }
- break;
- }
- if (is != NULL) {
- if (tryagain &&
- !(is->is_flags & (FI_WILDP|FI_WILDA))) {
- hv += dport;
- hv += sport;
- fr_ipsmove(isp, is, hv);
- MUTEX_DOWNGRADE(&ipf_state);
- }
- break;
- }
- RWLOCK_EXIT(&ipf_state);
- if (!tryagain && ips_wild) {
- hv -= dport;
- hv -= sport;
- tryagain = 1;
- WRITE_ENTER(&ipf_state);
- goto retry_tcpudp;
- }
- break;
- }
- default :
- break;
- }
- if (is == NULL) {
- ATOMIC_INCL(ips_stats.iss_miss);
- return NULL;
- }
- MUTEX_ENTER(&is->is_lock);
- is->is_bytes += fin->fin_plen;
- ips_stats.iss_hits++;
- is->is_pkts++;
- MUTEX_EXIT(&is->is_lock);
- fr = is->is_rule;
- fin->fin_fr = fr;
- pass = is->is_pass;
-#ifndef _KERNEL
- if (tcp->th_flags & TCP_CLOSE)
- fr_delstate(is);
-#endif
- RWLOCK_EXIT(&ipf_state);
- if ((fin->fin_fi.fi_fl & FI_FRAG) && (pass & FR_KEEPFRAG))
- ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
- return fr;
-}
-
-
-void ip_statesync(ifp)
-void *ifp;
-{
- register ipstate_t *is;
-
- WRITE_ENTER(&ipf_state);
- for (is = ips_list; is; is = is->is_next) {
- if (is->is_ifpin == ifp) {
- is->is_ifpin = GETUNIT(is->is_ifname[0], is->is_v);
- if (!is->is_ifpin)
- is->is_ifpin = (void *)-1;
- }
- if (is->is_ifpout == ifp) {
- is->is_ifpout = GETUNIT(is->is_ifname[1], is->is_v);
- if (!is->is_ifpout)
- is->is_ifpout = (void *)-1;
- }
- }
- RWLOCK_EXIT(&ipf_state);
-}
-
-
-/*
- * Must always be called with fr_ipfstate held as a write lock.
- */
-static void fr_delstate(is)
-ipstate_t *is;
-{
- frentry_t *fr;
-
- if (is->is_flags & (FI_WILDP|FI_WILDA))
- ips_wild--;
- if (is->is_next)
- is->is_next->is_pnext = is->is_pnext;
- *is->is_pnext = is->is_next;
- if (is->is_hnext)
- is->is_hnext->is_phnext = is->is_phnext;
- *is->is_phnext = is->is_hnext;
- if (ips_table[is->is_hv] == NULL)
- ips_stats.iss_inuse--;
-
- fr = is->is_rule;
- if (fr != NULL) {
- fr->fr_ref--;
- if (fr->fr_ref == 0) {
- KFREE(fr);
- }
- }
-#ifdef _KERNEL
- MUTEX_DESTROY(&is->is_lock);
-#endif
- KFREE(is);
- ips_num--;
-}
-
-
-/*
- * Free memory in use by all state info. kept.
- */
-void fr_stateunload()
-{
- register ipstate_t *is;
-
- WRITE_ENTER(&ipf_state);
- while ((is = ips_list))
- fr_delstate(is);
- ips_stats.iss_inuse = 0;
- ips_num = 0;
- RWLOCK_EXIT(&ipf_state);
- KFREES(ips_table, fr_statesize * sizeof(ipstate_t *));
- ips_table = NULL;
-}
-
-
-/*
- * Slowly expire held state for thingslike UDP and ICMP. Timeouts are set
- * in expectation of this being called twice per second.
- */
-void fr_timeoutstate()
-{
- register ipstate_t *is, **isp;
-#if defined(_KERNEL) && !SOLARIS
- int s;
-#endif
-
- SPL_NET(s);
- WRITE_ENTER(&ipf_state);
- for (isp = &ips_list; (is = *isp); )
- if (is->is_age && !--is->is_age) {
- if (is->is_p == IPPROTO_TCP)
- ips_stats.iss_fin++;
- else
- ips_stats.iss_expire++;
-#ifdef IPFILTER_LOG
- ipstate_log(is, ISL_EXPIRE);
-#endif
- fr_delstate(is);
- } else
- isp = &is->is_next;
- if (fr_state_doflush) {
- (void) fr_state_flush(1);
- fr_state_doflush = 0;
- }
- RWLOCK_EXIT(&ipf_state);
- SPL_X(s);
-}
-
-
-/*
- * Original idea freom Pradeep Krishnan for use primarily with NAT code.
- * (pkrishna@netcom.com)
- *
- * Rewritten by Arjan de Vet <Arjan.deVet@adv.iae.nl>, 2000-07-29:
- *
- * - (try to) base state transitions on real evidence only,
- * i.e. packets that are sent and have been received by ipfilter;
- * diagram 18.12 of TCP/IP volume 1 by W. Richard Stevens was used.
- *
- * - deal with half-closed connections correctly;
- *
- * - store the state of the source in state[0] such that ipfstat
- * displays the state as source/dest instead of dest/source; the calls
- * to fr_tcp_age have been changed accordingly.
- *
- * Parameters:
- *
- * state[0] = state of source (host that initiated connection)
- * state[1] = state of dest (host that accepted the connection)
- *
- * dir == 0 : a packet from source to dest
- * dir == 1 : a packet from dest to source
- *
- */
-void fr_tcp_age(age, state, fin, dir)
-u_long *age;
-u_char *state;
-fr_info_t *fin;
-int dir;
-{
- tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
- u_char flags = tcp->th_flags;
- int dlen, ostate;
-
- ostate = state[1 - dir];
-
- dlen = fin->fin_plen - fin->fin_hlen - (tcp->th_off << 2);
-
- if (flags & TH_RST) {
- if (!(tcp->th_flags & TH_PUSH) && !dlen) {
- *age = fr_tcpclosed;
- state[dir] = TCPS_CLOSED;
- } else {
- *age = fr_tcpclosewait;
- state[dir] = TCPS_CLOSE_WAIT;
- }
- return;
- }
-
- *age = fr_tcptimeout; /* default 4 mins */
-
- switch(state[dir])
- {
- case TCPS_CLOSED: /* 0 */
- if ((flags & TH_OPENING) == TH_OPENING) {
- /*
- * 'dir' received an S and sends SA in response,
- * CLOSED -> SYN_RECEIVED
- */
- state[dir] = TCPS_SYN_RECEIVED;
- *age = fr_tcptimeout;
- } else if ((flags & (TH_SYN|TH_ACK)) == TH_SYN) {
- /* 'dir' sent S, CLOSED -> SYN_SENT */
- state[dir] = TCPS_SYN_SENT;
- *age = fr_tcptimeout;
- }
- /*
- * The next piece of code makes it possible to get
- * already established connections into the state table
- * after a restart or reload of the filter rules; this
- * does not work when a strict 'flags S keep state' is
- * used for tcp connections of course
- */
- if ((flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK) {
- /* we saw an A, guess 'dir' is in ESTABLISHED mode */
- state[dir] = TCPS_ESTABLISHED;
- *age = fr_tcpidletimeout;
- }
- /*
- * TODO: besides regular ACK packets we can have other
- * packets as well; it is yet to be determined how we
- * should initialize the states in those cases
- */
- break;
-
- case TCPS_LISTEN: /* 1 */
- /* NOT USED */
- break;
-
- case TCPS_SYN_SENT: /* 2 */
- if ((flags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) {
- /*
- * We see an A from 'dir' which is in SYN_SENT
- * state: 'dir' sent an A in response to an SA
- * which it received, SYN_SENT -> ESTABLISHED
- */
- state[dir] = TCPS_ESTABLISHED;
- *age = fr_tcpidletimeout;
- } else if (flags & TH_FIN) {
- /*
- * We see an F from 'dir' which is in SYN_SENT
- * state and wants to close its side of the
- * connection; SYN_SENT -> FIN_WAIT_1
- */
- state[dir] = TCPS_FIN_WAIT_1;
- *age = fr_tcpidletimeout; /* or fr_tcptimeout? */
- } else if ((flags & TH_OPENING) == TH_OPENING) {
- /*
- * We see an SA from 'dir' which is already in
- * SYN_SENT state, this means we have a
- * simultaneous open; SYN_SENT -> SYN_RECEIVED
- */
- state[dir] = TCPS_SYN_RECEIVED;
- *age = fr_tcptimeout;
- }
- break;
-
- case TCPS_SYN_RECEIVED: /* 3 */
- if ((flags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) {
- /*
- * We see an A from 'dir' which was in SYN_RECEIVED
- * state so it must now be in established state,
- * SYN_RECEIVED -> ESTABLISHED
- */
- state[dir] = TCPS_ESTABLISHED;
- *age = fr_tcpidletimeout;
- } else if (flags & TH_FIN) {
- /*
- * We see an F from 'dir' which is in SYN_RECEIVED
- * state and wants to close its side of the connection;
- * SYN_RECEIVED -> FIN_WAIT_1
- */
- state[dir] = TCPS_FIN_WAIT_1;
- *age = fr_tcpidletimeout;
- }
- break;
-
- case TCPS_ESTABLISHED: /* 4 */
- if (flags & TH_FIN) {
- /*
- * 'dir' closed its side of the connection; this
- * gives us a half-closed connection;
- * ESTABLISHED -> FIN_WAIT_1
- */
- state[dir] = TCPS_FIN_WAIT_1;
- *age = fr_tcphalfclosed;
- } else if (flags & TH_ACK) {
- /* an ACK, should we exclude other flags here? */
- if (ostate == TCPS_FIN_WAIT_1) {
- /*
- * We know the other side did an active close,
- * so we are ACKing the recvd FIN packet (does
- * the window matching code guarantee this?)
- * and go into CLOSE_WAIT state; this gives us
- * a half-closed connection
- */
- state[dir] = TCPS_CLOSE_WAIT;
- *age = fr_tcphalfclosed;
- } else if (ostate < TCPS_CLOSE_WAIT)
- /*
- * Still a fully established connection,
- * reset timeout
- */
- *age = fr_tcpidletimeout;
- }
- break;
-
- case TCPS_CLOSE_WAIT: /* 5 */
- if (flags & TH_FIN) {
- /*
- * Application closed and 'dir' sent a FIN, we're now
- * going into LAST_ACK state
- */
- *age = fr_tcplastack;
- state[dir] = TCPS_LAST_ACK;
- } else {
- /*
- * We remain in CLOSE_WAIT because the other side has
- * closed already and we did not close our side yet;
- * reset timeout
- */
- *age = fr_tcphalfclosed;
- }
- break;
-
- case TCPS_FIN_WAIT_1: /* 6 */
- if ((flags & TH_ACK) && ostate > TCPS_CLOSE_WAIT) {
- /*
- * If the other side is not active anymore it has sent
- * us a FIN packet that we are ack'ing now with an ACK;
- * this means both sides have now closed the connection
- * and we go into TIME_WAIT
- */
- /*
- * XXX: how do we know we really are ACKing the FIN
- * packet here? does the window code guarantee that?
- */
- state[dir] = TCPS_TIME_WAIT;
- *age = fr_tcptimeout;
- } else
- /*
- * We closed our side of the connection already but the
- * other side is still active (ESTABLISHED/CLOSE_WAIT);
- * continue with this half-closed connection
- */
- *age = fr_tcphalfclosed;
- break;
-
- case TCPS_CLOSING: /* 7 */
- /* NOT USED */
- break;
-
- case TCPS_LAST_ACK: /* 8 */
- if (flags & TH_ACK) {
- if ((flags & TH_PUSH) || dlen)
- /*
- * There is still data to be delivered, reset
- * timeout
- */
- *age = fr_tcplastack;
- }
- /*
- * We cannot detect when we go out of LAST_ACK state to CLOSED
- * because that is based on the reception of ACK packets;
- * ipfilter can only detect that a packet has been sent by a
- * host
- */
- break;
-
- case TCPS_FIN_WAIT_2: /* 9 */
- /* NOT USED */
- break;
-
- case TCPS_TIME_WAIT: /* 10 */
- /* we're in 2MSL timeout now */
- break;
- }
-}
-
-
-#ifdef IPFILTER_LOG
-void ipstate_log(is, type)
-struct ipstate *is;
-u_int type;
-{
- struct ipslog ipsl;
- void *items[1];
- size_t sizes[1];
- int types[1];
-
- ipsl.isl_type = type;
- ipsl.isl_pkts = is->is_pkts;
- ipsl.isl_bytes = is->is_bytes;
- ipsl.isl_src = is->is_src;
- ipsl.isl_dst = is->is_dst;
- ipsl.isl_p = is->is_p;
- ipsl.isl_v = is->is_v;
- ipsl.isl_flags = is->is_flags;
- if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
- ipsl.isl_sport = is->is_sport;
- ipsl.isl_dport = is->is_dport;
- if (ipsl.isl_p == IPPROTO_TCP) {
- ipsl.isl_state[0] = is->is_state[0];
- ipsl.isl_state[1] = is->is_state[1];
- }
- } else if (ipsl.isl_p == IPPROTO_ICMP)
- ipsl.isl_itype = is->is_icmp.ics_type;
- else {
- ipsl.isl_ps.isl_filler[0] = 0;
- ipsl.isl_ps.isl_filler[1] = 0;
- }
- items[0] = &ipsl;
- sizes[0] = sizeof(ipsl);
- types[0] = 0;
-
- (void) ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1);
-}
-#endif
-
-
-#ifdef USE_INET6
-frentry_t *fr_checkicmp6matchingstate(ip, fin)
-ip6_t *ip;
-fr_info_t *fin;
-{
- register ipstate_t *is, **isp;
- register u_short sport, dport;
- register u_char pr;
- struct icmp6_hdr *ic, *oic;
- union i6addr dst, src;
- u_short savelen;
- fr_info_t ofin;
- tcphdr_t *tcp;
- frentry_t *fr;
- ip6_t *oip;
- int type;
- u_int hv;
-
- /*
- * Does it at least have the return (basic) IP header ?
- * Only a basic IP header (no options) should be with
- * an ICMP error header.
- */
- if ((fin->fin_v != 6) || (fin->fin_plen < ICMP6ERR_MINPKTLEN))
- return NULL;
- ic = (struct icmp6_hdr *)fin->fin_dp;
- type = ic->icmp6_type;
- /*
- * If it's not an error type, then return
- */
- if ((type != ICMP6_DST_UNREACH) && (type != ICMP6_PACKET_TOO_BIG) &&
- (type != ICMP6_TIME_EXCEEDED) && (type != ICMP6_PARAM_PROB))
- return NULL;
-
- oip = (ip6_t *)((char *)ic + ICMPERR_ICMPHLEN);
- if (fin->fin_plen < sizeof(*oip))
- return NULL;
-
- if (oip->ip6_nxt == IPPROTO_ICMPV6) {
- oic = (struct icmp6_hdr *)(oip + 1);
- /*
- * a ICMP error can only be generated as a result of an
- * ICMP query, not as the response on an ICMP error
- *
- * XXX theoretically ICMP_ECHOREP and the other reply's are
- * ICMP query's as well, but adding them here seems strange XXX
- */
- if (!(oic->icmp6_type & ICMP6_INFOMSG_MASK))
- return NULL;
-
- /*
- * perform a lookup of the ICMP packet in the state table
- */
- hv = (pr = oip->ip6_nxt);
- src.in6 = oip->ip6_src;
- hv += src.in4.s_addr;
- dst.in6 = oip->ip6_dst;
- hv += dst.in4.s_addr;
- hv += oic->icmp6_id;
- hv += oic->icmp6_seq;
- hv %= fr_statesize;
-
- oip->ip6_plen = ntohs(oip->ip6_plen);
- ofin.fin_v = 6;
- fr_makefrip(sizeof(*oip), (ip_t *)oip, &ofin);
- oip->ip6_plen = htons(oip->ip6_plen);
- ofin.fin_ifp = fin->fin_ifp;
- ofin.fin_out = !fin->fin_out;
- ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
-
- READ_ENTER(&ipf_state);
- for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext)
- if ((is->is_p == pr) &&
- (oic->icmp6_id == is->is_icmp.ics_id) &&
- (oic->icmp6_seq == is->is_icmp.ics_seq) &&
- fr_matchsrcdst(is, src, dst, &ofin, NULL)) {
- /*
- * in the state table ICMP query's are stored
- * with the type of the corresponding ICMP
- * response. Correct here
- */
- if (((is->is_type == ICMP6_ECHO_REPLY) &&
- (oic->icmp6_type == ICMP6_ECHO_REQUEST)) ||
- (is->is_type - 1 == oic->icmp6_type )) {
- ips_stats.iss_hits++;
- is->is_pkts++;
- is->is_bytes += fin->fin_plen;
- return is->is_rule;
- }
- }
- RWLOCK_EXIT(&ipf_state);
-
- return NULL;
- };
-
- if ((oip->ip6_nxt != IPPROTO_TCP) && (oip->ip6_nxt != IPPROTO_UDP))
- return NULL;
- tcp = (tcphdr_t *)(oip + 1);
- dport = tcp->th_dport;
- sport = tcp->th_sport;
-
- hv = (pr = oip->ip6_nxt);
- src.in6 = oip->ip6_src;
- hv += src.in4.s_addr;
- dst.in6 = oip->ip6_dst;
- hv += dst.in4.s_addr;
- hv += dport;
- hv += sport;
- hv %= fr_statesize;
- /*
- * we make an fin entry to be able to feed it to
- * matchsrcdst note that not all fields are encessary
- * but this is the cleanest way. Note further we fill
- * in fin_mp such that if someone uses it we'll get
- * a kernel panic. fr_matchsrcdst does not use this.
- *
- * watch out here, as ip is in host order and oip in network
- * order. Any change we make must be undone afterwards.
- */
- savelen = oip->ip6_plen;
- oip->ip6_plen = ip->ip6_plen - sizeof(*ip) - ICMPERR_ICMPHLEN;
- ofin.fin_v = 6;
- fr_makefrip(sizeof(*oip), (ip_t *)oip, &ofin);
- oip->ip6_plen = savelen;
- ofin.fin_ifp = fin->fin_ifp;
- ofin.fin_out = !fin->fin_out;
- ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
- READ_ENTER(&ipf_state);
- for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) {
- /*
- * Only allow this icmp though if the
- * encapsulated packet was allowed through the
- * other way around. Note that the minimal amount
- * of info present does not allow for checking against
- * tcp internals such as seq and ack numbers.
- */
- if ((is->is_p == pr) && (is->is_v == 6) &&
- fr_matchsrcdst(is, src, dst, &ofin, tcp)) {
- fr = is->is_rule;
- ips_stats.iss_hits++;
- /*
- * we must swap src and dst here because the icmp
- * comes the other way around
- */
- is->is_pkts++;
- is->is_bytes += fin->fin_plen;
- /*
- * we deliberately do not touch the timeouts
- * for the accompanying state table entry.
- * It remains to be seen if that is correct. XXX
- */
- RWLOCK_EXIT(&ipf_state);
- return fr;
- }
- }
- RWLOCK_EXIT(&ipf_state);
- return NULL;
-}
-#endif
diff --git a/sys/netinet/ip_state.h b/sys/netinet/ip_state.h
deleted file mode 100644
index f025ef00cff..00000000000
--- a/sys/netinet/ip_state.h
+++ /dev/null
@@ -1,202 +0,0 @@
-/* $OpenBSD: ip_state.h,v 1.18 2001/02/06 17:29:31 fgsch Exp $ */
-
-/*
- * Copyright (C) 1995-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * $IPFilter: ip_state.h,v 2.13.2.2 2000/08/23 11:01:31 darrenr Exp $
- */
-#ifndef __IP_STATE_H__
-#define __IP_STATE_H__
-
-#if defined(__STDC__) || defined(__GNUC__)
-# define SIOCDELST _IOW('r', 61, struct ipstate *)
-#else
-# define SIOCDELST _IOW(r, 61, struct ipstate *)
-#endif
-
-#ifndef IPSTATE_SIZE
-# define IPSTATE_SIZE 5737
-#endif
-
-#ifndef IPSTATE_MAX
-# define IPSTATE_MAX 4013 /* Maximum number of states held */
-#endif
-
-#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
- (((s1) == (d2)) && ((d1) == (s2))))
-#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \
- (s2).s_addr, (d2).s_addr)
-
-
-typedef struct udpstate {
- u_short us_sport;
- u_short us_dport;
-} udpstate_t;
-
-typedef struct icmpstate {
- u_short ics_id;
- u_short ics_seq;
- u_char ics_type;
-} icmpstate_t;
-
-typedef struct tcpdata {
- u_32_t td_end;
- u_32_t td_maxend;
- u_short td_maxwin;
-} tcpdata_t;
-
-typedef struct tcpstate {
- u_short ts_sport;
- u_short ts_dport;
- tcpdata_t ts_data[2];
- u_char ts_state[2];
-} tcpstate_t;
-
-typedef struct ipstate {
- struct ipstate *is_next;
- struct ipstate **is_pnext;
- struct ipstate *is_hnext;
- struct ipstate **is_phnext;
- u_long is_age;
- u_int is_pass;
- U_QUAD_T is_pkts;
- U_QUAD_T is_bytes;
- void *is_ifp[2];
- frentry_t *is_rule;
- union i6addr is_src;
- union i6addr is_dst;
- u_char is_p; /* Protocol */
- u_char is_v;
- u_int is_hv;
- u_32_t is_flags;
- u_32_t is_opt; /* packet options set */
- u_32_t is_optmsk; /* " " mask */
- u_short is_sec; /* security options set */
- u_short is_secmsk; /* " " mask */
- u_short is_auth; /* authentication options set */
- u_short is_authmsk; /* " " mask */
- union {
- icmpstate_t is_ics;
- tcpstate_t is_ts;
- udpstate_t is_us;
- } is_ps;
- char is_ifname[2][IFNAMSIZ];
-#if SOLARIS || defined(__sgi)
- kmutex_t is_lock;
-#endif
-} ipstate_t;
-
-#define is_saddr is_src.in4.s_addr
-#define is_daddr is_dst.in4.s_addr
-#define is_icmp is_ps.is_ics
-#define is_type is_icmp.ics_type
-#define is_code is_icmp.ics_code
-#define is_tcp is_ps.is_ts
-#define is_udp is_ps.is_us
-#define is_send is_tcp.ts_data[0].td_end
-#define is_dend is_tcp.ts_data[1].td_end
-#define is_maxswin is_tcp.ts_data[0].td_maxwin
-#define is_maxdwin is_tcp.ts_data[1].td_maxwin
-#define is_maxsend is_tcp.ts_data[0].td_maxend
-#define is_maxdend is_tcp.ts_data[1].td_maxend
-#define is_sport is_tcp.ts_sport
-#define is_dport is_tcp.ts_dport
-#define is_state is_tcp.ts_state
-#define is_ifpin is_ifp[0]
-#define is_ifpout is_ifp[1]
-
-#define TH_OPENING (TH_SYN|TH_ACK)
-/*
- * is_flags:
- * Bits 0 - 3 are use as a mask with the current packet's bits to check for
- * whether it is short, tcp/udp, a fragment or the presence of IP options.
- * Bits 4 - 7 are set from the initial packet and contain what the packet
- * anded with bits 0-3 must match.
- * Bits 8,9 are used to indicate wildcard source/destination port matching.
- */
-
-typedef struct ipstate_save {
- void *ips_next;
- struct ipstate ips_is;
- struct frentry ips_fr;
-} ipstate_save_t;
-
-#define ips_rule ips_is.is_rule
-
-
-typedef struct ipslog {
- U_QUAD_T isl_pkts;
- U_QUAD_T isl_bytes;
- union i6addr isl_src;
- union i6addr isl_dst;
- u_short isl_type;
- union {
- u_short isl_filler[2];
- u_short isl_ports[2];
- u_short isl_icmp;
- } isl_ps;
- u_char isl_v;
- u_char isl_p;
- u_char isl_flags;
- u_char isl_state[2];
-} ipslog_t;
-
-#define isl_sport isl_ps.isl_ports[0]
-#define isl_dport isl_ps.isl_ports[1]
-#define isl_itype isl_ps.isl_icmp
-
-#define ISL_NEW 0
-#define ISL_EXPIRE 0xffff
-#define ISL_FLUSH 0xfffe
-#define ISL_REMOVE 0xfffd
-
-
-typedef struct ips_stat {
- u_long iss_hits;
- u_long iss_miss;
- u_long iss_max;
- u_long iss_tcp;
- u_long iss_udp;
- u_long iss_icmp;
- u_long iss_nomem;
- u_long iss_expire;
- u_long iss_fin;
- u_long iss_active;
- u_long iss_logged;
- u_long iss_logfail;
- u_long iss_inuse;
- ipstate_t **iss_table;
- ipstate_t *iss_list;
-} ips_stat_t;
-
-
-extern u_long fr_tcpidletimeout;
-extern u_long fr_tcpclosewait;
-extern u_long fr_tcplastack;
-extern u_long fr_tcptimeout;
-extern u_long fr_tcpclosed;
-extern u_long fr_tcphalfclosed;
-extern u_long fr_udptimeout;
-extern u_long fr_icmptimeout;
-extern int fr_state_lock;
-extern int fr_stateinit __P((void));
-extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *));
-extern ipstate_t *fr_addstate __P((ip_t *, fr_info_t *, u_int));
-extern frentry_t *fr_checkstate __P((ip_t *, fr_info_t *));
-extern void ip_statesync __P((void *));
-extern void fr_timeoutstate __P((void));
-extern void fr_tcp_age __P((u_long *, u_char *, fr_info_t *, int));
-extern void fr_stateunload __P((void));
-extern void ipstate_log __P((struct ipstate *, u_int));
-#if defined(__NetBSD__) || defined(__OpenBSD__)
-extern int fr_state_ioctl __P((caddr_t, u_long, int));
-#else
-extern int fr_state_ioctl __P((caddr_t, int, int));
-#endif
-
-#endif /* __IP_STATE_H__ */
diff --git a/sys/netinet/ipl.h b/sys/netinet/ipl.h
deleted file mode 100644
index 9baf5e3b5e8..00000000000
--- a/sys/netinet/ipl.h
+++ /dev/null
@@ -1,19 +0,0 @@
-/* $OpenBSD: ipl.h,v 1.15 2001/05/08 19:58:02 fgsch Exp $ */
-
-/*
- * Copyright (C) 1993-2001 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * @(#)ipl.h 1.21 6/5/96
- * $IPFilter: ipl.h,v 2.15.2.19 2001/04/06 12:21:28 darrenr Exp $
- */
-
-#ifndef __IPL_H__
-#define __IPL_H__
-
-#define IPL_VERSION "IP Filter: v3.4.17"
-
-#endif
diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile
index 2a2dac56d80..45aeb5579d4 100644
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.77 2001/05/29 21:41:23 millert Exp $
+# $OpenBSD: Makefile,v 1.78 2001/05/30 02:11:04 deraadt Exp $
# not yet done: catman
@@ -6,8 +6,8 @@
SUBDIR= ac accton adduser amd arp bootpd bootpgw bootpef bootptest \
chroot config cron dev_mkdb dhcp \
- edquota gspa httpd inetd iostat ipfs \
- ipftest ipmon ipsend kgmon kvm_mkdb lpr \
+ edquota gspa httpd inetd iostat \
+ kgmon kvm_mkdb lpr \
mailwrapper map-mbone mrinfo mopd mrouted mtrace mtree named \
netgroup_mkdb openssl pkg pkg_install portmap ppp pppd pppoe pstat \
pwd_mkdb quot quotaon rarpd rbootd rdconfig rdate repquota rmt \
diff --git a/usr.sbin/ipfs/Makefile b/usr.sbin/ipfs/Makefile
deleted file mode 100644
index 1f4d4359651..00000000000
--- a/usr.sbin/ipfs/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2001/01/17 06:31:06 fgsch Exp $
-
-PROG= ipfs
-MAN= ipfs.8
-
-CFLAGS+=-I${.CURDIR}/../../sbin/ipf
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/ipfs/ipfs.8 b/usr.sbin/ipfs/ipfs.8
deleted file mode 100644
index e321feed9d7..00000000000
--- a/usr.sbin/ipfs/ipfs.8
+++ /dev/null
@@ -1,121 +0,0 @@
-.\" $OpenBSD: ipfs.8,v 1.3 2001/01/30 04:29:08 kjell Exp $
-.\"
-.TH IPFS 8
-.SH NAME
-ipfs \- saves and restores information for NAT and state tables.
-.SH SYNOPSIS
-.B ipfs
-[-nv] -l
-.PP
-.B ipfs
-[-nv] -u
-.PP
-.B ipfs
-[-nv] [
-.B \-d
-<\fIdirname\fP>
-] -R
-.PP
-.B ipfs
-[-nv] [
-.B \-d
-<\fIdirname\fP>
-] -W
-.PP
-.B ipfs
-[-nNSv] [
-.B \-f
-<\fIfilename\fP>
-] -r
-.PP
-.B ipfs
-[-nNSv] [
-.B \-f
-<\fIfilename\fP>
-] -w
-.PP
-.B ipfs
-[-nNSv]
-.B \-f
-<\fIfilename\fP>
-.B \-i
-<if1>,<if2>
-.SH DESCRIPTION
-.PP
-\fBipfs\fP allows state information created for NAT entries and rules using
-\fIkeep state\fP to be locked (modification prevented) and then saved to disk,
-allowing for the system to experience a reboot, followed by the restoration
-of that information, resulting in connections not being interrupted.
-.SH OPTIONS
-.TP
-.B \-d
-Change the default directory used with
-.B \-R
-and
-.B \-W
-options for saving state information.
-.B \-n
-Don't actually take any action that would effect information stored in
-the kernel or on disk.
-.TP
-.B \-v
-Provides a verbose description of what's being done.
-.TP
-.B \-N
-Operate on NAT information.
-.TP
-.B \-S
-Operate on filtering state information.
-.TP
-.B \-u
-Unlock state tables in the kernel.
-.TP
-.B \-l
-Unlock state tables in the kernel.
-.TP
-.B \-r
-Read information in from the specified file and load it into the
-kernel. This requires the state tables to have already been locked
-and does not change the lock once comlete.
-.TP
-.B \-w
-Write information out to the specified file and from the kernel.
-This requires the state tables to have already been locked
-and does not change the lock once comlete.
-.TP
-.B \-R
-Restores all saved state information, if any, from two files,
-\fIipstate.ipf\fP and \fIipnat.ipf\fP, stored in the \fI/var/db/ipf\fP
-directory unless otherwise specified the
-.B \-d
-option is used. The state tables are locked at the beginning of this
-operation and unlocked once complete.
-.TP
-.B \-W
-Saves in-kernel state information, if any, out to two files,
-\fIipstate.ipf\fP and \fIipnat.ipf\fP, stored in the \fI/var/db/ipf\fP
-directory unless otherwise specified the
-.B \-d
-option is used. The state tables are locked at the beginning of this
-operation and unlocked once complete.
-.DT
-.SH FILES
-/var/db/ipf/ipstate.ipf
-.br
-/var/db/ipf/ipnat.ipf
-.br
-/dev/ipl
-.br
-/dev/ipstate
-.br
-/dev/ipnat
-.SH SEE ALSO
-ipf(8), ipl(4), ipmon(8), ipnat(8)
-.SH DIAGNOSTICS
-.PP
-Perhaps the -W and -R operations should set the locking but rather than
-undo it, restore it to what it was previously. Fragment table information
-is currently not saved.
-.SH BUGS
-.PP
-If you find any, please send email to me at darrenr@pobox.com
diff --git a/usr.sbin/ipfs/ipfs.c b/usr.sbin/ipfs/ipfs.c
deleted file mode 100644
index 093ca5dad06..00000000000
--- a/usr.sbin/ipfs/ipfs.c
+++ /dev/null
@@ -1,795 +0,0 @@
-/* $OpenBSD: ipfs.c,v 1.3 2001/01/30 04:29:08 kjell Exp $ */
-
-/*
- * Copyright (C) 1999 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#ifdef __FreeBSD__
-# include <osreldate.h>
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <fcntl.h>
-#include <errno.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <sys/time.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_nat.h>
-#include <netinet/ip_state.h>
-#include "ipf.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$IPFilter: ipfs.c,v 2.6.2.3 2001/01/10 06:20:12 darrenr Exp $";
-#endif
-
-#ifndef IPF_SAVEDIR
-# define IPF_SAVEDIR "/var/db/ipf"
-#endif
-#ifndef IPF_NATFILE
-# define IPF_NATFILE "ipnat.ipf"
-#endif
-#ifndef IPF_STATEFILE
-# define IPF_STATEFILE "ipstate.ipf"
-#endif
-
-#if !defined(__SVR4) && defined(__GNUC__)
-extern char *index __P((const char *, int));
-#endif
-
-extern char *optarg;
-
-int main __P((int, char *[]));
-void usage __P((void));
-int changestateif __P((char *, char *));
-int changenatif __P((char *, char *));
-int readstate __P((int, char *));
-int readnat __P((int, char *));
-int writestate __P((int, char *));
-int opendevice __P((char *));
-void closedevice __P((int));
-int setlock __P((int, int));
-int writeall __P((char *));
-int readall __P((char *));
-int writenat __P((int, char *));
-
-int opts = 0;
-
-
-void usage()
-{
- fprintf(stderr, "usage: ipfs [-nv] -l\n");
- fprintf(stderr, "usage: ipfs [-nv] -u\n");
- fprintf(stderr, "usage: ipfs [-nv] [-d <dir>] -R\n");
- fprintf(stderr, "usage: ipfs [-nv] [-d <dir>] -W\n");
- fprintf(stderr, "usage: ipfs [-nNSv] [-f <file>] -r\n");
- fprintf(stderr, "usage: ipfs [-nNSv] [-f <file>] -w\n");
- fprintf(stderr, "usage: ipfs [-nNSv] -f <filename> -i <if1>,<if2>\n");
- exit(1);
-}
-
-
-/*
- * Change interface names in state information saved out to disk.
- */
-int changestateif(ifs, fname)
-char *ifs, *fname;
-{
- int fd, olen, nlen, rw;
- ipstate_save_t ips;
- off_t pos;
- char *s;
-
- s = strchr(ifs, ',');
- if (!s)
- usage();
- *s++ = '\0';
- nlen = strlen(s);
- olen = strlen(ifs);
- if (nlen >= sizeof(ips.ips_is.is_ifname) ||
- olen >= sizeof(ips.ips_is.is_ifname))
- usage();
-
- fd = open(fname, O_RDWR);
- if (fd == -1) {
- perror("open");
- exit(1);
- }
-
- for (pos = 0; read(fd, &ips, sizeof(ips)) == sizeof(ips); ) {
- rw = 0;
- if (!strncmp(ips.ips_is.is_ifname[0], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[0], s);
- rw = 1;
- }
- if (!strncmp(ips.ips_is.is_ifname[1], ifs, olen + 1)) {
- strcpy(ips.ips_is.is_ifname[1], s);
- rw = 1;
- }
- if (rw == 1) {
- if (lseek(fd, pos, SEEK_SET) != pos) {
- perror("lseek");
- exit(1);
- }
- if (write(fd, &ips, sizeof(ips)) != sizeof(ips)) {
- perror("write");
- exit(1);
- }
- }
- pos = lseek(fd, 0, SEEK_CUR);
- }
- close(fd);
-
- return 0;
-}
-
-
-/*
- * Change interface names in NAT information saved out to disk.
- */
-int changenatif(ifs, fname)
-char *ifs, *fname;
-{
- int fd, olen, nlen, rw;
- nat_save_t ipn;
- nat_t *nat;
- off_t pos;
- char *s;
-
- s = strchr(ifs, ',');
- if (!s)
- usage();
- *s++ = '\0';
- nlen = strlen(s);
- olen = strlen(ifs);
- nat = &ipn.ipn_nat;
- if (nlen >= sizeof(nat->nat_ifname) || olen >= sizeof(nat->nat_ifname))
- usage();
-
- fd = open(fname, O_RDWR);
- if (fd == -1) {
- perror("open");
- exit(1);
- }
-
- for (pos = 0; read(fd, &ipn, sizeof(ipn)) == sizeof(ipn); ) {
- rw = 0;
- if (!strncmp(nat->nat_ifname, ifs, olen + 1)) {
- strcpy(nat->nat_ifname, s);
- rw = 1;
- }
- if (rw == 1) {
- if (lseek(fd, pos, SEEK_SET) != pos) {
- perror("lseek");
- exit(1);
- }
- if (write(fd, &ipn, sizeof(ipn)) != sizeof(ipn)) {
- perror("write");
- exit(1);
- }
- }
- pos = lseek(fd, 0, SEEK_CUR);
- }
- close(fd);
-
- return 0;
-}
-
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0;
- char *dirname = NULL, *filename = NULL, *ifs = NULL;
-
- while ((c = getopt(argc, argv, "d:f:lNnSRruvWw")) != -1)
- switch (c)
- {
- case 'd' :
- if ((set == 0) && !dirname && !filename)
- dirname = optarg;
- else
- usage();
- break;
- case 'f' :
- if ((set == 0) && !dirname && !filename)
- filename = optarg;
- else
- usage();
- break;
- case 'i' :
- ifs = optarg;
- set = 1;
- break;
- case 'l' :
- if (filename || dirname || set)
- usage();
- lock = 1;
- set = 1;
- break;
- case 'n' :
- opts |= OPT_DONOTHING;
- break;
- case 'N' :
- if ((ns > 0) || dirname || (rw != -1) || set)
- usage();
- ns = 0;
- set = 1;
- break;
- case 'r' :
- if ((ns > 0) || dirname || (rw != -1))
- usage();
- rw = 0;
- set = 1;
- break;
- case 'R' :
- rw = 2;
- set = 1;
- break;
- case 'S' :
- if ((ns > 0) || dirname || (rw != -1) || set)
- usage();
- ns = 1;
- set = 1;
- break;
- case 'u' :
- if (filename || dirname || set)
- usage();
- lock = 0;
- set = 1;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'w' :
- if ((ns > 0) || dirname || (rw != -1) || (ns == -1))
- usage();
- rw = 1;
- set = 1;
- break;
- case 'W' :
- rw = 3;
- set = 1;
- break;
- case '?' :
- default :
- usage();
- }
-
- if (ifs) {
- if (!filename || ns<0)
- usage();
- if (ns == 0)
- return changenatif(ifs, filename);
- else
- return changestateif(ifs, filename);
- }
-
- if ((ns >= 0) || (lock >= 0)) {
- if (lock >= 0)
- devfd = opendevice(NULL);
- else if (ns >= 0) {
- if (ns == 1)
- devfd = opendevice(IPL_STATE);
- else if (ns == 0)
- devfd = opendevice(IPL_NAT);
- }
- if (devfd == -1)
- exit(1);
- }
-
- if (lock >= 0)
- err = setlock(devfd, lock);
- else if (rw >= 0) {
- if (rw & 1) { /* WRITE */
- if (rw & 2)
- err = writeall(dirname);
- else {
- if (ns == 0)
- err = writenat(devfd, filename);
- else if (ns == 1)
- err = writestate(devfd, filename);
- }
- } else {
- if (rw & 2)
- err = readall(dirname);
- else {
- if (ns == 0)
- err = readnat(devfd, filename);
- else if (ns == 1)
- err = readstate(devfd, filename);
- }
- }
- }
- return err;
-}
-
-
-int opendevice(ipfdev)
-char *ipfdev;
-{
- int fd = -1;
-
- if (opts & OPT_DONOTHING)
- return -2;
-
- if (!ipfdev)
- ipfdev = IPL_NAME;
-
- if ((fd = open(ipfdev, O_RDWR)) == -1)
- if ((fd = open(ipfdev, O_RDONLY)) == -1)
- perror("open device");
- return fd;
-}
-
-
-void closedevice(fd)
-int fd;
-{
- close(fd);
-}
-
-
-int setlock(fd, lock)
-int fd, lock;
-{
- if (opts & OPT_VERBOSE)
- printf("Turn lock %s\n", lock ? "on" : "off");
- if (!(opts & OPT_DONOTHING)) {
- if (ioctl(fd, SIOCSTLCK, &lock) == -1) {
- perror("SIOCSTLCK");
- return 1;
- }
- if (opts & OPT_VERBOSE)
- printf("Lock now %s\n", lock ? "on" : "off");
- }
- return 0;
-}
-
-
-int writestate(fd, file)
-int fd;
-char *file;
-{
- ipstate_save_t ips, *ipsp;
- int wfd = -1;
-
- if (!file)
- file = IPF_STATEFILE;
-
- wfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
- if (wfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("state:open");
- return 1;
- }
-
- ipsp = &ips;
- bzero((char *)ipsp, sizeof(ips));
-
- do {
- if (opts & OPT_VERBOSE)
- printf("Getting state from addr %p\n", ips.ips_next);
- if (ioctl(fd, SIOCSTGET, &ipsp)) {
- if (errno == ENOENT)
- break;
- perror("state:SIOCSTGET");
- close(wfd);
- return 1;
- }
- if (opts & OPT_VERBOSE)
- printf("Got state next %p\n", ips.ips_next);
- if (write(wfd, ipsp, sizeof(ips)) != sizeof(ips)) {
- perror("state:write");
- close(wfd);
- return 1;
- }
- } while (ips.ips_next != NULL);
- close(wfd);
-
- return 0;
-}
-
-
-int readstate(fd, file)
-int fd;
-char *file;
-{
- ipstate_save_t ips, *is, *ipshead = NULL, *is1, *ipstail = NULL;
- int sfd = -1, i;
-
- if (!file)
- file = IPF_STATEFILE;
-
- sfd = open(file, O_RDONLY, 0600);
- if (sfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("open");
- return 1;
- }
-
- bzero((char *)&ips, sizeof(ips));
-
- /*
- * 1. Read all state information in.
- */
- do {
- i = read(sfd, &ips, sizeof(ips));
- if (i == -1) {
- perror("read");
- close(sfd);
- return 1;
- }
- if (i == 0)
- break;
- if (i != sizeof(ips)) {
- fprintf(stderr, "incomplete read: %d != %d\n", i,
- (int)sizeof(ips));
- close(sfd);
- return 1;
- }
- is = (ipstate_save_t *)malloc(sizeof(*is));
- if(!is) {
- fprintf(stderr, "malloc failed\n");
- return 1;
- }
-
- bcopy((char *)&ips, (char *)is, sizeof(ips));
-
- /*
- * Check to see if this is the first state entry that will
- * reference a particular rule and if so, flag it as such
- * else just adjust the rule pointer to become a pointer to
- * the other. We do this so we have a means later for tracking
- * who is referencing us when we get back the real pointer
- * in is_rule after doing the ioctl.
- */
- for (is1 = ipshead; is1 != NULL; is1 = is1->ips_next)
- if (is1->ips_rule == is->ips_rule)
- break;
- if (is1 == NULL)
- is->ips_is.is_flags |= FI_NEWFR;
- else
- is->ips_rule = (void *)&is1->ips_rule;
-
- /*
- * Use a tail-queue type list (add things to the end)..
- */
- is->ips_next = NULL;
- if (!ipshead)
- ipshead = is;
- if (ipstail)
- ipstail->ips_next = is;
- ipstail = is;
- } while (1);
-
- close(sfd);
-
- for (is = ipshead; is; is = is->ips_next) {
- if (opts & OPT_VERBOSE)
- printf("Loading new state table entry\n");
- if (is->ips_is.is_flags & FI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Loading new filter rule\n");
- }
- if (!(opts & OPT_DONOTHING))
- if (ioctl(fd, SIOCSTPUT, &is)) {
- perror("SIOCSTPUT");
- return 1;
- }
-
- if (is->ips_is.is_flags & FI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Real rule addr %p\n", is->ips_rule);
- for (is1 = is->ips_next; is1; is1 = is1->ips_next)
- if (is1->ips_rule == (frentry_t *)&is->ips_rule)
- is1->ips_rule = is->ips_rule;
- }
- }
-
- return 0;
-}
-
-
-int readnat(fd, file)
-int fd;
-char *file;
-{
- nat_save_t ipn, *in, *ipnhead = NULL, *in1, *ipntail = NULL, *ipnp;
- int nfd = -1, i;
- nat_t *nat;
-
- if (!file)
- file = IPF_NATFILE;
-
- nfd = open(file, O_RDONLY);
- if (nfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("nat:open");
- return 1;
- }
-
- bzero((char *)&ipn, sizeof(ipn));
-
- /*
- * 1. Read all state information in.
- */
- do {
- i = read(nfd, &ipn, sizeof(ipn));
- if (i == -1) {
- perror("read");
- close(nfd);
- return 1;
- }
- if (i == 0)
- break;
- if (i != sizeof(ipn)) {
- fprintf(stderr, "incomplete read: %d != %d\n", i,
- (int)sizeof(ipn));
- close(nfd);
- return 1;
- }
-
- if (ipn.ipn_dsize > 0) {
- char *s = ipnp->ipn_data;
- int n = ipnp->ipn_dsize;
-
- n -= sizeof(ipnp->ipn_data);
- in = malloc(sizeof(*in) + n);
- if (!in)
- break;
-
- s += sizeof(ipnp->ipn_data);
- i = read(nfd, s, n);
- if (i == 0)
- break;
- if (i != n) {
- fprintf(stderr, "incomplete read: %d != %d\n",
- i, n);
- close(nfd);
- return 1;
- }
- } else
- in = (nat_save_t *)malloc(sizeof(*in));
- bcopy((char *)&ipnp, (char *)in, sizeof(ipn));
-
- /*
- * Check to see if this is the first state entry that will
- * reference a particular rule and if so, flag it as such
- * else just adjust the rule pointer to become a pointer to
- * the other. We do this so we have a means later for tracking
- * who is referencing us when we get back the real pointer
- * in is_rule after doing the ioctl.
- */
- nat = &in->ipn_nat;
- if (nat->nat_fr != NULL) {
- for (in1 = ipnhead; in1 != NULL; in1 = in1->ipn_next)
- if (in1->ipn_rule == nat->nat_fr)
- break;
- if (in1 == NULL)
- nat->nat_flags |= FI_NEWFR;
- else
- nat->nat_fr = &in1->ipn_fr;
- }
-
- /*
- * Use a tail-queue type list (add things to the end)..
- */
- in->ipn_next = NULL;
- if (!ipnhead)
- ipnhead = in;
- if (ipntail)
- ipntail->ipn_next = in;
- ipntail = in;
- } while (1);
-
- close(nfd);
-
- for (in = ipnhead; in; in = in->ipn_next) {
- if (opts & OPT_VERBOSE)
- printf("Loading new NAT table entry\n");
- nat = &in->ipn_nat;
- if (nat->nat_flags & FI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Loading new filter rule\n");
- }
- if (!(opts & OPT_DONOTHING))
- if (ioctl(fd, SIOCSTPUT, &in)) {
- perror("SIOCSTPUT");
- return 1;
- }
-
- if (nat->nat_flags & FI_NEWFR) {
- if (opts & OPT_VERBOSE)
- printf("Real rule addr %p\n", nat->nat_fr);
- for (in1 = in->ipn_next; in1; in1 = in1->ipn_next)
- if (in1->ipn_rule == &in->ipn_fr)
- in1->ipn_rule = nat->nat_fr;
- }
- }
-
- return 0;
-}
-
-
-int writenat(fd, file)
-int fd;
-char *file;
-{
- nat_save_t *ipnp = NULL, *next = NULL;
- int nfd = -1;
- natget_t ng;
-
- if (!file)
- file = IPF_NATFILE;
-
- nfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
- if (nfd == -1) {
- fprintf(stderr, "%s ", file);
- perror("nat:open");
- return 1;
- }
-
-
- do {
- if (opts & OPT_VERBOSE)
- printf("Getting nat from addr %p\n", ipnp);
- ng.ng_ptr = next;
- ng.ng_sz = 0;
- if (ioctl(fd, SIOCSTGSZ, &ng)) {
- perror("nat:SIOCSTGSZ");
- close(nfd);
- return 1;
- }
-
- if (opts & OPT_VERBOSE)
- printf("NAT size %d from %p\n", ng.ng_sz, ng.ng_ptr);
-
- if (ng.ng_sz == 0)
- break;
-
- if (!ipnp)
- ipnp = malloc(ng.ng_sz);
- else
- ipnp = realloc((char *)ipnp, ng.ng_sz);
- if (!ipnp) {
- fprintf(stderr,
- "malloc for %d bytes failed\n", ng.ng_sz);
- break;
- }
-
- bzero((char *)ipnp, ng.ng_sz);
- ipnp->ipn_next = next;
- if (ioctl(fd, SIOCSTGET, &ipnp)) {
- if (errno == ENOENT)
- break;
- perror("nat:SIOCSTGET");
- close(nfd);
- return 1;
- }
-
- if (opts & OPT_VERBOSE)
- printf("Got nat next %p\n", ipnp->ipn_next);
- if (write(nfd, ipnp, ng.ng_sz) != ng.ng_sz) {
- perror("nat:write");
- close(nfd);
- return 1;
- }
- next = ipnp->ipn_next;
- } while (ipnp && next);
- close(nfd);
-
- return 0;
-}
-
-
-int writeall(dirname)
-char *dirname;
-{
- int fd, devfd;
-
- if (!dirname)
- dirname = IPF_SAVEDIR;
-
- if (chdir(dirname)) {
- perror("chdir(IPF_SAVEDIR)");
- return 1;
- }
-
- fd = opendevice(NULL);
- if (fd == -1)
- return 1;
- if (setlock(fd, 1)) {
- close(fd);
- return 1;
- }
-
- devfd = opendevice(IPL_STATE);
- if (devfd == -1)
- return 1;
- if (writestate(devfd, NULL))
- return 1;
- close(devfd);
-
- devfd = opendevice(IPL_NAT);
- if (devfd == -1)
- return 1;
- if (writenat(devfd, NULL))
- return 1;
- close(devfd);
-
- if (setlock(fd, 0)) {
- close(fd);
- return 1;
- }
-
- return 0;
-}
-
-
-int readall(dirname)
-char *dirname;
-{
- int fd, devfd;
-
- if (!dirname)
- dirname = IPF_SAVEDIR;
-
- if (chdir(dirname)) {
- perror("chdir(IPF_SAVEDIR)");
- return 1;
- }
-
- fd = opendevice(NULL);
- if (fd == -1)
- return 1;
- if (setlock(fd, 1)) {
- close(fd);
- return 1;
- }
-
- devfd = opendevice(IPL_STATE);
- if (devfd == -1)
- return 1;
- if (readstate(devfd, NULL))
- return 1;
- close(devfd);
-
- devfd = opendevice(IPL_NAT);
- if (devfd == -1)
- return 1;
- if (readnat(devfd, NULL))
- return 1;
- close(devfd);
-
- if (setlock(fd, 0)) {
- close(fd);
- return 1;
- }
-
- return 0;
-}
diff --git a/usr.sbin/ipftest/Makefile b/usr.sbin/ipftest/Makefile
deleted file mode 100644
index a7c087a9a78..00000000000
--- a/usr.sbin/ipftest/Makefile
+++ /dev/null
@@ -1,15 +0,0 @@
-# $OpenBSD: Makefile,v 1.9 2001/01/17 06:01:21 fgsch Exp $
-
-PROG= ipftest
-MAN= ipftest.1
-SRCS= ipt.c fil.c ipft_hx.c ipft_sn.c ipft_ef.c ipft_td.c ipft_pc.c \
- ipft_tx.c misc.c parse.c opt.c ip_frag.c ip_nat.c ip_state.c \
- ip_auth.c ip_fil.c ip_proxy.c facpri.c natparse.c common.c ifaddr.c
-
-.PATH: ${.CURDIR}/../../sbin/ipf ${.CURDIR}/../../sbin/ipfstat \
- ${.CURDIR}/../../sys/netinet ${.CURDIR}/../../sbin/ipnat
-
-CFLAGS+=-I${.CURDIR}/../../sbin/ipf \
- -I${.CURDIR}
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/ipftest/ipft_ef.c b/usr.sbin/ipftest/ipft_ef.c
deleted file mode 100644
index ac243cc9503..00000000000
--- a/usr.sbin/ipftest/ipft_ef.c
+++ /dev/null
@@ -1,156 +0,0 @@
-/* $OpenBSD: ipft_ef.c,v 1.16 2001/01/30 04:31:01 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-
-/*
- icmp type
- lnth proto source destination src port dst port
-
-etherfind -n
-
- 60 tcp 128.250.20.20 128.250.133.13 2419 telnet
-
-etherfind -n -t
-
- 0.32 91 04 131.170.1.10 128.250.133.13
- 0.33 566 udp 128.250.37.155 128.250.133.3 901 901
-*/
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ipft_ef.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
-#endif
-
-static int etherf_open __P((char *));
-static int etherf_close __P((void));
-static int etherf_readip __P((char *, int, char **, int *));
-
-struct ipread etherf = { etherf_open, etherf_close, etherf_readip };
-
-static FILE *efp = NULL;
-static int efd = -1;
-
-
-static int etherf_open(fname)
-char *fname;
-{
- if (efd != -1)
- return efd;
-
- if (!strcmp(fname, "-")) {
- efd = 0;
- efp = stdin;
- } else {
- efd = open(fname, O_RDONLY);
- efp = fdopen(efd, "r");
- }
- return efd;
-}
-
-
-static int etherf_close()
-{
- return close(efd);
-}
-
-
-static int etherf_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- struct tcpiphdr pkt;
- ip_t *ip = (ip_t *)&pkt;
- struct protoent *p = NULL;
- char src[16], dst[16], sprt[16], dprt[16];
- char lbuf[128], len[8], prot[8], time[8], *s;
- int slen, extra = 0, i, n;
-
- if (!fgets(lbuf, sizeof(lbuf) - 1, efp))
- return 0;
-
- if ((s = strchr(lbuf, '\n')))
- *s = '\0';
- lbuf[sizeof(lbuf)-1] = '\0';
-
- bzero(&pkt, sizeof(pkt));
-
- if ((n = sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst,
- sprt, dprt)) != 6)
- if ((n = sscanf(lbuf, "%s %s %s %s %s %s %s", time,
- len, prot, src, dst, sprt, dprt)) != 7)
- return -1;
-
- ip->ip_p = atoi(prot);
- if (ip->ip_p == 0) {
- if (!(p = getprotobyname(prot)))
- return -1;
- ip->ip_p = p->p_proto;
- }
-
- switch (ip->ip_p) {
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- s = strtok(NULL, " :");
- ip->ip_len += atoi(s);
- if (p->p_proto == IPPROTO_TCP)
- extra = sizeof(struct tcphdr);
- else if (p->p_proto == IPPROTO_UDP)
- extra = sizeof(struct udphdr);
- break;
-#ifdef IGMP
- case IPPROTO_IGMP :
- extra = sizeof(struct igmp);
- break;
-#endif
- case IPPROTO_ICMP :
- extra = sizeof(struct icmp);
- break;
- default :
- break;
- }
-
- (void) inet_aton(src, &ip->ip_src);
- (void) inet_aton(dst, &ip->ip_dst);
- ip->ip_len = atoi(len);
- ip->ip_hl = sizeof(ip_t);
-
- slen = ip->ip_hl + extra;
- i = MIN(cnt, slen);
- bcopy((char *)&pkt, buf, i);
- return i;
-}
diff --git a/usr.sbin/ipftest/ipft_hx.c b/usr.sbin/ipftest/ipft_hx.c
deleted file mode 100644
index 64d8e514e90..00000000000
--- a/usr.sbin/ipftest/ipft_hx.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/* $OpenBSD: ipft_hx.c,v 1.14 2001/01/30 04:31:01 kjell Exp $ */
-
-/*
- * Copyright (C) 1995-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#include <stdio.h>
-#include <ctype.h>
-#include <assert.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ipft_hx.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
-#endif
-
-extern int opts;
-
-static int hex_open __P((char *));
-static int hex_close __P((void));
-static int hex_readip __P((char *, int, char **, int *));
-static char *readhex __P((char *, char *));
-
-struct ipread iphex = { hex_open, hex_close, hex_readip };
-static FILE *tfp = NULL;
-static int tfd = -1;
-
-static int hex_open(fname)
-char *fname;
-{
- if (tfp && tfd != -1) {
- rewind(tfp);
- return tfd;
- }
-
- if (!strcmp(fname, "-")) {
- tfd = 0;
- tfp = stdin;
- } else {
- tfd = open(fname, O_RDONLY);
- if (tfd != -1)
- tfp = fdopen(tfd, "r");
- }
- return tfd;
-}
-
-
-static int hex_close()
-{
- int cfd = tfd;
-
- tfd = -1;
- return close(cfd);
-}
-
-
-static int hex_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- register char *s, *t, *u;
- char line[513];
- ip_t *ip;
-
- ip = (ip_t *)buf;
- while (fgets(line, sizeof(line)-1, tfp)) {
- if ((s = index(line, '\n'))) {
- if (s == line)
- return (char *)ip - buf;
- *s = '\0';
- }
- if ((s = index(line, '#')))
- *s = '\0';
- if (!*line)
- continue;
- if (!(opts & OPT_BRIEF)) {
- printf("input: %s\n", line);
- fflush(stdout);
- }
-
- /*
- * interpret start of line as possibly "[ifname]" or
- * "[in/out,ifname]".
- */
- if (ifn)
- *ifn = NULL;
- if (dir)
- *dir = 0;
- if ((*buf == '[') && (s = index(line, ']'))) {
- t = buf + 1;
- if (t - s > 0) {
- if ((u = index(t, ',')) && (u < s)) {
- u++;
- if (ifn)
- *ifn = u;
- if (dir) {
- if (*t == 'i')
- *dir = 0;
- else if (*t == 'o')
- *dir = 1;
- }
- } else if (ifn)
- *ifn = t;
- *s++ = '\0';
- }
- } else
- s = line;
- ip = (ip_t *)readhex(s, (char *)ip);
- }
- return -1;
-}
-
-
-static char *readhex(src, dst)
-register char *src, *dst;
-{
- int state = 0;
- char c;
-
- while ((c = *src++)) {
- if (isspace(c)) {
- if (state) {
- dst++;
- state = 0;
- }
- continue;
- } else if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
- (c >= 'A' && c <= 'F')) {
- c = isdigit(c) ? (c - '0') : (toupper(c) - 55);
- if (state == 0) {
- *dst = (c << 4);
- state++;
- } else {
- *dst++ |= c;
- state = 0;
- }
- } else
- break;
- }
- return dst;
-}
diff --git a/usr.sbin/ipftest/ipft_pc.c b/usr.sbin/ipftest/ipft_pc.c
deleted file mode 100644
index 1ce697153e6..00000000000
--- a/usr.sbin/ipftest/ipft_pc.c
+++ /dev/null
@@ -1,236 +0,0 @@
-/* $OpenBSD: ipft_pc.c,v 1.18 2001/01/30 04:31:01 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "pcap.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$IPFilter: ipft_pc.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
-#endif
-
-struct llc {
- int lc_sz; /* LLC header length */
- int lc_to; /* LLC Type offset */
- int lc_tl; /* LLC Type length */
-};
-
-/*
- * While many of these maybe the same, some do have different header formats
- * which make this useful.
- */
-#define DLT_MAX 14
-
-static struct llc llcs[DLT_MAX] = {
- { 0, 0, 0 }, /* DLT_NULL */
- { 14, 12, 2 }, /* DLT_E10MB */
- { 0, 0, 0 }, /* DLT_EN3MB */
- { 0, 0, 0 }, /* DLT_AX25 */
- { 0, 0, 0 }, /* DLT_PRONET */
- { 0, 0, 0 }, /* DLT_CHAOS */
- { 0, 0, 0 }, /* DLT_IEEE802 */
- { 0, 0, 0 }, /* DLT_ARCNET */
- { 0, 0, 0 }, /* DLT_SLIP */
- { 0, 0, 0 }, /* DLT_PPP */
- { 0, 0, 0 }, /* DLT_FDDI */
- { 0, 0, 0 }, /* DLT_ATMRFC1483 */
- { 0, 0, 0 }, /* DLT_LOOP */
- { 0, 0, 0 } /* DLT_ENC */
-};
-
-static int pcap_open __P((char *));
-static int pcap_close __P((void));
-static int pcap_readip __P((char *, int, char **, int *));
-static void swap_hdr __P((pcaphdr_t *));
-static int pcap_read_rec __P((struct pcap_pkthdr *));
-
-static int pfd = -1, s_type = -1, swapped = 0;
-
-struct ipread pcap = { pcap_open, pcap_close, pcap_readip };
-
-#define SWAPLONG(y) \
- ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
-#define SWAPSHORT(y) \
- ( (((y)&0xff)<<8) | (((y)&0xff00)>>8) )
-
-static void swap_hdr(p)
-pcaphdr_t *p;
-{
- p->pc_v_maj = SWAPSHORT(p->pc_v_maj);
- p->pc_v_min = SWAPSHORT(p->pc_v_min);
- p->pc_zone = SWAPLONG(p->pc_zone);
- p->pc_sigfigs = SWAPLONG(p->pc_sigfigs);
- p->pc_slen = SWAPLONG(p->pc_slen);
- p->pc_type = SWAPLONG(p->pc_type);
-}
-
-static int pcap_open(fname)
-char *fname;
-{
- pcaphdr_t ph;
- int fd;
-
- if (pfd != -1)
- return pfd;
-
- if (!strcmp(fname, "-"))
- fd = 0;
- else if ((fd = open(fname, O_RDONLY)) == -1)
- return -1;
-
- if (read(fd, (char *)&ph, sizeof(ph)) != sizeof(ph))
- return -2;
-
- if (ph.pc_id != TCPDUMP_MAGIC) {
- if (SWAPLONG(ph.pc_id) != TCPDUMP_MAGIC) {
- (void) close(fd);
- return -2;
- }
- swapped = 1;
- swap_hdr(&ph);
- }
-
- if (ph.pc_v_maj != PCAP_VERSION_MAJ || ph.pc_type >= DLT_MAX) {
- (void) close(fd);
- return -2;
- }
-
- pfd = fd;
- s_type = ph.pc_type;
- printf("opened pcap file %s:\n", fname);
- printf("\tid: %08x version: %d.%d type: %d snap %d\n",
- ph.pc_id, ph.pc_v_maj, ph.pc_v_min, ph.pc_type, ph.pc_slen);
-
- return fd;
-}
-
-
-static int pcap_close()
-{
- return close(pfd);
-}
-
-
-/*
- * read in the header (and validate) which should be the first record
- * in a pcap file.
- */
-static int pcap_read_rec(rec)
-struct pcap_pkthdr *rec;
-{
- int n, p;
-
- if (read(pfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
- return -2;
-
- if (swapped) {
- rec->ph_clen = SWAPLONG(rec->ph_clen);
- rec->ph_len = SWAPLONG(rec->ph_len);
- rec->ph_ts.tv_sec = SWAPLONG(rec->ph_ts.tv_sec);
- rec->ph_ts.tv_usec = SWAPLONG(rec->ph_ts.tv_usec);
- }
- p = rec->ph_clen;
- n = MIN(p, rec->ph_len);
- if (!n || n < 0)
- return -3;
-
- return p;
-}
-
-
-#ifdef notyet
-/*
- * read an entire pcap packet record. only the data part is copied into
- * the available buffer, with the number of bytes copied returned.
- */
-static int pcap_read(buf, cnt)
-char *buf;
-int cnt;
-{
- struct pcap_pkthdr rec;
- static char *bufp = NULL;
- int i, n;
-
- if ((i = pcap_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
-
- if (read(pfd, bufp, i) != i)
- return -2;
-
- n = MIN(i, cnt);
- bcopy(bufp, buf, n);
- return n;
-}
-#endif
-
-
-/*
- * return only an IP packet read into buf
- */
-static int pcap_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- static char *bufp = NULL;
- struct pcap_pkthdr rec;
- struct llc *l;
- char *s, ty[4];
- int i, n;
-
- do {
- if ((i = pcap_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
- s = bufp;
-
- if (read(pfd, s, i) != i)
- return -2;
-
- l = &llcs[s_type];
- i -= l->lc_sz;
- s += l->lc_to;
- bcopy(s, ty, l->lc_tl);
- s += l->lc_tl;
- } while (ty[0] != 0x8 && ty[1] != 0);
- n = MIN(i, cnt);
- bcopy(s, buf, n);
- return n;
-}
diff --git a/usr.sbin/ipftest/ipft_sn.c b/usr.sbin/ipftest/ipft_sn.c
deleted file mode 100644
index 3c8318afeab..00000000000
--- a/usr.sbin/ipftest/ipft_sn.c
+++ /dev/null
@@ -1,215 +0,0 @@
-/* $OpenBSD: ipft_sn.c,v 1.15 2001/01/30 04:31:01 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-
-/*
- * Written to comply with the recent RFC 1761 from Sun.
- */
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "snoop.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char rcsid[] = "@(#)$IPFilter: ipft_sn.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
-#endif
-
-struct llc {
- int lc_sz; /* LLC header length */
- int lc_to; /* LLC Type offset */
- int lc_tl; /* LLC Type length */
-};
-
-/*
- * While many of these maybe the same, some do have different header formats
- * which make this useful.
- */
-static struct llc llcs[SDL_MAX+1] = {
- { 0, 0, 0 }, /* SDL_8023 */
- { 0, 0, 0 }, /* SDL_8024 */
- { 0, 0, 0 }, /* SDL_8025 */
- { 0, 0, 0 }, /* SDL_8026 */
- { 14, 12, 2 }, /* SDL_ETHER */
- { 0, 0, 0 }, /* SDL_HDLC */
- { 0, 0, 0 }, /* SDL_CHSYNC */
- { 0, 0, 0 }, /* SDL_IBMCC */
- { 0, 0, 0 }, /* SDL_FDDI */
- { 0, 0, 0 }, /* SDL_OTHER */
-};
-
-static int snoop_open __P((char *));
-static int snoop_close __P((void));
-static int snoop_readip __P((char *, int, char **, int *));
-
-static int sfd = -1, s_type = -1;
-static int snoop_read_rec __P((struct snooppkt *));
-
-struct ipread snoop = { snoop_open, snoop_close, snoop_readip };
-
-
-static int snoop_open(fname)
-char *fname;
-{
- struct snoophdr sh;
- int fd;
-
- if (sfd != -1)
- return sfd;
-
- if (!strcmp(fname, "-"))
- fd = 0;
- else if ((fd = open(fname, O_RDONLY)) == -1)
- return -1;
-
- if (read(fd, (char *)&sh, sizeof(sh)) != sizeof(sh))
- return -2;
-
- if (sh.s_v != SNOOP_VERSION ||
- sh.s_type < 0 || sh.s_type > SDL_MAX) {
- (void) close(fd);
- return -2;
- }
-
- sfd = fd;
- s_type = sh.s_type;
- printf("opened snoop file %s:\n", fname);
- printf("\tid: %8.8s version: %d type: %d\n", sh.s_id, sh.s_v, s_type);
-
- return fd;
-}
-
-
-static int snoop_close()
-{
- return close(sfd);
-}
-
-
-/*
- * read in the header (and validate) which should be the first record
- * in a snoop file.
- */
-static int snoop_read_rec(rec)
-struct snooppkt *rec;
-{
- int n, p;
-
- if (read(sfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
- return -2;
-
- if (rec->sp_ilen > rec->sp_plen || rec->sp_plen < sizeof(*rec))
- return -2;
-
- p = rec->sp_plen - sizeof(*rec);
- n = MIN(p, rec->sp_ilen);
- if (!n || n < 0)
- return -3;
-
- return p;
-}
-
-
-#ifdef notyet
-/*
- * read an entire snoop packet record. only the data part is copied into
- * the available buffer, with the number of bytes copied returned.
- */
-static int snoop_read(buf, cnt)
-char *buf;
-int cnt;
-{
- struct snooppkt rec;
- static char *bufp = NULL;
- int i, n;
-
- if ((i = snoop_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
-
- if (read(sfd, bufp, i) != i)
- return -2;
-
- n = MIN(i, cnt);
- bcopy(bufp, buf, n);
- return n;
-}
-#endif
-
-
-/*
- * return only an IP packet read into buf
- */
-static int snoop_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- static char *bufp = NULL;
- struct snooppkt rec;
- struct llc *l;
- char ty[4], *s;
- int i, n;
-
- do {
- if ((i = snoop_read_rec(&rec)) <= 0)
- return i;
-
- if (!bufp)
- bufp = malloc(i);
- else
- bufp = realloc(bufp, i);
- s = bufp;
-
- if (read(sfd, s, i) != i)
- return -2;
-
- l = &llcs[s_type];
- i -= l->lc_to;
- s += l->lc_to;
- /*
- * XXX - bogus assumption here on the part of the time field
- * that it won't be greater than 4 bytes and the 1st two will
- * have the values 8 and 0 for IP. Should be a table of
- * these too somewhere. Really only works for SDL_ETHER.
- */
- bcopy(s, ty, l->lc_tl);
- } while (ty[0] != 0x8 && ty[1] != 0);
-
- i -= l->lc_tl;
- s += l->lc_tl;
- n = MIN(i, cnt);
- bcopy(s, buf, n);
-
- return n;
-}
diff --git a/usr.sbin/ipftest/ipft_td.c b/usr.sbin/ipftest/ipft_td.c
deleted file mode 100644
index 3c79dbcf499..00000000000
--- a/usr.sbin/ipftest/ipft_td.c
+++ /dev/null
@@ -1,193 +0,0 @@
-/* $OpenBSD: ipft_td.c,v 1.16 2001/01/30 04:31:01 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-
-/*
-tcpdump -n
-
-00:05:47.816843 128.231.76.76.3291 > 224.2.252.231.36573: udp 36 (encap)
-
-tcpdump -nq
-
-00:33:48.410771 192.73.213.11.1463 > 224.2.248.153.59360: udp 31 (encap)
-
-tcpdump -nqt
-
-128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-tcpdump -nqtt
-
-123456789.1234567 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-tcpdump -nqte
-
-8:0:20:f:65:f7 0:0:c:1:8a:c5 81: 128.250.133.13.23 > 128.250.20.20.2419: tcp 27
-
-*/
-#include <stdio.h>
-#include <string.h>
-#if !defined(__SVR4) && !defined(__GNUC__)
-#include <strings.h>
-#endif
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ipft_td.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
-#endif
-
-static int tcpd_open __P((char *));
-static int tcpd_close __P((void));
-static int tcpd_readip __P((char *, int, char **, int *));
-static int count_dots __P((char *));
-
-struct ipread tcpd = { tcpd_open, tcpd_close, tcpd_readip };
-
-static FILE *tfp = NULL;
-static int tfd = -1;
-
-
-static int tcpd_open(fname)
-char *fname;
-{
- if (tfd != -1)
- return tfd;
-
- if (!strcmp(fname, "-")) {
- tfd = 0;
- tfp = stdin;
- } else {
- tfd = open(fname, O_RDONLY);
- tfp = fdopen(tfd, "r");
- }
- return tfd;
-}
-
-
-static int tcpd_close()
-{
- (void) fclose(tfp);
- return close(tfd);
-}
-
-
-static int count_dots(str)
-char *str;
-{
- int i = 0;
-
- while (*str)
- if (*str++ == '.')
- i++;
- return i;
-}
-
-
-static int tcpd_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- struct tcpiphdr pkt;
- ip_t *ip = (ip_t *)&pkt;
- struct protoent *p;
- char src[32], dst[32], misc[256], time[32], link1[32], link2[32];
- char lbuf[160], *s;
- int n, dots, slen, extra = 0;
-
- if (!fgets(lbuf, sizeof(lbuf) - 1, tfp))
- return 0;
-
- if ((s = strchr(lbuf, '\n')))
- *s = '\0';
- lbuf[sizeof(lbuf)-1] = '\0';
-
- bzero(&pkt, sizeof(pkt));
-
- if ((n = sscanf(lbuf, "%s > %s: %s", src, dst, misc)) != 3)
- if ((n = sscanf(lbuf, "%s %s > %s: %s",
- time, src, dst, misc)) != 4)
- if ((n = sscanf(lbuf, "%s %s: %s > %s: %s",
- link1, link2, src, dst, misc)) != 5) {
- n = sscanf(lbuf, "%s %s %s: %s > %s: %s",
- time, link1, link2, src, dst, misc);
- if (n != 6)
- return -1;
- }
-
- if ((dots = count_dots(dst)) == 4) {
- s = strrchr(src, '.');
- *s++ = '\0';
- (void) inet_aton(src, &ip->ip_src);
- pkt.ti_sport = htons(atoi(s));
- *--s = '.';
- s = strrchr(dst, '.');
-
- *s++ = '\0';
- (void) inet_aton(src, &ip->ip_dst);
- pkt.ti_dport = htons(atoi(s));
- *--s = '.';
-
- } else {
- (void) inet_aton(src, &ip->ip_src);
- (void) inet_aton(src, &ip->ip_dst);
- }
- ip->ip_len = ip->ip_hl = sizeof(ip_t);
-
- s = strtok(misc, " :");
- if ((p = getprotobyname(s))) {
- ip->ip_p = p->p_proto;
-
- switch (p->p_proto) {
- case IPPROTO_TCP :
- case IPPROTO_UDP :
- s = strtok(NULL, " :");
- ip->ip_len += atoi(s);
- if (p->p_proto == IPPROTO_TCP)
- extra = sizeof(struct tcphdr);
- else if (p->p_proto == IPPROTO_UDP)
- extra = sizeof(struct udphdr);
- break;
-#ifdef IGMP
- case IPPROTO_IGMP :
- extra = sizeof(struct igmp);
- break;
-#endif
- case IPPROTO_ICMP :
- extra = sizeof(struct icmp);
- break;
- default :
- break;
- }
- }
- slen = ip->ip_hl + extra + ip->ip_len;
- return slen;
-}
diff --git a/usr.sbin/ipftest/ipft_tx.c b/usr.sbin/ipftest/ipft_tx.c
deleted file mode 100644
index 18548abe243..00000000000
--- a/usr.sbin/ipftest/ipft_tx.c
+++ /dev/null
@@ -1,352 +0,0 @@
-/* $OpenBSD: ipft_tx.c,v 1.19 2001/01/30 04:31:02 kjell Exp $ */
-
-/*
- * Copyright (C) 1995-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#include <stdio.h>
-#include <ctype.h>
-#include <assert.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-#include <arpa/inet.h>
-#include <net/if.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ipft_tx.c,v 2.3.2.1 2001/01/10 06:19:53 darrenr Exp $";
-#endif
-
-extern int opts;
-
-static char *tx_proto = "";
-
-static int text_open __P((char *)), text_close __P((void));
-static int text_readip __P((char *, int, char **, int *));
-static int parseline __P((char *, ip_t *, char **, int *));
-
-static char _tcp_flagset[] = "FSRPAUEC";
-static u_char _tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH,
- TH_ACK, TH_URG, TH_ECN, TH_CWR };
-
-struct ipread iptext = { text_open, text_close, text_readip };
-static FILE *tfp = NULL;
-static int tfd = -1;
-
-static u_32_t tx_hostnum __P((char *, int *));
-static u_short tx_portnum __P((char *));
-
-
-/*
- * returns an ip address as a long var as a result of either a DNS lookup or
- * straight inet_addr() call
- */
-static u_32_t tx_hostnum(host, resolved)
-char *host;
-int *resolved;
-{
- struct hostent *hp;
- struct netent *np;
-
- *resolved = 0;
- if (!strcasecmp("any",host))
- return 0L;
- if (isdigit(*host))
- return inet_addr(host);
-
- if (!(hp = gethostbyname(host))) {
- if (!(np = getnetbyname(host))) {
- *resolved = -1;
- fprintf(stderr, "can't resolve hostname: %s\n", host);
- return 0;
- }
- return htonl(np->n_net);
- }
- return *(u_32_t *)hp->h_addr;
-}
-
-
-/*
- * find the port number given by the name, either from getservbyname() or
- * straight atoi()
- */
-static u_short tx_portnum(name)
-char *name;
-{
- struct servent *sp, *sp2;
- u_short p1 = 0;
-
- if (isdigit(*name))
- return (u_short)atoi(name);
- if (!tx_proto)
- tx_proto = "tcp/udp";
- if (strcasecmp(tx_proto, "tcp/udp")) {
- sp = getservbyname(name, tx_proto);
- if (sp)
- return ntohs(sp->s_port);
- (void) fprintf(stderr, "unknown service \"%s\".\n", name);
- return 0;
- }
- sp = getservbyname(name, "tcp");
- if (sp)
- p1 = sp->s_port;
- sp2 = getservbyname(name, "udp");
- if (!sp || !sp2) {
- (void) fprintf(stderr, "unknown tcp/udp service \"%s\".\n",
- name);
- return 0;
- }
- if (p1 != sp2->s_port) {
- (void) fprintf(stderr, "%s %d/tcp is a different port to ",
- name, p1);
- (void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
- return 0;
- }
- return ntohs(p1);
-}
-
-
-char *tx_icmptypes[] = {
- "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
- "redir", (char *)NULL, (char *)NULL, "echo", "routerad",
- "routersol", "timex", "paramprob", "timest", "timestrep",
- "inforeq", "inforep", "maskreq", "maskrep", "END"
-};
-
-static int text_open(fname)
-char *fname;
-{
- if (tfp && tfd != -1) {
- rewind(tfp);
- return tfd;
- }
-
- if (!strcmp(fname, "-")) {
- tfd = 0;
- tfp = stdin;
- } else {
- tfd = open(fname, O_RDONLY);
- if (tfd != -1)
- tfp = fdopen(tfd, "r");
- }
- return tfd;
-}
-
-
-static int text_close()
-{
- int cfd = tfd;
-
- tfd = -1;
- return close(cfd);
-}
-
-
-static int text_readip(buf, cnt, ifn, dir)
-char *buf, **ifn;
-int cnt, *dir;
-{
- register char *s;
- ip_t *ip;
- char line[513];
-
- ip = (ip_t *)buf;
- *ifn = NULL;
- while (fgets(line, sizeof(line)-1, tfp)) {
- if ((s = index(line, '\n')))
- *s = '\0';
- if ((s = index(line, '\r')))
- *s = '\0';
- if ((s = index(line, '#')))
- *s = '\0';
- if (!*line)
- continue;
- if (!(opts & OPT_BRIEF))
- printf("input: %s\n", line);
- *ifn = NULL;
- *dir = 0;
- if (!parseline(line, (ip_t *)buf, ifn, dir))
-#if 0
- return sizeof(*ip) + sizeof(tcphdr_t);
-#else
- return sizeof(ip_t);
-#endif
- }
- return -1;
-}
-
-static int parseline(line, ip, ifn, out)
-char *line;
-ip_t *ip;
-char **ifn;
-int *out;
-{
- tcphdr_t th, *tcp = &th;
- struct icmp icmp, *ic = &icmp;
- char *cps[20], **cpp, c, ipopts[68];
- int i, r;
-
- if (*ifn)
- free(*ifn);
- bzero((char *)ip, MAX(sizeof(*tcp), sizeof(*ic)) + sizeof(*ip));
- bzero((char *)tcp, sizeof(*tcp));
- bzero((char *)ic, sizeof(*ic));
- bzero(ipopts, sizeof(ipopts));
- ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_v = IPVERSION;
- for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && i < 19; )
- cps[++i] = strtok(NULL, " \b\t\r\n");
- if (i < 2)
- return 1;
-
- cpp = cps;
-
- c = **cpp;
- if (!isalpha(c) || (tolower(c) != 'o' && tolower(c) != 'i')) {
- fprintf(stderr, "bad direction \"%s\"\n", *cpp);
- return 1;
- }
- *out = (tolower(c) == 'o') ? 1 : 0;
- cpp++;
-
- if (!strcasecmp(*cpp, "on")) {
- cpp++;
- if (!*cpp)
- return 1;
- *ifn = strdup(*cpp++);
- }
-
- c = **cpp;
- ip->ip_len = sizeof(ip_t);
- if (!strcasecmp(*cpp, "tcp") || !strcasecmp(*cpp, "udp") ||
- !strcasecmp(*cpp, "icmp")) {
- if (c == 't') {
- ip->ip_p = IPPROTO_TCP;
- ip->ip_len += sizeof(struct tcphdr);
- tx_proto = "tcp";
- } else if (c == 'u') {
- ip->ip_p = IPPROTO_UDP;
- ip->ip_len += sizeof(struct udphdr);
- tx_proto = "udp";
- } else {
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_len += sizeof(struct icmp);
- tx_proto = "icmp";
- }
- cpp++;
- } else if (isdigit(**cpp) && !index(*cpp, '.')) {
- ip->ip_p = atoi(*cpp);
- cpp++;
- } else
- ip->ip_p = IPPROTO_IP;
-
- if (!*cpp)
- return 1;
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) {
- char *last;
-
- last = index(*cpp, ',');
- if (!last) {
- fprintf(stderr, "tcp/udp with no source port\n");
- return 1;
- }
- *last++ = '\0';
- tcp->th_sport = htons(tx_portnum(last));
- }
- ip->ip_src.s_addr = tx_hostnum(*cpp, &r);
- cpp++;
- if (!*cpp)
- return 1;
-
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) {
- char *last;
-
- last = index(*cpp, ',');
- if (!last) {
- fprintf(stderr, "tcp/udp with no destination port\n");
- return 1;
- }
- *last++ = '\0';
- tcp->th_dport = htons(tx_portnum(last));
- }
- ip->ip_dst.s_addr = tx_hostnum(*cpp, &r);
- cpp++;
- if (*cpp && ip->ip_p == IPPROTO_TCP) {
- extern char _tcp_flagset[];
- extern u_char _tcp_flags[];
- char *s, *t;
-
- for (s = *cpp; *s; s++)
- if ((t = index(_tcp_flagset, *s)))
- tcp->th_flags |= _tcp_flags[t - _tcp_flagset];
- if (tcp->th_flags)
- cpp++;
- assert(tcp->th_flags != 0);
- tcp->th_win = htons(4096);
- tcp->th_off = sizeof(*tcp) >> 2;
- } else if (*cpp && ip->ip_p == IPPROTO_ICMP) {
- extern char *tx_icmptypes[];
- char **s, *t;
- int i;
-
- for (s = tx_icmptypes, i = 0; !*s || strcmp(*s, "END");
- s++, i++)
- if (*s && !strncasecmp(*cpp, *s, strlen(*s))) {
- ic->icmp_type = i;
- if ((t = index(*cpp, ',')))
- ic->icmp_code = atoi(t+1);
- cpp++;
- break;
- }
- }
-
- if (*cpp && !strcasecmp(*cpp, "opt")) {
- u_long olen;
-
- cpp++;
- olen = buildopts(*cpp, ipopts, (ip->ip_hl - 5) << 2);
- if (olen) {
- bcopy(ipopts, (char *)(ip + 1), olen);
- ip->ip_hl += olen >> 2;
- }
- }
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- bcopy((char *)tcp, ((char *)ip) + (ip->ip_hl << 2),
- sizeof(*tcp));
- else if (ip->ip_p == IPPROTO_ICMP)
- bcopy((char *)ic, ((char *)ip) + (ip->ip_hl << 2),
- sizeof(*ic));
- ip->ip_len = htons(ip->ip_len);
- return 0;
-}
diff --git a/usr.sbin/ipftest/ipftest.1 b/usr.sbin/ipftest/ipftest.1
deleted file mode 100644
index 4f12bd10a4b..00000000000
--- a/usr.sbin/ipftest/ipftest.1
+++ /dev/null
@@ -1,164 +0,0 @@
-.\" $OpenBSD: ipftest.1,v 1.16 2000/11/09 17:53:14 aaron Exp $
-.Dd May 23, 1999
-.Dt IPFTEST 1
-.Os
-.Sh NAME
-.Nm ipftest
-.Nd test packet filter rules with arbitrary input
-.Sh SYNOPSIS
-.Nm ipftest
-.Op Fl vbdPSTEHX
-.Op Fl I Ar interface
-.Fl r
-.Ar filename
-.Op Fl i Ar filename
-.Sh DESCRIPTION
-With
-.Nm
-operators can see the effects of an
-.Nm ipf
-filter ruleset on test packets, rather than having to observe
-the effects of the
-ruleset on live traffic.
-This can reduce the disruptions experienced
-during the development and refinement of secure IP environments.
-.Pp
-.Nm
-reads test packets from
-.Ar stdin
-or the file specified by the
-.Fl i
-option, applies the ruleset specified by the
-.Fl r
-option to each, and generates information about the effect of the ruleset on
-each packet to
-.Ar stdout .
-.Pp
-Captured or handcrafted packets to be tested can be supplied
-in a variety of formats.
-See the options
-.Fl P ,
-.Fl S ,
-.Fl T ,
-.Fl H ,
-and
-.Fl E
-for details.
-In addition the
-.Fl X
-option gives
-.Nm
-the ability to use its own text description format to generate
-.Dq fake
-packets.
-The format used is:
-.Bd -ragged
-in|out on
-.Ar if
-.Op tcp|udp|icmp
-.Ar srchost
-.Op , Ar port
-.Ar dsthost
-.Op , Ar port
-.Op Fl FSRPAU
-.Ed
-.Pp
-This allows for input or output ICMP, TCP, or UDP packets to be generated for
-any interface.
-For TCP or UDP it allows the specification of source and
-destination ports.
-For TCP it allows the specification of TCP flags.
-Some examples are:
-.Bd -literal -offset indent
-# a UDP packet coming in on le0
-in on le0 udp 10.1.1.1,2210 10.2.1.5,23
-# an IP packet coming in on le0 from localhost - hmm :)
-in on le0 localhost 10.4.12.1
-# a TCP packet going out of le0 with the SYN flag set.
-out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
-.Ed
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl v
-Verbose mode.
-This provides more information about which parts of rule
-matching the packet passes and fails.
-.It Fl d
-Turn on filter rule debugging.
-Currently, this only shows what caused
-the rule to not match in the IP header checking (addresses/netmasks, etc).
-.It Fl b
-Cause the output to be a one word description of the result of passing
-the packet through the filter: pass, block or nomatch.
-This is used in the regression testing.
-.It Fl I Ar interface
-Set the interface name (used in rule matching) to be the name supplied.
-This is useful with the
-.Fl P , Fl S
-and
-.Fl E
-options, where it is
-not otherwise possible to associate a packet with an interface.
-Normal
-.Dq text packets
-can override this setting.
-.It Fl P
-The input file is in
-the binary format produced using libpcap
-(i.e.,
-.Xr tcpdump
-version 3).
-Packets are read from this file as being input (for rule purposes).
-An interface may be specified using
-.Fl I .
-.It Fl S
-The input file is in
-.Dq snoop
-format (see RFC 1761).
-Packets are read
-from this file and used as input from any interface.
-This is perhaps the most useful input type, currently.
-.It Fl T
-The input file is text output from
-.Xr tcpdump .
-The text formats which
-are currently supported are those which result from the following
-.Xr tcpdump
-option combinations:
-.Bd -literal -offset indent
-tcpdump -n
-tcpdump -nq
-tcpdump -nqt
-tcpdump -nqtt
-tcpdump -nqte
-.Ed
-.It Fl H
-The input file is hex digits, representing the binary makeup of the
-packets.
-No length correction is made if an incorrect length is put in
-the IP header.
-.It Fl X
-The input file is composed of text descriptions of IP packets.
-.It Fl E
-The input file is text output from etherfind.
-The text formats which
-are currently supported are those which result from the following etherfind
-option combinations:
-.Bd -literal -offset indent
-etherfind -n
-etherfind -n -t
-.Ed
-.It Fl i Ar filename
-Specify the filename from which to take input.
-Default is stdin.
-.It Fl r Ar filename
-Specify the filename from which to read filter rules.
-.El
-.Sh SEE ALSO
-.Xr ipf 5 ,
-.Xr ipf 8 ,
-.Xr tcpdump 8
-.Sh BUGS
-Not all of the input formats are capable of introducing a
-wide enough variety of packets to be useful in testing.
diff --git a/usr.sbin/ipftest/ipt.c b/usr.sbin/ipftest/ipt.c
deleted file mode 100644
index 9cd04817000..00000000000
--- a/usr.sbin/ipftest/ipt.c
+++ /dev/null
@@ -1,264 +0,0 @@
-/* $OpenBSD: ipt.c,v 1.19 2001/01/30 04:31:02 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#ifdef __FreeBSD__
-# include <osreldate.h>
-#endif
-#include <stdio.h>
-#include <assert.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__) && !defined(__sgi)
-#include <strings.h>
-#else
-#if !defined(__sgi)
-#include <sys/byteorder.h>
-#endif
-#include <sys/file.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_fil.h>
-#include <netinet/ip_nat.h>
-#include <netinet/ip_state.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ipt.c,v 2.6 2000/03/13 22:10:25 darrenr Exp $";
-#endif
-
-extern char *optarg;
-extern struct frentry *ipfilter[2][2];
-extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex;
-extern struct ifnet *get_unit __P((char *, int));
-extern void init_ifp __P((void));
-extern ipnat_t *natparse __P((char *, int));
-extern int fr_running;
-
-int opts = 0;
-#ifdef USE_INET6
-int use_inet6 = 0;
-#endif
-int main __P((int, char *[]));
-
-int main(argc,argv)
-int argc;
-char *argv[];
-{
- struct ipread *r = &iptext;
- u_long buf[2048];
- struct ifnet *ifp;
- char *rules = NULL, *datain = NULL, *iface = NULL;
- ip_t *ip;
- int fd, i, dir = 0, c;
-
- while ((c = getopt(argc, argv, "6bdEHi:I:NoPr:STvX")) != -1)
- switch (c)
- {
-#ifdef USE_INET6
- case '6' :
- use_inet6 = 1;
- break;
-#endif
- case 'b' :
- opts |= OPT_BRIEF;
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'i' :
- datain = optarg;
- break;
- case 'I' :
- iface = optarg;
- break;
- case 'o' :
- opts |= OPT_SAVEOUT;
- break;
- case 'r' :
- rules = optarg;
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'E' :
- r = &etherf;
- break;
- case 'H' :
- r = &iphex;
- break;
- case 'N' :
- opts |= OPT_NAT;
- break;
- case 'P' :
- r = &pcap;
- break;
- case 'S' :
- r = &snoop;
- break;
- case 'T' :
- r = &tcpd;
- break;
- case 'X' :
- r = &iptext;
- break;
- }
-
- if (!rules) {
- (void)fprintf(stderr,"no rule file present\n");
- exit(-1);
- }
-
- nat_init();
- fr_stateinit();
- initparse();
- fr_running = 1;
-
- if (rules) {
- char line[513], *s;
- void *fr;
- FILE *fp;
- int linenum = 0;
-
- if (!strcmp(rules, "-"))
- fp = stdin;
- else if (!(fp = fopen(rules, "r"))) {
- (void)fprintf(stderr, "couldn't open %s\n", rules);
- exit(-1);
- }
- if (!(opts & OPT_BRIEF))
- (void)printf("opening rule file \"%s\"\n", rules);
- while (fgets(line, sizeof(line)-1, fp)) {
- linenum++;
- /*
- * treat both CR and LF as EOL
- */
- if ((s = index(line, '\n')))
- *s = '\0';
- if ((s = index(line, '\r')))
- *s = '\0';
- /*
- * # is comment marker, everything after is a ignored
- */
- if ((s = index(line, '#')))
- *s = '\0';
-
- if (!*line)
- continue;
-
- /* fake an `ioctl' call :) */
-
- if ((opts & OPT_NAT) != 0) {
- if (!(fr = natparse(line, linenum)))
- continue;
- i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
- (caddr_t)&fr,
- FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr,
- "iplioctl(ADNAT,%p,1) = %d\n",
- fr, i);
- } else {
- if (!(fr = parse(line, linenum)))
- continue;
- i = IPL_EXTERN(ioctl)(0, SIOCADAFR,
- (caddr_t)&fr,
- FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr,
- "iplioctl(ADAFR,%p,1) = %d\n",
- fr, i);
- }
- }
- (void)fclose(fp);
- }
-
- if (opts & OPT_SAVEOUT)
- init_ifp();
-
- if (datain)
- fd = (*r->r_open)(datain);
- else
- fd = (*r->r_open)("-");
-
- if (fd < 0)
- exit(-1);
-
- ip = (ip_t *)buf;
- while ((i = (*r->r_readip)((char *)buf, sizeof(buf),
- &iface, &dir)) > 0) {
- ifp = iface ? get_unit(iface, ip->ip_v) : NULL;
- ip->ip_off = ntohs(ip->ip_off);
- ip->ip_len = ntohs(ip->ip_len);
- i = fr_check(ip, ip->ip_hl << 2, ifp, dir, (mb_t **)&buf);
- if ((opts & OPT_NAT) == 0)
- switch (i)
- {
- case -2 :
- (void)printf("auth");
- break;
- case -1 :
- (void)printf("block");
- break;
- case 0 :
- (void)printf("pass");
- break;
- case 1 :
- (void)printf("nomatch");
- break;
- }
-
- if (!(opts & OPT_BRIEF)) {
- putchar(' ');
- printpacket((ip_t *)buf);
- printf("--------------");
- } else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF))
- printpacket((ip_t *)buf);
-#ifndef linux
- if (dir && ifp && ip->ip_v)
-# ifdef __sgi
- (*ifp->if_output)(ifp, (void *)buf, NULL);
-# else
- (*ifp->if_output)(ifp, (void *)buf, NULL, 0);
-# endif
-#endif
- if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
- putchar('\n');
- dir = 0;
- }
- (*r->r_close)();
- return 0;
-}
diff --git a/usr.sbin/ipftest/ipt.h b/usr.sbin/ipftest/ipt.h
deleted file mode 100644
index 73d4bd0309d..00000000000
--- a/usr.sbin/ipftest/ipt.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/* $OpenBSD: ipt.h,v 1.11 2001/01/17 06:01:23 fgsch Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- * $IPFilter: ipt.h,v 2.2 2000/03/13 22:10:25 darrenr Exp $
- */
-
-#ifndef __IPT_H__
-#define __IPT_H__
-
-#ifndef __P
-# define P_DEF
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-#include <fcntl.h>
-
-
-struct ipread {
- int (*r_open) __P((char *));
- int (*r_close) __P((void));
- int (*r_readip) __P((char *, int, char **, int *));
-};
-
-extern void debug __P((char *, ...));
-extern void verbose __P((char *, ...));
-
-#ifdef P_DEF
-# undef __P
-# undef P_DEF
-#endif
-
-#endif /* __IPT_H__ */
diff --git a/usr.sbin/ipftest/misc.c b/usr.sbin/ipftest/misc.c
deleted file mode 100644
index 261619ae38e..00000000000
--- a/usr.sbin/ipftest/misc.c
+++ /dev/null
@@ -1,116 +0,0 @@
-/* $OpenBSD: misc.c,v 1.14 2001/01/30 04:31:02 kjell Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if (SOLARIS2 >= 7)
-# define _SYS_VARARGS_H
-# define _VARARGS_H
-#endif
-#if defined(__STDC__)
-# include <stdarg.h>
-#else
-# include <varargs.h>
-#endif
-#include <stdio.h>
-#include <assert.h>
-#include <string.h>
-#include <sys/types.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/ip.h>
-#include <netinet/udp.h>
-#include <netinet/tcp.h>
-#include <netinet/ip_icmp.h>
-#include <net/if.h>
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <netinet/ip_fil_compat.h>
-#include <netinet/tcpip.h>
-#include <netinet/ip_fil.h>
-#include "ipf.h"
-#include "ipt.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: misc.c,v 2.2 2000/03/13 22:10:25 darrenr Exp $";
-#endif
-
-extern int opts;
-
-
-void printpacket(ip)
-ip_t *ip;
-{
- tcphdr_t *tcp;
-
- tcp = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2));
- printf("ip %d(%d) %d", ip->ip_len, ip->ip_hl << 2, ip->ip_p);
- if (ip->ip_off & IP_OFFMASK)
- printf(" @%d", ip->ip_off << 3);
- (void)printf(" %s", inet_ntoa(ip->ip_src));
- if (!(ip->ip_off & IP_OFFMASK))
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_sport));
- (void)printf(" > ");
- (void)printf("%s", inet_ntoa(ip->ip_dst));
- if (!(ip->ip_off & IP_OFFMASK))
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- (void)printf(",%d", ntohs(tcp->th_dport));
- putchar('\n');
-}
-
-
-#if defined(__STDC__)
-void verbose(char *fmt, ...)
-#else
-void verbose(fmt, va_alist)
-char *fmt;
-va_dcl
-#endif
-{
- va_list pvar;
-
- va_start(pvar, fmt);
- if (opts & OPT_VERBOSE)
- vprintf(fmt, pvar);
- va_end(pvar);
-}
-
-
-#ifdef __STDC__
-void debug(char *fmt, ...)
-#else
-void debug(fmt, va_alist)
-char *fmt;
-va_dcl
-#endif
-{
- va_list pvar;
-
- va_start(pvar, fmt);
- if (opts & OPT_DEBUG)
- vprintf(fmt, pvar);
- va_end(pvar);
-}
diff --git a/usr.sbin/ipftest/pcap.h b/usr.sbin/ipftest/pcap.h
deleted file mode 100644
index 2496ac09e65..00000000000
--- a/usr.sbin/ipftest/pcap.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/* $OpenBSD: pcap.h,v 1.11 2001/01/17 06:01:23 fgsch Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- * $IPFilter: pcap.h,v 2.2 2000/03/13 22:10:27 darrenr Exp $
- */
-/*
- * This header file is constructed to match the version described by
- * PCAP_VERSION_MAJ.
- *
- * The structure largely derives from libpcap which wouldn't include
- * nicely without bpf.
- */
-typedef struct pcap_filehdr {
- u_int pc_id;
- u_short pc_v_maj;
- u_short pc_v_min;
- u_int pc_zone;
- u_int pc_sigfigs;
- u_int pc_slen;
- u_int pc_type;
-} pcaphdr_t;
-
-#define TCPDUMP_MAGIC 0xa1b2c3d4
-
-#define PCAP_VERSION_MAJ 2
-
-typedef struct pcap_pkthdr {
- struct timeval ph_ts;
- u_int ph_clen;
- u_int ph_len;
-} pcappkt_t;
-
diff --git a/usr.sbin/ipftest/snoop.h b/usr.sbin/ipftest/snoop.h
deleted file mode 100644
index cbed990015c..00000000000
--- a/usr.sbin/ipftest/snoop.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/* $OpenBSD: snoop.h,v 1.10 2001/01/17 06:01:23 fgsch Exp $ */
-
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-
-#ifndef __SNOOP_H__
-#define __SNOOP_H__
-
-/*
- * written to comply with the RFC (1761) from Sun.
- * $IPFilter: snoop.h,v 2.2 2000/03/13 22:10:27 darrenr Exp $
- */
-struct snoophdr {
- char s_id[8];
- int s_v;
- int s_type;
-};
-
-#define SNOOP_VERSION 2
-
-#define SDL_8023 0
-#define SDL_8024 1
-#define SDL_8025 2
-#define SDL_8026 3
-#define SDL_ETHER 4
-#define SDL_HDLC 5
-#define SDL_CHSYNC 6
-#define SDL_IBMCC 7
-#define SDL_FDDI 8
-#define SDL_OTHER 9
-
-#define SDL_MAX 9
-
-
-struct snooppkt {
- int sp_olen;
- int sp_ilen;
- int sp_plen;
- int sp_drop;
- int sp_sec;
- int sp_usec;
-};
-
-#endif /* __SNOOP_H__ */
diff --git a/usr.sbin/ipsend/Makefile b/usr.sbin/ipsend/Makefile
deleted file mode 100644
index 7d87e4ed022..00000000000
--- a/usr.sbin/ipsend/Makefile
+++ /dev/null
@@ -1,5 +0,0 @@
-# $OpenBSD: Makefile,v 1.4 1997/09/21 11:43:47 deraadt Exp $
-
-SUBDIR= ipsend ipresend iptest
-
-.include <bsd.subdir.mk>
diff --git a/usr.sbin/ipsend/common/44arp.c b/usr.sbin/ipsend/common/44arp.c
deleted file mode 100644
index 751a03549d3..00000000000
--- a/usr.sbin/ipsend/common/44arp.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/* $OpenBSD: 44arp.c,v 1.3 2001/01/17 06:01:24 fgsch Exp $ */
-
-/*
- * Based upon 4.4BSD's /usr/sbin/arp
- */
-#include <unistd.h>
-#include <string.h>
-#include <stdlib.h>
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/sysctl.h>
-#include <net/if.h>
-#include <net/if_dl.h>
-#include <net/if_types.h>
-#include <net/route.h>
-#include <netinet/in.h>
-#include <netinet/if_ether.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <errno.h>
-#include <nlist.h>
-#include <stdio.h>
-#include <netinet/in.h>
-#include <netinet/ip_var.h>
-#include <netinet/tcp.h>
-#if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-#endif
-#include "ipsend.h"
-#include "iplang.h"
-
-
-/*
- * lookup host and return
- * its IP address in address
- * (4 bytes)
- */
-int resolve(host, address)
-char *host, *address;
-{
- struct hostent *hp;
- u_long add;
-
- add = inet_addr(host);
- if (add == -1)
- {
- if (!(hp = gethostbyname(host)))
- {
- fprintf(stderr, "unknown host: %s\n", host);
- return -1;
- }
- bcopy((char *)hp->h_addr, (char *)address, 4);
- return 0;
- }
- bcopy((char*)&add, address, 4);
- return 0;
-}
-
-
-int arp(addr, eaddr)
-char *addr, *eaddr;
-{
- int mib[6];
- size_t needed;
- char *lim, *buf, *next;
- struct rt_msghdr *rtm;
- struct sockaddr_inarp *sin;
- struct sockaddr_dl *sdl;
-
-#ifdef IPSEND
- if (arp_getipv4(addr, ether) == 0)
- return 0;
-#endif
-
- mib[0] = CTL_NET;
- mib[1] = PF_ROUTE;
- mib[2] = 0;
- mib[3] = AF_INET;
- mib[4] = NET_RT_FLAGS;
- mib[5] = RTF_LLINFO;
- if (sysctl(mib, 6, NULL, &needed, NULL, 0) == -1)
- {
- perror("route-sysctl-estimate");
- exit(-1);
- }
- if ((buf = malloc(needed)) == NULL)
- {
- perror("malloc");
- exit(-1);
- }
- if (sysctl(mib, 6, buf, &needed, NULL, 0) == -1)
- {
- perror("actual retrieval of routing table");
- exit(-1);
- }
- lim = buf + needed;
- for (next = buf; next < lim; next += rtm->rtm_msglen)
- {
- rtm = (struct rt_msghdr *)next;
- sin = (struct sockaddr_inarp *)(rtm + 1);
- sdl = (struct sockaddr_dl *)(sin + 1);
- if (addr && !bcmp(addr, (char *)&sin->sin_addr,
- sizeof(struct in_addr)))
- {
- bcopy(LLADDR(sdl), eaddr, sdl->sdl_alen);
- return 0;
- }
- }
- return -1;
-}
diff --git a/usr.sbin/ipsend/common/ip.c b/usr.sbin/ipsend/common/ip.c
deleted file mode 100644
index 86bd2fef8b9..00000000000
--- a/usr.sbin/ipsend/common/ip.c
+++ /dev/null
@@ -1,349 +0,0 @@
-/* $OpenBSD: ip.c,v 1.6 2001/01/17 06:01:24 fgsch Exp $ */
-
-/*
- * ip.c (C) 1995-1998 Darren Reed
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995";
-static const char rcsid[] = "@(#)$IPFilter: ip.c,v 2.1 1999/08/04 17:31:04 darrenr Exp $";
-#endif
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <sys/types.h>
-#include <netinet/in_systm.h>
-#include <sys/socket.h>
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#include <sys/param.h>
-#ifndef linux
-# include <netinet/if_ether.h>
-# include <netinet/ip_var.h>
-# if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-# endif
-#endif
-#include "ipsend.h"
-
-
-static char *ipbuf = NULL, *ethbuf = NULL;
-
-
-u_short chksum(buf,len)
-u_short *buf;
-int len;
-{
- u_long sum = 0;
- int nwords = len >> 1;
-
- for(; nwords > 0; nwords--)
- sum += *buf++;
- sum = (sum>>16) + (sum & 0xffff);
- sum += (sum >>16);
- return (~sum);
-}
-
-
-int send_ether(nfd, buf, len, gwip)
-int nfd, len;
-char *buf;
-struct in_addr gwip;
-{
- static struct in_addr last_gw;
- static char last_arp[6] = { 0, 0, 0, 0, 0, 0};
- ether_header_t *eh;
- char *s;
- int err;
-
- if (!ethbuf)
- ethbuf = (char *)calloc(1, 65536+1024);
- s = ethbuf;
- eh = (ether_header_t *)s;
-
- bcopy((char *)buf, s + sizeof(*eh), len);
- if (gwip.s_addr == last_gw.s_addr)
- bcopy(last_arp, (char *)A_A eh->ether_dhost, 6);
- else if (arp((char *)&gwip, (char *)A_A eh->ether_dhost) == -1)
- {
- perror("arp");
- return -2;
- }
- eh->ether_type = htons(ETHERTYPE_IP);
- last_gw.s_addr = gwip.s_addr;
- err = sendip(nfd, s, sizeof(*eh) + len);
- return err;
-}
-
-
-/*
- */
-int send_ip(nfd, mtu, ip, gwip, frag)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
-int frag;
-{
- static struct in_addr last_gw;
- static char last_arp[6] = { 0, 0, 0, 0, 0, 0};
- static u_short id = 0;
- ether_header_t *eh;
- ip_t ipsv;
- int err, iplen;
-
- if (!ipbuf)
- ipbuf = (char *)malloc(65536);
- eh = (ether_header_t *)ipbuf;
-
- bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost));
- if (last_gw.s_addr && (gwip.s_addr == last_gw.s_addr))
- bcopy(last_arp, (char *)A_A eh->ether_dhost, 6);
- else if (arp((char *)&gwip, (char *)A_A eh->ether_dhost) == -1)
- {
- perror("arp");
- return -2;
- }
- bcopy((char *)A_A eh->ether_dhost, last_arp, sizeof(last_arp));
- eh->ether_type = htons(ETHERTYPE_IP);
-
- bcopy((char *)ip, (char *)&ipsv, sizeof(*ip));
- last_gw.s_addr = gwip.s_addr;
- iplen = ip->ip_len;
- ip->ip_len = htons(iplen);
- if (!(frag & 2)) {
- if (!ip->ip_v)
- ip->ip_v = IPVERSION;
- if (!ip->ip_id)
- ip->ip_id = htons(id++);
- if (!ip->ip_ttl)
- ip->ip_ttl = 60;
- }
-
- if (!frag || (sizeof(*eh) + iplen < mtu))
- {
- ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
-
- bcopy((char *)ip, ipbuf + sizeof(*eh), iplen);
- err = sendip(nfd, ipbuf, sizeof(*eh) + iplen);
- }
- else
- {
- /*
- * Actually, this is bogus because we're putting all IP
- * options in every packet, which isn't always what should be
- * done. Will do for now.
- */
- ether_header_t eth;
- char optcpy[48], ol;
- char *s;
- int i, sent = 0, ts, hlen, olen;
-
- hlen = ip->ip_hl << 2;
- if (mtu < (hlen + 8)) {
- fprintf(stderr, "mtu (%d) < ip header size (%d) + 8\n",
- mtu, hlen);
- fprintf(stderr, "can't fragment data\n");
- return -2;
- }
- ol = (ip->ip_hl << 2) - sizeof(*ip);
- for (i = 0, s = (char*)(ip + 1); ol > 0; )
- if (*s == IPOPT_EOL) {
- optcpy[i++] = *s;
- break;
- } else if (*s == IPOPT_NOP) {
- s++;
- ol--;
- } else
- {
- olen = (int)(*(u_char *)(s + 1));
- ol -= olen;
- if (IPOPT_COPIED(*s))
- {
- bcopy(s, optcpy + i, olen);
- i += olen;
- s += olen;
- }
- }
- if (i)
- {
- /*
- * pad out
- */
- while ((i & 3) && (i & 3) != 3)
- optcpy[i++] = IPOPT_NOP;
- if ((i & 3) == 3)
- optcpy[i++] = IPOPT_EOL;
- }
-
- bcopy((char *)eh, (char *)&eth, sizeof(eth));
- s = (char *)ip + hlen;
- iplen = ntohs(ip->ip_len) - hlen;
- ip->ip_off |= htons(IP_MF);
-
- while (1)
- {
- if ((sent + (mtu - hlen)) >= iplen)
- {
- ip->ip_off ^= htons(IP_MF);
- ts = iplen - sent;
- }
- else
- ts = (mtu - hlen);
- ip->ip_off &= htons(0xe000);
- ip->ip_off |= htons(sent >> 3);
- ts += hlen;
- ip->ip_len = htons(ts);
- ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, hlen);
- bcopy((char *)ip, ipbuf + sizeof(*eh), hlen);
- bcopy(s + sent, ipbuf + sizeof(*eh) + hlen, ts - hlen);
- err = sendip(nfd, ipbuf, sizeof(*eh) + ts);
-
- bcopy((char *)&eth, ipbuf, sizeof(eth));
- sent += (ts - hlen);
- if (!(ntohs(ip->ip_off) & IP_MF))
- break;
- else if (!(ip->ip_off & htons(0x1fff)))
- {
- hlen = i + sizeof(*ip);
- ip->ip_hl = (sizeof(*ip) + i) >> 2;
- bcopy(optcpy, (char *)(ip + 1), i);
- }
- }
- }
-
- bcopy((char *)&ipsv, (char *)ip, sizeof(*ip));
- return err;
-}
-
-
-/*
- * send a tcp packet.
- */
-int send_tcp(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
-{
- static tcp_seq iss = 2;
- struct tcpiphdr *ti;
- tcphdr_t *t;
- int thlen, i, iplen, hlen;
- u_32_t lbuf[20];
-
- iplen = ip->ip_len;
- hlen = ip->ip_hl << 2;
- t = (tcphdr_t *)((char *)ip + hlen);
- ti = (struct tcpiphdr *)lbuf;
- thlen = t->th_off << 2;
- if (!thlen)
- thlen = sizeof(tcphdr_t);
- bzero((char *)ti, sizeof(*ti));
- ip->ip_p = IPPROTO_TCP;
- ti->ti_pr = ip->ip_p;
- ti->ti_src = ip->ip_src;
- ti->ti_dst = ip->ip_dst;
- bcopy((char *)ip + hlen, (char *)&ti->ti_sport, thlen);
-
- if (!ti->ti_win)
- ti->ti_win = htons(4096);
- iss += 63;
-
- i = sizeof(struct tcpiphdr) / sizeof(long);
-
- if ((ti->ti_flags == TH_SYN) && !ntohs(ip->ip_off) &&
- (lbuf[i] != htonl(0x020405b4))) {
- lbuf[i] = htonl(0x020405b4);
- bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4,
- iplen - thlen - hlen);
- thlen += 4;
- }
- ti->ti_off = thlen >> 2;
- ti->ti_len = htons(thlen);
- ip->ip_len = hlen + thlen;
- ti->ti_sum = 0;
- ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t));
-
- bcopy((char *)&ti->ti_sport, (char *)ip + hlen, thlen);
- return send_ip(nfd, mtu, ip, gwip, 1);
-}
-
-
-/*
- * send a udp packet.
- */
-int send_udp(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
-{
- struct tcpiphdr *ti;
- int thlen;
- u_long lbuf[20];
-
- ti = (struct tcpiphdr *)lbuf;
- bzero((char *)ti, sizeof(*ti));
- thlen = sizeof(udphdr_t);
- ti->ti_pr = ip->ip_p;
- ti->ti_src = ip->ip_src;
- ti->ti_dst = ip->ip_dst;
- bcopy((char *)ip + (ip->ip_hl << 2),
- (char *)&ti->ti_sport, sizeof(udphdr_t));
-
- ti->ti_len = htons(thlen);
- ip->ip_len = (ip->ip_hl << 2) + thlen;
- ti->ti_sum = 0;
- ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t));
-
- bcopy((char *)&ti->ti_sport,
- (char *)ip + (ip->ip_hl << 2), sizeof(udphdr_t));
- return send_ip(nfd, mtu, ip, gwip, 1);
-}
-
-
-/*
- * send an icmp packet.
- */
-int send_icmp(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
-{
- struct icmp *ic;
-
- ic = (struct icmp *)((char *)ip + (ip->ip_hl << 2));
-
- ic->icmp_cksum = 0;
- ic->icmp_cksum = chksum((u_short *)ic, sizeof(struct icmp));
-
- return send_ip(nfd, mtu, ip, gwip, 1);
-}
-
-
-int send_packet(nfd, mtu, ip, gwip)
-int nfd, mtu;
-ip_t *ip;
-struct in_addr gwip;
-{
- switch (ip->ip_p)
- {
- case IPPROTO_TCP :
- return send_tcp(nfd, mtu, ip, gwip);
- case IPPROTO_UDP :
- return send_udp(nfd, mtu, ip, gwip);
- case IPPROTO_ICMP :
- return send_icmp(nfd, mtu, ip, gwip);
- default :
- return send_ip(nfd, mtu, ip, gwip, 1);
- }
-}
diff --git a/usr.sbin/ipsend/common/iplang.h b/usr.sbin/ipsend/common/iplang.h
deleted file mode 100644
index e52fd4be33f..00000000000
--- a/usr.sbin/ipsend/common/iplang.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/* $OpenBSD: iplang.h,v 1.2 2001/01/17 06:01:25 fgsch Exp $ */
-
-/*
- * Copyright (C) 1997-1998 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-typedef struct iface {
- int if_MTU;
- char *if_name;
- struct in_addr if_addr;
- struct ether_addr if_eaddr;
- struct iface *if_next;
- int if_fd;
-} iface_t;
-
-
-typedef struct send {
- struct iface *snd_if;
- struct in_addr snd_gw;
-} send_t;
-
-
-typedef struct arp {
- struct in_addr arp_addr;
- struct ether_addr arp_eaddr;
- struct arp *arp_next;
-} arp_t;
-
-
-typedef struct aniphdr {
- union {
- ip_t *ahu_ip;
- char *ahu_data;
- tcphdr_t *ahu_tcp;
- udphdr_t *ahu_udp;
- icmphdr_t *ahu_icmp;
- } ah_un;
- int ah_optlen;
- int ah_lastopt;
- int ah_p;
- size_t ah_len;
- struct aniphdr *ah_next;
- struct aniphdr *ah_prev;
-} aniphdr_t;
-
-#define ah_ip ah_un.ahu_ip
-#define ah_data ah_un.ahu_data
-#define ah_tcp ah_un.ahu_tcp
-#define ah_udp ah_un.ahu_udp
-#define ah_icmp ah_un.ahu_icmp
-
-extern int get_arpipv4 __P((char *, char *));
-
diff --git a/usr.sbin/ipsend/common/ipsend.h b/usr.sbin/ipsend/common/ipsend.h
deleted file mode 100644
index e6e64917df6..00000000000
--- a/usr.sbin/ipsend/common/ipsend.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/* $OpenBSD: ipsend.h,v 1.4 2001/01/30 14:58:23 kjell Exp $ */
-
-/*
- * ipsend.h (C) 1997-1998 Darren Reed
- *
- * This was written to test what size TCP fragments would get through
- * various TCP/IP packet filters, as used in IP firewalls. In certain
- * conditions, enough of the TCP header is missing for unpredictable
- * results unless the filter is aware that this can happen.
- *
- * The author provides this program as-is, with no gaurantee for its
- * suitability for any specific purpose. The author takes no responsibility
- * for the misuse/abuse of this program and provides it for the sole purpose
- * of testing packet filter policies. This file maybe distributed freely
- * providing it is not modified and that this notice remains in tact.
- *
- */
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-#include "ip_fil_compat.h"
-#ifdef linux
-#include <linux/sockios.h>
-#endif
-#include "tcpip.h"
-#include "ipt.h"
-#include "ipf.h"
-
-extern int resolve __P((char *, char *));
-extern int arp __P((char *, char *));
-extern u_short chksum __P((u_short *, int));
-extern int send_ether __P((int, char *, int, struct in_addr));
-extern int send_ip __P((int, int, ip_t *, struct in_addr, int));
-extern int send_tcp __P((int, int, ip_t *, struct in_addr));
-extern int send_udp __P((int, int, ip_t *, struct in_addr));
-extern int send_icmp __P((int, int, ip_t *, struct in_addr));
-extern int send_packet __P((int, int, ip_t *, struct in_addr));
-extern int send_packets __P((char *, int, ip_t *, struct in_addr));
-extern u_short seclevel __P((char *));
-extern u_32_t buildopts __P((char *, char *, int));
-extern int addipopt __P((char *, struct ipopt_names *, int, char *));
-extern int initdevice __P((char *, int, int));
-extern int sendip __P((int, char *, int));
-#ifdef linux
-extern struct sock *find_tcp __P((int, struct tcpiphdr *));
-#else
-extern struct tcpcb *find_tcp __P((int, struct tcpiphdr *));
-#endif
-extern int ip_resend __P((char *, int, struct ipread *, struct in_addr, char *));
-
-extern void ip_test1 __P((char *, int, ip_t *, struct in_addr, int));
-extern void ip_test2 __P((char *, int, ip_t *, struct in_addr, int));
-extern void ip_test3 __P((char *, int, ip_t *, struct in_addr, int));
-extern void ip_test4 __P((char *, int, ip_t *, struct in_addr, int));
-extern void ip_test5 __P((char *, int, ip_t *, struct in_addr, int));
-extern void ip_test6 __P((char *, int, ip_t *, struct in_addr, int));
-extern void ip_test7 __P((char *, int, ip_t *, struct in_addr, int));
-extern int do_socket __P((char *, int, struct tcpiphdr *, struct in_addr));
-extern int openkmem __P((void));
-extern int kmemcpy __P((char *, void *, int));
-
-#define KMCPY(a,b,c) kmemcpy((char *)(a), (void *)(b), (int)(c))
-
-#ifndef OPT_RAW
-#define OPT_RAW 0x80000
-#endif
diff --git a/usr.sbin/ipsend/common/sbpf.c b/usr.sbin/ipsend/common/sbpf.c
deleted file mode 100644
index fc4c0e85c2b..00000000000
--- a/usr.sbin/ipsend/common/sbpf.c
+++ /dev/null
@@ -1,144 +0,0 @@
-/* $OpenBSD: sbpf.c,v 1.5 2001/01/17 06:01:25 fgsch Exp $ */
-
-/*
- * (C)opyright 1995-1998 Darren Reed. (from tcplog)
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <signal.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/mbuf.h>
-#include <sys/time.h>
-#include <sys/timeb.h>
-#include <sys/socket.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
-#if BSD < 199103
-#include <sys/fcntlcom.h>
-#endif
-#if (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-#else
-# include <sys/dir.h>
-#endif
-#include <net/bpf.h>
-
-#include <net/if.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_var.h>
-#include <netinet/udp.h>
-#include <netinet/udp_var.h>
-#include <netinet/tcp.h>
-#include "ipsend.h"
-
-#if !defined(lint)
-static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: sbpf.c,v 2.1 1999/08/04 17:31:13 darrenr Exp $";
-#endif
-
-/*
- * the code herein is dervied from libpcap.
- */
-static u_char *buf = NULL;
-static int bufsize = 0, timeout = 1;
-
-
-int initdevice(device, sport, tout)
-char *device;
-int sport, tout;
-{
- struct bpf_version bv;
- struct timeval to;
- struct ifreq ifr;
- char bpfname[16];
- int fd, i;
-
- fd = 0; /* shutup gcc */
-
- for (i = 0; i < 16; i++)
- {
- (void) sprintf(bpfname, "/dev/bpf%d", i);
- if ((fd = open(bpfname, O_RDWR)) >= 0)
- break;
- }
- if (i == 16)
- {
- fprintf(stderr, "no bpf devices available as /dev/bpfxx\n");
- return -1;
- }
-
- if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0)
- {
- perror("BIOCVERSION");
- return -1;
- }
- if (bv.bv_major != BPF_MAJOR_VERSION ||
- bv.bv_minor < BPF_MINOR_VERSION)
- {
- fprintf(stderr, "kernel bpf (v%d.%d) filter out of date:\n",
- bv.bv_major, bv.bv_minor);
- fprintf(stderr, "current version: %d.%d\n",
- BPF_MAJOR_VERSION, BPF_MINOR_VERSION);
- return -1;
- }
-
- (void) strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
- if (ioctl(fd, BIOCSETIF, &ifr) == -1)
- {
- fprintf(stderr, "%s(%d):", ifr.ifr_name, fd);
- perror("BIOCSETIF");
- exit(1);
- }
- /*
- * get kernel buffer size
- */
- if (ioctl(fd, BIOCGBLEN, &bufsize) == -1)
- {
- perror("BIOCSBLEN");
- exit(-1);
- }
- buf = (u_char*)malloc(bufsize);
- /*
- * set the timeout
- */
- timeout = tout;
- to.tv_sec = 1;
- to.tv_usec = 0;
- if (ioctl(fd, BIOCSRTIMEOUT, (caddr_t)&to) == -1)
- {
- perror("BIOCSRTIMEOUT");
- exit(-1);
- }
-
- (void) ioctl(fd, BIOCFLUSH, 0);
- return fd;
-}
-
-
-/*
- * output an IP packet onto a fd opened for /dev/bpf
- */
-int sendip(fd, pkt, len)
-int fd, len;
-char *pkt;
-{
- if (write(fd, pkt, len) == -1)
- {
- perror("send");
- return -1;
- }
-
- return len;
-}
diff --git a/usr.sbin/ipsend/common/sock.c b/usr.sbin/ipsend/common/sock.c
deleted file mode 100644
index 8c169cef19a..00000000000
--- a/usr.sbin/ipsend/common/sock.c
+++ /dev/null
@@ -1,410 +0,0 @@
-/* $OpenBSD: sock.c,v 1.4 2001/01/17 06:01:25 fgsch Exp $ */
-
-/*
- * sock.c (C) 1995-1998 Darren Reed
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: sock.c,v 2.1.4.1 2000/12/16 21:05:44 darrenr Exp $";
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <string.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <pwd.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/param.h>
-#include <sys/stat.h>
-#ifndef ultrix
-#include <fcntl.h>
-#endif
-#if (__FreeBSD_version >= 300000)
-# include <sys/dirent.h>
-#else
-# include <sys/dir.h>
-#endif
-#define _KERNEL
-#define KERNEL
-#ifdef ultrix
-# undef LOCORE
-# include <sys/smp_lock.h>
-#endif
-#include <sys/file.h>
-#undef _KERNEL
-#undef KERNEL
-#include <nlist.h>
-#include <sys/user.h>
-#include <sys/socket.h>
-#include <sys/socketvar.h>
-#include <sys/proc.h>
-#if !defined(ultrix) && !defined(hpux)
-# include <kvm.h>
-#endif
-#ifdef sun
-#include <sys/systm.h>
-#include <sys/session.h>
-#endif
-#if BSD >= 199103
-#include <sys/sysctl.h>
-#include <sys/filedesc.h>
-#include <paths.h>
-#endif
-#include <math.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <net/if.h>
-#include <net/route.h>
-#include <netinet/ip_var.h>
-#include <netinet/in_pcb.h>
-#include <netinet/tcp_timer.h>
-#include <netinet/tcp_var.h>
-#include "ipsend.h"
-
-int nproc;
-struct proc *proc;
-
-#ifndef KMEM
-# ifdef _PATH_KMEM
-# define KMEM _PATH_KMEM
-# endif
-#endif
-#ifndef KERNEL
-# ifdef _PATH_UNIX
-# define KERNEL _PATH_UNIX
-# endif
-#endif
-#ifndef KMEM
-# define KMEM "/dev/kmem"
-#endif
-#ifndef KERNEL
-# define KERNEL "/vmunix"
-#endif
-
-
-#if BSD < 199103
-static struct proc *getproc __P((void));
-#else
-static struct kinfo_proc *getproc __P((void));
-#endif
-
-
-int kmemcpy(buf, pos, n)
-char *buf;
-void *pos;
-int n;
-{
- static int kfd = -1;
- off_t offset = (u_long)pos;
-
- if (kfd == -1)
- kfd = open(KMEM, O_RDONLY);
-
- if (lseek(kfd, offset, SEEK_SET) == -1)
- {
- perror("lseek");
- return -1;
- }
- if (read(kfd, buf, n) == -1)
- {
- perror("read");
- return -1;
- }
- return n;
-}
-
-struct nlist names[4] = {
- { "_proc" },
- { "_nproc" },
-#ifdef ultrix
- { "_u" },
-#else
- { NULL },
-#endif
- { NULL }
- };
-
-#if BSD < 199103
-static struct proc *getproc()
-{
- struct proc *p;
- pid_t pid = getpid();
- int siz, n;
-
- n = nlist(KERNEL, names);
- if (n != 0)
- {
- fprintf(stderr, "nlist(%#x) == %d\n", names, n);
- return NULL;
- }
- if (KMCPY(&nproc, names[1].n_value, sizeof(nproc)) == -1)
- {
- fprintf(stderr, "read nproc (%#x)\n", names[1].n_value);
- return NULL;
- }
- siz = nproc * sizeof(struct proc);
- if (KMCPY(&p, names[0].n_value, sizeof(p)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) proc\n",
- names[0].n_value, &p, sizeof(p));
- return NULL;
- }
- proc = (struct proc *)malloc(siz);
- if (KMCPY(proc, p, siz) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) proc\n",
- p, proc, siz);
- return NULL;
- }
-
- p = proc;
-
- for (n = nproc; n; n--, p++)
- if (p->p_pid == pid)
- break;
- if (!n)
- return NULL;
-
- return p;
-}
-
-
-struct tcpcb *find_tcp(fd, ti)
-int fd;
-struct tcpiphdr *ti;
-{
- struct tcpcb *t;
- struct inpcb *i;
- struct socket *s;
- struct user *up;
- struct proc *p;
- struct file *f, **o;
-
- if (!(p = getproc()))
- return NULL;
-printf("fl %x ty %x cn %d mc %d\n",
-f->f_flag, f->f_type, f->f_count, f->f_msgcount);
- up = (struct user *)malloc(sizeof(*up));
-#ifndef ultrix
- if (KMCPY(up, p->p_uarea, sizeof(*up)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x) failed\n", p, p->p_uarea);
- return NULL;
- }
-#else
- if (KMCPY(up, names[2].n_value, sizeof(*up)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x) failed\n", p, names[2].n_value);
- return NULL;
- }
-#endif
-
- o = (struct file **)calloc(1, sizeof(*o) * (up->u_lastfile + 1));
- if (KMCPY(o, up->u_ofile, (up->u_lastfile + 1) * sizeof(*o)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) - u_ofile - failed\n",
- up->u_ofile, o, sizeof(*o));
- return NULL;
- }
- f = (struct file *)calloc(1, sizeof(*f));
- if (KMCPY(f, o[fd], sizeof(*f)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) - o[fd] - failed\n",
- up->u_ofile[fd], f, sizeof(*f));
- return NULL;
- }
-
- s = (struct socket *)calloc(1, sizeof(*s));
- if (KMCPY(s, f->f_data, sizeof(*s)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) - f_data - failed\n",
- o[fd], s, sizeof(*s));
- return NULL;
- }
-
- i = (struct inpcb *)calloc(1, sizeof(*i));
- if (KMCPY(i, s->so_pcb, sizeof(*i)) == -1)
- {
- fprintf(stderr, "kvm_read(%#x,%#x,%d) - so_pcb - failed\n",
- s->so_pcb, i, sizeof(*i));
- return NULL;
- }
-
- t = (struct tcpcb *)calloc(1, sizeof(*t));
- if (KMCPY(t, i->inp_ppcb, sizeof(*t)) == -1)
- {
- fprintf(stderr, "read(%#x,%#x,%d) - inp_ppcb - failed\n",
- i->inp_ppcb, t, sizeof(*t));
- return NULL;
- }
- return (struct tcpcb *)i->inp_ppcb;
-}
-#else
-static struct kinfo_proc *getproc()
-{
- static struct kinfo_proc kp;
- pid_t pid = getpid();
- int mib[4];
- size_t n;
-
- mib[0] = CTL_KERN;
- mib[1] = KERN_PROC;
- mib[2] = KERN_PROC_PID;
- mib[3] = pid;
-
- n = sizeof(kp);
- if (sysctl(mib, 4, &kp, &n, NULL, 0) == -1)
- {
- perror("sysctl");
- return NULL;
- }
- return &kp;
-}
-
-
-struct tcpcb *find_tcp(tfd, ti)
-int tfd;
-struct tcpiphdr *ti;
-{
- struct tcpcb *t;
- struct inpcb *i;
- struct socket *s;
- struct filedesc *fd;
- struct kinfo_proc *p;
- struct file *f, **o;
-
- if (!(p = getproc()))
- return NULL;
-
- fd = (struct filedesc *)malloc(sizeof(*fd));
-#if defined( __FreeBSD_version) && __FreeBSD_version >= 500013
- if (KMCPY(fd, p->ki_fd, sizeof(*fd)) == -1)
- {
- fprintf(stderr, "read(%#lx,%#lx) failed\n",
- (u_long)p, (u_long)p->ki_fd);
- return NULL;
- }
-#else
- if (KMCPY(fd, p->kp_proc.p_fd, sizeof(*fd)) == -1)
- {
- fprintf(stderr, "read(%#lx,%#lx) failed\n",
- (u_long)p, (u_long)p->kp_proc.p_fd);
- return NULL;
- }
-#endif
-
- o = (struct file **)calloc(1, sizeof(*o) * (fd->fd_lastfile + 1));
- if (KMCPY(o, fd->fd_ofiles, (fd->fd_lastfile + 1) * sizeof(*o)) == -1)
- {
- fprintf(stderr, "read(%#lx,%#lx,%lu) - u_ofile - failed\n",
- (u_long)fd->fd_ofiles, (u_long)o, (u_long)sizeof(*o));
- return NULL;
- }
- f = (struct file *)calloc(1, sizeof(*f));
- if (KMCPY(f, o[tfd], sizeof(*f)) == -1)
- {
- fprintf(stderr, "read(%#lx,%#lx,%lu) - o[tfd] - failed\n",
- (u_long)o[tfd], (u_long)f, (u_long)sizeof(*f));
- return NULL;
- }
-
- s = (struct socket *)calloc(1, sizeof(*s));
- if (KMCPY(s, f->f_data, sizeof(*s)) == -1)
- {
- fprintf(stderr, "read(%#lx,%#lx,%lu) - f_data - failed\n",
- (u_long)f->f_data, (u_long)s, (u_long)sizeof(*s));
- return NULL;
- }
-
- i = (struct inpcb *)calloc(1, sizeof(*i));
- if (KMCPY(i, s->so_pcb, sizeof(*i)) == -1)
- {
- fprintf(stderr, "kvm_read(%#lx,%#lx,%lu) - so_pcb - failed\n",
- (u_long)s->so_pcb, (u_long)i, (u_long)sizeof(*i));
- return NULL;
- }
-
- t = (struct tcpcb *)calloc(1, sizeof(*t));
- if (KMCPY(t, i->inp_ppcb, sizeof(*t)) == -1)
- {
- fprintf(stderr, "read(%#lx,%#lx,%lu) - inp_ppcb - failed\n",
- (u_long)i->inp_ppcb, (u_long)t, (u_long)sizeof(*t));
- return NULL;
- }
- return (struct tcpcb *)i->inp_ppcb;
-}
-#endif /* BSD < 199301 */
-
-int do_socket(dev, mtu, ti, gwip)
-char *dev;
-int mtu;
-struct tcpiphdr *ti;
-struct in_addr gwip;
-{
- struct sockaddr_in rsin, lsin;
- struct tcpcb *t, tcb;
- int fd, nfd, len;
-
- printf("Dest. Port: %d\n", ti->ti_dport);
-
- fd = socket(AF_INET, SOCK_STREAM, 0);
- if (fd == -1)
- {
- perror("socket");
- return -1;
- }
-
- if (fcntl(fd, F_SETFL, FNDELAY) == -1)
- {
- perror("fcntl");
- return -1;
- }
-
- bzero((char *)&lsin, sizeof(lsin));
- lsin.sin_family = AF_INET;
- bcopy((char *)&ti->ti_src, (char *)&lsin.sin_addr,
- sizeof(struct in_addr));
- if (bind(fd, (struct sockaddr *)&lsin, sizeof(lsin)) == -1)
- {
- perror("bind");
- return -1;
- }
- len = sizeof(lsin);
- (void) getsockname(fd, (struct sockaddr *)&lsin, &len);
- ti->ti_sport = lsin.sin_port;
- printf("sport %d\n", ntohs(lsin.sin_port));
- nfd = initdevice(dev, ntohs(lsin.sin_port), 1);
-
- if (!(t = find_tcp(fd, ti)))
- return -1;
-
- bzero((char *)&rsin, sizeof(rsin));
- rsin.sin_family = AF_INET;
- bcopy((char *)&ti->ti_dst, (char *)&rsin.sin_addr,
- sizeof(struct in_addr));
- rsin.sin_port = ti->ti_dport;
- if (connect(fd, (struct sockaddr *)&rsin, sizeof(rsin)) == -1 &&
- errno != EINPROGRESS)
- {
- perror("connect");
- return -1;
- }
- KMCPY(&tcb, t, sizeof(tcb));
- ti->ti_win = tcb.rcv_adv;
- ti->ti_seq = tcb.snd_nxt - 1;
- ti->ti_ack = tcb.rcv_nxt;
-
- if (send_tcp(nfd, mtu, (ip_t *)ti, gwip) == -1)
- return -1;
- (void)write(fd, "Hello World\n", 12);
- sleep(2);
- close(fd);
- return 0;
-}
diff --git a/usr.sbin/ipsend/ipresend/Makefile b/usr.sbin/ipsend/ipresend/Makefile
deleted file mode 100644
index f75d2ed2c40..00000000000
--- a/usr.sbin/ipsend/ipresend/Makefile
+++ /dev/null
@@ -1,15 +0,0 @@
-# $OpenBSD: Makefile,v 1.4 1999/02/21 23:11:05 tholo Exp $
-
-PROG= ipresend
-BINDIR= /usr/sbin
-MAN= ipresend.1
-SRCS= ipresend.c resend.c \
- ipft_ef.c ipft_hx.c ipft_pc.c ipft_sn.c ipft_td.c ipft_tx.c opt.c \
- sock.c 44arp.c sbpf.c ip.c
-CFLAGS+= -DDOSOCKET -I${.CURDIR}/../common -I${.CURDIR}/../../ipftest \
- -I${.CURDIR}/../../../sbin/ipf \
- -I${.CURDIR}/../../../sys/netinet
-.PATH: ${.CURDIR}/../common ${.CURDIR}/../../ipftest \
- ${.CURDIR}/../../../sbin/ipf
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/ipsend/ipresend/ipresend.1 b/usr.sbin/ipsend/ipresend/ipresend.1
deleted file mode 100644
index c380c638d2e..00000000000
--- a/usr.sbin/ipsend/ipresend/ipresend.1
+++ /dev/null
@@ -1,119 +0,0 @@
-./" $OpenBSD: ipresend.1,v 1.10 2000/11/09 17:53:15 aaron Exp $
-.Dd October 9, 1999
-.Dt IPRESEND 1
-.Os
-.Sh NAME
-.Nm ipresend
-.Nd resend IP packets out to network
-.Sh SYNOPSIS
-.Nm ipsend
-.Op Fl EHPRSTX
-.Op Fl d Ar device
-.Op Fl g Ar gateway
-.Op Fl m Ar mtu
-.Op Fl r Ar filename
-.Sh DESCRIPTION
-.Nm
-was designed to allow captured packets to be resent
-onto the network for use in testing.
-.Nm
-supports a
-number of different file formats as input, including saved snoop and
-.Xr tcpdump 8
-binary data.
-.Pp
-.Nm
-must be run as root.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl d Ar interface
-Set the interface name to be the name supplied.
-This is useful with the
-.Fl P ,
-.Fl S ,
-.Fl T ,
-and
-.Fl E
-options, where it is not otherwise possible
-to associate a packet with an interface.
-Normal
-.Sq text packets
-can override this setting.
-.It Fl g Ar gateway
-Specify the hostname of the gateway through which to route packets.
-This is required whenever the destination host isn't directly attached to the
-same network as the host from which you're sending.
-.It Fl m Ar mtu
-Set the MTU used when sending out packets to
-.Ar mtu .
-This option allows you
-to set a fake MTU, allowing the simulation of network interfaces with small
-MTU's.
-.It Fl r Ar filename
-Specify the filename from which to take input.
-Default is
-.Va stdin .
-.It Fl E
-The input file is to be text output from etherfind.
-The text formats which
-are currently supported are those which result from the following etherfind
-option combinations:
-.Bd -literal -offset indent
-etherfind -n
-etherfind -n -t
-.Ed
-.It Fl H
-The input file is to be hex digits, representing the binary makeup of the
-packet.
-No length correction is made if an incorrect length is put in
-the IP header.
-.It Fl P
-The input file specified by
-.Fl r
-is a binary file produced using libpcap
-(i.e.,
-.Xr tcpdump 8
-version 3).
-Packets are read from this file as being input (for rule purposes).
-.It Fl R
-When sending packets out, send them out
-.Sq raw
-(the way they came in).
-The only real significance here is that it will expect the link layer (i.e.,
-Ethernet) headers to be prepended to the IP packet being output.
-.It Fl S
-The input file is to be in
-.Sq snoop
-format (see
-.Tn RFC 1761 ) .
-Packets are read
-from this file and used as input from any interface.
-This is perhaps the most useful input type, currently.
-.It Fl T
-The input file is to be text output from
-.Xr tcpdump 8 .
-The text formats which
-are currently supported are those which result from the following
-.Xr tcpdump 8
-option combinations:
-.Bd -literal -offset indent
-tcpdump -n
-tcpdump -nq
-tcpdump -nqt
-tcpdump -nqtt
-tcpdump -nqte
-.Ed
-.It Fl X
-The input file is composed of text descriptions of IP packets.
-.El
-.Sh SEE ALSO
-.Xr ipftest 1 ,
-.Xr ipresend 1 ,
-.Xr iptest 1 ,
-.Xr bpf 4 ,
-.Xr tcpdump 8
-.Sh BUGS
-Not all of the input formats are sufficiently capable of introducing a
-wide enough variety of packets for them to be all useful in testing.
-If you find any, please send email to me at darrenr@cyber.com.au
diff --git a/usr.sbin/ipsend/ipresend/ipresend.c b/usr.sbin/ipsend/ipresend/ipresend.c
deleted file mode 100644
index 5a4c4ba4aeb..00000000000
--- a/usr.sbin/ipsend/ipresend/ipresend.c
+++ /dev/null
@@ -1,168 +0,0 @@
-/* $OpenBSD: ipresend.c,v 1.5 2001/01/17 06:01:25 fgsch Exp $ */
-
-/*
- * ipresend.c (C) 1995-1998 Darren Reed
- *
- * This was written to test what size TCP fragments would get through
- * various TCP/IP packet filters, as used in IP firewalls. In certain
- * conditions, enough of the TCP header is missing for unpredictable
- * results unless the filter is aware that this can happen.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ipresend.c,v 2.1 1999/08/04 17:31:05 darrenr Exp $";
-#endif
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <netdb.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include "ipsend.h"
-
-
-extern char *optarg;
-extern int optind;
-#ifndef NO_IPF
-extern struct ipread snoop, pcap, etherf, iphex, tcpd, iptext;
-#endif
-
-int opts = 0;
-#ifndef DEFAULT_DEVICE
-# ifdef linux
-char default_device[] = "eth0";
-# else
-# ifdef sun
-char default_device[] = "le0";
-# else
-# ifdef ultrix
-char default_device[] = "ln0";
-# else
-# ifdef __bsdi__
-char default_device[] = "ef0";
-# else
-# ifdef __sgi
-char default_device[] = "ec0";
-# else
-char default_device[] = "lan0";
-# endif
-# endif
-# endif
-# endif
-# endif
-#else
-char default_device[] = DEFAULT_DEVICE;
-#endif
-
-
-static void usage __P((char *));
-int main __P((int, char **));
-
-
-static void usage(prog)
-char *prog;
-{
- fprintf(stderr, "Usage: %s [options] <-r filename|-R filename>\n\
-\t\t-r filename\tsnoop data file to resend\n\
-\t\t-R filename\tlibpcap data file to resend\n\
-\toptions:\n\
-\t\t-d device\tSend out on this device\n\
-\t\t-g gateway\tIP gateway to use if non-local dest.\n\
-\t\t-m mtu\t\tfake MTU to use when sending out\n\
-", prog);
- exit(1);
-}
-
-
-int main(argc, argv)
-int argc;
-char **argv;
-{
- struct in_addr gwip;
- struct ipread *ipr = NULL;
- char *name = argv[0], *gateway = NULL, *dev = NULL;
- char *resend = NULL;
- int mtu = 1500, c;
-
- while ((c = getopt(argc, argv, "EHPRSTXd:g:m:r:")) != -1)
- switch (c)
- {
- case 'd' :
- dev = optarg;
- break;
- case 'g' :
- gateway = optarg;
- break;
- case 'm' :
- mtu = atoi(optarg);
- if (mtu < 28)
- {
- fprintf(stderr, "mtu must be > 28\n");
- exit(1);
- }
- case 'r' :
- resend = optarg;
- break;
- case 'R' :
- opts |= OPT_RAW;
- break;
-#ifndef NO_IPF
- case 'E' :
- ipr = &etherf;
- break;
- case 'H' :
- ipr = &iphex;
- break;
- case 'P' :
- ipr = &pcap;
- break;
- case 'S' :
- ipr = &snoop;
- break;
- case 'T' :
- ipr = &tcpd;
- break;
- case 'X' :
- ipr = &iptext;
- break;
-#endif
- default :
- fprintf(stderr, "Unknown option \"%c\"\n", c);
- usage(name);
- }
-
- if (!ipr || !resend)
- usage(name);
-
- gwip.s_addr = 0;
- if (gateway && resolve(gateway, (char *)&gwip) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", gateway);
- exit(2);
- }
-
- if (!dev)
- dev = default_device;
-
- printf("Device: %s\n", dev);
- printf("Gateway: %s\n", inet_ntoa(gwip));
- printf("mtu: %d\n", mtu);
-
- return ip_resend(dev, mtu, ipr, gwip, resend);
-}
diff --git a/usr.sbin/ipsend/ipresend/resend.c b/usr.sbin/ipsend/ipresend/resend.c
deleted file mode 100644
index 7890062250d..00000000000
--- a/usr.sbin/ipsend/ipresend/resend.c
+++ /dev/null
@@ -1,144 +0,0 @@
-/* $OpenBSD: resend.c,v 1.4 2001/01/17 06:01:26 fgsch Exp $ */
-
-/*
- * resend.c (C) 1995-1998 Darren Reed
- *
- * This was written to test what size TCP fragments would get through
- * various TCP/IP packet filters, as used in IP firewalls. In certain
- * conditions, enough of the TCP header is missing for unpredictable
- * results unless the filter is aware that this can happen.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: resend.c,v 2.1 1999/08/04 17:31:12 darrenr Exp $";
-#endif
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <net/if.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#ifndef linux
-# include <netinet/ip_var.h>
-# include <netinet/if_ether.h>
-# if __FreeBSD_version >= 300000
-# include <net/if_var.h>
-# endif
-#endif
-#include "ipsend.h"
-
-extern int opts;
-
-static u_char pbuf[65536]; /* 1 big packet */
-void printpacket __P((ip_t *));
-
-
-void printpacket(ip)
-ip_t *ip;
-{
- tcphdr_t *t;
- int i, j;
-
- t = (tcphdr_t *)((char *)ip + (ip->ip_hl << 2));
- if (ip->ip_tos)
- printf("tos %#x ", ip->ip_tos);
- if (ip->ip_off & 0x3fff)
- printf("frag @%#x ", (ip->ip_off & 0x1fff) << 3);
- printf("len %d id %d ", ip->ip_len, ip->ip_id);
- printf("ttl %d p %d src %s", ip->ip_ttl, ip->ip_p,
- inet_ntoa(ip->ip_src));
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- printf(",%d", t->th_sport);
- printf(" dst %s", inet_ntoa(ip->ip_dst));
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- printf(",%d", t->th_dport);
- if (ip->ip_p == IPPROTO_TCP) {
- printf(" seq %lu:%lu flags ",
- (u_long)t->th_seq, (u_long)t->th_ack);
- for (j = 0, i = 1; i < 256; i *= 2, j++)
- if (t->th_flags & i)
- printf("%c", "FSRPAU--"[j]);
- }
- putchar('\n');
-}
-
-
-int ip_resend(dev, mtu, r, gwip, datain)
-char *dev;
-int mtu;
-struct in_addr gwip;
-struct ipread *r;
-char *datain;
-{
- ether_header_t *eh;
- char dhost[6];
- ip_t *ip;
- int fd, wfd = initdevice(dev, 0, 5), len, i;
-
- if (datain)
- fd = (*r->r_open)(datain);
- else
- fd = (*r->r_open)("-");
-
- if (fd < 0)
- exit(-1);
-
- ip = (struct ip *)pbuf;
- eh = (ether_header_t *)malloc(sizeof(*eh));
-
- bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost));
- if (gwip.s_addr && (arp((char *)&gwip, dhost) == -1))
- {
- perror("arp");
- return -2;
- }
-
- while ((i = (*r->r_readip)((char *)pbuf, sizeof(pbuf), NULL, NULL)) > 0)
- {
- if (!(opts & OPT_RAW)) {
- len = ntohs(ip->ip_len);
- eh = (ether_header_t *)realloc((char *)eh, sizeof(*eh) + len);
- eh->ether_type = htons((u_short)ETHERTYPE_IP);
- if (!gwip.s_addr) {
- if (arp((char *)&gwip,
- (char *)A_A eh->ether_dhost) == -1) {
- perror("arp");
- continue;
- }
- } else
- bcopy(dhost, (char *)A_A eh->ether_dhost,
- sizeof(dhost));
- if (!ip->ip_sum)
- ip->ip_sum = chksum((u_short *)ip,
- ip->ip_hl << 2);
- bcopy(ip, (char *)(eh + 1), len);
- len += sizeof(*eh);
- printpacket(ip);
- } else {
- eh = (ether_header_t *)pbuf;
- len = i;
- }
-
- if (sendip(wfd, (char *)eh, len) == -1)
- {
- perror("send_packet");
- break;
- }
- }
- (*r->r_close)();
- return 0;
-}
diff --git a/usr.sbin/ipsend/ipsend/Makefile b/usr.sbin/ipsend/ipsend/Makefile
deleted file mode 100644
index 28427d93ce4..00000000000
--- a/usr.sbin/ipsend/ipsend/Makefile
+++ /dev/null
@@ -1,16 +0,0 @@
-# $OpenBSD: Makefile,v 1.3 1998/01/26 19:46:23 weingart Exp $
-
-PROG= ipsend
-BINDIR= /usr/sbin
-MAN= ipsend.1 ipsend.5
-SRCS= ipsend.c ip.c ipsopt.c sbpf.c sock.c 44arp.c iplang_y.y iplang_l.l
-CFLAGS+= -DDOSOCKET -I${.CURDIR}/../common -I${.CURDIR}/../../ipftest \
- -I${.CURDIR}/../../../sbin/ipf -I${.CURDIR}/../../../sys/netinet \
- -I${.OBJDIR}
-
-LDADD = -lfl
-CLEANFILES+=y.tab.h
-
-.PATH: ${.CURDIR}/../common
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/ipsend/ipsend/iplang_l.l b/usr.sbin/ipsend/ipsend/iplang_l.l
deleted file mode 100644
index ac570e80115..00000000000
--- a/usr.sbin/ipsend/ipsend/iplang_l.l
+++ /dev/null
@@ -1,324 +0,0 @@
-%{
-/* $OpenBSD: iplang_l.l,v 1.3 2001/01/30 14:58:23 kjell Exp $ */
-
-/*
- * Copyright (C) 1997-1998 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * $IPFilter: iplang_l.l,v 2.2 2000/02/18 00:18:05 darrenr Exp $
- */
-#include <stdio.h>
-#include <string.h>
-#include <sys/param.h>
-#if defined(__SVR4) || defined(__sysv__)
-#include <sys/stream.h>
-#endif
-#include <sys/types.h>
-#include <netinet/in_systm.h>
-#include <netinet/in.h>
-#include "y.tab.h"
-#include "ip_fil_compat.h"
-#include "ipf.h"
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-extern int opts;
-
-int lineNum = 0, ipproto = 0, oldipproto = 0, next = -1, laststate = 0;
-int *prstack = NULL, numpr = 0, state = 0, token = 0;
-
-void yyerror __P((char *));
-void push_proto __P((void));
-void pop_proto __P((void));
-int next_state __P((int, int));
-int next_item __P((int));
-int save_token __P((void));
-void swallow __P((void));
-int yylex __P((void));
-
-struct wordtab {
- char *word;
- int state;
- int next;
-};
-
-struct wordtab words[] = {
- { "interface", IL_INTERFACE, -1 },
- { "iface", IL_INTERFACE, -1 },
- { "name", IL_IFNAME, IL_TOKEN },
- { "ifname", IL_IFNAME, IL_TOKEN },
- { "router", IL_DEFROUTER, IL_TOKEN },
- { "mtu", IL_MTU, IL_NUMBER },
- { "eaddr", IL_EADDR, IL_TOKEN },
- { "v4addr", IL_V4ADDR, IL_TOKEN },
- { "ipv4", IL_IPV4, -1 },
- { "v", IL_V4V, IL_TOKEN },
- { "proto", IL_V4PROTO, IL_TOKEN },
- { "hl", IL_V4HL, IL_TOKEN },
- { "id", IL_V4ID, IL_TOKEN },
- { "ttl", IL_V4TTL, IL_TOKEN },
- { "tos", IL_V4TOS, IL_TOKEN },
- { "src", IL_V4SRC, IL_TOKEN },
- { "dst", IL_V4DST, IL_TOKEN },
- { "opt", IL_OPT, -1 },
- { "len", IL_LEN, IL_TOKEN },
- { "off", IL_OFF, IL_TOKEN },
- { "sum", IL_SUM, IL_TOKEN },
- { "tcp", IL_TCP, -1 },
- { "sport", IL_SPORT, IL_TOKEN },
- { "dport", IL_DPORT, IL_TOKEN },
- { "seq", IL_TCPSEQ, IL_TOKEN },
- { "ack", IL_TCPACK, IL_TOKEN },
- { "flags", IL_TCPFL, IL_TOKEN },
- { "urp", IL_TCPURP, IL_TOKEN },
- { "win", IL_TCPWIN, IL_TOKEN },
- { "udp", IL_UDP, -1 },
- { "send", IL_SEND, -1 },
- { "via", IL_VIA, IL_TOKEN },
- { "arp", IL_ARP, -1 },
- { "data", IL_DATA, -1 },
- { "value", IL_DVALUE, IL_TOKEN },
- { "file", IL_DFILE, IL_TOKEN },
- { "nop", IL_IPO_NOP, -1 },
- { "eol", IL_IPO_EOL, -1 },
- { "rr", IL_IPO_RR, -1 },
- { "zsu", IL_IPO_ZSU, -1 },
- { "mtup", IL_IPO_MTUP, -1 },
- { "mtur", IL_IPO_MTUR, -1 },
- { "encode", IL_IPO_ENCODE, -1 },
- { "ts", IL_IPO_TS, -1 },
- { "tr", IL_IPO_TR, -1 },
- { "sec", IL_IPO_SEC, -1 },
- { "secclass", IL_IPO_SECCLASS, IL_TOKEN },
- { "lsrr", IL_IPO_LSRR, -1 },
- { "esec", IL_IPO_ESEC, -1 },
- { "cipso", IL_IPO_CIPSO, -1 },
- { "satid", IL_IPO_SATID, -1 },
- { "ssrr", IL_IPO_SSRR, -1 },
- { "addext", IL_IPO_ADDEXT, -1 },
- { "visa", IL_IPO_VISA, -1 },
- { "imitd", IL_IPO_IMITD, -1 },
- { "eip", IL_IPO_EIP, -1 },
- { "finn", IL_IPO_FINN, -1 },
- { "mss", IL_TCPO_MSS, IL_TOKEN },
- { "wscale", IL_TCPO_WSCALE, IL_TOKEN },
- { "reserv-4", IL_IPS_RESERV4, -1 },
- { "topsecret", IL_IPS_TOPSECRET, -1 },
- { "secret", IL_IPS_SECRET, -1 },
- { "reserv-3", IL_IPS_RESERV3, -1 },
- { "confid", IL_IPS_CONFID, -1 },
- { "unclass", IL_IPS_UNCLASS, -1 },
- { "reserv-2", IL_IPS_RESERV2, -1 },
- { "reserv-1", IL_IPS_RESERV1, -1 },
- { "icmp", IL_ICMP, -1 },
- { "type", IL_ICMPTYPE, -1 },
- { "code", IL_ICMPCODE, -1 },
- { "echorep", IL_ICMP_ECHOREPLY, -1 },
- { "unreach", IL_ICMP_UNREACH, -1 },
- { "squench", IL_ICMP_SOURCEQUENCH, -1 },
- { "redir", IL_ICMP_REDIRECT, -1 },
- { "echo", IL_ICMP_ECHO, -1 },
- { "routerad", IL_ICMP_ROUTERADVERT, -1 },
- { "routersol", IL_ICMP_ROUTERSOLICIT, -1 },
- { "timex", IL_ICMP_TIMXCEED, -1 },
- { "paramprob", IL_ICMP_PARAMPROB, -1 },
- { "timest", IL_ICMP_TSTAMP, -1 },
- { "timestrep", IL_ICMP_TSTAMPREPLY, -1 },
- { "inforeq", IL_ICMP_IREQ, -1 },
- { "inforep", IL_ICMP_IREQREPLY, -1 },
- { "maskreq", IL_ICMP_MASKREQ, -1 },
- { "maskrep", IL_ICMP_MASKREPLY, -1 },
- { "net-unr", IL_ICMP_UNREACH_NET, -1 },
- { "host-unr", IL_ICMP_UNREACH_HOST, -1 },
- { "proto-unr", IL_ICMP_UNREACH_PROTOCOL, -1 },
- { "port-unr", IL_ICMP_UNREACH_PORT, -1 },
- { "needfrag", IL_ICMP_UNREACH_NEEDFRAG, -1 },
- { "srcfail", IL_ICMP_UNREACH_SRCFAIL, -1 },
- { "net-unk", IL_ICMP_UNREACH_NET_UNKNOWN, -1 },
- { "host-unk", IL_ICMP_UNREACH_HOST_UNKNOWN, -1 },
- { "isolate", IL_ICMP_UNREACH_ISOLATED, -1 },
- { "net-prohib", IL_ICMP_UNREACH_NET_PROHIB, -1 },
- { "host-prohib", IL_ICMP_UNREACH_HOST_PROHIB, -1 },
- { "net-tos", IL_ICMP_UNREACH_TOSNET, -1 },
- { "host-tos", IL_ICMP_UNREACH_TOSHOST, -1 },
- { "filter-prohib", IL_ICMP_UNREACH_FILTER_PROHIB, -1 },
- { "host-preced", IL_ICMP_UNREACH_HOST_PRECEDENCE, -1 },
- { "cutoff-preced", IL_ICMP_UNREACH_PRECEDENCE_CUTOFF, -1 },
- { "net-redir", IL_ICMP_REDIRECT_NET, -1 },
- { "host-redir", IL_ICMP_REDIRECT_HOST, -1 },
- { "tos-net-redir", IL_ICMP_REDIRECT_TOSNET, -1 },
- { "tos-host-redir", IL_ICMP_REDIRECT_TOSHOST, -1 },
- { "intrans", IL_ICMP_TIMXCEED_INTRANS, -1 },
- { "reass", IL_ICMP_TIMXCEED_REASS, -1 },
- { "optabsent", IL_ICMP_PARAMPROB_OPTABSENT, -1 },
- { "otime", IL_ICMP_OTIME, -1 },
- { "rtime", IL_ICMP_RTIME, -1 },
- { "ttime", IL_ICMP_TTIME, -1 },
- { "icmpseq", IL_ICMP_SEQ, -1 },
- { "icmpid", IL_ICMP_SEQ, -1 },
- { ".", IL_DOT, -1 },
- { NULL, 0, 0 }
-};
-%}
-white [ \t\r]+
-%%
-{white} ;
-\n { lineNum++; swallow(); }
-\{ { push_proto(); return next_item('{'); }
-\} { pop_proto(); return next_item('}'); }
-; { return next_item(';'); }
-[0-9]+ { return next_item(IL_NUMBER); }
-[0-9a-fA-F] { return next_item(IL_HEXDIGIT); }
-: { return next_item(IL_COLON); }
-#[^\n]* { return next_item(IL_COMMENT); }
-[^ \{\}\n\t;:{}]* { return next_item(IL_TOKEN); }
-\"[^\"]*\" { return next_item(IL_TOKEN); }
-%%
-void yyerror(msg)
-char *msg;
-{
- fprintf(stderr, "%s error at \"%s\", line %d\n", msg, yytext,
- lineNum + 1);
- exit(1);
-}
-
-
-void push_proto()
-{
- numpr++;
- if (!prstack)
- prstack = (int *)malloc(sizeof(int));
- else
- prstack = (int *)realloc((char *)prstack, numpr * sizeof(int));
- prstack[numpr - 1] = oldipproto;
-}
-
-
-void pop_proto()
-{
- numpr--;
- ipproto = prstack[numpr];
- if (!numpr) {
- free(prstack);
- prstack = NULL;
- return;
- }
- prstack = (int *)realloc((char *)prstack, numpr * sizeof(int));
-}
-
-
-int save_token()
-{
-
- yylval.str = strdup(yytext);
- return IL_TOKEN;
-}
-
-
-int next_item(nstate)
-int nstate;
-{
- struct wordtab *wt;
-
- if (opts & OPT_DEBUG)
- printf("text=[%s] id=%d next=%d\n", yytext, nstate, next);
- if (next == IL_TOKEN) {
- next = -1;
- return save_token();
- }
- token++;
-
- for (wt = words; wt->word; wt++)
- if (!strcasecmp(wt->word, yytext))
- return next_state(wt->state, wt->next);
- if (opts & OPT_DEBUG)
- printf("unknown keyword=[%s]\n", yytext);
- next = -1;
- if (nstate == IL_NUMBER)
- yylval.num = atoi(yytext);
- token++;
- return nstate;
-}
-
-
-int next_state(nstate, fornext)
-int nstate, fornext;
-{
- next = fornext;
-
- switch (nstate)
- {
- case IL_IPV4 :
- case IL_TCP :
- case IL_UDP :
- case IL_ICMP :
- case IL_DATA :
- case IL_INTERFACE :
- case IL_ARP :
- oldipproto = ipproto;
- ipproto = nstate;
- break;
- case IL_SUM :
- if (ipproto == IL_IPV4)
- nstate = IL_V4SUM;
- else if (ipproto == IL_TCP)
- nstate = IL_TCPSUM;
- else if (ipproto == IL_UDP)
- nstate = IL_UDPSUM;
- break;
- case IL_OPT :
- if (ipproto == IL_IPV4)
- nstate = IL_V4OPT;
- else if (ipproto == IL_TCP)
- nstate = IL_TCPOPT;
- break;
- case IL_IPO_NOP :
- if (ipproto == IL_TCP)
- nstate = IL_TCPO_NOP;
- break;
- case IL_IPO_EOL :
- if (ipproto == IL_TCP)
- nstate = IL_TCPO_EOL;
- break;
- case IL_IPO_TS :
- if (ipproto == IL_TCP)
- nstate = IL_TCPO_TS;
- break;
- case IL_OFF :
- if (ipproto == IL_IPV4)
- nstate = IL_V4OFF;
- else if (ipproto == IL_TCP)
- nstate = IL_TCPOFF;
- break;
- case IL_LEN :
- if (ipproto == IL_IPV4)
- nstate = IL_V4LEN;
- else if (ipproto == IL_UDP)
- nstate = IL_UDPLEN;
- break;
- }
- return nstate;
-}
-
-
-void swallow()
-{
- int c;
-
- c = input();
-
- if (c == '#') {
- while ((c != '\n') && (c != EOF))
- c = input();
- }
- unput(c);
-}
diff --git a/usr.sbin/ipsend/ipsend/iplang_y.y b/usr.sbin/ipsend/ipsend/iplang_y.y
deleted file mode 100644
index 6ec6307c9c1..00000000000
--- a/usr.sbin/ipsend/ipsend/iplang_y.y
+++ /dev/null
@@ -1,1869 +0,0 @@
-%{
-/* $OpenBSD: iplang_y.y,v 1.3 2001/01/30 14:58:23 kjell Exp $ */
-
-/*
- * Copyright (C) 1997-1998 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * $IPFilter: iplang_y.y,v 2.2.2.1 2000/08/05 14:43:39 darrenr Exp $
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <fcntl.h>
-#if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#else
-#include <sys/byteorder.h>
-#endif
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stddef.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/ip_icmp.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <net/if.h>
-#ifndef linux
-#include <netinet/if_ether.h>
-#endif
-#include <netdb.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <resolv.h>
-#include <ctype.h>
-#include "ipsend.h"
-#include "ip_fil_compat.h"
-#include "ipf.h"
-#include "iplang.h"
-
-#if !defined(__NetBSD__) && (!defined(__FreeBSD_version) && \
- __FreeBSD_version < 400020)
-extern struct ether_addr *ether_aton __P((char *));
-#endif
-
-extern int opts;
-extern struct ipopt_names ionames[];
-extern int state, state, lineNum, token;
-extern int yylineno;
-extern char yytext[];
-extern FILE *yyin;
-int yylex __P((void));
-#define YYDEBUG 1
-#if !defined(ultrix) && !defined(hpux)
-int yydebug = 1;
-#else
-extern int yydebug;
-#endif
-
-iface_t *iflist = NULL, **iftail = &iflist;
-iface_t *cifp = NULL;
-arp_t *arplist = NULL, **arptail = &arplist, *carp = NULL;
-struct in_addr defrouter;
-send_t sending;
-char *sclass = NULL;
-u_short c_chksum __P((u_short *, u_int, u_long));
-u_long p_chksum __P((u_short *, u_int));
-
-u_long ipbuffer[67584/sizeof(u_long)]; /* 66K */
-aniphdr_t *aniphead = NULL, *canip = NULL, **aniptail = &aniphead;
-ip_t *ip = NULL;
-udphdr_t *udp = NULL;
-tcphdr_t *tcp = NULL;
-icmphdr_t *icmp = NULL;
-
-struct statetoopt {
- int sto_st;
- int sto_op;
-};
-
-struct in_addr getipv4addr __P((char *arg));
-u_short getportnum __P((char *, char *));
-struct ether_addr *geteaddr __P((char *, struct ether_addr *));
-void *new_header __P((int));
-void free_aniplist __P((void));
-void inc_anipheaders __P((int));
-void new_data __P((void));
-void set_datalen __P((char **));
-void set_datafile __P((char **));
-void set_data __P((char **));
-void new_packet __P((void));
-void set_ipv4proto __P((char **));
-void set_ipv4src __P((char **));
-void set_ipv4dst __P((char **));
-void set_ipv4off __P((char **));
-void set_ipv4v __P((char **));
-void set_ipv4hl __P((char **));
-void set_ipv4ttl __P((char **));
-void set_ipv4tos __P((char **));
-void set_ipv4id __P((char **));
-void set_ipv4sum __P((char **));
-void set_ipv4len __P((char **));
-void new_tcpheader __P((void));
-void set_tcpsport __P((char **));
-void set_tcpdport __P((char **));
-void set_tcpseq __P((char **));
-void set_tcpack __P((char **));
-void set_tcpoff __P((char **));
-void set_tcpurp __P((char **));
-void set_tcpwin __P((char **));
-void set_tcpsum __P((char **));
-void set_tcpflags __P((char **));
-void set_tcpopt __P((int, char **));
-void end_tcpopt __P((void));
-void new_udpheader __P((void));
-void set_udplen __P((char **));
-void set_udpsum __P((char **));
-void prep_packet __P((void));
-void packet_done __P((void));
-void new_interface __P((void));
-void check_interface __P((void));
-void set_ifname __P((char **));
-void set_ifmtu __P((int));
-void set_ifv4addr __P((char **));
-void set_ifeaddr __P((char **));
-void new_arp __P((void));
-void set_arpeaddr __P((char **));
-void set_arpv4addr __P((char **));
-void reset_send __P((void));
-void set_sendif __P((char **));
-void set_sendvia __P((char **));
-void set_defaultrouter __P((char **));
-void new_icmpheader __P((void));
-void set_icmpcode __P((int));
-void set_icmptype __P((int));
-void set_icmpcodetok __P((char **));
-void set_icmptypetok __P((char **));
-void set_icmpid __P((int));
-void set_icmpseq __P((int));
-void set_icmpotime __P((int));
-void set_icmprtime __P((int));
-void set_icmpttime __P((int));
-void set_icmpmtu __P((int));
-void set_redir __P((int, char **));
-void new_ipv4opt __P((void));
-void set_icmppprob __P((int));
-void add_ipopt __P((int, void *));
-void end_ipopt __P((void));
-void set_secclass __P((char **));
-void free_anipheader __P((void));
-void end_ipv4 __P((void));
-void end_icmp __P((void));
-void end_udp __P((void));
-void end_tcp __P((void));
-void end_data __P((void));
-void yyerror __P((char *));
-void iplang __P((FILE *));
-int arp_getipv4 __P((char *, char *));
-int yyparse __P((void));
-%}
-%union {
- char *str;
- int num;
-}
-%token <num> IL_NUMBER
-%type <num> number digits optnumber
-%token <str> IL_TOKEN
-%type <str> token optoken
-%token IL_HEXDIGIT IL_COLON IL_DOT IL_EOF IL_COMMENT
-%token IL_INTERFACE IL_IFNAME IL_MTU IL_EADDR
-%token IL_IPV4 IL_V4PROTO IL_V4SRC IL_V4DST IL_V4OFF IL_V4V IL_V4HL IL_V4TTL
-%token IL_V4TOS IL_V4SUM IL_V4LEN IL_V4OPT IL_V4ID
-%token IL_TCP IL_SPORT IL_DPORT IL_TCPFL IL_TCPSEQ IL_TCPACK IL_TCPOFF
-%token IL_TCPWIN IL_TCPSUM IL_TCPURP IL_TCPOPT IL_TCPO_NOP IL_TCPO_EOL
-%token IL_TCPO_MSS IL_TCPO_WSCALE IL_TCPO_TS
-%token IL_UDP IL_UDPLEN IL_UDPSUM
-%token IL_ICMP IL_ICMPTYPE IL_ICMPCODE
-%token IL_SEND IL_VIA
-%token IL_ARP
-%token IL_DEFROUTER
-%token IL_SUM IL_OFF IL_LEN IL_V4ADDR IL_OPT
-%token IL_DATA IL_DLEN IL_DVALUE IL_DFILE
-%token IL_IPO_NOP IL_IPO_RR IL_IPO_ZSU IL_IPO_MTUP IL_IPO_MTUR IL_IPO_EOL
-%token IL_IPO_TS IL_IPO_TR IL_IPO_SEC IL_IPO_LSRR IL_IPO_ESEC
-%token IL_IPO_SATID IL_IPO_SSRR IL_IPO_ADDEXT IL_IPO_VISA IL_IPO_IMITD
-%token IL_IPO_EIP IL_IPO_FINN IL_IPO_SECCLASS IL_IPO_CIPSO IL_IPO_ENCODE
-%token <str> IL_IPS_RESERV4 IL_IPS_TOPSECRET IL_IPS_SECRET IL_IPS_RESERV3
-%token <str> IL_IPS_CONFID IL_IPS_UNCLASS IL_IPS_RESERV2 IL_IPS_RESERV1
-%token IL_ICMP_ECHOREPLY IL_ICMP_UNREACH IL_ICMP_UNREACH_NET
-%token IL_ICMP_UNREACH_HOST IL_ICMP_UNREACH_PROTOCOL IL_ICMP_UNREACH_PORT
-%token IL_ICMP_UNREACH_NEEDFRAG IL_ICMP_UNREACH_SRCFAIL
-%token IL_ICMP_UNREACH_NET_UNKNOWN IL_ICMP_UNREACH_HOST_UNKNOWN
-%token IL_ICMP_UNREACH_ISOLATED IL_ICMP_UNREACH_NET_PROHIB
-%token IL_ICMP_UNREACH_HOST_PROHIB IL_ICMP_UNREACH_TOSNET
-%token IL_ICMP_UNREACH_TOSHOST IL_ICMP_UNREACH_FILTER_PROHIB
-%token IL_ICMP_UNREACH_HOST_PRECEDENCE IL_ICMP_UNREACH_PRECEDENCE_CUTOFF
-%token IL_ICMP_SOURCEQUENCH IL_ICMP_REDIRECT IL_ICMP_REDIRECT_NET
-%token IL_ICMP_REDIRECT_HOST IL_ICMP_REDIRECT_TOSNET
-%token IL_ICMP_REDIRECT_TOSHOST IL_ICMP_ECHO IL_ICMP_ROUTERADVERT
-%token IL_ICMP_ROUTERSOLICIT IL_ICMP_TIMXCEED IL_ICMP_TIMXCEED_INTRANS
-%token IL_ICMP_TIMXCEED_REASS IL_ICMP_PARAMPROB IL_ICMP_PARAMPROB_OPTABSENT
-%token IL_ICMP_TSTAMP IL_ICMP_TSTAMPREPLY IL_ICMP_IREQ IL_ICMP_IREQREPLY
-%token IL_ICMP_MASKREQ IL_ICMP_MASKREPLY IL_ICMP_SEQ IL_ICMP_ID
-%token IL_ICMP_OTIME IL_ICMP_RTIME IL_ICMP_TTIME
-
-%%
-file: line
- | line file
- | IL_COMMENT
- | IL_COMMENT file
- ;
-
-line: iface
- | arp
- | send
- | defrouter
- | ipline
- ;
-
-iface: ifhdr '{' ifaceopts '}' ';' { check_interface(); }
- ;
-
-ifhdr: IL_INTERFACE { new_interface(); }
- ;
-
-ifaceopts:
- ifaceopt
- | ifaceopt ifaceopts
- ;
-
-ifaceopt:
- IL_IFNAME token { set_ifname(&$2); }
- | IL_MTU number { set_ifmtu($2); }
- | IL_V4ADDR token { set_ifv4addr(&$2); }
- | IL_EADDR token { set_ifeaddr(&$2); }
- ;
-
-send: sendhdr '{' sendbody '}' ';' { packet_done(); }
- | sendhdr ';' { packet_done(); }
- ;
-
-sendhdr:
- IL_SEND { reset_send(); }
- ;
-
-sendbody:
- sendopt
- | sendbody sendopt
- ;
-
-sendopt:
- IL_IFNAME token { set_sendif(&$2); }
- | IL_VIA token { set_sendvia(&$2); }
- ;
-
-arp: arphdr '{' arpbody '}' ';'
- ;
-
-arphdr: IL_ARP { new_arp(); }
- ;
-
-arpbody:
- arpopt
- | arpbody arpopt
- ;
-
-arpopt: IL_V4ADDR token { set_arpv4addr(&$2); }
- | IL_EADDR token { set_arpeaddr(&$2); }
- ;
-
-defrouter:
- IL_DEFROUTER token { set_defaultrouter(&$2); }
- ;
-
-bodyline:
- ipline
- | tcp tcpline
- | udp udpline
- | icmp icmpline
- | data dataline
- ;
-
-ipline: ipv4 '{' ipv4body '}' ';' { end_ipv4(); }
- ;
-
-ipv4: IL_IPV4 { new_packet(); }
-
-ipv4body:
- ipv4type
- | ipv4type ipv4body
- | bodyline
- ;
-
-ipv4type:
- IL_V4PROTO token { set_ipv4proto(&$2); }
- | IL_V4SRC token { set_ipv4src(&$2); }
- | IL_V4DST token { set_ipv4dst(&$2); }
- | IL_V4OFF token { set_ipv4off(&$2); }
- | IL_V4V token { set_ipv4v(&$2); }
- | IL_V4HL token { set_ipv4hl(&$2); }
- | IL_V4ID token { set_ipv4id(&$2); }
- | IL_V4TTL token { set_ipv4ttl(&$2); }
- | IL_V4TOS token { set_ipv4tos(&$2); }
- | IL_V4SUM token { set_ipv4sum(&$2); }
- | IL_V4LEN token { set_ipv4len(&$2); }
- | ipv4opt '{' ipv4optlist '}' ';' { end_ipopt(); }
- ;
-
-tcp: IL_TCP { new_tcpheader(); }
- ;
-
-tcpline:
- '{' tcpheader '}' ';' { end_tcp(); }
- ;
-
-tcpheader:
- tcpbody
- | tcpbody tcpheader
- | bodyline
- ;
-
-tcpbody:
- IL_SPORT token { set_tcpsport(&$2); }
- | IL_DPORT token { set_tcpdport(&$2); }
- | IL_TCPSEQ token { set_tcpseq(&$2); }
- | IL_TCPACK token { set_tcpack(&$2); }
- | IL_TCPOFF token { set_tcpoff(&$2); }
- | IL_TCPURP token { set_tcpurp(&$2); }
- | IL_TCPWIN token { set_tcpwin(&$2); }
- | IL_TCPSUM token { set_tcpsum(&$2); }
- | IL_TCPFL token { set_tcpflags(&$2); }
- | IL_TCPOPT '{' tcpopts '}' ';' { end_tcpopt(); }
- ;
-
-tcpopts:
- | tcpopt tcpopts
- ;
-
-tcpopt: IL_TCPO_NOP ';' { set_tcpopt(IL_TCPO_NOP, NULL); }
- | IL_TCPO_EOL ';' { set_tcpopt(IL_TCPO_EOL, NULL); }
- | IL_TCPO_MSS optoken { set_tcpopt(IL_TCPO_MSS,&$2);}
- | IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_WSCALE,&$2);}
- | IL_TCPO_TS optoken { set_tcpopt(IL_TCPO_TS, &$2);}
- ;
-
-udp: IL_UDP { new_udpheader(); }
- ;
-
-udpline:
- '{' udpheader '}' ';' { end_udp(); }
- ;
-
-
-udpheader:
- udpbody
- | udpbody udpheader
- | bodyline
- ;
-
-udpbody:
- IL_SPORT token { set_tcpsport(&$2); }
- | IL_DPORT token { set_tcpdport(&$2); }
- | IL_UDPLEN token { set_udplen(&$2); }
- | IL_UDPSUM token { set_udpsum(&$2); }
- ;
-
-icmp: IL_ICMP { new_icmpheader(); }
- ;
-
-icmpline:
- '{' icmpbody '}' ';' { end_icmp(); }
- ;
-
-icmpbody:
- icmpheader
- | icmpheader bodyline
- ;
-
-icmpheader:
- IL_ICMPTYPE icmptype
- | IL_ICMPTYPE icmptype icmpcode
- ;
-
-icmpcode:
- IL_ICMPCODE token { set_icmpcodetok(&$2); }
- ;
-
-icmptype:
- IL_ICMP_ECHOREPLY ';' { set_icmptype(ICMP_ECHOREPLY); }
- | IL_ICMP_ECHOREPLY '{' icmpechoopts '}' ';'
- | unreach
- | IL_ICMP_SOURCEQUENCH ';' { set_icmptype(ICMP_SOURCEQUENCH); }
- | redirect
- | IL_ICMP_ROUTERADVERT ';' { set_icmptype(ICMP_ROUTERADVERT); }
- | IL_ICMP_ROUTERSOLICIT ';' { set_icmptype(ICMP_ROUTERSOLICIT); }
- | IL_ICMP_ECHO ';' { set_icmptype(ICMP_ECHO); }
- | IL_ICMP_ECHO '{' icmpechoopts '}' ';'
- | IL_ICMP_TIMXCEED ';' { set_icmptype(ICMP_TIMXCEED); }
- | IL_ICMP_TIMXCEED '{' exceed '}' ';'
- | IL_ICMP_TSTAMP ';' { set_icmptype(ICMP_TSTAMP); }
- | IL_ICMP_TSTAMPREPLY ';' { set_icmptype(ICMP_TSTAMPREPLY); }
- | IL_ICMP_TSTAMPREPLY '{' icmptsopts '}' ';'
- | IL_ICMP_IREQ ';' { set_icmptype(ICMP_IREQ); }
- | IL_ICMP_IREQREPLY ';' { set_icmptype(ICMP_IREQREPLY); }
- | IL_ICMP_IREQREPLY '{' data dataline '}' ';'
- | IL_ICMP_MASKREQ ';' { set_icmptype(ICMP_MASKREQ); }
- | IL_ICMP_MASKREPLY ';' { set_icmptype(ICMP_MASKREPLY); }
- | IL_ICMP_MASKREPLY '{' token '}' ';'
- | IL_ICMP_PARAMPROB ';' { set_icmptype(ICMP_PARAMPROB); }
- | IL_ICMP_PARAMPROB '{' paramprob '}' ';'
- | IL_TOKEN ';' { set_icmptypetok(&$1); }
- ;
-
-icmpechoopts:
- | icmpechoopts icmpecho
- ;
-
-icmpecho:
- IL_ICMP_SEQ number { set_icmpseq($2); }
- | IL_ICMP_ID number { set_icmpid($2); }
- ;
-
-icmptsopts:
- | icmptsopts icmpts ';'
- ;
-
-icmpts: IL_ICMP_OTIME number { set_icmpotime($2); }
- | IL_ICMP_RTIME number { set_icmprtime($2); }
- | IL_ICMP_TTIME number { set_icmpttime($2); }
- ;
-
-unreach:
- IL_ICMP_UNREACH
- | IL_ICMP_UNREACH '{' unreachopts '}' ';'
- ;
-
-unreachopts:
- IL_ICMP_UNREACH_NET line
- | IL_ICMP_UNREACH_HOST line
- | IL_ICMP_UNREACH_PROTOCOL line
- | IL_ICMP_UNREACH_PORT line
- | IL_ICMP_UNREACH_NEEDFRAG number ';' { set_icmpmtu($2); }
- | IL_ICMP_UNREACH_SRCFAIL line
- | IL_ICMP_UNREACH_NET_UNKNOWN line
- | IL_ICMP_UNREACH_HOST_UNKNOWN line
- | IL_ICMP_UNREACH_ISOLATED line
- | IL_ICMP_UNREACH_NET_PROHIB line
- | IL_ICMP_UNREACH_HOST_PROHIB line
- | IL_ICMP_UNREACH_TOSNET line
- | IL_ICMP_UNREACH_TOSHOST line
- | IL_ICMP_UNREACH_FILTER_PROHIB line
- | IL_ICMP_UNREACH_HOST_PRECEDENCE line
- | IL_ICMP_UNREACH_PRECEDENCE_CUTOFF line
- ;
-
-redirect:
- IL_ICMP_REDIRECT
- | IL_ICMP_REDIRECT '{' redirectopts '}' ';'
- ;
-
-redirectopts:
- | IL_ICMP_REDIRECT_NET token { set_redir(0, &$2); }
- | IL_ICMP_REDIRECT_HOST token { set_redir(1, &$2); }
- | IL_ICMP_REDIRECT_TOSNET token { set_redir(2, &$2); }
- | IL_ICMP_REDIRECT_TOSHOST token { set_redir(3, &$2); }
- ;
-
-exceed:
- IL_ICMP_TIMXCEED_INTRANS line
- | IL_ICMP_TIMXCEED_REASS line
- ;
-
-paramprob:
- IL_ICMP_PARAMPROB_OPTABSENT
- | IL_ICMP_PARAMPROB_OPTABSENT paraprobarg
-
-paraprobarg:
- '{' number '}' ';' { set_icmppprob($2); }
- ;
-
-ipv4opt: IL_V4OPT { new_ipv4opt(); }
- ;
-
-ipv4optlist:
- | ipv4opts ipv4optlist
- ;
-
-ipv4opts:
- IL_IPO_NOP ';' { add_ipopt(IL_IPO_NOP, NULL); }
- | IL_IPO_RR optnumber { add_ipopt(IL_IPO_RR, &$2); }
- | IL_IPO_ZSU ';' { add_ipopt(IL_IPO_ZSU, NULL); }
- | IL_IPO_MTUP ';' { add_ipopt(IL_IPO_MTUP, NULL); }
- | IL_IPO_MTUR ';' { add_ipopt(IL_IPO_MTUR, NULL); }
- | IL_IPO_ENCODE ';' { add_ipopt(IL_IPO_ENCODE, NULL); }
- | IL_IPO_TS ';' { add_ipopt(IL_IPO_TS, NULL); }
- | IL_IPO_TR ';' { add_ipopt(IL_IPO_TR, NULL); }
- | IL_IPO_SEC ';' { add_ipopt(IL_IPO_SEC, NULL); }
- | IL_IPO_SECCLASS secclass { add_ipopt(IL_IPO_SECCLASS, sclass); }
- | IL_IPO_LSRR token { add_ipopt(IL_IPO_LSRR,&$2); }
- | IL_IPO_ESEC ';' { add_ipopt(IL_IPO_ESEC, NULL); }
- | IL_IPO_CIPSO ';' { add_ipopt(IL_IPO_CIPSO, NULL); }
- | IL_IPO_SATID optnumber { add_ipopt(IL_IPO_SATID,&$2);}
- | IL_IPO_SSRR token { add_ipopt(IL_IPO_SSRR,&$2); }
- | IL_IPO_ADDEXT ';' { add_ipopt(IL_IPO_ADDEXT, NULL); }
- | IL_IPO_VISA ';' { add_ipopt(IL_IPO_VISA, NULL); }
- | IL_IPO_IMITD ';' { add_ipopt(IL_IPO_IMITD, NULL); }
- | IL_IPO_EIP ';' { add_ipopt(IL_IPO_EIP, NULL); }
- | IL_IPO_FINN ';' { add_ipopt(IL_IPO_FINN, NULL); }
- ;
-
-secclass:
- IL_IPS_RESERV4 ';' { set_secclass(&$1); }
- | IL_IPS_TOPSECRET ';' { set_secclass(&$1); }
- | IL_IPS_SECRET ';' { set_secclass(&$1); }
- | IL_IPS_RESERV3 ';' { set_secclass(&$1); }
- | IL_IPS_CONFID ';' { set_secclass(&$1); }
- | IL_IPS_UNCLASS ';' { set_secclass(&$1); }
- | IL_IPS_RESERV2 ';' { set_secclass(&$1); }
- | IL_IPS_RESERV1 ';' { set_secclass(&$1); }
- ;
-
-data: IL_DATA { new_data(); }
- ;
-
-dataline:
- '{' databody '}' ';' { end_data(); }
- ;
-
-databody: dataopts
- | dataopts databody
- ;
-
-dataopts:
- IL_DLEN token { set_datalen(&$2); }
- | IL_DVALUE token { set_data(&$2); }
- | IL_DFILE token { set_datafile(&$2); }
- ;
-
-token: IL_TOKEN ';'
- ;
-
-optoken: ';' { $$ = ""; }
- | token
- ;
-
-number: digits ';'
- ;
-
-optnumber: ';' { $$ = 0; }
- | number
- ;
-
-digits: IL_NUMBER
- | digits IL_NUMBER
- ;
-%%
-
-struct statetoopt toipopts[] = {
- { IL_IPO_NOP, IPOPT_NOP },
- { IL_IPO_RR, IPOPT_RR },
- { IL_IPO_ZSU, IPOPT_ZSU },
- { IL_IPO_MTUP, IPOPT_MTUP },
- { IL_IPO_MTUR, IPOPT_MTUR },
- { IL_IPO_ENCODE, IPOPT_ENCODE },
- { IL_IPO_TS, IPOPT_TS },
- { IL_IPO_TR, IPOPT_TR },
- { IL_IPO_SEC, IPOPT_SECURITY },
- { IL_IPO_SECCLASS, IPOPT_SECURITY },
- { IL_IPO_LSRR, IPOPT_LSRR },
- { IL_IPO_ESEC, IPOPT_E_SEC },
- { IL_IPO_CIPSO, IPOPT_CIPSO },
- { IL_IPO_SATID, IPOPT_SATID },
- { IL_IPO_SSRR, IPOPT_SSRR },
- { IL_IPO_ADDEXT, IPOPT_ADDEXT },
- { IL_IPO_VISA, IPOPT_VISA },
- { IL_IPO_IMITD, IPOPT_IMITD },
- { IL_IPO_EIP, IPOPT_EIP },
- { IL_IPO_FINN, IPOPT_FINN },
- { 0, 0 }
-};
-
-struct statetoopt tosecopts[] = {
- { IL_IPS_RESERV4, IPSO_CLASS_RES4 },
- { IL_IPS_TOPSECRET, IPSO_CLASS_TOPS },
- { IL_IPS_SECRET, IPSO_CLASS_SECR },
- { IL_IPS_RESERV3, IPSO_CLASS_RES3 },
- { IL_IPS_CONFID, IPSO_CLASS_CONF },
- { IL_IPS_UNCLASS, IPSO_CLASS_UNCL },
- { IL_IPS_RESERV2, IPSO_CLASS_RES2 },
- { IL_IPS_RESERV1, IPSO_CLASS_RES1 },
- { 0, 0 }
-};
-
-#ifdef bsdi
-struct ether_addr *
-ether_aton(s)
- char *s;
-{
- static struct ether_addr n;
- u_int i[6];
-
- if (sscanf(s, " %x:%x:%x:%x:%x:%x ", &i[0], &i[1],
- &i[2], &i[3], &i[4], &i[5]) == 6) {
- n.ether_addr_octet[0] = (u_char)i[0];
- n.ether_addr_octet[1] = (u_char)i[1];
- n.ether_addr_octet[2] = (u_char)i[2];
- n.ether_addr_octet[3] = (u_char)i[3];
- n.ether_addr_octet[4] = (u_char)i[4];
- n.ether_addr_octet[5] = (u_char)i[5];
- return &n;
- }
- return NULL;
-}
-#endif
-
-
-struct in_addr getipv4addr(arg)
-char *arg;
-{
- struct hostent *hp;
- struct in_addr in;
-
- in.s_addr = 0xffffffff;
-
- if ((hp = gethostbyname(arg)))
- bcopy(hp->h_addr, &in.s_addr, sizeof(struct in_addr));
- else
- in.s_addr = inet_addr(arg);
- return in;
-}
-
-
-u_short getportnum(pr, name)
-char *pr, *name;
-{
- struct servent *sp;
-
- if (!(sp = getservbyname(name, pr)))
- return htons(atoi(name));
- return sp->s_port;
-}
-
-
-struct ether_addr *geteaddr(arg, buf)
-char *arg;
-struct ether_addr *buf;
-{
- struct ether_addr *e;
-
-#if !defined(hpux) && !defined(linux)
- e = ether_aton(arg);
- if (!e)
- fprintf(stderr, "Invalid ethernet address: %s\n", arg);
- else
-# ifdef __FreeBSD__
- bcopy(e->octet, buf->octet, sizeof(e->octet));
-# else
- bcopy(e->ether_addr_octet, buf->ether_addr_octet,
- sizeof(e->ether_addr_octet));
-# endif
- return e;
-#else
- return NULL;
-#endif
-}
-
-
-void *new_header(type)
-int type;
-{
- aniphdr_t *aip, *oip = canip;
- int sz = 0;
-
- aip = (aniphdr_t *)calloc(1, sizeof(*aip));
- *aniptail = aip;
- aniptail = &aip->ah_next;
- aip->ah_p = type;
- aip->ah_prev = oip;
- canip = aip;
-
- if (type == IPPROTO_UDP)
- sz = sizeof(udphdr_t);
- else if (type == IPPROTO_TCP)
- sz = sizeof(tcphdr_t);
- else if (type == IPPROTO_ICMP)
- sz = sizeof(icmphdr_t);
- else if (type == IPPROTO_IP)
- sz = sizeof(ip_t);
-
- if (oip)
- canip->ah_data = oip->ah_data + oip->ah_len;
- else
- canip->ah_data = (char *)ipbuffer;
-
- /*
- * Increase the size fields in all wrapping headers.
- */
- for (aip = aniphead; aip; aip = aip->ah_next) {
- aip->ah_len += sz;
- if (aip->ah_p == IPPROTO_IP)
- aip->ah_ip->ip_len += sz;
- else if (aip->ah_p == IPPROTO_UDP)
- aip->ah_udp->uh_ulen += sz;
- }
- return (void *)canip->ah_data;
-}
-
-
-void free_aniplist()
-{
- aniphdr_t *aip, **aipp = &aniphead;
-
- while ((aip = *aipp)) {
- *aipp = aip->ah_next;
- free(aip);
- }
- aniptail = &aniphead;
-}
-
-
-void inc_anipheaders(inc)
-int inc;
-{
- aniphdr_t *aip;
-
- for (aip = aniphead; aip; aip = aip->ah_next) {
- aip->ah_len += inc;
- if (aip->ah_p == IPPROTO_IP)
- aip->ah_ip->ip_len += inc;
- else if (aip->ah_p == IPPROTO_UDP)
- aip->ah_udp->uh_ulen += inc;
- }
-}
-
-
-void new_data()
-{
- (void) new_header(-1);
- canip->ah_len = 0;
-}
-
-
-void set_datalen(arg)
-char **arg;
-{
- int len;
-
- len = strtol(*arg, NULL, 0);
- inc_anipheaders(len);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_data(arg)
-char **arg;
-{
- u_char *s = (u_char *)*arg, *t = (u_char *)canip->ah_data, c;
- int len = 0, todo = 0, quote = 0, val = 0;
-
- while ((c = *s++)) {
- if (todo) {
- if (isdigit(c)) {
- todo--;
- if (c > '7') {
- fprintf(stderr, "octal with %c!\n", c);
- break;
- }
- val <<= 3;
- val |= (c - '0');
- }
- if (!isdigit(c) || !todo) {
- *t++ = (u_char)(val & 0xff);
- todo = 0;
- }
- if (todo)
- continue;
- }
- if (quote) {
- if (isdigit(c)) {
- todo = 2;
- if (c > '7') {
- fprintf(stderr, "octal with %c!\n", c);
- break;
- }
- val = (c - '0');
- } else {
- switch (c)
- {
- case '\"' :
- *t++ = '\"';
- break;
- case '\\' :
- *t++ = '\\';
- break;
- case 'n' :
- *t++ = '\n';
- break;
- case 'r' :
- *t++ = '\r';
- break;
- case 't' :
- *t++ = '\t';
- break;
- }
- }
- quote = 0;
- continue;
- }
-
- if (c == '\\')
- quote = 1;
- else
- *t++ = c;
- }
- if (todo)
- *t++ = (u_char)(val & 0xff);
- if (quote)
- *t++ = '\\';
- len = t - (u_char *)canip->ah_data;
- inc_anipheaders(len - canip->ah_len);
- canip->ah_len = len;
-}
-
-
-void set_datafile(arg)
-char **arg;
-{
- struct stat sb;
- char *file = *arg;
- int fd, len;
-
- if ((fd = open(file, O_RDONLY)) == -1) {
- perror("open");
- exit(-1);
- }
-
- if (fstat(fd, &sb) == -1) {
- perror("fstat");
- exit(-1);
- }
-
- if ((sb.st_size + aniphead->ah_len ) > 65535) {
- fprintf(stderr, "data file %s too big to include.\n", file);
- close(fd);
- return;
- }
- if ((len = read(fd, canip->ah_data, sb.st_size)) == -1) {
- perror("read");
- close(fd);
- return;
- }
- inc_anipheaders(len);
- canip->ah_len += len;
- close(fd);
-}
-
-
-void new_packet()
-{
- static u_short id = 0;
-
- if (!aniphead)
- bzero((char *)ipbuffer, sizeof(ipbuffer));
-
- ip = (ip_t *)new_header(IPPROTO_IP);
- ip->ip_v = IPVERSION;
- ip->ip_hl = sizeof(ip_t) >> 2;
- ip->ip_len = sizeof(ip_t);
- ip->ip_ttl = 63;
- ip->ip_id = htons(id++);
-}
-
-
-void set_ipv4proto(arg)
-char **arg;
-{
- struct protoent *pr;
-
- if ((pr = getprotobyname(*arg)))
- ip->ip_p = pr->p_proto;
- else
- if (!(ip->ip_p = atoi(*arg)))
- fprintf(stderr, "unknown protocol %s\n", *arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4src(arg)
-char **arg;
-{
- ip->ip_src = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4dst(arg)
-char **arg;
-{
- ip->ip_dst = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4off(arg)
-char **arg;
-{
- ip->ip_off = htons(strtol(*arg, NULL, 0));
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4v(arg)
-char **arg;
-{
- ip->ip_v = strtol(*arg, NULL, 0);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4hl(arg)
-char **arg;
-{
- int newhl, inc;
-
- newhl = strtol(*arg, NULL, 0);
- inc = (newhl - ip->ip_hl) << 2;
- ip->ip_len += inc;
- ip->ip_hl = newhl;
- canip->ah_len += inc;
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4ttl(arg)
-char **arg;
-{
- ip->ip_ttl = strtol(*arg, NULL, 0);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4tos(arg)
-char **arg;
-{
- ip->ip_tos = strtol(*arg, NULL, 0);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4id(arg)
-char **arg;
-{
- ip->ip_id = htons(strtol(*arg, NULL, 0));
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4sum(arg)
-char **arg;
-{
- ip->ip_sum = strtol(*arg, NULL, 0);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ipv4len(arg)
-char **arg;
-{
- int len;
-
- len = strtol(*arg, NULL, 0);
- inc_anipheaders(len - ip->ip_len);
- ip->ip_len = len;
- free(*arg);
- *arg = NULL;
-}
-
-
-void new_tcpheader()
-{
-
- if ((ip->ip_p) && (ip->ip_p != IPPROTO_TCP)) {
- fprintf(stderr, "protocol %d specified with TCP!\n", ip->ip_p);
- return;
- }
- ip->ip_p = IPPROTO_TCP;
-
- tcp = (tcphdr_t *)new_header(IPPROTO_TCP);
- tcp->th_win = htons(4096);
- tcp->th_off = sizeof(*tcp) >> 2;
-}
-
-
-void set_tcpsport(arg)
-char **arg;
-{
- u_short *port;
- char *pr;
-
- if (ip->ip_p == IPPROTO_UDP) {
- port = &udp->uh_sport;
- pr = "udp";
- } else {
- port = &tcp->th_sport;
- pr = "udp";
- }
-
- *port = getportnum(pr, *arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpdport(arg)
-char **arg;
-{
- u_short *port;
- char *pr;
-
- if (ip->ip_p == IPPROTO_UDP) {
- port = &udp->uh_dport;
- pr = "udp";
- } else {
- port = &tcp->th_dport;
- pr = "udp";
- }
-
- *port = getportnum(pr, *arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpseq(arg)
-char **arg;
-{
- tcp->th_seq = htonl(strtol(*arg, NULL, 0));
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpack(arg)
-char **arg;
-{
- tcp->th_ack = htonl(strtol(*arg, NULL, 0));
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpoff(arg)
-char **arg;
-{
- int off;
-
- off = strtol(*arg, NULL, 0);
- inc_anipheaders((off - tcp->th_off) << 2);
- tcp->th_off = off;
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpurp(arg)
-char **arg;
-{
- tcp->th_urp = htons(strtol(*arg, NULL, 0));
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpwin(arg)
-char **arg;
-{
- tcp->th_win = htons(strtol(*arg, NULL, 0));
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpsum(arg)
-char **arg;
-{
- tcp->th_sum = strtol(*arg, NULL, 0);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpflags(arg)
-char **arg;
-{
- static char flags[] = "ASURPF";
- static int flagv[] = { TH_ACK, TH_SYN, TH_URG, TH_RST, TH_PUSH,
- TH_FIN } ;
- char *s, *t;
-
- for (s = *arg; *s; s++)
- if (!(t = strchr(flags, *s))) {
- if (s - *arg) {
- fprintf(stderr, "unknown TCP flag %c\n", *s);
- break;
- }
- tcp->th_flags = strtol(*arg, NULL, 0);
- break;
- } else
- tcp->th_flags |= flagv[t - flags];
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_tcpopt(state, arg)
-int state;
-char **arg;
-{
- u_char *s;
- int val, len, val2, pad, optval;
-
- if (arg && *arg)
- val = atoi(*arg);
- else
- val = 0;
-
- s = (u_char *)tcp + sizeof(*tcp) + canip->ah_optlen;
- switch (state)
- {
- case IL_TCPO_EOL :
- optval = 0;
- len = 1;
- break;
- case IL_TCPO_NOP :
- optval = 1;
- len = 1;
- break;
- case IL_TCPO_MSS :
- optval = 2;
- len = 4;
- break;
- case IL_TCPO_WSCALE :
- optval = 3;
- len = 3;
- break;
- case IL_TCPO_TS :
- optval = 8;
- len = 10;
- break;
- default :
- optval = 0;
- len = 0;
- break;
- }
-
- if (len > 1) {
- /*
- * prepend padding - if required.
- */
- if (len & 3)
- for (pad = 4 - (len & 3); pad; pad--) {
- *s++ = 1;
- canip->ah_optlen++;
- }
- /*
- * build tcp option
- */
- *s++ = (u_char)optval;
- *s++ = (u_char)len;
- if (len > 2) {
- if (len == 3) { /* 1 byte - char */
- *s++ = (u_char)val;
- } else if (len == 4) { /* 2 bytes - short */
- *s++ = (u_char)((val >> 8) & 0xff);
- *s++ = (u_char)(val & 0xff);
- } else if (len >= 6) { /* 4 bytes - long */
- val2 = htonl(val);
- bcopy((char *)&val2, s, 4);
- }
- s += (len - 2);
- }
- } else
- *s++ = (u_char)optval;
-
- canip->ah_lastopt = optval;
- canip->ah_optlen += len;
-
- if (arg && *arg) {
- free(*arg);
- *arg = NULL;
- }
-}
-
-
-void end_tcpopt()
-{
- int pad;
- char *s = (char *)tcp;
-
- s += sizeof(*tcp) + canip->ah_optlen;
- /*
- * pad out so that we have a multiple of 4 bytes in size fo the
- * options. make sure last byte is EOL.
- */
- if (canip->ah_optlen & 3) {
- if (canip->ah_lastopt != 1) {
- for (pad = 3 - (canip->ah_optlen & 3); pad; pad--) {
- *s++ = 1;
- canip->ah_optlen++;
- }
- canip->ah_optlen++;
- } else {
- s -= 1;
-
- for (pad = 3 - (canip->ah_optlen & 3); pad; pad--) {
- *s++ = 1;
- canip->ah_optlen++;
- }
- }
- *s++ = 0;
- }
- tcp->th_off = (sizeof(*tcp) + canip->ah_optlen) >> 2;
- inc_anipheaders(canip->ah_optlen);
-}
-
-
-void new_udpheader()
-{
- if ((ip->ip_p) && (ip->ip_p != IPPROTO_UDP)) {
- fprintf(stderr, "protocol %d specified with UDP!\n", ip->ip_p);
- return;
- }
- ip->ip_p = IPPROTO_UDP;
-
- udp = (udphdr_t *)new_header(IPPROTO_UDP);
- udp->uh_ulen = sizeof(*udp);
-}
-
-
-void set_udplen(arg)
-char **arg;
-{
- int len;
-
- len = strtol(*arg, NULL, 0);
- inc_anipheaders(len - udp->uh_ulen);
- udp->uh_ulen = len;
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_udpsum(arg)
-char **arg;
-{
- udp->uh_sum = strtol(*arg, NULL, 0);
- free(*arg);
- *arg = NULL;
-}
-
-
-void prep_packet()
-{
- iface_t *ifp;
- struct in_addr gwip;
-
- ifp = sending.snd_if;
- if (!ifp) {
- fprintf(stderr, "no interface defined for sending!\n");
- return;
- }
- if (ifp->if_fd == -1)
- ifp->if_fd = initdevice(ifp->if_name, 0, 5);
- gwip = sending.snd_gw;
- if (!gwip.s_addr)
- gwip = aniphead->ah_ip->ip_dst;
- (void) send_ip(ifp->if_fd, ifp->if_MTU, (ip_t *)ipbuffer, gwip, 2);
-}
-
-
-void packet_done()
-{
- char outline[80];
- int i, j, k;
- u_char *s = (u_char *)ipbuffer, *t = (u_char *)outline;
-
- if (opts & OPT_VERBOSE) {
- ip->ip_len = htons(ip->ip_len);
- for (i = ntohs(ip->ip_len), j = 0; i; i--, j++, s++) {
- if (j && !(j & 0xf)) {
- *t++ = '\n';
- *t = '\0';
- fputs(outline, stdout);
- fflush(stdout);
- t = (u_char *)outline;
- *t = '\0';
- }
- sprintf((char *)t, "%02x", *s & 0xff);
- t += 2;
- if (!((j + 1) & 0xf)) {
- s -= 15;
- sprintf((char *)t, " ");
- t += 8;
- for (k = 16; k; k--, s++)
- *t++ = (isprint(*s) ? *s : '.');
- s--;
- }
-
- if ((j + 1) & 0xf)
- *t++ = ' ';;
- }
-
- if (j & 0xf) {
- for (k = 16 - (j & 0xf); k; k--) {
- *t++ = ' ';
- *t++ = ' ';
- *t++ = ' ';
- }
- sprintf((char *)t, " ");
- t += 7;
- s -= j & 0xf;
- for (k = j & 0xf; k; k--, s++)
- *t++ = (isprint(*s) ? *s : '.');
- *t++ = '\n';
- *t = '\0';
- }
- fputs(outline, stdout);
- fflush(stdout);
- ip->ip_len = ntohs(ip->ip_len);
- }
-
- prep_packet();
- free_aniplist();
-}
-
-
-void new_interface()
-{
- cifp = (iface_t *)calloc(1, sizeof(iface_t));
- *iftail = cifp;
- iftail = &cifp->if_next;
- cifp->if_fd = -1;
-}
-
-
-void check_interface()
-{
- if (!cifp->if_name || !*cifp->if_name)
- fprintf(stderr, "No interface name given!\n");
- if (!cifp->if_MTU || !*cifp->if_name)
- fprintf(stderr, "Interface %s has an MTU of 0!\n",
- cifp->if_name);
-}
-
-
-void set_ifname(arg)
-char **arg;
-{
- cifp->if_name = *arg;
- *arg = NULL;
-}
-
-
-void set_ifmtu(arg)
-int arg;
-{
- cifp->if_MTU = arg;
-}
-
-
-void set_ifv4addr(arg)
-char **arg;
-{
- cifp->if_addr = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_ifeaddr(arg)
-char **arg;
-{
- (void) geteaddr(*arg, &cifp->if_eaddr);
- free(*arg);
- *arg = NULL;
-}
-
-
-void new_arp()
-{
- carp = (arp_t *)calloc(1, sizeof(arp_t));
- *arptail = carp;
- arptail = &carp->arp_next;
-}
-
-
-void set_arpeaddr(arg)
-char **arg;
-{
- (void) geteaddr(*arg, &carp->arp_eaddr);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_arpv4addr(arg)
-char **arg;
-{
- carp->arp_addr = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-int arp_getipv4(ip, addr)
-char *ip;
-char *addr;
-{
- arp_t *a;
-
- for (a = arplist; a; a = a->arp_next)
- if (!bcmp(ip, (char *)&a->arp_addr, 4)) {
- bcopy((char *)&a->arp_eaddr, addr, 6);
- return 0;
- }
- return -1;
-}
-
-
-void reset_send()
-{
- sending.snd_if = iflist;
- sending.snd_gw = defrouter;
-}
-
-
-void set_sendif(arg)
-char **arg;
-{
- iface_t *ifp;
-
- for (ifp = iflist; ifp; ifp = ifp->if_next)
- if (ifp->if_name && !strcmp(ifp->if_name, *arg))
- break;
- sending.snd_if = ifp;
- if (!ifp)
- fprintf(stderr, "couldn't find interface %s\n", *arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_sendvia(arg)
-char **arg;
-{
- sending.snd_gw = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_defaultrouter(arg)
-char **arg;
-{
- defrouter = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void new_icmpheader()
-{
- if ((ip->ip_p) && (ip->ip_p != IPPROTO_ICMP)) {
- fprintf(stderr, "protocol %d specified with ICMP!\n",
- ip->ip_p);
- return;
- }
- ip->ip_p = IPPROTO_ICMP;
- icmp = (icmphdr_t *)new_header(IPPROTO_ICMP);
-}
-
-
-void set_icmpcode(code)
-int code;
-{
- icmp->icmp_code = code;
-}
-
-
-void set_icmptype(type)
-int type;
-{
- icmp->icmp_type = type;
-}
-
-
-static char *icmpcodes[] = {
- "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag", "srcfail",
- "net-unk", "host-unk", "isolate", "net-prohib", "host-prohib",
- "net-tos", "host-tos", NULL };
-
-void set_icmpcodetok(code)
-char **code;
-{
- char *s;
- int i;
-
- for (i = 0; (s = icmpcodes[i]); i++)
- if (!strcmp(s, *code)) {
- icmp->icmp_code = i;
- break;
- }
- if (!s)
- fprintf(stderr, "unknown ICMP code %s\n", *code);
- free(*code);
- *code = NULL;
-}
-
-
-static char *icmptypes[] = {
- "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
- "redir", (char *)NULL, (char *)NULL, "echo", (char *)NULL,
- (char *)NULL, "timex", "paramprob", "timest", "timestrep",
- "inforeq", "inforep", "maskreq", "maskrep", "END"
-};
-
-void set_icmptypetok(type)
-char **type;
-{
- char *s;
- int i, done = 0;
-
- for (i = 0; !(s = icmptypes[i]) || strcmp(s, "END"); i++)
- if (s && !strcmp(s, *type)) {
- icmp->icmp_type = i;
- done = 1;
- break;
- }
- if (!done)
- fprintf(stderr, "unknown ICMP type %s\n", *type);
- free(*type);
- *type = NULL;
-}
-
-
-void set_icmpid(arg)
-int arg;
-{
- icmp->icmp_id = htons(arg);
-}
-
-
-void set_icmpseq(arg)
-int arg;
-{
- icmp->icmp_seq = htons(arg);
-}
-
-
-void set_icmpotime(arg)
-int arg;
-{
- icmp->icmp_otime = htonl(arg);
-}
-
-
-void set_icmprtime(arg)
-int arg;
-{
- icmp->icmp_rtime = htonl(arg);
-}
-
-
-void set_icmpttime(arg)
-int arg;
-{
- icmp->icmp_ttime = htonl(arg);
-}
-
-
-void set_icmpmtu(arg)
-int arg;
-{
-#if BSD >= 199306
- icmp->icmp_nextmtu = htons(arg);
-#endif
-}
-
-
-void set_redir(redir, arg)
-int redir;
-char **arg;
-{
- icmp->icmp_code = redir;
- icmp->icmp_gwaddr = getipv4addr(*arg);
- free(*arg);
- *arg = NULL;
-}
-
-
-void set_icmppprob(num)
-int num;
-{
- icmp->icmp_pptr = num;
-}
-
-
-void new_ipv4opt()
-{
- new_header(-2);
-}
-
-
-void add_ipopt(state, ptr)
-int state;
-void *ptr;
-{
- struct ipopt_names *io;
- struct statetoopt *sto;
- char numbuf[16], *arg, **param = ptr;
- int inc, hlen;
-
- if (state == IL_IPO_RR || state == IL_IPO_SATID) {
- if (param)
- sprintf(numbuf, "%d", *(int *)param);
- else
- strcpy(numbuf, "0");
- arg = numbuf;
- } else
- arg = param ? *param : NULL;
-
- if (canip->ah_next) {
- fprintf(stderr, "cannot specify options after data body\n");
- return;
- }
- for (sto = toipopts; sto->sto_st; sto++)
- if (sto->sto_st == state)
- break;
- if (!sto || !sto->sto_st) {
- fprintf(stderr, "No mapping for state %d to IP option\n",
- state);
- return;
- }
-
- hlen = sizeof(ip_t) + canip->ah_optlen;
- for (io = ionames; io->on_name; io++)
- if (io->on_value == sto->sto_op)
- break;
- canip->ah_lastopt = io->on_value;
-
- if (io->on_name) {
- inc = addipopt((char *)ip + hlen, io, hlen - sizeof(ip_t),arg);
- if (inc > 0) {
- while (inc & 3) {
- ((char *)ip)[sizeof(*ip) + inc] = IPOPT_NOP;
- canip->ah_lastopt = IPOPT_NOP;
- inc++;
- }
- hlen += inc;
- }
- }
-
- canip->ah_optlen = hlen - sizeof(ip_t);
-
- if (state != IL_IPO_RR && state != IL_IPO_SATID)
- if (param && *param) {
- free(*param);
- *param = NULL;
- }
- sclass = NULL;
-}
-
-
-void end_ipopt()
-{
- int pad;
- char *s, *buf = (char *)ip;
-
- /*
- * pad out so that we have a multiple of 4 bytes in size fo the
- * options. make sure last byte is EOL.
- */
- if (canip->ah_lastopt == IPOPT_NOP) {
- buf[sizeof(*ip) + canip->ah_optlen - 1] = IPOPT_EOL;
- } else if (canip->ah_lastopt != IPOPT_EOL) {
- s = buf + sizeof(*ip) + canip->ah_optlen;
-
- for (pad = 3 - (canip->ah_optlen & 3); pad; pad--) {
- *s++ = IPOPT_NOP;
- *s = IPOPT_EOL;
- canip->ah_optlen++;
- }
- canip->ah_optlen++;
- } else {
- s = buf + sizeof(*ip) + canip->ah_optlen - 1;
-
- for (pad = 3 - (canip->ah_optlen & 3); pad; pad--) {
- *s++ = IPOPT_NOP;
- *s = IPOPT_EOL;
- canip->ah_optlen++;
- }
- }
- ip->ip_hl = (sizeof(*ip) + canip->ah_optlen) >> 2;
- inc_anipheaders(canip->ah_optlen);
- free_anipheader();
-}
-
-
-void set_secclass(arg)
-char **arg;
-{
- sclass = *arg;
- *arg = NULL;
-}
-
-
-void free_anipheader()
-{
- aniphdr_t *aip;
-
- aip = canip;
- if ((canip = aip->ah_prev)) {
- canip->ah_next = NULL;
- aniptail = &canip->ah_next;
- }
-
- if (canip)
- free(aip);
-}
-
-
-void end_ipv4()
-{
- aniphdr_t *aip;
-
- ip->ip_sum = 0;
- ip->ip_len = htons(ip->ip_len);
- ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
- ip->ip_len = ntohs(ip->ip_len);
- free_anipheader();
- for (aip = aniphead, ip = NULL; aip; aip = aip->ah_next)
- if (aip->ah_p == IPPROTO_IP)
- ip = aip->ah_ip;
-}
-
-
-void end_icmp()
-{
- aniphdr_t *aip;
-
- icmp->icmp_cksum = 0;
- icmp->icmp_cksum = chksum((u_short *)icmp, canip->ah_len);
- free_anipheader();
- for (aip = aniphead, icmp = NULL; aip; aip = aip->ah_next)
- if (aip->ah_p == IPPROTO_ICMP)
- icmp = aip->ah_icmp;
-}
-
-
-void end_udp()
-{
- u_long sum;
- aniphdr_t *aip;
- ip_t iptmp;
-
- bzero((char *)&iptmp, sizeof(iptmp));
- iptmp.ip_p = ip->ip_p;
- iptmp.ip_src = ip->ip_src;
- iptmp.ip_dst = ip->ip_dst;
- iptmp.ip_len = htons(ip->ip_len - (ip->ip_hl << 2));
- sum = p_chksum((u_short *)&iptmp, (u_int)sizeof(iptmp));
- udp->uh_ulen = htons(udp->uh_ulen);
- udp->uh_sum = c_chksum((u_short *)udp, (u_int)ntohs(iptmp.ip_len), sum);
- free_anipheader();
- for (aip = aniphead, udp = NULL; aip; aip = aip->ah_next)
- if (aip->ah_p == IPPROTO_UDP)
- udp = aip->ah_udp;
-}
-
-
-void end_tcp()
-{
- u_long sum;
- aniphdr_t *aip;
- ip_t iptmp;
-
- bzero((char *)&iptmp, sizeof(iptmp));
- iptmp.ip_p = ip->ip_p;
- iptmp.ip_src = ip->ip_src;
- iptmp.ip_dst = ip->ip_dst;
- iptmp.ip_len = htons(ip->ip_len - (ip->ip_hl << 2));
- sum = p_chksum((u_short *)&iptmp, (u_int)sizeof(iptmp));
- tcp->th_sum = 0;
- tcp->th_sum = c_chksum((u_short *)tcp, (u_int)ntohs(iptmp.ip_len), sum);
- free_anipheader();
- for (aip = aniphead, tcp = NULL; aip; aip = aip->ah_next)
- if (aip->ah_p == IPPROTO_TCP)
- tcp = aip->ah_tcp;
-}
-
-
-void end_data()
-{
- free_anipheader();
-}
-
-
-void iplang(fp)
-FILE *fp;
-{
- yyin = fp;
-
- yydebug = (opts & OPT_DEBUG) ? 1 : 0;
-
- while (!feof(fp))
- yyparse();
-}
-
-
-u_short c_chksum(buf, len, init)
-u_short *buf;
-u_int len;
-u_long init;
-{
- u_long sum = init;
- int nwords = len >> 1;
-
- for(; nwords > 0; nwords--)
- sum += *buf++;
- sum = (sum>>16) + (sum & 0xffff);
- sum += (sum >>16);
- return (~sum);
-}
-
-
-u_long p_chksum(buf,len)
-u_short *buf;
-u_int len;
-{
- u_long sum = 0;
- int nwords = len >> 1;
-
- for(; nwords > 0; nwords--)
- sum += *buf++;
- return sum;
-}
diff --git a/usr.sbin/ipsend/ipsend/ipsend.1 b/usr.sbin/ipsend/ipsend/ipsend.1
deleted file mode 100644
index 550d0318031..00000000000
--- a/usr.sbin/ipsend/ipsend/ipsend.1
+++ /dev/null
@@ -1,90 +0,0 @@
-.\" $OpenBSD: ipsend.1,v 1.7 2000/11/08 19:37:35 aaron Exp $
-.Dd August 22, 2000
-.Dt IPSEND 1
-\!\" Originally by Darren Reed <darrenr@cyber.com.au>
-.Os
-.Sh NAME
-.Nm ipsend
-.Nd sends IP packets
-.Sh SYNOPSIS
-.Nm ipsend
-.Op Ar -dITUv
-.Op Ar -i interface
-.Op Ar -f offset
-.Op Ar -g gateway
-.Op Ar -m MTU
-.Op Ar -o option
-.Op Ar -P protocol
-.Op Ar -s source
-.Op Ar -t dest port
-.Op Ar -w window
-.Op destination
-.Op TCP-flags
-.Sh DESCRIPTION
-.Pp
-.Nm
-can be compiled in two ways. The first is used to send one-off
-packets to a destination host, using command line options to specify various
-attributes present in the headers. The destination must be given at the
-last command line option, except for when TCP flags are specified as
-a combination of A, S, F, U, P and R, last.
-.Pp
-The other way it may be compiled, with DOSOCKET defined, is to allow an
-attempt at making a TCP connection using a with ipsend resending the SYN
-packet as per the command line options.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl d
-Enable debugging mode.
-.It Fl f Ar offset
-Allows the IP offset field in the IP header to be set to an arbitrary
-value, which can be specified in decimal or hexadecimal.
-.It Fl g Ar gateway
-Specify the hostname of the gateway through which to route packets. This
-is required whenever the destination host isn't directly attached to the
-same network as the host from which you're sending.
-.It Fl i Ar interface
-Set the interface name to be the name supplied.
-.It Fl m Ar MTU
-Specify the MTU to be used when sending out packets. This option allows you
-to set a fake MTU, allowing the simulation of network interfaces with small
-MTU's without setting them so.
-.It Fl o Ar option
-Specify options to be included at the end of the IP header. An EOL option
-is automatically appended and need not be given. If an option would also
-have data associated with it (source as an IP number for a lsrr option), then
-this will not be initialised.
-.It Fl s Ar source
-Set the source address in the packet to that provided - maybe either a
-hostname or IP number.
-.It Fl t Ar dest.port
-Set the destination port for TCP/UDP packets.
-.It Fl w Ar window
-Set the window size for TCP packets.
-.It Fl I
-Set the protocol to ICMP.
-.It Fl P
-Set the protocol to the value given. If the parameter is a name, the name
-is looked up in the
-.Pa /etc/protocols
-file.
-.It Fl T
-Set the protocol to TCP.
-.It Fl U
-Set the protocol to UDP.
-.It Fl v
-Enable verbose mode.
-.El
-.Sh SEE ALSO
-.Xr ipsend 1
-.Xr ipresend 1
-.Xr iptest 1
-.Xr protocols 4
-.Xr bpf 4
-.Sh DIAGNOSTICS
-.Pp
-Needs to be run as root.
-.Sh BUGS
-.Pp
-If you find any, please send email to me at darrenr@cyber.com.au
diff --git a/usr.sbin/ipsend/ipsend/ipsend.5 b/usr.sbin/ipsend/ipsend/ipsend.5
deleted file mode 100644
index 89aee11281a..00000000000
--- a/usr.sbin/ipsend/ipsend/ipsend.5
+++ /dev/null
@@ -1,399 +0,0 @@
-.\" $OpenBSD: ipsend.5,v 1.5 2000/03/14 21:31:36 aaron Exp $
-.TH IPSEND 5
-.SH NAME
-ipsend \- IP packet description language
-.SH DESCRIPTION
-The \fBipsend\fP program expects, with the \fB-L\fP option, input to be a
-text file which fits the grammar described below. The purpose of this
-grammar is to allow IP packets to be described in an arbitrary way which
-also allows encapsulation to be so done to an arbitrary level.
-.SH GRAMMAR
-.LP
-.nf
-line ::= iface | arp | send | defrouter | ipv4line .
-
-iface ::= ifhdr "{" ifaceopts "}" ";" .
-ifhdr ::= "interface" | "iface" .
-ifaceopts ::= "ifname" name | "mtu" mtu | "v4addr" ipaddr |
- "eaddr" eaddr .
-
-send ::= "send" ";" | "send" "{" sendbodyopts "}" ";" .
-sendbodyopts ::= sendbody [ sendbodyopts ] .
-sendbody ::= "ifname" name | "via" ipaddr .
-
-defrouter ::= "router" ipaddr .
-
-arp ::= "arp" "{" arpbodyopts "}" ";" .
-arpbodyopts ::= arpbody [ arpbodyopts ] .
-arpbody ::= "v4addr" ipaddr | "eaddr" eaddr .
-
-bodyline ::= ipv4line | tcpline | udpline | icmpline | dataline .
-
-ipv4line ::= "ipv4" "{" ipv4bodyopts "}" ";" .
-ipv4bodyopts ::= ipv4body [ ipv4bodyopts ] | bodyline .
-ipv4body ::= "proto" protocol | "src" ipaddr | "dst" ipaddr |
- "off" number | "v" number | "hl" number| "id" number |
- "ttl" number | "tos" number | "sum" number | "len" number |
- "opt" "{" ipv4optlist "}" ";" .
-ipv4optlist ::= ipv4option [ ipv4optlist ] .
-ipv4optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
- "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" |
- "ssrr" | "addext" | "visa" | "imitd" | "eip" | "finn" |
- "secclass" ipv4secclass.
-ipv4secclass := "unclass" | "confid" | "reserv-1" | "reserv-2" |
- "reserv-3" | "reserv-4" | "secret" | "topsecret" .
-
-tcpline ::= "tcp" "{" tcpbodyopts "}" ";" .
-tcpbodyopts ::= tcpbody [ tcpbodyopts ] | bodyline .
-tcpbody ::= "sport" port | "dport" port | "seq" number | "ack" number |
- "off" number | "urp" number | "win" number | "sum" number |
- "flags" tcpflags | data .
-
-udpline ::= "udp" "{" udpbodyopts "}" ";" .
-udpbodyopts ::= udpbody [ udpbodyopts ] | bodyline .
-udpbody ::= "sport" port | "dport" port | "len" number | "sum" number |
- data .
-
-icmpline ::= "icmp" "{" icmpbodyopts "}" ";" .
-icmpbodyopts ::= icmpbody [ icmpbodyopts ] | bodyline .
-icmpbody ::= "type" icmptype [ "code" icmpcode ] .
-icmptype ::= "echorep" | "echorep" "{" echoopts "}" ";" | "unreach" |
- "unreach" "{" unreachtype "}" ";" | "squench" | "redir" |
- "redir" "{" redirtype "}" ";" | "echo" "{" echoopts "}" ";" |
- "echo" | "routerad" | "routersol" | "timex" |
- "timex" "{" timextype "}" ";" | "paramprob" |
- "paramprob" "{" parapptype "}" ";" | "timest" | "timestrep" |
- "inforeq" | "inforep" | "maskreq" | "maskrep" .
-
-echoopts ::= echoopts [ icmpechoopts ] .
-unreachtype ::= "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
- "filter-prohib" | "host-preced" | "cutoff-preced" .
-redirtype ::= "net-redir" | "host-redir" | "tos-net-redir" |
- "tos-host-redir" .
-timextype ::= "intrans" | "reass" .
-paramptype ::= "optabsent" .
-
-data ::= "data" "{" databodyopts "}" ";" .
-databodyopts ::= "len" number | "value" string | "file" filename .
-
-icmpechoopts ::= "icmpseq" number | "icmpid" number .
-.fi
-.SH COMMANDS
-.PP
-Before sending any packets or defining any packets, it is necessary to
-describe the interface(s) which will be used to send packets out.
-.TP
-.B interface
-is used to describe a network interface. The description included need
-not match the actual configuration currently employed by the operating
-system.
-.TP
-.B send
-is used to actually send out a packet across the network. If the
-destination is not specified, it will attempt to send the packet
-directly out on the network to the destination without routing it.
-.TP
-.B router
-configures the default router for ipsend, as distinct from the default
-route installed in the kernel.
-.TP
-.B ipv4
-is used to describe an IP (version 4) packet. IP header fields can be
-specified, including options, followed by a data section which may contain
-further protocol headers.
-.SH IPV4
-.TP
-.B hl <number>
-manually specifies the IP header length (automatically adjusts with the
-presence of IP options and defaults to 5);
-.TP
-.B v <number>
-set the IP version. Default is 4.
-.TP
-.B tos <number>
-set the type of service (TOS) field in the IP header. Default is 0.
-.TP
-.B len <number>
-manually specifies the length of the IP packet. The length will automatically
-be adjusted to accomodate data or further protocol headers.
-.TP
-.B off <number>
-sets the fragment offset field of the IP packet. Default is 0.
-.TP
-.B ttl <number>
-sets the time to live (TTL) field of the IP header. Default is 60.
-.TP
-.B proto <protocol>
-sets the protocol field of the IP header. The protocol can either be a
-number or a name found in \fB/etc/protocols\fP.
-.TP
-.B sum
-manually specifies the checksum for the IP header. If left unset (0), it
-will be calculated prior to being sent.
-.TP
-.B src
-manually specifies the source address of the IP header. If left unset, it
-will default to the host's IP address.
-.TP
-.B dst
-sets the destination of the IP packet. The default is 0.0.0.0.
-.TP
-.B opt
-is used to include IP options in the IP header.
-.TP
-.B tcp
-is used to indicate the a TCP protocol header is to follow. See the \fBTCP\fP
-section for TCP header options.
-.TP
-.B udp
-is used to indicate the a UDP protocol header is to follow. See the \fBUDP\fP
-section for UDP header options.
-.TP
-.B icmp
-is used to indicate the a ICMP protocol header is to follow. See the
-\fBICMP\fP section for ICMP header options.
-.TP
-.B data
-is used to indicate that raw data is to be included in the IP packet. See the
-\fBDATA\fP section for details on options available.
-.SH "IPv4 Options"
-these keywords indicate that the releveant IP option should be added to the
-IP header (the header length field will be adjusted appropriately).
-.TP
-.B nop
-No Operation [RFC 791] (space filler).
-.TP
-.B rr <number>
-Record Router [RFC 791]. The number given specifies the number of
-\fBbytes\fP to be used for storage. This should be a multiple of 4 for
-proper operation.
-.TP
-.B zsu
-Experimental Measurement.
-.TP
-.B mtup [RFC 1191].
-MTU Probe.
-.TP
-.B mtur [RFC 1191].
-MTU Ready.
-.TP
-.B encode
-.TP
-.B ts
-Timestamp [RFC 791].
-.TP
-.B tr
-Traceroute [RFC 1393].
-.TP
-.B "sec-class <security-level>, sec"
-Security [RFC 1108]. This option specifies the security label for the packet.
-Using \fBsec\fP sets up the framework of the security option but unless
-\fBsec-class\fP is given, the level may not be set.
-.TP
-.B "lsrr <ip-address>"
-Loose Source Route [RFC 791].
-.TP
-.B e-sec
-Extended Security [RFC 1108].
-.TP
-.B cipso
-Commercial Security.
-.TP
-.B satid
-Stream ID [RFC 791].
-.TP
-.B "ssrr <ip-address>"
-Strict Source Route [RFC 791].
-.TP
-.B addext
-Address Extension
-.TP
-.B visa
-Expermental Access Control.
-.TP
-.B imitd
-IMI Traffic Descriptor.
-.TP
-.B eip
-[RFC 1358].
-.TP
-.B finn
-Experimental Flow Control.
-.SH TCP
-.TP
-.B sport <port>
-sets the source port to the number/name given. Default is 0.
-.TP
-.B dport <port>
-sets the destination port to the number/name given. Default is 0.
-.TP
-.B seq <number>
-sets the sequence number to the number specified. Default is 0.
-.TP
-.B ack <number>
-sets the acknowledge number to the number specified. Default is 0.
-.TP
-.B off <number>
-sets the offset value for the start of data to the number specified. This
-implies the size of the TCP header. It is automatically adjusted if TCP
-options are included and defaults to 5.
-.TP
-.B urp <number>
-sets the value of the urgent data pointer to the number specified. Default
-is 0.
-.TP
-.B win <number>
-sets the size of the TCP window to the number specified. Default is 4096.
-.TP
-.B sum <number>
-manually specifies the checksum for the TCP pseudo-header and data. If left
-unset, it defaults to 0 and is automatically calculated.
-.TP
-.B flags <tcp-flags>
-sets the TCP flags field to match the flags specified. Valid flags are
-"S" (SYN), "A" (ACK), "R" (RST), "F" (FIN), "U" (URG), "P" (PUSH).
-.TP
-.B opt
-indicates that TCP header options follow. As TCP options are added to the
-TCP header, the \fBoff\fP field is updated to match.
-.TP
-.B data
-indicates that a data section is to follow and is to be included as raw
-data, being appended to the header.
-.SH "TCP options"
-With a TCP header, it is possible to append a number of header options.
-The TCP header offset will be updated automatically to reflect the change
-in size. The valid options are: \fBnop\fP No Operation,
-\fBeol\fP End Of (option) List, \fBmss [ size ]\fP Maximum Segment Size - this
-sets the maximum receivable size of a packet containing data,
-\fBwscale\fP Window Scale, \fBts\fP Timestamp.
-.SH UDP
-.TP
-.B sport <port>
-sets the source port to the number/name given. Default is 0.
-.TP
-.B dport <port>
-sets the destination port to the number/name given. Default is 0.
-.TP
-.B len <number>
-manually specifies the length of the UDP header and data. If left unset,
-it is automatically adjusted to match the header presence and any data if
-present.
-.TP
-.B sum <number>
-manually specifies the checksum for the UDP pseudo-header and data. If left
-unset, it defaults to 0 and is automatically calculated.
-.TP
-.B data
-indicates that a data section is to follow and is to be included as raw
-data, being appended to the header.
-.SH ICMP
-.TP
-.B type <icmptype>
-sets the ICMP type according the to the icmptype tag. This may either be
-a number or one of the recognised tags (see the \fBICMP TYPES\fP section for a
-list of names recognised).
-.TP
-.B code <icmpcode>
-sets the ICMP code.
-.TP
-.B data
-indicates that a data section is to follow and is to be included as raw
-data, being appended to the header.
-.SH DATA
-Each of the following extend the packet in a different way. \fBLen\fP just
-increases the length (without adding any content), \fBvalue\fP uses a string
-and \fBfile\fP a file.
-.TP
-.B len <number>
-extend the length of the packet by \fBnumber\fP bytes (without filling those
-bytes with any particular data).
-.TP
-.B value <string>
-indicates that the string provided should be added to the current packet as
-data. A string may be a consecutive list of characters and numbers (with
-no whitespace) or bounded by "'s (may not contain them, even if \\'d).
-The \\ character is recognised with the appropriate C escaped values, including
-octal numbers.
-.TP
-.B file <filename>
-reads data in from the specified file and appends it to the current packet.
-If the new total length would exceed 64k, an error will be reported.
-.SH "ICMP TYPES"
-.TP
-.B echorep
-Eecho Reply.
-.TP
-.B "unreach [ unreachable-code ]"
-Generic Unreachable error. This is used to indicate that an error has
-occurred whilst trying to send the packet across the network and that the
-destination cannot be reached. The unreachable code names are:
-\fBnet-unr\fP network unreachable, \fBhost-unr\fP host unreachable,
-\fBproto-unr\fP protocol unreachable, \fBport-unr\fP port unreachable,
-\fBneedfrag\fP, \fBsrcfail\fP source route failed,
-\fBnet-unk\fP network unknown, \fBhost-unk\fP host unknown,
-\fBisolate\fP, \fBnet-prohib\fP administratively prohibited contact with
-network,
-\fBhost-prohib\fP administratively prohibited contact with host,
-\fBnet-tos\fP network unreachable with given TOS,
-\fBhost-tos\fP host unreachable with given TOS,
-\fBfilter-prohib\fP packet prohibited by packet filter,
-\fBhost-preced\fP,
-\fBcutoff-preced\fP.
-.TP
-.B squench
-Source Quence.
-.TP
-.B "redir [ redirect-code ]"
-Redirect (routing). This is used to indicate that the route being chosen
-for forwarding the packet is suboptimal and that the sender of the packet
-should be routing packets via another route. The redirect code names are:
-\fBnet-redir\fP redirect packets for a network,
-\fBhost-redir\fP redirect packets for a host,
-\fBtos-net-redir\fP redirect packets for a network with a given TOS,
-\fBtos-host-redir\fP redirect packets for a host with a given TOS.
-.TP
-.B echo
-Echo.
-.TP
-.B routerad
-Router Advertisment.
-.TP
-.B routersol
-Router solicitation.
-.TP
-.B "timex [ timexceed-code ]"
-Time Exceeded. This is used to indicate that the packet failed to reach the
-destination because it was in transit too long (i.e., ttl reached 0). The
-valid code names are: \fBintrans\fP,
-\fBreass\fP could not reassemble packet from fragments within a given time.
-.TP
-.B "paramprob [ paramprob-code ]"
-Parameter problem. There is only one available parameter problem code name:
-\fBoptabsent\fP.
-.TP
-.B timest
-Time stamp request.
-.TP
-.B "timestrep [ { timestamp-code } ]"
-Time stamp reply. In a timestamp reply, it is possible to supply the
-following values: \fBrtime\fP, \fBotime\fP, \fBttime\fP.
-.TP
-.B inforeq
-Information request.
-.TP
-.B inforep
-Information reply.
-.TP
-.B maskreq
-Address mask request.
-.TP
-.B maskrep
-Address mask reply.
-.SH FILES
-/etc/protocols
-/etc/services
-/etc/hosts
-.SH SEE ALSO
diff --git a/usr.sbin/ipsend/ipsend/ipsend.c b/usr.sbin/ipsend/ipsend/ipsend.c
deleted file mode 100644
index 43eedf46dbe..00000000000
--- a/usr.sbin/ipsend/ipsend/ipsend.c
+++ /dev/null
@@ -1,402 +0,0 @@
-/* $OpenBSD: ipsend.c,v 1.7 2001/01/17 06:01:26 fgsch Exp $ */
-
-/*
- * ipsend.c (C) 1995-1998 Darren Reed
- *
- * This was written to test what size TCP fragments would get through
- * various TCP/IP packet filters, as used in IP firewalls. In certain
- * conditions, enough of the TCP header is missing for unpredictable
- * results unless the filter is aware that this can happen.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ipsend.c,v 2.2 1999/12/04 03:37:05 darrenr Exp $";
-#endif
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <netdb.h>
-#include <string.h>
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include "ipsend.h"
-#include "ipf.h"
-
-
-extern char *optarg;
-extern int optind;
-extern void iplang __P((FILE *));
-
-char options[68];
-int opts;
-#ifdef linux
-char default_device[] = "eth0";
-#else
-# ifdef sun
-char default_device[] = "le0";
-# else
-# ifdef ultrix
-char default_device[] = "ln0";
-# else
-# ifdef __bsdi__
-char default_device[] = "ef0";
-# else
-# ifdef __sgi
-char default_device[] = "ec0";
-# else
-char default_device[] = "lan0";
-# endif
-# endif
-# endif
-# endif
-#endif
-
-
-static void usage __P((char *));
-static void do_icmp __P((ip_t *, char *));
-int main __P((int, char **));
-
-
-static void usage(prog)
-char *prog;
-{
- fprintf(stderr, "Usage: %s [options] dest [flags]\n\
-\toptions:\n\
-\t\t-d\tdebug mode\n\
-\t\t-i device\tSend out on this device\n\
-\t\t-f fragflags\tcan set IP_MF or IP_DF\n\
-\t\t-g gateway\tIP gateway to use if non-local dest.\n\
-\t\t-I code,type[,gw[,dst[,src]]]\tSet ICMP protocol\n\
-\t\t-m mtu\t\tfake MTU to use when sending out\n\
-\t\t-P protocol\tSet protocol by name\n\
-\t\t-s src\t\tsource address for IP packet\n\
-\t\t-T\t\tSet TCP protocol\n\
-\t\t-t port\t\tdestination port\n\
-\t\t-U\t\tSet UDP protocol\n\
-\t\t-v\tverbose mode\n\
-\t\t-w <window>\tSet the TCP window size\n\
-", prog);
- fprintf(stderr, "Usage: %s [-dv] -L <filename>\n\
-\toptions:\n\
-\t\t-d\tdebug mode\n\
-\t\t-L filename\tUse IP language for sending packets\n\
-\t\t-v\tverbose mode\n\
-", prog);
- exit(1);
-}
-
-
-static void do_icmp(ip, args)
-ip_t *ip;
-char *args;
-{
- struct icmp *ic;
- char *s;
-
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_len += sizeof(*ic);
- ic = (struct icmp *)(ip + 1);
- bzero((char *)ic, sizeof(*ic));
- if (!(s = strchr(args, ',')))
- {
- fprintf(stderr, "ICMP args missing: ,\n");
- return;
- }
- *s++ = '\0';
- ic->icmp_type = atoi(args);
- ic->icmp_code = atoi(s);
- if (ic->icmp_type == ICMP_REDIRECT && strchr(s, ','))
- {
- char *t;
-
- t = strtok(s, ",");
- t = strtok(NULL, ",");
- if (resolve(t, (char *)&ic->icmp_gwaddr) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", t);
- exit(2);
- }
- if ((t = strtok(NULL, ",")))
- {
- if (resolve(t, (char *)&ic->icmp_ip.ip_dst) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", t);
- exit(2);
- }
- if ((t = strtok(NULL, ",")))
- {
- if (resolve(t,
- (char *)&ic->icmp_ip.ip_src) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", t);
- exit(2);
- }
- }
- }
- }
-}
-
-
-int send_packets(dev, mtu, ip, gwip)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-{
- u_short sport = 0;
- int wfd;
-
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- sport = ((struct tcpiphdr *)ip)->ti_sport;
- wfd = initdevice(dev, sport, 5);
-
- return send_packet(wfd, mtu, ip, gwip);
-}
-
-
-int main(argc, argv)
-int argc;
-char **argv;
-{
- FILE *langfile = NULL;
- struct tcpiphdr *ti;
- struct in_addr gwip;
- tcphdr_t *tcp;
- ip_t *ip;
- char *name = argv[0], host[MAXHOSTNAMELEN + 1];
- char *gateway = NULL, *dev = NULL;
- char *src = NULL, *dst, *s;
- int mtu = 1500, olen = 0, c, nonl = 0;
-
- /*
- * 65535 is maximum packet size...you never know...
- */
- ip = (ip_t *)calloc(1, 65536);
- ti = (struct tcpiphdr *)ip;
- tcp = (tcphdr_t *)&ti->ti_sport;
- ip->ip_len = sizeof(*ip);
- ip->ip_hl = sizeof(*ip) >> 2;
-
- while ((c = getopt(argc, argv, "I:L:P:TUdf:i:g:m:o:s:t:vw:")) != -1)
- switch (c)
- {
- case 'I' :
- nonl++;
- if (ip->ip_p)
- {
- fprintf(stderr, "Protocol already set: %d\n",
- ip->ip_p);
- break;
- }
- do_icmp(ip, optarg);
- break;
- case 'L' :
- if (nonl) {
- fprintf(stderr,
- "Incorrect usage of -L option.\n");
- usage(name);
- }
- if (!strcmp(optarg, "-"))
- langfile = stdin;
- else if (!(langfile = fopen(optarg, "r"))) {
- fprintf(stderr, "can't open file %s\n",
- optarg);
- exit(1);
- }
- iplang(langfile);
- return 0;
- case 'P' :
- {
- struct protoent *p;
-
- nonl++;
- if (ip->ip_p)
- {
- fprintf(stderr, "Protocol already set: %d\n",
- ip->ip_p);
- break;
- }
- if ((p = getprotobyname(optarg)))
- ip->ip_p = p->p_proto;
- else
- fprintf(stderr, "Unknown protocol: %s\n",
- optarg);
- break;
- }
- case 'T' :
- nonl++;
- if (ip->ip_p)
- {
- fprintf(stderr, "Protocol already set: %d\n",
- ip->ip_p);
- break;
- }
- ip->ip_p = IPPROTO_TCP;
- ip->ip_len += sizeof(tcphdr_t);
- break;
- case 'U' :
- nonl++;
- if (ip->ip_p)
- {
- fprintf(stderr, "Protocol already set: %d\n",
- ip->ip_p);
- break;
- }
- ip->ip_p = IPPROTO_UDP;
- ip->ip_len += sizeof(udphdr_t);
- break;
- case 'd' :
- opts |= OPT_DEBUG;
- break;
- case 'f' :
- nonl++;
- ip->ip_off = strtol(optarg, NULL, 0);
- break;
- case 'g' :
- nonl++;
- gateway = optarg;
- break;
- case 'i' :
- nonl++;
- dev = optarg;
- break;
- case 'm' :
- nonl++;
- mtu = atoi(optarg);
- if (mtu < 28)
- {
- fprintf(stderr, "mtu must be > 28\n");
- exit(1);
- }
- break;
- case 'o' :
- nonl++;
- olen = buildopts(optarg, options, (ip->ip_hl - 5) << 2);
- break;
- case 's' :
- nonl++;
- src = optarg;
- break;
- case 't' :
- nonl++;
- if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
- tcp->th_dport = htons(atoi(optarg));
- break;
- case 'v' :
- opts |= OPT_VERBOSE;
- break;
- case 'w' :
- nonl++;
- if (ip->ip_p == IPPROTO_TCP)
- tcp->th_win = atoi(optarg);
- else
- fprintf(stderr, "set protocol to TCP first\n");
- break;
- default :
- fprintf(stderr, "Unknown option \"%c\"\n", c);
- usage(name);
- }
-
- if (argc - optind < 1)
- usage(name);
- dst = argv[optind++];
-
- if (!src)
- {
- gethostname(host, sizeof(host));
- src = host;
- }
-
- if (resolve(src, (char *)&ip->ip_src) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", src);
- exit(2);
- }
-
- if (resolve(dst, (char *)&ip->ip_dst) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", dst);
- exit(2);
- }
-
- if (!gateway)
- gwip = ip->ip_dst;
- else if (resolve(gateway, (char *)&gwip) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", gateway);
- exit(2);
- }
-
- if (olen)
- {
- caddr_t ipo = (caddr_t)ip;
-
- printf("Options: %d\n", olen);
- ti = (struct tcpiphdr *)malloc(olen + ip->ip_len);
- bcopy((char *)ip, (char *)ti, sizeof(*ip));
- ip = (ip_t *)ti;
- ip->ip_hl = (olen >> 2);
- bcopy(options, (char *)(ip + 1), olen);
- bcopy((char *)tcp, (char *)(ip + 1) + olen, sizeof(*tcp));
- ip->ip_len += olen;
- bcopy((char *)ip, (char *)ipo, ip->ip_len);
- ip = (ip_t *)ipo;
- tcp = (tcphdr_t *)((char *)(ip + 1) + olen);
- }
-
- if (ip->ip_p == IPPROTO_TCP)
- for (s = argv[optind]; s && (c = *s); s++)
- switch(c)
- {
- case 'S' : case 's' :
- tcp->th_flags |= TH_SYN;
- break;
- case 'A' : case 'a' :
- tcp->th_flags |= TH_ACK;
- break;
- case 'F' : case 'f' :
- tcp->th_flags |= TH_FIN;
- break;
- case 'R' : case 'r' :
- tcp->th_flags |= TH_RST;
- break;
- case 'P' : case 'p' :
- tcp->th_flags |= TH_PUSH;
- break;
- case 'U' : case 'u' :
- tcp->th_flags |= TH_URG;
- break;
- }
-
- if (!dev)
- dev = default_device;
- printf("Device: %s\n", dev);
- printf("Source: %s\n", inet_ntoa(ip->ip_src));
- printf("Dest: %s\n", inet_ntoa(ip->ip_dst));
- printf("Gateway: %s\n", inet_ntoa(gwip));
- if (ip->ip_p == IPPROTO_TCP && tcp->th_flags)
- printf("Flags: %#x\n", tcp->th_flags);
- printf("mtu: %d\n", mtu);
-
-#ifdef DOSOCKET
- if (tcp->th_dport)
- return do_socket(dev, mtu, ti, gwip);
-#endif
- return send_packets(dev, mtu, (ip_t *)ti, gwip);
-}
diff --git a/usr.sbin/ipsend/ipsend/ipsopt.c b/usr.sbin/ipsend/ipsend/ipsopt.c
deleted file mode 100644
index f24b5b00cc4..00000000000
--- a/usr.sbin/ipsend/ipsend/ipsopt.c
+++ /dev/null
@@ -1,197 +0,0 @@
-/* $OpenBSD: ipsopt.c,v 1.3 2001/01/17 06:01:27 fgsch Exp $ */
-
-/*
- * Copyright (C) 1995-1998 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: ipsopt.c,v 2.1 1999/08/04 17:31:07 darrenr Exp $";
-#endif
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#include <netinet/tcp.h>
-#include <arpa/inet.h>
-#include "ipsend.h"
-
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-
-struct ipopt_names ionames[] = {
- { IPOPT_EOL, 0x01, 1, "eol" },
- { IPOPT_NOP, 0x02, 1, "nop" },
- { IPOPT_RR, 0x04, 3, "rr" }, /* 1 route */
- { IPOPT_TS, 0x08, 8, "ts" }, /* 1 TS */
- { IPOPT_SECURITY, 0x08, 11, "sec-level" },
- { IPOPT_LSRR, 0x10, 7, "lsrr" }, /* 1 route */
- { IPOPT_SATID, 0x20, 4, "satid" },
- { IPOPT_SSRR, 0x40, 7, "ssrr" }, /* 1 route */
- { 0, 0, 0, NULL } /* must be last */
-};
-
-struct ipopt_names secnames[] = {
- { IPOPT_SECUR_UNCLASS, 0x0100, 0, "unclass" },
- { IPOPT_SECUR_CONFID, 0x0200, 0, "confid" },
- { IPOPT_SECUR_EFTO, 0x0400, 0, "efto" },
- { IPOPT_SECUR_MMMM, 0x0800, 0, "mmmm" },
- { IPOPT_SECUR_RESTR, 0x1000, 0, "restr" },
- { IPOPT_SECUR_SECRET, 0x2000, 0, "secret" },
- { IPOPT_SECUR_TOPSECRET, 0x4000,0, "topsecret" },
- { 0, 0, 0, NULL } /* must be last */
-};
-
-
-u_short seclevel(slevel)
-char *slevel;
-{
- struct ipopt_names *so;
-
- for (so = secnames; so->on_name; so++)
- if (!strcasecmp(slevel, so->on_name))
- break;
-
- if (!so->on_name) {
- fprintf(stderr, "no such security level: %s\n", slevel);
- return 0;
- }
- return so->on_value;
-}
-
-
-int addipopt(op, io, len, class)
-char *op;
-struct ipopt_names *io;
-int len;
-char *class;
-{
- struct in_addr ipadr;
- int olen = len, srr = 0;
- u_short val;
- u_char lvl;
- char *s = op, *t;
-
- if ((len + io->on_siz) > 48) {
- fprintf(stderr, "options too long\n");
- return 0;
- }
- len += io->on_siz;
- *op++ = io->on_value;
- if (io->on_siz > 1) {
- /*
- * Allow option to specify RR buffer length in bytes.
- */
- if (io->on_value == IPOPT_RR) {
- val = (class && *class) ? atoi(class) : 4;
- *op++ = val + io->on_siz;
- len += val;
- } else
- *op++ = io->on_siz;
- *op++ = IPOPT_MINOFF;
-
- while (class && *class) {
- t = NULL;
- switch (io->on_value)
- {
- case IPOPT_SECURITY :
- lvl = seclevel(class);
- *(op - 1) = lvl;
- break;
- case IPOPT_LSRR :
- case IPOPT_SSRR :
- if ((t = strchr(class, ',')))
- *t = '\0';
- ipadr.s_addr = inet_addr(class);
- srr++;
- bcopy((char *)&ipadr, op, sizeof(ipadr));
- op += sizeof(ipadr);
- break;
- case IPOPT_SATID :
- val = atoi(class);
- bcopy((char *)&val, op, 2);
- break;
- }
-
- if (t)
- *t++ = ',';
- class = t;
- }
- if (srr)
- s[IPOPT_OLEN] = IPOPT_MINOFF - 1 + 4 * srr;
- if (io->on_value == IPOPT_RR)
- op += val;
- else
- op += io->on_siz - 3;
- }
- return len - olen;
-}
-
-
-u_32_t buildopts(cp, op, len)
-char *cp, *op;
-int len;
-{
- struct ipopt_names *io;
- u_32_t msk = 0;
- char *s, *t;
- int inc, lastop = -1;
-
- for (s = strtok(cp, ","); s; s = strtok(NULL, ",")) {
- if ((t = strchr(s, '=')))
- *t++ = '\0';
- for (io = ionames; io->on_name; io++) {
- if (strcasecmp(s, io->on_name) || (msk & io->on_bit))
- continue;
- lastop = io->on_value;
- if ((inc = addipopt(op, io, len, t))) {
- op += inc;
- len += inc;
- }
- msk |= io->on_bit;
- break;
- }
- if (!io->on_name) {
- fprintf(stderr, "unknown IP option name %s\n", s);
- return 0;
- }
- }
-
- if (len & 3) {
- while (len & 3) {
- *op++ = ((len & 3) == 3) ? IPOPT_EOL : IPOPT_NOP;
- len++;
- }
- } else {
- if (lastop != IPOPT_EOL) {
- if (lastop == IPOPT_NOP)
- *(op - 1) = IPOPT_EOL;
- else {
- *op++ = IPOPT_NOP;
- *op++ = IPOPT_NOP;
- *op++ = IPOPT_NOP;
- *op = IPOPT_EOL;
- len += 4;
- }
- }
- }
- return len;
-}
diff --git a/usr.sbin/ipsend/iptest/Makefile b/usr.sbin/ipsend/iptest/Makefile
deleted file mode 100644
index 829a0ca4690..00000000000
--- a/usr.sbin/ipsend/iptest/Makefile
+++ /dev/null
@@ -1,11 +0,0 @@
-# $OpenBSD: Makefile,v 1.2 1998/01/26 04:17:08 dgregor Exp $
-
-PROG= iptest
-BINDIR= /usr/sbin
-MAN= iptest.1
-SRCS= iptest.c iptests.c ip.c sbpf.c sock.c 44arp.c
-CFLAGS+= -DDOSOCKET -I${.CURDIR}/../common -I${.CURDIR}/../../ipftest \
- -I${.CURDIR}/../../../sys/netinet -I${.CURDIR}/../../../sbin/ipf
-.PATH: ${.CURDIR}/../common
-
-.include <bsd.prog.mk>
diff --git a/usr.sbin/ipsend/iptest/iptest.1 b/usr.sbin/ipsend/iptest/iptest.1
deleted file mode 100644
index a92913d9c4f..00000000000
--- a/usr.sbin/ipsend/iptest/iptest.1
+++ /dev/null
@@ -1,177 +0,0 @@
-.\" $OpenBSD: iptest.1,v 1.5 2000/04/12 21:47:53 aaron Exp $
-.Dd October 8, 1999
-.Dt IPTEST 1
-.Os
-.Sh NAME
-.Nm iptest
-.Nd automatically generate packets to test IP functionality
-.Sh SYNOPSIS
-.Nm iptest
-.Op Fl 1234567
-.Op Fl d Ar device
-.Op Fl g Ar gateway
-.Op Fl m Ar mtu
-.Op Fl p Ar pointtest
-.Op Fl s Ar src
-.Ar destination
-.Sh DESCRIPTION
-.Nm
-generates a series of IP packets to
-.Ar destination
-via
-.Ar gateway
-using the interface
-.Ar device .
-The packets generated test various aspects of IP functionality.
-.Pp
-By default all tests are done, using the interface
-.Sq lan0 .
-This interface does not normally exist on
-.Ox
-so an existing interface must be specified with the
-.Fl d
-option.
-To limit the tests to a single group or to a single test within a group the
-.Fl 1234567
-and
-.Fl p
-options are available. It is not possible to specify more than one
-test group or point test at a time.
-.Pp
-.Nm
-must be run as root.
-.Ss Options
-.Bl -tag -width "-r "
-.It Fl 1
-IP header tests. This group of tests generates packets with the IP
-header fields set to invalid values given other packet characteristics.
-The point tests are:
-.Pp
-.Bl -tag -width "10 " -compact -offset indent
-.It 1
-ip_hl < ip_len
-.It 2
-ip_hl > ip_len
-.It 3
-ip_v < 4
-.It 4
-ip_v > 4
-.It 5
-ip_len < packetsize, long packets
-.It 6
-ip_len > packet size, short packets
-.It 7
-Zero length fragments
-.It 8
-packet > 64k after reassembly
-.It 9
-IP offset with MSB set
-.It 10
-ttl variations
-.El
-.It Fl 2
-IP options tests. This group of tests generates packets with the IP
-options constructed with invalid values given other packet characteristics.
-The point tests are:
-.Pp
-.Bl -tag -compact -width "1 " -offset indent
-.It 1
-option length > packet length
-.It 2
-option length = 0
-.El
-.It Fl 3
-ICMP tests. This group of tests generates packets with the ICMP
-header fields set to non-standard values.
-The point tests are:
-.Pp
-.Bl -tag -compact -width "1 " -offset indent
-.It 1
-ICMP types 0-31 & 255
-.It 2
-type 3 & codes 0-31
-.It 3
-type 4 & codes 0, 127, 128, 255
-.It 4
-type 5 & codes 0, 127, 128, 255
-.It 5
-types 8-10, 13-18 with codes 0, 127, 128 and 255
-.It 6
-type 12 & codes 0, 127, 128, 129, 255
-.It 7
-type 3 & codes 9-10, 13-14 and 17-18 - shortened packets
-.El
-.It Fl 4
-UDP tests. This group of tests generates packets with the UDP
-header fields set to non-standard values. The point tests are:
-.Pp
-.Bl -tag -width "1 " -compact -offset indent
-.It 1
-UDP length > packet size
-.It 2
-UDP length < packetsize
-.It 3
-sport = 0, 1, 32767, 32768, 65535
-.It 4
-dport = 0, 1, 32767, 32768, 65535
-.It 5
-sizeof(struct ip) <= MTU <= sizeof(struct udphdr) + sizeof(struct ip)
-.El
-.It Fl 5
-TCP tests. This group of tests generates packets with the TCP
-header fields set to non-standard values. The point tests are:
-.Pp
-.Bl -tag -width "1 " -compact -offset indent
-.It 1
-TCP flags variations, all combinations
-.It 2
-seq = 0, 0x7fffffff, 0x8000000, 0xa0000000, 0xffffffff
-.It 3
-ack = 0, 0x7fffffff, 0x8000000, 0xa0000000, 0xffffffff
-.It 4
-SYN packet with window of 0, 32768, 65535
-.It 5
-set urgent pointer to 1, 0x7fff, 0x8000, 0xffff
-.It 6
-data offset
-.It 7
-sport = 0, 1, 32767, 32768, 65535
-.It 8
-dport = 0, 1, 32767, 32768, 65535
-.El
-.It Fl 6
-Overlapping fragments test. This test generates a large number of fragments in
-an attempt to exhaust the network buffers used for holding packets for later
-reassembly.
-.Pp
-WARNING: this may crash or cause serious performance degradation
-to the target host.
-.It Fl 7
-Random packets. This test generates 1024 random IP packets with only
-the IP version, checksum, length and IP offset field correct.
-.It Fl d Ar device
-Set the interface name to be the name supplied.
-.It Fl g Ar gateway
-Specify the hostname of the gateway through which to route packets. This
-is required whenever the destination host isn't directly attached to the
-same network as the host from which you're sending.
-.It Fl m Ar mtu
-Set the MTU used when sending out packets to
-.Ar mtu .
-This option lets you
-set a fake MTU, allowing the simulation of network interfaces with small
-MTU's.
-.It Fl p Ar pointtest
-Run point test
-.Ar pointtest
-of the test group.
-.It Fl s Ar src
-Specify the source address of the IP packets as
-.Ar src
-.El
-.Sh SEE ALSO
-.Xr ipsend 1 ,
-.Xr ipresend 1 ,
-.Xr bpf 4
-.Sh BUGS
-If you find any, please send email to me at darrenr@cyber.com.au
diff --git a/usr.sbin/ipsend/iptest/iptest.c b/usr.sbin/ipsend/iptest/iptest.c
deleted file mode 100644
index 4130925e6d4..00000000000
--- a/usr.sbin/ipsend/iptest/iptest.c
+++ /dev/null
@@ -1,227 +0,0 @@
-/* $OpenBSD: iptest.c,v 1.6 2001/01/17 06:11:15 fgsch Exp $ */
-
-/*
- * ipsend.c (C) 1995-1998 Darren Reed
- *
- * This was written to test what size TCP fragments would get through
- * various TCP/IP packet filters, as used in IP firewalls. In certain
- * conditions, enough of the TCP header is missing for unpredictable
- * results unless the filter is aware that this can happen.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: iptest.c,v 2.2 1999/12/04 03:37:05 darrenr Exp $";
-#endif
-#include <stdio.h>
-#include <netdb.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#ifndef linux
-#include <netinet/ip_var.h>
-#endif
-#ifdef linux
-#include <linux/sockios.h>
-#endif
-#include "ipsend.h"
-
-
-extern char *optarg;
-extern int optind;
-
-char options[68];
-#ifdef linux
-char default_device[] = "eth0";
-#else
-# ifdef sun
-char default_device[] = "le0";
-# else
-# ifdef ultrix
-char default_device[] = "ln0";
-# else
-# ifdef __bsdi__
-char default_device[] = "ef0";
-# else
-# ifdef __sgi
-char default_device[] = "ec0";
-# else
-char default_device[] = "lan0";
-# endif
-# endif
-# endif
-# endif
-#endif
-
-static void usage __P((char *));
-int main __P((int, char **));
-
-
-static void usage(prog)
-char *prog;
-{
- fprintf(stderr, "Usage: %s [options] dest\n\
-\toptions:\n\
-\t\t-d device\tSend out on this device\n\
-\t\t-g gateway\tIP gateway to use if non-local dest.\n\
-\t\t-m mtu\t\tfake MTU to use when sending out\n\
-\t\t-p pointtest\t\n\
-\t\t-s src\t\tsource address for IP packet\n\
-\t\t-1 \t\tPerform test 1 (IP header)\n\
-\t\t-2 \t\tPerform test 2 (IP options)\n\
-\t\t-3 \t\tPerform test 3 (ICMP)\n\
-\t\t-4 \t\tPerform test 4 (UDP)\n\
-\t\t-5 \t\tPerform test 5 (TCP)\n\
-\t\t-6 \t\tPerform test 6 (overlapping fragments)\n\
-\t\t-7 \t\tPerform test 7 (random packets)\n\
-", prog);
- exit(1);
-}
-
-
-int main(argc, argv)
-int argc;
-char **argv;
-{
- struct tcpiphdr *ti;
- struct in_addr gwip;
- ip_t *ip;
- char *name = argv[0], host[MAXHOSTNAMELEN + 1];
- char *gateway = NULL, *dev = NULL;
- char *src = NULL, *dst;
- int mtu = 1500, tests = 0, pointtest = 0, c;
-
- /*
- * 65535 is maximum packet size...you never know...
- */
- ip = (ip_t *)calloc(1, 65536);
- ti = (struct tcpiphdr *)ip;
- ip->ip_len = sizeof(*ip);
- ip->ip_hl = sizeof(*ip) >> 2;
-
- while ((c = getopt(argc, argv, "1234567d:g:m:p:s:")) != -1)
- switch (c)
- {
- case '1' :
- case '2' :
- case '3' :
- case '4' :
- case '5' :
- case '6' :
- case '7' :
- tests = c - '0';
- break;
- case 'd' :
- dev = optarg;
- break;
- case 'g' :
- gateway = optarg;
- break;
- case 'm' :
- mtu = atoi(optarg);
- if (mtu < 28)
- {
- fprintf(stderr, "mtu must be > 28\n");
- exit(1);
- }
- break;
- case 'p' :
- pointtest = atoi(optarg);
- break;
- case 's' :
- src = optarg;
- break;
- default :
- fprintf(stderr, "Unknown option \"%c\"\n", c);
- usage(name);
- }
-
- if ((argc <= optind) || !argv[optind])
- usage(name);
- dst = argv[optind++];
-
- if (!src)
- {
- gethostname(host, sizeof(host));
- host[sizeof(host) - 1] = '\0';
- src = host;
- }
-
- if (resolve(dst, (char *)&ip->ip_dst) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", dst);
- exit(2);
- }
-
- if (resolve(src, (char *)&ip->ip_src) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", src);
- exit(2);
- }
-
- if (!gateway)
- gwip = ip->ip_dst;
- else if (resolve(gateway, (char *)&gwip) == -1)
- {
- fprintf(stderr,"Cant resolve %s\n", gateway);
- exit(2);
- }
-
-
- if (!dev)
- dev = default_device;
- printf("Device: %s\n", dev);
- printf("Source: %s\n", inet_ntoa(ip->ip_src));
- printf("Dest: %s\n", inet_ntoa(ip->ip_dst));
- printf("Gateway: %s\n", inet_ntoa(gwip));
- printf("mtu: %d\n", mtu);
-
- switch (tests)
- {
- case 1 :
- ip_test1(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- case 2 :
- ip_test2(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- case 3 :
- ip_test3(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- case 4 :
- ip_test4(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- case 5 :
- ip_test5(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- case 6 :
- ip_test6(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- case 7 :
- ip_test7(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- default :
- ip_test1(dev, mtu, (ip_t *)ti, gwip, pointtest);
- ip_test2(dev, mtu, (ip_t *)ti, gwip, pointtest);
- ip_test3(dev, mtu, (ip_t *)ti, gwip, pointtest);
- ip_test4(dev, mtu, (ip_t *)ti, gwip, pointtest);
- ip_test5(dev, mtu, (ip_t *)ti, gwip, pointtest);
- ip_test6(dev, mtu, (ip_t *)ti, gwip, pointtest);
- ip_test7(dev, mtu, (ip_t *)ti, gwip, pointtest);
- break;
- }
- return 0;
-}
diff --git a/usr.sbin/ipsend/iptest/iptests.c b/usr.sbin/ipsend/iptest/iptests.c
deleted file mode 100644
index 5148ca1a6c3..00000000000
--- a/usr.sbin/ipsend/iptest/iptests.c
+++ /dev/null
@@ -1,1341 +0,0 @@
-/* $OpenBSD: iptests.c,v 1.3 2001/01/17 06:01:27 fgsch Exp $ */
-
-/*
- * Copyright (C) 1993-1998 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$IPFilter: iptests.c,v 2.1 1999/08/04 17:31:09 darrenr Exp $";
-#endif
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/param.h>
-#define _KERNEL
-#define KERNEL
-#if !defined(solaris) && !defined(linux) && !defined(__sgi)
-# include <sys/file.h>
-#else
-# ifdef solaris
-# include <sys/dditypes.h>
-# endif
-#endif
-#undef _KERNEL
-#undef KERNEL
-#if !defined(solaris) && !defined(linux) && !defined(__sgi)
-# include <nlist.h>
-# include <sys/user.h>
-# include <sys/proc.h>
-#endif
-#if !defined(ultrix) && !defined(hpux) && !defined(linux) && !defined(__sgi)
-# include <kvm.h>
-#endif
-#ifndef ultrix
-# include <sys/socket.h>
-#endif
-#if defined(solaris)
-# include <sys/stream.h>
-#endif
-#include <sys/socketvar.h>
-#ifdef sun
-#include <sys/systm.h>
-#include <sys/session.h>
-#endif
-#if BSD >= 199103
-# include <sys/sysctl.h>
-# include <sys/filedesc.h>
-# include <paths.h>
-#endif
-#include <netinet/in_systm.h>
-#include <sys/socket.h>
-#include <net/if.h>
-#if defined(linux) && (LINUX >= 0200)
-# include <asm/atomic.h>
-#endif
-#if !defined(linux)
-# include <net/route.h>
-#else
-# define __KERNEL__ /* because there's a macro not wrapped by this */
-# include <net/route.h> /* in this file :-/ */
-#endif
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netinet/ip.h>
-#include <netinet/tcp.h>
-#include <netinet/udp.h>
-#include <netinet/ip_icmp.h>
-#ifndef linux
-# include <netinet/ip_var.h>
-# include <netinet/in_pcb.h>
-# include <netinet/tcp_timer.h>
-# include <netinet/tcp_var.h>
-#endif
-#if defined(__SVR4) || defined(__svr4__) || defined(__sgi)
-# include <sys/sysmacros.h>
-#endif
-#include "ipsend.h"
-
-
-#define PAUSE() tv.tv_sec = 0; tv.tv_usec = 10000; \
- (void) select(0, NULL, NULL, NULL, &tv)
-
-
-void ip_test1(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
- struct timeval tv;
- udphdr_t *u;
- int nfd, i = 0, len, id = getpid();
-
- ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_v = IPVERSION;
- ip->ip_tos = 0;
- ip->ip_off = 0;
- ip->ip_ttl = 60;
- ip->ip_p = IPPROTO_UDP;
- ip->ip_sum = 0;
- u = (udphdr_t *)(ip + 1);
- u->uh_sport = htons(1);
- u->uh_dport = htons(9);
- u->uh_sum = 0;
- u->uh_ulen = htons(sizeof(*u) + 4);
- ip->ip_len = sizeof(*ip) + ntohs(u->uh_ulen);
- len = ip->ip_len;
- nfd = initdevice(dev, u->uh_sport, 1);
-
- if (!ptest || (ptest == 1)) {
- /*
- * Part1: hl < len
- */
- ip->ip_id = 0;
- printf("1.1. sending packets with ip_hl < ip_len\n");
- for (i = 0; i < ((sizeof(*ip) + ntohs(u->uh_ulen)) >> 2); i++) {
- ip->ip_hl = i >> 2;
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 2)) {
- /*
- * Part2: hl > len
- */
- ip->ip_id = 0;
- printf("1.2. sending packets with ip_hl > ip_len\n");
- for (; i < ((sizeof(*ip) * 2 + ntohs(u->uh_ulen)) >> 2); i++) {
- ip->ip_hl = i >> 2;
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 3)) {
- /*
- * Part3: v < 4
- */
- ip->ip_id = 0;
- printf("1.3. ip_v < 4\n");
- ip->ip_hl = sizeof(*ip) >> 2;
- for (i = 0; i < 4; i++) {
- ip->ip_v = i;
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 4)) {
- /*
- * Part4: v > 4
- */
- ip->ip_id = 0;
- printf("1.4. ip_v > 4\n");
- for (i = 5; i < 16; i++) {
- ip->ip_v = i;
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 5)) {
- /*
- * Part5: len < packet
- */
- ip->ip_id = 0;
- ip->ip_v = IPVERSION;
- i = ip->ip_len + 1;
- printf("1.5.0 ip_len < packet size (size++, long packets)\n");
- for (; i < (ip->ip_len * 2); i++) {
- ip->ip_id = htons(id++);
- ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
- (void) send_ether(nfd, (char *)ip, i, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- printf("1.5.1 ip_len < packet size (ip_len-, short packets)\n");
- for (i = len; i > 0; i--) {
- ip->ip_id = htons(id++);
- ip->ip_len = i;
- ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
- (void) send_ether(nfd, (char *)ip, len, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 6)) {
- /*
- * Part6: len > packet
- */
- ip->ip_id = 0;
- printf("1.6.0 ip_len > packet size (increase ip_len)\n");
- for (i = len + 1; i < (len * 2); i++) {
- ip->ip_id = htons(id++);
- ip->ip_len = i;
- ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
- (void) send_ether(nfd, (char *)ip, len, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- ip->ip_len = len;
- printf("1.6.1 ip_len > packet size (size--, short packets)\n");
- for (i = len; i > 0; i--) {
- ip->ip_id = htons(id++);
- ip->ip_sum = 0;
- ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2);
- (void) send_ether(nfd, (char *)ip, i, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 7)) {
- /*
- * Part7: 0 length fragment
- */
- printf("1.7.0 Zero length fragments (ip_off = 0x2000)\n");
- ip->ip_id = 0;
- ip->ip_len = sizeof(*ip);
- ip->ip_off = htons(IP_MF);
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("1.7.1 Zero length fragments (ip_off = 0x3000)\n");
- ip->ip_id = 0;
- ip->ip_len = sizeof(*ip);
- ip->ip_off = htons(IP_MF);
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("1.7.2 Zero length fragments (ip_off = 0xa000)\n");
- ip->ip_id = 0;
- ip->ip_len = sizeof(*ip);
- ip->ip_off = htons(0xa000);
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("1.7.3 Zero length fragments (ip_off = 0x0100)\n");
- ip->ip_id = 0;
- ip->ip_len = sizeof(*ip);
- ip->ip_off = htons(0x0100);
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
- }
-
- if (!ptest || (ptest == 8)) {
- struct timeval tv;
-
- gettimeofday(&tv, NULL);
- srand(tv.tv_sec ^ getpid() ^ tv.tv_usec);
- /*
- * Part8.1: 63k packet + 1k fragment at offset 0x1ffe
- * Mark it as being ICMP (so it doesn't get junked), but
- * don't bother about the ICMP header, we're not worrying
- * about that here.
- */
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_off = htons(IP_MF);
- u->uh_dport = htons(9);
- ip->ip_id = htons(id++);
- printf("1.8.1 63k packet + 1k fragment at offset 0x1ffe\n");
- ip->ip_len = 768 + 20 + 8;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
-
- ip->ip_len = MIN(768 + 20, mtu - 68);
- i = 512;
- for (; i < (63 * 1024 + 768); i += 768) {
- ip->ip_off = htons(IP_MF | (i >> 3));
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- ip->ip_len = 896 + 20;
- ip->ip_off = htons(i >> 3);
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- putchar('\n');
- fflush(stdout);
-
- /*
- * Part8.2: 63k packet + 1k fragment at offset 0x1ffe
- * Mark it as being ICMP (so it doesn't get junked), but
- * don't bother about the ICMP header, we're not worrying
- * about that here. (Lossage here)
- */
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_off = htons(IP_MF);
- u->uh_dport = htons(9);
- ip->ip_id = htons(id++);
- printf("1.8.2 63k packet + 1k fragment at offset 0x1ffe\n");
- ip->ip_len = 768 + 20 + 8;
- if ((rand() & 0x1f) != 0) {
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- } else
- printf("skip 0\n");
-
- ip->ip_len = MIN(768 + 20, mtu - 68);
- i = 512;
- for (; i < (63 * 1024 + 768); i += 768) {
- ip->ip_off = htons(IP_MF | (i >> 3));
- if ((rand() & 0x1f) != 0) {
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- } else
- printf("skip %d\n", i);
- fflush(stdout);
- PAUSE();
- }
- ip->ip_len = 896 + 20;
- ip->ip_off = htons(i >> 3);
- if ((rand() & 0x1f) != 0) {
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- } else
- printf("skip\n");
- putchar('\n');
- fflush(stdout);
-
- /*
- * Part8.3: 33k packet - test for not dealing with -ve length
- * Mark it as being ICMP (so it doesn't get junked), but
- * don't bother about the ICMP header, we're not worrying
- * about that here.
- */
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_off = htons(IP_MF);
- u->uh_dport = htons(9);
- ip->ip_id = htons(id++);
- printf("1.8.3 33k packet\n");
- ip->ip_len = 768 + 20 + 8;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
-
- ip->ip_len = MIN(768 + 20, mtu - 68);
- i = 512;
- for (; i < (32 * 1024 + 768); i += 768) {
- ip->ip_off = htons(IP_MF | (i >> 3));
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- ip->ip_len = 896 + 20;
- ip->ip_off = htons(i >> 3);
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- printf("%d\r", i);
- putchar('\n');
- fflush(stdout);
- }
-
- ip->ip_len = len;
- ip->ip_off = 0;
- if (!ptest || (ptest == 9)) {
- /*
- * Part9: off & 0x8000 == 0x8000
- */
- ip->ip_id = 0;
- ip->ip_off = htons(0x8000);
- printf("1.9. ip_off & 0x8000 == 0x8000\n");
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
- }
-
- ip->ip_off = 0;
-
- if (!ptest || (ptest == 10)) {
- /*
- * Part10: ttl = 255
- */
- ip->ip_id = 0;
- ip->ip_ttl = 255;
- printf("1.10.0 ip_ttl = 255\n");
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- ip->ip_ttl = 128;
- printf("1.10.1 ip_ttl = 128\n");
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- ip->ip_ttl = 0;
- printf("1.10.2 ip_ttl = 0\n");
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
- }
-
- (void) close(nfd);
-}
-
-
-void ip_test2(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
- struct timeval tv;
- int nfd;
- u_char *s;
-
- s = (u_char *)(ip + 1);
- nfd = initdevice(dev, htons(1), 1);
-
- ip->ip_hl = 6;
- ip->ip_len = ip->ip_hl << 2;
- s[IPOPT_OPTVAL] = IPOPT_NOP;
- s++;
- if (!ptest || (ptest == 1)) {
- /*
- * Test 1: option length > packet length,
- * header length == packet length
- */
- s[IPOPT_OPTVAL] = IPOPT_TS;
- s[IPOPT_OLEN] = 4;
- s[IPOPT_OFFSET] = IPOPT_MINOFF;
- ip->ip_p = IPPROTO_IP;
- printf("2.1 option length > packet length\n");
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
- }
-
- ip->ip_hl = 7;
- ip->ip_len = ip->ip_hl << 2;
- if (!ptest || (ptest == 1)) {
- /*
- * Test 2: options have length = 0
- */
- printf("2.2.1 option length = 0, RR\n");
- s[IPOPT_OPTVAL] = IPOPT_RR;
- s[IPOPT_OLEN] = 0;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("2.2.2 option length = 0, TS\n");
- s[IPOPT_OPTVAL] = IPOPT_TS;
- s[IPOPT_OLEN] = 0;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("2.2.3 option length = 0, SECURITY\n");
- s[IPOPT_OPTVAL] = IPOPT_SECURITY;
- s[IPOPT_OLEN] = 0;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("2.2.4 option length = 0, LSRR\n");
- s[IPOPT_OPTVAL] = IPOPT_LSRR;
- s[IPOPT_OLEN] = 0;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("2.2.5 option length = 0, SATID\n");
- s[IPOPT_OPTVAL] = IPOPT_SATID;
- s[IPOPT_OLEN] = 0;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
-
- printf("2.2.6 option length = 0, SSRR\n");
- s[IPOPT_OPTVAL] = IPOPT_SSRR;
- s[IPOPT_OLEN] = 0;
- (void) send_ip(nfd, mtu, ip, gwip, 1);
- fflush(stdout);
- PAUSE();
- }
-
- (void) close(nfd);
-}
-
-
-/*
- * test 3 (ICMP)
- */
-void ip_test3(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
- static int ict1[10] = { 8, 9, 10, 13, 14, 15, 16, 17, 18, 0 };
- static int ict2[8] = { 3, 9, 10, 13, 14, 17, 18, 0 };
- struct timeval tv;
- struct icmp *icp;
- int nfd, i;
-
- ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_v = IPVERSION;
- ip->ip_tos = 0;
- ip->ip_off = 0;
- ip->ip_ttl = 60;
- ip->ip_p = IPPROTO_ICMP;
- ip->ip_sum = 0;
- ip->ip_len = sizeof(*ip) + sizeof(*icp);
- icp = (struct icmp *)((char *)ip + (ip->ip_hl << 2));
- nfd = initdevice(dev, htons(1), 1);
-
- if (!ptest || (ptest == 1)) {
- /*
- * Type 0 - 31, 255, code = 0
- */
- bzero((char *)icp, sizeof(*icp));
- for (i = 0; i < 32; i++) {
- icp->icmp_type = i;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.1.%d ICMP type %d code 0 (all 0's)\r", i, i);
- }
- icp->icmp_type = 255;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.1.%d ICMP type %d code 0 (all 0's)\r", i, 255);
- putchar('\n');
- }
-
- if (!ptest || (ptest == 2)) {
- /*
- * Type 3, code = 0 - 31
- */
- icp->icmp_type = 3;
- for (i = 0; i < 32; i++) {
- icp->icmp_code = i;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.2.%d ICMP type 3 code %d (all 0's)\r", i, i);
- }
- }
-
- if (!ptest || (ptest == 3)) {
- /*
- * Type 4, code = 0,127,128,255
- */
- icp->icmp_type = 4;
- icp->icmp_code = 0;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.3.1 ICMP type 4 code 0 (all 0's)\r");
- icp->icmp_code = 127;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.3.2 ICMP type 4 code 127 (all 0's)\r");
- icp->icmp_code = 128;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.3.3 ICMP type 4 code 128 (all 0's)\r");
- icp->icmp_code = 255;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.3.4 ICMP type 4 code 255 (all 0's)\r");
- }
-
- if (!ptest || (ptest == 4)) {
- /*
- * Type 5, code = 0,127,128,255
- */
- icp->icmp_type = 5;
- icp->icmp_code = 0;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.4.1 ICMP type 5 code 0 (all 0's)\r");
- icp->icmp_code = 127;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.4.2 ICMP type 5 code 127 (all 0's)\r");
- icp->icmp_code = 128;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.4.3 ICMP type 5 code 128 (all 0's)\r");
- icp->icmp_code = 255;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.4.4 ICMP type 5 code 255 (all 0's)\r");
- }
-
- if (!ptest || (ptest == 5)) {
- /*
- * Type 8-10;13-18, code - 0,127,128,255
- */
- for (i = 0; ict1[i]; i++) {
- icp->icmp_type = ict1[i];
- icp->icmp_code = 0;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type 5 code 0 (all 0's)\r",
- i * 4);
- icp->icmp_code = 127;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type 5 code 127 (all 0's)\r",
- i * 4 + 1);
- icp->icmp_code = 128;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type 5 code 128 (all 0's)\r",
- i * 4 + 2);
- icp->icmp_code = 255;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type 5 code 255 (all 0's)\r",
- i * 4 + 3);
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 6)) {
- /*
- * Type 12, code - 0,127,128,129,255
- */
- icp->icmp_type = 12;
- icp->icmp_code = 0;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.6.1 ICMP type 12 code 0 (all 0's)\r");
- icp->icmp_code = 127;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.6.2 ICMP type 12 code 127 (all 0's)\r");
- icp->icmp_code = 128;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.6.3 ICMP type 12 code 128 (all 0's)\r");
- icp->icmp_code = 129;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.6.4 ICMP type 12 code 129 (all 0's)\r");
- icp->icmp_code = 255;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.6.5 ICMP type 12 code 255 (all 0's)\r");
- putchar('\n');
- }
-
- if (!ptest || (ptest == 7)) {
- /*
- * Type 3;9-10;13-14;17-18 - shorter packets
- */
- ip->ip_len = sizeof(*ip) + sizeof(*icp) / 2;
- for (i = 0; ict2[i]; i++) {
- icp->icmp_type = ict1[i];
- icp->icmp_code = 0;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type %d code 0 (all 0's)\r",
- i * 4, icp->icmp_type);
- icp->icmp_code = 127;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type %d code 127 (all 0's)\r",
- i * 4 + 1, icp->icmp_type);
- icp->icmp_code = 128;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type %d code 128 (all 0's)\r",
- i * 4 + 2, icp->icmp_type);
- icp->icmp_code = 255;
- (void) send_icmp(nfd, mtu, ip, gwip);
- PAUSE();
- printf("3.5.%d ICMP type %d code 127 (all 0's)\r",
- i * 4 + 3, icp->icmp_type);
- }
- putchar('\n');
- }
-}
-
-
-/* Perform test 4 (UDP) */
-
-void ip_test4(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
- struct timeval tv;
- udphdr_t *u;
- int nfd, i;
-
-
- ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_v = IPVERSION;
- ip->ip_tos = 0;
- ip->ip_off = 0;
- ip->ip_ttl = 60;
- ip->ip_p = IPPROTO_UDP;
- ip->ip_sum = 0;
- u = (udphdr_t *)((char *)ip + (ip->ip_hl << 2));
- u->uh_sport = htons(1);
- u->uh_dport = htons(1);
- u->uh_ulen = htons(sizeof(*u) + 4);
- nfd = initdevice(dev, u->uh_sport, 1);
-
- if (!ptest || (ptest == 1)) {
- /*
- * Test 1. ulen > packet
- */
- u->uh_ulen = htons(sizeof(*u) + 4);
- ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
- printf("4.1 UDP uh_ulen > packet size - short packets\n");
- for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) {
- u->uh_ulen = htons(i);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 2)) {
- /*
- * Test 2. ulen < packet
- */
- u->uh_ulen = htons(sizeof(*u) + 4);
- ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
- printf("4.2 UDP uh_ulen < packet size - short packets\n");
- for (i = ntohs(u->uh_ulen) * 2; i > sizeof(*u) + 4; i--) {
- ip->ip_len = i;
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 3)) {
- /*
- * Test 3: sport = 0, sport = 1, sport = 32767
- * sport = 32768, sport = 65535
- */
- u->uh_ulen = sizeof(*u) + 4;
- ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
- printf("4.3.1 UDP sport = 0\n");
- u->uh_sport = 0;
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("0\n");
- fflush(stdout);
- PAUSE();
- printf("4.3.2 UDP sport = 1\n");
- u->uh_sport = htons(1);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("1\n");
- fflush(stdout);
- PAUSE();
- printf("4.3.3 UDP sport = 32767\n");
- u->uh_sport = htons(32767);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("32767\n");
- fflush(stdout);
- PAUSE();
- printf("4.3.4 UDP sport = 32768\n");
- u->uh_sport = htons(32768);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("32768\n");
- putchar('\n');
- fflush(stdout);
- PAUSE();
- printf("4.3.5 UDP sport = 65535\n");
- u->uh_sport = htons(65535);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("65535\n");
- fflush(stdout);
- PAUSE();
- }
-
- if (!ptest || (ptest == 4)) {
- /*
- * Test 4: dport = 0, dport = 1, dport = 32767
- * dport = 32768, dport = 65535
- */
- u->uh_ulen = ntohs(sizeof(*u) + 4);
- u->uh_sport = htons(1);
- ip->ip_len = (ip->ip_hl << 2) + ntohs(u->uh_ulen);
- printf("4.4.1 UDP dport = 0\n");
- u->uh_dport = 0;
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("0\n");
- fflush(stdout);
- PAUSE();
- printf("4.4.2 UDP dport = 1\n");
- u->uh_dport = htons(1);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("1\n");
- fflush(stdout);
- PAUSE();
- printf("4.4.3 UDP dport = 32767\n");
- u->uh_dport = htons(32767);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("32767\n");
- fflush(stdout);
- PAUSE();
- printf("4.4.4 UDP dport = 32768\n");
- u->uh_dport = htons(32768);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("32768\n");
- fflush(stdout);
- PAUSE();
- printf("4.4.5 UDP dport = 65535\n");
- u->uh_dport = htons(65535);
- (void) send_udp(nfd, 1500, ip, gwip);
- printf("65535\n");
- fflush(stdout);
- PAUSE();
- }
-
- if (!ptest || (ptest == 5)) {
- /*
- * Test 5: sizeof(ip_t) <= MTU <= sizeof(udphdr_t) +
- * sizeof(ip_t)
- */
- printf("4.5 UDP 20 <= MTU <= 32\n");
- for (i = sizeof(*ip); i <= ntohs(u->uh_ulen); i++) {
- (void) send_udp(nfd, i, ip, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-}
-
-
-/* Perform test 5 (TCP) */
-
-void ip_test5(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
- struct timeval tv;
- tcphdr_t *t;
- int nfd, i;
-
- t = (tcphdr_t *)((char *)ip + (ip->ip_hl << 2));
-#ifndef linux
- t->th_x2 = 0;
-#endif
- t->th_off = 0;
- t->th_sport = htons(1);
- t->th_dport = htons(1);
- t->th_win = htons(4096);
- t->th_urp = 0;
- t->th_sum = 0;
- t->th_seq = htonl(1);
- t->th_ack = 0;
- ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
- nfd = initdevice(dev, t->th_sport, 1);
-
- if (!ptest || (ptest == 1)) {
- /*
- * Test 1: flags variations, 0 - 3f
- */
- t->th_off = sizeof(*t) >> 2;
- printf("5.1 Test TCP flag combinations\n");
- for (i = 0; i <= (TH_URG|TH_ACK|TH_PUSH|TH_RST|TH_SYN|TH_FIN);
- i++) {
- t->th_flags = i;
- (void) send_tcp(nfd, mtu, ip, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- }
-
- if (!ptest || (ptest == 2)) {
- t->th_flags = TH_SYN;
- /*
- * Test 2: seq = 0, seq = 1, seq = 0x7fffffff, seq=0x80000000,
- * seq = 0xa000000, seq = 0xffffffff
- */
- printf("5.2.1 TCP seq = 0\n");
- t->th_seq = htonl(0);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.2.2 TCP seq = 1\n");
- t->th_seq = htonl(1);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.2.3 TCP seq = 0x7fffffff\n");
- t->th_seq = htonl(0x7fffffff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.2.4 TCP seq = 0x80000000\n");
- t->th_seq = htonl(0x80000000);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.2.5 TCP seq = 0xc0000000\n");
- t->th_seq = htonl(0xc0000000);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.2.6 TCP seq = 0xffffffff\n");
- t->th_seq = htonl(0xffffffff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
- }
-
- if (!ptest || (ptest == 3)) {
- t->th_flags = TH_ACK;
- /*
- * Test 3: ack = 0, ack = 1, ack = 0x7fffffff, ack = 0x8000000
- * ack = 0xa000000, ack = 0xffffffff
- */
- printf("5.3.1 TCP ack = 0\n");
- t->th_ack = 0;
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.3.2 TCP ack = 1\n");
- t->th_ack = htonl(1);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.3.3 TCP ack = 0x7fffffff\n");
- t->th_ack = htonl(0x7fffffff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.3.4 TCP ack = 0x80000000\n");
- t->th_ack = htonl(0x80000000);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.3.5 TCP ack = 0xc0000000\n");
- t->th_ack = htonl(0xc0000000);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.3.6 TCP ack = 0xffffffff\n");
- t->th_ack = htonl(0xffffffff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
- }
-
- if (!ptest || (ptest == 4)) {
- t->th_flags = TH_SYN;
- /*
- * Test 4: win = 0, win = 32768, win = 65535
- */
- printf("5.4.1 TCP win = 0\n");
- t->th_seq = htonl(0);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.4.2 TCP win = 32768\n");
- t->th_seq = htonl(0x7fff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.4.3 TCP win = 65535\n");
- t->th_win = htons(0xffff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
- }
-
-#if !defined(linux) && !defined(__SVR4) && !defined(__svr4__) && \
- !defined(__sgi)
- {
- struct tcpcb *tcbp, tcb;
- struct tcpiphdr ti;
- struct sockaddr_in sin;
- int fd, slen;
-
- bzero((char *)&sin, sizeof(sin));
-
- for (i = 1; i < 63; i++) {
- fd = socket(AF_INET, SOCK_STREAM, 0);
- bzero((char *)&sin, sizeof(sin));
- sin.sin_addr.s_addr = ip->ip_dst.s_addr;
- sin.sin_port = htons(i);
- sin.sin_family = AF_INET;
- if (!connect(fd, (struct sockaddr *)&sin, sizeof(sin)))
- break;
- close(fd);
- }
-
- if (i == 63) {
- printf("Couldn't open a TCP socket between ports 1 and 63\n");
- printf("to host %s for test 5 and 6 - skipping.\n",
- inet_ntoa(ip->ip_dst));
- goto skip_five_and_six;
- }
-
- bcopy((char *)ip, (char *)&ti, sizeof(*ip));
- t->th_dport = htons(i);
- slen = sizeof(sin);
- if (!getsockname(fd, (struct sockaddr *)&sin, &slen))
- t->th_sport = sin.sin_port;
- if (!(tcbp = find_tcp(fd, &ti))) {
- printf("Can't find PCB\n");
- goto skip_five_and_six;
- }
- KMCPY(&tcb, tcbp, sizeof(tcb));
- ti.ti_win = tcb.rcv_adv;
- ti.ti_seq = htonl(tcb.snd_nxt - 1);
- ti.ti_ack = tcb.rcv_nxt;
-
- if (!ptest || (ptest == 5)) {
- /*
- * Test 5: urp
- */
- t->th_flags = TH_ACK|TH_URG;
- printf("5.5.1 TCP Urgent pointer, sport %hu dport %hu\n",
- ntohs(t->th_sport), ntohs(t->th_dport));
- t->th_urp = htons(1);
- (void) send_tcp(nfd, mtu, ip, gwip);
- PAUSE();
-
- t->th_seq = htonl(tcb.snd_nxt);
- ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t) + 1;
- t->th_urp = htons(0x7fff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- PAUSE();
- t->th_urp = htons(0x8000);
- (void) send_tcp(nfd, mtu, ip, gwip);
- PAUSE();
- t->th_urp = htons(0xffff);
- (void) send_tcp(nfd, mtu, ip, gwip);
- PAUSE();
- t->th_urp = 0;
- t->th_flags &= ~TH_URG;
- ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
- }
-
- if (!ptest || (ptest == 6)) {
- /*
- * Test 6: data offset, off = 0, off is inside, off is outside
- */
- t->th_flags = TH_ACK;
- printf("5.6.1 TCP off = 1-15, len = 40\n");
- for (i = 1; i < 16; i++) {
- ti.ti_off = ntohs(i);
- (void) send_tcp(nfd, mtu, ip, gwip);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
- ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
- }
-
- (void) close(fd);
- }
-skip_five_and_six:
-#endif
- t->th_seq = htonl(1);
- t->th_ack = htonl(1);
- t->th_off = 0;
-
- if (!ptest || (ptest == 7)) {
- t->th_flags = TH_SYN;
- /*
- * Test 7: sport = 0, sport = 1, sport = 32767
- * sport = 32768, sport = 65535
- */
- printf("5.7.1 TCP sport = 0\n");
- t->th_sport = 0;
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.7.2 TCP sport = 1\n");
- t->th_sport = htons(1);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.7.3 TCP sport = 32767\n");
- t->th_sport = htons(32767);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.7.4 TCP sport = 32768\n");
- t->th_sport = htons(32768);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.7.5 TCP sport = 65535\n");
- t->th_sport = htons(65535);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
- }
-
- if (!ptest || (ptest == 8)) {
- t->th_sport = htons(1);
- t->th_flags = TH_SYN;
- /*
- * Test 8: dport = 0, dport = 1, dport = 32767
- * dport = 32768, dport = 65535
- */
- printf("5.8.1 TCP dport = 0\n");
- t->th_dport = 0;
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.8.2 TCP dport = 1\n");
- t->th_dport = htons(1);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.8.3 TCP dport = 32767\n");
- t->th_dport = htons(32767);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.8.4 TCP dport = 32768\n");
- t->th_dport = htons(32768);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
-
- printf("5.8.5 TCP dport = 65535\n");
- t->th_dport = htons(65535);
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
- }
-
- /* LAND attack - self connect, so make src & dst ip/port the same */
- if (!ptest || (ptest == 9)) {
- printf("5.9 TCP LAND attack. sport = 25, dport = 25\n");
- /* chose SMTP port 25 */
- t->th_sport = htons(25);
- t->th_dport = htons(25);
- t->th_flags = TH_SYN;
- ip->ip_src = ip->ip_dst;
- (void) send_tcp(nfd, mtu, ip, gwip);
- fflush(stdout);
- PAUSE();
- }
-
- /* TCP options header checking */
- /* 0 length options, etc */
-}
-
-
-/* Perform test 6 (exhaust mbuf test) */
-
-void ip_test6(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
- struct timeval tv;
- udphdr_t *u;
- int nfd, i, j, k;
-
- ip->ip_v = IPVERSION;
- ip->ip_tos = 0;
- ip->ip_off = 0;
- ip->ip_ttl = 60;
- ip->ip_p = IPPROTO_UDP;
- ip->ip_sum = 0;
- u = (udphdr_t *)(ip + 1);
- u->uh_sport = htons(1);
- u->uh_dport = htons(9);
- u->uh_sum = 0;
-
- nfd = initdevice(dev, u->uh_sport, 1);
- u->uh_ulen = htons(7168);
-
- printf("6. Exhaustive mbuf test.\n");
- printf(" Send 7k packet in 768 & 128 byte fragments, 128 times.\n");
- printf(" Total of around 8,900 packets\n");
- for (i = 0; i < 128; i++) {
- /*
- * First send the entire packet in 768 byte chunks.
- */
- ip->ip_len = sizeof(*ip) + 768 + sizeof(*u);
- ip->ip_hl = sizeof(*ip) >> 2;
- ip->ip_off = htons(IP_MF);
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d %d\r", i, 0);
- fflush(stdout);
- PAUSE();
- /*
- * And again using 128 byte chunks.
- */
- ip->ip_len = sizeof(*ip) + 128 + sizeof(*u);
- ip->ip_off = htons(IP_MF);
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d %d\r", i, 0);
- fflush(stdout);
- PAUSE();
-
- for (j = 768; j < 3584; j += 768) {
- ip->ip_len = sizeof(*ip) + 768;
- ip->ip_off = htons(IP_MF|(j>>3));
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d %d\r", i, j);
- fflush(stdout);
- PAUSE();
-
- ip->ip_len = sizeof(*ip) + 128;
- for (k = j - 768; k < j; k += 128) {
- ip->ip_off = htons(IP_MF|(k>>3));
- (void) send_ip(nfd, 1500, ip, gwip, 1);
- printf("%d %d\r", i, k);
- fflush(stdout);
- PAUSE();
- }
- }
- }
- putchar('\n');
-}
-
-
-/* Perform test 7 (random packets) */
-
-static u_long tbuf[64];
-
-void ip_test7(dev, mtu, ip, gwip, ptest)
-char *dev;
-int mtu;
-ip_t *ip;
-struct in_addr gwip;
-int ptest;
-{
- ip_t *pip;
- struct timeval tv;
- int nfd, i, j;
- u_char *s;
-
- nfd = initdevice(dev, 0, 1);
- pip = (ip_t *)tbuf;
-
- srand(time(NULL) ^ (getpid() * getppid()));
-
- printf("7. send 1024 random IP packets.\n");
-
- for (i = 0; i < 512; i++) {
- for (s = (u_char *)pip, j = 0; j < sizeof(tbuf); j++, s++)
- *s = (rand() >> 13) & 0xff;
- pip->ip_v = IPVERSION;
- bcopy((char *)&ip->ip_dst, (char *)&pip->ip_dst,
- sizeof(struct in_addr));
- pip->ip_sum = 0;
- pip->ip_len &= 0xff;
- (void) send_ip(nfd, mtu, pip, gwip, 0);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
-
- for (i = 0; i < 512; i++) {
- for (s = (u_char *)pip, j = 0; j < sizeof(tbuf); j++, s++)
- *s = (rand() >> 13) & 0xff;
- pip->ip_v = IPVERSION;
- pip->ip_off &= htons(0xc000);
- bcopy((char *)&ip->ip_dst, (char *)&pip->ip_dst,
- sizeof(struct in_addr));
- pip->ip_sum = 0;
- pip->ip_len &= 0xff;
- (void) send_ip(nfd, mtu, pip, gwip, 0);
- printf("%d\r", i);
- fflush(stdout);
- PAUSE();
- }
- putchar('\n');
-}