authorkstailey <kstailey@cvs.openbsd.org>1997-02-26 04:35:41 +0000
committerkstailey <kstailey@cvs.openbsd.org>1997-02-26 04:35:41 +0000
commitfe48d49210bf2dafb4dc4734d5ba6d66e7ca1289 (patch)
treee4e09ba236341aae7f9826444e0c7654ab4a3fda /sbin/ipf
parent7cc376c2e47d6d08ae14d312fe5a21a8f6a275cf (diff)
version 1.3.8
Diffstat (limited to 'sbin/ipf')
-rw-r--r--sbin/ipf/ipf.c86
-rw-r--r--sbin/ipf/ipf.h2
-rw-r--r--sbin/ipf/parse.c96
3 files changed, 134 insertions, 50 deletions
diff --git a/sbin/ipf/ipf.c b/sbin/ipf/ipf.c
index 3d4eb97381f..260fc731a1d 100644
--- a/sbin/ipf/ipf.c
+++ b/sbin/ipf/ipf.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: ipf.c,v 1.10 1997/02/26 04:35:39 kstailey Exp $ */
/*
* (C)opyright 1993,1994,1995 by Darren Reed.
*
@@ -13,6 +14,9 @@
#if !defined(__SVR4) && !defined(__GNUC__)
#include <strings.h>
#endif
+#if !defined(__SVR4) && defined(__GNUC__) && !defined(__OpenBSD__)
+extern char *index();
+#endif
#include <sys/types.h>
#include <sys/param.h>
#include <sys/file.h>
@@ -32,13 +36,13 @@
#include <resolv.h>
#include "ipf.h"
-#ifndef lint
+#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ipf.c,v 1.9 1997/01/29 01:28:03 deraadt Exp $";
+static char rcsid[] = "$DRId: ipf.c,v 2.0.1.2 1997/02/04 14:37:46 darrenr Exp $";
#endif
#if SOLARIS
-void frsync();
+void frsync(), blockunknown();
#endif
void zerostats();
@@ -50,14 +54,15 @@ static int fd = -1;
static void procfile(), flushfilter(), set_state();
static void packetlogon(), swapactive(), showstats();
+static char *getline();
int main(argc,argv)
int argc;
char *argv[];
{
- int c;
+ char c;
- while ((c = getopt(argc, argv, "AsInopvdryf:F:l:EDzZ")) != -1) {
+ while ((c = getopt(argc, argv, "AdDEf:F:Il:noprsUvyzZ")) != -1) {
switch (c)
{
case 'E' :
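Review bot: Changing `int c` to `char c` at the top of main() makes the getopt() loop non-portable: getopt returns an int, and its -1 end-of-options value only survives the `c != -1` comparison where char is signed; on a target with unsigned char the loop never terminates. Keep `int c;` and let the switch operate on the int. Separately, the new file-static `getline()` shares its name with a function later standardized by POSIX and declared in <stdio.h>; nothing in this tree conflicts today, but a project-specific name such as `ipf_getline` would avoid a future collision. main() continues past the end of the hunk.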
@@ -99,6 +104,11 @@ char *argv[];
case 's' :
swapactive();
break;
+#if SOLARIS
+ case 'U' :
+ blockunknown();
+ break;
+#endif
case 'v' :
opts |= OPT_VERBOSE;
break;
@@ -168,12 +178,12 @@ char *name, *file;
if (!strcmp(file, "-"))
fp = stdin;
else if (!(fp = fopen(file, "r"))) {
- fprintf(stderr, "%s: fopen(%s) failed: %s", name, file,
+ fprintf(stderr, "%s: fopen(%s) failed: %s\n", name, file,
STRERROR(errno));
exit(1);
}
- while (fgets(line, sizeof(line)-1, fp)) {
+ while (getline(line, sizeof(line)-1, fp)) {
/*
* treat both CR and LF as EOL
*/
@@ -217,9 +227,11 @@ char *name, *file;
!(opts & OPT_DONOTHING)) {
if (ioctl(fd, add, fr) == -1)
perror("ioctl(SIOCZRLST)");
- else
- printf("hits %d bytes %d\n",
+ else {
+ printf("hits %ld bytes %ld ",
fr->fr_hits, fr->fr_bytes);
+ printfr(fr);
+ }
} else if ((opts & OPT_REMOVE) &&
!(opts & OPT_DONOTHING)) {
if (ioctl(fd, del, fr) == -1)
@@ -233,11 +245,33 @@ char *name, *file;
(void)fclose(fp);
}
+/*
+ * Similar to fgets(3) but can handle '\\'
+ */
+static char *getline(str, size, file)
+register char *str;
+size_t size;
+FILE *file;
+{
+ register char *p;
+
+ do {
+ for (p = str;; p+= strlen(p) - 1) {
+ if (!fgets(p, size, file))
+ return(NULL);
+ p[strlen(p) -1] = '\0';
+ if (p[strlen(p) - 1] != '\\')
+ break;
+ }
+ } while (*str == '\0' || *str == '\n');
+ return(str);
+}
+
static void packetlogon(opt)
char *opt;
{
- int err, flag;
+ int err, flag = 0;
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
if ((err = ioctl(fd, SIOCGETFF, &flag)))
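Review bot: The new getline() overflows the caller's buffer on continuation lines: after a trailing backslash, `p` is advanced into `str` but the next `fgets(p, size, file)` is still told the full `size`, so a rule file with a `\`-continued line followed by a long line writes past the end of the buffer. Two smaller defects sit on the same lines: `p[strlen(p) - 1] = '\0'` unconditionally chops the last character of a final line that has no trailing newline, and when the read string is empty (or becomes empty after stripping) the index is `p[-1]`, a read or write before the buffer. The rewrite below tracks the remaining space, strips the newline only if one was read, and rejects an over-long line instead of silently truncating a firewall rule.
```c
static char *getline(str, size, file)
register char *str;
size_t size;
FILE *file;
{
	register char *p;
	size_t len, left;

	do {
		for (p = str, left = size;;) {
			if (left < 2) {
				(void)fprintf(stderr, "line too long\n");
				return(NULL);
			}
			if (!fgets(p, left, file))
				return(NULL);
			len = strlen(p);
			/* drop the newline only if one was actually read */
			if (len && p[len - 1] == '\n')
				p[--len] = '\0';
			if (!len || p[len - 1] != '\\')
				break;
			/* continuation: the next read overwrites the '\\' */
			p += len - 1;
			left = size - (p - str);
		}
	} while (*str == '\0' || *str == '\n');
	return(str);
}
```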
@@ -246,7 +280,7 @@ char *opt;
printf("log flag is currently %#x\n", flag);
}
- flag = 0;
+ flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK);
if (strchr(opt, 'p')) {
flag |= FF_LOGPASS;
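Review bot: The mask `flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK)` only preserves the kernel's other flag bits when -v is given: the SIOCGETFF above it runs solely under `(opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE`, so in the normal non-verbose case `flag` is still the 0 it was initialized to, and whatever SIOCSETFF follows outside the hunk will presumably write back only the log bits, clearing e.g. FF_BLOCKNONIP set by -U. Fetch the current flags unconditionally (skipping only under OPT_DONOTHING) and keep just the printf under the verbose test. packetlogon() continues outside the hunk.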
@@ -370,3 +404,33 @@ friostat_t *fp;
fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip,
fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip);
}
+
+
+#if SOLARIS
+void blockunknown()
+{
+ int flag;
+
+ if (opendevice() == -1)
+ return;
+
+ if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
+ if (ioctl(fd, SIOCGETFF, &flag))
+ perror("ioctl(SIOCGETFF)");
+
+ printf("log flag is currently %#x\n", flag);
+ }
+
+ flag ^= FF_BLOCKNONIP;
+
+ if (opendevice() != -2 && ioctl(fd, SIOCSETFF, &flag))
+ perror("ioctl(SIOCSETFF)");
+
+ if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
+ if (ioctl(fd, SIOCGETFF, &flag))
+ perror("ioctl(SIOCGETFF)");
+
+ printf("log flag is now %#x\n", flag);
+ }
+}
+#endif
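Review bot: In blockunknown() `flag` is declared without an initializer and is only filled by SIOCGETFF when -v is given, so in the ordinary case `flag ^= FF_BLOCKNONIP` toggles an indeterminate value and the following SIOCSETFF pushes that garbage into the kernel's filter flags — undefined behaviour that can also disable logging bits at random. Read the current flags whenever the device is open and gate only the printf on verbosity; the `log flag is currently` wording is also copied from packetlogon and could say `filter flags`. The `opendevice() != -2` test before SIOCSETFF is an unusual sentinel; if -2 is not a documented return of opendevice() it should be made explicit.
```c
void blockunknown()
{
	int flag = 0;

	if (opendevice() == -1)
		return;

	/* always start from the kernel's current flags, not an uninitialized int */
	if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCGETFF, &flag))
		perror("ioctl(SIOCGETFF)");

	if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
		printf("log flag is currently %#x\n", flag);

	flag ^= FF_BLOCKNONIP;
	/* … unchanged: SIOCSETFF and the verbose "now" readback … */
}
```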
diff --git a/sbin/ipf/ipf.h b/sbin/ipf/ipf.h
index c2873895b55..7980f227692 100644
--- a/sbin/ipf/ipf.h
+++ b/sbin/ipf/ipf.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ipf.h 1.12 6/5/96
- * $Id: ipf.h,v 1.6 1997/02/11 22:23:39 kstailey Exp $
+ * $DRId: ipf.h,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $
*/
#ifndef SOLARIS
diff --git a/sbin/ipf/parse.c b/sbin/ipf/parse.c
index 19e093bf390..c3f0a7ceb04 100644
--- a/sbin/ipf/parse.c
+++ b/sbin/ipf/parse.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: parse.c,v 1.9 1997/02/26 04:35:40 kstailey Exp $ */
/*
* (C)opyright 1993-1996 by Darren Reed.
*
@@ -32,9 +33,9 @@
#include "ipf.h"
#include <ctype.h>
-#ifndef lint
+#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
-static char rcsid[] = "$Id: parse.c,v 1.8 1997/01/17 07:12:18 millert Exp $";
+static char rcsid[] = "$DRId: parse.c,v 2.0.1.2 1997/02/17 13:59:44 darrenr Exp $";
#endif
extern struct ipopt_names ionames[], secclass[];
@@ -47,6 +48,8 @@ u_char tcp_flags();
struct frentry *parse();
void binprint(), printfr();
int addicmp(), extras(), hostmask(), ports(), icmpcode(), addkeep();
+int to_interface();
+
char *proto = NULL;
char flagset[] = "FSRPAU";
@@ -75,6 +78,11 @@ char *line;
u_char ch;
int i, cnt = 1;
+ while (*line && isspace(*line))
+ line++;
+ if (!*line)
+ return NULL;
+
bzero((char *)&fil, sizeof(fil));
fil.fr_mip.fi_v = 0xf;
fil.fr_ip.fi_v = 4;
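Review bot: `isspace(*line)` in the new leading-whitespace skip passes a plain `char`; on targets where char is signed, a high-bit byte in the rule file becomes a negative argument, which is undefined for the <ctype.h> classifiers. Cast it: `while (*line && isspace((unsigned char)*line))`. parse() starts before the hunk.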
@@ -95,15 +103,8 @@ char *line;
cpp = cps;
if (**cpp == '@')
fil.fr_hits = atoi(*cpp++ + 1) + 1;
- /*
- * does it start with one of the two possible first words ?
- */
- if (strcasecmp("block",*cpp) && strcasecmp("pass",*cpp) &&
- strcasecmp("log",*cpp) && strcasecmp("count",*cpp)) {
- (void)fprintf(stderr, "unknown keyword (%s)\n", *cpp);
- return NULL;
- }
- if (**cpp == 'b') {
+
+ if (!strcasecmp("block", *cpp)) {
fil.fr_flags = FR_BLOCK;
if (!strncasecmp(*(cpp+1), "return-icmp", 11)) {
fil.fr_flags |= FR_RETICMP;
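Review bot: The look-ahead `*(cpp+1)` on the return-icmp line is handed to strncasecmp with no NULL check, so a rule consisting of just `block` (or `@N block`) crashes the parser instead of reporting an error; the commit adds `*cpp &&` guards for on/tos/ttl/proto but not here. Change it to `if (*(cpp+1) && !strncasecmp(*(cpp+1), "return-icmp", 11)) {` and give the `log`/`body` look-ahead in the next hunk the same guard. Note also that `strncasecmp(..., 11)` accepts any token that merely begins with return-icmp; if a prefix form is not intentional, an exact strcasecmp is stricter. parse() starts before the hunk.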
@@ -121,11 +122,11 @@ char *line;
fil.fr_flags |= FR_RETRST;
cpp++;
}
- } else if (**cpp == 'c')
+ } else if (!strcasecmp("count", *cpp)) {
fil.fr_flags = FR_ACCOUNT;
- else if (**cpp == 'p') {
+ } else if (!strcasecmp("pass", *cpp)) {
fil.fr_flags = FR_PASS;
- } else if (**cpp == 'l') {
+ } else if (!strcasecmp("log", *cpp)) {
fil.fr_flags = FR_LOG;
if (!strcasecmp(*(cpp+1), "body")) {
fil.fr_flags |= FR_LOGBODY;
@@ -135,14 +136,29 @@ char *line;
fil.fr_flags |= FR_LOGFIRST;
cpp++;
}
+ } else {
+ /*
+ * Doesn't start with one of the action words
+ */
+ (void)fprintf(stderr, "unknown keyword (%s)\n", *cpp);
+ return NULL;
}
cpp++;
if (!strcasecmp("in", *cpp))
fil.fr_flags |= FR_INQUE;
- else if (!strcasecmp("out", *cpp))
+ else if (!strcasecmp("out", *cpp)) {
fil.fr_flags |= FR_OUTQUE;
- else {
+ if (fil.fr_flags & FR_RETICMP) {
+ (void)fprintf(stderr,
+ "Can only use return-icmp with 'in'\n");
+ return NULL;
+ } else if (fil.fr_flags & FR_RETRST) {
+ (void)fprintf(stderr,
+ "Can only use return-rst with 'in'\n");
+ return NULL;
+ }
+ } else {
(void)fprintf(stderr,
"missing 'in'/'out' keyword (%s)\n", *cpp);
return NULL;
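Review bot: After the `cpp++` that follows the action keyword, `*cpp` is dereferenced by `strcasecmp("in", *cpp)` without a NULL check, so a rule of just `pass` or `block` crashes rather than reporting the missing direction — the same class of gap the commit closes for on/tos/ttl/proto. Add `if (!*cpp) { (void)fprintf(stderr, "missing 'in'/'out' keyword\n"); return NULL; }` before the `in` test. The new rejection of return-icmp/return-rst on `out` rules is a good consistency check. parse() continues outside the hunk.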
@@ -164,6 +180,15 @@ char *line;
fil.fr_flags |= FR_LOGFIRST;
cpp++;
}
+ if (!strcasecmp(*cpp, "or-block")) {
+ if (!(fil.fr_flags & FR_PASS)) {
+ (void)fprintf(stderr,
+ "or-block must be used with pass\n");
+ return NULL;
+ }
+ fil.fr_flags |= FR_LOGORBLOCK;
+ cpp++;
+ }
}
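Review bot: `*cpp` can be NULL when the new `or-block` test runs: the lines just above it advance `cpp` past `first`, so a rule that presumably ends with `log first` hands a NULL to strcasecmp. Guard it the way the commit guards `on`: `if (*cpp && !strcasecmp(*cpp, "or-block")) {`. The enclosing log-modifier block starts before the hunk.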
if (!strcasecmp("quick", *cpp)) {
@@ -172,7 +197,7 @@ char *line;
}
*fil.fr_ifname = '\0';
- if (!strcasecmp(*cpp, "on")) {
+ if (*cpp && !strcasecmp(*cpp, "on")) {
if (!*++cpp) {
(void)fprintf(stderr, "interface name missing\n");
return NULL;
@@ -191,16 +216,6 @@ char *line;
}
if (*cpp) {
-#if SOLARIS
- if (!strcasecmp(*cpp, "dup-to") ||
- !strcasecmp(*cpp, "to") ||
- !strcasecmp(*cpp, "fastroute")) {
- (void) fprintf(stderr,
- "%s not supported under SunOS5\n",
- *cpp);
- return NULL;
- }
-#endif
if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) {
cpp++;
if (to_interface(&fil.fr_dif, *cpp))
@@ -218,7 +233,7 @@ char *line;
}
}
}
- if (!strcasecmp(*cpp, "tos")) {
+ if (*cpp && !strcasecmp(*cpp, "tos")) {
if (!*++cpp) {
(void)fprintf(stderr, "tos missing value\n");
return NULL;
@@ -228,7 +243,7 @@ char *line;
cpp++;
}
- if (!strcasecmp(*cpp, "ttl")) {
+ if (*cpp && !strcasecmp(*cpp, "ttl")) {
if (!*++cpp) {
(void)fprintf(stderr, "ttl missing hopcount value\n");
return NULL;
@@ -242,7 +257,7 @@ char *line;
* check for "proto <protoname>" only decode udp/tcp/icmp as protoname
*/
proto = NULL;
- if (!strcasecmp(*cpp, "proto")) {
+ if (*cpp && !strcasecmp(*cpp, "proto")) {
if (!*++cpp) {
(void)fprintf(stderr, "protocol name missing\n");
return NULL;
@@ -282,6 +297,10 @@ char *line;
* get the from host and bit mask to use against packets
*/
+ if (!*cpp) {
+ fprintf(stderr, "missing source specification\n");
+ return NULL;
+ }
if (!strcasecmp(*cpp, "all")) {
cpp++;
if (!*cpp)
@@ -687,21 +706,21 @@ struct frentry *fr;
!strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 4) ||
!strncasecmp(**cp, "frag", 3) || !strncasecmp(**cp, "no", 2) ||
!strncasecmp(**cp, "short", 5))) {
- if (***cp == 'n') {
+ if (***cp == 'n' || ***cp == 'N') {
notopt = 1;
(*cp)++;
continue;
- } else if (***cp == 'i') {
+ } else if (***cp == 'i' || ***cp == 'I') {
if (!notopt)
fr->fr_ip.fi_fl |= FI_OPTIONS;
fr->fr_mip.fi_fl |= FI_OPTIONS;
goto nextopt;
- } else if (***cp == 'f') {
+ } else if (***cp == 'f' || ***cp == 'F') {
if (!notopt)
fr->fr_ip.fi_fl |= FI_FRAG;
fr->fr_mip.fi_fl |= FI_FRAG;
goto nextopt;
- } else if (***cp == 'o') {
+ } else if (***cp == 'o' || ***cp == 'O') {
if (!*(*cp + 1)) {
(void)fprintf(stderr,
"opt missing arguements\n");
@@ -711,7 +730,7 @@ struct frentry *fr;
if (!(opts = optname(cp, &secmsk)))
return -1;
oflags = FI_OPTIONS;
- } else if (***cp == 's') {
+ } else if (***cp == 's' || ***cp == 'S') {
if (fr->fr_tcpf) {
(void) fprintf(stderr,
"short cannot be used with TCP flags\n");
@@ -980,9 +999,9 @@ struct frentry *fp;
return -1;
}
- if (***cp == 's')
+ if (***cp == 's' || ***cp == 'S')
fp->fr_flags |= FR_KEEPSTATE;
- else if (***cp == 'f')
+ else if (***cp == 'f' || ***cp == 'F')
fp->fr_flags |= FR_KEEPFRAG;
(*cp)++;
return 0;
@@ -1057,7 +1076,6 @@ struct frentry *fp;
static char *pcmp1[] = { "*", "=", "!=", "<", ">", "<=", ">=",
"<>", "><"};
struct protoent *p;
- frdest_t *fdp;
int ones = 0, pr;
char *s;
u_char *t;
@@ -1098,6 +1116,8 @@ struct frentry *fp;
(void)printf("body ");
if (fp->fr_flags & FR_LOGFIRST)
(void)printf("first ");
+ if (fp->fr_flags & FR_LOGORBLOCK)
+ (void)printf("or-block ");
}
if (fp->fr_flags & FR_QUICK)
(void)printf("quick ");