author | dm <dm@cvs.openbsd.org> | 1996-05-10 21:41:01 +0000 |
---|---|---|
committer | dm <dm@cvs.openbsd.org> | 1996-05-10 21:41:01 +0000 |
commit | 76242ad5ccbbf411a0dfd66daab39d9a460c09dc (patch) | |
tree | 92b555bd9197bb7976ae825d415f70d567c37170 /sbin/ipf | |
parent | 75774d963fafaaaa2cf697156d616e2ebe3db3c8 (diff) |
ipfilter 3.0.4
Diffstat (limited to 'sbin/ipf')
-rw-r--r-- | sbin/ipf/ipf.4 | 3 | ||||
-rw-r--r-- | sbin/ipf/ipf.c | 4 | ||||
-rw-r--r-- | sbin/ipf/ipf.h | 5 | ||||
-rw-r--r-- | sbin/ipf/opt.c | 6 | ||||
-rw-r--r-- | sbin/ipf/parse.c | 202 |
5 files changed, 152 insertions, 68 deletions
diff --git a/sbin/ipf/ipf.4 b/sbin/ipf/ipf.4
index f9c65e77c32..011e0a017d7 100644
--- a/sbin/ipf/ipf.4
+++ b/sbin/ipf/ipf.4
@@ -30,8 +30,7 @@ The variations, SIOCADAFR vs SIOCADIFR, allow operation on the two lists, active and inactive, respectively. All of these ioctl's are implemented as being routing ioctls and thus the same rules for the various routing ioctls and the file descriptor are employed, mainly being that the fd must
-be that of the device associated with the module (ie /dev/ipl). In addition
-to this, these ioctl's will only succeed if made as root.
+be that of the device associated with the module (ie /dev/ipl).
 .LP
 .PP
 The three groups of ioctls above perform adding rules to the end of the
diff --git a/sbin/ipf/ipf.c b/sbin/ipf/ipf.c
index 92fe2e6ee06..af2a985b2ab 100644
--- a/sbin/ipf/ipf.c
+++ b/sbin/ipf/ipf.c
@@ -34,7 +34,7 @@ extern char *index();
 #include "ipf.h"
 #ifndef lint
-static char sccsid[] = "@(#)ipf.c 1.21 1/14/96 (C) 1993-1995 Darren Reed";
+static char sccsid[] = "@(#)ipf.c 1.22 2/3/96 (C) 1993-1995 Darren Reed";
 #endif
 #if SOLARIS
@@ -139,6 +139,8 @@ char *file;
 if (opts & OPT_DEBUG)
 printf("add %x del %x\n", add, del);
+ initparse();
+
 if (!strcmp(file, "-"))
 fp = stdin;
 else if (!(fp = fopen(file, "r"))) {
diff --git a/sbin/ipf/ipf.h b/sbin/ipf/ipf.h
index 794f98c71e3..e0946b864c4 100644
--- a/sbin/ipf/ipf.h
+++ b/sbin/ipf/ipf.h
@@ -5,7 +5,7 @@
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 *
- * @(#)ipf.h 1.9 1/7/96
+ * @(#)ipf.h 1.11 4/10/96
 */
 #define OPT_REMOVE 0x0001
@@ -22,10 +22,11 @@
 #define OPT_FRSTATES FR_KEEPFRAG /* 0x1000 */
 #define OPT_IPSTATES FR_KEEPSTATE /* 0x2000 */
 #define OPT_INACTIVE FR_INACTIVE /* 0x4000 */
+#define OPT_SHOWLINENO 0x8000
 extern struct frentry *parse();
-extern void printfr(), binprint();
+extern void printfr(), binprint(), initparse();
 #if defined(__SVR4) || defined(__svr4__)
 #define index strchr
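Review bot: `OPT_SHOWLINENO 0x8000` in the ipf.h hunk is a hard-coded bit placed directly after three OPT_ values that are aliases of kernel FR_* flags (0x1000, 0x2000, 0x4000), so `opts` shares its bit space with the kernel flag set; if an FR_ flag at 0x8000 exists or is added later (not visible in this diff), the two would be indistinguishable in `opts`. A comment on the new line would record the constraint, e.g. `/* local to ipf(8); must stay clear of the FR_* bits mirrored above */`, or the value could be expressed relative to the highest mirrored FR_ bit so a collision shows up at compile time. The ipf.c hunk calls the new `initparse()` before the rule file is opened; that function is not in this diff, so whether it depends on anything set up later cannot be checked here.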
diff --git a/sbin/ipf/opt.c b/sbin/ipf/opt.c
index 8e90965928e..3b475a4aec3 100644
--- a/sbin/ipf/opt.c
+++ b/sbin/ipf/opt.c
@@ -21,7 +21,7 @@
 #include "ipf.h"
 #ifndef lint
-static char sccsid[] = "@(#)opt.c 1.6 11/11/95 (C) 1993-1995 Darren Reed";
+static char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-1995 Darren Reed";
 #endif
 extern int opts;
@@ -58,7 +58,7 @@ struct ipopt_names secclass[] = {
 { IPSO_CLASS_CONF, 0x10, 0, "confid" },
 { IPSO_CLASS_UNCL, 0x20, 0, "unclass" },
 { IPSO_CLASS_RES2, 0x40, 0, "reserv-2" },
- { IPSO_CLASS_RES1, 0x40, 0, "reserv-1" },
+ { IPSO_CLASS_RES1, 0x80, 0, "reserv-1" },
 { 0, 0, 0, NULL } /* must be last */
 };
@@ -107,7 +107,7 @@ char *cp, *op;
 if (t && !strcasecmp(s, "sec-class")) {
 lvl = seclevel(t);
- *op = lvl;
+ *(op - 1) = lvl;
 }
 op += io->on_siz - 3;
 if (len & 3) {
diff --git a/sbin/ipf/parse.c b/sbin/ipf/parse.c
index efea74e9d57..f3cf027a825 100644
--- a/sbin/ipf/parse.c
+++ b/sbin/ipf/parse.c
@@ -1,5 +1,5 @@
 /*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * (C)opyright 1993-1996 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
@@ -32,7 +32,7 @@
 #include <ctype.h>
 #ifndef lint
-static char sccsid[] ="@(#)parse.c 1.33 1/14/96 (C) 1993 Darren Reed";
+static char sccsid[] ="@(#)parse.c 1.41 4/10/96 (C) 1993-1996 Darren Reed";
 #endif
 extern struct ipopt_names ionames[], secclass[];
@@ -352,7 +352,7 @@ char *line;
 /*
 * Keep something...
 */
- if (*cpp && !strcasecmp(*cpp, "keep"))
+ while (*cpp && !strcasecmp(*cpp, "keep"))
 if (addkeep(&cpp, &fil))
 return NULL;
@@ -375,7 +375,14 @@ char *line;
 "no protocol given for TCP/UDP comparisons\n");
 return NULL;
 }
-
+/*
+ if ((fil.fr_flags & FR_KEEPFRAG) &&
+ (!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) {
+ (void)fprintf(stderr,
+ "must use 'with frags' with 'keep frags'\n");
+ return NULL;
+ }
+*/
 return &fil;
 }
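Review bot: `*(op - 1) = lvl;` in the opt.c sec-class hunk writes one byte behind `op`, and nothing inside the hunk shows that `op` has been advanced past at least one byte of the output buffer at that point; if the option type/length bytes are emitted by code above the hunk (outside this view) the write lands on the classification-level byte as presumably intended, otherwise it lands before the buffer. The invariant deserves a comment on the new line, e.g. `/* op already points past the sec-class level byte; back up to fill it in */`, so the next person touching the emission order sees the dependency. The enclosing function starts and ends outside the hunk.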
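Review bot: The commented-out check added at the end of parse() tests `!(fil.fr_ip.fi_fl & FI_FRAG)` twice in the same condition, so even if it is uncommented later it cannot do what its message describes; the second operand presumably was meant to be `fil.fr_mip.fi_fl`, which would need confirming before the check is enabled. Leaving it as a comment also means a rule that says `keep frags` without `with frags` is now accepted silently, which for a packet-filter rule parser is the kind of mismatch that should fail loudly rather than be deferred. Either delete the dead block or fix the condition and enable it. parse() begins outside the hunk.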
@@ -401,7 +408,7 @@ u_char *cp;
 return -1;
 if (index(s, '.'))
 *msk = inet_addr(s);
- else {
+ if (!index(s, '.') && !index(s, 'x')) {
 /*
 * set x most significant bits
 */
@@ -410,6 +417,9 @@ u_char *cp;
 *msk |= ntohl(inet_addr("128.0.0.0"));
 }
 *msk = htonl(*msk);
+ } else {
+ if (inet_aton(s, (struct in_addr *)msk) == -1)
+ return -1;
 }
 *sa = hostnum(**seg, &resolved) & *msk;
 if (resolved == -1)
@@ -427,10 +437,8 @@ u_char *cp;
 return -1;
 (*seg)++;
 (*seg)++;
- if (index(**seg, '.'))
- *msk = inet_addr(**seg);
- else
- *msk = (u_long)strtol(**seg, NULL, 0);
+ if (inet_aton(**seg, (struct in_addr *)msk) == -1)
+ return -1;
 (*seg)++;
 *sa &= *msk;
 return ports(seg, pp, cp, tp);
@@ -490,9 +498,9 @@ u_char *cp;
 if (!*seg || !**seg || !***seg)
 return 0;
- if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(seg + 2)) {
+ if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) {
 (*seg)++;
- if (isdigit(***seg) && *(seg + 2)) {
+ if (isdigit(***seg) && *(*seg + 2)) {
 *pp = portnum(**seg);
 (*seg)++;
 if (!strcmp(**seg, "<>"))
@@ -539,13 +547,13 @@ char *name;
 u_short p1 = 0;
 if (isdigit(*name))
- return htons((u_short)atoi(name));
+ return (u_short)atoi(name);
 if (!proto)
 proto = "tcp/udp";
 if (strcasecmp(proto, "tcp/udp")) {
 sp = getservbyname(name, proto);
 if (sp)
- return sp->s_port;
+ return ntohs(sp->s_port);
 (void) fprintf(stderr, "unknown service \"%s\".\n", name);
 return 0;
 }
@@ -564,7 +572,7 @@ char *name;
 (void) fprintf(stderr, "%s %d/udp\n", name, sp->s_port);
 return 0;
 }
- return p1;
+ return ntohs(p1);
 }
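Review bot: The new `if (inet_aton(s, (struct in_addr *)msk) == -1)` can never be true, because inet_aton() returns 1 on success and 0 on failure, so a malformed mask is accepted silently; and since the dotted case still runs `*msk = inet_addr(s)` on the line above, an unparsable dotted mask leaves `*msk` at INADDR_NONE (all ones), turning a typo in a netmask into a /32 host match instead of a parse error. Change the test to `if (!inet_aton(s, (struct in_addr *)msk))`; the same `== -1` comparison is introduced in the following hunk on `**seg` and needs the same fix. The now-redundant inet_addr() call in the dotted branch can go, since inet_aton() handles dotted input as well. The enclosing function begins and ends outside these hunks.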
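Review bot: `return (u_short)atoi(name);` in portnum() still accepts any digit-leading string with no range check, so `port 70000` silently becomes 4464 and `port 80x` parses as 80, i.e. the rule installed is not the rule that was written. Parse with an end pointer and reject out-of-range values, e.g. `errno = 0; v = strtoul(name, &end, 10); if (*end || errno || v > 65535) { (void) fprintf(stderr, "bad port \"%s\".\n", name); return 0; }`. Note that the function now returns host byte order (the `ntohs()` on the getservbyname() results and the dropped `htons()`), which every caller must agree with; the visible callers in ports() and printfr() are updated in this commit, and portnum()'s body continues into the next hunk and beyond the view.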
@@ -616,13 +624,21 @@ struct frentry *fr;
 !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 4) || !strncasecmp(**cp, "frag", 3) || !strncasecmp(**cp, "no", 2) || !strncasecmp(**cp, "short", 5))) {
- if (***cp == 'n')
+ if (***cp == 'n') {
 notopt = 1;
- else if (***cp == 'i')
- oflags = FI_OPTIONS;
- else if (***cp == 'f')
- oflags = FI_FRAG;
- else if (***cp == 'o') {
+ (*cp)++;
+ continue;
+ } else if (***cp == 'i') {
+ if (!notopt)
+ fr->fr_ip.fi_fl |= FI_OPTIONS;
+ fr->fr_mip.fi_fl |= FI_OPTIONS;
+ goto nextopt;
+ } else if (***cp == 'f') {
+ if (!notopt)
+ fr->fr_ip.fi_fl |= FI_FRAG;
+ fr->fr_mip.fi_fl |= FI_FRAG;
+ goto nextopt;
+ } else if (***cp == 'o') {
 if (!*(*cp + 1)) {
 (void)fprintf(stderr,
 "opt missing arguements\n");
@@ -638,12 +654,23 @@ struct frentry *fr;
 "short cannot be used with TCP flags\n");
 return -1;
 }
- oflags = FI_SHORT;
+
+ if (!notopt)
+ fr->fr_ip.fi_fl |= FI_SHORT;
+ fr->fr_mip.fi_fl |= FI_SHORT;
+ goto nextopt;
 } else
 return -1;
- fr->fr_mip.fi_fl |= oflags;
- fr->fr_mip.fi_optmsk |= opts;
+ if (!notopt || !opts)
+ fr->fr_mip.fi_fl |= oflags;
+ if (notopt)
+ if (!secmsk)
+ fr->fr_mip.fi_optmsk |= opts;
+ else
+ fr->fr_mip.fi_optmsk |= (opts & ~0x0100);
+ else
+ fr->fr_mip.fi_optmsk |= opts;
 fr->fr_mip.fi_secmsk |= secmsk;
 if (notopt) {
@@ -655,6 +682,8 @@ struct frentry *fr;
 fr->fr_ip.fi_optmsk |= opts;
 fr->fr_ip.fi_secmsk |= secmsk;
 }
+nextopt:
+ notopt = 0;
 opts = 0;
 oflags = 0;
 secmsk = 0;
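Review bot: The new `if (notopt) if (!secmsk) ... else ... else ...` block in the second hunk relies on dangling-else binding and a bare `0x0100` to decide which option bits land in `fr_mip.fi_optmsk`; the inner `else` does bind to `if (!secmsk)` and the outer to `if (notopt)`, which looks like the intent, but a single misplaced edit would flip the mask for `not opt` rules without any compiler diagnostic. Brace both levels and give the constant a name with a comment saying what it is, e.g. `#define OPT_SECBIT 0x0100 /* presumably the ionames[] bit for IPOPT_SECURITY; confirm */`. With `ipopt`, `frag` and `short` now setting `fi_fl` directly and jumping to `nextopt`, `oflags` is only ever non-zero if the `opt` branch (partly outside the hunk) assigns it; if nothing does, `fr->fr_mip.fi_fl |= oflags` is dead and should be removed. The enclosing loop starts before and ends after these hunks.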
@@ -714,26 +743,72 @@ u_short *sp;
 }
-void optprint(optmsk, secmsk)
-u_char optmsk, secmsk;
+void optprint(secmsk, secbits, optmsk, optbits)
+u_short secmsk, secbits;
+u_long optmsk, optbits;
 {
 struct ipopt_names *io, *so;
- char *s = "", *t = "";
+ char *s;
+ int secflag = 0;
- printf("opt ");
+ s = "opt ";
 for (io = ionames; io->on_name; io++)
- if (io->on_bit & optmsk) {
- printf("%s%s", s, io->on_name);
- s = ",";
+ if ((io->on_bit & optmsk) &&
+ ((io->on_bit & optmsk) == (io->on_bit & optbits))) {
+ if ((io->on_value != IPOPT_SECURITY) ||
+ (!secmsk && !secbits)) {
+ printf("%s%s", s, io->on_name);
+ if (io->on_value == IPOPT_SECURITY)
+ io++;
+ s = ",";
+ } else
+ secflag = 1;
 }
- if (secmsk) {
- putchar(' ');
+
+
+ if (secmsk & secbits) {
+ printf("%ssec-class", s);
+ s = " ";
 for (so = secclass; so->on_name; so++)
- if (secmsk & so->on_bit) {
- printf("%s%s", t, so->on_name);
- t = ",";
+ if ((secmsk & so->on_bit) &&
+ ((io->on_bit & secmsk) == (io->on_bit & secbits))) {
+ printf("%s%s", s, so->on_name);
+ s = ",";
 }
 }
+
+ if (strcmp(s, "opt "))
+ putchar(' ');
+ if ((optmsk && (optmsk != optbits)) ||
+ (secmsk && (secmsk != secbits))) {
+ s = " ";
+ printf("not opt");
+ if (optmsk != optbits) {
+ for (io = ionames; io->on_name; io++)
+ if ((io->on_bit & optmsk) &&
+ ((io->on_bit & optmsk) !=
+ (io->on_bit & optbits))) {
+ if ((io->on_value != IPOPT_SECURITY) ||
+ (!secmsk && !secbits)) {
+ printf("%s%s", s, io->on_name);
+ s = ",";
+ } else
+ io++;
+ }
+ }
+
+ if (secmsk != secbits) {
+ printf("%ssec-class", s);
+ s = " ";
+ for (so = secclass; so->on_name; so++)
+ if ((so->on_bit & secmsk) &&
+ ((so->on_bit & secmsk) !=
+ (so->on_bit & secbits))) {
+ printf("%s%s", s, so->on_name);
+ s = ",";
+ }
+ }
+ }
 }
 char *icmptypes[] = {
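Review bot: In the positive `sec-class` loop the condition reads `(io->on_bit & secmsk) == (io->on_bit & secbits)` while the loop variable is `so`; `io` is left over from the preceding loop and at that point addresses the terminating entry of ionames[], so the comparison is trivially true and every class present in `secmsk` is printed in the positive list, including the ones that should appear only under `not opt sec-class`. The `not` loop further down uses `so->on_bit`, which is the intended form here too: `((so->on_bit & secmsk) == (so->on_bit & secbits))`. `secflag` is assigned but never read, and the `io++` used to skip the entry following IPOPT_SECURITY assumes a table layout not visible in this diff and would step over the NULL terminator if that entry were last; a comment on ionames[] stating the two-entry layout would make the dependency explicit.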
@@ -890,15 +965,17 @@ int pr, port;
 struct servent *sv = NULL, *sv1 = NULL;
 if (pr == -1) {
- if ((sv = getservbyport(htons(port), "tcp"))) {
+ if ((sv = getservbyport(port, "tcp"))) {
 strncpy(buf, sv->s_name, sizeof(buf)-1);
 buf[sizeof(buf)-1] = '\0';
- sv1 = getservbyport(htons(port), "udp");
- if (sv1 && !strcasecmp(buf, sv->s_name))
- return buf;
+ sv1 = getservbyport(port, "udp");
+ sv = strncasecmp(buf, sv->s_name, strlen(buf)) ?
+ NULL : sv1;
 }
+ if (sv)
+ return buf;
 } else if (pr && (p = getprotobynumber(pr))) {
- if ((sv = getservbyport(htons(port), p->p_name))) {
+ if ((sv = getservbyport(port, p->p_name))) {
 strncpy(buf, sv->s_name, sizeof(buf)-1);
 buf[sizeof(buf)-1] = '\0';
 return buf;
@@ -937,7 +1014,8 @@ struct frentry *fp;
 (void)printf(" return-icmp");
 if (fp->fr_icode)
 if (fp->fr_icode <= MAX_ICMPCODE)
- printf("(%s)",icmpcodes[fp->fr_icode]);
+ printf("(%s)",
+ icmpcodes[(int)fp->fr_icode]);
 else
 printf("(%d)", fp->fr_icode);
 }
@@ -972,7 +1050,7 @@ struct frentry *fp;
 if (fp->fr_ip.fi_fl & FI_TCPUDP) {
 (void)printf("proto tcp/udp ");
 pr = -1;
- } else if ((pr = fp->fr_proto)) {
+ } else if ((pr = fp->fr_mip.fi_p)) {
 if ((p = getprotobynumber(fp->fr_proto)))
 (void)printf("proto %s ", p->p_name);
 else
@@ -988,13 +1066,13 @@ struct frentry *fp;
 else
 (void)printf("/%d ", ones);
 }
- if (fp->fr_sport)
+ if (fp->fr_scmp)
 if (fp->fr_scmp == FR_INRANGE || fp->fr_scmp == FR_OUTRANGE)
- (void)printf("port %d %s %d ", ntohs(fp->fr_sport),
- pcmp1[fp->fr_scmp], ntohs(fp->fr_stop));
+ (void)printf("port %d %s %d ", fp->fr_sport,
+ pcmp1[fp->fr_scmp], fp->fr_stop);
 else
 (void)printf("port %s %s ", pcmp1[fp->fr_scmp],
- portname(pr, ntohs(fp->fr_sport)));
+ portname(pr, fp->fr_sport));
 if (!fp->fr_dst.s_addr & !fp->fr_dmsk.s_addr)
 (void)printf("to any ");
 else {
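Review bot: Dropping `htons()` from the three getservbyport() calls in portname() looks wrong: getservbyport() takes the port in network byte order, and if `fr_sport`/`fr_dport` now hold host order, as the removed `ntohs()` calls in printfr() and the host-order return of portnum() in this same commit imply, then on a little-endian host the lookup for port 80 queries 0x5000 and service names come out wrong or missing. Keep the conversion at the call sites: `getservbyport(htons(port), "tcp")`, and likewise for the `"udp"` and `p->p_name` calls. The rewritten comparison `strncasecmp(buf, sv->s_name, strlen(buf))` also reads `sv->s_name` after the second getservbyport() call, so it compares against whatever that call left in the library's static storage and only works through that aliasing, and it drops the NULL check the old code had on `sv1`; `sv = (sv1 && !strcasecmp(buf, sv1->s_name)) ? sv1 : NULL;` states the intent directly. portname() ends outside the hunk.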
@@ -1004,25 +1082,29 @@ struct frentry *fp;
 else
 (void)printf("/%d ", ones);
 }
- if (fp->fr_dport) {
+ if (fp->fr_dcmp) {
 if (fp->fr_dcmp == FR_INRANGE ||
 fp->fr_dcmp == FR_OUTRANGE)
- (void)printf("port %d %s %d ", ntohs(fp->fr_dport),
- pcmp1[fp->fr_dcmp], ntohs(fp->fr_dtop));
+ (void)printf("port %d %s %d ", fp->fr_dport,
+ pcmp1[fp->fr_dcmp], fp->fr_dtop);
 else
 (void)printf("port %s %s ", pcmp1[fp->fr_dcmp],
- portname(pr, ntohs(fp->fr_dport)));
+ portname(pr, fp->fr_dport));
 }
- if (fp->fr_mip.fi_fl & (FI_SHORT|FI_OPTIONS|FI_FRAG)) {
+ if ((fp->fr_ip.fi_fl & ~FI_TCPUDP) ||
+ (fp->fr_mip.fi_fl & ~FI_TCPUDP) ||
+ fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
+ fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) {
 (void)printf("with ");
- if (fp->fr_mip.fi_fl & FI_OPTIONS) {
- if (fp->fr_ip.fi_optmsk)
- optprint(fp->fr_ip.fi_optmsk,
- fp->fr_ip.fi_secmsk);
- else {
- if (!(fp->fr_ip.fi_fl & FI_OPTIONS))
- (void)printf("not ");
- (void)printf("ipopt ");
- }
+ if (fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
+ fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk)
+ optprint(fp->fr_mip.fi_secmsk,
+ fp->fr_ip.fi_secmsk,
+ fp->fr_mip.fi_optmsk,
+ fp->fr_ip.fi_optmsk);
+ else if (fp->fr_mip.fi_fl & FI_OPTIONS) {
+ if (!(fp->fr_ip.fi_fl & FI_OPTIONS))
+ (void)printf("not ");
+ (void)printf("ipopt ");
 }
 if (fp->fr_mip.fi_fl & FI_SHORT) {
 if (!(fp->fr_ip.fi_fl & FI_SHORT))
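Review bot: The four-term test `fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk || fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk` is written out twice in the new `with` block, once inside the outer condition and again to choose between optprint() and the bare `ipopt` keyword, so the two can drift apart the next time a field is added. A local declared at the top of printfr() (outside the hunk), `int hasopts = fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk || fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk;`, used in both places would keep them in step and make the outer condition readable. The optprint() call passes mask first and bits second in both pairs, which matches the new optprint(secmsk, secbits, optmsk, optbits) signature. printfr() continues past the end of the hunk.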