Import of Darren Reed's IPFilter 3.3.4, including OpenBSD patches.

Many, many enhancements and improvements, including new in-kernel
proxies, enhancements to logging, and many bugfixes.

Note: Man pages have not yet been re-converted to mdoc.

1 files changed, 177 insertions, 86 deletions

diff --git a/usr.sbin/ipmon/ipmon.c b/usr.sbin/ipmon/ipmon.c
index bf6c9e6f222..f44289ac67d 100644
--- a/usr.sbin/ipmon/ipmon.c
+++ b/usr.sbin/ipmon/ipmon.c
@@ -1,4 +1,5 @@
-/*	$OpenBSD: ipmon.c,v 1.19 1999/11/25 23:16:20 deraadt Exp $
+/* $OpenBSD: ipmon.c,v 1.20 1999/12/15 05:20:25 kjell Exp $ */
+/*
  * Copyright (C) 1993-1998 by Darren Reed.
  *
  * Redistribution and use in source and binary forms are permitted
@@ -6,8 +7,8 @@
  * to the original author and the contributors.
  */
 #if !defined(lint)
-static const char sccsid[] = "@(#)ipmon.c	1.21 6/5/96 (C)1993-1997 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.19 1999/11/25 23:16:20 deraadt Exp $";
+static const char sccsid[] = "@(#)ipmon.c	1.21 6/5/96 (C)1993-1998 Darren Reed";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.20 1999/12/15 05:20:25 kjell Exp $";
 #endif
 
 #ifndef SOLARIS
@@ -27,15 +28,18 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.19 1999/11/25 23:16:20 deraadt
 #include <string.h>
 #include <fcntl.h>
 #include <errno.h>
-#include <sys/types.h>
 #if !defined(__SVR4) && !defined(__svr4__)
-#include <strings.h>
-#include <signal.h>
-#include <sys/dir.h>
+# if (__FreeBSD_version >= 300000)
+#  include <sys/dirent.h>
+# else
+#  include <sys/dir.h>
+# endif
 #else
-#include <sys/filio.h>
-#include <sys/byteorder.h>
+# include <sys/filio.h>
+# include <sys/byteorder.h>
 #endif
+#include <strings.h>
+#include <signal.h>
 #include <stdlib.h>
 #include <stddef.h>
 #include <netinet/in.h>
@@ -51,7 +55,6 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.19 1999/11/25 23:16:20 deraadt
 #include <sys/uio.h>
 #ifndef linux
 # include <sys/protosw.h>
-# include <sys/user.h>
 # include <netinet/ip_var.h>
 #endif
 
@@ -60,11 +63,8 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.19 1999/11/25 23:16:20 deraadt
 
 #include <ctype.h>
 #include <syslog.h>
-#if defined(__OpenBSD__)
-# include <netinet/ip_fil_compat.h>
-#else
-# include <netinet/ip_compat.h>
-#endif
+
+#include <netinet/ip_fil_compat.h>
 #include <netinet/tcpip.h>
 #include <netinet/ip_fil.h>
 #include <netinet/ip_proxy.h>
@@ -120,19 +120,26 @@ static	char	*logfile = NULL;
 static	int	donehup = 0;
 static	void	usage __P((char *));
 static	void	handlehup __P((int));
-static	void	write_pid __P((char *));
 static	void	flushlogs __P((char *, FILE *));
 static	void	print_log __P((int, FILE *, char *, int));
 static	void	print_ipflog __P((FILE *, char *, int));
 static	void	print_natlog __P((FILE *, char *, int));
 static	void	print_statelog __P((FILE *, char *, int));
 static	void	dumphex __P((FILE *, u_char *, int));
-static	int	read_log __P((int, int *, char *, int, FILE *));
+static	int	read_log __P((int, int *, char *, int));
+static	void	write_pid __P((char *));
+
 char	*hostname __P((int, struct in_addr));
-char	*portname __P((int, char *, u_short));
+char	*portname __P((int, char *, u_int));
 int	main __P((int, char *[]));
 
 static	void	logopts __P((int, char *));
+static	void	init_tabs __P((void));
+static	char	*getproto __P((u_int));
+
+static	char	**protocols = NULL;
+static	char	**udp_ports = NULL;
+static	char	**tcp_ports = NULL;
 
 
 #define	OPT_SYSLOG	0x001
@@ -145,7 +152,7 @@ static	void	logopts __P((int, char *));
 #define	OPT_STATE	0x100
 #define	OPT_FILTER	0x200
 #define	OPT_PORTNUM	0x400
-#define	OPT_ALL		(OPT_NAT|OPT_STATE|OPT_FILTER)
+#define	OPT_LOGALL	(OPT_NAT|OPT_STATE|OPT_FILTER)
 
 #ifndef	LOGFAC
 #define	LOGFAC	LOG_LOCAL0
@@ -157,16 +164,94 @@ int sig;
 {
 	FILE	*fp;
 
+	signal(SIGHUP, handlehup);
 	if (logfile && (fp = fopen(logfile, "a")))
 		newlog = fp;
+	init_tabs();
 	donehup = 1;
 }
 
 
-static int read_log(fd, lenp, buf, bufsize, log)
+static void init_tabs()
+{
+	struct	protoent	*p;
+	struct	servent	*s;
+	char	*name, **tab;
+	u_int	port;
+
+	if (protocols != NULL) {
+		free(protocols);
+		protocols = NULL;
+	}
+	protocols = (char **)malloc(256 * sizeof(*protocols));
+	if (protocols != NULL) {
+		bzero((char *)protocols, 256 * sizeof(*protocols));
+
+		setprotoent(1);
+		while ((p = getprotoent()) != NULL)
+			if (p->p_proto >= 0 && p->p_proto <= 255 &&
+			    p->p_name != NULL)
+				protocols[p->p_proto] = strdup(p->p_name);
+		endprotoent();
+	}
+
+	if (udp_ports != NULL) {
+		free(udp_ports);
+		udp_ports = NULL;
+	}
+	udp_ports = (char **)malloc(65536 * sizeof(*udp_ports));
+	if (udp_ports != NULL)
+		bzero((char *)udp_ports, 65536 * sizeof(*udp_ports));
+
+	if (tcp_ports != NULL) {
+		free(tcp_ports);
+		tcp_ports = NULL;
+	}
+	tcp_ports = (char **)malloc(65536 * sizeof(*tcp_ports));
+	if (tcp_ports != NULL)
+		bzero((char *)tcp_ports, 65536 * sizeof(*tcp_ports));
+
+	setservent(1);
+	while ((s = getservent()) != NULL) {
+		if (s->s_proto == NULL)
+			continue;
+		else if (!strcmp(s->s_proto, "tcp")) {
+			port = (u_int)s->s_port;
+			name = s->s_name;
+			tab = tcp_ports;
+		} else if (!strcmp(s->s_proto, "udp")) {
+			port = (u_int)s->s_port;
+			name = s->s_name;
+			tab = udp_ports;
+		} else
+			continue;
+		if ((port < 0 || port > 65535) || (name == NULL))
+			continue;
+		tab[port] = strdup(name);
+	}
+	endservent();
+}
+
+
+static char *getproto(p)
+u_int p;
+{
+	static char pnum[4];
+	char *s;
+
+	p &= 0xff;
+	s = protocols ? protocols[p] : NULL;
+	if (s == NULL) {
+		sprintf(pnum, "%u", p);
+		s = pnum;
+	}
+	return s;
+}
+
+
+static int read_log(fd, lenp, buf, bufsize)
 int fd, bufsize, *lenp;
 char *buf;
-FILE *log;
 {
 	int	nr;
 
@@ -215,18 +300,24 @@ struct	in_addr	ip;
 char	*portname(res, proto, port)
 int	res;
 char	*proto;
-u_short	port;
+u_int	port;
 {
 	static	char	pname[8];
-	struct	servent	*serv;
+	char	*s;
 
-	(void) sprintf(pname, "%hu", htons(port));
+	port = ntohs(port);
+	port &= 0xffff;
+	(void) sprintf(pname, "%u", port);
 	if (!res || (opts & OPT_PORTNUM))
 		return pname;
-	serv = getservbyport((int)port, proto);
-	if (!serv)
-		return pname;
-	return serv->s_name;
+	s = NULL;
+	if (!strcmp(proto, "tcp"))
+		s = tcp_ports[port];
+	else if (!strcmp(proto, "udp"))
+		s = udp_ports[port];
+	if (s == NULL)
+		s = pname;
+	return s;
 }
 
 
@@ -323,13 +414,13 @@ int	blen;
 	t += strlen(t);
 
 	(void) sprintf(t, "%s,%s <- -> ", hostname(res, nl->nl_inip),
-		portname(res, NULL, nl->nl_inport));
+		portname(res, NULL, (u_int)nl->nl_inport));
 	t += strlen(t);
 	(void) sprintf(t, "%s,%s ", hostname(res, nl->nl_outip),
-		portname(res, NULL, nl->nl_outport));
+		portname(res, NULL, (u_int)nl->nl_outport));
 	t += strlen(t);
 	(void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip),
-		portname(res, NULL, nl->nl_origport));
+		portname(res, NULL, (u_int)nl->nl_origport));
 	t += strlen(t);
 	if (nl->nl_type == NL_EXPIRE) {
 #ifdef	USE_QUAD_T
@@ -357,8 +448,7 @@ int	blen;
 {
 	struct	ipslog *sl;
 	iplog_t	*ipl = (iplog_t *)buf;
-	struct	protoent *pr;
-	char	*t = line, *proto, pname[6];
+	char	*t = line, *proto;
 	struct	tm	*tm;
 	int	res, i, len;
 
@@ -380,8 +470,9 @@ int	blen;
 	if (sl->isl_type == ISL_NEW)
 		strcpy(t, "STATE:NEW ");
 	else if (sl->isl_type == ISL_EXPIRE) {
-		if (sl->isl_state[0] > TCPS_ESTABLISHED ||
-		    sl->isl_state[1] > TCPS_ESTABLISHED)
+		if ((sl->isl_p == IPPROTO_TCP) &&
+		    (sl->isl_state[0] > TCPS_ESTABLISHED ||
+		     sl->isl_state[1] > TCPS_ESTABLISHED))
 			strcpy(t, "STATE:CLOSE ");
 		else
 			strcpy(t, "STATE:EXPIRE ");
@@ -391,21 +482,16 @@ int	blen;
 		sprintf(t, "Type: %d ", sl->isl_type);
 	t += strlen(t);
 
-	pr = getprotobynumber((int)sl->isl_p);
-	if (!pr) {
-		proto = pname;
-		sprintf(proto, "%d", (u_int)sl->isl_p);
-	} else
-		proto = pr->p_name;
+	proto = getproto(sl->isl_p);
 
 	if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) {
 		(void) sprintf(t, "%s,%s -> ",
 			hostname(res, sl->isl_src),
-			portname(res, proto, sl->isl_sport));
+			portname(res, proto, (u_int)sl->isl_sport));
 		t += strlen(t);
 		(void) sprintf(t, "%s,%s PR %s",
 			hostname(res, sl->isl_dst),
-			portname(res, proto, sl->isl_dport), proto);
+			portname(res, proto, (u_int)sl->isl_dport), proto);
 	} else if (sl->isl_p == IPPROTO_ICMP) {
 		(void) sprintf(t, "%s -> ", hostname(res, sl->isl_src));
 		t += strlen(t);
@@ -487,11 +573,10 @@ FILE	*log;
 char	*buf;
 int	blen;
 {
-	struct	protoent *pr;
 	tcphdr_t	*tp;
 	struct	icmp	*ic;
 	struct	tm	*tm;
-	char	c[3], pname[8], *t, *proto;
+	char	*t, *proto;
 	u_short	hl, p;
 	int	i, lvl, res, len;
 	ip_t	*ipc, *ip;
@@ -531,49 +616,50 @@ int	blen;
 	(defined(OpenBSD) && (OpenBSD >= 199603))) || defined(linux)
 	len = (int)sizeof(ipf->fl_ifname);
 	(void) sprintf(t, "%*.*s", len, len, ipf->fl_ifname);
+	t += strlen(t);
+# if SOLARIS
+	if (isalpha(*(t - 1)))
+		*t++ = '0' + ipf->fl_unit;
+# endif
 #else
 	for (len = 0; len < 3; len++)
-		if (!ipf->fl_ifname[len])
+		if (ipf->fl_ifname[len] == '\0')
 			break;
 	if (ipf->fl_ifname[len])
 		len++;
 	(void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit);
-#endif
 	t += strlen(t);
+#endif
 	(void) sprintf(t, " @%hu:%hu ", ipf->fl_group, ipf->fl_rule + 1);
-	pr = getprotobynumber((int)p);
-	if (!pr) {
-		proto = pname;
-		sprintf(proto, "%d", (u_int)p);
-	} else
-		proto = pr->p_name;
+	t += strlen(t);
+	proto = getproto(p);
 
  	if (ipf->fl_flags & FF_SHORT) {
-		c[0] = 'S';
+		*t++ = 'S';
 		lvl = LOG_ERR;
 	} else if (ipf->fl_flags & FR_PASS) {
 		if (ipf->fl_flags & FR_LOGP)
-			c[0] = 'p';
+			*t++ = 'p';
 		else
-			c[0] = 'P';
+			*t++ = 'P';
 		lvl = LOG_NOTICE;
 	} else if (ipf->fl_flags & FR_BLOCK) {
 		if (ipf->fl_flags & FR_LOGB)
-			c[0] = 'b';
+			*t++ = 'b';
 		else
-			c[0] = 'B';
+			*t++ = 'B';
 		lvl = LOG_WARNING;
 	} else if (ipf->fl_flags & FF_LOGNOMATCH) {
-		c[0] = 'n';
+		*t++ = 'n';
 		lvl = LOG_NOTICE;
 	} else {
-		c[0] = 'L';
+		*t++ = 'L';
 		lvl = LOG_INFO;
 	}
-	c[1] = ' ';
-	c[2] = '\0';
-	(void) strcat(line, c);
-	t = line + strlen(line);
+	if (ipf->fl_loglevel != 0xffff)
+		lvl = ipf->fl_loglevel;
+	*t++ = ' ';
+	*t = '\0';
 
 	if ((p == IPPROTO_TCP || p == IPPROTO_UDP) &&
 	    !(ip->ip_off & IP_OFFMASK)) {
@@ -581,11 +667,11 @@ int	blen;
 		if (!(ipf->fl_flags & (FI_SHORT << 16))) {
 			(void) sprintf(t, "%s,%s -> ",
 				hostname(res, ip->ip_src),
-				portname(res, proto, tp->th_sport));
+				portname(res, proto, (u_int)tp->th_sport));
 			t += strlen(t);
 			(void) sprintf(t, "%s,%s PR %s len %hu %hu ",
 				hostname(res, ip->ip_dst),
-				portname(res, proto, tp->th_dport),
+				portname(res, proto, (u_int)tp->th_dport),
 				proto, hl, ip->ip_len);
 			t += strlen(t);
 
@@ -596,9 +682,9 @@ int	blen;
 						*t++ = tcpfl[i].flag;
 				if (opts & OPT_VERBOSE) {
 					(void) sprintf(t, " %lu %lu %hu",
-						(u_long)tp->th_seq,
-						(u_long)tp->th_ack,
-						tp->th_win);
+						(u_long)(ntohl(tp->th_seq)),
+						(u_long)(ntohl(tp->th_ack)),
+						ntohs(tp->th_win));
 					t += strlen(t);
 				}
 			}
@@ -610,7 +696,7 @@ int	blen;
 				hostname(res, ip->ip_dst), proto,
 				hl, ip->ip_len);
 		}
-	} else if (p == IPPROTO_ICMP) {
+	} else if ((p == IPPROTO_ICMP) && !(ip->ip_off & IP_OFFMASK)) {
 		ic = (struct icmp *)((char *)ip + hl);
 		(void) sprintf(t, "%s -> ", hostname(res, ip->ip_src));
 		t += strlen(t);
@@ -625,22 +711,16 @@ int	blen;
 			ipc = &ic->icmp_ip;
 			tp = (tcphdr_t *)((char *)ipc + hl);
 
-			p = (u_short)ipc->ip_p;
-			pr = getprotobynumber((int)p);
-			if (!pr) {
-				proto = pname;
-				(void) sprintf(proto, "%d", (int)p);
-			} else
-				proto = pr->p_name;
+			proto = getproto(ipc->ip_p);
 
 			t += strlen(t);
 			(void) sprintf(t, " for %s,%s -",
 				hostname(res, ipc->ip_src),
-				portname(res, proto, tp->th_sport));
+				portname(res, proto, (u_int)tp->th_sport));
 			t += strlen(t);
 			(void) sprintf(t, " %s,%s PR %s len %hu %hu",
 				hostname(res, ipc->ip_dst),
-				portname(res, proto, tp->th_dport),
+				portname(res, proto, (u_int)tp->th_dport),
 				proto, ipc->ip_hl << 2, ipc->ip_len);
 		}
 	} else {
@@ -668,6 +748,11 @@ int	blen;
 		t += strlen(t);
 	}
 
+	if (ipf->fl_flags & FR_INQUE)
+		strcpy(t, " IN");
+	else if (ipf->fl_flags & FR_OUTQUE)
+		strcpy(t, " OUT");
+	t += strlen(t);
 	*t++ = '\n';
 	*t++ = '\0';
 	if (opts & OPT_SYSLOG)
@@ -675,7 +760,7 @@ int	blen;
 	else
 		(void) fprintf(log, "%s", line);
 	if (opts & OPT_HEXHDR)
-		dumphex(log, (u_char *)buf, sizeof(iplog_t));
+		dumphex(log, (u_char *)buf, sizeof(iplog_t) + sizeof(*ipf));
 	if (opts & OPT_HEXBODY)
 		dumphex(log, (u_char *)ip, ipf->fl_plen + ipf->fl_hlen);
 }
@@ -712,14 +797,14 @@ static void flushlogs(file, log)
 char *file;
 FILE *log;
 {
-	int	fd, cmd, flushed = 0;
+	int	fd, flushed = 0;
 
 	if ((fd = open(file, O_RDWR)) == -1) {
 		(void) fprintf(stderr, "%s: open: %s\n", file,STRERROR(errno));
 		exit(-1);
 	}
 
-	if (ioctl(fd, cmd, &flushed) == 0) {
+	if (ioctl(fd, SIOCIPFFB, &flushed) == 0) {
 		printf("%d bytes flushed from log buffer\n",
 			flushed);
 		fflush(stdout);
@@ -793,7 +878,7 @@ char *argv[];
 		switch (c)
 		{
 		case 'a' :
-			opts |= OPT_ALL;
+			opts |= OPT_LOGALL;
 			fdt[0] = IPL_LOGIPF;
 			fdt[1] = IPL_LOGNAT;
 			fdt[2] = IPL_LOGSTATE;
@@ -839,7 +924,10 @@ char *argv[];
 			s = strrchr(argv[0], '/');
 			if (s == NULL)
 				s = argv[0];
+			else
+				s++;
 			openlog(s, LOG_NDELAY|LOG_PID, LOGFAC);
+			s = NULL;
 			opts |= OPT_SYSLOG;
 			log = NULL;
 			break;
@@ -866,6 +954,8 @@ char *argv[];
 			usage(argv[0]);
 		}
 
+	init_tabs();
+
 	/*
 	 * Default action is to only open the filter log file.
 	 */
@@ -905,9 +995,10 @@ char *argv[];
 			exit(-1);
 		}
 		setvbuf(log, NULL, _IONBF, 0);
-	}
+	} else
+		log = NULL;
 
-	if (make_daemon && (log != stdout)) {
+	if (make_daemon && ((log != stdout) || (opts & OPT_SYSLOG))) {
 		if (fork() > 0)
 			exit(0);
 		write_pid(pidfile);
@@ -941,7 +1032,7 @@ char *argv[];
 				continue;
 			nr += tr;
 
-			tr = read_log(fd[i], &n, buf, sizeof(buf), log);
+			tr = read_log(fd[i], &n, buf, sizeof(buf));
 			if (donehup) {
 				donehup = 0;
 				if (newlog) {