author | Kjell Wooding <kjell@cvs.openbsd.org> | 1999-12-15 05:20:28 +0000 |
---|---|---|
committer | Kjell Wooding <kjell@cvs.openbsd.org> | 1999-12-15 05:20:28 +0000 |
commit | 0d8d81d8f58d6f5eae36373c100a2562a3d9c879 (patch) | |
tree | b3707c6aa857b4476407ab2400656c7c43045937 /usr.sbin | |
parent | b31112257bf9b07ac5f126920d34834e580e789f (diff) |
Import of Darren Reed's IPFilter 3.3.4, including OpenBSD patches.
Many, many enhancements and improvements, including new in-kernel
proxies, enhancements to logging, and many bugfixes.
Note: Man pages have not yet been re-converted to mdoc.
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/ipftest/Makefile | 6 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipft_ef.c | 10 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipft_hx.c | 10 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipft_pc.c | 12 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipft_sn.c | 12 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipft_td.c | 10 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipft_tx.c | 17 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipt.c | 92 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipt.h | 23 | ||||
-rw-r--r-- | usr.sbin/ipftest/misc.c | 26 | ||||
-rw-r--r-- | usr.sbin/ipftest/pcap.h | 4 | ||||
-rw-r--r-- | usr.sbin/ipftest/snoop.h | 4 | ||||
-rw-r--r-- | usr.sbin/ipmon/ipmon.c | 263 |
13 files changed, 300 insertions, 189 deletions
diff --git a/usr.sbin/ipftest/Makefile b/usr.sbin/ipftest/Makefile index 2e6697dac82..c70bce0dd64 100644 --- a/usr.sbin/ipftest/Makefile +++ b/usr.sbin/ipftest/Makefile @@ -1,13 +1,13 @@ -# $OpenBSD: Makefile,v 1.6 1998/09/15 10:05:46 pattonme Exp $ +# $OpenBSD: Makefile,v 1.7 1999/12/15 05:20:26 kjell Exp $ PROG= ipftest MAN= ipftest.1 SRCS= ipt.c fil.c ipft_hx.c ipft_sn.c ipft_ef.c ipft_td.c ipft_pc.c \ ipft_tx.c misc.c parse.c opt.c ip_frag.c ip_nat.c ip_state.c \ - ip_auth.c ip_fil.c ip_proxy.c + ip_auth.c ip_fil.c ip_proxy.c facpri.c natparse.c .PATH: ${.CURDIR}/../../sbin/ipf ${.CURDIR}/../../sbin/ipfstat \ - ${.CURDIR}/../../sys/netinet + ${.CURDIR}/../../sys/netinet ${.CURDIR}/../../sbin/ipnat CFLAGS+=-I${.CURDIR}/../../sbin/ipf \ -I${.CURDIR} diff --git a/usr.sbin/ipftest/ipft_ef.c b/usr.sbin/ipftest/ipft_ef.c index 7cb02ef6c38..5cff7b076ad 100644 --- a/usr.sbin/ipftest/ipft_ef.c +++ b/usr.sbin/ipftest/ipft_ef.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipft_ef.c,v 1.10 1999/02/05 05:58:45 deraadt Exp $ */ +/* $OpenBSD: ipft_ef.c,v 1.11 1999/12/15 05:20:26 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -45,18 +45,14 @@ etherfind -n -t #include <netinet/ip_icmp.h> #include <net/if.h> #include <netdb.h> -#if defined(__OpenBSD__) -# include <netinet/ip_fil_compat.h> -#else -# include <netinet/ip_compat.h> -#endif +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> #include "ipf.h" #include "ipt.h" #if !defined(lint) static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 1.10 1999/02/05 05:58:45 deraadt Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 1.11 1999/12/15 05:20:26 kjell Exp $"; #endif static int etherf_open __P((char *)); diff --git a/usr.sbin/ipftest/ipft_hx.c b/usr.sbin/ipftest/ipft_hx.c index 7f4410cbfd5..36595779516 100644 --- a/usr.sbin/ipftest/ipft_hx.c +++ b/usr.sbin/ipftest/ipft_hx.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ipft_hx.c,v 1.8 1999/02/05 05:58:46 deraadt Exp $ */ +/* $OpenBSD: ipft_hx.c,v 1.9 1999/12/15 05:20:26 kjell Exp $ */ /* * Copyright (C) 1995-1998 by Darren Reed. * @@ -36,18 +36,14 @@ #include <netdb.h> #include <arpa/nameser.h> #include <resolv.h> -#if defined(__OpenBSD__) -# include <netinet/ip_fil_compat.h> -#else -# include <netinet/ip_compat.h> -#endif +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> #include "ipf.h" #include "ipt.h" #if !defined(lint) static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.8 1999/02/05 05:58:46 deraadt Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.9 1999/12/15 05:20:26 kjell Exp $"; #endif extern int opts; diff --git a/usr.sbin/ipftest/ipft_pc.c b/usr.sbin/ipftest/ipft_pc.c index 3fe1a198105..4e516699e5a 100644 --- a/usr.sbin/ipftest/ipft_pc.c +++ b/usr.sbin/ipftest/ipft_pc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipft_pc.c,v 1.12 1999/02/05 05:58:46 deraadt Exp $ */ +/* $OpenBSD: ipft_pc.c,v 1.13 1999/12/15 05:20:26 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -27,18 +27,14 @@ #include <netinet/ip.h> #include <netinet/tcp.h> #include <net/if.h> -#if defined(__OpenBSD__) -# include <netinet/ip_fil_compat.h> -#else -# include <netinet/ip_compat.h> -#endif +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> #include "ipf.h" -#include "ipt.h" #include "pcap.h" +#include "ipt.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 1.12 1999/02/05 05:58:46 deraadt Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 1.13 1999/12/15 05:20:26 kjell Exp $"; #endif struct llc { diff --git a/usr.sbin/ipftest/ipft_sn.c b/usr.sbin/ipftest/ipft_sn.c index 3da1b2d7f6b..421ca51e369 100644 --- a/usr.sbin/ipftest/ipft_sn.c +++ b/usr.sbin/ipftest/ipft_sn.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ipft_sn.c,v 1.9 1999/02/05 05:58:46 deraadt Exp $ */ +/* $OpenBSD: ipft_sn.c,v 1.10 1999/12/15 05:20:26 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -31,18 +31,14 @@ #include <netinet/ip.h> #include <netinet/tcp.h> #include <net/if.h> -#if defined(__OpenBSD__) -# include <netinet/ip_fil_compat.h> -#else -# include <netinet/ip_compat.h> -#endif +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> #include "ipf.h" -#include "ipt.h" #include "snoop.h" +#include "ipt.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 1.9 1999/02/05 05:58:46 deraadt Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 1.10 1999/12/15 05:20:26 kjell Exp $"; #endif struct llc { diff --git a/usr.sbin/ipftest/ipft_td.c b/usr.sbin/ipftest/ipft_td.c index a45a4285412..335ff525c36 100644 --- a/usr.sbin/ipftest/ipft_td.c +++ b/usr.sbin/ipftest/ipft_td.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipft_td.c,v 1.10 1999/02/05 05:58:46 deraadt Exp $ */ +/* $OpenBSD: ipft_td.c,v 1.11 1999/12/15 05:20:26 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -54,18 +54,14 @@ tcpdump -nqte #include <netinet/ip_icmp.h> #include <net/if.h> #include <netdb.h> -#if defined(__OpenBSD__) -# include <netinet/ip_fil_compat.h> -#else -# include <netinet/ip_compat.h> -#endif +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> #include "ipf.h" #include "ipt.h" #if !defined(lint) static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_td.c,v 1.10 1999/02/05 05:58:46 deraadt Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_td.c,v 1.11 1999/12/15 05:20:26 kjell Exp $"; #endif static int tcpd_open __P((char *)); diff --git a/usr.sbin/ipftest/ipft_tx.c b/usr.sbin/ipftest/ipft_tx.c index 9f5c8395f25..7c3ec85fe04 100644 --- a/usr.sbin/ipftest/ipft_tx.c +++ b/usr.sbin/ipftest/ipft_tx.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ipft_tx.c,v 1.12 1999/02/05 05:58:46 deraadt Exp $ */ +/* $OpenBSD: ipft_tx.c,v 1.13 1999/12/15 05:20:26 kjell Exp $ */ /* * Copyright (C) 1995-1998 by Darren Reed. * @@ -37,18 +37,14 @@ #include <netdb.h> #include <arpa/nameser.h> #include <resolv.h> -#if defined(__OpenBSD__) -# include <netinet/ip_fil_compat.h> -#else -# include <netinet/ip_compat.h> -#endif +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> #include "ipf.h" #include "ipt.h" #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.12 1999/02/05 05:58:46 deraadt Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.13 1999/12/15 05:20:26 kjell Exp $"; #endif extern int opts; @@ -201,7 +197,7 @@ int cnt, *dir; *dir = 0; if (!parseline(line, (ip_t *)buf, ifn, dir)) #if 0 - return sizeof(struct tcpiphdr); + return sizeof(*ip) + sizeof(tcphdr_t); #else return sizeof(ip_t); #endif @@ -268,6 +264,9 @@ int *out; tx_proto = "icmp"; } cpp++; + } else if (isdigit(**cpp) && !index(*cpp, '.')) { + ip->ip_p = atoi(*cpp); + cpp++; } else ip->ip_p = IPPROTO_IP; @@ -314,6 +313,7 @@ int *out; cpp++; assert(tcp->th_flags != 0); tcp->th_win = htons(4096); + tcp->th_off = sizeof(*tcp) >> 2; } else if (*cpp && ip->ip_p == IPPROTO_ICMP) { extern char *tx_icmptypes[]; char **s, *t; @@ -346,5 +346,6 @@ int *out; else if (ip->ip_p == IPPROTO_ICMP) bcopy((char *)ic, ((char *)ip) + (ip->ip_hl << 2), sizeof(*ic)); + ip->ip_len = htons(ip->ip_len); return 0; } diff --git a/usr.sbin/ipftest/ipt.c b/usr.sbin/ipftest/ipt.c index e60bc8f954e..dee57e5d113 100644 --- a/usr.sbin/ipftest/ipt.c +++ b/usr.sbin/ipftest/ipt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipt.c,v 1.13 1999/02/05 05:58:47 deraadt Exp $ */ +/* $OpenBSD: ipt.c,v 1.14 1999/12/15 05:20:26 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. * 
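Review bot: The new numeric-protocol branch in the `@@ -268` hunk stores `atoi(*cpp)` straight into `ip->ip_p`, so a token such as `300` is silently truncated to eight bits and any non-digit tail after the number is ignored rather than rejected. Parse it with `strtoul()` and accept only a complete decimal in 0..255, e.g. `unsigned long pr = strtoul(*cpp, &end, 10); if (*end != '\0' || pr > 255) { /* reject this line the way the parser reports other errors */ } ip->ip_p = (u_char)pr;`. The `isdigit(**cpp)` call should also be fed `(unsigned char)**cpp`, since a negative `char` is not a valid argument to the ctype functions, and `index()` is the legacy spelling of `strchr()`. The enclosing function starts and ends outside the hunk.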
@@ -46,19 +46,17 @@ #include <arpa/inet.h> #include <resolv.h> #include <ctype.h> -#if defined(__OpenBSD__) -# include <netinet/ip_fil_compat.h> -#else -# include <netinet/ip_compat.h> -#endif +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> #include <netinet/ip_fil.h> +#include <netinet/ip_nat.h> +#include <netinet/ip_state.h> #include "ipf.h" #include "ipt.h" #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipt.c,v 1.13 1999/02/05 05:58:47 deraadt Exp $"; +static const char rcsid[] = "@(#)$Id: ipt.c,v 1.14 1999/12/15 05:20:26 kjell Exp $"; #endif extern char *optarg; @@ -66,6 +64,7 @@ extern struct frentry *ipfilter[2][2]; extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex; extern struct ifnet *get_unit __P((char *)); extern void init_ifp __P((void)); +extern ipnat_t *natparse __P((char *, int)); int opts = 0; int main __P((int, char *[])); @@ -75,13 +74,13 @@ int argc; char *argv[]; { struct ipread *r = &iptext; - u_long buf[64]; + u_long buf[2048]; struct ifnet *ifp; char *rules = NULL, *datain = NULL, *iface = NULL; ip_t *ip; int fd, i, dir = 0, c; - while ((c = getopt(argc, argv, "bdEHi:I:oPr:STvX")) != -1) + while ((c = getopt(argc, argv, "bdEHi:I:NoPr:STvX")) != -1) switch (c) { case 'b' : @@ -111,6 +110,9 @@ char *argv[]; case 'H' : r = &iphex; break; + case 'N' : + opts |= OPT_NAT; + break; case 'P' : r = &pcap; break; @@ -130,12 +132,15 @@ char *argv[]; exit(-1); } + nat_init(); + fr_stateinit(); initparse(); if (rules) { - struct frentry *fr; char line[513], *s; + void *fr; FILE *fp; + int linenum = 0; if (!strcmp(rules, "-")) fp = stdin; @@ -146,6 +151,7 @@ char *argv[]; if (!(opts & OPT_BRIEF)) (void)printf("opening rule file \"%s\"\n", rules); while (fgets(line, sizeof(line)-1, fp)) { + linenum++; /* * treat both CR and LF as EOL */ 
@@ -162,14 +168,27 @@ char *argv[]; if (!*line) continue; - if (!(fr = parse(line))) - continue; /* fake an `ioctl' call :) */ - i = IPL_EXTERN(ioctl)(0, SIOCADDFR, (caddr_t)fr, FWRITE|FREAD); - if (opts & OPT_DEBUG) - fprintf(stderr, - "iplioctl(SIOCADDFR,%p,1) = %d\n", - fr, i); + + if ((opts & OPT_NAT) != 0) { + if (!(fr = natparse(line, linenum))) + continue; + i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT, + fr, FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(ADNAT,%p,1) = %d\n", + fr, i); + } else { + if (!(fr = parse(line, linenum))) + continue; + i = IPL_EXTERN(ioctl)(0, SIOCADDFR, fr, + FWRITE|FREAD); + if (opts & OPT_DEBUG) + fprintf(stderr, + "iplioctl(ADDFR,%p,1) = %d\n", + fr, i); + } } (void)fclose(fp); } @@ -191,26 +210,30 @@ char *argv[]; ifp = iface ? get_unit(iface) : NULL; ip->ip_off = ntohs(ip->ip_off); ip->ip_len = ntohs(ip->ip_len); - switch (fr_check(ip, ip->ip_hl << 2, ifp, dir, (mb_t **)&buf)) - { - case -2 : - (void)printf("auth"); - break; - case -1 : - (void)printf("block"); - break; - case 0 : - (void)printf("pass"); - break; - case 1 : - (void)printf("nomatch"); - break; - } + i = fr_check(ip, ip->ip_hl << 2, ifp, dir, (mb_t **)&buf); + if ((opts & OPT_NAT) == 0) + switch (i) + { + case -2 : + (void)printf("auth"); + break; + case -1 : + (void)printf("block"); + break; + case 0 : + (void)printf("pass"); + break; + case 1 : + (void)printf("nomatch"); + break; + } + if (!(opts & OPT_BRIEF)) { putchar(' '); printpacket((ip_t *)buf); printf("--------------"); - } + } else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF)) + printpacket((ip_t *)buf); #ifndef linux if (dir && ifp && ip->ip_v) # ifdef __sgi @@ -219,7 +242,8 @@ char *argv[]; (*ifp->if_output)(ifp, (void *)buf, NULL, 0); # endif #endif - putchar('\n'); + if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF)) + putchar('\n'); dir = 0; } (*r->r_close)(); diff --git a/usr.sbin/ipftest/ipt.h b/usr.sbin/ipftest/ipt.h index bba64f94f4a..bd49742d9ef 100644 
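Review bot: The NAT and filter branches of the rule-loading loop in the `@@ -162` hunk are the same parse / ioctl / debug-print sequence with a different parser, ioctl unit and command, and label, so the two copies are already drifting: both debug messages hard-code `,1)` while the calls pass `FWRITE|FREAD`. Deciding the unit, command and label once from `opts & OPT_NAT` before the loop and keeping only the two parser calls under the branch would leave a single ioctl and a single `fprintf(stderr, "iplioctl(%s,%p,%d) = %d\n", what, fr, FWRITE|FREAD, i);`. The `@@ -191` hunk discards the `fr_check()` verdict in NAT mode, which looks intentional but deserves a one-line comment such as `/* in NAT mode only the rewritten packet is of interest, not the filter verdict */`. `main()` starts and ends outside these hunks.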
--- a/usr.sbin/ipftest/ipt.h +++ b/usr.sbin/ipftest/ipt.h @@ -1,23 +1,27 @@ -/* $OpenBSD: ipt.h,v 1.6 1999/02/05 05:58:47 deraadt Exp $ */ +/* $OpenBSD: ipt.h,v 1.7 1999/12/15 05:20:27 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: ipt.h,v 1.6 1999/02/05 05:58:47 deraadt Exp $ + * $Id: ipt.h,v 1.7 1999/12/15 05:20:27 kjell Exp $ */ #ifndef __IPT_H__ #define __IPT_H__ -#include <fcntl.h> -#ifdef __STDC__ -#include <stdarg.h> -#else -#include <varargs.h> +#ifndef __P +# define P_DEF +# ifdef __STDC__ +# define __P(x) x +# else +# define __P(x) () +# endif #endif +#include <fcntl.h> + struct ipread { int (*r_open) __P((char *)); @@ -28,4 +32,9 @@ struct ipread { extern void debug __P((char *, ...)); extern void verbose __P((char *, ...)); +#ifdef P_DEF +# undef __P +# undef P_DEF +#endif + #endif /* __IPT_H__ */ diff --git a/usr.sbin/ipftest/misc.c b/usr.sbin/ipftest/misc.c index 7de936cd95a..ba2ec314100 100644 --- a/usr.sbin/ipftest/misc.c +++ b/usr.sbin/ipftest/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.8 1999/02/05 05:58:47 deraadt Exp $ */ +/* $OpenBSD: misc.c,v 1.9 1999/12/15 05:20:27 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -6,6 +6,15 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ +#if (SOLARIS2 >= 7) +# define _SYS_VARARGS_H +# define _VARARGS_H +#endif +#if defined(__STDC__) +# include <stdarg.h> +#else +# include <varargs.h> +#endif #include <stdio.h> #include <assert.h> #include <string.h> 
@@ -36,11 +45,7 @@ #include <netdb.h> #include <arpa/nameser.h> #include <resolv.h> -#if defined(__OpenBSD__) -# include <netinet/ip_fil_compat.h> -#else -# include <netinet/ip_compat.h> -#endif +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> #include <netinet/ip_fil.h> #include "ipf.h" @@ -48,7 +53,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: misc.c,v 1.8 1999/02/05 05:58:47 deraadt Exp $"; +static const char rcsid[] = "@(#)$Id: misc.c,v 1.9 1999/12/15 05:20:27 kjell Exp $"; #endif extern int opts; @@ -60,9 +65,9 @@ ip_t *ip; tcphdr_t *tcp; tcp = (struct tcphdr *)((char *)ip + (ip->ip_hl << 2)); - printf("ip %d(%d) %d ", ip->ip_len, ip->ip_hl << 2, ip->ip_p); + printf("ip %d(%d) %d", ip->ip_len, ip->ip_hl << 2, ip->ip_p); if (ip->ip_off & IP_OFFMASK) - printf("@%d", ip->ip_off << 3); + printf(" @%d", ip->ip_off << 3); (void)printf(" %s", inet_ntoa(ip->ip_src)); if (!(ip->ip_off & IP_OFFMASK)) if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) @@ -75,7 +80,8 @@ ip_t *ip; putchar('\n'); } -#ifdef __STDC__ + +#if defined(__STDC__) void verbose(char *fmt, ...) #else void verbose(fmt, va_alist) diff --git a/usr.sbin/ipftest/pcap.h b/usr.sbin/ipftest/pcap.h index 170d0288f22..451c8496417 100644 --- a/usr.sbin/ipftest/pcap.h +++ b/usr.sbin/ipftest/pcap.h @@ -1,11 +1,11 @@ -/* $OpenBSD: pcap.h,v 1.6 1999/02/05 05:58:47 deraadt Exp $ */ +/* $OpenBSD: pcap.h,v 1.7 1999/12/15 05:20:27 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $Id: pcap.h,v 1.6 1999/02/05 05:58:47 deraadt Exp $ + * $Id: pcap.h,v 1.7 1999/12/15 05:20:27 kjell Exp $ */ /* * This header file is constructed to match the version described by 
diff --git a/usr.sbin/ipftest/snoop.h b/usr.sbin/ipftest/snoop.h index c715f6b232b..5442ef1b4b8 100644 --- a/usr.sbin/ipftest/snoop.h +++ b/usr.sbin/ipftest/snoop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: snoop.h,v 1.5 1999/02/05 05:58:47 deraadt Exp $ */ +/* $OpenBSD: snoop.h,v 1.6 1999/12/15 05:20:27 kjell Exp $ */ /* * Copyright (C) 1993-1998 by Darren Reed. * @@ -12,7 +12,7 @@ /* * written to comply with the RFC (1761) from Sun. - * $Id: snoop.h,v 1.5 1999/02/05 05:58:47 deraadt Exp $ + * $Id: snoop.h,v 1.6 1999/12/15 05:20:27 kjell Exp $ */ struct snoophdr { char s_id[8]; diff --git a/usr.sbin/ipmon/ipmon.c b/usr.sbin/ipmon/ipmon.c index bf6c9e6f222..f44289ac67d 100644 --- a/usr.sbin/ipmon/ipmon.c +++ b/usr.sbin/ipmon/ipmon.c @@ -1,4 +1,5 @@ -/* $OpenBSD: ipmon.c,v 1.19 1999/11/25 23:16:20 deraadt Exp $ +/* $OpenBSD: ipmon.c,v 1.20 1999/12/15 05:20:25 kjell Exp $ */ +/* * Copyright (C) 1993-1998 by Darren Reed. * * Redistribution and use in source and binary forms are permitted @@ -6,8 +7,8 @@ * to the original author and the contributors. */ #if !defined(lint) -static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.19 1999/11/25 23:16:20 deraadt Exp $"; +static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed"; +static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.20 1999/12/15 05:20:25 kjell Exp $"; #endif #ifndef SOLARIS 
@@ -27,15 +28,18 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.19 1999/11/25 23:16:20 deraadt #include <string.h> #include <fcntl.h> #include <errno.h> -#include <sys/types.h> #if !defined(__SVR4) && !defined(__svr4__) -#include <strings.h> -#include <signal.h> -#include <sys/dir.h> +# if (__FreeBSD_version >= 300000) +# include <sys/dirent.h> +# else +# include <sys/dir.h> +# endif #else -#include <sys/filio.h> -#include <sys/byteorder.h> +# include <sys/filio.h> +# include <sys/byteorder.h> #endif +#include <strings.h> +#include <signal.h> #include <stdlib.h> #include <stddef.h> #include <netinet/in.h> @@ -51,7 +55,6 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.19 1999/11/25 23:16:20 deraadt #include <sys/uio.h> #ifndef linux # include <sys/protosw.h> -# include <sys/user.h> # include <netinet/ip_var.h> #endif @@ -60,11 +63,8 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.19 1999/11/25 23:16:20 deraadt #include <ctype.h> #include <syslog.h> -#if defined(__OpenBSD__) -# include <netinet/ip_fil_compat.h> -#else -# include <netinet/ip_compat.h> -#endif + +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> #include <netinet/ip_fil.h> #include <netinet/ip_proxy.h> 
@@ -120,19 +120,26 @@ static char *logfile = NULL; static int donehup = 0; static void usage __P((char *)); static void handlehup __P((int)); -static void write_pid __P((char *)); static void flushlogs __P((char *, FILE *)); static void print_log __P((int, FILE *, char *, int)); static void print_ipflog __P((FILE *, char *, int)); static void print_natlog __P((FILE *, char *, int)); static void print_statelog __P((FILE *, char *, int)); static void dumphex __P((FILE *, u_char *, int)); -static int read_log __P((int, int *, char *, int, FILE *)); +static int read_log __P((int, int *, char *, int)); +static void write_pid __P((char *)); + char *hostname __P((int, struct in_addr)); -char *portname __P((int, char *, u_short)); +char *portname __P((int, char *, u_int)); int main __P((int, char *[])); static void logopts __P((int, char *)); +static void init_tabs __P((void)); +static char *getproto __P((u_int)); + +static char **protocols = NULL; +static char **udp_ports = NULL; +static char **tcp_ports = NULL; #define OPT_SYSLOG 0x001 @@ -145,7 +152,7 @@ static void logopts __P((int, char *)); #define OPT_STATE 0x100 #define OPT_FILTER 0x200 #define OPT_PORTNUM 0x400 -#define OPT_ALL (OPT_NAT|OPT_STATE|OPT_FILTER) +#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER) #ifndef LOGFAC #define LOGFAC LOG_LOCAL0 
@@ -157,16 +164,94 @@ int sig; { FILE *fp; + signal(SIGHUP, handlehup); if (logfile && (fp = fopen(logfile, "a"))) newlog = fp; + init_tabs(); donehup = 1; } -static int read_log(fd, lenp, buf, bufsize, log) +static void init_tabs() +{ + struct protoent *p; + struct servent *s; + char *name, **tab; + u_int port; + + if (protocols != NULL) { + free(protocols); + protocols = NULL; + } + protocols = (char **)malloc(256 * sizeof(*protocols)); + if (protocols != NULL) { + bzero((char *)protocols, 256 * sizeof(*protocols)); + + setprotoent(1); + while ((p = getprotoent()) != NULL) + if (p->p_proto >= 0 && p->p_proto <= 255 && + p->p_name != NULL) + protocols[p->p_proto] = strdup(p->p_name); + endprotoent(); + } + + if (udp_ports != NULL) { + free(udp_ports); + udp_ports = NULL; + } + udp_ports = (char **)malloc(65536 * sizeof(*udp_ports)); + if (udp_ports != NULL) + bzero((char *)udp_ports, 65536 * sizeof(*udp_ports)); + + if (tcp_ports != NULL) { + free(tcp_ports); + tcp_ports = NULL; + } + tcp_ports = (char **)malloc(65536 * sizeof(*tcp_ports)); + if (tcp_ports != NULL) + bzero((char *)tcp_ports, 65536 * sizeof(*tcp_ports)); + + setservent(1); + while ((s = getservent()) != NULL) { + if (s->s_proto == NULL) + continue; + else if (!strcmp(s->s_proto, "tcp")) { + port = (u_int)s->s_port; + name = s->s_name; + tab = tcp_ports; + } else if (!strcmp(s->s_proto, "udp")) { + port = (u_int)s->s_port; + name = s->s_name; + tab = udp_ports; + } else + continue; + if ((port < 0 || port > 65535) || (name == NULL)) + continue; + tab[port] = strdup(name); + } + endservent(); +} + + +static char *getproto(p) +u_int p; +{ + static char pnum[4]; + char *s; + + p &= 0xff; + s = protocols ? protocols[p] : NULL; + if (s == NULL) { + sprintf(pnum, "%u", p); + s = pnum; + } + return s; +} + + +static int read_log(fd, lenp, buf, bufsize) int fd, bufsize, *lenp; char *buf; -FILE *log; { int nr; 
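Review bot: `init_tabs()` fills the service tables at the raw `s_port` index (`port = (u_int)s->s_port;`), but `portname()` in the next hunk looks them up after `ntohs()`; `s_port` is in network byte order per getservent(3), so on a little-endian host the two disagree and every TCP/UDP port prints as a bare number. Store `port = ntohs((u_short)s->s_port);` instead, and note that the `port < 0` half of the following range check is dead for a `u_int`. `handlehup()` now calls `init_tabs()` and `fopen()`, and through them `malloc()`, `free()` and `getservent()`, from a signal handler; none of those are async-signal-safe, so a SIGHUP arriving while the main loop is inside stdio or the allocator can deadlock or corrupt the heap, and the handler should only set `donehup` and leave the reopen and table rebuild to the main loop, which already polls that flag (see the `@@ -941` hunk). Reloading also frees the three arrays but not the `strdup()`ed names they hold, and `tab[port] = strdup(name)` overwrites an earlier entry for the same port without freeing it, so each reload leaks.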
@@ -215,18 +300,24 @@ struct in_addr ip; char *portname(res, proto, port) int res; char *proto; -u_short port; +u_int port; { static char pname[8]; - struct servent *serv; + char *s; - (void) sprintf(pname, "%hu", htons(port)); + port = ntohs(port); + port &= 0xffff; + (void) sprintf(pname, "%u", port); if (!res || (opts & OPT_PORTNUM)) return pname; - serv = getservbyport((int)port, proto); - if (!serv) - return pname; - return serv->s_name; + s = NULL; + if (!strcmp(proto, "tcp")) + s = tcp_ports[port]; + else if (!strcmp(proto, "udp")) + s = udp_ports[port]; + if (s == NULL) + s = pname; + return s; } @@ -323,13 +414,13 @@ int blen; t += strlen(t); (void) sprintf(t, "%s,%s <- -> ", hostname(res, nl->nl_inip), - portname(res, NULL, nl->nl_inport)); + portname(res, NULL, (u_int)nl->nl_inport)); t += strlen(t); (void) sprintf(t, "%s,%s ", hostname(res, nl->nl_outip), - portname(res, NULL, nl->nl_outport)); + portname(res, NULL, (u_int)nl->nl_outport)); t += strlen(t); (void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip), - portname(res, NULL, nl->nl_origport)); + portname(res, NULL, (u_int)nl->nl_origport)); t += strlen(t); if (nl->nl_type == NL_EXPIRE) { #ifdef USE_QUAD_T @@ -357,8 +448,7 @@ int blen; { struct ipslog *sl; iplog_t *ipl = (iplog_t *)buf; - struct protoent *pr; - char *t = line, *proto, pname[6]; + char *t = line, *proto; struct tm *tm; int res, i, len; @@ -380,8 +470,9 @@ int blen; if (sl->isl_type == ISL_NEW) strcpy(t, "STATE:NEW "); else if (sl->isl_type == ISL_EXPIRE) { - if (sl->isl_state[0] > TCPS_ESTABLISHED || - sl->isl_state[1] > TCPS_ESTABLISHED) + if ((sl->isl_p == IPPROTO_TCP) && + (sl->isl_state[0] > TCPS_ESTABLISHED || + sl->isl_state[1] > TCPS_ESTABLISHED)) strcpy(t, "STATE:CLOSE "); else strcpy(t, "STATE:EXPIRE "); 
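Review bot: `portname()` now calls `strcmp(proto, "tcp")` unconditionally once resolution is on, but `print_natlog()` in the `@@ -323` hunk still passes `NULL` as `proto` for all three of its ports; the old `getservbyport()` accepted a NULL protocol, the new code dereferences it. Guard the comparison, `if (proto != NULL && !strcmp(proto, "tcp"))` and likewise for `"udp"`, or have the NAT caller supply a real protocol name — whether the NAT log record carries a protocol number is not visible here. The lookups also assume `init_tabs()` succeeded; `getproto()` tolerates a NULL `protocols`, so `portname()` should likewise use `s = tcp_ports ? tcp_ports[port] : NULL;` rather than crashing on the first logged packet after an allocation failure.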
@@ -391,21 +482,16 @@ int blen; sprintf(t, "Type: %d ", sl->isl_type); t += strlen(t); - pr = getprotobynumber((int)sl->isl_p); - if (!pr) { - proto = pname; - sprintf(proto, "%d", (u_int)sl->isl_p); - } else - proto = pr->p_name; + proto = getproto(sl->isl_p); if (sl->isl_p == IPPROTO_TCP || sl->isl_p == IPPROTO_UDP) { (void) sprintf(t, "%s,%s -> ", hostname(res, sl->isl_src), - portname(res, proto, sl->isl_sport)); + portname(res, proto, (u_int)sl->isl_sport)); t += strlen(t); (void) sprintf(t, "%s,%s PR %s", hostname(res, sl->isl_dst), - portname(res, proto, sl->isl_dport), proto); + portname(res, proto, (u_int)sl->isl_dport), proto); } else if (sl->isl_p == IPPROTO_ICMP) { (void) sprintf(t, "%s -> ", hostname(res, sl->isl_src)); t += strlen(t); @@ -487,11 +573,10 @@ FILE *log; char *buf; int blen; { - struct protoent *pr; tcphdr_t *tp; struct icmp *ic; struct tm *tm; - char c[3], pname[8], *t, *proto; + char *t, *proto; u_short hl, p; int i, lvl, res, len; ip_t *ipc, *ip; 
@@ -531,49 +616,50 @@ int blen; (defined(OpenBSD) && (OpenBSD >= 199603))) || defined(linux) len = (int)sizeof(ipf->fl_ifname); (void) sprintf(t, "%*.*s", len, len, ipf->fl_ifname); + t += strlen(t); +# if SOLARIS + if (isalpha(*(t - 1))) + *t++ = '0' + ipf->fl_unit; +# endif #else for (len = 0; len < 3; len++) - if (!ipf->fl_ifname[len]) + if (ipf->fl_ifname[len] == '\0') break; if (ipf->fl_ifname[len]) len++; (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit); -#endif t += strlen(t); +#endif (void) sprintf(t, " @%hu:%hu ", ipf->fl_group, ipf->fl_rule + 1); - pr = getprotobynumber((int)p); - if (!pr) { - proto = pname; - sprintf(proto, "%d", (u_int)p); - } else - proto = pr->p_name; + t += strlen(t); + proto = getproto(p); if (ipf->fl_flags & FF_SHORT) { - c[0] = 'S'; + *t++ = 'S'; lvl = LOG_ERR; } else if (ipf->fl_flags & FR_PASS) { if (ipf->fl_flags & FR_LOGP) - c[0] = 'p'; + *t++ = 'p'; else - c[0] = 'P'; + *t++ = 'P'; lvl = LOG_NOTICE; } else if (ipf->fl_flags & FR_BLOCK) { if (ipf->fl_flags & FR_LOGB) - c[0] = 'b'; + *t++ = 'b'; else - c[0] = 'B'; + *t++ = 'B'; lvl = LOG_WARNING; } else if (ipf->fl_flags & FF_LOGNOMATCH) { - c[0] = 'n'; + *t++ = 'n'; lvl = LOG_NOTICE; } else { - c[0] = 'L'; + *t++ = 'L'; lvl = LOG_INFO; } - c[1] = ' '; - c[2] = '\0'; - (void) strcat(line, c); - t = line + strlen(line); + if (ipf->fl_loglevel != 0xffff) + lvl = ipf->fl_loglevel; + *t++ = ' '; + *t = '\0'; if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !(ip->ip_off & IP_OFFMASK)) { @@ -581,11 +667,11 @@ int blen; if (!(ipf->fl_flags & (FI_SHORT << 16))) { (void) sprintf(t, "%s,%s -> ", hostname(res, ip->ip_src), - portname(res, proto, tp->th_sport)); + portname(res, proto, (u_int)tp->th_sport)); t += strlen(t); (void) sprintf(t, "%s,%s PR %s len %hu %hu ", hostname(res, ip->ip_dst), - portname(res, proto, tp->th_dport), + portname(res, proto, (u_int)tp->th_dport), proto, hl, ip->ip_len); t += strlen(t); 
@@ -596,9 +682,9 @@ int blen; *t++ = tcpfl[i].flag; if (opts & OPT_VERBOSE) { (void) sprintf(t, " %lu %lu %hu", - (u_long)tp->th_seq, - (u_long)tp->th_ack, - tp->th_win); + (u_long)(ntohl(tp->th_seq)), + (u_long)(ntohl(tp->th_ack)), + ntohs(tp->th_win)); t += strlen(t); } } @@ -610,7 +696,7 @@ int blen; hostname(res, ip->ip_dst), proto, hl, ip->ip_len); } - } else if (p == IPPROTO_ICMP) { + } else if ((p == IPPROTO_ICMP) && !(ip->ip_off & IP_OFFMASK)) { ic = (struct icmp *)((char *)ip + hl); (void) sprintf(t, "%s -> ", hostname(res, ip->ip_src)); t += strlen(t); @@ -625,22 +711,16 @@ int blen; ipc = &ic->icmp_ip; tp = (tcphdr_t *)((char *)ipc + hl); - p = (u_short)ipc->ip_p; - pr = getprotobynumber((int)p); - if (!pr) { - proto = pname; - (void) sprintf(proto, "%d", (int)p); - } else - proto = pr->p_name; + proto = getproto(ipc->ip_p); t += strlen(t); (void) sprintf(t, " for %s,%s -", hostname(res, ipc->ip_src), - portname(res, proto, tp->th_sport)); + portname(res, proto, (u_int)tp->th_sport)); t += strlen(t); (void) sprintf(t, " %s,%s PR %s len %hu %hu", hostname(res, ipc->ip_dst), - portname(res, proto, tp->th_dport), + portname(res, proto, (u_int)tp->th_dport), proto, ipc->ip_hl << 2, ipc->ip_len); } } else { @@ -668,6 +748,11 @@ int blen; t += strlen(t); } + if (ipf->fl_flags & FR_INQUE) + strcpy(t, " IN"); + else if (ipf->fl_flags & FR_OUTQUE) + strcpy(t, " OUT"); + t += strlen(t); *t++ = '\n'; *t++ = '\0'; if (opts & OPT_SYSLOG) @@ -675,7 +760,7 @@ int blen; else (void) fprintf(log, "%s", line); if (opts & OPT_HEXHDR) - dumphex(log, (u_char *)buf, sizeof(iplog_t)); + dumphex(log, (u_char *)buf, sizeof(iplog_t) + sizeof(*ipf)); if (opts & OPT_HEXBODY) dumphex(log, (u_char *)ip, ipf->fl_plen + ipf->fl_hlen); } 
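Review bot: In the `@@ -625` hunk the transport header quoted inside the ICMP error is still located with the outer header length, `tp = (tcphdr_t *)((char *)ipc + hl);`, while the same message prints `ipc->ip_hl << 2` as the inner header length two lines later; if the quoted inner header carries options, the ports printed are read from the wrong offset. That line is context the commit does not touch, but it now sits beside the new `getproto(ipc->ip_p)` call, so this is the place to change it to `tp = (tcphdr_t *)((char *)ipc + (ipc->ip_hl << 2));`, and — hedged, since the length bookkeeping is outside the hunk — to confirm the quoted header actually lies within `fl_plen` before reading through it. Removing `p = (u_short)ipc->ip_p;` also means `p` keeps the outer protocol from here on; fine if nothing below the hunk still reads it, which cannot be checked from here. `print_ipflog()` starts and ends outside the hunk.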
@@ -712,14 +797,14 @@ static void flushlogs(file, log) char *file; FILE *log; { - int fd, cmd, flushed = 0; + int fd, flushed = 0; if ((fd = open(file, O_RDWR)) == -1) { (void) fprintf(stderr, "%s: open: %s\n", file,STRERROR(errno)); exit(-1); } - if (ioctl(fd, cmd, &flushed) == 0) { + if (ioctl(fd, SIOCIPFFB, &flushed) == 0) { printf("%d bytes flushed from log buffer\n", flushed); fflush(stdout); @@ -793,7 +878,7 @@ char *argv[]; switch (c) { case 'a' : - opts |= OPT_ALL; + opts |= OPT_LOGALL; fdt[0] = IPL_LOGIPF; fdt[1] = IPL_LOGNAT; fdt[2] = IPL_LOGSTATE; @@ -839,7 +924,10 @@ char *argv[]; s = strrchr(argv[0], '/'); if (s == NULL) s = argv[0]; + else + s++; openlog(s, LOG_NDELAY|LOG_PID, LOGFAC); + s = NULL; opts |= OPT_SYSLOG; log = NULL; break; @@ -866,6 +954,8 @@ char *argv[]; usage(argv[0]); } + init_tabs(); + /* * Default action is to only open the filter log file. */ @@ -905,9 +995,10 @@ char *argv[]; exit(-1); } setvbuf(log, NULL, _IONBF, 0); - } + } else + log = NULL; - if (make_daemon && (log != stdout)) { + if (make_daemon && ((log != stdout) || (opts & OPT_SYSLOG))) { if (fork() > 0) exit(0); write_pid(pidfile); @@ -941,7 +1032,7 @@ char *argv[]; continue; nr += tr; - tr = read_log(fd[i], &n, buf, sizeof(buf), log); + tr = read_log(fd[i], &n, buf, sizeof(buf)); if (donehup) { donehup = 0; if (newlog) { |
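Review bot: The daemonization condition in the `@@ -905` hunk now also covers the syslog-only case, but the `fork()` it guards still treats failure like being the child: on `-1` the parent keeps running in the foreground and `write_pid()` records its pid as if it had detached. Check the result explicitly: `pid_t pid = fork(); if (pid == -1) { perror("fork"); exit(-1); } if (pid > 0) exit(0);`. In the `@@ -839` hunk, `s = NULL` after `openlog(s, ...)` is harmless only because `s` points into `argv[0]`, which outlives the call; openlog(3) on several systems retains the pointer rather than copying the string, so the ident must never be taken from a temporary buffer here. `main()` starts and ends outside these hunks.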