authordm <dm@cvs.openbsd.org>1996-01-25 05:41:50 +0000
committerdm <dm@cvs.openbsd.org>1996-01-25 05:41:50 +0000
commitd22510d35a65326e6c28cf24898e75ebb43f1702 (patch)
tree39d26580cbebbf88b26b3ce8999199204095ce79 /usr.sbin
parent1dc3867108ccbee4e608e89a62fa5e5fbfa194c3 (diff)
IP filter 3.0.1
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/ipftest/Makefile7
-rw-r--r--usr.sbin/ipftest/fil.c534
-rw-r--r--usr.sbin/ipftest/ipft_ef.c2
-rw-r--r--usr.sbin/ipftest/ipft_pc.c4
-rw-r--r--usr.sbin/ipftest/ipft_sn.c4
-rw-r--r--usr.sbin/ipftest/ipft_td.c6
-rw-r--r--usr.sbin/ipftest/ipft_tx.c13
-rw-r--r--usr.sbin/ipftest/ipt.c12
-rw-r--r--usr.sbin/ipftest/misc.c5
-rw-r--r--usr.sbin/ipmon/Makefile3
-rw-r--r--usr.sbin/ipmon/ipmon.c34
-rw-r--r--usr.sbin/ipsend/Makefile2
12 files changed, 58 insertions, 568 deletions
diff --git a/usr.sbin/ipftest/Makefile b/usr.sbin/ipftest/Makefile
index 723b31469d7..adfc9c02561 100644
--- a/usr.sbin/ipftest/Makefile
+++ b/usr.sbin/ipftest/Makefile
@@ -1,8 +1,9 @@
PROG= ipftest
MAN= ipftest.1
-SRCS= ipt.c fil.c ipft_sn.c ipft_ef.c ipft_td.c ipft_pc.c ipft_tx.c misc.c parse.c opt.c
-.PATH: ${.CURDIR}/../../sbin/ipf ${.CURDIR}/../../sbin/ipfstat
-CFLAGS+=-DIPL_NAME=\"/dev/ipl\" -I${.CURDIR}/../../sbin/ipf
+SRCS= ipt.c fil.c ipft_sn.c ipft_ef.c ipft_td.c ipft_pc.c ipft_tx.c \
+ misc.c parse.c opt.c ip_frag.c ip_nat.c ip_state.c
+.PATH: ${.CURDIR}/../../sbin/ipf ${.CURDIR}/../../sbin/ipfstat ${.CURDIR}/../../sys/netinet
+CFLAGS+=-DIPL_NAME=\"/dev/ipl\" -I${.CURDIR}/../../sbin/ipf -I${.CURDIR}/../../sys/netinet
.include <bsd.prog.mk>
diff --git a/usr.sbin/ipftest/fil.c b/usr.sbin/ipftest/fil.c
deleted file mode 100644
index b485678d5a7..00000000000
--- a/usr.sbin/ipftest/fil.c
+++ /dev/null
@@ -1,534 +0,0 @@
-/*
- * (C)opyright 1993,1994,1995 by Darren Reed.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- */
-#ifndef lint
-static char sccsid[] = "@(#)fil.c 1.18 10/24/95 (C) 1993-1995 Darren Reed";
-#endif
-
-#ifndef linux
-# include <sys/errno.h>
-# include <sys/types.h>
-# include <sys/param.h>
-# include <sys/file.h>
-# include <sys/ioctl.h>
-# if defined(_KERNEL) || defined(KERNEL)
-# include <sys/systm.h>
-# endif
-# include <sys/uio.h>
-# if !defined(__SVR4) && !defined(__svr4__)
-# include <sys/dir.h>
-# include <sys/mbuf.h>
-# else
-# include <sys/byteorder.h>
-# include <sys/dditypes.h>
-# include <sys/stream.h>
-# endif
-# include <sys/protosw.h>
-# include <sys/socket.h>
-# include <net/if.h>
-# ifdef sun
-# include <net/af.h>
-# endif
-# include <net/route.h>
-# include <netinet/in.h>
-# include <netinet/in_systm.h>
-# include <netinet/ip.h>
-# include <netinet/ip_var.h>
-# include <netinet/tcp.h>
-# include <netinet/udp.h>
-# include <netinet/tcpip.h>
-# include <netinet/ip_icmp.h>
-#endif
-#include <netinet/ip_fil.h>
-#ifndef MIN
-#define MIN(a,b) (((a)<(b))?(a):(b))
-#endif
-
-#ifndef _KERNEL
-#include "ipf.h"
-extern int opts;
-extern void debug(), verbose();
-
-#define FR_IFVERBOSE(ex,second,verb_pr) if (ex) { verbose verb_pr; second; }
-#define FR_IFDEBUG(ex,second,verb_pr) if (ex) { debug verb_pr; second; }
-#define FR_VERBOSE(verb_pr) verbose verb_pr
-#define FR_DEBUG(verb_pr) debug verb_pr
-#else
-#define FR_IFVERBOSE(ex,second,verb_pr) ;
-#define FR_IFDEBUG(ex,second,verb_pr) ;
-#define FR_VERBOSE(verb_pr)
-#define FR_DEBUG(verb_pr)
-
-extern int ipl_unreach, ipllog();
-#endif
-
-struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
-struct frentry *filterin[2] = { NULL, NULL },
- *filterout[2] = { NULL, NULL };
-int fr_flags = 0, fr_active = 0;
-int fr_check();
-
-
-/*
- * bit values for identifying presence of individual IP options
- */
-struct optlist ipopts[20] = {
- { IPOPT_NOP, 0x000001 },
- { IPOPT_RR, 0x000002 },
- { IPOPT_ZSU, 0x000004 },
- { IPOPT_MTUP, 0x000008 },
- { IPOPT_MTUR, 0x000010 },
- { IPOPT_ENCODE, 0x000020 },
- { IPOPT_TS, 0x000040 },
- { IPOPT_TR, 0x000080 },
- { IPOPT_SECURITY, 0x000100 },
- { IPOPT_LSRR, 0x000200 },
- { IPOPT_E_SEC, 0x000400 },
- { IPOPT_CIPSO, 0x000800 },
- { IPOPT_SATID, 0x001000 },
- { IPOPT_SSRR, 0x002000 },
- { IPOPT_ADDEXT, 0x004000 },
- { IPOPT_VISA, 0x008000 },
- { IPOPT_IMITD, 0x010000 },
- { IPOPT_EIP, 0x020000 },
- { IPOPT_FINN, 0x040000 },
- { 0, 0x000000 }
-};
-
-/*
- * bit values for identifying presence of individual IP security options
- */
-struct optlist secopt[8] = {
- { IPSO_CLASS_RES4, 0x01 },
- { IPSO_CLASS_TOPS, 0x02 },
- { IPSO_CLASS_SECR, 0x04 },
- { IPSO_CLASS_RES3, 0x08 },
- { IPSO_CLASS_CONF, 0x10 },
- { IPSO_CLASS_UNCL, 0x20 },
- { IPSO_CLASS_RES2, 0x40 },
- { IPSO_CLASS_RES1, 0x80 }
-};
-
-
-/*
- * compact the IP header into a structure which contains just the info.
- * which is useful for comparing IP headers with.
- */
-struct fr_ip *fr_makefrip(hlen, ip)
-int hlen;
-ip_t *ip;
-{
- static struct fr_ip fi;
- struct optlist *op;
- u_short optmsk = 0, secmsk = 0, auth = 0;
- int i, mv, ol, off;
- u_char *s, opt;
-
- fi.fi_fl = 0;
- fi.fi_v = ip->ip_v;
- fi.fi_tos = ip->ip_tos;
- (*(((u_short *)&fi) + 1)) = (*(((u_short *)ip) + 4));
- (*(((u_long *)&fi) + 1)) = (*(((u_long *)ip) + 3));
- (*(((u_long *)&fi) + 2)) = (*(((u_long *)ip) + 4));
-
- if (hlen > sizeof(struct ip))
- fi.fi_fl |= FI_OPTIONS;
- off = (ip->ip_off & 0x1fff) << 3;
- if (ip->ip_off & 0x3fff)
- fi.fi_fl |= FI_FRAG;
- switch (ip->ip_p)
- {
- case IPPROTO_ICMP :
- if ((!IPMINLEN(ip, icmp) && !off) ||
- (off && off < sizeof(struct icmp)))
- fi.fi_fl |= FI_SHORT;
- break;
- case IPPROTO_TCP :
- fi.fi_fl |= FI_TCPUDP;
- if ((!IPMINLEN(ip, tcphdr) && !off) ||
- (off && off < sizeof(struct tcphdr)))
- fi.fi_fl |= FI_SHORT;
- break;
- case IPPROTO_UDP :
- fi.fi_fl |= FI_TCPUDP;
- if ((!IPMINLEN(ip, udphdr) && !off) ||
- (off && off < sizeof(struct udphdr)))
- fi.fi_fl |= FI_SHORT;
- break;
- default :
- break;
- }
-
- for (s = (u_char *)(ip + 1), hlen -= sizeof(*ip); hlen; ) {
- if (!(opt = *s))
- break;
- ol = (opt == IPOPT_NOP) ? 1 : (int)*(s+1);
- if (opt > 1 && (ol < 0 || ol > hlen))
- break;
- for (i = 9, mv = 4; mv >= 0; ) {
- op = ipopts + i;
- if (opt == (u_char)op->ol_val) {
- optmsk |= op->ol_bit;
- if (opt == IPOPT_SECURITY) {
- struct optlist *sp;
- u_char sec;
- int j, m;
-
- sec = *(s + 3); /* classification */
- for (j = 3, m = 2; m >= 0; ) {
- sp = secopt + j;
- if (sec == sp->ol_val) {
- secmsk |= sp->ol_bit;
- auth = *(s + 3);
- auth *= 256;
- auth += *(s + 4);
- break;
- }
- if (sec < sp->ol_val)
- j -= m--;
- else
- j += m--;
- }
- }
- break;
- }
- if (opt < op->ol_val)
- i -= mv--;
- else
- i += mv--;
- }
- hlen -= ol;
- s += ol;
- }
- if (auth && !(auth & 0x0100))
- auth &= 0xff00;
- fi.fi_optmsk = optmsk;
- fi.fi_secmsk = secmsk;
- fi.fi_auth = auth;
- return &fi;
-}
-
-
-/*
- * check an IP packet for TCP/UDP characteristics such as ports and flags.
- */
-int fr_tcpudpchk(ip, tcp, fr)
-ip_t *ip;
-tcphdr_t *tcp;
-struct frentry *fr;
-{
- register u_short po, tup;
- register char i;
- int err = 1;
-
- /*
- * Both ports should *always* be in the first fragment.
- * So far, I cannot find any cases where they can not be.
- *
- * compare destination ports
- */
- if ((i = (int)fr->fr_dcmp)) {
- po = ntohs(fr->fr_dport);
- tup = ntohs(tcp->th_dport);
- /*
- * Do opposite test to that required and
- * continue if that succeeds.
- */
- if (!--i && tup != po) /* EQUAL */
- err = 0;
- else if (!--i && tup == po) /* NOTEQUAL */
- err = 0;
- else if (!--i && tup >= po) /* LESSTHAN */
- err = 0;
- else if (!--i && tup <= po) /* GREATERTHAN */
- err = 0;
- else if (!--i && tup > po) /* LT or EQ */
- err = 0;
- else if (!--i && tup < po) /* GT or EQ */
- err = 0;
- else if (!--i && /* Out of range */
- (tup >= po && tup <= ntohs(fr->fr_dtop)))
- err = 0;
- else if (!--i && /* In range */
- (tup <= po || tup >= ntohs(fr->fr_dtop)))
- err = 0;
- }
- /*
- * compare source ports
- */
- if (err && (i = (int)fr->fr_scmp)) {
- po = ntohs(fr->fr_sport);
- tup = ntohs(tcp->th_sport);
- if (!--i && tup != po)
- err = 0;
- else if (!--i && tup == po)
- err = 0;
- else if (!--i && tup >= po)
- err = 0;
- else if (!--i && tup <= po)
- err = 0;
- else if (!--i && tup > po)
- err = 0;
- else if (!--i && tup < po)
- err = 0;
- else if (!--i && /* Out of range */
- (tup >= po && tup <= ntohs(fr->fr_stop)))
- err = 0;
- else if (!--i && /* In range */
- (tup <= po || tup >= ntohs(fr->fr_stop)))
- err = 0;
- }
-
- /*
- * If we don't have all the TCP/UDP header, then how can we
- * expect to do any sort of match on it ? If we were looking for
- * TCP flags, then NO match. If not, then match (which should
- * satisfy the "short" class too).
- */
- if (err)
- if (ip->ip_p == IPPROTO_TCP) {
- if (!IPMINLEN(ip, tcphdr))
- return !(fr->fr_tcpf);
- /*
- * Match the flags ? If not, abort this match.
- */
- if (fr->fr_tcpf &&
- fr->fr_tcpf != (tcp->th_flags & fr->fr_tcpfm)) {
- FR_DEBUG(("f. %#x & %#x != %#x\n",
- tcp->th_flags, fr->fr_tcpfm,
- fr->fr_tcpf));
- err = 0;
- }
- }
- else if (!IPMINLEN(ip, udphdr)) /* must be UDP */
- return 1;
- return err;
-}
-
-/*
- * Check the input/output list of rules for a match and result.
- * Could be per interface, but this gets real nasty when you don't have
- * kernel sauce.
- */
-int fr_scanlist(pass, ip, hlen, ifp, out, rule)
-int pass;
-ip_t *ip;
-int hlen, out;
-struct ifnet *ifp;
-u_short *rule;
-{
- register struct frentry *fr;
- register struct fr_ip *fi;
- tcphdr_t *tcp;
- int rulen;
-
- *rule = 1;
- tcp = (tcphdr_t *)((char *)ip + hlen);
- fr = (out) ? filterout[fr_active] : filterin[fr_active];
- fi = fr_makefrip(hlen, ip);
-
- for (rulen = 0; fr; fr = fr->fr_next, rulen++) {
- /*
- * In all checks below, a null (zero) value in the
- * filter struture is taken to mean a wildcard.
- *
- * check that we are working for the right interface
- */
-#ifdef _KERNEL
- if (fr->fr_ifa && fr->fr_ifa != ifp)
- continue;
-#else
- if (opts & (OPT_VERBOSE|OPT_DEBUG))
- printf("\n");
- FR_VERBOSE(("%c", (pass & FR_PASS) ? 'p' : 'b'));
- if (ifp && *fr->fr_ifname && strcasecmp(ifp->if_name,
- fr->fr_ifname))
- continue;
- FR_VERBOSE((":i"));
-#endif
- {
- register u_long *ld, *lm, *lip;
- register int i;
-
- lip = (u_long *)fi;
- lm = (u_long *)&fr->fr_mip;
- ld = (u_long *)&fr->fr_ip;
- i = ((lip[0] & lm[0]) != ld[0]);
- FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n",
- lip[0], lm[0], ld[0]));
- i |= ((lip[1] & lm[1]) != ld[1]);
- FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n",
- lip[1], lm[1], ld[1]));
- i |= ((lip[2] & lm[2]) != ld[2]);
- FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n",
- lip[2], lm[2], ld[2]));
- i |= ((lip[3] & lm[3]) != ld[3]);
- FR_IFDEBUG(i,continue,("3. %#08x & %#08x != %#08x\n",
- lip[3], lm[3], ld[3]));
- i |= ((lip[4] & lm[4]) != ld[4]);
- FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n",
- lip[4], lm[4], ld[4]));
- if (i)
- continue;
- }
-
- /*
- * If a fragment, then only the first has what we're looking
- * for here...
- */
- if (!(ip->ip_off & 0x1fff)) {
- if ((fi->fi_fl & FI_TCPUDP) &&
- !fr_tcpudpchk(ip, tcp, fr))
- continue;
- else if (ip->ip_p == IPPROTO_ICMP &&
- (*(u_short *)((char *)ip + hlen) &
- fr->fr_icmpm) != fr->fr_icmp) {
- FR_DEBUG(("i. %#x & %#x != %#x\n",
- *(u_short *)((char *)ip + hlen),
- fr->fr_icmpm, fr->fr_icmp));
- continue;
- }
- } else if (fr->fr_dcmp || fr->fr_scmp || fr->fr_icmpm ||
- fr->fr_tcpfm)
- continue;
- FR_VERBOSE(("*"));
- /*
- * Just log this packet...
- */
- if (fr->fr_flags & FR_LOG) {
-#ifdef IPFILTER_LOG
- if (!ipllog(hlen, fr->fr_flags, ip, ifp, *rule))
- frstats[out].fr_skip++;
- frstats[out].fr_pkl++;
-#endif /* IPFILTER_LOG */
- } else
- pass = fr->fr_flags;
- FR_DEBUG(("pass %#x\n", pass));
- fr->fr_hits++;
- *rule = rulen;
- if (pass & FR_QUICK)
- break;
- }
- return pass;
-}
-
-
-/*
- * frcheck - filter check
- * check using source and destination addresses/pors in a packet whether
- * or not to pass it on or not.
- */
-int fr_check(ip, hlen, ifp, out
-#if SOLARIS && defined(_KERNEL)
-, qif, q)
-qif_t *qif;
-queue_t *q;
-#else
-)
-#endif
-ip_t *ip;
-int hlen;
-struct ifnet *ifp;
-int out;
-{
- int pass = FR_NOMATCH;
- int sl;
- u_short rule;
-
- SPLNET(sl);
-
- pass = fr_scanlist(pass, ip, hlen, ifp, out, &rule);
- if (pass == FR_NOMATCH) {
- frstats[out].fr_nom++;
-#ifdef NOMATCH
- pass |= NOMATCH;
-#endif
- }
-
-#ifdef IPFILTER_LOG
- if ((pass & FR_LOGP) ||
- ((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) {
- if (!(pass & FR_LOGP))
- pass |= FF_LOGPASS << 8;
- if (!ipllog(hlen, pass, ip, ifp, rule))
- frstats[out].fr_skip++;
- frstats[out].fr_ppkl++;
- } else if ((pass & FR_LOGB) ||
- ((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) {
- if (!(pass & FR_LOGB))
- pass |= FF_LOGBLOCK << 8;
- if (!ipllog(hlen, pass, ip, ifp, rule))
- frstats[out].fr_skip++;
- frstats[out].fr_bpkl++;
- }
-#endif /* IPFILTER_LOG */
- SPLX(sl);
- if (pass & FR_PASS)
- frstats[out].fr_pass++;
- else if (pass & FR_BLOCK) {
- frstats[out].fr_block++;
- /*
- * Should we return an ICMP packet to indicate error
- * status passing through the packet filter ?
- * XXX - copy mbuf as icmp_error() calls mfree() - fix this
- * later, but preserve backward compatibility for now.
- */
-#ifdef _KERNEL
- if (pass & FR_RETICMP) {
-# if SOLARIS
- icmp_error(q, ip, ICMP_UNREACH, ipl_unreach, qif,
- ip->ip_src);
-# else
- struct mbuf *copy;
-
- copy = m_copy(dtom(ip), 0, imin((int)ip->ip_len, 64));
-# if BSD < 199103
- icmp_error(mtod(copy, struct ip *),
- ICMP_UNREACH, ipl_unreach, ifp, ip->ip_src);
-# else
- icmp_error(copy, ICMP_UNREACH, ipl_unreach,
- ip->ip_src.s_addr, ifp);
-# endif
-# endif
- frstats[0].fr_ret++;
- } else if (pass & FR_RETRST && IPMINLEN(ip, tcphdr)) {
-# if SOLARIS
- if (send_reset(ip, qif, q) == 0)
-# else
- if (send_reset(ip) == 0)
-# endif
- frstats[1].fr_ret++;
- }
-#else
- if (pass & FR_RETICMP) {
- verbose("- ICMP unreachable sent\n");
- frstats[0].fr_ret++;
- } else if (pass & FR_RETRST && IPMINLEN(ip, tcphdr)) {
- verbose("- TCP RST sent\n");
- frstats[1].fr_ret++;
- }
-#endif
- }
-#ifdef _KERNEL
- return (pass & FR_PASS) ? 0 : -1;
-#else
- if (pass & FR_NOMATCH)
- return 1;
- if (pass & FR_PASS)
- return 0;
- return -1;
-#endif
-}
-
-
-#ifndef _KERNEL
-int ipllog()
-{
- verbose("l");
- return 1;
-}
-#endif
diff --git a/usr.sbin/ipftest/ipft_ef.c b/usr.sbin/ipftest/ipft_ef.c
index fb8f67215b8..8c0df1f719f 100644
--- a/usr.sbin/ipftest/ipft_ef.c
+++ b/usr.sbin/ipftest/ipft_ef.c
@@ -41,7 +41,7 @@ etherfind -n -t
#include <netinet/tcpip.h>
#include <net/if.h>
#include <netdb.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
#include "ipf.h"
#include "ipt.h"
diff --git a/usr.sbin/ipftest/ipft_pc.c b/usr.sbin/ipftest/ipft_pc.c
index 06af91f4897..18bd29fa95a 100644
--- a/usr.sbin/ipftest/ipft_pc.c
+++ b/usr.sbin/ipftest/ipft_pc.c
@@ -25,7 +25,7 @@
#include <netinet/tcp.h>
#include <netinet/tcpip.h>
#include <net/if.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
#include "ipf.h"
#include "ipt.h"
#include "pcap.h"
@@ -122,6 +122,7 @@ struct pcap_pkthdr *rec;
}
+#ifdef notyet
/*
* read an entire pcap packet record. only the data part is copied into
* the available buffer, with the number of bytes copied returned.
@@ -149,6 +150,7 @@ int cnt;
bcopy(bufp, buf, n);
return n;
}
+#endif
/*
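Review bot: The `#ifdef notyet` / `#endif` pair that compiles out the pcap record reader carries no comment, so nothing records why the function is disabled or what has to be finished before it comes back; the snoop reader in ipft_sn.c is wrapped the same way. I would close it with `#endif /* notyet */` and put a one-line comment above the `#ifdef` giving the reason. The disabled body ends in `bcopy(bufp, buf, n)`, and the check of n against the caller's buffer size is outside the hunk, so that bound should be confirmed before the code is re-enabled.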
diff --git a/usr.sbin/ipftest/ipft_sn.c b/usr.sbin/ipftest/ipft_sn.c
index b94a477e61b..68978d8dc37 100644
--- a/usr.sbin/ipftest/ipft_sn.c
+++ b/usr.sbin/ipftest/ipft_sn.c
@@ -28,7 +28,7 @@
#include <netinet/tcp.h>
#include <netinet/tcpip.h>
#include <net/if.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
#include "ipf.h"
#include "ipt.h"
#include "snoop.h"
@@ -125,6 +125,7 @@ struct snooppkt *rec;
}
+#ifdef notyet
/*
* read an entire snoop packet record. only the data part is copied into
* the available buffer, with the number of bytes copied returned.
@@ -152,6 +153,7 @@ int cnt;
bcopy(bufp, buf, n);
return n;
}
+#endif
/*
diff --git a/usr.sbin/ipftest/ipft_td.c b/usr.sbin/ipftest/ipft_td.c
index 3ddee115192..7d9ea2b8849 100644
--- a/usr.sbin/ipftest/ipft_td.c
+++ b/usr.sbin/ipftest/ipft_td.c
@@ -50,17 +50,17 @@ tcpdump -nqte
#include <netinet/tcpip.h>
#include <net/if.h>
#include <netdb.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
#include "ipf.h"
#include "ipt.h"
#ifndef lint
-static char sccsid[] = "@(#)ipft_td.c 1.6 10/15/95 (C)1995 Darren Reed";
+static char sccsid[] = "@(#)ipft_td.c 1.7 1/12/96 (C)1995 Darren Reed";
#endif
static int tcpd_open(), tcpd_close(), tcpd_readip();
#ifdef NEED_INET_ATON
-static u_long inet_aton();
+extern u_long inet_aton();
#else
#include <arpa/inet.h>
#endif
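Review bot: `extern u_long inet_aton();` is an unprototyped declaration written directly in the .c file, so the compiler cannot check argument count or types against the definition, and its u_long return differs from the int returned by the library inet_aton that the `#else` branch takes from <arpa/inet.h>. The new `extern u_short portnum();` and `extern u_long buildopts();` in ipft_tx.c have the same weakness. Declaring these once, with full prototypes, in a shared header such as ipf.h would turn a mismatch into a compile error instead of a silent bad call.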
diff --git a/usr.sbin/ipftest/ipft_tx.c b/usr.sbin/ipftest/ipft_tx.c
index 4ca44a8380e..a77c52b5ff9 100644
--- a/usr.sbin/ipftest/ipft_tx.c
+++ b/usr.sbin/ipftest/ipft_tx.c
@@ -6,6 +6,7 @@
* to the original author and the contributors.
*/
#include <stdio.h>
+#include <ctype.h>
#include <assert.h>
#include <string.h>
#if !defined(__SVR4) && !defined(__svr4__)
@@ -29,7 +30,7 @@
#include <netinet/ip_icmp.h>
#include <netinet/tcpip.h>
#include <net/if.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
#include <netdb.h>
#include <arpa/nameser.h>
#include <resolv.h>
@@ -37,10 +38,12 @@
#include "ipt.h"
#ifndef lint
-static char sccsid[] = "@(#)ipft_tx.c 1.2 10/17/95 (C) 1993 Darren Reed";
+static char sccsid[] = "@(#)ipft_tx.c 1.5 1/12/96 (C) 1993 Darren Reed";
#endif
extern int opts;
+extern u_short portnum();
+extern u_long buildopts();
static int text_open(), text_close(), text_readip(), parseline();
@@ -120,7 +123,7 @@ int *out;
tcphdr_t th, *tcp = &th;
struct icmp icmp, *ic = &icmp;
char *cps[20], **cpp, c, opts[68];
- int i;
+ int i, r;
bzero((char *)ip, MAX(sizeof(*tcp), sizeof(*ic)) + sizeof(*ip));
bzero((char *)tcp, sizeof(*tcp));
@@ -184,7 +187,7 @@ int *out;
*last++ = '\0';
tcp->th_sport = portnum(last);
}
- ip->ip_src.s_addr = hostnum(*cpp);
+ ip->ip_src.s_addr = hostnum(*cpp, &r);
cpp++;
if (!*cpp)
return 1;
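Review bot: The status that `hostnum(*cpp, &r)` stores in `r` is never read, here or at the destination address in the next hunk, so an address that fails to resolve still goes into the test packet. hostnum is defined outside this diff, so the meaning of `r` is inferred; if it does report failure, a check after each call that returns 1 (the value already used for a bad line) would reject the input instead of testing the rules against a wrong address. Because hostnum is reached through an unprototyped declaration, any caller left on the old one-argument form would also compile without a warning. The enclosing function starts and ends outside the hunk.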
@@ -200,7 +203,7 @@ int *out;
*last++ = '\0';
tcp->th_dport = portnum(last);
}
- ip->ip_dst.s_addr = hostnum(*cpp);
+ ip->ip_dst.s_addr = hostnum(*cpp, &r);
cpp++;
if (*cpp && ip->ip_p == IPPROTO_TCP) {
extern char flagset[];
diff --git a/usr.sbin/ipftest/ipt.c b/usr.sbin/ipftest/ipt.c
index bbb5d2a3e5f..f25165063c8 100644
--- a/usr.sbin/ipftest/ipt.c
+++ b/usr.sbin/ipftest/ipt.c
@@ -1,5 +1,5 @@
/*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * (C)opyright 1993-1996 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
@@ -29,7 +29,7 @@
#include <netinet/ip_icmp.h>
#include <netinet/tcpip.h>
#include <net/if.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
#include <netdb.h>
#include <arpa/nameser.h>
#include <arpa/inet.h>
@@ -39,12 +39,12 @@
#include <ctype.h>
#ifndef lint
-static char sccsid[] = "@(#)ipt.c 1.13 11/11/95 (C) 1993 Darren Reed";
+static char sccsid[] = "@(#)ipt.c 1.15 1/7/96 (C) 1993-1996 Darren Reed";
#endif
extern int fr_check();
extern char *optarg;
-extern struct frentry *filterin[], *filterout[];
+extern struct frentry *ipfilter[2][2];
extern struct ipread snoop, etherf, tcpd, pcap, iptext;
extern void debug(), verbose();
@@ -148,12 +148,12 @@ char *argv[];
f = (struct frentry *)malloc(sizeof(*f));
if (fr->fr_flags & FR_INQUE) {
if (!ft_in)
- ft_in = filterin[0] = f;
+ ft_in = ipfilter[0][0] = f;
else
ft_in->fr_next = f, ft_in = f;
} else if (fr->fr_flags & FR_OUTQUE) {
if (!ft_out)
- ft_out = filterout[0] = f;
+ ft_out = ipfilter[1][0] = f;
else
ft_out->fr_next = f, ft_out = f;
}
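Review bot: The indices in `ipfilter[0][0]` and `ipfilter[1][0]` are bare numbers with no comment, and the second one is fixed at 0 where the removed fil.c chose the list with `fr_active`. If the active set can be anything other than 0 when the test runs, the rules loaded here are not the ones fr_check walks. A comment such as `/* ipfilter[dir][set]: dir 0 = in, 1 = out; set 0 assumed active */` would document the assumption; the meaning of the second index is inferred from the old code. The `malloc` result on the context line above is also dereferenced without a NULL check.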
diff --git a/usr.sbin/ipftest/misc.c b/usr.sbin/ipftest/misc.c
index 89a9883c4d7..6329cd483b4 100644
--- a/usr.sbin/ipftest/misc.c
+++ b/usr.sbin/ipftest/misc.c
@@ -21,6 +21,7 @@
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
+#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip_var.h>
#include <netinet/ip.h>
@@ -29,7 +30,7 @@
#include <netinet/ip_icmp.h>
#include <netinet/tcpip.h>
#include <net/if.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
#include <netdb.h>
#include <arpa/nameser.h>
#include <resolv.h>
@@ -37,7 +38,7 @@
#include "ipt.h"
#ifndef lint
-static char sccsid[] = "@(#)misc.c 1.1 10/15/95 (C) 1995 Darren Reed";
+static char sccsid[] = "@(#)misc.c 1.2 1/12/96 (C) 1995 Darren Reed";
#endif
void debug(), verbose();
diff --git a/usr.sbin/ipmon/Makefile b/usr.sbin/ipmon/Makefile
index 1a743162356..e14e3d60103 100644
--- a/usr.sbin/ipmon/Makefile
+++ b/usr.sbin/ipmon/Makefile
@@ -1,6 +1,7 @@
PROG= ipmon
MAN= ipmon.8
-CFLAGS+=-DIPL_NAME=\"/dev/ipl\" -DLOGFAC=LOG_LOCAL0
+CFLAGS+=-DIPL_NAME=\"/dev/ipl\" -DLOGFAC=LOG_LOCAL0 \
+ -I${.CURDIR}/../../sys/netinet
.include <bsd.prog.mk>
diff --git a/usr.sbin/ipmon/ipmon.c b/usr.sbin/ipmon/ipmon.c
index 0ba67d2f252..101f2aa58eb 100644
--- a/usr.sbin/ipmon/ipmon.c
+++ b/usr.sbin/ipmon/ipmon.c
@@ -39,10 +39,10 @@
#include <arpa/inet.h>
#ifndef lint
-static char sccsid[] = "@(#)ipmon.c 1.13 11/11/95 (C)1995 Darren Reed";
+static char sccsid[] = "@(#)ipmon.c 1.16 1/12/96 (C)1995 Darren Reed";
#endif
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
struct flags {
int value;
@@ -122,7 +122,7 @@ int opts;
tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
t += strlen(t);
}
- (void) sprintf(t, "%02d:%02d:%02d.%-.6d %c%c%d @%d ",
+ (void) sprintf(t, "%02d:%02d:%02d.%-.6ld %c%c%ld @%hd ",
tm->tm_hour, tm->tm_min, tm->tm_sec, lp->usec,
lp->ifname[0], lp->ifname[1], lp->unit, lp->rule);
pr = getprotobynumber((int)p);
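Review bot: The `%hd` conversion chosen for `lp->rule` is signed, while the rule number was a `u_short` in the removed fil.c; if the log record keeps that type, `%hu` is the matching conversion and a large rule number will not print as negative. The types of `lp->usec` and `lp->unit` are not visible here, so the two `%ld` conversions should be checked against the record definition in ip_fil.h as well, since a mismatch in a varargs call is undefined behaviour. The sprintf writes into `t` with no bound; the size of the destination is declared outside the hunk.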
@@ -132,7 +132,7 @@ int opts;
} else
proto = pr->p_name;
- if (lp->flags & (FI_SHORT << 16)) {
+ if (lp->flags & (FI_SHORT << 20)) {
c[0] = 'S';
lvl = LOG_ERR;
} else if (lp->flags & FR_PASS) {
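Review bot: The shift in `FI_SHORT << 20` is a bare constant that has to match where the kernel places the fi_fl bits in the log record's flags word, and it has already moved once (it was 16). If the two sides disagree, short packets silently stop being tagged 'S' and raised to LOG_ERR, which is the one case a log reader most wants to see. A named shift macro defined next to the log structure in ip_fil.h and used by both the kernel and ipmon would keep them in step; at minimum add a comment here saying which kernel-side line the 20 mirrors.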
@@ -147,6 +147,9 @@ int opts;
else
c[0] = 'B';
lvl = LOG_WARNING;
+ } else if (lp->flags & FF_LOGNOMATCH) {
+ c[0] = 'n';
+ lvl = LOG_NOTICE;
} else {
c[0] = 'L';
lvl = LOG_INFO;
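Review bot: The new test `lp->flags & FF_LOGNOMATCH` reads the FF_ bit unshifted, whereas the removed fil.c stored the FF_LOGPASS and FF_LOGBLOCK bits into the logged flags as `FF_LOGPASS << 8` and `FF_LOGBLOCK << 8`. If the new kernel code still shifts FF_ values before logging, this branch tests the wrong bit and no-match packets fall through to 'L' at LOG_INFO. The kernel side is not in this diff, so this needs confirming against ip_fil.c; a comment naming the bit layout of `lp->flags` would settle it for the next reader.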
@@ -155,6 +158,10 @@ int opts;
c[2] = '\0';
(void) strcat(line, c);
t = line + strlen(line);
+#if SOLARIS
+ ip->ip_off = ntohs(ip->ip_off);
+ ip->ip_len = ntohs(ip->ip_len);
+#endif
if ((p == IPPROTO_TCP || p == IPPROTO_UDP) && !(ip->ip_off & 0x1fff)) {
tp = (struct tcphdr *)((char *)ip + hl);
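Review bot: The SOLARIS block rewrites `ip->ip_off` and `ip->ip_len` in place inside the log record, so any code that runs before this point still sees network order and any second pass over the same buffer would swap the fields again. Only the outer header is converted: the embedded header printed in the ICMP branch as `ipc->ip_len` gets no conversion on any platform. Copying the two fields into host-order locals (`u_short off = ntohs(ip->ip_off);`) would avoid mutating the record; whether earlier code in the function reads these fields cannot be seen from the hunk.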
@@ -163,21 +170,23 @@ int opts;
hostname(res, ip->ip_src),
portname(res, proto, tp->th_sport));
t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s len %hu (%hu) ",
+ (void) sprintf(t, "%s,%s PR %s len %hu %hu ",
hostname(res, ip->ip_dst),
portname(res, proto, tp->th_dport),
proto, hl, ip->ip_len);
t += strlen(t);
- if (p == IPPROTO_TCP)
+ if (p == IPPROTO_TCP) {
+ *t++ = '-';
for (i = 0; tcpfl[i].value; i++)
if (tp->th_flags & tcpfl[i].value)
*t++ = tcpfl[i].flag;
+ }
*t = '\0';
} else {
(void) sprintf(t, "%s -> ", hostname(res, ip->ip_src));
t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu (%hu)",
+ (void) sprintf(t, "%s PR %s len %hu %hu",
hostname(res, ip->ip_dst), proto,
hl, ip->ip_len);
}
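Review bot: The added `*t++ = '-';` and the flag loop after it append to `t` with no check against the end of `line`, on top of sprintf calls that copy `hostname(res, ...)` and `portname(...)` results of unbounded length. When name resolution is enabled those strings come from DNS for addresses taken from logged packets, so their length is set by whoever controls the reverse zone. The declaration of `line` is outside the hunk, so its size is not known here; the writes should track the remaining space, for example `if (t < line + sizeof(line) - 1) *t++ = '-';` if `line` is an array, and the sprintf calls should be bounded the same way.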
@@ -209,7 +218,7 @@ int opts;
hostname(res, ipc->ip_src),
portname(res, proto, tp->th_sport));
t += strlen(t);
- (void) sprintf(t, " %s,%s PR %s len %hu (%hu)",
+ (void) sprintf(t, " %s,%s PR %s len %hu %hu",
hostname(res, ipc->ip_dst),
portname(res, proto, tp->th_dport),
proto, ipc->ip_hl << 2, ipc->ip_len);
@@ -221,8 +230,9 @@ int opts;
hostname(res, ip->ip_dst), proto, hl, ip->ip_len);
t += strlen(t);
if (ip->ip_off & 0x1fff)
- (void) sprintf(t, " frag %s%hu@%hu",
+ (void) sprintf(t, " frag %s%s%hu@%hu",
ip->ip_off & IP_MF ? "+" : "",
+ ip->ip_off & IP_DF ? "-" : "",
ip->ip_len - hl, (ip->ip_off & 0x1fff) << 3);
}
t += strlen(t);
@@ -255,7 +265,11 @@ char *argv[];
switch (c)
{
case 'f' :
- (void) ioctl(fd, SIOCIPFFB, &flushed);
+ if (ioctl(fd, SIOCIPFFB, &flushed) == 0) {
+ printf("%d bytes flushed from log buffer\n",
+ flushed);
+ fflush(stdout);
+ }
break;
case 'N' :
opts |= 2;
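Review bot: A failing `ioctl(fd, SIOCIPFFB, &flushed)` is now skipped silently, so `-f` gives no output and no error when the flush did not happen (wrong device, insufficient privilege). Adding `else perror("SIOCIPFFB");` after the new block would report it. The `%d` conversion also assumes `flushed` is an int; its declaration is outside the hunk.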
diff --git a/usr.sbin/ipsend/Makefile b/usr.sbin/ipsend/Makefile
index 7555119420f..7d279e58224 100644
--- a/usr.sbin/ipsend/Makefile
+++ b/usr.sbin/ipsend/Makefile
@@ -2,7 +2,7 @@ PROG= ipsend
NOMAN=
SRCS= iptests.c ip.c ipsend.c ipsopt.c resend.c sbpf.c sock.c 44arp.c ipft_sn.c ipft_pc.c
.PATH: ${.CURDIR}/../../usr.sbin/ipftest
-CFLAGS+= -DDOSOCKET -I${.CURDIR}/../../usr.sbin/ipftest -I${.CURDIR}/../../sbin/ipf
+CFLAGS+= -DDOSOCKET -I${.CURDIR}/../../usr.sbin/ipftest -I${.CURDIR}/../../sbin/ipf -I${.CURDIR}/../../sys/netinet
LDADD+= -lpcap