author | dm <dm@cvs.openbsd.org> | 1996-01-25 05:41:50 +0000 |
committer | dm <dm@cvs.openbsd.org> | 1996-01-25 05:41:50 +0000 |
commit | d22510d35a65326e6c28cf24898e75ebb43f1702 (patch) | |
tree | 39d26580cbebbf88b26b3ce8999199204095ce79 /usr.sbin | |
parent | 1dc3867108ccbee4e608e89a62fa5e5fbfa194c3 (diff) |
IP filter 3.0.1
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/ipftest/Makefile | 7 | ||||
-rw-r--r-- | usr.sbin/ipftest/fil.c | 534 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipft_ef.c | 2 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipft_pc.c | 4 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipft_sn.c | 4 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipft_td.c | 6 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipft_tx.c | 13 | ||||
-rw-r--r-- | usr.sbin/ipftest/ipt.c | 12 | ||||
-rw-r--r-- | usr.sbin/ipftest/misc.c | 5 | ||||
-rw-r--r-- | usr.sbin/ipmon/Makefile | 3 | ||||
-rw-r--r-- | usr.sbin/ipmon/ipmon.c | 34 | ||||
-rw-r--r-- | usr.sbin/ipsend/Makefile | 2 |
12 files changed, 58 insertions, 568 deletions
diff --git a/usr.sbin/ipftest/Makefile b/usr.sbin/ipftest/Makefile
index 723b31469d7..adfc9c02561 100644
--- a/usr.sbin/ipftest/Makefile
+++ b/usr.sbin/ipftest/Makefile
@@ -1,8 +1,9 @@
 PROG= ipftest
 MAN= ipftest.1
-SRCS= ipt.c fil.c ipft_sn.c ipft_ef.c ipft_td.c ipft_pc.c ipft_tx.c misc.c parse.c opt.c
-.PATH: ${.CURDIR}/../../sbin/ipf ${.CURDIR}/../../sbin/ipfstat
-CFLAGS+=-DIPL_NAME=\"/dev/ipl\" -I${.CURDIR}/../../sbin/ipf
+SRCS= ipt.c fil.c ipft_sn.c ipft_ef.c ipft_td.c ipft_pc.c ipft_tx.c \
+ misc.c parse.c opt.c ip_frag.c ip_nat.c ip_state.c
+.PATH: ${.CURDIR}/../../sbin/ipf ${.CURDIR}/../../sbin/ipfstat ${.CURDIR}/../../sys/netinet
+CFLAGS+=-DIPL_NAME=\"/dev/ipl\" -I${.CURDIR}/../../sbin/ipf -I${.CURDIR}/../../sys/netinet
 .include <bsd.prog.mk>
diff --git a/usr.sbin/ipftest/fil.c b/usr.sbin/ipftest/fil.c
deleted file mode 100644
index b485678d5a7..00000000000
--- a/usr.sbin/ipftest/fil.c
+++ /dev/null
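Review bot: `fil.c` is still listed in the new `SRCS=` line while this same commit deletes usr.sbin/ipftest/fil.c, so the build now relies on the `${.CURDIR}/../../sys/netinet` entry appended to `.PATH` supplying a fil.c from the kernel tree (that copy is not in this diff, so this is inferred). A one-line comment above `SRCS=`, such as `# fil.c, ip_frag.c, ip_nat.c and ip_state.c are picked up from sys/netinet via .PATH`, would stop the next reader from concluding the SRCS list is stale.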
@@ -1,534 +0,0 @@ -/* - * (C)opyright 1993,1994,1995 by Darren Reed. - * - * Redistribution and use in source and binary forms are permitted - * provided that this notice is preserved and due credit is given - * to the original author and the contributors. - */ -#ifndef lint -static char sccsid[] = "@(#)fil.c 1.18 10/24/95 (C) 1993-1995 Darren Reed"; -#endif - -#ifndef linux -# include <sys/errno.h> -# include <sys/types.h> -# include <sys/param.h> -# include <sys/file.h> -# include <sys/ioctl.h> -# if defined(_KERNEL) || defined(KERNEL) -# include <sys/systm.h> -# endif -# include <sys/uio.h> -# if !defined(__SVR4) && !defined(__svr4__) -# include <sys/dir.h> -# include <sys/mbuf.h> -# else -# include <sys/byteorder.h> -# include <sys/dditypes.h> -# include <sys/stream.h> -# endif -# include <sys/protosw.h> -# include <sys/socket.h> -# include <net/if.h> -# ifdef sun -# include <net/af.h> -# endif -# include <net/route.h> -# include <netinet/in.h> -# include <netinet/in_systm.h> -# include <netinet/ip.h> -# include <netinet/ip_var.h> -# include <netinet/tcp.h> -# include <netinet/udp.h> -# include <netinet/tcpip.h> -# include <netinet/ip_icmp.h> -#endif -#include <netinet/ip_fil.h> -#ifndef MIN -#define MIN(a,b) (((a)<(b))?(a):(b)) -#endif - -#ifndef _KERNEL -#include "ipf.h" -extern int opts; -extern void debug(), verbose(); - -#define FR_IFVERBOSE(ex,second,verb_pr) if (ex) { verbose verb_pr; second; } -#define FR_IFDEBUG(ex,second,verb_pr) if (ex) { debug verb_pr; second; } -#define FR_VERBOSE(verb_pr) verbose verb_pr -#define FR_DEBUG(verb_pr) debug verb_pr -#else -#define FR_IFVERBOSE(ex,second,verb_pr) ; -#define FR_IFDEBUG(ex,second,verb_pr) ; -#define FR_VERBOSE(verb_pr) -#define FR_DEBUG(verb_pr) - -extern int ipl_unreach, ipllog(); -#endif - -struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}}; -struct frentry *filterin[2] = { NULL, NULL }, - *filterout[2] = { NULL, NULL }; -int fr_flags = 0, fr_active = 0; -int fr_check(); - - -/* - * bit values 
for identifying presence of individual IP options - */ -struct optlist ipopts[20] = { - { IPOPT_NOP, 0x000001 }, - { IPOPT_RR, 0x000002 }, - { IPOPT_ZSU, 0x000004 }, - { IPOPT_MTUP, 0x000008 }, - { IPOPT_MTUR, 0x000010 }, - { IPOPT_ENCODE, 0x000020 }, - { IPOPT_TS, 0x000040 }, - { IPOPT_TR, 0x000080 }, - { IPOPT_SECURITY, 0x000100 }, - { IPOPT_LSRR, 0x000200 }, - { IPOPT_E_SEC, 0x000400 }, - { IPOPT_CIPSO, 0x000800 }, - { IPOPT_SATID, 0x001000 }, - { IPOPT_SSRR, 0x002000 }, - { IPOPT_ADDEXT, 0x004000 }, - { IPOPT_VISA, 0x008000 }, - { IPOPT_IMITD, 0x010000 }, - { IPOPT_EIP, 0x020000 }, - { IPOPT_FINN, 0x040000 }, - { 0, 0x000000 } -}; - -/* - * bit values for identifying presence of individual IP security options - */ -struct optlist secopt[8] = { - { IPSO_CLASS_RES4, 0x01 }, - { IPSO_CLASS_TOPS, 0x02 }, - { IPSO_CLASS_SECR, 0x04 }, - { IPSO_CLASS_RES3, 0x08 }, - { IPSO_CLASS_CONF, 0x10 }, - { IPSO_CLASS_UNCL, 0x20 }, - { IPSO_CLASS_RES2, 0x40 }, - { IPSO_CLASS_RES1, 0x80 } -}; - - -/* - * compact the IP header into a structure which contains just the info. - * which is useful for comparing IP headers with. 
- */ -struct fr_ip *fr_makefrip(hlen, ip) -int hlen; -ip_t *ip; -{ - static struct fr_ip fi; - struct optlist *op; - u_short optmsk = 0, secmsk = 0, auth = 0; - int i, mv, ol, off; - u_char *s, opt; - - fi.fi_fl = 0; - fi.fi_v = ip->ip_v; - fi.fi_tos = ip->ip_tos; - (*(((u_short *)&fi) + 1)) = (*(((u_short *)ip) + 4)); - (*(((u_long *)&fi) + 1)) = (*(((u_long *)ip) + 3)); - (*(((u_long *)&fi) + 2)) = (*(((u_long *)ip) + 4)); - - if (hlen > sizeof(struct ip)) - fi.fi_fl |= FI_OPTIONS; - off = (ip->ip_off & 0x1fff) << 3; - if (ip->ip_off & 0x3fff) - fi.fi_fl |= FI_FRAG; - switch (ip->ip_p) - { - case IPPROTO_ICMP : - if ((!IPMINLEN(ip, icmp) && !off) || - (off && off < sizeof(struct icmp))) - fi.fi_fl |= FI_SHORT; - break; - case IPPROTO_TCP : - fi.fi_fl |= FI_TCPUDP; - if ((!IPMINLEN(ip, tcphdr) && !off) || - (off && off < sizeof(struct tcphdr))) - fi.fi_fl |= FI_SHORT; - break; - case IPPROTO_UDP : - fi.fi_fl |= FI_TCPUDP; - if ((!IPMINLEN(ip, udphdr) && !off) || - (off && off < sizeof(struct udphdr))) - fi.fi_fl |= FI_SHORT; - break; - default : - break; - } - - for (s = (u_char *)(ip + 1), hlen -= sizeof(*ip); hlen; ) { - if (!(opt = *s)) - break; - ol = (opt == IPOPT_NOP) ? 
1 : (int)*(s+1); - if (opt > 1 && (ol < 0 || ol > hlen)) - break; - for (i = 9, mv = 4; mv >= 0; ) { - op = ipopts + i; - if (opt == (u_char)op->ol_val) { - optmsk |= op->ol_bit; - if (opt == IPOPT_SECURITY) { - struct optlist *sp; - u_char sec; - int j, m; - - sec = *(s + 3); /* classification */ - for (j = 3, m = 2; m >= 0; ) { - sp = secopt + j; - if (sec == sp->ol_val) { - secmsk |= sp->ol_bit; - auth = *(s + 3); - auth *= 256; - auth += *(s + 4); - break; - } - if (sec < sp->ol_val) - j -= m--; - else - j += m--; - } - } - break; - } - if (opt < op->ol_val) - i -= mv--; - else - i += mv--; - } - hlen -= ol; - s += ol; - } - if (auth && !(auth & 0x0100)) - auth &= 0xff00; - fi.fi_optmsk = optmsk; - fi.fi_secmsk = secmsk; - fi.fi_auth = auth; - return &fi; -} - - -/* - * check an IP packet for TCP/UDP characteristics such as ports and flags. - */ -int fr_tcpudpchk(ip, tcp, fr) -ip_t *ip; -tcphdr_t *tcp; -struct frentry *fr; -{ - register u_short po, tup; - register char i; - int err = 1; - - /* - * Both ports should *always* be in the first fragment. - * So far, I cannot find any cases where they can not be. - * - * compare destination ports - */ - if ((i = (int)fr->fr_dcmp)) { - po = ntohs(fr->fr_dport); - tup = ntohs(tcp->th_dport); - /* - * Do opposite test to that required and - * continue if that succeeds. 
- */ - if (!--i && tup != po) /* EQUAL */ - err = 0; - else if (!--i && tup == po) /* NOTEQUAL */ - err = 0; - else if (!--i && tup >= po) /* LESSTHAN */ - err = 0; - else if (!--i && tup <= po) /* GREATERTHAN */ - err = 0; - else if (!--i && tup > po) /* LT or EQ */ - err = 0; - else if (!--i && tup < po) /* GT or EQ */ - err = 0; - else if (!--i && /* Out of range */ - (tup >= po && tup <= ntohs(fr->fr_dtop))) - err = 0; - else if (!--i && /* In range */ - (tup <= po || tup >= ntohs(fr->fr_dtop))) - err = 0; - } - /* - * compare source ports - */ - if (err && (i = (int)fr->fr_scmp)) { - po = ntohs(fr->fr_sport); - tup = ntohs(tcp->th_sport); - if (!--i && tup != po) - err = 0; - else if (!--i && tup == po) - err = 0; - else if (!--i && tup >= po) - err = 0; - else if (!--i && tup <= po) - err = 0; - else if (!--i && tup > po) - err = 0; - else if (!--i && tup < po) - err = 0; - else if (!--i && /* Out of range */ - (tup >= po && tup <= ntohs(fr->fr_stop))) - err = 0; - else if (!--i && /* In range */ - (tup <= po || tup >= ntohs(fr->fr_stop))) - err = 0; - } - - /* - * If we don't have all the TCP/UDP header, then how can we - * expect to do any sort of match on it ? If we were looking for - * TCP flags, then NO match. If not, then match (which should - * satisfy the "short" class too). - */ - if (err) - if (ip->ip_p == IPPROTO_TCP) { - if (!IPMINLEN(ip, tcphdr)) - return !(fr->fr_tcpf); - /* - * Match the flags ? If not, abort this match. - */ - if (fr->fr_tcpf && - fr->fr_tcpf != (tcp->th_flags & fr->fr_tcpfm)) { - FR_DEBUG(("f. %#x & %#x != %#x\n", - tcp->th_flags, fr->fr_tcpfm, - fr->fr_tcpf)); - err = 0; - } - } - else if (!IPMINLEN(ip, udphdr)) /* must be UDP */ - return 1; - return err; -} - -/* - * Check the input/output list of rules for a match and result. - * Could be per interface, but this gets real nasty when you don't have - * kernel sauce. 
- */ -int fr_scanlist(pass, ip, hlen, ifp, out, rule) -int pass; -ip_t *ip; -int hlen, out; -struct ifnet *ifp; -u_short *rule; -{ - register struct frentry *fr; - register struct fr_ip *fi; - tcphdr_t *tcp; - int rulen; - - *rule = 1; - tcp = (tcphdr_t *)((char *)ip + hlen); - fr = (out) ? filterout[fr_active] : filterin[fr_active]; - fi = fr_makefrip(hlen, ip); - - for (rulen = 0; fr; fr = fr->fr_next, rulen++) { - /* - * In all checks below, a null (zero) value in the - * filter struture is taken to mean a wildcard. - * - * check that we are working for the right interface - */ -#ifdef _KERNEL - if (fr->fr_ifa && fr->fr_ifa != ifp) - continue; -#else - if (opts & (OPT_VERBOSE|OPT_DEBUG)) - printf("\n"); - FR_VERBOSE(("%c", (pass & FR_PASS) ? 'p' : 'b')); - if (ifp && *fr->fr_ifname && strcasecmp(ifp->if_name, - fr->fr_ifname)) - continue; - FR_VERBOSE((":i")); -#endif - { - register u_long *ld, *lm, *lip; - register int i; - - lip = (u_long *)fi; - lm = (u_long *)&fr->fr_mip; - ld = (u_long *)&fr->fr_ip; - i = ((lip[0] & lm[0]) != ld[0]); - FR_IFDEBUG(i,continue,("0. %#08x & %#08x != %#08x\n", - lip[0], lm[0], ld[0])); - i |= ((lip[1] & lm[1]) != ld[1]); - FR_IFDEBUG(i,continue,("1. %#08x & %#08x != %#08x\n", - lip[1], lm[1], ld[1])); - i |= ((lip[2] & lm[2]) != ld[2]); - FR_IFDEBUG(i,continue,("2. %#08x & %#08x != %#08x\n", - lip[2], lm[2], ld[2])); - i |= ((lip[3] & lm[3]) != ld[3]); - FR_IFDEBUG(i,continue,("3. %#08x & %#08x != %#08x\n", - lip[3], lm[3], ld[3])); - i |= ((lip[4] & lm[4]) != ld[4]); - FR_IFDEBUG(i,continue,("4. %#08x & %#08x != %#08x\n", - lip[4], lm[4], ld[4])); - if (i) - continue; - } - - /* - * If a fragment, then only the first has what we're looking - * for here... - */ - if (!(ip->ip_off & 0x1fff)) { - if ((fi->fi_fl & FI_TCPUDP) && - !fr_tcpudpchk(ip, tcp, fr)) - continue; - else if (ip->ip_p == IPPROTO_ICMP && - (*(u_short *)((char *)ip + hlen) & - fr->fr_icmpm) != fr->fr_icmp) { - FR_DEBUG(("i. 
%#x & %#x != %#x\n", - *(u_short *)((char *)ip + hlen), - fr->fr_icmpm, fr->fr_icmp)); - continue; - } - } else if (fr->fr_dcmp || fr->fr_scmp || fr->fr_icmpm || - fr->fr_tcpfm) - continue; - FR_VERBOSE(("*")); - /* - * Just log this packet... - */ - if (fr->fr_flags & FR_LOG) { -#ifdef IPFILTER_LOG - if (!ipllog(hlen, fr->fr_flags, ip, ifp, *rule)) - frstats[out].fr_skip++; - frstats[out].fr_pkl++; -#endif /* IPFILTER_LOG */ - } else - pass = fr->fr_flags; - FR_DEBUG(("pass %#x\n", pass)); - fr->fr_hits++; - *rule = rulen; - if (pass & FR_QUICK) - break; - } - return pass; -} - - -/* - * frcheck - filter check - * check using source and destination addresses/pors in a packet whether - * or not to pass it on or not. - */ -int fr_check(ip, hlen, ifp, out -#if SOLARIS && defined(_KERNEL) -, qif, q) -qif_t *qif; -queue_t *q; -#else -) -#endif -ip_t *ip; -int hlen; -struct ifnet *ifp; -int out; -{ - int pass = FR_NOMATCH; - int sl; - u_short rule; - - SPLNET(sl); - - pass = fr_scanlist(pass, ip, hlen, ifp, out, &rule); - if (pass == FR_NOMATCH) { - frstats[out].fr_nom++; -#ifdef NOMATCH - pass |= NOMATCH; -#endif - } - -#ifdef IPFILTER_LOG - if ((pass & FR_LOGP) || - ((pass & FR_PASS) && (fr_flags & FF_LOGPASS))) { - if (!(pass & FR_LOGP)) - pass |= FF_LOGPASS << 8; - if (!ipllog(hlen, pass, ip, ifp, rule)) - frstats[out].fr_skip++; - frstats[out].fr_ppkl++; - } else if ((pass & FR_LOGB) || - ((pass & FR_BLOCK) && (fr_flags & FF_LOGBLOCK))) { - if (!(pass & FR_LOGB)) - pass |= FF_LOGBLOCK << 8; - if (!ipllog(hlen, pass, ip, ifp, rule)) - frstats[out].fr_skip++; - frstats[out].fr_bpkl++; - } -#endif /* IPFILTER_LOG */ - SPLX(sl); - if (pass & FR_PASS) - frstats[out].fr_pass++; - else if (pass & FR_BLOCK) { - frstats[out].fr_block++; - /* - * Should we return an ICMP packet to indicate error - * status passing through the packet filter ? - * XXX - copy mbuf as icmp_error() calls mfree() - fix this - * later, but preserve backward compatibility for now. 
- */
-#ifdef _KERNEL
- if (pass & FR_RETICMP) {
-# if SOLARIS
- icmp_error(q, ip, ICMP_UNREACH, ipl_unreach, qif,
- ip->ip_src);
-# else
- struct mbuf *copy;
-
- copy = m_copy(dtom(ip), 0, imin((int)ip->ip_len, 64));
-# if BSD < 199103
- icmp_error(mtod(copy, struct ip *),
- ICMP_UNREACH, ipl_unreach, ifp, ip->ip_src);
-# else
- icmp_error(copy, ICMP_UNREACH, ipl_unreach,
- ip->ip_src.s_addr, ifp);
-# endif
-# endif
- frstats[0].fr_ret++;
- } else if (pass & FR_RETRST && IPMINLEN(ip, tcphdr)) {
-# if SOLARIS
- if (send_reset(ip, qif, q) == 0)
-# else
- if (send_reset(ip) == 0)
-# endif
- frstats[1].fr_ret++;
- }
-#else
- if (pass & FR_RETICMP) {
- verbose("- ICMP unreachable sent\n");
- frstats[0].fr_ret++;
- } else if (pass & FR_RETRST && IPMINLEN(ip, tcphdr)) {
- verbose("- TCP RST sent\n");
- frstats[1].fr_ret++;
- }
-#endif
- }
-#ifdef _KERNEL
- return (pass & FR_PASS) ? 0 : -1;
-#else
- if (pass & FR_NOMATCH)
- return 1;
- if (pass & FR_PASS)
- return 0;
- return -1;
-#endif
-}
-
-
-#ifndef _KERNEL
-int ipllog()
-{
- verbose("l");
- return 1;
-}
-#endif
diff --git a/usr.sbin/ipftest/ipft_ef.c b/usr.sbin/ipftest/ipft_ef.c
index fb8f67215b8..8c0df1f719f 100644
--- a/usr.sbin/ipftest/ipft_ef.c
+++ b/usr.sbin/ipftest/ipft_ef.c
@@ -41,7 +41,7 @@ etherfind -n -t
 #include <netinet/tcpip.h>
 #include <net/if.h>
 #include <netdb.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
 #include "ipf.h"
 #include "ipt.h"
diff --git a/usr.sbin/ipftest/ipft_pc.c b/usr.sbin/ipftest/ipft_pc.c
index 06af91f4897..18bd29fa95a 100644
--- a/usr.sbin/ipftest/ipft_pc.c
+++ b/usr.sbin/ipftest/ipft_pc.c
@@ -25,7 +25,7 @@
 #include <netinet/tcp.h>
 #include <netinet/tcpip.h>
 #include <net/if.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
 #include "ipf.h"
 #include "ipt.h"
 #include "pcap.h"
@@ -122,6 +122,7 @@ struct pcap_pkthdr *rec;
 }
+#ifdef notyet
 /*
 * read an entire pcap packet record. only the data part is copied into
 * the available buffer, with the number of bytes copied returned.
@@ -149,6 +150,7 @@ int cnt;
 bcopy(bufp, buf, n);
 return n;
 }
+#endif
 /*
diff --git a/usr.sbin/ipftest/ipft_sn.c b/usr.sbin/ipftest/ipft_sn.c
index b94a477e61b..68978d8dc37 100644
--- a/usr.sbin/ipftest/ipft_sn.c
+++ b/usr.sbin/ipftest/ipft_sn.c
@@ -28,7 +28,7 @@
 #include <netinet/tcp.h>
 #include <netinet/tcpip.h>
 #include <net/if.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
 #include "ipf.h"
 #include "ipt.h"
 #include "snoop.h"
@@ -125,6 +125,7 @@ struct snooppkt *rec;
 }
+#ifdef notyet
 /*
 * read an entire snoop packet record. only the data part is copied into
 * the available buffer, with the number of bytes copied returned.
@@ -152,6 +153,7 @@ int cnt;
 bcopy(bufp, buf, n);
 return n;
 }
+#endif
 /*
diff --git a/usr.sbin/ipftest/ipft_td.c b/usr.sbin/ipftest/ipft_td.c
index 3ddee115192..7d9ea2b8849 100644
--- a/usr.sbin/ipftest/ipft_td.c
+++ b/usr.sbin/ipftest/ipft_td.c
@@ -50,17 +50,17 @@ tcpdump -nqte
 #include <netinet/tcpip.h>
 #include <net/if.h>
 #include <netdb.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
 #include "ipf.h"
 #include "ipt.h"
 #ifndef lint
-static char sccsid[] = "@(#)ipft_td.c 1.6 10/15/95 (C)1995 Darren Reed";
+static char sccsid[] = "@(#)ipft_td.c 1.7 1/12/96 (C)1995 Darren Reed";
 #endif
 static int tcpd_open(), tcpd_close(), tcpd_readip();
 #ifdef NEED_INET_ATON
-static u_long inet_aton();
+extern u_long inet_aton();
 #else
 #include <arpa/inet.h>
 #endif
diff --git a/usr.sbin/ipftest/ipft_tx.c b/usr.sbin/ipftest/ipft_tx.c
index 4ca44a8380e..a77c52b5ff9 100644
--- a/usr.sbin/ipftest/ipft_tx.c
+++ b/usr.sbin/ipftest/ipft_tx.c
@@ -6,6 +6,7 @@
 * to the original author and the contributors.
 */
 #include <stdio.h>
+#include <ctype.h>
 #include <assert.h>
 #include <string.h>
 #if !defined(__SVR4) && !defined(__svr4__)
@@ -29,7 +30,7 @@
 #include <netinet/ip_icmp.h>
 #include <netinet/tcpip.h>
 #include <net/if.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
 #include <netdb.h>
 #include <arpa/nameser.h>
 #include <resolv.h>
@@ -37,10 +38,12 @@
 #include "ipt.h"
 #ifndef lint
-static char sccsid[] = "@(#)ipft_tx.c 1.2 10/17/95 (C) 1993 Darren Reed";
+static char sccsid[] = "@(#)ipft_tx.c 1.5 1/12/96 (C) 1993 Darren Reed";
 #endif
 extern int opts;
+extern u_short portnum();
+extern u_long buildopts();
 static int text_open(), text_close(), text_readip(), parseline();
@@ -120,7 +123,7 @@ int *out;
 tcphdr_t th, *tcp = &th;
 struct icmp icmp, *ic = &icmp;
 char *cps[20], **cpp, c, opts[68];
- int i;
+ int i, r;
 bzero((char *)ip, MAX(sizeof(*tcp), sizeof(*ic)) + sizeof(*ip));
 bzero((char *)tcp, sizeof(*tcp));
@@ -184,7 +187,7 @@ int *out;
 *last++ = '\0';
 tcp->th_sport = portnum(last);
 }
- ip->ip_src.s_addr = hostnum(*cpp);
+ ip->ip_src.s_addr = hostnum(*cpp, &r);
 cpp++;
 if (!*cpp)
 return 1;
@@ -200,7 +203,7 @@ int *out;
 *last++ = '\0';
 tcp->th_dport = portnum(last);
 }
- ip->ip_dst.s_addr = hostnum(*cpp);
+ ip->ip_dst.s_addr = hostnum(*cpp, &r);
 cpp++;
 if (*cpp && ip->ip_p == IPPROTO_TCP) {
 extern char flagset[];
diff --git a/usr.sbin/ipftest/ipt.c b/usr.sbin/ipftest/ipt.c
index bbb5d2a3e5f..f25165063c8 100644
--- a/usr.sbin/ipftest/ipt.c
+++ b/usr.sbin/ipftest/ipt.c
@@ -1,5 +1,5 @@
 /*
- * (C)opyright 1993,1994,1995 by Darren Reed.
+ * (C)opyright 1993-1996 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
@@ -29,7 +29,7 @@
 #include <netinet/ip_icmp.h>
 #include <netinet/tcpip.h>
 #include <net/if.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
 #include <netdb.h>
 #include <arpa/nameser.h>
 #include <arpa/inet.h>
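Review bot: In the `@@ -184` hunk the new `r` handed to `hostnum(*cpp, &r)` is never read before the code moves on with `cpp++`, and the `@@ -200` hunk does the same for `ip->ip_dst`; if `r` is a failure indicator from the lookup (hostnum's definition is not in this diff, so that is an assumption), an unresolvable name silently yields a test packet with whatever address hostnum returned. Checking it after each call — e.g. `if (r) return 1;`, mirroring the `return 1;` used two lines later for a missing destination, if that is indeed the bad-line path — would make parseline reject the input instead. parseline's body begins and ends outside these hunks, so its return convention should be confirmed there first.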
@@ -39,12 +39,12 @@
 #include <ctype.h>
 #ifndef lint
-static char sccsid[] = "@(#)ipt.c 1.13 11/11/95 (C) 1993 Darren Reed";
+static char sccsid[] = "@(#)ipt.c 1.15 1/7/96 (C) 1993-1996 Darren Reed";
 #endif
 extern int fr_check();
 extern char *optarg;
-extern struct frentry *filterin[], *filterout[];
+extern struct frentry *ipfilter[2][2];
 extern struct ipread snoop, etherf, tcpd, pcap, iptext;
 extern void debug(), verbose();
@@ -148,12 +148,12 @@ char *argv[];
 f = (struct frentry *)malloc(sizeof(*f));
 if (fr->fr_flags & FR_INQUE) {
 if (!ft_in)
- ft_in = filterin[0] = f;
+ ft_in = ipfilter[0][0] = f;
 else
 ft_in->fr_next = f, ft_in = f;
 } else if (fr->fr_flags & FR_OUTQUE) {
 if (!ft_out)
- ft_out = filterout[0] = f;
+ ft_out = ipfilter[1][0] = f;
 else
 ft_out->fr_next = f, ft_out = f;
 }
diff --git a/usr.sbin/ipftest/misc.c b/usr.sbin/ipftest/misc.c
index 89a9883c4d7..6329cd483b4 100644
--- a/usr.sbin/ipftest/misc.c
+++ b/usr.sbin/ipftest/misc.c
@@ -21,6 +21,7 @@
 #include <sys/socket.h>
 #include <sys/ioctl.h>
 #include <netinet/in.h>
+#include <arpa/inet.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip_var.h>
 #include <netinet/ip.h>
@@ -29,7 +30,7 @@
 #include <netinet/ip_icmp.h>
 #include <netinet/tcpip.h>
 #include <net/if.h>
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
 #include <netdb.h>
 #include <arpa/nameser.h>
 #include <resolv.h>
@@ -37,7 +38,7 @@
 #include "ipt.h"
 #ifndef lint
-static char sccsid[] = "@(#)misc.c 1.1 10/15/95 (C) 1995 Darren Reed";
+static char sccsid[] = "@(#)misc.c 1.2 1/12/96 (C) 1995 Darren Reed";
 #endif
 void debug(), verbose();
diff --git a/usr.sbin/ipmon/Makefile b/usr.sbin/ipmon/Makefile
index 1a743162356..e14e3d60103 100644
--- a/usr.sbin/ipmon/Makefile
+++ b/usr.sbin/ipmon/Makefile
@@ -1,6 +1,7 @@
 PROG= ipmon
 MAN= ipmon.8
-CFLAGS+=-DIPL_NAME=\"/dev/ipl\" -DLOGFAC=LOG_LOCAL0
+CFLAGS+=-DIPL_NAME=\"/dev/ipl\" -DLOGFAC=LOG_LOCAL0 \
+ -I${.CURDIR}/../../sys/netinet
 .include <bsd.prog.mk>
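Review bot: The `@@ -148` hunk of ipt.c replaces the self-describing `filterin[0]`/`filterout[0]` with bare `ipfilter[0][0]` and `ipfilter[1][0]`, and nothing in this diff says what either index means; presumably the first is direction (0 in, 1 out) and the second the rule set, but a reader now has to open ip_fil.h to check that the two assignments are not swapped. A comment at the new declaration in the `@@ -39` hunk, such as `extern struct frentry *ipfilter[2][2]; /* [in=0/out=1][rule set]; layout defined in ip_fil.h */`, or named constants for the two directions, would keep the rule-list setup readable. The enclosing function starts and ends outside the hunk.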
diff --git a/usr.sbin/ipmon/ipmon.c b/usr.sbin/ipmon/ipmon.c
index 0ba67d2f252..101f2aa58eb 100644
--- a/usr.sbin/ipmon/ipmon.c
+++ b/usr.sbin/ipmon/ipmon.c
@@ -39,10 +39,10 @@
 #include <arpa/inet.h>
 #ifndef lint
-static char sccsid[] = "@(#)ipmon.c 1.13 11/11/95 (C)1995 Darren Reed";
+static char sccsid[] = "@(#)ipmon.c 1.16 1/12/96 (C)1995 Darren Reed";
 #endif
-#include <netinet/ip_fil.h>
+#include "ip_fil.h"
 struct flags {
 int value;
@@ -122,7 +122,7 @@ int opts;
 tm->tm_mday, tm->tm_mon + 1, tm->tm_year + 1900);
 t += strlen(t);
 }
- (void) sprintf(t, "%02d:%02d:%02d.%-.6d %c%c%d @%d ",
+ (void) sprintf(t, "%02d:%02d:%02d.%-.6ld %c%c%ld @%hd ",
 tm->tm_hour, tm->tm_min, tm->tm_sec, lp->usec,
 lp->ifname[0], lp->ifname[1], lp->unit, lp->rule);
 pr = getprotobynumber((int)p);
@@ -132,7 +132,7 @@ int opts;
 }
 else
 proto = pr->p_name;
- if (lp->flags & (FI_SHORT << 16)) {
+ if (lp->flags & (FI_SHORT << 20)) {
 c[0] = 'S';
 lvl = LOG_ERR;
 } else if (lp->flags & FR_PASS) {
@@ -147,6 +147,9 @@ int opts;
 else
 c[0] = 'B';
 lvl = LOG_WARNING;
+ } else if (lp->flags & FF_LOGNOMATCH) {
+ c[0] = 'n';
+ lvl = LOG_NOTICE;
 } else {
 c[0] = 'L';
 lvl = LOG_INFO;
@@ -155,6 +158,10 @@ int opts;
 c[2] = '\0';
 (void) strcat(line, c);
 t = line + strlen(line);
+#if SOLARIS
+ ip->ip_off = ntohs(ip->ip_off);
+ ip->ip_len = ntohs(ip->ip_len);
+#endif
 if ((p == IPPROTO_TCP || p == IPPROTO_UDP) &&
 !(ip->ip_off & 0x1fff)) {
 tp = (struct tcphdr *)((char *)ip + hl);
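Review bot: `FI_SHORT << 16` becomes `FI_SHORT << 20` in the `@@ -132` hunk with nothing in ipmon.c saying where in `lp->flags` the fi_fl bits are packed, so the shift is a hidden coupling to the layout chosen by the kernel logging side (not in this diff). A stale shift fails quietly: the test is simply false and short-packet records fall through to the ordinary `L`/`P`/`B` classification, so the offset is better kept as one shared definition in ip_fil.h, or at least documented here: `/* fi_fl is stored above bit 20 of the log flags word; must match the kernel logging side */`. The enclosing function starts and ends outside the hunk.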
@@ -163,21 +170,23 @@ int opts;
 hostname(res, ip->ip_src),
 portname(res, proto, tp->th_sport));
 t += strlen(t);
- (void) sprintf(t, "%s,%s PR %s len %hu (%hu) ",
+ (void) sprintf(t, "%s,%s PR %s len %hu %hu ",
 hostname(res, ip->ip_dst),
 portname(res, proto, tp->th_dport),
 proto, hl, ip->ip_len);
 t += strlen(t);
- if (p == IPPROTO_TCP)
+ if (p == IPPROTO_TCP) {
+ *t++ = '-';
 for (i = 0; tcpfl[i].value; i++)
 if (tp->th_flags & tcpfl[i].value)
 *t++ = tcpfl[i].flag;
+ }
 *t = '\0';
 } else {
 (void) sprintf(t, "%s -> ",
 hostname(res, ip->ip_src));
 t += strlen(t);
- (void) sprintf(t, "%s PR %s len %hu (%hu)",
+ (void) sprintf(t, "%s PR %s len %hu %hu",
 hostname(res, ip->ip_dst), proto,
 hl, ip->ip_len);
 }
@@ -209,7 +218,7 @@ int opts;
 hostname(res, ipc->ip_src),
 portname(res, proto, tp->th_sport));
 t += strlen(t);
- (void) sprintf(t, " %s,%s PR %s len %hu (%hu)",
+ (void) sprintf(t, " %s,%s PR %s len %hu %hu",
 hostname(res, ipc->ip_dst),
 portname(res, proto, tp->th_dport),
 proto, ipc->ip_hl << 2, ipc->ip_len);
@@ -221,8 +230,9 @@ int opts;
 hostname(res, ip->ip_dst), proto, hl, ip->ip_len);
 t += strlen(t);
 if (ip->ip_off & 0x1fff)
- (void) sprintf(t, " frag %s%hu@%hu",
+ (void) sprintf(t, " frag %s%s%hu@%hu",
 ip->ip_off & IP_MF ? "+" : "",
+ ip->ip_off & IP_DF ? "-" : "",
 ip->ip_len - hl, (ip->ip_off & 0x1fff) << 3);
 }
 t += strlen(t);
@@ -255,7 +265,11 @@ char *argv[];
 switch (c) {
 case 'f' :
- (void) ioctl(fd, SIOCIPFFB, &flushed);
+ if (ioctl(fd, SIOCIPFFB, &flushed) == 0) {
+ printf("%d bytes flushed from log buffer\n",
+ flushed);
+ fflush(stdout);
+ }
 break;
 case 'N' :
 opts |= 2;
diff --git a/usr.sbin/ipsend/Makefile b/usr.sbin/ipsend/Makefile
index 7555119420f..7d279e58224 100644
--- a/usr.sbin/ipsend/Makefile
+++ b/usr.sbin/ipsend/Makefile
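Review bot: The new `if (ioctl(fd, SIOCIPFFB, &flushed) == 0)` in the `@@ -255` hunk reports only success, so a failed flush request is still as silent as it was under the old `(void)` cast — an operator who asks for the log buffer to be flushed gets no indication when it did not happen. An `else perror("ioctl(SIOCIPFFB)");` keeps the check symmetric and surfaces the errno. `flushed` is declared outside the hunk, so the `%d` in the new printf should be confirmed against its actual type. The enclosing function starts and ends outside the hunk.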
@@ -2,7 +2,7 @@ PROG= ipsend
 NOMAN=
 SRCS= iptests.c ip.c ipsend.c ipsopt.c resend.c sbpf.c sock.c 44arp.c ipft_sn.c ipft_pc.c
 .PATH: ${.CURDIR}/../../usr.sbin/ipftest
-CFLAGS+= -DDOSOCKET -I${.CURDIR}/../../usr.sbin/ipftest -I${.CURDIR}/../../sbin/ipf
+CFLAGS+= -DDOSOCKET -I${.CURDIR}/../../usr.sbin/ipftest -I${.CURDIR}/../../sbin/ipf -I${.CURDIR}/../../sys/netinet
 LDADD+= -lpcap |