diff options
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/ipf/HISTORY | 241 | ||||
-rw-r--r-- | sbin/ipf/Makefile | 4 | ||||
-rw-r--r-- | sbin/ipf/common.c | 606 | ||||
-rw-r--r-- | sbin/ipf/facpri.c | 6 | ||||
-rw-r--r-- | sbin/ipf/facpri.h | 6 | ||||
-rw-r--r-- | sbin/ipf/ifaddr.c | 82 | ||||
-rw-r--r-- | sbin/ipf/ifaddr.h | 9 | ||||
-rw-r--r-- | sbin/ipf/ipf.c | 123 | ||||
-rw-r--r-- | sbin/ipf/ipf.h | 34 | ||||
-rw-r--r-- | sbin/ipf/opt.c | 10 | ||||
-rw-r--r-- | sbin/ipf/parse.c | 549 | ||||
-rw-r--r-- | sbin/ipfstat/Makefile | 6 | ||||
-rw-r--r-- | sbin/ipfstat/fils.c | 998 | ||||
-rw-r--r-- | sbin/ipfstat/kmem.c | 18 | ||||
-rw-r--r-- | sbin/ipfstat/kmem.h | 11 | ||||
-rw-r--r-- | sbin/ipnat/Makefile | 4 | ||||
-rw-r--r-- | sbin/ipnat/ipnat.c | 191 | ||||
-rw-r--r-- | sbin/ipnat/natparse.c | 737 |
18 files changed, 2290 insertions, 1345 deletions
diff --git a/sbin/ipf/HISTORY b/sbin/ipf/HISTORY index 5c81d705dab..0bcb7fb4110 100644 --- a/sbin/ipf/HISTORY +++ b/sbin/ipf/HISTORY @@ -1,4 +1,4 @@ -# $OpenBSD: HISTORY,v 1.9 2000/08/10 05:50:27 kjell Exp $ +# $OpenBSD: HISTORY,v 1.10 2001/01/17 05:00:57 fgsch Exp $ # # NOTE: Quite a few patches and suggestions come from other sources, to whom # I'm greatly indebted, even if no names are mentioned. @@ -7,9 +7,11 @@ # in providing a very available location for the IP Filter home page and # distribution center. # -# Thanks to Tel.Net Media for allowing me to maintain and further develop -# IP Filter as part of my job and supplying Sun equipment for testing the -# move to 64bits and Gigabit Ethernet. +# Thanks to Hewlett Packard for making it possible to port IP Filter to +# HP-UX 11.00. +# +# Thanks to Tel.Net Media for supplying me with equipment to ensure that +# IP Filter continues to work on Solaris/sparc64. # # Thanks to BSDI for providing object files for BSD/OS 3.1 and the means # to further support development of IP Filter under BSDI. @@ -21,52 +23,239 @@ # and especially those who have found the time to port IP Filter to new # platforms. # -3.3.18 08/08/2000 - Released +3.4.15 17/12/2000 - Released + +add minimum ttl filtering (to be replaced later by return-icmp-as-dest +for all ICMP packets matching state entries). + +fix NAT'ing of fragments + +fix sanity checks for ICMPV6 + +fix up compiling on IRIX 6.2 with IDF/IDL installed + +3.4.14 02/11/2000 - Released + +cause flushing NAT table to generate log records the same as state flush +does. + +fix ftp proxy port/pasv + +fix problem where nat_{in,out}lookup() would release a write lock when it +didn't need to. + +add check for ipf6.conf in Solaris ipfboot + +3.4.13 28/10/2000 - Released + +fix introduced bug with ICMP packets being rejected when valid + +fix bug with proxy's that don't set fin_dlen correctly when calling +fr_addstate() + +3.4.12 26/10/2000 - Released + +fix installing into FreeBSD-4.1 + +fix FTP proxy bug where it'd hang and make NAT slightly more efficient + +fix general compiling errors/warnings on various platforms + +don't access ICMP data fields that aren't there + +3.4.11 09/10/2000 - Released + +return NULL for IPv6 access control lists if it is disabled rather than +random garbage. + +fix for getting protocol & packet length for IPv6 packets for pullup. + +update plog script from version 0.8 to version 0.10 + +patch from Frank Volf adding fix_datacksum() to NAT code, enhancing the +capabilities for "fixing" checksums. + +3.4.10 03/09/2000 - Released -fix up command checking in the ftp proxy +merge patch from Frank Volf for ICMP nat handling of TCP/UDP data `errors' -fix getting the version from the kernel for solaris +getline() adjusts linenum now + +add tcphalfclosed timeout + +fill in icmp_nextmtu field if it is defined on the platform + +RST generation fix from guido + +force 32bit compile for gcc on solaris if it can't generate 64bit code + +encase logging when fr_chksrc == 2 in #ifdef IPFILTER_LOG + +fix up line wrap problems in plog script + +fix ICMP packet handling to not drop valid ICMP errors + +freebsd 5.0 compat changes + +3.4.9 08/08/2000 - Released + +implement new aging mechanism in fr_tcp_age() fix icmp state checking bug -print out better information for ICMP packets in ipmon +revamp buildsunos script and build both sparcv7/sparcv9 for Solaris +if on an Ultra with a 64bit system & compiler (Caseper Dik) open ipfilter device read only if we know we can -3.3.17 08/07/2000 - Released +print out better information for ICMP packets in ipmon + +move checking for source spoofed packets to a point where we can generate +logs of them + +return EFAULT from ircopyptr/iwcopyptr + +don't do ioctl(SIOCGETFS) for auth stats + +fix up freeing mbufs for post-4.3BSD + +fix returning of inc from ftp proxy + +fix bugs with ipfs -R/-W (Caseper Dik) + +3.4.8 19/07/2000 - Released + +create fake opt_inet6.h for FreeBSD-4 compile as LKM + +add #ifdef's for KLD_MODULE sanity + +NAT fastroute'd packets which come out of return-* + +fix upper/lower case crap in ftp proxy and get seq# checking fixed up. -increase default state table sizes +3.4.7 08/07/2000 - Released + +make "ipf -y" lookup NAT if's which are unknown + +prepend line numbers to ioctl error messages in ipf/ipnat don't apply patches to FreeBSD twice -fix parsing of icmp code when using words +allow for ip_len to be on an unaligned boundary early on in fr_precheck fix printing of icmp code when it is 0 -add compatibility #ifdef for FreeBSD's CSUM_DELAY_DATA +correct printing of port numbers in map rules with from/to + +don't allow fr_func to be called at securelevel > 0 or rules to be added +if securelevel > 0 if they have a non-zero fr_func. + +3.4.6 11/06/2000 - Released + +add extra regression tests for new nat functionality + +place restrictions on using '!' in map/rdr rules + +fix up solaris compile problems + +3.4.5 10/06/2000 - Released + +mention -sl in ipfstat.8 + +fix/support '!' in from/to rules (rdr) for NAT + +add from/to support to rdr NAT rules + +don't send ICMP errors in response to ICMP errors -3.3.16 23/05/2000 - Released +fix sunos5 compilation for "ipfstat-top" and cleanup ipfboot + +input accounting list used for both outbound and inbound packets + +3.4.4 23/05/2000 - Released don't add TCP state if it is an RST packet and (attempt) to send out RST/ICMP packets in a manner that bypasses IP Filter. add patch to work with 4.0_STABLE delayed checksums -3.3.15 20/05/2000 - Released - -fix destination being 0/32 in NAT map rules +3.4.3 20/05/2000 - Released fix ipmon -F -3.3.14 10/05/2000 - Released +don't truncate IPv6 packets on Solaris + +fix keep state for ICMP ECHO + +add some NAT stats and use def_nat_age rather than DEF_NAT_AGE + +don't make ftp proxy drop packets + +use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be +swapped back. + +fix up RST generation for non-Solaris + +get "short" flag right for IPv6 + +3.4.2 - 10/5/2000 - Released Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun ignore previous NAT mappings for 0/0 and 0/32 rules -struct friostat got too big for SunOS4 +bring in a completely new ftp proxy + +allow NAT to cause packets to be dropped. + +add NetBSD callout support for 1.4-current -3.3.13 26/04/2000 - Released +3.4.1 - 30/4/2000 - Released + +add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX + +don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined + +Solaris must use copyin() for all types of ioctl() args + +fix up screen/tty when leaving "top mode" of ipfstat + +linked list for maptable not setup correctly in nat_hostmap() + +check for maptable rather than nat_table[1] to see if malloc for maptable +succeeded in nat_init + +fix handling of map NAT rules with "from/to" host specs + +fix printout out of source address when using "from/to" with map rules + +convert ip_len back to network byte order, not plen, for solaris as ip_len +may have been changed by NAT and plen won't reflect this + +3.4 - 27/4/2000 - Released + +source address spoofing can be turned on (fr_chksrc) without using +filter rules + +group numbers are now 32bits in size, up from 16bits + +IPv6 filtering available + +add frank volf's state-top patches + +add load splitting and round-robin attribute to redirect rules + +FreeBSD-4.0 support (including KLD) + +add top-style operation mode for ipfstat (-t) + +add save/restore of IP Filter state/NAT information (ipfs) + +further ftp proxy security checks + +support for adding and removing proxies at runtime + +3.3.13 26/04/2000 - Released Fix parsing of "range" with "portmap" @@ -76,7 +265,7 @@ Fix NAT timeouts for ICMP packets SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de) -3.3.12 16/03/2000 - Released +3.3.12 16/03/2000 - Released tighten up ftp proxy behaviour. sigh. yuck. hate. @@ -89,7 +278,7 @@ erroneously. fix bug with the spl level not being reset when returning EIO from iplioctl due to ipfilter not being initialized yet. -3.3.11 04/03/2000 - Released +3.3.11 04/03/2000 - Released make "or-block" work with lines that start with "log" @@ -97,6 +286,7 @@ fix up parsing and printing of rules with syslog levels in them fix from Cy Schubert for calling of apr_fini only if non-null + 3.3.10 24/02/2000 - Released * fix back from guido for state tracking interfaces @@ -105,10 +295,10 @@ fix from Cy Schubert for calling of apr_fini only if non-null * if attaching fails and we can abort, then cleanup when doing so. -Julian Yip (julian@computer.org): +julian@computer.org: * solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp. * ipf.c (packetlogon): use flag to store the return value from get_flags. -* ipmon.c (init_tabs): Generate cleanup so we do not have to cast +* ipmon.c (init_tabs): General cleanup so we do not have to cast an int s->s_port to u_int port and try to check if the u_int port is less than zero. @@ -200,11 +390,6 @@ fix yet another problem with real audio. 3.3.4 4/12/1999 - Released -patches from Guido: fix panic in ip_state:fr_checkicmpmatchingstate(), fix -byte order problem in ip_id (host order when called from ip_input(), vs -network byte order when called from ip_output()) and fix a problem where the -fragment cache was never timedout early. - fix up the real audio proxy to properly setup state information and NAT entries, thanks to Laine Stump for testing/advice/fixes. diff --git a/sbin/ipf/Makefile b/sbin/ipf/Makefile index d4061995d59..ed7af593210 100644 --- a/sbin/ipf/Makefile +++ b/sbin/ipf/Makefile @@ -1,7 +1,7 @@ -# $OpenBSD: Makefile,v 1.9 2000/04/26 21:03:59 deraadt Exp $ +# $OpenBSD: Makefile,v 1.10 2001/01/17 05:00:57 fgsch Exp $ PROG= ipf MAN= ipf.8 ipf.4 ipf.5 -SRCS= ipf.c parse.c opt.c facpri.c ifaddr.c +SRCS= ipf.c parse.c opt.c facpri.c common.c ifaddr.c .include <bsd.prog.mk> diff --git a/sbin/ipf/common.c b/sbin/ipf/common.c new file mode 100644 index 00000000000..569d6e0427f --- /dev/null +++ b/sbin/ipf/common.c @@ -0,0 +1,606 @@ +/* $OpenBSD: common.c,v 1.1 2001/01/17 05:00:57 fgsch Exp $ */ + +/* + * Copyright (C) 1993-2000 by Darren Reed. + * + * Redistribution and use in source and binary forms are permitted + * provided that this notice is preserved and due credit is given + * to the original author and the contributors. + */ +#include <sys/types.h> +#if !defined(__SVR4) && !defined(__svr4__) +#include <strings.h> +#else +#include <sys/byteorder.h> +#endif +#include <sys/param.h> +#include <sys/time.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <netinet/in_systm.h> +#include <netinet/ip.h> +#include <netinet/tcp.h> +#include <net/if.h> +#if __FreeBSD_version >= 300000 +# include <net/if_var.h> +#endif +#include <stdio.h> +#include <string.h> +#include <limits.h> +#include <stdlib.h> +#include <unistd.h> +#include <stddef.h> +#include <netdb.h> +#include <arpa/nameser.h> +#include <arpa/inet.h> +#include <resolv.h> +#include <ctype.h> +#include <syslog.h> +#include <netinet/ip_compat.h> +#include <netinet/ip_fil.h> +#include "ipf.h" +#include "facpri.h" + +#if defined(__OpenBSD__) +#include "ifaddr.h" +#endif + +#if !defined(lint) +static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-2000 Darren Reed"; +static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 darrenr Exp $"; +#endif + +extern struct ipopt_names ionames[], secclass[]; +extern int opts; +#ifdef USE_INET6 +extern int use_inet6; +#endif + + +char *proto = NULL; +char flagset[] = "FSRPAU"; +u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG }; + +#ifdef USE_INET6 +void fill6bits __P((int, u_32_t *)); +int count6bits __P((u_32_t *)); +#endif + +static char thishost[MAXHOSTNAMELEN]; + + +void initparse() +{ + gethostname(thishost, sizeof(thishost)); + thishost[sizeof(thishost) - 1] = '\0'; +} + + +int genmask(msk, mskp) +char *msk; +u_32_t *mskp; +{ + char *endptr = NULL; +#ifdef USE_INET6 + u_32_t addr; +#endif + int bits; + + if (index(msk, '.') || index(msk, 'x') || index(msk, ':')) { + /* possibly of the form xxx.xxx.xxx.xxx + * or 0xYYYYYYYY */ +#ifdef USE_INET6 + if (use_inet6) { + if (inet_pton(AF_INET6, msk, &addr) != 1) + return -1; + } else +#endif + if (inet_aton(msk, (struct in_addr *)mskp) == 0) + return -1; + } else { + /* + * set x most significant bits + */ + bits = (int)strtol(msk, &endptr, 0); +#ifdef USE_INET6 + if ((*endptr != '\0') || + ((bits > 32) && !use_inet6) || (bits < 0) || + ((bits > 128) && use_inet6)) +#else + if (*endptr != '\0' || bits > 32 || bits < 0) +#endif + return -1; +#ifdef USE_INET6 + if (use_inet6) + fill6bits(bits, mskp); + else +#endif + if (bits == 0) + *mskp = 0; + else + *mskp = htonl(0xffffffff << (32 - bits)); + } + return 0; +} + + + +#ifdef USE_INET6 +void fill6bits(bits, msk) +int bits; +u_32_t *msk; +{ + int i; + + for (i = 0; bits >= 32 && i < 4 ; ++i, bits -= 32) + msk[i] = 0xffffffff; + + if (bits > 0 && i < 4) + msk[i++] = htonl(0xffffffff << (32 - bits)); + + while (i < 4) + msk[i++] = 0; +} +#endif + + +/* + * returns -1 if neither "hostmask/num" or "hostmask mask addr" are + * found in the line segments, there is an error processing this information, + * or there is an error processing ports information. + */ +int hostmask(seg, sa, msk, pp, cp, tp, linenum) +char ***seg; +u_32_t *sa, *msk; +u_short *pp, *tp; +int *cp; +int linenum; +{ + struct in_addr maskaddr; + char *s; + + /* + * is it possibly hostname/num ? + */ + if ((s = index(**seg, '/')) || + ((s = index(**seg, ':')) && !index(s + 1, ':'))) { + *s++ = '\0'; + if (genmask(s, msk) == -1) { + fprintf(stderr, "%d: bad mask (%s)\n", linenum, s); + return -1; + } + if (hostnum(sa, **seg, linenum) == -1) { + fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); + return -1; + } + *sa &= *msk; + (*seg)++; + return ports(seg, pp, cp, tp, linenum); + } + + /* + * look for extra segments if "mask" found in right spot + */ + if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) { + if (hostnum(sa, **seg, linenum) == -1) { + fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); + return -1; + } + (*seg)++; + (*seg)++; + if (inet_aton(**seg, &maskaddr) == 0) { + fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg); + return -1; + } + *msk = maskaddr.s_addr; + (*seg)++; + *sa &= *msk; + return ports(seg, pp, cp, tp, linenum); + } + + if (**seg) { + if (hostnum(sa, **seg, linenum) == -1) { + fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); + return -1; + } + (*seg)++; +#ifdef USE_INET6 + if (use_inet6) { + u_32_t k = 0; + if (sa[0] || sa[1] || sa[2] || sa[3]) + k = 0xffffffff; + msk[0] = msk[1] = msk[2] = msk[3] = k; + } + else +#endif + *msk = *sa ? 0xffffffff : 0; + return ports(seg, pp, cp, tp, linenum); + } + fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); + return -1; +} + +/* + * returns an ip address as a long var as a result of either a DNS lookup or + * straight inet_addr() call + */ +int hostnum(ipa, host, linenum) +u_32_t *ipa; +char *host; +int linenum; +{ + struct hostent *hp; + struct netent *np; + struct in_addr ip; + + if (!strcasecmp("any", host)) + return 0; +#ifdef USE_INET6 + if (use_inet6) { + if (inet_pton(AF_INET6, host, ipa) == 1) + return 0; + else + return -1; + } +#endif + if (isdigit(*host) && inet_aton(host, &ip)) { + *ipa = ip.s_addr; + return 0; + } + + if (!strcasecmp("<thishost>", host)) + host = thishost; + +#if defined(__OpenBSD__) + if (if_addr(host, &ip)) + return *ipa = ip.s_addr; +#endif + + if (!(hp = gethostbyname(host))) { + if (!(np = getnetbyname(host))) { + fprintf(stderr, "%d: can't resolve hostname: %s\n", + linenum, host); + return -1; + } + *ipa = htonl(np->n_net); + return 0; + } + *ipa = *(u_32_t *)hp->h_addr; + return 0; +} + + +/* + * check for possible presence of the port fields in the line + */ +int ports(seg, pp, cp, tp, linenum) +char ***seg; +u_short *pp, *tp; +int *cp; +int linenum; +{ + int comp = -1; + + if (!*seg || !**seg || !***seg) + return 0; + if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) { + (*seg)++; + if (isalnum(***seg) && *(*seg + 2)) { + if (portnum(**seg, pp, linenum) == 0) + return -1; + (*seg)++; + if (!strcmp(**seg, "<>")) + comp = FR_OUTRANGE; + else if (!strcmp(**seg, "><")) + comp = FR_INRANGE; + else { + fprintf(stderr, + "%d: unknown range operator (%s)\n", + linenum, **seg); + return -1; + } + (*seg)++; + if (**seg == NULL) { + fprintf(stderr, "%d: missing 2nd port value\n", + linenum); + return -1; + } + if (portnum(**seg, tp, linenum) == 0) + return -1; + } else if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq")) + comp = FR_EQUAL; + else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne")) + comp = FR_NEQUAL; + else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt")) + comp = FR_LESST; + else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt")) + comp = FR_GREATERT; + else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le")) + comp = FR_LESSTE; + else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge")) + comp = FR_GREATERTE; + else { + fprintf(stderr, "%d: unknown comparator (%s)\n", + linenum, **seg); + return -1; + } + if (comp != FR_OUTRANGE && comp != FR_INRANGE) { + (*seg)++; + if (portnum(**seg, pp, linenum) == 0) + return -1; + } + *cp = comp; + (*seg)++; + } + return 0; +} + + +/* + * find the port number given by the name, either from getservbyname() or + * straight atoi(). Return 1 on success, 0 on failure + */ +int portnum(name, port, linenum) +char *name; +u_short *port; +int linenum; +{ + struct servent *sp, *sp2; + u_short p1 = 0; + int i; + + if (isdigit(*name)) { + if (ratoi(name, &i, 0, USHRT_MAX)) { + *port = (u_short)i; + return 1; + } + fprintf(stderr, "%d: unknown port \"%s\"\n", linenum, name); + return 0; + } + if (proto != NULL && strcasecmp(proto, "tcp/udp") != 0) { + sp = getservbyname(name, proto); + if (sp) { + *port = ntohs(sp->s_port); + return 1; + } + fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name); + return 0; + } + sp = getservbyname(name, "tcp"); + if (sp) + p1 = sp->s_port; + sp2 = getservbyname(name, "udp"); + if (!sp || !sp2) { + fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n", + linenum, name); + return 0; + } + if (p1 != sp2->s_port) { + fprintf(stderr, "%d: %s %d/tcp is a different port to ", + linenum, name, p1); + fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port); + return 0; + } + *port = ntohs(p1); + return 1; +} + + +u_char tcp_flags(flgs, mask, linenum) +char *flgs; +u_char *mask; +int linenum; +{ + u_char tcpf = 0, tcpfm = 0, *fp = &tcpf; + char *s, *t; + + if (*flgs == '0') { + s = strchr(flgs, '/'); + if (s) + *s++ = '\0'; + tcpf = strtol(flgs, NULL, 0); + fp = &tcpfm; + } else + s = flgs; + + for (; *s; s++) { + if (*s == '/' && fp == &tcpf) { + fp = &tcpfm; + if (*(s + 1) == '0') + break; + continue; + } + if (!(t = index(flagset, *s))) { + fprintf(stderr, "%d: unknown flag (%c)\n", linenum, *s); + return 0; + } + *fp |= flags[t - flagset]; + } + + if (s && *s == '0') + tcpfm = strtol(s, NULL, 0); + + if (!tcpfm) + tcpfm = 0xff; + *mask = tcpfm; + return tcpf; +} + + +/* + * count consecutive 1's in bit mask. If the mask generated by counting + * consecutive 1's is different to that passed, return -1, else return # + * of bits. + */ +int countbits(ip) +u_32_t ip; +{ + u_32_t ipn; + int cnt = 0, i, j; + + ip = ipn = ntohl(ip); + for (i = 32; i; i--, ipn *= 2) + if (ipn & 0x80000000) + cnt++; + else + break; + ipn = 0; + for (i = 32, j = cnt; i; i--, j--) { + ipn *= 2; + if (j > 0) + ipn++; + } + if (ipn == ip) + return cnt; + return -1; +} + + +#ifdef USE_INET6 +int count6bits(msk) +u_32_t *msk; +{ + int i = 0, k; + u_32_t j; + + for (k = 3; k >= 0; k--) + if (msk[k] == 0xffffffff) + i += 32; + else { + for (j = msk[k]; j; j <<= 1) + if (j & 0x80000000) + i++; + } + return i; +} +#endif + + +char *portname(pr, port) +int pr, port; +{ + static char buf[32]; + struct protoent *p = NULL; + struct servent *sv = NULL, *sv1 = NULL; + + if (pr == -1) { + if ((sv = getservbyport(htons(port), "tcp"))) { + strncpy(buf, sv->s_name, sizeof(buf)-1); + buf[sizeof(buf)-1] = '\0'; + sv1 = getservbyport(htons(port), "udp"); + sv = strncasecmp(buf, sv->s_name, strlen(buf)) ? + NULL : sv1; + } + if (sv) + return buf; + } else if (pr && (p = getprotobynumber(pr))) { + if ((sv = getservbyport(htons(port), p->p_name))) { + strncpy(buf, sv->s_name, sizeof(buf)-1); + buf[sizeof(buf)-1] = '\0'; + return buf; + } + } + + (void) sprintf(buf, "%d", port); + return buf; +} + + +int ratoi(ps, pi, min, max) +char *ps; +int *pi, min, max; +{ + int i; + char *pe; + + i = (int)strtol(ps, &pe, 0); + if (*pe != '\0' || i < min || i > max) + return 0; + *pi = i; + return 1; +} + + +int ratoui(ps, pi, min, max) +char *ps; +u_int *pi, min, max; +{ + u_int i; + char *pe; + + i = (u_int)strtol(ps, &pe, 0); + if (*pe != '\0' || i < min || i > max) + return 0; + *pi = i; + return 1; +} + + +void printhostmask(v, addr, mask) +int v; +u_32_t *addr, *mask; +{ + struct in_addr ipa; + int ones; + +#ifdef USE_INET6 + if (v == 6) { + ones = count6bits(mask); + if (ones == 0 && !addr[0] && !addr[1] && !addr[2] && !addr[3]) + printf("any"); + else { + char ipbuf[64]; + printf("%s/%d", + inet_ntop(AF_INET6, addr, ipbuf, sizeof(ipbuf)), + ones); + } + } + else +#endif + if (!*addr && !*mask) + printf("any"); + else { + ipa.s_addr = *addr; + printf("%s", inet_ntoa(ipa)); + if ((ones = countbits(*mask)) == -1) { + ipa.s_addr = *mask; + printf("/%s", inet_ntoa(ipa)); + } else + printf("/%d", ones); + } +} + + +void printportcmp(pr, frp) +int pr; +frpcmp_t *frp; +{ + static char *pcmp1[] = { "*", "=", "!=", "<", ">", "<=", ">=", + "<>", "><"}; + + if (frp->frp_cmp == FR_INRANGE || frp->frp_cmp == FR_OUTRANGE) + printf(" port %d %s %d", frp->frp_port, + pcmp1[frp->frp_cmp], frp->frp_top); + else + printf(" port %s %s", pcmp1[frp->frp_cmp], + portname(pr, frp->frp_port)); +} + + +void printbuf(buf, len, zend) +char *buf; +int len, zend; +{ + char *s, c; + int i; + + for (s = buf, i = len; i; i--) { + c = *s++; + if (isprint(c)) + putchar(c); + else + printf("\\%03o", c); + if ((c == '\0') && zend) + break; + } +} diff --git a/sbin/ipf/facpri.c b/sbin/ipf/facpri.c index 00434b42a0f..4333b4345fd 100644 --- a/sbin/ipf/facpri.c +++ b/sbin/ipf/facpri.c @@ -1,7 +1,7 @@ -/* $OpenBSD: facpri.c,v 1.4 2000/03/13 23:40:19 kjell Exp $ */ +/* $OpenBSD: facpri.c,v 1.5 2001/01/17 05:00:58 fgsch Exp $ */ /* - * Copyright (C) 1993-1998 by Darren Reed. + * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -21,7 +21,7 @@ #include "facpri.h" #if !defined(lint) -static const char rcsid[] = "@(#)$IPFilter: facpri.c,v 1.2 1999/08/01 11:10:45 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: facpri.c,v 1.3 2000/03/13 22:10:18 darrenr Exp $"; #endif typedef struct table { diff --git a/sbin/ipf/facpri.h b/sbin/ipf/facpri.h index 8f819136b34..68621f5b4a2 100644 --- a/sbin/ipf/facpri.h +++ b/sbin/ipf/facpri.h @@ -1,12 +1,12 @@ -/* $OpenBSD: facpri.h,v 1.4 2000/03/13 23:40:19 kjell Exp $ */ +/* $OpenBSD: facpri.h,v 1.5 2001/01/17 05:00:58 fgsch Exp $ */ /* - * Copyright (C) 1999 by Darren Reed. + * Copyright (C) 1999-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $IPFilter: facpri.h,v 1.2 1999/08/01 11:10:46 darrenr Exp $ + * $IPFilter: facpri.h,v 1.3 2000/03/13 22:10:18 darrenr Exp $ */ #ifndef __FACPRI_H__ diff --git a/sbin/ipf/ifaddr.c b/sbin/ipf/ifaddr.c index 3f162c361a3..5e4d46242ef 100644 --- a/sbin/ipf/ifaddr.c +++ b/sbin/ipf/ifaddr.c @@ -1,14 +1,13 @@ -/* $OpenBSD: ifaddr.c,v 1.5 2000/04/05 05:35:28 kjell Exp $ */ +/* $OpenBSD: ifaddr.c,v 1.6 2001/01/17 05:00:58 fgsch Exp $ */ + #include <sys/types.h> -#include <sys/ioctl.h> #include <sys/socket.h> -#include <net/if.h> +#include <sys/ioctl.h> #include <netinet/in.h> +#include <net/if.h> +#include <arpa/inet.h> +#include <string.h> #include <err.h> -#include <stdlib.h> -#include <unistd.h> -#include "ifaddr.h" - /* * if_addr(): @@ -19,58 +18,27 @@ * suggests inclusion into other platforms. The closest alternative is * to define /etc/networks with suitable values. */ -int if_addr(name, ap) -char *name; -struct in_addr *ap; +int if_addr(name, ap) + char *name; + struct in_addr *ap; { - struct ifconf ifc; - struct ifreq ifreq, *ifr; - char *inbuf = NULL; - int s, i, len = 8192; + struct sockaddr_in *sin; + struct ifreq ifr; + int s; + + if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { + warn("socket"); + return (0); + } + + strncpy(ifr.ifr_name, name, IFNAMSIZ); + ifr.ifr_name[IFNAMSIZ - 1] = '\0'; - if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { - warn("socket"); - return 0; - } + if (ioctl(s, SIOCGIFADDR, &ifr) < 0) + return (0); - while (1) { - ifc.ifc_len = len; - ifc.ifc_buf = inbuf = realloc(inbuf, len); - if (inbuf == NULL) - err(1, "malloc"); - if (ioctl(s, SIOCGIFCONF, &ifc) < 0) { - warn("SIOCGIFCONF"); - goto if_addr_lose; - } - if (ifc.ifc_len + sizeof(ifreq) < len) - break; - len *= 2; - } - ifr = ifc.ifc_req; - ifreq.ifr_name[0] = '\0'; - for (i = 0; i < ifc.ifc_len; ) { - ifr = (struct ifreq *)((caddr_t)ifc.ifc_req + i); - i += sizeof(ifr->ifr_name) + - (ifr->ifr_addr.sa_len > sizeof(struct sockaddr) - ? ifr->ifr_addr.sa_len - : sizeof(struct sockaddr)); - ifreq = *ifr; - if (ioctl(s, SIOCGIFADDR, (caddr_t)ifr) < 0) - continue; - if (ifr->ifr_addr.sa_family != AF_INET) - continue; - if (!strcmp(name, ifr->ifr_name)) { - struct sockaddr_in *sin; - close(s); - free(inbuf); - sin = (struct sockaddr_in *)&ifr->ifr_addr; - *ap = sin->sin_addr; - return (1); - } - } + sin = (struct sockaddr_in *)&ifr.ifr_addr; + *ap = sin->sin_addr; -if_addr_lose: - close(s); - free(inbuf); - return 0; + return (1); } diff --git a/sbin/ipf/ifaddr.h b/sbin/ipf/ifaddr.h index bb882dcddf7..34e01f42fc5 100644 --- a/sbin/ipf/ifaddr.h +++ b/sbin/ipf/ifaddr.h @@ -1,8 +1,3 @@ -/* $OpenBSD: ifaddr.h,v 1.5 2000/04/05 05:35:28 kjell Exp $ */ +/* $OpenBSD: ifaddr.h,v 1.6 2001/01/17 05:00:58 fgsch Exp $ */ -#ifndef __IFADDR_H__ -#define __IFADDR_H__ - -int if_addr __P((char *, struct in_addr *)); - -#endif +int if_addr __P((char *, struct in_addr *)); diff --git a/sbin/ipf/ipf.c b/sbin/ipf/ipf.c index 9a978846565..f012e109a8f 100644 --- a/sbin/ipf/ipf.c +++ b/sbin/ipf/ipf.c @@ -1,7 +1,7 @@ -/* $OpenBSD: ipf.c,v 1.24 2000/04/12 21:51:48 kjell Exp $ */ +/* $OpenBSD: ipf.c,v 1.25 2001/01/17 05:00:58 fgsch Exp $ */ /* - * Copyright (C) 1993-1998 by Darren Reed. + * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -36,15 +36,16 @@ #include <netdb.h> #include <arpa/nameser.h> #include <resolv.h> -#include <netinet/ip_fil_compat.h> +#include <netinet/ip_compat.h> #include <netinet/ip_fil.h> #include <netinet/ip_nat.h> +#include <netinet/ip_state.h> #include "ipf.h" #include <netinet/ipl.h> #if !defined(lint) -static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: ipf.c,v 2.2.2.1 2000/02/16 14:40:39 darrenr Exp $"; +static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; +static const char rcsid[] = "@(#)$IPFilter: ipf.c,v 2.10.2.5 2000/10/25 10:37:11 darrenr Exp $"; #endif #if SOLARIS @@ -55,14 +56,15 @@ extern char *index __P((const char *, int)); #endif extern char *optarg; -extern int optind; -extern int optreset; void frsync __P((void)); void zerostats __P((void)); int main __P((int, char *[])); int opts = 0; +#ifdef USE_INET6 +int use_inet6 = 0; +#endif static int fd = -1; @@ -71,25 +73,16 @@ static void set_state __P((u_int)), showstats __P((friostat_t *)); static void packetlogon __P((char *)), swapactive __P((void)); static int opendevice __P((char *)); static void closedevice __P((void)); -static char *getline __P((char *, size_t, FILE *)); +static char *getline __P((char *, size_t, FILE *, int *)); static char *ipfname = IPL_NAME; static void usage __P((void)); static void showversion __P((void)); static int get_flags __P((void)); -#if SOLARIS -#define OPTS "AdDEf:F:Il:noPrsUvVyzZ" -#else -#define OPTS "AdDEf:F:Il:noPrsvVyzZ" -#endif static void usage() { -#if SOLARIS - fprintf(stderr, "usage: ipf [-AdDEInoPrsUvVyzZ] %s %s %s\n", -#else - fprintf(stderr, "usage: ipf [-AdDEInoPrsvVyzZ] %s %s %s\n", -#endif + fprintf(stderr, "usage: ipf [-6AdDEInoPrsUvVyzZ] %s %s %s\n", "[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]"); exit(1); } @@ -101,15 +94,16 @@ char *argv[]; { int c; - while ((c = getopt(argc, argv, OPTS)) != -1) - if (c == '?') - usage(); - - optreset = 1; - optind = 1; - while ((c = getopt(argc, argv, OPTS)) != -1) { + while ((c = getopt(argc, argv, "6AdDEf:F:Il:noPrsUvVyzZ")) != -1) { switch (c) { + case '?' : + usage(); +#ifdef USE_INET6 + case '6' : + use_inet6 = 1; + break; +#endif case 'A' : opts &= ~OPT_INACTIVE; break; @@ -138,7 +132,6 @@ char *argv[]; opts |= OPT_DONOTHING; break; case 'o' : - opts |= OPT_OUTQUE; break; case 'P' : ipfname = IPL_AUTH; @@ -191,7 +184,7 @@ char *ipfdev; if (!(opts & OPT_DONOTHING) && fd == -1) if ((fd = open(ipfdev, O_RDWR)) == -1) - if ((fd = open(ipfname, O_RDONLY)) == -1) + if ((fd = open(ipfdev, O_RDONLY)) == -1) perror("open device"); return fd; } @@ -209,7 +202,7 @@ static int get_flags() int i; if ((opendevice(ipfname) != -2) && (ioctl(fd, SIOCGETFF, &i) == -1)) { - perror("SIOCFRENB"); + perror("SIOCGETFF"); return 0; } return i; @@ -220,8 +213,13 @@ static void set_state(enable) u_int enable; { if (opendevice(ipfname) != -2) - if (ioctl(fd, SIOCFRENB, &enable) == -1) - perror("SIOCFRENB"); + if (ioctl(fd, SIOCFRENB, &enable) == -1) { + if (errno == EBUSY) + fprintf(stderr, + "IP FIlter: already initialized\n"); + else + perror("SIOCFRENB"); + } return; } @@ -256,8 +254,7 @@ char *name, *file; exit(1); } - while (getline(line, sizeof(line), fp)) { - linenum++; + while (getline(line, sizeof(line), fp, &linenum)) { /* * treat CR as EOL. LF is converted to NUL by getline(). */ @@ -299,24 +296,31 @@ char *name, *file; if ((opts & OPT_ZERORULEST) && !(opts & OPT_DONOTHING)) { - if (ioctl(fd, add, fr) == -1) + if (ioctl(fd, add, &fr) == -1) { + fprintf(stderr, "%d:", linenum); perror("ioctl(SIOCZRLST)"); - else { + } else { #ifdef USE_QUAD_T printf("hits %qd bytes %qd ", + (long long)fr->fr_hits, + (long long)fr->fr_bytes); #else printf("hits %ld bytes %ld ", -#endif fr->fr_hits, fr->fr_bytes); +#endif printfr(fr); } } else if ((opts & OPT_REMOVE) && !(opts & OPT_DONOTHING)) { - if (ioctl(fd, del, fr) == -1) - perror("ioctl(SIOCDELFR)"); + if (ioctl(fd, del, &fr) == -1) { + fprintf(stderr, "%d:", linenum); + perror("ioctl(delete rule)"); + } } else if (!(opts & OPT_DONOTHING)) { - if (ioctl(fd, add, fr) == -1) - perror("ioctl(SIOCADDFR)"); + if (ioctl(fd, add, &fr) == -1) { + fprintf(stderr, "%d:", linenum); + perror("ioctl(add/insert rule)"); + } } } } @@ -332,16 +336,17 @@ char *name, *file; * Similar to fgets(3) but can handle '\\' and NL is converted to NUL. * Returns NULL if error occured, EOF encounterd or input line is too long. */ -static char *getline(str, size, file) +static char *getline(str, size, file, linenum) register char *str; size_t size; FILE *file; +int *linenum; { char *p; int s, len; do { - for (p = str, s = size;; p += len, s -= len) { + for (p = str, s = size;; p += (len - 1), s -= (len - 1)) { /* * if an error occured, EOF was encounterd, or there * was no room to put NUL, return NULL. @@ -349,12 +354,22 @@ FILE *file; if (fgets(p, s, file) == NULL) return (NULL); len = strlen(p); + if (p[len - 1] != '\n') { + p[len] = '\0'; + break; + } + (*linenum)++; p[len - 1] = '\0'; - if (p[len - 1] != '\\') + if (len < 2 || p[len - 2] != '\\') break; - size -= len; + else + /* + * Convert '\\' to a space so words don't + * run together + */ + p[len - 2] = ' '; } - } while (*str == '\0' || *str == '\n'); + } while (*str == '\0'); return (str); } @@ -468,13 +483,14 @@ void frsync() void zerostats() { friostat_t fio; + friostat_t *fiop = &fio; if (opendevice(ipfname) != -2) { - if (ioctl(fd, SIOCFRZST, &fio) == -1) { + if (ioctl(fd, SIOCFRZST, &fiop) == -1) { perror("ioctl(SIOCFRZST)"); exit(-1); } - showstats(&fio); + showstats(fiop); } } @@ -542,15 +558,24 @@ static void blockunknown() static void showversion() { struct friostat fio; + struct friostat *fiop=&fio; u_32_t flags; char *s; + int vfd; - printf("ipf: %s (%d)\n", IPL_VERSION, sizeof(frentry_t)); + printf("ipf: %s (%d)\n", IPL_VERSION, (int)sizeof(frentry_t)); + + if ((vfd = open(ipfname, O_RDONLY)) == -1) { + perror("open device"); + return; + } - if (opendevice(ipfname) != -2 && ioctl(fd, SIOCGETFS, &fio)) { - perror("ioctl(SIOCGETFS"); + if (ioctl(vfd, SIOCGETFS, &fiop)) { + perror("ioctl(SIOCGETFS)"); + close(vfd); return; } + close(vfd); flags = get_flags(); printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version), diff --git a/sbin/ipf/ipf.h b/sbin/ipf/ipf.h index f4f8c5d7d00..164bacda75f 100644 --- a/sbin/ipf/ipf.h +++ b/sbin/ipf/ipf.h @@ -1,14 +1,14 @@ -/* $OpenBSD: ipf.h,v 1.14 2000/03/13 23:40:19 kjell Exp $ */ +/* $OpenBSD: ipf.h,v 1.15 2001/01/17 05:00:59 fgsch Exp $ */ /* - * Copyright (C) 1993-1998 by Darren Reed. + * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ipf.h 1.12 6/5/96 - * $IPFilter: ipf.h,v 2.1.2.1 1999/10/05 12:59:25 darrenr Exp $ + * $IPFilter: ipf.h,v 2.9.2.2 2000/05/06 11:20:20 darrenr Exp $ */ #ifndef __IPF_H__ @@ -39,6 +39,14 @@ #define OPT_RAW 0x080000 #define OPT_NAT 0x100000 #define OPT_GROUPS 0x200000 +#define OPT_STATETOP 0x400000 +#define OPT_FLUSH 0x800000 +#define OPT_CLEAR 0x1000000 +#define OPT_NODO 0x80000000 + +#define OPT_STAT OPT_FRSTATES +#define OPT_LIST OPT_SHOWLIST + #ifndef __P # ifdef __STDC__ @@ -48,6 +56,8 @@ # endif #endif +struct frpcmp; + #ifdef ultrix extern char *strdup __P((char *)); #endif @@ -67,10 +77,26 @@ struct ipopt_names { }; +extern char *proto; +extern char flagset[]; +extern u_char flags[]; + +extern u_char tcp_flags __P((char *, u_char *, int)); +extern int countbits __P((u_32_t)); +extern int ratoi __P((char *, int *, int, int)); +extern int ratoui __P((char *, u_int *, u_int, u_int)); +extern int hostmask __P((char ***, u_32_t *, u_32_t *, u_short *, int *, + u_short *, int)); +extern int ports __P((char ***, u_short *, int *, u_short *, int)); +extern char *portname __P((int, int)); extern u_32_t buildopts __P((char *, char *, int)); -extern u_32_t hostnum __P((char *, int *, int)); +extern int genmask __P((char *, u_32_t *)); +extern int hostnum __P((u_32_t *, char *, int)); extern u_32_t optname __P((char ***, u_short *, int)); extern void printpacket __P((ip_t *)); +extern void printportcmp __P((int, struct frpcmp *)); +extern void printhostmask __P((int, u_32_t *, u_32_t *)); +extern void printbuf __P((char *, int, int)); #if SOLARIS extern int inet_aton __P((const char *, struct in_addr *)); extern int gethostname __P((char *, int )); diff --git a/sbin/ipf/opt.c b/sbin/ipf/opt.c index 99fbcda9529..38a414bc5c8 100644 --- a/sbin/ipf/opt.c +++ b/sbin/ipf/opt.c @@ -1,7 +1,7 @@ -/* $OpenBSD: opt.c,v 1.14 2000/03/13 23:40:19 kjell Exp $ */ +/* $OpenBSD: opt.c,v 1.15 2001/01/17 05:00:59 fgsch Exp $ */ /* - * Copyright (C) 1993-1998 by Darren Reed. + * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -22,14 +22,14 @@ #include <netinet/tcp.h> #include <net/if.h> #include <arpa/inet.h> -#include <netinet/ip_fil_compat.h> +#include <netinet/ip_compat.h> #include <netinet/tcpip.h> #include <netinet/ip_fil.h> #include "ipf.h" #if !defined(lint) -static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-1995 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: opt.c,v 2.1 1999/08/04 17:30:15 darrenr Exp $"; +static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-2000 Darren Reed"; +static const char rcsid[] = "@(#)$IPFilter: opt.c,v 2.2 2000/03/13 22:10:26 darrenr Exp $"; #endif extern int opts; diff --git a/sbin/ipf/parse.c b/sbin/ipf/parse.c index 9b6b38f10c5..1ff6e70069d 100644 --- a/sbin/ipf/parse.c +++ b/sbin/ipf/parse.c @@ -1,7 +1,7 @@ -/* $OpenBSD: parse.c,v 1.35 2000/08/10 05:50:27 kjell Exp $ */ +/* $OpenBSD: parse.c,v 1.36 2001/01/17 05:00:59 fgsch Exp $ */ /* - * Copyright (C) 1993-1998 by Darren Reed. + * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -36,56 +36,35 @@ #include <resolv.h> #include <ctype.h> #include <syslog.h> -#include <netinet/ip_fil_compat.h> +#include <netinet/ip_compat.h> #include <netinet/ip_fil.h> #include "ipf.h" #include "facpri.h" #if !defined(lint) -static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.1.2.14 2000/06/21 14:50:52 darrenr Exp $"; +static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-2000 Darren Reed"; +static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; extern int opts; +#ifdef USE_INET6 +extern int use_inet6; +#endif -int portnum __P((char *, u_short *, int)); -u_char tcp_flags __P((char *, u_char *, int)); int addicmp __P((char ***, struct frentry *, int)); int extras __P((char ***, struct frentry *, int)); -char ***seg; -u_long *sa, *msk; -u_short *pp, *tp; -u_char *cp; - -int hostmask __P((char ***, u_32_t *, u_32_t *, u_short *, u_char *, - u_short *, int)); -int ports __P((char ***, u_short *, u_char *, u_short *, int)); + int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *, int)); int to_interface __P((frdest_t *, char *, int)); void print_toif __P((char *, frdest_t *)); void optprint __P((u_short *, u_long, u_long)); -int countbits __P((u_32_t)); -char *portname __P((int, int)); -int ratoi __P((char *, int *, int, int)); -int loglevel __P((char **, u_short *, int)); +int loglevel __P((char **, u_int *, int)); void printlog __P((frentry_t *)); -#if defined(__OpenBSD__) -extern int if_addr __P((char *, struct in_addr *)); -#endif - -char *proto = NULL; -char flagset[] = "FSRPAU"; -u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG }; - -static char thishost[MAXHOSTNAMELEN]; - - -void initparse() -{ - gethostname(thishost, sizeof(thishost)); -} +extern char *proto; +extern char flagset[]; +extern u_char flags[]; /* parse() @@ -99,8 +78,8 @@ int linenum; static struct frentry fil; struct protoent *p = NULL; char *cps[31], **cpp, *endptr; - u_char ch; - int i, cnt = 1, j; + int i, cnt = 1, j, ch; + u_int k; while (*line && isspace(*line)) line++; @@ -109,7 +88,11 @@ int linenum; bzero((char *)&fil, sizeof(fil)); fil.fr_mip.fi_v = 0xf; +#ifdef USE_INET6 + fil.fr_ip.fi_v = use_inet6 ? 6 : 4; +#else fil.fr_ip.fi_v = 4; +#endif fil.fr_loglevel = 0xffff; /* @@ -176,8 +159,8 @@ int linenum; fil.fr_flags |= FR_PREAUTH; } else if (!strcasecmp("skip", *cpp)) { cpp++; - if (ratoi(*cpp, &i, 0, USHRT_MAX)) - fil.fr_skip = i; + if (ratoui(*cpp, &k, 0, UINT_MAX)) + fil.fr_skip = k; else { fprintf(stderr, "%d: integer must follow skip\n", linenum); @@ -265,43 +248,6 @@ int linenum; cpp++; } if (*cpp && !strcasecmp(*cpp, "level")) { - int fac, pri; - char *s; - - fac = 0; - pri = 0; - if (!*++cpp) { - fprintf(stderr, "%d: %s\n", linenum, - "missing identifier after level"); - return NULL; - } - s = index(*cpp, '.'); - if (s) { - *s++ = '\0'; - fac = fac_findname(*cpp); - if (fac == -1) { - fprintf(stderr, "%d: %s %s\n", linenum, - "Unknown facility", *cpp); - return NULL; - } - pri = pri_findname(s); - if (pri == -1) { - fprintf(stderr, "%d: %s %s\n", linenum, - "Unknown priority", s); - return NULL; - } - } else { - pri = pri_findname(*cpp); - if (pri == -1) { - fprintf(stderr, "%d: %s %s\n", linenum, - "Unknown priority", *cpp); - return NULL; - } - } - fil.fr_loglevel = fac|pri; - cpp++; - } - if (*cpp && !strcasecmp(*cpp, "level")) { if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) return NULL; cpp++; @@ -450,16 +396,17 @@ int linenum; linenum); return NULL; } - ch = 0; if (**cpp == '!') { fil.fr_flags |= FR_NOTSRCIP; (*cpp)++; } + ch = 0; if (hostmask(&cpp, (u_32_t *)&fil.fr_src, (u_32_t *)&fil.fr_smsk, &fil.fr_sport, &ch, &fil.fr_stop, linenum)) { return NULL; } + fil.fr_scmp = ch; if (!*cpp) { fprintf(stderr, "%d: missing to fields\n", linenum); @@ -521,7 +468,8 @@ int linenum; /* * extras... */ - if (*cpp && (!strcasecmp(*cpp, "with") || !strcasecmp(*cpp, "and"))) + if ((fil.fr_v == 4) && *cpp && (!strcasecmp(*cpp, "with") || + !strcasecmp(*cpp, "and"))) if (extras(&cpp, &fil, linenum)) return NULL; @@ -556,8 +504,8 @@ int linenum; fprintf(stderr, "%d: head without group #\n", linenum); return NULL; } - if (ratoi(*cpp, &i, 0, USHRT_MAX)) - fil.fr_grhead = i; + if (ratoui(*cpp, &k, 0, UINT_MAX)) + fil.fr_grhead = (u_32_t)k; else { fprintf(stderr, "%d: invalid group (%s)\n", linenum, *cpp); @@ -575,8 +523,8 @@ int linenum; linenum); return NULL; } - if (ratoi(*cpp, &i, 0, USHRT_MAX)) - fil.fr_group = i; + if (ratoui(*cpp, &k, 0, UINT_MAX)) + fil.fr_group = k; else { fprintf(stderr, "%d: invalid group (%s)\n", linenum, *cpp); @@ -630,7 +578,7 @@ int linenum; int loglevel(cpp, facpri, linenum) char **cpp; -u_short *facpri; +u_int *facpri; int linenum; { int fac, pri; @@ -677,15 +625,13 @@ frdest_t *fdp; char *to; int linenum; { - int r = 0; - char *s; + char *s; s = index(to, ':'); fdp->fd_ifp = NULL; if (s) { *s++ = '\0'; - fdp->fd_ip.s_addr = hostnum(s, &r, linenum); - if (r == -1) + if (hostnum((u_32_t *)&fdp->fd_ip, s, linenum) == -1) return -1; } (void) strncpy(fdp->fd_ifname, to, sizeof(fdp->fd_ifname) - 1); @@ -707,279 +653,6 @@ frdest_t *fdp; /* - * returns -1 if neither "hostmask/num" or "hostmask mask addr" are - * found in the line segments, there is an error processing this information, - * or there is an error processing ports information. - */ -int hostmask(seg, sa, msk, pp, cp, tp, linenum) -char ***seg; -u_32_t *sa, *msk; -u_short *pp, *tp; -u_char *cp; -int linenum; -{ - char *s, *endptr; - int bits = -1, resolved; - struct in_addr maskaddr; - - /* - * is it possibly hostname/num ? - */ - if ((s = index(**seg, '/')) || (s = index(**seg, ':'))) { - *s++ = '\0'; - if (index(s, '.') || index(s, 'x')) { - /* possibly of the form xxx.xxx.xxx.xxx - * or 0xYYYYYYYY */ - if (inet_aton(s, &maskaddr) == 0) { - fprintf(stderr, "%d: bad mask (%s)\n", - linenum, s); - return -1; - } - *msk = maskaddr.s_addr; - } else { - /* - * set x most significant bits - */ - bits = (int)strtol(s, &endptr, 0); - if (*endptr != '\0' || bits > 32 || bits < 0) { - fprintf(stderr, "%d: bad mask (/%s)\n", - linenum, s); - return -1; - } - if (bits == 0) - *msk = 0; - else - *msk = htonl(0xffffffff << (32 - bits)); - } - *sa = hostnum(**seg, &resolved, linenum) & *msk; - if (resolved == -1) { - fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); - return -1; - } - (*seg)++; - return ports(seg, pp, cp, tp, linenum); - } - - /* - * look for extra segments if "mask" found in right spot - */ - if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) { - *sa = hostnum(**seg, &resolved, linenum); - if (resolved == -1) { - fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); - return -1; - } - (*seg)++; - (*seg)++; - if (inet_aton(**seg, &maskaddr) == 0) { - fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg); - return -1; - } - *msk = maskaddr.s_addr; - (*seg)++; - *sa &= *msk; - return ports(seg, pp, cp, tp, linenum); - } - - if (**seg) { - *sa = hostnum(**seg, &resolved, linenum); - if (resolved == -1) { - fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); - return -1; - } - (*seg)++; - *msk = (*sa ? inet_addr("255.255.255.255") : 0L); - *sa &= *msk; - return ports(seg, pp, cp, tp, linenum); - } - fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg); - return -1; -} - -/* - * returns an ip address as a long var as a result of either a DNS lookup or - * straight inet_addr() call - */ -u_32_t hostnum(host, resolved, linenum) -char *host; -int *resolved; -int linenum; -{ - struct hostent *hp; - struct netent *np; - struct in_addr ip; -#if defined(__OpenBSD__) - struct in_addr addr; -#endif - - *resolved = 0; - if (!strcasecmp("any", host)) - return 0; - if (isdigit(*host) && inet_aton(host, &ip)) - return ip.s_addr; - - if (!strcasecmp("<thishost>", host)) - host = thishost; - -#if defined(__OpenBSD__) - /* attempt a map from interface name to address */ - if (if_addr(host, &addr)) - return (u_32_t)addr.s_addr; -#endif - - if (!(hp = gethostbyname(host))) { - if (!(np = getnetbyname(host))) { - *resolved = -1; - fprintf(stderr, "%d: can't resolve hostname: %s\n", - linenum, host); - return 0; - } - return htonl(np->n_net); - } - return *(u_32_t *)hp->h_addr; -} - -/* - * check for possible presence of the port fields in the line - */ -int ports(seg, pp, cp, tp, linenum) -char ***seg; -u_short *pp, *tp; -u_char *cp; -int linenum; -{ - int comp = -1; - - if (!*seg || !**seg || !***seg) - return 0; - if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) { - (*seg)++; - if (isdigit(***seg) && *(*seg + 2)) { - if (portnum(**seg, pp, linenum) == 0) - return -1; - (*seg)++; - if (!strcmp(**seg, "<>")) - comp = FR_OUTRANGE; - else if (!strcmp(**seg, "><")) - comp = FR_INRANGE; - else { - fprintf(stderr, - "%d: unknown range operator (%s)\n", - linenum, **seg); - return -1; - } - (*seg)++; - if (**seg == NULL) { - fprintf(stderr, "%d: missing 2nd port value\n", - linenum); - return -1; - } - if (portnum(**seg, tp, linenum) == 0) - return -1; - } else if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq")) - comp = FR_EQUAL; - else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne")) - comp = FR_NEQUAL; - else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt")) - comp = FR_LESST; - else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt")) - comp = FR_GREATERT; - else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le")) - comp = FR_LESSTE; - else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge")) - comp = FR_GREATERTE; - else { - fprintf(stderr, "%d: unknown comparator (%s)\n", - linenum, **seg); - return -1; - } - if (comp != FR_OUTRANGE && comp != FR_INRANGE) { - (*seg)++; - if (portnum(**seg, pp, linenum) == 0) - return -1; - } - *cp = comp; - (*seg)++; - } - return 0; -} - -/* - * find the port number given by the name, either from getservbyname() or - * straight atoi(). Return 1 on success, 0 on failure - */ -int portnum(name, port, linenum) -char *name; -u_short *port; -int linenum; -{ - struct servent *sp, *sp2; - u_short p1 = 0; - int i; - if (isdigit(*name)) { - if (ratoi(name, &i, 0, USHRT_MAX)) { - *port = (u_short)i; - return 1; - } - fprintf(stderr, "%d: unknown port \"%s\"\n", linenum, name); - return 0; - } - if (proto != NULL && strcasecmp(proto, "tcp/udp") != 0) { - sp = getservbyname(name, proto); - if (sp) { - *port = ntohs(sp->s_port); - return 1; - } - fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name); - return 0; - } - sp = getservbyname(name, "tcp"); - if (sp) - p1 = sp->s_port; - sp2 = getservbyname(name, "udp"); - if (!sp || !sp2) { - fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n", - linenum, name); - return 0; - } - if (p1 != sp2->s_port) { - fprintf(stderr, "%d: %s %d/tcp is a different port to ", - linenum, name, p1); - fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port); - return 0; - } - *port = ntohs(p1); - return 1; -} - - -u_char tcp_flags(flgs, mask, linenum) -char *flgs; -u_char *mask; -int linenum; -{ - u_char tcpf = 0, tcpfm = 0, *fp = &tcpf; - char *s, *t; - - for (s = flgs; *s; s++) { - if (*s == '/' && fp == &tcpf) { - fp = &tcpfm; - continue; - } - if (!(t = index(flagset, *s))) { - fprintf(stderr, "%d: unknown flag (%c)\n", linenum, *s); - return 0; - } - *fp |= flags[t - flagset]; - } - if (!tcpfm) - tcpfm = 0xff; - *mask = tcpfm; - return tcpf; -} - - -/* * deal with extra bits on end of the line */ int extras(cp, fr, linenum) @@ -1000,8 +673,8 @@ int linenum; return -1; while (**cp && (!strncasecmp(**cp, "ipopt", 5) || - !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 4) || - !strncasecmp(**cp, "frag", 3) || !strncasecmp(**cp, "no", 2) || + !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 3) || + !strncasecmp(**cp, "frag", 4) || !strncasecmp(**cp, "no", 2) || !strncasecmp(**cp, "short", 5))) { if (***cp == 'n' || ***cp == 'N') { notopt = 1; @@ -1327,6 +1000,9 @@ struct frentry *fp; int linenum; { if (fp->fr_proto != IPPROTO_TCP && fp->fr_proto != IPPROTO_UDP && +#ifdef USE_INET6 + fp->fr_proto != IPPROTO_ICMPV6 && +#endif fp->fr_proto != IPPROTO_ICMP && !(fp->fr_ip.fi_fl & FI_TCPUDP)) { fprintf(stderr, "%d: Can only use keep with UDP/ICMP/TCP\n", linenum); @@ -1339,8 +1015,7 @@ int linenum; linenum); return -1; } - - if (**cp && strcasecmp(**cp, "state") && strcasecmp(**cp, "frags")) { + if (strcasecmp(**cp, "state") && strcasecmp(**cp, "frags")) { fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n", linenum, **cp); return -1; @@ -1356,77 +1031,16 @@ int linenum; /* - * count consecutive 1's in bit mask. If the mask generated by counting - * consecutive 1's is different to that passed, return -1, else return # - * of bits. - */ -int countbits(ip) -u_32_t ip; -{ - u_32_t ipn; - int cnt = 0, i, j; - - ip = ipn = ntohl(ip); - for (i = 32; i; i--, ipn *= 2) - if (ipn & 0x80000000) - cnt++; - else - break; - ipn = 0; - for (i = 32, j = cnt; i; i--, j--) { - ipn *= 2; - if (j > 0) - ipn++; - } - if (ipn == ip) - return cnt; - return -1; -} - - -char *portname(pr, port) -int pr, port; -{ - static char buf[32]; - struct protoent *p = NULL; - struct servent *sv = NULL, *sv1 = NULL; - - if (pr == -1) { - if ((sv = getservbyport(htons(port), "tcp"))) { - strncpy(buf, sv->s_name, sizeof(buf)-1); - buf[sizeof(buf)-1] = '\0'; - sv1 = getservbyport(htons(port), "udp"); - sv = strncasecmp(buf, sv->s_name, strlen(buf)) ? - NULL : sv1; - } - if (sv) - return buf; - } else if (pr && (p = getprotobynumber(pr))) { - if ((sv = getservbyport(htons(port), p->p_name))) { - strncpy(buf, sv->s_name, sizeof(buf)-1); - buf[sizeof(buf)-1] = '\0'; - return buf; - } - } - - (void) sprintf(buf, "%d", port); - return buf; -} - - -/* * print the filter structure in a useful way */ void printfr(fp) struct frentry *fp; { - static char *pcmp1[] = { "*", "=", "!=", "<", ">", "<=", ">=", - "<>", "><"}; - struct protoent *p; - int ones = 0, pr; - char *s; - u_char *t; + struct protoent *p; u_short sec[2]; + char *s; + u_char *t; + int pr; if (fp->fr_flags & FR_PASS) printf("pass"); @@ -1467,6 +1081,7 @@ struct frentry *fp; printlog(fp); putchar(' '); } + if (fp->fr_flags & FR_QUICK) printf("quick "); @@ -1496,42 +1111,17 @@ struct frentry *fp; } printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : ""); - if (!fp->fr_src.s_addr && !fp->fr_smsk.s_addr) - printf("any "); - else { - printf("%s", inet_ntoa(fp->fr_src)); - if ((ones = countbits(fp->fr_smsk.s_addr)) == -1) - printf("/%s ", inet_ntoa(fp->fr_smsk)); - else - printf("/%d ", ones); - } - if (fp->fr_scmp) { - if (fp->fr_scmp == FR_INRANGE || fp->fr_scmp == FR_OUTRANGE) - printf("port %d %s %d ", fp->fr_sport, - pcmp1[fp->fr_scmp], fp->fr_stop); - else - printf("port %s %s ", pcmp1[fp->fr_scmp], - portname(pr, fp->fr_sport)); - } + printhostmask(fp->fr_v, (u_32_t *)&fp->fr_src.s_addr, + (u_32_t *)&fp->fr_smsk.s_addr); + if (fp->fr_scmp) + printportcmp(pr, &fp->fr_tuc.ftu_src); + + printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : ""); + printhostmask(fp->fr_v, (u_32_t *)&fp->fr_dst.s_addr, + (u_32_t *)&fp->fr_dmsk.s_addr); + if (fp->fr_dcmp) + printportcmp(pr, &fp->fr_tuc.ftu_dst); - printf("to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : ""); - if (!fp->fr_dst.s_addr && !fp->fr_dmsk.s_addr) - printf("any"); - else { - printf("%s", inet_ntoa(fp->fr_dst)); - if ((ones = countbits(fp->fr_dmsk.s_addr)) == -1) - printf("/%s", inet_ntoa(fp->fr_dmsk)); - else - printf("/%d", ones); - } - if (fp->fr_dcmp) { - if (fp->fr_dcmp == FR_INRANGE || fp->fr_dcmp == FR_OUTRANGE) - printf(" port %d %s %d", fp->fr_dport, - pcmp1[fp->fr_dcmp], fp->fr_dtop); - else - printf(" port %s %s", pcmp1[fp->fr_dcmp], - portname(pr, fp->fr_dport)); - } if ((fp->fr_ip.fi_fl & ~FI_TCPUDP) || (fp->fr_mip.fi_fl & ~FI_TCPUDP) || fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk || @@ -1575,14 +1165,20 @@ struct frentry *fp; } if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) { printf(" flags "); - for (s = flagset, t = flags; *s; s++, t++) - if (fp->fr_tcpf & *t) - (void)putchar(*s); - if (fp->fr_tcpfm) { - (void)putchar('/'); + if (fp->fr_tcpf & ~TCPF_ALL) + printf("0x%x", fp->fr_tcpf); + else for (s = flagset, t = flags; *s; s++, t++) - if (fp->fr_tcpfm & *t) + if (fp->fr_tcpf & *t) (void)putchar(*s); + if (fp->fr_tcpfm) { + (void)putchar('/'); + if (fp->fr_tcpfm & ~TCPF_ALL) + printf("0x%x", fp->fr_tcpfm); + else + for (s = flagset, t = flags; *s; s++, t++) + if (fp->fr_tcpfm & *t) + (void)putchar(*s); } } @@ -1645,18 +1241,3 @@ frentry_t *fp; printf("%s", u); } } - - -int ratoi(ps, pi, min, max) -char *ps; -int *pi, min, max; -{ - int i; - char *pe; - - i = (int)strtol(ps, &pe, 0); - if (*pe != '\0' || i < min || i > max) - return 0; - *pi = i; - return 1; -} diff --git a/sbin/ipfstat/Makefile b/sbin/ipfstat/Makefile index ab29321d47e..60c98824ff7 100644 --- a/sbin/ipfstat/Makefile +++ b/sbin/ipfstat/Makefile @@ -1,11 +1,9 @@ -# $OpenBSD: Makefile,v 1.6 1999/12/16 07:38:45 kjell Exp $ +# $OpenBSD: Makefile,v 1.7 2001/01/17 05:01:00 fgsch Exp $ PROG= ipfstat MAN= ipfstat.8 -SRCS= fils.c parse.c opt.c kmem.c facpri.c ifaddr.c +SRCS= fils.c parse.c opt.c kmem.c facpri.c common.c ifaddr.c .PATH: ${.CURDIR}/../../sbin/ipf CFLAGS+=-I${.CURDIR}/../../sbin/ipf - - .include <bsd.prog.mk> diff --git a/sbin/ipfstat/fils.c b/sbin/ipfstat/fils.c index 9f005ecb62f..cbf412089c3 100644 --- a/sbin/ipfstat/fils.c +++ b/sbin/ipfstat/fils.c @@ -1,7 +1,7 @@ -/* $OpenBSD: fils.c,v 1.22 2000/11/14 18:56:31 aaron Exp $ */ +/* $OpenBSD: fils.c,v 1.23 2001/01/17 05:01:00 fgsch Exp $ */ /* - * Copyright (C) 1993-1998 by Darren Reed. + * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -19,11 +19,18 @@ #include <sys/time.h> #include <sys/param.h> #include <sys/file.h> +#if defined(STATETOP) && defined(sun) && !defined(__svr4__) && !defined(__SVR4) +#include <sys/select.h> +#endif #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <stddef.h> #include <nlist.h> +#ifdef STATETOP +#include <ctype.h> +#include <ncurses.h> +#endif #include <sys/socket.h> #include <sys/ioctl.h> #include <netinet/in.h> @@ -38,7 +45,11 @@ #include <arpa/nameser.h> #include <resolv.h> #include <netinet/tcp.h> -#include <netinet/ip_fil_compat.h> +#if defined(STATETOP) && !defined(linux) +# include <netinet/ip_var.h> +# include <netinet/tcp_fsm.h> +#endif +#include <netinet/ip_compat.h> #include <netinet/ip_fil.h> #include "ipf.h" #include <netinet/ip_proxy.h> @@ -46,16 +57,23 @@ #include <netinet/ip_frag.h> #include <netinet/ip_state.h> #include <netinet/ip_auth.h> +#ifdef STATETOP +#include <netinet/ipl.h> +#endif #include "kmem.h" #if defined(__NetBSD__) || (__OpenBSD__) # include <paths.h> #endif #if !defined(lint) -static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: fils.c,v 2.2.2.7 2000/05/24 20:34:56 darrenr Exp $"; +static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; +static const char rcsid[] = "@(#)$IPFilter: fils.c,v 2.21.2.7 2000/12/02 00:13:56 darrenr Exp $"; #endif +extern char *optarg; + +#define PRINTF (void)printf +#define FPRINTF (void)fprintf #define F_IN 0 #define F_OUT 1 #define F_AC 2 @@ -63,8 +81,34 @@ static char *filters[4] = { "ipfilter(in)", "ipfilter(out)", "ipacct(in)", "ipacct(out)" }; int opts = 0; +#ifdef USE_INET6 +int use_inet6 = 0; +#endif + +#ifdef STATETOP +#define STSTRSIZE 80 +#define STGROWSIZE 16 -char *nlistf = NULL, *memf = NULL; +#define STSORT_PR 0 +#define STSORT_PKTS 1 +#define STSORT_BYTES 2 +#define STSORT_TTL 3 +#define STSORT_MAX STSORT_TTL +#define STSORT_DEFAULT STSORT_BYTES + + +typedef struct statetop { + union i6addr st_src; + union i6addr st_dst; + u_short st_sport; + u_short st_dport; + u_char st_p; + u_char st_state[2]; + U_QUAD_T st_pkts; + U_QUAD_T st_bytes; + u_long st_age; +} statetop_t; +#endif extern int main __P((int, char *[])); static void showstats __P((int, friostat_t *)); @@ -76,14 +120,49 @@ static void showgroups __P((friostat_t *)); static void Usage __P((char *)); static void printlist __P((frentry_t *)); static char *get_ifname __P((void *)); +static char *hostname __P((int, void *)); +static void parse_ipportstr __P((const char *, struct in_addr *, int *)); +#ifdef STATETOP +static void topipstates __P((int, struct in_addr, struct in_addr, int, int, int, int, int)); +static char *ttl_to_string __P((long)); +static int sort_p __P((const void *, const void *)); +static int sort_pkts __P((const void *, const void *)); +static int sort_bytes __P((const void *, const void *)); +static int sort_ttl __P((const void *, const void *)); +#endif + +static char *hostname(v, ip) +int v; +void *ip; +{ +#ifdef USE_INET6 + static char hostbuf[MAXHOSTNAMELEN+1]; +#endif + struct in_addr ipa; + + if (v == 4) { + ipa.s_addr = *(u_32_t *)ip; + return inet_ntoa(ipa); + } +#ifdef USE_INET6 + (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1); + hostbuf[MAXHOSTNAMELEN] = '\0'; + return hostbuf; +#else + return "IPv6"; +#endif +} static void Usage(name) char *name; { - fprintf(stderr, - "usage: %s [-aAfghIinosv] [-d device] [-M core]\n", - name); +#ifdef USE_INET6 + fprintf(stderr, "Usage: %s [-6aAfhIinosv] [-d <device>]\n", name); +#else + fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name); +#endif + fprintf(stderr, " %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name); exit(1); } @@ -93,25 +172,57 @@ int argc; char *argv[]; { fr_authstat_t frauthst; + fr_authstat_t *frauthstp = &frauthst; friostat_t fio; + friostat_t *fiop=&fio; ips_stat_t ipsst; + ips_stat_t *ipsstp = &ipsst; ipfrstat_t ifrst; + ipfrstat_t *ifrstp = &ifrst; char *name = NULL, *device = IPL_NAME; int c, fd; + struct protoent *proto; + + int protocol = -1; /* -1 = wild card for any protocol */ + int refreshtime = 1; /* default update time */ + int sport = -1; /* -1 = wild card for any source port */ + int dport = -1; /* -1 = wild card for any dest port */ + int topclosed = 0; /* do not show closed tcp sessions */ + struct in_addr saddr, daddr; + saddr.s_addr = INADDR_ANY; /* default any source addr */ + daddr.s_addr = INADDR_ANY; /* default any dest addr */ + + if (openkmem() == -1) + exit(-1); + + (void)setuid(getuid()); + (void)setgid(getgid()); - while ((c = getopt(argc, argv, "AafhgIinosvd:M:")) != -1) + while ((c = getopt(argc, argv, "6aACfghIilnostvd:D:P:S:T:")) != -1) { switch (c) { +#ifdef USE_INET6 + case '6' : + use_inet6 = 1; + break; +#endif case 'a' : opts |= OPT_ACCNT|OPT_SHOWLIST; break; case 'A' : + device = IPAUTH_NAME; opts |= OPT_AUTHSTATS; break; + case 'C' : + topclosed = 1; + break; case 'd' : device = optarg; break; + case 'D' : + parse_ipportstr(optarg, &daddr, &dport); + break; case 'f' : opts |= OPT_FRSTATES; break; @@ -127,38 +238,59 @@ char *argv[]; case 'I' : opts |= OPT_INACTIVE; break; + case 'l' : + opts |= OPT_SHOWLIST; + break; case 'n' : opts |= OPT_SHOWLINENO; break; case 'o' : opts |= OPT_OUTQUE|OPT_SHOWLIST; break; + case 'P' : + if ((proto = getprotobyname(optarg)) != NULL) { + protocol = proto->p_proto; + } else if (!sscanf(optarg, "%ud", &protocol) || + (protocol < 0)) { + fprintf(stderr, "%s : Invalid protocol: %s\n", + argv[0], optarg); + exit(-2); + } + break; case 's' : opts |= OPT_IPSTATES; break; + case 'S' : + parse_ipportstr(optarg, &saddr, &sport); + break; + case 't' : +#ifdef STATETOP + opts |= OPT_STATETOP; + break; +#else + fprintf(stderr, + "%s : state top facility not compiled in\n", + argv[0]); + exit(-2); +#endif + case 'T' : + if (!sscanf(optarg, "%d", &refreshtime) || + (refreshtime <= 0)) { + fprintf(stderr, + "%s : Invalid refreshtime < 1 : %s\n", + argv[0], optarg); + exit(-2); + } + break; case 'v' : opts |= OPT_VERBOSE; break; - case 'M': - memf = optarg; - break; default : Usage(argv[0]); break; } } - if (nlistf != NULL || memf != NULL) { - (void)setuid(getuid()); - (void)setgid(getgid()); - } - - if (openkmem(nlistf, memf) == -1) - exit(-1); - - (void)setuid(getuid()); - (void)setgid(getgid()); - if ((fd = open(device, O_RDONLY)) < 0) { perror("open"); exit(-1); @@ -168,8 +300,8 @@ char *argv[]; bzero((char *)&ipsst, sizeof(ipsst)); bzero((char *)&ifrst, sizeof(ifrst)); - if (ioctl(fd, SIOCGETFS, &fio) == -1) { - perror("ioctl(SIOCGETFS)"); + if (!(opts & OPT_AUTHSTATS) && ioctl(fd, SIOCGETFS, &fiop) == -1) { + perror("ioctl(ipf:SIOCGETFS)"); exit(-1); } if ((opts & OPT_IPSTATES)) { @@ -179,39 +311,44 @@ char *argv[]; perror("open"); exit(-1); } - if ((ioctl(sfd, SIOCGIPST, &ipsst) == -1)) { - perror("ioctl(SIOCGIPST)"); + if ((ioctl(sfd, SIOCGETFS, &ipsstp) == -1)) { + perror("ioctl(state:SIOCGETFS)"); exit(-1); } close(sfd); } - if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrst) == -1)) { + if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, &ifrstp) == -1)) { perror("ioctl(SIOCGFRST)"); exit(-1); } if (opts & OPT_VERBOSE) - printf("opts %#x name %s\n", opts, name ? name : "<>"); + PRINTF("opts %#x name %s\n", opts, name ? name : "<>"); if ((opts & OPT_AUTHSTATS) && - (ioctl(fd, SIOCATHST, &frauthst) == -1)) { + (ioctl(fd, SIOCATHST, &frauthstp) == -1)) { perror("ioctl(SIOCATHST)"); exit(-1); } - if (opts & OPT_SHOWLIST) { + if (opts & OPT_IPSTATES) { + showipstates(fd, ipsstp); + } else if (opts & OPT_SHOWLIST) { showlist(&fio); if ((opts & OPT_OUTQUE) && (opts & OPT_INQUE)){ opts &= ~OPT_OUTQUE; showlist(&fio); } } else { - if (opts & OPT_IPSTATES) - showipstates(fd, &ipsst); - else if (opts & OPT_FRSTATES) - showfrstates(fd, &ifrst); + if (opts & OPT_FRSTATES) + showfrstates(fd, ifrstp); +#ifdef STATETOP + else if (opts & OPT_STATETOP) + topipstates(fd, saddr, daddr, sport, dport, + protocol, refreshtime, topclosed); +#endif else if (opts & OPT_AUTHSTATS) - showauthstates(fd, &frauthst); + showauthstates(fd, frauthstp); else if (opts & OPT_GROUPS) showgroups(&fio); else @@ -234,67 +371,72 @@ struct friostat *fp; perror("ioctl(SIOCGETFF)"); #if SOLARIS - printf("dropped packets:\tin %lu\tout %lu\n", + PRINTF("dropped packets:\tin %lu\tout %lu\n", fp->f_st[0].fr_drop, fp->f_st[1].fr_drop); - printf("non-data packets:\tin %lu\tout %lu\n", + PRINTF("non-data packets:\tin %lu\tout %lu\n", fp->f_st[0].fr_notdata, fp->f_st[1].fr_notdata); - printf("no-data packets:\tin %lu\tout %lu\n", + PRINTF("no-data packets:\tin %lu\tout %lu\n", fp->f_st[0].fr_nodata, fp->f_st[1].fr_nodata); - printf("non-ip packets:\t\tin %lu\tout %lu\n", + PRINTF("non-ip packets:\t\tin %lu\tout %lu\n", fp->f_st[0].fr_notip, fp->f_st[1].fr_notip); - printf(" bad packets:\t\tin %lu\tout %lu\n", + PRINTF(" bad packets:\t\tin %lu\tout %lu\n", fp->f_st[0].fr_bad, fp->f_st[1].fr_bad); - printf("copied messages:\tin %lu\tout %lu\n", + PRINTF("copied messages:\tin %lu\tout %lu\n", fp->f_st[0].fr_copy, fp->f_st[1].fr_copy); #endif - printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu", +#ifdef USE_INET6 + PRINTF(" IPv6 packets:\t\tin %lu out %lu\n", + fp->f_st[0].fr_ipv6[0], fp->f_st[0].fr_ipv6[1]); +#endif + PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu", fp->f_st[0].fr_block, fp->f_st[0].fr_pass, fp->f_st[0].fr_nom); - printf(" counted %lu short %lu\n", + PRINTF(" counted %lu short %lu\n", fp->f_st[0].fr_acct, fp->f_st[0].fr_short); - printf("output packets:\t\tblocked %lu passed %lu nomatch %lu", + PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu", fp->f_st[1].fr_block, fp->f_st[1].fr_pass, fp->f_st[1].fr_nom); - printf(" counted %lu short %lu\n", + PRINTF(" counted %lu short %lu\n", fp->f_st[1].fr_acct, fp->f_st[1].fr_short); - printf(" input packets logged:\tblocked %lu passed %lu\n", + PRINTF(" input packets logged:\tblocked %lu passed %lu\n", fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl); - printf("output packets logged:\tblocked %lu passed %lu\n", + PRINTF("output packets logged:\tblocked %lu passed %lu\n", fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl); - printf(" packets logged:\tinput %lu output %lu\n", + PRINTF(" packets logged:\tinput %lu output %lu\n", fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl); - printf(" log failures:\t\tinput %lu output %lu\n", + PRINTF(" log failures:\t\tinput %lu output %lu\n", fp->f_st[0].fr_skip, fp->f_st[1].fr_skip); - printf("fragment state(in):\tkept %lu\tlost %lu\n", + PRINTF("fragment state(in):\tkept %lu\tlost %lu\n", fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr); - printf("fragment state(out):\tkept %lu\tlost %lu\n", + PRINTF("fragment state(out):\tkept %lu\tlost %lu\n", fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr); - printf("packet state(in):\tkept %lu\tlost %lu\n", + PRINTF("packet state(in):\tkept %lu\tlost %lu\n", fp->f_st[0].fr_ads, fp->f_st[0].fr_bads); - printf("packet state(out):\tkept %lu\tlost %lu\n", + PRINTF("packet state(out):\tkept %lu\tlost %lu\n", fp->f_st[1].fr_ads, fp->f_st[1].fr_bads); - printf("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n", + PRINTF("ICMP replies:\t%lu\tTCP RSTs sent:\t%lu\n", fp->f_st[0].fr_ret, fp->f_st[1].fr_ret); - printf("Result cache hits(in):\t%lu\t(out):\t%lu\n", + PRINTF("Invalid source(in):\t%lu\n", fp->f_st[0].fr_badsrc); + PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n", fp->f_st[0].fr_chit, fp->f_st[1].fr_chit); - printf("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n", + PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n", fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]); - printf("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n", + PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n", fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]); - printf("Fastroute successes:\t%lu\tfailures:\t%lu\n", + PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n", fp->f_froute[0], fp->f_froute[1]); - printf("TCP cksum fails(in):\t%lu\t(out):\t%lu\n", + PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n", fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad); - printf("Packet log flags set: (%#x)\n", frf); + PRINTF("Packet log flags set: (%#x)\n", frf); if (frf & FF_LOGPASS) - printf("\tpackets passed through filter\n"); + PRINTF("\tpackets passed through filter\n"); if (frf & FF_LOGBLOCK) - printf("\tpackets blocked by filter\n"); + PRINTF("\tpackets blocked by filter\n"); if (frf & FF_LOGNOMATCH) - printf("\tpackets not matched by filter\n"); + PRINTF("\tpackets not matched by filter\n"); if (!frf) - printf("\tnone\n"); + PRINTF("\tnone\n"); } @@ -314,18 +456,18 @@ frentry_t *fp; fp->fr_flags |= FR_OUTQUE; if (opts & (OPT_HITS|OPT_VERBOSE)) #ifdef USE_QUAD_T - printf("%qu ", fp->fr_hits); + PRINTF("%qu ", (unsigned long long) fp->fr_hits); #else - printf("%lu ", fp->fr_hits); + PRINTF("%lu ", fp->fr_hits); #endif if (opts & (OPT_ACCNT|OPT_VERBOSE)) #ifdef USE_QUAD_T - printf("%qu ", fp->fr_bytes); + PRINTF("%qu ", (unsigned long long) fp->fr_bytes); #else - printf("%lu ", fp->fr_bytes); + PRINTF("%lu ", fp->fr_bytes); #endif if (opts & OPT_SHOWLINENO) - printf("@%d ", n); + PRINTF("@%d ", n); printfr(fp); if (opts & OPT_VERBOSE) binprint(fp); @@ -355,24 +497,35 @@ struct friostat *fiop; } else if (opts & OPT_INQUE) fp = (struct frentry *)fiop->f_acctin[set]; else { - fprintf(stderr, "No -i or -o given with -a\n"); + FPRINTF(stderr, "No -i or -o given with -a\n"); return; } - } else if (opts & OPT_OUTQUE) { - i = F_OUT; - fp = (struct frentry *)fiop->f_fout[set]; - } else if (opts & OPT_INQUE) { - i = F_IN; - fp = (struct frentry *)fiop->f_fin[set]; - } else - return; + } else { +#ifdef USE_INET6 + if ((use_inet6) && (opts & OPT_OUTQUE)) { + i = F_OUT; + fp = (struct frentry *)fiop->f_fout6[set]; + } else if ((use_inet6) && (opts & OPT_INQUE)) { + i = F_IN; + fp = (struct frentry *)fiop->f_fin6[set]; + } else +#endif + if (opts & OPT_OUTQUE) { + i = F_OUT; + fp = (struct frentry *)fiop->f_fout[set]; + } else if (opts & OPT_INQUE) { + i = F_IN; + fp = (struct frentry *)fiop->f_fin[set]; + } else + return; + } if (opts & OPT_VERBOSE) - fprintf(stderr, "showlist:opts %#x i %d\n", opts, i); + FPRINTF(stderr, "showlist:opts %#x i %d\n", opts, i); if (opts & OPT_VERBOSE) - printf("fp %p set %d\n", fp, set); + PRINTF("fp %p set %d\n", fp, set); if (!fp) { - fprintf(stderr, "empty list for %s%s\n", + FPRINTF(stderr, "empty list for %s%s\n", (opts & OPT_INACTIVE) ? "inactive " : "", filters[i]); return; } @@ -385,126 +538,433 @@ int fd; ips_stat_t *ipsp; { ipstate_t *istab[IPSTATE_SIZE], ips; - int i; - printf("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n", - ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp); - printf("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, ipsp->iss_miss); - printf("\t%lu maximum\n\t%lu no memory\n\tbuckets in use\t%lu\n", - ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse); - printf("\t%lu active\n\t%lu expired\n\t%lu closed\n", - ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin); + if (!(opts & OPT_SHOWLIST)) { + PRINTF("IP states added:\n\t%lu TCP\n\t%lu UDP\n\t%lu ICMP\n", + ipsp->iss_tcp, ipsp->iss_udp, ipsp->iss_icmp); + PRINTF("\t%lu hits\n\t%lu misses\n", ipsp->iss_hits, + ipsp->iss_miss); + PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n", + ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse); + PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n", + ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin); + return; + } + if (kmemcpy((char *)istab, (u_long)ipsp->iss_table, sizeof(istab))) return; - for (i = 0; i < IPSTATE_SIZE; i++) { - while (istab[i]) { - if (kmemcpy((char *)&ips, (u_long)istab[i], - sizeof(ips)) == -1) - break; - printf("%s -> ", inet_ntoa(ips.is_src)); - printf("%s ttl %ld pass %#x pr %d state %d/%d\n", - inet_ntoa(ips.is_dst), ips.is_age, - ips.is_pass, ips.is_p, ips.is_state[0], - ips.is_state[1]); + + while (ipsp->iss_list) { + if (kmemcpy((char *)&ips, (u_long)ipsp->iss_list, sizeof(ips))) + break; + ipsp->iss_list = ips.is_next; + PRINTF("%s -> ", hostname(ips.is_v, &ips.is_src.in4)); + PRINTF("%s ttl %ld pass %#x pr %d state %d/%d\n", + hostname(ips.is_v, &ips.is_dst.in4), + ips.is_age, ips.is_pass, ips.is_p, + ips.is_state[0], ips.is_state[1]); #ifdef USE_QUAD_T - printf("\tpkts %qd bytes %qd", - ips.is_pkts, ips.is_bytes); + PRINTF("\tpkts %qu bytes %qu", + (unsigned long long) ips.is_pkts, + (unsigned long long) ips.is_bytes); #else - printf("\tpkts %ld bytes %ld", - ips.is_pkts, ips.is_bytes); + PRINTF("\tpkts %ld bytes %ld", ips.is_pkts, ips.is_bytes); #endif - if (ips.is_p == IPPROTO_TCP) + if (ips.is_p == IPPROTO_TCP) #if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ (__FreeBSD_version >= 220000) || defined(__OpenBSD__) - printf("\t%hu -> %hu %x:%x %hu:%hu", - ntohs(ips.is_sport), - ntohs(ips.is_dport), - ips.is_send, ips.is_dend, - ips.is_maxswin, ips.is_maxdwin); + PRINTF("\t%hu -> %hu %x:%x %hu:%hu", + ntohs(ips.is_sport), ntohs(ips.is_dport), + ips.is_send, ips.is_dend, + ips.is_maxswin, ips.is_maxdwin); #else - printf("\t%hu -> %hu %lx:%lx %hu:%hu", - ntohs(ips.is_sport), - ntohs(ips.is_dport), - ips.is_send, ips.is_dend, - ips.is_maxswin, ips.is_maxdwin); + PRINTF("\t%hu -> %hu %x:%x %hu:%hu", + ntohs(ips.is_sport), ntohs(ips.is_dport), + ips.is_send, ips.is_dend, + ips.is_maxswin, ips.is_maxdwin); #endif - else if (ips.is_p == IPPROTO_UDP) - printf(" %hu -> %hu", ntohs(ips.is_sport), - ntohs(ips.is_dport)); - else if (ips.is_p == IPPROTO_ICMP) - printf(" %hu %hu %d", ips.is_icmp.ics_id, - ips.is_icmp.ics_seq, - ips.is_icmp.ics_type); - - printf("\n\t"); - - if (ips.is_pass & FR_PASS) { - printf("pass"); - } else if (ips.is_pass & FR_BLOCK) { - printf("block"); - switch (ips.is_pass & FR_RETMASK) - { - case FR_RETICMP : - printf(" return-icmp"); - break; - case FR_FAKEICMP : - printf(" return-icmp-as-dest"); - break; - case FR_RETRST : - printf(" return-rst"); - break; - default : - break; - } - } else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) { - printf("log"); - if (ips.is_pass & FR_LOGBODY) - printf(" body"); - if (ips.is_pass & FR_LOGFIRST) - printf(" first"); - } else if (ips.is_pass & FR_ACCOUNT) - printf("count"); - - if (ips.is_pass & FR_OUTQUE) - printf(" out"); - else - printf(" in"); - - if ((ips.is_pass & FR_LOG) != 0) { - printf(" log"); - if (ips.is_pass & FR_LOGBODY) - printf(" body"); - if (ips.is_pass & FR_LOGFIRST) - printf(" first"); - if (ips.is_pass & FR_LOGORBLOCK) - printf(" or-block"); + else if (ips.is_p == IPPROTO_UDP) + PRINTF(" %hu -> %hu", ntohs(ips.is_sport), + ntohs(ips.is_dport)); + else if (ips.is_p == IPPROTO_ICMP +#ifdef USE_INET6 + || ips.is_p == IPPROTO_ICMPV6 +#endif + ) + PRINTF(" %hu %hu %d", ips.is_icmp.ics_id, + ips.is_icmp.ics_seq, ips.is_icmp.ics_type); + + PRINTF("\n\t"); + + if (ips.is_pass & FR_PASS) { + PRINTF("pass"); + } else if (ips.is_pass & FR_BLOCK) { + PRINTF("block"); + switch (ips.is_pass & FR_RETMASK) + { + case FR_RETICMP : + PRINTF(" return-icmp"); + break; + case FR_FAKEICMP : + PRINTF(" return-icmp-as-dest"); + break; + case FR_RETRST : + PRINTF(" return-rst"); + break; + default : + break; } - if (ips.is_pass & FR_QUICK) - printf(" quick"); - if (ips.is_pass & FR_KEEPFRAG) - printf(" keep frags"); - /* a given; no? */ - if (ips.is_pass & FR_KEEPSTATE) - printf(" keep state"); - printf("\n"); - - printf("\tpkt_flags & %x(%x) = %x,\t", - ips.is_flags & 0xf, ips.is_flags, - ips.is_flags >> 4); - printf("\tpkt_options & %x = %x\n", ips.is_optmsk, - ips.is_opt); - printf("\tpkt_security & %x = %x, pkt_auth & %x = %x\n", - ips.is_secmsk, ips.is_sec, ips.is_authmsk, - ips.is_auth); - istab[i] = ips.is_next; - printf("interfaces: in %s[%p] ", - get_ifname(ips.is_ifpin), ips.is_ifpin); - printf("out %s[%p]\n", - get_ifname(ips.is_ifpout), ips.is_ifpout); + } else if ((ips.is_pass & FR_LOGMASK) == FR_LOG) { + PRINTF("log"); + if (ips.is_pass & FR_LOGBODY) + PRINTF(" body"); + if (ips.is_pass & FR_LOGFIRST) + PRINTF(" first"); + } else if (ips.is_pass & FR_ACCOUNT) + PRINTF("count"); + + if (ips.is_pass & FR_OUTQUE) + PRINTF(" out"); + else + PRINTF(" in"); + + if ((ips.is_pass & FR_LOG) != 0) { + PRINTF(" log"); + if (ips.is_pass & FR_LOGBODY) + PRINTF(" body"); + if (ips.is_pass & FR_LOGFIRST) + PRINTF(" first"); + if (ips.is_pass & FR_LOGORBLOCK) + PRINTF(" or-block"); } + if (ips.is_pass & FR_QUICK) + PRINTF(" quick"); + if (ips.is_pass & FR_KEEPFRAG) + PRINTF(" keep frags"); + /* a given; no? */ + if (ips.is_pass & FR_KEEPSTATE) + PRINTF(" keep state"); + PRINTF("\tIPv%d", ips.is_v); + PRINTF("\n"); + + PRINTF("\tpkt_flags & %x(%x) = %x,\t", + ips.is_flags & 0xf, ips.is_flags, + ips.is_flags >> 4); + PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk, + ips.is_opt); + PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n", + ips.is_secmsk, ips.is_sec, ips.is_authmsk, + ips.is_auth); + PRINTF("interfaces: in %s[%p] ", + get_ifname(ips.is_ifpin), ips.is_ifpin); + PRINTF("out %s[%p]\n", + get_ifname(ips.is_ifpout), ips.is_ifpout); } } +#ifdef STATETOP +static void topipstates(fd, saddr, daddr, sport, dport, protocol, + refreshtime, topclosed) +int fd; +struct in_addr saddr; +struct in_addr daddr; +int sport; +int dport; +int protocol; +int refreshtime; +int topclosed; +{ + char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE]; + int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT; + int i, j, sfd, winx, tsentry, maxx, maxy, redraw = 0; + ipstate_t *istab[IPSTATE_SIZE], ips; + ips_stat_t ipsst, *ipsstp = &ipsst; + statetop_t *tstable = NULL, *tp; + struct timeval selecttimeout; + struct protoent *proto; + fd_set readfd; + char c = '\0'; + time_t t; + + /* open state device */ + if ((sfd = open(IPL_STATE, O_RDONLY)) == -1) { + perror("open"); + exit(-1); + } + + /* init ncurses stuff */ + initscr(); + cbreak(); + noecho(); + nodelay(stdscr, 1); + + /* repeat until user aborts */ + while ( 1 ) { + + /* get state table */ + bzero((char *)&ipsst, sizeof(&ipsst)); + if ((ioctl(sfd, SIOCGETFS, &ipsstp) == -1)) { + perror("ioctl(SIOCGETFS)"); + exit(-1); + } + if (kmemcpy((char *)istab, (u_long)ipsstp->iss_table, + sizeof(ips))) + return; + + /* clear the history */ + tsentry = -1; + + /* read the state table and store in tstable */ + while (ipsstp->iss_list) { + if (kmemcpy((char *)&ips, (u_long)ipsstp->iss_list, + sizeof(ips))) + break; + ipsstp->iss_list = ips.is_next; + + if (((saddr.s_addr == INADDR_ANY) || + (saddr.s_addr == ips.is_saddr)) && + ((daddr.s_addr == INADDR_ANY) || + (daddr.s_addr == ips.is_daddr)) && + ((protocol < 0) || (protocol == ips.is_p)) && + (((ips.is_p != IPPROTO_TCP) && + (ips.is_p != IPPROTO_UDP)) || + (((sport < 0) || + (htons(sport) == ips.is_sport)) && + ((dport < 0) || + (htons(dport) == ips.is_dport)))) && + (topclosed || (ips.is_p != IPPROTO_TCP) || + (ips.is_state[0] < TCPS_CLOSE_WAIT) || + (ips.is_state[1] < TCPS_CLOSE_WAIT))) { + /* + * if necessary make room for this state + * entry + */ + tsentry++; + if (!maxtsentries || + (tsentry == maxtsentries)) { + + maxtsentries += STGROWSIZE; + tstable = realloc(tstable, maxtsentries * sizeof(statetop_t)); + if (!tstable) { + perror("malloc"); + exit(-1); + } + } + + /* fill structure */ + tp = tstable + tsentry; + tp->st_src = ips.is_src; + tp->st_dst = ips.is_dst; + tp->st_p = ips.is_p; + tp->st_state[0] = ips.is_state[0]; + tp->st_state[1] = ips.is_state[1]; + tp->st_pkts = ips.is_pkts; + tp->st_bytes = ips.is_bytes; + tp->st_age = ips.is_age; + if ((ips.is_p == IPPROTO_TCP) || + (ips.is_p == IPPROTO_UDP)) { + tp->st_sport = ips.is_sport; + tp->st_dport = ips.is_dport; + } + + } + } + + + /* sort the array */ + if (tsentry != -1) + switch (sorting) + { + case STSORT_PR: + qsort(tstable, tsentry + 1, + sizeof(statetop_t), sort_p); + break; + case STSORT_PKTS: + qsort(tstable, tsentry + 1, + sizeof(statetop_t), sort_pkts); + break; + case STSORT_BYTES: + qsort(tstable, tsentry + 1, + sizeof(statetop_t), sort_bytes); + break; + case STSORT_TTL: + qsort(tstable, tsentry + 1, + sizeof(statetop_t), sort_ttl); + break; + default: + break; + } + + /* print title */ + erase(); + getmaxyx(stdscr, maxy, maxx); + attron(A_BOLD); + winx = 0; + move(winx,0); + sprintf(str1, "%s - state top", IPL_VERSION); + for(j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++) + printw(" "); + printw("%s", str1); + attroff(A_BOLD); + + /* just for fun add a clock */ + move(winx, maxx - 8); + t = time(NULL); + strftime(str1, 80, "%T", localtime(&t)); + printw("%s\n", str1); + + /* + * print the display filters, this is placed in the loop, + * because someday I might add code for changing these + * while the programming is running :-) + */ + if (sport >= 0) + sprintf(str1, "%s,%d", inet_ntoa(saddr), sport); + else + sprintf(str1, "%s", inet_ntoa(saddr)); + + if (dport >= 0) + sprintf(str2, "%s,%d", inet_ntoa(daddr), dport); + else + sprintf(str2, "%s", inet_ntoa(daddr)); + + if (protocol < 0) + strcpy(str3, "any"); + else if ((proto = getprotobynumber(protocol)) != NULL) + sprintf(str3, "%s", proto->p_name); + else + sprintf(str3, "%d", protocol); + + switch (sorting) + { + case STSORT_PR: + sprintf(str4, "proto"); + break; + case STSORT_PKTS: + sprintf(str4, "# pkts"); + break; + case STSORT_BYTES: + sprintf(str4, "# bytes"); + break; + case STSORT_TTL: + sprintf(str4, "ttl"); + break; + default: + sprintf(str4, "unknown"); + break; + } + + if (reverse) + strcat(str4, " (reverse)"); + + winx += 2; + move(winx,0); + printw("Src = %s Dest = %s Proto = %s Sorted by = %s\n\n", + str1, str2, str3, str4); + + /* print column description */ + winx += 2; + move(winx,0); + attron(A_BOLD); + printw("%-21s %-21s %3s %4s %7s %9s %9s\n", "Source IP", + "Destination IP", "ST", "PR", "#pkts", "#bytes", "ttl"); + attroff(A_BOLD); + + /* print all the entries */ + tp = tstable; + if (reverse) + tp += tsentry; + + for(i = 0; i <= tsentry; i++) { + /* print src/dest and port */ + if ((tp->st_p == IPPROTO_TCP) || + (tp->st_p == IPPROTO_UDP)) { + sprintf(str1, "%s,%hu", + inet_ntoa(tp->st_src.in4), + ntohs(tp->st_sport)); + sprintf(str2, "%s,%hu", + inet_ntoa(tp->st_dst.in4), + ntohs(tp->st_dport)); + } else { + sprintf(str1, "%s", inet_ntoa(tp->st_src.in4)); + sprintf(str2, "%s", inet_ntoa(tp->st_dst.in4)); + } + winx++; + move(winx, 0); + printw("%-21s %-21s", str1, str2); + + /* print state */ + sprintf(str1, "%X/%X", tp->st_state[0], + tp->st_state[1]); + printw(" %3s", str1); + + /* print proto */ + proto = getprotobynumber(tp->st_p); + if (proto) { + strncpy(str1, proto->p_name, 4); + str1[4] = '\0'; + } else { + sprintf(str1, "%d", tp->st_p); + } + printw(" %4s", str1); + /* print #pkt/#bytes */ +#ifdef USE_QUAD_T + printw(" %7qu %9qu", (unsigned long long) tp->st_pkts, + (unsigned long long) tp->st_bytes); +#else + printw(" %7lu %9lu", tp->st_pkts, tp->st_bytes); +#endif + printw(" %9s", ttl_to_string(tp->st_age)); + + if (reverse) + tp--; + else + tp++; + } + + /* screen data structure is filled, now update the screen */ + if (redraw) + clearok(stdscr,1); + + refresh(); + if (redraw) { + clearok(stdscr,0); + redraw = 0; + } + + /* wait for key press or a 1 second time out period */ + selecttimeout.tv_sec = refreshtime; + selecttimeout.tv_usec = 0; + FD_ZERO(&readfd); + FD_SET(0, &readfd); + select(1, &readfd, NULL, NULL, &selecttimeout); + + /* if key pressed, read all waiting keys */ + if (FD_ISSET(0, &readfd)) + while ((c = wgetch(stdscr)) != ERR) { + if (tolower(c) == 'l') { + redraw = 1; + } else if (tolower(c) == 'q') { + nocbreak(); + endwin(); + exit(0); + } else if (tolower(c) == 'r') { + reverse = !reverse; + } else if (tolower(c) == 's') { + sorting++; + if (sorting > STSORT_MAX) + sorting = 0; + } + } + } /* while */ + + close(sfd); + + printw("\n"); + nocbreak(); + endwin(); +} +#endif static void showfrstates(fd, ifsp) int fd; @@ -514,11 +974,11 @@ ipfrstat_t *ifsp; frentry_t fr; int i; - printf("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n", + PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n", ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits); - printf("\t%lu no memory\n\t%lu already exist\n", + PRINTF("\t%lu no memory\n\t%lu already exist\n", ifsp->ifs_nomem, ifsp->ifs_exists); - printf("\t%lu inuse\n", ifsp->ifs_inuse); + PRINTF("\t%lu inuse\n", ifsp->ifs_inuse); if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_table, sizeof(ipfrtab))) return; for (i = 0; i < IPFT_SIZE; i++) @@ -526,12 +986,29 @@ ipfrstat_t *ifsp; if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], sizeof(ifr)) == -1) break; - printf("%s -> ", inet_ntoa(ifr.ipfr_src)); + PRINTF("%s -> ", hostname(4, &ifr.ipfr_src)); + if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule, + sizeof(fr)) == -1) + break; + PRINTF("%s %d %d %d %#02x = %#x\n", + hostname(4, &ifr.ipfr_dst), ifr.ipfr_id, + ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos, + fr.fr_flags); + ipfrtab[i] = ifr.ipfr_next; + } + if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab))) + return; + for (i = 0; i < IPFT_SIZE; i++) + while (ipfrtab[i]) { + if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], + sizeof(ifr)) == -1) + break; + PRINTF("NAT: %s -> ", hostname(4, &ifr.ipfr_src)); if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule, sizeof(fr)) == -1) break; - printf("%s %d %d %d %#02x = %#x\n", - inet_ntoa(ifr.ipfr_dst), ifr.ipfr_id, + PRINTF("%s %d %d %d %#02x = %#x\n", + hostname(4, &ifr.ipfr_dst), ifr.ipfr_id, ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos, fr.fr_flags); ipfrtab[i] = ifr.ipfr_next; @@ -546,8 +1023,9 @@ fr_authstat_t *asp; frauthent_t *frap, fra; #ifdef USE_QUAD_T - printf("Authorisation hits: %qd\tmisses %qd\n", asp->fas_hits, - asp->fas_miss); + printf("Authorisation hits: %qu\tmisses %qu\n", + (unsigned long long) asp->fas_hits, + (unsigned long long) asp->fas_miss); #else printf("Authorisation hits: %ld\tmisses %ld\n", asp->fas_hits, asp->fas_miss); @@ -652,3 +1130,131 @@ struct friostat *fiop; printf("%hu\n", grp.fg_num); } } + +static void parse_ipportstr(argument, ip, port) +const char *argument; +struct in_addr *ip; +int *port; +{ + + char *s, *comma; + + /* make working copy of argument, Theoretically you must be able + * to write to optarg, but that seems very ugly to me.... + */ + if ((s = malloc(strlen(argument) + 1)) == NULL) + perror("malloc"); + strcpy(s, argument); + + /* get port */ + if ((comma = strchr(s, ',')) != NULL) { + if (!strcasecmp(s, "any")) { + *port = -1; + } else if (!sscanf(comma + 1, "%d", port) || + (*port < 0) || (*port > 65535)) { + fprintf(stderr, "Invalid port specfication in %s\n", + argument); + exit(-2); + } + *comma = '\0'; + } + + + /* get ip address */ + if (!strcasecmp(s, "any")) { + ip->s_addr = INADDR_ANY; + } else if (!inet_aton(s, ip)) { + fprintf(stderr, "Invalid IP address: %s\n", s); + exit(-2); + } + + /* free allocated memory */ + free(s); +} + + +#ifdef STATETOP +static char ttlbuf[STSTRSIZE]; + +static char *ttl_to_string(ttl) +long int ttl; +{ + + int hours, minutes, seconds; + + /* ttl is in half seconds */ + ttl /= 2; + + hours = ttl / 3600; + ttl = ttl % 3600; + minutes = ttl / 60; + seconds = ttl % 60; + + if (hours > 0 ) + sprintf(ttlbuf, "%2d:%02d:%02d", hours, minutes, seconds); + else + sprintf(ttlbuf, "%2d:%02d", minutes, seconds); + return ttlbuf; +} + + +static int sort_pkts(a, b) +const void *a; +const void *b; +{ + + register const statetop_t *ap = a; + register const statetop_t *bp = b; + + if (ap->st_pkts == bp->st_pkts) + return 0; + else if (ap->st_pkts < bp->st_pkts) + return 1; + return -1; +} + + +static int sort_bytes(a, b) +const void *a; +const void *b; +{ + register const statetop_t *ap = a; + register const statetop_t *bp = b; + + if (ap->st_bytes == bp->st_bytes) + return 0; + else if (ap->st_bytes < bp->st_bytes) + return 1; + return -1; +} + + +static int sort_p(a, b) +const void *a; +const void *b; +{ + register const statetop_t *ap = a; + register const statetop_t *bp = b; + + if (ap->st_p == bp->st_p) + return 0; + else if (ap->st_p < bp->st_p) + return 1; + return -1; +} + + +static int sort_ttl(a, b) +const void *a; +const void *b; +{ + register const statetop_t *ap = a; + register const statetop_t *bp = b; + + if (ap->st_age == bp->st_age) + return 0; + else if (ap->st_age < bp->st_age) + return 1; + return -1; +} +#endif diff --git a/sbin/ipfstat/kmem.c b/sbin/ipfstat/kmem.c index 0e04df3b9cc..7674d78999d 100644 --- a/sbin/ipfstat/kmem.c +++ b/sbin/ipfstat/kmem.c @@ -1,7 +1,7 @@ -/* $OpenBSD: kmem.c,v 1.15 2000/03/13 23:40:19 kjell Exp $ */ +/* $OpenBSD: kmem.c,v 1.16 2001/01/17 05:01:00 fgsch Exp $ */ /* - * Copyright (C) 1993-1998 by Darren Reed. + * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -22,18 +22,14 @@ #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: kmem.c,v 2.1 1999/08/04 17:30:09 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: kmem.c,v 2.2 2000/03/13 22:10:25 darrenr Exp $"; #endif static int kmemfd = -1; -int openkmem(nlistf, memf) -char *nlistf, *memf; +int openkmem() { - if (memf == NULL) - memf = KMEM; - - if ((kmemfd = open(memf,O_RDONLY)) == -1) + if ((kmemfd = open(KMEM,O_RDONLY)) == -1) { perror("kmeminit:open"); return -1; @@ -51,7 +47,7 @@ register int n; if (!n) return 0; if (kmemfd == -1) - if (openkmem(nlistf, memf) == -1) + if (openkmem() == -1) return -1; if (lseek(kmemfd, pos, 0) == -1) { @@ -82,7 +78,7 @@ register int n; if (!n) return 0; if (kmemfd == -1) - if (openkmem(nlistf, memf) == -1) + if (openkmem() == -1) return -1; if (lseek(kmemfd, pos, 0) == -1) { diff --git a/sbin/ipfstat/kmem.h b/sbin/ipfstat/kmem.h index bc01009e090..61b4ad24de4 100644 --- a/sbin/ipfstat/kmem.h +++ b/sbin/ipfstat/kmem.h @@ -1,12 +1,12 @@ -/* $OpenBSD: kmem.h,v 1.12 2000/03/13 23:40:19 kjell Exp $ */ +/* $OpenBSD: kmem.h,v 1.13 2001/01/17 05:01:01 fgsch Exp $ */ /* - * Copyright (C) 1993-1998 by Darren Reed. + * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. - * $IPFilter: kmem.h,v 2.1 1999/08/04 17:30:10 darrenr Exp $ + * $IPFilter: kmem.h,v 2.2 2000/03/13 22:10:25 darrenr Exp $ */ #ifndef __KMEM_H__ @@ -19,7 +19,7 @@ # define __P(x) () # endif #endif -extern int openkmem __P((char *, char *)); +extern int openkmem __P((void)); extern int kmemcpy __P((char *, long, int)); extern int kstrncpy __P((char *, long, int)); @@ -27,9 +27,6 @@ extern int kstrncpy __P((char *, long, int)); # include <paths.h> #endif -extern char *nlistf; -extern char *memf; - #ifdef _PATH_KMEM # define KMEM _PATH_KMEM #else diff --git a/sbin/ipnat/Makefile b/sbin/ipnat/Makefile index 10d4bf17f1b..3ed89451018 100644 --- a/sbin/ipnat/Makefile +++ b/sbin/ipnat/Makefile @@ -1,8 +1,8 @@ -# $OpenBSD: Makefile,v 1.9 2000/04/26 21:04:00 deraadt Exp $ +# $OpenBSD: Makefile,v 1.10 2001/01/17 05:01:01 fgsch Exp $ PROG= ipnat MAN= ipnat.8 ipnat.4 ipnat.5 -SRCS= ipnat.c kmem.c natparse.c ifaddr.c +SRCS= ipnat.c kmem.c natparse.c common.c ifaddr.c .PATH: ${.CURDIR}/../ipfstat ${.CURDIR}/../ipf CFLAGS+=-I${.CURDIR}/../../sbin/ipfstat -I${.CURDIR}/../ipf diff --git a/sbin/ipnat/ipnat.c b/sbin/ipnat/ipnat.c index 3cfc24a5892..9a3b9db453b 100644 --- a/sbin/ipnat/ipnat.c +++ b/sbin/ipnat/ipnat.c @@ -1,7 +1,7 @@ -/* $OpenBSD: ipnat.c,v 1.38 2000/08/10 05:50:27 kjell Exp $ */ +/* $OpenBSD: ipnat.c,v 1.39 2001/01/17 05:01:01 fgsch Exp $ */ /* - * Copyright (C) 1993-1998 by Darren Reed. + * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -43,10 +43,11 @@ #include <arpa/inet.h> #include <resolv.h> #include <ctype.h> -#include <netinet/ip_fil_compat.h> +#include <netinet/ip_compat.h> #include <netinet/ip_fil.h> #include <netinet/ip_proxy.h> #include <netinet/ip_nat.h> +#include "ipf.h" #include "kmem.h" #if defined(sun) && !SOLARIS2 @@ -58,26 +59,25 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: ipnat.c,v 2.1.2.3 2000/07/27 13:07:07 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: ipnat.c,v 2.16.2.5 2000/12/02 00:15:04 darrenr Exp $"; #endif #if SOLARIS #define bzero(a,b) memset(a,0,b) #endif +#ifdef USE_INET6 +int use_inet6 = 0; +#endif + +static char thishost[MAXHOSTNAMELEN]; + extern char *optarg; -char *nlistf = NULL, *memf = NULL; extern ipnat_t *natparse __P((char *, int)); extern void natparsefile __P((int, char *, int)); extern void printnat __P((ipnat_t *, int, void *)); -#if defined(__OpenBSD__) -extern int if_addr __P((char *, struct in_addr *)); -#endif - -u_32_t hostnum __P((char *, int *, int)); -u_32_t hostmask __P((char *)); void dostats __P((int, int)), flushtable __P((int, int)); void usage __P((char *)); int countbits __P((u_32_t)); @@ -86,15 +86,6 @@ int main __P((int, char*[])); void printaps __P((ap_session_t *, int)); char *getsumd __P((u_32_t)); -#define OPT_REM 1 -#define OPT_NODO 2 -#define OPT_STAT 4 -#define OPT_LIST 8 -#define OPT_VERBOSE 16 -#define OPT_FLUSH 32 -#define OPT_CLEAR 64 -#define OPT_HITS 128 - void usage(name) char *name; @@ -124,12 +115,15 @@ char *argv[]; char *file = NULL; int fd = -1, opts = 0, c, mode = O_RDWR; - while ((c = getopt(argc, argv, "CFf:hlnrsv")) != -1) + while ((c = getopt(argc, argv, "CdFf:hlnrsv")) != -1) switch (c) { case 'C' : opts |= OPT_CLEAR; break; + case 'd' : + opts |= OPT_DEBUG; + break; case 'f' : file = optarg; break; @@ -148,7 +142,7 @@ char *argv[]; mode = O_RDONLY; break; case 'r' : - opts |= OPT_REM; + opts |= OPT_REMOVE; break; case 's' : opts |= OPT_STAT; @@ -161,6 +155,9 @@ char *argv[]; usage(argv[0]); } + gethostname(thishost, sizeof(thishost)); + thishost[sizeof(thishost) - 1] = '\0'; + if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, mode)) == -1) && ((fd = open(IPL_NAT, O_RDONLY)) == -1)) { (void) fprintf(stderr, "%s: open: %s\n", IPL_NAT, @@ -178,40 +175,12 @@ char *argv[]; } -/* - * count consecutive 1's in bit mask. If the mask generated by counting - * consecutive 1's is different to that passed, return -1, else return # - * of bits. - */ -int countbits(ip) -u_32_t ip; -{ - u_32_t ipn; - int cnt = 0, i, j; - - ip = ipn = ntohl(ip); - for (i = 32; i; i--, ipn *= 2) - if (ipn & 0x80000000) - cnt++; - else - break; - ipn = 0; - for (i = 32, j = cnt; i; i--, j--) { - ipn *= 2; - if (j > 0) - ipn++; - } - if (ipn == ip) - return cnt; - return -1; -} - - void printaps(aps, opts) ap_session_t *aps; int opts; { ap_session_t ap; + ftpinfo_t ftp; aproxy_t apr; raudio_t ra; @@ -223,7 +192,8 @@ int opts; apr.apr_p, apr.apr_ref, apr.apr_flags); printf("\t\tproto %d flags %#x bytes ", ap.aps_p, ap.aps_flags); #ifdef USE_QUAD_T - printf("%qu pkts %qu", ap.aps_bytes, ap.aps_pkts); + printf("%qu pkts %qu", (unsigned long long)ap.aps_bytes, + (unsigned long long)ap.aps_pkts); #else printf("%lu pkts %lu", ap.aps_bytes, ap.aps_pkts); #endif @@ -259,6 +229,29 @@ int opts; printf("\t\tMode: %#x\tSBF: %#x\n", ra.rap_mode, ra.rap_sbf); printf("\t\tPorts:pl %hu, pr %hu, sr %hu\n", ra.rap_plport, ra.rap_prport, ra.rap_srport); + } else if (!strcmp(apr.apr_label, "ftp") && + (ap.aps_psiz == sizeof(ftp))) { + if (kmemcpy((char *)&ftp, (long)ap.aps_data, sizeof(ftp))) + return; + printf("\tFTP Proxy:\n"); + printf("\t\tpassok: %d\n", ftp.ftp_passok); + ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0'; + ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0'; + printf("\tClient:\n"); + printf("\t\trptr %p wptr %p seq %x len %d junk %d\n", + ftp.ftp_side[0].ftps_rptr, ftp.ftp_side[0].ftps_wptr, + ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_len, + ftp.ftp_side[0].ftps_junk); + printf("\t\tbuf ["); + printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1); + printf("]\n\tServer:\n"); + printf("\t\trptr %p wptr %p seq %x len %d junk %d\n", + ftp.ftp_side[1].ftps_rptr, ftp.ftp_side[1].ftps_wptr, + ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_len, + ftp.ftp_side[1].ftps_junk); + printf("\t\tbuf ["); + printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1); + printf("]\n"); } } @@ -301,14 +294,13 @@ ipnat_t *ipnat; void dostats(fd, opts) int fd, opts; { - natstat_t ns; + natstat_t ns, *nsp = &ns; + nat_t **nt[2], *np, nat; ipnat_t ipn; - nat_t **nt[2], *np, nat; - int i = 0; bzero((char *)&ns, sizeof(ns)); - if (!(opts & OPT_NODO) && ioctl(fd, SIOCGNATS, &ns) == -1) { + if (!(opts & OPT_NODO) && ioctl(fd, SIOCGNATS, &nsp) == -1) { perror("ioctl(SIOCGNATS)"); return; } @@ -318,7 +310,10 @@ int fd, opts; ns.ns_mapped[0], ns.ns_mapped[1]); printf("added\t%lu\texpired\t%lu\n", ns.ns_added, ns.ns_expire); + printf("no memory\t%lu\tbad nat\t%lu\n", + ns.ns_memfail, ns.ns_badnat); printf("inuse\t%lu\nrules\t%lu\n", ns.ns_inuse, ns.ns_rules); + printf("wilds\t%u\n", ns.ns_wilds); if (opts & OPT_VERBOSE) printf("table %p list %p\n", ns.ns_table, ns.ns_list); } @@ -332,7 +327,8 @@ int fd, opts; } if (opts & OPT_HITS) printf("%d ", ipn.in_hits); - printnat(&ipn, opts & OPT_VERBOSE, (void *)ns.ns_list); + printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE), + (void *)ns.ns_list); ns.ns_list = ipn.in_next; } @@ -359,12 +355,19 @@ int fd, opts; printf("\n\tage %lu use %hu sumd %s/", nat.nat_age, nat.nat_use, getsumd(nat.nat_sumd[0])); - printf("%s pr %u bkt %d flags %x ", + printf("%s pr %u bkt %d/%d flags %x ", getsumd(nat.nat_sumd[1]), nat.nat_p, - i, nat.nat_flags); + (int)NAT_HASH_FN(nat.nat_inip.s_addr, + nat.nat_inport, + NAT_TABLE_SZ), + (int)NAT_HASH_FN(nat.nat_outip.s_addr, + nat.nat_outport, + NAT_TABLE_SZ), + nat.nat_flags); #ifdef USE_QUAD_T printf("bytes %qu pkts %qu", - nat.nat_bytes, nat.nat_pkts); + (unsigned long long)nat.nat_bytes, + (unsigned long long)nat.nat_pkts); #else printf("bytes %lu pkts %lu", nat.nat_bytes, nat.nat_pkts); @@ -383,68 +386,6 @@ int fd, opts; } -u_32_t hostmask(msk) -char *msk; -{ - int bits = -1; - u_32_t mask; - - if (!isdigit(*msk)) - return (u_32_t)-1; - if (strchr(msk, '.')) - return inet_addr(msk); - if (strchr(msk, 'x')) - return (u_32_t)strtol(msk, NULL, 0); - /* - * set x most significant bits - */ - for (mask = 0, bits = atoi(msk); bits; bits--) { - mask /= 2; - mask |= ntohl(inet_addr("128.0.0.0")); - } - mask = htonl(mask); - return mask; -} - - -/* - * returns an ip address as a long var as a result of either a DNS lookup or - * straight inet_addr() call - */ -u_32_t hostnum(host, resolved, linenum) -char *host; -int *resolved; -int linenum; -{ - struct hostent *hp; - struct netent *np; -#if defined(__OpenBSD__) - struct in_addr addr; -#endif - - *resolved = 0; - if (!strcasecmp("any", host)) - return 0L; - if (isdigit(*host)) - return inet_addr(host); - -#if defined(__OpenBSD__) - /* attempt a map from interface name to address */ - if (if_addr(host, &addr)) - return (u_32_t)addr.s_addr; -#endif - if (!(hp = gethostbyname(host))) { - if (!(np = getnetbyname(host))) { - *resolved = -1; - fprintf(stderr, "Line %d: can't resolve hostname: %s\n", linenum, host); - return 0; - } - return htonl(np->n_net); - } - return *(u_32_t *)hp->h_addr; -} - - void flushtable(fd, opts) int fd, opts; { @@ -452,15 +393,15 @@ int fd, opts; if (opts & OPT_FLUSH) { n = 0; - if (!(opts & OPT_NODO) && ioctl(fd, SIOCFLNAT, &n) == -1) + if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1) perror("ioctl(SIOCFLNAT)"); else printf("%d entries flushed from NAT table\n", n); } if (opts & OPT_CLEAR) { - n = 0; - if (!(opts & OPT_NODO) && ioctl(fd, SIOCCNATL, &n) == -1) + n = 1; + if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1) perror("ioctl(SIOCCNATL)"); else printf("%d entries flushed from NAT list\n", n); diff --git a/sbin/ipnat/natparse.c b/sbin/ipnat/natparse.c index 62c40794f15..5836f260d03 100644 --- a/sbin/ipnat/natparse.c +++ b/sbin/ipnat/natparse.c @@ -1,7 +1,7 @@ -/* $OpenBSD: natparse.c,v 1.6 2000/08/10 05:50:27 kjell Exp $ */ +/* $OpenBSD: natparse.c,v 1.7 2001/01/17 05:01:01 fgsch Exp $ */ /* - * Copyright (C) 1993-1998 by Darren Reed. + * Copyright (C) 1993-2000 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given @@ -41,10 +41,11 @@ #include <arpa/inet.h> #include <resolv.h> #include <ctype.h> -#include <netinet/ip_fil_compat.h> +#include <netinet/ip_compat.h> #include <netinet/ip_fil.h> #include <netinet/ip_proxy.h> #include <netinet/ip_nat.h> +#include "ipf.h" #if defined(sun) && !SOLARIS2 # define STRERROR(x) sys_errlist[x] @@ -55,7 +56,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$IPFilter: natparse.c,v 1.2.2.3 2000/06/25 07:13:28 darrenr Exp $"; +static const char rcsid[] = "@(#)$IPFilter: natparse.c,v 1.17.2.6 2000/07/08 02:14:40 darrenr Exp $"; #endif @@ -64,27 +65,17 @@ static const char rcsid[] = "@(#)$IPFilter: natparse.c,v 1.2.2.3 2000/06/25 07:1 #endif extern int countbits __P((u_32_t)); -extern u_32_t hostnum __P((char *, int *, int)); +extern char *proto; ipnat_t *natparse __P((char *, int)); void printnat __P((ipnat_t *, int, void *)); void natparsefile __P((int, char *, int)); -u_32_t n_hostmask __P((char *)); -u_short n_portnum __P((char *, char *, int)); void nat_setgroupmap __P((struct ipnat *)); -#define OPT_REM 1 -#define OPT_NODO 2 -#define OPT_STAT 4 -#define OPT_LIST 8 -#define OPT_VERBOSE 16 -#define OPT_FLUSH 32 -#define OPT_CLEAR 64 - -void printnat(np, verbose, ptr) +void printnat(np, opts, ptr) ipnat_t *np; -int verbose; +int opts; void *ptr; { struct protoent *pr; @@ -94,16 +85,16 @@ void *ptr; switch (np->in_redir) { case NAT_REDIRECT : - printf("rdr "); + printf("rdr"); break; case NAT_MAP : - printf("map "); + printf("map"); break; case NAT_MAPBLK : - printf("map-block "); + printf("map-block"); break; case NAT_BIMAP : - printf("bimap "); + printf("bimap"); break; default : fprintf(stderr, "unknown value for in_redir: %#x\n", @@ -111,25 +102,56 @@ void *ptr; break; } + printf(" %s ", np->in_ifname); + + if (np->in_flags & IPN_FILTER) { + if (np->in_flags & IPN_NOTSRC) + printf("! "); + printf("from "); + if (np->in_redir == NAT_REDIRECT) { + printhostmask(4, (u_32_t *)&np->in_srcip, + (u_32_t *)&np->in_srcmsk); + if (np->in_scmp) + printportcmp(np->in_p, &np->in_tuc.ftu_src); + } else { + printhostmask(4, (u_32_t *)&np->in_inip, + (u_32_t *)&np->in_inmsk); + if (np->in_dcmp) + printportcmp(np->in_p, &np->in_tuc.ftu_dst); + } + + if (np->in_flags & IPN_NOTDST) + printf(" !"); + printf(" to "); + if (np->in_redir == NAT_REDIRECT) { + printhostmask(4, (u_32_t *)&np->in_outip, + (u_32_t *)&np->in_outmsk); + if (np->in_dcmp) + printportcmp(np->in_p, &np->in_tuc.ftu_dst); + } else { + printhostmask(4, (u_32_t *)&np->in_srcip, + (u_32_t *)&np->in_srcmsk); + if (np->in_scmp) + printportcmp(np->in_p, &np->in_tuc.ftu_src); + } + } + if (np->in_redir == NAT_REDIRECT) { - printf("%s ", np->in_ifname); - if (np->in_src[0].s_addr || np->in_src[1].s_addr) { - printf("from %s",inet_ntoa(np->in_src[0])); - bits = countbits(np->in_src[1].s_addr); + if (!(np->in_flags & IPN_FILTER)) { + printf("%s", inet_ntoa(np->in_out[0])); + bits = countbits(np->in_out[1].s_addr); if (bits != -1) printf("/%d ", bits); else - printf("/%s ", inet_ntoa(np->in_src[1])); + printf("/%s ", inet_ntoa(np->in_out[1])); + if (np->in_pmin) + printf("port %d", ntohs(np->in_pmin)); + if (np->in_pmax != np->in_pmin) + printf("- %d", ntohs(np->in_pmax)); } - printf("%s",inet_ntoa(np->in_out[0])); - bits = countbits(np->in_out[1].s_addr); - if (bits != -1) - printf("/%d ", bits); - else - printf("/%s ", inet_ntoa(np->in_out[1])); - if (np->in_pmin) - printf("port %d ", ntohs(np->in_pmin)); - printf("-> %s", inet_ntoa(np->in_in[0])); + printf(" -> %s", inet_ntoa(np->in_in[0])); + if (np->in_flags & IPN_SPLIT) + printf(",%s", inet_ntoa(np->in_in[1])); if (np->in_pnext) printf(" port %d", ntohs(np->in_pnext)); if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) @@ -138,21 +160,25 @@ void *ptr; printf(" tcp"); else if ((np->in_flags & IPN_UDP) == IPN_UDP) printf(" udp"); + if (np->in_flags & IPN_ROUNDR) + printf(" round-robin"); printf("\n"); - if (verbose) - printf("\t%p %lu %x %u %p %d\n", np->in_ifp, - np->in_space, np->in_flags, np->in_pnext, np, + if (opts & OPT_DEBUG) + printf("\t%p %lu %#x %u %p %d\n", np->in_ifp, + np->in_space, np->in_flags, np->in_pmax, np, np->in_use); } else { np->in_nextip.s_addr = htonl(np->in_nextip.s_addr); - printf("%s %s/", np->in_ifname, inet_ntoa(np->in_in[0])); - bits = countbits(np->in_in[1].s_addr); - if (bits != -1) - printf("%d ", bits); - else - printf("%s", inet_ntoa(np->in_in[1])); + if (!(np->in_flags & IPN_FILTER)) { + printf("%s/", inet_ntoa(np->in_in[0])); + bits = countbits(np->in_in[1].s_addr); + if (bits != -1) + printf("%d ", bits); + else + printf("%s", inet_ntoa(np->in_in[1])); + } printf(" -> "); - if (np->in_flags & IPN_RANGE) { + if (np->in_flags & IPN_IPRANGE) { printf("range %s-", inet_ntoa(np->in_out[0])); printf("%s", inet_ntoa(np->in_out[1])); } else { @@ -185,13 +211,13 @@ void *ptr; printf("%d", np->in_p); } else if (np->in_redir == NAT_MAPBLK) { printf(" ports %d", np->in_pmin); - if (verbose) + if (opts & OPT_VERBOSE) printf("\n\tip modulous %d", np->in_pmax); } else if (np->in_pmin || np->in_pmax) { printf(" portmap"); if (np->in_flags & IPN_AUTOPORTMAP) { printf(" auto"); - if (verbose) + if (opts & OPT_DEBUG) printf(" [%d:%d %d %d]", ntohs(np->in_pmin), ntohs(np->in_pmax), @@ -208,7 +234,7 @@ void *ptr; } } printf("\n"); - if (verbose) { + if (opts & OPT_DEBUG) { printf("\tifp %p space %lu nextip %s pnext %d", np->in_ifp, np->in_space, inet_ntoa(np->in_nextip), np->in_pnext); @@ -247,161 +273,221 @@ ipnat_t *natparse(line, linenum) char *line; int linenum; { - struct protoent *pr; static ipnat_t ipn; - char *s, *t; - char *shost, *snetm, *dhost, *proto, *srchost, *srcnetm; - char *dnetm = NULL, *dport = NULL, *tport = NULL; - int resolved; + struct protoent *pr; + char *dnetm = NULL, *dport = NULL; + char *s, *t, *cps[31], **cpp; + int i, cnt; - srchost = NULL; - srcnetm = NULL; - bzero((char *)&ipn, sizeof(ipn)); if ((s = strchr(line, '\n'))) *s = '\0'; if ((s = strchr(line, '#'))) *s = '\0'; + while (*line && isspace(*line)) + line++; if (!*line) return NULL; - if (!(s = strtok(line, " \t"))) + + bzero((char *)&ipn, sizeof(ipn)); + cnt = 0; + + for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++) + cps[++i] = strtok(NULL, " \b\t\r\n"); + + cps[i] = NULL; + + if (cnt < 3) { + fprintf(stderr, "%d: not enough segments in line\n", linenum); return NULL; - if (!strcasecmp(s, "map")) + } + + cpp = cps; + + if (!strcasecmp(*cpp, "map")) ipn.in_redir = NAT_MAP; - else if (!strcasecmp(s, "map-block")) + else if (!strcasecmp(*cpp, "map-block")) ipn.in_redir = NAT_MAPBLK; - else if (!strcasecmp(s, "rdr")) + else if (!strcasecmp(*cpp, "rdr")) ipn.in_redir = NAT_REDIRECT; - else if (!strcasecmp(s, "bimap")) + else if (!strcasecmp(*cpp, "bimap")) ipn.in_redir = NAT_BIMAP; else { fprintf(stderr, "%d: unknown mapping: \"%s\"\n", - linenum, s); + linenum, *cpp); return NULL; } - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, "%d: missing fields (interface)\n", - linenum); - return NULL; - } + cpp++; - strncpy(ipn.in_ifname, s, sizeof(ipn.in_ifname) - 1); + strncpy(ipn.in_ifname, *cpp, sizeof(ipn.in_ifname) - 1); ipn.in_ifname[sizeof(ipn.in_ifname) - 1] = '\0'; - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, "%d: missing fields (%s)\n", linenum, - ipn.in_redir ? "from source | destination" : "source"); - return NULL; - } + cpp++; - if ((ipn.in_redir == NAT_REDIRECT) && !strcasecmp(s, "from")) { - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, - "%d: missing fields (source address)\n", - linenum); + if (!strcasecmp(*cpp, "from") || (**cpp == '!')) { + if (!strcmp(*cpp, "!")) { + cpp++; + if (strcasecmp(*cpp, "from")) { + fprintf(stderr, "Missing from after !\n"); + return NULL; + } + ipn.in_flags |= IPN_NOTSRC; + } else if (**cpp == '!') { + if (strcasecmp(*cpp + 1, "from")) { + fprintf(stderr, "Missing from after !\n"); + return NULL; + } + ipn.in_flags |= IPN_NOTSRC; + } + if ((ipn.in_flags & IPN_NOTSRC) && + (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) { + fprintf(stderr, "Cannot use '! from' with map\n"); return NULL; } - srchost = s; - srcnetm = strrchr(srchost, '/'); + ipn.in_flags |= IPN_FILTER; + cpp++; + if (ipn.in_redir == NAT_REDIRECT) { + if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip, + (u_32_t *)&ipn.in_srcmsk, + &ipn.in_sport, &ipn.in_scmp, + &ipn.in_stop, linenum)) { + return NULL; + } + } else { + if (hostmask(&cpp, (u_32_t *)&ipn.in_inip, + (u_32_t *)&ipn.in_inmsk, + &ipn.in_sport, &ipn.in_scmp, + &ipn.in_stop, linenum)) { + return NULL; + } + } - if (srcnetm == NULL) { - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, - "%d: missing fields (source netmask)\n", - linenum); - return NULL; - } + if (!strcmp(*cpp, "!")) { + cpp++; + ipn.in_flags |= IPN_NOTDST; + } else if (**cpp == '!') { + (*cpp)++; + ipn.in_flags |= IPN_NOTDST; + } - if (strcasecmp(s, "netmask")) { - fprintf(stderr, - "%d: missing fields (netmask)\n", - linenum); + if (strcasecmp(*cpp, "to")) { + fprintf(stderr, "%d: unexpected keyword (%s) - to\n", + linenum, *cpp); + return NULL; + } + if ((ipn.in_flags & IPN_NOTDST) && + (ipn.in_redir & (NAT_REDIRECT))) { + fprintf(stderr, "Cannot use '! to' with rdr\n"); + return NULL; + } + + if (!*++cpp) { + fprintf(stderr, "%d: missing host after to\n", linenum); + return NULL; + } + if (ipn.in_redir == NAT_REDIRECT) { + if (hostmask(&cpp, (u_32_t *)&ipn.in_outip, + (u_32_t *)&ipn.in_outmsk, + &ipn.in_dport, &ipn.in_dcmp, + &ipn.in_dtop, linenum)) { + return NULL; + } + ipn.in_pmin = htons(ipn.in_dport); + } else { + if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip, + (u_32_t *)&ipn.in_srcmsk, + &ipn.in_dport, &ipn.in_dcmp, + &ipn.in_dtop, linenum)) { + return NULL; + } + } + } else { + s = *cpp; + if (!s) + return NULL; + t = strchr(s, '/'); + if (!t) + return NULL; + *t++ = '\0'; + if (ipn.in_redir == NAT_REDIRECT) { + if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1) + return NULL; + if (genmask(t, (u_32_t *)&ipn.in_outmsk) == -1) { return NULL; } - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, - "%d: missing fields (source netmask)\n", - linenum); + } else { + if (hostnum((u_32_t *)&ipn.in_inip, s, linenum) == -1) + return NULL; + if (genmask(t, (u_32_t *)&ipn.in_inmsk) == -1) { return NULL; } - srcnetm = s; } - if (*srcnetm == '/') - *srcnetm++ = '\0'; + cpp++; + if (!*cpp) + return NULL; + } - /* re read the next word -- destination */ - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, - "%d: missing fields (destination)\n", linenum); + if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) { + if (strcasecmp(*cpp, "port")) { + fprintf(stderr, "%d: missing fields - 1st port\n", + linenum); return NULL; } - } - - shost = s; + cpp++; - if (ipn.in_redir == NAT_REDIRECT) { - if (!(s = strtok(NULL, " \t"))) { + if (!*cpp) { fprintf(stderr, "%d: missing fields (destination port)\n", linenum); return NULL; } - if (strcasecmp(s, "port")) { - fprintf(stderr, "%d: missing fields (port)\n", linenum); - return NULL; - } + if (isdigit(**cpp) && (s = strchr(*cpp, '-'))) + *s++ = '\0'; + else + s = NULL; - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, - "%d: missing fields (destination port)\n", - linenum); + if (!portnum(*cpp, &ipn.in_pmin, linenum)) return NULL; + ipn.in_pmin = htons(ipn.in_pmin); + cpp++; + + if (!strcmp(*cpp, "-")) { + cpp++; + s = *cpp++; } - dport = s; + if (s) { + if (!portnum(s, &ipn.in_pmax, linenum)) + return NULL; + ipn.in_pmax = htons(ipn.in_pmax); + } else + ipn.in_pmax = ipn.in_pmin; } - - if (!(s = strtok(NULL, " \t"))) { + if (!*cpp) { fprintf(stderr, "%d: missing fields (->)\n", linenum); return NULL; } - if (!strcmp(s, "->")) { - snetm = strrchr(shost, '/'); - if (!snetm) { - fprintf(stderr, - "%d: missing fields (%s netmask)\n", linenum, - ipn.in_redir ? "destination" : "source"); - return NULL; - } - } else { - if (strcasecmp(s, "netmask")) { - fprintf(stderr, "%d: missing fields (netmask)\n", - linenum); - return NULL; - } - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, - "%d: missing fields (%s netmask)\n", linenum, - ipn.in_redir ? "destination" : "source"); - return NULL; - } - snetm = s; + if (strcmp(*cpp, "->")) { + fprintf(stderr, "%d: missing ->\n", linenum); + return NULL; } + cpp++; - if (!(s = strtok(NULL, " \t"))) { + if (!*cpp) { fprintf(stderr, "%d: missing fields (%s)\n", - linenum, ipn.in_redir ? "destination":"target"); + linenum, ipn.in_redir ? "destination" : "target"); return NULL; } if (ipn.in_redir == NAT_MAP) { - if (!strcasecmp(s, "range")) { - ipn.in_flags |= IPN_RANGE; - if (!(s = strtok(NULL, " \t"))) { + if (!strcasecmp(*cpp, "range")) { + cpp++; + ipn.in_flags |= IPN_IPRANGE; + if (!*cpp) { fprintf(stderr, "%d: missing fields (%s)\n", linenum, ipn.in_redir ? "destination":"target"); @@ -409,187 +495,167 @@ int linenum; } } } - dhost = s; - if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) { - if (ipn.in_flags & IPN_RANGE) { - dnetm = strrchr(dhost, '-'); - if (dnetm == NULL) { - if (!(s = strtok(NULL, " \t"))) - dnetm = NULL; - else { - if (strcmp(s, "-")) - s = NULL; - else if ((s = strtok(NULL, " \t"))) { - dnetm = s; - } - } - } else - *dnetm++ = '\0'; - if (dnetm == NULL || *dnetm == '\0') { - fprintf(stderr, - "%d: desination range not specified\n", - linenum); - return NULL; - } - } else { - dnetm = strrchr(dhost, '/'); - if (dnetm == NULL) { - if (!(s = strtok(NULL, " \t"))) - dnetm = NULL; - else if (!strcasecmp(s, "netmask")) - if ((s = strtok(NULL, " \t")) != NULL) - dnetm = s; - } - if (dnetm == NULL) { - fprintf(stderr, - "%d: missing fields (dest netmask)\n", - linenum); - return NULL; - } - if (*dnetm == '/') - *dnetm++ = '\0'; + if (ipn.in_flags & IPN_IPRANGE) { + dnetm = strrchr(*cpp, '-'); + if (dnetm == NULL) { + cpp++; + if (*cpp && !strcmp(*cpp, "-") && *(cpp + 1)) + dnetm = *(cpp + 1); + } else + *dnetm++ = '\0'; + if (dnetm == NULL || *dnetm == '\0') { + fprintf(stderr, + "%d: desination range not specified\n", + linenum); + return NULL; + } + } else if (ipn.in_redir != NAT_REDIRECT) { + dnetm = strrchr(*cpp, '/'); + if (dnetm == NULL) { + cpp++; + if (*cpp && !strcasecmp(*cpp, "netmask")) + dnetm = *++cpp; + } + if (dnetm == NULL) { + fprintf(stderr, + "%d: missing fields (dest netmask)\n", + linenum); + return NULL; + } + if (*dnetm == '/') + *dnetm++ = '\0'; + } + + if (ipn.in_redir == NAT_REDIRECT) { + dnetm = strchr(*cpp, ','); + if (dnetm != NULL) { + ipn.in_flags |= IPN_SPLIT; + *dnetm++ = '\0'; } - s = strtok(NULL, " \t"); + if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1) + return NULL; + } else { + if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1) + return NULL; } + cpp++; if (ipn.in_redir & NAT_MAPBLK) { - if (s && strcasecmp(s, "ports")) { + if (*cpp && strcasecmp(*cpp, "ports")) { fprintf(stderr, "%d: expected \"ports\" - got \"%s\"\n", - linenum, s); + linenum, *cpp); return NULL; } - if (s != NULL) { - if ((s = strtok(NULL, " \t")) == NULL) - return NULL; - ipn.in_pmin = atoi(s); - s = strtok(NULL, " \t"); + cpp++; + if (*cpp) { + ipn.in_pmin = atoi(*cpp); + cpp++; } else ipn.in_pmin = 0; } else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) { - if (strrchr(dhost, '/') != NULL) { + if (strrchr(*cpp, '/') != NULL) { fprintf(stderr, "%d: No netmask supported in %s\n", linenum, "destination host for redirect"); return NULL; } /* If it's a in_redir, expect target port */ - if (!(s = strtok(NULL, " \t"))) { - fprintf(stderr, - "%d: missing fields (destination port)\n", - linenum); - return NULL; - } - if (strcasecmp(s, "port")) { - fprintf(stderr, "%d: missing fields (port)\n", - linenum); + if (strcasecmp(*cpp, "port")) { + fprintf(stderr, "%d: missing fields - 2nd port (%s)\n", + linenum, *cpp); return NULL; } - - if (!(s = strtok(NULL, " \t"))) { + cpp++; + if (!*cpp) { fprintf(stderr, "%d: missing fields (destination port)\n", linenum); return NULL; } - tport = s; + if (!portnum(*cpp, &ipn.in_pnext, linenum)) + return NULL; + ipn.in_pnext = htons(ipn.in_pnext); + cpp++; } if (dnetm && *dnetm == '/') *dnetm++ = '\0'; - if (snetm && *snetm == '/') - *snetm++ = '\0'; if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) { - ipn.in_inip = hostnum(shost, &resolved, linenum); - if (resolved == -1) - return NULL; - ipn.in_inmsk = n_hostmask(snetm); - ipn.in_outip = hostnum(dhost, &resolved, linenum); - if (resolved == -1) - return NULL; - if (ipn.in_flags & IPN_RANGE) { - ipn.in_outmsk = hostnum(dnetm, &resolved, linenum); - if (resolved == -1) - return NULL; - } else - ipn.in_outmsk = n_hostmask(dnetm); - if (srchost) { - ipn.in_srcip = hostnum(srchost, &resolved, linenum); - if (resolved == -1) + if (ipn.in_flags & IPN_IPRANGE) { + if (hostnum((u_32_t *)&ipn.in_outmsk, dnetm, + linenum) == -1) return NULL; - } - if (srcnetm) - ipn.in_srcmsk = n_hostmask(srcnetm); + } else if (genmask(dnetm, (u_32_t *)&ipn.in_outmsk)) + return NULL; } else { - if (srchost) { - ipn.in_srcip = hostnum(srchost, &resolved, linenum); - if (resolved == -1) + if (ipn.in_flags & IPN_SPLIT) { + if (hostnum((u_32_t *)&ipn.in_inmsk, dnetm, + linenum) == -1) return NULL; - } - if (srcnetm) - ipn.in_srcmsk = n_hostmask(srcnetm); - ipn.in_inip = hostnum(dhost, &resolved, linenum); - if (resolved == -1) + } else if (genmask("255.255.255.255", (u_32_t *)&ipn.in_inmsk)) return NULL; - ipn.in_inmsk = n_hostmask("255.255.255.255"); - ipn.in_outip = hostnum(shost, &resolved, linenum); - if (resolved == -1) - return NULL; - ipn.in_outmsk = n_hostmask(snetm); - if (!(s = strtok(NULL, " \t"))) { + if (!*cpp) { ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */ proto = "tcp"; } else { - if (!strcasecmp(s, "tcp")) + if (!strcasecmp(*cpp, "tcp")) ipn.in_flags |= IPN_TCP; - else if (!strcasecmp(s, "udp")) + else if (!strcasecmp(*cpp, "udp")) ipn.in_flags |= IPN_UDP; - else if (!strcasecmp(s, "tcp/udp")) + else if (!strcasecmp(*cpp, "tcp/udp")) ipn.in_flags |= IPN_TCPUDP; - else if (!strcasecmp(s, "tcpudp")) + else if (!strcasecmp(*cpp, "tcpudp")) ipn.in_flags |= IPN_TCPUDP; - else if (!strcasecmp(s, "ip")) + else if (!strcasecmp(*cpp, "ip")) ipn.in_flags |= IPN_ANY; else { ipn.in_flags |= IPN_ANY; - if ((pr = getprotobyname(s))) + if ((pr = getprotobyname(*cpp))) ipn.in_p = pr->p_proto; else - ipn.in_p = atoi(s); + ipn.in_p = atoi(*cpp); + } + proto = *cpp; + cpp++; + + if (*cpp && !strcasecmp(*cpp, "round-robin")) { + cpp++; + ipn.in_flags |= IPN_ROUNDR; } - proto = s; - if ((s = strtok(NULL, " \t"))) { + + if (*cpp) { fprintf(stderr, "%d: extra junk at the end of rdr: %s\n", - linenum, s); + linenum, *cpp); return NULL; } } - ipn.in_pmin = n_portnum(dport, proto, linenum); - ipn.in_pmax = ipn.in_pmin; - ipn.in_pnext = n_portnum(tport, proto, linenum); - s = NULL; } - ipn.in_inip &= ipn.in_inmsk; - if ((ipn.in_flags & IPN_RANGE) == 0) + + if (!(ipn.in_flags & IPN_SPLIT)) + ipn.in_inip &= ipn.in_inmsk; + if ((ipn.in_flags & IPN_IPRANGE) == 0) ipn.in_outip &= ipn.in_outmsk; ipn.in_srcip &= ipn.in_srcmsk; if ((ipn.in_redir & NAT_MAPBLK) != 0) nat_setgroupmap(&ipn); - if (!s) + if (!*cpp) return &ipn; if (ipn.in_redir == NAT_BIMAP) { fprintf(stderr, "%d: extra words at the end of bimap line: %s\n", - linenum, s); + linenum, *cpp); return NULL; } - if (!strcasecmp(s, "proxy")) { - if (!(s = strtok(NULL, " \t"))) { + + if (!strcasecmp(*cpp, "proxy")) { + cpp++; + if (!*cpp) { fprintf(stderr, "%d: missing parameter for \"proxy\"\n", linenum); @@ -597,17 +663,19 @@ int linenum; } dport = NULL; - if (!strcasecmp(s, "port")) { - if (!(s = strtok(NULL, " \t"))) { + if (!strcasecmp(*cpp, "port")) { + cpp++; + if (!*cpp) { fprintf(stderr, "%d: missing parameter for \"port\"\n", linenum); return NULL; } - dport = s; + dport = *cpp; + cpp++; - if (!(s = strtok(NULL, " \t"))) { + if (!*cpp) { fprintf(stderr, "%d: missing parameter for \"proxy\"\n", linenum); @@ -618,73 +686,86 @@ int linenum; "%d: missing keyword \"port\"\n", linenum); return NULL; } - if ((proto = index(s, '/'))) { + + if ((proto = index(*cpp, '/'))) { *proto++ = '\0'; if ((pr = getprotobyname(proto))) ipn.in_p = pr->p_proto; else ipn.in_p = atoi(proto); - if (dport) - ipn.in_dport = n_portnum(dport, proto, linenum); - } else { + } else ipn.in_p = 0; - if (dport) - ipn.in_dport = n_portnum(dport, NULL, linenum); - } - (void) strncpy(ipn.in_plabel, s, sizeof(ipn.in_plabel)); - if ((s = strtok(NULL, " \t"))) { + if (dport && !portnum(dport, &ipn.in_dport, linenum)) + return NULL; + ipn.in_dport = htons(ipn.in_dport); + + (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel)); + cpp++; + + if (*cpp) { fprintf(stderr, "%d: too many parameters for \"proxy\"\n", linenum); return NULL; } return &ipn; - } - if (strcasecmp(s, "portmap")) { + if (strcasecmp(*cpp, "portmap")) { fprintf(stderr, - "%d: expected \"portmap\" - got \"%s\"\n", linenum, s); + "%d: expected \"portmap\" - got \"%s\"\n", linenum, + *cpp); return NULL; } - if (!(s = strtok(NULL, " \t"))) + cpp++; + if (!*cpp) { + fprintf(stderr, "%d: missing expression following portmap\n", + linenum); return NULL; - if (!strcasecmp(s, "tcp")) + } + + if (!strcasecmp(*cpp, "tcp")) ipn.in_flags |= IPN_TCP; - else if (!strcasecmp(s, "udp")) + else if (!strcasecmp(*cpp, "udp")) ipn.in_flags |= IPN_UDP; - else if (!strcasecmp(s, "tcpudp")) + else if (!strcasecmp(*cpp, "tcpudp")) ipn.in_flags |= IPN_TCPUDP; - else if (!strcasecmp(s, "tcp/udp")) + else if (!strcasecmp(*cpp, "tcp/udp")) ipn.in_flags |= IPN_TCPUDP; else { fprintf(stderr, "%d: expected protocol name - got \"%s\"\n", - linenum, s); + linenum, *cpp); return NULL; } + proto = *cpp; + cpp++; - if (!(s = strtok(NULL, " \t"))) { + if (!*cpp) { fprintf(stderr, "%d: no port range found\n", linenum); return NULL; } - if (!strcasecmp(s, "auto")) { + if (!strcasecmp(*cpp, "auto")) { ipn.in_flags |= IPN_AUTOPORTMAP; ipn.in_pmin = htons(1024); ipn.in_pmax = htons(65535); nat_setgroupmap(&ipn); return &ipn; } - proto = s; - if (!(t = strchr(s, ':'))) { - fprintf(stderr, "%d: no port range in \"%s\"\n", linenum, s); + + if (!(t = strchr(*cpp, ':'))) { + fprintf(stderr, "%d: no port range in \"%s\"\n", + linenum, *cpp); return NULL; } *t++ = '\0'; - ipn.in_pmin = n_portnum(s, proto, linenum); - ipn.in_pmax = n_portnum(t, proto, linenum); + if (!portnum(*cpp, &ipn.in_pmin, linenum) || + !portnum(t, &ipn.in_pmax, linenum)) + return NULL; + ipn.in_pmin = htons(ipn.in_pmin); + ipn.in_pmax = htons(ipn.in_pmax); return &ipn; } @@ -709,7 +790,7 @@ int opts; fp = stdin; while (fgets(line, sizeof(line) - 1, fp)) { - linenum++; + linenum++; line[sizeof(line) - 1] = '\0'; if ((s = strchr(line, '\n'))) *s = '\0'; @@ -720,81 +801,21 @@ int opts; linenum, line); } else { if ((opts & OPT_VERBOSE) && np) - printnat(np, opts & OPT_VERBOSE, NULL); + printnat(np, opts, NULL); if (!(opts & OPT_NODO)) { - if (!(opts & OPT_REM)) { - if (ioctl(fd, SIOCADNAT, np) == -1) + if (!(opts & OPT_REMOVE)) { + if (ioctl(fd, SIOCADNAT, &np) == -1) { + fprintf(stderr, "%d:", + linenum); perror("ioctl(SIOCADNAT)"); - } else if (ioctl(fd, SIOCRMNAT, np) == -1) + } + } else if (ioctl(fd, SIOCRMNAT, &np) == -1) { + fprintf(stderr, "%d:", linenum); perror("ioctl(SIOCRMNAT)"); + } } } } if (fp != stdin) fclose(fp); } - - -u_32_t n_hostmask(msk) -char *msk; -{ - int bits = -1; - u_32_t mask; - - if (!isdigit(*msk)) - return (u_32_t)-1; - if (strchr(msk, '.')) - return inet_addr(msk); - if (strchr(msk, 'x')) -#if defined(sun) && !defined(__SVR4) && !defined(__svr4__) - return (u_32_t)htonl(strtol(msk, NULL, 0)); -#else - return (u_32_t)htonl(strtoul(msk, NULL, 0)); -#endif - /* - * set x most significant bits - */ - for (mask = 0, bits = atoi(msk); bits; bits--) { - mask /= 2; - mask |= ntohl(inet_addr("128.0.0.0")); - } - mask = htonl(mask); - return mask; -} - - -u_short n_portnum(name, proto, linenum) -char *name, *proto; -int linenum; -{ - struct servent *sp, *sp2; - u_short p1 = 0; - - if (isdigit(*name)) - return htons((u_short)atoi(name)); - if (!proto) - proto = "tcp/udp"; - if (strcasecmp(proto, "tcp/udp")) { - sp = getservbyname(name, proto); - if (sp) - return sp->s_port; - fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name); - return 0; - } - sp = getservbyname(name, "tcp"); - if (sp) - p1 = sp->s_port; - sp2 = getservbyname(name, "udp"); - if (!sp || !sp2) { - fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n", - linenum, name); - return 0; - } - if (p1 != sp2->s_port) { - fprintf(stderr, "%d: %s %d/tcp is a different port to ", - linenum, name, p1); - fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port); - return 0; - } - return p1; -} |