summaryrefslogtreecommitdiff
path: root/sbin
diff options
context:
space:
mode:
Diffstat (limited to 'sbin')
-rw-r--r--sbin/ipf/ipf.1103
-rw-r--r--sbin/ipf/ipf.46
-rw-r--r--sbin/ipf/ipf.5514
-rw-r--r--sbin/ipf/ipf.h12
-rw-r--r--sbin/ipfstat/fils.c34
-rw-r--r--sbin/ipfstat/ipfstat.869
-rw-r--r--sbin/ipfstat/kmem.c6
-rw-r--r--sbin/ipfstat/kmem.h2
-rw-r--r--sbin/ipnat/ipnat.140
-rw-r--r--sbin/ipnat/ipnat.46
-rw-r--r--sbin/ipnat/ipnat.56
-rw-r--r--sbin/ipnat/ipnat.c188
12 files changed, 661 insertions, 325 deletions
diff --git a/sbin/ipf/ipf.1 b/sbin/ipf/ipf.1
index 642d129b1c6..912d7ef475d 100644
--- a/sbin/ipf/ipf.1
+++ b/sbin/ipf/ipf.1
@@ -1,64 +1,101 @@
.TH IPF 1
.SH NAME
-ipf - alters packet filtering lists for IP packet input and ouput
+ipf \- alters packet filtering lists for IP packet input and ouput
.SH SYNOPSIS
-ipf [-AEDIsnovdrzZ] [-l <block|pass|nomatch>] [-F <i|o|a>]
--f <\fIfilename\fP> [ -f <\fIfilename\fP> [...]]
+.B ipf
+[
+.B \-AdDEInorsUvyzZ
+] [
+.B \-l
+<block|pass|nomatch>
+] [
+.B \-F
+<i|o|a>
+]
+.B \-f
+<\fIfilename\fP>
+[
+.B \-f
+<\fIfilename\fP>
+[...]]
.SH DESCRIPTION
.PP
-\fBipf\fP opens the filenames listed (treating "-" as stdin) and parses the
+\fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the
file for a set of rules which are to be added or removed from the packet
filter rule set.
.PP
Each rule processed by \fBipf\fP
-is added to the kernels internal lists if there are no parsing problems.
+is added to the kernel's internal lists if there are no parsing problems.
Rules are added to the end of the internal lists, matching the order in
which they appear when given to \fBipf\fP.
.SH OPTIONS
-.IP -A
-set the list to make changes to the active list (default).
-.IP -E
-Enable the filter (if disabled). Not effective for loadable kernel versions.
-.IP -D
+.TP
+.B \-A
+Set the list to make changes to the active list (default).
+.TP
+.B \-d
+Turn debug mode on. Causes a hexdump of filter rules to be generated as
+it processes each one.
+.TP
+.B \-D
Disable the filter (if enabled). Not effective for loadable kernel versions.
-.IP -F
-this option specifies which filter list to flush. The parameter should
+.TP
+.B \-E
+Enable the filter (if disabled). Not effective for loadable kernel versions.
+.TP
+.BR \-F \0<param>
+This option specifies which filter list to flush. The parameter should
either be "i" (input), "o" (output) or "a" (remove all filter rules).
Either a single letter or an entire word starting with the appropriate
letter maybe used. This option maybe before, or after, any other with
the order on the command line being that used to execute options.
-.IP -d
-turn debug mode on. Causes a hexdump of filter rules to be generated as
-it processes each one.
-.IP -f
-this option specifies which files
-\fBipf\fP should use to get input from for modifying the pack filter rule
+.TP
+.BR \-f \0<filename>
+This option specifies which files
+\fBipf\fP should use to get input from for modifying the packet filter rule
lists.
-.IP -I
-set the list to make changes to the inactive list.
-.IP -l
+.TP
+.B \-I
+Set the list to make changes to the inactive list.
+.TP
+.B \-l \0<param>
Use of the \fB-l\fP flag toggles default logging of packets. Valid
arguments to this option are \fBpass\fP, \fBblock\fP and \fBnomatch\fP.
When an option is set, any packet which exits filtering and matches the
set category is logged. This is most useful for causing all packets
which don't match any of the loaded rules to be logged.
-.IP -n
+.TP
+.B \-n
This flag (no-change) prevents \fBipf\fP from actually making any ioctl
calls or doing anything which would alter the currently running kernel.
-.IP -o
+.TP
+.B \-o
Force rules by default to be added/deleted to/from the output list, rather
than the (default) input list.
-.IP -s
-swap the active filter list in use to be the "other" one.
-.IP -r
-remove matching filter rules rather than add them to the internal lists
-.IP -v
-turn verbose mode on. Displays information relating to rule processing.
-.IP -z
-for each rule in the input file, reset the statistics for it to zero and
+.TP
+.B \-r
+Remove matching filter rules rather than add them to the internal lists
+.TP
+.B \-s
+Swap the active filter list in use to be the "other" one.
+.TP
+.B \-U
+(SOLARIS 2 ONLY) Block packets travelling along the data stream which aren't
+recognised as IP packets. They will be printed out on the console.
+.TP
+.B \-v
+Turn verbose mode on. Displays information relating to rule processing.
+.TP
+.B \-y
+(SOLARIS 2 ONLY) Manually resync the in-kernel interface list maintained
+by IP Filter with the current interface status list.
+.TP
+.B \-z
+For each rule in the input file, reset the statistics for it to zero and
display the statistics prior to them being zero'd.
-.IP -Z
-zero global statistics held in the kernel for filtering only (this doesn't
+.TP
+.B \-Z
+Zero global statistics held in the kernel for filtering only (this doesn't
affect fragment or state statistics).
.DT
.SH SEE ALSO
diff --git a/sbin/ipf/ipf.4 b/sbin/ipf/ipf.4
index 5cbfbd001c5..ff17f4f7e33 100644
--- a/sbin/ipf/ipf.4
+++ b/sbin/ipf/ipf.4
@@ -1,6 +1,6 @@
.TH IPF 4
.SH NAME
-ipf - packet filtering kernel interface
+ipf \- packet filtering kernel interface
.SH SYNOPSIS
#include <sys/ip_fil.h>
.SH IOCTLS
@@ -26,11 +26,11 @@ However, the full complement is as follows:
ioctl(fd, SIOCIPFFL, int *)
.fi
.PP
-The variations, SIOCADAFR vs SIOCADIFR, allow operation on the two lists,
+The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists,
active and inactive, respectively. All of these ioctl's are implemented
as being routing ioctls and thus the same rules for the various routing
ioctls and the file descriptor are employed, mainly being that the fd must
-be that of the device associated with the module (ie /dev/ipl).
+be that of the device associated with the module (i.e., /dev/ipl).
.LP
.PP
The three groups of ioctls above perform adding rules to the end of the
diff --git a/sbin/ipf/ipf.5 b/sbin/ipf/ipf.5
index fc8cbd84e78..417a0eaa351 100644
--- a/sbin/ipf/ipf.5
+++ b/sbin/ipf/ipf.5
@@ -1,7 +1,6 @@
-.LP
.TH IPF 5
.SH NAME
-ipf - IP packet filtering format.
+ipf \- IP packet filter rule syntax
.SH DESCRIPTION
.PP
A rule file for \fBipf\fP may have any name or even be stdin. As
@@ -11,220 +10,304 @@ into \fBipf\fP. Thus, to remove all filters on input packets, the following
could be done:
.nf
-\fC# ipfstat -i | ipf -rf -\fP
+\fC# ipfstat \-i | ipf \-rf \-\fP
.fi
+.SH GRAMMAR
.PP
The format used by \fBipf\fP for construction of filtering rules can be
described using the following grammar in BNF:
\fC
.nf
-filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
- [ proto ] [ ip ] .
+filter-rule = [ insert ] action in-out [ options ] [ match ] [ keep ]
+
+insert = "@" decnumber .
+action = block | "pass" | log | "count" | call .
+in-out = "in" | "out" .
+options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
+match = [ tos ] [ ttl ] [ proto ] [ ip ] .
+keep = "keep state" | "keep frags" .
+
+block = "block" [ "return-icmp"[return-code] | "return-rst" ] .
+log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
+call = "call" [ "now" ] function-name .
+
+dup = "dup-to" interface-name[":"ipaddr] .
+froute = "fastroute" | "to" interface-name .
-insert = "@" decnumber .
-action = block | "pass" | log | "count" | call .
-in-out = "in" | "out" .
-options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
-tos = "tos" decnumber | "tos" hexnumber .
-ttl = "ttl" decnumber .
-proto = "proto" protocol .
-ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
+tos = "tos" decnumber | "tos" hexnumber .
+ttl = "ttl" decnumber .
+proto = "proto" protocol .
+ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
-block = "block" [ "return-icmp"[return-code] | "return-rst" ] .
-log = "log" [ "body" ] [ "first" ] .
-call = "call" [ "now" ] function-name .
-dup = "dup-to" interface-name[":"ipaddr] .
-froute = "fastroute" | "to" interface-name .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
-srcdst = "all" | fromto .
-fromto = "from" object "to" object .
+srcdst = "all" | fromto .
+fromto = "from" object "to" object .
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
+object = addr [ port-comp | port-range ] .
+addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp = "port" compare port-num .
port-range = "port" port-num range port-num .
-flags = "flags" flag { flag } [ "/" flag { flag } ] .
-with = "with" | "and" .
-icmp = "icmp-type" icmp-type [ "code" decnumber ] .
+
+flags = "flags" flag { flag } [ "/" flag { flag } ] .
+with = "with" | "and" .
+icmp = "icmp-type" icmp-type [ "code" decnumber ] .
return-code = "("icmp-code")" .
-keep = "keep" "state" | "keep" "frags" .
-nummask = host-name [ "/" decnumber ] .
+nummask = host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
-ipaddr = host-num "." host-num "." host-num "." host-num .
+ipaddr = host-num "." host-num "." host-num "." host-num .
host-num = digit [ digit [ digit ] ] .
port-num = service-name | decnumber .
withopt = [ "not" | "no" ] opttype [ withopt ] .
opttype = "ipopts" | "short" | "frag" | "opt" ipopts .
-optname = ipopts [ "," optname ] .
+optname = ipopts [ "," optname ] .
ipopts = optlist | "sec-class" [ secname ] .
-secname = seclvl [ "," secname ] .
+secname = seclvl [ "," secname ] .
seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
- "reserv-4" | "secret" | "topsecret" .
+ "reserv-4" | "secret" | "topsecret" .
icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
- "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
- "inforep" | "maskreq" | "maskrep" | decnumber .
+ "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
+ "inforep" | "maskreq" | "maskrep" | decnumber .
icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
-optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
- "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
- "visa" | "imitd" | "eip" | "finn" .
+ "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
+ "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
+optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
+ "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
+ "visa" | "imitd" | "eip" | "finn" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
decnumber = digit [ decnumber ] .
compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
- "le" | "ge" .
-range = "<>" | "><" .
+ "le" | "ge" .
+range = "<>" | "><" .
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
-digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-flag = "F" | "S" | "R" | "P" | "A" | "U" .
+digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
+flag = "F" | "S" | "R" | "P" | "A" | "U" .
.fi
.PP
-The "briefest" valid rule is of the form:
+This syntax is somewhat simplified for readability, some combinations
+that match this grammar are disallowed by the software because they do
+not make sense (such as tcp \fBflags\fP for non-TCP packets).
+.SH FILTER RULES
+.PP
+The "briefest" valid rules are (currently) no-ops and are of the form:
.nf
-
block in
pass in
log in
+ count in
.fi
.PP
-These can also be written like:
-.nf
- block in all pass in from any to any
-.fi
-.PP
-The action, one of either block, log or pass, indicates what to do with
-the packet if it matches the rest of the filter rule. Block indicates that
-the packet should be dropped here and not let through, log write the packet
-header to the \fBipl\fP packet logging psuedo-device (and has no further
-effect on validity of packet to be allowed through the filter) and pass which
-will allow the packet through. Each rule MUST have one of these three
-keywords.
-.PP
-In response to blocking a packet, the filter may be instructed to send a
-reply packet, either an ICMP unreachable (\fBreturn-icmp\fP)or a TCP
-"reset" (\fBreturn-rst\fP). An ICMP packet may be generated in response
-to any IP packet but a TCP reset may only be used with a rule which is
-being applied to TCP packets.
-.PP
-When a packet header is logged with the \fBlog\fP keyword, the optional
-\fBbody\fP keyword indicates that the first 128 bytes of the packet contents
-will be logged to the \fBipl\fP packet logging psuedo-device after the
-headers.
-.PP
-The next word must be either \fBin\fP or \fBout\fP. As each packet moving
-through the kernel is either an inbound packet or outbound, there is a
-requirement that each filter rule be explicitly stated as to which side of
-the IO it is to be used on.
-.PP
-The list of options is brief, and indeed all are optional. The presence
-of the \fBlog\fP option indicates, that should this be the last matching
-rule, the packet header will be written to the \fBipl\fP log. The \fBquick\fP
-option allows "short-cut" rules in order to speed up the filter. If a
-packet header matches a filter rule which is marked as \fBquick\fP, it will
-result in a quick-match and stop processing at this point. This is good for
-rules such as "block in quick from any to any with ipopts" which will match
-any packet with a non-standard header length (IP options present) and abort
-further processing, recording a match and also that the packet should be
-blocked. If this command is missing, the rule is taken to be a
-"fall-through" rule, meaning that the result of the match is used
-(block/pass) and that it will continue processing to see if there are any
-more matches. This allows for effects such as this:
-.LP
-.nf
- block in from any to any port < 6000
- pass in from any to any port >= 6000
- block in from any to port > 6003
-.fi
-.PP
-which sets up the range 6000-6003 as being permitted and all others being
-denied. Another (easier) way to do the same is:
-.LP
+These are supposed to be the same as, but currently differ from:
+.\" XXX How, why do they differ??
.nf
- block in from any to any port 6000 <> 6003
- pass in from any to any port 5999 >< 6004
+ block in all
+ pass in from any to any
+ log in all
+ count in all
.fi
.PP
-Note that both the "block" and "pass" are needed here to affect a result
-as a failed "block" does not imply a pass, only that the rule hasn't taken
-effect. To then allow ports < 1024, a rule such as:
-.LP
-.nf
- pass in quick from any to any port < 1024
-.fi
+Filter rules are checked in order, with the last matching rule
+determining the fate of the packet (but see the \fBquick\fP option,
+below).
.PP
-would be needed before the first block. Expect to see a "between" operator
-as soon as I can work out how to fit in in.
+Filters are installed by default at the end of the kernel's filter
+lists, prepending the rule with \fB@n\fP will cause it to be inserted
+as the n'th entry in the current list. This is especially useful when
+modifying and testing active filter rulesets. See ipf(1) for more
+information.
+.SH ACTIONS
.PP
-The \fBon\fP command allows an interface name to be incorporated into the
-matching procedure. That it is a match and not actually associated with
-the interface itself is a result of the way this was implemented. Indeed,
-there is nothing to stop you using this with every rule if you so wish.
-If it is absent, the rule is taken to be applied to a packet regardless of
-the interface it is present on.
+The action indicates what to do with the packet if it matches the rest
+of the filter rule. Each rule MUST have an action. The following
+actions are recognised:
+.TP
+.B block
+indicates that the packet should be flagged to be dropped. In response
+to blocking a packet, the filter may be instructed to send a reply
+packet, either an ICMP packet (\fBreturn-icmp\fP) or a TCP "reset"
+(\fBreturn-rst\fP). An ICMP packet may be generated in response to
+any IP packet, and its type may optionally be specified, but a TCP
+reset may only be used with a rule which is being applied to TCP
+packets.
+.TP
+.B pass
+will flag the packet to be let through the filter.
+.TP
+.B log
+causes the packet to be logged (as described in the LOGGING section
+below) and has no effect on whether the packet will be allowed through
+the filter.
+.TP
+.B count
+causes the packet to be included in the accounting statistics kept by
+the filter, and has no effect on whether the packet will be allowed through
+the filter. These statistics are viewable with ipfstat(8).
+.TP
+.B call
+this action is used to invoke the named function in the kernel, which
+must conform to a specific calling interface. Customised actions and
+semantics can thus be implemented to supplement those available. This
+feature is for use by knowledgeable hackers, and is not currently
+documented.
.PP
-The \fBall\fP command is essentially an alias for "from any to any" with
-no other commands.
+The next word must be either \fBin\fP or \fBout\fP. Each packet
+moving through the kernel is either inbound (just been received on an
+interface, and moving towards the kernel's protocol processing) or
+outbound (transmitted or forwarded by the stack, and on its way to an
+interface). There is a requirement that each filter rule explicitly
+state which side of the I/O it is to be used on.
+.SH OPTIONS
.PP
-Using \fBtos\fP, packets with different service capabilities can be filtered
-upon. Individual service levels or combinations can be filtered upon. The
+The list of options is brief, and all are indeed optional. Where
+options are used, they must be present in the order shown here. These
+are the currently supported options:
+.TP
+.B log
+indicates that, should this be the last matching rule, the packet
+header will be written to the \fBipl\fP log (as described in the
+LOGGING section below).
+.TP
+.B quick
+allows "short-cut" rules in order to speed up the filter or override
+later rules. If a packet matches a filter rule which is marked as
+\fBquick\fP, this rule will be the last rule checked, allowing a
+"short-circuit" path to avoid processing later rules for this
+packet. The current status of the packet (after any effects of the
+current rule) will determine whether it is passed or blocked.
+.IP
+If this option is missing, the rule is taken to be a "fall-through"
+rule, meaning that the result of the match (block/pass) is saved and
+that processing will continue to see if there are any more matches.
+.TP
+.B on
+allows an interface name to be incorporated into the matching
+procedure. Interface names are as printed by "netstat \-i". If this
+option is used, the rule will only match if the packet is going
+through that interface in the specified direction (in/out). If this
+option is absent, the rule is taken to be applied to a packet
+regardless of the interface it is present on (i.e. on all interfaces).
+Filter rulesets are common to all interfaces, rather than having a
+filter list for each interface.
+.IP
+This option is especially useful for simple IP-spoofing protection:
+packets should only be allowed to pass inbound on the interface from
+which the specified source address would be expected, others may be
+logged and/or dropped.
+.TP
+.B dup-to
+causes the packet to be copied, and the duplicate packet to be sent outbound on the specified interface, optionally with the destination IP address changed to that specified. This is useful for off-host logging, using a network sniffer.
+.TP
+.B to
+causes the packet to be moved to the outbound queue on the
+specified interface. This can be used to circumvent kernel routing
+decisions, and even to bypass the rest of the kernel processing of the
+packet (if applied to an inbound rule). It is thus possible to
+construct a firewall that behaves transparently, like a filtering hub
+or switch, rather than a router. The \fBfastroute\fP keyword is a
+synonym for this option.
+.SH MATCHING PARAMETERS
+.PP
+The keywords described in this section are used to describe attributes
+of the packet to be used when determining whether rules match or don't
+match. The following general-purpose attributes are provided for
+matching, and must be used in this order:
+.TP
+.B tos
+packets with different Type-Of-Service values can be filtered.
+Individual service levels or combinations can be filtered upon. The
value for the TOS mask can either be represented as a hex number or a
decimal integer value.
-.PP
-Packets may also be selected by their \fBttl\fP value. The value given in
+.\" XXX TOS mask?? not in grammar!
+.TP
+.B ttl
+packets may also be selected by their Time-To-Live value. The value given in
the filter rule must exactly match that in the packet for a match to occur.
This value can only be given as a decimal integer value.
+.TP
+.B proto
+allows a specific protocol to be matched against. All protocol names
+found in \fB/etc/protocols\fP are recognised and may be used.
+However, the protocol may also be given as a DECIMAL number, allowing
+for rules to match your own protocols, or new ones which would
+out-date any attempted listing.
+.IP
+The special protocol keyword \fBtcp/udp\fP may be used to match either
+a TCP or a UDP packet, and has been added as a convenience to save
+duplication of otherwise-identical rules.
+.\" XXX grammar should reflect this (/etc/protocols)
.PP
-The \fBproto\fP command allows a specific protocol to be matched against.
-All protocol names found in \fB/etc/protocols\fP are recognised and maybe
-used. However, the protocol may also be given as a DECIMAL number, allowing
-for rules to match your own protocols, or new ones which would out-date any
-attempted listing.
-.PP
-To match against BOTH source and destination addresses, the \fBfrom\fP and
-\fBto\fP commands are used. They both support a large variety of valid
-syntaxes, including the "x/y" format. There is a special case for the
-hostname \fBany\fP which is taken to be 0.0.0.0/0 and matches all IP numbers.
-If a \fBport\fP match is included, then it is only applied to TCP/UDP
-packets. If the \fBproto\fP command is left out, packets from both protocols
-are compared. The hostname may either be a valid hostname, from either the
-hosts file or DNS (depending on your configuration and library) or of the
-dotted numeric form. There is no special designation for networks but
-network names are recognised.
-.PP
-"x/y" indicates that a mask of y consecutive bits set is generated, starting
-with the MSB, so a value of 16 would give 0xffff0000.
+The \fBfrom\fP and \fBto\fP keywords are used to match against IP
+addresses (and optionally port numbers). Rules must specify BOTH
+source and destination parameters.
+.PP
+IP addresses may be specified in one of two ways: as a numerical
+address\fB/\fPmask, or as a hostname \fBmask\fP netmask. The hostname
+may either be a valid hostname, from either the hosts file or DNS
+(depending on your configuration and library) or of the dotted numeric
+form. There is no special designation for networks but network names
+are recognised. Note that having your filter rules depend on DNS
+results can introduce an avenue of attack, and is discouraged.
.PP
-"x mask y" indicates that the mask y is in dotted IP notation or a hexadecimal
-number of the form 0x12345678.
+There is a special case for the hostname \fBany\fP which is taken to
+be 0.0.0.0/0 (see below for mask syntax) and matches all IP addresses.
+Only the presence of "any" has an implied mask, in all other
+situations, a hostname MUST be accompanied by a mask. It is possible
+to give "any" a hostmask, but in the context of this language, it is
+non-sensical.
.PP
-Only the presence of "any" has an implied mask, in all other situations,
-a hostname MUST be accompanied by a mask. It is possible to give "any" a
-hostmask, but in the context of this language, it is non-sensical.
+The numerical format "x\fB/\fPy" indicates that a mask of y
+consecutive 1 bits set is generated, starting with the MSB, so a y value
+of 16 would give 0xffff0000. The symbolic "x \fBmask\fP y" indicates
+that the mask y is in dotted IP notation or a hexadecimal number of
+the form 0x12345678. Note that all the bits of the IP address
+indicated by the bitmask must match the address on the packet exactly;
+there isn't currently a way to invert the sense of the match, or to
+match ranges of IP addresses which do not express themselves easily as
+bitmasks (anthropomorphization; it's not just for breakfast anymore).
.PP
-When composing
-\fBport\fP comparisons, either the service name may be used or an integer
-port number.
+If a \fBport\fP match is included, for either or both of source and
+destination, then it is only applied to
+.\" XXX - "may only be" ? how does this apply to other protocols? will it not match, or will it be ignored?
+TCP and UDP packets. If there is no \fBproto\fP match parameter,
+packets from both protocols are compared. This is equivalent to "proto
+tcp/udp". When composing \fBport\fP comparisons, either the service
+name or an integer port number may be used. Port comparisons may be
+done in a number of forms, with a number of comparison operators, or
+port ranges may be specified. See the examples for more information.
.PP
-The \fBwith\fP command is used to nominate irregular attributes that some
-packets ma have associated with them. Alternatively, the keyword \fBand\fP
-maybe used in place of \fBwith\fP. This is provided to make the rules more
-readable and serves no other purpose. To filter IP options, in general,
-use \fBipopts\fP. For more specific filtering on IP options, individual
-options can be listed. When listed, all those listed must be found in a
-packet to cause a match.
+The \fBall\fP keyword is essentially a synonym for "from any to any"
+with no other match parameters.
.PP
-Before any option used after the \fBwith\fP keyword, the word \fBnot\fp
-maybe inserted to cause the filter rule to only match if the option(s) is
-not present.
-.PP
-The \fBflags\fP command is only effective for TCP filtering. Each of the
-letters possible represents one of the possible flags that can be set in the
-TCP header. The association is as follows:
+Following the source and destination matching parameters, the
+following additional parameters may be used:
+.TP
+.B with
+is used to match irregular attributes that some packets may have
+associated with them. To match the presence of IP options in general,
+use \fBwith ipopts\fP. To match packets that are too short to contain
+a complete header, use \fBwith short\fP. To match fragmented packets,
+use \fBwith frag\fP. For more specific filtering on IP options,
+individual options can be listed.
+.IP
+Before any parameter used after the \fBwith\fP keyword, the word
+\fBnot\fP or \fBno\fP may be inserted to cause the filter rule to only
+match if the option(s) is not present.
+.IP
+Multiple consecutive \fBwith\fP clauses are allowed. Alternatively,
+the keyword \fBand\fP may be used in place of \fBwith\fP, this is
+provided purely to make the rules more readable ("with ... and ...").
+When multiple clauses are listed, all those must match to cause a
+match of the rule.
+.\" XXX describe the options more specifically in a separate section
+.TP
+.B flags
+is only effective for TCP filtering. Each of the letters possible
+represents one of the possible flags that can be set in the TCP
+header. The association is as follows:
.LP
.nf
F - FIN
@@ -234,19 +317,22 @@ TCP header. The association is as follows:
A - ACK
U - URG
.fi
-.PP
-The various flag symbols maybe used in combination, so that "SA" would
-represent a SYN-ACK combination present in a packet. There is nothing
-preventing combinations, such as "SFR". However, to guard against weird
-abberations, it is necessary to state which flags you are filtering against.
-To allow this, it is possible to set a mask indicating which TCP flags you
-wich to compare (ie those you deem significant). This is done by appending
-"/<flags>" to the set of TCP flags you wish to match against. eg:
+.IP
+The various flag symbols may be used in combination, so that "SA"
+would represent a SYN-ACK combination present in a packet. There is
+nothing preventing the specification of combinations, such as "SFR",
+that would not normally be generated by law-abiding TCP
+implementations. However, to guard against weird aberrations, it is
+necessary to state which flags you are filtering against. To allow
+this, it is possible to set a mask indicating which TCP flags you wish
+to compare (i.e., those you deem significant). This is done by
+appending "/<flags>" to the set of TCP flags you wish to match
+against, e.g.:
.LP
.nf
... flags S
- # becomes "flags S/AUPRFS" and will match a
- # packet with ONLY the SYN flag set.
+ # becomes "flags S/AUPRFS" and will match
+ # packets with ONLY the SYN flag set.
... flags SA
# becomes "flags SA/AUPRFS" and will match any
@@ -258,20 +344,90 @@ wich to compare (ie those you deem significant). This is done by appending
# keyword action. "S/SA" will NOT match a packet
# with BOTH SYN and ACK set, but WILL match "SFP".
.fi
-.PP
-The next parameter set for the filter rule is the optional \fBicmp-type\fP.
-It is only effective when used with \fB"proto icmp"\fP and must NOT be used
-in conjuction with \fBflags\fP. There are a number of types which can be
-refered to by an abbreviation recognised by this language or the numbers
-with which they are associated can be used.
+.TP
+.B icmp-type
+is only effective when used with \fBproto icmp\fP and must NOT be used
+in conjuction with \fBflags\fP. There are a number of types, which can be
+referred to by an abbreviation recognised by this language, or the numbers
+with which they are associated can be used. The most important from
+a security point of view is the ICMP redirect.
+.SH KEEP HISTORY
.PP
The last parameter which can be set for a filter rule is whether on not to
-record state information for that packet, and what sort to keep. Either
-information relating to the packet's `flow' or if fragment details can be
-kept, allowing packets which match these to flow straight through, rather
+record historical information for that packet, and what sort to keep. The following information can be kept:
+.TP
+.B state
+keeps information about the flow of a communication session. State can
+be kept for TCP, UDP, and ICMP packets.
+.TP
+.B frags
+keeps information on fragmented packets, to be applied to later
+fragments.
+.PP
+allowing packets which match these to flow straight through, rather
than going through the access control list.
+.SH LOGGING
+.PP
+When a packet is logged, with either the \fBlog\fP action or option,
+the headers of the packet are written to the \fBipl\fP packet logging
+psuedo-device. Immediately following the \fBlog\fP keyword, the
+following qualifiers may be used (in order):
+.TP
+.B body
+indicates that the first 128 bytes of the packet contents will be
+logged after the headers.
+.TP
+.B first
+??
+.TP
+.B or-block
+indicates that, if for some reason the filter is unable to log the packet (such as the log reader being too slow) then the rule should be interpreted as if the action was \fBblock\fP for this packet.
+.PP
+See ipl(4) for the format of records written
+to this device. The ipmon(8) program can be used to read and format
+this log.
+.SH EXAMPLES
+.PP
+The \fBquick\fP option is good for rules such as:
+\fC
+.nf
+block in quick from any to any with ipopts
+.fi
+.PP
+which will match any packet with a non-standard header length (IP
+options present) and abort further processing of later rules,
+recording a match and also that the packet should be blocked.
+.PP
+The "fall-through" rule parsing allows for effects such as this:
+.LP
+.nf
+ block in from any to any port < 6000
+ pass in from any to any port >= 6000
+ block in from any to port > 6003
+.fi
+.PP
+which sets up the range 6000-6003 as being permitted and all others being
+denied. Note that the effect of the first rule is overridden by subsequent
+rules. Another (easier) way to do the same is:
+.LP
+.nf
+ block in from any to any port 6000 <> 6003
+ pass in from any to any port 5999 >< 6004
+.fi
+.PP
+Note that both the "block" and "pass" are needed here to effect a
+result as a failed match on the "block" action does not imply a pass,
+only that the rule hasn't taken effect. To then allow ports < 1024, a
+rule such as:
+.LP
+.nf
+ pass in quick from any to any port < 1024
+.fi
+.PP
+would be needed before the first block.
.SH FILES
/etc/services
+.br
/etc/hosts
.SH SEE ALSO
ipf(1), ipftest(1)
diff --git a/sbin/ipf/ipf.h b/sbin/ipf/ipf.h
index 86a60fa7adc..c2873895b55 100644
--- a/sbin/ipf/ipf.h
+++ b/sbin/ipf/ipf.h
@@ -6,9 +6,12 @@
* to the original author and the contributors.
*
* @(#)ipf.h 1.12 6/5/96
- * $Id: ipf.h,v 1.5 1996/07/18 05:11:02 dm Exp $
+ * $Id: ipf.h,v 1.6 1997/02/11 22:23:39 kstailey Exp $
*/
+#ifndef SOLARIS
+#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+#endif
#define OPT_REMOVE 0x00001
#define OPT_DEBUG 0x00002
#define OPT_OUTQUE FR_OUTQUE /* 0x0004 */
@@ -47,6 +50,9 @@ struct ipopt_names {
extern u_long hostnum(), optname();
extern void printpacket();
+#if SOLARIS
+extern int inet_aton();
+#endif
#ifdef sun
#define STRERROR(x) sys_errlist[x]
@@ -55,3 +61,7 @@ extern char *sys_errlist[];
#define STRERROR(x) strerror(x)
#endif
+#ifndef MIN
+#define MIN(a,b) ((a) > (b) ? (b) : (a))
+#endif
+
diff --git a/sbin/ipfstat/fils.c b/sbin/ipfstat/fils.c
index aaece1b4b9c..076f0fe815e 100644
--- a/sbin/ipfstat/fils.c
+++ b/sbin/ipfstat/fils.c
@@ -40,9 +40,9 @@
#include <paths.h>
#endif
-#ifndef lint
+#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed";
-static char rcsid[] = "$Id: fils.c,v 1.7 1996/10/08 07:33:33 niklas Exp $";
+static char rcsid[] = "$Id: fils.c,v 1.8 1997/02/11 22:23:41 kstailey Exp $";
#endif
#ifdef _PATH_UNIX
#define VMUNIX _PATH_UNIX
@@ -124,7 +124,7 @@ char *argv[];
opts |= OPT_VERBOSE;
break;
default :
- Usage();
+ Usage(argv[0]);
break;
}
}
@@ -203,9 +203,10 @@ struct friostat *fp;
fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
PRINTF("output packets logged:\tblocked %lu passed %lu\n",
fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
- PRINTF(" packets logged:\tinput %lu-%lu output %lu-%lu\n",
- fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip,
- fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip);
+ PRINTF(" packets logged:\tinput %lu output %lu\n",
+ fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl);
+ PRINTF(" log failures:\t\tinput %lu output %lu\n",
+ fp->f_st[0].fr_skip, fp->f_st[1].fr_skip);
PRINTF("fragment state(in):\tkept %lu\tlost %lu\n",
fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr);
PRINTF("fragment state(out):\tkept %lu\tlost %lu\n",
@@ -218,6 +219,10 @@ struct friostat *fp;
fp->f_st[0].fr_ret, fp->f_st[1].fr_ret);
PRINTF("Result cache hits(in):\t%lu\t(out):\t%lu\n",
fp->f_st[0].fr_chit, fp->f_st[1].fr_chit);
+ PRINTF("IN Pullups succeeded:\t%lu\tfailed:\t%lu\n",
+ fp->f_st[0].fr_pull[0], fp->f_st[0].fr_pull[1]);
+ PRINTF("OUT Pullups succeeded:\t%lu\tfailed:\t%lu\n",
+ fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]);
PRINTF("Packet log flags set: (%#x)\n", frf);
if (frf & FF_LOGPASS)
@@ -243,12 +248,11 @@ struct friostat *fiop;
set = 1 - set;
if (opts & OPT_ACCNT) {
i = F_AC;
- if (opts & OPT_INQUE)
- fp = (struct frentry *)fiop->f_acctin[set];
- else {
+ if (opts & OPT_OUTQUE) {
fp = (struct frentry *)fiop->f_acctout[set];
i++;
- }
+ } else if (opts & OPT_INQUE)
+ fp = (struct frentry *)fiop->f_acctin[set];
} else if (opts & OPT_OUTQUE) {
i = F_OUT;
fp = (struct frentry *)fiop->f_fout[set];
@@ -311,14 +315,16 @@ ips_stat_t *ipsp;
if (kmemcpy(&ips, istab[i], sizeof(ips)) == -1)
break;
PRINTF("%s -> ", inet_ntoa(ips.is_src));
- PRINTF("%s age %d pass %d pr %d\n",
+ PRINTF("%s age %d pass %d pr %d state %d/%d\n",
inet_ntoa(ips.is_dst), ips.is_age,
- ips.is_pass, ips.is_p);
+ ips.is_pass, ips.is_p, ips.is_state[0],
+ ips.is_state[1]);
if (ips.is_p == IPPROTO_TCP)
- PRINTF("\t%hu -> %hu %lu:%lu %hu\n",
+ PRINTF("\t%hu -> %hu %lu:%lu %hu:%hu\n",
ntohs(ips.is_sport),
ntohs(ips.is_dport),
- ips.is_seq, ips.is_ack, ips.is_win);
+ ips.is_seq, ips.is_ack,
+ ips.is_swin, ips.is_dwin);
else if (ips.is_p == IPPROTO_UDP)
PRINTF("\t%hu -> %hu\n", ntohs(ips.is_sport),
ntohs(ips.is_dport));
diff --git a/sbin/ipfstat/ipfstat.8 b/sbin/ipfstat/ipfstat.8
index 1b378541580..db23e39eed7 100644
--- a/sbin/ipfstat/ipfstat.8
+++ b/sbin/ipfstat/ipfstat.8
@@ -1,13 +1,17 @@
-.LP
.TH ipfstat 8
.SH NAME
-ipfstat - reports on packet filter statistics and filter list
+ipfstat \- reports on packet filter statistics and filter list
.SH SYNOPSIS
-ipfstat [-hIiovd:]
+.B ipfstat
+[
+.B \-hIinov
+] [
+.B \-d
+<device>
+]
.SH DESCRIPTION
-.LP
.PP
-\fBipfstat examines /dev/kmem using the symbols \fB_fr_flags\fP,
+\fBipfstat\fP examines /dev/kmem using the symbols \fB_fr_flags\fP,
\fB_frstats\fP, \fB_filterin\fP, and \fB_filterout\fP.
To run and work, it needs to be able to read both /dev/kmem and the
kernel itself. The kernel name defaults to \fB/vmunix\fP.
@@ -16,39 +20,52 @@ The default behaviour of \fBipfstat\fP
is to retrieve and display the accumulated statistics which have been
accumulated over time as the kernel has put packets through the filter.
.SH OPTIONS
-.IP -a
-display the accounting filter list and show bytes counted against each rule.
-.IP -d <device>
-use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
-.IP -f
-show fragment state information (statistics) and held state information (in
+.TP
+.B \-a
+Display the accounting filter list and show bytes counted against each rule.
+.TP
+.BR \-d \0<device>
+Use a device other than \fB/dev/ipl\fP for interfacing with the kernel.
+.TP
+.B \-f
+Show fragment state information (statistics) and held state information (in
the kernel) if any is present.
-.IP -h
-show per-rule the number of times each one scores a "hit". For use in
-combination with \fB-i\fP.
-.IP -i
-display the filter list used for the input side of the kernel IP processing.
-.IP -I
-swap between retrieving "inactive"/"active" filter list details. For use
-in combination with \fB-i\fP.
-.IP -o
-display the filter list used for the output side of the kernel IP processing.
-.IP -s
-show packet/flow state information (statistics) and held state information (in
+.TP
+.B \-h
+Show per-rule the number of times each one scores a "hit". For use in
+combination with \fB\-i\fP.
+.TP
+.B \-i
+Display the filter list used for the input side of the kernel IP processing.
+.TP
+.B \-I
+Swap between retrieving "inactive"/"active" filter list details. For use
+in combination with \fB\-i\fP.
+.TP
+.B \-n
+Show the "rule number" for each rule as it is printed.
+.TP
+.B \-o
+Display the filter list used for the output side of the kernel IP processing.
+.TP
+.B \-s
+Show packet/flow state information (statistics) and held state information (in
the kernel) if any is present.
-.IP -v
-turn verbose mode on. Displays more debugging information.
+.TP
+.B \-v
+Turn verbose mode on. Displays more debugging information.
.SH SYNOPSIS
The role of \fBipfstat\fP is to display current kernel statistics gathered
as a result of applying the filters in place (if any) to packets going in and
out of the kernel. This is the default operation when no command line
parameters are present.
.PP
-When supplied with either \fB-i\fP or \fB-o\fP, it will retrieve and display
+When supplied with either \fB\-i\fP or \fB\-o\fP, it will retrieve and display
the appropriate list of filter rules currently installed and in use by the
kernel.
.SH FILES
/dev/kmem
+.br
/vmunix
.SH SEE ALSO
ipf(1), ipfstat(1)
diff --git a/sbin/ipfstat/kmem.c b/sbin/ipfstat/kmem.c
index d11cee49aa6..638fa1cc40a 100644
--- a/sbin/ipfstat/kmem.c
+++ b/sbin/ipfstat/kmem.c
@@ -19,9 +19,9 @@
#define KMEM "/dev/kmem"
-#ifndef lint
+#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static char rcsid[] = "$Id: kmem.c,v 1.5 1996/12/17 23:50:51 niklas Exp $";
+static char rcsid[] = "$Id: kmem.c,v 1.6 1997/02/11 22:23:44 kstailey Exp $";
#endif
static int kmemfd = -1;
@@ -38,7 +38,7 @@ int openkmem()
int kmemcpy(buf, pos, n)
register char *buf;
-u_long pos;
+long pos;
register int n;
{
register int r;
diff --git a/sbin/ipfstat/kmem.h b/sbin/ipfstat/kmem.h
index fad02f30aa6..f0b4c44f226 100644
--- a/sbin/ipfstat/kmem.h
+++ b/sbin/ipfstat/kmem.h
@@ -4,7 +4,7 @@
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
- * $Id: kmem.h,v 1.3 1996/07/18 05:08:10 dm Exp $
+ * $Id: kmem.h,v 1.4 1997/02/11 22:23:46 kstailey Exp $
*/
extern int openkmem();
diff --git a/sbin/ipnat/ipnat.1 b/sbin/ipnat/ipnat.1
index 3721e658f8f..f3221a76b5a 100644
--- a/sbin/ipnat/ipnat.1
+++ b/sbin/ipnat/ipnat.1
@@ -1,11 +1,15 @@
-.TH IPFNAT 1
+.TH IPNAT 1
.SH NAME
-ipnat - user interface to the NAT
+ipnat \- user interface to the NAT
.SH SYNOPSIS
-ipnat [-lnrsv] -f <\fIfilename\fP>
+.B ipnat
+[
+.B \-lnrsvCF
+]
+.B \-f <\fIfilename\fP>
.SH DESCRIPTION
.PP
-\fBipnat\fP opens the filename given (treating "-" as stdin) and parses the
+\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
file for a set of rules which are to be added or removed from the IP NAT.
.PP
Each rule processed by \fBipnat\fP
@@ -13,17 +17,29 @@ is added to the kernels internal lists if there are no parsing problems.
Rules are added to the end of the internal lists, matching the order in
which they appear when given to \fBipnat\fP.
.SH OPTIONS
-.IP -l
+.TP
+.B \-C
+delete all entries in the current NAT listing (NAT rules)
+.TP
+.B \-F
+delete all active entries in the current NAT table (currently active
+NAT mappings)
+.TP
+.B \-l
Show the list of current NAT table entry mappings.
-.IP -n
+.TP
+.B \-n
This flag (no-change) prevents \fBipf\fP from actually making any ioctl
calls or doing anything which would alter the currently running kernel.
-.IP -s
-retrieve and display NAT statistics
-.IP -r
-remove matching NAT rules rather than add them to the internal lists
-.IP -v
-turn verbose mode on. Displays information relating to rule processing.
+.TP
+.B \-s
+Retrieve and display NAT statistics
+.TP
+.B \-r
+Remove matching NAT rules rather than add them to the internal lists
+.TP
+.B \-v
+Turn verbose mode on. Displays information relating to rule processing.
.DT
.SH SEE ALSO
ipfstat(1), ipftest(1), ipf(1), ipnat(4), ipnat(5)
diff --git a/sbin/ipnat/ipnat.4 b/sbin/ipnat/ipnat.4
index 2b1723d9dc9..79ab09b5356 100644
--- a/sbin/ipnat/ipnat.4
+++ b/sbin/ipnat/ipnat.4
@@ -1,6 +1,6 @@
.TH IPNAT 4
.SH NAME
-ipnat - Network Address Translation kernel interface
+ipnat \- Network Address Translation kernel interface
.SH SYNOPSIS
#include <sys/ip_fil.h>
.SH IOCTLS
@@ -20,7 +20,7 @@ supported.
These ioctl's are implemented as being routing ioctls and thus the same rules
for the various routing ioctls and the file descriptor are employed, mainly
being that the fd must be that of the device associated with the module
-(ie /dev/ipl).
+(i.e., /dev/ipl).
.LP
.PP
The strcture used with the NAT interface is described below:
@@ -85,4 +85,4 @@ typedef struct natstat {
It would be nice if there were more flexibility when adding and deleting
filter rules.
.SH SEE ALSO
-ipnat(1), ipfstat(1), ipf(1), ipf(4), ipnat(5)
+ipfstat(1), ipf(1), ipnat(1), ipf(4), ipnat(5)
diff --git a/sbin/ipnat/ipnat.5 b/sbin/ipnat/ipnat.5
index 51fdbee0def..80d8054c7cc 100644
--- a/sbin/ipnat/ipnat.5
+++ b/sbin/ipnat/ipnat.5
@@ -1,7 +1,6 @@
-.LP
.TH IPNAT 5
.SH NAME
-ipnat - IP NAT file format
+ipnat \- IP NAT file format
.SH DESCRIPTION
The format for files accepted by ipnat is described by the following grammar:
.LP
@@ -65,6 +64,7 @@ so that all TCP/UDP packets were port mapped and only other protocols, such as
ICMP, only have their IP# changed.
.SH FILES
/etc/services
+.br
/etc/hosts
.SH SEE ALSO
-ipnat(1), ipf(5), ipnat(4)
+ipnat(1), ipf(5), ipnat(4), ipnat(5)
diff --git a/sbin/ipnat/ipnat.c b/sbin/ipnat/ipnat.c
index 80c1f9834d2..afc22306a2e 100644
--- a/sbin/ipnat/ipnat.c
+++ b/sbin/ipnat/ipnat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipnat.c,v 1.9 1997/02/07 20:06:44 kstailey Exp $ */
+/* $OpenBSD: ipnat.c,v 1.10 1997/02/11 22:24:20 kstailey Exp $ */
/*
* (C)opyright 1993,1994,1995 by Darren Reed.
*
@@ -42,7 +42,7 @@
#include <netinet/tcp.h>
#include <net/if.h>
#include "ip_fil_compat.h"
-#include "ip_fil.h"
+#include "ip_fil.h" /* XXX needed? */
#include <netdb.h>
#include <arpa/nameser.h>
#include <arpa/inet.h>
@@ -50,10 +50,10 @@
#include "ip_nat.h"
#include <ctype.h>
-#if 0
-#ifndef lint
+
+#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-#endif
+static char rcsid[] = "Id: ipnat.c,v 2.0.1.7 1997/01/30 12:02:32 darrenr Exp";
#endif
#if SOLARIS
@@ -63,13 +63,21 @@ static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
extern char *optarg;
extern int kmemcpy();
-void dostats(), printnat(), parsefile();
+void dostats(), printnat(), parsefile(), flushtable();
+
+#define OPT_REM 1
+#define OPT_NODO 2
+#define OPT_STAT 4
+#define OPT_LIST 8
+#define OPT_VERBOSE 16
+#define OPT_FLUSH 32
+#define OPT_CLEAR 64
void usage(name)
char *name;
{
- fprintf(stderr, "%s: [-lnrsv] [-f filename]\n", name);
+ fprintf(stderr, "%s: [-CFlnrsv] [-f filename]\n", name);
exit(1);
}
@@ -81,40 +89,48 @@ char *argv[];
char *file = NULL, c;
int fd, opts = 1;
- while ((c = getopt(argc, argv, "f:lnrsv")) != -1)
+ while ((c = getopt(argc, argv, "CFf:lnrsv")) != -1)
switch (c)
{
+ case 'C' :
+ opts |= OPT_CLEAR;
+ break;
case 'f' :
file = optarg;
break;
+ case 'F' :
+ opts |= OPT_FLUSH;
+ break;
case 'l' :
- opts |= 8;
+ opts |= OPT_LIST;
break;
case 'n' :
- opts |= 2;
+ opts |= OPT_NODO;
break;
case 'r' :
- opts &= ~1;
+ opts &= ~OPT_REM;
break;
case 's' :
- opts |= 4;
+ opts |= OPT_STAT;
break;
case 'v' :
- opts |= 16;
+ opts |= OPT_VERBOSE;
break;
default :
usage(argv[0]);
}
- if (((fd = open(IPL_NAME, O_RDWR)) == -1) &&
+ if (!(opts & OPT_NODO) && ((fd = open(IPL_NAME, O_RDWR)) == -1) &&
((fd = open(IPL_NAME, O_RDONLY)) == -1)) {
perror("open");
exit(-1);
}
+ if (opts & (OPT_FLUSH|OPT_CLEAR))
+ flushtable(fd, opts);
if (file)
parsefile(fd, file, opts);
- if (opts & 12)
+ if (opts & (OPT_LIST|OPT_STAT))
dostats(fd, opts);
return 0;
}
@@ -149,9 +165,10 @@ u_long ip;
}
-void printnat(np, verbose)
+void printnat(np, verbose, ptr)
ipnat_t *np;
int verbose;
+void *ptr;
{
int bits;
@@ -164,14 +181,20 @@ int verbose;
printf("/%s ", inet_ntoa(np->in_out[1]));
if (np->in_pmin)
printf("port %d ", ntohs(np->in_pmin));
- printf("-> %s", inet_ntoa(np->in_in[0]),
- ntohs(np->in_pnext));
- if (np->in_pmax)
- printf(" port %d", ntohs(np->in_pmax));
+ printf("-> %s", inet_ntoa(np->in_in[0]));
+ if (np->in_pnext)
+ printf(" port %d", ntohs(np->in_pnext));
+ if (np->in_flags & IPN_TCPUDP)
+ printf(" tcp/udp");
+ else if (np->in_flags & IPN_TCP)
+ printf(" tcp");
+ else if (np->in_flags & IPN_UDP)
+ printf(" udp");
printf("\n");
if (verbose)
- printf("\t%x %u %x %u", (u_int)np->in_ifp,
- np->in_space, np->in_flags, np->in_pnext);
+ printf("\t%x %u %x %u %x %d\n", (u_int)np->in_ifp,
+ np->in_space, np->in_flags, np->in_pnext, np,
+ np->in_use);
} else {
np->in_nextip.s_addr = htonl(np->in_nextip.s_addr);
printf("map %s %s/", np->in_ifname, inet_ntoa(np->in_in[0]));
@@ -186,16 +209,16 @@ int verbose;
printf("%d ", bits);
else
printf("%s", inet_ntoa(np->in_out[1]));
- if (np->in_port[0] || np->in_port[1]) {
+ if (np->in_pmin || np->in_pmax) {
printf(" portmap");
- if (np->in_flags & IPN_TCPUDP)
+ if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
printf(" tcp/udp");
else if (np->in_flags & IPN_TCP)
printf(" tcp");
else if (np->in_flags & IPN_UDP)
printf(" udp");
- printf(" %d:%d", ntohs(np->in_port[0]),
- ntohs(np->in_port[1]));
+ printf(" %d:%d", ntohs(np->in_pmin),
+ ntohs(np->in_pmax));
}
printf("\n");
if (verbose)
@@ -206,58 +229,87 @@ int verbose;
}
+/*
+ * Get a nat filter type given its kernel address.
+ */
+char *getnattype(ipnat)
+ipnat_t *ipnat;
+{
+ ipnat_t ipnatbuff;
+
+ if (ipnat && kmemcpy(&ipnatbuff, ipnat, sizeof(ipnatbuff)))
+ return "???";
+
+ return (ipnatbuff.in_redir == NAT_MAP) ? "MAP" : "RDR";
+}
+
+
void dostats(fd, opts)
int fd, opts;
{
natstat_t ns;
ipnat_t ipn;
- nat_t **nt, *np, nat;
- int i;
+ nat_t **nt[2], *np, nat;
+ int i = 0;
- if (ioctl(fd, SIOCGNATS, &ns) == -1) {
+ bzero((char *)&ns, sizeof(ns));
+
+ if (!(opts & OPT_NODO) && ioctl(fd, SIOCGNATS, &ns) == -1) {
perror("ioctl(SIOCGNATS)");
return;
}
- if (opts & 4) {
+
+ if (opts & OPT_STAT) {
printf("mapped\tin\t%lu\tout\t%lu\n",
ns.ns_mapped[0], ns.ns_mapped[1]);
printf("added\t%lu\texpired\t%lu\n",
ns.ns_added, ns.ns_expire);
printf("inuse\t%lu\n", ns.ns_inuse);
- if (opts & 16)
+ if (opts & OPT_VERBOSE)
printf("table %#x list %#x\n",
(u_int)ns.ns_table, (u_int)ns.ns_list);
}
- if (opts & 8) {
+ if (opts & OPT_LIST) {
+ printf("List of active MAP/Redirect filters:\n");
while (ns.ns_list) {
if (kmemcpy(&ipn, ns.ns_list, sizeof(ipn))) {
perror("kmemcpy");
break;
}
- printnat(&ipn, opts & 16);
+ printnat(&ipn, opts & OPT_VERBOSE, (void *)ns.ns_list);
ns.ns_list = ipn.in_next;
}
- nt = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE);
- if (kmemcpy(nt, ns.ns_table, sizeof(*nt) * NAT_SIZE)) {
+ nt[0] = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE);
+ if (kmemcpy(nt[0], ns.ns_table[0], sizeof(**nt) * NAT_SIZE)) {
perror("kmemcpy");
return;
}
+
+ printf("\nList of active sessions:\n");
+
for (i = 0; i < NAT_SIZE; i++)
- for (np = nt[i]; np; np = nat.nat_next) {
+ for (np = nt[0][i]; np; np = nat.nat_hnext[0]) {
if (kmemcpy(&nat, np, sizeof(nat)))
break;
- printf("%s %hu <- -> ",
+
+ printf("%s %-15s %-5hu <- ->",
+ getnattype(nat.nat_ptr),
inet_ntoa(nat.nat_inip),
ntohs(nat.nat_inport));
- printf("%s %hu %hu %hu %lx [",
+ printf(" %-15s %-5hu",
inet_ntoa(nat.nat_outip),
- ntohs(nat.nat_outport),
- nat.nat_age, nat.nat_use,
- nat.nat_sumd);
- printf("%s %hu]\n", inet_ntoa(nat.nat_oip),
+ ntohs(nat.nat_outport));
+ printf(" [%s %hu]", inet_ntoa(nat.nat_oip),
ntohs(nat.nat_oport));
+ printf(" %d %hu %lx", nat.nat_age,
+ nat.nat_use, nat.nat_sumd);
+#if SOLARIS
+ printf(" %lx", nat.nat_ipsumd);
+#endif
+ putchar('\n');
}
+ free(nt[0]);
}
}
@@ -356,7 +408,8 @@ char *line;
{
static ipnat_t ipn;
char *s, *t;
- char *shost, *snetm, *dhost, *dnetm, *proto, *dport, *tport;
+ char *shost, *snetm, *dhost, *proto;
+ char *dnetm = NULL, *dport = NULL, *tport = NULL;
int resolved;
bzero((char *)&ipn, sizeof(ipn));
@@ -498,13 +551,21 @@ char *line;
if (ipn.in_redir == NAT_MAP) {
ipn.in_inip = hostnum(shost, &resolved);
+ if (resolved == -1)
+ return NULL;
ipn.in_inmsk = hostmask(snetm);
ipn.in_outip = hostnum(dhost, &resolved);
+ if (resolved == -1)
+ return NULL;
ipn.in_outmsk = hostmask(dnetm);
} else {
ipn.in_inip = hostnum(dhost, &resolved); /* Inside is target */
+ if (resolved == -1)
+ return NULL;
ipn.in_inmsk = hostmask("255.255.255.255");
ipn.in_outip = hostnum(shost, &resolved);
+ if (resolved == -1)
+ return NULL;
ipn.in_outmsk = hostmask(snetm);
if (!(s = strtok(NULL, " \t"))) {
ipn.in_flags = IPN_TCP; /* XXX- TCP only by default */
@@ -516,12 +577,20 @@ char *line;
ipn.in_flags = IPN_UDP;
else if (!strcasecmp(s, "tcp/udp"))
ipn.in_flags = IPN_TCPUDP;
+ else if (!strcasecmp(s, "tcpudp"))
+ ipn.in_flags = IPN_TCPUDP;
else {
fprintf(stderr,
"expected protocol - got \"%s\"\n", s);
return NULL;
}
proto = s;
+ if ((s = strtok(NULL, " \t"))) {
+ fprintf(stderr,
+ "extra junk at the end of rdr: %s\n",
+ s);
+ return NULL;
+ }
}
ipn.in_pmin = portnum(dport, proto); /* dest port */
ipn.in_pmax = ipn.in_pmin; /* NECESSARY of removing nats */
@@ -540,6 +609,8 @@ char *line;
ipn.in_flags = IPN_TCP;
else if (!strcasecmp(s, "udp"))
ipn.in_flags = IPN_UDP;
+ else if (!strcasecmp(s, "tcpudp"))
+ ipn.in_flags = IPN_TCPUDP;
else if (!strcasecmp(s, "tcp/udp"))
ipn.in_flags = IPN_TCPUDP;
else {
@@ -585,10 +656,10 @@ int opts;
if (*line)
fprintf(stderr, "%d: syntax error in \"%s\"\n",
linenum, line);
- } else if (!(opts & 2)) {
- if ((opts &16) && np)
- printnat(np, opts & 16);
- if (opts & 1) {
+ } else if (!(opts & OPT_NODO)) {
+ if ((opts & OPT_VERBOSE) && np)
+ printnat(np, opts & OPT_VERBOSE, NULL);
+ if (opts & OPT_REM) {
if (ioctl(fd, SIOCADNAT, np) == -1)
perror("ioctl(SIOCADNAT)");
} else if (ioctl(fd, SIOCRMNAT, np) == -1)
@@ -598,3 +669,26 @@ int opts;
}
fclose(stdin);
}
+
+
+void flushtable(fd, opts)
+int fd, opts;
+{
+ int n = 0;
+
+ if (opts & OPT_FLUSH) {
+ n = 0;
+ if (!(opts & OPT_NODO) && ioctl(fd, SIOCFLNAT, &n) == -1)
+ perror("ioctl(SIOCFLNAT)");
+ else
+ printf("%d entries flushed from NAT table\n", n);
+ }
+
+ if (opts & OPT_CLEAR) {
+ n = 0;
+ if (!(opts & OPT_NODO) && ioctl(fd, SIOCCNATL, &n) == -1)
+ perror("ioctl(SIOCCNATL)");
+ else
+ printf("%d entries flushed from NAT list\n", n);
+ }
+}