diff --git a/contrib/ipfilter/BugReport b/contrib/ipfilter/BugReport
deleted file mode 100644
index 699483189012..000000000000
--- a/contrib/ipfilter/BugReport
+++ /dev/null
@@ -1,12 +0,0 @@
-Please submit this information at SourceForge using this URL:
-http://sourceforge.net/tracker/?func=add&group_id=169098&atid=849053
-
-Please also send an email to darrenr@reed.wattle.id.au.
-
-Some information that I generally find important:
---------------------------
-* IP Filter Version
-* Operating System and its Version
-* Configuration: (LKM or compiled-into-kernel)
-* Description of problem
-* How to repeat
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
deleted file mode 100644
index 8b67de7bfe47..000000000000
--- a/contrib/ipfilter/HISTORY
+++ /dev/null
@@ -1,1830 +0,0 @@ -# -# NOTE: Quite a few patches and suggestions come from other sources, to whom -# I'm greatly indebted, even if no names are mentioned. -# -# Thanks to the Coombs Computing Unit at the ANU for their continued support -# in providing a very available location for the IP Filter home page and -# distribution center. -# -# Thanks also to all those who have contributed patches and other code, -# and especially those who have found the time to port IP Filter to new -# platforms. -# -5.1.2 - RELEASED - 22 Jul 2012 - -3546266 macro letters could be more consistent -3546265 not all of the state statistics are displayed -3546261 scripts for updating BSD environment out of date -3546260 compiler warnings about non-integer array subscript -3546259 asserting numdereflists == 0 is not correct -3546258 expression matching does not see IPF_EXP_END -3544317 ipnat/ipfstat are not using ipfexp_t -3545324 proxy checksum calculation is not hardware aware -3545321 FTP sequence number adjustment incorrectly applied -3545320 EPSV is not recognised -3545319 move nat rule creation to ip_proxy.c -3545317 better feedback of checksum requirements for proxies -3545314 ftp proxy levels do not make sense -3545312 EPRT is not supported by ftp proxy -3544318 ipnat.conf parsing ignores LHS address family -3545309 non-ipv6 safe proxies do not fail with ipv6 -3545323 NAT updates the source port twice -3545322 ipv6 nat rules cannot start proxies -3544314 bucket copyout tries to copy too much data -3544313 remove nat encap feature -3546248 compat rule pointer type mismatch -3546247 UDP hardware checksum offload not recognised -3545311 ifp_ifaddr does not find the first set address -3545310 ipmon needs ipl_sec on 64bit boundary -3545326 reference count changes made without lock -3544315 stateful matching does not use ipfexp_t -3543493 tokens are not flushed when disabled -3543487 NAT rules do not always release lookup objects -3543491 function comments in ip_state.c are old -3543404 
ipnat.conf parsing uses family/ip version badly -3543403 incorrect line number printed in ipnat parsing errors -3543402 Not all NAT statistics are printed -3542979 NAT session list management is too simple -3542978 ipv4 and ipv6 nat insert have common hash insertion -3542977 ipnat_t refence tracking incomplete -3542975 proxies must use ipnat_t separately -3542980 printing ipv6 expressions is wrong -3542983 ippool cannot handle more than one ipv6 address -3543018 mask array shifted incorrectly. -3542974 reason for dropping packet is lost -3542982 line numbers not recorded/displayed correctly by ipf -3542981 exclamation mark cuases trouble with pools -3541655 test suite checksums incorrect -3541653 display proxy fail status correctly -3540993 IP header offset excluded in pullup calculations -3540994 pullupmsg does not work as required -3540992 pointer to ipv6 frag header not updated on pullup -3541645 netmask management adds /32 for /0 -3541637 ipnat parser does not zero port fields for non-port protocol -3541635 pool names cannot by numbers -3540995 IPv6 fragment tracking does not always work -3540996 printing of nextip for ipv6 nat rules is wrong -3540999 ipnat.conf parsing has trouble with icmpidmap for ipv6 -3540825 whois output parsing error for ipv6 -3540814 ipfd_lock serves no purpose -3540810 lookup objects need tail pointers -3540809 refactor hash table lookups for nat -3540819 radix tree does not work with ipv6 -3540820 mutex emulation should be logged -3540828 ipfstat filtering with -m fails tests -3536480 ippool could be more like the others -3536477 pool printing not uniform -3536483 flushing empty destination lists causes panic -3536481 more use of bzero after KMALLOC required -3536479 ipnat.conf line numbers not stored -3536484 Makefile missing dependency for ippool -3536199 TFTP proxy requires something extra -3536198 ICMP checksum out by one -3536203 ipnat does not return an error -3536201 ipf.conf parsing too address friendly -3536200 printing of 
bytes/packets not indented -3497941 ipv4 multicast detection incorrect on little endian -3535361 to interfaces printed out of order -3535363 ipf parser is inconsistent -3532306 deleting ipnat rules does not work -3532054 new error required for ipf_rx_create -3532053 icmp6 checksums wrong -3532052 icmpv6 state check with incorrect length -3531871 checksum verification wants too many icmp6 bytes -3531870 ipnat.conf parsing needs to support inet6 -3532048 error in ipf group parsing -3531868 ICMPV6 checksum not validated -3531893 ipftest exits without error for bad input -3531890 whois pool parsing builds bad structures -3531891 icmpv6 text parsing ignorant of icmp types -3531653 rewrite with icmp does not work -3530563 NAT operations fail with EPERM -3530544 first pass at gcc -Wextra cleanup -3530540 lookup create functions do not set error properly -3530539 ipf_main_soft_destroy doesn't need 2nd arg -3530541 reorder structure for better packing -3530543 ipnat purge needs documentation -3530515 BSD upgrade script required -3528029 ipmon bad-mutex panic -3530247 loading address pools light on input validation -3530255 radix tree delete uses wrong lookup -3530254 radix tree allocation support wrong -3530264 ipmon prints qd for some 64bit numbers -3530260 decapsulate rules not printed correctly. 
-3530266 ipfstat -v/-d flags confused -2939220 why a packet is blocked is not discernable -2939218 output interface not recorded -2941850 use of destination lists with to/dup-to beneficial -3457747 build errors introduced with radix change -3535360 timeout groups leak -3535359 memory leak with tokens -3535358 listing rules in groups requires tracking groups -3535357 rule head removal is problematic -3530259 not all ioctl error checked wth SIOCIPFINTERROR -3530258 error routine that uses fd required -3530253 inadequate function comment blocks -3530249 walking lookup tables leaks memory -3530241 extra lock padding required for freebsd -3529901 ipf returns 0 when rules fail to load -3529491 checksum validation could be better -3529486 tcp checksum wrong for ipv6 -3533779 ipv6 nat rules missing inet6 keyword -3532693 ipnat.conf rejects some ipv6 addresses -3532691 ipv4 should not be forced for icmp -3532689 ipv6 nat rules do not print inet6 -3532688 ipv6 address always printed with "to " -3532687 with v6hdrs not supported like with ipopts -3532686 ipf expressions do not work with ipv6 -3540825 whois output parsing error for ipv6 -3540818 NAT for certain IPv6 ICMP packets should not be allowed -3540815 memory leak with destination lists -3540814 ipfd_lock serves no purpose -3540810 lookup objects need tail pointers -3540809 refactor hash table lookups for nat -3540808 completed tokens do not stop iteration -3530492 address hash table name not used -3528029 ipmon bad-mutex panic -3530256 hook memory leaked -3530271 pools parsing produces badly formed address structures -3488061 cleanup for illumos build -3484434 SIOCIPFINTERROR must work for all devices -3484067 mandoc -Tlint warnings to be fixed -3483343 compile warning in ipfcomp.c -3482893 building without IPFILTER_LOG fails -3482765 building netbsd kernel without inet6 fails -3482116 ipf_check frees packet from ipftest -3481663 does not compile on solaris 11 - -5.1.1 - RELEASED - 9 May 2012 - -3481322 ip_fil_compat.c 
needs a cleanup -3481211 add user errors to dtrace -3481152 compatibility for 4.1 needs more work -3481153 PRIu64 problems on FreeBSD -3481155 ipnat listing incorrect -3480543 change leads to compat problems -3480538 compiler errors from earlier patch -3480537 ipf_instance_destroy is incomplete -3480536 _fini order leads to panic -3479991 compiler warnings about size mismatches -3479974 copyright dates are wrong (fix) -3479464 add support for leaks testing -3479457 %qu is not the prefered way -3479451 iterators leak memory -3479453 nat rules with pools leak -3479454 memory leak in hostmap table -3479461 load_hash uses memory after free -3479462 printpool leaks memory -3479452 missing FREE_MB_T to freembt leaks -3479450 ipfdetach is called when detached -3479448 group mapping rules memory leak -3479455 memory leak from tuning -3479458 ipf must be running in global zone -3479460 driver replace is wrong -3479459 radix tree tries to free null pointer -3479463 rwlock emulation does not free memory -3479465 parser leaks memory -3475959 hardware checksum not correctly used -3475426 ip pseudo checksum wrong -3473566 radix tree does not delete dups right -3472987 compile is not clean -3472337 not everything is zero'd -3472344 interface setup needs to be after insert -3472340 wildcard counter drops twice -3472338 change fastroute interface -3472335 kernel lock defines not placed correctly -3472324 ICMP INFOREQ/REPLY not handled -3472330 multicast packets tagged by address -3472333 ipf_deliverlocal called incorrectly -3472345 mutex debug could be more granular -3472761 building i19 regression is flawed -3456457 use of bsd tree.h needs to be removed -3460522 code cleanup required for building on freebsd -3459734 trade some cpu for memory -3457747 build errors introduced with radix change -3457804 build errors from removal of pcap-int,h -3440163 rewrite radix tree -3428004 snoop, tcpdump, etherfind readers are unused -3439495 ipf_rand_push never called (fix brackets) -3437732 
getnattype does not need to use ipnat_t (fix variable name) -3437696 fr_cksum is a nightmare -3439061 ipf_send_ip doesn't need 3rd arg -3439059 ipid needs to be file local -3437740 complete buildout of fnew -3438575 add dtrace probes to block events -3438347 comment blocks missing softc -3437687 description of ipf_makefrip wrong -3438340 more stats as dtrace probes -3438316 free on nat structure uses fixed size -3437745 nat iterator using the wrong size -3437710 fail checksum verification if packet is short -3437696 fr_cksum is a nightmare -3437732 getnattype does not need to use ipnat_t -3437735 rename ipf_allocmbt to allocmbt -3437697 fr_family to version assignment is wrong -3437746 ap_session_t has unused fields -3437747 move softc structure to .h file (ip_state.c) -3437704 there is no DTRACE_PROBE5 -3437748 wrong interface in qpktinfo_t -3437729 create function to hexdump mb_t -3438273 msgdsize should be easier to read -3437683 object direction not set for 32bit -3433767 calling ip_cksum could be easier -3433764 left over locking -3428015 printing proxy data size is useless -3428013 add M_ADJ to hide adjmsg/m_adj -3428012 interface name is not always returned correctly -3428002 ip_ttl is too low -3427997 ipft readers do not set buffer length -3426558 resistence is futile -3424495 various copy-paste errors -1826936 shall we allow ipf to be as dumb as its admin -3424477 specfuncs needs to go -3424484 missing fr_checkv6sum -3424478 one entry at a time -2998760 auth rules do not mix well with to/dup-to/fastroute -3424195 add ctfmerge to sunos5 makefile -3424132 some dtrace probes to start with -3423812 makefile needs ip_frag.h for some files -3423817 reference count useful in verbose output -3423800 walking lists does not drop reference -3423805 fragmentation stats not reported correclty -3423808 ip addresses reportied incorrectly with ipfstat -f -3423821 track packets and bytes for fragmentation -3423803 attempt to double free rule -3423805 fragmentation stats 
not reported correctly -3422712 system panic with ipfstat -f -3422619 pullup counter bumped for every packet -3422608 dummy rtentry required to build -3422018 frflush next to ipf_fini_all is redundant -3422012 instance cleanup is not clean -3421845 instance name not set -3005622 ip_fil5.1.0 does not load on Solaris 10 U8 -2976332 stateful filtering is incompatible with ipv4 options -3387509 ipftest needs help construction ip packets with options -2998746 passp can never be null -3064034 mbuf clobbering problem with ipv6 -3105725 ipnat divide by zero panic -2998750 ipf_htent_insert can leak memory -3064034 mbuf clobbering problem with ipv6 -3105725 ipnat divie by zero panic - -5.1 - RELEASED - 9 May 2010 - -* See WhatsNew50.txt - -4.1 - RELEASED - 12 February 2004 - -4.0-BETA1 20 August 2003 - -support 0/32 and 0/0 on the RHS in redirect rules - -where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping -for bimap rules. - -allow NAT rule to match 'all' interfaces with * as interface name - -do mapping of ICMP sequence id#'s in pings - -allow default age for NAT entries to be set per NAT rule - -provide round robin selection of destination addresses for redirect - -ipmon can load a configuration file with instructions on actions -to take when a matching log entry is received - -now requires pfil to work on Solaris & HP-UX - -supports mapping outbound connections to a specific address/port - -support toggling of logging per ipfilter 'device' - -use queues to expire data rather than lists - -add MSN RPC proxy - -add IRC proxy - -support rules with dynamic ip addresses - -add ability to define a pool of addresses & networks which can then -be placed in a single rule - -support passing entire packet back to user program for authentication - -support master/slave for state information sharing - -reorganise generic code into a lib directory and make libipf.a - -user programs enforce version matching with the kernel - -supports window scaling if seen at TCP 
session setup - -generates C code from filter rules to compile in or load as native -machine code. - -supports loading rules comprised of BPF bytecode statements - -HP-UX 11 port completed - -and packets-per-second filtering - -add numerical tags to rules for filtering and display in ipmon output - -3.4.4 23/05/2000 - Released - -don't add TCP state if it is an RST packet and (attempt) to send out -RST/ICMP packets in a manner that bypasses IP Filter. - -add patch to work with 4.0_STABLE delayed checksums - -3.4.3 20/05/2000 - Released - -fix ipmon -F - -don't truncate IPv6 packets on Solaris - -fix keep state for ICMP ECHO - -add some NAT stats and use def_nat_age rather than DEF_NAT_AGE - -don't make ftp proxy drop packets - -use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be -swapped back. - -fix up RST generation for non-Solaris - -get "short" flag right for IPv6 - -3.4.2 - 10/5/2000 - Released - -Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun - -ignore previous NAT mappings for 0/0 and 0/32 rules - -bring in a completely new ftp proxy - -allow NAT to cause packets to be dropped. 
- -add NetBSD callout support for 1.4-current - -3.4.1 - 30/4/2000 - Released - -add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX - -don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined - -Solaris must use copyin() for all types of ioctl() args - -fix up screen/tty when leaving "top mode" of ipfstat - -linked list for maptable not setup correctly in nat_hostmap() - -check for maptable rather than nat_table[1] to see if malloc for maptable -succeeded in nat_init - -fix handling of map NAT rules with "from/to" host specs - -fix printout out of source address when using "from/to" with map rules - -convert ip_len back to network byte order, not plen, for solaris as ip_len -may have been changed by NAT and plen won't reflect this - -3.4 - 27/4/2000 - Released - -source address spoofing can be turned on (fr_chksrc) without using -filter rules - -group numbers are now 32bits in size, up from 16bits - -IPv6 filtering available - -add frank volf's state-top patches - -add load splitting and round-robin attribute to redirect rules - -FreeBSD-4.0 support (including KLD) - -add top-style operation mode for ipfstat (-t) - -add save/restore of IP Filter state/NAT information (ipfs) - -further ftp proxy security checks - -support for adding and removing proxies at runtime - -3.3.13 26/04/2000 - Released - -Fix parsing of "range" with "portmap" - -Relax checking of ftp replies, slightly. - -Fix NAT timeouts for ICMP packets - -SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de) - -3.3.12 16/03/2000 - Released - -tighten up ftp proxy behaviour. sigh. yuck. hate. - -fix bug in range check for NAT where the last IP# was not used. - -fix problem with icmp codes > 127 in filter rules caused bad things to -happen and in particular, where #18 caused the rule to be printed -erroneously. - -fix bug with the spl level not being reset when returning EIO from -iplioctl due to ipfilter not being initialized yet. 
- -3.3.11 04/03/2000 - Released - -make "or-block" work with lines that start with "log" - -fix up parsing and printing of rules with syslog levels in them - -fix from Cy Schubert for calling of apr_fini only if non-null - - -3.3.10 24/02/2000 - Released - -* fix back from guido for state tracking interfaces - -* update for NetBSD pfil interface changes - -* if attaching fails and we can abort, then cleanup when doing so. - -julian@computer.org: -* solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp. -* ipf.c (packetlogon): use flag to store the return value from get_flags. -* ipmon.c (init_tabs): General cleanup so we do not have to cast - an int s->s_port to u_int port and try to check if the u_int port - is less than zero. - -3.3.9 15/02/2000 - Released - -fix scheduling of bad locking in fr_addstate() used when we attach onto -a filter rule. - -fix up ip_statesync() with storing interface names in ipstate_t - -fix fr_running for LKM's - Eugene Polovnikov - -junk using pullupmsg() for solaris - it's next to useless for what we -need to do here anyway - and implement what we require. - -don't call fr_delstate() in fr_checkstate(), when compiled for a user -program, early but when we're finished with it (got fr & pass) - -ipnat(5) fix from Guido - -on solaris2, copy message and use that with filter if there is another -copy if it being used (db_ref > 1). bad for performance, but better -than causing a crash. - -patch for solaris8-fcs compile from Casper Dik - -3.3.8 01/02/2000 - Released - -fix state handling of SYN packets. - -add parsing recognition of extra icmp types/codes and fix handling of -icmp time stamps and mask requests - Frank volf - -3.3.7 25/01/2000 - Released - -sync on state information as well as NAT information when required - -record nat protocol in all nat log records - -don't reuse the IP# from an active NAT session if the IP# in the rule -has changed dynamically. 
- -lookup the protocol for NAT log information in ipmon and pass that to -portname. - -fix the bug with changing the outbound interface of a packet where it -would lead to a panic. - -use fr_running instead of ipl_inited. (sysctl name change on freebsd) - -return EIO if someone attempts an ioctl on state/nat if ipfilter is not -enabled. - -fix rule insertion bug - -make state flushing clean anything that's not fully established (4/4) - -call fr_state_flush() after we've released ipf_state so we don't generate -a recursive mutex acquisition panic - -fix parsing of icmp code after return-icmp/return-icmp-as-dest and add -some patches to enhance parsing strength - -3.3.6 28/12/1999 - Released - -add in missing rwlock release in fr_checkicmpmatchingstate() and fix check -for ICMP_ECHO to only be for packet, not state entry which we don't have yet. - -handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl() - -fix size of friostat for SunOS4 - -fix bug in running off the end of a buffer in real audio proxy - -3.3.5 11/12/1999 - Released - -fix parsing of "log level" and printing it back out too - - is only present on Solaris2.6/7/8 - -use send_icmp_err rather than icmp_error to send back a frag-needed error -when doing PMTU - -do not use -b with add_drv on Solaris unless $BASEDIR is set. - -fix problem where source address in icmp replies is reversed - -fix yet another problem with real audio. - -3.3.4 4/12/1999 - Released - -fix up the real audio proxy to properly setup state information and NAT -entries, thanks to Laine Stump for testing/advice/fixes. - -fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent -FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this -routine. - -fix kinstall for BSDI - -support ICMP errors being allowed through for ICMP packets going out with -keep state enabled - -support hardware checksumming (gigabit ethernet cards) on Solaris thanks to -Tel.Net Media for providing hardware for testing. 
- -patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing -ICMP responses to ICMP packets in the keep state table. - -add in patches for hardware checksumming under solaris - -Solaris install scripts now use $BASEDIR as appropriate. - -add Solaris8 support - -fix "ipf -y" on solaris so that it rescans rules also for changes in -interface pointers - -let ipmon become a daemon with -D if it is using syslog - -fix parsing of return-icmp-as-dest(foo) - -add reference to ipfstat -g to ipfstat.8 - -ipf_mutex needs to be declared for irix in ip_fil.c - -3.3.3 22/10/1999 - Released - -add -g command line option to ipfstat to show groups still define. - -fix problem with fragment table not recording rule pointer when called -from state functions (fin_fr not set). - -fixup fastroute problems with keep state rules. - -load rules into inactive set first, so we don't disable things like NIS -lookups half way through processing - found by Kevin Littlejohn - -fix handling of unaligned ip pointer for solaris - -patch for fr_newauth from Rudi Sluijtman - -fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short - -3.3.2 23/09/1999 - Released - -patches from Scott Presnell to fix rcmd proxy - -patches from Greg to fix Solaris detachment of interfaces - -add openbsd compatibility fixes - -fix free'ing already freed memory in ipfr_slowtimer() - -fix for deferencing invalid memory in cleaning up after a device disappears - -3.3.1 14/8/1999 - Released - -remove include file sys/user.h for irix - -prevent people from running buildsunos directly - -fix up some problems with the saving of rule pointers so that NAT saves -that information in case it should need to call fr_addstate() from a proxy. 
- -fix up scanning for the end of FTP messages - -don't remove /etc/opt/ipf in postremove - -attempt to prevent people running buildsolaris script without doing a -"make solaris" - -fix timeout losing on freebsd3 - -3.3 7/8/1999 - Released - -NAT: information (rules, mappings) are stored in hash tables; setup some -basic NAT regression testing. - -display version name of installed kernel code when initializing. - -add -V command line option to ipf, showing version (program and kernel -module) as well as the run-status of the kernel code. - -fix problem with "log" rules actually affecting result of filtering. - -automatically use SUNWspro if available and on a 64bit Solaris system for -compiling. - -add kernel proxies for rcmd(3) and RealAudio (PNA) - -use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking -ip_slowtimo - -fix IP headers generated through parsing of text information - -fix NAT rules to be in the correct order again. - -make keep-state work with to/fastroute keywords and enforce usage of those -interfaces. - -update keep-state code with new algorithm from Guido - -add FreeBSD-3 support - -add return-icmp-as-dest option to retrun an ICMP packet using the original -destination as the source rather than a local IP address - -add "level [facility.]" option to filter language - -add changes from Guido to state code. - -add code to return EPERM if the device is opened for writing and we're -in securelevel 2 or greater. - -authentication code patches from Guido - -fix real audio proxy - -fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon -log output. - -fix bimap rules with hash tables - -update addresses used in NAT mappings for 0/32 rules for any protocol but TCP -if it changes on the interface - check every ip_natexpire() - -add redirect regression test - -count buckets used in the state hash table. 
- -fix sending of RST's with return-rst to use the ack number provided in -the packet being replied to in addition to the sequence number. - -fix to compile as a 64bit application on solaris7-64bit - -add NAT IP mapping to ranges of IP addresses that aren't CIDR specified - -fix calculation of in_space parameter for NAT - -fix `wrapping' when incrementing the next ip address for use in NAT - -fix free'ing of kernel memory in ip_natunload on solaris - -fix -l/-U command line options from interfering with each other - -fix fastroute under solaris2 and cleanup compilation for solaris7 - -add install scripts and compile cleanly on BSD/OS 4.0 - -safely open files in /tmp for writing device output when testing. - -fix uninitialized pointer bug in NAT - -fix SIOCZRLST (zero list rule stats) bug with groups - -change some usage of u_short to u_int in function calling - -fix compilation for Solaris7 (SUNWspro) - -change solaris makefiles to build for either sparc or i386 rather than -per-cpu (sun4u, etc). - -fixed bug in ipllog - -add patches from George Michaelson for FreeBSD 3.0 - -add patch from Guido to provide ICMP checking for known state in the same -manner as is done for NAT. - -enable FTP PASV proxying and enable wildcarding in NAT/state code for ports -for better PORT/PASV support with FTP. - -bring into main tree static nat features: map-block and "auto" portmapping. - -add in source host filtering for redirects (alan jones) - -3.2.10 22/11/98 - Released - -3.2.10beta9 17/11/98 - Released - -fix fr_tcpsum problems in handling mbufs with an odd number of bytes -and/or split across an mbuf boundary - -fix NAT list entry comparisons and allow multiple entries for the same -proxy (but on different ports). - -don't create duplicate NAT entries for repeated PORT commands. 
- -3.2.10beta8 14/11/98 - Released - -always exit an rwlock before expecting to enter it again on solaris - -fix loop in nat_new for pre-existing nat - -don't setup state for an ftp connection if creating nat fails. - -3.2.10beta7 05/11/98 - Released - -set fake window in ipft_tx.c to ensure code passes tests. - -cleaned up/enhanced ipnat -l/ipnat -lv output - -fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned. - -Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather -than mutexes. - -3.2.10beta6 03/11/98 - Released - -fix mixed use of krwlock_t and kmutex_t on Solaris2 - -fix FTP proxy back up, splitting pasv code out of port code. - -3.2.10beta5 02/11/98 - Released - -fixed port translation in ICMP reply handling - -3.2.10beta4 01/11/98 - Released - -increase useful statistic collection on solaris - -filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris - -disable PASV reply translation for now - -fail with an error if we try to load a NAT rule with a non-existant - proxy name - Guido - -fix portmap usage with 0/0 and 0/32 map rules - -remove ap_unload/ap_expire - automatically done when NAT is cleaned up - -print "STATE:CLOSED" from ipmon if the connection progresses past established - rather than "STATE:EXPIRED" - -3.2.10beta3 26/10/98 - Released - -fixed traceroute/nat problem - -rewrote nat/proxy interface - -ipnat now lists associated proxy sessions for each NAT where applicable - -3.2.10beta2 13/10/98 - Released - -use KRWLOCK_T in place of krwlock_t for solaris as well as irix - -disable use of read-write lock acquisition by default - -add in mb_t for linux, non-kernel - -some changes to progress compilation on linux with glibc - -change PASV as well as PORT when passed through kernel ftp proxy. - -don't allow window to become 0 in tcp state code - -make ipmon compile cleaner - -irix patches - -3.2.10beta 11/09/98 - Released - -stop fr_tcpsum() thinking it has run out of data when it hasn't. 
- -stop solaris panics due to fin_dp being something wild. - -revisit usage of ATOMIC_*() - -log closing state of TCP connection in "keep state" - -fix fake-arp table code for ipsend. - -ipmon now writes pid to a file. - -fix "ipmon -a" to actually activate all logging devices. - -add patches for BSDOS4. - -perl scripts for log analysis donated. - -3.2.9 22/06/98 - Released - -fix byte order for ICMP packets generated on Solaris - -fix some locking problems. - -fix malloc bug in NAT (introduced in 3.2.8). - -patch from guido for state connections that get fragmented - -3.2.8 08/06/98 - Released - -use readers/writers locks in Solaris2 in place of some mutexes. - -Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se) - -3.2.7 24/05/98 - Released - -u_long -> u_32_t conversions - -patches from Bernd Ernesti for NetBSD - -fixup ipmon to actually handle HUP's. - -Linux fixes from Michael H. Warfield (mhw@wittsend.com) - -update for keep state patch (not security related) - Guido - -dumphex() uses stdout rather than log - -3.2.6 18/05/98 - Released - -fix potential security loop hole in keep state code. - -update examples. - -3.2.5 09/05/98 - Released - -BSD/OS 3.1 .o files added for the kernel. - -fix sequence # skew vs window size check. - -fix minimum ICMP header size check. - -remove references to Cybersource. - -fix my email address. 
- -remove ntohl in ipnat - Thomas Tornblom - -3.2.4 09/04/98 - Released - -add script to make devices for /dev on BSD boxes - -fixup building into the kernel for FreeBSD 2.2.5 - -add -D command line option to ipmon to make it a daemon and SIGHUP causes -it to close and reopen the logfile - -fixup make clean and make package for SunOS5 - Marc Boucher - -postinstall keeps adding "minor=ipf ipl" - George Ross - -protected by IP Filter gif - Sergey Solyanik - -3.2.3 10/11/97 - Released - -fix some iplang bugs - -fix tcp checksum data overrun, sgi #define changes, -avoid infinite loop when nat'ing to single IP# - Marc Boucher - -fixup DEVFS usage for FreeBSD - -fix sunos5 "make clean" cleaning up too much - -3.2.2 28/11/97 - Released - -change packet matching to return actual error, if bad packet, to facilitate -ECONNRESET for TCP. - -allow ip:netmask in grammar too now - Guido - -assume IRIX has u_int32_t in sys/types.h (needed for R10000) - -rewrite parts of command line options for ipmon - -fix TCP urgent packet & offset testing and add LAND attack test for iptest - -fix grammar error in yacc grammar for iplang - -redirect (rdr) destination port bytes-wapped when it shouldn't be. - -general: fr_check now returns error code, such as EHOSTUNREACH or -ECONNRESET (attempt to make ECONNRESET work for locally outbound -packets). - -linux: enable return-rst, need to filter tcp retransmits which are sent - separately from normal packets - -memory leak plugged in ip_proxy.c - -BSDI compatibility patches from Guido - -tcp checksum fix - Marc Boucher - -recursive mutex and ioctl param fix - Marc Boucher - -3.2.1 12/11/97 - Released - -port to BSD/OS 3.0 - -port to Linux 2.0.31 - -patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher - -add "ipf -F s" and "ipf -F S" to flush state table entries. - -announce if logging is on or off when ip filter initializes. - -"ipf -F a" doesn't flush groups properly for Solaris. 
- -3.2 30/10/97 - Released - -ipnat doesn't successfully remove proxy mappings with "-rf" - -Alexander Romanyu - -use K&R C function style for solaris kernel code - -use m_adj() to decrease packet size in ftp proxy - -use mbufchainlen rather than msgdsize, -IRIX update - Marc Boucher - -fix NetBSD modunload bug (pfil_add_hook done twice) - -patches for OpenBSD 2.1 - Craig Bevins - -3.2beta10 24/10/97 - Released - -fix fragment table entries allocated for NAT. - -fix tcp checksum calculations over mbuf/mblk boundaries - -fix panic for blen < 0 in ftp kernel proxy - marc boucher - -fix flushing of rules which have been grouped. - -3.2beta9 20/10/97 - Released - -some nit picking on solaris2 with SUNWspro - Michael Lyle - -ftp kernel proxy patches from Marc Boucher - -3.2beta8 13/10/97 - Released - -add support for passing ICMP errors back through NAT. - -IRIX port update - Marc Boucher - -calculate correct MIN size of packet to log for UDP - Marc Boucher - -need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang - -copyright header fixups - -3.2beta7 23/09/97 - Released - -fickup problems introduced by prior merges & changes. - -3.2beta6 23/09/97 - Released - -patch for spin-reading race condition - Marc Boucher. - -IRIX port by Marc Boucher. - -compatibility updates for Linux to ipsend - -3.2beta5 13/09/97 - Released - -patches from Bernd Ernesti for NetBSD integration (mostly prototyping and -compiler warning things) - -ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it -changes. - -update manual pages and other documentation updates. - -3.2beta4 27/8/97 - Released - -enable setting IP and TCP options for iplang/ - -Solaris2 patches from Marc Boucher. - -add groups for filter rules. 
- -3.2beta3 21/8/97 - Released - -patches for Solaris2 (interface panic solution ?): fix FIONREAD and -replacing q_qinfo points - Marc Boucher - -change ipsend/* and ipsd/* copyright notices to be the same as ip filter's - -patch for SYN-ACK skew testing fix from Eric V. Smith - -3.2beta2 6/8/97 - Released - -make it load on Solaris 2.3 - -rewrote logging to remove solaris errors, introduced checking to see if the -same packet is logged successively. - -fix filter cache to work when there are no rules loaded. - -add "raw" option to ipresend to send entire ethernet frames. - -nat list corruption bug - NetBSD - Klaus Klein - -3.2beta1 5/7/97 - Released - -patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits -lossage, and other NetBSD bits. - -NetBSD 1.2G update. - -fixup fwtk patches and add protocol field for SIOCGNATL. - -rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with -fixes: -* rdr matched all packets of a given protocol (ignored ports). -* severe bug in nat_delete which caused system crash/freeze. - -change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use -the default CC - cc, not gcc) - -3.2alpha9 16/6/97 - Released - -added "skip" keyword. - -implement preauthentication of packets, as outlined by Guido. - -Make it compile as cleanly as possible with -Wall & general code cleanup - -getopt returns int, not char. Bernd Ernesti - -3.2alpha8 13/6/97 - Released - -code added to support "auth" rules which require a user program to allow them -through. First revision and much of the code came from Guido. - -hex output from ipmon doesn't goto syslog when recovering from out of sync -error. Luke Mewburn (lukem@connect.com.au) - -fix solaris2.6 lookup of destination ire's. - -ipnat doesn't throw away unused bits (after masking), causing it to -behave incorrectly. 
Carson Gaspar - -NAT code doesn't include inteface name when matching - Alexey Mavrin - - -replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe. - -update install procedures to include ip_proxy.c - -mask out unused bits in NAT/RDR rules. - -use a generic type (u_32_t) for 32bit variables, rather than rely on -u_long being such - Jason Thorpe. - -create a local "netinet" directory and include from ~netinet/*" rather than -just "*" to make keeping the code working on ports easier. - -add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions) - -documentation updates. - -NetBSD update from Jason Thorpe - -allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij - -ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram - - -3.2alpha7 25/5/97 - Released - -add strlen for pre-2.2 kernels - Doug Kite - -setup bits and pieces for compiling into a FreeBSD-2.2 kernel. - -split up "bsd" targets. Now a separate netbsd/freebsd/bsd target. -mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd). - -fix (negative) host matching in filtering. - -add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels -or later. - -make all the candidates for kernel compiling include "netinet/..." and build -a subdirectory "netinet" when compiling and symlink all .h files into this. - -add install make target to Makefile.ipsend - -3.2alpha6 8/5/97 - Released - -Add "!" (not) to hostname/ip matching. - -Automatically add packet info to the fragment cache if it is a fragment -and we're translating addreses for. - -Automatically add packet info to the fragment cache if it is a fragment -and we're "keeping state" for the packet. - -Solaris2 patches - Anthony Baxter (arb@connect.com.au) - -change install procedure for FreeBSD 2.2 to allow building to a kernel -which is different to the running kernel. - -add FIONREAD for Solaris2! 
- -when expiring NAT table entries, if we would set a time to fr_tcpclosed -(which is 1), make it fr_tcplaskack(20) so that the state tables have a -chance to clear up. - -3.2alpha5 - -add proxying skeleton support and sample ftp transparent proxy code. - -add printfs at startup to tell user what is happening. - -add packets & bytes for EXPIRE NAT log records. - -fix the "install-bsd" target in the root Makefile. Chris Williams - - -Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange. - -3.2alpha4 2/4/97 - Released - -Some compiler warnings cleaned up. - -FreeBSD-2.2 patches for LKM completed. - -3.2alpha3 31/3/97 - Released - -ipmon changes: -N for reading NAT logfile, -S for reading state logfile. --a for reading all. -n now toggles hostname resolution. - -Add logging of new state entries and expiration of old state entries. -count log successes and failures. - -Add logging of new NAT entries and expiration of old NAT entries. -count log successes and failures. - -Use u_quad_t for records of bytes & packets where kept -(IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes). - -Fixup use of CPU and DCPU in Makefiles. - -Fix broken 0/32 NAT mapping. Carl Makin - -3.2alpha2 - -Implement mapping to 0/32 as being an alias for automatically using the -interface's first IP address. - -Implement separate minor devices for both NAT and IP state code. - -Fully prototype all functions. - -Fix Makefile problem due to attempt to fix Sun compiling problems. - -3.1.10 23/3/97 - Released - -ipfstat -a requires a -i or -o command line option too. Print an error -when not present rather than attempt to do something. - -patch updates for SunOS4 for kernel compiling. -patch for ipmon -s (flush's syslog file which isn't good). Andrew J. Schorr - - -too many people hit their heads hard when compiling code into the kernel -that doesn't let any packets through. 
(fil.c - IPF_NOMATCH) - -icmp-type parsing doesn't return any errors when it isn't constructed -correctly. Neil Readwin - -Using "-conf" with modload on SunOS4 doesn't work. -Timothy Demarest - -Need to define ARCH in makefile for SunOS4 building. "make sunos4" -in INSTALL.SunOS is incorrect. James R Grinter -[all SunOS targets now run buildsunos] - -NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP -information. ArkanoiD - -Need to check for __FreeBSD_version being 199511 rather than 199607 -in mln_ipl.c. Eric Feillant - -3.1.9 8/3/97 - Released - -fixed incorrect lookup of active NAT entries. - -patch for ip_deq() wrong for pre 2.1.6 FreeBSD. -fyeung@fyeung8.netific.com (Francis Yeung) - -check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi -(erkki@vlsi.fi) - -text_readip returns the interface pointer pointing to text on stack - -Neil Readwin - -fix from Pradeep Krishnan for printout rules "with not opt sec". - -3.1.8 18/2/97 - Released - -Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and -compiling warnings about reuse of m0. - -prevent use of return-rst and return-icmp with rules blocking packets going -out, preventing panics in certain situations. - -loop forms in frag cache table - Yury Pshenychny - -should use SPLNET/SPLX around expire routines in NAT/frag/state code. - -redeclared malloc in 44arp.c - - -3.1.7 8/2/97 - Released - -Macros used for ntohs/htons supplied with gcc don't always work very well -when the assignment is the same variable being converted. - -Filter matching doesn't not match rule which checks tcp flags on packets -which are fragments - David Wilson - -3.1.7beta 30/1/97 - Released - -Fix up NAT bugs introduced in last major change (now tested), including -nat_delete(), nat_lookupredir(), checksum changes, etc. - -3.1.7alpha 30/1/97 - Released - -Many changes to NAT code, including contributions from Laurent Joncheray - - -Use "NO_SLEEP" when allocating memory under SunOS. 
- -Make kernel printf's nicer for BSD/SunOS4 - -Always do a checksum for packets being filtered going out and being -processed by fastroute. - -Leave kernel to play with cdevsw on *BSD systems with LKM's. - -ipnat.1 man page fixes. - -3.1.6 21/1/97 - Released - -Allow NAT to work on BSD systems in conjunction with "pass .. to ifname" - -Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried -to free memory twice. - -NAT recalculates IP header checksum based on difference between IP#'s and -port numbers - should be just IP#'s (Solaris2 only) - -3.1.5 13/1/97 - Released - -fixed setting of NAT timeouts and use different timeouts for concurrent -TCP sessions using the same IP# mapping (when port mapping isn't used) - -multiple loading/unloading of LKM's doesn't clean up cdevsw properly for -*BSD systems. - -3.1.4 10/1/97 - Released - -add command line options -C and -F to ipnat to flush NAT list and table - -ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com) - -NetBSD/FreeBSD kernel malloc changes - Daniel Carosone - -3.1.3 10/1/97 - Released - -NAT chains not constructed correctly in hash tables - Antony Y.R Lu -(antony@hawk.ee.ncku.edu.tw) - -Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2 - -man page update (ipf.5) from Daniel Carosone (dan@geek.com.au) - -ICMP header checksum update now included in NAT. - -Solaris2 needs to modify IP header checksums in ip_natin and ip_natout. - -3.1.2 4/12/96 - Released - -ipmon doesn't use syslog all the time when given -s option - -fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro - -check the results of hostname resolution in ipnat - -"make *install" fixed for subdirectories. - -problems with "ARCH:=" and gnu make resolved - -parser reports an error for lines with whitespaces only rather than skipping -them. D.Carosone@abm.com.au (Daniel Carosone) - -patches for integration into NetBSD-current (post 1.2). 
- -add an option to allow non-IP packets going up/down the stream on Solaris2 -to be dropped. John Bass. - -3.1.2beta 21/11/96 - Released - -make ipsend compile on Linux 2.0.24 - -changes to TCP kept state algorithm, making it watch state on TCP -connections in both directions. Also use the same algorithm for NAT TCP. - --Wall cleanup - Bernd Ernesti - -added "or-block" for "pass .. log or-block" after a suggestion from -David Oppenheim (davido@optimation.com.au) - -added subdirectories for building IP Filter in SunOS5/BSD for different -cpu architecures - -Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2 - -mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96 - -3.1.1 28/10/96 - Released - -Installation script fixes and deinstall scripts for IP Filter on: -SunOS4/FreeBSD/NetBSD - -Man page fixes - Paul Dubois (dubois@primate.wisc.edu) - -Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!) - -parsing isn't completely case insensitive - David Wilson -(davidw@optimation.com.au) - -Release ipl_mutex across uiomove() calls - -print entire rule entries out for "ipf -z" when zero'ing per-rule stats. - -ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik -(ts@polynet.lviv.ua) - -New algorithm for setting timeouts for TCP connection (more closely follow -TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com) - -Track both window sizes for TCP connections through "keep state". 
- -Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel -(wezel@bio.vu.nl) - -3.1.1-beta2 6/10/96 - Released - -Solaris2 fastroute/dup-to/to now works - -ipmon `record' reading rewritten - -Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au) - -Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson -(davidw@optimation.com.au) - -Michael Ryan (mike@NetworX.ie) reports the following: -* The Trumpet WinSock under Windows always sends its SYN packet with an ACK - value of 1, unlike any other implementation I've seen, which would set it - to zero. The "keep state" feature of IP Filter doesn't work when receiving - non-zero ACK values on new connection requests. -* */Makefile install rule doesn't install all the binaries/man pages -* Make ipnat use "tcp/udp" instead of "tcpudp" -* Print out "tcp/udp" properly -* ipnat "portmap tcp" matches "portmap udp" when adding/removing -* NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't - -3.1.1-beta 1/9/96 - Released - -add better detection of TCP connections closing to TCP state monitoring. - -fr_addstate() not called correctly for fragments. 
"keep state" and -"keep frag" code don't work together 100% - Songqing Cai -(songqing_cai@sterling.com) - -call to fr_addstate() incorrect for adding state in combination with keeping -fragment information - Songqing Cai (songqing_cai@sterling.com) - -KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood -(cgull@smoke.marlboro.vt.us) - -make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban -(dima@best.net) - -3.1.1-alpha 23/8/96 - Released - -kernel panic's when ICMP packets go through NAT code - -stats aren't zero'd properly with ipf -Z - -ipnat doesn't show port numbers correctly all the time and also add the -protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com) - -fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com) - -NetBSD-1.2 patches from - VaX#n8 - -Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu) - -ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall -(nrh@tardis.ed.ac.uk) - -3.1.0 7/7/96 - Released - -Reformatted ipnat output to be compatible with it's input, so that -"ipnat -l | ipnat -rf -" is possible. - -3.1.0beta 30/6/96 - Released - -NetBSD-1.2 patches from Greg Woods (woods@most.weird.com) - -kernel module must not be installed stripped (Solaris2), as created by -"make package" for Solaris2 - Peter Heimann -(peter@i3.informatik.rwth-aachen.de) - -3.1.0alpha 5/6/96 - Released - -include examples in package for solaris2 - -patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS) - -removed trailing space from printouts of rules in ipf. - -ipresend supports the same range of inputs that ipftest does. - -sending a duplicate copy of a packet to another network devices is now -supported. ("dup-to") - -sending a packet to an arbitary interface is now supported, irrespective -of its actual route, with no ttl decrement. Can also be routed without -the ttl being decremented. ("to" and "fastroute"). 
- -"call" option added to support calling a generic function if a packet is -matched. - -show all (upto 4) recorded bytes from the interface name in logging from -ipmon. - -support for using unix file permissions for read/write access on the device -is now in place. - -recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen - -ipftest doesn't call initparse() for THISHOST - Catherine Allen -(cla@connect.com.au) - -Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au) - -3.0.4 10/4/96 - Released - -looop in `parsing' IP packets with optlen 0 for ip options. - -rule number not initialized and resulted in unexpected results for state -maching. - -option parsing and printing bugs - Pradeep Krishnan - -3.0.4beta 25/3/96 - Released - -wouldn't parse "keep flags keep state" correctly. - -SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon - -patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems -from Thorsten Lockert - -b* functions in fil.c on Solaris 2.4 - -3.0.3 17/3/96 - Released - -added patches to support IP Filter initialisation when compiled into the -kernel. - -added -x option to ipmon to display hex dumps of logged packets. - -added -H option to ipftest to allow ascii-hex formatted input to specify -arbitary IP packets. - -Sending TCP RSTs as a response now work for Solaris2 x86 - -add patches to make IP Filter compile into NetBSD kernels properly. - -patch to stop SunOS 4.1.x kernels panicing with "data traps". - -ipfboot script unloads and reloads ipf module on Solaris2 if it is already -loaded into the kernel. - -Installation of IP Filter as a Solaris2 package is now supported. - -Man pages for ipnat.4, ipnat.5 added. - -added some more regression tests and fixed up IP Filter to pass the new tests -(previous versions failed some of the tests in set 12). 
- -IP option filter processing has changed so that saying "with opt lsrr" will -check only for that one, but not mask out other options, so a packet with -strict source routing, along with loose source routing will match all of -"with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr". - -IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com) - -patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de) - -make install is incorrect - Julian Briggs (julian@lightwork.co.uk) - -strtol() returns 0x7fffffff for all negative numbers, -printfr() generates incorrect output for "opt sec-class *", -handling of "not opt xxx opt yyy" incorrect. -- Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com) - -m_pullup() called only for input and not output; caused problems -with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com) - -parsing problem for "port 1" and NetBSD patches incorrect - -Andreas Gustafsson (gson@guava.araneus.fi) - -3.0.2 4/2/96 - Released - -Corrected bug where NAT recalculates checksums for fragments. - -make NAT recalculate UDP checksums (rather than setting them to 0), -if they're non-zero. - -DNS patches - Real Page (Real.Page@Matrox.com) - -alteration of checksum recalculations in NAT code and addition of -redirection with NAT - Mike Neuman - -core dump, if tcp/udp is used with a port number and not service name, -in ipf - Mike Neuman (mcn@engarde.com) - -initparse() call, missing to prime "" hook - Craig Bishop - -3.0.1 14/1/96 - Released - -miscellaneous patches for Solaris2 - -3.0 14/1/96 - Released - -Patch included for FDDI, from Richard Ohnemus -(Richard_Ohnemus@dallas.csd.sterling.com) - -Code cleanup for release. 
- -3.0beta4 10/1/96 - -recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop - -recursive mutex in sending TCP RSTs fixed, reported by Tony Becker - -3.0beta3 9/1/96 - -FIxup for Solaris2.5 install and interface name bug in ipftest from -Julian Briggs (julian@lightwork.co.uk) - -Byte order patches for ipmon from Tony Becker (tony@mcrsys.com) - -3.0beta2 7/1/96 - -Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD. -Note, this isn't really what one would call IP account, when compared to -process accounting, sigh. - -Split up ipresend into iptest/ipresend/ipsend - -Added another m_pullup() inside fr_check() for BSD style kernels and -added some checks to ipllog() to not log more than is present (for short -packets). - -Fixed bug where failed hostname/netname resolution goes undetecte and -becomes 0.0.0.0 (any) (reported Guido van Rooij) - -3.0beta 11/11/95 - Released - -Rewrote the way rule testing is done, reducing the number of files needed and -generated. - -SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green) - -Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3 -BSD based Unixes (panic'd) - -Patches for FreeBSD/i86 ipmon from Riku Kalinen -(I think someone else already told me about these but they got lost :-/) - -Changed Makefile structure to build object files for different operating -systems in separate directories by default. - -BSDI has ef0 for first ethernet interface - -Allow for a "not" operator before optional keywords. - -The "rule number" was being incorrectly incremented every time it went through -the loop rather than when it matched a rule. - -2.8.2 24/10/95 - Released - -Fixed up problems with "textip" for doing lots of testing. - -Fixed bug in detection of "short" tcp/ip packets (all reported as being short). - -Solaris 2.4 port now works 100%. - -Man page errors reported and fixed. - -Removed duplicate entry in etc/services for login on port 49 (Craig Bishop). 
- -Fixed ipmon output to put a space after the log-letter. - -Patch from Guido van Rooij to fix parsing problem. - -2.8.1 15/10/95 - Released - -Added ttl and tos filtering. - -Patches for fixing up compilation and port problems (little endian) -from Guido van Rooij . - -Man page problems reported and fixed by Carson Gaspar . - -ipsend doesn't compile properly on Solaris2.4 - -Lots of work done for Solaris2.4 to make it MT/MP safe and work. - -2.8 15/9/95 - Released - -ipmon can now send messages to syslogd (-s) and use names instead of -numbers (-N). - -IP packets are now "compiled" into a structure only containing filterable -bits. - -Added regression testing in the test/ subdirectory, using a new option -(-b) with the ipftest program. - -Added "nomatch" return to filter results. These are counted and show -up in reports from ipfstat. - -Moved filter code out of ip_fil.c and into fil.c - there is now only one -instance of it in the package. - -Added Solaris 2.4 support. - -Added IPSO basic security option filtering. - -Added name support for filtering on all 19 named IP options. - -Patches from Ivan Brawley to log packet contents as well as packet headers. - -Update for sun/conf.c.diff from Ivan Brawley - -Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf, -along with a new ioctl, SIOCFRENB. -From: Dieter Dworkin Muller - -2.7.3 31/7.95 - Released - -Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green). - -ipftest now deals with tcpdump3 binary output files (from libpcap) with -P. - -Brought ipftest program upto date with actual filter code. - -Filter would cause a match to occur when it wasn't meant to if the packet -had short headers and was missing portions that should have been there. -Err, it would rightly not match on them, but their absence caused a match -when it shouldn't have been. - -2.7.2 26/7/95 - Released - -Problem with filtering just SYN flagged packets reported by -Dieter Dworkin Muller . 
To solve this -problem, added support for masking TCP flags for comparison "flags X/Y". - -2.7.1 9/7/95 - Released - -Added ip_dirbroadcast support for Sun ip_input.c - -Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are -better. - -2.7 7/7/95 - Released - -Added "return-rst" to return TCP RST's to TCP packets. - -Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now. - -Added insertion of filter rules. Use "@<#>" at the beginning of a filter -to insert a rule at row #. - -Filter keeps track of how many times each rule is matched. - -Changed compile time things to match kernel option (IPFILTER_LKM & -IPFILTER_LOG). - -Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP. -(No change required for 3.6) - -Now includes TCP fragments which start inside the TCP header as being short. -Added counting the number of times each rule is matched. - - -2.6 11/5/95 - Released - -Added -n option to ipf: when supplied, no changes are made to the kernel. - -Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI. - -Rewrote filtering to use a more generic mask & match procedure for -checking if a packet matches a rule. - -2.5.2 27/4/95 - Released - -"tcp/udp" and a non-initialised pointer caused the "proto" to become -a `random' value; added "ip#/dotted.mask" notation to the BNF. -From Adam W. Feigin - -2.5.1 22/3/95 - Released - -"tcp/udp" had a strange effect (undesired) on getserv*() functions, -causing protocol/service lookups to fail. Reported by Matthew Green. - -2.5 17/3/95 - Released - -Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop -output through the ipftest program. Suggestions from: -Michael Ciavarella (mikec@phyto.apana.org.au) - -Conflicts occur when "general" filter rules are used for ports and the -lack of a "proto" when used with "port" matches other packets when only -TCP/UDP are implied. 
-Reported Matthew Green (mrg@fulcom.com.au); -reported & fixed 6-8/3/95 - -Added filtering of short TCP packets using "with short" 28/2/95 -(These can possibly slip by checks for the various flags). Short UDP -or ICMP are dropped to the floor and logged. - -Added filtering of fragmented packets using "with frag" 24/2/95 - -Port to NetBSD-current completed 20/2/95, using LKM. - -Added logging of the rule # which caused the logging to happen and the -interface on which the packet is currently as suggested by -Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95 - -2.4 9/2/95 - Released -Fixed saving of IP headers in ICMP packets. - -2.3 29/1/95 -Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL). -Fixed iplread() and iplsave() with help from Marc Huber. - -2.2 7/1/95 - Released -Added code from Marc Huber to allow it to allocate -its own major char number dynamically when modload'ing. Fixed up -use of <, >, <=, >= and >< for ports. - -2.1 21/12/94 - Released -repackaged to include the correct ip_output.c and ip_input.c *goof* - -2.0 18/12/94 - Released -added code to check for port ranges - complete. -rewrote to work as a loadable kernel module - complete. - -1.1 -added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers. - -1.0 22/04/93 - Released -First release cut. diff --git a/contrib/ipfilter/LICENCE b/contrib/ipfilter/LICENCE deleted file mode 100644 index f4cc8ee76bfa..000000000000 --- a/contrib/ipfilter/LICENCE +++ /dev/null 
@@ -1,16 +0,0 @@
-/*
- * Copyright (C) 1993-2000 by Darren Reed.
- *
- * The author accepts no responsibility for the use of this software and
- * provides it on an ``as is'' basis without express or implied warranty.
- *
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
- *
- * I hate legaleese, don't you ?
- */
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
deleted file mode 100644
index 1ac9c94a75dc..000000000000
--- a/contrib/ipfilter/Makefile
+++ /dev/null
@@ -1,410 +0,0 @@ -# -# Copyright (C) 2012 by Darren Reed. -# -# Redistribution and use in source and binary forms are permitted -# provided that this notice is preserved and due credit is given -# to the original author and the contributors. -# -# $FreeBSD$ -# Id: Makefile,v 2.76.2.24 2007/09/26 10:04:03 darrenr Exp $ -# -SHELL=/bin/sh -BINDEST=/usr/local/bin -SBINDEST=/sbin -MANDIR=/usr/local/man -#To test prototyping -CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Wunused -Wuninitialized -#CC=gcc -#CC=cc -Dconst= -DEBUG=-g -# -O -CFLAGS=-I$$(TOP) -D_BSD_SOURCE -CPU=`uname -m` -CPUDIR=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m` -OBJ=. -# -# To enable this to work as a Loadable Kernel Module... -# -IPFLKM=-DIPFILTER_LKM -# -# To enable logging of blocked/passed packets... -# -IPFLOG=-DIPFILTER_LOG -# -# To enable loading filter rules compiled to C code... -# -#COMPIPF=-DIPFILTER_COMPILED -# -# To enable IPFilter compatibility with older CLI utilities -# -#COMPATIPF=-DIPFILTER_COMPAT -# -# To enable synchronisation between IPFilter hosts -# -#SYNC=-DIPFILTER_SYNC -# -# The facility you wish to log messages from ipmon to syslogd with. -# -LOGFAC=-DLOGFAC=LOG_SECURITY -# -# To enable rules to be written with BPF syntax, uncomment these two lines. -# -# WARNING: If you're building a commercial product based on IPFilter, using -# this options *may* infringe at least one patent held by CheckPoint -# (5,606,668.) -# -#IPFBPF=-DIPFILTER_BPF -I/usr/local/include -#LIBBPF=-L/usr/local/lib -lpcap -# -# HP-UX and Solaris require this uncommented for BPF. -# -#BPFILTER=bpf_filter.o -# -# LINUXKERNEL is the path to the top of your Linux kernel source tree. -# By default IPFilter looks for /usr/src/linux, but you may have to change -# it to /usr/src/linux-2.4 or similar. -# -LINUXKERNEL=/usr/src/kernels/2.6.29.5-191.fc11.i586 -LINUX=`uname -r | awk -F. 
' { printf"%d",$$1;for(i=1;i opt_inet6.h; \ - else \ - echo "#define INET6" > opt_inet6.h; \ - fi - if [ "x$(IPFBPF)" = "x" ] ; then \ - echo "#undef NBPF" > opt_bpf.h; \ - echo "#undef NBPFILTER" > opt_bpf.h; \ - echo "#undef DEV_BPF" > opt_bpf.h; \ - else \ - echo "#define NBPF" > opt_bpf.h; \ - echo "#define NBPFILTER" > opt_bpf.h; \ - echo "#define DEV_BPF" > opt_bpf.h; \ - fi - if [ x$(ENABLE_PFIL) = x ] ; then \ - echo "#undef PFIL_HOOKS" > opt_pfil.h; \ - else \ - echo "#define PFIL_HOOKS" > opt_pfil.h; \ - fi - - make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko.5" "LKMR=ipfrule.ko.5" "DLKM=-DKLD_MODULE" "MLR=mlfk_rule.o"; cd ..) -# (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..) - -freebsd4 : include - if [ x$(INET6) = x ] ; then \ - echo "#undef INET6" > opt_inet6.h; \ - else \ - echo "#define INET6" > opt_inet6.h; \ - fi - make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko" "LKMR=ipfrule.ko" "DLKM=-DKLD_MODULE" "MLR=mlfk_rule.o"; cd ..) - (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..) - -freebsd3 freebsd30: include - make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS1) "ML=mlf_ipl.c" "MLR=mlf_rule.o" LKM= LKMR=; cd ..) - (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..) - -netbsd: include - make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - @if [ ! -d /sys -o ! -d /sys/arch ] ; then \ - echo "*****************************************************"; \ - echo "* *"; \ - echo "* Please extract source code to create /sys and *";\ - echo "* /sys/arch and run 'config GENERIC' *"; \ - echo "* *"; \ - echo "*****************************************************"; \ - exit 1; \ - fi - (cd BSD/$(CPUDIR); make build TOP=../.. 
$(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" LKMR= "MLR=mln_rule.o"; cd ..) -# (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..) - -openbsd: include - make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mlo_ipl.c" LKMR= "MLR=mlo_rule.o"; cd ..) - (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..) - -freebsd20 freebsd21: include - make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlf_ipl.c" "MLR=mlf_rule.o"; cd ..) - (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..) - -osf tru64: null include - make setup "TARGOS=OSF" "CPUDIR=`OSF/cpurev`" - (cd OSF/`OSF/cpurev`; make build TRU64=`uname -v` TOP=../.. "DEBUG=-g" $(MFLAGS) "MACHASSERT=$(MACHASSERT)" "OSREV=`../cpurev`"; cd ..) - (cd OSF/`OSF/cpurev`; make -f Makefile.ipsend build TRU64=`uname -v` TOP=../.. $(MFLAGS) "OSREV=`../cpurev`"; cd ..) - -aix: null include - make setup "TARGOS=AIX" "CPUDIR=`AIX/cpurev`" - (cd AIX/`AIX/cpurev`; make build AIX=`uname -v` TOP=../.. "DEBUG=-g" $(MFLAGS) "OSREV=`../cpurev`" BITS=`../bootbits.sh`; cd ..) -# (cd AIX/`AIX/cpurev`; make -f Makefile.ipsend build AIX=`uname -v` TOP=../.. $(MFLAGS) "OSREV=`../cpurev`"; cd ..) - -bsd: include - make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" "MLR=mln_rule.o"; cd ..) - (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..) - -bsdi bsdos: include - make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" - (cd BSD/$(CPUDIR); make build "CC=$(CC)" TOP=../.. $(MFLAGS) LKM= LKMR= ; cd ..) - (cd BSD/$(CPUDIR); make -f Makefile.ipsend build "CC=$(CC)" TOP=../.. $(MFLAGS); cd ..) 
- -irix IRIX: include - make setup TARGOS=IRIX CPUDIR=`IRIX/cpurev` - if [ "x${SGIREV}" = "x" ] ; then \ - make irix "SGIREV=-D_KMEMUSER -DIRIX=`IRIX/getrev`"; \ - else \ - (cd IRIX/`IRIX/cpurev`; smake -l -J 1 build TOP=../.. $(DEST) $(MFLAGS) IRIX=`../getrev` SGI=$$(IRIX) CPUDIR=`../cpurev`; cd ..); \ - (cd IRIX/`IRIX/cpurev`; make -f Makefile.ipsend build TOP=../.. $(DEST) $(MFLAGS) IRIX=`../getrev` SGI=$$(IRIX) CPUDIR=`../cpurev`; cd ..); \ - fi - -setup: - -if [ ! -d $(TARGOS)/$(CPUDIR) ] ; then mkdir $(TARGOS)/$(CPUDIR); fi - -rm -f $(TARGOS)/$(CPUDIR)/Makefile $(TARGOS)/$(CPUDIR)/Makefile.ipsend - -ln -s ../Makefile $(TARGOS)/$(CPUDIR)/Makefile - -ln -s ../Makefile.ipsend $(TARGOS)/$(CPUDIR)/Makefile.ipsend - -if [ -f $(TARGOS)/Makefile.common ] ; then \ - rm -f $(TARGOS)/$(CPUDIR)/Makefile.common; \ - ln -s ../Makefile.common $(TARGOS)/$(CPUDIR)/Makefile.common;\ - fi - -clean: clean-include - /bin/rm -rf h y.output - ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipflkm \ - vnode_if.h $(LKM) *~ - /bin/rm -rf sparcv7 sparcv9 mdbgen_build - (cd SunOS4; $(MAKE) TOP=.. clean) - -(cd SunOS5; $(MAKE) TOP=.. clean) - (cd BSD; $(MAKE) TOP=.. clean) - (cd HPUX; $(MAKE) BITS=32 TOP=.. clean) - (cd Linux; $(MAKE) TOP=.. clean) - (cd OSF; $(MAKE) TOP=.. clean) - (cd AIX; $(MAKE) TOP=.. clean) - if [ "`uname -s`" = "IRIX" ]; then (cd IRIX; $(MAKE) clean); fi - [ -d test ] && (cd test; $(MAKE) clean) - (cd ipsend; $(MAKE) clean) - -clean-include: - sh -c 'if [ -d netinet ] ; then cd netinet; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done fi' - sh -c 'if [ -d net ] ; then cd net; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done fi' - ${RM} -f netinet/done net/done - -clean-bsd: clean-include - (cd BSD; make TOP=.. 
clean) - -clean-hpux: clean-include - (cd HPUX; $(MAKE) BITS=32 clean) - -clean-osf: clean-include - (cd OSF; make clean) - -clean-aix: clean-include - (cd AIX; make clean) - -clean-linux: clean-include - (cd Linux; make clean) - -clean-sunos4: clean-include - (cd SunOS4; make clean) - -clean-sunos5: clean-include - (cd SunOS5; $(MAKE) clean) - /bin/rm -rf sparcv? - -clean-irix: clean-include - (cd IRIX; $(MAKE) clean) - -h/xti.h: - mkdir -p h - ln -s /usr/include/sys/xti.h h - -hpux: include h/xti.h - make setup CPUDIR=`HPUX/cpurev` TARGOS=HPUX - (cd HPUX/`HPUX/cpurev`; $(MAKE) build TOP=../.. $(DEST) $(MFLAGS) "BITS=`getconf KERNEL_BITS`" `../makeargs`; cd ..) - (cd HPUX/`HPUX/cpurev`; $(MAKE) -f Makefile.ipsend build TOP=../.. $(DEST) $(MFLAGS) "BITS=`getconf KERNEL_BITS`" `../makeargs`; cd ..) - -sunos4 solaris1: - (cd SunOS4; make build TOP=.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..) - (cd SunOS4; make -f Makefile.ipsend build "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..) - -sunos5 solaris2: null - (cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" INSTANCE=$(INSTANCE); cd ..) - (cd SunOS5/$(CPUDIR); $(MAKE) -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..) - -linux: include - (cd Linux; make build LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL); cd ..) - (cd Linux; make ipflkm LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL) WORKDIR=`pwd`; cd ..) -# (cd Linux; make -f Makefile.ipsend build LINUX=$(LINUX) TOP=.. "CC=$(CC)" $(MFLAGS); cd ..) - -install-linux: linux - (cd Linux/; make LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) ROOTDIR=$(BUILDROOT) install ; cd ..) - -install-bsd: - (cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..) - (cd BSD/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..) 
- -install-sunos4: solaris - (cd SunOS4; $(MAKE) CPU=$(CPU) TOP=.. install) - -install-sunos5: solaris null - (cd SunOS5; $(MAKE) TOP=.. install) - -install-aix: - (cd AIX/`AIX/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..) -# (cd AIX/`AIX/cpurev`; make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..) - -install-hpux: hpux - (cd HPUX/`HPUX/cpurev`; $(MAKE) CPU=$(CPU) TOP=../.. "BITS=`getconf KERNEL_BITS`" install) - -install-irix: irix - (cd IRIX; smake install CPU=$(CPU) TOP=.. $(DEST) $(MFLAGS) CPUDIR=`./cpurev`) - -install-osf install-tru64: - (cd OSF/`OSF/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..) - -do-cvs: - find . -type d -name CVS -print | xargs /bin/rm -rf - find . -type f -name .cvsignore -print | xargs /bin/rm -f - /bin/rm -f ip_msnrpc_pxy.c ip_sunrpc_pxy.c - -ip_rules.c ip_rules.h: rules/ip_rules tools/ipfcomp.c - -./ipf -n -cc -f rules/ip_rules 2>/dev/null 1>&2 - -null: - @if [ "`$(MAKE) -v 2>&1 | sed -ne 's/GNU.*/GNU/p'`" = "GNU" ] ; then \ - echo 'Do not use GNU make (gmake) to compile IPFilter'; \ - exit 1; \ - fi - -@echo make ok - -mdb: - /bin/rm -rf mdbgen_build - mdbgen -D_KERNEL -DIPFILTER_LOG -DIPFILTER_LOOKUP -DSUNDDI \ - -DIPFILTER_SCAN -DIPFILTER_LKM -DSOLARIS2=10 -n ipf_mdb -k \ - -I/home/dr146992/pfil -I/home/dr146992/ipf -f \ - /usr/include/netinet/in_systm.h,/usr/include/sys/ethernet.h,/usr/include/netinet/in.h,/usr/include/netinet/ip.h,/usr/include/netinet/ip_var.h,/usr/include/netinet/tcp.h,/usr/include/netinet/tcpip.h,/usr/include/netinet/ip_icmp.h,/usr/include/netinet/udp.h,ip_compat.h,ip_fil.h,ip_nat.h,ip_state.h,ip_proxy.h,ip_scan.h diff --git a/contrib/ipfilter/NAT.FreeBSD b/contrib/ipfilter/NAT.FreeBSD deleted file mode 100644 index 4a1a7ede543c..000000000000 --- a/contrib/ipfilter/NAT.FreeBSD +++ /dev/null 
@@ -1,104 +0,0 @@ -These are Instructions for Configuring A FreeBSD Box For NAT -After you have installed IpFilter. - -You will need to change three files: - -/etc/rc.local -/etc/rc.conf -/etc/natrules - -You will have to: - -1) Load the kernel module -2) Make the ipnat rules -3) Load the ipnat rules -4) Enable routing between interfaces -5) Add static routes for the subnet ranges -6) Configure your network interfaces -7) reboot the computer for the changes to take effect. - -The FAQ was written by Chris Coleman -This was tested using ipfilter 3.1.4 and FreeBSD 2.1.6-RELEASE -_________________________________________________________ -1) Loading the Kernel Module - -If you are using a Kernal Loadable Module you need to edit your -/etc/rc.local file and load the module at boot time. -use the line: - - modload /lkm/if_ipl.o - -If you are not loading a kernel module, skip this step. -_________________________________________________________ -2) Setting up the NAT Rules - -Make a file called /etc/natrules -put in the rules that you need for your system. - -If you want to use the whole 10 Network. Try: - -map fpx0 10.0.0.0/8 -> 208.8.0.1/32 portmap tcp/udp 10000:65000 - -_________________________________________________________ -Here is an explaination of each part of the command: - -map starts the command. - -fpx0 is the interface with the real internet address. - -10.0.0.0 is the subnet you want to use. - -/8 is the subnet mask. ie 255.0.0.0 - -208.8.0.1 is the real ip address that you use. - -/32 is the subnet mask 255.255.255.255, ie only use this ip address. - -portmap tcp/udp 10000:65000 - tells it to use the ports to redirect the tcp/udp calls through - - -The one line should work for the whole network. -_________________________________________________________ -3) Loading the NAT Rules: - -The NAT Rules will need to be loaded every time the computer -reboots. 
- -In your /etc/rc.local put the line: - -ipnat -f /etc/natrules - -To check and see if it is loaded, as root type - ipnat -ls -_________________________________________________________ -4) Enable Routing between interfaces. - -Tell the kernel to route these addresses. - -in the rc.local file put the line: - -sysctl -w net.inet.ip.forwarding=1 - -_________________________________________________________ -5) Static Routes to Subnet Ranges - -Now you have to add a static routes for the subnet ranges. -Edit your /etc/sysconfig to add them at bootup. - -static_routes="foo" -route_foo="10.0.0.0 -netmask 0xf0000000 -interface 10.0.0.1" - - -_________________________________________________________ -6) Make sure that you have your interfaces configured. - -I have two Intel Ether Express Pro B cards. -One is on 208.8.0.1 The other is on 10.0.0.1 - -You need to configure these in the /etc/sysconfig - -network_interfaces="fxp0 fxp1" -ifconfig_fxp0="inet 208.8.0.1 netmask 255.255.255.0" -ifconfig_fxp1="inet 10.0.0.1 netmask 255.0.0.0" -_________________________________________________________ diff --git a/contrib/ipfilter/README b/contrib/ipfilter/README deleted file mode 100644 index 8464af4c64d2..000000000000 --- a/contrib/ipfilter/README +++ /dev/null 
@@ -1,101 +0,0 @@ -IP Filter - What's this about ? -============================ -Web site: http://coombs.anu.edu.au/~avalon/ip-filter.html -How-to: http://www.obfuscation.org/ipf/ipf-howto.txt - - The idea behind this package is allow those who use Unix workstations as -routers (a common occurance in Universities it appears) to apply packet -filtering to packets going in and out of them. This package has been -tested on all versions of SunOS 4.1 and Solaris 2.4/2.5, running on Sparcs. -It is also quite possible for this small kernel extension to be installed -and used effectively on Sun workstations which don't route IP, just for -added security. It can also be integrated with the multicast patches. -It has also been tested successfully on all of the modern free BSDs as -well as BSDI, and SGI's IRIX 6.2. - - The filter keeps a rule list for both inbound and outbound sides of -the IP packet queue and a check is made as early as possible, aiming to -stop the packet before it even gets as far as being checked for source -route options. In the file "BNF", a set of rules for constructing filter -rules understood by this package is given. The files in the directory -"rules", "example.1" ... "example.sr" show example rules you might apply. - - In practise, I've successfully isolated a workstation from all -machines except the NFS file servers on its local subnets (yeah, ok, so -this doesn't really increase security, because of NFS, but you get the -drift on how it can be applied and used). I've also successfully -setup and maintained my own firewalls using it with TIS's Firewall Toolkit, -including using it on an mbone router. - - When using it with multicast IP, the calls to fr_check() should be -before the packet is unwrapped and after it is encapsulated. So the -filter routines will see the packet as a UDP packet, protocol XYZ. 
-Whether this is better or worse than having it filter on class D addresses -is debateable, but the idea behind this package is to be able to -discriminate between packets as they are on the 'wire', before they -get routed anywhere, etc. - - It is worth noting, that it is possible, using a small MTU and -generating tiny fragmented IP packets to generate a TCP packet which -doesn't contain enough information to filter on the "flags". Filtering -on these types of packets is possible, but under the more general case -of the packets being "short". ICMP and UDP packets which are too small -(they don't contain a complete header) are dropped and logged, no questions -asked. When filtering on fragmented packets, the last fragment will get -through for TCP/UDP/ICMP packets. - -Bugs/Problems -------------- -If you have a problem with IP Filter on your operating system, please email -a copy of the file "BugReport" with the details of your setup as required -and email to darrenr@pobox.com. - -Some general notes. -------------------- - To add/delete a rule from memory, access to the device in /dev is needed, -allowing non-root maintenaince. The filter list in kernel memory is built -from the kernel's heap. Each packet coming *in* or *out* is checked against -the appropriate list, rejects dropped, others passed through. Thus this will -work on an individual host, not just gateways. Presently there is only one -list for all interfaces, the changes required to make it a per-interface list -require more .o replacements for the kernel. When checking a packet, the -packet is compared to the entire list from top to bottom, the last matching -line being effective. - - -What does what ? ----------------- -if_fil.o (Loadable kernel module) - - additional kernel routines to check an access list as to whether - or not to drop or pass a packet. It currently defaults to pass - on all packets. 
- -ipfstat - - digs through your kernel (need to check #define VMUNIX in fils.c) - and /dev/kmem for the access filter list and mini stats table. - Obviously needs to be run priviledged if required. - -ipf - - reads the files passed as parameters as input files containing new - filter rules to add/delete to the kernel list. The lines are - inserted in order; the first line is inserted first, and ends up - first on the list. Subsequent invocations append to the list - unless specified otherwise. - -ipftest - - test the ruleset given by filename. Reads in the ruleset and then - waits for stdin. - - See the man pages (ipf.1, ipftest.1, ipfstat.8) for more detailed - information on what the above do. - -mkfilters - - suggests a set of filter rules to employ and suggests how to add - routes to back these up. - -BNF - - BNF rule set for the filter rules - -Darren Reed -darrenr@pobox.com -http://coombs.anu.edu.au/~avalon/ip-filter.html diff --git a/contrib/ipfilter/STYLE.TXT b/contrib/ipfilter/STYLE.TXT deleted file mode 100644 index 384bcec3d909..000000000000 --- a/contrib/ipfilter/STYLE.TXT +++ /dev/null 
@@ -1,57 +0,0 @@
-
-Over time, I am moving all of the IPFilter code to what I consider a better
-coding style than it had before. If you submit patches, I expect them to
-conform as appropriate.
-
-Function Comments
-=================
-Preceeding each and every function, a comment block like this should
-be present:
-
-/* ------------------------------------------------------------------------ */
-/* Function: function-name */
-/* Returns: return-type */
-/* Parameters: param1(I) - param1 is an input parameter */
-/* p2(O) - p2 is an output parameter passed as an arg */
-/* par3(IO) - par3 is a parameter which is both input and */
-/* output. Pointers to things which are used and */
-/* then get a result stored in them qualify here. */
-/* */
-/* Description about what the function does. This comment should explain */
-/* any gotchas or algorithms that are used which aren't obvious to the */
-/* casual reader. It should not be an excuse to not use comments inside */
-/* the function. */
-/* ------------------------------------------------------------------------ */
-
-
-Tab spacing
-===========
-Tabs are to be at 8 characters.
-
-
-Conditions
-==========
-All expressions which evaluate to a boolean for a test condition, such as
-in an if()/while() statement must involve a boolean operation. Since C
-has no native boolean type, this means that one of <,>,<=,>=,==,!= must
-be present. Implied boolean evaluations are out.
-
-In code, the following is banned:
-
-if (x)
-if (!x)
-while ((a = b))
-
-and should be replaced by:
-
-if (x != 0)
-if (x == 0)
-while ((a = b) != 0)
-
-If pointers are involved, always compare with NULL, ie.:
-
-if (x != NULL)
-if (x == NULL)
-while ((a = b) != NULL)
-
-
diff --git a/contrib/ipfilter/WhatsNew50.txt b/contrib/ipfilter/WhatsNew50.txt
deleted file mode 100644
index adbf0a99b4e0..000000000000
--- a/contrib/ipfilter/WhatsNew50.txt
+++ /dev/null
@@ -1,83 +0,0 @@
-What's new in 5.1
-=================
-
-General
--------
-* all of the tuneables can now be set at any time, not just whilst disabled
- or prior to loading rules;
-
-* group identifiers may now be a number or name (universal);
-
-* man pages rewritten
-
-* tunables can now be set via ipf.conf;
-
-Logging
--------
-* ipmon.conf can now be used to generate SNMPv1 and SNMPv2 traps using
- information from log entries from the kernel;
-
-NAT changes
------------
-* DNS proxy for the kernel that can block queries based on domain names;
-
-* FTP proxy can be configured to limit data connections to one or many
- connections per client;
-
-* NAT on IPv6 is now supported;
-
-* rewrite command allows changing both the source and destination address
- in a single NAT rule;
-
-* simple encapsulation can now be configured with ipnat.conf,
-
-* TFTP proxy now included;
-
-Packet Filtering
-----------------
-* acceptance of ICMP packets for "keep state" rules can be refined through
- the use of filtering rules;
-
-* alternative form for writing rules using simple filtering expressions;
-
-* CIPSO headers now recognised and analysed for filtering on DOI;
-
-* comments can now be a part of a rule and loaded into the kernel and
- thus displayed with ipfstat;
-
-* decapsulation rules allow filtering on inner headers, providing they
- are not encrypted;
-
-* interface names, aside from that the packet is on, can be present in
- filter rules;
-
-* internally now a single list of filter rules, there is no longer an
- IPv4 and IPv6 list;
-
-* rules can now be added with an expiration time, allowing for their
- automatic removal after some period of time;
-
-* single file, ipf.conf, can now be used for both IPv4 and IPv6 rules;
-
-* stateful filtering now allows for limits to be placed on the number
- of distinct hosts allowed per rule;
-
-Pools
------
-* addresses added to a pool via the command line (only!)
can be given
- an expiration timeout;
-
-* destination lists are a new type of address pool, primarily for use with
- NAT rdr rules, supporting newer algorithms for target selection;
-
-* raw whois information saved to a file can be used to populate a pool;
-
-Solaris
--------
-* support for use in zones with exclusive IP instances fully supported.
-
-Tools
------
-* use of matching expressions allows for refining what is displayed or
- flushed;
-
diff --git a/contrib/ipfilter/Y2K b/contrib/ipfilter/Y2K
deleted file mode 100644
index a8350a590070..000000000000
--- a/contrib/ipfilter/Y2K
+++ /dev/null
@@ -1,3 +0,0 @@
-IP Filter is Year 2000 (Y2K) Compliant.
-
-Darren
diff --git a/contrib/ipfilter/arc4random.c b/contrib/ipfilter/arc4random.c
deleted file mode 100644
index bdb6b2d9ba9a..000000000000
--- a/contrib/ipfilter/arc4random.c
+++ /dev/null
@@ -1,267 +0,0 @@ -/*- - * THE BEER-WARE LICENSE - * - * wrote this file. As long as you retain this notice you - * can do whatever you want with this stuff. If we meet some day, and you - * think this stuff is worth it, you can buy me a beer in return. - * - * Dan Moschuk - */ -#if !defined(SOLARIS2) -# include -#endif - -#include -#include -#ifdef __FreeBSD__ -# include -#endif -# include -#ifdef __FreeBSD__ -# include -#endif -#include -# include -#include - -#include -#include -#include -#include -#include "netinet/ip_compat.h" -#ifdef HAS_SYS_MD5_H -# include -#else -# include "md5.h" -#endif - -#ifdef NEED_LOCAL_RAND -#if !defined(__GNUC__) -# define __inline -#endif - -#define ARC4_RESEED_BYTES 65536 -#define ARC4_RESEED_SECONDS 300 -#define ARC4_KEYBYTES (256 / 8) - -static u_int8_t arc4_i, arc4_j; -static int arc4_numruns = 0; -static u_int8_t arc4_sbox[256]; -static time_t arc4_t_reseed; -static ipfmutex_t arc4_mtx; -static MD5_CTX md5ctx; - -static u_int8_t arc4_randbyte(void); -static int ipf_read_random(void *dest, int length); - -static __inline void -arc4_swap(u_int8_t *a, u_int8_t *b) -{ - u_int8_t c; - - c = *a; - *a = *b; - *b = c; -} - -/* - * Stir our S-box. - */ -static void -arc4_randomstir (void) -{ - u_int8_t key[256]; - int r, n; - struct timeval tv_now; - - /* - * XXX read_random() returns unsafe numbers if the entropy - * device is not loaded -- MarkM. - */ - r = ipf_read_random(key, ARC4_KEYBYTES); - GETKTIME(&tv_now); - MUTEX_ENTER(&arc4_mtx); - /* If r == 0 || -1, just use what was on the stack. */ - if (r > 0) { - for (n = r; n < sizeof(key); n++) - key[n] = key[n % r]; - } - - for (n = 0; n < 256; n++) { - arc4_j = (arc4_j + arc4_sbox[n] + key[n]) % 256; - arc4_swap(&arc4_sbox[n], &arc4_sbox[arc4_j]); - } - - /* Reset for next reseed cycle. 
*/ - arc4_t_reseed = tv_now.tv_sec + ARC4_RESEED_SECONDS; - arc4_numruns = 0; - - /* - * Throw away the first N words of output, as suggested in the - * paper "Weaknesses in the Key Scheduling Algorithm of RC4" - * by Fluher, Mantin, and Shamir. (N = 768 in our case.) - */ - for (n = 0; n < 768*4; n++) - arc4_randbyte(); - MUTEX_EXIT(&arc4_mtx); -} - -/* - * Initialize our S-box to its beginning defaults. - */ -static void -arc4_init(void) -{ - int n; - - MD5Init(&md5ctx); - - MUTEX_INIT(&arc4_mtx, "arc4_mtx"); - arc4_i = arc4_j = 0; - for (n = 0; n < 256; n++) - arc4_sbox[n] = (u_int8_t) n; - - arc4_t_reseed = 0; -} - - -/* - * Generate a random byte. - */ -static u_int8_t -arc4_randbyte(void) -{ - u_int8_t arc4_t; - - arc4_i = (arc4_i + 1) % 256; - arc4_j = (arc4_j + arc4_sbox[arc4_i]) % 256; - - arc4_swap(&arc4_sbox[arc4_i], &arc4_sbox[arc4_j]); - - arc4_t = (arc4_sbox[arc4_i] + arc4_sbox[arc4_j]) % 256; - return arc4_sbox[arc4_t]; -} - -/* - * MPSAFE - */ -void -arc4rand(void *ptr, u_int len, int reseed) -{ - u_int8_t *p; - struct timeval tv; - - GETKTIME(&tv); - if (reseed || - (arc4_numruns > ARC4_RESEED_BYTES) || - (tv.tv_sec > arc4_t_reseed)) - arc4_randomstir(); - - MUTEX_ENTER(&arc4_mtx); - arc4_numruns += len; - p = ptr; - while (len--) - *p++ = arc4_randbyte(); - MUTEX_EXIT(&arc4_mtx); -} - -uint32_t -ipf_random(void) -{ - uint32_t ret; - - arc4rand(&ret, sizeof ret, 0); - return ret; -} - - -static u_char pot[ARC4_RESEED_BYTES]; -static u_char *pothead = pot, *pottail = pot; -static int inpot = 0; - -/* - * This is not very strong, and this is understood, but the aim isn't to - * be cryptographically strong - it is just to make up something that is - * pseudo random. 
- */ -void -ipf_rand_push(void *src, int length) -{ - static int arc4_inited = 0; - u_char *nsrc; - int mylen; - - if (arc4_inited == 0) { - arc4_init(); - arc4_inited = 1; - } - - if (length < 64) { - MD5Update(&md5ctx, src, length); - return; - } - - nsrc = src; - mylen = length; - -#if defined(_SYS_MD5_H) && defined(SOLARIS2) -# define buf buf_un.buf8 -#endif - MUTEX_ENTER(&arc4_mtx); - while ((mylen > 64) && (sizeof(pot) - inpot > sizeof(md5ctx.buf))) { - MD5Update(&md5ctx, nsrc, 64); - mylen -= 64; - nsrc += 64; - if (pottail + sizeof(md5ctx.buf) > pot + sizeof(pot)) { - int left, numbytes; - - numbytes = pot + sizeof(pot) - pottail; - bcopy(md5ctx.buf, pottail, numbytes); - left = sizeof(md5ctx.buf) - numbytes; - pottail = pot; - bcopy(md5ctx.buf + sizeof(md5ctx.buf) - left, - pottail, left); - pottail += left; - } else { - bcopy(md5ctx.buf, pottail, sizeof(md5ctx.buf)); - pottail += sizeof(md5ctx.buf); - } - inpot += 64; - } - MUTEX_EXIT(&arc4_mtx); -#if defined(_SYS_MD5_H) && defined(SOLARIS2) -# undef buf -#endif -} - - -static int -ipf_read_random(void *dest, int length) -{ - if (length > inpot) - return 0; - - MUTEX_ENTER(&arc4_mtx); - if (pothead + length > pot + sizeof(pot)) { - int left, numbytes; - - left = length; - numbytes = pot + sizeof(pot) - pothead; - bcopy(pothead, dest, numbytes); - left -= numbytes; - pothead = pot; - bcopy(pothead, dest + length - left, left); - pothead += left; - } else { - bcopy(pothead, dest, length); - pothead += length; - } - inpot -= length; - if (inpot == 0) - pothead = pottail = pot; - MUTEX_EXIT(&arc4_mtx); - - return length; -} - -#endif /* NEED_LOCAL_RAND */ diff --git a/contrib/ipfilter/ip_fil_compat.c b/contrib/ipfilter/ip_fil_compat.c deleted file mode 100644 index 0b426f5d9c48..000000000000 --- a/contrib/ipfilter/ip_fil_compat.c +++ /dev/null 
@@ -1,4811 +0,0 @@ -/* - * Copyright (C) 2002-2012 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#if defined(KERNEL) || defined(_KERNEL) -# undef KERNEL -# undef _KERNEL -# define KERNEL 1 -# define _KERNEL 1 -#endif -#include -#include -#include -#include -#include -#if defined(__FreeBSD__) && defined(_KERNEL) -# include -# include -#else -# include -#endif -#if !defined(_KERNEL) -# include -# define _KERNEL -# include -# undef _KERNEL -#endif -#include -#include -#if defined(__FreeBSD__) -# include -# include -#endif -#if defined(_KERNEL) -# include -# if !defined(__SVR4) -# include -# endif -#endif -#include - -#include "netinet/ip_compat.h" -#include "netinet/ip_fil.h" -#include "netinet/ip_pool.h" -#include "netinet/ip_htable.h" -#include "netinet/ip_lookup.h" -#include "netinet/ip_nat.h" -#include "netinet/ip_state.h" -#include "netinet/ip_proxy.h" -#include "netinet/ip_auth.h" -/* END OF INCLUDES */ - -/* - * NetBSD has moved to 64bit time_t for all architectures. - * For some, such as sparc64, there is no change because long is already - * 64bit, but for others (i386), there is... 
- */ -#ifdef IPFILTER_COMPAT - -# ifdef __NetBSD__ -typedef struct timeval_l { - long tv_sec; - long tv_usec; -} timeval_l_t; -# endif - -/* ------------------------------------------------------------------------ */ - -typedef struct tcpinfo4 { - u_short ts_sport; - u_short ts_dport; - tcpdata_t ts_data[2]; -} tcpinfo4_t; - -static void ipf_v5tcpinfoto4(tcpinfo_t *, tcpinfo4_t *); - -static void -ipf_v5tcpinfoto4(v5, v4) - tcpinfo_t *v5; - tcpinfo4_t *v4; -{ - v4->ts_sport = v5->ts_sport; - v4->ts_dport = v5->ts_dport; - v4->ts_data[0] = v5->ts_data[0]; - v4->ts_data[1] = v5->ts_data[1]; -} - -typedef struct fr_ip4 { - u_32_t fi_v:4; - u_32_t fi_xx:4; - u_32_t fi_tos:8; - u_32_t fi_ttl:8; - u_32_t fi_p:8; - u_32_t fi_optmsk; - i6addr_t fi_src; - i6addr_t fi_dst; - u_short ofi_secmsk; - u_short ofi_auth; - u_32_t fi_flx; - u_32_t fi_tcpmsk; - u_32_t fi_res1; -} frip4_t; - -typedef struct frpcmp4 { - int frp_cmp; - u_short frp_port; - u_short frp_top; -} frpcmp4_t; - -typedef struct frtuc4 { - u_char ftu_tcpfm; - u_char ftu_tcpf; - frpcmp4_t ftu_src; - frpcmp4_t ftu_dst; -} frtuc4_t; - -typedef struct fripf4 { - frip4_t fri_ip; - frip4_t fri_mip; - - u_short fri_icmpm; - u_short fri_icmp; - - frtuc4_t fri_tuc; - int fri_satype; - int fri_datype; - int fri_sifpidx; - int fri_difpidx; -} fripf4_t; - -typedef struct frdest_4 { - void *fd_ifp; - i6addr_t ofd_ip6; - char fd_ifname[LIFNAMSIZ]; -} frdest_4_t; - -/* ------------------------------------------------------------------------ */ - -/* 5.1.0 new release (current) - * 4.1.34 changed the size of the time structure used for pps - * 4.1.16 moved the location of fr_flineno - * 4.1.0 base version - */ -typedef struct frentry_4_1_34 { - ipfmutex_t fr_lock; - struct frentry *fr_next; - struct frentry **fr_grp; - struct ipscan *fr_isc; - void *fr_ifas[4]; - void *fr_ptr; /* for use with fr_arg */ - char *fr_comment; /* text comment for rule */ - int fr_ref; /* reference count - for grouping */ - int fr_statecnt; /* state 
count - for limit rules */ - int fr_flineno; /* line number from conf file */ - U_QUAD_T fr_hits; - U_QUAD_T fr_bytes; - union { - struct timeval frp_lastpkt; - char frp_bytes[12]; - } fr_lpu; - int fr_curpps; - union { - void *fru_data; - char *fru_caddr; - fripf4_t *fru_ipf; - frentfunc_t fru_func; - } fr_dun; - ipfunc_t fr_func; /* call this function */ - int fr_dsize; - int fr_pps; - int fr_statemax; /* max reference count */ - u_32_t fr_type; - u_32_t fr_flags; /* per-rule flags && options (see below) */ - u_32_t fr_logtag; /* user defined log tag # */ - u_32_t fr_collect; /* collection number */ - u_int fr_arg; /* misc. numeric arg for rule */ - u_int fr_loglevel; /* syslog log facility + priority */ - u_int fr_age[2]; /* non-TCP timeouts */ - u_char fr_v; - u_char fr_icode; /* return ICMP code */ - char fr_group[FR_GROUPLEN]; /* group to which this rule belongs */ - char fr_grhead[FR_GROUPLEN]; /* group # which this rule starts */ - ipftag_t fr_nattag; - char fr_ifnames[4][LIFNAMSIZ]; - char fr_isctag[16]; - frdest_4_t fr_tifs[2]; /* "to"/"reply-to" interface */ - frdest_4_t fr_dif; /* duplicate packet interface */ - u_int fr_cksum; /* checksum on filter rules for performance */ -} frentry_4_1_34_t; - -typedef struct frentry_4_1_16 { - ipfmutex_t fr_lock; - struct frentry *fr_next; - struct frentry **fr_grp; - struct ipscan *fr_isc; - void *fr_ifas[4]; - void *fr_ptr; - char *fr_comment; - int fr_ref; - int fr_statecnt; - int fr_flineno; - U_QUAD_T fr_hits; - U_QUAD_T fr_bytes; - union { -#ifdef __NetBSD__ - timeval_l_t frp_lastpkt; -#else - struct timeval frp_lastpkt; -#endif - } fr_lpu; - int fr_curpps; - union { - void *fru_data; - caddr_t fru_caddr; - fripf4_t *fru_ipf; - frentfunc_t fru_func; - } fr_dun; - ipfunc_t fr_func; - int fr_dsize; - int fr_pps; - int fr_statemax; - u_32_t fr_type; - u_32_t fr_flags; - u_32_t fr_logtag; - u_32_t fr_collect; - u_int fr_arg; - u_int fr_loglevel; - u_int fr_age[2]; - u_char fr_v; - u_char fr_icode; - char 
fr_group[FR_GROUPLEN]; - char fr_grhead[FR_GROUPLEN]; - ipftag_t fr_nattag; - char fr_ifnames[4][LIFNAMSIZ]; - char fr_isctag[16]; - frdest_4_t fr_tifs[2]; - frdest_4_t fr_dif; - u_int fr_cksum; -} frentry_4_1_16_t; - -typedef struct frentry_4_1_0 { - ipfmutex_t fr_lock; - struct frentry *fr_next; - struct frentry **fr_grp; - struct ipscan *fr_isc; - void *fr_ifas[4]; - void *fr_ptr; - char *fr_comment; - int fr_ref; - int fr_statecnt; - U_QUAD_T fr_hits; - U_QUAD_T fr_bytes; - union { -#ifdef __NetBSD__ - timeval_l_t frp_lastpkt; -#else - struct timeval frp_lastpkt; -#endif - } fr_lpu; - int fr_curpps; - - union { - void *fru_data; - caddr_t fru_caddr; - fripf4_t *fru_ipf; - frentfunc_t fru_func; - } fr_dun; - /* - * Fields after this may not change whilst in the kernel. - */ - ipfunc_t fr_func; - int fr_dsize; - int fr_pps; - int fr_statemax; - int fr_flineno; - u_32_t fr_type; - u_32_t fr_flags; - u_32_t fr_logtag; - u_32_t fr_collect; - u_int fr_arg; - u_int fr_loglevel; - u_int fr_age[2]; - u_char fr_v; - u_char fr_icode; - char fr_group[FR_GROUPLEN]; - char fr_grhead[FR_GROUPLEN]; - ipftag_t fr_nattag; - char fr_ifnames[4][LIFNAMSIZ]; - char fr_isctag[16]; - frdest_4_t fr_tifs[2]; - frdest_4_t fr_dif; - u_int fr_cksum; -} frentry_4_1_0_t; - -/* ------------------------------------------------------------------------ */ - -/* - * 5.1.0 new release (current) - * 4.1.32 removed both fin_state and fin_nat, added fin_pktnum - * 4.1.24 added fin_cksum - * 4.1.23 added fin_exthdr - * 4.1.11 added fin_ifname - * 4.1.4 added fin_hbuf - */ -typedef struct fr_info_4_1_32 { - void *fin_ifp; /* interface packet is `on' */ - frip4_t fin_fi; /* IP Packet summary */ - union { - u_short fid_16[2]; /* TCP/UDP ports, ICMP code/type */ - u_32_t fid_32; - } fin_dat; - int fin_out; /* in or out ? 
1 == out, 0 == in */ - int fin_rev; /* state only: 1 = reverse */ - u_short fin_hlen; /* length of IP header in bytes */ - u_char ofin_tcpf; /* TCP header flags (SYN, ACK, etc) */ - u_char fin_icode; /* ICMP error to return */ - u_32_t fin_rule; /* rule # last matched */ - char fin_group[FR_GROUPLEN]; /* group number, -1 for none */ - struct frentry *fin_fr; /* last matching rule */ - void *fin_dp; /* start of data past IP header */ - int fin_dlen; /* length of data portion of packet */ - int fin_plen; - int fin_ipoff; /* # bytes from buffer start to hdr */ - u_short fin_id; /* IP packet id field */ - u_short fin_off; - int fin_depth; /* Group nesting depth */ - int fin_error; /* Error code to return */ - int fin_cksum; /* -1 bad, 1 good, 0 not done */ - u_int fin_pktnum; - void *fin_nattag; - void *fin_exthdr; - ip_t *ofin_ip; - mb_t **fin_mp; /* pointer to pointer to mbuf */ - mb_t *fin_m; /* pointer to mbuf */ -#if SOLARIS - mb_t *fin_qfm; /* pointer to mblk where pkt starts */ - void *fin_qpi; - char fin_ifname[LIFNAMSIZ]; -#endif -} fr_info_4_1_32_t; - -typedef struct fr_info_4_1_24 { - void *fin_ifp; - frip4_t fin_fi; - union { - u_short fid_16[2]; - u_32_t fid_32; - } fin_dat; - int fin_out; - int fin_rev; - u_short fin_hlen; - u_char ofin_tcpf; - u_char fin_icode; - u_32_t fin_rule; - char fin_group[FR_GROUPLEN]; - struct frentry *fin_fr; - void *fin_dp; - int fin_dlen; - int fin_plen; - int fin_ipoff; - u_short fin_id; - u_short fin_off; - int fin_depth; - int fin_error; - int fin_cksum; - void *fin_state; - void *fin_nat; - void *fin_nattag; - void *fin_exthdr; - ip_t *ofin_ip; - mb_t **fin_mp; - mb_t *fin_m; -#if SOLARIS - mb_t *fin_qfm; - void *fin_qpi; - char fin_ifname[LIFNAMSIZ]; -#endif -} fr_info_4_1_24_t; - -typedef struct fr_info_4_1_23 { - void *fin_ifp; - frip4_t fin_fi; - union { - u_short fid_16[2]; - u_32_t fid_32; - } fin_dat; - int fin_out; - int fin_rev; - u_short fin_hlen; - u_char ofin_tcpf; - u_char fin_icode; - u_32_t fin_rule; - char 
fin_group[FR_GROUPLEN]; - struct frentry *fin_fr; - void *fin_dp; - int fin_dlen; - int fin_plen; - int fin_ipoff; - u_short fin_id; - u_short fin_off; - int fin_depth; - int fin_error; - void *fin_state; - void *fin_nat; - void *fin_nattag; - void *fin_exthdr; - ip_t *ofin_ip; - mb_t **fin_mp; - mb_t *fin_m; -#if SOLARIS - mb_t *fin_qfm; - void *fin_qpi; - char fin_ifname[LIFNAMSIZ]; -#endif -} fr_info_4_1_23_t; - -typedef struct fr_info_4_1_11 { - void *fin_ifp; - frip4_t fin_fi; - union { - u_short fid_16[2]; - u_32_t fid_32; - } fin_dat; - int fin_out; - int fin_rev; - u_short fin_hlen; - u_char ofin_tcpf; - u_char fin_icode; - u_32_t fin_rule; - char fin_group[FR_GROUPLEN]; - struct frentry *fin_fr; - void *fin_dp; - int fin_dlen; - int fin_plen; - int fin_ipoff; - u_short fin_id; - u_short fin_off; - int fin_depth; - int fin_error; - void *fin_state; - void *fin_nat; - void *fin_nattag; - ip_t *ofin_ip; - mb_t **fin_mp; - mb_t *fin_m; -#if SOLARIS - mb_t *fin_qfm; - void *fin_qpi; - char fin_ifname[LIFNAMSIZ]; -#endif -} fr_info_4_1_11_t; - -/* ------------------------------------------------------------------------ */ - -typedef struct filterstats_4_1 { - u_long fr_pass; /* packets allowed */ - u_long fr_block; /* packets denied */ - u_long fr_nom; /* packets which don't match any rule */ - u_long fr_short; /* packets which are short */ - u_long fr_ppkl; /* packets allowed and logged */ - u_long fr_bpkl; /* packets denied and logged */ - u_long fr_npkl; /* packets unmatched and logged */ - u_long fr_pkl; /* packets logged */ - u_long fr_skip; /* packets to be logged but buffer full */ - u_long fr_ret; /* packets for which a return is sent */ - u_long fr_acct; /* packets for which counting was performed */ - u_long fr_bnfr; /* bad attempts to allocate fragment state */ - u_long fr_nfr; /* new fragment state kept */ - u_long fr_cfr; /* add new fragment state but complete pkt */ - u_long fr_bads; /* bad attempts to allocate packet state */ - u_long fr_ads; /* 
new packet state kept */
- u_long fr_chit; /* cached hit */
- u_long fr_tcpbad; /* TCP checksum check failures */
- u_long fr_pull[2]; /* good and bad pullup attempts */
- u_long fr_badsrc; /* source received doesn't match route */
- u_long fr_badttl; /* TTL in packet doesn't reach minimum */
- u_long fr_bad; /* bad IP packets to the filter */
- u_long fr_ipv6; /* IPv6 packets in/out */
- u_long fr_ppshit; /* dropped because of pps ceiling */
- u_long fr_ipud; /* IP id update failures */
-} filterstats_4_1_t;
-
-/*
- * 5.1.0 new release (current)
- * 4.1.33 changed the size of f_locks from IPL_LOGMAX to IPL_LOGSIZE
- */
-typedef struct friostat_4_1_33 {
- struct filterstats_4_1 of_st[2];
- struct frentry *f_ipf[2][2];
- struct frentry *f_acct[2][2];
- struct frentry *f_ipf6[2][2];
- struct frentry *f_acct6[2][2];
- struct frentry *f_auth;
- struct frgroup *f_groups[IPL_LOGSIZE][2];
- u_long f_froute[2];
- u_long f_ticks;
- int f_locks[IPL_LOGSIZE];
- size_t f_kmutex_sz;
- size_t f_krwlock_sz;
- int f_defpass; /* default pass - from fr_pass */
- int f_active; /* 1 or 0 - active rule set */
- int f_running; /* 1 if running, else 0 */
- int f_logging; /* 1 if enabled, else 0 */
- int f_features;
- char f_version[32]; /* version string */
-} friostat_4_1_33_t;
-
-typedef struct friostat_4_1_0 {
- struct filterstats_4_1 of_st[2];
- struct frentry *f_ipf[2][2];
- struct frentry *f_acct[2][2];
- struct frentry *f_ipf6[2][2];
- struct frentry *f_acct6[2][2];
- struct frentry *f_auth;
- struct frgroup *f_groups[IPL_LOGSIZE][2];
- u_long f_froute[2];
- u_long f_ticks;
- int f_locks[IPL_LOGMAX];
- size_t f_kmutex_sz;
- size_t f_krwlock_sz;
- int f_defpass;
- int f_active;
- int f_running;
- int f_logging;
- int f_features;
- char f_version[32];
-} friostat_4_1_0_t;
-
-/* ------------------------------------------------------------------------ */
-
-/*
- * 5.1.0 new release (current)
- * 4.1.14 added in_lock
- */
-typedef struct ipnat_4_1_14 {
- ipfmutex_t in_lock;
- struct
ipnat *in_next; /* NAT rule list next */
- struct ipnat *in_rnext; /* rdr rule hash next */
- struct ipnat **in_prnext; /* prior rdr next ptr */
- struct ipnat *in_mnext; /* map rule hash next */
- struct ipnat **in_pmnext; /* prior map next ptr */
- struct ipftq *in_tqehead[2];
- void *in_ifps[2];
- void *in_apr;
- char *in_comment;
- i6addr_t in_next6;
- u_long in_space;
- u_long in_hits;
- u_int in_use;
- u_int in_hv;
- int in_flineno; /* conf. file line number */
- u_short in_pnext;
- u_char in_v;
- u_char in_xxx;
- /* From here to the end is covered by IPN_CMPSIZ */
- u_32_t in_flags;
- u_32_t in_mssclamp; /* if != 0 clamp MSS to this */
- u_int in_age[2];
- int in_redir; /* see below for values */
- int in_p; /* protocol. */
- i6addr_t in_in[2];
- i6addr_t in_out[2];
- i6addr_t in_src[2];
- frtuc4_t in_tuc;
- u_short in_port[2];
- u_short in_ppip; /* ports per IP. */
- u_short in_ippip; /* IP #'s per IP# */
- char in_ifnames[2][LIFNAMSIZ];
- char in_plabel[APR_LABELLEN]; /* proxy label.
*/
- ipftag_t in_tag;
-} ipnat_4_1_14_t;
-
-typedef struct ipnat_4_1_0 {
- struct ipnat *in_next;
- struct ipnat *in_rnext;
- struct ipnat **in_prnext;
- struct ipnat *in_mnext;
- struct ipnat **in_pmnext;
- struct ipftq *in_tqehead[2];
- void *in_ifps[2];
- void *in_apr;
- char *in_comment;
- i6addr_t in_next6;
- u_long in_space;
- u_long in_hits;
- u_int in_use;
- u_int in_hv;
- int in_flineno;
- u_short in_pnext;
- u_char in_v;
- u_char in_xxx;
- u_32_t in_flags;
- u_32_t in_mssclamp;
- u_int in_age[2];
- int in_redir;
- int in_p;
- i6addr_t in_in[2];
- i6addr_t in_out[2];
- i6addr_t in_src[2];
- frtuc4_t in_tuc;
- u_short in_port[2];
- u_short in_ppip;
- u_short in_ippip;
- char in_ifnames[2][LIFNAMSIZ];
- char in_plabel[APR_LABELLEN];
- ipftag_t in_tag;
-} ipnat_4_1_0_t;
-
-/* ------------------------------------------------------------------------ */
-
-typedef struct natlookup_4_1_1 {
- struct in_addr onl_inip;
- struct in_addr onl_outip;
- struct in_addr onl_realip;
- int nl_flags;
- u_short nl_inport;
- u_short nl_outport;
- u_short nl_realport;
-} natlookup_4_1_1_t;
-
-/* ------------------------------------------------------------------------ */
-
-/*
- * 4.1.25 added nat_seqnext (current)
- * 4.1.14 added nat_redir
- * 4.1.3 moved nat_rev
- * 4.1.2 added nat_rev
- */
-typedef struct nat_4_1_25 {
- ipfmutex_t nat_lock;
- struct nat_4_1_25 *nat_next;
- struct nat_4_1_25 **nat_pnext;
- struct nat_4_1_25 *nat_hnext[2];
- struct nat_4_1_25 **nat_phnext[2];
- struct hostmap *nat_hm;
- void *nat_data;
- struct nat_4_1_25 **nat_me;
- struct ipstate *nat_state;
- struct ap_session *nat_aps;
- frentry_t *nat_fr;
- struct ipnat_4_1_14 *nat_ptr;
- void *nat_ifps[2];
- void *nat_sync;
- ipftqent_t nat_tqe;
- u_32_t nat_flags;
- u_32_t nat_sumd[2];
- u_32_t nat_ipsumd;
- u_32_t nat_mssclamp;
- i6addr_t nat_inip6;
- i6addr_t nat_outip6;
- i6addr_t nat_oip6;
- U_QUAD_T nat_pkts[2];
- U_QUAD_T nat_bytes[2];
- union {
- udpinfo_t nat_unu;
- tcpinfo4_t nat_unt;
-
icmpinfo_t nat_uni;
- greinfo_t nat_ugre;
- } nat_un;
- u_short nat_oport;
- u_short nat_use;
- u_char nat_p;
- int nat_dir;
- int nat_ref;
- int nat_hv[2];
- char nat_ifnames[2][LIFNAMSIZ];
- int nat_rev;
- int nat_redir;
- u_32_t nat_seqnext[2];
-} nat_4_1_25_t;
-
-typedef struct nat_4_1_14 {
- ipfmutex_t nat_lock;
- struct nat *nat_next;
- struct nat **nat_pnext;
- struct nat *nat_hnext[2];
- struct nat **nat_phnext[2];
- struct hostmap *nat_hm;
- void *nat_data;
- struct nat **nat_me;
- struct ipstate *nat_state;
- struct ap_session *nat_aps;
- frentry_t *nat_fr;
- struct ipnat *nat_ptr;
- void *nat_ifps[2];
- void *nat_sync;
- ipftqent_t nat_tqe;
- u_32_t nat_flags;
- u_32_t nat_sumd[2];
- u_32_t nat_ipsumd;
- u_32_t nat_mssclamp;
- i6addr_t nat_inip6;
- i6addr_t nat_outip6;
- i6addr_t nat_oip6;
- U_QUAD_T nat_pkts[2];
- U_QUAD_T nat_bytes[2];
- union {
- udpinfo_t nat_unu;
- tcpinfo4_t nat_unt;
- icmpinfo_t nat_uni;
- greinfo_t nat_ugre;
- } nat_un;
- u_short nat_oport;
- u_short nat_use;
- u_char nat_p;
- int nat_dir;
- int nat_ref;
- int nat_hv[2];
- char nat_ifnames[2][LIFNAMSIZ];
- int nat_rev;
- int nat_redir;
-} nat_4_1_14_t;
-
-typedef struct nat_4_1_3 {
- ipfmutex_t nat_lock;
- struct nat *nat_next;
- struct nat **nat_pnext;
- struct nat *nat_hnext[2];
- struct nat **nat_phnext[2];
- struct hostmap *nat_hm;
- void *nat_data;
- struct nat **nat_me;
- struct ipstate *nat_state;
- struct ap_session *nat_aps;
- frentry_t *nat_fr;
- struct ipnat *nat_ptr;
- void *nat_ifps[2];
- void *nat_sync;
- ipftqent_t nat_tqe;
- u_32_t nat_flags;
- u_32_t nat_sumd[2];
- u_32_t nat_ipsumd;
- u_32_t nat_mssclamp;
- i6addr_t nat_inip6;
- i6addr_t nat_outip6;
- i6addr_t nat_oip6;
- U_QUAD_T nat_pkts[2];
- U_QUAD_T nat_bytes[2];
- union {
- udpinfo_t nat_unu;
- tcpinfo4_t nat_unt;
- icmpinfo_t nat_uni;
- greinfo_t nat_ugre;
- } nat_un;
- u_short nat_oport;
- u_short nat_use;
- u_char nat_p;
- int nat_dir;
- int nat_ref;
- int nat_hv[2];
- char nat_ifnames[2][LIFNAMSIZ];
-
int nat_rev;
-} nat_4_1_3_t;
-
-
-
-typedef struct nat_save_4_1_34 {
- void *ipn_next;
- struct nat_4_1_25 ipn_nat;
- struct ipnat_4_1_14 ipn_ipnat;
- struct frentry_4_1_34 ipn_fr;
- int ipn_dsize;
- char ipn_data[4];
-} nat_save_4_1_34_t;
-
-typedef struct nat_save_4_1_16 {
- void *ipn_next;
- nat_4_1_14_t ipn_nat;
- ipnat_t ipn_ipnat;
- frentry_4_1_16_t ipn_fr;
- int ipn_dsize;
- char ipn_data[4];
-} nat_save_4_1_16_t;
-
-typedef struct nat_save_4_1_14 {
- void *ipn_next;
- nat_4_1_14_t ipn_nat;
- ipnat_t ipn_ipnat;
- frentry_4_1_0_t ipn_fr;
- int ipn_dsize;
- char ipn_data[4];
-} nat_save_4_1_14_t;
-
-typedef struct nat_save_4_1_3 {
- void *ipn_next;
- nat_4_1_3_t ipn_nat;
- ipnat_4_1_0_t ipn_ipnat;
- frentry_4_1_0_t ipn_fr;
- int ipn_dsize;
- char ipn_data[4];
-} nat_save_4_1_3_t;
-
-/* ------------------------------------------------------------------------ */
-
-/*
- * 5.1.0 new release (current)
- * 4.1.32 added ns_uncreate
- * 4.1.27 added ns_orphans
- * 4.1.16 added ns_ticks
- */
-typedef struct natstat_4_1_32 {
- u_long ns_mapped[2];
- u_long ns_rules;
- u_long ns_added;
- u_long ns_expire;
- u_long ns_inuse;
- u_long ns_logged;
- u_long ns_logfail;
- u_long ns_memfail;
- u_long ns_badnat;
- u_long ns_addtrpnt;
- nat_t **ns_table[2];
- hostmap_t **ns_maptable;
- ipnat_t *ns_list;
- void *ns_apslist;
- u_int ns_wilds;
- u_int ns_nattab_sz;
- u_int ns_nattab_max;
- u_int ns_rultab_sz;
- u_int ns_rdrtab_sz;
- u_int ns_trpntab_sz;
- u_int ns_hostmap_sz;
- nat_t *ns_instances;
- hostmap_t *ns_maplist;
- u_long *ns_bucketlen[2];
- u_long ns_ticks;
- u_int ns_orphans;
- u_long ns_uncreate[2][2];
-} natstat_4_1_32_t;
-
-typedef struct natstat_4_1_27 {
- u_long ns_mapped[2];
- u_long ns_rules;
- u_long ns_added;
- u_long ns_expire;
- u_long ns_inuse;
- u_long ns_logged;
- u_long ns_logfail;
- u_long ns_memfail;
- u_long ns_badnat;
- u_long ns_addtrpnt;
- nat_t **ns_table[2];
- hostmap_t **ns_maptable;
- ipnat_t *ns_list;
- void *ns_apslist;
- u_int ns_wilds;
-
u_int ns_nattab_sz;
- u_int ns_nattab_max;
- u_int ns_rultab_sz;
- u_int ns_rdrtab_sz;
- u_int ns_trpntab_sz;
- u_int ns_hostmap_sz;
- nat_t *ns_instances;
- hostmap_t *ns_maplist;
- u_long *ns_bucketlen[2];
- u_long ns_ticks;
- u_int ns_orphans;
-} natstat_4_1_27_t;
-
-typedef struct natstat_4_1_16 {
- u_long ns_mapped[2];
- u_long ns_rules;
- u_long ns_added;
- u_long ns_expire;
- u_long ns_inuse;
- u_long ns_logged;
- u_long ns_logfail;
- u_long ns_memfail;
- u_long ns_badnat;
- u_long ns_addtrpnt;
- nat_t **ns_table[2];
- hostmap_t **ns_maptable;
- ipnat_t *ns_list;
- void *ns_apslist;
- u_int ns_wilds;
- u_int ns_nattab_sz;
- u_int ns_nattab_max;
- u_int ns_rultab_sz;
- u_int ns_rdrtab_sz;
- u_int ns_trpntab_sz;
- u_int ns_hostmap_sz;
- nat_t *ns_instances;
- hostmap_t *ns_maplist;
- u_long *ns_bucketlen[2];
- u_long ns_ticks;
-} natstat_4_1_16_t;
-
-typedef struct natstat_4_1_0 {
- u_long ns_mapped[2];
- u_long ns_rules;
- u_long ns_added;
- u_long ns_expire;
- u_long ns_inuse;
- u_long ns_logged;
- u_long ns_logfail;
- u_long ns_memfail;
- u_long ns_badnat;
- u_long ns_addtrpnt;
- nat_t **ns_table[2];
- hostmap_t **ns_maptable;
- ipnat_t *ns_list;
- void *ns_apslist;
- u_int ns_wilds;
- u_int ns_nattab_sz;
- u_int ns_nattab_max;
- u_int ns_rultab_sz;
- u_int ns_rdrtab_sz;
- u_int ns_trpntab_sz;
- u_int ns_hostmap_sz;
- nat_t *ns_instances;
- hostmap_t *ns_maplist;
- u_long *ns_bucketlen[2];
-} natstat_4_1_0_t;
-
-/* ------------------------------------------------------------------------ */
-
-/*
- * 5.1.0 new release (current)
- * 4.1.32 fra_info:removed both fin_state & fin_nat, added fin_pktnum
- * 4.1.29 added fra_flx
- * 4.1.24 fra_info:added fin_cksum
- * 4.1.23 fra_info:added fin_exthdr
- * 4.1.11 fra_info:added fin_ifname
- * 4.1.4 fra_info:added fin_hbuf
- */
-
-typedef struct frauth_4_1_32 {
- int fra_age;
- int fra_len;
- int fra_index;
- u_32_t fra_pass;
- fr_info_4_1_32_t fra_info;
- char *fra_buf;
- u_32_t fra_flx;
-#if SOLARIS
- queue_t
*fra_q;
- mb_t *fra_m;
-#endif
-} frauth_4_1_32_t;
-
-typedef struct frauth_4_1_29 {
- int fra_age;
- int fra_len;
- int fra_index;
- u_32_t fra_pass;
- fr_info_4_1_24_t fra_info;
- char *fra_buf;
- u_32_t fra_flx;
-#if SOLARIS
- queue_t *fra_q;
- mb_t *fra_m;
-#endif
-} frauth_4_1_29_t;
-
-typedef struct frauth_4_1_24 {
- int fra_age;
- int fra_len;
- int fra_index;
- u_32_t fra_pass;
- fr_info_4_1_24_t fra_info;
- char *fra_buf;
-#if SOLARIS
- queue_t *fra_q;
- mb_t *fra_m;
-#endif
-} frauth_4_1_24_t;
-
-typedef struct frauth_4_1_23 {
- int fra_age;
- int fra_len;
- int fra_index;
- u_32_t fra_pass;
- fr_info_4_1_23_t fra_info;
- char *fra_buf;
-#if SOLARIS
- queue_t *fra_q;
- mb_t *fra_m;
-#endif
-} frauth_4_1_23_t;
-
-typedef struct frauth_4_1_11 {
- int fra_age;
- int fra_len;
- int fra_index;
- u_32_t fra_pass;
- fr_info_4_1_11_t fra_info;
- char *fra_buf;
-#if SOLARIS
- queue_t *fra_q;
- mb_t *fra_m;
-#endif
-} frauth_4_1_11_t;
-
-/* ------------------------------------------------------------------------ */
-
-/*
- * 5.1.0 new release (current)
- * 4.1.16 removed is_nat
- */
-typedef struct ipstate_4_1_16 {
- ipfmutex_t is_lock;
- struct ipstate *is_next;
- struct ipstate **is_pnext;
- struct ipstate *is_hnext;
- struct ipstate **is_phnext;
- struct ipstate **is_me;
- void *is_ifp[4];
- void *is_sync;
- frentry_t *is_rule;
- struct ipftq *is_tqehead[2];
- struct ipscan *is_isc;
- U_QUAD_T is_pkts[4];
- U_QUAD_T is_bytes[4];
- U_QUAD_T is_icmppkts[4];
- struct ipftqent is_sti;
- u_int is_frage[2];
- int is_ref; /* reference count */
- int is_isninc[2];
- u_short is_sumd[2];
- i6addr_t is_src;
- i6addr_t is_dst;
- u_int is_pass;
- u_char is_p; /* Protocol */
- u_char is_v;
- u_32_t is_hv;
- u_32_t is_tag;
- u_32_t is_opt[2]; /* packet options set */
- u_32_t is_optmsk[2]; /* " " mask */
- u_short is_sec; /* security options set */
- u_short is_secmsk; /* " " mask */
- u_short is_auth; /* authentication options set */
- u_short is_authmsk; /* " " mask */
-
union {
- icmpinfo_t is_ics;
- tcpinfo4_t is_ts;
- udpinfo_t is_us;
- greinfo_t is_ug;
- } is_ps;
- u_32_t is_flags;
- int is_flx[2][2];
- u_32_t is_rulen; /* rule number when created */
- u_32_t is_s0[2];
- u_short is_smsk[2];
- char is_group[FR_GROUPLEN];
- char is_sbuf[2][16];
- char is_ifname[4][LIFNAMSIZ];
-} ipstate_4_1_16_t;
-
-typedef struct ipstate_4_1_0 {
- ipfmutex_t is_lock;
- struct ipstate *is_next;
- struct ipstate **is_pnext;
- struct ipstate *is_hnext;
- struct ipstate **is_phnext;
- struct ipstate **is_me;
- void *is_ifp[4];
- void *is_sync;
- void *is_nat[2];
- frentry_t *is_rule;
- struct ipftq *is_tqehead[2];
- struct ipscan *is_isc;
- U_QUAD_T is_pkts[4];
- U_QUAD_T is_bytes[4];
- U_QUAD_T is_icmppkts[4];
- struct ipftqent is_sti;
- u_int is_frage[2];
- int is_ref;
- int is_isninc[2];
- u_short is_sumd[2];
- i6addr_t is_src;
- i6addr_t is_dst;
- u_int is_pass;
- u_char is_p;
- u_char is_v;
- u_32_t is_hv;
- u_32_t is_tag;
- u_32_t is_opt[2];
- u_32_t is_optmsk[2];
- u_short is_sec;
- u_short is_secmsk;
- u_short is_auth;
- u_short is_authmsk;
- union {
- icmpinfo_t is_ics;
- tcpinfo4_t is_ts;
- udpinfo_t is_us;
- greinfo_t is_ug;
- } is_ps;
- u_32_t is_flags;
- int is_flx[2][2];
- u_32_t is_rulen;
- u_32_t is_s0[2];
- u_short is_smsk[2];
- char is_group[FR_GROUPLEN];
- char is_sbuf[2][16];
- char is_ifname[4][LIFNAMSIZ];
-} ipstate_4_1_0_t;
-
-typedef struct ipstate_save_4_1_34 {
- void *ips_next;
- struct ipstate_4_1_16 ips_is;
- struct frentry_4_1_34 ips_fr;
-} ipstate_save_4_1_34_t;
-
-typedef struct ipstate_save_4_1_16 {
- void *ips_next;
- ipstate_4_1_0_t ips_is;
- frentry_4_1_16_t ips_fr;
-} ipstate_save_4_1_16_t;
-
-typedef struct ipstate_save_4_1_0 {
- void *ips_next;
- ipstate_4_1_0_t ips_is;
- frentry_4_1_0_t ips_fr;
-} ipstate_save_4_1_0_t;
-
-/* ------------------------------------------------------------------------ */
-
-/*
- * 5.1.0 new release (current)
- * 4.1.21 added iss_tcptab
- */
-typedef struct ips_stat_4_1_21 {
- u_long
iss_hits;
- u_long iss_miss;
- u_long iss_max;
- u_long iss_maxref;
- u_long iss_tcp;
- u_long iss_udp;
- u_long iss_icmp;
- u_long iss_nomem;
- u_long iss_expire;
- u_long iss_fin;
- u_long iss_active;
- u_long iss_logged;
- u_long iss_logfail;
- u_long iss_inuse;
- u_long iss_wild;
- u_long iss_killed;
- u_long iss_ticks;
- u_long iss_bucketfull;
- int iss_statesize;
- int iss_statemax;
- ipstate_t **iss_table;
- ipstate_t *iss_list;
- u_long *iss_bucketlen;
- ipftq_t *iss_tcptab;
-} ips_stat_4_1_21_t;
-
-typedef struct ips_stat_4_1_0 {
- u_long iss_hits;
- u_long iss_miss;
- u_long iss_max;
- u_long iss_maxref;
- u_long iss_tcp;
- u_long iss_udp;
- u_long iss_icmp;
- u_long iss_nomem;
- u_long iss_expire;
- u_long iss_fin;
- u_long iss_active;
- u_long iss_logged;
- u_long iss_logfail;
- u_long iss_inuse;
- u_long iss_wild;
- u_long iss_killed;
- u_long iss_ticks;
- u_long iss_bucketfull;
- int iss_statesize;
- int iss_statemax;
- ipstate_t **iss_table;
- ipstate_t *iss_list;
- u_long *iss_bucketlen;
-} ips_stat_4_1_0_t;
-
-/* ------------------------------------------------------------------------ */
-
-typedef struct ipfrstat_4_1_1 {
- u_long ifs_exists; /* add & already exists */
- u_long ifs_nomem;
- u_long ifs_new;
- u_long ifs_hits;
- u_long ifs_expire;
- u_long ifs_inuse;
- u_long ifs_retrans0;
- u_long ifs_short;
- struct ipfr **ifs_table;
- struct ipfr **ifs_nattab;
-} ipfrstat_4_1_1_t;
-
-/* ------------------------------------------------------------------------ */
-static int ipf_addfrstr(char *, int, char *, int);
-static void ipf_v4iptov5(frip4_t *, fr_ip_t *);
-static void ipf_v5iptov4(fr_ip_t *, frip4_t *);
-static void ipfv4tuctov5(frtuc4_t *, frtuc_t *);
-static void ipfv5tuctov4(frtuc_t *, frtuc4_t *);
-static int ipf_v4fripftov5(fripf4_t *, char *);
-static void ipf_v5fripftov4(fripf_t *, fripf4_t *);
-static int fr_frflags4to5(u_32_t);
-static int fr_frflags5to4(u_32_t);
-
-static void friostat_current_to_4_1_0(void *, friostat_4_1_0_t *,
int);
-static void friostat_current_to_4_1_33(void *, friostat_4_1_33_t *, int);
-static void ipstate_current_to_4_1_0(void *, ipstate_4_1_0_t *);
-static void ipstate_current_to_4_1_16(void *, ipstate_4_1_16_t *);
-static void ipnat_current_to_4_1_0(void *, ipnat_4_1_0_t *);
-static void ipnat_current_to_4_1_14(void *, ipnat_4_1_14_t *);
-static void frauth_current_to_4_1_11(void *, frauth_4_1_11_t *);
-static void frauth_current_to_4_1_23(void *, frauth_4_1_23_t *);
-static void frauth_current_to_4_1_24(void *, frauth_4_1_24_t *);
-static void frauth_current_to_4_1_29(void *, frauth_4_1_29_t *);
-static void frentry_current_to_4_1_0(void *, frentry_4_1_0_t *);
-static void frentry_current_to_4_1_16(void *, frentry_4_1_16_t *);
-static void frentry_current_to_4_1_34(void *, frentry_4_1_34_t *);
-static void fr_info_current_to_4_1_11(void *, fr_info_4_1_11_t *);
-static void fr_info_current_to_4_1_23(void *, fr_info_4_1_23_t *);
-static void fr_info_current_to_4_1_24(void *, fr_info_4_1_24_t *);
-static void nat_save_current_to_4_1_3(void *, nat_save_4_1_3_t *);
-static void nat_save_current_to_4_1_14(void *, nat_save_4_1_14_t *);
-static void nat_save_current_to_4_1_16(void *, nat_save_4_1_16_t *);
-static void ipstate_save_current_to_4_1_0(void *, ipstate_save_4_1_0_t *);
-static void ipstate_save_current_to_4_1_16(void *, ipstate_save_4_1_16_t *);
-static void ips_stat_current_to_4_1_0(void *, ips_stat_4_1_0_t *);
-static void ips_stat_current_to_4_1_21(void *, ips_stat_4_1_21_t *);
-static void natstat_current_to_4_1_0(void *, natstat_4_1_0_t *);
-static void natstat_current_to_4_1_16(void *, natstat_4_1_16_t *);
-static void natstat_current_to_4_1_27(void *, natstat_4_1_27_t *);
-static void natstat_current_to_4_1_32(void *, natstat_4_1_32_t *);
-static void nat_current_to_4_1_3(void *, nat_4_1_3_t *);
-static void nat_current_to_4_1_14(void *, nat_4_1_14_t *);
-static void nat_current_to_4_1_25(void *, nat_4_1_25_t *);
-
-static void
friostat_4_1_0_to_current(friostat_4_1_0_t *, void *);
-static void friostat_4_1_33_to_current(friostat_4_1_33_t *, void *);
-static void ipnat_4_1_0_to_current(ipnat_4_1_0_t *, void *, int);
-static void ipnat_4_1_14_to_current(ipnat_4_1_14_t *, void *, int);
-static void frauth_4_1_11_to_current(frauth_4_1_11_t *, void *);
-static void frauth_4_1_23_to_current(frauth_4_1_23_t *, void *);
-static void frauth_4_1_24_to_current(frauth_4_1_24_t *, void *);
-static void frauth_4_1_29_to_current(frauth_4_1_29_t *, void *);
-static void frauth_4_1_32_to_current(frauth_4_1_32_t *, void *);
-static void frentry_4_1_0_to_current(ipf_main_softc_t *, frentry_4_1_0_t *, void *, int);
-static void frentry_4_1_16_to_current(ipf_main_softc_t *, frentry_4_1_16_t *, void *, int);
-static void frentry_4_1_34_to_current(ipf_main_softc_t *, frentry_4_1_34_t *, void *, int);
-static void fr_info_4_1_11_to_current(fr_info_4_1_11_t *, void *);
-static void fr_info_4_1_23_to_current(fr_info_4_1_23_t *, void *);
-static void fr_info_4_1_24_to_current(fr_info_4_1_24_t *, void *);
-static void fr_info_4_1_32_to_current(fr_info_4_1_32_t *, void *);
-static void nat_save_4_1_3_to_current(ipf_main_softc_t *, nat_save_4_1_3_t *, void *);
-static void nat_save_4_1_14_to_current(ipf_main_softc_t *, nat_save_4_1_14_t *, void *);
-static void nat_save_4_1_16_to_current(ipf_main_softc_t *, nat_save_4_1_16_t *, void *);
-
-/* ------------------------------------------------------------------------ */
-/* In this section is a series of short routines that deal with translating */
-/* the smaller data structures used above as their internal changes make */
-/* them inappropriate for simple assignment.
*/
-/* ------------------------------------------------------------------------ */
-
-
-static int
-ipf_addfrstr(char *names, int namelen, char *str, int maxlen)
-{
- char *t;
- int i;
-
- for (i = maxlen, t = str; (*t != '\0') && (i > 0); i--) {
- names[namelen++] = *t++;
- }
- names[namelen++] = '\0';
- return namelen;
-}
-
-
-static void
-ipf_v4iptov5(v4, v5)
- frip4_t *v4;
- fr_ip_t *v5;
-{
- v5->fi_v = v4->fi_v;
- v5->fi_p = v4->fi_p;
- v5->fi_xx = v4->fi_xx;
- v5->fi_tos = v4->fi_tos;
- v5->fi_ttl = v4->fi_ttl;
- v5->fi_p = v4->fi_p;
- v5->fi_optmsk = v4->fi_optmsk;
- v5->fi_src = v4->fi_src;
- v5->fi_dst = v4->fi_dst;
- v5->fi_secmsk = v4->ofi_secmsk;
- v5->fi_auth = v4->ofi_auth;
- v5->fi_flx = v4->fi_flx;
- v5->fi_tcpmsk = v4->fi_tcpmsk;
-}
-
-static void
-ipf_v5iptov4(v5, v4)
- fr_ip_t *v5;
- frip4_t *v4;
-{
- v4->fi_v = v5->fi_v;
- v4->fi_p = v5->fi_p;
- v4->fi_xx = v5->fi_xx;
- v4->fi_tos = v5->fi_tos;
- v4->fi_ttl = v5->fi_ttl;
- v4->fi_p = v5->fi_p;
- v4->fi_optmsk = v5->fi_optmsk;
- v4->fi_src = v5->fi_src;
- v4->fi_dst = v5->fi_dst;
- v4->ofi_secmsk = v5->fi_secmsk;
- v4->ofi_auth = v5->fi_auth;
- v4->fi_flx = v5->fi_flx;
- v4->fi_tcpmsk = v5->fi_tcpmsk;
-}
-
-
-static void
-ipfv4tuctov5(v4, v5)
- frtuc4_t *v4;
- frtuc_t *v5;
-{
- v5->ftu_src.frp_cmp = v4->ftu_src.frp_cmp;
- v5->ftu_src.frp_port = v4->ftu_src.frp_port;
- v5->ftu_src.frp_top = v4->ftu_src.frp_top;
- v5->ftu_dst.frp_cmp = v4->ftu_dst.frp_cmp;
- v5->ftu_dst.frp_port = v4->ftu_dst.frp_port;
- v5->ftu_dst.frp_top = v4->ftu_dst.frp_top;
-}
-
-
-static void
-ipfv5tuctov4(v5, v4)
- frtuc_t *v5;
- frtuc4_t *v4;
-{
- v4->ftu_src.frp_cmp = v5->ftu_src.frp_cmp;
- v4->ftu_src.frp_port = v5->ftu_src.frp_port;
- v4->ftu_src.frp_top = v5->ftu_src.frp_top;
- v4->ftu_dst.frp_cmp = v5->ftu_dst.frp_cmp;
- v4->ftu_dst.frp_port = v5->ftu_dst.frp_port;
- v4->ftu_dst.frp_top = v5->ftu_dst.frp_top;
-}
-
-
-static int
-ipf_v4fripftov5(frp4, dst)
- fripf4_t *frp4;
- char *dst;
-{
- fripf_t *frp;
-
- frp =
(fripf_t *)dst;
-
- ipf_v4iptov5(&frp4->fri_ip, &frp->fri_ip);
- ipf_v4iptov5(&frp4->fri_mip, &frp->fri_mip);
- frp->fri_icmpm = frp4->fri_icmpm;
- frp->fri_icmp = frp4->fri_icmp;
- frp->fri_tuc.ftu_tcpfm = frp4->fri_tuc.ftu_tcpfm;
- frp->fri_tuc.ftu_tcpf = frp4->fri_tuc.ftu_tcpf;
- ipfv4tuctov5(&frp4->fri_tuc, &frp->fri_tuc);
- frp->fri_satype = frp4->fri_satype;
- frp->fri_datype = frp4->fri_datype;
- frp->fri_sifpidx = frp4->fri_sifpidx;
- frp->fri_difpidx = frp4->fri_difpidx;
- return 0;
-}
-
-
-static void
-ipf_v5fripftov4(frp, frp4)
- fripf_t *frp;
- fripf4_t *frp4;
-{
-
- ipf_v5iptov4(&frp->fri_ip, &frp4->fri_ip);
- ipf_v5iptov4(&frp->fri_mip, &frp4->fri_mip);
- frp4->fri_icmpm = frp->fri_icmpm;
- frp4->fri_icmp = frp->fri_icmp;
- frp4->fri_tuc.ftu_tcpfm = frp->fri_tuc.ftu_tcpfm;
- frp4->fri_tuc.ftu_tcpf = frp->fri_tuc.ftu_tcpf;
- ipfv5tuctov4(&frp->fri_tuc, &frp4->fri_tuc);
- frp4->fri_satype = frp->fri_satype;
- frp4->fri_datype = frp->fri_datype;
- frp4->fri_sifpidx = frp->fri_sifpidx;
- frp4->fri_difpidx = frp->fri_difpidx;
-}
-
-
-/* ------------------------------------------------------------------------ */
-/* ipf_in_compat is the first of two service routines. It is responsible for*/
-/* converting data structures from user space into what's required by the */
-/* kernel module.
*/
-/* ------------------------------------------------------------------------ */
-int
-ipf_in_compat(softc, obj, ptr, size)
- ipf_main_softc_t *softc;
- ipfobj_t *obj;
- void *ptr;
- int size;
-{
- int error;
- int sz;
-
- IPFERROR(140000);
- error = EINVAL;
-
- switch (obj->ipfo_type)
- {
- default :
- break;
-
- case IPFOBJ_FRENTRY :
- if (obj->ipfo_rev >= 4013400) {
- frentry_4_1_34_t *old;
-
- KMALLOC(old, frentry_4_1_34_t *);
- if (old == NULL) {
- IPFERROR(140001);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
- if (error == 0) {
- if (old->fr_type != FR_T_NONE &&
- old->fr_type != FR_T_IPF) {
- IPFERROR(140002);
- error = EINVAL;
- KFREE(old);
- break;
- }
- frentry_4_1_34_to_current(softc, old,
- ptr, size);
- } else {
- IPFERROR(140003);
- }
- KFREE(old);
- } else if (obj->ipfo_rev >= 4011600) {
- frentry_4_1_16_t *old;
-
- KMALLOC(old, frentry_4_1_16_t *);
- if (old == NULL) {
- IPFERROR(140004);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
- if (error == 0) {
- if (old->fr_type != FR_T_NONE &&
- old->fr_type != FR_T_IPF) {
- IPFERROR(140005);
- error = EINVAL;
- KFREE(old);
- break;
- }
- frentry_4_1_16_to_current(softc, old,
- ptr, size);
- } else {
- IPFERROR(140006);
- }
- KFREE(old);
- } else {
- frentry_4_1_0_t *old;
-
- KMALLOC(old, frentry_4_1_0_t *);
- if (old == NULL) {
- IPFERROR(140007);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
- if (error == 0) {
- if (old->fr_type != FR_T_NONE &&
- old->fr_type != FR_T_IPF) {
- IPFERROR(140008);
- error = EINVAL;
- KFREE(old);
- break;
- }
- frentry_4_1_0_to_current(softc, old, ptr, size);
- } else {
- IPFERROR(140009);
- }
- KFREE(old);
- }
- break;
-
- case IPFOBJ_IPFSTAT :
- if (obj->ipfo_rev >= 4013300) {
- friostat_4_1_33_t *old;
-
- KMALLOC(old, friostat_4_1_33_t *);
- if (old == NULL) {
- IPFERROR(140010);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old,
sizeof(*old));
- if (error == 0) {
- friostat_4_1_33_to_current(old, ptr);
- } else {
- IPFERROR(140011);
- }
- } else {
- friostat_4_1_0_t *old;
-
- KMALLOC(old, friostat_4_1_0_t *);
- if (old == NULL) {
- IPFERROR(140012);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
- if (error == 0) {
- friostat_4_1_0_to_current(old, ptr);
- } else {
- IPFERROR(140013);
- }
- }
- break;
-
- case IPFOBJ_IPFINFO : /* unused */
- break;
-
- case IPFOBJ_IPNAT :
- if (obj->ipfo_rev >= 4011400) {
- ipnat_4_1_14_t *old;
-
- KMALLOC(old, ipnat_4_1_14_t *);
- if (old == NULL) {
- IPFERROR(140014);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
- if (error == 0) {
- ipnat_4_1_14_to_current(old, ptr, size);
- } else {
- IPFERROR(140015);
- }
- KFREE(old);
- } else {
- ipnat_4_1_0_t *old;
-
- KMALLOC(old, ipnat_4_1_0_t *);
- if (old == NULL) {
- IPFERROR(140016);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
- if (error == 0) {
- ipnat_4_1_0_to_current(old, ptr, size);
- } else {
- IPFERROR(140017);
- }
- KFREE(old);
- }
- break;
-
- case IPFOBJ_NATSTAT :
- /*
- * Statistics are not copied in.
- */
- break;
-
- case IPFOBJ_NATSAVE :
- if (obj->ipfo_rev >= 4011600) {
- nat_save_4_1_16_t *old16;
-
- KMALLOC(old16, nat_save_4_1_16_t *);
- if (old16 == NULL) {
- IPFERROR(140018);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old16, sizeof(*old16));
- if (error == 0) {
- nat_save_4_1_16_to_current(softc, old16, ptr);
- } else {
- IPFERROR(140019);
- }
- KFREE(old16);
- } else if (obj->ipfo_rev >= 4011400) {
- nat_save_4_1_14_t *old14;
-
- KMALLOC(old14, nat_save_4_1_14_t *);
- if (old14 == NULL) {
- IPFERROR(140020);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old14, sizeof(*old14));
- if (error == 0) {
- nat_save_4_1_14_to_current(softc, old14, ptr);
- } else {
- IPFERROR(140021);
- }
- KFREE(old14);
- } else if (obj->ipfo_rev >= 4010300) {
- nat_save_4_1_3_t *old3;
-
- KMALLOC(old3, nat_save_4_1_3_t *);
- if (old3 == NULL) {
- IPFERROR(140022);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old3, sizeof(*old3));
- if (error == 0) {
- nat_save_4_1_3_to_current(softc, old3, ptr);
- } else {
- IPFERROR(140023);
- }
- KFREE(old3);
- }
- break;
-
- case IPFOBJ_STATESAVE :
- if (obj->ipfo_rev >= 4013400) {
- ipstate_save_4_1_34_t *old;
-
- KMALLOC(old, ipstate_save_4_1_34_t *);
- if (old == NULL) {
- IPFERROR(140024);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
- if (error != 0) {
- IPFERROR(140025);
- }
- KFREE(old);
- } else if (obj->ipfo_rev >= 4011600) {
- ipstate_save_4_1_16_t *old;
-
- KMALLOC(old, ipstate_save_4_1_16_t *);
- if (old == NULL) {
- IPFERROR(140026);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
- if (error != 0) {
- IPFERROR(140027);
- }
- KFREE(old);
- } else {
- ipstate_save_4_1_0_t *old;
-
- KMALLOC(old, ipstate_save_4_1_0_t *);
- if (old == NULL) {
- IPFERROR(140028);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
- if (error != 0) {
- IPFERROR(140029);
- }
- KFREE(old);
- }
-
break;
-
- case IPFOBJ_IPSTATE :
- /*
- * This structure is not copied in by itself.
- */
- break;
-
- case IPFOBJ_STATESTAT :
- /*
- * Statistics are not copied in.
- */
- break;
-
- case IPFOBJ_FRAUTH :
- if (obj->ipfo_rev >= 4013200) {
- frauth_4_1_32_t *old32;
-
- KMALLOC(old32, frauth_4_1_32_t *);
- if (old32 == NULL) {
- IPFERROR(140030);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old32, sizeof(*old32));
- if (error == 0) {
- frauth_4_1_32_to_current(old32, ptr);
- } else {
- IPFERROR(140031);
- }
- KFREE(old32);
- } else if (obj->ipfo_rev >= 4012900) {
- frauth_4_1_29_t *old29;
-
- KMALLOC(old29, frauth_4_1_29_t *);
- if (old29 == NULL) {
- IPFERROR(140032);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old29, sizeof(*old29));
- if (error == 0) {
- frauth_4_1_29_to_current(old29, ptr);
- } else {
- IPFERROR(140033);
- }
- KFREE(old29);
- } else if (obj->ipfo_rev >= 4012400) {
- frauth_4_1_24_t *old24;
-
- KMALLOC(old24, frauth_4_1_24_t *);
- if (old24 == NULL) {
- IPFERROR(140034);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old24, sizeof(*old24));
- if (error == 0) {
- frauth_4_1_24_to_current(old24, ptr);
- } else {
- IPFERROR(140035);
- }
- KFREE(old24);
- } else if (obj->ipfo_rev >= 4012300) {
- frauth_4_1_23_t *old23;
-
- KMALLOC(old23, frauth_4_1_23_t *);
- if (old23 == NULL) {
- IPFERROR(140036);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old23, sizeof(*old23));
- if (error == 0)
- frauth_4_1_23_to_current(old23, ptr);
- KFREE(old23);
- } else if (obj->ipfo_rev >= 4011100) {
- frauth_4_1_11_t *old11;
-
- KMALLOC(old11, frauth_4_1_11_t *);
- if (old11 == NULL) {
- IPFERROR(140037);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old11, sizeof(*old11));
- if (error == 0) {
- frauth_4_1_11_to_current(old11, ptr);
- } else {
- IPFERROR(140038);
- }
- KFREE(old11);
- }
- break;
-
- case IPFOBJ_NAT :
- if (obj->ipfo_rev >= 4011400) {
- sz = sizeof(nat_4_1_14_t);
- }
else if (obj->ipfo_rev >= 4010300) {
- sz = sizeof(nat_4_1_3_t);
- } else {
- break;
- }
- bzero(ptr, sizeof(nat_t));
- error = COPYIN(obj->ipfo_ptr, ptr, sz);
- if (error != 0) {
- IPFERROR(140039);
- }
- break;
-
- case IPFOBJ_FRIPF :
- if (obj->ipfo_rev < 5000000) {
- fripf4_t *old;
-
- KMALLOC(old, fripf4_t *);
- if (old == NULL) {
- IPFERROR(140040);
- error = ENOMEM;
- break;
- }
- error = COPYIN(obj->ipfo_ptr, old, sizeof(*old));
- if (error == 0) {
- ipf_v4fripftov5(old, ptr);
- } else {
- IPFERROR(140041);
- }
- KFREE(old);
- }
- break;
- }
-
- return error;
-}
-/* ------------------------------------------------------------------------ */
-
-
-/*
- * flags is v4 flags, returns v5 flags.
- */
-static int
-fr_frflags4to5(flags)
- u_32_t flags;
-{
- u_32_t nflags = 0;
-
- switch (flags & 0xf) {
- case 0x0 :
- nflags |= FR_CALL;
- break;
- case 0x1 :
- nflags |= FR_BLOCK;
- break;
- case 0x2 :
- nflags |= FR_PASS;
- break;
- case 0x3 :
- nflags |= FR_AUTH;
- break;
- case 0x4 :
- nflags |= FR_PREAUTH;
- break;
- case 0x5 :
- nflags |= FR_ACCOUNT;
- break;
- case 0x6 :
- nflags |= FR_SKIP;
- break;
- default :
- break;
- }
-
- if (flags & 0x00010)
- nflags |= FR_LOG;
- if (flags & 0x00020)
- nflags |= FR_CALLNOW;
- if (flags & 0x00080)
- nflags |= FR_NOTSRCIP;
- if (flags & 0x00040)
- nflags |= FR_NOTDSTIP;
- if (flags & 0x00100)
- nflags |= FR_QUICK;
- if (flags & 0x00200)
- nflags |= FR_KEEPFRAG;
- if (flags & 0x00400)
- nflags |= FR_KEEPSTATE;
- if (flags & 0x00800)
- nflags |= FR_FASTROUTE;
- if (flags & 0x01000)
- nflags |= FR_RETRST;
- if (flags & 0x02000)
- nflags |= FR_RETICMP;
- if (flags & 0x03000)
- nflags |= FR_FAKEICMP;
- if (flags & 0x04000)
- nflags |= FR_OUTQUE;
- if (flags & 0x08000)
- nflags |= FR_INQUE;
- if (flags & 0x10000)
- nflags |= FR_LOGBODY;
- if (flags & 0x20000)
- nflags |= FR_LOGFIRST;
- if (flags & 0x40000)
- nflags |= FR_LOGORBLOCK;
- if (flags & 0x100000)
- nflags |= FR_FRSTRICT;
- if (flags & 0x200000)
- nflags |= FR_STSTRICT;
- if (flags & 0x400000)
- nflags |= FR_NEWISN;
- if (flags & 0x800000)
- nflags |= FR_NOICMPERR;
- if (flags & 0x1000000)
- nflags |= FR_STATESYNC;
- if (flags & 0x8000000)
- nflags |= FR_NOMATCH;
- if (flags & 0x40000000)
- nflags |= FR_COPIED;
- if (flags & 0x80000000)
- nflags |= FR_INACTIVE;
-
- return nflags;
-}
-
-static void
-frentry_4_1_34_to_current(softc, old, current, size)
- ipf_main_softc_t *softc;
- frentry_4_1_34_t *old;
- void *current;
- int size;
-{
- frentry_t *fr = (frentry_t *)current;
-
- fr->fr_comment = -1;
- fr->fr_ref = old->fr_ref;
- fr->fr_statecnt = old->fr_statecnt;
- fr->fr_hits = old->fr_hits;
- fr->fr_bytes = old->fr_bytes;
- fr->fr_lastpkt.tv_sec = old->fr_lastpkt.tv_sec;
- fr->fr_lastpkt.tv_usec = old->fr_lastpkt.tv_usec;
- bcopy(&old->fr_dun, &fr->fr_dun, sizeof(old->fr_dun));
- fr->fr_func = old->fr_func;
- fr->fr_dsize = old->fr_dsize;
- fr->fr_pps = old->fr_pps;
- fr->fr_statemax = old->fr_statemax;
- fr->fr_flineno = old->fr_flineno;
- fr->fr_type = old->fr_type;
- fr->fr_flags = fr_frflags4to5(old->fr_flags);
- fr->fr_logtag = old->fr_logtag;
- fr->fr_collect = old->fr_collect;
- fr->fr_arg = old->fr_arg;
- fr->fr_loglevel = old->fr_loglevel;
- fr->fr_age[0] = old->fr_age[0];
- fr->fr_age[1] = old->fr_age[1];
- fr->fr_tifs[0].fd_ip6 = old->fr_tifs[0].ofd_ip6;
- fr->fr_tifs[0].fd_type = FRD_NORMAL;
- fr->fr_tifs[1].fd_ip6 = old->fr_tifs[1].ofd_ip6;
- fr->fr_tifs[1].fd_type = FRD_NORMAL;
- fr->fr_dif.fd_ip6 = old->fr_dif.ofd_ip6;
- fr->fr_dif.fd_type = FRD_NORMAL;
- if (old->fr_v == 4)
- fr->fr_family = AF_INET;
- if (old->fr_v == 6)
- fr->fr_family = AF_INET6;
- fr->fr_icode = old->fr_icode;
- fr->fr_cksum = old->fr_cksum;
- fr->fr_namelen = 0;
- fr->fr_ifnames[0] = -1;
- fr->fr_ifnames[1] = -1;
- fr->fr_ifnames[2] = -1;
- fr->fr_ifnames[3] = -1;
- fr->fr_dif.fd_name = -1;
- fr->fr_tifs[0].fd_name = -1;
- fr->fr_tifs[1].fd_name = -1;
- fr->fr_group = -1;
- fr->fr_grhead = -1;
- fr->fr_icmphead = -1;
- if (size == 0) {
- fr->fr_size = sizeof(*fr) + LIFNAMSIZ * 7 + FR_GROUPLEN * 2;
- fr->fr_size += sizeof(fripf_t) + 16;
- fr->fr_size += 9; /* room for \0's */
- } else {
- char *names = fr->fr_names;
- int nlen = fr->fr_namelen;
-
- fr->fr_size = size;
- if (old->fr_ifnames[0][0] != '\0') {
- fr->fr_ifnames[0] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[0],
- LIFNAMSIZ);
- }
- if (old->fr_ifnames[1][0] != '\0') {
- fr->fr_ifnames[1] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[1],
- LIFNAMSIZ);
- }
- if (old->fr_ifnames[2][0] != '\0') {
- fr->fr_ifnames[2] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[2],
- LIFNAMSIZ);
- }
- if (old->fr_ifnames[3][0] != '\0') {
- fr->fr_ifnames[3] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[3],
- LIFNAMSIZ);
- }
- if (old->fr_tifs[0].fd_ifname[0] != '\0') {
- fr->fr_tifs[0].fd_name = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_tifs[0].fd_ifname,
- LIFNAMSIZ);
- }
- if (old->fr_tifs[1].fd_ifname[0] != '\0') {
- fr->fr_tifs[1].fd_name = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_tifs[1].fd_ifname,
- LIFNAMSIZ);
- }
- if (old->fr_dif.fd_ifname[0] != '\0') {
- fr->fr_dif.fd_name = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_dif.fd_ifname, LIFNAMSIZ);
- }
- if (old->fr_group[0] != '\0') {
- fr->fr_group = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_group, LIFNAMSIZ);
- }
- if (old->fr_grhead[0] != '\0') {
- fr->fr_grhead = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_grhead, LIFNAMSIZ);
- }
- fr->fr_namelen = nlen;
-
- if (old->fr_type == FR_T_IPF) {
- int offset = fr->fr_namelen;
- ipfobj_t obj;
- int error;
-
- obj.ipfo_type = IPFOBJ_FRIPF;
- obj.ipfo_rev = 4010100;
- obj.ipfo_ptr = old->fr_data;
-
- if ((offset & 7) != 0)
- offset += 8 - (offset & 7);
- error = ipf_in_compat(softc, &obj,
- fr->fr_names + offset, 0);
- if (error == 0) {
- fr->fr_data = fr->fr_names + offset;
- fr->fr_dsize = sizeof(fripf_t);
- }
- }
- }
-}
-
-static void
-frentry_4_1_16_to_current(softc, old, current, size)
- ipf_main_softc_t *softc;
- frentry_4_1_16_t *old;
- void *current;
- int size;
-{
- frentry_t *fr = (frentry_t *)current;
-
- fr->fr_comment = -1;
- fr->fr_ref = old->fr_ref;
- fr->fr_statecnt = old->fr_statecnt;
- fr->fr_hits = old->fr_hits;
- fr->fr_bytes = old->fr_bytes;
- fr->fr_lastpkt.tv_sec = old->fr_lastpkt.tv_sec;
- fr->fr_lastpkt.tv_usec = old->fr_lastpkt.tv_usec;
- bcopy(&old->fr_dun, &fr->fr_dun, sizeof(old->fr_dun));
- fr->fr_func = old->fr_func;
- fr->fr_dsize = old->fr_dsize;
- fr->fr_pps = old->fr_pps;
- fr->fr_statemax = old->fr_statemax;
- fr->fr_flineno = old->fr_flineno;
- fr->fr_type = old->fr_type;
- fr->fr_flags = fr_frflags4to5(old->fr_flags);
- fr->fr_logtag = old->fr_logtag;
- fr->fr_collect = old->fr_collect;
- fr->fr_arg = old->fr_arg;
- fr->fr_loglevel = old->fr_loglevel;
- fr->fr_age[0] = old->fr_age[0];
- fr->fr_age[1] = old->fr_age[1];
- fr->fr_tifs[0].fd_ip6 = old->fr_tifs[0].ofd_ip6;
- fr->fr_tifs[0].fd_type = FRD_NORMAL;
- fr->fr_tifs[1].fd_ip6 = old->fr_tifs[1].ofd_ip6;
- fr->fr_tifs[1].fd_type = FRD_NORMAL;
- fr->fr_dif.fd_ip6 = old->fr_dif.ofd_ip6;
- fr->fr_dif.fd_type = FRD_NORMAL;
- if (old->fr_v == 4)
- fr->fr_family = AF_INET;
- if (old->fr_v == 6)
- fr->fr_family = AF_INET6;
- fr->fr_icode = old->fr_icode;
- fr->fr_cksum = old->fr_cksum;
- fr->fr_namelen = 0;
- fr->fr_ifnames[0] = -1;
- fr->fr_ifnames[1] = -1;
- fr->fr_ifnames[2] = -1;
- fr->fr_ifnames[3] = -1;
- fr->fr_dif.fd_name = -1;
- fr->fr_tifs[0].fd_name = -1;
- fr->fr_tifs[1].fd_name = -1;
- fr->fr_group = -1;
- fr->fr_grhead = -1;
- fr->fr_icmphead = -1;
- if (size == 0) {
- fr->fr_size = sizeof(*fr) + LIFNAMSIZ * 7 + FR_GROUPLEN * 2;
- fr->fr_size += 9; /* room for \0's */
- } else {
- char *names = fr->fr_names;
- int nlen = fr->fr_namelen;
-
- fr->fr_size = size;
- if (old->fr_ifnames[0][0] != '\0') {
- fr->fr_ifnames[0] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[0],
- LIFNAMSIZ);
- }
- if (old->fr_ifnames[1][0] != '\0') {
- fr->fr_ifnames[1] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[1],
- LIFNAMSIZ);
- }
- if (old->fr_ifnames[2][0] != '\0') {
- fr->fr_ifnames[2] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[2],
- LIFNAMSIZ);
- }
- if (old->fr_ifnames[3][0] != '\0') {
- fr->fr_ifnames[3] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[3],
- LIFNAMSIZ);
- }
- if (old->fr_tifs[0].fd_ifname[0] != '\0') {
- fr->fr_tifs[0].fd_name = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_tifs[0].fd_ifname,
- LIFNAMSIZ);
- }
- if (old->fr_tifs[1].fd_ifname[0] != '\0') {
- fr->fr_tifs[1].fd_name = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_tifs[1].fd_ifname,
- LIFNAMSIZ);
- }
- if (old->fr_dif.fd_ifname[0] != '\0') {
- fr->fr_dif.fd_name = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_dif.fd_ifname, LIFNAMSIZ);
- }
- if (old->fr_group[0] != '\0') {
- fr->fr_group = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_group, LIFNAMSIZ);
- }
- if (old->fr_grhead[0] != '\0') {
- fr->fr_grhead = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_grhead, LIFNAMSIZ);
- }
- fr->fr_namelen = nlen;
-
- if (old->fr_type == FR_T_IPF) {
- int offset = fr->fr_namelen;
- ipfobj_t obj;
- int error;
-
- obj.ipfo_type = IPFOBJ_FRIPF;
- obj.ipfo_rev = 4010100;
- obj.ipfo_ptr = old->fr_data;
-
- if ((offset & 7) != 0)
- offset += 8 - (offset & 7);
- error = ipf_in_compat(softc, &obj,
- fr->fr_names + offset, 0);
- if (error == 0) {
- fr->fr_data = fr->fr_names + offset;
- fr->fr_dsize = sizeof(fripf_t);
- }
- }
- }
-}
-
-
-static void
-frentry_4_1_0_to_current(softc, old, current, size)
- ipf_main_softc_t *softc;
- frentry_4_1_0_t *old;
- void *current;
- int size;
-{
- frentry_t *fr = (frentry_t *)current;
-
- fr->fr_size = sizeof(*fr);
- fr->fr_comment = -1;
- fr->fr_ref = old->fr_ref;
- fr->fr_statecnt = old->fr_statecnt;
- fr->fr_hits = old->fr_hits;
- fr->fr_bytes = old->fr_bytes;
- fr->fr_lastpkt.tv_sec = old->fr_lastpkt.tv_sec;
- fr->fr_lastpkt.tv_usec = old->fr_lastpkt.tv_usec;
- bcopy(&old->fr_dun, &fr->fr_dun, sizeof(old->fr_dun));
- fr->fr_func = old->fr_func;
- fr->fr_dsize = old->fr_dsize;
- fr->fr_pps = old->fr_pps;
- fr->fr_statemax = old->fr_statemax;
- fr->fr_flineno = old->fr_flineno;
- fr->fr_type = old->fr_type;
- fr->fr_flags = fr_frflags4to5(old->fr_flags);
- fr->fr_logtag = old->fr_logtag;
- fr->fr_collect = old->fr_collect;
- fr->fr_arg = old->fr_arg;
- fr->fr_loglevel = old->fr_loglevel;
- fr->fr_age[0] = old->fr_age[0];
- fr->fr_age[1] = old->fr_age[1];
- fr->fr_tifs[0].fd_ip6 = old->fr_tifs[0].ofd_ip6;
- fr->fr_tifs[0].fd_type = FRD_NORMAL;
- fr->fr_tifs[1].fd_ip6 = old->fr_tifs[1].ofd_ip6;
- fr->fr_tifs[1].fd_type = FRD_NORMAL;
- fr->fr_dif.fd_ip6 = old->fr_dif.ofd_ip6;
- fr->fr_dif.fd_type = FRD_NORMAL;
- if (old->fr_v == 4)
- fr->fr_family = AF_INET;
- if (old->fr_v == 6)
- fr->fr_family = AF_INET6;
- fr->fr_icode = old->fr_icode;
- fr->fr_cksum = old->fr_cksum;
- fr->fr_namelen = 0;
- fr->fr_ifnames[0] = -1;
- fr->fr_ifnames[1] = -1;
- fr->fr_ifnames[2] = -1;
- fr->fr_ifnames[3] = -1;
- fr->fr_dif.fd_name = -1;
- fr->fr_tifs[0].fd_name = -1;
- fr->fr_tifs[1].fd_name = -1;
- fr->fr_group = -1;
- fr->fr_grhead = -1;
- fr->fr_icmphead = -1;
- if (size == 0) {
- fr->fr_size = sizeof(*fr) + LIFNAMSIZ * 7 + FR_GROUPLEN * 2;
- fr->fr_size += 9; /* room for \0's */
- } else {
- char *names = fr->fr_names;
- int nlen = fr->fr_namelen;
-
- fr->fr_size = size;
- if (old->fr_ifnames[0][0] != '\0') {
- fr->fr_ifnames[0] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[0],
- LIFNAMSIZ);
- }
- if (old->fr_ifnames[1][0] != '\0') {
- fr->fr_ifnames[1] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[1],
- LIFNAMSIZ);
- }
- if (old->fr_ifnames[2][0] != '\0') {
- fr->fr_ifnames[2] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[2],
- LIFNAMSIZ);
- }
- if (old->fr_ifnames[3][0] != '\0') {
- fr->fr_ifnames[3] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->fr_ifnames[3],
- LIFNAMSIZ);
- }
- if (old->fr_tifs[0].fd_ifname[0] != '\0') {
- fr->fr_tifs[0].fd_name = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_tifs[0].fd_ifname,
- LIFNAMSIZ);
- }
- if (old->fr_tifs[1].fd_ifname[0] != '\0') {
- fr->fr_tifs[1].fd_name = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_tifs[1].fd_ifname,
- LIFNAMSIZ);
- }
- if (old->fr_dif.fd_ifname[0] != '\0') {
- fr->fr_dif.fd_name = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_dif.fd_ifname, LIFNAMSIZ);
- }
- if (old->fr_group[0] != '\0') {
- fr->fr_group = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_group, LIFNAMSIZ);
- }
- if (old->fr_grhead[0] != '\0') {
- fr->fr_grhead = nlen;
- nlen = ipf_addfrstr(names, nlen,
- old->fr_grhead, LIFNAMSIZ);
- }
- fr->fr_namelen = nlen;
-
- if (old->fr_type == FR_T_IPF) {
- int offset = fr->fr_namelen;
- ipfobj_t obj;
- int error;
-
- obj.ipfo_type = IPFOBJ_FRIPF;
- obj.ipfo_rev = 4010100;
- obj.ipfo_ptr = old->fr_data;
-
- if ((offset & 7) != 0)
- offset += 8 - (offset & 7);
- offset += 8 - (offset & 7);
- error = ipf_in_compat(softc, &obj,
- fr->fr_names + offset, 0);
- if (error == 0) {
- fr->fr_data = fr->fr_names + offset;
- fr->fr_dsize = sizeof(fripf_t);
- }
- }
- }
-}
-
-
-static void
-friostat_4_1_33_to_current(old, current)
- friostat_4_1_33_t *old;
- void *current;
-{
- friostat_t *fiop = (friostat_t *)current;
-
- bcopy(&old->of_st[0], &fiop->f_st[0].fr_pass, sizeof(old->of_st[0]));
- bcopy(&old->of_st[1], &fiop->f_st[1].fr_pass, sizeof(old->of_st[1]));
-
- fiop->f_ipf[0][0] = old->f_ipf[0][0];
- fiop->f_ipf[0][1] = old->f_ipf[0][1];
- fiop->f_ipf[1][0] = old->f_ipf[1][0];
- fiop->f_ipf[1][1] = old->f_ipf[1][1];
- fiop->f_acct[0][0] = old->f_acct[0][0];
- fiop->f_acct[0][1] = old->f_acct[0][1];
- fiop->f_acct[1][0] = old->f_acct[1][0];
- fiop->f_acct[1][1] = old->f_acct[1][1];
- fiop->f_auth = fiop->f_auth;
- bcopy(&old->f_groups, &fiop->f_groups, sizeof(old->f_groups));
- bcopy(&old->f_froute, &fiop->f_froute, sizeof(old->f_froute));
- fiop->f_ticks = old->f_ticks;
- bcopy(&old->f_locks, &fiop->f_locks, sizeof(old->f_locks));
- fiop->f_defpass = old->f_defpass;
- fiop->f_active = old->f_active;
- fiop->f_running = old->f_running;
- fiop->f_logging = old->f_logging;
- fiop->f_features = old->f_features;
- bcopy(old->f_version, fiop->f_version, sizeof(old->f_version));
-}
-
-
-static void
-friostat_4_1_0_to_current(old, current)
- friostat_4_1_0_t *old;
- void *current;
-{
- friostat_t *fiop = (friostat_t *)current;
-
- bcopy(&old->of_st[0], &fiop->f_st[0].fr_pass, sizeof(old->of_st[0]));
- bcopy(&old->of_st[1], &fiop->f_st[1].fr_pass, sizeof(old->of_st[1]));
-
- fiop->f_ipf[0][0] = old->f_ipf[0][0];
- fiop->f_ipf[0][1] = old->f_ipf[0][1];
- fiop->f_ipf[1][0] = old->f_ipf[1][0];
- fiop->f_ipf[1][1] = old->f_ipf[1][1];
- fiop->f_acct[0][0] = old->f_acct[0][0];
- fiop->f_acct[0][1] = old->f_acct[0][1];
- fiop->f_acct[1][0] = old->f_acct[1][0];
- fiop->f_acct[1][1] = old->f_acct[1][1];
- fiop->f_auth = fiop->f_auth;
- bcopy(&old->f_groups, &fiop->f_groups, sizeof(old->f_groups));
- bcopy(&old->f_froute, &fiop->f_froute, sizeof(old->f_froute));
- fiop->f_ticks = old->f_ticks;
- bcopy(&old->f_locks, &fiop->f_locks, sizeof(old->f_locks));
- fiop->f_defpass = old->f_defpass;
- fiop->f_active = old->f_active;
- fiop->f_running = old->f_running;
- fiop->f_logging = old->f_logging;
- fiop->f_features = old->f_features;
- bcopy(old->f_version, fiop->f_version, sizeof(old->f_version));
-}
-
-
-static void
-ipnat_4_1_14_to_current(old, current, size)
- ipnat_4_1_14_t *old;
- void *current;
- int size;
-{
- ipnat_t *np = (ipnat_t *)current;
-
- np->in_space = old->in_space;
- np->in_hv[0] = old->in_hv;
- np->in_hv[1] = old->in_hv;
- np->in_flineno = old->in_flineno;
- if (old->in_redir == NAT_REDIRECT)
- np->in_dpnext = old->in_pnext;
- else
- np->in_spnext = old->in_pnext;
- np->in_v[0] = old->in_v;
- np->in_v[1] = old->in_v;
- np->in_flags = old->in_flags;
- np->in_mssclamp = old->in_mssclamp;
- np->in_age[0] = old->in_age[0];
- np->in_age[1] = old->in_age[1];
- np->in_redir = old->in_redir;
- np->in_pr[0] = old->in_p;
- np->in_pr[1] = old->in_p;
- if (np->in_redir == NAT_REDIRECT) {
- np->in_ndst.na_nextaddr = old->in_next6;
- np->in_ndst.na_addr[0] = old->in_in[0];
- np->in_ndst.na_addr[1] = old->in_in[1];
- np->in_ndst.na_atype = FRI_NORMAL;
- np->in_odst.na_addr[0] = old->in_out[0];
- np->in_odst.na_addr[1] = old->in_out[1];
- np->in_odst.na_atype = FRI_NORMAL;
- np->in_osrc.na_addr[0] = old->in_src[0];
- np->in_osrc.na_addr[1] = old->in_src[1];
- np->in_osrc.na_atype = FRI_NORMAL;
- } else {
- np->in_nsrc.na_nextaddr = old->in_next6;
- np->in_nsrc.na_addr[0] = old->in_out[0];
- np->in_nsrc.na_addr[1] = old->in_out[1];
- np->in_nsrc.na_atype = FRI_NORMAL;
- np->in_osrc.na_addr[0] = old->in_in[0];
- np->in_osrc.na_addr[1] = old->in_in[1];
- np->in_osrc.na_atype = FRI_NORMAL;
- np->in_odst.na_addr[0] = old->in_src[0];
- np->in_odst.na_addr[1] = old->in_src[1];
- np->in_odst.na_atype = FRI_NORMAL;
- }
- ipfv4tuctov5(&old->in_tuc, &np->in_tuc);
- if (np->in_redir == NAT_REDIRECT) {
- np->in_dpmin = old->in_port[0];
- np->in_dpmax = old->in_port[1];
- } else {
- np->in_spmin = old->in_port[0];
- np->in_spmax = old->in_port[1];
- }
- np->in_ppip = old->in_ppip;
- np->in_ippip = old->in_ippip;
- np->in_tag = old->in_tag;
-
- np->in_namelen = 0;
- np->in_plabel = -1;
- np->in_ifnames[0] = -1;
- np->in_ifnames[1] = -1;
-
- if (size == 0) {
- np->in_size = sizeof(*np);
- np->in_size += LIFNAMSIZ * 2 + APR_LABELLEN;
- np->in_size += 3;
- } else {
- int nlen = np->in_namelen;
- char *names = np->in_names;
-
- if (old->in_ifnames[0][0] != '\0') {
- np->in_ifnames[0] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->in_ifnames[0],
- LIFNAMSIZ);
- }
- if (old->in_ifnames[1][0] != '\0') {
- np->in_ifnames[0] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->in_ifnames[1],
- LIFNAMSIZ);
- }
- if (old->in_plabel[0] != '\0') {
- np->in_plabel = nlen;
- nlen = ipf_addfrstr(names, nlen, old->in_plabel,
- LIFNAMSIZ);
- }
- np->in_namelen = nlen;
- np->in_size = size;
- }
-}
-
-
-static void
-ipnat_4_1_0_to_current(old, current, size)
- ipnat_4_1_0_t *old;
- void *current;
- int size;
-{
- ipnat_t *np = (ipnat_t *)current;
-
- np->in_space = old->in_space;
- np->in_hv[0] = old->in_hv;
- np->in_hv[1] = old->in_hv;
- np->in_flineno = old->in_flineno;
- if (old->in_redir == NAT_REDIRECT)
- np->in_dpnext = old->in_pnext;
- else
- np->in_spnext = old->in_pnext;
- np->in_v[0] = old->in_v;
- np->in_v[1] = old->in_v;
- np->in_flags = old->in_flags;
- np->in_mssclamp = old->in_mssclamp;
- np->in_age[0] = old->in_age[0];
- np->in_age[1] = old->in_age[1];
- np->in_redir = old->in_redir;
- np->in_pr[0] = old->in_p;
- np->in_pr[1] = old->in_p;
- if (np->in_redir == NAT_REDIRECT) {
- np->in_ndst.na_nextaddr = old->in_next6;
- bcopy(&old->in_in, &np->in_ndst.na_addr, sizeof(old->in_in));
- bcopy(&old->in_out, &np->in_odst.na_addr, sizeof(old->in_out));
- bcopy(&old->in_src, &np->in_osrc.na_addr, sizeof(old->in_src));
- } else {
- np->in_nsrc.na_nextaddr = old->in_next6;
- bcopy(&old->in_in, &np->in_osrc.na_addr, sizeof(old->in_in));
- bcopy(&old->in_out, &np->in_nsrc.na_addr, sizeof(old->in_out));
- bcopy(&old->in_src, &np->in_odst.na_addr, sizeof(old->in_src));
- }
- ipfv4tuctov5(&old->in_tuc, &np->in_tuc);
- if (np->in_redir == NAT_REDIRECT) {
- np->in_dpmin = old->in_port[0];
- np->in_dpmax = old->in_port[1];
- } else {
- np->in_spmin = old->in_port[0];
- np->in_spmax = old->in_port[1];
- }
- np->in_ppip = old->in_ppip;
- np->in_ippip = old->in_ippip;
- bcopy(&old->in_tag, &np->in_tag, sizeof(np->in_tag));
-
- np->in_namelen = 0;
- np->in_plabel = -1;
- np->in_ifnames[0] = -1;
- np->in_ifnames[1] = -1;
-
- if (size == 0) {
- np->in_size = sizeof(*np);
- np->in_size += LIFNAMSIZ * 2 + APR_LABELLEN;
- np->in_size += 3;
- } else {
- int nlen = np->in_namelen;
- char *names = np->in_names;
-
- if (old->in_ifnames[0][0] != '\0') {
- np->in_ifnames[0] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->in_ifnames[0],
- LIFNAMSIZ);
- }
- if (old->in_ifnames[1][0] != '\0') {
- np->in_ifnames[0] = nlen;
- nlen = ipf_addfrstr(names, nlen, old->in_ifnames[1],
- LIFNAMSIZ);
- }
- if (old->in_plabel[0] != '\0') {
- np->in_plabel = nlen;
- nlen = ipf_addfrstr(names, nlen, old->in_plabel,
- LIFNAMSIZ);
- }
- np->in_namelen = nlen;
- np->in_size = size;
- }
-}
-
-
-static void
-frauth_4_1_32_to_current(old, current)
- frauth_4_1_32_t *old;
- void *current;
-{
- frauth_t *fra = (frauth_t *)current;
-
- fra->fra_age = old->fra_age;
- fra->fra_len = old->fra_len;
- fra->fra_index = old->fra_index;
- fra->fra_pass = old->fra_pass;
- fr_info_4_1_32_to_current(&old->fra_info, &fra->fra_info);
- fra->fra_buf = old->fra_buf;
- fra->fra_flx = old->fra_flx;
-#if SOLARIS
- fra->fra_q = old->fra_q;
- fra->fra_m = old->fra_m;
-#endif
-}
-
-
-static void
-frauth_4_1_29_to_current(old, current)
- frauth_4_1_29_t *old;
- void *current;
-{
- frauth_t *fra = (frauth_t *)current;
-
- fra->fra_age = old->fra_age;
- fra->fra_len = old->fra_len;
- fra->fra_index = old->fra_index;
- fra->fra_pass = old->fra_pass;
- fr_info_4_1_24_to_current(&old->fra_info, &fra->fra_info);
- fra->fra_buf = old->fra_buf;
- fra->fra_flx = old->fra_flx;
-#if SOLARIS
- fra->fra_q = old->fra_q;
- fra->fra_m = old->fra_m;
-#endif
-}
-
-
-static void
-frauth_4_1_24_to_current(old, current)
- frauth_4_1_24_t *old;
- void *current;
-{
- frauth_t *fra = (frauth_t *)current;
-
- fra->fra_age = old->fra_age;
- fra->fra_len = old->fra_len;
- fra->fra_index = old->fra_index;
- fra->fra_pass = old->fra_pass;
- fr_info_4_1_24_to_current(&old->fra_info, &fra->fra_info);
- fra->fra_buf = old->fra_buf;
-#if SOLARIS
- fra->fra_q = old->fra_q;
- fra->fra_m = old->fra_m;
-#endif
-}
-
-
-static void
-frauth_4_1_23_to_current(old, current)
- frauth_4_1_23_t *old;
- void *current;
-{
- frauth_t *fra = (frauth_t *)current;
-
- fra->fra_age = old->fra_age;
- fra->fra_len = old->fra_len;
- fra->fra_index = old->fra_index;
- fra->fra_pass = old->fra_pass;
- fr_info_4_1_23_to_current(&old->fra_info, &fra->fra_info);
- fra->fra_buf = old->fra_buf;
-#if SOLARIS
- fra->fra_q = old->fra_q;
- fra->fra_m = old->fra_m;
-#endif
-}
-
-
-static void
-frauth_4_1_11_to_current(old, current)
- frauth_4_1_11_t *old;
- void *current;
-{
- frauth_t *fra = (frauth_t *)current;
-
- fra->fra_age = old->fra_age;
- fra->fra_len = old->fra_len;
- fra->fra_index = old->fra_index;
- fra->fra_pass = old->fra_pass;
- fr_info_4_1_11_to_current(&old->fra_info, &fra->fra_info);
- fra->fra_buf = old->fra_buf;
-#if SOLARIS
- fra->fra_q = old->fra_q;
- fra->fra_m = old->fra_m;
-#endif
-}
-
-
-static void
-fr_info_4_1_32_to_current(old, current)
- fr_info_4_1_32_t *old;
- void *current;
-{
- fr_info_t *fin = (fr_info_t *)current;
-
- fin->fin_ifp = old->fin_ifp;
- ipf_v4iptov5(&old->fin_fi, &fin->fin_fi);
- bcopy(&old->fin_dat, &fin->fin_dat, sizeof(old->fin_dat));
- fin->fin_out = old->fin_out;
- fin->fin_rev = old->fin_rev;
- fin->fin_hlen = old->fin_hlen;
- fin->fin_tcpf = old->ofin_tcpf;
- fin->fin_icode = old->fin_icode;
- fin->fin_rule = old->fin_rule;
- bcopy(old->fin_group, fin->fin_group, sizeof(old->fin_group));
- fin->fin_fr = old->fin_fr;
- fin->fin_dp = old->fin_dp;
- fin->fin_dlen = old->fin_dlen;
- fin->fin_plen = old->fin_plen;
- fin->fin_ipoff = old->fin_ipoff;
- fin->fin_id = old->fin_id;
- fin->fin_off = old->fin_off;
- fin->fin_depth = old->fin_depth;
- fin->fin_error = old->fin_error;
- fin->fin_cksum = old->fin_cksum;
- fin->fin_nattag = old->fin_nattag;
- fin->fin_ip = old->ofin_ip;
- fin->fin_mp = old->fin_mp;
- fin->fin_m = old->fin_m;
-#if SOLARIS
- fin->fin_qfm = old->fin_qfm;
- fin->fin_qpi = old->fin_qpi;
-#endif
-}
-
-
-static void
-fr_info_4_1_24_to_current(old, current)
- fr_info_4_1_24_t *old;
- void *current;
-{
- fr_info_t *fin = (fr_info_t *)current;
-
- fin->fin_ifp = old->fin_ifp;
- ipf_v4iptov5(&old->fin_fi, &fin->fin_fi);
- bcopy(&old->fin_dat, &fin->fin_dat, sizeof(old->fin_dat));
- fin->fin_out = old->fin_out;
- fin->fin_rev = old->fin_rev;
- fin->fin_hlen = old->fin_hlen;
- fin->fin_tcpf = old->ofin_tcpf;
- fin->fin_icode = old->fin_icode;
- fin->fin_rule = old->fin_rule;
- bcopy(old->fin_group, fin->fin_group, sizeof(old->fin_group));
- fin->fin_fr = old->fin_fr;
- fin->fin_dp = old->fin_dp;
- fin->fin_dlen = old->fin_dlen;
- fin->fin_plen = old->fin_plen;
- fin->fin_ipoff = old->fin_ipoff;
- fin->fin_id = old->fin_id;
- fin->fin_off = old->fin_off;
- fin->fin_depth = old->fin_depth;
- fin->fin_error = old->fin_error;
- fin->fin_cksum = old->fin_cksum;
- fin->fin_nattag = old->fin_nattag;
- fin->fin_ip = old->ofin_ip;
- fin->fin_mp = old->fin_mp;
- fin->fin_m = old->fin_m;
-#if SOLARIS
- fin->fin_qfm = old->fin_qfm;
- fin->fin_qpi = old->fin_qpi;
-#endif
-}
-
-
-static void
-fr_info_4_1_23_to_current(old, current)
- fr_info_4_1_23_t *old;
- void *current;
-{
- fr_info_t *fin = (fr_info_t *)current;
-
- fin->fin_ifp = old->fin_ifp;
- ipf_v4iptov5(&old->fin_fi, &fin->fin_fi);
- bcopy(&old->fin_dat, &fin->fin_dat, sizeof(old->fin_dat));
- fin->fin_out = old->fin_out;
- fin->fin_rev = old->fin_rev;
- fin->fin_hlen = old->fin_hlen;
- fin->fin_tcpf = old->ofin_tcpf;
- fin->fin_icode = old->fin_icode;
- fin->fin_rule = old->fin_rule;
- bcopy(old->fin_group, fin->fin_group, sizeof(old->fin_group));
- fin->fin_fr = old->fin_fr;
- fin->fin_dp = old->fin_dp;
- fin->fin_dlen = old->fin_dlen;
- fin->fin_plen = old->fin_plen;
- fin->fin_ipoff = old->fin_ipoff;
- fin->fin_id = old->fin_id;
- fin->fin_off = old->fin_off;
- fin->fin_depth = old->fin_depth;
- fin->fin_error = old->fin_error;
- fin->fin_nattag = old->fin_nattag;
- fin->fin_ip = old->ofin_ip;
- fin->fin_mp = old->fin_mp;
- fin->fin_m = old->fin_m;
-#if SOLARIS
- fin->fin_qfm = old->fin_qfm;
- fin->fin_qpi = old->fin_qpi;
-#endif
-}
-
-
-static void
-fr_info_4_1_11_to_current(old, current)
- fr_info_4_1_11_t *old;
- void *current;
-{
- fr_info_t *fin = (fr_info_t *)current;
-
- fin->fin_ifp = old->fin_ifp;
- ipf_v4iptov5(&old->fin_fi, &fin->fin_fi);
- bcopy(&old->fin_dat, &fin->fin_dat, sizeof(old->fin_dat));
- fin->fin_out = old->fin_out;
- fin->fin_rev = old->fin_rev;
- fin->fin_hlen = old->fin_hlen;
- fin->fin_tcpf = old->ofin_tcpf;
- fin->fin_icode = old->fin_icode;
- fin->fin_rule = old->fin_rule;
- bcopy(old->fin_group, fin->fin_group, sizeof(old->fin_group));
- fin->fin_fr = old->fin_fr;
- fin->fin_dp = old->fin_dp;
- fin->fin_dlen = old->fin_dlen;
- fin->fin_plen = old->fin_plen;
- fin->fin_ipoff = old->fin_ipoff;
- fin->fin_id = old->fin_id;
- fin->fin_off = old->fin_off;
- fin->fin_depth = old->fin_depth;
- fin->fin_error = old->fin_error;
- fin->fin_nattag = old->fin_nattag;
- fin->fin_ip = old->ofin_ip;
- fin->fin_mp = old->fin_mp;
- fin->fin_m = old->fin_m;
-#if SOLARIS
- fin->fin_qfm = old->fin_qfm;
- fin->fin_qpi = old->fin_qpi;
-#endif
-}
-
-
-static void
-nat_4_1_3_to_current(nat_4_1_3_t *old, nat_t *current)
-{
- bzero((void *)current, sizeof(*current));
- bcopy((void *)old, (void *)current, sizeof(*old));
-}
-
-
-static void
-nat_4_1_14_to_current(nat_4_1_14_t *old, nat_t *current)
-{
- bzero((void *)current, sizeof(*current));
- bcopy((void *)old, (void *)current, sizeof(*old));
-}
-
-
-static void
-nat_save_4_1_16_to_current(softc, old, current)
- ipf_main_softc_t *softc;
- nat_save_4_1_16_t *old;
- void *current;
-{
- nat_save_t *nats = (nat_save_t *)current;
-
- nats->ipn_next = old->ipn_next;
- nat_4_1_14_to_current(&old->ipn_nat, &nats->ipn_nat);
- bcopy(&old->ipn_ipnat, &nats->ipn_ipnat, sizeof(old->ipn_ipnat));
- frentry_4_1_16_to_current(softc, &old->ipn_fr, &nats->ipn_fr, 0);
- nats->ipn_dsize = old->ipn_dsize;
- bcopy(old->ipn_data, nats->ipn_data, sizeof(nats->ipn_data));
-}
-
-
-static void
-nat_save_4_1_14_to_current(softc, old, current)
- ipf_main_softc_t *softc;
- nat_save_4_1_14_t *old;
- void *current;
-{
- nat_save_t *nats = (nat_save_t *)current;
-
- nats->ipn_next = old->ipn_next;
- nat_4_1_14_to_current(&old->ipn_nat, &nats->ipn_nat);
- bcopy(&old->ipn_ipnat, &nats->ipn_ipnat, sizeof(old->ipn_ipnat));
- frentry_4_1_0_to_current(softc, &old->ipn_fr, &nats->ipn_fr, 0);
- nats->ipn_dsize = old->ipn_dsize;
- bcopy(old->ipn_data, nats->ipn_data, sizeof(nats->ipn_data));
-}
-
-
-static void
-nat_save_4_1_3_to_current(softc, old, current)
- ipf_main_softc_t *softc;
- nat_save_4_1_3_t *old;
- void *current;
-{
- nat_save_t *nats = (nat_save_t *)current;
-
- nats->ipn_next = old->ipn_next;
- nat_4_1_3_to_current(&old->ipn_nat, &nats->ipn_nat);
- ipnat_4_1_0_to_current(&old->ipn_ipnat, &nats->ipn_ipnat, 0);
- frentry_4_1_0_to_current(softc, &old->ipn_fr, &nats->ipn_fr, 0);
- nats->ipn_dsize = old->ipn_dsize;
- bcopy(old->ipn_data, nats->ipn_data, sizeof(nats->ipn_data));
-}
-
-
-static void
-natstat_current_to_4_1_32(current, old)
- void *current;
- natstat_4_1_32_t *old;
-{
- natstat_t *ns = (natstat_t *)current;
-
- old->ns_mapped[0] = ns->ns_side[0].ns_translated;
- old->ns_mapped[1] = ns->ns_side[1].ns_translated;
- old->ns_rules = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
- old->ns_added = ns->ns_side[0].ns_added + ns->ns_side[1].ns_added;
- old->ns_expire = ns->ns_expire;
- old->ns_inuse = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
- old->ns_logged = ns->ns_log_ok;
- old->ns_logfail = ns->ns_log_fail;
- old->ns_memfail = ns->ns_side[0].ns_memfail + ns->ns_side[1].ns_memfail;
- old->ns_badnat = ns->ns_side[0].ns_badnat + ns->ns_side[1].ns_badnat;
- old->ns_addtrpnt = ns->ns_addtrpnt;
- old->ns_table[0] = ns->ns_side[0].ns_table;
- old->ns_table[1] = ns->ns_side[1].ns_table;
- old->ns_maptable = NULL;
- old->ns_list = ns->ns_list;
- old->ns_apslist = NULL;
- old->ns_wilds = ns->ns_wilds;
- old->ns_nattab_sz = ns->ns_nattab_sz;
- old->ns_nattab_max = ns->ns_nattab_max;
- old->ns_rultab_sz = ns->ns_rultab_sz;
- old->ns_rdrtab_sz = ns->ns_rdrtab_sz;
- old->ns_trpntab_sz = ns->ns_trpntab_sz;
- old->ns_hostmap_sz = 0;
- old->ns_instances = ns->ns_instances;
- old->ns_maplist = ns->ns_maplist;
- old->ns_bucketlen[0] = (u_long *)ns->ns_side[0].ns_bucketlen;
- old->ns_bucketlen[1] = (u_long *)ns->ns_side[1].ns_bucketlen;
- old->ns_ticks = ns->ns_ticks;
- old->ns_orphans = ns->ns_orphans;
- old->ns_uncreate[0][0] = ns->ns_side[0].ns_uncreate[0];
- old->ns_uncreate[0][1] = ns->ns_side[0].ns_uncreate[1];
- old->ns_uncreate[1][0] = ns->ns_side[1].ns_uncreate[0];
- old->ns_uncreate[1][1] = ns->ns_side[1].ns_uncreate[1];
-}
-
-
-static void
-natstat_current_to_4_1_27(current, old)
- void *current;
- natstat_4_1_27_t *old;
-{
- natstat_t *ns = (natstat_t *)current;
-
- old->ns_mapped[0] = ns->ns_side[0].ns_translated;
- old->ns_mapped[1] = ns->ns_side[1].ns_translated;
- old->ns_rules = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
- old->ns_added = ns->ns_side[0].ns_added + ns->ns_side[1].ns_added;
- old->ns_expire = ns->ns_expire;
- old->ns_inuse = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
- old->ns_logged = ns->ns_log_ok;
- old->ns_logfail = ns->ns_log_fail;
- old->ns_memfail = ns->ns_side[0].ns_memfail + ns->ns_side[1].ns_memfail;
- old->ns_badnat = ns->ns_side[0].ns_badnat + ns->ns_side[1].ns_badnat;
- old->ns_addtrpnt = ns->ns_addtrpnt;
- old->ns_table[0] = ns->ns_side[0].ns_table;
- old->ns_table[1] = ns->ns_side[1].ns_table;
- old->ns_maptable = NULL;
- old->ns_list = ns->ns_list;
- old->ns_apslist = NULL;
- old->ns_wilds = ns->ns_wilds;
- old->ns_nattab_sz = ns->ns_nattab_sz;
- old->ns_nattab_max = ns->ns_nattab_max;
- old->ns_rultab_sz = ns->ns_rultab_sz;
- old->ns_rdrtab_sz = ns->ns_rdrtab_sz;
- old->ns_trpntab_sz = ns->ns_trpntab_sz;
- old->ns_hostmap_sz = 0;
- old->ns_instances = ns->ns_instances;
- old->ns_maplist = ns->ns_maplist;
- old->ns_bucketlen[0] = (u_long *)ns->ns_side[0].ns_bucketlen;
- old->ns_bucketlen[1] = (u_long *)ns->ns_side[1].ns_bucketlen;
- old->ns_ticks = ns->ns_ticks;
- old->ns_orphans = ns->ns_orphans;
-}
-
-
-static void
-natstat_current_to_4_1_16(current, old)
- void *current;
- natstat_4_1_16_t *old;
-{
- natstat_t *ns = (natstat_t *)current;
-
- old->ns_mapped[0] = ns->ns_side[0].ns_translated;
- old->ns_mapped[1] = ns->ns_side[1].ns_translated;
- old->ns_rules = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
- old->ns_added = ns->ns_side[0].ns_added + ns->ns_side[1].ns_added;
- old->ns_expire = ns->ns_expire;
- old->ns_inuse = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
- old->ns_logged = ns->ns_log_ok;
- old->ns_logfail = ns->ns_log_fail;
- old->ns_memfail = ns->ns_side[0].ns_memfail + ns->ns_side[1].ns_memfail;
- old->ns_badnat = ns->ns_side[0].ns_badnat + ns->ns_side[1].ns_badnat;
- old->ns_addtrpnt = ns->ns_addtrpnt;
- old->ns_table[0] = ns->ns_side[0].ns_table;
- old->ns_table[1] = ns->ns_side[1].ns_table;
- old->ns_maptable = NULL;
- old->ns_list = ns->ns_list;
- old->ns_apslist = NULL;
- old->ns_wilds = ns->ns_wilds;
- old->ns_nattab_sz = ns->ns_nattab_sz;
- old->ns_nattab_max = ns->ns_nattab_max;
- old->ns_rultab_sz = ns->ns_rultab_sz;
- old->ns_rdrtab_sz = ns->ns_rdrtab_sz;
- old->ns_trpntab_sz = ns->ns_trpntab_sz;
- old->ns_hostmap_sz = 0;
- old->ns_instances = ns->ns_instances;
- old->ns_maplist = ns->ns_maplist;
- old->ns_bucketlen[0] = (u_long *)ns->ns_side[0].ns_bucketlen;
- old->ns_bucketlen[1] = (u_long *)ns->ns_side[1].ns_bucketlen;
- old->ns_ticks = ns->ns_ticks;
-}
-
-
-static void
-natstat_current_to_4_1_0(current, old)
- void *current;
- natstat_4_1_0_t *old;
-{
- natstat_t *ns = (natstat_t *)current;
-
- old->ns_mapped[0] = ns->ns_side[0].ns_translated;
- old->ns_mapped[1] = ns->ns_side[1].ns_translated;
- old->ns_rules = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
- old->ns_added = ns->ns_side[0].ns_added + ns->ns_side[1].ns_added;
- old->ns_expire = ns->ns_expire;
- old->ns_inuse = ns->ns_side[0].ns_inuse + ns->ns_side[1].ns_inuse;
- old->ns_logged = ns->ns_log_ok;
- old->ns_logfail = ns->ns_log_fail;
- old->ns_memfail = ns->ns_side[0].ns_memfail + ns->ns_side[1].ns_memfail;
- old->ns_badnat = ns->ns_side[0].ns_badnat + ns->ns_side[1].ns_badnat;
- old->ns_addtrpnt = ns->ns_addtrpnt;
- old->ns_table[0] = ns->ns_side[0].ns_table;
- old->ns_table[1] = ns->ns_side[1].ns_table;
- old->ns_maptable = NULL;
- old->ns_list = ns->ns_list;
- old->ns_apslist = NULL;
- old->ns_wilds = ns->ns_wilds;
- old->ns_nattab_sz = ns->ns_nattab_sz;
- old->ns_nattab_max = ns->ns_nattab_max;
- old->ns_rultab_sz = ns->ns_rultab_sz;
- old->ns_rdrtab_sz = ns->ns_rdrtab_sz;
- old->ns_trpntab_sz = ns->ns_trpntab_sz;
- old->ns_hostmap_sz = 0;
- old->ns_instances = ns->ns_instances;
- old->ns_maplist = ns->ns_maplist;
- old->ns_bucketlen[0] = (u_long *)ns->ns_side[0].ns_bucketlen;
- old->ns_bucketlen[1] = (u_long *)ns->ns_side[1].ns_bucketlen;
-}
-
-
-static void
-ipstate_save_current_to_4_1_16(current, old)
- void *current;
- ipstate_save_4_1_16_t *old;
-{
- ipstate_save_t *ips = (ipstate_save_t *)current;
-
- old->ips_next = ips->ips_next;
- ipstate_current_to_4_1_0(&ips->ips_is, &old->ips_is);
- frentry_current_to_4_1_16(&ips->ips_fr, &old->ips_fr);
-}
-
-
-static void
-ipstate_save_current_to_4_1_0(current, old)
- void *current;
- ipstate_save_4_1_0_t *old;
-{
- ipstate_save_t *ips = (ipstate_save_t *)current;
-
- old->ips_next = ips->ips_next;
- ipstate_current_to_4_1_0(&ips->ips_is, &old->ips_is);
- frentry_current_to_4_1_0(&ips->ips_fr, &old->ips_fr);
-}
-
-
-int
-ipf_out_compat(softc, obj, ptr)
- ipf_main_softc_t *softc;
- ipfobj_t *obj;
- void *ptr;
-{
- frentry_t *fr;
- int error;
-
- IPFERROR(140042);
- error = EINVAL;
-
- switch (obj->ipfo_type)
- {
- default :
- break;
-
- case IPFOBJ_FRENTRY :
- if (obj->ipfo_rev >= 4013400) {
- frentry_4_1_34_t *old;
-
- KMALLOC(old, frentry_4_1_34_t *);
- if (old == NULL) {
- IPFERROR(140043);
- error = ENOMEM;
- break;
- }
- frentry_current_to_4_1_34(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error == 0 && old->fr_dsize > 0) {
- char *dst = obj->ipfo_ptr;
-
- fr = ptr;
- dst += sizeof(*old);
- error = COPYOUT(fr->fr_data, dst,
- old->fr_dsize);
- if (error != 0) {
- IPFERROR(140044);
- }
- }
- KFREE(old);
- obj->ipfo_size = sizeof(*old);
- } else if (obj->ipfo_rev >= 4011600) {
- frentry_4_1_16_t *old;
-
- KMALLOC(old, frentry_4_1_16_t *);
- if (old == NULL) {
- IPFERROR(140045);
- error = ENOMEM;
- break;
- }
- frentry_current_to_4_1_16(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140046);
- }
- KFREE(old);
- obj->ipfo_size = sizeof(*old);
- } else {
- frentry_4_1_0_t *old;
-
- KMALLOC(old, frentry_4_1_0_t *);
- if (old == NULL) {
- IPFERROR(140047);
- error = ENOMEM;
- break;
- }
- frentry_current_to_4_1_0(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140048);
- }
- KFREE(old);
- obj->ipfo_size = sizeof(*old);
- }
- break;
-
- case IPFOBJ_IPFSTAT :
- if (obj->ipfo_rev >= 4013300) {
- friostat_4_1_33_t *old;
-
- KMALLOC(old, friostat_4_1_33_t *);
- if (old == NULL) {
- IPFERROR(140049);
- error = ENOMEM;
- break;
- }
- friostat_current_to_4_1_33(ptr, old, obj->ipfo_rev);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140050);
- }
- KFREE(old);
- } else {
- friostat_4_1_0_t *old;
-
- KMALLOC(old, friostat_4_1_0_t *);
- if (old == NULL) {
- IPFERROR(140051);
- error = ENOMEM;
- break;
- }
- friostat_current_to_4_1_0(ptr, old, obj->ipfo_rev);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140052);
- }
- KFREE(old);
- }
- break;
-
- case IPFOBJ_IPFINFO : /* unused */
- break;
-
- case IPFOBJ_IPNAT :
- if (obj->ipfo_rev >= 4011400) {
- ipnat_4_1_14_t *old;
-
- KMALLOC(old, ipnat_4_1_14_t *);
- if (old == NULL) {
- IPFERROR(140053);
- error = ENOMEM;
- break;
- }
- ipnat_current_to_4_1_14(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140054);
- }
- KFREE(old);
- } else {
- ipnat_4_1_0_t *old;
-
- KMALLOC(old, ipnat_4_1_0_t *);
- if (old == NULL) {
- IPFERROR(140055);
- error = ENOMEM;
- break;
- }
- ipnat_current_to_4_1_0(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140056);
- }
- KFREE(old);
- }
- break;
-
- case IPFOBJ_NATSTAT :
- if (obj->ipfo_rev >= 4013200) {
- natstat_4_1_32_t *old;
-
- KMALLOC(old, natstat_4_1_32_t *);
- if (old == NULL) {
- IPFERROR(140057);
- error = ENOMEM;
- break;
- }
- natstat_current_to_4_1_32(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140058);
- }
- KFREE(old);
- } else if (obj->ipfo_rev >= 4012700) {
- natstat_4_1_27_t *old;
-
- KMALLOC(old, natstat_4_1_27_t *);
- if (old == NULL) {
- IPFERROR(140059);
- error = ENOMEM;
- break;
- }
- natstat_current_to_4_1_27(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140060);
- }
- KFREE(old);
- } else if (obj->ipfo_rev >= 4011600) {
- natstat_4_1_16_t *old;
-
- KMALLOC(old, natstat_4_1_16_t *);
- if (old == NULL) {
- IPFERROR(140061);
- error = ENOMEM;
- break;
- }
- natstat_current_to_4_1_16(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140062);
- }
- KFREE(old);
- } else {
- natstat_4_1_0_t *old;
-
- KMALLOC(old, natstat_4_1_0_t *);
- if (old == NULL) {
- IPFERROR(140063);
- error = ENOMEM;
- break;
- }
- natstat_current_to_4_1_0(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140064);
- }
- KFREE(old);
- }
- break;
-
- case IPFOBJ_STATESAVE :
- if (obj->ipfo_rev >= 4011600) {
- ipstate_save_4_1_16_t *old;
-
- KMALLOC(old, ipstate_save_4_1_16_t *);
- if (old == NULL) {
- IPFERROR(140065);
- error = ENOMEM;
- break;
- }
- ipstate_save_current_to_4_1_16(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140066);
- }
- KFREE(old);
- } else {
- ipstate_save_4_1_0_t *old;
-
- KMALLOC(old, ipstate_save_4_1_0_t *);
- if (old == NULL) {
- IPFERROR(140067);
- error = ENOMEM;
- break;
- }
- ipstate_save_current_to_4_1_0(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140068);
- }
- KFREE(old);
- }
- break;
-
- case IPFOBJ_NATSAVE :
- if (obj->ipfo_rev >= 4011600) {
- nat_save_4_1_16_t *old16;
-
- KMALLOC(old16, nat_save_4_1_16_t *);
- if (old16 == NULL) {
- IPFERROR(140069);
- error = ENOMEM;
- break;
- }
- nat_save_current_to_4_1_16(ptr, old16);
- error = COPYOUT(&old16, obj->ipfo_ptr, sizeof(*old16));
- if (error != 0) {
- IPFERROR(140070);
- }
- KFREE(old16);
- } else if (obj->ipfo_rev >= 4011400) {
- nat_save_4_1_14_t *old14;
-
- KMALLOC(old14, nat_save_4_1_14_t *);
- if (old14 == NULL) {
- IPFERROR(140071);
- error = ENOMEM;
- break;
- }
- nat_save_current_to_4_1_14(ptr, old14);
- error = COPYOUT(&old14, obj->ipfo_ptr, sizeof(*old14));
- if (error != 0) {
- IPFERROR(140072);
- }
- KFREE(old14);
- } else if (obj->ipfo_rev >= 4010300) {
- nat_save_4_1_3_t *old3;
-
- KMALLOC(old3, nat_save_4_1_3_t *);
- if (old3 == NULL) {
- IPFERROR(140073);
- error = ENOMEM;
- break;
- }
- nat_save_current_to_4_1_3(ptr, old3);
- error = COPYOUT(&old3, obj->ipfo_ptr, sizeof(*old3));
- if (error != 0) {
- IPFERROR(140074);
- }
- KFREE(old3);
- }
- break;
-
- case IPFOBJ_IPSTATE :
- if (obj->ipfo_rev >= 4011600) {
- ipstate_4_1_16_t *old;
-
- KMALLOC(old, ipstate_4_1_16_t *);
- if (old == NULL) {
- IPFERROR(140075);
- error = ENOMEM;
- break;
- }
- ipstate_current_to_4_1_16(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140076);
- }
- KFREE(old);
- } else {
- ipstate_4_1_0_t *old;
-
- KMALLOC(old, ipstate_4_1_0_t *);
- if (old == NULL) {
- IPFERROR(140077);
- error = ENOMEM;
- break;
- }
- ipstate_current_to_4_1_0(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140078);
- }
- KFREE(old);
- }
- break;
-
- case IPFOBJ_STATESTAT :
- if (obj->ipfo_rev >= 4012100) {
- ips_stat_4_1_21_t *old;
-
- KMALLOC(old, ips_stat_4_1_21_t *);
- if (old == NULL) {
- IPFERROR(140079);
- error = ENOMEM;
- break;
- }
- ips_stat_current_to_4_1_21(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140080);
- }
- KFREE(old);
- } else {
- ips_stat_4_1_0_t *old;
-
- KMALLOC(old, ips_stat_4_1_0_t *);
- if (old == NULL) {
- IPFERROR(140081);
- error = ENOMEM;
- break;
- }
- ips_stat_current_to_4_1_0(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140082);
- }
- KFREE(old);
- }
- break;
-
- case IPFOBJ_FRAUTH :
- if (obj->ipfo_rev >= 4012900) {
- frauth_4_1_29_t *old29;
-
- KMALLOC(old29, frauth_4_1_29_t *);
- if (old29 == NULL) {
- IPFERROR(140083);
- error = ENOMEM;
- break;
- }
- frauth_current_to_4_1_29(ptr, old29);
- error = COPYOUT(old29, obj->ipfo_ptr, sizeof(*old29));
- if (error != 0) {
- IPFERROR(140084);
- }
- KFREE(old29);
- } else if (obj->ipfo_rev >= 4012400) {
- frauth_4_1_24_t *old24;
-
- KMALLOC(old24, frauth_4_1_24_t *);
- if (old24 == NULL) {
- IPFERROR(140085);
- error = ENOMEM;
- break;
- }
- frauth_current_to_4_1_24(ptr, old24);
- error = COPYOUT(old24, obj->ipfo_ptr, sizeof(*old24));
- if (error != 0) {
- IPFERROR(140086);
- }
- KFREE(old24);
- } else if (obj->ipfo_rev >= 4012300) {
- frauth_4_1_23_t *old23;
-
- KMALLOC(old23, frauth_4_1_23_t *);
- if (old23 == NULL) {
- IPFERROR(140087);
- error = ENOMEM;
- break;
- }
- frauth_current_to_4_1_23(ptr, old23);
- error = COPYOUT(old23, obj->ipfo_ptr, sizeof(*old23));
- if (error != 0) {
- IPFERROR(140088);
- }
- KFREE(old23);
- } else if (obj->ipfo_rev >= 4011100) {
- frauth_4_1_11_t *old11;
-
- KMALLOC(old11, frauth_4_1_11_t *);
- if (old11 == NULL) {
- IPFERROR(140089);
- error = ENOMEM;
- break;
- }
- frauth_current_to_4_1_11(ptr, old11);
- error = COPYOUT(old11, obj->ipfo_ptr, sizeof(*old11));
- if (error != 0) {
- IPFERROR(140090);
- }
- KFREE(old11);
- }
- break;
-
- case IPFOBJ_NAT :
- if (obj->ipfo_rev >= 4012500) {
- nat_4_1_25_t *old;
-
- KMALLOC(old, nat_4_1_25_t *);
- if (old == NULL) {
- IPFERROR(140091);
- error = ENOMEM;
- break;
- }
- nat_current_to_4_1_25(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140092);
- }
- KFREE(old);
- } else if (obj->ipfo_rev >= 4011400) {
- nat_4_1_14_t *old;
-
- KMALLOC(old, nat_4_1_14_t *);
- if (old == NULL) {
- IPFERROR(140093);
- error = ENOMEM;
- break;
- }
- nat_current_to_4_1_14(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140094);
- }
- KFREE(old);
- } else if (obj->ipfo_rev >= 4010300) {
- nat_4_1_3_t *old;
-
- KMALLOC(old, nat_4_1_3_t *);
- if (old == NULL) {
- IPFERROR(140095);
- error = ENOMEM;
- break;
- }
- nat_current_to_4_1_3(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140096);
- }
- KFREE(old);
- }
- break;
-
- case IPFOBJ_FRIPF :
- if (obj->ipfo_rev < 5000000) {
- fripf4_t *old;
-
- KMALLOC(old, fripf4_t *);
- if (old == NULL) {
- IPFERROR(140097);
- error = ENOMEM;
- break;
- }
- ipf_v5fripftov4(ptr, old);
- error = COPYOUT(old, obj->ipfo_ptr, sizeof(*old));
- if (error != 0) {
- IPFERROR(140098);
- }
- KFREE(old);
- }
- break;
- }
- return error;
-}
-
-
-static void
-friostat_current_to_4_1_33(current, old, rev)
- void *current;
- friostat_4_1_33_t *old;
- int rev;
-{
- friostat_t *fiop = (friostat_t *)current;
-
- bcopy(&fiop->f_st[0].fr_pass, &old->of_st[0], sizeof(old->of_st[0]));
- bcopy(&fiop->f_st[1].fr_pass, &old->of_st[1], sizeof(old->of_st[1]));
-
- old->f_ipf[0][0] = fiop->f_ipf[0][0];
- old->f_ipf[0][1] = fiop->f_ipf[0][1];
- old->f_ipf[1][0] = fiop->f_ipf[1][0];
- old->f_ipf[1][1] = fiop->f_ipf[1][1];
- old->f_acct[0][0] = fiop->f_acct[0][0];
- old->f_acct[0][1] = fiop->f_acct[0][1];
- old->f_acct[1][0] = fiop->f_acct[1][0];
- old->f_acct[1][1] =
fiop->f_acct[1][1]; - old->f_ipf6[0][0] = NULL; - old->f_ipf6[0][1] = NULL; - old->f_ipf6[1][0] = NULL; - old->f_ipf6[1][1] = NULL; - old->f_acct6[0][0] = NULL; - old->f_acct6[0][1] = NULL; - old->f_acct6[1][0] = NULL; - old->f_acct6[1][1] = NULL; - old->f_auth = fiop->f_auth; - bcopy(&fiop->f_groups, &old->f_groups, sizeof(old->f_groups)); - bcopy(&fiop->f_froute, &old->f_froute, sizeof(old->f_froute)); - old->f_ticks = fiop->f_ticks; - bcopy(&fiop->f_locks, &old->f_locks, sizeof(old->f_locks)); - old->f_kmutex_sz = 0; - old->f_krwlock_sz = 0; - old->f_defpass = fiop->f_defpass; - old->f_active = fiop->f_active; - old->f_running = fiop->f_running; - old->f_logging = fiop->f_logging; - old->f_features = fiop->f_features; - sprintf(old->f_version, "IP Filter: v%d.%d.%d", - (rev / 1000000) % 100, - (rev / 10000) % 100, - (rev / 100) % 100); -} - - -static void -friostat_current_to_4_1_0(current, old, rev) - void *current; - friostat_4_1_0_t *old; - int rev; -{ - friostat_t *fiop = (friostat_t *)current; - - bcopy(&fiop->f_st[0].fr_pass, &old->of_st[0], sizeof(old->of_st[0])); - bcopy(&fiop->f_st[1].fr_pass, &old->of_st[1], sizeof(old->of_st[1])); - - old->f_ipf[0][0] = fiop->f_ipf[0][0]; - old->f_ipf[0][1] = fiop->f_ipf[0][1]; - old->f_ipf[1][0] = fiop->f_ipf[1][0]; - old->f_ipf[1][1] = fiop->f_ipf[1][1]; - old->f_acct[0][0] = fiop->f_acct[0][0]; - old->f_acct[0][1] = fiop->f_acct[0][1]; - old->f_acct[1][0] = fiop->f_acct[1][0]; - old->f_acct[1][1] = fiop->f_acct[1][1]; - old->f_ipf6[0][0] = NULL; - old->f_ipf6[0][1] = NULL; - old->f_ipf6[1][0] = NULL; - old->f_ipf6[1][1] = NULL; - old->f_acct6[0][0] = NULL; - old->f_acct6[0][1] = NULL; - old->f_acct6[1][0] = NULL; - old->f_acct6[1][1] = NULL; - old->f_auth = fiop->f_auth; - bcopy(&fiop->f_groups, &old->f_groups, sizeof(old->f_groups)); - bcopy(&fiop->f_froute, &old->f_froute, sizeof(old->f_froute)); - old->f_ticks = fiop->f_ticks; - old->f_ipf[0][0] = fiop->f_ipf[0][0]; - old->f_ipf[0][1] = fiop->f_ipf[0][1]; - 
old->f_ipf[1][0] = fiop->f_ipf[1][0]; - old->f_ipf[1][1] = fiop->f_ipf[1][1]; - old->f_acct[0][0] = fiop->f_acct[0][0]; - old->f_acct[0][1] = fiop->f_acct[0][1]; - old->f_acct[1][0] = fiop->f_acct[1][0]; - old->f_acct[1][1] = fiop->f_acct[1][1]; - old->f_ipf6[0][0] = NULL; - old->f_ipf6[0][1] = NULL; - old->f_ipf6[1][0] = NULL; - old->f_ipf6[1][1] = NULL; - old->f_acct6[0][0] = NULL; - old->f_acct6[0][1] = NULL; - old->f_acct6[1][0] = NULL; - old->f_acct6[1][1] = NULL; - old->f_auth = fiop->f_auth; - bcopy(&fiop->f_groups, &old->f_groups, sizeof(old->f_groups)); - bcopy(&fiop->f_froute, &old->f_froute, sizeof(old->f_froute)); - old->f_ticks = fiop->f_ticks; - bcopy(&fiop->f_locks, &old->f_locks, sizeof(old->f_locks)); - old->f_kmutex_sz = 0; - old->f_krwlock_sz = 0; - old->f_defpass = fiop->f_defpass; - old->f_active = fiop->f_active; - old->f_running = fiop->f_running; - old->f_logging = fiop->f_logging; - old->f_features = fiop->f_features; - sprintf(old->f_version, "IP Filter: v%d.%d.%d", - (rev / 1000000) % 100, - (rev / 10000) % 100, - (rev / 100) % 100); -} - - -/* - * nflags is v5 flags, returns v4 flags. 
- */
-static int
-fr_frflags5to4(nflags)
- u_32_t nflags;
-{
- u_32_t oflags = 0;
-
- switch (nflags & FR_CMDMASK) {
- case FR_CALL :
- oflags = 0x0;
- break;
- case FR_BLOCK :
- oflags = 0x1;
- break;
- case FR_PASS :
- oflags = 0x2;
- break;
- case FR_AUTH :
- oflags = 0x3;
- break;
- case FR_PREAUTH :
- oflags = 0x4;
- break;
- case FR_ACCOUNT :
- oflags = 0x5;
- break;
- case FR_SKIP :
- oflags = 0x6;
- break;
- default :
- break;
- }
-
- if (nflags & FR_LOG)
- oflags |= 0x00010;
- if (nflags & FR_CALLNOW)
- oflags |= 0x00020;
- if (nflags & FR_NOTSRCIP)
- oflags |= 0x00080;
- if (nflags & FR_NOTDSTIP)
- oflags |= 0x00040;
- if (nflags & FR_QUICK)
- oflags |= 0x00100;
- if (nflags & FR_KEEPFRAG)
- oflags |= 0x00200;
- if (nflags & FR_KEEPSTATE)
- oflags |= 0x00400;
- if (nflags & FR_FASTROUTE)
- oflags |= 0x00800;
- if (nflags & FR_RETRST)
- oflags |= 0x01000;
- if (nflags & FR_RETICMP)
- oflags |= 0x02000;
- if (nflags & FR_FAKEICMP)
- oflags |= 0x03000;
- if (nflags & FR_OUTQUE)
- oflags |= 0x04000;
- if (nflags & FR_INQUE)
- oflags |= 0x08000;
- if (nflags & FR_LOGBODY)
- oflags |= 0x10000;
- if (nflags & FR_LOGFIRST)
- oflags |= 0x20000;
- if (nflags & FR_LOGORBLOCK)
- oflags |= 0x40000;
- if (nflags & FR_FRSTRICT)
- oflags |= 0x100000;
- if (nflags & FR_STSTRICT)
- oflags |= 0x200000;
- if (nflags & FR_NEWISN)
- oflags |= 0x400000;
- if (nflags & FR_NOICMPERR)
- oflags |= 0x800000;
- if (nflags & FR_STATESYNC)
- oflags |= 0x1000000;
- if (nflags & FR_NOMATCH)
- oflags |= 0x8000000;
- if (nflags & FR_COPIED)
- oflags |= 0x40000000;
- if (nflags & FR_INACTIVE)
- oflags |= 0x80000000;
-
- return oflags;
-}
-
-
-static void
-frentry_current_to_4_1_34(current, old)
- void *current;
- frentry_4_1_34_t *old;
-{
- frentry_t *fr = (frentry_t *)current;
-
- old->fr_lock = fr->fr_lock;
- old->fr_next = fr->fr_next;
- old->fr_grp = (void *)fr->fr_grp;
- old->fr_isc = fr->fr_isc;
- old->fr_ifas[0] = fr->fr_ifas[0];
- old->fr_ifas[1] = fr->fr_ifas[1];
- old->fr_ifas[2]
= fr->fr_ifas[2]; - old->fr_ifas[3] = fr->fr_ifas[3]; - old->fr_ptr = fr->fr_ptr; - old->fr_comment = NULL; - old->fr_ref = fr->fr_ref; - old->fr_statecnt = fr->fr_statecnt; - old->fr_hits = fr->fr_hits; - old->fr_bytes = fr->fr_bytes; - old->fr_lastpkt.tv_sec = fr->fr_lastpkt.tv_sec; - old->fr_lastpkt.tv_usec = fr->fr_lastpkt.tv_usec; - old->fr_curpps = fr->fr_curpps; - old->fr_dun.fru_data = fr->fr_dun.fru_data; - old->fr_func = fr->fr_func; - old->fr_dsize = fr->fr_dsize; - old->fr_pps = fr->fr_pps; - old->fr_statemax = fr->fr_statemax; - old->fr_flineno = fr->fr_flineno; - old->fr_type = fr->fr_type; - old->fr_flags = fr_frflags5to4(fr->fr_flags); - old->fr_logtag = fr->fr_logtag; - old->fr_collect = fr->fr_collect; - old->fr_arg = fr->fr_arg; - old->fr_loglevel = fr->fr_loglevel; - old->fr_age[0] = fr->fr_age[0]; - old->fr_age[1] = fr->fr_age[1]; - if (fr->fr_family == AF_INET) - old->fr_v = 4; - if (fr->fr_family == AF_INET6) - old->fr_v = 6; - old->fr_icode = fr->fr_icode; - old->fr_cksum = fr->fr_cksum; - old->fr_tifs[0].ofd_ip6 = fr->fr_tifs[0].fd_ip6; - old->fr_tifs[1].ofd_ip6 = fr->fr_tifs[0].fd_ip6; - old->fr_dif.ofd_ip6 = fr->fr_dif.fd_ip6; - if (fr->fr_ifnames[0] >= 0) { - strncpy(old->fr_ifnames[0], fr->fr_names + fr->fr_ifnames[0], - LIFNAMSIZ); - old->fr_ifnames[0][LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_ifnames[1] >= 0) { - strncpy(old->fr_ifnames[1], fr->fr_names + fr->fr_ifnames[1], - LIFNAMSIZ); - old->fr_ifnames[1][LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_ifnames[2] >= 0) { - strncpy(old->fr_ifnames[2], fr->fr_names + fr->fr_ifnames[2], - LIFNAMSIZ); - old->fr_ifnames[2][LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_ifnames[3] >= 0) { - strncpy(old->fr_ifnames[3], fr->fr_names + fr->fr_ifnames[3], - LIFNAMSIZ); - old->fr_ifnames[3][LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_tifs[0].fd_name >= 0) { - strncpy(old->fr_tifs[0].fd_ifname, - fr->fr_names + fr->fr_tifs[0].fd_name, LIFNAMSIZ); - old->fr_tifs[0].fd_ifname[LIFNAMSIZ - 1] = '\0'; - } - if 
(fr->fr_tifs[1].fd_name >= 0) { - strncpy(old->fr_tifs[1].fd_ifname, - fr->fr_names + fr->fr_tifs[1].fd_name, LIFNAMSIZ); - old->fr_tifs[1].fd_ifname[LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_dif.fd_name >= 0) { - strncpy(old->fr_dif.fd_ifname, - fr->fr_names + fr->fr_dif.fd_name, LIFNAMSIZ); - old->fr_dif.fd_ifname[LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_group >= 0) { - strncpy(old->fr_group, fr->fr_names + fr->fr_group, - FR_GROUPLEN); - old->fr_group[FR_GROUPLEN - 1] = '\0'; - } - if (fr->fr_grhead >= 0) { - strncpy(old->fr_grhead, fr->fr_names + fr->fr_grhead, - FR_GROUPLEN); - old->fr_grhead[FR_GROUPLEN - 1] = '\0'; - } -} - - -static void -frentry_current_to_4_1_16(current, old) - void *current; - frentry_4_1_16_t *old; -{ - frentry_t *fr = (frentry_t *)current; - - old->fr_lock = fr->fr_lock; - old->fr_next = fr->fr_next; - old->fr_grp = (void *)fr->fr_grp; - old->fr_isc = fr->fr_isc; - old->fr_ifas[0] = fr->fr_ifas[0]; - old->fr_ifas[1] = fr->fr_ifas[1]; - old->fr_ifas[2] = fr->fr_ifas[2]; - old->fr_ifas[3] = fr->fr_ifas[3]; - old->fr_ptr = fr->fr_ptr; - old->fr_comment = NULL; - old->fr_ref = fr->fr_ref; - old->fr_statecnt = fr->fr_statecnt; - old->fr_hits = fr->fr_hits; - old->fr_bytes = fr->fr_bytes; - old->fr_lastpkt.tv_sec = fr->fr_lastpkt.tv_sec; - old->fr_lastpkt.tv_usec = fr->fr_lastpkt.tv_usec; - old->fr_curpps = fr->fr_curpps; - old->fr_dun.fru_data = fr->fr_dun.fru_data; - old->fr_func = fr->fr_func; - old->fr_dsize = fr->fr_dsize; - old->fr_pps = fr->fr_pps; - old->fr_statemax = fr->fr_statemax; - old->fr_flineno = fr->fr_flineno; - old->fr_type = fr->fr_type; - old->fr_flags = fr_frflags5to4(fr->fr_flags); - old->fr_logtag = fr->fr_logtag; - old->fr_collect = fr->fr_collect; - old->fr_arg = fr->fr_arg; - old->fr_loglevel = fr->fr_loglevel; - old->fr_age[0] = fr->fr_age[0]; - old->fr_age[1] = fr->fr_age[1]; - if (old->fr_v == 4) - fr->fr_family = AF_INET; - if (old->fr_v == 6) - fr->fr_family = AF_INET6; - old->fr_icode = fr->fr_icode; - 
old->fr_cksum = fr->fr_cksum; - old->fr_tifs[0].ofd_ip6 = fr->fr_tifs[0].fd_ip6; - old->fr_tifs[1].ofd_ip6 = fr->fr_tifs[0].fd_ip6; - old->fr_dif.ofd_ip6 = fr->fr_dif.fd_ip6; - if (fr->fr_ifnames[0] >= 0) { - strncpy(old->fr_ifnames[0], fr->fr_names + fr->fr_ifnames[0], - LIFNAMSIZ); - old->fr_ifnames[0][LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_ifnames[1] >= 0) { - strncpy(old->fr_ifnames[1], fr->fr_names + fr->fr_ifnames[1], - LIFNAMSIZ); - old->fr_ifnames[1][LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_ifnames[2] >= 0) { - strncpy(old->fr_ifnames[2], fr->fr_names + fr->fr_ifnames[2], - LIFNAMSIZ); - old->fr_ifnames[2][LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_ifnames[3] >= 0) { - strncpy(old->fr_ifnames[3], fr->fr_names + fr->fr_ifnames[3], - LIFNAMSIZ); - old->fr_ifnames[3][LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_tifs[0].fd_name >= 0) { - strncpy(old->fr_tifs[0].fd_ifname, - fr->fr_names + fr->fr_tifs[0].fd_name, LIFNAMSIZ); - old->fr_tifs[0].fd_ifname[LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_tifs[1].fd_name >= 0) { - strncpy(old->fr_tifs[1].fd_ifname, - fr->fr_names + fr->fr_tifs[1].fd_name, LIFNAMSIZ); - old->fr_tifs[1].fd_ifname[LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_dif.fd_name >= 0) { - strncpy(old->fr_dif.fd_ifname, - fr->fr_names + fr->fr_dif.fd_name, LIFNAMSIZ); - old->fr_dif.fd_ifname[LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_group >= 0) { - strncpy(old->fr_group, fr->fr_names + fr->fr_group, - FR_GROUPLEN); - old->fr_group[FR_GROUPLEN - 1] = '\0'; - } - if (fr->fr_grhead >= 0) { - strncpy(old->fr_grhead, fr->fr_names + fr->fr_grhead, - FR_GROUPLEN); - old->fr_grhead[FR_GROUPLEN - 1] = '\0'; - } -} - - -static void -frentry_current_to_4_1_0(current, old) - void *current; - frentry_4_1_0_t *old; -{ - frentry_t *fr = (frentry_t *)current; - - old->fr_lock = fr->fr_lock; - old->fr_next = fr->fr_next; - old->fr_grp = (void *)fr->fr_grp; - old->fr_isc = fr->fr_isc; - old->fr_ifas[0] = fr->fr_ifas[0]; - old->fr_ifas[1] = fr->fr_ifas[1]; - old->fr_ifas[2] = 
fr->fr_ifas[2]; - old->fr_ifas[3] = fr->fr_ifas[3]; - old->fr_ptr = fr->fr_ptr; - old->fr_comment = NULL; - old->fr_ref = fr->fr_ref; - old->fr_statecnt = fr->fr_statecnt; - old->fr_hits = fr->fr_hits; - old->fr_bytes = fr->fr_bytes; - old->fr_lastpkt.tv_sec = fr->fr_lastpkt.tv_sec; - old->fr_lastpkt.tv_usec = fr->fr_lastpkt.tv_usec; - old->fr_curpps = fr->fr_curpps; - old->fr_dun.fru_data = fr->fr_dun.fru_data; - old->fr_func = fr->fr_func; - old->fr_dsize = fr->fr_dsize; - old->fr_pps = fr->fr_pps; - old->fr_statemax = fr->fr_statemax; - old->fr_flineno = fr->fr_flineno; - old->fr_type = fr->fr_type; - old->fr_flags = fr_frflags5to4(fr->fr_flags); - old->fr_logtag = fr->fr_logtag; - old->fr_collect = fr->fr_collect; - old->fr_arg = fr->fr_arg; - old->fr_loglevel = fr->fr_loglevel; - old->fr_age[0] = fr->fr_age[0]; - old->fr_age[1] = fr->fr_age[1]; - if (old->fr_v == 4) - fr->fr_family = AF_INET; - if (old->fr_v == 6) - fr->fr_family = AF_INET6; - old->fr_icode = fr->fr_icode; - old->fr_cksum = fr->fr_cksum; - old->fr_tifs[0].ofd_ip6 = fr->fr_tifs[0].fd_ip6; - old->fr_tifs[1].ofd_ip6 = fr->fr_tifs[0].fd_ip6; - old->fr_dif.ofd_ip6 = fr->fr_dif.fd_ip6; - if (fr->fr_ifnames[0] >= 0) { - strncpy(old->fr_ifnames[0], fr->fr_names + fr->fr_ifnames[0], - LIFNAMSIZ); - old->fr_ifnames[0][LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_ifnames[1] >= 0) { - strncpy(old->fr_ifnames[1], fr->fr_names + fr->fr_ifnames[1], - LIFNAMSIZ); - old->fr_ifnames[1][LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_ifnames[2] >= 0) { - strncpy(old->fr_ifnames[2], fr->fr_names + fr->fr_ifnames[2], - LIFNAMSIZ); - old->fr_ifnames[2][LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_ifnames[3] >= 0) { - strncpy(old->fr_ifnames[3], fr->fr_names + fr->fr_ifnames[3], - LIFNAMSIZ); - old->fr_ifnames[3][LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_tifs[0].fd_name >= 0) { - strncpy(old->fr_tifs[0].fd_ifname, - fr->fr_names + fr->fr_tifs[0].fd_name, LIFNAMSIZ); - old->fr_tifs[0].fd_ifname[LIFNAMSIZ - 1] = '\0'; - } - if 
(fr->fr_tifs[1].fd_name >= 0) { - strncpy(old->fr_tifs[1].fd_ifname, - fr->fr_names + fr->fr_tifs[1].fd_name, LIFNAMSIZ); - old->fr_tifs[1].fd_ifname[LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_dif.fd_name >= 0) { - strncpy(old->fr_dif.fd_ifname, - fr->fr_names + fr->fr_dif.fd_name, LIFNAMSIZ); - old->fr_dif.fd_ifname[LIFNAMSIZ - 1] = '\0'; - } - if (fr->fr_group >= 0) { - strncpy(old->fr_group, fr->fr_names + fr->fr_group, - FR_GROUPLEN); - old->fr_group[FR_GROUPLEN - 1] = '\0'; - } - if (fr->fr_grhead >= 0) { - strncpy(old->fr_grhead, fr->fr_names + fr->fr_grhead, - FR_GROUPLEN); - old->fr_grhead[FR_GROUPLEN - 1] = '\0'; - } -} - - -static void -fr_info_current_to_4_1_24(current, old) - void *current; - fr_info_4_1_24_t *old; -{ - fr_info_t *fin = (fr_info_t *)current; - - old->fin_ifp = fin->fin_ifp; - ipf_v5iptov4(&fin->fin_fi, &old->fin_fi); - bcopy(&fin->fin_dat, &old->fin_dat, sizeof(fin->fin_dat)); - old->fin_out = fin->fin_out; - old->fin_rev = fin->fin_rev; - old->fin_hlen = fin->fin_hlen; - old->ofin_tcpf = fin->fin_tcpf; - old->fin_icode = fin->fin_icode; - old->fin_rule = fin->fin_rule; - bcopy(fin->fin_group, old->fin_group, sizeof(fin->fin_group)); - old->fin_fr = fin->fin_fr; - old->fin_dp = fin->fin_dp; - old->fin_dlen = fin->fin_dlen; - old->fin_plen = fin->fin_plen; - old->fin_ipoff = fin->fin_ipoff; - old->fin_id = fin->fin_id; - old->fin_off = fin->fin_off; - old->fin_depth = fin->fin_depth; - old->fin_error = fin->fin_error; - old->fin_cksum = fin->fin_cksum; - old->fin_state = NULL; - old->fin_nat = NULL; - old->fin_nattag = fin->fin_nattag; - old->fin_exthdr = NULL; - old->ofin_ip = fin->fin_ip; - old->fin_mp = fin->fin_mp; - old->fin_m = fin->fin_m; -#if SOLARIS - old->fin_qfm = fin->fin_qfm; - old->fin_qpi = fin->fin_qpi; - old->fin_ifname[0] = '\0'; -#endif -} - - -static void -fr_info_current_to_4_1_23(current, old) - void *current; - fr_info_4_1_23_t *old; -{ - fr_info_t *fin = (fr_info_t *)current; - - old->fin_ifp = fin->fin_ifp; - 
ipf_v5iptov4(&fin->fin_fi, &old->fin_fi);
- bcopy(&fin->fin_dat, &old->fin_dat, sizeof(fin->fin_dat));
- old->fin_out = fin->fin_out;
- old->fin_rev = fin->fin_rev;
- old->fin_hlen = fin->fin_hlen;
- old->ofin_tcpf = fin->fin_tcpf;
- old->fin_icode = fin->fin_icode;
- old->fin_rule = fin->fin_rule;
- bcopy(fin->fin_group, old->fin_group, sizeof(fin->fin_group));
- old->fin_fr = fin->fin_fr;
- old->fin_dp = fin->fin_dp;
- old->fin_dlen = fin->fin_dlen;
- old->fin_plen = fin->fin_plen;
- old->fin_ipoff = fin->fin_ipoff;
- old->fin_id = fin->fin_id;
- old->fin_off = fin->fin_off;
- old->fin_depth = fin->fin_depth;
- old->fin_error = fin->fin_error;
- old->fin_state = NULL;
- old->fin_nat = NULL;
- old->fin_nattag = fin->fin_nattag;
- old->ofin_ip = fin->fin_ip;
- old->fin_mp = fin->fin_mp;
- old->fin_m = fin->fin_m;
-#if SOLARIS
- old->fin_qfm = fin->fin_qfm;
- old->fin_qpi = fin->fin_qpi;
- old->fin_ifname[0] = '\0';
-#endif
-}
-
-
-static void
-fr_info_current_to_4_1_11(current, old)
- void *current;
- fr_info_4_1_11_t *old;
-{
- fr_info_t *fin = (fr_info_t *)current;
-
- old->fin_ifp = fin->fin_ifp;
- ipf_v5iptov4(&fin->fin_fi, &old->fin_fi);
- bcopy(&fin->fin_dat, &old->fin_dat, sizeof(fin->fin_dat));
- old->fin_out = fin->fin_out;
- old->fin_rev = fin->fin_rev;
- old->fin_hlen = fin->fin_hlen;
- old->ofin_tcpf = fin->fin_tcpf;
- old->fin_icode = fin->fin_icode;
- old->fin_rule = fin->fin_rule;
- bcopy(fin->fin_group, old->fin_group, sizeof(fin->fin_group));
- old->fin_fr = fin->fin_fr;
- old->fin_dp = fin->fin_dp;
- old->fin_dlen = fin->fin_dlen;
- old->fin_plen = fin->fin_plen;
- old->fin_ipoff = fin->fin_ipoff;
- old->fin_id = fin->fin_id;
- old->fin_off = fin->fin_off;
- old->fin_depth = fin->fin_depth;
- old->fin_error = fin->fin_error;
- old->fin_state = NULL;
- old->fin_nat = NULL;
- old->fin_nattag = fin->fin_nattag;
- old->ofin_ip = fin->fin_ip;
- old->fin_mp = fin->fin_mp;
- old->fin_m = fin->fin_m;
-#if SOLARIS
- old->fin_qfm = fin->fin_qfm;
- old->fin_qpi = fin->fin_qpi;
- old->fin_ifname[0] = '\0';
-#endif
-}
-
-
-static void
-frauth_current_to_4_1_29(current, old)
- void *current;
- frauth_4_1_29_t *old;
-{
- frauth_t *fra = (frauth_t *)current;
-
- old->fra_age = fra->fra_age;
- old->fra_len = fra->fra_len;
- old->fra_index = fra->fra_index;
- old->fra_pass = fra->fra_pass;
- fr_info_current_to_4_1_24(&fra->fra_info, &old->fra_info);
- old->fra_buf = fra->fra_buf;
- old->fra_flx = fra->fra_flx;
-#if SOLARIS
- old->fra_q = fra->fra_q;
- old->fra_m = fra->fra_m;
-#endif
-}
-
-
-static void
-frauth_current_to_4_1_24(current, old)
- void *current;
- frauth_4_1_24_t *old;
-{
- frauth_t *fra = (frauth_t *)current;
-
- old->fra_age = fra->fra_age;
- old->fra_len = fra->fra_len;
- old->fra_index = fra->fra_index;
- old->fra_pass = fra->fra_pass;
- fr_info_current_to_4_1_24(&fra->fra_info, &old->fra_info);
- old->fra_buf = fra->fra_buf;
-#if SOLARIS
- old->fra_q = fra->fra_q;
- old->fra_m = fra->fra_m;
-#endif
-}
-
-
-static void
-frauth_current_to_4_1_23(current, old)
- void *current;
- frauth_4_1_23_t *old;
-{
- frauth_t *fra = (frauth_t *)current;
-
- old->fra_age = fra->fra_age;
- old->fra_len = fra->fra_len;
- old->fra_index = fra->fra_index;
- old->fra_pass = fra->fra_pass;
- fr_info_current_to_4_1_23(&fra->fra_info, &old->fra_info);
- old->fra_buf = fra->fra_buf;
-#if SOLARIS
- old->fra_q = fra->fra_q;
- old->fra_m = fra->fra_m;
-#endif
-}
-
-
-static void
-frauth_current_to_4_1_11(current, old)
- void *current;
- frauth_4_1_11_t *old;
-{
- frauth_t *fra = (frauth_t *)current;
-
- old->fra_age = fra->fra_age;
- old->fra_len = fra->fra_len;
- old->fra_index = fra->fra_index;
- old->fra_pass = fra->fra_pass;
- fr_info_current_to_4_1_11(&fra->fra_info, &old->fra_info);
- old->fra_buf = fra->fra_buf;
-#if SOLARIS
- old->fra_q = fra->fra_q;
- old->fra_m = fra->fra_m;
-#endif
-}
-
-
-static void
-ipnat_current_to_4_1_14(current, old)
- void *current;
- ipnat_4_1_14_t *old;
-{
- ipnat_t *np = (ipnat_t
*)current; - - old->in_next = np->in_next; - old->in_rnext = np->in_rnext; - old->in_prnext = np->in_prnext; - old->in_mnext = np->in_mnext; - old->in_pmnext = np->in_pmnext; - old->in_tqehead[0] = np->in_tqehead[0]; - old->in_tqehead[1] = np->in_tqehead[1]; - old->in_ifps[0] = np->in_ifps[0]; - old->in_ifps[1] = np->in_ifps[1]; - old->in_apr = np->in_apr; - old->in_comment = np->in_comment; - old->in_space = np->in_space; - old->in_hits = np->in_hits; - old->in_use = np->in_use; - old->in_hv = np->in_hv[0]; - old->in_flineno = np->in_flineno; - if (old->in_redir == NAT_REDIRECT) - old->in_pnext = np->in_dpnext; - else - old->in_pnext = np->in_spnext; - old->in_v = np->in_v[0]; - old->in_flags = np->in_flags; - old->in_mssclamp = np->in_mssclamp; - old->in_age[0] = np->in_age[0]; - old->in_age[1] = np->in_age[1]; - old->in_redir = np->in_redir; - old->in_p = np->in_pr[0]; - if (np->in_redir == NAT_REDIRECT) { - old->in_next6 = np->in_ndst.na_nextaddr; - old->in_in[0] = np->in_ndst.na_addr[0]; - old->in_in[1] = np->in_ndst.na_addr[1]; - old->in_out[0] = np->in_odst.na_addr[0]; - old->in_out[1] = np->in_odst.na_addr[1]; - old->in_src[0] = np->in_osrc.na_addr[0]; - old->in_src[1] = np->in_osrc.na_addr[1]; - } else { - old->in_next6 = np->in_nsrc.na_nextaddr; - old->in_out[0] = np->in_nsrc.na_addr[0]; - old->in_out[1] = np->in_nsrc.na_addr[1]; - old->in_in[0] = np->in_osrc.na_addr[0]; - old->in_in[1] = np->in_osrc.na_addr[1]; - old->in_src[0] = np->in_odst.na_addr[0]; - old->in_src[1] = np->in_odst.na_addr[1]; - } - ipfv5tuctov4(&np->in_tuc, &old->in_tuc); - if (np->in_redir == NAT_REDIRECT) { - old->in_port[0] = np->in_dpmin; - old->in_port[1] = np->in_dpmax; - } else { - old->in_port[0] = np->in_spmin; - old->in_port[1] = np->in_spmax; - } - old->in_ppip = np->in_ppip; - old->in_ippip = np->in_ippip; - bcopy(&np->in_tag, &old->in_tag, sizeof(np->in_tag)); - - if (np->in_ifnames[0] >= 0) { - strncpy(old->in_ifnames[0], np->in_names + np->in_ifnames[0], - LIFNAMSIZ); - 
old->in_ifnames[0][LIFNAMSIZ - 1] = '\0'; - } - if (np->in_ifnames[1] >= 0) { - strncpy(old->in_ifnames[1], np->in_names + np->in_ifnames[1], - LIFNAMSIZ); - old->in_ifnames[1][LIFNAMSIZ - 1] = '\0'; - } - if (np->in_plabel >= 0) { - strncpy(old->in_plabel, np->in_names + np->in_plabel, - APR_LABELLEN); - old->in_plabel[APR_LABELLEN - 1] = '\0'; - } -} - - -static void -ipnat_current_to_4_1_0(current, old) - void *current; - ipnat_4_1_0_t *old; -{ - ipnat_t *np = (ipnat_t *)current; - - old->in_next = np->in_next; - old->in_rnext = np->in_rnext; - old->in_prnext = np->in_prnext; - old->in_mnext = np->in_mnext; - old->in_pmnext = np->in_pmnext; - old->in_tqehead[0] = np->in_tqehead[0]; - old->in_tqehead[1] = np->in_tqehead[1]; - old->in_ifps[0] = np->in_ifps[0]; - old->in_ifps[1] = np->in_ifps[1]; - old->in_apr = np->in_apr; - old->in_comment = np->in_comment; - old->in_space = np->in_space; - old->in_hits = np->in_hits; - old->in_use = np->in_use; - old->in_hv = np->in_hv[0]; - old->in_flineno = np->in_flineno; - if (old->in_redir == NAT_REDIRECT) - old->in_pnext = np->in_dpnext; - else - old->in_pnext = np->in_spnext; - old->in_v = np->in_v[0]; - old->in_flags = np->in_flags; - old->in_mssclamp = np->in_mssclamp; - old->in_age[0] = np->in_age[0]; - old->in_age[1] = np->in_age[1]; - old->in_redir = np->in_redir; - old->in_p = np->in_pr[0]; - if (np->in_redir == NAT_REDIRECT) { - old->in_next6 = np->in_ndst.na_nextaddr; - old->in_in[0] = np->in_ndst.na_addr[0]; - old->in_in[1] = np->in_ndst.na_addr[1]; - old->in_out[0] = np->in_odst.na_addr[0]; - old->in_out[1] = np->in_odst.na_addr[1]; - old->in_src[0] = np->in_osrc.na_addr[0]; - old->in_src[1] = np->in_osrc.na_addr[1]; - } else { - old->in_next6 = np->in_nsrc.na_nextaddr; - old->in_out[0] = np->in_nsrc.na_addr[0]; - old->in_out[1] = np->in_nsrc.na_addr[1]; - old->in_in[0] = np->in_osrc.na_addr[0]; - old->in_in[1] = np->in_osrc.na_addr[1]; - old->in_src[0] = np->in_odst.na_addr[0]; - old->in_src[1] = 
np->in_odst.na_addr[1];
- }
- ipfv5tuctov4(&np->in_tuc, &old->in_tuc);
- if (np->in_redir == NAT_REDIRECT) {
- old->in_port[0] = np->in_dpmin;
- old->in_port[1] = np->in_dpmax;
- } else {
- old->in_port[0] = np->in_spmin;
- old->in_port[1] = np->in_spmax;
- }
- old->in_ppip = np->in_ppip;
- old->in_ippip = np->in_ippip;
- bcopy(&np->in_tag, &old->in_tag, sizeof(np->in_tag));
-
- if (np->in_ifnames[0] >= 0) {
- strncpy(old->in_ifnames[0], np->in_names + np->in_ifnames[0],
- LIFNAMSIZ);
- old->in_ifnames[0][LIFNAMSIZ - 1] = '\0';
- }
- if (np->in_ifnames[1] >= 0) {
- strncpy(old->in_ifnames[1], np->in_names + np->in_ifnames[1],
- LIFNAMSIZ);
- old->in_ifnames[1][LIFNAMSIZ - 1] = '\0';
- }
- if (np->in_plabel >= 0) {
- strncpy(old->in_plabel, np->in_names + np->in_plabel,
- APR_LABELLEN);
- old->in_plabel[APR_LABELLEN - 1] = '\0';
- }
-}
-
-
-static void
-ipstate_current_to_4_1_16(current, old)
- void *current;
- ipstate_4_1_16_t *old;
-{
- ipstate_t *is = (ipstate_t *)current;
-
- old->is_lock = is->is_lock;
- old->is_next = is->is_next;
- old->is_pnext = is->is_pnext;
- old->is_hnext = is->is_hnext;
- old->is_phnext = is->is_phnext;
- old->is_me = is->is_me;
- old->is_ifp[0] = is->is_ifp[0];
- old->is_ifp[1] = is->is_ifp[1];
- old->is_sync = is->is_sync;
- old->is_rule = is->is_rule;
- old->is_tqehead[0] = is->is_tqehead[0];
- old->is_tqehead[1] = is->is_tqehead[1];
- old->is_isc = is->is_isc;
- old->is_pkts[0] = is->is_pkts[0];
- old->is_pkts[1] = is->is_pkts[1];
- old->is_pkts[2] = is->is_pkts[2];
- old->is_pkts[3] = is->is_pkts[3];
- old->is_bytes[0] = is->is_bytes[0];
- old->is_bytes[1] = is->is_bytes[1];
- old->is_bytes[2] = is->is_bytes[2];
- old->is_bytes[3] = is->is_bytes[3];
- old->is_icmppkts[0] = is->is_icmppkts[0];
- old->is_icmppkts[1] = is->is_icmppkts[1];
- old->is_icmppkts[2] = is->is_icmppkts[2];
- old->is_icmppkts[3] = is->is_icmppkts[3];
- old->is_sti = is->is_sti;
- old->is_frage[0] = is->is_frage[0];
- old->is_frage[1] = is->is_frage[1];
-
old->is_ref = is->is_ref;
- old->is_isninc[0] = is->is_isninc[0];
- old->is_isninc[1] = is->is_isninc[1];
- old->is_sumd[0] = is->is_sumd[0];
- old->is_sumd[1] = is->is_sumd[1];
- old->is_src = is->is_src;
- old->is_dst = is->is_dst;
- old->is_pass = is->is_pass;
- old->is_p = is->is_p;
- old->is_v = is->is_v;
- old->is_hv = is->is_hv;
- old->is_tag = is->is_tag;
- old->is_opt[0] = is->is_opt[0];
- old->is_opt[1] = is->is_opt[1];
- old->is_optmsk[0] = is->is_optmsk[0];
- old->is_optmsk[1] = is->is_optmsk[1];
- old->is_sec = is->is_sec;
- old->is_secmsk = is->is_secmsk;
- old->is_auth = is->is_auth;
- old->is_authmsk = is->is_authmsk;
- ipf_v5tcpinfoto4(&is->is_tcp, &old->is_tcp);
- old->is_flags = is->is_flags;
- old->is_flx[0][0] = is->is_flx[0][0];
- old->is_flx[0][1] = is->is_flx[0][1];
- old->is_flx[1][0] = is->is_flx[1][0];
- old->is_flx[1][1] = is->is_flx[1][1];
- old->is_rulen = is->is_rulen;
- old->is_s0[0] = is->is_s0[0];
- old->is_s0[1] = is->is_s0[1];
- old->is_smsk[0] = is->is_smsk[0];
- old->is_smsk[1] = is->is_smsk[1];
- bcopy(is->is_group, old->is_group, sizeof(is->is_group));
- bcopy(is->is_sbuf, old->is_sbuf, sizeof(is->is_sbuf));
- bcopy(is->is_ifname, old->is_ifname, sizeof(is->is_ifname));
-}
-
-
-static void
-ipstate_current_to_4_1_0(current, old)
- void *current;
- ipstate_4_1_0_t *old;
-{
- ipstate_t *is = (ipstate_t *)current;
-
- old->is_lock = is->is_lock;
- old->is_next = is->is_next;
- old->is_pnext = is->is_pnext;
- old->is_hnext = is->is_hnext;
- old->is_phnext = is->is_phnext;
- old->is_me = is->is_me;
- old->is_ifp[0] = is->is_ifp[0];
- old->is_ifp[1] = is->is_ifp[1];
- old->is_sync = is->is_sync;
- bzero(&old->is_nat, sizeof(old->is_nat));
- old->is_rule = is->is_rule;
- old->is_tqehead[0] = is->is_tqehead[0];
- old->is_tqehead[1] = is->is_tqehead[1];
- old->is_isc = is->is_isc;
- old->is_pkts[0] = is->is_pkts[0];
- old->is_pkts[1] = is->is_pkts[1];
- old->is_pkts[2] = is->is_pkts[2];
- old->is_pkts[3] = is->is_pkts[3];
-
old->is_bytes[0] = is->is_bytes[0];
- old->is_bytes[1] = is->is_bytes[1];
- old->is_bytes[2] = is->is_bytes[2];
- old->is_bytes[3] = is->is_bytes[3];
- old->is_icmppkts[0] = is->is_icmppkts[0];
- old->is_icmppkts[1] = is->is_icmppkts[1];
- old->is_icmppkts[2] = is->is_icmppkts[2];
- old->is_icmppkts[3] = is->is_icmppkts[3];
- old->is_sti = is->is_sti;
- old->is_frage[0] = is->is_frage[0];
- old->is_frage[1] = is->is_frage[1];
- old->is_ref = is->is_ref;
- old->is_isninc[0] = is->is_isninc[0];
- old->is_isninc[1] = is->is_isninc[1];
- old->is_sumd[0] = is->is_sumd[0];
- old->is_sumd[1] = is->is_sumd[1];
- old->is_src = is->is_src;
- old->is_dst = is->is_dst;
- old->is_pass = is->is_pass;
- old->is_p = is->is_p;
- old->is_v = is->is_v;
- old->is_hv = is->is_hv;
- old->is_tag = is->is_tag;
- old->is_opt[0] = is->is_opt[0];
- old->is_opt[1] = is->is_opt[1];
- old->is_optmsk[0] = is->is_optmsk[0];
- old->is_optmsk[1] = is->is_optmsk[1];
- old->is_sec = is->is_sec;
- old->is_secmsk = is->is_secmsk;
- old->is_auth = is->is_auth;
- old->is_authmsk = is->is_authmsk;
- ipf_v5tcpinfoto4(&is->is_tcp, &old->is_tcp);
- old->is_flags = is->is_flags;
- old->is_flx[0][0] = is->is_flx[0][0];
- old->is_flx[0][1] = is->is_flx[0][1];
- old->is_flx[1][0] = is->is_flx[1][0];
- old->is_flx[1][1] = is->is_flx[1][1];
- old->is_rulen = is->is_rulen;
- old->is_s0[0] = is->is_s0[0];
- old->is_s0[1] = is->is_s0[1];
- old->is_smsk[0] = is->is_smsk[0];
- old->is_smsk[1] = is->is_smsk[1];
- bcopy(is->is_group, old->is_group, sizeof(is->is_group));
- bcopy(is->is_sbuf, old->is_sbuf, sizeof(is->is_sbuf));
- bcopy(is->is_ifname, old->is_ifname, sizeof(is->is_ifname));
-}
-
-
-static void
-ips_stat_current_to_4_1_21(current, old)
- void *current;
- ips_stat_4_1_21_t *old;
-{
- ips_stat_t *st = (ips_stat_t *)current;
-
- old->iss_hits = st->iss_hits;
- old->iss_miss = st->iss_check_miss;
- old->iss_max = st->iss_max;
- old->iss_maxref = st->iss_max_ref;
- old->iss_tcp = st->iss_proto[IPPROTO_TCP];
-
old->iss_udp = st->iss_proto[IPPROTO_UDP];
- old->iss_icmp = st->iss_proto[IPPROTO_ICMP];
- old->iss_nomem = st->iss_nomem;
- old->iss_expire = st->iss_expire;
- old->iss_fin = st->iss_fin;
- old->iss_active = st->iss_active;
- old->iss_logged = st->iss_log_ok;
- old->iss_logfail = st->iss_log_fail;
- old->iss_inuse = st->iss_inuse;
- old->iss_wild = st->iss_wild;
- old->iss_ticks = st->iss_ticks;
- old->iss_bucketfull = st->iss_bucket_full;
- old->iss_statesize = st->iss_state_size;
- old->iss_statemax = st->iss_state_max;
- old->iss_table = st->iss_table;
- old->iss_list = st->iss_list;
- old->iss_bucketlen = (void *)st->iss_bucketlen;
- old->iss_tcptab = st->iss_tcptab;
-}
-
-
-static void
-ips_stat_current_to_4_1_0(current, old)
- void *current;
- ips_stat_4_1_0_t *old;
-{
- ips_stat_t *st = (ips_stat_t *)current;
-
- old->iss_hits = st->iss_hits;
- old->iss_miss = st->iss_check_miss;
- old->iss_max = st->iss_max;
- old->iss_maxref = st->iss_max_ref;
- old->iss_tcp = st->iss_proto[IPPROTO_TCP];
- old->iss_udp = st->iss_proto[IPPROTO_UDP];
- old->iss_icmp = st->iss_proto[IPPROTO_ICMP];
- old->iss_nomem = st->iss_nomem;
- old->iss_expire = st->iss_expire;
- old->iss_fin = st->iss_fin;
- old->iss_active = st->iss_active;
- old->iss_logged = st->iss_log_ok;
- old->iss_logfail = st->iss_log_fail;
- old->iss_inuse = st->iss_inuse;
- old->iss_wild = st->iss_wild;
- old->iss_ticks = st->iss_ticks;
- old->iss_bucketfull = st->iss_bucket_full;
- old->iss_statesize = st->iss_state_size;
- old->iss_statemax = st->iss_state_max;
- old->iss_table = st->iss_table;
- old->iss_list = st->iss_list;
- old->iss_bucketlen = (void *)st->iss_bucketlen;
-}
-
-
-static void
-nat_save_current_to_4_1_16(current, old)
- void *current;
- nat_save_4_1_16_t *old;
-{
- nat_save_t *nats = (nat_save_t *)current;
-
- old->ipn_next = nats->ipn_next;
- bcopy(&nats->ipn_nat, &old->ipn_nat, sizeof(old->ipn_nat));
- bcopy(&nats->ipn_ipnat, &old->ipn_ipnat, sizeof(old->ipn_ipnat));
-
frentry_current_to_4_1_16(&nats->ipn_fr, &old->ipn_fr);
- old->ipn_dsize = nats->ipn_dsize;
- bcopy(nats->ipn_data, old->ipn_data, sizeof(nats->ipn_data));
-}
-
-
-static void
-nat_save_current_to_4_1_14(current, old)
- void *current;
- nat_save_4_1_14_t *old;
-{
- nat_save_t *nats = (nat_save_t *)current;
-
- old->ipn_next = nats->ipn_next;
- bcopy(&nats->ipn_nat, &old->ipn_nat, sizeof(old->ipn_nat));
- bcopy(&nats->ipn_ipnat, &old->ipn_ipnat, sizeof(old->ipn_ipnat));
- frentry_current_to_4_1_0(&nats->ipn_fr, &old->ipn_fr);
- old->ipn_dsize = nats->ipn_dsize;
- bcopy(nats->ipn_data, old->ipn_data, sizeof(nats->ipn_data));
-}
-
-
-static void
-nat_save_current_to_4_1_3(current, old)
- void *current;
- nat_save_4_1_3_t *old;
-{
- nat_save_t *nats = (nat_save_t *)current;
-
- old->ipn_next = nats->ipn_next;
- bcopy(&nats->ipn_nat, &old->ipn_nat, sizeof(old->ipn_nat));
- bcopy(&nats->ipn_ipnat, &old->ipn_ipnat, sizeof(old->ipn_ipnat));
- frentry_current_to_4_1_0(&nats->ipn_fr, &old->ipn_fr);
- old->ipn_dsize = nats->ipn_dsize;
- bcopy(nats->ipn_data, old->ipn_data, sizeof(nats->ipn_data));
-}
-
-
-static void
-nat_current_to_4_1_25(current, old)
- void *current;
- nat_4_1_25_t *old;
-{
- nat_t *nat = (nat_t *)current;
-
- old->nat_lock = nat->nat_lock;
- old->nat_next = (void *)nat->nat_next;
- old->nat_pnext = (void *)nat->nat_pnext;
- old->nat_hnext[0] = (void *)nat->nat_hnext[0];
- old->nat_hnext[1] = (void *)nat->nat_hnext[1];
- old->nat_phnext[0] = (void *)nat->nat_phnext[0];
- old->nat_phnext[1] = (void *)nat->nat_phnext[1];
- old->nat_hm = nat->nat_hm;
- old->nat_data = nat->nat_data;
- old->nat_me = (void *)nat->nat_me;
- old->nat_state = nat->nat_state;
- old->nat_aps = nat->nat_aps;
- old->nat_fr = nat->nat_fr;
- old->nat_ptr = (void *)nat->nat_ptr;
- old->nat_ifps[0] = nat->nat_ifps[0];
- old->nat_ifps[1] = nat->nat_ifps[1];
- old->nat_sync = nat->nat_sync;
- old->nat_tqe = nat->nat_tqe;
- old->nat_flags = nat->nat_flags;
- old->nat_sumd[0] =
nat->nat_sumd[0];
- old->nat_sumd[1] = nat->nat_sumd[1];
- old->nat_ipsumd = nat->nat_ipsumd;
- old->nat_mssclamp = nat->nat_mssclamp;
- old->nat_pkts[0] = nat->nat_pkts[0];
- old->nat_pkts[1] = nat->nat_pkts[1];
- old->nat_bytes[0] = nat->nat_bytes[0];
- old->nat_bytes[1] = nat->nat_bytes[1];
- old->nat_ref = nat->nat_ref;
- old->nat_dir = nat->nat_dir;
- old->nat_p = nat->nat_pr[0];
- old->nat_use = nat->nat_use;
- old->nat_hv[0] = nat->nat_hv[0];
- old->nat_hv[1] = nat->nat_hv[1];
- old->nat_rev = nat->nat_rev;
- old->nat_redir = nat->nat_redir;
- bcopy(nat->nat_ifnames[0], old->nat_ifnames[0], LIFNAMSIZ);
- bcopy(nat->nat_ifnames[1], old->nat_ifnames[1], LIFNAMSIZ);
-
- if (nat->nat_redir == NAT_REDIRECT) {
- old->nat_inip6 = nat->nat_ndst6;
- old->nat_outip6 = nat->nat_odst6;
- old->nat_oip6 = nat->nat_osrc6;
- old->nat_un.nat_unt.ts_sport = nat->nat_ndport;
- old->nat_un.nat_unt.ts_dport = nat->nat_odport;
- } else {
- old->nat_inip6 = nat->nat_osrc6;
- old->nat_outip6 = nat->nat_nsrc6;
- old->nat_oip6 = nat->nat_odst6;
- old->nat_un.nat_unt.ts_sport = nat->nat_osport;
- old->nat_un.nat_unt.ts_dport = nat->nat_nsport;
- }
-}
-
-
-static void
-nat_current_to_4_1_14(current, old)
- void *current;
- nat_4_1_14_t *old;
-{
- nat_t *nat = (nat_t *)current;
-
- old->nat_lock = nat->nat_lock;
- old->nat_next = nat->nat_next;
- old->nat_pnext = NULL;
- old->nat_hnext[0] = NULL;
- old->nat_hnext[1] = NULL;
- old->nat_phnext[0] = NULL;
- old->nat_phnext[1] = NULL;
- old->nat_hm = nat->nat_hm;
- old->nat_data = nat->nat_data;
- old->nat_me = (void *)nat->nat_me;
- old->nat_state = nat->nat_state;
- old->nat_aps = nat->nat_aps;
- old->nat_fr = nat->nat_fr;
- old->nat_ptr = nat->nat_ptr;
- old->nat_ifps[0] = nat->nat_ifps[0];
- old->nat_ifps[1] = nat->nat_ifps[1];
- old->nat_sync = nat->nat_sync;
- old->nat_tqe = nat->nat_tqe;
- old->nat_flags = nat->nat_flags;
- old->nat_sumd[0] = nat->nat_sumd[0];
- old->nat_sumd[1] = nat->nat_sumd[1];
- old->nat_ipsumd =
nat->nat_ipsumd;
- old->nat_mssclamp = nat->nat_mssclamp;
- old->nat_pkts[0] = nat->nat_pkts[0];
- old->nat_pkts[1] = nat->nat_pkts[1];
- old->nat_bytes[0] = nat->nat_bytes[0];
- old->nat_bytes[1] = nat->nat_bytes[1];
- old->nat_ref = nat->nat_ref;
- old->nat_dir = nat->nat_dir;
- old->nat_p = nat->nat_pr[0];
- old->nat_use = nat->nat_use;
- old->nat_hv[0] = nat->nat_hv[0];
- old->nat_hv[1] = nat->nat_hv[1];
- old->nat_rev = nat->nat_rev;
- bcopy(nat->nat_ifnames[0], old->nat_ifnames[0], LIFNAMSIZ);
- bcopy(nat->nat_ifnames[1], old->nat_ifnames[1], LIFNAMSIZ);
-
- if (nat->nat_redir == NAT_REDIRECT) {
- old->nat_inip6 = nat->nat_ndst6;
- old->nat_outip6 = nat->nat_odst6;
- old->nat_oip6 = nat->nat_osrc6;
- old->nat_un.nat_unt.ts_sport = nat->nat_ndport;
- old->nat_un.nat_unt.ts_dport = nat->nat_odport;
- } else {
- old->nat_inip6 = nat->nat_osrc6;
- old->nat_outip6 = nat->nat_nsrc6;
- old->nat_oip6 = nat->nat_odst6;
- old->nat_un.nat_unt.ts_sport = nat->nat_osport;
- old->nat_un.nat_unt.ts_dport = nat->nat_nsport;
- }
-}
-
-
-static void
-nat_current_to_4_1_3(current, old)
- void *current;
- nat_4_1_3_t *old;
-{
- nat_t *nat = (nat_t *)current;
-
- old->nat_lock = nat->nat_lock;
- old->nat_next = nat->nat_next;
- old->nat_pnext = NULL;
- old->nat_hnext[0] = NULL;
- old->nat_hnext[1] = NULL;
- old->nat_phnext[0] = NULL;
- old->nat_phnext[1] = NULL;
- old->nat_hm = nat->nat_hm;
- old->nat_data = nat->nat_data;
- old->nat_me = (void *)nat->nat_me;
- old->nat_state = nat->nat_state;
- old->nat_aps = nat->nat_aps;
- old->nat_fr = nat->nat_fr;
- old->nat_ptr = nat->nat_ptr;
- old->nat_ifps[0] = nat->nat_ifps[0];
- old->nat_ifps[1] = nat->nat_ifps[1];
- old->nat_sync = nat->nat_sync;
- old->nat_tqe = nat->nat_tqe;
- old->nat_flags = nat->nat_flags;
- old->nat_sumd[0] = nat->nat_sumd[0];
- old->nat_sumd[1] = nat->nat_sumd[1];
- old->nat_ipsumd = nat->nat_ipsumd;
- old->nat_mssclamp = nat->nat_mssclamp;
- old->nat_pkts[0] = nat->nat_pkts[0];
- old->nat_pkts[1] =
nat->nat_pkts[1];
- old->nat_bytes[0] = nat->nat_bytes[0];
- old->nat_bytes[1] = nat->nat_bytes[1];
- old->nat_ref = nat->nat_ref;
- old->nat_dir = nat->nat_dir;
- old->nat_p = nat->nat_pr[0];
- old->nat_use = nat->nat_use;
- old->nat_hv[0] = nat->nat_hv[0];
- old->nat_hv[1] = nat->nat_hv[1];
- old->nat_rev = nat->nat_rev;
- bcopy(nat->nat_ifnames[0], old->nat_ifnames[0], LIFNAMSIZ);
- bcopy(nat->nat_ifnames[1], old->nat_ifnames[1], LIFNAMSIZ);
-
- if (nat->nat_redir == NAT_REDIRECT) {
- old->nat_inip6 = nat->nat_ndst6;
- old->nat_outip6 = nat->nat_odst6;
- old->nat_oip6 = nat->nat_osrc6;
- old->nat_un.nat_unt.ts_sport = nat->nat_ndport;
- old->nat_un.nat_unt.ts_dport = nat->nat_odport;
- } else {
- old->nat_inip6 = nat->nat_osrc6;
- old->nat_outip6 = nat->nat_nsrc6;
- old->nat_oip6 = nat->nat_odst6;
- old->nat_un.nat_unt.ts_sport = nat->nat_osport;
- old->nat_un.nat_unt.ts_dport = nat->nat_nsport;
- }
-}
-
-#endif /* IPFILTER_COMPAT */
diff --git a/contrib/ipfilter/ipf_rb.h b/contrib/ipfilter/ipf_rb.h
deleted file mode 100644
index 3d7a59d99d36..000000000000
--- a/contrib/ipfilter/ipf_rb.h
+++ /dev/null
@@ -1,364 +0,0 @@
-/*
- * Copyright (C) 2012 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- *
- */
-typedef enum rbcolour_e {
- C_BLACK = 0,
- C_RED = 1
-} rbcolour_t;
-
-#define RBI_LINK(_n, _t) \
- struct _n##_rb_link { \
- struct _t *left; \
- struct _t *right; \
- struct _t *parent; \
- rbcolour_t colour; \
- }
-
-#define RBI_HEAD(_n, _t) \
-struct _n##_rb_head { \
- struct _t top; \
- int count; \
- int (* compare)(struct _t *, struct _t *); \
-}
-
-#define RBI_CODE(_n, _t, _f, _cmp) \
- \
-typedef void (*_n##_rb_walker_t)(_t *, void *); \
- \
-_t * _n##_rb_delete(struct _n##_rb_head *, _t *); \
-void _n##_rb_init(struct _n##_rb_head *); \
-void _n##_rb_insert(struct _n##_rb_head *, _t *); \
-_t * _n##_rb_search(struct _n##_rb_head *, void *); \
-void _n##_rb_walktree(struct _n##_rb_head *, _n##_rb_walker_t, void *);\
- \
-static void \
-rotate_left(struct _n##_rb_head *head, _t *node) \
-{ \
- _t *parent, *tmp1, *tmp2; \
- \
- parent = node->_f.parent; \
- tmp1 = node->_f.right; \
- tmp2 = tmp1->_f.left; \
- node->_f.right = tmp2; \
- if (tmp2 != & _n##_rb_zero) \
- tmp2->_f.parent = node; \
- if (parent == & _n##_rb_zero) \
- head->top._f.right = tmp1; \
- else if (parent->_f.right == node) \
- parent->_f.right = tmp1; \
- else \
- parent->_f.left = tmp1; \
- tmp1->_f.left = node; \
- tmp1->_f.parent = parent; \
- node->_f.parent = tmp1; \
-} \
- \
-static void \
-rotate_right(struct _n##_rb_head *head, _t *node) \
-{ \
- _t *parent, *tmp1, *tmp2; \
- \
- parent = node->_f.parent; \
- tmp1 = node->_f.left; \
- tmp2 = tmp1->_f.right; \
- node->_f.left = tmp2; \
- if (tmp2 != &_n##_rb_zero) \
- tmp2->_f.parent = node; \
- if (parent == &_n##_rb_zero) \
- head->top._f.right = tmp1; \
- else if (parent->_f.right == node) \
- parent->_f.right = tmp1; \
- else \
- parent->_f.left = tmp1; \
- tmp1->_f.right = node; \
- tmp1->_f.parent = parent; \
- node->_f.parent = tmp1; \
-} \
- \
-void \
-_n##_rb_insert(struct _n##_rb_head
*head, _t *node) \
-{ \
- _t *n, *parent, **p, *tmp1, *gparent; \
- \
- parent = &head->top; \
- node->_f.left = &_n##_rb_zero; \
- node->_f.right = &_n##_rb_zero; \
- p = &head->top._f.right; \
- while ((n = *p) != &_n##_rb_zero) { \
- if (_cmp(node, n) < 0) \
- p = &n->_f.left; \
- else \
- p = &n->_f.right; \
- parent = n; \
- } \
- *p = node; \
- node->_f.colour = C_RED; \
- node->_f.parent = parent; \
- \
- while ((node != &_n##_rb_zero) && (parent->_f.colour == C_RED)){\
- gparent = parent->_f.parent; \
- if (parent == gparent->_f.left) { \
- tmp1 = gparent->_f.right; \
- if (tmp1->_f.colour == C_RED) { \
- parent->_f.colour = C_BLACK; \
- tmp1->_f.colour = C_BLACK; \
- gparent->_f.colour = C_RED; \
- node = gparent; \
- } else { \
- if (node == parent->_f.right) { \
- node = parent; \
- rotate_left(head, node); \
- parent = node->_f.parent; \
- } \
- parent->_f.colour = C_BLACK; \
- gparent->_f.colour = C_RED; \
- rotate_right(head, gparent); \
- } \
- } else { \
- tmp1 = gparent->_f.left; \
- if (tmp1->_f.colour == C_RED) { \
- parent->_f.colour = C_BLACK; \
- tmp1->_f.colour = C_BLACK; \
- gparent->_f.colour = C_RED; \
- node = gparent; \
- } else { \
- if (node == parent->_f.left) { \
- node = parent; \
- rotate_right(head, node); \
- parent = node->_f.parent; \
- } \
- parent->_f.colour = C_BLACK; \
- gparent->_f.colour = C_RED; \
- rotate_left(head, parent->_f.parent); \
- } \
- } \
- parent = node->_f.parent; \
- } \
- head->top._f.right->_f.colour = C_BLACK; \
- head->count++; \
-} \
- \
-static void \
-deleteblack(struct _n##_rb_head *head, _t *parent, _t *node) \
-{ \
- _t *tmp; \
- \
- while ((node == &_n##_rb_zero || node->_f.colour == C_BLACK) && \
- node != &head->top) { \
- if (parent->_f.left == node) { \
- tmp = parent->_f.right; \
- if (tmp->_f.colour == C_RED) { \
- tmp->_f.colour = C_BLACK; \
- parent->_f.colour = C_RED; \
- rotate_left(head, parent); \
- tmp = parent->_f.right; \
- } \
- if ((tmp->_f.left == &_n##_rb_zero || \
-
tmp->_f.left->_f.colour == C_BLACK) && \
- (tmp->_f.right == &_n##_rb_zero || \
- tmp->_f.right->_f.colour == C_BLACK)) { \
- tmp->_f.colour = C_RED; \
- node = parent; \
- parent = node->_f.parent; \
- } else { \
- if (tmp->_f.right == &_n##_rb_zero || \
- tmp->_f.right->_f.colour == C_BLACK) {\
- _t *tmp2 = tmp->_f.left; \
- \
- if (tmp2 != &_n##_rb_zero) \
- tmp2->_f.colour = C_BLACK;\
- tmp->_f.colour = C_RED; \
- rotate_right(head, tmp); \
- tmp = parent->_f.right; \
- } \
- tmp->_f.colour = parent->_f.colour; \
- parent->_f.colour = C_BLACK; \
- if (tmp->_f.right != &_n##_rb_zero) \
- tmp->_f.right->_f.colour = C_BLACK;\
- rotate_left(head, parent); \
- node = head->top._f.right; \
- } \
- } else { \
- tmp = parent->_f.left; \
- if (tmp->_f.colour == C_RED) { \
- tmp->_f.colour = C_BLACK; \
- parent->_f.colour = C_RED; \
- rotate_right(head, parent); \
- tmp = parent->_f.left; \
- } \
- if ((tmp->_f.left == &_n##_rb_zero || \
- tmp->_f.left->_f.colour == C_BLACK) && \
- (tmp->_f.right == &_n##_rb_zero || \
- tmp->_f.right->_f.colour == C_BLACK)) { \
- tmp->_f.colour = C_RED; \
- node = parent; \
- parent = node->_f.parent; \
- } else { \
- if (tmp->_f.left == &_n##_rb_zero || \
- tmp->_f.left->_f.colour == C_BLACK) {\
- _t *tmp2 = tmp->_f.right; \
- \
- if (tmp2 != &_n##_rb_zero) \
- tmp2->_f.colour = C_BLACK;\
- tmp->_f.colour = C_RED; \
- rotate_left(head, tmp); \
- tmp = parent->_f.left; \
- } \
- tmp->_f.colour = parent->_f.colour; \
- parent->_f.colour = C_BLACK; \
- if (tmp->_f.left != &_n##_rb_zero) \
- tmp->_f.left->_f.colour = C_BLACK;\
- rotate_right(head, parent); \
- node = head->top._f.right; \
- break; \
- } \
- } \
- } \
- if (node != &_n##_rb_zero) \
- node->_f.colour = C_BLACK; \
-} \
- \
-_t * \
-_n##_rb_delete(struct _n##_rb_head *head, _t *node) \
-{ \
- _t *child, *parent, *old = node, *left; \
- rbcolour_t color; \
- \
- if (node->_f.left == &_n##_rb_zero) { \
- child = node->_f.right; \
- } else if (node->_f.right == &_n##_rb_zero) { \
- child = node->_f.left; \
- } else { \
- node = node->_f.right; \
- while ((left = node->_f.left) != &_n##_rb_zero) \
- node = left; \
- child = node->_f.right; \
- parent = node->_f.parent; \
- color = node->_f.colour; \
- if (child != &_n##_rb_zero) \
- child->_f.parent = parent; \
- if (parent != &_n##_rb_zero) { \
- if (parent->_f.left == node) \
- parent->_f.left = child; \
- else \
- parent->_f.right = child; \
- } else { \
- head->top._f.right = child; \
- } \
- if (node->_f.parent == old) \
- parent = node; \
- *node = *old; \
- if (old->_f.parent != &_n##_rb_zero) { \
- if (old->_f.parent->_f.left == old) \
- old->_f.parent->_f.left = node; \
- else \
- old->_f.parent->_f.right = node; \
- } else { \
- head->top._f.right = child; \
- } \
- old->_f.left->_f.parent = node; \
- if (old->_f.right != &_n##_rb_zero) \
- old->_f.right->_f.parent = node; \
- if (parent != &_n##_rb_zero) { \
- left = parent; \
- } \
- goto colour; \
- } \
- parent = node->_f.parent; \
- color= node->_f.colour; \
- if (child != &_n##_rb_zero) \
- child->_f.parent = parent; \
- if (parent != &_n##_rb_zero) { \
- if (parent->_f.left == node) \
- parent->_f.left = child; \
- else \
- parent->_f.right = child; \
- } else { \
- head->top._f.right = child; \
- } \
-colour: \
- if (color == C_BLACK) \
- deleteblack(head, parent, node); \
- head->count--; \
- return old; \
-} \
- \
-void \
-_n##_rb_init(struct _n##_rb_head *head) \
-{ \
- memset(head, 0, sizeof(*head)); \
- memset(&_n##_rb_zero, 0, sizeof(_n##_rb_zero)); \
- head->top._f.left = &_n##_rb_zero; \
- head->top._f.right = &_n##_rb_zero; \
- head->top._f.parent = &head->top; \
- _n##_rb_zero._f.left = &_n##_rb_zero; \
- _n##_rb_zero._f.right = &_n##_rb_zero; \
- _n##_rb_zero._f.parent = &_n##_rb_zero; \
-} \
- \
-void \
-_n##_rb_walktree(struct _n##_rb_head *head, _n##_rb_walker_t func, void *arg)\
-{ \
- _t *prev; \
- _t *next; \
- _t *node = head->top._f.right; \
- _t *base; \
- \
- while (node != &_n##_rb_zero) \
- node =
node->_f.left; \
- \
- for (;;) { \
- base = node; \
- prev = node; \
- while ((node->_f.parent->_f.right == node) && \
- (node != &_n##_rb_zero)) { \
- prev = node; \
- node = node->_f.parent; \
- } \
- \
- node = prev; \
- for (node = node->_f.parent->_f.right; node != &_n##_rb_zero;\
- node = node->_f.left) \
- prev = node; \
- next = prev; \
- \
- if (node != &_n##_rb_zero) \
- func(node, arg); \
- \
- node = next; \
- if (node == &_n##_rb_zero) \
- break; \
- } \
-} \
- \
-_t * \
-_n##_rb_search(struct _n##_rb_head *head, void *key) \
-{ \
- int match; \
- _t *node; \
- node = head->top._f.right; \
- while (node != &_n##_rb_zero) { \
- match = _cmp(key, node); \
- if (match == 0) \
- break; \
- if (match< 0) \
- node = node->_f.left; \
- else \
- node = node->_f.right; \
- } \
- if (node == &_n##_rb_zero || match != 0) \
- return (NULL); \
- return (node); \
-}
-
-#define RBI_DELETE(_n, _h, _v) _n##_rb_delete(_h, _v)
-#define RBI_FIELD(_n) struct _n##_rb_link
-#define RBI_INIT(_n, _h) _n##_rb_init(_h)
-#define RBI_INSERT(_n, _h, _v) _n##_rb_insert(_h, _v)
-#define RBI_ISEMPTY(_h) ((_h)->count == 0)
-#define RBI_SEARCH(_n, _h, _k) _n##_rb_search(_h, _k)
-#define RBI_WALK(_n, _h, _w, _a) _n##_rb_walktree(_h, _w, _a)
-#define RBI_ZERO(_n) _n##_rb_zero
diff --git a/contrib/ipfilter/lib/Makefile b/contrib/ipfilter/lib/Makefile
deleted file mode 100644
index fdda78ed41a6..000000000000
--- a/contrib/ipfilter/lib/Makefile
+++ /dev/null
@@ -1,443 +0,0 @@
-#
-# Copyright (C) 2012 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-# $Id$
-#
-INCDEP=$(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ipf.h
-
-LIBOBJS=$(DEST)/addicmp.o \
- $(DEST)/addipopt.o \
- $(DEST)/alist_free.o \
- $(DEST)/alist_new.o \
- $(DEST)/allocmbt.o \
- $(DEST)/assigndefined.o \
- $(DEST)/bcopywrap.o \
- $(DEST)/binprint.o \
- $(DEST)/buildopts.o \
- $(DEST)/checkrev.o \
- $(DEST)/connecttcp.o \
- $(DEST)/count6bits.o \
- $(DEST)/count4bits.o \
- $(DEST)/debug.o \
- $(DEST)/dupmbt.o \
- $(DEST)/familyname.o \
- $(DEST)/facpri.o \
- $(DEST)/fill6bits.o \
- $(DEST)/findword.o \
- $(DEST)/flags.o \
- $(DEST)/freembt.o \
- $(DEST)/ftov.o \
- $(DEST)/genmask.o \
- $(DEST)/gethost.o \
- $(DEST)/geticmptype.o \
- $(DEST)/getifname.o \
- $(DEST)/getnattype.o \
- $(DEST)/getport.o \
- $(DEST)/getportproto.o \
- $(DEST)/getproto.o \
- $(DEST)/getsumd.o \
- $(DEST)/hostname.o \
- $(DEST)/icmpcode.o \
- $(DEST)/icmptypename.o \
- $(DEST)/icmptypes.o \
- $(DEST)/initparse.o \
- $(DEST)/interror.o \
- $(DEST)/ionames.o \
- $(DEST)/ipf_dotuning.o \
- $(DEST)/ipf_perror.o \
- $(DEST)/ipft_hx.o \
- $(DEST)/ipft_pc.o \
- $(DEST)/ipft_tx.o \
- $(DEST)/ipoptsec.o \
- $(DEST)/kmem.o \
- $(DEST)/kmemcpywrap.o \
- $(DEST)/kvatoname.o \
- $(DEST)/load_file.o \
- $(DEST)/load_dstlist.o \
- $(DEST)/load_dstlistnode.o \
- $(DEST)/load_hash.o \
- $(DEST)/load_hashnode.o \
- $(DEST)/load_http.o \
- $(DEST)/load_pool.o \
- $(DEST)/load_poolnode.o \
- $(DEST)/load_url.o \
- $(DEST)/msgdsize.o \
- $(DEST)/mutex_emul.o \
- $(DEST)/nametokva.o \
- $(DEST)/nat_setgroupmap.o \
- $(DEST)/ntomask.o \
- $(DEST)/optname.o \
- $(DEST)/optprint.o \
- $(DEST)/optprintv6.o \
- $(DEST)/optvalue.o \
- $(DEST)/parsefields.o \
- $(DEST)/parseipfexpr.o \
- $(DEST)/parsewhoisline.o \
- $(DEST)/poolio.o \
- $(DEST)/portname.o \
- $(DEST)/print_toif.o \
- $(DEST)/printactiveaddr.o \
- $(DEST)/printactivenat.o \
- $(DEST)/printaddr.o \
-
$(DEST)/printaps.o \
- $(DEST)/printbuf.o \
- $(DEST)/printdstlist.o \
- $(DEST)/printdstlistdata.o \
- $(DEST)/printdstlistnode.o \
- $(DEST)/printdstlistpolicy.o \
- $(DEST)/printdstl_live.o \
- $(DEST)/printfieldhdr.o \
- $(DEST)/printfr.o \
- $(DEST)/printfraginfo.o \
- $(DEST)/printhash.o \
- $(DEST)/printhashdata.o \
- $(DEST)/printhashnode.o \
- $(DEST)/printhash_live.o \
- $(DEST)/printhost.o \
- $(DEST)/printhostmap.o \
- $(DEST)/printhostmask.o \
- $(DEST)/printifname.o \
- $(DEST)/printip.o \
- $(DEST)/printipfexpr.o \
- $(DEST)/printlog.o \
- $(DEST)/printlookup.o \
- $(DEST)/printmask.o \
- $(DEST)/printnat.o \
- $(DEST)/printnataddr.o \
- $(DEST)/printnatfield.o \
- $(DEST)/printnatside.o \
- $(DEST)/printpool.o \
- $(DEST)/printpooldata.o \
- $(DEST)/printpoolfield.o \
- $(DEST)/printpoolnode.o \
- $(DEST)/printpool_live.o \
- $(DEST)/printproto.o \
- $(DEST)/printportcmp.o \
- $(DEST)/printpacket.o \
- $(DEST)/printpacket6.o \
- $(DEST)/printsbuf.o \
- $(DEST)/printstate.o \
- $(DEST)/printstatefields.o \
- $(DEST)/printtcpflags.o \
- $(DEST)/printtqtable.o \
- $(DEST)/printtunable.o \
- $(DEST)/printunit.o \
- $(DEST)/remove_hash.o \
- $(DEST)/remove_hashnode.o \
- $(DEST)/remove_pool.o \
- $(DEST)/remove_poolnode.o \
- $(DEST)/resetlexer.o \
- $(DEST)/rwlock_emul.o \
- $(DEST)/save_execute.o \
- $(DEST)/save_file.o \
- $(DEST)/save_nothing.o \
- $(DEST)/save_syslog.o \
- $(DEST)/save_v1trap.o \
- $(DEST)/save_v2trap.o \
- $(DEST)/tcpflags.o \
- $(DEST)/var.o \
- $(DEST)/verbose.o \
- $(DEST)/vtof.o \
- $(DEST)/v6ionames.o \
- $(DEST)/v6optvalue.o
-
-$(DEST)/libipf.a: $(LIBOBJS)
- /bin/rm -f $@
- ar $(AROPTS) $@ $(LIBOBJS)
- $(RANLIB) $@
-
-$(DEST)/addicmp.o: $(LIBSRC)/addicmp.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/addicmp.c -o $@
-$(DEST)/addipopt.o: $(LIBSRC)/addipopt.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/addipopt.c -o $@
-$(DEST)/alist_free.o: $(LIBSRC)/alist_free.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/alist_free.c -o $@
-$(DEST)/alist_new.o: $(LIBSRC)/alist_new.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/alist_new.c -o $@
-$(DEST)/allocmbt.o: $(LIBSRC)/allocmbt.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/allocmbt.c -o $@
-$(DEST)/assigndefined.o: $(LIBSRC)/assigndefined.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/assigndefined.c -o $@
-$(DEST)/bcopywrap.o: $(LIBSRC)/bcopywrap.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/bcopywrap.c -o $@
-$(DEST)/binprint.o: $(LIBSRC)/binprint.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/binprint.c -o $@
-$(DEST)/buildopts.o: $(LIBSRC)/buildopts.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/buildopts.c -o $@
-$(DEST)/connecttcp.o: $(LIBSRC)/connecttcp.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/connecttcp.c -o $@
-$(DEST)/count6bits.o: $(LIBSRC)/count6bits.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/count6bits.c -o $@
-$(DEST)/checkrev.o: $(LIBSRC)/checkrev.c $(INCDEP) $(TOP)/ipl.h
- $(CC) $(CCARGS) -c $(LIBSRC)/checkrev.c -o $@
-$(DEST)/count4bits.o: $(LIBSRC)/count4bits.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/count4bits.c -o $@
-$(DEST)/debug.o: $(LIBSRC)/debug.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/debug.c -o $@
-$(DEST)/dupmbt.o: $(LIBSRC)/dupmbt.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/dupmbt.c -o $@
-$(DEST)/facpri.o: $(LIBSRC)/facpri.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/facpri.c -o $@
-$(DEST)/familyname.o: $(LIBSRC)/familyname.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/familyname.c -o $@
-$(DEST)/fill6bits.o: $(LIBSRC)/fill6bits.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/fill6bits.c -o $@
-$(DEST)/findword.o: $(LIBSRC)/findword.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/findword.c -o $@
-$(DEST)/flags.o: $(LIBSRC)/flags.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/flags.c -o $@
-$(DEST)/freembt.o: $(LIBSRC)/freembt.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/freembt.c -o $@
-$(DEST)/ftov.o: $(LIBSRC)/ftov.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ftov.c -o $@
-$(DEST)/genmask.o: $(LIBSRC)/genmask.c $(INCDEP)
- $(CC) $(CCARGS) -c
$(LIBSRC)/genmask.c -o $@
-$(DEST)/gethost.o: $(LIBSRC)/gethost.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/gethost.c -o $@
-$(DEST)/geticmptype.o: $(LIBSRC)/geticmptype.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/geticmptype.c -o $@
-$(DEST)/getifname.o: $(LIBSRC)/getifname.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/getifname.c -o $@
-$(DEST)/getnattype.o: $(LIBSRC)/getnattype.c $(INCDEP) $(TOP)/ip_nat.h
- $(CC) $(CCARGS) -c $(LIBSRC)/getnattype.c -o $@
-$(DEST)/getport.o: $(LIBSRC)/getport.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/getport.c -o $@
-$(DEST)/getportproto.o: $(LIBSRC)/getportproto.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/getportproto.c -o $@
-$(DEST)/getproto.o: $(LIBSRC)/getproto.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/getproto.c -o $@
-$(DEST)/getsumd.o: $(LIBSRC)/getsumd.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/getsumd.c -o $@
-$(DEST)/hostname.o: $(LIBSRC)/hostname.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/hostname.c -o $@
-$(DEST)/icmpcode.o: $(LIBSRC)/icmpcode.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/icmpcode.c -o $@
-$(DEST)/icmptypename.o: $(LIBSRC)/icmptypename.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/icmptypename.c -o $@
-$(DEST)/icmptypes.o: $(LIBSRC)/icmptypes.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/icmptypes.c -o $@
-$(DEST)/interror.o: $(LIBSRC)/interror.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/interror.c -o $@
-$(DEST)/ipoptsec.o: $(LIBSRC)/ipoptsec.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipoptsec.c -o $@
-$(DEST)/initparse.o: $(LIBSRC)/initparse.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/initparse.c -o $@
-$(DEST)/ionames.o: $(LIBSRC)/ionames.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ionames.c -o $@
-$(DEST)/ipf_dotuning.o: $(LIBSRC)/ipf_dotuning.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipf_dotuning.c -o $@
-$(DEST)/ipf_perror.o: $(LIBSRC)/ipf_perror.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipf_perror.c -o $@
-$(DEST)/ipft_hx.o: $(LIBSRC)/ipft_hx.c $(INCDEP)
- $(CC) $(CCARGS) -c $(LIBSRC)/ipft_hx.c -o $@
-$(DEST)/ipft_pc.o: $(LIBSRC)/ipft_pc.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/ipft_pc.c -o $@ -$(DEST)/ipft_tx.o: $(LIBSRC)/ipft_tx.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/ipft_tx.c -o $@ -$(DEST)/kmem.o: $(LIBSRC)/kmem.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/kmem.c -o $@ -$(DEST)/kmemcpywrap.o: $(LIBSRC)/kmemcpywrap.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/kmemcpywrap.c -o $@ -$(DEST)/kvatoname.o: $(LIBSRC)/kvatoname.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/kvatoname.c -o $@ -$(DEST)/load_file.o: $(LIBSRC)/load_file.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/load_file.c -o $@ -$(DEST)/load_dstlist.o: $(LIBSRC)/load_dstlist.c $(INCDEP) $(TOP)/ip_dstlist.h - $(CC) $(CCARGS) -c $(LIBSRC)/load_dstlist.c -o $@ -$(DEST)/load_dstlistnode.o: $(LIBSRC)/load_dstlistnode.c $(INCDEP) \ - $(TOP)/ip_dstlist.h - $(CC) $(CCARGS) -c $(LIBSRC)/load_dstlistnode.c -o $@ -$(DEST)/load_hash.o: $(LIBSRC)/load_hash.c $(INCDEP) $(TOP)/ip_htable.h - $(CC) $(CCARGS) -c $(LIBSRC)/load_hash.c -o $@ -$(DEST)/load_hashnode.o: $(LIBSRC)/load_hashnode.c $(INCDEP) $(TOP)/ip_htable.h - $(CC) $(CCARGS) -c $(LIBSRC)/load_hashnode.c -o $@ -$(DEST)/load_http.o: $(LIBSRC)/load_http.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/load_http.c -o $@ -$(DEST)/load_pool.o: $(LIBSRC)/load_pool.c $(INCDEP) $(TOP)/ip_pool.h - $(CC) $(CCARGS) -c $(LIBSRC)/load_pool.c -o $@ -$(DEST)/load_poolnode.o: $(LIBSRC)/load_poolnode.c $(INCDEP) $(TOP)/ip_pool.h - $(CC) $(CCARGS) -c $(LIBSRC)/load_poolnode.c -o $@ -$(DEST)/load_url.o: $(LIBSRC)/load_url.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/load_url.c -o $@ -$(DEST)/msgdsize.o: $(LIBSRC)/msgdsize.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/msgdsize.c -o $@ -$(DEST)/mutex_emul.o: $(LIBSRC)/mutex_emul.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/mutex_emul.c -o $@ -$(DEST)/nametokva.o: $(LIBSRC)/nametokva.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/nametokva.c -o $@ -$(DEST)/nat_setgroupmap.o: $(LIBSRC)/nat_setgroupmap.c $(TOP)/ip_compat.h \ - $(TOP)/ipf.h 
$(TOP)/ip_nat.h - $(CC) $(CCARGS) -c $(LIBSRC)/nat_setgroupmap.c -o $@ -$(DEST)/ntomask.o: $(LIBSRC)/ntomask.c $(TOP)/ip_compat.h - $(CC) $(CCARGS) -c $(LIBSRC)/ntomask.c -o $@ -$(DEST)/optname.o: $(LIBSRC)/optname.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/optname.c -o $@ -$(DEST)/optprint.o: $(LIBSRC)/optprint.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/optprint.c -o $@ -$(DEST)/optprintv6.o: $(LIBSRC)/optprintv6.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/optprintv6.c -o $@ -$(DEST)/optvalue.o: $(LIBSRC)/optvalue.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/optvalue.c -o $@ -$(DEST)/parsefields.o: $(LIBSRC)/parsefields.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/parsefields.c -o $@ -$(DEST)/parseipfexpr.o: $(LIBSRC)/parseipfexpr.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/parseipfexpr.c -o $@ -$(DEST)/parsewhoisline.o: $(LIBSRC)/parsewhoisline.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/parsewhoisline.c -o $@ -$(DEST)/poolio.o: $(LIBSRC)/poolio.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/poolio.c -o $@ -$(DEST)/portname.o: $(LIBSRC)/portname.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/portname.c -o $@ -$(DEST)/print_toif.o: $(LIBSRC)/print_toif.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/print_toif.c -o $@ -$(DEST)/printactiveaddr.o: $(LIBSRC)/printactiveaddr.c $(INCDEP) $(TOP)/ip_nat.h - $(CC) $(CCARGS) -c $(LIBSRC)/printactiveaddr.c -o $@ -$(DEST)/printactivenat.o: $(LIBSRC)/printactivenat.c $(INCDEP) $(TOP)/ip_nat.h - $(CC) $(CCARGS) -c $(LIBSRC)/printactivenat.c -o $@ -$(DEST)/printaddr.o: $(LIBSRC)/printaddr.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printaddr.c -o $@ -$(DEST)/printaps.o: $(LIBSRC)/printaps.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printaps.c -o $@ -$(DEST)/printbuf.o: $(LIBSRC)/printbuf.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printbuf.c -o $@ -$(DEST)/printdstlist.o: $(LIBSRC)/printdstlist.c $(INCDEP) $(TOP)/ip_dstlist.h - $(CC) $(CCARGS) -c $(LIBSRC)/printdstlist.c -o $@ -$(DEST)/printdstlistdata.o: $(LIBSRC)/printdstlistdata.c $(INCDEP) \ - 
$(TOP)/ip_dstlist.h - $(CC) $(CCARGS) -c $(LIBSRC)/printdstlistdata.c -o $@ -$(DEST)/printdstlistnode.o: $(LIBSRC)/printdstlistnode.c $(INCDEP) \ - $(TOP)/ip_dstlist.h - $(CC) $(CCARGS) -c $(LIBSRC)/printdstlistnode.c -o $@ -$(DEST)/printdstlistpolicy.o: $(LIBSRC)/printdstlistpolicy.c $(INCDEP) \ - $(TOP)/ip_dstlist.h - $(CC) $(CCARGS) -c $(LIBSRC)/printdstlistpolicy.c -o $@ -$(DEST)/printfieldhdr.o: $(LIBSRC)/printfieldhdr.c $(TOP)/ip_fil.h - $(CC) $(CCARGS) -c $(LIBSRC)/printfieldhdr.c -o $@ -$(DEST)/printfr.o: $(LIBSRC)/printfr.c $(TOP)/ip_fil.h - $(CC) $(CCARGS) -c $(LIBSRC)/printfr.c -o $@ -$(DEST)/printfraginfo.o: $(LIBSRC)/printfraginfo.c $(TOP)/ip_fil.h \ - $(TOP)/ip_frag.h - $(CC) $(CCARGS) -c $(LIBSRC)/printfraginfo.c -o $@ -$(DEST)/printhash.o: $(LIBSRC)/printhash.c $(TOP)/ip_fil.h $(TOP)/ip_htable.h - $(CC) $(CCARGS) -c $(LIBSRC)/printhash.c -o $@ -$(DEST)/printhashdata.o: $(LIBSRC)/printhashdata.c $(TOP)/ip_fil.h \ - $(TOP)/ip_htable.h - $(CC) $(CCARGS) -c $(LIBSRC)/printhashdata.c -o $@ -$(DEST)/printhashnode.o: $(LIBSRC)/printhashnode.c $(TOP)/ip_fil.h \ - $(TOP)/ip_htable.h $(TOP)/ip_lookup.h - $(CC) $(CCARGS) -c $(LIBSRC)/printhashnode.c -o $@ -$(DEST)/printhash_live.o: $(LIBSRC)/printhash_live.c $(TOP)/ip_fil.h \ - $(TOP)/ip_htable.h - $(CC) $(CCARGS) -c $(LIBSRC)/printhash_live.c -o $@ -$(DEST)/printdstl_live.o: $(LIBSRC)/printdstl_live.c $(TOP)/ip_fil.h \ - $(TOP)/ip_dstlist.h - $(CC) $(CCARGS) -c $(LIBSRC)/printdstl_live.c -o $@ -$(DEST)/printip.o: $(LIBSRC)/printip.c $(TOP)/ip_fil.h - $(CC) $(CCARGS) -c $(LIBSRC)/printip.c -o $@ -$(DEST)/printipfexpr.o: $(LIBSRC)/printipfexpr.c $(TOP)/ip_fil.h - $(CC) $(CCARGS) -c $(LIBSRC)/printipfexpr.c -o $@ -$(DEST)/printlookup.o: $(LIBSRC)/printlookup.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printlookup.c -o $@ -$(DEST)/printnataddr.o: $(LIBSRC)/printnataddr.c $(INCDEP) $(TOP)/ip_nat.h - $(CC) $(CCARGS) -c $(LIBSRC)/printnataddr.c -o $@ -$(DEST)/printnatside.o: $(LIBSRC)/printnatside.c $(INCDEP) 
$(TOP)/ip_nat.h - $(CC) $(CCARGS) -c $(LIBSRC)/printnatside.c -o $@ -$(DEST)/printpool.o: $(LIBSRC)/printpool.c $(TOP)/ip_fil.h $(TOP)/ip_pool.h - $(CC) $(CCARGS) -c $(LIBSRC)/printpool.c -o $@ -$(DEST)/printpooldata.o: $(LIBSRC)/printpooldata.c $(TOP)/ip_fil.h \ - $(TOP)/ip_pool.h $(TOP)/ip_lookup.h - $(CC) $(CCARGS) -c $(LIBSRC)/printpooldata.c -o $@ -$(DEST)/printpoolfield.o: $(LIBSRC)/printpoolfield.c $(TOP)/ip_fil.h \ - $(TOP)/ip_pool.h $(TOP)/ip_lookup.h - $(CC) $(CCARGS) -c $(LIBSRC)/printpoolfield.c -o $@ -$(DEST)/printpoolnode.o: $(LIBSRC)/printpoolnode.c $(TOP)/ip_fil.h \ - $(TOP)/ip_pool.h $(TOP)/ip_lookup.h - $(CC) $(CCARGS) -c $(LIBSRC)/printpoolnode.c -o $@ -$(DEST)/printpool_live.o: $(LIBSRC)/printpool_live.c $(TOP)/ip_fil.h \ - $(TOP)/ip_pool.h $(TOP)/ip_lookup.h - $(CC) $(CCARGS) -c $(LIBSRC)/printpool_live.c -o $@ -$(DEST)/printproto.o: $(LIBSRC)/printproto.c $(TOP)/ip_fil.h - $(CC) $(CCARGS) -c $(LIBSRC)/printproto.c -o $@ -$(DEST)/printhost.o: $(LIBSRC)/printhost.c $(TOP)/ip_fil.h - $(CC) $(CCARGS) -c $(LIBSRC)/printhost.c -o $@ -$(DEST)/printhostmap.o: $(LIBSRC)/printhostmap.c $(TOP)/ip_fil.h - $(CC) $(CCARGS) -c $(LIBSRC)/printhostmap.c -o $@ -$(DEST)/printifname.o: $(LIBSRC)/printifname.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printifname.c -o $@ -$(DEST)/printmask.o: $(LIBSRC)/printmask.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printmask.c -o $@ -$(DEST)/printnat.o: $(LIBSRC)/printnat.c $(INCDEP) $(TOP)/ip_nat.h - $(CC) $(CCARGS) -c $(LIBSRC)/printnat.c -o $@ -$(DEST)/printnatfield.o: $(LIBSRC)/printnatfield.c $(INCDEP) $(TOP)/ip_nat.h - $(CC) $(CCARGS) -c $(LIBSRC)/printnatfield.c -o $@ -$(DEST)/printhostmask.o: $(LIBSRC)/printhostmask.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printhostmask.c -o $@ -$(DEST)/printlog.o: $(LIBSRC)/printlog.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printlog.c -o $@ -$(DEST)/printpacket.o: $(LIBSRC)/printpacket.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printpacket.c -o $@ -$(DEST)/printpacket6.o: 
$(LIBSRC)/printpacket6.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printpacket6.c -o $@ -$(DEST)/printportcmp.o: $(LIBSRC)/printportcmp.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printportcmp.c -o $@ -$(DEST)/printsbuf.o: $(LIBSRC)/printsbuf.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printsbuf.c -o $@ -$(DEST)/printstate.o: $(LIBSRC)/printstate.c $(INCDEP) $(TOP)/ip_state.h - $(CC) $(CCARGS) -c $(LIBSRC)/printstate.c -o $@ -$(DEST)/printstatefields.o: $(LIBSRC)/printstatefields.c $(INCDEP) $(TOP)/ip_state.h - $(CC) $(CCARGS) -c $(LIBSRC)/printstatefields.c -o $@ -$(DEST)/printtcpflags.o: $(LIBSRC)/printtcpflags.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printtcpflags.c -o $@ -$(DEST)/printtqtable.o: $(LIBSRC)/printtqtable.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printtqtable.c -o $@ -$(DEST)/printtunable.o: $(LIBSRC)/printtunable.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printtunable.c -o $@ -$(DEST)/printunit.o: $(LIBSRC)/printunit.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/printunit.c -o $@ -$(DEST)/remove_hash.o: $(LIBSRC)/remove_hash.c $(INCDEP) \ - $(TOP)/ip_htable.h - $(CC) $(CCARGS) -c $(LIBSRC)/remove_hash.c -o $@ -$(DEST)/remove_hashnode.o: $(LIBSRC)/remove_hashnode.c $(INCDEP) \ - $(TOP)/ip_htable.h - $(CC) $(CCARGS) -c $(LIBSRC)/remove_hashnode.c -o $@ -$(DEST)/remove_pool.o: $(LIBSRC)/remove_pool.c $(INCDEP) \ - $(TOP)/ip_htable.h - $(CC) $(CCARGS) -c $(LIBSRC)/remove_pool.c -o $@ -$(DEST)/remove_poolnode.o: $(LIBSRC)/remove_poolnode.c $(INCDEP) \ - $(TOP)/ip_htable.h - $(CC) $(CCARGS) -c $(LIBSRC)/remove_poolnode.c -o $@ -$(DEST)/resetlexer.o: $(LIBSRC)/resetlexer.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/resetlexer.c -o $@ -$(DEST)/rwlock_emul.o: $(LIBSRC)/rwlock_emul.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/rwlock_emul.c -o $@ -$(DEST)/tcpflags.o: $(LIBSRC)/tcpflags.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/tcpflags.c -o $@ -$(DEST)/tcp_flags.o: $(LIBSRC)/tcp_flags.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/tcp_flags.c -o $@ -$(DEST)/var.o: 
$(LIBSRC)/var.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/var.c -o $@ -$(DEST)/verbose.o: $(LIBSRC)/verbose.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/verbose.c -o $@ -$(DEST)/save_execute.o: $(LIBSRC)/save_execute.c $(TOP)/ipl.h - $(CC) $(CCARGS) -c $(LIBSRC)/save_execute.c -o $@ -$(DEST)/save_file.o: $(LIBSRC)/save_file.c $(TOP)/ipl.h - $(CC) $(CCARGS) -c $(LIBSRC)/save_file.c -o $@ -$(DEST)/save_nothing.o: $(LIBSRC)/save_nothing.c $(TOP)/ipl.h - $(CC) $(CCARGS) -c $(LIBSRC)/save_nothing.c -o $@ -$(DEST)/save_syslog.o: $(LIBSRC)/save_syslog.c $(TOP)/ipl.h - $(CC) $(CCARGS) -c $(LIBSRC)/save_syslog.c -o $@ -$(DEST)/vtof.o: $(LIBSRC)/vtof.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/vtof.c -o $@ -$(DEST)/save_v1trap.o: $(LIBSRC)/save_v1trap.c $(TOP)/ipl.h - $(CC) $(CCARGS) -c $(LIBSRC)/save_v1trap.c -o $@ -$(DEST)/save_v2trap.o: $(LIBSRC)/save_v2trap.c $(TOP)/ipl.h - $(CC) $(CCARGS) -c $(LIBSRC)/save_v2trap.c -o $@ -$(DEST)/v6ionames.o: $(LIBSRC)/v6ionames.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/v6ionames.c -o $@ -$(DEST)/v6optvalue.o: $(LIBSRC)/v6optvalue.c $(INCDEP) - $(CC) $(CCARGS) -c $(LIBSRC)/v6optvalue.c -o $@ - -clean-lib: - /bin/rm -f ${LIBOBJS} ${LIB} diff --git a/contrib/ipfilter/man/Makefile b/contrib/ipfilter/man/Makefile deleted file mode 100644 index 04e97fb30365..000000000000 --- a/contrib/ipfilter/man/Makefile +++ /dev/null 
@@ -1,31 +0,0 @@
-#
-# Copyright (C) 2012 by Darren Reed.
-#
-# See the IPFILTER.LICENCE file for details on licencing.
-#
-# $FreeBSD$
-#
-
-all:
-
-install:
- $(INSTALL) -m 0644 -c -o root -g bin mkfilters.1 $(MANDIR)/man1
- $(INSTALL) -m 0644 -c -o root -g bin ipftest.1 $(MANDIR)/man1
- $(INSTALL) -m 0644 -c -o root -g bin ipnat.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipf.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipfilter.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipl.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipnat.4 $(MANDIR)/man4
- $(INSTALL) -m 0644 -c -o root -g bin ipf.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipfilter.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipnat.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipf.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipfs.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipmon.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipmon.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ippool.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ippool.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipscan.8 $(MANDIR)/man8
- $(INSTALL) -m 0644 -c -o root -g bin ipscan.5 $(MANDIR)/man5
- $(INSTALL) -m 0644 -c -o root -g bin ipfstat.8 $(MANDIR)/man8
- @echo "Remember to rebuild the whatis database."
diff --git a/contrib/ipfilter/man/ipfilter.4.mandoc b/contrib/ipfilter/man/ipfilter.4.mandoc
deleted file mode 100644
index 22e1f36450b6..000000000000
--- a/contrib/ipfilter/man/ipfilter.4.mandoc
+++ /dev/null
@@ -1,267 +0,0 @@ -.Dd December 8, 2000 -.Dt IP\ FILTER 4 -.Os -.Sh NAME -.Nm IP Filter -.Nd Introduction to IP packet filtering -.Sh DESCRIPTION -IP Filter is a TCP/IP packet filter, suitable for use in a firewall -environment. To use, it can either be used as a loadable kernel module or -incorporated into your UNIX kernel; use as a loadable kernel module where -possible is highly recommended. Scripts are provided to install and patch -system files, as required. -.Sh FEATURES -The IP packet filter can: -.Bl -bullet -offset indent -compact -.It -explicitly deny/permit any packet from passing through -.It -distinguish between various interfaces -.It -filter by IP networks or hosts -.It -selectively filter any IP protocol -.It -selectively filter fragmented IP packets -.It -selectively filter packets with IP options -.It -send back an ICMP error/TCP reset for blocked packets -.It -keep packet state information for TCP, UDP and ICMP packet flows -.It -keep fragment state information for any IP packet, applying the same rule -to all fragments. -.It -act as a Network Address Translator (NAT) -.It -use redirection to setup true transparent proxy connections -.It -provide packet header details to a user program for authentication -.It -in addition, supports temporary storage of pre-authenticated rules for passing packets through -.El -.Pp -Special provision is made for the three most common Internet protocols, TCP, -UDP and ICMP. 
The IP Packet filter allows filtering of: -.Bl -bullet -offset indent -compact -.It -Inverted host/net matchingTCP/UDP packets by port number or a port number -range -.It -ICMP packets by type/code -.It -"established" TCP packets -.It -On any arbitrary combination of TCP flags -.It -"short" (fragmented) IP packets with incomplete headers can be filtered -.It -any of the 19 IP options or 8 registered IP security classes TOS (Type of -Service) field in packets -.El -.Pp -To keep track of the performance of the IP packet filter, a logging device -is used which supports logging of: -.Bl -bullet -offset indent -compact -.It -the TCP/UDP/ICMP and IP packet headers -.It -the first 128 bytes of the packet (including headers) -.El -.Pp -A packet can be logged when: -.Bl -bullet -offset indent -compact -.It -it is successfully passed through -.It -it is blocked from passing through -.It -it matches a rule setup to look for suspicious packets -.El -.Pp -IP Filter keeps its own set of statistics on: -.Bl -bullet -offset indent -compact -.It -packets blocked -.It -packets (and bytes!) used for accounting -.It -packets passed -.li -packets logged -.It -attempts to log which failed (buffer full) -.El -and much more, for packets going both in and out. - -.Sh Tools -The current implementation provides a small set of tools, which can easily -be used and integrated with regular unix shells and tools. A brief description -of the tools provided: -.Pp -.Xr ipf 8 -reads in a set of rules, from either stdin or a file, and adds them to -the kernels current list (appending them). It can also be used to flush the -current filter set or delete individual filter rules. The file format is -described in -.Xr ipf 5 . -.Pp -.Xr ipfs 8 -is a utility to temporarily lock the IP Filter kernel tables (state tables -and NAT mappings) and write them to disk. After that the system can be -rebooted, and ipfs can be used to read these tables from disk and restore -them into the kernel. 
This way the system can be rebooted without the -connections being terminated. -.Pp -.Xr ipfstat 8 -interrogates the kernel for statistics on packet filtering, so -far, and retrieves the list of filters in operation for inbound and outbound -packets. -.Pp -.Xr ipftest 1 -reads in a filter rule file and then applies sample IP packets to -the rule file. This allows for testing of filter list and examination of how -a packet is passed along through it. -.Pp -.Xr ipmon 8 -reads buffered data from the logging device (default is /dev/ipl) -for output to either: -.Bl -bullet -offset indent -compact -.It -screen (standard output) -.It -file -.It -syslog -.El -.Pp -.Xr ipsend 1 -generates arbitary IP packets for ethernet connected machines. -.Pp -.Xr ipresend 1 -reads in a data file of saved IP packets (ie -snoop/tcpdump/etherfind output) and sends it back across the network. -.Pp -.Xr iptest 1 -contains a set of test "programs" which send out a series of IP -packets, aimed at testing the strength of the TCP/IP stack at which it is -aimed at. WARNING: this may crash machine(s) targeted! -.Pp -.Xr ipnat 8 -reads in a set of rules, from either stdin or a file and adds them -to the kernels current list of active NAT rules. NAT rules can also be -deleted using ipnat. The format of the configuration file to be used -with ipnat is described in -.Xr ipnat 5 . -.Pp -For use in your own programs (e.g. for writing of transparent application -proxies), the programming interface and the associated ioctl's are -documented in -.Xr ipf 4 . - -Documentation on ioctl's and the format of data saved -to the logging character device is provided in -.Xr ipl 4 -so that you may develop your own applications to work with or in place of any -of the above. - -Similar, the interface to the NAT code is documented in -.Xr ipnat 4 . - -.Sh PACKET PROCESSING FLOW -The following diagram illustrates the flow of TCP/IP packets through the -various stages introduced by IP Filter. 
-.Pp -.nf - IN - | - V - +-------------------------+--------------------------+ - | | | - | V | - | Network Address Translation | - | | | - | authenticated | | - | +-------<---------+ | - | | | | - | | V | - | V IP Accounting | - | | | | - | | V | - | | Fragment Cache Check--+ | - | | | | | - | V V V | - | | Packet State Check-->+ | - | | | | | - | | +->--+ | | | - | | | | V | | - | V groups IP Filtering V | - | | | | | | | - | | +--<-+ | | | - | | | | | - | +---------------->|<-----------+ | - | | | - | V | - | +---<----+ | - | | | | - | function | | - | | V | - | +--->----+ | - | | | - | V | - +--|---<--- fast-route ---<--+ | - | | | | - | | V | - | +-------------------------+--------------------------+ - | | - | pass only - | | - | V - V [KERNEL TCP/IP Processing] - | | - | +-------------------------+--------------------------+ - | | | | - | | V | - | | Fragment Cache Check--+ | - | | | | | - | | V V | - | | Packet State Check-->+ | - | | | | | - | | V | | - V | IP Filtering | | - | | | V | - | | |<-----------+ | - | | V | - | | IP Accounting | - | | | | - | | V | - | | Network Address Translation | - | | | | - | | V | - | +-------------------------+--------------------------+ - | | - | pass only - V | - +--------------------------->| - V - OUT -.fi - -.Sh MORE INFORMATION -More information (including pointers to the FAQ and the mailing list) can be -obtained from the sofware's official homepage: www.ipfilter.org - -.Sh SEE ALSO -.Xr ipf 4 , -.Xr ipf 5 , -.Xr ipf 8 , -.Xr ipfilter 5 , -.Xr ipfs 8 , -.Xr ipfstat 8 , -.Xr ipftest 1 , -.Xr ipl 4 , -.Xr ipmon 8 , -.Xr ipnat 4 , -.Xr ipnat 8 , - diff --git a/contrib/ipfilter/opt_inet6.h b/contrib/ipfilter/opt_inet6.h deleted file mode 100644 index 43e7657e1ae3..000000000000 --- a/contrib/ipfilter/opt_inet6.h +++ /dev/null @@ -1 +0,0 @@ -#define INET6 diff --git a/contrib/ipfilter/snoop.h b/contrib/ipfilter/snoop.h deleted file mode 100644 index 74bc2470aefc..000000000000 --- a/contrib/ipfilter/snoop.h +++ /dev/null 
@@ -1,47 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2012 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-#ifndef __SNOOP_H__
-#define __SNOOP_H__
-
-/*
- * written to comply with the RFC (1761) from Sun.
- * $Id$
- */
-struct snoophdr {
- char s_id[8];
- int s_v;
- int s_type;
-};
-
-#define SNOOP_VERSION 2
-
-#define SDL_8023 0
-#define SDL_8024 1
-#define SDL_8025 2
-#define SDL_8026 3
-#define SDL_ETHER 4
-#define SDL_HDLC 5
-#define SDL_CHSYNC 6
-#define SDL_IBMCC 7
-#define SDL_FDDI 8
-#define SDL_OTHER 9
-
-#define SDL_MAX 9
-
-
-struct snooppkt {
- int sp_olen;
- int sp_ilen;
- int sp_plen;
- int sp_drop;
- int sp_sec;
- int sp_usec;
-};
-
-#endif /* __SNOOP_H__ */
diff --git a/contrib/ipfilter/sys/tree.h b/contrib/ipfilter/sys/tree.h
deleted file mode 100644
index 585588544951..000000000000
--- a/contrib/ipfilter/sys/tree.h
+++ /dev/null
@@ -1,750 +0,0 @@ -/* $NetBSD: tree.h,v 1.8 2004/03/28 19:38:30 provos Exp $ */ -/* $OpenBSD: tree.h,v 1.7 2002/10/17 21:51:54 art Exp $ */ -/* $FreeBSD: src/sys/sys/tree.h,v 1.7 2007/12/28 07:03:26 jasone Exp $ */ - -/*- - * Copyright 2002 Niels Provos - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef _SYS_TREE_H_ -#define _SYS_TREE_H_ - -/* - * This file defines data structures for different types of trees: - * splay trees and red-black trees. - * - * A splay tree is a self-organizing data structure. Every operation - * on the tree causes a splay to happen. The splay moves the requested - * node to the root of the tree and partly rebalances it. 
- * - * This has the benefit that request locality causes faster lookups as - * the requested nodes move to the top of the tree. On the other hand, - * every lookup causes memory writes. - * - * The Balance Theorem bounds the total access time for m operations - * and n inserts on an initially empty tree as O((m + n)lg n). The - * amortized cost for a sequence of m accesses to a splay tree is O(lg n); - * - * A red-black tree is a binary search tree with the node color as an - * extra attribute. It fulfills a set of conditions: - * - every search path from the root to a leaf consists of the - * same number of black nodes, - * - each red node (except for the root) has a black parent, - * - each leaf node is black. - * - * Every operation on a red-black tree is bounded as O(lg n). - * The maximum height of a red-black tree is 2lg (n+1). - */ - -#define SPLAY_HEAD(name, type) \ -struct name { \ - struct type *sph_root; /* root of the tree */ \ -} - -#define SPLAY_INITIALIZER(root) \ - { NULL } - -#define SPLAY_INIT(root) do { \ - (root)->sph_root = NULL; \ -} while (/*CONSTCOND*/ 0) - -#define SPLAY_ENTRY(type) \ -struct { \ - struct type *spe_left; /* left element */ \ - struct type *spe_right; /* right element */ \ -} - -#define SPLAY_LEFT(elm, field) (elm)->field.spe_left -#define SPLAY_RIGHT(elm, field) (elm)->field.spe_right -#define SPLAY_ROOT(head) (head)->sph_root -#define SPLAY_EMPTY(head) (SPLAY_ROOT(head) == NULL) - -/* SPLAY_ROTATE_{LEFT,RIGHT} expect that tmp hold SPLAY_{RIGHT,LEFT} */ -#define SPLAY_ROTATE_RIGHT(head, tmp, field) do { \ - SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(tmp, field); \ - SPLAY_RIGHT(tmp, field) = (head)->sph_root; \ - (head)->sph_root = tmp; \ -} while (/*CONSTCOND*/ 0) - -#define SPLAY_ROTATE_LEFT(head, tmp, field) do { \ - SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(tmp, field); \ - SPLAY_LEFT(tmp, field) = (head)->sph_root; \ - (head)->sph_root = tmp; \ -} while (/*CONSTCOND*/ 0) - -#define SPLAY_LINKLEFT(head, 
tmp, field) do { \ - SPLAY_LEFT(tmp, field) = (head)->sph_root; \ - tmp = (head)->sph_root; \ - (head)->sph_root = SPLAY_LEFT((head)->sph_root, field); \ -} while (/*CONSTCOND*/ 0) - -#define SPLAY_LINKRIGHT(head, tmp, field) do { \ - SPLAY_RIGHT(tmp, field) = (head)->sph_root; \ - tmp = (head)->sph_root; \ - (head)->sph_root = SPLAY_RIGHT((head)->sph_root, field); \ -} while (/*CONSTCOND*/ 0) - -#define SPLAY_ASSEMBLE(head, node, left, right, field) do { \ - SPLAY_RIGHT(left, field) = SPLAY_LEFT((head)->sph_root, field); \ - SPLAY_LEFT(right, field) = SPLAY_RIGHT((head)->sph_root, field);\ - SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(node, field); \ - SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(node, field); \ -} while (/*CONSTCOND*/ 0) - -/* Generates prototypes and inline functions */ - -#define SPLAY_PROTOTYPE(name, type, field, cmp) \ -void name##_SPLAY(struct name *, struct type *); \ -void name##_SPLAY_MINMAX(struct name *, int); \ -struct type *name##_SPLAY_INSERT(struct name *, struct type *); \ -struct type *name##_SPLAY_REMOVE(struct name *, struct type *); \ - \ -/* Finds the node with the same key as elm */ \ -static __inline struct type * \ -name##_SPLAY_FIND(struct name *head, struct type *elm) \ -{ \ - if (SPLAY_EMPTY(head)) \ - return(NULL); \ - name##_SPLAY(head, elm); \ - if ((cmp)(elm, (head)->sph_root) == 0) \ - return (head->sph_root); \ - return (NULL); \ -} \ - \ -static __inline struct type * \ -name##_SPLAY_NEXT(struct name *head, struct type *elm) \ -{ \ - name##_SPLAY(head, elm); \ - if (SPLAY_RIGHT(elm, field) != NULL) { \ - elm = SPLAY_RIGHT(elm, field); \ - while (SPLAY_LEFT(elm, field) != NULL) { \ - elm = SPLAY_LEFT(elm, field); \ - } \ - } else \ - elm = NULL; \ - return (elm); \ -} \ - \ -static __inline struct type * \ -name##_SPLAY_MIN_MAX(struct name *head, int val) \ -{ \ - name##_SPLAY_MINMAX(head, val); \ - return (SPLAY_ROOT(head)); \ -} - -/* Main splay operation. 
- * Moves node close to the key of elm to top - */ -#define SPLAY_GENERATE(name, type, field, cmp) \ -struct type * \ -name##_SPLAY_INSERT(struct name *head, struct type *elm) \ -{ \ - if (SPLAY_EMPTY(head)) { \ - SPLAY_LEFT(elm, field) = SPLAY_RIGHT(elm, field) = NULL; \ - } else { \ - int __comp; \ - name##_SPLAY(head, elm); \ - __comp = (cmp)(elm, (head)->sph_root); \ - if(__comp < 0) { \ - SPLAY_LEFT(elm, field) = SPLAY_LEFT((head)->sph_root, field);\ - SPLAY_RIGHT(elm, field) = (head)->sph_root; \ - SPLAY_LEFT((head)->sph_root, field) = NULL; \ - } else if (__comp > 0) { \ - SPLAY_RIGHT(elm, field) = SPLAY_RIGHT((head)->sph_root, field);\ - SPLAY_LEFT(elm, field) = (head)->sph_root; \ - SPLAY_RIGHT((head)->sph_root, field) = NULL; \ - } else \ - return ((head)->sph_root); \ - } \ - (head)->sph_root = (elm); \ - return (NULL); \ -} \ - \ -struct type * \ -name##_SPLAY_REMOVE(struct name *head, struct type *elm) \ -{ \ - struct type *__tmp; \ - if (SPLAY_EMPTY(head)) \ - return (NULL); \ - name##_SPLAY(head, elm); \ - if ((cmp)(elm, (head)->sph_root) == 0) { \ - if (SPLAY_LEFT((head)->sph_root, field) == NULL) { \ - (head)->sph_root = SPLAY_RIGHT((head)->sph_root, field);\ - } else { \ - __tmp = SPLAY_RIGHT((head)->sph_root, field); \ - (head)->sph_root = SPLAY_LEFT((head)->sph_root, field);\ - name##_SPLAY(head, elm); \ - SPLAY_RIGHT((head)->sph_root, field) = __tmp; \ - } \ - return (elm); \ - } \ - return (NULL); \ -} \ - \ -void \ -name##_SPLAY(struct name *head, struct type *elm) \ -{ \ - struct type __node, *__left, *__right, *__tmp; \ - int __comp; \ -\ - SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\ - __left = __right = &__node; \ -\ - while ((__comp = (cmp)(elm, (head)->sph_root)) != 0) { \ - if (__comp < 0) { \ - __tmp = SPLAY_LEFT((head)->sph_root, field); \ - if (__tmp == NULL) \ - break; \ - if ((cmp)(elm, __tmp) < 0){ \ - SPLAY_ROTATE_RIGHT(head, __tmp, field); \ - if (SPLAY_LEFT((head)->sph_root, field) == NULL)\ - break; \ - } 
\ - SPLAY_LINKLEFT(head, __right, field); \ - } else if (__comp > 0) { \ - __tmp = SPLAY_RIGHT((head)->sph_root, field); \ - if (__tmp == NULL) \ - break; \ - if ((cmp)(elm, __tmp) > 0){ \ - SPLAY_ROTATE_LEFT(head, __tmp, field); \ - if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\ - break; \ - } \ - SPLAY_LINKRIGHT(head, __left, field); \ - } \ - } \ - SPLAY_ASSEMBLE(head, &__node, __left, __right, field); \ -} \ - \ -/* Splay with either the minimum or the maximum element \ - * Used to find minimum or maximum element in tree. \ - */ \ -void name##_SPLAY_MINMAX(struct name *head, int __comp) \ -{ \ - struct type __node, *__left, *__right, *__tmp; \ -\ - SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\ - __left = __right = &__node; \ -\ - while (1) { \ - if (__comp < 0) { \ - __tmp = SPLAY_LEFT((head)->sph_root, field); \ - if (__tmp == NULL) \ - break; \ - if (__comp < 0){ \ - SPLAY_ROTATE_RIGHT(head, __tmp, field); \ - if (SPLAY_LEFT((head)->sph_root, field) == NULL)\ - break; \ - } \ - SPLAY_LINKLEFT(head, __right, field); \ - } else if (__comp > 0) { \ - __tmp = SPLAY_RIGHT((head)->sph_root, field); \ - if (__tmp == NULL) \ - break; \ - if (__comp > 0) { \ - SPLAY_ROTATE_LEFT(head, __tmp, field); \ - if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\ - break; \ - } \ - SPLAY_LINKRIGHT(head, __left, field); \ - } \ - } \ - SPLAY_ASSEMBLE(head, &__node, __left, __right, field); \ -} - -#define SPLAY_NEGINF -1 -#define SPLAY_INF 1 - -#define SPLAY_INSERT(name, x, y) name##_SPLAY_INSERT(x, y) -#define SPLAY_REMOVE(name, x, y) name##_SPLAY_REMOVE(x, y) -#define SPLAY_FIND(name, x, y) name##_SPLAY_FIND(x, y) -#define SPLAY_NEXT(name, x, y) name##_SPLAY_NEXT(x, y) -#define SPLAY_MIN(name, x) (SPLAY_EMPTY(x) ? NULL \ - : name##_SPLAY_MIN_MAX(x, SPLAY_NEGINF)) -#define SPLAY_MAX(name, x) (SPLAY_EMPTY(x) ? 
NULL \ - : name##_SPLAY_MIN_MAX(x, SPLAY_INF)) - -#define SPLAY_FOREACH(x, name, head) \ - for ((x) = SPLAY_MIN(name, head); \ - (x) != NULL; \ - (x) = SPLAY_NEXT(name, head, x)) - -/* Macros that define a red-black tree */ -#define RB_HEAD(name, type) \ -struct name { \ - struct type *rbh_root; /* root of the tree */ \ -} - -#define RB_INITIALIZER(root) \ - { NULL } - -#define RB_INIT(root) do { \ - (root)->rbh_root = NULL; \ -} while (/*CONSTCOND*/ 0) - -/* - * Undef for Linux - */ -#undef RB_BLACK -#undef RB_RED -#undef RB_ROOT - -#define RB_BLACK 0 -#define RB_RED 1 -#define RB_ENTRY(type) \ -struct { \ - struct type *rbe_left; /* left element */ \ - struct type *rbe_right; /* right element */ \ - struct type *rbe_parent; /* parent element */ \ - int rbe_color; /* node color */ \ -} - -#define RB_LEFT(elm, field) (elm)->field.rbe_left -#define RB_RIGHT(elm, field) (elm)->field.rbe_right -#define RB_PARENT(elm, field) (elm)->field.rbe_parent -#define RB_COLOR(elm, field) (elm)->field.rbe_color -#define RB_ROOT(head) (head)->rbh_root -#define RB_EMPTY(head) (RB_ROOT(head) == NULL) - -#define RB_SET(elm, parent, field) do { \ - RB_PARENT(elm, field) = parent; \ - RB_LEFT(elm, field) = RB_RIGHT(elm, field) = NULL; \ - RB_COLOR(elm, field) = RB_RED; \ -} while (/*CONSTCOND*/ 0) - -#define RB_SET_BLACKRED(black, red, field) do { \ - RB_COLOR(black, field) = RB_BLACK; \ - RB_COLOR(red, field) = RB_RED; \ -} while (/*CONSTCOND*/ 0) - -#ifndef RB_AUGMENT -#define RB_AUGMENT(x) do {} while (0) -#endif - -#define RB_ROTATE_LEFT(head, elm, tmp, field) do { \ - (tmp) = RB_RIGHT(elm, field); \ - if ((RB_RIGHT(elm, field) = RB_LEFT(tmp, field)) != NULL) { \ - RB_PARENT(RB_LEFT(tmp, field), field) = (elm); \ - } \ - RB_AUGMENT(elm); \ - if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field)) != NULL) { \ - if ((elm) == RB_LEFT(RB_PARENT(elm, field), field)) \ - RB_LEFT(RB_PARENT(elm, field), field) = (tmp); \ - else \ - RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \ - } else \ 
- (head)->rbh_root = (tmp); \ - RB_LEFT(tmp, field) = (elm); \ - RB_PARENT(elm, field) = (tmp); \ - RB_AUGMENT(tmp); \ - if ((RB_PARENT(tmp, field))) \ - RB_AUGMENT(RB_PARENT(tmp, field)); \ -} while (/*CONSTCOND*/ 0) - -#define RB_ROTATE_RIGHT(head, elm, tmp, field) do { \ - (tmp) = RB_LEFT(elm, field); \ - if ((RB_LEFT(elm, field) = RB_RIGHT(tmp, field)) != NULL) { \ - RB_PARENT(RB_RIGHT(tmp, field), field) = (elm); \ - } \ - RB_AUGMENT(elm); \ - if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field)) != NULL) { \ - if ((elm) == RB_LEFT(RB_PARENT(elm, field), field)) \ - RB_LEFT(RB_PARENT(elm, field), field) = (tmp); \ - else \ - RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \ - } else \ - (head)->rbh_root = (tmp); \ - RB_RIGHT(tmp, field) = (elm); \ - RB_PARENT(elm, field) = (tmp); \ - RB_AUGMENT(tmp); \ - if ((RB_PARENT(tmp, field))) \ - RB_AUGMENT(RB_PARENT(tmp, field)); \ -} while (/*CONSTCOND*/ 0) - -/* Generates prototypes and inline functions */ -#define RB_PROTOTYPE(name, type, field, cmp) \ - RB_PROTOTYPE_INTERNAL(name, type, field, cmp,) -#define RB_PROTOTYPE_STATIC(name, type, field, cmp) \ - RB_PROTOTYPE_INTERNAL(name, type, field, cmp, __unused static) -#define RB_PROTOTYPE_INTERNAL(name, type, field, cmp, attr) \ -attr void name##_RB_INSERT_COLOR(struct name *, struct type *); \ -attr void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\ -attr struct type *name##_RB_REMOVE(struct name *, struct type *); \ -attr struct type *name##_RB_INSERT(struct name *, struct type *); \ -attr struct type *name##_RB_FIND(struct name *, struct type *); \ -attr struct type *name##_RB_NFIND(struct name *, struct type *); \ -attr struct type *name##_RB_NEXT(struct type *); \ -attr struct type *name##_RB_PREV(struct type *); \ -attr struct type *name##_RB_MINMAX(struct name *, int); \ - \ - -/* Main rb operation. 
- * Moves node close to the key of elm to top - */ -#define RB_GENERATE(name, type, field, cmp) \ - RB_GENERATE_INTERNAL(name, type, field, cmp,) -#define RB_GENERATE_STATIC(name, type, field, cmp) \ - RB_GENERATE_INTERNAL(name, type, field, cmp, __unused static) -#define RB_GENERATE_INTERNAL(name, type, field, cmp, attr) \ -attr void \ -name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \ -{ \ - struct type *parent, *gparent, *tmp; \ - while ((parent = RB_PARENT(elm, field)) != NULL && \ - RB_COLOR(parent, field) == RB_RED) { \ - gparent = RB_PARENT(parent, field); \ - if (parent == RB_LEFT(gparent, field)) { \ - tmp = RB_RIGHT(gparent, field); \ - if (tmp && RB_COLOR(tmp, field) == RB_RED) { \ - RB_COLOR(tmp, field) = RB_BLACK; \ - RB_SET_BLACKRED(parent, gparent, field);\ - elm = gparent; \ - continue; \ - } \ - if (RB_RIGHT(parent, field) == elm) { \ - RB_ROTATE_LEFT(head, parent, tmp, field);\ - tmp = parent; \ - parent = elm; \ - elm = tmp; \ - } \ - RB_SET_BLACKRED(parent, gparent, field); \ - RB_ROTATE_RIGHT(head, gparent, tmp, field); \ - } else { \ - tmp = RB_LEFT(gparent, field); \ - if (tmp && RB_COLOR(tmp, field) == RB_RED) { \ - RB_COLOR(tmp, field) = RB_BLACK; \ - RB_SET_BLACKRED(parent, gparent, field);\ - elm = gparent; \ - continue; \ - } \ - if (RB_LEFT(parent, field) == elm) { \ - RB_ROTATE_RIGHT(head, parent, tmp, field);\ - tmp = parent; \ - parent = elm; \ - elm = tmp; \ - } \ - RB_SET_BLACKRED(parent, gparent, field); \ - RB_ROTATE_LEFT(head, gparent, tmp, field); \ - } \ - } \ - RB_COLOR(head->rbh_root, field) = RB_BLACK; \ -} \ - \ -attr void \ -name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \ -{ \ - struct type *tmp; \ - while ((elm == NULL || RB_COLOR(elm, field) == RB_BLACK) && \ - elm != RB_ROOT(head)) { \ - if (RB_LEFT(parent, field) == elm) { \ - tmp = RB_RIGHT(parent, field); \ - if (RB_COLOR(tmp, field) == RB_RED) { \ - RB_SET_BLACKRED(tmp, parent, field); \ - RB_ROTATE_LEFT(head, parent, 
tmp, field);\ - tmp = RB_RIGHT(parent, field); \ - } \ - if ((RB_LEFT(tmp, field) == NULL || \ - RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\ - (RB_RIGHT(tmp, field) == NULL || \ - RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\ - RB_COLOR(tmp, field) = RB_RED; \ - elm = parent; \ - parent = RB_PARENT(elm, field); \ - } else { \ - if (RB_RIGHT(tmp, field) == NULL || \ - RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK) {\ - struct type *oleft; \ - if ((oleft = RB_LEFT(tmp, field)) \ - != NULL) \ - RB_COLOR(oleft, field) = RB_BLACK;\ - RB_COLOR(tmp, field) = RB_RED; \ - RB_ROTATE_RIGHT(head, tmp, oleft, field);\ - tmp = RB_RIGHT(parent, field); \ - } \ - RB_COLOR(tmp, field) = RB_COLOR(parent, field);\ - RB_COLOR(parent, field) = RB_BLACK; \ - if (RB_RIGHT(tmp, field)) \ - RB_COLOR(RB_RIGHT(tmp, field), field) = RB_BLACK;\ - RB_ROTATE_LEFT(head, parent, tmp, field);\ - elm = RB_ROOT(head); \ - break; \ - } \ - } else { \ - tmp = RB_LEFT(parent, field); \ - if (RB_COLOR(tmp, field) == RB_RED) { \ - RB_SET_BLACKRED(tmp, parent, field); \ - RB_ROTATE_RIGHT(head, parent, tmp, field);\ - tmp = RB_LEFT(parent, field); \ - } \ - if ((RB_LEFT(tmp, field) == NULL || \ - RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\ - (RB_RIGHT(tmp, field) == NULL || \ - RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\ - RB_COLOR(tmp, field) = RB_RED; \ - elm = parent; \ - parent = RB_PARENT(elm, field); \ - } else { \ - if (RB_LEFT(tmp, field) == NULL || \ - RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) {\ - struct type *oright; \ - if ((oright = RB_RIGHT(tmp, field)) \ - != NULL) \ - RB_COLOR(oright, field) = RB_BLACK;\ - RB_COLOR(tmp, field) = RB_RED; \ - RB_ROTATE_LEFT(head, tmp, oright, field);\ - tmp = RB_LEFT(parent, field); \ - } \ - RB_COLOR(tmp, field) = RB_COLOR(parent, field);\ - RB_COLOR(parent, field) = RB_BLACK; \ - if (RB_LEFT(tmp, field)) \ - RB_COLOR(RB_LEFT(tmp, field), field) = RB_BLACK;\ - RB_ROTATE_RIGHT(head, parent, tmp, field);\ - 
elm = RB_ROOT(head); \ - break; \ - } \ - } \ - } \ - if (elm) \ - RB_COLOR(elm, field) = RB_BLACK; \ -} \ - \ -attr struct type * \ -name##_RB_REMOVE(struct name *head, struct type *elm) \ -{ \ - struct type *child, *parent, *old = elm; \ - int color; \ - if (RB_LEFT(elm, field) == NULL) \ - child = RB_RIGHT(elm, field); \ - else if (RB_RIGHT(elm, field) == NULL) \ - child = RB_LEFT(elm, field); \ - else { \ - struct type *left; \ - elm = RB_RIGHT(elm, field); \ - while ((left = RB_LEFT(elm, field)) != NULL) \ - elm = left; \ - child = RB_RIGHT(elm, field); \ - parent = RB_PARENT(elm, field); \ - color = RB_COLOR(elm, field); \ - if (child) \ - RB_PARENT(child, field) = parent; \ - if (parent) { \ - if (RB_LEFT(parent, field) == elm) \ - RB_LEFT(parent, field) = child; \ - else \ - RB_RIGHT(parent, field) = child; \ - RB_AUGMENT(parent); \ - } else \ - RB_ROOT(head) = child; \ - if (RB_PARENT(elm, field) == old) \ - parent = elm; \ - (elm)->field = (old)->field; \ - if (RB_PARENT(old, field)) { \ - if (RB_LEFT(RB_PARENT(old, field), field) == old)\ - RB_LEFT(RB_PARENT(old, field), field) = elm;\ - else \ - RB_RIGHT(RB_PARENT(old, field), field) = elm;\ - RB_AUGMENT(RB_PARENT(old, field)); \ - } else \ - RB_ROOT(head) = elm; \ - RB_PARENT(RB_LEFT(old, field), field) = elm; \ - if (RB_RIGHT(old, field)) \ - RB_PARENT(RB_RIGHT(old, field), field) = elm; \ - if (parent) { \ - left = parent; \ - do { \ - RB_AUGMENT(left); \ - } while ((left = RB_PARENT(left, field)) != NULL); \ - } \ - goto color; \ - } \ - parent = RB_PARENT(elm, field); \ - color = RB_COLOR(elm, field); \ - if (child) \ - RB_PARENT(child, field) = parent; \ - if (parent) { \ - if (RB_LEFT(parent, field) == elm) \ - RB_LEFT(parent, field) = child; \ - else \ - RB_RIGHT(parent, field) = child; \ - RB_AUGMENT(parent); \ - } else \ - RB_ROOT(head) = child; \ -color: \ - if (color == RB_BLACK) \ - name##_RB_REMOVE_COLOR(head, parent, child); \ - return (old); \ -} \ - \ -/* Inserts a node into the RB tree 
*/ \ -attr struct type * \ -name##_RB_INSERT(struct name *head, struct type *elm) \ -{ \ - struct type *tmp; \ - struct type *parent = NULL; \ - int comp = 0; \ - tmp = RB_ROOT(head); \ - while (tmp) { \ - parent = tmp; \ - comp = (cmp)(elm, parent); \ - if (comp < 0) \ - tmp = RB_LEFT(tmp, field); \ - else if (comp > 0) \ - tmp = RB_RIGHT(tmp, field); \ - else \ - return (tmp); \ - } \ - RB_SET(elm, parent, field); \ - if (parent != NULL) { \ - if (comp < 0) \ - RB_LEFT(parent, field) = elm; \ - else \ - RB_RIGHT(parent, field) = elm; \ - RB_AUGMENT(parent); \ - } else \ - RB_ROOT(head) = elm; \ - name##_RB_INSERT_COLOR(head, elm); \ - return (NULL); \ -} \ - \ -/* Finds the node with the same key as elm */ \ -attr struct type * \ -name##_RB_FIND(struct name *head, struct type *elm) \ -{ \ - struct type *tmp = RB_ROOT(head); \ - int comp; \ - while (tmp) { \ - comp = cmp(elm, tmp); \ - if (comp < 0) \ - tmp = RB_LEFT(tmp, field); \ - else if (comp > 0) \ - tmp = RB_RIGHT(tmp, field); \ - else \ - return (tmp); \ - } \ - return (NULL); \ -} \ - \ -/* Finds the first node greater than or equal to the search key */ \ -attr struct type * \ -name##_RB_NFIND(struct name *head, struct type *elm) \ -{ \ - struct type *tmp = RB_ROOT(head); \ - struct type *res = NULL; \ - int comp; \ - while (tmp) { \ - comp = cmp(elm, tmp); \ - if (comp < 0) { \ - res = tmp; \ - tmp = RB_LEFT(tmp, field); \ - } \ - else if (comp > 0) \ - tmp = RB_RIGHT(tmp, field); \ - else \ - return (tmp); \ - } \ - return (res); \ -} \ - \ -/* ARGSUSED */ \ -attr struct type * \ -name##_RB_NEXT(struct type *elm) \ -{ \ - if (RB_RIGHT(elm, field)) { \ - elm = RB_RIGHT(elm, field); \ - while (RB_LEFT(elm, field)) \ - elm = RB_LEFT(elm, field); \ - } else { \ - if (RB_PARENT(elm, field) && \ - (elm == RB_LEFT(RB_PARENT(elm, field), field))) \ - elm = RB_PARENT(elm, field); \ - else { \ - while (RB_PARENT(elm, field) && \ - (elm == RB_RIGHT(RB_PARENT(elm, field), field)))\ - elm = RB_PARENT(elm, field); \ 
- elm = RB_PARENT(elm, field); \ - } \ - } \ - return (elm); \ -} \ - \ -/* ARGSUSED */ \ -attr struct type * \ -name##_RB_PREV(struct type *elm) \ -{ \ - if (RB_LEFT(elm, field)) { \ - elm = RB_LEFT(elm, field); \ - while (RB_RIGHT(elm, field)) \ - elm = RB_RIGHT(elm, field); \ - } else { \ - if (RB_PARENT(elm, field) && \ - (elm == RB_RIGHT(RB_PARENT(elm, field), field))) \ - elm = RB_PARENT(elm, field); \ - else { \ - while (RB_PARENT(elm, field) && \ - (elm == RB_LEFT(RB_PARENT(elm, field), field)))\ - elm = RB_PARENT(elm, field); \ - elm = RB_PARENT(elm, field); \ - } \ - } \ - return (elm); \ -} \ - \ -attr struct type * \ -name##_RB_MINMAX(struct name *head, int val) \ -{ \ - struct type *tmp = RB_ROOT(head); \ - struct type *parent = NULL; \ - while (tmp) { \ - parent = tmp; \ - if (val < 0) \ - tmp = RB_LEFT(tmp, field); \ - else \ - tmp = RB_RIGHT(tmp, field); \ - } \ - return (parent); \ -} - -#define RB_NEGINF -1 -#define RB_INF 1 - -#define RB_INSERT(name, x, y) name##_RB_INSERT(x, y) -#define RB_REMOVE(name, x, y) name##_RB_REMOVE(x, y) -#define RB_FIND(name, x, y) name##_RB_FIND(x, y) -#define RB_NFIND(name, x, y) name##_RB_NFIND(x, y) -#define RB_NEXT(name, x, y) name##_RB_NEXT(y) -#define RB_PREV(name, x, y) name##_RB_PREV(y) -#define RB_MIN(name, x) name##_RB_MINMAX(x, RB_NEGINF) -#define RB_MAX(name, x) name##_RB_MINMAX(x, RB_INF) - -#define RB_FOREACH(x, name, head) \ - for ((x) = RB_MIN(name, head); \ - (x) != NULL; \ - (x) = name##_RB_NEXT(x)) - -#define RB_FOREACH_REVERSE(x, name, head) \ - for ((x) = RB_MAX(name, head); \ - (x) != NULL; \ - (x) = name##_RB_PREV(x)) - -#endif /* _SYS_TREE_H_ */ diff --git a/contrib/ipfilter/tools/BNF.ipf b/contrib/ipfilter/tools/BNF.ipf deleted file mode 100644 index 0740c5855af9..000000000000 --- a/contrib/ipfilter/tools/BNF.ipf +++ /dev/null 
@@ -1,80 +0,0 @@
-filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
- [ proto ] [ ip ] [ group ] [ tag ] [ pps ] .
-
-insert = "@" decnumber .
-action = block | "pass" | log | "count" | auth | call .
-in-out = "in" | "out" .
-options = [ log ] [ "quick" ] [ onif [ dup ] [ froute ] ] .
-tos = "tos" decnumber | "tos" hexnumber .
-ttl = "ttl" decnumber .
-proto = "proto" protocol .
-ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
-group = [ "head" decnumber ] [ "group" decnumber ] .
-pps = "pps" decnumber .
-
-onif = "on" interface-name [ "out-via" interface-name ] .
-block = "block" [ return-icmp[return-code] | "return-rst" ] .
-auth = "auth" | "preauth" .
-log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
-tag = "tag" tagid .
-call = "call" [ "now" ] function-name .
-dup = "dup-to" interface-name[":"ipaddr] .
-froute = "fastroute" | "to" interface-name .
-protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
-srcdst = "all" | fromto .
-fromto = "from" object "to" object .
-
-return-icmp = "return-icmp" | "return-icmp-as-dest" .
-loglevel = facility"."priority | priority .
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
-flags = "flags" flag { flag } [ "/" flag { flag } ] .
-with = "with" | "and" .
-icmp = "icmp-type" icmp-type [ "code" decnumber ] .
-return-code = "("icmp-code")" .
-keep = "keep" "state" [ "limit" number ] | "keep" "frags" .
-
-nummask = host-name [ "/" decnumber ] .
-host-name = ipaddr | hostname | "any" .
-ipaddr = host-num "." host-num "." host-num "." host-num .
-host-num = digit [ digit [ digit ] ] .
-port-num = service-name | decnumber .
-
-withopt = [ "not" | "no" ] opttype [ withopt ] .
-opttype = "ipopts" | "short" | "nat" | "bad-src" | "lowttl" | "frag" |
- "mbcast" | "opt" ipopts .
-optname = ipopts [ "," optname ] .
-ipopts = optlist | "sec-class" [ secname ] .
-secname = seclvl [ "," secname ] .
-seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
- "reserv-4" | "secret" | "topsecret" .
-icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
- "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
- "inforep" | "maskreq" | "maskrep" | "routerad" |
- "routersol" | decnumber .
-icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
- "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
- "net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
- "filter-prohib" | "host-preced" | "cutoff-preced" .
-optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
- "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
- "visa" | "imitd" | "eip" | "finn" .
-facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
- "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
- "audit" | "logalert" | "local0" | "local1" | "local2" |
- "local3" | "local4" | "local5" | "local6" | "local7" .
-priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
- "info" | "debug" .
-
-hexnumber = "0" "x" hexstring .
-hexstring = hexdigit [ hexstring ] .
-decnumber = digit [ decnumber ] .
-
-compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
- "le" | "ge" .
-range = "<>" | "><" .
-hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
-digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
-flag = "F" | "S" | "R" | "P" | "A" | "U" | "C" | "W" .
diff --git a/contrib/ipfilter/tools/BNF.ipnat b/contrib/ipfilter/tools/BNF.ipnat
deleted file mode 100644
index 69ed8a205504..000000000000
--- a/contrib/ipfilter/tools/BNF.ipnat
+++ /dev/null
@@ -1,28 +0,0 @@
-ipmap :: = mapblock | redir | map .
-
-map ::= mapit ifname ipmask "->" ipmask [ mapport | mapicmpid ] .
-map ::= mapit ifname fromto "->" ipmask [ mapport | mapicmpid ] .
-mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
-redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] [ ports ] options .
-
-dport ::= "port" portnum [ "-" portnum ] .
-ports ::= "ports" numports | "auto" .
-mapit ::= "map" | "bimap" .
-fromto ::= "from" object "to" object .
-ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
-mapport ::= "portmap" tcpudp portnumber ":" portnumber .
-mapicmpid ::= "icmpidmap" icmp idnumber ":" idnumber .
-options ::= [ tcpudp ] [ rr ] .
-
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
-
-rr ::= "round-robin" .
-tcpudp ::= "tcp" | "udp" | "tcp/udp" .
-portnumber ::= number { numbers } | "auto" .
-idnumber ::= number { numbers } .
-ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
-
-numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
diff --git a/contrib/ipfilter/tools/Makefile b/contrib/ipfilter/tools/Makefile
deleted file mode 100644
index ce1ab0e6fc22..000000000000
--- a/contrib/ipfilter/tools/Makefile
+++ /dev/null
@@ -1,104 +0,0 @@ -YACC=yacc -v - -DEST=. - -all: $(DEST)/ipf_y.c $(DEST)/ipf_y.h $(DEST)/ipf_l.c \ - $(DEST)/ipmon_y.c $(DEST)/ipmon_y.h $(DEST)/ipmon_l.c \ - $(DEST)/ipnat_y.c $(DEST)/ipnat_y.h $(DEST)/ipnat_l.c \ - $(DEST)/ipscan_y.c $(DEST)/ipscan_y.h $(DEST)/ipscan_l.c \ - $(DEST)/ippool_y.c $(DEST)/ippool_y.h $(DEST)/ippool_l.c \ - $(DEST)/ipf_l.h $(DEST)/ipnat_l.h $(DEST)/ipscan_l.h \ - $(DEST)/ippool_l.h $(DEST)/ipmon_l.h - -$(DEST)/ipf_y.h: $(DEST)/ipf_y.c - -$(DEST)/ipf_y.c: ipf_y.y - $(YACC) -d ipf_y.y - sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.c/' \ - -e 's/"ipf_y.y"/"..\/tools\/ipf_y.y"/' \ - y.tab.c > $(DEST)/ipf_y.c - sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.h/' y.tab.h > $(DEST)/ipf_y.h - /bin/rm -f y.tab.c y.tab.h - -$(DEST)/ipf_l.c: lexer.c - sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.h/' \ - -e 's/lexer.h/ipf_l.h/' lexer.c > $@ - -$(DEST)/ipmon_y.n: $(DEST)/ipmon_y.c - -$(DEST)/ipmon_y.c $(DEST)/ipmon_y.h: ipmon_y.y - $(YACC) -d ipmon_y.y - sed -e 's/yy/ipmon_yy/g' -e 's/"ipmon_y.y"/"..\/tools\/ipmon_y.y"/' \ - y.tab.c > $(DEST)/ipmon_y.c - sed -e 's/yy/ipmon_yy/g' y.tab.h > $(DEST)/ipmon_y.h - /bin/rm -f y.tab.c y.tab.h - -$(DEST)/ipmon_l.c: lexer.c - sed -e 's/yy/ipmon_yy/g' -e 's/y.tab.h/ipmon_y.h/' \ - -e 's/lexer.h/ipmon_l.h/' lexer.c > $@ - -$(DEST)/ipscan_y.h: $(DEST)/ipscan_y.c - -$(DEST)/ipscan_y.c $(DEST)/ipscan_y.h: ipscan_y.y - $(YACC) -d ipscan_y.y - sed -e 's/yy/ipscan_yy/g' \ - -e 's/"ipscan_y.y"/"..\/tools\/ipscan_y.y"/' \ - y.tab.c > $(DEST)/ipscan_y.c - sed -e 's/yy/ipscan_yy/g' y.tab.h > $(DEST)/ipscan_y.h - /bin/rm -f y.tab.c y.tab.h - -$(DEST)/ipscan_l.c: lexer.c - sed -e 's/yy/ipscan_yy/g' -e 's/y.tab.h/ipscan_y.h/' \ - -e 's/lexer.h/ipscan_l.h/' lexer.c > $@ - -$(DEST)/ippool_y.h: $(DEST)/ippool_y.c - -$(DEST)/ippool_y.c $(DEST)/ippool_y.h: ippool_y.y - $(YACC) -d ippool_y.y - sed -e 's/yy/ippool_yy/g' -e 's/"ippool_y.y"/"..\/tools\/ippool_y.y"/' \ - y.tab.c > $(DEST)/ippool_y.c - sed -e 's/yy/ippool_yy/g' y.tab.h > 
$(DEST)/ippool_y.h - /bin/rm -f y.tab.c y.tab.h - -$(DEST)/ippool_l.c: lexer.c - sed -e 's/yy/ippool_yy/g' -e 's/y.tab.h/ippool_y.h/' \ - -e 's/lexer.h/ippool_l.h/' lexer.c > $@ - -$(DEST)/ipnat_y.h: $(DEST)/ipnat_y.c - -$(DEST)/ipnat_y.c $(DEST)/ipnat_y.h: ipnat_y.y - $(YACC) -d ipnat_y.y - sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.c/ipnat_y.c/' \ - -e s/\"ipnat_y.y\"/\"..\\/tools\\/ipnat_y.y\"/ \ - y.tab.c > $(DEST)/ipnat_y.c - sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.h/ipnat_y.h/' \ - y.tab.h > $(DEST)/ipnat_y.h - /bin/rm -f y.tab.c y.tab.h - -$(DEST)/ipnat_l.c: lexer.c - sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.h/ipnat_y.h/' \ - -e 's/lexer.h/ipnat_l.h/' lexer.c > $@ - -$(DEST)/ipf_l.h: lexer.h - sed -e 's/yy/ipf_yy/g' lexer.h > $@ - -$(DEST)/ipmon_l.h: lexer.h - sed -e 's/yy/ipmon_yy/g' lexer.h > $@ - -$(DEST)/ipscan_l.h: lexer.h - sed -e 's/yy/ipscan_yy/g' lexer.h > $@ - -$(DEST)/ippool_l.h: lexer.h - sed -e 's/yy/ippool_yy/g' lexer.h > $@ - -$(DEST)/ipnat_l.h: lexer.h - sed -e 's/yy/ipnat_yy/g' lexer.h > $@ - -clean: - /bin/rm -f $(DEST)/ipf_y.c $(DEST)/ipf_y.h $(DEST)/ipf_l.c - /bin/rm -f $(DEST)/ipmon_y.c $(DEST)/ipmon_y.h $(DEST)/ipmon_l.c - /bin/rm -f $(DEST)/ipscan_y.c $(DEST)/ipscan_y.h $(DEST)/ipscan_l.c - /bin/rm -f $(DEST)/ippool_y.c $(DEST)/ippool_y.h $(DEST)/ippool_l.c - /bin/rm -f $(DEST)/ipnat_y.c $(DEST)/ipnat_y.h $(DEST)/ipnat_l.c - /bin/rm -f $(DEST)/ipf_l.h $(DEST)/ipmon_l.h $(DEST)/ippool_l.h - /bin/rm -f $(DEST)/ipscan_l.h $(DEST)/ipnat_l.h diff --git a/contrib/ipfilter/tools/ipfsyncd.c b/contrib/ipfilter/tools/ipfsyncd.c deleted file mode 100644 index ead92b70371c..000000000000 --- a/contrib/ipfilter/tools/ipfsyncd.c +++ /dev/null 
@@ -1,671 +0,0 @@ -/* - * Copyright (C) 2012 by Darren Reed. - * - * See the IPFILTER.LICENCE file for details on licencing. - */ -#if !defined(lint) -static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipfsyncd.c,v 1.1.2.2 2012/07/22 08:04:24 darren_r Exp $"; -#endif -#include -#include -#include -#include -#include -#include - -#include -#include - -#include - -#include -#include -#include -#include -#include -#include -#include - -#include "ipf.h" -#include "opts.h" - - -#define R_IO_ERROR -1 -#define R_OKAY 0 -#define R_MORE 1 -#define R_SKIP 2 -#if defined(sun) && !defined(SOLARIS2) -# define STRERROR(x) sys_errlist[x] -extern char *sys_errlist[]; -#else -# define STRERROR(x) strerror(x) -#endif - - -int main(int, char *[]); -void usage(char *); -void printsynchdr(synchdr_t *); -void printtable(int); -void printsmcproto(char *); -void printcommand(int); -int do_kbuff(int, char *, int *); -int do_packet(int, char *); -int buildsocket(char *, struct sockaddr_in *); -void do_io(void); -void handleterm(int); - -int terminate = 0; -int igmpfd = -1; -int nfd = -1; -int lfd = -1; -int opts = 0; - -void -usage(progname) - char *progname; -{ - fprintf(stderr, - "Usage: %s [-d] [-p port] [-i address] -I \n", - progname); -} - -void -handleterm(sig) - int sig; -{ - terminate = sig; -} - - -/* should be large enough to hold header + any datatype */ -#define BUFFERLEN 1400 - -int -main(argc, argv) - int argc; - char *argv[]; -{ - struct sockaddr_in sin; - char *interface; - char *progname; - int opt, tries; - - progname = strrchr(argv[0], '/'); - if (progname) { - progname++; - } else { - progname = argv[0]; - } - - opts = 0; - tries = 0; - interface = NULL; - - bzero((char *)&sin, sizeof(sin)); - sin.sin_family = AF_INET; - sin.sin_port = htons(0xaf6c); - sin.sin_addr.s_addr = htonl(INADDR_UNSPEC_GROUP | 0x697066); - - while ((opt = getopt(argc, argv, "di:I:p:")) != -1) - switch (opt) - { - case 'd' : - 
debuglevel++; - break; - case 'I' : - interface = optarg; - break; - case 'i' : - sin.sin_addr.s_addr = inet_addr(optarg); - break; - case 'p' : - sin.sin_port = htons(atoi(optarg)); - break; - } - - if (interface == NULL) { - usage(progname); - exit(1); - } - - if (!debuglevel) { - -#ifdef BSD - daemon(0, 0); -#else - int fd = open("/dev/null", O_RDWR); - - switch (fork()) - { - case 0 : - break; - - case -1 : - fprintf(stderr, "%s: fork() failed: %s\n", - argv[0], STRERROR(errno)); - exit(1); - /* NOTREACHED */ - - default : - exit(0); - /* NOTREACHED */ - } - - dup2(fd, 0); - dup2(fd, 1); - dup2(fd, 2); - close(fd); - - setsid(); -#endif - } - - signal(SIGHUP, handleterm); - signal(SIGINT, handleterm); - signal(SIGTERM, handleterm); - - openlog(progname, LOG_PID, LOG_SECURITY); - - while (!terminate) { - if (lfd != -1) { - close(lfd); - lfd = -1; - } - if (nfd != -1) { - close(nfd); - nfd = -1; - } - if (igmpfd != -1) { - close(igmpfd); - igmpfd = -1; - } - - if (buildsocket(interface, &sin) == -1) - goto tryagain; - - lfd = open(IPSYNC_NAME, O_RDWR); - if (lfd == -1) { - syslog(LOG_ERR, "open(%s):%m", IPSYNC_NAME); - debug(1, "open(%s): %s\n", IPSYNC_NAME, - STRERROR(errno)); - goto tryagain; - } - - tries = -1; - do_io(); -tryagain: - tries++; - syslog(LOG_INFO, "retry in %d seconds", 1 << tries); - debug(1, "wait %d seconds\n", 1 << tries); - sleep(1 << tries); - } - - - /* terminate */ - if (lfd != -1) - close(lfd); - if (nfd != -1) - close(nfd); - - syslog(LOG_ERR, "signal %d received, exiting...", terminate); - debug(1, "signal %d received, exiting...", terminate); - - exit(1); -} - - -void -do_io() -{ - char nbuff[BUFFERLEN]; - char buff[BUFFERLEN]; - fd_set mrd, rd; - int maxfd; - int inbuf; - int n1; - int left; - - FD_ZERO(&mrd); - FD_SET(lfd, &mrd); - FD_SET(nfd, &mrd); - maxfd = nfd; - if (lfd > maxfd) - maxfd = lfd; - debug(2, "nfd %d lfd %d maxfd %d\n", nfd, lfd, maxfd); - - inbuf = 0; - /* - * A threaded approach to this loop would have one thread 
- * work on reading lfd (only) all the time and another thread - * working on reading nfd all the time. - */ - while (!terminate) { - int n; - - rd = mrd; - - n = select(maxfd + 1, &rd, NULL, NULL, NULL); - if (n < 0) { - switch (errno) - { - case EINTR : - continue; - default : - syslog(LOG_ERR, "select error: %m"); - debug(1, "select error: %s\n", STRERROR(errno)); - return; - } - } - - if (FD_ISSET(lfd, &rd)) { - n1 = read(lfd, buff+inbuf, BUFFERLEN-inbuf); - - debug(3, "read(K):%d\n", n1); - - if (n1 <= 0) { - syslog(LOG_ERR, "read error (k-header): %m"); - debug(1, "read error (k-header): %s\n", - STRERROR(errno)); - return; - } - - left = 0; - - switch (do_kbuff(n1, buff, &left)) - { - case R_IO_ERROR : - return; - case R_MORE : - inbuf += left; - break; - default : - inbuf = 0; - break; - } - } - - if (FD_ISSET(nfd, &rd)) { - n1 = recv(nfd, nbuff, sizeof(nbuff), 0); - - debug(3, "read(N):%d\n", n1); - - if (n1 <= 0) { - syslog(LOG_ERR, "read error (n-header): %m"); - debug(1, "read error (n-header): %s\n", - STRERROR(errno)); - return; - } - - switch (do_packet(n1, nbuff)) - { - case R_IO_ERROR : - return; - default : - break; - } - } - } -} - - -int -buildsocket(nicname, sinp) - char *nicname; - struct sockaddr_in *sinp; -{ - struct sockaddr_in *reqip; - struct ifreq req; - char opt; - - debug(2, "binding to %s:%s\n", nicname, inet_ntoa(sinp->sin_addr)); - - if (IN_MULTICAST(ntohl(sinp->sin_addr.s_addr))) { - struct in_addr addr; - struct ip_mreq mreq; - - igmpfd = socket(AF_INET, SOCK_RAW, IPPROTO_IGMP); - if (igmpfd == -1) { - syslog(LOG_ERR, "socket:%m"); - debug(1, "socket:%s\n", STRERROR(errno)); - return -1; - } - - bzero((char *)&req, sizeof(req)); - strncpy(req.ifr_name, nicname, sizeof(req.ifr_name)); - req.ifr_name[sizeof(req.ifr_name) - 1] = '\0'; - if (ioctl(igmpfd, SIOCGIFADDR, &req) == -1) { - syslog(LOG_ERR, "ioctl(SIOCGIFADDR):%m"); - debug(1, "ioctl(SIOCGIFADDR):%s\n", STRERROR(errno)); - close(igmpfd); - igmpfd = -1; - return -1; - } - 
reqip = (struct sockaddr_in *)&req.ifr_addr; - - addr = reqip->sin_addr; - if (setsockopt(igmpfd, IPPROTO_IP, IP_MULTICAST_IF, - (char *)&addr, sizeof(addr)) == -1) { - syslog(LOG_ERR, "setsockopt(IP_MULTICAST_IF(%s)):%m", - inet_ntoa(addr)); - debug(1, "setsockopt(IP_MULTICAST_IF(%s)):%s\n", - inet_ntoa(addr), STRERROR(errno)); - close(igmpfd); - igmpfd = -1; - return -1; - } - - opt = 0; - if (setsockopt(igmpfd, IPPROTO_IP, IP_MULTICAST_LOOP, - (char *)&opt, sizeof(opt)) == -1) { - syslog(LOG_ERR, "setsockopt(IP_MULTICAST_LOOP=0):%m"); - debug(1, "setsockopt(IP_MULTICAST_LOOP=0):%s\n", - STRERROR(errno)); - close(igmpfd); - igmpfd = -1; - return -1; - } - - opt = 63; - if (setsockopt(igmpfd, IPPROTO_IP, IP_MULTICAST_TTL, - (char *)&opt, sizeof(opt)) == -1) { - syslog(LOG_ERR, "setsockopt(IP_MULTICAST_TTL=%d):%m", - opt); - debug(1, "setsockopt(IP_MULTICAST_TTL=%d):%s\n", opt, - STRERROR(errno)); - close(igmpfd); - igmpfd = -1; - return -1; - } - - mreq.imr_multiaddr.s_addr = sinp->sin_addr.s_addr; - mreq.imr_interface.s_addr = reqip->sin_addr.s_addr; - - if (setsockopt(igmpfd, IPPROTO_IP, IP_ADD_MEMBERSHIP, - (char *)&mreq, sizeof(mreq)) == -1) { - char buffer[80]; - - snprintf(buffer, sizeof(buffer), "%s,", inet_ntoa(sinp->sin_addr)); - strcat(buffer, inet_ntoa(reqip->sin_addr)); - - syslog(LOG_ERR, - "setsockpt(IP_ADD_MEMBERSHIP,%s):%m", buffer); - debug(1, "setsockpt(IP_ADD_MEMBERSHIP,%s):%s\n", - buffer, STRERROR(errno)); - close(igmpfd); - igmpfd = -1; - return -1; - } - } - nfd = socket(AF_INET, SOCK_DGRAM, 0); - if (nfd == -1) { - syslog(LOG_ERR, "socket:%m"); - if (igmpfd != -1) { - close(igmpfd); - igmpfd = -1; - } - return -1; - } - bzero((char *)&req, sizeof(req)); - strncpy(req.ifr_name, nicname, sizeof(req.ifr_name)); - req.ifr_name[sizeof(req.ifr_name) - 1] = '\0'; - if (ioctl(nfd, SIOCGIFADDR, &req) == -1) { - syslog(LOG_ERR, "ioctl(SIOCGIFADDR):%m"); - debug(1, "ioctl(SIOCGIFADDR):%s\n", STRERROR(errno)); - close(igmpfd); - igmpfd = -1; - return 
-1; - } - - if (bind(nfd, (struct sockaddr *)&req.ifr_addr, - sizeof(req.ifr_addr)) == -1) { - syslog(LOG_ERR, "bind:%m"); - debug(1, "bind:%s\n", STRERROR(errno)); - close(nfd); - if (igmpfd != -1) { - close(igmpfd); - igmpfd = -1; - } - nfd = -1; - return -1; - } - - if (connect(nfd, (struct sockaddr *)sinp, sizeof(*sinp)) == -1) { - syslog(LOG_ERR, "connect:%m"); - debug(1, "connect:%s\n", STRERROR(errno)); - close(nfd); - if (igmpfd != -1) { - close(igmpfd); - igmpfd = -1; - } - nfd = -1; - return -1; - } - syslog(LOG_INFO, "Sending data to %s", inet_ntoa(sinp->sin_addr)); - debug(3, "Sending data to %s\n", inet_ntoa(sinp->sin_addr)); - - return nfd; -} - - -int -do_packet(pklen, buff) - int pklen; - char *buff; -{ - synchdr_t *sh; - u_32_t magic; - int len; - int n2; - int n3; - - while (pklen > 0) { - if (pklen < sizeof(*sh)) { - syslog(LOG_ERR, "packet length too short:%d", pklen); - debug(2, "packet length too short:%d\n", pklen); - return R_SKIP; - } - - sh = (synchdr_t *)buff; - len = ntohl(sh->sm_len); - magic = ntohl(sh->sm_magic); - - if (magic != SYNHDRMAGIC) { - syslog(LOG_ERR, "invalid header magic %x", magic); - debug(2, "invalid header magic %x\n", magic); - return R_SKIP; - } - - if (pklen < len + sizeof(*sh)) { - syslog(LOG_ERR, "packet length too short:%d", pklen); - debug(2, "packet length too short:%d\n", pklen); - return R_SKIP; - } - - if (debuglevel > 3) { - printsynchdr(sh); - printcommand(sh->sm_cmd); - printtable(sh->sm_table); - printsmcproto(buff); - } - - n2 = sizeof(*sh) + len; - - do { - n3 = write(lfd, buff, n2); - if (n3 <= 0) { - syslog(LOG_ERR, "write error: %m"); - debug(1, "write error: %s\n", STRERROR(errno)); - return R_IO_ERROR; - } - - n2 -= n3; - buff += n3; - pklen -= n3; - } while (n3 != 0); - } - - return R_OKAY; -} - - - -int -do_kbuff(inbuf, buf, left) - int inbuf, *left; - char *buf; -{ - synchdr_t *sh; - u_32_t magic; - int complete; - int sendlen; - int error; - int bytes; - int len; - int n2; - int n3; - - 
sendlen = 0; - bytes = inbuf; - error = R_OKAY; - sh = (synchdr_t *)buf; - - for (complete = 0; bytes > 0; complete++) { - len = ntohl(sh->sm_len); - magic = ntohl(sh->sm_magic); - - if (magic != SYNHDRMAGIC) { - syslog(LOG_ERR, - "read invalid header magic 0x%x, flushing", - magic); - debug(2, "read invalid header magic 0x%x, flushing\n", - magic); - n2 = SMC_RLOG; - (void) ioctl(lfd, SIOCIPFFL, &n2); - break; - } - - if (debuglevel > 3) { - printsynchdr(sh); - printcommand(sh->sm_cmd); - printtable(sh->sm_table); - putchar('\n'); - } - - if (bytes < sizeof(*sh) + len) { - debug(3, "Not enough bytes %d < %d\n", bytes, - sizeof(*sh) + len); - error = R_MORE; - break; - } - - if (debuglevel > 3) { - printsmcproto(buf); - } - - sendlen += len + sizeof(*sh); - sh = (synchdr_t *)(buf + sendlen); - bytes -= sendlen; - } - - if (complete) { - n3 = send(nfd, buf, sendlen, 0); - if (n3 <= 0) { - syslog(LOG_ERR, "write error: %m"); - debug(1, "write error: %s\n", STRERROR(errno)); - return R_IO_ERROR; - } - debug(3, "send on %d len %d = %d\n", nfd, sendlen, n3); - error = R_OKAY; - } - - /* move buffer to the front,we might need to make - * this more efficient, by using a rolling pointer - * over the buffer and only copying it, when - * we are reaching the end - */ - if (bytes > 0) { - bcopy(buf + bytes, buf, bytes); - error = R_MORE; - } - debug(4, "complete %d bytes %d error %d\n", complete, bytes, error); - - *left = bytes; - - return error; -} - - -void -printcommand(cmd) - int cmd; -{ - - switch (cmd) - { - case SMC_CREATE : - printf(" cmd:CREATE"); - break; - case SMC_UPDATE : - printf(" cmd:UPDATE"); - break; - default : - printf(" cmd:Unknown(%d)", cmd); - break; - } -} - - -void -printtable(table) - int table; -{ - switch (table) - { - case SMC_NAT : - printf(" table:NAT"); - break; - case SMC_STATE : - printf(" table:STATE"); - break; - default : - printf(" table:Unknown(%d)", table); - break; - } -} - - -void -printsmcproto(buff) - char *buff; -{ - syncupdent_t 
*su; - synchdr_t *sh; - - sh = (synchdr_t *)buff; - - if (sh->sm_cmd == SMC_CREATE) { - ; - - } else if (sh->sm_cmd == SMC_UPDATE) { - su = (syncupdent_t *)buff; - if (sh->sm_p == IPPROTO_TCP) { - printf(" TCP Update: age %lu state %d/%d\n", - su->sup_tcp.stu_age, - su->sup_tcp.stu_state[0], - su->sup_tcp.stu_state[1]); - } - } else { - printf("Unknown command\n"); - } -} - - -void -printsynchdr(sh) - synchdr_t *sh; -{ - - printf("v:%d p:%d num:%d len:%d magic:%x", sh->sm_v, sh->sm_p, - ntohl(sh->sm_num), ntohl(sh->sm_len), ntohl(sh->sm_magic)); -} diff --git a/contrib/ipfilter/tools/ipsyncm.c b/contrib/ipfilter/tools/ipsyncm.c deleted file mode 100644 index d57196379210..000000000000 --- a/contrib/ipfilter/tools/ipsyncm.c +++ /dev/null 
@@ -1,256 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2012 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
-#include
-#include
-#include
-
-#include
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_sync.h"
-
-
-int main(int, char *[]);
-void usage(const char *);
-
-int terminate = 0;
-
-void usage(const char *progname) {
- fprintf(stderr, "Usage: %s \n", progname);
-}
-
-#if 0
-static void handleterm(int sig)
-{
- terminate = sig;
-}
-#endif
-
-
-/* should be large enough to hold header + any datatype */
-#define BUFFERLEN 1400
-
-int main(argc, argv)
- int argc;
- char *argv[];
-{
- struct sockaddr_in sin;
- char buff[BUFFERLEN];
- synclogent_t *sl;
- syncupdent_t *su;
- int nfd = -1, lfd = -1, n1, n2, n3, len;
- int inbuf;
- u_32_t magic;
- synchdr_t *sh;
- char *progname;
-
- progname = strrchr(argv[0], '/');
- if (progname) {
- progname++;
- } else {
- progname = argv[0];
- }
-
-
- if (argc < 2) {
- usage(progname);
- exit(1);
- }
-
-#if 0
- signal(SIGHUP, handleterm);
- signal(SIGINT, handleterm);
- signal(SIGTERM, handleterm);
-#endif
-
- openlog(progname, LOG_PID, LOG_SECURITY);
-
- bzero((char *)&sin, sizeof(sin));
- sin.sin_family = AF_INET;
- sin.sin_addr.s_addr = inet_addr(argv[1]);
- if (argc > 2)
- sin.sin_port = htons(atoi(argv[2]));
- else
- sin.sin_port = htons(43434);
-
- while (1) {
-
- if (lfd != -1)
- close(lfd);
- if (nfd != -1)
- close(nfd);
-
- lfd = open(IPSYNC_NAME, O_RDONLY);
- if (lfd == -1) {
- syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
- goto tryagain;
- }
-
- nfd = socket(AF_INET, SOCK_DGRAM, 0);
- if (nfd == -1) {
- syslog(LOG_ERR, "Socket :%m");
- goto tryagain;
- }
-
- if (connect(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
- syslog(LOG_ERR, "Connect: %m");
- goto tryagain;
- }
-
- syslog(LOG_INFO, "Sending data to %s",
- inet_ntoa(sin.sin_addr));
-
- inbuf = 0;
- while (1) {
-
- n1 = read(lfd, buff+inbuf, BUFFERLEN-inbuf);
-
- printf("header : %d bytes read (header = %d bytes)\n",
- n1, (int) sizeof(*sh));
-
- if (n1 < 0) {
- syslog(LOG_ERR, "Read error (header): %m");
- goto tryagain;
- }
-
- if (n1 == 0) {
- /* XXX can this happen??? */
- syslog(LOG_ERR,
- "Read error (header) : No data");
- sleep(1);
- continue;
- }
-
- inbuf += n1;
-
-moreinbuf:
- if (inbuf < sizeof(*sh)) {
- continue; /* need more data */
- }
-
- sh = (synchdr_t *)buff;
- len = ntohl(sh->sm_len);
- magic = ntohl(sh->sm_magic);
-
- if (magic != SYNHDRMAGIC) {
- syslog(LOG_ERR,
- "Invalid header magic %x", magic);
- goto tryagain;
- }
-
-#define IPSYNC_DEBUG
-#ifdef IPSYNC_DEBUG
- printf("v:%d p:%d len:%d magic:%x", sh->sm_v,
- sh->sm_p, len, magic);
-
- if (sh->sm_cmd == SMC_CREATE)
- printf(" cmd:CREATE");
- else if (sh->sm_cmd == SMC_UPDATE)
- printf(" cmd:UPDATE");
- else
- printf(" cmd:Unknown(%d)", sh->sm_cmd);
-
- if (sh->sm_table == SMC_NAT)
- printf(" table:NAT");
- else if (sh->sm_table == SMC_STATE)
- printf(" table:STATE");
- else
- printf(" table:Unknown(%d)", sh->sm_table);
-
- printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num));
-#endif
-
- if (inbuf < sizeof(*sh) + len) {
- continue; /* need more data */
- goto tryagain;
- }
-
-#ifdef IPSYNC_DEBUG
- if (sh->sm_cmd == SMC_CREATE) {
- sl = (synclogent_t *)buff;
-
- } else if (sh->sm_cmd == SMC_UPDATE) {
- su = (syncupdent_t *)buff;
- if (sh->sm_p == IPPROTO_TCP) {
- printf(" TCP Update: age %lu state %d/%d\n",
- su->sup_tcp.stu_age,
- su->sup_tcp.stu_state[0],
- su->sup_tcp.stu_state[1]);
- }
- } else {
- printf("Unknown command\n");
- }
-#endif
-
- n2 = sizeof(*sh) + len;
- n3 = write(nfd, buff, n2);
- if (n3 <= 0) {
- syslog(LOG_ERR, "Write error: %m");
- goto tryagain;
- }
-
-
- if (n3 != n2) {
- syslog(LOG_ERR, "Incomplete write (%d/%d)",
- n3, n2);
- goto tryagain;
- }
-
- /* signal received? */
- if (terminate)
- break;
-
- /* move buffer to the front,we might need to make
- * this more efficient, by using a rolling pointer
- * over the buffer and only copying it, when
- * we are reaching the end
- */
- inbuf -= n2;
- if (inbuf) {
- bcopy(buff+n2, buff, inbuf);
- printf("More data in buffer\n");
- goto moreinbuf;
- }
- }
-
- if (terminate)
- break;
-tryagain:
- sleep(1);
- }
-
-
- /* terminate */
- if (lfd != -1)
- close(lfd);
- if (nfd != -1)
- close(nfd);
-
- syslog(LOG_ERR, "signal %d received, exiting...", terminate);
-
- exit(1);
-}
-
diff --git a/contrib/ipfilter/tools/ipsyncs.c b/contrib/ipfilter/tools/ipsyncs.c
deleted file mode 100644
index a53cfb8c9508..000000000000
--- a/contrib/ipfilter/tools/ipsyncs.c
+++ /dev/null
@@ -1,274 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2012 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
-#include
-#include
-#include
-
-#include
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "netinet/ip_compat.h"
-#include "netinet/ip_fil.h"
-#include "netinet/ip_state.h"
-#include "netinet/ip_nat.h"
-#include "netinet/ip_sync.h"
-
-int main(int, char *[]);
-void usage(const char *progname);
-
-int terminate = 0;
-
-void usage(const char *progname) {
- fprintf(stderr,
- "Usage: %s [remote IP]\n",
- progname);
-}
-
-#if 0
-static void handleterm(int sig)
-{
- terminate = sig;
-}
-#endif
-
-#define BUFFERLEN 1400
-
-int main(argc, argv)
- int argc;
- char *argv[];
-{
- int nfd = -1 , lfd = -1;
- int n1, n2, n3, magic, len, inbuf;
- struct sockaddr_in sin;
- struct sockaddr_in in;
- char buff[BUFFERLEN];
- synclogent_t *sl;
- syncupdent_t *su;
- synchdr_t *sh;
- char *progname;
-
- progname = strrchr(argv[0], '/');
- if (progname) {
- progname++;
- } else {
- progname = argv[0];
- }
-
- if (argc < 2) {
- usage(progname);
- exit(1);
- }
-
-#if 0
- signal(SIGHUP, handleterm);
- signal(SIGINT, handleterm);
- signal(SIGTERM, handleterm);
-#endif
-
- openlog(progname, LOG_PID, LOG_SECURITY);
-
- lfd = open(IPSYNC_NAME, O_WRONLY);
- if (lfd == -1) {
- syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
- exit(1);
- }
-
- bzero((char *)&sin, sizeof(sin));
- sin.sin_family = AF_INET;
- if (argc > 1)
- sin.sin_addr.s_addr = inet_addr(argv[1]);
- if (argc > 2)
- sin.sin_port = htons(atoi(argv[2]));
- else
- sin.sin_port = htons(43434);
- if (argc > 3)
- in.sin_addr.s_addr = inet_addr(argv[3]);
- else
- in.sin_addr.s_addr = 0;
- in.sin_port = 0;
-
- while(1) {
-
- if (lfd != -1)
- close(lfd);
- if (nfd != -1)
- close(nfd);
-
- lfd = open(IPSYNC_NAME, O_WRONLY);
- if (lfd == -1) {
- syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME);
- goto tryagain;
- }
-
- nfd = socket(AF_INET, SOCK_DGRAM, 0);
- if (nfd == -1) {
- syslog(LOG_ERR, "Socket :%m");
- goto tryagain;
- }
-
- n1 = 1;
- setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &n1, sizeof(n1));
-
- if (bind(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
- syslog(LOG_ERR, "Bind: %m");
- goto tryagain;
- }
-
- syslog(LOG_INFO, "Listening to %s", inet_ntoa(sin.sin_addr));
-
- inbuf = 0;
- while (1) {
-
-
- /*
- * XXX currently we do not check the source address
- * of a datagram, this can be a security risk
- */
- n1 = read(nfd, buff+inbuf, BUFFERLEN-inbuf);
-
- printf("header : %d bytes read (header = %d bytes)\n",
- n1, (int) sizeof(*sh));
-
- if (n1 < 0) {
- syslog(LOG_ERR, "Read error (header): %m");
- goto tryagain;
- }
-
- if (n1 == 0) {
- /* XXX can this happen??? */
- syslog(LOG_ERR,
- "Read error (header) : No data");
- sleep(1);
- continue;
- }
-
- inbuf += n1;
-
-moreinbuf:
- if (inbuf < sizeof(*sh)) {
- continue; /* need more data */
- }
-
- sh = (synchdr_t *)buff;
- len = ntohl(sh->sm_len);
- magic = ntohl(sh->sm_magic);
-
- if (magic != SYNHDRMAGIC) {
- syslog(LOG_ERR, "Invalid header magic %x",
- magic);
- goto tryagain;
- }
-
-#define IPSYNC_DEBUG
-#ifdef IPSYNC_DEBUG
- printf("v:%d p:%d len:%d magic:%x", sh->sm_v,
- sh->sm_p, len, magic);
-
- if (sh->sm_cmd == SMC_CREATE)
- printf(" cmd:CREATE");
- else if (sh->sm_cmd == SMC_UPDATE)
- printf(" cmd:UPDATE");
- else
- printf(" cmd:Unknown(%d)", sh->sm_cmd);
-
- if (sh->sm_table == SMC_NAT)
- printf(" table:NAT");
- else if (sh->sm_table == SMC_STATE)
- printf(" table:STATE");
- else
- printf(" table:Unknown(%d)", sh->sm_table);
-
- printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num));
-#endif
-
- if (inbuf < sizeof(*sh) + len) {
- continue; /* need more data */
- goto tryagain;
- }
-
-#ifdef IPSYNC_DEBUG
- if (sh->sm_cmd == SMC_CREATE) {
- sl = (synclogent_t *)buff;
-
- } else if (sh->sm_cmd == SMC_UPDATE) {
- su = (syncupdent_t *)buff;
- if (sh->sm_p == IPPROTO_TCP) {
- printf(" TCP Update: age %lu state %d/%d\n",
- su->sup_tcp.stu_age,
- su->sup_tcp.stu_state[0],
- su->sup_tcp.stu_state[1]);
- }
- } else {
- printf("Unknown command\n");
- }
-#endif
-
- n2 = sizeof(*sh) + len;
- n3 = write(lfd, buff, n2);
- if (n3 <= 0) {
- syslog(LOG_ERR, "%s: Write error: %m",
- IPSYNC_NAME);
- goto tryagain;
- }
-
-
- if (n3 != n2) {
- syslog(LOG_ERR, "%s: Incomplete write (%d/%d)",
- IPSYNC_NAME, n3, n2);
- goto tryagain;
- }
-
- /* signal received? */
- if (terminate)
- break;
-
- /* move buffer to the front,we might need to make
- * this more efficient, by using a rolling pointer
- * over the buffer and only copying it, when
- * we are reaching the end
- */
- inbuf -= n2;
- if (inbuf) {
- bcopy(buff+n2, buff, inbuf);
- printf("More data in buffer\n");
- goto moreinbuf;
- }
- }
-
- if (terminate)
- break;
-tryagain:
- sleep(1);
- }
-
-
- /* terminate */
- if (lfd != -1)
- close(lfd);
- if (nfd != -1)
- close(nfd);
-
- syslog(LOG_ERR, "signal %d received, exiting...", terminate);
-
- exit(1);
-}
diff --git a/contrib/ipfilter/tools/lex_var.h b/contrib/ipfilter/tools/lex_var.h
deleted file mode 100644
index eb59f5887cba..000000000000
--- a/contrib/ipfilter/tools/lex_var.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/* $FreeBSD$ */
-
-/*
- * Copyright (C) 2012 by Darren Reed.
- *
- * See the IPFILTER.LICENCE file for details on licencing.
- */
-
-extern long string_start;
-extern long string_end;
-extern char *string_val;
-extern long pos;
-
-#define YY_INPUT(buf, result, max_size) \
- if (pos >= string_start && pos <= string_end) { \
- buf[0] = string_val[pos - string_start]; \
- pos++; \
- result = 1; \
- } else if ( yy_current_buffer->yy_is_interactive ) \
- { \
- int c = '*', n; \
- for ( n = 0; n < 1 && \
- (c = getc( yyin )) != EOF && c != '\n'; ++n ) \
- buf[n] = (char) c; \
- if ( c == '\n' ) \
- buf[n++] = (char) c; \
- if ( c == EOF && ferror( yyin ) ) \
- YY_FATAL_ERROR( "input in flex scanner failed" ); \
- result = n; \
- pos++; \
- } \
- else if ( ((result = fread( buf, 1, 1, yyin )) == 0) \
- && ferror( yyin ) ) \
- YY_FATAL_ERROR( "input in flex scanner failed" );
-
-#ifdef input
-# undef input
-# define input() (((pos >= string_start) && (pos < string_end)) ? \
- yysptr = yysbuf, string_val[pos++ - string_start] : \
- ((yytchar = yysptr > yysbuf ? U(*--yysptr) : \
- getc(yyin)) == 10 ? (pos++, yylineno++, yytchar) : \
- yytchar) == EOF ? (pos++, 0) : (pos++, yytchar))
-#endif
-
-#ifdef lex_input
-# undef lex_input
-# define lex_input() (((pos >= string_start) && (pos < string_end)) ? \
- yysptr = yysbuf, string_val[pos++ - string_start] : \
- ((yytchar = yysptr > yysbuf ? U(*--yysptr) : \
- getc(yyin)) == 10 ? (pos++, yylineno++, yytchar) : \
- yytchar) == EOF ? (pos++, 0) : (pos++, yytchar))
-#endif
-
-#ifdef unput
-# undef unput
-# define unput(c) { if (pos > 0) pos--; \
- yytchar = (c); if (yytchar == '\n') yylineno--; \
- *yysptr++ = yytchar; }
-#endif
-