diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile
index 72086a016cdb..9a2158bcf47a 100644
--- a/contrib/ipfilter/BSD/Makefile
+++ b/contrib/ipfilter/BSD/Makefile
@@ -1,510 +1,523 @@ # # Copyright (C) 1993-1998 by Darren Reed. # # See the IPFILTER.LICENCE file for details on licencing. # BINDEST=/usr/sbin SBINDEST=/sbin MANDIR=/usr/share/man SEARCHDIRS!=echo $(BINDEST) $(SBINDEST) /bin /usr/bin /sbin /usr/sbin /usr/local/bin /usr/local/sbin | awk '{for(i=1;i&1 | sed -n 's/.*devfs.*/-DDEVFS/p' CPU!=uname -m INC=-I/usr/include -I/sys -I/sys/sys -I/sys/arch DEF=-D$(CPU) -D__$(CPU)__ -DINET -DKERNEL -D_KERNEL $(INC) $(DEVFS) IPDEF=$(DEF) -DGATEWAY -DDIRECTED_BROADCAST VNODESHDIR=/sys/kern MLD=$(ML) ML=mln_ipl.c LKM=if_ipl.o LKMR=ipfrule.o DLKM= OBJ=. DEST=$(OBJ) MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \ "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \ "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \ "CPUDIR=$(CPUDIR)" "LOOKUP=$(LOOKUP)" "SYNC=$(SYNC)" LIBS=-L. -lipf $(LIBBPF) # ########## ########## ########## ########## ########## ########## ########## # CP=/bin/cp RM=/bin/rm CHMOD=/bin/chmod INSTALL=install # MODOBJS=ip_fil.o fil.o ml_ipl.o ip_nat.o ip_frag.o ip_state.o ip_proxy.o \ ip_auth.o ip_log.o ip_pool.o ip_htable.o ip_lookup.o ip_rules.o \ ip_scan.o ip_sync.o # ip_trafcon.o DFLAGS=$(IPFLKM) $(IPFLOG) $(LOOKUP) $(SYNC) $(DEF) $(DLKM) $(IPFBPF) -IPF=ipf.o ipfcomp.o ipf_y.o ipf_l.o +IPF=ipf.o ipfcomp.o ipf_y.o ipf_l.o bpf_filter_u.o IPT=ipftest.o fil_u.o ip_frag_u.o ip_state_u.o ip_nat_u.o \ ip_proxy_u.o ip_auth_u.o ip_htable_u.o ip_lookup_u.o ip_pool_u.o \ ip_scan_u.o ip_sync_u.o ip_rules_u.o ip_fil_u.o ip_log_u.o \ ippool_y.o ippool_l.o ipf_y.o ipf_l.o ipnat_y.o ipnat_l.o \ md5_u.o radix_u.o bpf_filter_u.o # ip_syn_u.o #ip_trafcon_u.o TOOL=$(TOP)/tools IPNAT=ipnat.o ipnat_y.o ipnat_l.o IPMON=ipmon.o ipmon_y.o ipmon_l.o IPPOOL=ippool_y.o ippool_l.o kmem.o ippool.o IPTRAFCON=iptrafcon.o PROXYLIST=$(TOP)/ip_ftp_pxy.c $(TOP)/ip_ipsec_pxy.c $(TOP)/ip_irc_pxy.c \ $(TOP)/ip_netbios_pxy.c $(TOP)/ip_raudio_pxy.c 
$(TOP)/ip_rcmd_pxy.c \ $(TOP)/ip_rpcb_pxy.c $(TOP)/ip_pptp_pxy.c FILS=ipfstat.o LIBSRC=$(TOP)/lib RANLIB=ranlib AROPTS=cq HERE!=pwd -CCARGS=-I. $(DEBUG) $(CFLAGS) +CCARGS=-I. $(DEBUG) $(CFLAGS) $(UFLAGS) +KCARGS=-I. $(DEBUG) $(CFLAGS) # # Extra is option kernel things we always want in user space. # EXTRA=$(ALLOPTS) include $(TOP)/lib/Makefile build all: machine $(OBJ)/libipf.a ipf ipfs ipfstat ipftest ipmon ipnat \ ippool ipscan ipsyncm ipsyncs $(LKM) $(LKMR) -sh -c 'for i in ipf ipftest ipmon ippool ipnat ipscan ipsyncm ipsyncs; do /bin/rm -f $(TOP)/$$i; ln -s `pwd`/$$i $(TOP); done' + -/bin/rm -f ../tools ./tools + -ln -s ../tools . + -ln -s ../tools .. machine: Makefile.kmod if [ -f Makefile.kmod ] ; then \ make -f Makefile.kmod depend MKUPDATE=no; \ fi Makefile.kmod: if [ -f /usr/share/mk/bsd.kmod.mk -a "`uname -s`" = "NetBSD" ] ; then \ rm -f Makefile.kmod; \ ln -s /usr/share/mk/bsd.kmod.mk Makefile.kmod; \ fi ipfstat: $(FILS) $(OBJ)/libipf.a $(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \ -o $@ $(LIBS) $(STATETOP_LIB) -lkvm ipf: $(IPF) $(OBJ)/libipf.a $(CC) $(CCARGS) $(IPF) -o $@ $(LIBS) -ll $(LIBBPF) ipftest: $(IPT) $(OBJ)/libipf.a $(CC) $(CCARGS) $(IPT) -o $@ $(LIBS) -ll $(LIBBPF) ipnat: $(IPNAT) $(OBJ)/libipf.a $(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) -lkvm -ll ipfs: ipfs.o $(CC) $(CCARGS) ipfs.o -o $@ ipsyncm: ipsyncm.o $(OBJ)/libipf.a $(CC) $(CCARGS) ipsyncm.o -o $@ $(LIBS) ipsyncs: ipsyncs.o $(OBJ)/libipf.a $(CC) $(CCARGS) ipsyncs.o -o $@ $(LIBS) ipsyncm.o: $(TOOL)/ipsyncm.c $(TOP)/ip_sync.h $(CC) $(CCARGS) -c $(TOOL)/ipsyncm.c -o $@ ipsyncs.o: $(TOOL)/ipsyncs.c $(TOP)/ip_sync.h $(CC) $(CCARGS) -c $(TOOL)/ipsyncs.c -o $@ tests: (cd test; make ) ipfstat.o: $(TOOL)/ipfstat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_frag.h \ $(TOP)/ip_compat.h $(TOP)/ip_state.h $(TOP)/ip_nat.h $(TOP)/opts.h $(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \ -c $(TOOL)/ipfstat.c -o $@ ipfs.o: $(TOOL)/ipfs.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_state.h \ 
$(TOP)/ip_nat.h $(TOP)/opts.h $(CC) $(CCARGS) -c $(TOOL)/ipfs.c -o $@ fil_u.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_compat.h \ $(TOP)/opts.h $(TOP)/ip_rules.h $(CC) $(CCARGS) $(EXTRA) $(IPFBPF) -D_RADIX_H_ -c $(TOP)/fil.c -o $@ fil.o: $(TOP)/fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ipl.h \ $(TOP)/ip_rules.h - $(CC) $(CCARGS) $(POLICY) $(DFLAGS) $(IPFBPF) $(COMPIPF) \ + $(CC) $(KCARGS) $(POLICY) $(DFLAGS) $(IPFBPF) $(COMPIPF) \ -c $(TOP)/fil.c -o $@ ipf.o: $(TOOL)/ipf.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/opts.h $(CC) $(CCARGS) -c $(TOOL)/ipf.c -o $@ ipfcomp.o: $(TOOL)/ipfcomp.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/opts.h $(CC) $(CCARGS) -c $(TOOL)/ipfcomp.c -o $@ ipftest.o: $(TOOL)/ipftest.c $(TOP)/ip_fil.h $(TOP)/ipt.h $(TOP)/ipf.h \ $(TOP)/opts.h $(CC) $(CCARGS) -c $(TOOL)/ipftest.c -o $@ ipnat.o: $(TOOL)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h \ $(TOP)/opts.h $(CC) $(CCARGS) -c $(TOOL)/ipnat.c -o $@ ipnat_y.o: ipnat_y.c ipnat_y.h ipnat_l.h $(CC) $(CCARGS) -c ipnat_y.c -o $@ ipnat_l.o: ipnat_l.c ipnat_y.h $(CC) $(CCARGS) -I. 
-c ipnat_l.c -o $@ ipnat_y.c: $(TOOL)/ipnat_y.y (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) ipnat_y.h: ipnat_y.c ipnat_l.c: $(TOOL)/lexer.c $(TOP)/ip_nat.h (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) ipnat_l.h: $(TOOL)/lexer.h (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) ip_nat_u.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_nat.c -o $@ ip_proxy_u.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(PROXYLIST) $(TOP)/ip_nat.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_proxy.c -o $@ ip_frag_u.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_frag.c -o $@ ip_state_u.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_state.c -o $@ ip_auth_u.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_auth.c -o $@ ip_fil_u.o: $(TOP)/ip_fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_fil.c -o $@ ip_rules_u.o: ip_rules.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_rules.h $(CC) $(CCARGS) $(EXTRA) -c ip_rules.c -o $@ ip_scan_u.o: $(TOP)/ip_scan.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_scan.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_scan.c -o $@ ip_sync_u.o: $(TOP)/ip_sync.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_sync.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_sync.c -o $@ ip_pool_u.o: $(TOP)/ip_pool.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_pool.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_pool.c -o $@ ip_htable_u.o: $(TOP)/ip_htable.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_htable.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_htable.c -o $@ ip_lookup_u.o: $(TOP)/ip_lookup.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_lookup.h $(TOP)/ip_pool.h $(TOP)/ip_htable.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_lookup.c -o $@ ip_trafcon_u.o: $(TOP)/ip_trafcon.c 
$(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_trafcon.h $(CC) $(CCARGS) -c $(TOP)/ip_trafcon.c -o $@ ip_log_u.o: $(TOP)/ip_log.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/ip_log.c -o $@ md5_u.o: $(TOP)/md5.c $(TOP)/md5.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/md5.c -o $@ radix_u.o: $(TOP)/md5.c $(TOP)/radix_ipf.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/radix.c -o $@ bpf_filter_u.o: $(TOP)/bpf_filter.c $(TOP)/pcap-ipf.h $(CC) $(CCARGS) $(EXTRA) -c $(TOP)/bpf_filter.c -o $@ if_ipl.o: $(MODOBJS) ld -r $(MODOBJS) -o $(LKM) ${RM} -f if_ipl ipfrule.ko.5: ip_rulesx.o $(MLR) ld -warn-common -r -d -o $(.TARGET:S/.ko/.kld/) ip_rulesx.o $(MLR) ld -Bshareable -d -warn-common -o $(LKMR:S/.5$//) $(.TARGET:S/.ko/.kld/) ipfrule.ko: ip_rulesx.o $(MLR) gensetdefs ip_rulesx.o $(MLR) - $(CC) $(CCARGS) -c setdef0.c - $(CC) $(CCARGS) -c setdef1.c + $(CC) $(KCARGS) -c setdef0.c + $(CC) $(KCARGS) -c setdef1.c ld -Bshareable -o $@ setdef0.o ip_rulesx.o $(MLR) setdef1.o ipf.ko.5 ipl.ko.5: $(MODOBJS) ld -warn-common -r -d -o $(.TARGET:S/.ko/.kld/) $(MODOBJS) ld -Bshareable -d -warn-common -o $(LKM:S/.5$//) $(.TARGET:S/.ko/.kld/) ipf.ko ipl.ko: $(MODOBJS) gensetdefs $(MODOBJS) - $(CC) $(CCARGS) -c setdef0.c - $(CC) $(CCARGS) -c setdef1.c + $(CC) $(KCARGS) -c setdef0.c + $(CC) $(KCARGS) -c setdef1.c ld -Bshareable -o $@ setdef0.o $(MODOBJS) setdef1.o ip_nat.o: $(TOP)/ip_nat.c $(TOP)/ip_nat.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h - $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@ + $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_nat.c -o $@ ip_frag.o: $(TOP)/ip_frag.c $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_fil.h - $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@ + $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_frag.c -o $@ ip_state.o: $(TOP)/ip_state.c $(TOP)/ip_state.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(TOP)/ip_nat.h - $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@ + $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@ ip_proxy.o: $(TOP)/ip_proxy.c $(TOP)/ip_proxy.h 
$(TOP)/ip_compat.h \ $(TOP)/ip_fil.h $(PROXYLIST) $(TOP)/ip_nat.h - $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@ + $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_proxy.c -o $@ ip_auth.o: $(TOP)/ip_auth.c $(TOP)/ip_auth.h $(TOP)/ip_compat.h \ $(TOP)/ip_fil.h - $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@ + $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_auth.c -o $@ ip_fil.c: /bin/rm -f ip_fil.c ln -s $(TOP)/ip_fil_`uname -s|tr A-Z a-z`.c ip_fil.c ip_fil.o: ip_fil.c $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h - $(CC) $(CCARGS) $(DFLAGS) $(COMPIPF) -c ip_fil.c -o $@ + $(CC) $(KCARGS) $(DFLAGS) $(COMPIPF) -c ip_fil.c -o $@ ip_log.o: $(TOP)/ip_log.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h - $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@ + $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_log.c -o $@ ip_scan.o: $(TOP)/ip_scan.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_scan.h - $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_scan.c -o $@ + $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_scan.c -o $@ ip_sync.o: $(TOP)/ip_sync.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h $(TOP)/ip_sync.h - $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_sync.c -o $@ + $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_sync.c -o $@ ip_pool.o: $(TOP)/ip_pool.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_lookup.h $(TOP)/ip_pool.h - $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_pool.c -o $@ + $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_pool.c -o $@ ip_htable.o: $(TOP)/ip_htable.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_lookup.h $(TOP)/ip_htable.h - $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_htable.c -o $@ + $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_htable.c -o $@ ip_lookup.o: $(TOP)/ip_lookup.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_pool.h $(TOP)/ip_htable.h $(TOP)/ip_lookup.h - $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_lookup.c -o $@ + $(CC) $(KCARGS) $(DFLAGS) -c $(TOP)/ip_lookup.c -o $@ ip_trafcon.o: $(TOP)/ip_trafcon.c $(TOP)/ip_compat.h $(TOP)/ip_fil.h \ $(TOP)/ip_trafcon.h - $(CC) $(CCARGS) $(DFLAGS) -c $(TOP)/ip_trafcon.c -o $@ + $(CC) 
$(KCARGS) $(DFLAGS) -c $(TOP)/ip_trafcon.c -o $@ vnode_if.h: $(VNODESHDIR)/vnode_if.src mkdir -p ../sys if [ -f $(VNODESHDIR)/vnode_if.sh ] ; then \ sh $(VNODESHDIR)/vnode_if.sh $(VNODESHDIR)/vnode_if.src; \ fi if [ -f $(VNODESHDIR)/vnode_if.pl ] ; then \ perl $(VNODESHDIR)/vnode_if.pl $(VNODESHDIR)/vnode_if.src; \ fi if [ -f ../sys/vnode_if.h ] ; then mv ../sys/vnode_if.h .; fi rmdir ../sys ml_ipl.o: vnode_if.h $(TOP)/$(MLD) $(TOP)/ipl.h -/bin/rm -f vnode_if.c $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/$(ML) -o $@ ip_rules.o: ip_rules.c $(TOP)/ip_rules.h $(CC) -I. $(CFLAGS) $(DFLAGS) $(COMPIPF) -c ip_rules.c -o $@ ip_rules.c: $(TOP)/rules/ip_rules $(TOP)/tools/ipfcomp.c ipf ./ipf -cc -nf $(TOP)/rules/ip_rules $(TOP)/ip_rules.h: ip_rules.c if [ ! -f $(TOP)/ip_rules.h ] ; then \ /bin/mv -f ip_rules.h $(TOP); \ else \ touch $(TOP)/ip_rules.h; \ fi ip_rulesx.o: ip_rules.c $(TOP)/ip_rules.h $(CC) -I. $(CFLAGS) $(DFLAGS) -DIPFILTER_COMPILED -c ip_rules.c -o $@ mlf_rule.o: $(TOP)/mlf_rule.c $(TOP)/ip_rules.h $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlf_rule.c -o $@ mln_rule.o: $(TOP)/mln_rule.c $(TOP)/ip_rules.h $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mln_rule.c -o $@ mlo_rule.o: $(TOP)/mlo_rule.c $(TOP)/ip_rules.h $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlo_rule.c -o $@ mlfk_rule.o: $(TOP)/mlfk_rule.c $(TOP)/ip_rules.h $(CC) -I. $(CFLAGS) $(DFLAGS) -c $(TOP)/mlfk_rule.c -o $@ ipf_y.o: ipf_y.c ipf_y.h $(TOP)/ipf.h ipf_l.h $(TOP)/opts.h $(CC) $(CCARGS) $(IPFBPF) -c ipf_y.c -o $@ ipf_l.o: ipf_l.c ipf_y.h $(TOP)/ipf.h ipf_l.h $(TOP)/opts.h $(CC) $(CCARGS) -I. 
-c ipf_l.c -o $@ ipf_y.c: $(TOOL)/ipf_y.y $(TOP)/ipf.h $(TOP)/opts.h (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) ipf_y.h: ipf_y.c ipf_l.c: $(TOOL)/lexer.c $(TOP)/ipf.h $(TOP)/opts.h (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) ipf_l.h: $(TOOL)/lexer.h (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) ipmon: $(IPMON) $(OBJ)/libipf.a $(CC) $(CCARGS) $(IPMON) -o $@ $(LIBS) -ll ipmon.o: $(TOOL)/ipmon.c $(TOP)/ipmon.h $(CC) $(CCARGS) $(LOGFAC) -c $(TOOL)/ipmon.c -o $@ ipmon_y.o: ipmon_y.c ipmon_y.h $(TOP)/ipmon.h ipmon_l.h $(CC) $(CCARGS) -c ipmon_y.c -o $@ ipmon_l.o: ipmon_l.c ipmon_y.h $(TOP)/ipmon.h $(CC) $(CCARGS) -I. -c ipmon_l.c -o $@ ipmon_y.c: $(TOOL)/ipmon_y.y $(TOP)/ipmon.h (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) ipmon_y.h: ipmon_y.c ipmon_l.c: $(TOOL)/lexer.c $(TOP)/ipmon.h (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) ipmon_l.h: $(TOOL)/lexer.h (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) ipscan: ipscan_y.o ipscan_l.o $(CC) $(DEBUG) ipscan_y.o ipscan_l.o -o $@ -ll $(LIBS) -lkvm ipscan_y.o: ipscan_y.c ipscan_y.h $(TOP)/ip_scan.h ipscan_l.h $(CC) $(CCARGS) -c ipscan_y.c -o $@ ipscan_l.o: ipscan_l.c ipscan_y.h $(TOP)/ip_scan.h $(CC) $(CCARGS) -I. -c ipscan_l.c -o $@ ipscan_y.c: $(TOOL)/ipscan_y.y $(TOP)/ip_scan.h (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) ipscan_y.h: ipscan_y.c ipscan_l.c ipscan_l.h: $(TOOL)/lexer.c $(TOP)/ip_scan.h (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) ippool: $(IPPOOL) $(OBJ)/libipf.a $(CC) $(DEBUG) -I. $(CFLAGS) $(IPPOOL) -o $@ -ll -lkvm -L. -lipf ippool.o: $(TOOL)/ippool.c $(TOP)/ip_pool.h $(CC) $(CCARGS) -c $(TOOL)/ippool.c -o $@ ippool_y.o: ippool_y.c ippool_y.h $(TOP)/ip_pool.h ippool_l.h $(CC) $(CCARGS) -c ippool_y.c -o $@ ippool_l.o: ippool_l.c ippool_y.h $(TOP)/ip_pool.h $(CC) $(CCARGS) -I. 
-c ippool_l.c -o $@ ippool_y.c: $(TOOL)/ippool_y.y $(TOP)/ip_pool.h ippool_l.h (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) ippool_y.h: ippool_y.c ippool_l.c: $(TOOL)/lexer.c $(TOP)/ip_pool.h (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) ippool_l.h: $(TOOL)/lexer.h (cd $(TOOL); make "DEST=$(HERE)" $(HERE)/$@) iptrafcon.o: $(TOP)/iptrafcon.c $(CC) $(CCARGS) -c $< -o $@ iptrafcon: $(IPTRAFCON) $(OBJ)/libipf.a $(CC) $(CCARGS) $(IPTRAFCON) -o $@ $(LIBS) .y.c: .l.c: clean: ${RM} -f ../ipf ../ipnat ../ipmon ../ippool ../ipftest ${RM} -f ../ipscan ../ipsyncm ../ipsyncs ${RM} -f *.core *.o *.a ipt ipfstat ipf ipfstat ipftest ipmon ${RM} -f if_ipl ipnat ipfrule.ko* ipf.kld* ${RM} -f vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h ${RM} -f ip_fil.c ipf_l.c ipf_y.c ipf_y.h ipf_l.h ${RM} -f ipscan ipscan_y.c ipscan_y.h ipscan_l.c ipscan_l.h ${RM} -f ippool ippool_y.c ippool_y.h ippool_l.c ippool_l.h ${RM} -f ipnat_y.c ipnat_y.h ipnat_l.c ipnat_l.h ${RM} -f ipmon_y.c ipmon_y.h ipmon_l.c ipmon_l.h ${RM} -f ipsyncm ipsyncs ipfs ip_rules.c ip_rules.h + ${RM} -f *.da *.gcov *.bb *.bbg tools ${MAKE} -f Makefile.ipsend ${MFLAGS} clean if [ -f Makefile.kmod ] ; then \ ${MAKE} -f Makefile.kmod ${MFLAGS} clean; \ fi -(for i in *; do \ if [ -d $${i} -a -f $${i}/Makefile ] ; then \ cd $${i}; (make TOP=../.. 
clean); cd ..; \ /bin/rm -f $${i}/Makefile $${i}/Makefile.ipsend; \ /bin/rm -f $${i}/Makefile.kmod; \ rmdir $${i}; \ fi \ done) install: for i in ip_compat.h ip_fil.h ip_nat.h ip_state.h ip_proxy.h \ ip_frag.h ip_auth.h; do \ /bin/cp $(TOP)/$$i /usr/include/netinet/; \ $(CHMOD) 444 /usr/include/netinet/$$i; \ done -if [ -d /lkm -a -f if_ipl.o ] ; then \ cp if_ipl.o /lkm; \ fi -if [ -d /modules -a -f ipf.ko ] ; then \ cp ipf.ko /modules; \ fi -if [ -d /modules -a -f ipfrule.ko ] ; then \ cp ipfrule.ko /modules; \ fi -if [ -d /boot/kernel -a -f ipf.ko ] ; then \ cp ipf.ko /boot/kernel; \ fi -if [ -d /boot/kernel -a -f ipfrule.ko ] ; then \ cp ipfrule.ko /boot/kernel; \ fi -if [ -d /usr/lkm -a -f if_ipl.o ] ; then \ cp if_ipl.o /usr/lkm; \ fi -$(INSTALL) -cs -g wheel -m 755 -o root ipscan $(SBINDEST) (cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP)) @for i in ipf:$(SBINDEST) ipfs:$(SBINDEST) ipnat:$(SBINDEST) \ ippool:$(BINDEST) ipsyncm:$(BINDEST) ipsyncs:$(BINDEST) \ ipfstat:$(SBINDEST) ipftest:$(SBINDEST) ipmon:$(BINDEST); do \ def="`expr $$i : '[^:]*:\(.*\)'`"; \ p="`expr $$i : '\([^:]*\):.*'`"; \ dd=; \ for d in $(SEARCHDIRS); do \ if [ -f $$d/$$p ] ; then \ echo "$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d"; \ $(INSTALL) -cs -g wheel -m 755 -o root $$p $$d; \ dd=XXX; \ fi; \ done; \ if [ -z "$$dd" ] ; then \ echo $(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \ $(INSTALL) -cs -g wheel -m 755 -o root $$p $$def; \ fi \ done (cd $(TOP)/man; make INSTALL=$(INSTALL) MANDIR=$(MANDIR) install; cd $(TOP)) + +coverage: + ksh -c 'for i in *.da; do j=$${i%%.da}.c; gcov $$j 2>&1 | egrep -v "y.tab.c|Could|Creating|_l\.c|\.h"; done' | sort -n > report + sort -n report | perl -e 'while(<>) { next if (/^0.00/); s/\%//g; @F=split;$$lc+=$$F[2];$$t += $$F[0]/100*$$F[2];} printf "%d of %d = %d%%\n", $$t, $$lc,$$t/$$lc*100;' >> report + +clean-coverage: + /bin/rm -f *.gcov *.da 
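Review bot: The perl summary at the end of the new `coverage` recipe divides by `$$lc` without a guard, so when `report` holds no countable lines (for example a tree built without profiling, where no `.da` files exist) the recipe fails on a division by zero after `report` has already been overwritten. A guarded print such as `printf "%d of %d = %d%%\n", $$t, $$lc, $$lc ? $$t/$$lc*100 : 0;` avoids that. The recipe also depends on `ksh` for the `$${i%%.da}` expansion, which deserves a one-line comment above the target, e.g. `# coverage: needs ksh, gcov and perl; writes ./report`. Separately, `UFLAGS` is appended to `CCARGS` but is neither defined nor described in this hunk, while the kernel objects are moved to `KCARGS`; a comment next to the two assignments such as `# UFLAGS: user-space-only flags; kernel objects use KCARGS so they never pick these up` would record what appears to be the reason for the split.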
diff --git a/contrib/ipfilter/BSD/Makefile.ipsend b/contrib/ipfilter/BSD/Makefile.ipsend
index 410ea67c14fa..a83de1c6a92c 100644
--- a/contrib/ipfilter/BSD/Makefile.ipsend
+++ b/contrib/ipfilter/BSD/Makefile.ipsend
@@ -1,108 +1,108 @@ # -# Id: Makefile.ipsend,v 2.8 2002/05/22 16:15:36 darrenr Exp +# $Id: Makefile.ipsend,v 2.8 2002/05/22 16:15:36 darrenr Exp $ # BINDEST=/usr/sbin SBINDEST=/sbin MANDIR=/usr/share/man OBJS=ipsend.o ip.o ipsopt.o iplang_y.o iplang_l.o IPFTO=ipft_ef.o ipft_hx.o ipft_pc.o ipft_sn.o ipft_td.o ipft_tx.o ROBJS=ipresend.o ip.o resend.o TOBJS=iptest.o iptests.o ip.o UNIXOBJS=sbpf.o sock.o 44arp.o OBJ=. LIBS=-L$(OBJ) -lipf CC=gcc -Wuninitialized -Wstrict-prototypes -O CFLAGS=-g -I$(TOP) # MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \ "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \ "SOLARIS2=$(SOLARIS2)" "DEBUG=$(DEBUG)" "DCPU=$(CPU)" \ "CPUDIR=$(CPUDIR)" "LOOKUP=$(LOOKUP)" # all build bsd-bpf : ipsend ipresend iptest iplang_y.o: $(TOP)/iplang/iplang_y.y (cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' ) iplang_l.o: $(TOP)/iplang/iplang_l.l (cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' ) .c.o: $(CC) $(DEBUG) $(CFLAGS) -c $< -o $@ ipsend: $(OBJS) $(UNIXOBJS) $(CC) $(DEBUG) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) -ll ipresend: $(ROBJS) $(UNIXOBJS) $(CC) $(DEBUG) $(ROBJS) $(UNIXOBJS) -o $@ $(LIBS) iptest: $(TOBJS) $(UNIXOBJS) $(CC) $(DEBUG) $(TOBJS) $(UNIXOBJS) -o $@ $(LIBS) clean: rm -rf *.o core a.out ipsend ipresend iptest iplang_y.* iplang_l.* ipsend.o: $(TOP)/ipsend/ipsend.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipsend.c -o $@ ipsopt.o: $(TOP)/ipsend/ipsopt.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipsopt.c -o $@ ipresend.o: $(TOP)/ipsend/ipresend.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ipresend.c -o $@ ip.o: $(TOP)/ipsend/ip.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/ip.c -o $@ resend.o: $(TOP)/ipsend/resend.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/resend.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipft_sn.c -o $@ ipft_pc.o: $(TOP)/ipft_pc.c $(CC) $(DEBUG) 
$(CFLAGS) -c $(TOP)/ipft_pc.c -o $@ iptest.o: $(TOP)/ipsend/iptest.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/iptest.c -o $@ iptests.o: $(TOP)/ipsend/iptests.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/iptests.c -o $@ sbpf.o: $(TOP)/ipsend/sbpf.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sbpf.c -o $@ snit.o: $(TOP)/ipsend/snit.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/snit.c -o $@ sock.o: $(TOP)/ipsend/sock.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sock.c -o $@ arp.o: $(TOP)/ipsend/arp.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/arp.c -o $@ 44arp.o: $(TOP)/ipsend/44arp.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/44arp.c -o $@ lsock.o: $(TOP)/ipsend/lsock.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/lsock.c -o $@ slinux.o: $(TOP)/ipsend/slinux.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/slinux.c -o $@ larp.o: $(TOP)/ipsend/larp.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/larp.c -o $@ dlcommon.o: $(TOP)/ipsend/dlcommon.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/dlcommon.c -o $@ sdlpi.o: $(TOP)/ipsend/sdlpi.c $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/ipsend/sdlpi.c -o $@ install: -$(INSTALL) -cs -g wheel -m 755 -o root ipsend ipresend iptest $(BINDEST) diff --git a/contrib/ipfilter/BSD/kupgrade b/contrib/ipfilter/BSD/kupgrade index 91f32daab43b..77a6ba1f534e 100644 --- a/contrib/ipfilter/BSD/kupgrade +++ b/contrib/ipfilter/BSD/kupgrade 
@@ -1,252 +1,260 @@ #!/bin/sh # PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH argv0=`basename $0` os=`uname -s` rev=`uname -r` maj=`expr $rev : '\([0-9]*\)\.'` min=`expr $rev : '[0-9]*\.\([0-9]*\)'` sub=`expr $rev : '[0-9]*\.[0-9]*\.\([0-9]*\)'` # try to bomb out fast if anything fails.... set -e fullrev=`printf '%02d%02d%02d' $maj $min $sub` dir=`pwd` karch=`uname -m` archdir="/sys/arch/$karch" ipfdir=/sys/netinet if [ -d /sys/contrib/ipfilter ] ; then ipfdir=/sys/contrib/ipfilter/netinet fi if [ -d /sys/dist/ipf ] ; then ipfdir=/sys/dist/ipf/netinet fi confdir="$archdir/conf" if [ -f /dev/ipnat ] ; then major=`ls -l /dev/ipnat | sed -e 's/.* \([0-9]*\),.*/\1/'` echo "Major number for IP Filter is $major" else major=x fi +if [ ! -f ip_rules.c -o ! -f ip_rules.h ] ; then + echo "Please do a build of ipfilter and then run the following" + echo "command to build extra files:" + echo + echo "make ip_rules.c" + exit 1 +fi + echo -n "Installing " for j in auth frag nat proxy scan state sync pool htable lookup rules; do for i in ip_$j.[ch]; do if [ -f "$i" ] ; then echo -n " $i" cp $i $ipfdir chmod 644 $ipfdir/$i fi done done case $os in SunOS) case `uname -r` in 5.*) filc=ip_fil_solaris.c ;; 4.*) filc=ip_fil_sunos.c ;; esac ;; *BSD) filc=ip_fil_`echo $os | tr A-Z a-z`.c case $os in FreeBSD) cp mlfk_ipl.c $ipfdir/ ;; *) ;; esac ;; esac if [ -f $ipfdir/$filc ] ; then echo -n "$filc -> $ipfdir/$filc " cp $filc $ipfdir/$filc chmod 644 $ipfdir/$filc fi if [ -f $ipfdir/ip_fil.c ] ; then echo -n "$filc -> $ipfdir/ip_fil.c " cp $filc $ipfdir/ip_fil.c chmod 644 $ipfdir/ip_fil.c fi for i in ip_fil.h fil.c ip_log.c ip_compat.h ipl.h ip_*_pxy.c; do echo -n " $i" cp $i $ipfdir chmod 644 $ipfdir/$i done echo "" echo -n "Installing into /usr/include/netinet" for j in auth compat fil frag nat proxy scan state sync pool htable lookup; do i=ip_$j.h if [ -f "$i" ] ; then echo -n " $i" cp $i /usr/include/netinet/$i chmod 644 /usr/include/netinet/$i fi done for j in ipl.h; do if [ -f "$j" 
] ; then echo -n " $j" cp $j /usr/include/netinet/$j chmod 644 /usr/include/netinet/$j fi done echo if [ -f /sys/netinet/ip_fil_compat.h ] ; then echo "Linking /sys/netinet/ip_compat.h to /sys/netinet/ip_fil_compat.h" rm /sys/netinet/ip_fil_compat.h ln -s /sys/netinet/ip_compat.h /sys/netinet/ip_fil_compat.h fi if [ $major != x ] ; then if [ ! -e /dev/ipsync ] ; then echo "Creating /dev/ipsync" mknod /dev/ipsync c $major 4 fi if [ ! -e /dev/ipsync ] ; then echo "Creating /dev/ipscan" mknod /dev/ipsync c $major 5 fi if [ ! -e /dev/iplookup ] ; then echo "Creating /dev/iplookup" mknod /dev/iplookup c $major 6 fi fi set +e os=`uname -s` if [ $os = FreeBSD -a -f /sys/conf/files ] ; then cd /sys/conf if [ -f options ] ; then if [ ! -f options.preipf4 ] ; then mv options options.preipf4 cp -p options.preipf4 options fi for i in SCAN SYNC LOOKUP COMPILED; do grep IPFILTER_$i options >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo >> options echo "# extra option for IP Filter" >> options echo "IPFILTER_$i opt_ipfilter.h" >> options fi done fi if [ ! -f files.preipf4 ] ; then mv files files.preipf4 cp -p files.preipf4 files fi for i in htable pool lookup; do grep ip_$i.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo "contrib/ipfilter/netinet/ip_$i.c optional ipfilter inet ipfilter_lookup" >> files fi done grep ip_sync.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo 'contrib/ipfilter/netinet/ip_sync.c optional ipfilter inet ipfilter_sync' >> files fi grep ip_scan.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo 'contrib/ipfilter/netinet/ip_scan.c optional ipfilter inet ipfilter_scan' >> files fi grep ip_rules.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo 'contrib/ipfilter/netinet/ip_rules.c optional ipfilter inet ipfilter_compiled' >> files fi fi if [ $os = NetBSD -a -f /sys/conf/files ] ; then cd /sys/conf if [ ! 
-f files.preipf4 ] ; then mv files files.preipf4 cp -p files.preipf4 files fi if [ $fullrev -ge 010600 -a $fullrev -lt 020000 ] ; then for i in htable pool lookup; do grep ip_$i.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo "file netinet/ip_$i.c ipfilter & ipfilter_lookup" >> files fi done grep ip_sync.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo 'file netinet/ip_sync.c ipfilter & ipfilter_sync' >> files fi grep ip_scan.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo 'file netinet/ip_scan.c ipfilter & ipfilter_scan' >> files fi grep ip_rules.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo 'file netinet/ip_rules.c ipfilter & ipfilter_compiled' >> files fi fi fi if [ $os = OpenBSD -a -f /sys/conf/files ] ; then cd /sys/conf if [ ! -f files.preipf4 ] ; then mv files files.preipf4 cp -p files.preipf4 files fi if [ $fullrev -ge 030400 ] ; then for i in htable pool lookup; do grep ip_$i.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo "file netinet/ip_$i.c ipfilter & ipfilter_lookup" >> files fi done grep ip_sync.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo 'file netinet/ip_sync.c ipfilter & ipfilter_sync' >> files fi grep ip_scan.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo 'file netinet/ip_scan.c ipfilter & ipfilter_scan' >> files fi grep ip_rules.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then echo 'file netinet/ip_rules.c ipfilter & ipfilter_compiled' >> files fi fi fi if [ -f /usr/src/sys/modules/ipfilter/Makefile -a \ ! -f /usr/src/sys/modules/ipfilter/Makefile.orig ] ; then cat | (cd /usr/src/sys/modules/ipfilter; patch) <<__EOF__ *** Makefile.orig Mon Mar 28 09:10:11 2005 --- Makefile Mon Mar 28 09:12:51 2005 *************** *** 5,13 **** KMOD= ipl SRCS= mlfk_ipl.c ip_nat.c ip_frag.c ip_state.c ip_proxy.c ip_auth.c \\ ! ip_log.c ip_fil.c fil.c .if !defined(NOINET6) CFLAGS+= -DUSE_INET6 .endif CFLAGS+= -I$${.CURDIR}/../../contrib/ipfilter ! 
CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DPFIL_HOOKS --- 5,15 ---- KMOD= ipl SRCS= mlfk_ipl.c ip_nat.c ip_frag.c ip_state.c ip_proxy.c ip_auth.c \\ ! ip_log.c ip_fil.c fil.c ip_lookup.c ip_pool.c ip_htable.c \\ ! ip_sync.c ip_scan.c ip_rules.c .if !defined(NOINET6) CFLAGS+= -DUSE_INET6 .endif CFLAGS+= -I$${.CURDIR}/../../contrib/ipfilter ! CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DPFIL_HOOKS \\ ! -DIPFILTER_LOOKUP -DIPFILTER_COMPILED __EOF__ fi exit 0 diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0 b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0 index 8a827cf899e3..c232b2c15972 100755 --- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0 +++ b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.0 
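Review bot: The new `ip_rules.c`/`ip_rules.h` guard in kupgrade prints its message to stdout and does not say which directory was checked, so an operator who runs the script from the wrong place gets no hint why it stopped. Sending the diagnostic to stderr with values the script already holds, e.g. `echo "$argv0: ip_rules.c and ip_rules.h must exist in $dir" >&2`, ahead of the build instructions would make the failure easier to act on. The guard runs before any file is copied into the kernel tree, which is the right place for it; the rest of the script lies outside the changed lines.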
@@ -1,63 +1,61 @@ -.\" $NetBSD$ -.\" *** ip6_input.c.orig Sun Feb 13 14:32:01 2000 --- ip6_input.c Wed Apr 26 22:31:34 2000 *************** *** 121,126 **** --- 121,127 ---- extern struct domain inet6domain; extern struct ip6protosw inet6sw[]; + extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); u_char ip6_protox[IPPROTO_MAX]; static int ip6qmaxlen = IFQ_MAXLEN; *************** *** 302,307 **** --- 303,317 ---- ip6stat.ip6s_badvers++; in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); goto bad; + } + + if (fr_checkp) { + struct mbuf *m1 = m; + + if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif, + 0, &m1) || !m1) + return; + ip6 = mtod(m = m1, struct ip6_hdr *); } ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; *** ip6_output.c.orig Fri Mar 10 01:57:16 2000 --- ip6_output.c Wed Apr 26 22:34:34 2000 *************** *** 108,113 **** --- 108,115 ---- #include #endif + extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); + static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options"); struct ip6_exthdrs { *************** *** 754,759 **** --- 756,770 ---- ip6->ip6_src.s6_addr16[1] = 0; if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) ip6->ip6_dst.s6_addr16[1] = 0; + } + + if (fr_checkp) { + struct mbuf *m1 = m; + + if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) || + !m1) + goto done; + ip6 = mtod(m = m1, struct ip6_hdr *); } #ifdef IPV6FIREWALL diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1 b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1 index a6a461299036..90dac19eb044 100644 --- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1 +++ b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.1 
@@ -1,65 +1,63 @@ -.\" $NetBSD$ -.\" *** ip6_input.c.orig Sat Jul 15 07:14:34 2000 --- ip6_input.c Thu Oct 19 17:14:37 2000 *************** *** 120,125 **** --- 120,127 ---- extern struct domain inet6domain; extern struct ip6protosw inet6sw[]; + extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, + struct mbuf **)); u_char ip6_protox[IPPROTO_MAX]; static int ip6qmaxlen = IFQ_MAXLEN; *************** *** 289,294 **** --- 291,305 ---- ip6stat.ip6s_badvers++; in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); goto bad; + } + + if (fr_checkp) { + struct mbuf *m1 = m; + + if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif, + 0, &m1) || !m1) + return; + ip6 = mtod(m = m1, struct ip6_hdr *); } ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; *** ip6_output.c.orig Sat Jul 15 07:14:35 2000 --- ip6_output.c Thu Oct 19 17:13:53 2000 *************** *** 106,111 **** --- 106,113 ---- #include #endif + extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); + static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options"); struct ip6_exthdrs { *************** *** 787,792 **** --- 789,803 ---- ip6->ip6_src.s6_addr16[1] = 0; if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) ip6->ip6_dst.s6_addr16[1] = 0; + } + + if (fr_checkp) { + struct mbuf *m1 = m; + + if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) || + !m1) + goto done; + ip6 = mtod(m = m1, struct ip6_hdr *); } #ifdef IPV6FIREWALL diff --git a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2 b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2 index a6a461299036..90dac19eb044 100644 --- a/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2 +++ b/contrib/ipfilter/FreeBSD-4.0/ipv6-patch-4.2 
@@ -1,65 +1,63 @@ -.\" $NetBSD$ -.\" *** ip6_input.c.orig Sat Jul 15 07:14:34 2000 --- ip6_input.c Thu Oct 19 17:14:37 2000 *************** *** 120,125 **** --- 120,127 ---- extern struct domain inet6domain; extern struct ip6protosw inet6sw[]; + extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, + struct mbuf **)); u_char ip6_protox[IPPROTO_MAX]; static int ip6qmaxlen = IFQ_MAXLEN; *************** *** 289,294 **** --- 291,305 ---- ip6stat.ip6s_badvers++; in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); goto bad; + } + + if (fr_checkp) { + struct mbuf *m1 = m; + + if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif, + 0, &m1) || !m1) + return; + ip6 = mtod(m = m1, struct ip6_hdr *); } ip6stat.ip6s_nxthist[ip6->ip6_nxt]++; *** ip6_output.c.orig Sat Jul 15 07:14:35 2000 --- ip6_output.c Thu Oct 19 17:13:53 2000 *************** *** 106,111 **** --- 106,113 ---- #include #endif + extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); + static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options"); struct ip6_exthdrs { *************** *** 787,792 **** --- 789,803 ---- ip6->ip6_src.s6_addr16[1] = 0; if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) ip6->ip6_dst.s6_addr16[1] = 0; + } + + if (fr_checkp) { + struct mbuf *m1 = m; + + if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) || + !m1) + goto done; + ip6 = mtod(m = m1, struct ip6_hdr *); } #ifdef IPV6FIREWALL diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 9b93e8309cab..32daed422bb3 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
@@ -1,1885 +1,1964 @@
 #
 # NOTE: Quite a few patches and suggestions come from other sources, to whom
 # I'm greatly indebted, even if no names are mentioned.
 #
 # Thanks to the Coombs Computing Unit at the ANU for their continued support
 # in providing a very available location for the IP Filter home page and
 # distribution center.
 #
 # Thanks also to all those who have contributed patches and other code,
 # and especially those who have found the time to port IP Filter to new
 # platforms.
 #
+4.1.10 - Released 6 December 2005
+
+Expand regression testing to cover more features
+
+Add "coverage" build target for BSD
+
+Fix building 64bit sparc target for Solaris
+
+Add IPv6 mobility header to list of accepted keywords for V6 headers
+
+Resolve locking problems on Solaris when sending RST/icmp packets
+
+#ifdef's for IPFILTER_BPF need to check if words are defined before
+using them in comparisons
+
+Add checking for SACK permitted option in TCP SYN packets
+
+Fix loading anonymous pools from inline rule configuration groups
+
+Add -C command line option to ipftest
+
+Include extra "const" from NetBSD
+
+Don't require SIOCKSTLCK for SIOCSTPUT
+
+Fix some use of "sticky" on NAT rules
+
+Fix statistical counting of deleting state for TCP connections
+
+Fix compile problems caused by changes to is_opt/is_optmsk in ip_sync.c
+
+Fix TCP out-of-window (OOW) problems:
+- window scaling turned off if one chose for its scale factor
+- Microsoft Windows TCP sends the "next packet" to the right of the window
+ when using SACK and filling in a hole
+
+4.1.9 - Released 13 August 2005
+
+make ipfilter fix IPv4 header checksums for outgoing packets if BRIDGE_IPF
+is defined when compiled.
+
+move the definition of SIOCPROXY from ip_nat.h to ip_proxy.h
+
+make the BSD/upgrade script more instructive about the requiements for
+ip_rules.[ch] when it is run
+
+register for interface events on FreeBSD (>5.2.1) and NetBSD so that
+"ipf -y" is not not requried to tell ipfilter about interface changes.
+
+for "quick" rules that do "keep state", move the state adding into the rule
+evaluation so that we can detect it failing as rules are evaluated and
+continue on to the next rather than wait until we're done and it's too late
+to recover for more rule processing.
+
+mark ICMP packets advertising an MTU that's too small as being bad
+
+rework ipv6 header parsing to get better code reuse and fix logic errors
+in dealing with ipv6 packets containing fragment headers. Also, where a
+protocol handler was doing both v4 & v6, make a seperate function for each.
+
+build for both amd64 and i86pc (32bit) on Solaris10 and later, if possible
+
+include start of work to get IPFilter working on AIX 5.3
+
+Use FI_ICMPERR flag rather than try to compute its equivalent all the time
+
+Rewrork IPv6 extension header parsing to get better code reuse
+
+Add missing timeout on Linux
+
+Fix for locking when reading from ipsync (Frank Volf)
+
+Fix insertion/appending of rules that use a collection number
+
+Somehow turning up the spl knob to splnet disappeared on platforms that still
+use the spl interface.
+
+fix problems with "ipf -T" not listing multiple variables properly
+
 4.1.8 - Released 29 March 2005 include path from Phil Dibowitz for sorting ipfstat -t output by source or destination port. fix a bug in printing rules where interface names could not be printed, even if they're in the rule structure.
fix BSD/kupgrade to correctly change ipfilter lkm Makefile for FreeBSD add 2 new features to SIOCGNATL: - if IPN_FINDFORWARD is set, check if the respective MAP is already present in the outbound table - if IPN_IN is set, search for a matching MAP entry instead of RDR (Peter Potsma) turn off function inlining for freebsd 5.3+ UDP doesn't pullup enough data which can sometimes cause a panic. Fix other protocols, as required, where a similar problem may exist. overhaul the timeout queue management, especially that for user defined queues which are now only freed in an orderly manner. 4.1.7 - Released 13 March 2005 Using the GRE call field is almost impossible because it is unbalanced and both call fields are not present in each v1 header. Fix a problem where it was possible to load duplicate rules into ipf patch from John Wehle to address problems with fastroute on solaris Copying data out for ipf -z failed because it tried to copy out to an address that is a kernel pointer in user space. add "ip" timeout for both NAT & state that's for non-TCP/UDP/ICMP synch up with NetBSD's changes fix problems parsing long lines of text in the ftp proxy where they would not be parsed properly and stop the session from working enhance the PPTP proxy so that it tries to decode messages in the TCP stream so it knows when to create and destroy the state/nat sessions for GRE. There are also 4 new regression tests for it, testing map/rdr rules. impose some limits on the size of data that can be moved with SIOCSTPUT in the NAT code and also prevent a duplicate session entry from being created using this method. add a new flag (IPN_FINDFORWARD) to NAT code that can be used with SIOCGNATL to check if it is possible to create an outgoing transparent NAT mapping to compliment the redirect being investigated. 
Linux requires that the checksums in the IP header get adjusted only resolve unknown interfaces in fr_stinsert, and nuke all interface pointers in SIOCSTPUT to prevent bad data being loaded from userspace. make the byte counting for state correct (was counting data from ICMP packet twice) print out the keyword "frag-body" if the flag is set. fix ipfs loading/restoring NAT sessions patch from Frank to correctly format IP addresses in ipfstat -t output parsing port numbers in ipf/ipnat was confusing as the port number was returned in an int that was also overloaded to be the suceess/failure. instead, change the port using pass by reference and only use the return value for indicating success or failure. 4.1.6 - Released 19 February 2005 add a new timeout number to NAT (fr_defnatipage) that is used for all non-TCP/UDP/ICMP protocols - default 60 seconds. buffer leak with bad nat - David Gueluy fix memory leak with state entries created by proxies eliminate copying too much data into a scan buffer allow a trailing protocol name for map rules as well as rdr ones fix bug in parsing of <= and > for NAT rules (two were crossed over) FreeBSD's iplwrite hasn't kept pace with iplread's prototype expand documention on the karma of using "auto" in ipnat map rules add matching on IP protocol to ipnat map rules allow ippool definitions to contain no addresses to start with Linux NAT needs to modify the IP header checksum as it gets called after it has been computed by IP. UDP was missing a pullup for packet header information before examining the header 4.1.5 - Released 9 January 2005 all rules were being converted into "dup-to" rules in the kernel fix two ftp proxy problems: 1st, buffer needs to be bigger for fitting in complete RETR/CWD commands, 2nd is () use in 227 messages isn't copied over correctly. response to CWDs revert ip_off back to network byte order in the ICMP error packet that gets generated. 
4.1.4 - Released 9 January 2005 force NAT rules to only match ipv4 NAT rules (which all are, currently, by default) include state synchronisation fixes from Frank Volf make the maximum log size for internally buffered log entries accessible via "ipf -T" redesign start of fr_check() to avoid putting duplicate information in ipfilter about how much data needs to be pulled up for a protocol to be properly filtered. tidy up sending ICMP error messages - some bad inputs could result in data not being freed and/or no error returned. make the maximum size of the log buffer run-time tunable fix bug in parsing TCP header when looking for MSS option that could make the system hang change pool lookups that fail to find a match to return "no match" rather than fail. add run-time tunable debugging for proxy support code and FTP proxy. fix state table updates for entries where the first packet as an ICMPv6 multicast message fix hang when flushing state for v4/v6 and other (v6/v4) entries are present too attaching filtering to ipv6 pfil hook wasn't present for solaris don't allow rules with "keep state" and "with oow" move a bunch of userland only code from fil.c to ip_fil.c make fr_coalesce() more resiliant to bad input, just returning an error instead of crashing, making calling it easier in many places When m_pulldown doesn't return NULL, it doesn't necessarily return a pointer to the same mbuf passed in as the first arg. remove fr_unreach and use ENETUNREACH by default. 
printing out of tag data in ipf rules doesn't match input syntax ipftest(1) man page update ipfs command line option parsing still rejects some valid syntaxes SIGHUP handling by ipmon was not as safe as it could be fix various parsing regressions, including "", "tcpudp", ordering of "keep" options patches from Frank Volk: add udp_acktimeout to sysctl list for FreeBSD, ICMP packet length not calculated correctly in send_icmp_err, reply-to not printed by ipfstat, keep state with icmp passing (mtrr) patches for return-rst and return-icmp from Attila Fueloep (lichtscheu@gesindel.org) 4.1.3 - Released 18 July 2004 do some more fine tuning on NAT checksum adjustments correct IP address byte order in proxy setup for ipsec/pptp man page updates fix numerous problems with ipfs operation complete new syntax for ipmon.conf in its parser and update the sample file assign error value consistantly in fastroute code rewrite allocation of mbufs in send_reset/send_icmp_err to better use mbuf clusters and size calculations resolve problem with linux panic'ing because the wrong flag was being passed to skb_clone/skb_alloc enable use of shared/exclusive locks on freebsd5 and above do not rely on m_pkthdr.len to be valid all the time for mbufs on modern BSD and so use mbufchainlen to get the mbuf length instead replace lots of COPYIN/COPYOUT with BCOPYIN/BCOPYOUT where the data is going to be on the stack and not in userland packet buffer pointers were not refreshed & used properly in fr_check() include extra bits for OpenBSD 3.4 & 3.5. 
fix ipf/ipnat parsing regression problems with v3.4 4.1.2 - RELEASED - 27 May 2004 add state top for ipv6 fix numerous parsing regressions change sample proxies to use SIOCGNATL with the new API allow macro names to contain underscores (_) split the parser into a collection of dictionaries so that keywords do not interfere with resolving hostnames and portnames fix ipfrule LKM loading on freebsd support mapping a fixed range of ports to a single port fix timeout queue use by proxies with private queues handle space-led ftp server replies properly fix timeout queue management fix fastroute, generation of RST & ICMP packets and operation with to/fastroute resolve further linux compatibility problems replace the use of COPYIN with BCOPYIN for platforms that provide ioctl args on the stack allow flushing of ipv6 rules independant of ipv4 rules correct internal ipv6 checksum calculations if a 'keep state' rule fails to create state, block the packet rather than let it through correct all checksums in regression tests and correct NAT code to adjust checksums correctly. fix ipfs -R/-W 4.1.1 - RELEASED - 24 March 2004 allow new connections with the same port numbers as an existing one in the state table if the creating packet is a SYN timeout values have drifted, incorrectly, from what they were in 3.4 FreeBSD - compatibility changes for 5.2 don't match on sequence number (as well) for ICMO ECHO/REPLY, just the ICMP Id. field as otherwise thre is a state/NAT entry per packet pair rather than per "flow" fr_cksum() returned the wrong answer for ICMP Linux: - get return-rst and return-icmp working - treat the interface name the same as if_xname on BSD adjust expectations for TCP urgent bits based on observed traffic in the wild openbsd3.4 has ip_len/ip_off in network byte order when ipfilter is called fix flushing of hash pool gorups (ippool -F) as well as displaying them (ippool -l) passing of pointers to interface structures wrong for HP-UX/Solaris with return-* rules. 
Make the solaris boot script able to run on 2.5.1 ippool related files missing from Solaris packages The name /dev/ippool should be /dev/iplookup add regression testing for parsing long interface names in nat rules, along with mssclamp and tags. Also add test for mssclamp operation. ttl displayed for "ipfstat -t" is wrong because ttl is not computed. parse logical interface names (Sun) unloading LKMs was only working if they were enabled. sync'ing up NAT sessions when NICs change should cause NAT rules to re-lookup name->pointer mappings not all of the ippool ioctl's are IOWR and they should be because they use the ipfobj_t for passing information in/out of the kernel. leave the old values defined and handle them, for compatibility. pool stats wrong: ippoolstate used where ipoolstat should be, hash table statistics not reported at all fr_running not set correctly for OpenBSD when compiled into the kernel Allow SIOCGETFF while disabled Fix mssclamp with NAT (pasing and printing of the word, plus wrong bytes altered. How do you say "untested" ?) 4.1 - RELEASED - 12 February 2004 4.0-BETA1 20 August 2003 support 0/32 and 0/0 on the RHS in redirect rules where LHS and RHS netmasks are the same size for redirect, do 1:1 mapping for bimap rules. 
allow NAT rule to match 'all' interfaces with * as interface name do mapping of ICMP sequence id#'s in pings allow default age for NAT entries to be set per NAT rule provide round robin selection of destination addresses for redirect ipmon can load a configuration file with instructions on actions to take when a matching log entry is received now requires pfil to work on Solaris & HP-UX supports mapping outbound connections to a specific address/port support toggling of logging per ipfilter 'device' use queues to expire data rather than lists add MSN RPC proxy add IRC proxy support rules with dynamic ip addresses add ability to define a pool of addresses & networks which can then be placed in a single rule support passing entire packet back to user program for authentication support master/slave for state information sharing reorganise generic code into a lib directory and make libipf.a user programs enforce version matching with the kernel supports window scaling if seen at TCP session setup generates C code from filter rules to compile in or load as native machine code. supports loading rules comprised of BPF bytecode statements HP-UX 11 port completed and packets-per-second filtering add numerical tags to rules for filtering and display in ipmon output 3.4.4 23/05/2000 - Released don't add TCP state if it is an RST packet and (attempt) to send out RST/ICMP packets in a manner that bypasses IP Filter. add patch to work with 4.0_STABLE delayed checksums 3.4.3 20/05/2000 - Released fix ipmon -F don't truncate IPv6 packets on Solaris fix keep state for ICMP ECHO add some NAT stats and use def_nat_age rather than DEF_NAT_AGE don't make ftp proxy drop packets use MCLISREFERENCED() in tandem with M_EXT to check if IP fields need to be swapped back. 
fix up RST generation for non-Solaris get "short" flag right for IPv6 3.4.2 - 10/5/2000 - Released Fix bug in dealing with "hlen == 1 and opt > 1" - Itojun ignore previous NAT mappings for 0/0 and 0/32 rules bring in a completely new ftp proxy allow NAT to cause packets to be dropped. add NetBSD callout support for 1.4-current 3.4.1 - 30/4/2000 - Released add ratoui() and fix parsing of group numbers to allow 0 - UINT_MAX don't include opt_inet6.h for FreeBSD if KLD_MODULE is defined Solaris must use copyin() for all types of ioctl() args fix up screen/tty when leaving "top mode" of ipfstat linked list for maptable not setup correctly in nat_hostmap() check for maptable rather than nat_table[1] to see if malloc for maptable succeeded in nat_init fix handling of map NAT rules with "from/to" host specs fix printout out of source address when using "from/to" with map rules convert ip_len back to network byte order, not plen, for solaris as ip_len may have been changed by NAT and plen won't reflect this 3.4 - 27/4/2000 - Released source address spoofing can be turned on (fr_chksrc) without using filter rules group numbers are now 32bits in size, up from 16bits IPv6 filtering available add frank volf's state-top patches add load splitting and round-robin attribute to redirect rules FreeBSD-4.0 support (including KLD) add top-style operation mode for ipfstat (-t) add save/restore of IP Filter state/NAT information (ipfs) further ftp proxy security checks support for adding and removing proxies at runtime 3.3.13 26/04/2000 - Released Fix parsing of "range" with "portmap" Relax checking of ftp replies, slightly. Fix NAT timeouts for ICMP packets SunOS4 patches for ICMP redirects from Jurgen Keil (jk@tools.de) 3.3.12 16/03/2000 - Released tighten up ftp proxy behaviour. sigh. yuck. hate. fix bug in range check for NAT where the last IP# was not used. 
fix problem with icmp codes > 127 in filter rules caused bad things to happen and in particular, where #18 caused the rule to be printed erroneously. fix bug with the spl level not being reset when returning EIO from iplioctl due to ipfilter not being initialized yet. 3.3.11 04/03/2000 - Released make "or-block" work with lines that start with "log" fix up parsing and printing of rules with syslog levels in them fix from Cy Schubert for calling of apr_fini only if non-null 3.3.10 24/02/2000 - Released * fix back from guido for state tracking interfaces * update for NetBSD pfil interface changes * if attaching fails and we can abort, then cleanup when doing so. julian@computer.org: * solaris.c (fr_precheck): After calling freemsg on mt, set it point to *mp. * ipf.c (packetlogon): use flag to store the return value from get_flags. * ipmon.c (init_tabs): General cleanup so we do not have to cast an int s->s_port to u_int port and try to check if the u_int port is less than zero. 3.3.9 15/02/2000 - Released fix scheduling of bad locking in fr_addstate() used when we attach onto a filter rule. fix up ip_statesync() with storing interface names in ipstate_t fix fr_running for LKM's - Eugene Polovnikov junk using pullupmsg() for solaris - it's next to useless for what we need to do here anyway - and implement what we require. don't call fr_delstate() in fr_checkstate(), when compiled for a user program, early but when we're finished with it (got fr & pass) ipnat(5) fix from Guido on solaris2, copy message and use that with filter if there is another copy if it being used (db_ref > 1). bad for performance, but better than causing a crash. patch for solaris8-fcs compile from Casper Dik 3.3.8 01/02/2000 - Released fix state handling of SYN packets. 
add parsing recognition of extra icmp types/codes and fix handling of icmp time stamps and mask requests - Frank volf 3.3.7 25/01/2000 - Released sync on state information as well as NAT information when required record nat protocol in all nat log records don't reuse the IP# from an active NAT session if the IP# in the rule has changed dynamically. lookup the protocol for NAT log information in ipmon and pass that to portname. fix the bug with changing the outbound interface of a packet where it would lead to a panic. use fr_running instead of ipl_inited. (sysctl name change on freebsd) return EIO if someone attempts an ioctl on state/nat if ipfilter is not enabled. fix rule insertion bug make state flushing clean anything that's not fully established (4/4) call fr_state_flush() after we've released ipf_state so we don't generate a recursive mutex acquisition panic fix parsing of icmp code after return-icmp/return-icmp-as-dest and add some patches to enhance parsing strength 3.3.6 28/12/1999 - Released add in missing rwlock release in fr_checkicmpmatchingstate() and fix check for ICMP_ECHO to only be for packet, not state entry which we don't have yet. handle SIOCIPFFB in nat_ioctl() and fr_state_ioctl() fix size of friostat for SunOS4 fix bug in running off the end of a buffer in real audio proxy 3.3.5 11/12/1999 - Released fix parsing of "log level" and printing it back out too is only present on Solaris2.6/7/8 use send_icmp_err rather than icmp_error to send back a frag-needed error when doing PMTU do not use -b with add_drv on Solaris unless $BASEDIR is set. fix problem where source address in icmp replies is reversed fix yet another problem with real audio. 3.3.4 4/12/1999 - Released fix up the real audio proxy to properly setup state information and NAT entries, thanks to Laine Stump for testing/advice/fixes. 
fix ipfr_fastroute to set dst->sin_addr (Sean Farley - appears to prevent FreeBSD 3.3 from panic'ing) as this had been removed in prior hacks to this routine. fix kinstall for BSDI support ICMP errors being allowed through for ICMP packets going out with keep state enabled support hardware checksumming (gigabit ethernet cards) on Solaris thanks to Tel.Net Media for providing hardware for testing. patched from Frank Volf for ipmon (ICMP & fragmented packets) and allowing ICMP responses to ICMP packets in the keep state table. add in patches for hardware checksumming under solaris Solaris install scripts now use $BASEDIR as appropriate. add Solaris8 support fix "ipf -y" on solaris so that it rescans rules also for changes in interface pointers let ipmon become a daemon with -D if it is using syslog fix parsing of return-icmp-as-dest(foo) add reference to ipfstat -g to ipfstat.8 ipf_mutex needs to be declared for irix in ip_fil.c 3.3.3 22/10/1999 - Released add -g command line option to ipfstat to show groups still define. fix problem with fragment table not recording rule pointer when called from state functions (fin_fr not set). fixup fastroute problems with keep state rules. 
load rules into inactive set first, so we don't disable things like NIS lookups half way through processing - found by Kevin Littlejohn fix handling of unaligned ip pointer for solaris patch for fr_newauth from Rudi Sluijtman fixed htons() bug in fr_tcpsum() where ip_p wasn't cast to u_short 3.3.2 23/09/1999 - Released patches from Scott Presnell to fix rcmd proxy patches from Greg to fix Solaris detachment of interfaces add openbsd compatibility fixes fix free'ing already freed memory in ipfr_slowtimer() fix for deferencing invalid memory in cleaning up after a device disappears 3.3.1 14/8/1999 - Released remove include file sys/user.h for irix prevent people from running buildsunos directly fix up some problems with the saving of rule pointers so that NAT saves that information in case it should need to call fr_addstate() from a proxy. fix up scanning for the end of FTP messages don't remove /etc/opt/ipf in postremove attempt to prevent people running buildsolaris script without doing a "make solaris" fix timeout losing on freebsd3 3.3 7/8/1999 - Released NAT: information (rules, mappings) are stored in hash tables; setup some basic NAT regression testing. display version name of installed kernel code when initializing. add -V command line option to ipf, showing version (program and kernel module) as well as the run-status of the kernel code. fix problem with "log" rules actually affecting result of filtering. automatically use SUNWspro if available and on a 64bit Solaris system for compiling. add kernel proxies for rcmd(3) and RealAudio (PNA) use timeout/untimeout on SunOS4/BSD platforms too rather than hijacking ip_slowtimo fix IP headers generated through parsing of text information fix NAT rules to be in the correct order again. make keep-state work with to/fastroute keywords and enforce usage of those interfaces. 
update keep-state code with new algorithm from Guido add FreeBSD-3 support add return-icmp-as-dest option to retrun an ICMP packet using the original destination as the source rather than a local IP address add "level [facility.]" option to filter language add changes from Guido to state code. add code to return EPERM if the device is opened for writing and we're in securelevel 2 or greater. authentication code patches from Guido fix real audio proxy fix ipmon rule printing of interfaces and add IN/OUT to the end of ipmon log output. fix bimap rules with hash tables update addresses used in NAT mappings for 0/32 rules for any protocol but TCP if it changes on the interface - check every ip_natexpire() add redirect regression test count buckets used in the state hash table. fix sending of RST's with return-rst to use the ack number provided in the packet being replied to in addition to the sequence number. fix to compile as a 64bit application on solaris7-64bit add NAT IP mapping to ranges of IP addresses that aren't CIDR specified fix calculation of in_space parameter for NAT fix `wrapping' when incrementing the next ip address for use in NAT fix free'ing of kernel memory in ip_natunload on solaris fix -l/-U command line options from interfering with each other fix fastroute under solaris2 and cleanup compilation for solaris7 add install scripts and compile cleanly on BSD/OS 4.0 safely open files in /tmp for writing device output when testing. fix uninitialized pointer bug in NAT fix SIOCZRLST (zero list rule stats) bug with groups change some usage of u_short to u_int in function calling fix compilation for Solaris7 (SUNWspro) change solaris makefiles to build for either sparc or i386 rather than per-cpu (sun4u, etc). fixed bug in ipllog add patches from George Michaelson for FreeBSD 3.0 add patch from Guido to provide ICMP checking for known state in the same manner as is done for NAT. 
enable FTP PASV proxying and enable wildcarding in NAT/state code for ports for better PORT/PASV support with FTP. bring into main tree static nat features: map-block and "auto" portmapping. add in source host filtering for redirects (alan jones) 3.2.10 22/11/98 - Released 3.2.10beta9 17/11/98 - Released fix fr_tcpsum problems in handling mbufs with an odd number of bytes and/or split across an mbuf boundary fix NAT list entry comparisons and allow multiple entries for the same proxy (but on different ports). don't create duplicate NAT entries for repeated PORT commands. 3.2.10beta8 14/11/98 - Released always exit an rwlock before expecting to enter it again on solaris fix loop in nat_new for pre-existing nat don't setup state for an ftp connection if creating nat fails. 3.2.10beta7 05/11/98 - Released set fake window in ipft_tx.c to ensure code passes tests. cleaned up/enhanced ipnat -l/ipnat -lv output fixed NAT handling of non-TCP/UDP packets, esp. for ICMP errors returned. Solaris recusive mutex on icmp-error/tcp-reset - requires rwlock's rather than mutexes. 3.2.10beta6 03/11/98 - Released fix mixed use of krwlock_t and kmutex_t on Solaris2 fix FTP proxy back up, splitting pasv code out of port code. 
3.2.10beta5 02/11/98 - Released fixed port translation in ICMP reply handling 3.2.10beta4 01/11/98 - Released increase useful statistic collection on solaris filter DL_UNITDATA_REQ as well as DL_UNITDATA_IND on solaris disable PASV reply translation for now fail with an error if we try to load a NAT rule with a non-existant proxy name - Guido fix portmap usage with 0/0 and 0/32 map rules remove ap_unload/ap_expire - automatically done when NAT is cleaned up print "STATE:CLOSED" from ipmon if the connection progresses past established rather than "STATE:EXPIRED" 3.2.10beta3 26/10/98 - Released fixed traceroute/nat problem rewrote nat/proxy interface ipnat now lists associated proxy sessions for each NAT where applicable 3.2.10beta2 13/10/98 - Released use KRWLOCK_T in place of krwlock_t for solaris as well as irix disable use of read-write lock acquisition by default add in mb_t for linux, non-kernel some changes to progress compilation on linux with glibc change PASV as well as PORT when passed through kernel ftp proxy. don't allow window to become 0 in tcp state code make ipmon compile cleaner irix patches 3.2.10beta 11/09/98 - Released stop fr_tcpsum() thinking it has run out of data when it hasn't. stop solaris panics due to fin_dp being something wild. revisit usage of ATOMIC_*() log closing state of TCP connection in "keep state" fix fake-arp table code for ipsend. ipmon now writes pid to a file. fix "ipmon -a" to actually activate all logging devices. add patches for BSDOS4. perl scripts for log analysis donated. 3.2.9 22/06/98 - Released fix byte order for ICMP packets generated on Solaris fix some locking problems. fix malloc bug in NAT (introduced in 3.2.8). patch from guido for state connections that get fragmented 3.2.8 08/06/98 - Released use readers/writers locks in Solaris2 in place of some mutexes. 
Solaris2 installation enhancements - Martin Forssen (maf@carlstedt.se) 3.2.7 24/05/98 - Released u_long -> u_32_t conversions patches from Bernd Ernesti for NetBSD fixup ipmon to actually handle HUP's. Linux fixes from Michael H. Warfield (mhw@wittsend.com) update for keep state patch (not security related) - Guido dumphex() uses stdout rather than log 3.2.6 18/05/98 - Released fix potential security loop hole in keep state code. update examples. 3.2.5 09/05/98 - Released BSD/OS 3.1 .o files added for the kernel. fix sequence # skew vs window size check. fix minimum ICMP header size check. remove references to Cybersource. fix my email address. remove ntohl in ipnat - Thomas Tornblom 3.2.4 09/04/98 - Released add script to make devices for /dev on BSD boxes fixup building into the kernel for FreeBSD 2.2.5 add -D command line option to ipmon to make it a daemon and SIGHUP causes it to close and reopen the logfile fixup make clean and make package for SunOS5 - Marc Boucher postinstall keeps adding "minor=ipf ipl" - George Ross protected by IP Filter gif - Sergey Solyanik 3.2.3 10/11/97 - Released fix some iplang bugs fix tcp checksum data overrun, sgi #define changes, avoid infinite loop when nat'ing to single IP# - Marc Boucher fixup DEVFS usage for FreeBSD fix sunos5 "make clean" cleaning up too much 3.2.2 28/11/97 - Released change packet matching to return actual error, if bad packet, to facilitate ECONNRESET for TCP. allow ip:netmask in grammar too now - Guido assume IRIX has u_int32_t in sys/types.h (needed for R10000) rewrite parts of command line options for ipmon fix TCP urgent packet & offset testing and add LAND attack test for iptest fix grammar error in yacc grammar for iplang redirect (rdr) destination port bytes-wapped when it shouldn't be. general: fr_check now returns error code, such as EHOSTUNREACH or ECONNRESET (attempt to make ECONNRESET work for locally outbound packets). 
linux: enable return-rst, need to filter tcp retransmits which are sent separately from normal packets memory leak plugged in ip_proxy.c BSDI compatibility patches from Guido tcp checksum fix - Marc Boucher recursive mutex and ioctl param fix - Marc Boucher 3.2.1 12/11/97 - Released port to BSD/OS 3.0 port to Linux 2.0.31 patches to make "map a/m -> 0/0" work with ftp proxying properly - Marc Boucher add "ipf -F s" and "ipf -F S" to flush state table entries. announce if logging is on or off when ip filter initializes. "ipf -F a" doesn't flush groups properly for Solaris. 3.2 30/10/97 - Released ipnat doesn't successfully remove proxy mappings with "-rf" - Alexander Romanyu use K&R C function style for solaris kernel code use m_adj() to decrease packet size in ftp proxy use mbufchainlen rather than msgdsize, IRIX update - Marc Boucher fix NetBSD modunload bug (pfil_add_hook done twice) patches for OpenBSD 2.1 - Craig Bevins 3.2beta10 24/10/97 - Released fix fragment table entries allocated for NAT. fix tcp checksum calculations over mbuf/mblk boundaries fix panic for blen < 0 in ftp kernel proxy - marc boucher fix flushing of rules which have been grouped. 3.2beta9 20/10/97 - Released some nit picking on solaris2 with SUNWspro - Michael Lyle ftp kernel proxy patches from Marc Boucher 3.2beta8 13/10/97 - Released add support for passing ICMP errors back through NAT. IRIX port update - Marc Boucher calculate correct MIN size of packet to log for UDP - Marc Boucher need htons(ETHERTYPE_x) on little endian BSD boxes - Dave Huang copyright header fixups 3.2beta7 23/09/97 - Released fickup problems introduced by prior merges & changes. 3.2beta6 23/09/97 - Released patch for spin-reading race condition - Marc Boucher. IRIX port by Marc Boucher. 
compatibility updates for Linux to ipsend 3.2beta5 13/09/97 - Released patches from Bernd Ernesti for NetBSD integration (mostly prototyping and compiler warning things) ipf -y will resync IP#'s allocated with 0/32 in NAT to match interface if it changes. update manual pages and other documentation updates. 3.2beta4 27/8/97 - Released enable setting IP and TCP options for iplang/ Solaris2 patches from Marc Boucher. add groups for filter rules. 3.2beta3 21/8/97 - Released patches for Solaris2 (interface panic solution ?): fix FIONREAD and replacing q_qinfo points - Marc Boucher change ipsend/* and ipsd/* copyright notices to be the same as ip filter's patch for SYN-ACK skew testing fix from Eric V. Smith 3.2beta2 6/8/97 - Released make it load on Solaris 2.3 rewrote logging to remove solaris errors, introduced checking to see if the same packet is logged successively. fix filter cache to work when there are no rules loaded. add "raw" option to ipresend to send entire ethernet frames. nat list corruption bug - NetBSD - Klaus Klein 3.2beta1 5/7/97 - Released patches from Jason Thorpe fixing: UNSIGNED_CHAR lossage, off_t being 64bits lossage, and other NetBSD bits. NetBSD 1.2G update. fixup fwtk patches and add protocol field for SIOCGNATL. rdr bugs reported by Alexander Romanyu (alexr@aix.krid.crimea.ua), with fixes: * rdr matched all packets of a given protocol (ignored ports). * severe bug in nat_delete which caused system crash/freeze. change Makefile so that CC isn't passed on for FreeBSD/NetBSD (will use the default CC - cc, not gcc) 3.2alpha9 16/6/97 - Released added "skip" keyword. implement preauthentication of packets, as outlined by Guido. Make it compile as cleanly as possible with -Wall & general code cleanup getopt returns int, not char. Bernd Ernesti 3.2alpha8 13/6/97 - Released code added to support "auth" rules which require a user program to allow them through. First revision and much of the code came from Guido. 
hex output from ipmon doesn't goto syslog when recovering from out of sync error. Luke Mewburn (lukem@connect.com.au) fix solaris2.6 lookup of destination ire's. ipnat doesn't throw away unused bits (after masking), causing it to behave incorrectly. Carson Gaspar NAT code doesn't include inteface name when matching - Alexey Mavrin replace old SunOS tcpip.h with new tcpip.h (from 4.4BSD) - Jason Thorpe. update install procedures to include ip_proxy.c mask out unused bits in NAT/RDR rules. use a generic type (u_32_t) for 32bit variables, rather than rely on u_long being such - Jason Thorpe. create a local "netinet" directory and include from ~netinet/*" rather than just "*" to make keeping the code working on ports easier. add an m_copydata and m_copyback for SunOS4 (based on 4.4BSD-Lite versions) documentation updates. NetBSD update from Jason Thorpe allow RST's through with a matching SEQ # and 0 ACK. Guido Van Rooij ipmon uses excessive amounts of CPU on Solaris2 - Reinhard Bertram 3.2alpha7 25/5/97 - Released add strlen for pre-2.2 kernels - Doug Kite setup bits and pieces for compiling into a FreeBSD-2.2 kernel. split up "bsd" targets. Now a separate netbsd/freebsd/bsd target. mln_ipl.c has been split up into itself and mlf_ipl.c (for freebsd). fix (negative) host matching in filtering. add sysctl interface for some variables when compiled into FreeBSD-2.2 kernels or later. make all the candidates for kernel compiling include "netinet/..." and build a subdirectory "netinet" when compiling and symlink all .h files into this. add install make target to Makefile.ipsend 3.2alpha6 8/5/97 - Released Add "!" (not) to hostname/ip matching. Automatically add packet info to the fragment cache if it is a fragment and we're translating addreses for. Automatically add packet info to the fragment cache if it is a fragment and we're "keeping state" for the packet. 
Solaris2 patches - Anthony Baxter (arb@connect.com.au) change install procedure for FreeBSD 2.2 to allow building to a kernel which is different to the running kernel. add FIONREAD for Solaris2! when expiring NAT table entries, if we would set a time to fr_tcpclosed (which is 1), make it fr_tcplaskack(20) so that the state tables have a chance to clear up. 3.2alpha5 add proxying skeleton support and sample ftp transparent proxy code. add printfs at startup to tell user what is happening. add packets & bytes for EXPIRE NAT log records. fix the "install-bsd" target in the root Makefile. Chris Williams Fixes for FreeBSD 2.2 (and later revs) to prevent panics. Julian Assange. 3.2alpha4 2/4/97 - Released Some compiler warnings cleaned up. FreeBSD-2.2 patches for LKM completed. 3.2alpha3 31/3/97 - Released ipmon changes: -N for reading NAT logfile, -S for reading state logfile. -a for reading all. -n now toggles hostname resolution. Add logging of new state entries and expiration of old state entries. count log successes and failures. Add logging of new NAT entries and expiration of old NAT entries. count log successes and failures. Use u_quad_t for records of bytes & packets where kept (IP Accounting: fr_hits, fr_bytes; IP state: is_pkts, is_bytes). Fixup use of CPU and DCPU in Makefiles. Fix broken 0/32 NAT mapping. Carl Makin 3.2alpha2 Implement mapping to 0/32 as being an alias for automatically using the interface's first IP address. Implement separate minor devices for both NAT and IP state code. Fully prototype all functions. Fix Makefile problem due to attempt to fix Sun compiling problems. 3.1.10 23/3/97 - Released ipfstat -a requires a -i or -o command line option too. Print an error when not present rather than attempt to do something. patch updates for SunOS4 for kernel compiling. patch for ipmon -s (flush's syslog file which isn't good). Andrew J. 
Schorr too many people hit their heads hard when compiling code into the kernel that doesn't let any packets through. (fil.c - IPF_NOMATCH) icmp-type parsing doesn't return any errors when it isn't constructed correctly. Neil Readwin Using "-conf" with modload on SunOS4 doesn't work. Timothy Demarest Need to define ARCH in makefile for SunOS4 building. "make sunos4" in INSTALL.SunOS is incorrect. James R Grinter [all SunOS targets now run buildsunos] NAT lookups are still incorrect, matching non-TCP/UDP with TCP/UDP information. ArkanoiD Need to check for __FreeBSD_version being 199511 rather than 199607 in mln_ipl.c. Eric Feillant 3.1.9 8/3/97 - Released fixed incorrect lookup of active NAT entries. patch for ip_deq() wrong for pre 2.1.6 FreeBSD. fyeung@fyeung8.netific.com (Francis Yeung) check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi (erkki@vlsi.fi) text_readip returns the interface pointer pointing to text on stack - Neil Readwin fix from Pradeep Krishnan for printout rules "with not opt sec". 3.1.8 18/2/97 - Released Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and compiling warnings about reuse of m0. prevent use of return-rst and return-icmp with rules blocking packets going out, preventing panics in certain situations. loop forms in frag cache table - Yury Pshenychny should use SPLNET/SPLX around expire routines in NAT/frag/state code. redeclared malloc in 44arp.c - 3.1.7 8/2/97 - Released Macros used for ntohs/htons supplied with gcc don't always work very well when the assignment is the same variable being converted. Filter matching doesn't not match rule which checks tcp flags on packets which are fragments - David Wilson 3.1.7beta 30/1/97 - Released Fix up NAT bugs introduced in last major change (now tested), including nat_delete(), nat_lookupredir(), checksum changes, etc. 
3.1.7alpha 30/1/97 - Released Many changes to NAT code, including contributions from Laurent Joncheray Use "NO_SLEEP" when allocating memory under SunOS. Make kernel printf's nicer for BSD/SunOS4 Always do a checksum for packets being filtered going out and being processed by fastroute. Leave kernel to play with cdevsw on *BSD systems with LKM's. ipnat.1 man page fixes. 3.1.6 21/1/97 - Released Allow NAT to work on BSD systems in conjunction with "pass .. to ifname" Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried to free memory twice. NAT recalculates IP header checksum based on difference between IP#'s and port numbers - should be just IP#'s (Solaris2 only) 3.1.5 13/1/97 - Released fixed setting of NAT timeouts and use different timeouts for concurrent TCP sessions using the same IP# mapping (when port mapping isn't used) multiple loading/unloading of LKM's doesn't clean up cdevsw properly for *BSD systems. 3.1.4 10/1/97 - Released add command line options -C and -F to ipnat to flush NAT list and table ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com) NetBSD/FreeBSD kernel malloc changes - Daniel Carosone 3.1.3 10/1/97 - Released NAT chains not constructed correctly in hash tables - Antony Y.R Lu (antony@hawk.ee.ncku.edu.tw) Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2 man page update (ipf.5) from Daniel Carosone (dan@geek.com.au) ICMP header checksum update now included in NAT. Solaris2 needs to modify IP header checksums in ip_natin and ip_natout. 3.1.2 4/12/96 - Released ipmon doesn't use syslog all the time when given -s option fixed mclput panic in ip_input.c and replace ntohs() with NTOHS() macro check the results of hostname resolution in ipnat "make *install" fixed for subdirectories. problems with "ARCH:=" and gnu make resolved parser reports an error for lines with whitespaces only rather than skipping them. 
D.Carosone@abm.com.au (Daniel Carosone) patches for integration into NetBSD-current (post 1.2). add an option to allow non-IP packets going up/down the stream on Solaris2 to be dropped. John Bass. 3.1.2beta 21/11/96 - Released make ipsend compile on Linux 2.0.24 changes to TCP kept state algorithm, making it watch state on TCP connections in both directions. Also use the same algorithm for NAT TCP. -Wall cleanup - Bernd Ernesti added "or-block" for "pass .. log or-block" after a suggestion from David Oppenheim (davido@optimation.com.au) added subdirectories for building IP Filter in SunOS5/BSD for different cpu architecures Solaris2 fixes to logging and pre-filtering packet processing - 3.1.1p2 mbuf logging not using mtod(), remove iplbusy - 3.1.1p1 1/11/96 3.1.1 28/10/96 - Released Installation script fixes and deinstall scripts for IP Filter on: SunOS4/FreeBSD/NetBSD Man page fixes - Paul Dubois (dubois@primate.wisc.edu) Fix use of SOLARIS macro in ipmon, rewrote ipllog() (again!) parsing isn't completely case insensitive - David Wilson (davidw@optimation.com.au) Release ipl_mutex across uiomove() calls print entire rule entries out for "ipf -z" when zero'ing per-rule stats. ipfstat returns same output for "hits" in "ipfstat -aio" - Terletsky Slavik (ts@polynet.lviv.ua) New algorithm for setting timeouts for TCP connection (more closely follow TCP FSM) - Pradeep Krishnan (pkrishna@netcom.com) Track both window sizes for TCP connections through "keep state". 
Solaris2 doesn't like _KERNEL defined in stdargs.h - Jos van Wezel (wezel@bio.vu.nl) 3.1.1-beta2 6/10/96 - Released Solaris2 fastroute/dup-to/to now works ipmon `record' reading rewritten Added post-NetBSD1.2 packet filter patches - Mathew Green (mrg@eterna.com.au) Attempt to use in_proto.c.diff, not "..diffs" for SunOS4 - David Wilson (davidw@optimation.com.au) Michael Ryan (mike@NetworX.ie) reports the following: * The Trumpet WinSock under Windows always sends its SYN packet with an ACK value of 1, unlike any other implementation I've seen, which would set it to zero. The "keep state" feature of IP Filter doesn't work when receiving non-zero ACK values on new connection requests. * */Makefile install rule doesn't install all the binaries/man pages * Make ipnat use "tcp/udp" instead of "tcpudp" * Print out "tcp/udp" properly * ipnat "portmap tcp" matches "portmap udp" when adding/removing * NAT dest. ip# increased by one on mask of 0xffffffff when it shouldn't 3.1.1-beta 1/9/96 - Released add better detection of TCP connections closing to TCP state monitoring. fr_addstate() not called correctly for fragments. 
"keep state" and "keep frag" code don't work together 100% - Songqing Cai (songqing_cai@sterling.com) call to fr_addstate() incorrect for adding state in combination with keeping fragment information - Songqing Cai (songqing_cai@sterling.com) KFREE() passed fp (incorrect) and not fr (correct) in ip_frag.c - John Hood (cgull@smoke.marlboro.vt.us) make ipf parser recognise '\\' as a `continued line' marker - Dima Ruban (dima@best.net) 3.1.1-alpha 23/8/96 - Released kernel panic's when ICMP packets go through NAT code stats aren't zero'd properly with ipf -Z ipnat doesn't show port numbers correctly all the time and also add the protocol (tcp/udp/tcpudp) to rdr output - Carson Gaspar (carson@lehman.com) fast checksum fixing not 100% - backout patch - Bill Dorsey (dorsey@lila.com) NetBSD-1.2 patches from - VaX#n8 Usage() call error in fils.c - Ajay Shekhawat (ajay@cedar.buffalo.edu) ip_optcopy() staticly defined in ip_output.c in SunOS4 - Nick Hall (nrh@tardis.ed.ac.uk) 3.1.0 7/7/96 - Released Reformatted ipnat output to be compatible with it's input, so that "ipnat -l | ipnat -rf -" is possible. 3.1.0beta 30/6/96 - Released NetBSD-1.2 patches from Greg Woods (woods@most.weird.com) kernel module must not be installed stripped (Solaris2), as created by "make package" for Solaris2 - Peter Heimann (peter@i3.informatik.rwth-aachen.de) 3.1.0alpha 5/6/96 - Released include examples in package for solaris2 patches for removing an extra ip header checksum (FreeBSD/NetBSD/SunOS) removed trailing space from printouts of rules in ipf. ipresend supports the same range of inputs that ipftest does. sending a duplicate copy of a packet to another network devices is now supported. ("dup-to") sending a packet to an arbitary interface is now supported, irrespective of its actual route, with no ttl decrement. Can also be routed without the ttl being decremented. ("to" and "fastroute"). "call" option added to support calling a generic function if a packet is matched. 
show all (upto 4) recorded bytes from the interface name in logging from ipmon. support for using unix file permissions for read/write access on the device is now in place. recursive mutex in nat_new() for Solaris 2.x - Per L. Hagen ipftest doesn't call initparse() for THISHOST - Catherine Allen (cla@connect.com.au) Man page corrections from Rex Bona (rex@pengo.comsmiths.com.au) 3.0.4 10/4/96 - Released looop in `parsing' IP packets with optlen 0 for ip options. rule number not initialized and resulted in unexpected results for state maching. option parsing and printing bugs - Pradeep Krishnan 3.0.4beta 25/3/96 - Released wouldn't parse "keep flags keep state" correctly. SunOS4.1.x ip_input.c doesn't recognise all 1s broadcast address - Nigel Verdon patches for BSDI's BSD/OS 2.1 and libpcap reader on little endian systems from Thorsten Lockert b* functions in fil.c on Solaris 2.4 3.0.3 17/3/96 - Released added patches to support IP Filter initialisation when compiled into the kernel. added -x option to ipmon to display hex dumps of logged packets. added -H option to ipftest to allow ascii-hex formatted input to specify arbitary IP packets. Sending TCP RSTs as a response now work for Solaris2 x86 add patches to make IP Filter compile into NetBSD kernels properly. patch to stop SunOS 4.1.x kernels panicing with "data traps". ipfboot script unloads and reloads ipf module on Solaris2 if it is already loaded into the kernel. Installation of IP Filter as a Solaris2 package is now supported. Man pages for ipnat.4, ipnat.5 added. added some more regression tests and fixed up IP Filter to pass the new tests (previous versions failed some of the tests in set 12). IP option filter processing has changed so that saying "with opt lsrr" will check only for that one, but not mask out other options, so a packet with strict source routing, along with loose source routing will match all of "with opt lsrr", "with opt ssrr" and "with opt lsrr,ssrr". 
IPL_NAME needed in ipnat.c - Kelly (kelly@count04.mry.scruznet.com) patches for clean NetBSD compilation from Bernd Ernesti (bernd@arresum.inka.de) make install is incorrect - Julian Briggs (julian@lightwork.co.uk) strtol() returns 0x7fffffff for all negative numbers, printfr() generates incorrect output for "opt sec-class *", handling of "not opt xxx opt yyy" incorrect. - Minh Tonthat (minht@sbei.com)/Pradeep Krishnan (pradeepk@sbei.com) m_pullup() called only for input and not output; caused problems with filtering icmp - Nigel Verdon (verdenn@gb.swissbank.com) parsing problem for "port 1" and NetBSD patches incorrect - Andreas Gustafsson (gson@guava.araneus.fi) 3.0.2 4/2/96 - Released Corrected bug where NAT recalculates checksums for fragments. make NAT recalculate UDP checksums (rather than setting them to 0), if they're non-zero. DNS patches - Real Page (Real.Page@Matrox.com) alteration of checksum recalculations in NAT code and addition of redirection with NAT - Mike Neuman core dump, if tcp/udp is used with a port number and not service name, in ipf - Mike Neuman (mcn@engarde.com) initparse() call, missing to prime "" hook - Craig Bishop 3.0.1 14/1/96 - Released miscellaneous patches for Solaris2 3.0 14/1/96 - Released Patch included for FDDI, from Richard Ohnemus (Richard_Ohnemus@dallas.csd.sterling.com) Code cleanup for release. 3.0beta4 10/1/96 recursive mutex in ipfr_slowtimer fixed, reported by Craig Bishop recursive mutex in sending TCP RSTs fixed, reported by Tony Becker 3.0beta3 9/1/96 FIxup for Solaris2.5 install and interface name bug in ipftest from Julian Briggs (julian@lightwork.co.uk) Byte order patches for ipmon from Tony Becker (tony@mcrsys.com) 3.0beta2 7/1/96 Added the (somewhat warped) IP accounting as it exists in ipfw on FreeBSD. Note, this isn't really what one would call IP account, when compared to process accounting, sigh. 
Split up ipresend into iptest/ipresend/ipsend Added another m_pullup() inside fr_check() for BSD style kernels and added some checks to ipllog() to not log more than is present (for short packets). Fixed bug where failed hostname/netname resolution goes undetecte and becomes 0.0.0.0 (any) (reported Guido van Rooij) 3.0beta 11/11/95 - Released Rewrote the way rule testing is done, reducing the number of files needed and generated. SIOCIPFFL was incorrectly affected by IPFILTER_LOG (Mathew Green) Patches from Guido van Rooij to fix sending back TCP RSTs on Net-2/Net-3 BSD based Unixes (panic'd) Patches for FreeBSD/i86 ipmon from Riku Kalinen (I think someone else already told me about these but they got lost :-/) Changed Makefile structure to build object files for different operating systems in separate directories by default. BSDI has ef0 for first ethernet interface Allow for a "not" operator before optional keywords. The "rule number" was being incorrectly incremented every time it went through the loop rather than when it matched a rule. 2.8.2 24/10/95 - Released Fixed up problems with "textip" for doing lots of testing. Fixed bug in detection of "short" tcp/ip packets (all reported as being short). Solaris 2.4 port now works 100%. Man page errors reported and fixed. Removed duplicate entry in etc/services for login on port 49 (Craig Bishop). Fixed ipmon output to put a space after the log-letter. Patch from Guido van Rooij to fix parsing problem. 2.8.1 15/10/95 - Released Added ttl and tos filtering. Patches for fixing up compilation and port problems (little endian) from Guido van Rooij . Man page problems reported and fixed by Carson Gaspar . ipsend doesn't compile properly on Solaris2.4 Lots of work done for Solaris2.4 to make it MT/MP safe and work. 2.8 15/9/95 - Released ipmon can now send messages to syslogd (-s) and use names instead of numbers (-N). IP packets are now "compiled" into a structure only containing filterable bits. 
Added regression testing in the test/ subdirectory, using a new option (-b) with the ipftest program. Added "nomatch" return to filter results. These are counted and show up in reports from ipfstat. Moved filter code out of ip_fil.c and into fil.c - there is now only one instance of it in the package. Added Solaris 2.4 support. Added IPSO basic security option filtering. Added name support for filtering on all 19 named IP options. Patches from Ivan Brawley to log packet contents as well as packet headers. Update for sun/conf.c.diff from Ivan Brawley Added patches for FreeBSD 1, and added two new switches (-E, -D) to ipf, along with a new ioctl, SIOCFRENB. 
From: Dieter Dworkin Muller 2.7.3 31/7.95 - Released Didn't compile cleanly without IPFILTER_LOG defined (Mathew Green). ipftest now deals with tcpdump3 binary output files (from libpcap) with -P. Brought ipftest program upto date with actual filter code. Filter would cause a match to occur when it wasn't meant to if the packet had short headers and was missing portions that should have been there. Err, it would rightly not match on them, but their absence caused a match when it shouldn't have been. 2.7.2 26/7/95 - Released Problem with filtering just SYN flagged packets reported by Dieter Dworkin Muller . To solve this problem, added support for masking TCP flags for comparison "flags X/Y". 2.7.1 9/7/95 - Released Added ip_dirbroadcast support for Sun ip_input.c Fixed up the install scripts for FreeBSD/NetBSD to recognise where they are better. 2.7 7/7/95 - Released Added "return-rst" to return TCP RST's to TCP packets. Actually ported it to FreeBSD-i386 2.0.0, so it works there properly now. Added insertion of filter rules. Use "@<#>" at the beginning of a filter to insert a rule at row #. Filter keeps track of how many times each rule is matched. Changed compile time things to match kernel option (IPFILTER_LKM & IPFILTER_LOG). Updated ip_input.c and ip_output.c with paches for 3.5 Multicast IP. (No change required for 3.6) Now includes TCP fragments which start inside the TCP header as being short. Added counting the number of times each rule is matched. 2.6 11/5/95 - Released Added -n option to ipf: when supplied, no changes are made to the kernel. Added installation scripts for SunOS 4.1.x and NetBSD/FreeBSD/BSDI. Rewrote filtering to use a more generic mask & match procedure for checking if a packet matches a rule. 2.5.2 27/4/95 - Released "tcp/udp" and a non-initialised pointer caused the "proto" to become a `random' value; added "ip#/dotted.mask" notation to the BNF. From Adam W. 
Feigin 2.5.1 22/3/95 - Released "tcp/udp" had a strange effect (undesired) on getserv*() functions, causing protocol/service lookups to fail. Reported by Matthew Green. 2.5 17/3/95 - Released Added a new keyword "all" to BNF and parsing of tcpdump/etherfind/snoop output through the ipftest program. Suggestions from: Michael Ciavarella (mikec@phyto.apana.org.au) Conflicts occur when "general" filter rules are used for ports and the lack of a "proto" when used with "port" matches other packets when only TCP/UDP are implied. Reported Matthew Green (mrg@fulcom.com.au); reported & fixed 6-8/3/95 Added filtering of short TCP packets using "with short" 28/2/95 (These can possibly slip by checks for the various flags). Short UDP or ICMP are dropped to the floor and logged. Added filtering of fragmented packets using "with frag" 24/2/95 Port to NetBSD-current completed 20/2/95, using LKM. Added logging of the rule # which caused the logging to happen and the interface on which the packet is currently as suggested by Andreas Greulich (greulich@math-stat.unibe.ch) 10/2/95 2.4 9/2/95 - Released Fixed saving of IP headers in ICMP packets. 2.3 29/1/95 Added ipf -F [in|out|all] to flush filter rule sets (SIOCIPFFL). Fixed iplread() and iplsave() with help from Marc Huber. 2.2 7/1/95 - Released Added code from Marc Huber to allow it to allocate its own major char number dynamically when modload'ing. Fixed up use of <, >, <=, >= and >< for ports. 2.1 21/12/94 - Released repackaged to include the correct ip_output.c and ip_input.c *goof* 2.0 18/12/94 - Released added code to check for port ranges - complete. rewrote to work as a loadable kernel module - complete. 1.1 added code for ouput filtering as well as input filtering and added support for logging to a simple character device of packet headers. 1.0 22/04/93 - Released First release cut.
diff --git a/contrib/ipfilter/INST.FreeBSD-2.2 b/contrib/ipfilter/INST.FreeBSD-2.2
index 0e0ea06786f9..78f7295e0894 100644
--- a/contrib/ipfilter/INST.FreeBSD-2.2
+++ b/contrib/ipfilter/INST.FreeBSD-2.2
@@ -1,62 +1,60 @@
-.\" $NetBSD$
-.\" To build a kernel for use with the loadable kernel module, follow these steps: 1. In /sys/i386/conf, create a new kernel config file (to be used with IPFILTER), i.e. FIREWALL and run config, i.e. "config FIREWALL" 2. build the object files, telling it the name of the kernel to be used. "freebsd22" MUST be the target, so the command would be something like this: "make freebsd22 IPFILKERN=FIREWALL" 3. do "make install-bsd" (probably has to be done as root) 4. run "FreeBSD-2.2/minstall" as root 5. build a new kernel 6. install and reboot with the new kernel 7. use modload(8) to load the packet filter with: modload if_ipl.o 8. do "modstat" to confirm that it has been loaded successfully. There is no need to use mknod to create the device in /dev; - upon loading the module, it will create itself with the correct values, under the name (IPL_NAME) from the Makefile. It will also remove itself from /dev when it is modunload'd. To build a kernel with the IP filter, follow these steps: *** KERNEL INSTALL CURRENTLY UNSUPPORTED *** 1. do "make freebsd22" 2. do "make install-bsd" (probably has to be done as root) 3. run "FreeBSD-2.2/kinstall" as root 4. build a new kernel 5a) For FreeBSD 2.2 (or later) create devices for IP Filter as follows: mknod /dev/ipl c 79 0 mknod /dev/ipnat c 79 1 mknod /dev/ipstate c 79 2 mknod /dev/ipauth c 79 3 5b) For versions prior to FreeBSD 2.2: create devices for IP Filter as follows (assuming it was installed into the device table as char dev 20): mknod /dev/ipl c 20 0 mknod /dev/ipnat c 20 1 mknod /dev/ipstate c 20 2 mknod /dev/ipauth c 20 3 6. install and reboot with the new kernel Darren Reed darrenr@pobox.com
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index c54e1db1b866..59fb797a54ea 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -1,380 +1,402 @@ # # Copyright (C) 1993-2001 by Darren Reed. # # Redistribution and use in source and binary forms are permitted # provided that this notice is preserved and due credit is given # to the original author and the contributors. # -# Id: Makefile,v 2.76.2.13 2004/11/08 18:42:40 darrenr Exp +# $Id: Makefile,v 2.76.2.18 2005/12/04 23:41:22 darrenr Exp $ # SHELL=/bin/sh BINDEST=/usr/local/bin SBINDEST=/sbin MANDIR=/usr/local/man #To test prototyping #CC=gcc -Wstrict-prototypes -Wmissing-prototypes # -Wunused -Wuninitialized #CC=gcc #CC=cc -Dconst= DEBUG=-g # -O CFLAGS=-I$$(TOP) -D_BSD_SOURCE CPU=`uname -m` CPUDIR=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m` OBJ=. # # To enable this to work as a Loadable Kernel Module... # IPFLKM=-DIPFILTER_LKM # # To enable logging of blocked/passed packets... # IPFLOG=-DIPFILTER_LOG # # To enable loading filter rules compiled to C code... # #COMPIPF=-DIPFILTER_COMPILED # # To enable synchronisation between IPFilter hosts # #SYNC=-DIPFILTER_SYNC # # To enable extended IPFilter functionality # LOOKUP=-DIPFILTER_LOOKUP -DIPFILTER_SCAN # # The facility you wish to log messages from ipmon to syslogd with. # LOGFAC=-DLOGFAC=LOG_LOCAL0 # # To enable rules to be written with BPF syntax, uncomment these two lines. # # WARNING: If you're building a commercial product based on IPFilter, using # this options *may* infringe at least one patent held by CheckPoint # (5,606,668.) # #IPFBPF=-DIPFILTER_BPF -I/usr/local/include #LIBBPF=-L/usr/local/lib -lpcap # # HP-UX and Solaris require this uncommented for BPF. # #BPFILTER=bpf_filter.o # # LINUXKERNEL is the path to the top of your Linux kernel source tree. # By default IPFilter looks for /usr/src/linux, but you may have to change # it to /usr/src/linux-2.4 or similar. # LINUXKERNEL=/usr/src/linux LINUX=`uname -r | awk -F. 
' { printf"%d",$$1;for(i=1;i opt_inet6.h; \ else \ echo "#define INET6" > opt_inet6.h; \ fi + if [ "x$(IPFBPF)" = "x" ] ; then \ + echo "#undef NBPF" > opt_bpf.h; \ + echo "#undef NBPFILTER" > opt_bpf.h; \ + echo "#undef DEV_BPF" > opt_bpf.h; \ + else \ + echo "#define NBPF" > opt_bpf.h; \ + echo "#define NBPFILTER" > opt_bpf.h; \ + echo "#define DEV_BPF" > opt_bpf.h; \ + fi if [ x$(ENABLE_PFIL) = x ] ; then \ echo "#undef PFIL_HOOKS" > opt_pfil.h; \ else \ echo "#define PFIL_HOOKS" > opt_pfil.h; \ fi make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko.5" "LKMR=ipfrule.ko.5" "DLKM=-DKLD_MODULE" "MLR=mlfk_rule.o"; cd ..) (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..) freebsd4 : include if [ x$(INET6) = x ] ; then \ echo "#undef INET6" > opt_inet6.h; \ else \ echo "#define INET6" > opt_inet6.h; \ fi make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlfk_ipl.c" "MLD=mlfk_ipl.c" "LKM=ipf.ko" "LKMR=ipfrule.ko" "DLKM=-DKLD_MODULE" "MLR=mlfk_rule.o"; cd ..) (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..) freebsd3 freebsd30: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS1) "ML=mlf_ipl.c" "MLR=mlf_rule.o" LKM= LKMR=; cd ..) (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS1); cd ..) netbsd: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" LKMR= "MLR=mln_rule.o"; cd ..) (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..) openbsd: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mlo_ipl.c" LKMR= "MLR=mlo_rule.o"; cd ..) (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..) 
freebsd20 freebsd21: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) "ML=mlf_ipl.c" "MLR=mlf_rule.o"; cd ..) (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..) osf tru64: null include make setup "TARGOS=OSF" "CPUDIR=`OSF/cpurev`" (cd OSF/`OSF/cpurev`; make build TRU64=`uname -v` TOP=../.. "DEBUG=-g" $(MFLAGS) "MACHASSERT=$(MACHASSERT)" "OSREV=`../cpurev`"; cd ..) (cd OSF/`OSF/cpurev`; make -f Makefile.ipsend build TRU64=`uname -v` TOP=../.. $(MFLAGS) "OSREV=`../cpurev`"; cd ..) +aix: null include + make setup "TARGOS=AIX" "CPUDIR=`AIX/cpurev`" + (cd AIX/`AIX/cpurev`; make build AIX=`uname -v` TOP=../.. "DEBUG=-g" $(MFLAGS) "OSREV=`../cpurev`" BITS=`../bootbits.sh`; cd ..) +# (cd AIX/`AIX/cpurev`; make -f Makefile.ipsend build AIX=`uname -v` TOP=../.. $(MFLAGS) "OSREV=`../cpurev`"; cd ..) + bsd: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" (cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM' "ML=mln_ipl.c" "MLR=mln_rule.o"; cd ..) (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS); cd ..) bsdi bsdos: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" (cd BSD/$(CPUDIR); make build "CC=$(CC)" TOP=../.. $(MFLAGS) LKM= LKMR= ; cd ..) (cd BSD/$(CPUDIR); make -f Makefile.ipsend build "CC=$(CC)" TOP=../.. $(MFLAGS); cd ..) irix IRIX: include make setup TARGOS=IRIX CPUDIR=`IRIX/cpurev` if [ "x${SGIREV}" = "x" ] ; then \ make irix "SGIREV=-D_KMEMUSER -DIRIX=`IRIX/getrev`"; \ else \ (cd IRIX/`IRIX/cpurev`; smake -l -J 1 build TOP=../.. $(DEST) $(MFLAGS) IRIX=`../getrev` SGI=$$(IRIX) CPUDIR=`../cpurev`; cd ..); \ (cd IRIX/`IRIX/cpurev`; make -f Makefile.ipsend build TOP=../.. $(DEST) $(MFLAGS) IRIX=`../getrev` SGI=$$(IRIX) CPUDIR=`../cpurev`; cd ..); \ fi setup: -if [ ! 
-d $(TARGOS)/$(CPUDIR) ] ; then mkdir $(TARGOS)/$(CPUDIR); fi -rm -f $(TARGOS)/$(CPUDIR)/Makefile $(TARGOS)/$(CPUDIR)/Makefile.ipsend -ln -s ../Makefile $(TARGOS)/$(CPUDIR)/Makefile -ln -s ../Makefile.ipsend $(TARGOS)/$(CPUDIR)/Makefile.ipsend -if [ -f $(TARGOS)/Makefile.common ] ; then \ rm -f $(TARGOS)/$(CPUDIR)/Makefile.common; \ ln -s ../Makefile.common $(TARGOS)/$(CPUDIR)/Makefile.common;\ fi clean: clean-include /bin/rm -rf h y.output ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl \ vnode_if.h $(LKM) *~ /bin/rm -rf sparcv7 sparcv9 mdbgen_build (cd SunOS4; $(MAKE) TOP=.. clean) -(cd SunOS5; $(MAKE) TOP=.. clean) (cd BSD; $(MAKE) TOP=.. clean) (cd HPUX; $(MAKE) BITS=32 TOP=.. clean) (cd Linux; $(MAKE) TOP=.. clean) (cd OSF; $(MAKE) TOP=.. clean) + (cd AIX; $(MAKE) TOP=.. clean) if [ "`uname -s`" = "IRIX" ]; then (cd IRIX; $(MAKE) clean); fi [ -d test ] && (cd test; $(MAKE) clean) (cd ipsend; $(MAKE) clean) clean-include: sh -c 'if [ -d netinet ] ; then cd netinet; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done fi' sh -c 'if [ -d net ] ; then cd net; for i in *; do if [ -h $$i ] ; then /bin/rm -f $$i; fi; done fi' ${RM} -f netinet/done net/done clean-bsd: clean-include (cd BSD; make TOP=.. clean) clean-hpux: clean-include (cd HPUX; $(MAKE) BITS=32 clean) clean-osf: clean-include (cd OSF; make clean) +clean-aix: clean-include + (cd AIX; make clean) + clean-linux: clean-include (cd Linux; make clean) clean-sunos4: clean-include (cd SunOS4; make clean) clean-sunos5: clean-include (cd SunOS5; $(MAKE) clean) /bin/rm -rf sparcv? clean-irix: clean-include (cd IRIX; $(MAKE) clean) h/xti.h: mkdir -p h ln -s /usr/include/sys/xti.h h hpux: include h/xti.h make setup CPUDIR=`HPUX/cpurev` TARGOS=HPUX (cd HPUX/`HPUX/cpurev`; $(MAKE) build TOP=../.. $(DEST) $(MFLAGS) "BITS=`getconf KERNEL_BITS`" `../makeargs`; cd ..) (cd HPUX/`HPUX/cpurev`; $(MAKE) -f Makefile.ipsend build TOP=../.. $(DEST) $(MFLAGS) "BITS=`getconf KERNEL_BITS`" `../makeargs`; cd ..) 
sunos4 solaris1: (cd SunOS4; make build TOP=.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..) (cd SunOS4; make -f Makefile.ipsend build "CC=$(CC)" TOP=.. $(DEST) $(MFLAGS); cd ..) sunos5 solaris2: null (cd SunOS5/$(CPUDIR); $(MAKE) build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..) (cd SunOS5/$(CPUDIR); $(MAKE) -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..) sunos5x86 solaris2x86: null (cd SunOS5/$(CPUDIR); make build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..) (cd SunOS5/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. "CC=$(CC)" $(DEST) $(MFLAGS); cd ..) linux: include (cd Linux; make build LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL); cd ..) (cd Linux; make ipflkm LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) LINUXKERNEL=$(LINUXKERNEL) WORKDIR=`pwd`; cd ..) # (cd Linux; make -f Makefile.ipsend build LINUX=$(LINUX) TOP=.. "CC=$(CC)" $(MFLAGS); cd ..) install-linux: linux (cd Linux/; make LINUX=$(LINUX) TOP=.. "DEBUG=-g" "CC=$(CC)" $(MFLAGS) OBJ=$(CPUDIR) install ; cd ..) install-bsd: (cd BSD/$(CPUDIR); make install "TOP=../.." $(MFLAGS); cd ..) (cd BSD/$(CPUDIR); make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..) install-sunos4: solaris (cd SunOS4; $(MAKE) CPU=$(CPU) TOP=.. install) install-sunos5: solaris null (cd SunOS5; $(MAKE) CPU=$(CPU) TOP=.. install) +install-aix: + (cd AIX/`AIX/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..) +# (cd AIX/`AIX/cpurev`; make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..) + install-hpux: hpux (cd HPUX/`HPUX/cpurev`; $(MAKE) CPU=$(CPU) TOP=../.. "BITS=`getconf KERNEL_BITS`" install) install-irix: irix (cd IRIX; smake install CPU=$(CPU) TOP=.. $(DEST) $(MFLAGS) CPUDIR=`./cpurev`) install-osf install-tru64: (cd OSF/`OSF/cpurev`; make install "TOP=../.." $(MFLAGS); cd ..) 
- (cd OSF/`OSF/cpurev`; make -f Makefile.ipsend INSTALL=$(INSTALL) install "TOP=../.." $(MFLAGS); cd ..) do-cvs: find . -type d -name CVS -print | xargs /bin/rm -rf find . -type f -name .cvsignore -print | xargs /bin/rm -f /bin/rm -f ip_msnrpc_pxy.c ip_sunrpc_pxy.c ip_rules.c ip_rules.h: rules/ip_rules tools/ipfcomp.c -./ipf -n -cc -f rules/ip_rules 2>/dev/null 1>&2 null: @if [ "`$(MAKE) -v 2>&1 | sed -ne 's/GNU.*/GNU/p'`" = "GNU" ] ; then \ echo 'Do not use GNU make (gmake) to compile IPFilter'; \ exit 1; \ fi -@echo make ok mdb: /bin/rm -rf mdbgen_build mdbgen -D_KERNEL -DIPFILTER_LOG -DIPFILTER_LOOKUP -DSUNDDI \ -DIPFILTER_SCAN -DIPFILTER_LKM -DSOLARIS2=10 -n ipf_mdb -k \ -I/home/dr146992/pfil -I/home/dr146992/ipf -f \ /usr/include/netinet/in_systm.h,/usr/include/sys/ethernet.h,/usr/include/netinet/in.h,/usr/include/netinet/ip.h,/usr/include/netinet/ip_var.h,/usr/include/netinet/tcp.h,/usr/include/netinet/tcpip.h,/usr/include/netinet/ip_icmp.h,/usr/include/netinet/udp.h,ip_compat.h,ip_fil.h,ip_nat.h,ip_state.h,ip_proxy.h,ip_scan.h + diff --git a/contrib/ipfilter/NAT.FreeBSD b/contrib/ipfilter/NAT.FreeBSD index 996b009ab1bf..8a7e95262f7c 100644 --- a/contrib/ipfilter/NAT.FreeBSD +++ b/contrib/ipfilter/NAT.FreeBSD 
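Review bot: In the added `opt_bpf.h` block, all three `echo` commands in each branch redirect with `>`, so each one truncates the file and only the `DEV_BPF` line survives; `NBPF` and `NBPFILTER` are never written. The second and third echo of both branches should append instead, e.g. `echo "#undef NBPFILTER" >> opt_bpf.h; \` and `echo "#undef DEV_BPF" >> opt_bpf.h; \`, and likewise for the `#define` pair. If the kernel sources test `NBPF` or `NBPFILTER` (not visible in this diff), the module is built with a BPF configuration that differs from what `IPFBPF` selected, and that mismatch in a packet filter fails silently rather than at build time. The rule header for this recipe is not legible in this rendering (it is the one that builds with `LKM=ipf.ko.5`), so the target name is unconfirmed.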
@@ -1,104 +1,104 @@ These are Instructions for Configuring A FreeBSD Box For NAT After you have installed IpFilter. You will need to change three files: /etc/rc.local -/etc/sysconfig +/etc/rc.conf /etc/natrules You will have to: 1) Load the kernel module 2) Make the ipnat rules 3) Load the ipnat rules 4) Enable routing between interfaces 5) Add static routes for the subnet ranges 6) Configure your network interfaces 7) reboot the computer for the changes to take effect. The FAQ was written by Chris Coleman This was tested using ipfilter 3.1.4 and FreeBSD 2.1.6-RELEASE _________________________________________________________ 1) Loading the Kernel Module If you are using a Kernal Loadable Module you need to edit your /etc/rc.local file and load the module at boot time. use the line: modload /lkm/if_ipl.o If you are not loading a kernel module, skip this step. _________________________________________________________ 2) Setting up the NAT Rules Make a file called /etc/natrules put in the rules that you need for your system. If you want to use the whole 10 Network. Try: map fpx0 10.0.0.0/8 -> 208.8.0.1/32 portmap tcp/udp 10000:65000 _________________________________________________________ Here is an explaination of each part of the command: map starts the command. fpx0 is the interface with the real internet address. 10.0.0.0 is the subnet you want to use. /8 is the subnet mask. ie 255.0.0.0 208.8.0.1 is the real ip address that you use. /32 is the subnet mask 255.255.255.255, ie only use this ip address. portmap tcp/udp 10000:65000 tells it to use the ports to redirect the tcp/udp calls through The one line should work for the whole network. _________________________________________________________ 3) Loading the NAT Rules: The NAT Rules will need to be loaded every time the computer reboots. 
In your /etc/rc.local put the line: ipnat -f /etc/natrules To check and see if it is loaded, as root type ipnat -ls _________________________________________________________ 4) Enable Routing between interfaces. Tell the kernel to route these addresses. in the rc.local file put the line: sysctl -w net.inet.ip.forwarding=1 _________________________________________________________ 5) Static Routes to Subnet Ranges Now you have to add a static routes for the subnet ranges. Edit your /etc/sysconfig to add them at bootup. static_routes="foo" route_foo="10.0.0.0 -netmask 0xf0000000 -interface 10.0.0.1" _________________________________________________________ 6) Make sure that you have your interfaces configured. I have two Intel Ether Express Pro B cards. One is on 208.8.0.1 The other is on 10.0.0.1 You need to configure these in the /etc/sysconfig network_interfaces="fxp0 fxp1" ifconfig_fxp0="inet 208.8.0.1 netmask 255.255.255.0" ifconfig_fxp1="inet 10.0.0.1 netmask 255.0.0.0" _________________________________________________________ diff --git a/contrib/ipfilter/bpf-ipf.h b/contrib/ipfilter/bpf-ipf.h index c30315242a42..544455e5ff39 100644 --- a/contrib/ipfilter/bpf-ipf.h +++ b/contrib/ipfilter/bpf-ipf.h 
@@ -1,452 +1,450 @@ -/* $NetBSD$ */ - /*- * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 * The Regents of the University of California. All rights reserved. * * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)bpf.h 7.1 (Berkeley) 5/7/91 * * @(#) $Header: /devel/CVS/IP-Filter/bpf-ipf.h,v 2.1 2002/10/26 12:14:26 darrenr Exp $ (LBL) */ #ifndef BPF_MAJOR_VERSION #ifdef __cplusplus extern "C" { #endif /* BSD style release date */ #define BPF_RELEASE 199606 typedef int bpf_int32; typedef u_int bpf_u_int32; /* * Alignment macros. BPF_WORDALIGN rounds up to the next * even multiple of BPF_ALIGNMENT. */ #ifndef __NetBSD__ #define BPF_ALIGNMENT sizeof(bpf_int32) #else #define BPF_ALIGNMENT sizeof(long) #endif #define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1)) #define BPF_MAXINSNS 512 #define BPF_MAXBUFSIZE 0x8000 #define BPF_MINBUFSIZE 32 /* * Structure for BIOCSETF. */ struct bpf_program { u_int bf_len; struct bpf_insn *bf_insns; }; /* * Struct returned by BIOCGSTATS. */ struct bpf_stat { u_int bs_recv; /* number of packets received */ u_int bs_drop; /* number of packets dropped */ }; /* * Struct return by BIOCVERSION. This represents the version number of * the filter language described by the instruction encodings below. * bpf understands a program iff kernel_major == filter_major && * kernel_minor >= filter_minor, that is, if the value returned by the * running kernel has the same major number and a minor number equal * equal to or less than the filter being downloaded. Otherwise, the * results are undefined, meaning an error may be returned or packets * may be accepted haphazardly. * It has nothing to do with the source code version. 
*/ struct bpf_version { u_short bv_major; u_short bv_minor; }; /* Current version number of filter architecture. */ #define BPF_MAJOR_VERSION 1 #define BPF_MINOR_VERSION 1 /* * BPF ioctls * * The first set is for compatibility with Sun's pcc style * header files. If your using gcc, we assume that you * have run fixincludes so the latter set should work. */ #if (defined(sun) || defined(ibm032)) && !defined(__GNUC__) #define BIOCGBLEN _IOR(B,102, u_int) #define BIOCSBLEN _IOWR(B,102, u_int) #define BIOCSETF _IOW(B,103, struct bpf_program) #define BIOCFLUSH _IO(B,104) #define BIOCPROMISC _IO(B,105) #define BIOCGDLT _IOR(B,106, u_int) #define BIOCGETIF _IOR(B,107, struct ifreq) #define BIOCSETIF _IOW(B,108, struct ifreq) #define BIOCSRTIMEOUT _IOW(B,109, struct timeval) #define BIOCGRTIMEOUT _IOR(B,110, struct timeval) #define BIOCGSTATS _IOR(B,111, struct bpf_stat) #define BIOCIMMEDIATE _IOW(B,112, u_int) #define BIOCVERSION _IOR(B,113, struct bpf_version) #define BIOCSTCPF _IOW(B,114, struct bpf_program) #define BIOCSUDPF _IOW(B,115, struct bpf_program) #else #define BIOCGBLEN _IOR('B',102, u_int) #define BIOCSBLEN _IOWR('B',102, u_int) #define BIOCSETF _IOW('B',103, struct bpf_program) #define BIOCFLUSH _IO('B',104) #define BIOCPROMISC _IO('B',105) #define BIOCGDLT _IOR('B',106, u_int) #define BIOCGETIF _IOR('B',107, struct ifreq) #define BIOCSETIF _IOW('B',108, struct ifreq) #define BIOCSRTIMEOUT _IOW('B',109, struct timeval) #define BIOCGRTIMEOUT _IOR('B',110, struct timeval) #define BIOCGSTATS _IOR('B',111, struct bpf_stat) #define BIOCIMMEDIATE _IOW('B',112, u_int) #define BIOCVERSION _IOR('B',113, struct bpf_version) #define BIOCSTCPF _IOW('B',114, struct bpf_program) #define BIOCSUDPF _IOW('B',115, struct bpf_program) #endif /* * Structure prepended to each packet. 
*/ struct bpf_hdr { struct timeval bh_tstamp; /* time stamp */ bpf_u_int32 bh_caplen; /* length of captured portion */ bpf_u_int32 bh_datalen; /* original length of packet */ u_short bh_hdrlen; /* length of bpf header (this struct plus alignment padding) */ }; /* * Because the structure above is not a multiple of 4 bytes, some compilers * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work. * Only the kernel needs to know about it; applications use bh_hdrlen. */ #if defined(KERNEL) || defined(_KERNEL) #define SIZEOF_BPF_HDR 18 #endif /* * Data-link level type codes. */ /* * These are the types that are the same on all platforms; on other * platforms, a should be supplied that defines the additional * DLT_* codes appropriately for that platform (the BSDs, for example, * should not just pick up this version of "bpf.h"; they should also define * the additional DLT_* codes used by their kernels, as well as the values * defined here - and, if the values they use for particular DLT_ types * differ from those here, they should use their values, not the ones * here). */ #define DLT_NULL 0 /* no link-layer encapsulation */ #define DLT_EN10MB 1 /* Ethernet (10Mb) */ #define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ #define DLT_AX25 3 /* Amateur Radio AX.25 */ #define DLT_PRONET 4 /* Proteon ProNET Token Ring */ #define DLT_CHAOS 5 /* Chaos */ #define DLT_IEEE802 6 /* IEEE 802 Networks */ #define DLT_ARCNET 7 /* ARCNET */ #define DLT_SLIP 8 /* Serial Line IP */ #define DLT_PPP 9 /* Point-to-point Protocol */ #define DLT_FDDI 10 /* FDDI */ /* * These are values from the traditional libpcap "bpf.h". * Ports of this to particular platforms should replace these definitions * with the ones appropriate to that platform, if the values are * different on that platform. */ #define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */ #define DLT_RAW 12 /* raw IP */ /* * These are values from BSD/OS's "bpf.h". 
* These are not the same as the values from the traditional libpcap * "bpf.h"; however, these values shouldn't be generated by any * OS other than BSD/OS, so the correct values to use here are the * BSD/OS values. * * Platforms that have already assigned these values to other * DLT_ codes, however, should give these codes the values * from that platform, so that programs that use these codes will * continue to compile - even though they won't correctly read * files of these types. */ #ifdef __NetBSD__ #ifndef DLT_SLIP_BSDOS #define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */ #define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */ #endif #else #define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */ #define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ #endif #define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */ /* * These values are defined by NetBSD; other platforms should refrain from * using them for other purposes, so that NetBSD savefiles with link * types of 50 or 51 can be read as this type on all platforms. */ #define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */ #define DLT_PPP_ETHER 51 /* PPP over Ethernet */ /* * Values between 100 and 103 are used in capture file headers as * link-layer types corresponding to DLT_ types that differ * between platforms; don't use those values for new DLT_ new types. */ /* * This value was defined by libpcap 0.5; platforms that have defined * it with a different value should define it here with that value - * a link type of 104 in a save file will be mapped to DLT_C_HDLC, * whatever value that happens to be, so programs will correctly * handle files with that link type regardless of the value of * DLT_C_HDLC. * * The name DLT_C_HDLC was used by BSD/OS; we use that name for source * compatibility with programs written for BSD/OS. * * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well, * for source compatibility with programs written for libpcap 0.5. 
*/ #define DLT_C_HDLC 104 /* Cisco HDLC */ #define DLT_CHDLC DLT_C_HDLC #define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */ /* * Values between 106 and 107 are used in capture file headers as * link-layer types corresponding to DLT_ types that might differ * between platforms; don't use those values for new DLT_ new types. */ /* * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except * that the AF_ type in the link-layer header is in network byte order. * * OpenBSD defines it as 12, but that collides with DLT_RAW, so we * define it as 108 here. If OpenBSD picks up this file, it should * define DLT_LOOP as 12 in its version, as per the comment above - * and should not use 108 as a DLT_ value. */ #define DLT_LOOP 108 /* * Values between 109 and 112 are used in capture file headers as * link-layer types corresponding to DLT_ types that might differ * between platforms; don't use those values for new DLT_ types * other than the corresponding DLT_ types. */ /* * This is for Linux cooked sockets. */ #define DLT_LINUX_SLL 113 /* * Apple LocalTalk hardware. */ #define DLT_LTALK 114 /* * Acorn Econet. */ #define DLT_ECONET 115 /* * Reserved for use with OpenBSD ipfilter. */ #define DLT_IPFILTER 116 /* * Reserved for use in capture-file headers as a link-layer type * corresponding to OpenBSD DLT_PFLOG; DLT_PFLOG is 17 in OpenBSD, * but that's DLT_LANE8023 in SuSE 6.3, so we can't use 17 for it * in capture-file headers. */ #define DLT_PFLOG 117 /* * Registered for Cisco-internal use. */ #define DLT_CISCO_IOS 118 /* * Reserved for 802.11 cards using the Prism II chips, with a link-layer * header including Prism monitor mode information plus an 802.11 * header. */ #define DLT_PRISM_HEADER 119 /* * Reserved for Aironet 802.11 cards, with an Aironet link-layer header * (see Doug Ambrisko's FreeBSD patches). */ #define DLT_AIRONET_HEADER 120 /* * Reserved for Siemens HiPath HDLC. 
*/ #define DLT_HHDLC 121 /* * Reserved for RFC 2625 IP-over-Fibre Channel, as per a request from * Don Lee . * * This is not for use with raw Fibre Channel, where the link-layer * header starts with a Fibre Channel frame header; it's for IP-over-FC, * where the link-layer header starts with an RFC 2625 Network_Header * field. */ #define DLT_IP_OVER_FC 122 /* * The instruction encodings. */ /* instruction classes */ #define BPF_CLASS(code) ((code) & 0x07) #define BPF_LD 0x00 #define BPF_LDX 0x01 #define BPF_ST 0x02 #define BPF_STX 0x03 #define BPF_ALU 0x04 #define BPF_JMP 0x05 #define BPF_RET 0x06 #define BPF_MISC 0x07 /* ld/ldx fields */ #define BPF_SIZE(code) ((code) & 0x18) #define BPF_W 0x00 #define BPF_H 0x08 #define BPF_B 0x10 #define BPF_MODE(code) ((code) & 0xe0) #define BPF_IMM 0x00 #define BPF_ABS 0x20 #define BPF_IND 0x40 #define BPF_MEM 0x60 #define BPF_LEN 0x80 #define BPF_MSH 0xa0 /* alu/jmp fields */ #define BPF_OP(code) ((code) & 0xf0) #define BPF_ADD 0x00 #define BPF_SUB 0x10 #define BPF_MUL 0x20 #define BPF_DIV 0x30 #define BPF_OR 0x40 #define BPF_AND 0x50 #define BPF_LSH 0x60 #define BPF_RSH 0x70 #define BPF_NEG 0x80 #define BPF_JA 0x00 #define BPF_JEQ 0x10 #define BPF_JGT 0x20 #define BPF_JGE 0x30 #define BPF_JSET 0x40 #define BPF_SRC(code) ((code) & 0x08) #define BPF_K 0x00 #define BPF_X 0x08 /* ret - BPF_K and BPF_X also apply */ #define BPF_RVAL(code) ((code) & 0x18) #define BPF_A 0x10 /* misc */ #define BPF_MISCOP(code) ((code) & 0xf8) #define BPF_TAX 0x00 #define BPF_TXA 0x80 /* * The instruction data structure. */ struct bpf_insn { u_short code; u_char jt; u_char jf; bpf_int32 k; }; /* * Macros for insn array initializers. */ #define BPF_STMT(code, k) { (u_short)(code), 0, 0, k } #define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k } #if defined(BSD) && (defined(KERNEL) || defined(_KERNEL)) /* * Systems based on non-BSD kernels don't have ifnet's (or they don't mean * anything if it is in ) and won't work like this. 
*/ # if __STDC__ extern void bpf_tap(struct ifnet *, u_char *, u_int); extern void bpf_mtap(struct ifnet *, struct mbuf *); extern void bpfattach(struct ifnet *, u_int, u_int); extern void bpfilterattach(int); # else extern void bpf_tap(); extern void bpf_mtap(); extern void bpfattach(); extern void bpfilterattach(); # endif /* __STDC__ */ #endif /* BSD && (_KERNEL || KERNEL) */ #if __STDC__ || defined(__cplusplus) extern int bpf_validate(struct bpf_insn *, int); extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int); #else extern int bpf_validate(); extern u_int bpf_filter(); #endif /* * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST). */ #define BPF_MEMWORDS 16 #ifdef __cplusplus } #endif #endif diff --git a/contrib/ipfilter/bpf_filter.c b/contrib/ipfilter/bpf_filter.c index 9876ff3e2637..c4ca42fc906f 100644 --- a/contrib/ipfilter/bpf_filter.c +++ b/contrib/ipfilter/bpf_filter.c 
@@ -1,517 +1,515 @@ -/* $NetBSD$ */ - /*- * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 * The Regents of the University of California. All rights reserved. * * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)bpf.c 7.5 (Berkeley) 7/15/91 */ #if !(defined(lint) || defined(KERNEL) || defined(_KERNEL)) static const char rcsid[] = - "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2 2003/08/19 16:49:58 darrenr Exp $ (LBL)"; + "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.1 2005/06/18 02:41:30 darrenr Exp $ (LBL)"; #endif #include #include #include #include #include #include -#include "ip_compat.h" +#include "netinet/ip_compat.h" #include "bpf-ipf.h" #if (defined(__hpux) || SOLARIS) && (defined(_KERNEL) || defined(KERNEL)) # include # include #endif #include "pcap-ipf.h" #if !defined(KERNEL) && !defined(_KERNEL) #include #endif #define int32 bpf_int32 #define u_int32 bpf_u_int32 static int m_xword __P((mb_t *, int, int *)); static int m_xhalf __P((mb_t *, int, int *)); #ifndef LBL_ALIGN /* * XXX - IA-64? If not, this probably won't work on Win64 IA-64 * systems, unless LBL_ALIGN is defined elsewhere for them. * XXX - SuperH? If not, this probably won't work on WinCE SuperH * systems, unless LBL_ALIGN is defined elsewhere for them. 
*/ #if defined(sparc) || defined(__sparc__) || defined(mips) || \ defined(ibm032) || defined(__alpha) || defined(__hpux) || \ defined(__arm__) #define LBL_ALIGN #endif #endif #ifndef LBL_ALIGN #define EXTRACT_SHORT(p) ((u_short)ntohs(*(u_short *)p)) #define EXTRACT_LONG(p) (ntohl(*(u_int32 *)p)) #else #define EXTRACT_SHORT(p)\ ((u_short)\ ((u_short)*((u_char *)p+0)<<8|\ (u_short)*((u_char *)p+1)<<0)) #define EXTRACT_LONG(p)\ ((u_int32)*((u_char *)p+0)<<24|\ (u_int32)*((u_char *)p+1)<<16|\ (u_int32)*((u_char *)p+2)<<8|\ (u_int32)*((u_char *)p+3)<<0) #endif #define MINDEX(len, _m, _k) \ { \ len = M_LEN(m); \ while ((_k) >= len) { \ (_k) -= len; \ (_m) = (_m)->m_next; \ if ((_m) == 0) \ return 0; \ len = M_LEN(m); \ } \ } static int m_xword(m, k, err) register mb_t *m; register int k, *err; { register int len; register u_char *cp, *np; register mb_t *m0; MINDEX(len, m, k); cp = MTOD(m, u_char *) + k; if (len - k >= 4) { *err = 0; return EXTRACT_LONG(cp); } m0 = m->m_next; if (m0 == 0 || M_LEN(m0) + len - k < 4) goto bad; *err = 0; np = MTOD(m0, u_char *); switch (len - k) { case 1: return (cp[0] << 24) | (np[0] << 16) | (np[1] << 8) | np[2]; case 2: return (cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) | np[1]; default: return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | np[0]; } bad: *err = 1; return 0; } static int m_xhalf(m, k, err) register mb_t *m; register int k, *err; { register int len; register u_char *cp; register mb_t *m0; MINDEX(len, m, k); cp = MTOD(m, u_char *) + k; if (len - k >= 2) { *err = 0; return EXTRACT_SHORT(cp); } m0 = m->m_next; if (m0 == 0) goto bad; *err = 0; return (cp[0] << 8) | MTOD(m0, u_char *)[0]; bad: *err = 1; return 0; } /* * Execute the filter program starting at pc on the packet p * wirelen is the length of the original packet * buflen is the amount of data present * For the kernel, p is assumed to be a pointer to an mbuf if buflen is 0, * in all other cases, p is a pointer to a buffer and buflen is its size. 
*/ u_int bpf_filter(pc, p, wirelen, buflen) register struct bpf_insn *pc; register u_char *p; u_int wirelen; register u_int buflen; { register u_int32 A, X; register int k; int32 mem[BPF_MEMWORDS]; mb_t *m, *n; int merr, len; if (buflen == 0) { m = (mb_t *)p; p = MTOD(m, u_char *); buflen = M_LEN(m); } else m = NULL; if (pc == 0) /* * No filter means accept all. */ return (u_int)-1; A = 0; X = 0; --pc; while (1) { ++pc; switch (pc->code) { default: return 0; case BPF_RET|BPF_K: return (u_int)pc->k; case BPF_RET|BPF_A: return (u_int)A; case BPF_LD|BPF_W|BPF_ABS: k = pc->k; if (k + sizeof(int32) > buflen) { if (m == NULL) return 0; A = m_xword(m, k, &merr); if (merr != 0) return 0; continue; } A = EXTRACT_LONG(&p[k]); continue; case BPF_LD|BPF_H|BPF_ABS: k = pc->k; if (k + sizeof(short) > buflen) { if (m == NULL) return 0; A = m_xhalf(m, k, &merr); if (merr != 0) return 0; continue; } A = EXTRACT_SHORT(&p[k]); continue; case BPF_LD|BPF_B|BPF_ABS: k = pc->k; if (k >= buflen) { if (m == NULL) return 0; n = m; MINDEX(len, n, k); A = MTOD(n, u_char *)[k]; continue; } A = p[k]; continue; case BPF_LD|BPF_W|BPF_LEN: A = wirelen; continue; case BPF_LDX|BPF_W|BPF_LEN: X = wirelen; continue; case BPF_LD|BPF_W|BPF_IND: k = X + pc->k; if (k + sizeof(int32) > buflen) { if (m == NULL) return 0; A = m_xword(m, k, &merr); if (merr != 0) return 0; continue; } A = EXTRACT_LONG(&p[k]); continue; case BPF_LD|BPF_H|BPF_IND: k = X + pc->k; if (k + sizeof(short) > buflen) { if (m == NULL) return 0; A = m_xhalf(m, k, &merr); if (merr != 0) return 0; continue; } A = EXTRACT_SHORT(&p[k]); continue; case BPF_LD|BPF_B|BPF_IND: k = X + pc->k; if (k >= buflen) { if (m == NULL) return 0; n = m; MINDEX(len, n, k); A = MTOD(n, u_char *)[k]; continue; } A = p[k]; continue; case BPF_LDX|BPF_MSH|BPF_B: k = pc->k; if (k >= buflen) { if (m == NULL) return 0; n = m; MINDEX(len, n, k); X = (MTOD(n, char *)[k] & 0xf) << 2; continue; } X = (p[pc->k] & 0xf) << 2; continue; case BPF_LD|BPF_IMM: A = pc->k; 
continue; case BPF_LDX|BPF_IMM: X = pc->k; continue; case BPF_LD|BPF_MEM: A = mem[pc->k]; continue; case BPF_LDX|BPF_MEM: X = mem[pc->k]; continue; case BPF_ST: mem[pc->k] = A; continue; case BPF_STX: mem[pc->k] = X; continue; case BPF_JMP|BPF_JA: pc += pc->k; continue; case BPF_JMP|BPF_JGT|BPF_K: pc += (A > pc->k) ? pc->jt : pc->jf; continue; case BPF_JMP|BPF_JGE|BPF_K: pc += (A >= pc->k) ? pc->jt : pc->jf; continue; case BPF_JMP|BPF_JEQ|BPF_K: pc += (A == pc->k) ? pc->jt : pc->jf; continue; case BPF_JMP|BPF_JSET|BPF_K: pc += (A & pc->k) ? pc->jt : pc->jf; continue; case BPF_JMP|BPF_JGT|BPF_X: pc += (A > X) ? pc->jt : pc->jf; continue; case BPF_JMP|BPF_JGE|BPF_X: pc += (A >= X) ? pc->jt : pc->jf; continue; case BPF_JMP|BPF_JEQ|BPF_X: pc += (A == X) ? pc->jt : pc->jf; continue; case BPF_JMP|BPF_JSET|BPF_X: pc += (A & X) ? pc->jt : pc->jf; continue; case BPF_ALU|BPF_ADD|BPF_X: A += X; continue; case BPF_ALU|BPF_SUB|BPF_X: A -= X; continue; case BPF_ALU|BPF_MUL|BPF_X: A *= X; continue; case BPF_ALU|BPF_DIV|BPF_X: if (X == 0) return 0; A /= X; continue; case BPF_ALU|BPF_AND|BPF_X: A &= X; continue; case BPF_ALU|BPF_OR|BPF_X: A |= X; continue; case BPF_ALU|BPF_LSH|BPF_X: A <<= X; continue; case BPF_ALU|BPF_RSH|BPF_X: A >>= X; continue; case BPF_ALU|BPF_ADD|BPF_K: A += pc->k; continue; case BPF_ALU|BPF_SUB|BPF_K: A -= pc->k; continue; case BPF_ALU|BPF_MUL|BPF_K: A *= pc->k; continue; case BPF_ALU|BPF_DIV|BPF_K: A /= pc->k; continue; case BPF_ALU|BPF_AND|BPF_K: A &= pc->k; continue; case BPF_ALU|BPF_OR|BPF_K: A |= pc->k; continue; case BPF_ALU|BPF_LSH|BPF_K: A <<= pc->k; continue; case BPF_ALU|BPF_RSH|BPF_K: A >>= pc->k; continue; case BPF_ALU|BPF_NEG: A = -A; continue; case BPF_MISC|BPF_TAX: X = A; continue; case BPF_MISC|BPF_TXA: A = X; continue; } } } /* * Return true if the 'fcode' is a valid filter program. * The constraints are that each jump be forward and to a valid * code. The code must terminate with either an accept or reject. 
* 'valid' is an array for use by the routine (it must be at least * 'len' bytes long). * * The kernel needs to be able to verify an application's filter code. * Otherwise, a bogus program could easily crash the system. */ int bpf_validate(f, len) struct bpf_insn *f; int len; { register int i; register struct bpf_insn *p; for (i = 0; i < len; ++i) { /* * Check that that jumps are forward, and within * the code block. */ p = &f[i]; if (BPF_CLASS(p->code) == BPF_JMP) { register int from = i + 1; if (BPF_OP(p->code) == BPF_JA) { if (from + p->k >= (unsigned)len) return 0; } else if (from + p->jt >= len || from + p->jf >= len) return 0; } /* * Check that memory operations use valid addresses. */ if ((BPF_CLASS(p->code) == BPF_ST || (BPF_CLASS(p->code) == BPF_LD && (p->code & 0xe0) == BPF_MEM)) && (p->k >= BPF_MEMWORDS || p->k < 0)) return 0; /* * Check for constant division by 0. */ if (p->code == (BPF_ALU|BPF_DIV|BPF_K) && p->k == 0) return 0; } return BPF_CLASS(f[len - 1].code) == BPF_RET; } diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h index 1398c05f7cd7..3cf0ffb06238 100644 --- a/contrib/ipfilter/ipf.h +++ b/contrib/ipfilter/ipf.h 
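Review bot: bpf_validate() range-checks `k` against BPF_MEMWORDS only for the BPF_ST class and for BPF_LD in BPF_MEM mode, while bpf_filter() also indexes `mem[pc->k]` unchecked in its `BPF_LDX|BPF_MEM` and `BPF_STX` cases, so a program that passes validation can still address outside the 16-word scratch array. Both functions are unchanged context in this hunk (the commit only touches the rcsid string and the ip_compat.h include path), but the gap ships with the file; the class test should become `BPF_CLASS(p->code) == BPF_ST || BPF_CLASS(p->code) == BPF_STX || ((BPF_CLASS(p->code) == BPF_LD || BPF_CLASS(p->code) == BPF_LDX) && BPF_MODE(p->code) == BPF_MEM)`. The closing `f[len - 1]` read also needs an `if (len < 1) return 0;` guard at the top of bpf_validate(), since a zero-length program otherwise reads before the start of the array. Whether every caller runs bpf_validate() before bpf_filter() is not visible here and should be confirmed.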
@@ -1,306 +1,305 @@ -/* $NetBSD$ */ - /* * Copyright (C) 1993-2001, 2003 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipf.h 1.12 6/5/96 - * Id: ipf.h,v 2.71.2.6 2005/02/21 05:05:29 darrenr Exp + * $Id: ipf.h,v 2.71.2.7 2005/06/12 07:18:31 darrenr Exp $ */ #ifndef __IPF_H__ #define __IPF_H__ #if defined(__osf__) # define radix_mask ipf_radix_mask # define radix_node ipf_radix_node # define radix_node_head ipf_radix_node_head #endif #include #include #include /* * This is a workaround for troubles on FreeBSD, HPUX, OpenBSD. * Needed here because on some systems gets included by things * like */ #ifndef _KERNEL # define ADD_KERNEL # define _KERNEL # define KERNEL #endif #ifdef __OpenBSD__ struct file; #endif #include #ifdef ADD_KERNEL # undef _KERNEL # undef KERNEL #endif #include #include #include #if __FreeBSD_version >= 300000 # include #endif #include #include #include #include #ifndef TCP_PAWS_IDLE /* IRIX */ # include #endif #include #include #include #include #include #include #include #include #if !defined(__SVR4) && !defined(__svr4__) && defined(sun) # include #endif #include #include #include "netinet/ip_compat.h" #include "netinet/ip_fil.h" #include "netinet/ip_nat.h" #include "netinet/ip_frag.h" #include "netinet/ip_state.h" #include "netinet/ip_proxy.h" #include "netinet/ip_auth.h" #include "netinet/ip_lookup.h" #include "netinet/ip_pool.h" #include "netinet/ip_scan.h" #include "netinet/ip_htable.h" #include "netinet/ip_sync.h" #include "opts.h" #ifndef __P # ifdef __STDC__ # define __P(x) x # else # define __P(x) () # endif #endif #ifndef __STDC__ # undef const # define const #endif #ifndef U_32_T # define U_32_T 1 # if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \ defined(__sgi) typedef u_int32_t u_32_t; # else # if defined(__alpha__) || defined(__alpha) || defined(_LP64) typedef unsigned int u_32_t; # else # if SOLARIS2 >= 6 typedef uint32_t u_32_t; # else typedef unsigned int u_32_t; # 
endif # endif # endif /* __NetBSD__ || __OpenBSD__ || __FreeBSD__ || __sgi */ #endif /* U_32_T */ #ifndef MAXHOSTNAMELEN # define MAXHOSTNAMELEN 256 #endif #define MAX_ICMPCODE 16 #define MAX_ICMPTYPE 19 struct ipopt_names { int on_value; int on_bit; int on_siz; char *on_name; }; typedef struct alist_s { struct alist_s *al_next; int al_not; i6addr_t al_i6addr; i6addr_t al_i6mask; } alist_t; #define al_addr al_i6addr.in4_addr #define al_mask al_i6mask.in4_addr #define al_1 al_addr #define al_2 al_mask typedef struct { u_short fb_c; u_char fb_t; u_char fb_f; u_32_t fb_k; } fakebpf_t; #if defined(__NetBSD__) || defined(__OpenBSD__) || \ (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \ SOLARIS || defined(__sgi) || defined(__osf__) || defined(linux) # include typedef int (* ioctlfunc_t) __P((int, ioctlcmd_t, ...)); #else typedef int (* ioctlfunc_t) __P((dev_t, ioctlcmd_t, void *)); #endif typedef void (* addfunc_t) __P((int, ioctlfunc_t, void *)); typedef int (* copyfunc_t) __P((void *, void *, size_t)); /* * SunOS4 */ #if defined(sun) && !defined(__SVR4) && !defined(__svr4__) extern int ioctl __P((int, int, void *)); #endif extern char thishost[]; extern char flagset[]; extern u_char flags[]; extern struct ipopt_names ionames[]; extern struct ipopt_names secclass[]; extern char *icmpcodes[MAX_ICMPCODE + 1]; extern char *icmptypes[MAX_ICMPTYPE + 1]; extern int use_inet6; extern int lineNum; extern struct ipopt_names v6ionames[]; extern int addicmp __P((char ***, struct frentry *, int)); extern int addipopt __P((char *, struct ipopt_names *, int, char *)); extern int addkeep __P((char ***, struct frentry *, int)); extern int bcopywrap __P((void *, void *, size_t)); extern void binprint __P((void *, size_t)); extern void initparse __P((void)); extern u_32_t buildopts __P((char *, char *, int)); extern int checkrev __P((char *)); extern int count6bits __P((u_32_t *)); extern int count4bits __P((u_32_t)); extern int extras __P((char ***, struct frentry *, 
int)); extern char *fac_toname __P((int)); extern int fac_findname __P((char *)); extern void fill6bits __P((int, u_int *)); extern int gethost __P((char *, u_32_t *)); extern int getport __P((struct frentry *, char *, u_short *)); extern int getportproto __P((char *, int)); extern int getproto __P((char *)); extern char *getline __P((char *, size_t, FILE *, int *)); extern int genmask __P((char *, u_32_t *)); extern char *getnattype __P((struct ipnat *)); extern char *getsumd __P((u_32_t)); extern u_32_t getoptbyname __P((char *)); extern u_32_t getoptbyvalue __P((int)); extern u_32_t getv6optbyname __P((char *)); extern u_32_t getv6optbyvalue __P((int)); extern void hexdump __P((FILE *, void *, int, int)); extern int hostmask __P((char ***, char *, char *, u_32_t *, u_32_t *, int)); extern int hostnum __P((u_32_t *, char *, int, char *)); extern int icmpcode __P((char *)); extern int icmpidnum __P((char *, u_short *, int)); extern void initparse __P((void)); extern void ipf_dotuning __P((int, char *, ioctlfunc_t)); extern void ipf_addrule __P((int, ioctlfunc_t, void *)); extern int ipf_parsefile __P((int, addfunc_t, ioctlfunc_t *, char *)); extern int ipf_parsesome __P((int, addfunc_t, ioctlfunc_t *, FILE *)); extern int ipmon_parsefile __P((char *)); extern int ipmon_parsesome __P((FILE *)); extern void ipnat_addrule __P((int, ioctlfunc_t, void *)); extern int ipnat_parsefile __P((int, addfunc_t, ioctlfunc_t, char *)); extern int ipnat_parsesome __P((int, addfunc_t, ioctlfunc_t, FILE *)); extern int ippool_parsefile __P((int, char *, ioctlfunc_t)); extern int ippool_parsesome __P((int, FILE *, ioctlfunc_t)); extern int kmemcpywrap __P((void *, void *, size_t)); extern char *kvatoname __P((ipfunc_t, ioctlfunc_t)); extern int load_hash __P((struct iphtable_s *, struct iphtent_s *, ioctlfunc_t)); extern int load_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t)); extern int load_pool __P((struct ip_pool_s *list, ioctlfunc_t)); extern int load_poolnode 
__P((int, char *, ip_pool_node_t *, ioctlfunc_t)); extern int loglevel __P((char **, u_int *, int)); extern alist_t *make_range __P((int, struct in_addr, struct in_addr)); extern ipfunc_t nametokva __P((char *, ioctlfunc_t)); extern ipnat_t *natparse __P((char *, int)); extern void natparsefile __P((int, char *, int)); extern void nat_setgroupmap __P((struct ipnat *)); extern int ntomask __P((int, int, u_32_t *)); extern u_32_t optname __P((char ***, u_short *, int)); extern struct frentry *parse __P((char *, int)); extern char *portname __P((int, int)); extern int portnum __P((char *, char *, u_short *, int)); extern int ports __P((char ***, char *, u_short *, int *, u_short *, int)); extern int pri_findname __P((char *)); extern char *pri_toname __P((int)); extern void print_toif __P((char *, struct frdest *)); extern void printaps __P((ap_session_t *, int)); extern void printbuf __P((char *, int, int)); extern void printfr __P((struct frentry *, ioctlfunc_t)); extern void printtunable __P((ipftune_t *)); extern struct iphtable_s *printhash __P((struct iphtable_s *, copyfunc_t, char *, int)); extern struct iphtent_s *printhashnode __P((struct iphtable_s *, struct iphtent_s *, copyfunc_t, int)); extern void printhostmask __P((int, u_32_t *, u_32_t *)); extern void printip __P((u_32_t *)); extern void printlog __P((struct frentry *)); extern void printlookup __P((i6addr_t *addr, i6addr_t *mask)); extern void printmask __P((u_32_t *)); extern void printpacket __P((struct ip *)); extern void printpacket6 __P((struct ip *)); extern struct ip_pool_s *printpool __P((struct ip_pool_s *, copyfunc_t, char *, int)); extern struct ip_pool_node *printpoolnode __P((struct ip_pool_node *, int)); +extern void printproto __P((struct protoent *, int, struct ipnat *)); extern void printportcmp __P((int, struct frpcmp *)); extern void optprint __P((u_short *, u_long, u_long)); #ifdef USE_INET6 extern void optprintv6 __P((u_short *, u_long, u_long)); #endif extern int ratoi __P((char 
*, int *, int, int)); extern int ratoui __P((char *, u_int *, u_int, u_int)); extern int remove_hash __P((struct iphtable_s *, ioctlfunc_t)); extern int remove_hashnode __P((int, char *, struct iphtent_s *, ioctlfunc_t)); extern int remove_pool __P((ip_pool_t *, ioctlfunc_t)); extern int remove_poolnode __P((int, char *, ip_pool_node_t *, ioctlfunc_t)); extern u_char tcp_flags __P((char *, u_char *, int)); extern u_char tcpflags __P((char *)); extern int to_interface __P((struct frdest *, char *, int)); extern void printc __P((struct frentry *)); extern void printC __P((int)); extern void emit __P((int, int, void *, struct frentry *)); extern u_char secbit __P((int)); extern u_char seclevel __P((char *)); extern void printfraginfo __P((char *, struct ipfr *)); extern void printifname __P((char *, char *, void *)); extern char *hostname __P((int, void *)); extern struct ipstate *printstate __P((struct ipstate *, int, u_long)); extern void printsbuf __P((char *)); extern void printnat __P((struct ipnat *, int)); extern void printactivenat __P((struct nat *, int)); extern void printhostmap __P((struct hostmap *, u_int)); extern void printpacket __P((struct ip *)); extern void set_variable __P((char *, char *)); extern char *get_variable __P((char *, char **, int)); extern void resetlexer __P((void)); #if SOLARIS extern int gethostname __P((char *, int )); extern void sync __P((void)); #endif #endif /* __IPF_H__ */ diff --git a/contrib/ipfilter/iplang/iplang.h b/contrib/ipfilter/iplang/iplang.h index 675897b8419d..f36a3843c0aa 100644 --- a/contrib/ipfilter/iplang/iplang.h +++ b/contrib/ipfilter/iplang/iplang.h 
@@ -1,54 +1,52 @@ -/* $NetBSD$ */ - /* * Copyright (C) 1997-1998 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. */ typedef struct iface { int if_MTU; char *if_name; struct in_addr if_addr; struct ether_addr if_eaddr; struct iface *if_next; int if_fd; } iface_t; typedef struct send { struct iface *snd_if; struct in_addr snd_gw; } send_t; typedef struct arp { struct in_addr arp_addr; struct ether_addr arp_eaddr; struct arp *arp_next; } arp_t; typedef struct aniphdr { union { ip_t *ahu_ip; char *ahu_data; tcphdr_t *ahu_tcp; udphdr_t *ahu_udp; icmphdr_t *ahu_icmp; } ah_un; int ah_optlen; int ah_lastopt; int ah_p; size_t ah_len; struct aniphdr *ah_next; struct aniphdr *ah_prev; } aniphdr_t; #define ah_ip ah_un.ahu_ip #define ah_data ah_un.ahu_data #define ah_tcp ah_un.ahu_tcp #define ah_udp ah_un.ahu_udp #define ah_icmp ah_un.ahu_icmp extern int get_arpipv4 __P((char *, char *)); diff --git a/contrib/ipfilter/iplang/iplang_l.l b/contrib/ipfilter/iplang/iplang_l.l index 0a97ec94d4bf..fae30a25ed2d 100644 --- a/contrib/ipfilter/iplang/iplang_l.l +++ b/contrib/ipfilter/iplang/iplang_l.l 
@@ -1,322 +1,320 @@ -/* $NetBSD$ */ - %{ /* * Copyright (C) 1997-1998 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * Id: iplang_l.l,v 2.8 2003/07/28 01:15:31 darrenr Exp + * $Id: iplang_l.l,v 2.8 2003/07/28 01:15:31 darrenr Exp $ */ #include #include #include #if defined(__SVR4) || defined(__sysv__) #include #endif #include #include #include #include "iplang_y.h" #include "ipf.h" #ifndef __P # ifdef __STDC__ # define __P(x) x # else # define __P(x) () # endif #endif extern int opts; int lineNum = 0, ipproto = 0, oldipproto = 0, next = -1, laststate = 0; int *prstack = NULL, numpr = 0, state = 0, token = 0; void yyerror __P((char *)); void push_proto __P((void)); void pop_proto __P((void)); int next_state __P((int, int)); int next_item __P((int)); int save_token __P((void)); void swallow __P((void)); int yylex __P((void)); struct lwordtab { char *word; int state; int next; }; struct lwordtab words[] = { { "interface", IL_INTERFACE, -1 }, { "iface", IL_INTERFACE, -1 }, { "name", IL_IFNAME, IL_TOKEN }, { "ifname", IL_IFNAME, IL_TOKEN }, { "router", IL_DEFROUTER, IL_TOKEN }, { "mtu", IL_MTU, IL_NUMBER }, { "eaddr", IL_EADDR, IL_TOKEN }, { "v4addr", IL_V4ADDR, IL_TOKEN }, { "ipv4", IL_IPV4, -1 }, { "v", IL_V4V, IL_TOKEN }, { "proto", IL_V4PROTO, IL_TOKEN }, { "hl", IL_V4HL, IL_TOKEN }, { "id", IL_V4ID, IL_TOKEN }, { "ttl", IL_V4TTL, IL_TOKEN }, { "tos", IL_V4TOS, IL_TOKEN }, { "src", IL_V4SRC, IL_TOKEN }, { "dst", IL_V4DST, IL_TOKEN }, { "opt", IL_OPT, -1 }, { "len", IL_LEN, IL_TOKEN }, { "off", IL_OFF, IL_TOKEN }, { "sum", IL_SUM, IL_TOKEN }, { "tcp", IL_TCP, -1 }, { "sport", IL_SPORT, IL_TOKEN }, { "dport", IL_DPORT, IL_TOKEN }, { "seq", IL_TCPSEQ, IL_TOKEN }, { "ack", IL_TCPACK, IL_TOKEN }, { "flags", IL_TCPFL, IL_TOKEN }, { "urp", IL_TCPURP, IL_TOKEN }, { "win", IL_TCPWIN, IL_TOKEN }, { "udp", IL_UDP, -1 }, { "send", IL_SEND, -1 }, { "via", IL_VIA, IL_TOKEN }, { "arp", IL_ARP, -1 }, { "data", IL_DATA, -1 }, { "value", IL_DVALUE, 
IL_TOKEN }, { "file", IL_DFILE, IL_TOKEN }, { "nop", IL_IPO_NOP, -1 }, { "eol", IL_IPO_EOL, -1 }, { "rr", IL_IPO_RR, -1 }, { "zsu", IL_IPO_ZSU, -1 }, { "mtup", IL_IPO_MTUP, -1 }, { "mtur", IL_IPO_MTUR, -1 }, { "encode", IL_IPO_ENCODE, -1 }, { "ts", IL_IPO_TS, -1 }, { "tr", IL_IPO_TR, -1 }, { "sec", IL_IPO_SEC, -1 }, { "secclass", IL_IPO_SECCLASS, IL_TOKEN }, { "lsrr", IL_IPO_LSRR, -1 }, { "esec", IL_IPO_ESEC, -1 }, { "cipso", IL_IPO_CIPSO, -1 }, { "satid", IL_IPO_SATID, -1 }, { "ssrr", IL_IPO_SSRR, -1 }, { "addext", IL_IPO_ADDEXT, -1 }, { "visa", IL_IPO_VISA, -1 }, { "imitd", IL_IPO_IMITD, -1 }, { "eip", IL_IPO_EIP, -1 }, { "finn", IL_IPO_FINN, -1 }, { "mss", IL_TCPO_MSS, IL_TOKEN }, { "wscale", IL_TCPO_WSCALE, IL_TOKEN }, { "reserv-4", IL_IPS_RESERV4, -1 }, { "topsecret", IL_IPS_TOPSECRET, -1 }, { "secret", IL_IPS_SECRET, -1 }, { "reserv-3", IL_IPS_RESERV3, -1 }, { "confid", IL_IPS_CONFID, -1 }, { "unclass", IL_IPS_UNCLASS, -1 }, { "reserv-2", IL_IPS_RESERV2, -1 }, { "reserv-1", IL_IPS_RESERV1, -1 }, { "icmp", IL_ICMP, -1 }, { "type", IL_ICMPTYPE, -1 }, { "code", IL_ICMPCODE, -1 }, { "echorep", IL_ICMP_ECHOREPLY, -1 }, { "unreach", IL_ICMP_UNREACH, -1 }, { "squench", IL_ICMP_SOURCEQUENCH, -1 }, { "redir", IL_ICMP_REDIRECT, -1 }, { "echo", IL_ICMP_ECHO, -1 }, { "routerad", IL_ICMP_ROUTERADVERT, -1 }, { "routersol", IL_ICMP_ROUTERSOLICIT, -1 }, { "timex", IL_ICMP_TIMXCEED, -1 }, { "paramprob", IL_ICMP_PARAMPROB, -1 }, { "timest", IL_ICMP_TSTAMP, -1 }, { "timestrep", IL_ICMP_TSTAMPREPLY, -1 }, { "inforeq", IL_ICMP_IREQ, -1 }, { "inforep", IL_ICMP_IREQREPLY, -1 }, { "maskreq", IL_ICMP_MASKREQ, -1 }, { "maskrep", IL_ICMP_MASKREPLY, -1 }, { "net-unr", IL_ICMP_UNREACH_NET, -1 }, { "host-unr", IL_ICMP_UNREACH_HOST, -1 }, { "proto-unr", IL_ICMP_UNREACH_PROTOCOL, -1 }, { "port-unr", IL_ICMP_UNREACH_PORT, -1 }, { "needfrag", IL_ICMP_UNREACH_NEEDFRAG, -1 }, { "srcfail", IL_ICMP_UNREACH_SRCFAIL, -1 }, { "net-unk", IL_ICMP_UNREACH_NET_UNKNOWN, -1 }, { "host-unk", 
IL_ICMP_UNREACH_HOST_UNKNOWN, -1 }, { "isolate", IL_ICMP_UNREACH_ISOLATED, -1 }, { "net-prohib", IL_ICMP_UNREACH_NET_PROHIB, -1 }, { "host-prohib", IL_ICMP_UNREACH_HOST_PROHIB, -1 }, { "net-tos", IL_ICMP_UNREACH_TOSNET, -1 }, { "host-tos", IL_ICMP_UNREACH_TOSHOST, -1 }, { "filter-prohib", IL_ICMP_UNREACH_FILTER_PROHIB, -1 }, { "host-preced", IL_ICMP_UNREACH_HOST_PRECEDENCE, -1 }, { "cutoff-preced", IL_ICMP_UNREACH_PRECEDENCE_CUTOFF, -1 }, { "net-redir", IL_ICMP_REDIRECT_NET, -1 }, { "host-redir", IL_ICMP_REDIRECT_HOST, -1 }, { "tos-net-redir", IL_ICMP_REDIRECT_TOSNET, -1 }, { "tos-host-redir", IL_ICMP_REDIRECT_TOSHOST, -1 }, { "intrans", IL_ICMP_TIMXCEED_INTRANS, -1 }, { "reass", IL_ICMP_TIMXCEED_REASS, -1 }, { "optabsent", IL_ICMP_PARAMPROB_OPTABSENT, -1 }, { "otime", IL_ICMP_OTIME, -1 }, { "rtime", IL_ICMP_RTIME, -1 }, { "ttime", IL_ICMP_TTIME, -1 }, { "icmpseq", IL_ICMP_SEQ, -1 }, { "icmpid", IL_ICMP_SEQ, -1 }, { ".", IL_DOT, -1 }, { NULL, 0, 0 } }; %} white [ \t\r]+ %% {white} ; \n { lineNum++; swallow(); } \{ { push_proto(); return next_item('{'); } \} { pop_proto(); return next_item('}'); } ; { return next_item(';'); } [0-9]+ { return next_item(IL_NUMBER); } [0-9a-fA-F] { return next_item(IL_HEXDIGIT); } : { return next_item(IL_COLON); } #[^\n]* { return next_item(IL_COMMENT); } [^ \{\}\n\t;:{}]* { return next_item(IL_TOKEN); } \"[^\"]*\" { return next_item(IL_TOKEN); } %% void yyerror(msg) char *msg; { fprintf(stderr, "%s error at \"%s\", line %d\n", msg, yytext, lineNum + 1); exit(1); } void push_proto() { numpr++; if (!prstack) prstack = (int *)malloc(sizeof(int)); else prstack = (int *)realloc((char *)prstack, numpr * sizeof(int)); prstack[numpr - 1] = oldipproto; } void pop_proto() { numpr--; ipproto = prstack[numpr]; if (!numpr) { free(prstack); prstack = NULL; return; } prstack = (int *)realloc((char *)prstack, numpr * sizeof(int)); } int save_token() { yylval.str = strdup((char *)yytext); return IL_TOKEN; } int next_item(nstate) int nstate; { struct 
lwordtab *wt; if (opts & OPT_DEBUG) printf("text=[%s] id=%d next=%d\n", yytext, nstate, next); if (next == IL_TOKEN) { next = -1; return save_token(); } token++; for (wt = words; wt->word; wt++) if (!strcasecmp(wt->word, (char *)yytext)) return next_state(wt->state, wt->next); if (opts & OPT_DEBUG) printf("unknown keyword=[%s]\n", yytext); next = -1; if (nstate == IL_NUMBER) yylval.num = atoi((char *)yytext); token++; return nstate; } int next_state(nstate, fornext) int nstate, fornext; { next = fornext; switch (nstate) { case IL_IPV4 : case IL_TCP : case IL_UDP : case IL_ICMP : case IL_DATA : case IL_INTERFACE : case IL_ARP : oldipproto = ipproto; ipproto = nstate; break; case IL_SUM : if (ipproto == IL_IPV4) nstate = IL_V4SUM; else if (ipproto == IL_TCP) nstate = IL_TCPSUM; else if (ipproto == IL_UDP) nstate = IL_UDPSUM; break; case IL_OPT : if (ipproto == IL_IPV4) nstate = IL_V4OPT; else if (ipproto == IL_TCP) nstate = IL_TCPOPT; break; case IL_IPO_NOP : if (ipproto == IL_TCP) nstate = IL_TCPO_NOP; break; case IL_IPO_EOL : if (ipproto == IL_TCP) nstate = IL_TCPO_EOL; break; case IL_IPO_TS : if (ipproto == IL_TCP) nstate = IL_TCPO_TS; break; case IL_OFF : if (ipproto == IL_IPV4) nstate = IL_V4OFF; else if (ipproto == IL_TCP) nstate = IL_TCPOFF; break; case IL_LEN : if (ipproto == IL_IPV4) nstate = IL_V4LEN; else if (ipproto == IL_UDP) nstate = IL_UDPLEN; break; } return nstate; } void swallow() { int c; c = input(); if (c == '#') { while ((c != '\n') && (c != EOF)) c = input(); } if (c != EOF) unput(c); } diff --git a/contrib/ipfilter/iplang/iplang_y.y b/contrib/ipfilter/iplang/iplang_y.y index fa960dfd6d16..4d494fb44ebf 100644 --- a/contrib/ipfilter/iplang/iplang_y.y +++ b/contrib/ipfilter/iplang/iplang_y.y 
@@ -1,1852 +1,1856 @@ -/* $NetBSD$ */ - %{ /* * Copyright (C) 1997-1998 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * - * Id: iplang_y.y,v 2.9.2.2 2004/12/09 19:41:10 darrenr Exp + * $Id: iplang_y.y,v 2.9.2.3 2005/10/17 17:25:04 darrenr Exp $ */ #include #include #include #if !defined(__SVR4) && !defined(__svr4__) #include #else #include #endif #include #include #include #include #include #include #include #include #include #include #include #ifndef linux #include #endif #include #ifndef linux #include #endif #include #include #include #include #include #include "ipsend.h" #include "ip_compat.h" #include "ipf.h" #include "iplang.h" #if !defined(__NetBSD__) && (!defined(__FreeBSD_version) && \ __FreeBSD_version < 400020) && (!SOLARIS || SOLARIS2 < 10) extern struct ether_addr *ether_aton __P((char *)); #endif extern int opts; extern struct ipopt_names ionames[]; extern int state, state, lineNum, token; extern int yylineno; extern char yytext[]; extern FILE *yyin; int yylex __P((void)); #define YYDEBUG 1 #if !defined(ultrix) && !defined(hpux) int yydebug = 1; #else extern int yydebug; #endif iface_t *iflist = NULL, **iftail = &iflist; iface_t *cifp = NULL; arp_t *arplist = NULL, **arptail = &arplist, *carp = NULL; struct in_addr defrouter; send_t sending; char *sclass = NULL; u_short c_chksum __P((u_short *, u_int, u_long)); u_long p_chksum __P((u_short *, u_int)); u_long ipbuffer[67584/sizeof(u_long)]; /* 66K */ aniphdr_t *aniphead = NULL, *canip = NULL, **aniptail = &aniphead; ip_t *ip = NULL; udphdr_t *udp = NULL; tcphdr_t *tcp = NULL; icmphdr_t *icmp = NULL; struct statetoopt { int sto_st; int sto_op; }; struct in_addr getipv4addr __P((char *arg)); u_short getportnum __P((char *, char *)); struct ether_addr *geteaddr __P((char *, struct ether_addr *)); void *new_header __P((int)); void free_aniplist __P((void)); void inc_anipheaders __P((int)); void new_data __P((void)); void set_datalen __P((char **)); void set_datafile __P((char 
**)); void set_data __P((char **)); void new_packet __P((void)); void set_ipv4proto __P((char **)); void set_ipv4src __P((char **)); void set_ipv4dst __P((char **)); void set_ipv4off __P((char **)); void set_ipv4v __P((char **)); void set_ipv4hl __P((char **)); void set_ipv4ttl __P((char **)); void set_ipv4tos __P((char **)); void set_ipv4id __P((char **)); void set_ipv4sum __P((char **)); void set_ipv4len __P((char **)); void new_tcpheader __P((void)); void set_tcpsport __P((char **)); void set_tcpdport __P((char **)); void set_tcpseq __P((char **)); void set_tcpack __P((char **)); void set_tcpoff __P((char **)); void set_tcpurp __P((char **)); void set_tcpwin __P((char **)); void set_tcpsum __P((char **)); void set_tcpflags __P((char **)); void set_tcpopt __P((int, char **)); void end_tcpopt __P((void)); void new_udpheader __P((void)); void set_udplen __P((char **)); void set_udpsum __P((char **)); void prep_packet __P((void)); void packet_done __P((void)); void new_interface __P((void)); void check_interface __P((void)); void set_ifname __P((char **)); void set_ifmtu __P((int)); void set_ifv4addr __P((char **)); void set_ifeaddr __P((char **)); void new_arp __P((void)); void set_arpeaddr __P((char **)); void set_arpv4addr __P((char **)); void reset_send __P((void)); void set_sendif __P((char **)); void set_sendvia __P((char **)); void set_defaultrouter __P((char **)); void new_icmpheader __P((void)); void set_icmpcode __P((int)); void set_icmptype __P((int)); void set_icmpcodetok __P((char **)); void set_icmptypetok __P((char **)); void set_icmpid __P((int)); void set_icmpseq __P((int)); void set_icmpotime __P((int)); void set_icmprtime __P((int)); void set_icmpttime __P((int)); void set_icmpmtu __P((int)); void set_redir __P((int, char **)); void new_ipv4opt __P((void)); void set_icmppprob __P((int)); void add_ipopt __P((int, void *)); void end_ipopt __P((void)); void set_secclass __P((char **)); void free_anipheader __P((void)); void end_ipv4 __P((void)); void 
end_icmp __P((void)); void end_udp __P((void)); void end_tcp __P((void)); void end_data __P((void)); void yyerror __P((char *)); void iplang __P((FILE *)); int arp_getipv4 __P((char *, char *)); int yyparse __P((void)); %} %union { char *str; int num; } %token IL_NUMBER %type number digits optnumber %token IL_TOKEN %type token optoken %token IL_HEXDIGIT IL_COLON IL_DOT IL_EOF IL_COMMENT %token IL_INTERFACE IL_IFNAME IL_MTU IL_EADDR %token IL_IPV4 IL_V4PROTO IL_V4SRC IL_V4DST IL_V4OFF IL_V4V IL_V4HL IL_V4TTL %token IL_V4TOS IL_V4SUM IL_V4LEN IL_V4OPT IL_V4ID %token IL_TCP IL_SPORT IL_DPORT IL_TCPFL IL_TCPSEQ IL_TCPACK IL_TCPOFF %token IL_TCPWIN IL_TCPSUM IL_TCPURP IL_TCPOPT IL_TCPO_NOP IL_TCPO_EOL %token IL_TCPO_MSS IL_TCPO_WSCALE IL_TCPO_TS %token IL_UDP IL_UDPLEN IL_UDPSUM %token IL_ICMP IL_ICMPTYPE IL_ICMPCODE %token IL_SEND IL_VIA %token IL_ARP %token IL_DEFROUTER %token IL_SUM IL_OFF IL_LEN IL_V4ADDR IL_OPT %token IL_DATA IL_DLEN IL_DVALUE IL_DFILE %token IL_IPO_NOP IL_IPO_RR IL_IPO_ZSU IL_IPO_MTUP IL_IPO_MTUR IL_IPO_EOL %token IL_IPO_TS IL_IPO_TR IL_IPO_SEC IL_IPO_LSRR IL_IPO_ESEC %token IL_IPO_SATID IL_IPO_SSRR IL_IPO_ADDEXT IL_IPO_VISA IL_IPO_IMITD %token IL_IPO_EIP IL_IPO_FINN IL_IPO_SECCLASS IL_IPO_CIPSO IL_IPO_ENCODE %token IL_IPS_RESERV4 IL_IPS_TOPSECRET IL_IPS_SECRET IL_IPS_RESERV3 %token IL_IPS_CONFID IL_IPS_UNCLASS IL_IPS_RESERV2 IL_IPS_RESERV1 %token IL_ICMP_ECHOREPLY IL_ICMP_UNREACH IL_ICMP_UNREACH_NET %token IL_ICMP_UNREACH_HOST IL_ICMP_UNREACH_PROTOCOL IL_ICMP_UNREACH_PORT %token IL_ICMP_UNREACH_NEEDFRAG IL_ICMP_UNREACH_SRCFAIL %token IL_ICMP_UNREACH_NET_UNKNOWN IL_ICMP_UNREACH_HOST_UNKNOWN %token IL_ICMP_UNREACH_ISOLATED IL_ICMP_UNREACH_NET_PROHIB %token IL_ICMP_UNREACH_HOST_PROHIB IL_ICMP_UNREACH_TOSNET %token IL_ICMP_UNREACH_TOSHOST IL_ICMP_UNREACH_FILTER_PROHIB %token IL_ICMP_UNREACH_HOST_PRECEDENCE IL_ICMP_UNREACH_PRECEDENCE_CUTOFF %token IL_ICMP_SOURCEQUENCH IL_ICMP_REDIRECT IL_ICMP_REDIRECT_NET %token IL_ICMP_REDIRECT_HOST 
IL_ICMP_REDIRECT_TOSNET %token IL_ICMP_REDIRECT_TOSHOST IL_ICMP_ECHO IL_ICMP_ROUTERADVERT %token IL_ICMP_ROUTERSOLICIT IL_ICMP_TIMXCEED IL_ICMP_TIMXCEED_INTRANS %token IL_ICMP_TIMXCEED_REASS IL_ICMP_PARAMPROB IL_ICMP_PARAMPROB_OPTABSENT %token IL_ICMP_TSTAMP IL_ICMP_TSTAMPREPLY IL_ICMP_IREQ IL_ICMP_IREQREPLY %token IL_ICMP_MASKREQ IL_ICMP_MASKREPLY IL_ICMP_SEQ IL_ICMP_ID %token IL_ICMP_OTIME IL_ICMP_RTIME IL_ICMP_TTIME %% file: line | line file | IL_COMMENT | IL_COMMENT file ; line: iface | arp | send | defrouter | ipline ; iface: ifhdr '{' ifaceopts '}' ';' { check_interface(); } ; ifhdr: IL_INTERFACE { new_interface(); } ; ifaceopts: ifaceopt | ifaceopt ifaceopts ; ifaceopt: IL_IFNAME token { set_ifname(&$2); } | IL_MTU number { set_ifmtu($2); } | IL_V4ADDR token { set_ifv4addr(&$2); } | IL_EADDR token { set_ifeaddr(&$2); } ; send: sendhdr '{' sendbody '}' ';' { packet_done(); } | sendhdr ';' { packet_done(); } ; sendhdr: IL_SEND { reset_send(); } ; sendbody: sendopt | sendbody sendopt ; sendopt: IL_IFNAME token { set_sendif(&$2); } | IL_VIA token { set_sendvia(&$2); } ; arp: arphdr '{' arpbody '}' ';' ; arphdr: IL_ARP { new_arp(); } ; arpbody: arpopt | arpbody arpopt ; arpopt: IL_V4ADDR token { set_arpv4addr(&$2); } | IL_EADDR token { set_arpeaddr(&$2); } ; defrouter: IL_DEFROUTER token { set_defaultrouter(&$2); } ; bodyline: ipline | tcp tcpline | udp udpline | icmp icmpline | data dataline ; ipline: ipv4 '{' ipv4body '}' ';' { end_ipv4(); } ; ipv4: IL_IPV4 { new_packet(); } ipv4body: ipv4type | ipv4type ipv4body | bodyline ; ipv4type: IL_V4PROTO token { set_ipv4proto(&$2); } | IL_V4SRC token { set_ipv4src(&$2); } | IL_V4DST token { set_ipv4dst(&$2); } | IL_V4OFF token { set_ipv4off(&$2); } | IL_V4V token { set_ipv4v(&$2); } | IL_V4HL token { set_ipv4hl(&$2); } | IL_V4ID token { set_ipv4id(&$2); } | IL_V4TTL token { set_ipv4ttl(&$2); } | IL_V4TOS token { set_ipv4tos(&$2); } | IL_V4SUM token { set_ipv4sum(&$2); } | IL_V4LEN token { set_ipv4len(&$2); } | ipv4opt 
'{' ipv4optlist '}' ';' { end_ipopt(); } ; tcp: IL_TCP { new_tcpheader(); } ; tcpline: '{' tcpheader '}' ';' { end_tcp(); } ; tcpheader: tcpbody | tcpbody tcpheader | bodyline ; tcpbody: IL_SPORT token { set_tcpsport(&$2); } | IL_DPORT token { set_tcpdport(&$2); } | IL_TCPSEQ token { set_tcpseq(&$2); } | IL_TCPACK token { set_tcpack(&$2); } | IL_TCPOFF token { set_tcpoff(&$2); } | IL_TCPURP token { set_tcpurp(&$2); } | IL_TCPWIN token { set_tcpwin(&$2); } | IL_TCPSUM token { set_tcpsum(&$2); } | IL_TCPFL token { set_tcpflags(&$2); } | IL_TCPOPT '{' tcpopts '}' ';' { end_tcpopt(); } ; tcpopts: | tcpopt tcpopts ; tcpopt: IL_TCPO_NOP ';' { set_tcpopt(IL_TCPO_NOP, NULL); } | IL_TCPO_EOL ';' { set_tcpopt(IL_TCPO_EOL, NULL); } | IL_TCPO_MSS optoken { set_tcpopt(IL_TCPO_MSS,&$2);} | IL_TCPO_WSCALE optoken { set_tcpopt(IL_TCPO_WSCALE,&$2);} | IL_TCPO_TS optoken { set_tcpopt(IL_TCPO_TS, &$2);} ; udp: IL_UDP { new_udpheader(); } ; udpline: '{' udpheader '}' ';' { end_udp(); } ; udpheader: udpbody | udpbody udpheader | bodyline ; udpbody: IL_SPORT token { set_tcpsport(&$2); } | IL_DPORT token { set_tcpdport(&$2); } | IL_UDPLEN token { set_udplen(&$2); } | IL_UDPSUM token { set_udpsum(&$2); } ; icmp: IL_ICMP { new_icmpheader(); } ; icmpline: '{' icmpbody '}' ';' { end_icmp(); } ; icmpbody: icmpheader | icmpheader bodyline ; icmpheader: IL_ICMPTYPE icmptype | IL_ICMPTYPE icmptype icmpcode ; icmpcode: IL_ICMPCODE token { set_icmpcodetok(&$2); } ; icmptype: IL_ICMP_ECHOREPLY ';' { set_icmptype(ICMP_ECHOREPLY); } | IL_ICMP_ECHOREPLY '{' icmpechoopts '}' ';' | unreach | IL_ICMP_SOURCEQUENCH ';' { set_icmptype(ICMP_SOURCEQUENCH); } | redirect | IL_ICMP_ROUTERADVERT ';' { set_icmptype(ICMP_ROUTERADVERT); } | IL_ICMP_ROUTERSOLICIT ';' { set_icmptype(ICMP_ROUTERSOLICIT); } | IL_ICMP_ECHO ';' { set_icmptype(ICMP_ECHO); } | IL_ICMP_ECHO '{' icmpechoopts '}' ';' | IL_ICMP_TIMXCEED ';' { set_icmptype(ICMP_TIMXCEED); } | IL_ICMP_TIMXCEED '{' exceed '}' ';' | IL_ICMP_TSTAMP ';' { 
set_icmptype(ICMP_TSTAMP); } | IL_ICMP_TSTAMPREPLY ';' { set_icmptype(ICMP_TSTAMPREPLY); } | IL_ICMP_TSTAMPREPLY '{' icmptsopts '}' ';' | IL_ICMP_IREQ ';' { set_icmptype(ICMP_IREQ); } | IL_ICMP_IREQREPLY ';' { set_icmptype(ICMP_IREQREPLY); } | IL_ICMP_IREQREPLY '{' data dataline '}' ';' | IL_ICMP_MASKREQ ';' { set_icmptype(ICMP_MASKREQ); } | IL_ICMP_MASKREPLY ';' { set_icmptype(ICMP_MASKREPLY); } | IL_ICMP_MASKREPLY '{' token '}' ';' | IL_ICMP_PARAMPROB ';' { set_icmptype(ICMP_PARAMPROB); } | IL_ICMP_PARAMPROB '{' paramprob '}' ';' | IL_TOKEN ';' { set_icmptypetok(&$1); } ; icmpechoopts: | icmpechoopts icmpecho ; icmpecho: IL_ICMP_SEQ number { set_icmpseq($2); } | IL_ICMP_ID number { set_icmpid($2); } ; icmptsopts: | icmptsopts icmpts ';' ; icmpts: IL_ICMP_OTIME number { set_icmpotime($2); } | IL_ICMP_RTIME number { set_icmprtime($2); } | IL_ICMP_TTIME number { set_icmpttime($2); } ; unreach: IL_ICMP_UNREACH | IL_ICMP_UNREACH '{' unreachopts '}' ';' ; unreachopts: IL_ICMP_UNREACH_NET line | IL_ICMP_UNREACH_HOST line | IL_ICMP_UNREACH_PROTOCOL line | IL_ICMP_UNREACH_PORT line | IL_ICMP_UNREACH_NEEDFRAG number ';' { set_icmpmtu($2); } | IL_ICMP_UNREACH_SRCFAIL line | IL_ICMP_UNREACH_NET_UNKNOWN line | IL_ICMP_UNREACH_HOST_UNKNOWN line | IL_ICMP_UNREACH_ISOLATED line | IL_ICMP_UNREACH_NET_PROHIB line | IL_ICMP_UNREACH_HOST_PROHIB line | IL_ICMP_UNREACH_TOSNET line | IL_ICMP_UNREACH_TOSHOST line | IL_ICMP_UNREACH_FILTER_PROHIB line | IL_ICMP_UNREACH_HOST_PRECEDENCE line | IL_ICMP_UNREACH_PRECEDENCE_CUTOFF line ; redirect: IL_ICMP_REDIRECT | IL_ICMP_REDIRECT '{' redirectopts '}' ';' ; redirectopts: | IL_ICMP_REDIRECT_NET token { set_redir(0, &$2); } | IL_ICMP_REDIRECT_HOST token { set_redir(1, &$2); } | IL_ICMP_REDIRECT_TOSNET token { set_redir(2, &$2); } | IL_ICMP_REDIRECT_TOSHOST token { set_redir(3, &$2); } ; exceed: IL_ICMP_TIMXCEED_INTRANS line | IL_ICMP_TIMXCEED_REASS line ; paramprob: IL_ICMP_PARAMPROB_OPTABSENT | IL_ICMP_PARAMPROB_OPTABSENT paraprobarg 
paraprobarg: '{' number '}' ';' { set_icmppprob($2); } ; ipv4opt: IL_V4OPT { new_ipv4opt(); } ; ipv4optlist: | ipv4opts ipv4optlist ; ipv4opts: IL_IPO_NOP ';' { add_ipopt(IL_IPO_NOP, NULL); } | IL_IPO_RR optnumber { add_ipopt(IL_IPO_RR, &$2); } | IL_IPO_ZSU ';' { add_ipopt(IL_IPO_ZSU, NULL); } | IL_IPO_MTUP ';' { add_ipopt(IL_IPO_MTUP, NULL); } | IL_IPO_MTUR ';' { add_ipopt(IL_IPO_MTUR, NULL); } | IL_IPO_ENCODE ';' { add_ipopt(IL_IPO_ENCODE, NULL); } | IL_IPO_TS ';' { add_ipopt(IL_IPO_TS, NULL); } | IL_IPO_TR ';' { add_ipopt(IL_IPO_TR, NULL); } | IL_IPO_SEC ';' { add_ipopt(IL_IPO_SEC, NULL); } | IL_IPO_SECCLASS secclass { add_ipopt(IL_IPO_SECCLASS, sclass); } | IL_IPO_LSRR token { add_ipopt(IL_IPO_LSRR,&$2); } | IL_IPO_ESEC ';' { add_ipopt(IL_IPO_ESEC, NULL); } | IL_IPO_CIPSO ';' { add_ipopt(IL_IPO_CIPSO, NULL); } | IL_IPO_SATID optnumber { add_ipopt(IL_IPO_SATID,&$2);} | IL_IPO_SSRR token { add_ipopt(IL_IPO_SSRR,&$2); } | IL_IPO_ADDEXT ';' { add_ipopt(IL_IPO_ADDEXT, NULL); } | IL_IPO_VISA ';' { add_ipopt(IL_IPO_VISA, NULL); } | IL_IPO_IMITD ';' { add_ipopt(IL_IPO_IMITD, NULL); } | IL_IPO_EIP ';' { add_ipopt(IL_IPO_EIP, NULL); } | IL_IPO_FINN ';' { add_ipopt(IL_IPO_FINN, NULL); } ; secclass: IL_IPS_RESERV4 ';' { set_secclass(&$1); } | IL_IPS_TOPSECRET ';' { set_secclass(&$1); } | IL_IPS_SECRET ';' { set_secclass(&$1); } | IL_IPS_RESERV3 ';' { set_secclass(&$1); } | IL_IPS_CONFID ';' { set_secclass(&$1); } | IL_IPS_UNCLASS ';' { set_secclass(&$1); } | IL_IPS_RESERV2 ';' { set_secclass(&$1); } | IL_IPS_RESERV1 ';' { set_secclass(&$1); } ; data: IL_DATA { new_data(); } ; dataline: '{' databody '}' ';' { end_data(); } ; databody: dataopts | dataopts databody ; dataopts: IL_DLEN token { set_datalen(&$2); } | IL_DVALUE token { set_data(&$2); } | IL_DFILE token { set_datafile(&$2); } ; token: IL_TOKEN ';' ; optoken: ';' { $$ = ""; } | token ; number: digits ';' ; optnumber: ';' { $$ = 0; } | number ; digits: IL_NUMBER | digits IL_NUMBER ; %% struct statetoopt toipopts[] = 
{ { IL_IPO_NOP, IPOPT_NOP }, { IL_IPO_RR, IPOPT_RR }, { IL_IPO_ZSU, IPOPT_ZSU }, { IL_IPO_MTUP, IPOPT_MTUP }, { IL_IPO_MTUR, IPOPT_MTUR }, { IL_IPO_ENCODE, IPOPT_ENCODE }, { IL_IPO_TS, IPOPT_TS }, { IL_IPO_TR, IPOPT_TR }, { IL_IPO_SEC, IPOPT_SECURITY }, { IL_IPO_SECCLASS, IPOPT_SECURITY }, { IL_IPO_LSRR, IPOPT_LSRR }, { IL_IPO_ESEC, IPOPT_E_SEC }, { IL_IPO_CIPSO, IPOPT_CIPSO }, { IL_IPO_SATID, IPOPT_SATID }, { IL_IPO_SSRR, IPOPT_SSRR }, { IL_IPO_ADDEXT, IPOPT_ADDEXT }, { IL_IPO_VISA, IPOPT_VISA }, { IL_IPO_IMITD, IPOPT_IMITD }, { IL_IPO_EIP, IPOPT_EIP }, { IL_IPO_FINN, IPOPT_FINN }, { 0, 0 } }; struct statetoopt tosecopts[] = { { IL_IPS_RESERV4, IPSO_CLASS_RES4 }, { IL_IPS_TOPSECRET, IPSO_CLASS_TOPS }, { IL_IPS_SECRET, IPSO_CLASS_SECR }, { IL_IPS_RESERV3, IPSO_CLASS_RES3 }, { IL_IPS_CONFID, IPSO_CLASS_CONF }, { IL_IPS_UNCLASS, IPSO_CLASS_UNCL }, { IL_IPS_RESERV2, IPSO_CLASS_RES2 }, { IL_IPS_RESERV1, IPSO_CLASS_RES1 }, { 0, 0 } }; #ifdef bsdi struct ether_addr * ether_aton(s) char *s; { static struct ether_addr n; u_int i[6]; if (sscanf(s, " %x:%x:%x:%x:%x:%x ", &i[0], &i[1], &i[2], &i[3], &i[4], &i[5]) == 6) { n.ether_addr_octet[0] = (u_char)i[0]; n.ether_addr_octet[1] = (u_char)i[1]; n.ether_addr_octet[2] = (u_char)i[2]; n.ether_addr_octet[3] = (u_char)i[3]; n.ether_addr_octet[4] = (u_char)i[4]; n.ether_addr_octet[5] = (u_char)i[5]; return &n; } return NULL; } #endif struct in_addr getipv4addr(arg) char *arg; { struct hostent *hp; struct in_addr in; in.s_addr = 0xffffffff; if ((hp = gethostbyname(arg))) bcopy(hp->h_addr, &in.s_addr, sizeof(struct in_addr)); else in.s_addr = inet_addr(arg); return in; } u_short getportnum(pr, name) char *pr, *name; { struct servent *sp; if (!(sp = getservbyname(name, pr))) return htons(atoi(name)); return sp->s_port; } struct ether_addr *geteaddr(arg, buf) char *arg; struct ether_addr *buf; { struct ether_addr *e; #if !defined(hpux) && !defined(linux) e = ether_aton(arg); if (!e) fprintf(stderr, "Invalid ethernet address: %s\n", 
arg); else # ifdef __FreeBSD__ bcopy(e->octet, buf->octet, sizeof(e->octet)); # else bcopy(e->ether_addr_octet, buf->ether_addr_octet, sizeof(e->ether_addr_octet)); # endif return e; #else return NULL; #endif } void *new_header(type) int type; { aniphdr_t *aip, *oip = canip; int sz = 0; aip = (aniphdr_t *)calloc(1, sizeof(*aip)); *aniptail = aip; aniptail = &aip->ah_next; aip->ah_p = type; aip->ah_prev = oip; canip = aip; if (type == IPPROTO_UDP) sz = sizeof(udphdr_t); else if (type == IPPROTO_TCP) sz = sizeof(tcphdr_t); else if (type == IPPROTO_ICMP) sz = sizeof(icmphdr_t); else if (type == IPPROTO_IP) sz = sizeof(ip_t); if (oip) canip->ah_data = oip->ah_data + oip->ah_len; else canip->ah_data = (char *)ipbuffer; /* * Increase the size fields in all wrapping headers. */ for (aip = aniphead; aip; aip = aip->ah_next) { aip->ah_len += sz; if (aip->ah_p == IPPROTO_IP) aip->ah_ip->ip_len += sz; else if (aip->ah_p == IPPROTO_UDP) aip->ah_udp->uh_ulen += sz; } return (void *)canip->ah_data; } void free_aniplist() { aniphdr_t *aip, **aipp = &aniphead; while ((aip = *aipp)) { *aipp = aip->ah_next; free(aip); } aniptail = &aniphead; } void inc_anipheaders(inc) int inc; { aniphdr_t *aip; for (aip = aniphead; aip; aip = aip->ah_next) { aip->ah_len += inc; if (aip->ah_p == IPPROTO_IP) aip->ah_ip->ip_len += inc; else if (aip->ah_p == IPPROTO_UDP) aip->ah_udp->uh_ulen += inc; } } void new_data() { (void) new_header(-1); canip->ah_len = 0; } void set_datalen(arg) char **arg; { int len; len = strtol(*arg, NULL, 0); inc_anipheaders(len); free(*arg); *arg = NULL; } void set_data(arg) char **arg; { u_char *s = (u_char *)*arg, *t = (u_char *)canip->ah_data, c; int len = 0, todo = 0, quote = 0, val = 0; while ((c = *s++)) { if (todo) { if (ISDIGIT(c)) { todo--; if (c > '7') { fprintf(stderr, "octal with %c!\n", c); break; } val <<= 3; val |= (c - '0'); } if (!ISDIGIT(c) || !todo) { *t++ = (u_char)(val & 0xff); todo = 0; } if (todo) continue; } if (quote) { if (ISDIGIT(c)) { todo = 2; 
if (c > '7') { fprintf(stderr, "octal with %c!\n", c); break; } val = (c - '0'); } else { switch (c) { case '\"' : *t++ = '\"'; break; case '\\' : *t++ = '\\'; break; case 'n' : *t++ = '\n'; break; case 'r' : *t++ = '\r'; break; case 't' : *t++ = '\t'; break; } } quote = 0; continue; } if (c == '\\') quote = 1; else *t++ = c; } if (todo) *t++ = (u_char)(val & 0xff); if (quote) *t++ = '\\'; len = t - (u_char *)canip->ah_data; inc_anipheaders(len - canip->ah_len); canip->ah_len = len; } void set_datafile(arg) char **arg; { struct stat sb; char *file = *arg; int fd, len; if ((fd = open(file, O_RDONLY)) == -1) { perror("open"); exit(-1); } if (fstat(fd, &sb) == -1) { perror("fstat"); exit(-1); } if ((sb.st_size + aniphead->ah_len ) > 65535) { fprintf(stderr, "data file %s too big to include.\n", file); close(fd); return; } if ((len = read(fd, canip->ah_data, sb.st_size)) == -1) { perror("read"); close(fd); return; } inc_anipheaders(len); canip->ah_len += len; close(fd); } void new_packet() { static u_short id = 0; if (!aniphead) bzero((char *)ipbuffer, sizeof(ipbuffer)); ip = (ip_t *)new_header(IPPROTO_IP); ip->ip_v = IPVERSION; ip->ip_hl = sizeof(ip_t) >> 2; ip->ip_len = sizeof(ip_t); ip->ip_ttl = 63; ip->ip_id = htons(id++); } void set_ipv4proto(arg) char **arg; { struct protoent *pr; if ((pr = getprotobyname(*arg))) ip->ip_p = pr->p_proto; else if (!(ip->ip_p = atoi(*arg))) fprintf(stderr, "unknown protocol %s\n", *arg); free(*arg); *arg = NULL; } void set_ipv4src(arg) char **arg; { ip->ip_src = getipv4addr(*arg); free(*arg); *arg = NULL; } void set_ipv4dst(arg) char **arg; { ip->ip_dst = getipv4addr(*arg); free(*arg); *arg = NULL; } void set_ipv4off(arg) char **arg; { ip->ip_off = htons(strtol(*arg, NULL, 0)); free(*arg); *arg = NULL; } void set_ipv4v(arg) char **arg; { ip->ip_v = strtol(*arg, NULL, 0); free(*arg); *arg = NULL; } void set_ipv4hl(arg) char **arg; { int newhl, inc; newhl = strtol(*arg, NULL, 0); inc = (newhl - ip->ip_hl) << 2; ip->ip_len += inc; 
ip->ip_hl = newhl; canip->ah_len += inc; free(*arg); *arg = NULL; } void set_ipv4ttl(arg) char **arg; { ip->ip_ttl = strtol(*arg, NULL, 0); free(*arg); *arg = NULL; } void set_ipv4tos(arg) char **arg; { ip->ip_tos = strtol(*arg, NULL, 0); free(*arg); *arg = NULL; } void set_ipv4id(arg) char **arg; { ip->ip_id = htons(strtol(*arg, NULL, 0)); free(*arg); *arg = NULL; } void set_ipv4sum(arg) char **arg; { ip->ip_sum = strtol(*arg, NULL, 0); free(*arg); *arg = NULL; } void set_ipv4len(arg) char **arg; { int len; len = strtol(*arg, NULL, 0); inc_anipheaders(len - ip->ip_len); ip->ip_len = len; free(*arg); *arg = NULL; } void new_tcpheader() { if ((ip->ip_p) && (ip->ip_p != IPPROTO_TCP)) { fprintf(stderr, "protocol %d specified with TCP!\n", ip->ip_p); return; } ip->ip_p = IPPROTO_TCP; tcp = (tcphdr_t *)new_header(IPPROTO_TCP); tcp->th_win = htons(4096); tcp->th_off = sizeof(*tcp) >> 2; } void set_tcpsport(arg) char **arg; { u_short *port; char *pr; if (ip->ip_p == IPPROTO_UDP) { port = &udp->uh_sport; pr = "udp"; } else { port = &tcp->th_sport; pr = "udp"; } *port = getportnum(pr, *arg); free(*arg); *arg = NULL; } void set_tcpdport(arg) char **arg; { u_short *port; char *pr; if (ip->ip_p == IPPROTO_UDP) { port = &udp->uh_dport; pr = "udp"; } else { port = &tcp->th_dport; pr = "udp"; } *port = getportnum(pr, *arg); free(*arg); *arg = NULL; } void set_tcpseq(arg) char **arg; { tcp->th_seq = htonl(strtol(*arg, NULL, 0)); free(*arg); *arg = NULL; } void set_tcpack(arg) char **arg; { tcp->th_ack = htonl(strtol(*arg, NULL, 0)); free(*arg); *arg = NULL; } void set_tcpoff(arg) char **arg; { int off; off = strtol(*arg, NULL, 0); inc_anipheaders((off - tcp->th_off) << 2); tcp->th_off = off; free(*arg); *arg = NULL; } void set_tcpurp(arg) char **arg; { tcp->th_urp = htons(strtol(*arg, NULL, 0)); free(*arg); *arg = NULL; } void set_tcpwin(arg) char **arg; { tcp->th_win = htons(strtol(*arg, NULL, 0)); free(*arg); *arg = NULL; } void set_tcpsum(arg) char **arg; { tcp->th_sum = 
strtol(*arg, NULL, 0); free(*arg); *arg = NULL; } void set_tcpflags(arg) char **arg; { static char flags[] = "ASURPF"; static int flagv[] = { TH_ACK, TH_SYN, TH_URG, TH_RST, TH_PUSH, TH_FIN } ; char *s, *t; for (s = *arg; *s; s++) if (!(t = strchr(flags, *s))) { if (s - *arg) { fprintf(stderr, "unknown TCP flag %c\n", *s); break; } tcp->th_flags = strtol(*arg, NULL, 0); break; } else tcp->th_flags |= flagv[t - flags]; free(*arg); *arg = NULL; } void set_tcpopt(state, arg) int state; char **arg; { u_char *s; int val, len, val2, pad, optval; if (arg && *arg) val = atoi(*arg); else val = 0; s = (u_char *)tcp + sizeof(*tcp) + canip->ah_optlen; switch (state) { case IL_TCPO_EOL : optval = 0; len = 1; break; case IL_TCPO_NOP : optval = 1; len = 1; break; case IL_TCPO_MSS : optval = 2; len = 4; break; case IL_TCPO_WSCALE : optval = 3; len = 3; break; case IL_TCPO_TS : optval = 8; len = 10; break; default : optval = 0; len = 0; break; } if (len > 1) { /* * prepend padding - if required. */ if (len & 3) for (pad = 4 - (len & 3); pad; pad--) { *s++ = 1; canip->ah_optlen++; } /* * build tcp option */ *s++ = (u_char)optval; *s++ = (u_char)len; if (len > 2) { if (len == 3) { /* 1 byte - char */ *s++ = (u_char)val; } else if (len == 4) { /* 2 bytes - short */ *s++ = (u_char)((val >> 8) & 0xff); *s++ = (u_char)(val & 0xff); } else if (len >= 6) { /* 4 bytes - long */ val2 = htonl(val); bcopy((char *)&val2, s, 4); } s += (len - 2); } } else *s++ = (u_char)optval; canip->ah_lastopt = optval; canip->ah_optlen += len; if (arg && *arg) { free(*arg); *arg = NULL; } } void end_tcpopt() { int pad; char *s = (char *)tcp; s += sizeof(*tcp) + canip->ah_optlen; /* * pad out so that we have a multiple of 4 bytes in size fo the * options. make sure last byte is EOL. 
*/ if (canip->ah_optlen & 3) { if (canip->ah_lastopt != 1) { for (pad = 3 - (canip->ah_optlen & 3); pad; pad--) { *s++ = 1; canip->ah_optlen++; } canip->ah_optlen++; } else { s -= 1; for (pad = 3 - (canip->ah_optlen & 3); pad; pad--) { *s++ = 1; canip->ah_optlen++; } } *s++ = 0; } tcp->th_off = (sizeof(*tcp) + canip->ah_optlen) >> 2; inc_anipheaders(canip->ah_optlen); } void new_udpheader() { if ((ip->ip_p) && (ip->ip_p != IPPROTO_UDP)) { fprintf(stderr, "protocol %d specified with UDP!\n", ip->ip_p); return; } ip->ip_p = IPPROTO_UDP; udp = (udphdr_t *)new_header(IPPROTO_UDP); udp->uh_ulen = sizeof(*udp); } void set_udplen(arg) char **arg; { int len; len = strtol(*arg, NULL, 0); inc_anipheaders(len - udp->uh_ulen); udp->uh_ulen = len; free(*arg); *arg = NULL; } void set_udpsum(arg) char **arg; { udp->uh_sum = strtol(*arg, NULL, 0); free(*arg); *arg = NULL; } void prep_packet() { iface_t *ifp; struct in_addr gwip; ifp = sending.snd_if; if (!ifp) { fprintf(stderr, "no interface defined for sending!\n"); return; } if (ifp->if_fd == -1) ifp->if_fd = initdevice(ifp->if_name, 5); gwip = sending.snd_gw; - if (!gwip.s_addr) + if (!gwip.s_addr) { + if (aniphead == NULL) { + fprintf(stderr, + "no destination address defined for sending\n"); + return; + } gwip = aniphead->ah_ip->ip_dst; + } (void) send_ip(ifp->if_fd, ifp->if_MTU, (ip_t *)ipbuffer, gwip, 2); } void packet_done() { char outline[80]; int i, j, k; u_char *s = (u_char *)ipbuffer, *t = (u_char *)outline; if (opts & OPT_VERBOSE) { ip->ip_len = htons(ip->ip_len); for (i = ntohs(ip->ip_len), j = 0; i; i--, j++, s++) { if (j && !(j & 0xf)) { *t++ = '\n'; *t = '\0'; fputs(outline, stdout); fflush(stdout); t = (u_char *)outline; *t = '\0'; } sprintf((char *)t, "%02x", *s & 0xff); t += 2; if (!((j + 1) & 0xf)) { s -= 15; sprintf((char *)t, " "); t += 8; for (k = 16; k; k--, s++) *t++ = (ISPRINT(*s) ? 
*s : '.'); s--; } if ((j + 1) & 0xf) *t++ = ' ';; } if (j & 0xf) { for (k = 16 - (j & 0xf); k; k--) { *t++ = ' '; *t++ = ' '; *t++ = ' '; } sprintf((char *)t, " "); t += 7; s -= j & 0xf; for (k = j & 0xf; k; k--, s++) *t++ = (ISPRINT(*s) ? *s : '.'); *t++ = '\n'; *t = '\0'; } fputs(outline, stdout); fflush(stdout); ip->ip_len = ntohs(ip->ip_len); } prep_packet(); free_aniplist(); } void new_interface() { cifp = (iface_t *)calloc(1, sizeof(iface_t)); *iftail = cifp; iftail = &cifp->if_next; cifp->if_fd = -1; } void check_interface() { if (!cifp->if_name || !*cifp->if_name) fprintf(stderr, "No interface name given!\n"); if (!cifp->if_MTU || !*cifp->if_name) fprintf(stderr, "Interface %s has an MTU of 0!\n", cifp->if_name); } void set_ifname(arg) char **arg; { cifp->if_name = *arg; *arg = NULL; } void set_ifmtu(arg) int arg; { cifp->if_MTU = arg; } void set_ifv4addr(arg) char **arg; { cifp->if_addr = getipv4addr(*arg); free(*arg); *arg = NULL; } void set_ifeaddr(arg) char **arg; { (void) geteaddr(*arg, &cifp->if_eaddr); free(*arg); *arg = NULL; } void new_arp() { carp = (arp_t *)calloc(1, sizeof(arp_t)); *arptail = carp; arptail = &carp->arp_next; } void set_arpeaddr(arg) char **arg; { (void) geteaddr(*arg, &carp->arp_eaddr); free(*arg); *arg = NULL; } void set_arpv4addr(arg) char **arg; { carp->arp_addr = getipv4addr(*arg); free(*arg); *arg = NULL; } int arp_getipv4(ip, addr) char *ip; char *addr; { arp_t *a; for (a = arplist; a; a = a->arp_next) if (!bcmp(ip, (char *)&a->arp_addr, 4)) { bcopy((char *)&a->arp_eaddr, addr, 6); return 0; } return -1; } void reset_send() { sending.snd_if = iflist; sending.snd_gw = defrouter; } void set_sendif(arg) char **arg; { iface_t *ifp; for (ifp = iflist; ifp; ifp = ifp->if_next) if (ifp->if_name && !strcmp(ifp->if_name, *arg)) break; sending.snd_if = ifp; if (!ifp) fprintf(stderr, "couldn't find interface %s\n", *arg); free(*arg); *arg = NULL; } void set_sendvia(arg) char **arg; { sending.snd_gw = getipv4addr(*arg); free(*arg); 
*arg = NULL; } void set_defaultrouter(arg) char **arg; { defrouter = getipv4addr(*arg); free(*arg); *arg = NULL; } void new_icmpheader() { if ((ip->ip_p) && (ip->ip_p != IPPROTO_ICMP)) { fprintf(stderr, "protocol %d specified with ICMP!\n", ip->ip_p); return; } ip->ip_p = IPPROTO_ICMP; icmp = (icmphdr_t *)new_header(IPPROTO_ICMP); } void set_icmpcode(code) int code; { icmp->icmp_code = code; } void set_icmptype(type) int type; { icmp->icmp_type = type; } void set_icmpcodetok(code) char **code; { char *s; int i; for (i = 0; (s = icmpcodes[i]); i++) if (!strcmp(s, *code)) { icmp->icmp_code = i; break; } if (!s) fprintf(stderr, "unknown ICMP code %s\n", *code); free(*code); *code = NULL; } void set_icmptypetok(type) char **type; { char *s; int i, done = 0; for (i = 0; !(s = icmptypes[i]) || strcmp(s, "END"); i++) if (s && !strcmp(s, *type)) { icmp->icmp_type = i; done = 1; break; } if (!done) fprintf(stderr, "unknown ICMP type %s\n", *type); free(*type); *type = NULL; } void set_icmpid(arg) int arg; { icmp->icmp_id = htons(arg); } void set_icmpseq(arg) int arg; { icmp->icmp_seq = htons(arg); } void set_icmpotime(arg) int arg; { icmp->icmp_otime = htonl(arg); } void set_icmprtime(arg) int arg; { icmp->icmp_rtime = htonl(arg); } void set_icmpttime(arg) int arg; { icmp->icmp_ttime = htonl(arg); } void set_icmpmtu(arg) int arg; { #if BSD >= 199306 icmp->icmp_nextmtu = htons(arg); #endif } void set_redir(redir, arg) int redir; char **arg; { icmp->icmp_code = redir; icmp->icmp_gwaddr = getipv4addr(*arg); free(*arg); *arg = NULL; } void set_icmppprob(num) int num; { icmp->icmp_pptr = num; } void new_ipv4opt() { new_header(-2); } void add_ipopt(state, ptr) int state; void *ptr; { struct ipopt_names *io; struct statetoopt *sto; char numbuf[16], *arg, **param = ptr; int inc, hlen; if (state == IL_IPO_RR || state == IL_IPO_SATID) { if (param) sprintf(numbuf, "%d", *(int *)param); else strcpy(numbuf, "0"); arg = numbuf; } else arg = param ? 
*param : NULL; if (canip->ah_next) { fprintf(stderr, "cannot specify options after data body\n"); return; } for (sto = toipopts; sto->sto_st; sto++) if (sto->sto_st == state) break; if (!sto || !sto->sto_st) { fprintf(stderr, "No mapping for state %d to IP option\n", state); return; } hlen = sizeof(ip_t) + canip->ah_optlen; for (io = ionames; io->on_name; io++) if (io->on_value == sto->sto_op) break; canip->ah_lastopt = io->on_value; if (io->on_name) { inc = addipopt((char *)ip + hlen, io, hlen - sizeof(ip_t),arg); if (inc > 0) { while (inc & 3) { ((char *)ip)[sizeof(*ip) + inc] = IPOPT_NOP; canip->ah_lastopt = IPOPT_NOP; inc++; } hlen += inc; } } canip->ah_optlen = hlen - sizeof(ip_t); if (state != IL_IPO_RR && state != IL_IPO_SATID) if (param && *param) { free(*param); *param = NULL; } sclass = NULL; } void end_ipopt() { int pad; char *s, *buf = (char *)ip; /* * pad out so that we have a multiple of 4 bytes in size fo the * options. make sure last byte is EOL. */ if (canip->ah_lastopt == IPOPT_NOP) { buf[sizeof(*ip) + canip->ah_optlen - 1] = IPOPT_EOL; } else if (canip->ah_lastopt != IPOPT_EOL) { s = buf + sizeof(*ip) + canip->ah_optlen; for (pad = 3 - (canip->ah_optlen & 3); pad; pad--) { *s++ = IPOPT_NOP; *s = IPOPT_EOL; canip->ah_optlen++; } canip->ah_optlen++; } else { s = buf + sizeof(*ip) + canip->ah_optlen - 1; for (pad = 3 - (canip->ah_optlen & 3); pad; pad--) { *s++ = IPOPT_NOP; *s = IPOPT_EOL; canip->ah_optlen++; } } ip->ip_hl = (sizeof(*ip) + canip->ah_optlen) >> 2; inc_anipheaders(canip->ah_optlen); free_anipheader(); } void set_secclass(arg) char **arg; { sclass = *arg; *arg = NULL; } void free_anipheader() { aniphdr_t *aip; aip = canip; if ((canip = aip->ah_prev)) { canip->ah_next = NULL; aniptail = &canip->ah_next; } if (canip) free(aip); } void end_ipv4() { aniphdr_t *aip; ip->ip_sum = 0; ip->ip_len = htons(ip->ip_len); ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2); ip->ip_len = ntohs(ip->ip_len); free_anipheader(); for (aip = aniphead, ip = 
NULL; aip; aip = aip->ah_next) if (aip->ah_p == IPPROTO_IP) ip = aip->ah_ip; } void end_icmp() { aniphdr_t *aip; icmp->icmp_cksum = 0; icmp->icmp_cksum = chksum((u_short *)icmp, canip->ah_len); free_anipheader(); for (aip = aniphead, icmp = NULL; aip; aip = aip->ah_next) if (aip->ah_p == IPPROTO_ICMP) icmp = aip->ah_icmp; } void end_udp() { u_long sum; aniphdr_t *aip; ip_t iptmp; bzero((char *)&iptmp, sizeof(iptmp)); iptmp.ip_p = ip->ip_p; iptmp.ip_src = ip->ip_src; iptmp.ip_dst = ip->ip_dst; iptmp.ip_len = htons(ip->ip_len - (ip->ip_hl << 2)); sum = p_chksum((u_short *)&iptmp, (u_int)sizeof(iptmp)); udp->uh_ulen = htons(udp->uh_ulen); udp->uh_sum = c_chksum((u_short *)udp, (u_int)ntohs(iptmp.ip_len), sum); free_anipheader(); for (aip = aniphead, udp = NULL; aip; aip = aip->ah_next) if (aip->ah_p == IPPROTO_UDP) udp = aip->ah_udp; } void end_tcp() { u_long sum; aniphdr_t *aip; ip_t iptmp; bzero((char *)&iptmp, sizeof(iptmp)); iptmp.ip_p = ip->ip_p; iptmp.ip_src = ip->ip_src; iptmp.ip_dst = ip->ip_dst; iptmp.ip_len = htons(ip->ip_len - (ip->ip_hl << 2)); sum = p_chksum((u_short *)&iptmp, (u_int)sizeof(iptmp)); tcp->th_sum = 0; tcp->th_sum = c_chksum((u_short *)tcp, (u_int)ntohs(iptmp.ip_len), sum); free_anipheader(); for (aip = aniphead, tcp = NULL; aip; aip = aip->ah_next) if (aip->ah_p == IPPROTO_TCP) tcp = aip->ah_tcp; } void end_data() { free_anipheader(); } void iplang(fp) FILE *fp; { yyin = fp; yydebug = (opts & OPT_DEBUG) ? 1 : 0; while (!feof(fp)) yyparse(); } u_short c_chksum(buf, len, init) u_short *buf; u_int len; u_long init; { u_long sum = init; int nwords = len >> 1; for(; nwords > 0; nwords--) sum += *buf++; sum = (sum>>16) + (sum & 0xffff); sum += (sum >>16); return (~sum); } u_long p_chksum(buf,len) u_short *buf; u_int len; { u_long sum = 0; int nwords = len >> 1; for(; nwords > 0; nwords--) sum += *buf++; return sum; } diff --git a/contrib/ipfilter/ipmon.h b/contrib/ipfilter/ipmon.h index a2408367e729..765a6469540f 100644 
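Review bot: The new `aniphead == NULL` check in prep_packet() sits inside `if (!gwip.s_addr)`, so it only protects the path where no gateway is set. When `via` or a default router supplies a gateway, a `send` with no packet defined still reaches `send_ip()` with whatever is left in `ipbuffer`. Moving the test to the top of the function would cover both paths, for example `if (aniphead == NULL) { fprintf(stderr, "no packet defined for sending\n"); return; }`. Separately, packet_done() reads `ip->ip_len` under OPT_VERBOSE before it calls prep_packet(), and `ip` is initialised to NULL, so a leading `send;` in verbose mode looks able to fault there before the new guard is reached. A matching check at the top of packet_done() is worth adding.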
--- a/contrib/ipfilter/ipmon.h
+++ b/contrib/ipfilter/ipmon.h
@@ -1,96 +1,94 @@ -/* $NetBSD$ */ - /* * Copyright (C) 1993-2001 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 - * Id: ipmon.h,v 2.8 2003/07/25 22:16:20 darrenr Exp + * $Id: ipmon.h,v 2.8 2003/07/25 22:16:20 darrenr Exp $ */ typedef struct ipmon_action { struct ipmon_action *ac_next; int ac_mflag; /* collection of things to compare */ int ac_dflag; /* flags to compliment the doing fields */ int ac_syslog; /* = 1 to syslog rules. */ char *ac_savefile; /* filename to save log records to */ FILE *ac_savefp; int ac_direction; char ac_group[FR_GROUPLEN]; char ac_nattag[16]; u_32_t ac_logtag; int ac_type; /* nat/state/ipf */ int ac_proto; int ac_rule; int ac_packet; int ac_second; int ac_result; u_32_t ac_sip; u_32_t ac_smsk; u_32_t ac_dip; u_32_t ac_dmsk; u_short ac_sport; u_short ac_dport; char *ac_exec; /* execute argument */ char *ac_run; /* actual command that gets run */ char *ac_iface; /* * used with ac_packet/ac_second */ struct timeval ac_last; int ac_pktcnt; } ipmon_action_t; #define ac_lastsec ac_last.tv_sec #define ac_lastusec ac_last.tv_usec /* * Flags indicating what fields to do matching upon (ac_mflag). 
*/ #define IPMAC_DIRECTION 0x0001 #define IPMAC_DSTIP 0x0002 #define IPMAC_DSTPORT 0x0004 #define IPMAC_EVERY 0x0008 #define IPMAC_GROUP 0x0010 #define IPMAC_INTERFACE 0x0020 #define IPMAC_LOGTAG 0x0040 #define IPMAC_NATTAG 0x0080 #define IPMAC_PROTOCOL 0x0100 #define IPMAC_RESULT 0x0200 #define IPMAC_RULE 0x0400 #define IPMAC_SRCIP 0x0800 #define IPMAC_SRCPORT 0x1000 #define IPMAC_TYPE 0x2000 #define IPMAC_WITH 0x4000 #define IPMR_BLOCK 1 #define IPMR_PASS 2 #define IPMR_NOMATCH 3 #define IPMR_LOG 4 #define IPMDO_SAVERAW 0x0001 #define OPT_SYSLOG 0x001 #define OPT_RESOLVE 0x002 #define OPT_HEXBODY 0x004 #define OPT_VERBOSE 0x008 #define OPT_HEXHDR 0x010 #define OPT_TAIL 0x020 #define OPT_NAT 0x080 #define OPT_STATE 0x100 #define OPT_FILTER 0x200 #define OPT_PORTNUM 0x400 #define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER) #define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b)) #ifndef LOGFAC #define LOGFAC LOG_LOCAL0 #endif extern int load_config __P((char *)); extern void dumphex __P((FILE *, int, char *, int)); extern int check_action __P((char *, char *, int, int)); extern char *getword __P((int)); diff --git a/contrib/ipfilter/ipsd/Celler/ip_compat.h b/contrib/ipfilter/ipsd/Celler/ip_compat.h index 8b43cb94adf7..a911fd83c3f3 100644 --- a/contrib/ipfilter/ipsd/Celler/ip_compat.h +++ b/contrib/ipfilter/ipsd/Celler/ip_compat.h 
@@ -1,203 +1,201 @@ -/* $NetBSD$ */ - /* * (C)opyright 1995 by Darren Reed. * * This code may be freely distributed as long as it retains this notice * and is not changed in any way. The author accepts no responsibility * for the use of this software. I hate legaleese, don't you ? * * @(#)ip_compat.h 1.1 9/14/95 */ /* * These #ifdef's are here mainly for linux, but who knows, they may * not be in other places or maybe one day linux will grow up and some * of these will turn up there too. */ #ifndef ICMP_UNREACH # define ICMP_UNREACH ICMP_DEST_UNREACH #endif #ifndef ICMP_SOURCEQUENCH # define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH #endif #ifndef ICMP_TIMXCEED # define ICMP_TIMXCEED ICMP_TIME_EXCEEDED #endif #ifndef ICMP_PARAMPROB # define ICMP_PARAMPROB ICMP_PARAMETERPROB #endif #ifndef IPVERSION # define IPVERSION 4 #endif #ifndef IPOPT_MINOFF # define IPOPT_MINOFF 4 #endif #ifndef IPOPT_COPIED # define IPOPT_COPIED(x) ((x)&0x80) #endif #ifndef IPOPT_EOL # define IPOPT_EOL 0 #endif #ifndef IPOPT_NOP # define IPOPT_NOP 1 #endif #ifndef IP_MF # define IP_MF ((u_short)0x2000) #endif #ifndef ETHERTYPE_IP # define ETHERTYPE_IP ((u_short)0x0800) #endif #ifndef TH_FIN # define TH_FIN 0x01 #endif #ifndef TH_SYN # define TH_SYN 0x02 #endif #ifndef TH_RST # define TH_RST 0x04 #endif #ifndef TH_PUSH # define TH_PUSH 0x08 #endif #ifndef TH_ACK # define TH_ACK 0x10 #endif #ifndef TH_URG # define TH_URG 0x20 #endif #ifndef IPOPT_EOL # define IPOPT_EOL 0 #endif #ifndef IPOPT_NOP # define IPOPT_NOP 1 #endif #ifndef IPOPT_RR # define IPOPT_RR 7 #endif #ifndef IPOPT_TS # define IPOPT_TS 68 #endif #ifndef IPOPT_SECURITY # define IPOPT_SECURITY 130 #endif #ifndef IPOPT_LSRR # define IPOPT_LSRR 131 #endif #ifndef IPOPT_SATID # define IPOPT_SATID 136 #endif #ifndef IPOPT_SSRR # define IPOPT_SSRR 137 #endif #ifndef IPOPT_SECUR_UNCLASS # define IPOPT_SECUR_UNCLASS ((u_short)0x0000) #endif #ifndef IPOPT_SECUR_CONFID # define IPOPT_SECUR_CONFID ((u_short)0xf135) #endif #ifndef 
IPOPT_SECUR_EFTO # define IPOPT_SECUR_EFTO ((u_short)0x789a) #endif #ifndef IPOPT_SECUR_MMMM # define IPOPT_SECUR_MMMM ((u_short)0xbc4d) #endif #ifndef IPOPT_SECUR_RESTR # define IPOPT_SECUR_RESTR ((u_short)0xaf13) #endif #ifndef IPOPT_SECUR_SECRET # define IPOPT_SECUR_SECRET ((u_short)0xd788) #endif #ifndef IPOPT_SECUR_TOPSECRET # define IPOPT_SECUR_TOPSECRET ((u_short)0x6bc5) #endif #ifdef linux # define icmp icmphdr # define icmp_type type # define icmp_code code /* * From /usr/include/netinet/ip_var.h * !%@#!$@# linux... */ struct ipovly { caddr_t ih_next, ih_prev; /* for protocol sequence q's */ u_char ih_x1; /* (unused) */ u_char ih_pr; /* protocol */ short ih_len; /* protocol length */ struct in_addr ih_src; /* source internet address */ struct in_addr ih_dst; /* destination internet address */ }; typedef struct { __u16 th_sport; __u16 th_dport; __u32 th_seq; __u32 th_ack; # if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\ defined(vax) __u8 th_res:4; __u8 th_off:4; #else __u8 th_off:4; __u8 th_res:4; #endif __u8 th_flags; __u16 th_win; __u16 th_sum; __u16 th_urp; } tcphdr_t; typedef struct { __u16 uh_sport; __u16 uh_dport; __s16 uh_ulen; __u16 uh_sum; } udphdr_t; typedef struct { # if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\ defined(vax) __u8 ip_hl:4; __u8 ip_v:4; # else __u8 ip_hl:4; __u8 ip_v:4; # endif __u8 ip_tos; __u16 ip_len; __u16 ip_id; __u16 ip_off; __u8 ip_ttl; __u8 ip_p; __u16 ip_sum; struct in_addr ip_src; struct in_addr ip_dst; } ip_t; typedef struct { __u8 ether_dhost[6]; __u8 ether_shost[6]; __u16 ether_type; } ether_header_t; # define bcopy(a,b,c) memmove(b,a,c) # define bcmp(a,b,c) memcmp(a,b,c) # define ifnet device #else typedef struct udphdr udphdr_t; typedef struct tcphdr tcphdr_t; typedef struct ip ip_t; typedef struct ether_header ether_header_t; #endif #ifdef solaris # define bcopy(a,b,c) memmove(b,a,c) # define bcmp(a,b,c) memcmp(a,b,c) # define bzero(a,b) memset(a,0,b) #endif 
diff --git a/contrib/ipfilter/ipsd/ipsd.c b/contrib/ipfilter/ipsd/ipsd.c
index 3d9ea4cdf568..51d0a148902f 100644
--- a/contrib/ipfilter/ipsd/ipsd.c
+++ b/contrib/ipfilter/ipsd/ipsd.c
@@ -1,296 +1,294 @@ -/* $NetBSD$ */ - /* * (C)opyright 1995-1998 Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef linux #include #include #endif #include "ip_compat.h" #ifdef linux #include #include "tcpip.h" #endif #include "ipsd.h" #ifndef lint static const char sccsid[] = "@(#)ipsd.c 1.3 12/3/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)Id: ipsd.c,v 2.2 2001/06/09 17:09:25 darrenr Exp"; +static const char rcsid[] = "@(#)$Id: ipsd.c,v 2.2 2001/06/09 17:09:25 darrenr Exp $"; #endif extern char *optarg; extern int optind; #ifdef linux char default_device[] = "eth0"; #else # ifdef sun char default_device[] = "le0"; # else # ifdef ultrix char default_device[] = "ln0"; # else char default_device[] = "lan0"; # endif # endif #endif #define NPORTS 21 u_short defports[NPORTS] = { 7, 9, 20, 21, 23, 25, 53, 69, 79, 111, 123, 161, 162, 512, 513, 514, 515, 520, 540, 6000, 0 }; ipsd_t *iphits[NPORTS]; int writes = 0; int ipcmp(sh1, sh2) sdhit_t *sh1, *sh2; { return sh1->sh_ip.s_addr - sh2->sh_ip.s_addr; } /* * Check to see if we've already received a packet from this host for this * port. */ int findhit(ihp, src, dport) ipsd_t *ihp; struct in_addr src; u_short dport; { int i, j, k; sdhit_t *sh; sh = NULL; if (ihp->sd_sz == 4) { for (i = 0, sh = ihp->sd_hit; i < ihp->sd_cnt; i++, sh++) if (src.s_addr == sh->sh_ip.s_addr) return 1; } else { for (i = ihp->sd_cnt / 2, j = (i / 2) - 1; j >= 0; j--) { k = ihp->sd_hit[i].sh_ip.s_addr - src.s_addr; if (!k) return 1; else if (k < 0) i -= j; else i += j; } } return 0; } /* * Search for port number amongst the sorted array of targets we're * interested in. 
*/ int detect(ip, tcp) ip_t *ip; tcphdr_t *tcp; { ipsd_t *ihp; sdhit_t *sh; int i, j, k; for (i = 10, j = 4; j >= 0; j--) { k = tcp->th_dport - defports[i]; if (!k) { ihp = iphits[i]; if (findhit(ihp, ip->ip_src, tcp->th_dport)) return 0; sh = ihp->sd_hit + ihp->sd_cnt; sh->sh_date = time(NULL); sh->sh_ip.s_addr = ip->ip_src.s_addr; if (++ihp->sd_cnt == ihp->sd_sz) { ihp->sd_sz += 8; sh = realloc(sh, ihp->sd_sz * sizeof(*sh)); ihp->sd_hit = sh; } qsort(sh, ihp->sd_cnt, sizeof(*sh), ipcmp); return 0; } if (k < 0) i -= j; else i += j; } return -1; } /* * Allocate initial storage for hosts */ setuphits() { int i; for (i = 0; i < NPORTS; i++) { if (iphits[i]) { if (iphits[i]->sd_hit) free(iphits[i]->sd_hit); free(iphits[i]); } iphits[i] = (ipsd_t *)malloc(sizeof(ipsd_t)); iphits[i]->sd_port = defports[i]; iphits[i]->sd_cnt = 0; iphits[i]->sd_sz = 4; iphits[i]->sd_hit = (sdhit_t *)malloc(sizeof(sdhit_t) * 4); } } /* * cleanup exits */ waiter() { wait(0); } /* * Write statistics out to a file */ writestats(nwrites) int nwrites; { ipsd_t **ipsd, *ips; char fname[32]; int i, fd; (void) sprintf(fname, "/var/log/ipsd/ipsd-hits.%d", nwrites); fd = open(fname, O_RDWR|O_CREAT|O_TRUNC|O_EXCL, 0644); for (i = 0, ipsd = iphits; i < NPORTS; i++, ipsd++) { ips = *ipsd; if (ips->sd_cnt) { write(fd, ips, sizeof(ipsd_t)); write(fd, ips->sd_hit, sizeof(sdhit_t) * ips->sd_sz); } } (void) close(fd); exit(0); } void writenow() { signal(SIGCHLD, waiter); switch (fork()) { case 0 : writestats(writes); exit(0); case -1 : perror("vfork"); break; default : writes++; setuphits(); break; } } void usage(prog) char *prog; { fprintf(stderr, "Usage: %s [-d device]\n", prog); exit(1); } void detecthits(fd, writecount) int fd, writecount; { struct in_addr ip; int hits = 0; while (1) { hits += readloop(fd, ip); if (hits > writecount) { writenow(); hits = 0; } } } main(argc, argv) int argc; char *argv[]; { char *name = argv[0], *dev = NULL; int fd, writeafter = 10000, angelic = 0, c; while ((c = 
getopt(argc, argv, "ad:n:")) != -1) switch (c) { case 'a' : angelic = 1; break; case 'd' : dev = optarg; break; case 'n' : writeafter = atoi(optarg); break; default : fprintf(stderr, "Unknown option \"%c\"\n", c); usage(name); } bzero(iphits, sizeof(iphits)); setuphits(); if (!dev) dev = default_device; printf("Device: %s\n", dev); fd = initdevice(dev, 60); if (!angelic) { switch (fork()) { case 0 : (void) close(0); (void) close(1); (void) close(2); (void) setpgrp(0, getpgrp()); (void) setsid(); break; case -1: perror("fork"); exit(-1); default: exit(0); } } signal(SIGUSR1, writenow); detecthits(fd, writeafter); } diff --git a/contrib/ipfilter/ipsd/ipsd.h b/contrib/ipfilter/ipsd/ipsd.h index 48f591101b50..3726b84149b1 100644 --- a/contrib/ipfilter/ipsd/ipsd.h +++ b/contrib/ipfilter/ipsd/ipsd.h @@ -1,28 +1,26 @@ -/* $NetBSD$ */ - /* * (C)opyright 1995-1998 Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipsd.h 1.3 12/3/95 */ typedef struct { time_t sh_date; struct in_addr sh_ip; } sdhit_t; typedef struct { u_int sd_sz; u_int sd_cnt; u_short sd_port; sdhit_t *sd_hit; } ipsd_t; typedef struct { struct in_addr ss_ip; int ss_hits; u_long ss_ports; } ipss_t; diff --git a/contrib/ipfilter/ipsd/ipsdr.c b/contrib/ipfilter/ipsd/ipsdr.c index 4689cbad83e7..af007e45f8aa 100644 --- a/contrib/ipfilter/ipsd/ipsdr.c +++ b/contrib/ipfilter/ipsd/ipsdr.c 
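Review bot: In ipsd.c's detect(), `sh` is set to `ihp->sd_hit + ihp->sd_cnt` and that interior pointer is then passed to `realloc()` and `qsort()`, so the allocator receives an address it never returned and the sort runs `sd_cnt` elements starting at the slot just written, past the end of the array. The entries are built from the source addresses of captured packets, so this heap corruption is driven by network traffic. Both calls should use the array base: `sh = realloc(ihp->sd_hit, ihp->sd_sz * sizeof(*sh));` with a NULL check before `ihp->sd_hit = sh;`, and `qsort(ihp->sd_hit, ihp->sd_cnt, sizeof(*sh), ipcmp);`. The commit only touches the ident strings in this file, so the defect predates it; detect() in ipsdr.c has the same body.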
@@ -1,314 +1,312 @@ -/* $NetBSD$ */ - /* * (C)opyright 1995-1998 Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef linux #include #include #endif #include "ip_compat.h" #ifdef linux #include #include "tcpip.h" #endif #include "ipsd.h" #ifndef lint static const char sccsid[] = "@(#)ipsdr.c 1.3 12/3/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)Id: ipsdr.c,v 2.2 2001/06/09 17:09:25 darrenr Exp"; +static const char rcsid[] = "@(#)$Id: ipsdr.c,v 2.2 2001/06/09 17:09:25 darrenr Exp $"; #endif extern char *optarg; extern int optind; #define NPORTS 21 u_short defports[NPORTS] = { 7, 9, 20, 21, 23, 25, 53, 69, 79, 111, 123, 161, 162, 512, 513, 513, 515, 520, 540, 6000, 0 }; u_short pweights[NPORTS] = { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 }; ipsd_t *iphits[NPORTS]; int pkts; int ipcmp(sh1, sh2) sdhit_t *sh1, *sh2; { return sh1->sh_ip.s_addr - sh2->sh_ip.s_addr; } int ssipcmp(sh1, sh2) ipss_t *sh1, *sh2; { return sh1->ss_ip.s_addr - sh2->ss_ip.s_addr; } int countpbits(num) u_long num; { int i, j; for (i = 1, j = 0; i; i <<= 1) if (num & i) j++; return j; } /* * Check to see if we've already received a packet from this host for this * port. */ int findhit(ihp, src, dport) ipsd_t *ihp; struct in_addr src; u_short dport; { int i, j, k; sdhit_t *sh; sh = NULL; if (ihp->sd_sz == 4) { for (i = 0, sh = ihp->sd_hit; i < ihp->sd_cnt; i++, sh++) if (src.s_addr == sh->sh_ip.s_addr) return 1; } else { for (i = ihp->sd_cnt / 2, j = (i / 2) - 1; j >= 0; j--) { k = ihp->sd_hit[i].sh_ip.s_addr - src.s_addr; if (!k) return 1; else if (k < 0) i -= j; else i += j; } } return 0; } /* * Search for port number amongst the sorted array of targets we're * interested in. 
*/ int detect(srcip, dport, date) struct in_addr srcip; u_short dport; time_t date; { ipsd_t *ihp; sdhit_t *sh; int i, j, k; for (i = 10, j = 4; j >= 0; j--) { k = dport - defports[i]; if (!k) { ihp = iphits[i]; if (findhit(ihp, srcip, dport)) return 0; sh = ihp->sd_hit + ihp->sd_cnt; sh->sh_date = date; sh->sh_ip = srcip; if (++ihp->sd_cnt == ihp->sd_sz) { ihp->sd_sz += 8; sh = realloc(sh, ihp->sd_sz * sizeof(*sh)); ihp->sd_hit = sh; } qsort(sh, ihp->sd_cnt, sizeof(*sh), ipcmp); return 0; } if (k < 0) i -= j; else i += j; } return -1; } /* * Allocate initial storage for hosts */ setuphits() { int i; for (i = 0; i < NPORTS; i++) { if (iphits[i]) { if (iphits[i]->sd_hit) free(iphits[i]->sd_hit); free(iphits[i]); } iphits[i] = (ipsd_t *)malloc(sizeof(ipsd_t)); iphits[i]->sd_port = defports[i]; iphits[i]->sd_cnt = 0; iphits[i]->sd_sz = 4; iphits[i]->sd_hit = (sdhit_t *)malloc(sizeof(sdhit_t) * 4); } } /* * Write statistics out to a file */ addfile(file) char *file; { ipsd_t ipsd, *ips = &ipsd; sdhit_t hit, *hp; char fname[32]; int i, fd, sz; if ((fd = open(file, O_RDONLY)) == -1) { perror("open"); return; } printf("opened %s\n", file); do { if (read(fd, ips, sizeof(*ips)) != sizeof(*ips)) break; sz = ips->sd_sz * sizeof(*hp); hp = (sdhit_t *)malloc(sz); if (read(fd, hp, sz) != sz) break; for (i = 0; i < ips->sd_cnt; i++) detect(hp[i].sh_ip, ips->sd_port, hp[i].sh_date); } while (1); (void) close(fd); } readfiles(dir) char *dir; { struct direct **d; int i, j; d = NULL; i = scandir(dir, &d, NULL, NULL); for (j = 0; j < i; j++) { if (strncmp(d[j]->d_name, "ipsd-hits.", 10)) continue; addfile(d[j]->d_name); } } void printreport(ss, num) ipss_t *ss; int num; { struct in_addr ip; ipss_t *sp; int i, j, mask; u_long ports; printf("Hosts detected: %d\n", num); if (!num) return; for (i = 0; i < num; i++) printf("%s %d %d\n", inet_ntoa(ss[i].ss_ip), ss[i].ss_hits, countpbits(ss[i].ss_ports)); printf("--------------------------\n"); for (mask = 0xfffffffe, j = 32; j; j--, mask 
<<= 1) { ip.s_addr = ss[0].ss_ip.s_addr & mask; ports = ss[0].ss_ports; for (i = 1; i < num; i++) { sp = ss + i; if (ip.s_addr != (sp->ss_ip.s_addr & mask)) { printf("Netmask: 0x%08x\n", mask); printf("%s %d\n", inet_ntoa(ip), countpbits(ports)); ip.s_addr = sp->ss_ip.s_addr & mask; ports = 0; } ports |= sp->ss_ports; } if (ports) { printf("Netmask: 0x%08x\n", mask); printf("%s %d\n", inet_ntoa(ip), countpbits(ports)); } } } collectips() { ipsd_t *ips; ipss_t *ss; int i, num, nip, in, j, k; for (i = 0; i < NPORTS; i++) nip += iphits[i]->sd_cnt; ss = (ipss_t *)malloc(sizeof(ipss_t) * nip); for (in = 0, i = 0, num = 0; i < NPORTS; i++) { ips = iphits[i]; for (j = 0; j < ips->sd_cnt; j++) { for (k = 0; k < num; k++) if (!bcmp(&ss[k].ss_ip, &ips->sd_hit[j].sh_ip, sizeof(struct in_addr))) { ss[k].ss_hits += pweights[i]; ss[k].ss_ports |= (1 << i); break; } if (k == num) { ss[num].ss_ip = ips->sd_hit[j].sh_ip; ss[num].ss_hits = pweights[i]; ss[k].ss_ports |= (1 << i); num++; } } } qsort(ss, num, sizeof(*ss), ssipcmp); printreport(ss, num); } main(argc, argv) int argc; char *argv[]; { char c, *name = argv[0], *dir = NULL; int fd; setuphits(); dir = dir ? dir : "."; readfiles(dir); collectips(); } diff --git a/contrib/ipfilter/ipsd/linux.h b/contrib/ipfilter/ipsd/linux.h index 2fadfcfb2529..d9606cbba15d 100644 --- a/contrib/ipfilter/ipsd/linux.h +++ b/contrib/ipfilter/ipsd/linux.h @@ -1,17 +1,15 @@ -/* $NetBSD$ */ - /* * Copyright (C) 1997-1998 by Darren Reed. * * See the IPFILTER.LICENCE file for details on licencing. * * @(#)linux.h 1.1 8/19/95 */ #include #ifdef MODULE #include #include #endif /* MODULE */ #include "ip_compat.h" diff --git a/contrib/ipfilter/ipsd/sbpf.c b/contrib/ipfilter/ipsd/sbpf.c index 29a72008ab84..97bb4ce0ff3a 100644 --- a/contrib/ipfilter/ipsd/sbpf.c +++ b/contrib/ipfilter/ipsd/sbpf.c 
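Review bot: addfile() in ipsdr.c trusts the `sd_sz` and `sd_cnt` fields it reads from the hits file: the loop indexes `hp[i]` up to `sd_cnt` even when that exceeds the `sd_sz` entries actually read, and the `malloc()` result is used unchecked, so a damaged or tampered file leads to an out-of-bounds read. A guard such as `if (ips->sd_cnt > ips->sd_sz) break;` before the allocation and a NULL check on `hp` would contain it, and `free(hp);` is needed at the end of each iteration because the buffer is currently leaked on every record. Separately, collectips() accumulates into `nip` without initialising it, so the size given to `malloc()` for `ss` is indeterminate; `nip = 0;` before the loop fixes that.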
@@ -1,196 +1,194 @@ -/* $NetBSD$ */ - /* * (C)opyright 1995-1998 Darren Reed. (from tcplog) * * See the IPFILTER.LICENCE file for details on licencing. * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #if BSD < 199103 #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #include "ip_compat.h" #ifndef lint static char sbpf[] = "@(#)sbpf.c 1.2 12/3/95 (C)1995 Darren Reed"; #endif /* (000) ldh [12] (001) jeq #0x800 jt 2 jf 5 (002) ldb [23] (003) jeq #0x6 jt 4 jf 5 (004) ret #68 (005) ret #0 */ struct bpf_insn filter[] = { /* 0. */ { BPF_LD|BPF_H|BPF_ABS, 0, 0, 12 }, /* 1. */ { BPF_JMP|BPF_JEQ, 0, 3, 0x0800 }, /* 2. */ { BPF_LD|BPF_B|BPF_ABS, 0, 0, 23 }, /* 3. */ { BPF_JMP|BPF_JEQ, 0, 1, 0x06 }, /* 4. */ { BPF_RET, 0, 0, 68 }, /* 5. */ { BPF_RET, 0, 0, 0 } }; /* * the code herein is dervied from libpcap. */ static u_char *buf = NULL; static u_int bufsize = 32768, timeout = 1; int ack_recv(ep) char *ep; { struct tcpiphdr tip; tcphdr_t *tcp; ip_t *ip; ip = (ip_t *)&tip; tcp = (tcphdr_t *)(ip + 1); bcopy(ep + 14, (char *)ip, sizeof(*ip)); bcopy(ep + 14 + (ip->ip_hl << 2), (char *)tcp, sizeof(*tcp)); if (ip->ip_p != IPPROTO_TCP && ip->ip_p != IPPROTO_UDP) return -1; if (ip->ip_p & 0x1fff != 0) return 0; if (0 == detect(ip, tcp)) return 1; return 0; } int readloop(fd, port, dst) int fd, port; struct in_addr dst; { register u_char *bp, *cp, *bufend; register struct bpf_hdr *bh; register int cc; time_t in = time(NULL); int done = 0; while ((cc = read(fd, buf, bufsize)) >= 0) { if (!cc && (time(NULL) - in) > timeout) return done; bp = buf; bufend = buf + cc; /* * loop through each snapshot in the chunk */ while (bp < bufend) { bh = (struct bpf_hdr *)bp; cp = bp + bh->bh_hdrlen; done += ack_recv(cp); bp += BPF_WORDALIGN(bh->bh_caplen + bh->bh_hdrlen); } return done; } perror("read"); exit(-1); } int initdevice(device, tout) char 
*device; int tout; { struct bpf_program prog; struct bpf_version bv; struct timeval to; struct ifreq ifr; char bpfname[16]; int fd, i; for (i = 0; i < 16; i++) { (void) sprintf(bpfname, "/dev/bpf%d", i); if ((fd = open(bpfname, O_RDWR)) >= 0) break; } if (i == 16) { fprintf(stderr, "no bpf devices available as /dev/bpfxx\n"); return -1; } if (ioctl(fd, BIOCVERSION, (caddr_t)&bv) < 0) { perror("BIOCVERSION"); return -1; } if (bv.bv_major != BPF_MAJOR_VERSION || bv.bv_minor < BPF_MINOR_VERSION) { fprintf(stderr, "kernel bpf (v%d.%d) filter out of date:\n", bv.bv_major, bv.bv_minor); fprintf(stderr, "current version: %d.%d\n", BPF_MAJOR_VERSION, BPF_MINOR_VERSION); return -1; } (void) strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); if (ioctl(fd, BIOCSETIF, &ifr) == -1) { fprintf(stderr, "%s(%d):", ifr.ifr_name, fd); perror("BIOCSETIF"); exit(1); } /* * set the timeout */ timeout = tout; to.tv_sec = 1; to.tv_usec = 0; if (ioctl(fd, BIOCSRTIMEOUT, (caddr_t)&to) == -1) { perror("BIOCSRTIMEOUT"); exit(-1); } /* * get kernel buffer size */ if (ioctl(fd, BIOCSBLEN, &bufsize) == -1) perror("BIOCSBLEN"); if (ioctl(fd, BIOCGBLEN, &bufsize) == -1) { perror("BIOCGBLEN"); exit(-1); } printf("BPF buffer size: %d\n", bufsize); buf = (u_char*)malloc(bufsize); prog.bf_len = sizeof(filter) / sizeof(struct bpf_insn); prog.bf_insns = filter; if (ioctl(fd, BIOCSETF, (caddr_t)&prog) == -1) { perror("BIOCSETF"); exit(-1); } (void) ioctl(fd, BIOCFLUSH, 0); return fd; } diff --git a/contrib/ipfilter/ipsd/sdlpi.c b/contrib/ipfilter/ipsd/sdlpi.c index 289ad2f46804..baede7c46a06 100644 --- a/contrib/ipfilter/ipsd/sdlpi.c +++ b/contrib/ipfilter/ipsd/sdlpi.c 
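Review bot: The fragment test in sbpf.c's ack_recv(), `if (ip->ip_p & 0x1fff != 0)`, does not test the fragment offset: `!=` binds tighter than `&`, so it evaluates `ip->ip_p & 1`, and it reads the protocol field rather than `ip_off`. Non-first fragments therefore reach detect() with payload bytes interpreted as a TCP header, while every UDP packet (protocol 17) is silently dropped. It should read `if ((ntohs(ip->ip_off) & 0x1fff) != 0) return 0;` (the byte-order conversion is an assumption for a raw capture and should be confirmed per platform). sdlpi.c and snit.c have the same precedence problem in `ip->ip_off & 0x1fff != 0`, which reduces to `ip->ip_off & 1`.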
@@ -1,261 +1,259 @@ -/* $NetBSD$ */ - /* * (C)opyright 1992-1998 Darren Reed. (from tcplog) * * See the IPFILTER.LICENCE file for details on licencing. * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "ip_compat.h" #ifndef lint static char snitid[] = "%W% %G% (C)1995 Darren Reed"; #endif #define BUFSPACE 32768 static int solfd; /* * Be careful to only include those defined in the flags option for the * interface are included in the header size. */ static int timeout; void nullbell() { return 0; } int ack_recv(ep) char *ep; { struct tcpiphdr tip; tcphdr_t *tcp; ip_t *ip; ip = (ip_t *)&tip; tcp = (tcphdr_t *)(ip + 1); bcopy(ep, (char *)ip, sizeof(*ip)); bcopy(ep + (ip->ip_hl << 2), (char *)tcp, sizeof(*tcp)); if (ip->ip_off & 0x1fff != 0) return 0; if (0 == detect(ip, tcp)) return 1; return 0; } int readloop(fd, port, dst) int fd, port; struct in_addr dst; { static u_char buf[BUFSPACE]; register u_char *bp, *cp, *bufend; register struct sb_hdr *hp; register int cc; struct strbuf dbuf; ether_header_t eh; time_t now = time(NULL); int flags = 0, i, done = 0; fd = solfd; dbuf.len = 0; dbuf.buf = buf; dbuf.maxlen = sizeof(buf); /* * no control data buffer... 
*/ while (1) { (void) signal(SIGALRM, nullbell); alarm(1); i = getmsg(fd, NULL, &dbuf, &flags); alarm(0); (void) signal(SIGALRM, nullbell); cc = dbuf.len; if ((time(NULL) - now) > timeout) return done; if (i == -1) if (errno == EINTR) continue; else break; bp = buf; bufend = buf + cc; /* * loop through each snapshot in the chunk */ while (bp < bufend) { /* * get past bufmod header */ hp = (struct sb_hdr *)bp; cp = (u_char *)((char *)bp + sizeof(*hp)); bcopy(cp, (char *)&eh, sizeof(eh)); /* * next snapshot */ bp += hp->sbh_totlen; cc -= hp->sbh_totlen; if (eh.ether_type != ETHERTYPE_IP) continue; cp += sizeof(eh); done += ack_recv(cp); } alarm(1); } perror("getmsg"); exit(-1); } int initdevice(device, tout) char *device; int tout; { struct strioctl si; struct timeval to; struct ifreq ifr; struct packetfilt pfil; u_long if_flags; u_short *fwp = pfil.Pf_Filter; char devname[16], *s, buf[256]; int i, offset, fd, snaplen= 58, chunksize = BUFSPACE; (void) sprintf(devname, "/dev/%s", device); s = devname + 5; while (*s && !ISDIGIT(*s)) s++; if (!*s) { fprintf(stderr, "bad device name %s\n", devname); exit(-1); } i = atoi(s); *s = '\0'; /* * For reading */ if ((fd = open(devname, O_RDWR)) < 0) { fprintf(stderr, "O_RDWR(0) "); perror(devname); exit(-1); } if (dlattachreq(fd, i) == -1 || dlokack(fd, buf) == -1) { fprintf(stderr, "DLPI error\n"); exit(-1); } dlbindreq(fd, ETHERTYPE_IP, 0, DL_CLDLS, 0, 0); dlbindack(fd, buf); /* * read full headers */ if (strioctl(fd, DLIOCRAW, -1, 0, NULL) == -1) { fprintf(stderr, "DLIOCRAW error\n"); exit(-1); } /* * Create some filter rules for our TCP watcher. We only want ethernet * pacets which are IP protocol and only the TCP packets from IP. 
*/ offset = 6; *fwp++ = ENF_PUSHWORD + offset; *fwp++ = ENF_PUSHLIT | ENF_CAND; *fwp++ = htons(ETHERTYPE_IP); *fwp++ = ENF_PUSHWORD + sizeof(struct ether_header)/sizeof(short)+4; *fwp++ = ENF_PUSHLIT | ENF_AND; *fwp++ = htons(0x00ff); *fwp++ = ENF_PUSHLIT | ENF_COR; *fwp++ = htons(IPPROTO_TCP); *fwp++ = ENF_PUSHWORD + sizeof(struct ether_header)/sizeof(short)+4; *fwp++ = ENF_PUSHLIT | ENF_AND; *fwp++ = htons(0x00ff); *fwp++ = ENF_PUSHLIT | ENF_CAND; *fwp++ = htons(IPPROTO_UDP); pfil.Pf_FilterLen = (fwp - &pfil.Pf_Filter[0]); /* * put filter in place. */ if (ioctl(fd, I_PUSH, "pfmod") == -1) { perror("ioctl: I_PUSH pf"); exit(1); } if (strioctl(fd, PFIOCSETF, -1, sizeof(pfil), (char *)&pfil) == -1) { perror("ioctl: PFIOCSETF"); exit(1); } /* * arrange to get messages from the NIT STREAM and use NIT_BUF option */ if (ioctl(fd, I_PUSH, "bufmod") == -1) { perror("ioctl: I_PUSH bufmod"); exit(1); } i = 128; strioctl(fd, SBIOCSSNAP, -1, sizeof(i), (char *)&i); /* * set the timeout */ to.tv_sec = 1; to.tv_usec = 0; if (strioctl(fd, SBIOCSTIME, -1, sizeof(to), (char *)&to) == -1) { perror("strioctl(SBIOCSTIME)"); exit(-1); } /* * flush read queue */ if (ioctl(fd, I_FLUSH, FLUSHR) == -1) { perror("I_FLUSHR"); exit(-1); } timeout = tout; solfd = fd; return fd; } diff --git a/contrib/ipfilter/ipsd/slinux.c b/contrib/ipfilter/ipsd/slinux.c index 3b786b04b88c..6372a607b2c1 100644 --- a/contrib/ipfilter/ipsd/slinux.c +++ b/contrib/ipfilter/ipsd/slinux.c 
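Review bot: initdevice() in sdlpi.c writes the device name with `sprintf(devname, "/dev/%s", device)` into `char devname[16]`, so any name longer than 10 characters overruns the stack buffer. The value presumably comes from the `-d` option in ipsd.c's main(), which passes `optarg` through without a length check. Bound the write with `n = snprintf(devname, sizeof(devname), "/dev/%s", device);` and exit with an error when `n >= sizeof(devname)` instead of continuing with a truncated path. The `fname[32]` buffer filled by `sprintf()` in ipsd.c's writestats() deserves the same treatment.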
@@ -1,118 +1,116 @@ -/* $NetBSD$ */ - /* * (C)opyright 1992-1998 Darren Reed. (from tcplog) * * See the IPFILTER.LICENCE file for details on licencing. * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "ip_compat.h" #include "tcpip.h" #ifndef lint static const char sccsid[] = "@(#)slinux.c 1.1 12/3/95 (C) 1995 Darren Reed"; #endif #define BUFSPACE 32768 /* * Be careful to only include those defined in the flags option for the * interface are included in the header size. */ static int timeout; static char *eth_dev = NULL; int ack_recv(bp) char *bp; { struct tcpip tip; tcphdr_t *tcp; ip_t *ip; ip = (struct ip *)&tip; tcp = (tcphdr_t *)(ip + 1); bcopy(bp, (char *)&tip, sizeof(tip)); bcopy(bp + (ip.ip_hl << 2), (char *)tcp, sizeof(*tcp)); if (0 == detect(ip, tcp)) return 1; return 0; } void readloop(fd, port, dst) int fd, port; struct in_addr dst; { static u_char buf[BUFSPACE]; struct sockaddr dest; register u_char *bp = buf; register int cc; int dlen, done = 0; time_t now = time(NULL); do { fflush(stdout); dlen = sizeof(dest); bzero((char *)&dest, dlen); cc = recvfrom(fd, buf, BUFSPACE, 0, &dest, &dlen); if (!cc) if ((time(NULL) - now) > timeout) return done; else continue; if (bp[12] != 0x8 || bp[13] != 0) continue; /* not ip */ /* * get rid of non-tcp or fragmented packets here. */ if (cc >= sizeof(struct tcpiphdr)) { if (((bp[14+9] != IPPROTO_TCP) && (bp[14+9] != IPPROTO_UDP)) || (bp[14+6] & 0x1f) || (bp[14+6] & 0xff)) continue; done += ack_recv(bp + 14); } } while (cc >= 0); perror("read"); exit(-1); } int initdevice(dev, tout) char *dev; int tout; { int fd; eth_dev = strdup(dev); if ((fd = socket(AF_INET, SOCK_PACKET, htons(ETHERTYPE_IP))) == -1) { perror("socket(SOCK_PACKET)"); exit(-1); } return fd; } diff --git a/contrib/ipfilter/ipsd/snit.c b/contrib/ipfilter/ipsd/snit.c index 8f250260c33f..e78c59190e00 100644 --- a/contrib/ipfilter/ipsd/snit.c 
+++ b/contrib/ipfilter/ipsd/snit.c 
@@ -1,228 +1,226 @@ -/* $NetBSD$ */ - /* * (C)opyright 1992-1998 Darren Reed. (from tcplog) * * See the IPFILTER.LICENCE file for details on licencing. * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifndef lint static char snitid[] = "@(#)snit.c 1.2 12/3/95 (C)1995 Darren Reed"; #endif #define BUFSPACE 32768 /* * Be careful to only include those defined in the flags option for the * interface are included in the header size. */ #define BUFHDR_SIZE (sizeof(struct nit_bufhdr)) #define NIT_HDRSIZE (BUFHDR_SIZE) static int timeout; int ack_recv(ep) char *ep; { struct tcpiphdr tip; struct tcphdr *tcp; struct ip *ip; ip = (struct ip *)&tip; tcp = (struct tcphdr *)(ip + 1); bcopy(ep + 14, (char *)ip, sizeof(*ip)); bcopy(ep + 14 + (ip->ip_hl << 2), (char *)tcp, sizeof(*tcp)); if (ip->ip_off & 0x1fff != 0) return 0; if (0 == detect(ip, tcp)) return 1; return 0; } int readloop(fd, dst) int fd; struct in_addr dst; { static u_char buf[BUFSPACE]; register u_char *bp, *cp, *bufend; register struct nit_bufhdr *hp; register int cc; time_t now = time(NULL); int done = 0; while ((cc = read(fd, buf, BUFSPACE-1)) >= 0) { if (!cc) if ((time(NULL) - now) > timeout) return done; else continue; bp = buf; bufend = buf + cc; /* * loop through each snapshot in the chunk */ while (bp < bufend) { cp = (u_char *)((char *)bp + NIT_HDRSIZE); /* * get past NIT buffer */ hp = (struct nit_bufhdr *)bp; /* * next snapshot */ bp += hp->nhb_totlen; done += ack_recv(cp); } return done; } perror("read"); exit(-1); } int initdevice(device, tout) char *device; int tout; { struct strioctl si; struct timeval to; struct ifreq ifr; struct packetfilt pfil; u_long if_flags; u_short *fwp = pfil.Pf_Filter; int ret, offset, fd, snaplen= 76, chunksize = BUFSPACE; if ((fd = open("/dev/nit", O_RDWR)) < 
0) { perror("/dev/nit"); exit(-1); } /* * Create some filter rules for our TCP watcher. We only want ethernet * pacets which are IP protocol and only the TCP packets from IP. */ offset = 6; *fwp++ = ENF_PUSHWORD + offset; *fwp++ = ENF_PUSHLIT | ENF_CAND; *fwp++ = htons(ETHERTYPE_IP); *fwp++ = ENF_PUSHWORD + sizeof(struct ether_header)/sizeof(short)+4; *fwp++ = ENF_PUSHLIT | ENF_AND; *fwp++ = htons(0x00ff); *fwp++ = ENF_PUSHLIT | ENF_COR; *fwp++ = htons(IPPROTO_TCP); *fwp++ = ENF_PUSHWORD + sizeof(struct ether_header)/sizeof(short)+4; *fwp++ = ENF_PUSHLIT | ENF_AND; *fwp++ = htons(0x00ff); *fwp++ = ENF_PUSHLIT | ENF_CAND; *fwp++ = htons(IPPROTO_UDP); pfil.Pf_FilterLen = fwp - &pfil.Pf_Filter[0]; /* * put filter in place. */ if (ioctl(fd, I_PUSH, "pf") == -1) { perror("ioctl: I_PUSH pf"); exit(1); } if (ioctl(fd, NIOCSETF, &pfil) == -1) { perror("ioctl: NIOCSETF"); exit(1); } /* * arrange to get messages from the NIT STREAM and use NIT_BUF option */ ioctl(fd, I_SRDOPT, (char*)RMSGD); ioctl(fd, I_PUSH, "nbuf"); /* * set the timeout */ timeout = tout; si.ic_timout = 1; to.tv_sec = 1; to.tv_usec = 0; si.ic_cmd = NIOCSTIME; si.ic_len = sizeof(to); si.ic_dp = (char*)&to; if (ioctl(fd, I_STR, (char*)&si) == -1) { perror("ioctl: NIT timeout"); exit(-1); } /* * set the chunksize */ si.ic_cmd = NIOCSCHUNK; si.ic_len = sizeof(chunksize); si.ic_dp = (char*)&chunksize; if (ioctl(fd, I_STR, (char*)&si) == -1) perror("ioctl: NIT chunksize"); if (ioctl(fd, NIOCGCHUNK, (char*)&chunksize) == -1) { perror("ioctl: NIT chunksize"); exit(-1); } printf("NIT buffer size: %d\n", chunksize); /* * request the interface */ strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); ifr.ifr_name[sizeof(ifr.ifr_name) - 1] = ' '; si.ic_cmd = NIOCBIND; si.ic_len = sizeof(ifr); si.ic_dp = (char*)𝔦 if (ioctl(fd, I_STR, (char*)&si) == -1) { perror(ifr.ifr_name); exit(1); } /* * set the snapshot length */ si.ic_cmd = NIOCSSNAP; si.ic_len = sizeof(snaplen); si.ic_dp = (char*)&snaplen; if (ioctl(fd, I_STR, 
(char*)&si) == -1) { perror("ioctl: NIT snaplen"); exit(1); } (void) ioctl(fd, I_FLUSH, (char*)FLUSHR); return fd; } diff --git a/contrib/ipfilter/ipsend/44arp.c b/contrib/ipfilter/ipsend/44arp.c index 420635516ebf..ca571e01db02 100644 --- a/contrib/ipfilter/ipsend/44arp.c +++ b/contrib/ipfilter/ipsend/44arp.c 
@@ -1,119 +1,117 @@ -/* $NetBSD$ */ - /* * Based upon 4.4BSD's /usr/sbin/arp */ #include #include #include #include #include #if __FreeBSD_version >= 300000 # include #endif #include #include #if defined(__FreeBSD__) # include "radix_ipf.h" #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "ipsend.h" #include "iplang/iplang.h" /* * lookup host and return * its IP address in address * (4 bytes) */ int resolve(host, address) char *host, *address; { struct hostent *hp; u_long add; add = inet_addr(host); if (add == -1) { if (!(hp = gethostbyname(host))) { fprintf(stderr, "unknown host: %s\n", host); return -1; } bcopy((char *)hp->h_addr, (char *)address, 4); return 0; } bcopy((char*)&add, address, 4); return 0; } int arp(addr, eaddr) char *addr, *eaddr; { int mib[6]; size_t needed; char *lim, *buf, *next; struct rt_msghdr *rtm; struct sockaddr_inarp *sin; struct sockaddr_dl *sdl; #ifdef IPSEND if (arp_getipv4(addr, ether) == 0) return 0; #endif if (!addr) return -1; mib[0] = CTL_NET; mib[1] = PF_ROUTE; mib[2] = 0; mib[3] = AF_INET; mib[4] = NET_RT_FLAGS; mib[5] = RTF_LLINFO; if (sysctl(mib, 6, NULL, &needed, NULL, 0) == -1) { perror("route-sysctl-estimate"); exit(-1); } if ((buf = malloc(needed)) == NULL) { perror("malloc"); exit(-1); } if (sysctl(mib, 6, buf, &needed, NULL, 0) == -1) { perror("actual retrieval of routing table"); exit(-1); } lim = buf + needed; for (next = buf; next < lim; next += rtm->rtm_msglen) { rtm = (struct rt_msghdr *)next; sin = (struct sockaddr_inarp *)(rtm + 1); sdl = (struct sockaddr_dl *)(sin + 1); if (!bcmp(addr, (char *)&sin->sin_addr, sizeof(struct in_addr))) { bcopy(LLADDR(sdl), eaddr, sdl->sdl_alen); return 0; } } return -1; } diff --git a/contrib/ipfilter/ipsend/arp.c b/contrib/ipfilter/ipsend/arp.c index 0e8f556724ac..609b8dd73fd7 100644 --- a/contrib/ipfilter/ipsend/arp.c +++ b/contrib/ipfilter/ipsend/arp.c 
@@ -1,141 +1,139 @@ -/* $NetBSD$ */ - /* * arp.c (C) 1995-1998 Darren Reed * * See the IPFILTER.LICENCE file for details on licencing. */ #if !defined(lint) static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)Id: arp.c,v 2.8 2003/12/01 02:01:15 darrenr Exp"; +static const char rcsid[] = "@(#)$Id: arp.c,v 2.8.2.1 2005/06/12 07:18:38 darrenr Exp $"; #endif #include #include -#if !defined(ultrix) && !defined(hpux) && !defined(__hpux) && !defined(__osf__) +#if !defined(ultrix) && !defined(hpux) && !defined(__hpux) && !defined(__osf__) && !defined(_AIX51) #include #endif #include #include #include #include #include #ifndef ultrix #include #endif #include #include #include #include #include #include #include #include "ipsend.h" #include "iplang/iplang.h" /* * lookup host and return * its IP address in address * (4 bytes) */ int resolve(host, address) char *host, *address; { struct hostent *hp; u_long add; add = inet_addr(host); if (add == -1) { if (!(hp = gethostbyname(host))) { fprintf(stderr, "unknown host: %s\n", host); return -1; } bcopy((char *)hp->h_addr, (char *)address, 4); return 0; } bcopy((char*)&add, address, 4); return 0; } /* * ARP for the MAC address corresponding * to the IP address. This taken from * some BSD program, I cant remember which. 
*/ int arp(ip, ether) char *ip; char *ether; { static int sfd = -1; static char ethersave[6], ipsave[4]; struct arpreq ar; struct sockaddr_in *sin, san; struct hostent *hp; int fd; #ifdef IPSEND if (arp_getipv4(ip, ether) == 0) return 0; #endif if (!bcmp(ipsave, ip, 4)) { bcopy(ethersave, ether, 6); return 0; } fd = -1; bzero((char *)&ar, sizeof(ar)); sin = (struct sockaddr_in *)&ar.arp_pa; sin->sin_family = AF_INET; bcopy(ip, (char *)&sin->sin_addr.s_addr, 4); #ifndef hpux if ((hp = gethostbyaddr(ip, 4, AF_INET))) # if SOLARIS && (SOLARIS2 >= 10) if (!(ether_hostton(hp->h_name, (struct ether_addr *)ether))) # else if (!(ether_hostton(hp->h_name, ether))) # endif goto savearp; #endif if (sfd == -1) if ((sfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) { perror("arp: socket"); return -1; } tryagain: if (ioctl(sfd, SIOCGARP, (caddr_t)&ar) == -1) { if (fd == -1) { bzero((char *)&san, sizeof(san)); san.sin_family = AF_INET; san.sin_port = htons(1); bcopy(ip, &san.sin_addr.s_addr, 4); fd = socket(AF_INET, SOCK_DGRAM, 0); (void) sendto(fd, ip, 4, 0, (struct sockaddr *)&san, sizeof(san)); sleep(1); (void) close(fd); goto tryagain; } fprintf(stderr, "(%s):", inet_ntoa(sin->sin_addr)); if (errno != ENXIO) perror("SIOCGARP"); return -1; } if ((ar.arp_ha.sa_data[0] == 0) && (ar.arp_ha.sa_data[1] == 0) && (ar.arp_ha.sa_data[2] == 0) && (ar.arp_ha.sa_data[3] == 0) && (ar.arp_ha.sa_data[4] == 0) && (ar.arp_ha.sa_data[5] == 0)) { fprintf(stderr, "(%s):", inet_ntoa(sin->sin_addr)); return -1; } bcopy(ar.arp_ha.sa_data, ether, 6); savearp: bcopy(ether, ethersave, 6); bcopy(ip, ipsave, 4); return 0; } diff --git a/contrib/ipfilter/ipsend/dlcommon.c b/contrib/ipfilter/ipsend/dlcommon.c index 6e351f0fd061..89941388a618 100644 --- a/contrib/ipfilter/ipsend/dlcommon.c +++ b/contrib/ipfilter/ipsend/dlcommon.c 
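Review bot: In `arp()`, the retry path taken when `SIOCGARP` fails calls `socket()` without checking the result, and `fd == -1` is also the test for "not yet retried". If that `socket()` call fails, `fd` stays -1, `sendto()` and `close()` run on an invalid descriptor, and the code goes back through `tryagain:` with a one-second sleep for as long as `socket()` keeps failing. I would guard it the way the `sfd` socket is guarded a few lines earlier: `if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) { perror("arp: socket"); return -1; }`. Separately, the static `ipsave` cache starts zero-filled, so a first lookup of 0.0.0.0 returns success with an all-zero `ethersave`, which the `SIOCGARP` path explicitly rejects. A `static int` flag set at `savearp:` and tested alongside the `bcmp()` would close that gap.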
@@ -1,1383 +1,1381 @@ -/* $NetBSD$ */ - /* * Common (shared) DLPI test routines. * Mostly pretty boring boilerplate sorta stuff. * These can be split into individual library routines later * but it's just convenient to keep them in a single file * while they're being developed. * * Not supported: * Connection Oriented stuff * QOS stuff */ /* typedef unsigned long ulong; */ #include #include #include #ifdef __osf__ # include #else # include #endif #include #include #include #include "dltest.h" #define CASERET(s) case s: return ("s") char *dlprim(); char *dlstate(); char *dlerrno(); char *dlpromisclevel(); char *dlservicemode(); char *dlstyle(); char *dlmactype(); void dlinforeq(fd) int fd; { dl_info_req_t info_req; struct strbuf ctl; int flags; info_req.dl_primitive = DL_INFO_REQ; ctl.maxlen = 0; ctl.len = sizeof (info_req); ctl.buf = (char *) &info_req; flags = RS_HIPRI; if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0) syserr("dlinforeq: putmsg"); } void dlinfoack(fd, bufp) int fd; char *bufp; { union DL_primitives *dlp; struct strbuf ctl; int flags; ctl.maxlen = MAXDLBUF; ctl.len = 0; ctl.buf = bufp; strgetmsg(fd, &ctl, (struct strbuf*)NULL, &flags, "dlinfoack"); dlp = (union DL_primitives *) ctl.buf; expecting(DL_INFO_ACK, dlp); if (ctl.len < sizeof (dl_info_ack_t)) err("dlinfoack: response ctl.len too short: %d", ctl.len); if (flags != RS_HIPRI) err("dlinfoack: DL_INFO_ACK was not M_PCPROTO"); if (ctl.len < sizeof (dl_info_ack_t)) err("dlinfoack: short response ctl.len: %d", ctl.len); } void dlattachreq(fd, ppa) int fd; u_long ppa; { dl_attach_req_t attach_req; struct strbuf ctl; int flags; attach_req.dl_primitive = DL_ATTACH_REQ; attach_req.dl_ppa = ppa; ctl.maxlen = 0; ctl.len = sizeof (attach_req); ctl.buf = (char *) &attach_req; flags = 0; if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0) syserr("dlattachreq: putmsg"); } void dlenabmultireq(fd, addr, length) int fd; char *addr; int length; { long buf[MAXDLBUF]; union DL_primitives *dlp; struct 
strbuf ctl; int flags; dlp = (union DL_primitives*) buf; dlp->enabmulti_req.dl_primitive = DL_ENABMULTI_REQ; dlp->enabmulti_req.dl_addr_length = length; dlp->enabmulti_req.dl_addr_offset = sizeof (dl_enabmulti_req_t); (void) memcpy((char*)OFFADDR(buf, sizeof (dl_enabmulti_req_t)), addr, length); ctl.maxlen = 0; ctl.len = sizeof (dl_enabmulti_req_t) + length; ctl.buf = (char*) buf; flags = 0; if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0) syserr("dlenabmultireq: putmsg"); } void dldisabmultireq(fd, addr, length) int fd; char *addr; int length; { long buf[MAXDLBUF]; union DL_primitives *dlp; struct strbuf ctl; int flags; dlp = (union DL_primitives*) buf; dlp->disabmulti_req.dl_primitive = DL_ENABMULTI_REQ; dlp->disabmulti_req.dl_addr_length = length; dlp->disabmulti_req.dl_addr_offset = sizeof (dl_disabmulti_req_t); (void) memcpy((char*)OFFADDR(buf, sizeof (dl_disabmulti_req_t)), addr, length); ctl.maxlen = 0; ctl.len = sizeof (dl_disabmulti_req_t) + length; ctl.buf = (char*) buf; flags = 0; if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0) syserr("dldisabmultireq: putmsg"); } void dlpromisconreq(fd, level) int fd; u_long level; { dl_promiscon_req_t promiscon_req; struct strbuf ctl; int flags; promiscon_req.dl_primitive = DL_PROMISCON_REQ; promiscon_req.dl_level = level; ctl.maxlen = 0; ctl.len = sizeof (promiscon_req); ctl.buf = (char *) &promiscon_req; flags = 0; if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0) syserr("dlpromiscon: putmsg"); } void dlpromiscoff(fd, level) int fd; u_long level; { dl_promiscoff_req_t promiscoff_req; struct strbuf ctl; int flags; promiscoff_req.dl_primitive = DL_PROMISCOFF_REQ; promiscoff_req.dl_level = level; ctl.maxlen = 0; ctl.len = sizeof (promiscoff_req); ctl.buf = (char *) &promiscoff_req; flags = 0; if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0) syserr("dlpromiscoff: putmsg"); } void dlphysaddrreq(fd, addrtype) int fd; u_long addrtype; { dl_phys_addr_req_t phys_addr_req; struct strbuf ctl; int 
flags; phys_addr_req.dl_primitive = DL_PHYS_ADDR_REQ; phys_addr_req.dl_addr_type = addrtype; ctl.maxlen = 0; ctl.len = sizeof (phys_addr_req); ctl.buf = (char *) &phys_addr_req; flags = 0; if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0) syserr("dlphysaddrreq: putmsg"); } void dlsetphysaddrreq(fd, addr, length) int fd; char *addr; int length; { long buf[MAXDLBUF]; union DL_primitives *dlp; struct strbuf ctl; int flags; dlp = (union DL_primitives*) buf; dlp->set_physaddr_req.dl_primitive = DL_ENABMULTI_REQ; dlp->set_physaddr_req.dl_addr_length = length; dlp->set_physaddr_req.dl_addr_offset = sizeof (dl_set_phys_addr_req_t); (void) memcpy((char*)OFFADDR(buf, sizeof (dl_set_phys_addr_req_t)), addr, length); ctl.maxlen = 0; ctl.len = sizeof (dl_set_phys_addr_req_t) + length; ctl.buf = (char*) buf; flags = 0; if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0) syserr("dlsetphysaddrreq: putmsg"); } void dldetachreq(fd) int fd; { dl_detach_req_t detach_req; struct strbuf ctl; int flags; detach_req.dl_primitive = DL_DETACH_REQ; ctl.maxlen = 0; ctl.len = sizeof (detach_req); ctl.buf = (char *) &detach_req; flags = 0; if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0) syserr("dldetachreq: putmsg"); } void dlbindreq(fd, sap, max_conind, service_mode, conn_mgmt, xidtest) int fd; u_long sap; u_long max_conind; u_long service_mode; u_long conn_mgmt; u_long xidtest; { dl_bind_req_t bind_req; struct strbuf ctl; int flags; bind_req.dl_primitive = DL_BIND_REQ; bind_req.dl_sap = sap; bind_req.dl_max_conind = max_conind; bind_req.dl_service_mode = service_mode; bind_req.dl_conn_mgmt = conn_mgmt; bind_req.dl_xidtest_flg = xidtest; ctl.maxlen = 0; ctl.len = sizeof (bind_req); ctl.buf = (char *) &bind_req; flags = 0; if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0) syserr("dlbindreq: putmsg"); } void dlunitdatareq(fd, addrp, addrlen, minpri, maxpri, datap, datalen) int fd; u_char *addrp; int addrlen; u_long minpri, maxpri; u_char *datap; int datalen; { long 
buf[MAXDLBUF]; union DL_primitives *dlp; struct strbuf data, ctl; dlp = (union DL_primitives*) buf; dlp->unitdata_req.dl_primitive = DL_UNITDATA_REQ; dlp->unitdata_req.dl_dest_addr_length = addrlen; dlp->unitdata_req.dl_dest_addr_offset = sizeof (dl_unitdata_req_t); dlp->unitdata_req.dl_priority.dl_min = minpri; dlp->unitdata_req.dl_priority.dl_max = maxpri; (void) memcpy(OFFADDR(dlp, sizeof (dl_unitdata_req_t)), addrp, addrlen); ctl.maxlen = 0; ctl.len = sizeof (dl_unitdata_req_t) + addrlen; ctl.buf = (char *) buf; data.maxlen = 0; data.len = datalen; data.buf = (char *) datap; if (putmsg(fd, &ctl, &data, 0) < 0) syserr("dlunitdatareq: putmsg"); } void dlunbindreq(fd) int fd; { dl_unbind_req_t unbind_req; struct strbuf ctl; int flags; unbind_req.dl_primitive = DL_UNBIND_REQ; ctl.maxlen = 0; ctl.len = sizeof (unbind_req); ctl.buf = (char *) &unbind_req; flags = 0; if (putmsg(fd, &ctl, (struct strbuf*) NULL, flags) < 0) syserr("dlunbindreq: putmsg"); } void dlokack(fd, bufp) int fd; char *bufp; { union DL_primitives *dlp; struct strbuf ctl; int flags; ctl.maxlen = MAXDLBUF; ctl.len = 0; ctl.buf = bufp; strgetmsg(fd, &ctl, (struct strbuf*)NULL, &flags, "dlokack"); dlp = (union DL_primitives *) ctl.buf; expecting(DL_OK_ACK, dlp); if (ctl.len < sizeof (dl_ok_ack_t)) err("dlokack: response ctl.len too short: %d", ctl.len); if (flags != RS_HIPRI) err("dlokack: DL_OK_ACK was not M_PCPROTO"); if (ctl.len < sizeof (dl_ok_ack_t)) err("dlokack: short response ctl.len: %d", ctl.len); } void dlerrorack(fd, bufp) int fd; char *bufp; { union DL_primitives *dlp; struct strbuf ctl; int flags; ctl.maxlen = MAXDLBUF; ctl.len = 0; ctl.buf = bufp; strgetmsg(fd, &ctl, (struct strbuf*)NULL, &flags, "dlerrorack"); dlp = (union DL_primitives *) ctl.buf; expecting(DL_ERROR_ACK, dlp); if (ctl.len < sizeof (dl_error_ack_t)) err("dlerrorack: response ctl.len too short: %d", ctl.len); if (flags != RS_HIPRI) err("dlerrorack: DL_OK_ACK was not M_PCPROTO"); if (ctl.len < sizeof (dl_error_ack_t)) 
err("dlerrorack: short response ctl.len: %d", ctl.len); } void dlbindack(fd, bufp) int fd; char *bufp; { union DL_primitives *dlp; struct strbuf ctl; int flags; ctl.maxlen = MAXDLBUF; ctl.len = 0; ctl.buf = bufp; strgetmsg(fd, &ctl, (struct strbuf*)NULL, &flags, "dlbindack"); dlp = (union DL_primitives *) ctl.buf; expecting(DL_BIND_ACK, dlp); if (flags != RS_HIPRI) err("dlbindack: DL_OK_ACK was not M_PCPROTO"); if (ctl.len < sizeof (dl_bind_ack_t)) err("dlbindack: short response ctl.len: %d", ctl.len); } void dlphysaddrack(fd, bufp) int fd; char *bufp; { union DL_primitives *dlp; struct strbuf ctl; int flags; ctl.maxlen = MAXDLBUF; ctl.len = 0; ctl.buf = bufp; strgetmsg(fd, &ctl, (struct strbuf*)NULL, &flags, "dlphysaddrack"); dlp = (union DL_primitives *) ctl.buf; expecting(DL_PHYS_ADDR_ACK, dlp); if (flags != RS_HIPRI) err("dlbindack: DL_OK_ACK was not M_PCPROTO"); if (ctl.len < sizeof (dl_phys_addr_ack_t)) err("dlphysaddrack: short response ctl.len: %d", ctl.len); } void sigalrm() { (void) err("sigalrm: TIMEOUT"); } strgetmsg(fd, ctlp, datap, flagsp, caller) int fd; struct strbuf *ctlp, *datap; int *flagsp; char *caller; { int rc; static char errmsg[80]; /* * Start timer. */ (void) signal(SIGALRM, sigalrm); if (alarm(MAXWAIT) < 0) { (void) sprintf(errmsg, "%s: alarm", caller); syserr(errmsg); } /* * Set flags argument and issue getmsg(). */ *flagsp = 0; if ((rc = getmsg(fd, ctlp, datap, flagsp)) < 0) { (void) sprintf(errmsg, "%s: getmsg", caller); syserr(errmsg); } /* * Stop timer. */ if (alarm(0) < 0) { (void) sprintf(errmsg, "%s: alarm", caller); syserr(errmsg); } /* * Check for MOREDATA and/or MORECTL. */ if ((rc & (MORECTL | MOREDATA)) == (MORECTL | MOREDATA)) err("%s: MORECTL|MOREDATA", caller); if (rc & MORECTL) err("%s: MORECTL", caller); if (rc & MOREDATA) err("%s: MOREDATA", caller); /* * Check for at least sizeof (long) control data portion. 
*/ if (ctlp->len < sizeof (long)) err("getmsg: control portion length < sizeof (long): %d", ctlp->len); } expecting(prim, dlp) int prim; union DL_primitives *dlp; { if (dlp->dl_primitive != (u_long)prim) { printdlprim(dlp); err("expected %s got %s", dlprim(prim), dlprim(dlp->dl_primitive)); exit(1); } } /* * Print any DLPI msg in human readable format. */ printdlprim(dlp) union DL_primitives *dlp; { switch (dlp->dl_primitive) { case DL_INFO_REQ: printdlinforeq(dlp); break; case DL_INFO_ACK: printdlinfoack(dlp); break; case DL_ATTACH_REQ: printdlattachreq(dlp); break; case DL_OK_ACK: printdlokack(dlp); break; case DL_ERROR_ACK: printdlerrorack(dlp); break; case DL_DETACH_REQ: printdldetachreq(dlp); break; case DL_BIND_REQ: printdlbindreq(dlp); break; case DL_BIND_ACK: printdlbindack(dlp); break; case DL_UNBIND_REQ: printdlunbindreq(dlp); break; case DL_SUBS_BIND_REQ: printdlsubsbindreq(dlp); break; case DL_SUBS_BIND_ACK: printdlsubsbindack(dlp); break; case DL_SUBS_UNBIND_REQ: printdlsubsunbindreq(dlp); break; case DL_ENABMULTI_REQ: printdlenabmultireq(dlp); break; case DL_DISABMULTI_REQ: printdldisabmultireq(dlp); break; case DL_PROMISCON_REQ: printdlpromisconreq(dlp); break; case DL_PROMISCOFF_REQ: printdlpromiscoffreq(dlp); break; case DL_UNITDATA_REQ: printdlunitdatareq(dlp); break; case DL_UNITDATA_IND: printdlunitdataind(dlp); break; case DL_UDERROR_IND: printdluderrorind(dlp); break; case DL_UDQOS_REQ: printdludqosreq(dlp); break; case DL_PHYS_ADDR_REQ: printdlphysaddrreq(dlp); break; case DL_PHYS_ADDR_ACK: printdlphysaddrack(dlp); break; case DL_SET_PHYS_ADDR_REQ: printdlsetphysaddrreq(dlp); break; default: err("printdlprim: unknown primitive type 0x%x", dlp->dl_primitive); break; } } /* ARGSUSED */ printdlinforeq(dlp) union DL_primitives *dlp; { (void) printf("DL_INFO_REQ\n"); } printdlinfoack(dlp) union DL_primitives *dlp; { u_char addr[MAXDLADDR]; u_char brdcst[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->info_ack.dl_addr_offset), 
dlp->info_ack.dl_addr_length, addr); addrtostring(OFFADDR(dlp, dlp->info_ack.dl_brdcst_addr_offset), dlp->info_ack.dl_brdcst_addr_length, brdcst); (void) printf("DL_INFO_ACK: max_sdu %d min_sdu %d\n", dlp->info_ack.dl_max_sdu, dlp->info_ack.dl_min_sdu); (void) printf("addr_length %d mac_type %s current_state %s\n", dlp->info_ack.dl_addr_length, dlmactype(dlp->info_ack.dl_mac_type), dlstate(dlp->info_ack.dl_current_state)); (void) printf("sap_length %d service_mode %s qos_length %d\n", dlp->info_ack.dl_sap_length, dlservicemode(dlp->info_ack.dl_service_mode), dlp->info_ack.dl_qos_length); (void) printf("qos_offset %d qos_range_length %d qos_range_offset %d\n", dlp->info_ack.dl_qos_offset, dlp->info_ack.dl_qos_range_length, dlp->info_ack.dl_qos_range_offset); (void) printf("provider_style %s addr_offset %d version %d\n", dlstyle(dlp->info_ack.dl_provider_style), dlp->info_ack.dl_addr_offset, dlp->info_ack.dl_version); (void) printf("brdcst_addr_length %d brdcst_addr_offset %d\n", dlp->info_ack.dl_brdcst_addr_length, dlp->info_ack.dl_brdcst_addr_offset); (void) printf("addr %s\n", addr); (void) printf("brdcst_addr %s\n", brdcst); } printdlattachreq(dlp) union DL_primitives *dlp; { (void) printf("DL_ATTACH_REQ: ppa %d\n", dlp->attach_req.dl_ppa); } printdlokack(dlp) union DL_primitives *dlp; { (void) printf("DL_OK_ACK: correct_primitive %s\n", dlprim(dlp->ok_ack.dl_correct_primitive)); } printdlerrorack(dlp) union DL_primitives *dlp; { (void) printf("DL_ERROR_ACK: error_primitive %s errno %s unix_errno %d: %s\n", dlprim(dlp->error_ack.dl_error_primitive), dlerrno(dlp->error_ack.dl_errno), dlp->error_ack.dl_unix_errno, strerror(dlp->error_ack.dl_unix_errno)); } printdlenabmultireq(dlp) union DL_primitives *dlp; { u_char addr[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->enabmulti_req.dl_addr_offset), dlp->enabmulti_req.dl_addr_length, addr); (void) printf("DL_ENABMULTI_REQ: addr_length %d addr_offset %d\n", dlp->enabmulti_req.dl_addr_length, 
dlp->enabmulti_req.dl_addr_offset); (void) printf("addr %s\n", addr); } printdldisabmultireq(dlp) union DL_primitives *dlp; { u_char addr[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->disabmulti_req.dl_addr_offset), dlp->disabmulti_req.dl_addr_length, addr); (void) printf("DL_DISABMULTI_REQ: addr_length %d addr_offset %d\n", dlp->disabmulti_req.dl_addr_length, dlp->disabmulti_req.dl_addr_offset); (void) printf("addr %s\n", addr); } printdlpromisconreq(dlp) union DL_primitives *dlp; { (void) printf("DL_PROMISCON_REQ: level %s\n", dlpromisclevel(dlp->promiscon_req.dl_level)); } printdlpromiscoffreq(dlp) union DL_primitives *dlp; { (void) printf("DL_PROMISCOFF_REQ: level %s\n", dlpromisclevel(dlp->promiscoff_req.dl_level)); } printdlphysaddrreq(dlp) union DL_primitives *dlp; { (void) printf("DL_PHYS_ADDR_REQ: addr_type 0x%x\n", dlp->physaddr_req.dl_addr_type); } printdlphysaddrack(dlp) union DL_primitives *dlp; { u_char addr[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->physaddr_ack.dl_addr_offset), dlp->physaddr_ack.dl_addr_length, addr); (void) printf("DL_PHYS_ADDR_ACK: addr_length %d addr_offset %d\n", dlp->physaddr_ack.dl_addr_length, dlp->physaddr_ack.dl_addr_offset); (void) printf("addr %s\n", addr); } printdlsetphysaddrreq(dlp) union DL_primitives *dlp; { u_char addr[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->set_physaddr_req.dl_addr_offset), dlp->set_physaddr_req.dl_addr_length, addr); (void) printf("DL_SET_PHYS_ADDR_REQ: addr_length %d addr_offset %d\n", dlp->set_physaddr_req.dl_addr_length, dlp->set_physaddr_req.dl_addr_offset); (void) printf("addr %s\n", addr); } /* ARGSUSED */ printdldetachreq(dlp) union DL_primitives *dlp; { (void) printf("DL_DETACH_REQ\n"); } printdlbindreq(dlp) union DL_primitives *dlp; { (void) printf("DL_BIND_REQ: sap %d max_conind %d\n", dlp->bind_req.dl_sap, dlp->bind_req.dl_max_conind); (void) printf("service_mode %s conn_mgmt %d xidtest_flg 0x%x\n", dlservicemode(dlp->bind_req.dl_service_mode), dlp->bind_req.dl_conn_mgmt, 
dlp->bind_req.dl_xidtest_flg); } printdlbindack(dlp) union DL_primitives *dlp; { u_char addr[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->bind_ack.dl_addr_offset), dlp->bind_ack.dl_addr_length, addr); (void) printf("DL_BIND_ACK: sap %d addr_length %d addr_offset %d\n", dlp->bind_ack.dl_sap, dlp->bind_ack.dl_addr_length, dlp->bind_ack.dl_addr_offset); (void) printf("max_conind %d xidtest_flg 0x%x\n", dlp->bind_ack.dl_max_conind, dlp->bind_ack.dl_xidtest_flg); (void) printf("addr %s\n", addr); } /* ARGSUSED */ printdlunbindreq(dlp) union DL_primitives *dlp; { (void) printf("DL_UNBIND_REQ\n"); } printdlsubsbindreq(dlp) union DL_primitives *dlp; { u_char sap[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->subs_bind_req.dl_subs_sap_offset), dlp->subs_bind_req.dl_subs_sap_length, sap); (void) printf("DL_SUBS_BIND_REQ: subs_sap_offset %d sub_sap_len %d\n", dlp->subs_bind_req.dl_subs_sap_offset, dlp->subs_bind_req.dl_subs_sap_length); (void) printf("sap %s\n", sap); } printdlsubsbindack(dlp) union DL_primitives *dlp; { u_char sap[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->subs_bind_ack.dl_subs_sap_offset), dlp->subs_bind_ack.dl_subs_sap_length, sap); (void) printf("DL_SUBS_BIND_ACK: subs_sap_offset %d sub_sap_length %d\n", dlp->subs_bind_ack.dl_subs_sap_offset, dlp->subs_bind_ack.dl_subs_sap_length); (void) printf("sap %s\n", sap); } printdlsubsunbindreq(dlp) union DL_primitives *dlp; { u_char sap[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->subs_unbind_req.dl_subs_sap_offset), dlp->subs_unbind_req.dl_subs_sap_length, sap); (void) printf("DL_SUBS_UNBIND_REQ: subs_sap_offset %d sub_sap_length %d\n", dlp->subs_unbind_req.dl_subs_sap_offset, dlp->subs_unbind_req.dl_subs_sap_length); (void) printf("sap %s\n", sap); } printdlunitdatareq(dlp) union DL_primitives *dlp; { u_char addr[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->unitdata_req.dl_dest_addr_offset), dlp->unitdata_req.dl_dest_addr_length, addr); (void) printf("DL_UNITDATA_REQ: dest_addr_length %d dest_addr_offset %d\n", 
dlp->unitdata_req.dl_dest_addr_length, dlp->unitdata_req.dl_dest_addr_offset); (void) printf("dl_priority.min %d dl_priority.max %d\n", dlp->unitdata_req.dl_priority.dl_min, dlp->unitdata_req.dl_priority.dl_max); (void) printf("addr %s\n", addr); } printdlunitdataind(dlp) union DL_primitives *dlp; { u_char dest[MAXDLADDR]; u_char src[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->unitdata_ind.dl_dest_addr_offset), dlp->unitdata_ind.dl_dest_addr_length, dest); addrtostring(OFFADDR(dlp, dlp->unitdata_ind.dl_src_addr_offset), dlp->unitdata_ind.dl_src_addr_length, src); (void) printf("DL_UNITDATA_IND: dest_addr_length %d dest_addr_offset %d\n", dlp->unitdata_ind.dl_dest_addr_length, dlp->unitdata_ind.dl_dest_addr_offset); (void) printf("src_addr_length %d src_addr_offset %d\n", dlp->unitdata_ind.dl_src_addr_length, dlp->unitdata_ind.dl_src_addr_offset); (void) printf("group_address 0x%x\n", dlp->unitdata_ind.dl_group_address); (void) printf("dest %s\n", dest); (void) printf("src %s\n", src); } printdluderrorind(dlp) union DL_primitives *dlp; { u_char addr[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->uderror_ind.dl_dest_addr_offset), dlp->uderror_ind.dl_dest_addr_length, addr); (void) printf("DL_UDERROR_IND: dest_addr_length %d dest_addr_offset %d\n", dlp->uderror_ind.dl_dest_addr_length, dlp->uderror_ind.dl_dest_addr_offset); (void) printf("unix_errno %d errno %s\n", dlp->uderror_ind.dl_unix_errno, dlerrno(dlp->uderror_ind.dl_errno)); (void) printf("addr %s\n", addr); } printdltestreq(dlp) union DL_primitives *dlp; { u_char addr[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->test_req.dl_dest_addr_offset), dlp->test_req.dl_dest_addr_length, addr); (void) printf("DL_TEST_REQ: flag 0x%x dest_addr_length %d dest_addr_offset %d\n", dlp->test_req.dl_flag, dlp->test_req.dl_dest_addr_length, dlp->test_req.dl_dest_addr_offset); (void) printf("dest_addr %s\n", addr); } printdltestind(dlp) union DL_primitives *dlp; { u_char dest[MAXDLADDR]; u_char src[MAXDLADDR]; addrtostring(OFFADDR(dlp, 
dlp->test_ind.dl_dest_addr_offset), dlp->test_ind.dl_dest_addr_length, dest); addrtostring(OFFADDR(dlp, dlp->test_ind.dl_src_addr_offset), dlp->test_ind.dl_src_addr_length, src); (void) printf("DL_TEST_IND: flag 0x%x dest_addr_length %d dest_addr_offset %d\n", dlp->test_ind.dl_flag, dlp->test_ind.dl_dest_addr_length, dlp->test_ind.dl_dest_addr_offset); (void) printf("src_addr_length %d src_addr_offset %d\n", dlp->test_ind.dl_src_addr_length, dlp->test_ind.dl_src_addr_offset); (void) printf("dest_addr %s\n", dest); (void) printf("src_addr %s\n", src); } printdltestres(dlp) union DL_primitives *dlp; { u_char dest[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->test_res.dl_dest_addr_offset), dlp->test_res.dl_dest_addr_length, dest); (void) printf("DL_TEST_RES: flag 0x%x dest_addr_length %d dest_addr_offset %d\n", dlp->test_res.dl_flag, dlp->test_res.dl_dest_addr_length, dlp->test_res.dl_dest_addr_offset); (void) printf("dest_addr %s\n", dest); } printdltestcon(dlp) union DL_primitives *dlp; { u_char dest[MAXDLADDR]; u_char src[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->test_con.dl_dest_addr_offset), dlp->test_con.dl_dest_addr_length, dest); addrtostring(OFFADDR(dlp, dlp->test_con.dl_src_addr_offset), dlp->test_con.dl_src_addr_length, src); (void) printf("DL_TEST_CON: flag 0x%x dest_addr_length %d dest_addr_offset %d\n", dlp->test_con.dl_flag, dlp->test_con.dl_dest_addr_length, dlp->test_con.dl_dest_addr_offset); (void) printf("src_addr_length %d src_addr_offset %d\n", dlp->test_con.dl_src_addr_length, dlp->test_con.dl_src_addr_offset); (void) printf("dest_addr %s\n", dest); (void) printf("src_addr %s\n", src); } printdlxidreq(dlp) union DL_primitives *dlp; { u_char dest[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->xid_req.dl_dest_addr_offset), dlp->xid_req.dl_dest_addr_length, dest); (void) printf("DL_XID_REQ: flag 0x%x dest_addr_length %d dest_addr_offset %d\n", dlp->xid_req.dl_flag, dlp->xid_req.dl_dest_addr_length, dlp->xid_req.dl_dest_addr_offset); (void) 
printf("dest_addr %s\n", dest); } printdlxidind(dlp) union DL_primitives *dlp; { u_char dest[MAXDLADDR]; u_char src[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->xid_ind.dl_dest_addr_offset), dlp->xid_ind.dl_dest_addr_length, dest); addrtostring(OFFADDR(dlp, dlp->xid_ind.dl_src_addr_offset), dlp->xid_ind.dl_src_addr_length, src); (void) printf("DL_XID_IND: flag 0x%x dest_addr_length %d dest_addr_offset %d\n", dlp->xid_ind.dl_flag, dlp->xid_ind.dl_dest_addr_length, dlp->xid_ind.dl_dest_addr_offset); (void) printf("src_addr_length %d src_addr_offset %d\n", dlp->xid_ind.dl_src_addr_length, dlp->xid_ind.dl_src_addr_offset); (void) printf("dest_addr %s\n", dest); (void) printf("src_addr %s\n", src); } printdlxidres(dlp) union DL_primitives *dlp; { u_char dest[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->xid_res.dl_dest_addr_offset), dlp->xid_res.dl_dest_addr_length, dest); (void) printf("DL_XID_RES: flag 0x%x dest_addr_length %d dest_addr_offset %d\n", dlp->xid_res.dl_flag, dlp->xid_res.dl_dest_addr_length, dlp->xid_res.dl_dest_addr_offset); (void) printf("dest_addr %s\n", dest); } printdlxidcon(dlp) union DL_primitives *dlp; { u_char dest[MAXDLADDR]; u_char src[MAXDLADDR]; addrtostring(OFFADDR(dlp, dlp->xid_con.dl_dest_addr_offset), dlp->xid_con.dl_dest_addr_length, dest); addrtostring(OFFADDR(dlp, dlp->xid_con.dl_src_addr_offset), dlp->xid_con.dl_src_addr_length, src); (void) printf("DL_XID_CON: flag 0x%x dest_addr_length %d dest_addr_offset %d\n", dlp->xid_con.dl_flag, dlp->xid_con.dl_dest_addr_length, dlp->xid_con.dl_dest_addr_offset); (void) printf("src_addr_length %d src_addr_offset %d\n", dlp->xid_con.dl_src_addr_length, dlp->xid_con.dl_src_addr_offset); (void) printf("dest_addr %s\n", dest); (void) printf("src_addr %s\n", src); } printdludqosreq(dlp) union DL_primitives *dlp; { (void) printf("DL_UDQOS_REQ: qos_length %d qos_offset %d\n", dlp->udqos_req.dl_qos_length, dlp->udqos_req.dl_qos_offset); } /* * Return string. 
*/ addrtostring(addr, length, s) u_char *addr; u_long length; u_char *s; { int i; for (i = 0; i < length; i++) { (void) sprintf((char*) s, "%x:", addr[i] & 0xff); s = s + strlen((char*)s); } if (length) *(--s) = '\0'; } /* * Return length */ stringtoaddr(sp, addr) char *sp; char *addr; { int n = 0; char *p; int val; p = sp; while (p = strtok(p, ":")) { if (sscanf(p, "%x", &val) != 1) err("stringtoaddr: invalid input string: %s", sp); if (val > 0xff) err("stringtoaddr: invalid input string: %s", sp); *addr++ = val; n++; p = NULL; } return (n); } static char hexnibble(c) char c; { static char hextab[] = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; return (hextab[c & 0x0f]); } char* dlprim(prim) u_long prim; { static char primbuf[80]; switch ((int)prim) { CASERET(DL_INFO_REQ); CASERET(DL_INFO_ACK); CASERET(DL_ATTACH_REQ); CASERET(DL_DETACH_REQ); CASERET(DL_BIND_REQ); CASERET(DL_BIND_ACK); CASERET(DL_UNBIND_REQ); CASERET(DL_OK_ACK); CASERET(DL_ERROR_ACK); CASERET(DL_SUBS_BIND_REQ); CASERET(DL_SUBS_BIND_ACK); CASERET(DL_UNITDATA_REQ); CASERET(DL_UNITDATA_IND); CASERET(DL_UDERROR_IND); CASERET(DL_UDQOS_REQ); CASERET(DL_CONNECT_REQ); CASERET(DL_CONNECT_IND); CASERET(DL_CONNECT_RES); CASERET(DL_CONNECT_CON); CASERET(DL_TOKEN_REQ); CASERET(DL_TOKEN_ACK); CASERET(DL_DISCONNECT_REQ); CASERET(DL_DISCONNECT_IND); CASERET(DL_RESET_REQ); CASERET(DL_RESET_IND); CASERET(DL_RESET_RES); CASERET(DL_RESET_CON); default: (void) sprintf(primbuf, "unknown primitive 0x%x", prim); return (primbuf); } } char* dlstate(state) u_long state; { static char statebuf[80]; switch (state) { CASERET(DL_UNATTACHED); CASERET(DL_ATTACH_PENDING); CASERET(DL_DETACH_PENDING); CASERET(DL_UNBOUND); CASERET(DL_BIND_PENDING); CASERET(DL_UNBIND_PENDING); CASERET(DL_IDLE); CASERET(DL_UDQOS_PENDING); CASERET(DL_OUTCON_PENDING); CASERET(DL_INCON_PENDING); CASERET(DL_CONN_RES_PENDING); CASERET(DL_DATAXFER); CASERET(DL_USER_RESET_PENDING); CASERET(DL_PROV_RESET_PENDING); 
CASERET(DL_RESET_RES_PENDING); CASERET(DL_DISCON8_PENDING); CASERET(DL_DISCON9_PENDING); CASERET(DL_DISCON11_PENDING); CASERET(DL_DISCON12_PENDING); CASERET(DL_DISCON13_PENDING); CASERET(DL_SUBS_BIND_PND); default: (void) sprintf(statebuf, "unknown state 0x%x", state); return (statebuf); } } char* dlerrno(errno) u_long errno; { static char errnobuf[80]; switch (errno) { CASERET(DL_ACCESS); CASERET(DL_BADADDR); CASERET(DL_BADCORR); CASERET(DL_BADDATA); CASERET(DL_BADPPA); CASERET(DL_BADPRIM); CASERET(DL_BADQOSPARAM); CASERET(DL_BADQOSTYPE); CASERET(DL_BADSAP); CASERET(DL_BADTOKEN); CASERET(DL_BOUND); CASERET(DL_INITFAILED); CASERET(DL_NOADDR); CASERET(DL_NOTINIT); CASERET(DL_OUTSTATE); CASERET(DL_SYSERR); CASERET(DL_UNSUPPORTED); CASERET(DL_UNDELIVERABLE); CASERET(DL_NOTSUPPORTED); CASERET(DL_TOOMANY); CASERET(DL_NOTENAB); CASERET(DL_BUSY); CASERET(DL_NOAUTO); CASERET(DL_NOXIDAUTO); CASERET(DL_NOTESTAUTO); CASERET(DL_XIDAUTO); CASERET(DL_TESTAUTO); CASERET(DL_PENDING); default: (void) sprintf(errnobuf, "unknown dlpi errno 0x%x", errno); return (errnobuf); } } char* dlpromisclevel(level) u_long level; { static char levelbuf[80]; switch (level) { CASERET(DL_PROMISC_PHYS); CASERET(DL_PROMISC_SAP); CASERET(DL_PROMISC_MULTI); default: (void) sprintf(levelbuf, "unknown promisc level 0x%x", level); return (levelbuf); } } char* dlservicemode(servicemode) u_long servicemode; { static char servicemodebuf[80]; switch (servicemode) { CASERET(DL_CODLS); CASERET(DL_CLDLS); CASERET(DL_CODLS|DL_CLDLS); default: (void) sprintf(servicemodebuf, "unknown provider service mode 0x%x", servicemode); return (servicemodebuf); } } char* dlstyle(style) long style; { static char stylebuf[80]; switch (style) { CASERET(DL_STYLE1); CASERET(DL_STYLE2); default: (void) sprintf(stylebuf, "unknown provider style 0x%x", style); return (stylebuf); } } char* dlmactype(media) u_long media; { static char mediabuf[80]; switch (media) { CASERET(DL_CSMACD); CASERET(DL_TPB); CASERET(DL_TPR); 
CASERET(DL_METRO); CASERET(DL_ETHER); CASERET(DL_HDLC); CASERET(DL_CHAR); CASERET(DL_CTCA); default: (void) sprintf(mediabuf, "unknown media type 0x%x", media); return (mediabuf); } } /*VARARGS1*/ err(fmt, a1, a2, a3, a4) char *fmt; char *a1, *a2, *a3, *a4; { (void) fprintf(stderr, fmt, a1, a2, a3, a4); (void) fprintf(stderr, "\n"); (void) exit(1); } syserr(s) char *s; { (void) perror(s); exit(1); } strioctl(fd, cmd, timout, len, dp) int fd; int cmd; int timout; int len; char *dp; { struct strioctl sioc; int rc; sioc.ic_cmd = cmd; sioc.ic_timout = timout; sioc.ic_len = len; sioc.ic_dp = dp; rc = ioctl(fd, I_STR, &sioc); if (rc < 0) return (rc); else return (sioc.ic_len); } diff --git a/contrib/ipfilter/ipsend/dltest.h b/contrib/ipfilter/ipsend/dltest.h index 9fafd9182dc0..4c32c30eb1bc 100644 --- a/contrib/ipfilter/ipsend/dltest.h +++ b/contrib/ipfilter/ipsend/dltest.h @@ -1,34 +1,32 @@ -/* $NetBSD$ */ - /* * Common DLPI Test Suite header file * */ /* * Maximum control/data buffer size (in long's !!) for getmsg(). */ #define MAXDLBUF 8192 /* * Maximum number of seconds we'll wait for any * particular DLPI acknowledgment from the provider * after issuing a request. */ #define MAXWAIT 15 /* * Maximum address buffer length. */ #define MAXDLADDR 1024 /* * Handy macro. */ #define OFFADDR(s, n) (u_char*)((char*)(s) + (int)(n)) /* * externs go here */ extern void sigalrm(); diff --git a/contrib/ipfilter/ipsend/hpux.c b/contrib/ipfilter/ipsend/hpux.c index 69f962c77c13..42078e3b7f54 100644 --- a/contrib/ipfilter/ipsend/hpux.c +++ b/contrib/ipfilter/ipsend/hpux.c 
@@ -1,114 +1,112 @@ -/* $NetBSD$ */ - /* * (C)opyright 1997-1998 Darren Reed. (from tcplog) * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ #include #include #include #include #include #include #include #include #include int initdevice(device, sport, tout) char *device; int sport, tout; { int fd; if ((fd = socket(AF_DLI, SOCK_RAW, 0)) == -1) perror("socket"); return fd; } /* * output an IP packet onto a fd opened for /dev/bpf */ int sendip(fd, pkt, len) int fd, len; char *pkt; { if (send(fd, pkt, len, 0) == -1) { perror("send"); return -1; } return len; } char *strdup(str) char *str; { char *s; if ((s = (char *)malloc(strlen(str) + 1))) return strcpy(s, str); return NULL; } /* * (C)opyright 1997 Darren Reed. (from tcplog) * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ #include #include #include #include #include #include #include #include #include int initdevice(device, sport, tout) char *device; int sport, tout; { int fd; if ((fd = socket(AF_DLI, SOCK_RAW, 0)) == -1) perror("socket"); return fd; } /* * output an IP packet onto a fd opened for /dev/bpf */ int sendip(fd, pkt, len) int fd, len; char *pkt; { if (send(fd, pkt, len, 0) == -1) { perror("send"); return -1; } return len; } char *strdup(str) char *str; { char *s; if ((s = (char *)malloc(strlen(str) + 1))) return strcpy(s, str); return NULL; } diff --git a/contrib/ipfilter/ipsend/in_var.h b/contrib/ipfilter/ipsend/in_var.h index f228bbbb69f2..2ebd731a4892 100644 --- a/contrib/ipfilter/ipsend/in_var.h +++ b/contrib/ipfilter/ipsend/in_var.h 
@@ -1,179 +1,177 @@ -/* $NetBSD$ */ - /* @(#)in_var.h 1.3 88/08/19 SMI; from UCB 7.1 6/5/86 */ /* * Copyright (c) 1985, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * Interface address, Internet version. One of these structures * is allocated for each interface with an Internet address. * The ifaddr structure contains the protocol-independent part * of the structure and is assumed to be first. */ #ifndef _netinet_in_var_h #define _netinet_in_var_h struct in_ifaddr { struct ifaddr ia_ifa; /* protocol-independent info */ #define ia_addr ia_ifa.ifa_addr #define ia_broadaddr ia_ifa.ifa_broadaddr #define ia_dstaddr ia_ifa.ifa_dstaddr #define ia_ifp ia_ifa.ifa_ifp u_long ia_net; /* network number of interface */ u_long ia_netmask; /* mask of net part */ u_long ia_subnet; /* subnet number, including net */ u_long ia_subnetmask; /* mask of net + subnet */ struct in_addr ia_netbroadcast; /* broadcast addr for (logical) net */ int ia_flags; struct in_ifaddr *ia_next; /* next in list of internet addresses */ struct in_multi *ia_multiaddrs;/* list of multicast addresses */ }; /* * Given a pointer to an in_ifaddr (ifaddr), * return a pointer to the addr as a sockadd_in. */ #define IA_SIN(ia) ((struct sockaddr_in *)(&((struct in_ifaddr *)ia)->ia_addr)) /* * ia_flags */ #define IFA_ROUTE 0x01 /* routing entry installed */ #ifdef KERNEL struct in_ifaddr *in_ifaddr; struct in_ifaddr *in_iaonnetof(); struct ifqueue ipintrq; /* ip packet input queue */ #endif #ifdef KERNEL /* * Macro for finding the interface (ifnet structure) corresponding to one * of our IP addresses. */ #define INADDR_TO_IFP(addr, ifp) \ /* struct in_addr addr; */ \ /* struct ifnet *ifp; */ \ { \ register struct in_ifaddr *ia; \ \ for (ia = in_ifaddr; \ ia != NULL && IA_SIN(ia)->sin_addr.s_addr != (addr).s_addr; \ ia = ia->ia_next); \ (ifp) = (ia == NULL) ? 
NULL : ia->ia_ifp; \ } /* * Macro for finding the internet address structure (in_ifaddr) corresponding * to a given interface (ifnet structure). */ #define IFP_TO_IA(ifp, ia) \ /* struct ifnet *ifp; */ \ /* struct in_ifaddr *ia; */ \ { \ for ((ia) = in_ifaddr; \ (ia) != NULL && (ia)->ia_ifp != (ifp); \ (ia) = (ia)->ia_next); \ } #endif /* KERNEL */ /* * Per-interface router version information is kept in this list. * This information should be part of the ifnet structure but we don't wish * to change that - as it might break a number of things */ struct router_info { struct ifnet *ifp; int type; /* type of router which is querier on this interface */ int time; /* # of slow timeouts since last old query */ struct router_info *next; }; /* * Internet multicast address structure. There is one of these for each IP * multicast group to which this host belongs on a given network interface. * They are kept in a linked list, rooted in the interface's in_ifaddr * structure. */ struct in_multi { struct in_addr inm_addr; /* IP multicast address */ struct ifnet *inm_ifp; /* back pointer to ifnet */ struct in_ifaddr *inm_ia; /* back pointer to in_ifaddr */ u_int inm_refcount;/* no. membership claims by sockets */ u_int inm_timer; /* IGMP membership report timer */ struct in_multi *inm_next; /* ptr to next multicast address */ u_int inm_state; /* state of the membership */ struct router_info *inm_rti; /* router info*/ }; #ifdef KERNEL /* * Structure used by macros below to remember position when stepping through * all of the in_multi records. */ struct in_multistep { struct in_ifaddr *i_ia; struct in_multi *i_inm; }; /* * Macro for looking up the in_multi record for a given IP multicast address * on a given interface. If no matching record is found, "inm" returns NULL. 
*/ #define IN_LOOKUP_MULTI(addr, ifp, inm) \ /* struct in_addr addr; */ \ /* struct ifnet *ifp; */ \ /* struct in_multi *inm; */ \ { \ register struct in_ifaddr *ia; \ \ IFP_TO_IA((ifp), ia); \ if (ia == NULL) \ (inm) = NULL; \ else \ for ((inm) = ia->ia_multiaddrs; \ (inm) != NULL && (inm)->inm_addr.s_addr != (addr).s_addr; \ (inm) = inm->inm_next); \ } /* * Macro to step through all of the in_multi records, one at a time. * The current position is remembered in "step", which the caller must * provide. IN_FIRST_MULTI(), below, must be called to initialize "step" * and get the first record. Both macros return a NULL "inm" when there * are no remaining records. */ #define IN_NEXT_MULTI(step, inm) \ /* struct in_multistep step; */ \ /* struct in_multi *inm; */ \ { \ if (((inm) = (step).i_inm) != NULL) { \ (step).i_inm = (inm)->inm_next; \ } \ else while ((step).i_ia != NULL) { \ (inm) = (step).i_ia->ia_multiaddrs; \ (step).i_ia = (step).i_ia->ia_next; \ if ((inm) != NULL) { \ (step).i_inm = (inm)->inm_next; \ break; \ } \ } \ } #define IN_FIRST_MULTI(step, inm) \ /* struct in_multistep step; */ \ /* struct in_multi *inm; */ \ { \ (step).i_ia = in_ifaddr; \ (step).i_inm = NULL; \ IN_NEXT_MULTI((step), (inm)); \ } struct in_multi *in_addmulti(); #endif /* KERNEL */ #endif /*!_netinet_in_var_h*/ diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c index 8302806f441d..a5023cd4bde0 100644 --- a/contrib/ipfilter/ipsend/ip.c +++ b/contrib/ipfilter/ipsend/ip.c 
@@ -1,366 +1,364 @@ -/* $NetBSD$ */ - /* * ip.c (C) 1995-1998 Darren Reed * * See the IPFILTER.LICENCE file for details on licencing. */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; -static const char rcsid[] = "@(#)Id: ip.c,v 2.8.2.1 2004/10/19 12:31:48 darrenr Exp"; +static const char rcsid[] = "@(#)$Id: ip.c,v 2.8.2.1 2004/10/19 12:31:48 darrenr Exp $"; #endif #include #include #include #include #include #include #include #include #ifndef linux # include # include # if __FreeBSD_version >= 300000 # include # endif #endif #include #include #include #include #include #include "ipsend.h" static char *ipbuf = NULL, *ethbuf = NULL; u_short chksum(buf,len) u_short *buf; int len; { u_long sum = 0; int nwords = len >> 1; for(; nwords > 0; nwords--) sum += *buf++; sum = (sum>>16) + (sum & 0xffff); sum += (sum >>16); return (~sum); } int send_ether(nfd, buf, len, gwip) int nfd, len; char *buf; struct in_addr gwip; { static struct in_addr last_gw; static char last_arp[6] = { 0, 0, 0, 0, 0, 0}; ether_header_t *eh; char *s; int err; if (!ethbuf) ethbuf = (char *)calloc(1, 65536+1024); s = ethbuf; eh = (ether_header_t *)s; bcopy((char *)buf, s + sizeof(*eh), len); if (gwip.s_addr == last_gw.s_addr) { bcopy(last_arp, (char *)A_A eh->ether_dhost, 6); } else if (arp((char *)&gwip, (char *)A_A eh->ether_dhost) == -1) { perror("arp"); return -2; } eh->ether_type = htons(ETHERTYPE_IP); last_gw.s_addr = gwip.s_addr; err = sendip(nfd, s, sizeof(*eh) + len); return err; } /* */ int send_ip(nfd, mtu, ip, gwip, frag) int nfd, mtu; ip_t *ip; struct in_addr gwip; int frag; { static struct in_addr last_gw, local_ip; static char local_arp[6] = { 0, 0, 0, 0, 0, 0}; static char last_arp[6] = { 0, 0, 0, 0, 0, 0}; static u_short id = 0; ether_header_t *eh; ip_t ipsv; int err, iplen; if (!ipbuf) { ipbuf = (char *)malloc(65536); if (!ipbuf) { perror("malloc failed"); return -2; } } eh = (ether_header_t *)ipbuf; bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost)); if 
(last_gw.s_addr && (gwip.s_addr == last_gw.s_addr)) { bcopy(last_arp, (char *)A_A eh->ether_dhost, 6); } else if (arp((char *)&gwip, (char *)A_A eh->ether_dhost) == -1) { perror("arp"); return -2; } bcopy((char *)A_A eh->ether_dhost, last_arp, sizeof(last_arp)); eh->ether_type = htons(ETHERTYPE_IP); bcopy((char *)ip, (char *)&ipsv, sizeof(*ip)); last_gw.s_addr = gwip.s_addr; iplen = ip->ip_len; ip->ip_len = htons(iplen); if (!(frag & 2)) { if (!IP_V(ip)) IP_V_A(ip, IPVERSION); if (!ip->ip_id) ip->ip_id = htons(id++); if (!ip->ip_ttl) ip->ip_ttl = 60; } if (ip->ip_src.s_addr != local_ip.s_addr) { (void) arp((char *)&ip->ip_src, (char *)A_A local_arp); bcopy(local_arp, (char *)A_A eh->ether_shost,sizeof(last_arp)); local_ip = ip->ip_src; } else bcopy(local_arp, (char *)A_A eh->ether_shost, 6); if (!frag || (sizeof(*eh) + iplen < mtu)) { ip->ip_sum = 0; ip->ip_sum = chksum((u_short *)ip, IP_HL(ip) << 2); bcopy((char *)ip, ipbuf + sizeof(*eh), iplen); err = sendip(nfd, ipbuf, sizeof(*eh) + iplen); } else { /* * Actually, this is bogus because we're putting all IP * options in every packet, which isn't always what should be * done. Will do for now. 
*/ ether_header_t eth; char optcpy[48], ol; char *s; int i, sent = 0, ts, hlen, olen; hlen = IP_HL(ip) << 2; if (mtu < (hlen + 8)) { fprintf(stderr, "mtu (%d) < ip header size (%d) + 8\n", mtu, hlen); fprintf(stderr, "can't fragment data\n"); return -2; } ol = (IP_HL(ip) << 2) - sizeof(*ip); for (i = 0, s = (char*)(ip + 1); ol > 0; ) if (*s == IPOPT_EOL) { optcpy[i++] = *s; break; } else if (*s == IPOPT_NOP) { s++; ol--; } else { olen = (int)(*(u_char *)(s + 1)); ol -= olen; if (IPOPT_COPIED(*s)) { bcopy(s, optcpy + i, olen); i += olen; s += olen; } } if (i) { /* * pad out */ while ((i & 3) && (i & 3) != 3) optcpy[i++] = IPOPT_NOP; if ((i & 3) == 3) optcpy[i++] = IPOPT_EOL; } bcopy((char *)eh, (char *)ð, sizeof(eth)); s = (char *)ip + hlen; iplen = ntohs(ip->ip_len) - hlen; ip->ip_off |= htons(IP_MF); while (1) { if ((sent + (mtu - hlen)) >= iplen) { ip->ip_off ^= htons(IP_MF); ts = iplen - sent; } else ts = (mtu - hlen); ip->ip_off &= htons(0xe000); ip->ip_off |= htons(sent >> 3); ts += hlen; ip->ip_len = htons(ts); ip->ip_sum = 0; ip->ip_sum = chksum((u_short *)ip, hlen); bcopy((char *)ip, ipbuf + sizeof(*eh), hlen); bcopy(s + sent, ipbuf + sizeof(*eh) + hlen, ts - hlen); err = sendip(nfd, ipbuf, sizeof(*eh) + ts); bcopy((char *)ð, ipbuf, sizeof(eth)); sent += (ts - hlen); if (!(ntohs(ip->ip_off) & IP_MF)) break; else if (!(ip->ip_off & htons(0x1fff))) { hlen = i + sizeof(*ip); IP_HL_A(ip, (sizeof(*ip) + i) >> 2); bcopy(optcpy, (char *)(ip + 1), i); } } } bcopy((char *)&ipsv, (char *)ip, sizeof(*ip)); return err; } /* * send a tcp packet. 
*/ int send_tcp(nfd, mtu, ip, gwip) int nfd, mtu; ip_t *ip; struct in_addr gwip; { static tcp_seq iss = 2; tcphdr_t *t, *t2; int thlen, i, iplen, hlen; u_32_t lbuf[20]; ip_t *ip2; iplen = ip->ip_len; hlen = IP_HL(ip) << 2; t = (tcphdr_t *)((char *)ip + hlen); ip2 = (struct ip *)lbuf; t2 = (tcphdr_t *)((char *)ip2 + hlen); thlen = TCP_OFF(t) << 2; if (!thlen) thlen = sizeof(tcphdr_t); bzero((char *)ip2, sizeof(*ip2) + sizeof(*t2)); ip->ip_p = IPPROTO_TCP; ip2->ip_p = ip->ip_p; ip2->ip_src = ip->ip_src; ip2->ip_dst = ip->ip_dst; bcopy((char *)ip + hlen, (char *)t2, thlen); if (!t2->th_win) t2->th_win = htons(4096); iss += 63; i = sizeof(struct tcpiphdr) / sizeof(long); if ((t2->th_flags == TH_SYN) && !ntohs(ip->ip_off) && (lbuf[i] != htonl(0x020405b4))) { lbuf[i] = htonl(0x020405b4); bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4, iplen - thlen - hlen); thlen += 4; } TCP_OFF_A(t2, thlen >> 2); ip2->ip_len = htons(thlen); ip->ip_len = hlen + thlen; t2->th_sum = 0; t2->th_sum = chksum((u_short *)ip2, thlen + sizeof(ip_t)); bcopy((char *)t2, (char *)ip + hlen, thlen); return send_ip(nfd, mtu, ip, gwip, 1); } /* * send a udp packet. */ int send_udp(nfd, mtu, ip, gwip) int nfd, mtu; ip_t *ip; struct in_addr gwip; { struct tcpiphdr *ti; int thlen; u_long lbuf[20]; ti = (struct tcpiphdr *)lbuf; bzero((char *)ti, sizeof(*ti)); thlen = sizeof(udphdr_t); ti->ti_pr = ip->ip_p; ti->ti_src = ip->ip_src; ti->ti_dst = ip->ip_dst; bcopy((char *)ip + (IP_HL(ip) << 2), (char *)&ti->ti_sport, sizeof(udphdr_t)); ti->ti_len = htons(thlen); ip->ip_len = (IP_HL(ip) << 2) + thlen; ti->ti_sum = 0; ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t)); bcopy((char *)&ti->ti_sport, (char *)ip + (IP_HL(ip) << 2), sizeof(udphdr_t)); return send_ip(nfd, mtu, ip, gwip, 1); } /* * send an icmp packet. 
*/ int send_icmp(nfd, mtu, ip, gwip) int nfd, mtu; ip_t *ip; struct in_addr gwip; { struct icmp *ic; ic = (struct icmp *)((char *)ip + (IP_HL(ip) << 2)); ic->icmp_cksum = 0; ic->icmp_cksum = chksum((u_short *)ic, sizeof(struct icmp)); return send_ip(nfd, mtu, ip, gwip, 1); } int send_packet(nfd, mtu, ip, gwip) int nfd, mtu; ip_t *ip; struct in_addr gwip; { switch (ip->ip_p) { case IPPROTO_TCP : return send_tcp(nfd, mtu, ip, gwip); case IPPROTO_UDP : return send_udp(nfd, mtu, ip, gwip); case IPPROTO_ICMP : return send_icmp(nfd, mtu, ip, gwip); default : return send_ip(nfd, mtu, ip, gwip, 1); } } diff --git a/contrib/ipfilter/ipsend/ip_var.h b/contrib/ipfilter/ipsend/ip_var.h index b08f4e7a2fd3..92eb38a0befc 100644 --- a/contrib/ipfilter/ipsend/ip_var.h +++ b/contrib/ipfilter/ipsend/ip_var.h 
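Review bot: In send_ip's fragmentation branch the option-copy loop trusts the length byte of each IP option: `olen` is read from `s + 1` and handed to `bcopy(s, optcpy + i, olen)` without being compared to the remaining option space `ol` or to the 48-byte `optcpy` buffer, so a malformed header can write past the stack buffer. `s` also advances only inside the `IPOPT_COPIED` branch, so a non-copied option is read again on the next pass, and a zero length byte never reduces `ol`. I would reject bad lengths before `ol -= olen` with `if (olen < 2 || olen > ol || i + olen > (int)sizeof(optcpy)) return -2;` and move `s += olen;` out of the `if` so every option is stepped over. This matters because the headers presumably come from capture files replayed by ipresend, which its man page says needs to be run as root.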
@@ -1,125 +1,123 @@ -/* $NetBSD$ */ - /* @(#)ip_var.h 1.11 88/08/19 SMI; from UCB 7.1 6/5/86 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * Overlay for ip header used by other protocols (tcp, udp). */ #ifndef _netinet_ip_var_h #define _netinet_ip_var_h struct ipovly { caddr_t ih_next, ih_prev; /* for protocol sequence q's */ u_char ih_x1; /* (unused) */ u_char ih_pr; /* protocol */ short ih_len; /* protocol length */ struct in_addr ih_src; /* source internet address */ struct in_addr ih_dst; /* destination internet address */ }; /* * Ip reassembly queue structure. Each fragment * being reassembled is attached to one of these structures. * They are timed out after ipq_ttl drops to 0, and may also * be reclaimed if memory becomes tight. */ struct ipq { struct ipq *next,*prev; /* to other reass headers */ u_char ipq_ttl; /* time for reass q to live */ u_char ipq_p; /* protocol of this fragment */ u_short ipq_id; /* sequence id for reassembly */ struct ipasfrag *ipq_next,*ipq_prev; /* to ip headers of fragments */ struct in_addr ipq_src,ipq_dst; }; /* * Ip header, when holding a fragment. * * Note: ipf_next must be at same offset as ipq_next above */ struct ipasfrag { #if defined(vax) || defined(i386) u_char ip_hl:4, ip_v:4; #endif #if defined(mc68000) || defined(sparc) u_char ip_v:4, ip_hl:4; #endif u_char ipf_mff; /* copied from (ip_off&IP_MF) */ short ip_len; u_short ip_id; short ip_off; u_char ip_ttl; u_char ip_p; u_short ip_sum; struct ipasfrag *ipf_next; /* next fragment */ struct ipasfrag *ipf_prev; /* previous fragment */ }; /* * Structure stored in mbuf in inpcb.ip_options * and passed to ip_output when ip options are in use. * The actual length of the options (including ipopt_dst) * is in m_len. 
*/ #define MAX_IPOPTLEN 40 struct ipoption { struct in_addr ipopt_dst; /* first-hop dst if source routed */ char ipopt_list[MAX_IPOPTLEN]; /* options proper */ }; /* * Structure stored in an mbuf attached to inpcb.ip_moptions and * passed to ip_output when IP multicast options are in use. */ struct ip_moptions { struct ifnet *imo_multicast_ifp; /* ifp for outgoing multicasts */ u_char imo_multicast_ttl; /* TTL for outgoing multicasts */ u_char imo_multicast_loop; /* 1 => hear sends if a member */ u_short imo_num_memberships;/* no. memberships this socket */ struct in_multi *imo_membership[IP_MAX_MEMBERSHIPS]; #ifdef RSVP_ISI long imo_multicast_vif; /* vif for outgoing multicasts */ #endif /* RSVP_ISI */ }; struct ipstat { long ips_total; /* total packets received */ long ips_badsum; /* checksum bad */ long ips_tooshort; /* packet too short */ long ips_toosmall; /* not enough data */ long ips_badhlen; /* ip header length < data size */ long ips_badlen; /* ip length < ip header length */ long ips_fragments; /* fragments received */ long ips_fragdropped; /* frags dropped (dups, out of space) */ long ips_fragtimeout; /* fragments timed out */ long ips_forward; /* packets forwarded */ long ips_cantforward; /* packets rcvd for unreachable dest */ long ips_redirectsent; /* packets forwarded on same net */ }; #ifdef KERNEL /* flags passed to ip_output as last parameter */ #define IP_FORWARDING 0x1 /* most of ip header exists */ #define IP_MULTICASTOPTS 0x2 /* multicast opts present */ #define IP_ROUTETOIF SO_DONTROUTE /* bypass routing tables */ #define IP_ALLOWBROADCAST SO_BROADCAST /* can send broadcast packets */ struct ipstat ipstat; struct ipq ipq; /* ip reass. queue */ u_short ip_id; /* ip packet ctr, for ids */ struct mbuf *ip_srcroute(); #endif #endif /*!_netinet_ip_var_h*/ diff --git a/contrib/ipfilter/ipsend/ipresend.1 b/contrib/ipfilter/ipsend/ipresend.1 index cffc6f3c29b6..6014313587b0 100644 --- a/contrib/ipfilter/ipsend/ipresend.1 
+++ b/contrib/ipfilter/ipsend/ipresend.1 
@@ -1,108 +1,106 @@ -.\" $NetBSD$ -.\" .TH IPRESEND 1 .SH NAME ipresend \- resend IP packets out to network .SH SYNOPSIS .B ipresend [ .B \-EHPRSTX ] [ .B \-d ] [ .B \-g <\fIgateway\fP> ] [ .B \-m <\fIMTU\fP> ] [ .B \-r <\fIfilename\fP> ] .SH DESCRIPTION .PP \fBipresend\fP was designed to allow packets to be resent, once captured, back out onto the network for use in testing. \fIipresend\fP supports a number of different file formats as input, including saved snoop/tcpdump binary data. .SH OPTIONS .TP .BR \-d \0 Set the interface name to be the name supplied. This is useful with the \fB\-P, \-S, \-T\fP and \fB\-E\fP options, where it is not otherwise possible to associate a packet with an interface. Normal "text packets" can override this setting. .TP .BR \-g \0 Specify the hostname of the gateway through which to route packets. This is required whenever the destination host isn't directly attached to the same network as the host from which you're sending. .TP .BR \-m \0 Specify the MTU to be used when sending out packets. This option allows you to set a fake MTU, allowing the simulation of network interfaces with small MTU's without setting them so. .TP .BR \-r \0 Specify the filename from which to take input. Default is stdin. .TP .B \-E The input file is to be text output from etherfind. The text formats which are currently supported are those which result from the following etherfind option combinations: .PP .nf etherfind -n etherfind -n -t .fi .LP .TP .B \-H The input file is to be hex digits, representing the binary makeup of the packet. No length correction is made, if an incorrect length is put in the IP header. .TP .B \-P The input file specified by \fB\-i\fP is a binary file produced using libpcap (i.e., tcpdump version 3). Packets are read from this file as being input (for rule purposes). .TP .B \-R When sending packets out, send them out "raw" (the way they came in). The only real significance here is that it will expect the link layer (i.e. 
ethernet) headers to be prepended to the IP packet being output. .TP .B \-S The input file is to be in "snoop" format (see RFC 1761). Packets are read from this file and used as input from any interface. This is perhaps the most useful input type, currently. .TP .B \-T The input file is to be text output from tcpdump. The text formats which are currently supported are those which result from the following tcpdump option combinations: .PP .nf tcpdump -n tcpdump -nq tcpdump -nqt tcpdump -nqtt tcpdump -nqte .fi .LP .TP .B \-X The input file is composed of text descriptions of IP packets. .DT .SH SEE ALSO snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p) .SH DIAGNOSTICS .PP Needs to be run as root. .SH BUGS .PP Not all of the input formats are sufficiently capable of introducing a wide enough variety of packets for them to be all useful in testing. If you find any, please send email to me at darrenr@pobox.com diff --git a/contrib/ipfilter/ipsend/ipresend.c b/contrib/ipfilter/ipsend/ipresend.c index 1db54e19015f..7e52fe959f51 100644 --- a/contrib/ipfilter/ipsend/ipresend.c +++ b/contrib/ipfilter/ipsend/ipresend.c 
@@ -1,160 +1,158 @@ -/* $NetBSD$ */ - /* * ipresend.c (C) 1995-1998 Darren Reed * * See the IPFILTER.LICENCE file for details on licencing. * */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)Id: ipresend.c,v 2.4 2004/01/08 13:34:31 darrenr Exp"; +static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.4 2004/01/08 13:34:31 darrenr Exp $"; #endif #include #include #include #include #include #include #include #include #ifndef linux #include #endif #include #include #include #include #include #include "ipsend.h" extern char *optarg; extern int optind; #ifndef NO_IPF extern struct ipread snoop, pcap, etherf, iphex, tcpd, iptext; #endif int opts = 0; #ifndef DEFAULT_DEVICE # ifdef linux char default_device[] = "eth0"; # else # ifdef sun char default_device[] = "le0"; # else # ifdef ultrix char default_device[] = "ln0"; # else # ifdef __bsdi__ char default_device[] = "ef0"; # else # ifdef __sgi char default_device[] = "ec0"; # else char default_device[] = "lan0"; # endif # endif # endif # endif # endif #else char default_device[] = DEFAULT_DEVICE; #endif static void usage __P((char *)); int main __P((int, char **)); static void usage(prog) char *prog; { fprintf(stderr, "Usage: %s [options] <-r filename|-R filename>\n\ \t\t-r filename\tsnoop data file to resend\n\ \t\t-R filename\tlibpcap data file to resend\n\ \toptions:\n\ \t\t-d device\tSend out on this device\n\ \t\t-g gateway\tIP gateway to use if non-local dest.\n\ \t\t-m mtu\t\tfake MTU to use when sending out\n\ ", prog); exit(1); } int main(argc, argv) int argc; char **argv; { struct in_addr gwip; struct ipread *ipr = NULL; char *name = argv[0], *gateway = NULL, *dev = NULL; char *resend = NULL; int mtu = 1500, c; while ((c = getopt(argc, argv, "EHPRSTXd:g:m:r:")) != -1) switch (c) { case 'd' : dev = optarg; break; case 'g' : gateway = optarg; break; case 'm' : mtu = atoi(optarg); if (mtu < 28) { fprintf(stderr, "mtu must be > 28\n"); exit(1); } case 
'r' : resend = optarg; break; case 'R' : opts |= OPT_RAW; break; #ifndef NO_IPF case 'E' : ipr = ðerf; break; case 'H' : ipr = &iphex; break; case 'P' : ipr = &pcap; break; case 'S' : ipr = &snoop; break; case 'T' : ipr = &tcpd; break; case 'X' : ipr = &iptext; break; #endif default : fprintf(stderr, "Unknown option \"%c\"\n", c); usage(name); } if (!ipr || !resend) usage(name); gwip.s_addr = 0; if (gateway && resolve(gateway, (char *)&gwip) == -1) { fprintf(stderr,"Cant resolve %s\n", gateway); exit(2); } if (!dev) dev = default_device; printf("Device: %s\n", dev); printf("Gateway: %s\n", inet_ntoa(gwip)); printf("mtu: %d\n", mtu); return ip_resend(dev, mtu, ipr, gwip, resend); } diff --git a/contrib/ipfilter/ipsend/ipsend.1 b/contrib/ipfilter/ipsend/ipsend.1 index 33320f3bd57b..f2f806658dd3 100644 --- a/contrib/ipfilter/ipsend/ipsend.1 +++ b/contrib/ipfilter/ipsend/ipsend.1 
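Review bot: `case 'm'` in main's getopt switch has no `break`, so after the MTU is parsed control falls into `case 'r'` and `resend` is overwritten with the MTU string; a `-m` given after `-r` therefore replaces the input filename. Add `break;` after the range check. The check itself rejects only `mtu < 28` while the message says `mtu must be > 28`, so either the test should be `mtu <= 28` or the text should say `>= 28`. The usage text also documents `-R filename`, but the option string `"EHPRSTXd:g:m:r:"` takes `R` without an argument and uses it to set OPT_RAW, so the help and the parser disagree.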
@@ -1,111 +1,109 @@ -.\" $NetBSD$ -.\" .TH IPSEND 1 .SH NAME ipsend \- sends IP packets .SH SYNOPSIS .B ipsend [ .B \-dITUv ] [ .B \-i ] [ .B \-f <\fIoffset\fP> ] [ .B \-g <\fIgateway\fP> ] [ .B \-m <\fIMTU\fP> ] [ .B \-o <\fIoption\fP> ] [ .B \-P ] [ .B \-s <\fIsource\fP> ] [ .B \-t <\fIdest. port\fP> ] [ .B \-w <\fIwindow\fP> ] [TCP-flags] .SH DESCRIPTION .PP \fBipsend\fP can be compiled in two ways. The first is used to send one-off packets to a destination host, using command line options to specify various attributes present in the headers. The \fIdestination\fP must be given as the last command line option, except for when TCP flags are specified as a combination of A, S, F, U, P and R, last. .PP The other way it may be compiled, with DOSOCKET defined, is to allow an attempt at making a TCP connection using a with ipsend resending the SYN packet as per the command line options. .SH OPTIONS .TP .BR \-d enable debugging mode. .TP .BR \-f \0 The \fI-f\fP allows the IP offset field in the IP header to be set to an arbitrary value, which can be specified in decimal or hexadecimal. .TP .BR \-g \0 Specify the hostname of the gateway through which to route packets. This is required whenever the destination host isn't directly attached to the same network as the host from which you're sending. .TP .BR \-i \0 Set the interface name to be the name supplied. .TP .TP .BR \-m \0 Specify the MTU to be used when sending out packets. This option allows you to set a fake MTU, allowing the simulation of network interfaces with small MTU's without setting them so. .TP .BR \-o \0