Diffstat (limited to 'usr/src/cmd')
67 files changed, 2935 insertions, 1797 deletions
diff --git a/usr/src/cmd/ipf/Makefile.ipf b/usr/src/cmd/ipf/Makefile.ipf index b4bb4d8620..7a6d8c4c16 100644 --- a/usr/src/cmd/ipf/Makefile.ipf +++ b/usr/src/cmd/ipf/Makefile.ipf @@ -1,5 +1,5 @@ # -# Copyright 2005 Sun Microsystems, Inc. All rights reserved. +# Copyright 2006 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # #ident "%Z%%M% %I% %E% SMI" @@ -11,8 +11,8 @@ LIBIPF= ../../lib/$(MACH)/libipf.a LIBIPF64= ../../lib/$(MACH64)/libipf.a -COMMONIPF= $(SRC)/common/ipf -KERNELIPF= $(SRC)/uts/common/inet/ipf +COMMONIPF= $(SRC)/uts/common/inet/ipf +KERNELIPF= $(SRC)/uts/common/inet/pfil MINOR= echo $(RELEASE) | cut -d. -f2 CPPFLAGS += -I$(COMMONIPF) -I$(KERNELIPF) -DSUNDDI -DUSE_INET6 \ diff --git a/usr/src/cmd/ipf/lib/Makefile.com b/usr/src/cmd/ipf/lib/Makefile.com index c2f50235b5..70f7d0a179 100644 --- a/usr/src/cmd/ipf/lib/Makefile.com +++ b/usr/src/cmd/ipf/lib/Makefile.com @@ -1,5 +1,5 @@ # -# Copyright 2005 Sun Microsystems, Inc. All rights reserved. +# Copyright 2006 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # #ident "%Z%%M% %I% %E% SMI" 
@@ -17,19 +17,21 @@ OBJECTS= addicmp.o addipopt.o bcopywrap.o \ getline.o getnattype.o getport.o getportproto.o \ getproto.o getsumd.o hostmask.o hostname.o \ hostnum.o icmpcode.o inet_addr.o initparse.o \ - ionames.o ipoptsec.o ipft_ef.o ipft_hx.o \ - ipft_pc.o ipft_sn.o ipft_td.o ipft_tx.o kmem.o \ - kmemcpywrap.o kvatoname.o load_hash.o load_pool.o \ - load_hashnode.o load_poolnode.o loglevel.o \ - mutex_emul.o nametokva.o natparse.o ntomask.o \ - optname.o optprint.o optprintv6.o optvalue.o \ + ionames.o v6ionames.o ipoptsec.o ipf_dotuning.o \ + ipft_ef.o ipft_hx.o ipft_pc.o ipft_sn.o ipft_td.o \ + ipft_tx.o kmem.o kmemcpywrap.o kvatoname.o \ + load_hash.o load_pool.o load_hashnode.o \ + load_poolnode.o loglevel.o mutex_emul.o nametokva.o \ + natparse.o ntomask.o optname.o optprint.o \ + optprintv6.o optvalue.o \ portname.o portnum.o ports.o print_toif.o \ - printaps.o printbuf.o printhash.o printhashnode.o \ - printip.o printpool.o printpoolnode.o printfr.o \ + printactivenat.o printaps.o printbuf.o printhash.o \ + printhashnode.o printip.o printpool.o \ + printpoolnode.o printfr.o printfraginfo.o \ printhostmap.o printifname.o printhostmask.o \ - printlog.o printmask.o printnat.o printportcmp.o \ - printpacket.o printpacket6.o printsbuf.o \ - printstate.o ratoi.o \ + printlog.o printmask.o printnat.o printpacket.o \ + printpacket6.o printportcmp.o printproto.o \ + printsbuf.o printstate.o printtunable.o ratoi.o \ remove_pool.o remove_poolnode.o remove_hash.o \ remove_hashnode.o resetlexer.o rwlock_emul.o \ tcpflags.o to_interface.o var.o verbose.o \ diff --git a/usr/src/cmd/ipf/lib/common/addicmp.c b/usr/src/cmd/ipf/lib/common/addicmp.c index 4892ba09ed..e18a787a0a 100644 --- a/usr/src/cmd/ipf/lib/common/addicmp.c +++ b/usr/src/cmd/ipf/lib/common/addicmp.c 
@@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: addicmp.c,v 1.8 2002/01/28 06:50:45 darrenr Exp $ + * $Id: addicmp.c,v 1.10.2.1 2004/12/09 19:41:16 darrenr Exp $ */ #include <ctype.h> @@ -34,7 +34,7 @@ int linenum; return -1; if (!fp->fr_proto) /* to catch lusers */ fp->fr_proto = IPPROTO_ICMP; - if (isdigit(***cp)) { + if (ISDIGIT(***cp)) { if (!ratoi(**cp, &i, 0, 255)) { fprintf(stderr, "%d: Invalid icmp-type (%s) specified\n", @@ -68,9 +68,9 @@ int linenum; if (**cp && strcasecmp("code", **cp)) return 0; (*cp)++; - if (isdigit(***cp)) { + if (ISDIGIT(***cp)) { if (!ratoi(**cp, &i, 0, 255)) { - fprintf(stderr, + fprintf(stderr, "%d: Invalid icmp code (%s) specified\n", linenum, **cp); return -1; @@ -78,7 +78,7 @@ int linenum; } else { i = icmpcode(**cp); if (i == -1) { - fprintf(stderr, + fprintf(stderr, "%d: Unknown icmp code (%s) specified\n", linenum, **cp); return -1; diff --git a/usr/src/cmd/ipf/lib/common/checkrev.c b/usr/src/cmd/ipf/lib/common/checkrev.c index c57295385f..f95cc7977a 100644 --- a/usr/src/cmd/ipf/lib/common/checkrev.c +++ b/usr/src/cmd/ipf/lib/common/checkrev.c @@ -3,21 +3,21 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: checkrev.c,v 1.9 2003/04/27 17:09:46 darrenr Exp $ + * $Id: checkrev.c,v 1.12.2.1 2004/03/09 14:44:39 darrenr Exp $ */ #include <sys/ioctl.h> #include <fcntl.h> #include "ipf.h" -#include "ipl.h" +#include "netinet/ipl.h" int checkrev(ipfname) char *ipfname; { + static int vfd = -1; struct friostat fio, *fiop = &fio; ipfobj_t ipfo; - int vfd; bzero((caddr_t)&ipfo, sizeof(ipfo)); ipfo.ipfo_rev = IPFILTER_VERSION; @@ -25,7 +25,7 @@ char *ipfname; ipfo.ipfo_ptr = (void *)fiop; ipfo.ipfo_type = IPFOBJ_IPFSTAT; - if ((vfd = open(ipfname, O_RDONLY)) == -1) { + if ((vfd == -1) && ((vfd = open(ipfname, O_RDONLY)) == -1)) { perror("open device"); return -1; } 
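Review bot: `vfd` becomes a function-static that is opened only while it is -1, and the following hunk in checkrev.c drops the `close(vfd)` on the success path, so the descriptor is held for the life of the process and a later call with a different `ipfname` silently reuses whatever device was opened first. If that caching is intended, state it on the declaration: `static int vfd = -1;	/* opened once; ipfname is ignored after the first successful open */`. The descriptor is still closed and reset to -1 when SIOCGETFS fails, so a retry after a failed ioctl does reopen. The rest of checkrev() (the version comparison and final return) lies outside these hunks.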
@@ -33,9 +33,9 @@ char *ipfname; if (ioctl(vfd, SIOCGETFS, &ipfo)) { perror("ioctl(SIOCGETFS)"); close(vfd); + vfd = -1; return -1; } - close(vfd); if (strncmp(IPL_VERSION, fio.f_version, sizeof(fio.f_version))) { return -1; diff --git a/usr/src/cmd/ipf/lib/common/facpri.c b/usr/src/cmd/ipf/lib/common/facpri.c index eb76ee0f95..9d6faa9055 100644 --- a/usr/src/cmd/ipf/lib/common/facpri.c +++ b/usr/src/cmd/ipf/lib/common/facpri.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: facpri.c,v 1.5 2001/06/09 17:09:24 darrenr Exp $ + * $Id: facpri.c,v 1.6 2003/12/01 01:59:43 darrenr Exp $ */ #include <stdio.h> @@ -20,7 +20,7 @@ #include "facpri.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: facpri.c,v 1.5 2001/06/09 17:09:24 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: facpri.c,v 1.6 2003/12/01 01:59:43 darrenr Exp $"; #endif @@ -35,7 +35,7 @@ table_t facs[] = { { "auth", LOG_AUTH }, { "syslog", LOG_SYSLOG }, { "lpr", LOG_LPR }, { "news", LOG_NEWS }, { "uucp", LOG_UUCP }, -#if LOG_CRON == LOG_CRON2 +#if LOG_CRON == LOG_CRON2 { "cron2", LOG_CRON1 }, #else { "cron", LOG_CRON1 }, diff --git a/usr/src/cmd/ipf/lib/common/genmask.c b/usr/src/cmd/ipf/lib/common/genmask.c index e57a65499b..238e5b62af 100644 --- a/usr/src/cmd/ipf/lib/common/genmask.c +++ b/usr/src/cmd/ipf/lib/common/genmask.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: genmask.c,v 1.6 2002/01/28 06:50:46 darrenr Exp $ + * $Id: genmask.c,v 1.7 2003/11/11 13:40:15 darrenr Exp $ */ #include "ipf.h" diff --git a/usr/src/cmd/ipf/lib/common/gethost.c b/usr/src/cmd/ipf/lib/common/gethost.c index bc5d8975ee..5ecea3adaf 100644 --- a/usr/src/cmd/ipf/lib/common/gethost.c +++ b/usr/src/cmd/ipf/lib/common/gethost.c @@ -1,3 +1,8 @@ +/* + * Copyright (C) 1993-2005 by Darren Reed. + * See the IPFILTER.LICENCE file for details on licencing. + */ + #include "ipf.h" int gethost(name, hostp) 
@@ -5,8 +10,14 @@ char *name; u_32_t *hostp; { struct hostent *h; + struct netent *n; u_32_t addr; + if (!strcmp(name, "test.host.dots")) { + *hostp = htonl(0xfedcba98); + return 0; + } + if (!strcmp(name, "<thishost>")) name = thishost; @@ -18,5 +29,11 @@ u_32_t *hostp; return 0; } } + + n = getnetbyname(name); + if (n != NULL) { + *hostp = (u_32_t)htonl(n->n_net & 0xffffffff); + return 0; + } return -1; } diff --git a/usr/src/cmd/ipf/lib/common/getifname.c b/usr/src/cmd/ipf/lib/common/getifname.c index 39d193dcc6..a42a4e089b 100644 --- a/usr/src/cmd/ipf/lib/common/getifname.c +++ b/usr/src/cmd/ipf/lib/common/getifname.c @@ -1,6 +1,16 @@ +/* + * Copyright (C) 2003 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + +#pragma ident "%Z%%M% %I% %E% SMI" + #include "ipf.h" #include "qif.h" - #include "kmem.h" /* @@ -10,24 +20,34 @@ char *getifname(ptr) struct ifnet *ptr; { -#if SOLARIS +#if SOLARIS || defined(__hpux) +# if SOLARIS +# include <sys/mutex.h> +# include <sys/condvar.h> +# endif +# ifdef __hpux +# include "compat.h" +# endif char *ifname; - s_ill_t ill; + qif_t qif; if ((void *)ptr == (void *)-1) return "!"; if (ptr == NULL) return "-"; - if (kmemcpy((char *)&ill, (u_long)ptr, sizeof(ill)) == -1) + if (kmemcpy((char *)&qif, (u_long)ptr, sizeof(qif)) == -1) return "X"; - ifname = malloc(sizeof(ill.ill_name) + 1); - strncpy(ifname, ill.ill_name, sizeof(ill.ill_name)); - ifname[sizeof(ill.ill_name)] = '\0'; + ifname = strdup(qif.qf_name); + if ((ifname != NULL) && (*ifname == '\0')) { + free(ifname); + return "!"; + } return ifname; #else # if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ - defined(__OpenBSD__) + defined(__OpenBSD__) || \ + (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) #else char buf[32]; int len; 
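Review bot: The `test.host.dots` short-circuit that returns `htonl(0xfedcba98)` is a test fixture compiled into the production resolver: any rule or address that names that host now resolves to 254.220.186.152 without ever consulting DNS, and the hostname.c hunk in this commit adds the matching reverse mapping for the same constant. If it must stay, guard it with a build-time test-only macro or at least mark it: `/* fixed test-suite hostname; deliberately never resolved via DNS */`. The new getnetbyname() fallback at the end preserves the behaviour hostnum.c used to have inline, so callers that previously got network numbers keep getting them.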
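Review bot: `strdup(qif.qf_name)` on the struct just copied out of kernel memory assumes qf_name is NUL-terminated inside the copied bytes; the code it replaces bounded the copy with sizeof(ill.ill_name) and terminated it explicitly. Terminate before duplicating, `qif.qf_name[sizeof(qif.qf_name) - 1] = '\0';` immediately after the kmemcpy() succeeds, so an unterminated name from kmem cannot make strdup() read past the struct. A NULL from strdup() is still passed straight to the caller, as the old malloc() result was. Placing `#include` directives inside the function body under `#if SOLARIS` / `#ifdef __hpux` is unusual style; hoisting them to the top of the file under the same guards would read more conventionally.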
@@ -42,7 +62,8 @@ struct ifnet *ptr; if (kmemcpy((char *)&netif, (u_long)ptr, sizeof(netif)) == -1) return "X"; # if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ - defined(__OpenBSD__) + defined(__OpenBSD__) || defined(linux) || \ + (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) return strdup(netif.if_xname); # else if (kstrncpy(buf, (u_long)netif.if_name, sizeof(buf)) == -1) diff --git a/usr/src/cmd/ipf/lib/common/getnattype.c b/usr/src/cmd/ipf/lib/common/getnattype.c index d3b32d2d77..312a862c3e 100644 --- a/usr/src/cmd/ipf/lib/common/getnattype.c +++ b/usr/src/cmd/ipf/lib/common/getnattype.c @@ -9,7 +9,7 @@ #include "kmem.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: getnattype.c,v 1.2 2002/01/28 06:50:46 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: getnattype.c,v 1.3 2004/01/17 17:26:07 darrenr Exp $"; #endif @@ -23,9 +23,10 @@ ipnat_t *ipnat; ipnat_t ipnatbuff; char *which; - if (!ipnat || (ipnat && kmemcpy((char *)&ipnatbuff, (long)ipnat, - sizeof(ipnatbuff)))) + if (!ipnat) return "???"; + if (kmemcpy((char *)&ipnatbuff, (long)ipnat, sizeof(ipnatbuff))) + return "!!!"; switch (ipnatbuff.in_redir) { diff --git a/usr/src/cmd/ipf/lib/common/getport.c b/usr/src/cmd/ipf/lib/common/getport.c index 9e77c665d3..415522ffc0 100644 --- a/usr/src/cmd/ipf/lib/common/getport.c +++ b/usr/src/cmd/ipf/lib/common/getport.c @@ -1,8 +1,14 @@ +/* + * Copyright (C) 1993-2005 by Darren Reed. + * See the IPFILTER.LICENCE file for details on licencing. + */ + #include "ipf.h" -int getport(fr, name) +int getport(fr, name, port) frentry_t *fr; char *name; +u_short *port; { struct protoent *p; struct servent *s; @@ -10,8 +16,10 @@ char *name; if (fr == NULL || fr->fr_type != FR_T_IPF) { s = getservbyname(name, NULL); - if (s != NULL) - return s->s_port; + if (s != NULL) { + *port = s->s_port; + return 0; + } return -1; } 
@@ -27,13 +35,15 @@ char *name; s = getservbyname(name, "udp"); if (s == NULL || s->s_port != p1) return -1; - return p1; + *port = p1; + return 0; } p = getprotobynumber(fr->fr_proto); s = getservbyname(name, p ? p->p_name : NULL); - if (s != NULL) - return s->s_port; - + if (s != NULL) { + *port = s->s_port; + return 0; + } return -1; } diff --git a/usr/src/cmd/ipf/lib/common/getportproto.c b/usr/src/cmd/ipf/lib/common/getportproto.c index 6237e39ab9..ae04229c67 100644 --- a/usr/src/cmd/ipf/lib/common/getportproto.c +++ b/usr/src/cmd/ipf/lib/common/getportproto.c @@ -1,3 +1,8 @@ +/* + * Copyright (C) 1993-2005 by Darren Reed. + * See the IPFILTER.LICENCE file for details on licencing. + */ + #include <ctype.h> #include "ipf.h" @@ -8,14 +13,23 @@ int proto; struct servent *s; struct protoent *p; - if (isdigit(*name) && atoi(name) > 0) - return htons(atoi(name) & 65535); + if (ISDIGIT(*name)) { + int number; + char *s; - p = getprotobynumber(proto); - if (p != NULL) { - s = getservbyname(name, p->p_name); - if (s != NULL) - return s->s_port; + for (s = name; *s != '\0'; s++) + if (!ISDIGIT(*s)) + return -1; + + number = atoi(name); + if (number < 0 || number > 65535) + return -1; + return htons(number); } - return 0; + + p = getprotobynumber(proto); + s = getservbyname(name, p ? p->p_name : NULL); + if (s != NULL) + return s->s_port; + return -1; } diff --git a/usr/src/cmd/ipf/lib/common/getproto.c b/usr/src/cmd/ipf/lib/common/getproto.c index 43a3029f47..472fe148ab 100644 --- a/usr/src/cmd/ipf/lib/common/getproto.c +++ b/usr/src/cmd/ipf/lib/common/getproto.c @@ -1,3 +1,8 @@ +/* + * Copyright (C) 1993-2005 by Darren Reed. + * See the IPFILTER.LICENCE file for details on licencing. + */ + #include "ipf.h" int getproto(name) 
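Review bot: In getportproto() the new `char *s;` inside the ISDIGIT branch shadows the function-scope `struct servent *s;`; it compiles, but a -Wshadow build flags it and the two uses are easy to confuse when reading. Rename the cursor: `char *t; for (t = name; *t != '\0'; t++) if (!ISDIGIT(*t)) return -1;`. Note also that the old test required `atoi(name) > 0`, whereas the new range check accepts 0 and returns port 0 instead of falling through to the service lookup — worth confirming that is intended. The failure value changes from 0 to -1, which the commit's callers presumably track.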
@@ -7,11 +12,19 @@ char *name; char *s; for (s = name; *s != '\0'; s++) - if (!isdigit(*s)) + if (!ISDIGIT(*s)) break; if (*s == '\0') return atoi(name); +#ifdef _AIX51 + /* + * For some bogus reason, "ip" is 252 in /etc/protocols on AIX 5 + */ + if (!strcasecmp(name, "ip")) + return 0; +#endif + p = getprotobyname(name); if (p != NULL) return p->p_proto; diff --git a/usr/src/cmd/ipf/lib/common/hostname.c b/usr/src/cmd/ipf/lib/common/hostname.c index d0c8b490fe..4bca028c16 100644 --- a/usr/src/cmd/ipf/lib/common/hostname.c +++ b/usr/src/cmd/ipf/lib/common/hostname.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -15,17 +15,43 @@ char *hostname(v, ip) int v; void *ip; { -#ifdef USE_INET6 - static char hostbuf[INET6_ADDRSTRLEN]; -#endif + static char hostbuf[MAXHOSTNAMELEN+1]; + struct hostent *hp; struct in_addr ipa; + struct netent *np; if (v == 4) { ipa.s_addr = *(u_32_t *)ip; + if (ipa.s_addr == htonl(0xfedcba98)) + return "test.host.dots"; + } + + if ((opts & OPT_NORESOLVE) == 0) { + if (v == 4) { + hp = gethostbyaddr(ip, 4, AF_INET); + if (hp != NULL && hp->h_name != NULL && + *hp->h_name != '\0') { + strncpy(hostbuf, hp->h_name, sizeof(hostbuf)); + hostbuf[sizeof(hostbuf) - 1] = '\0'; + return hostbuf; + } + + np = getnetbyaddr(ipa.s_addr, AF_INET); + if (np != NULL && np->n_name != NULL && + *np->n_name != '\0') { + strncpy(hostbuf, np->n_name, sizeof(hostbuf)); + hostbuf[sizeof(hostbuf) - 1] = '\0'; + return hostbuf; + } + } + } + + if (v == 4) { return inet_ntoa(ipa); } #ifdef USE_INET6 - (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf)); + (void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1); + hostbuf[MAXHOSTNAMELEN] = '\0'; return hostbuf; #else return "IPv6"; 
diff --git a/usr/src/cmd/ipf/lib/common/hostnum.c b/usr/src/cmd/ipf/lib/common/hostnum.c index edef2997dd..2ec0529a29 100644 --- a/usr/src/cmd/ipf/lib/common/hostnum.c +++ b/usr/src/cmd/ipf/lib/common/hostnum.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: hostnum.c,v 1.8 2002/01/28 06:50:46 darrenr Exp $ + * $Id: hostnum.c,v 1.10.2.1 2004/12/09 19:41:20 darrenr Exp $ */ #include <ctype.h> @@ -21,13 +21,12 @@ char *host; int linenum; char *ifname; { - struct hostent *hp; - struct netent *np; struct in_addr ip; if (!strcasecmp("any", host) || (ifname && *ifname && !strcasecmp(ifname, host))) return 0; + #ifdef USE_INET6 if (use_inet6) { if (inet_pton(AF_INET6, host, ipa) == 1) @@ -36,7 +35,7 @@ char *ifname; return -1; } #endif - if (isdigit(*host) && inet_aton(host, &ip)) { + if (ISDIGIT(*host) && inet_aton(host, &ip)) { *ipa = ip.s_addr; return 0; } @@ -44,15 +43,5 @@ char *ifname; if (!strcasecmp("<thishost>", host)) host = thishost; - if (!(hp = gethostbyname(host))) { - if (!(np = getnetbyname(host))) { - fprintf(stderr, "%d: can't resolve hostname: %s\n", - linenum, host); - return -1; - } - *ipa = htonl(np->n_net); - return 0; - } - *ipa = *(u_32_t *)hp->h_addr; - return 0; + return gethost(host, ipa); } diff --git a/usr/src/cmd/ipf/lib/common/icmpcode.c b/usr/src/cmd/ipf/lib/common/icmpcode.c index 1dac556cec..fd1e647687 100644 --- a/usr/src/cmd/ipf/lib/common/icmpcode.c +++ b/usr/src/cmd/ipf/lib/common/icmpcode.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: icmpcode.c,v 1.6 2001/06/09 17:09:24 darrenr Exp $ + * $Id: icmpcode.c,v 1.7.2.1 2004/12/09 19:41:20 darrenr Exp $ */ #include <ctype.h> 
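Review bot: Delegating to gethost() drops the `"%d: can't resolve hostname: %s\n"` diagnostic that told the user which rule line failed, and leaves the `linenum` parameter unused; gethost() as added in this commit prints nothing on failure. Keep the message around the new call so a parse error still points at the line.

```c
	if (gethost(host, ipa) == -1) {
		fprintf(stderr, "%d: can't resolve hostname: %s\n",
			linenum, host);
		return -1;
	}
	return 0;
```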
@@ -18,7 +18,7 @@ char *icmpcodes[MAX_ICMPCODE + 1] = { "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag", "srcfail", "net-unk", "host-unk", "isolate", "net-prohib", "host-prohib", - "net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff", + "net-tos", "host-tos", "filter-prohib", "host-preced", "preced-cutoff", NULL }; /* @@ -32,7 +32,7 @@ char *str; if ((s = strrchr(str, ')'))) *s = '\0'; - if (isdigit(*str)) { + if (ISDIGIT(*str)) { if (!ratoi(str, &i, 0, 255)) return -1; else diff --git a/usr/src/cmd/ipf/lib/common/inet_addr.c b/usr/src/cmd/ipf/lib/common/inet_addr.c index 5c91169141..820b7b58a4 100644 --- a/usr/src/cmd/ipf/lib/common/inet_addr.c +++ b/usr/src/cmd/ipf/lib/common/inet_addr.c @@ -3,7 +3,7 @@ * - * Copyright (c) 1983, 1990, 1993 * The Regents of the University of California. All rights reserved. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -19,7 +19,7 @@ * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
@@ -33,14 +33,14 @@ * SUCH DAMAGE. * - * Portions Copyright (c) 1993 by Digital Equipment Corporation. - * + * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies, and that * the name of Digital Equipment Corporation not be used in advertising or * publicity pertaining to distribution of the document or software without * specific, written prior permission. - * + * * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT @@ -55,7 +55,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93"; -static const char rcsid[] = "@(#)$Id: inet_addr.c,v 1.4 2002/02/21 09:25:42 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: inet_addr.c,v 1.8.2.3 2004/12/09 19:41:20 darrenr Exp $"; #endif /* LIBC_SCCS and not lint */ #include <sys/param.h> 
@@ -70,9 +70,24 @@ static const char rcsid[] = "@(#)$Id: inet_addr.c,v 1.4 2002/02/21 09:25:42 darr # define __P(x) () # endif #endif +#ifndef linux int inet_aton __P((const char *, struct in_addr *)); -/* +/* + * Because the ctype(3) posix definition, if used "safely" in code everywhere, + * would mean all normal code that walks through strings needed casts. Yuck. + */ +#define ISALNUM(x) isalnum((u_char)(x)) +#define ISALPHA(x) isalpha((u_char)(x)) +#define ISASCII(x) isascii((u_char)(x)) +#define ISDIGIT(x) isdigit((u_char)(x)) +#define ISPRINT(x) isprint((u_char)(x)) +#define ISSPACE(x) isspace((u_char)(x)) +#define ISUPPER(x) isupper((u_char)(x)) +#define ISXDIGIT(x) isxdigit((u_char)(x)) +#define ISLOWER(x) islower((u_char)(x)) + +/* * Check whether "cp" is a valid ascii representation * of an Internet address and convert to a binary address. * Returns 1 if the address is valid, 0 if not. @@ -97,7 +112,7 @@ inet_aton(cp, addr) * Values are specified as for C: * 0x=hex, 0=octal, isdigit=decimal. */ - if (!isdigit(c)) + if (!ISDIGIT(c)) return (0); val = 0; base = 10; if (c == '0') { @@ -108,12 +123,12 @@ inet_aton(cp, addr) base = 8; } for (;;) { - if (isascii(c) && isdigit(c)) { + if (ISASCII(c) && ISDIGIT(c)) { val = (val * base) + (c - '0'); c = *++cp; - } else if (base == 16 && isascii(c) && isxdigit(c)) { + } else if (base == 16 && ISASCII(c) && ISXDIGIT(c)) { val = (val << 4) | - (c + 10 - (islower(c) ? 'a' : 'A')); + (c + 10 - (ISLOWER(c) ? 'a' : 'A')); c = *++cp; } else break; @@ -135,7 +150,7 @@ inet_aton(cp, addr) /* * Check for trailing characters. */ - if (c != '\0' && (!isascii(c) || !isspace(c))) + if (c != '\0' && (!ISASCII(c) || !ISSPACE(c))) return (0); /* * Concoct the address according to @@ -172,6 +187,7 @@ inet_aton(cp, addr) addr->s_addr = htonl(val); return (1); } +#endif /* these are compatibility routines, not needed on recent BSD releases */ 
@@ -179,16 +195,9 @@ inet_aton(cp, addr) * Ascii internet address interpretation routine. * The value returned is in network order. */ -#if (defined(SOLARIS2) && (SOLARIS2 > 5)) || defined(__hpux) || \ - defined(__osf__) || (defined(IRIX) && (IRIX >= 605)) || \ - (defined(__FreeBSD__) && (__FreeBSD__ >= 4)) || \ - defined(__OpenBSD__) -in_addr_t -#else -u_long -#endif +#if 0 inet_addr(cp) - register const char *cp; + const char *cp; { struct in_addr val; @@ -196,3 +205,4 @@ inet_addr(cp) return (val.s_addr); return (0xffffffff); } +#endif diff --git a/usr/src/cmd/ipf/lib/common/ipf_dotuning.c b/usr/src/cmd/ipf/lib/common/ipf_dotuning.c new file mode 100644 index 0000000000..0746bd1e67 --- /dev/null +++ b/usr/src/cmd/ipf/lib/common/ipf_dotuning.c 
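Review bot: inet_addr() is disabled with `#if 0` … `#endif` rather than removed, leaving a dead definition (including the `register` → plain-parameter edit inside it) to be maintained. Either delete it or say why it is kept: `/* unused: the platform's inet_addr() is used; retained for reference only */` on the `#if 0`. The remaining inet_aton() changes in this file only swap ctype calls for the u_char-casting macros, which is the right fix for negative `char` values.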
@@ -0,0 +1,67 @@ +/* + * Copyright (C) 1993-2005 by Darren Reed. + * See the IPFILTER.LICENCE file for details on licencing. + */ + +#include "ipf.h" +#include "netinet/ipl.h" +#include <sys/ioctl.h> + +void ipf_dotuning(fd, tuneargs, iocfn) +int fd; +char *tuneargs; +ioctlfunc_t iocfn; +{ + ipfobj_t obj; + ipftune_t tu; + char *s, *t; + + bzero((char *)&tu, sizeof(tu)); + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_size = sizeof(tu);; + obj.ipfo_ptr = (void *)&tu; + obj.ipfo_type = IPFOBJ_TUNEABLE; + + for (s = strtok(tuneargs, ","); s != NULL; s = strtok(NULL, ",")) { + if (!strcmp(s, "list")) { + while (1) { + if ((*iocfn)(fd, SIOCIPFGETNEXT, &obj) == -1) { + perror("ioctl(SIOCIPFGETNEXT)"); + break; + } + if (tu.ipft_cookie == NULL) + break; + + tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0'; + printtunable(&tu); + } + } else if ((t = strchr(s, '=')) != NULL) { + tu.ipft_cookie = NULL; + *t++ = '\0'; + strncpy(tu.ipft_name, s, sizeof(tu.ipft_name)); + if (sscanf(t, "%lu", &tu.ipft_vlong) == 1) { + if ((*iocfn)(fd, SIOCIPFSET, &obj) == -1) { + perror("ioctl(SIOCIPFSET)"); + return; + } + } else { + fprintf(stderr, "invalid value '%s'\n", s); + return; + } + } else { + tu.ipft_cookie = NULL; + strncpy(tu.ipft_name, s, sizeof(tu.ipft_name)); + if ((*iocfn)(fd, SIOCIPFGET, &obj) == -1) { + perror("ioctl(SIOCIPFGET)"); + return; + } + if (tu.ipft_cookie == NULL) { + fprintf(stderr, "Null cookie for %s\n", s); + return; + } + + tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0'; + printtunable(&tu); + } + } +} diff --git a/usr/src/cmd/ipf/lib/common/ipft_ef.c b/usr/src/cmd/ipf/lib/common/ipft_ef.c index 411dc51a91..237febcb4b 100644 --- a/usr/src/cmd/ipf/lib/common/ipft_ef.c +++ b/usr/src/cmd/ipf/lib/common/ipft_ef.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ipft_ef.c,v 1.11 2003/06/02 12:22:49 darrenr Exp $ + * $Id: ipft_ef.c,v 1.14 2004/01/08 13:34:31 darrenr Exp $ */ /* 
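Review bot: In both the `name=value` and the plain-name branches, `strncpy(tu.ipft_name, s, sizeof(tu.ipft_name))` hands the kernel a name that is not NUL-terminated when the argument fills the field; the `tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0';` is only applied after the ioctl returns, for printing. Move that termination to directly after each strncpy (or reject over-long names before the ioctl). Two smaller points in the same function: `obj.ipfo_size = sizeof(tu);;` has a stray semicolon, and the `"invalid value '%s'\n"` message prints `s` (the tunable name) where `t` (the rejected value) is meant. strtok() also modifies the caller's `tuneargs` in place, which the function's contract should state.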
@@ -23,16 +23,15 @@ etherfind -n -t #include "ipf.h" #include "ipt.h" -#undef ICMP_MAXTYPE -#include <netinet/ip_icmp.h> +#ifndef linux #include <netinet/ip_var.h> -#include <netinet/udp.h> +#endif #include <netinet/tcpip.h> #if !defined(lint) static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 1.11 2003/06/02 12:22:49 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 1.14 2004/01/08 13:34:31 darrenr Exp $"; #endif static int etherf_open __P((char *)); diff --git a/usr/src/cmd/ipf/lib/common/ipft_hx.c b/usr/src/cmd/ipf/lib/common/ipft_hx.c index 3a02700206..fa5923b756 100644 --- a/usr/src/cmd/ipf/lib/common/ipft_hx.c +++ b/usr/src/cmd/ipf/lib/common/ipft_hx.c @@ -5,7 +5,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.11 2003/02/16 02:32:35 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.11.4.1 2004/12/09 19:41:20 darrenr Exp $"; #endif #include <ctype.h> @@ -111,7 +111,7 @@ int cnt, *dir; if (t < (char *)ip) putchar('\t'); while (t < (char *)ip) { - if (isprint(*t) && isascii(*t)) + if (ISPRINT(*t) && ISASCII(*t)) putchar(*t); else putchar('.'); @@ -133,7 +133,7 @@ register char *src, *dst; char c; while ((c = *src++)) { - if (isspace(c)) { + if (ISSPACE(c)) { if (state) { dst++; state = 0; @@ -141,7 +141,7 @@ register char *src, *dst; continue; } else if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')) { - c = isdigit(c) ? (c - '0') : (toupper(c) - 55); + c = ISDIGIT(c) ? (c - '0') : (TOUPPER(c) - 55); if (state == 0) { *dst = (c << 4); state++; diff --git a/usr/src/cmd/ipf/lib/common/ipft_pc.c b/usr/src/cmd/ipf/lib/common/ipft_pc.c index 92b482bfaa..3042a3976c 100644 --- a/usr/src/cmd/ipf/lib/common/ipft_pc.c +++ b/usr/src/cmd/ipf/lib/common/ipft_pc.c 
@@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ipft_pc.c,v 1.9 2003/02/16 02:32:36 darrenr Exp $ + * $Id: ipft_pc.c,v 1.10 2004/02/07 18:17:40 darrenr Exp $ */ #include "ipf.h" #include "pcap-ipf.h" @@ -11,7 +11,7 @@ #include "ipt.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 1.9 2003/02/16 02:32:36 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 1.10 2004/02/07 18:17:40 darrenr Exp $"; #endif struct llc { @@ -75,7 +75,7 @@ static int pcap_readip __P((char *, int, char **, int *)); static void swap_hdr __P((pcaphdr_t *)); static int pcap_read_rec __P((struct pcap_pkthdr *)); -static int pfd = -1, s_type = -1, swapped = 0; +static int pfd = -1, swapped = 0; static struct llc *llcp = NULL; struct ipread pcap = { pcap_open, pcap_close, pcap_readip, 0 }; @@ -139,7 +139,6 @@ char *fname; } pfd = fd; - s_type = ph.pc_type; printf("opened pcap file %s:\n", fname); printf("\tid: %08x version: %d.%d type: %d snap %d\n", ph.pc_id, ph.pc_v_maj, ph.pc_v_min, ph.pc_type, ph.pc_slen); diff --git a/usr/src/cmd/ipf/lib/common/ipft_td.c b/usr/src/cmd/ipf/lib/common/ipft_td.c index acc3631e46..1aa616670a 100644 --- a/usr/src/cmd/ipf/lib/common/ipft_td.c +++ b/usr/src/cmd/ipf/lib/common/ipft_td.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ipft_td.c,v 1.11 2003/06/03 16:01:01 darrenr Exp $ + * $Id: ipft_td.c,v 1.15 2004/01/08 13:34:31 darrenr Exp $ */ /* 
@@ -32,16 +32,15 @@ tcpdump -nqte #include "ipf.h" #include "ipt.h" -#undef ICMP_MAXTYPE -#include <netinet/ip_icmp.h> +#ifndef linux #include <netinet/ip_var.h> -#include <netinet/udp.h> +#endif #include <netinet/tcpip.h> #if !defined(lint) static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_td.c,v 1.11 2003/06/03 16:01:01 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_td.c,v 1.15 2004/01/08 13:34:31 darrenr Exp $"; #endif static int tcpd_open __P((char *)); @@ -97,7 +96,6 @@ int cnt, *dir; { struct tcpiphdr pkt; ip_t *ip = (ip_t *)&pkt; - struct protoent *p; char src[32], dst[32], misc[256], time[32], link1[32], link2[32]; char lbuf[160], *s; int n, slen, extra = 0; diff --git a/usr/src/cmd/ipf/lib/common/ipft_tx.c b/usr/src/cmd/ipf/lib/common/ipft_tx.c index 3d0f5800ce..82eca169d8 100644 --- a/usr/src/cmd/ipf/lib/common/ipft_tx.c +++ b/usr/src/cmd/ipf/lib/common/ipft_tx.c @@ -3,11 +3,11 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ipft_tx.c,v 1.11 2003/02/16 02:32:01 darrenr Exp $ + * $Id: ipft_tx.c,v 1.15.2.3 2005/06/18 02:41:34 darrenr Exp $ */ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.11 2003/02/16 02:32:01 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.3 2005/06/18 02:41:34 darrenr Exp $"; #endif #include <ctype.h> @@ -15,10 +15,9 @@ static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.11 2003/02/16 02:32:01 darre #include "ipf.h" #include "ipt.h" -#undef ICMP_MAXTYPE -#include <netinet/ip_icmp.h> +#ifndef linux #include <netinet/ip_var.h> -#include <netinet/udp.h> +#endif #include <netinet/tcpip.h> 
@@ -30,8 +29,8 @@ static int text_open __P((char *)), text_close __P((void)); static int text_readip __P((char *, int, char **, int *)); static int parseline __P((char *, ip_t *, char **, int *)); -static char _tcp_flagset[] = "FSRPAUEC"; -static u_char _tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, +static char myflagset[] = "FSRPAUEC"; +static u_char myflags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, TH_ECN, TH_CWR }; struct ipread iptext = { text_open, text_close, text_readip, R_DO_CKSUM }; @@ -50,24 +49,20 @@ static u_32_t tx_hostnum(host, resolved) char *host; int *resolved; { - struct hostent *hp; - struct netent *np; + u_32_t ipa; *resolved = 0; - if (!strcasecmp("any",host)) + if (!strcasecmp("any", host)) return 0L; - if (isdigit(*host)) + if (ISDIGIT(*host)) return inet_addr(host); - if (!(hp = gethostbyname(host))) { - if (!(np = getnetbyname(host))) { - *resolved = -1; - fprintf(stderr, "can't resolve hostname: %s\n", host); - return 0; - } - return htonl(np->n_net); + if (gethost(host, &ipa) == -1) { + *resolved = -1; + fprintf(stderr, "can't resolve hostname: %s\n", host); + return 0; } - return *(u_32_t *)hp->h_addr; + return ipa; } @@ -81,7 +76,7 @@ char *name; struct servent *sp, *sp2; u_short p1 = 0; - if (isdigit(*name)) + if (ISDIGIT(*name)) return (u_short)atoi(name); if (!tx_proto) tx_proto = "tcp/udp"; @@ -205,11 +200,11 @@ int *out; return 1; c = **cpp; - if (!isalpha(c) || (tolower(c) != 'o' && tolower(c) != 'i')) { + if (!ISALPHA(c) || (TOLOWER(c) != 'o' && TOLOWER(c) != 'i')) { fprintf(stderr, "bad direction \"%s\"\n", *cpp); return 1; } - *out = (tolower(c) == 'o') ? 1 : 0; + *out = (TOLOWER(c) == 'o') ? 1 : 0; cpp++; if (!*cpp) return 1; @@ -241,7 +236,7 @@ int *out; tx_proto = "icmp"; } cpp++; - } else if (isdigit(**cpp) && !index(*cpp, '.')) { + } else if (ISDIGIT(**cpp) && !index(*cpp, '.')) { ip->ip_p = atoi(*cpp); cpp++; } else 
@@ -259,6 +254,10 @@ int *out; } *last++ = '\0'; tcp->th_sport = htons(tx_portnum(last)); + if (ip->ip_p == IPPROTO_TCP) { + tcp->th_win = htons(4096); + TCP_OFF_A(tcp, sizeof(*tcp) >> 2); + } } ip->ip_src.s_addr = tx_hostnum(*cpp, &r); cpp++; @@ -279,19 +278,18 @@ int *out; ip->ip_dst.s_addr = tx_hostnum(*cpp, &r); cpp++; if (*cpp && ip->ip_p == IPPROTO_TCP) { - extern char _tcp_flagset[]; - extern u_char _tcp_flags[]; char *s, *t; + tcp->th_flags = 0; for (s = *cpp; *s; s++) - if ((t = strchr(_tcp_flagset, *s))) - tcp->th_flags |= _tcp_flags[t - _tcp_flagset]; + if ((t = strchr(myflagset, *s))) + tcp->th_flags |= myflags[t - myflagset]; if (tcp->th_flags) cpp++; if (tcp->th_flags == 0) abort(); - tcp->th_win = htons(4096); - TCP_OFF_A(tcp, sizeof(*tcp) >> 2); + if (tcp->th_flags & TH_URG) + tcp->th_urp = htons(1); } else if (*cpp && ip->ip_p == IPPROTO_ICMP) { extern char *tx_icmptypes[]; char **s, *t; diff --git a/usr/src/cmd/ipf/lib/common/kmem.c b/usr/src/cmd/ipf/lib/common/kmem.c index a90b897cf7..3142d68011 100644 --- a/usr/src/cmd/ipf/lib/common/kmem.c +++ b/usr/src/cmd/ipf/lib/common/kmem.c @@ -9,7 +9,7 @@ */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -23,7 +23,7 @@ #include <string.h> #include <fcntl.h> #include <sys/file.h> -#if !defined(__sgi) && !defined(__hpux) && !defined(__osf__) +#if !defined(__sgi) && !defined(__hpux) && !defined(__osf__) && !defined(linux) && !defined(_AIX51) #include <kvm.h> #endif #include <fcntl.h> @@ -37,6 +37,9 @@ #if __FreeBSD_version >= 300000 # include <net/if_var.h> #endif +#if defined(linux) || defined(__osf__) || defined(__sgi) || defined(__hpux) +# include <stdlib.h> +#endif #include "kmem.h" 
@@ -46,12 +49,13 @@ #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static const char rcsid[] = "@(#)$Id: kmem.c,v 1.11 2003/06/02 12:22:29 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: kmem.c,v 1.16.2.2 2005/06/12 07:18:41 darrenr Exp $"; #endif -#if !defined(__sgi) && !defined(__hpux) && !defined(__osf__) +#if !defined(__sgi) && !defined(__hpux) && !defined(__osf__) && \ + !defined(linux) && !defined(_AIX51) /* * For all platforms where there is a libkvm and a kvm_t, we use that... */ @@ -62,17 +66,21 @@ static kvm_t *kvm_f = NULL; *...and for the others (HP-UX, IRIX, Tru64), we have to provide our own. */ -typedef int kvm_t; +typedef int * kvm_t; -static kvm_t kvm_f = -1; +static kvm_t kvm_f = NULL; static char *kvm_errstr = NULL; +kvm_t kvm_open __P((char *, char *, char *, int, char *)); +int kvm_read __P((kvm_t, u_long, char *, size_t)); + kvm_t kvm_open(kernel, core, swap, mode, errstr) char *kernel, *core, *swap; int mode; char *errstr; { - kvm_t fd; + kvm_t k; + int fd; kvm_errstr = errstr; @@ -80,7 +88,15 @@ char *errstr; core = "/dev/kmem"; fd = open(core, mode); - return fd; + if (fd == -1) + return NULL; + k = malloc(sizeof(*k)); + if (k == NULL) { + close(fd); + return NULL; + } + *k = fd; + return k; } int kvm_read(kvm, pos, buffer, size) @@ -89,10 +105,10 @@ u_long pos; char *buffer; size_t size; { - int r, left; + int r = 0, left; char *bufp; - if (lseek(kvm, pos, 0) == -1) { + if (lseek(*kvm, pos, 0) == -1) { if (kvm_errstr != NULL) { fprintf(stderr, "%s", kvm_errstr); perror("lseek"); 
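Review bot: kvm_open now returns a heap-allocated handle that owns the descriptor, but the emulation block declares no kvm_close, so nothing in this file releases either the fd or the allocation; libkvm, which `kvm_f` is used with on the other platforms, has one. Whether any caller invokes kvm_close is not visible in this diff: if one does, the non-libkvm builds need a counterpart such as `int kvm_close(kvm_t k) { int rc = close(*k); free(k); return rc; }` beside these two functions, and if none does, a one-line comment above `typedef int * kvm_t;` saying the handle lives for the process lifetime would save the next reader the search. kvm_open's prologue is outside the hunk.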
@@ -101,19 +117,19 @@ size_t size; } for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) { - r = read(kvm, bufp, 1); + r = read(*kvm, bufp, left); #ifdef __osf__ /* * Tru64 returns "0" for successful operation, not the number * of bytes read. */ - return r; -#else + if (r == 0) + r = left; +#endif if (r <= 0) return -1; -#endif } - return 0; + return r; } #endif /* !defined(__sgi) && !defined(__hpux) && !defined(__osf__) */ @@ -126,7 +142,7 @@ char *kern, *core; perror("openkmem:open"); return -1; } - return 0; + return kvm_f != NULL; } int kmemcpy(buf, pos, n) @@ -179,7 +195,7 @@ register int n; if (r <= 0) { fprintf(stderr, "pos=0x%lx ", (u_long)pos); - perror("kstrncpy:read"); + perror("kmemcpy:read"); return -1; } else diff --git a/usr/src/cmd/ipf/lib/common/load_hash.c b/usr/src/cmd/ipf/lib/common/load_hash.c index a86052478e..e43ddf54a3 100644 --- a/usr/src/cmd/ipf/lib/common/load_hash.c +++ b/usr/src/cmd/ipf/lib/common/load_hash.c @@ -3,9 +3,9 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: load_hash.c,v 1.10 2003/04/26 04:55:11 darrenr Exp $ + * $Id: load_hash.c,v 1.11.2.2 2005/02/01 02:44:05 darrenr Exp $ * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -14,13 +14,8 @@ #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" -#if SOLARIS2 >= 10 -#include "ip_lookup.h" -#include "ip_htable.h" -#else #include "netinet/ip_lookup.h" #include "netinet/ip_htable.h" -#endif static int hashfd = -1; @@ -40,8 +35,6 @@ ioctlfunc_t iocfunc; hashfd = open(IPLOOKUP_NAME, O_RDWR); if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0)) return -1; - if (list == NULL) - return 0; for (n = 0, a = list; a != NULL; a = a->ipe_next) n++; 
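Review bot: `return r;` at the end of kvm_read returns the byte count of the last read() only, so after a short read followed by a second read() the value is smaller than `size` even though the whole buffer was filled; libkvm's kvm_read, which this block stands in for, reports the total, and the code being replaced returned 0. A caller that compares the result with the requested length would misjudge a partial read (kmemcpy's `if (r <= 0)` in the later hunk presumably only checks for failure, so it is unaffected). Returning the amount requested once the loop has completed, `return size;`, or keeping a running total, matches the libkvm contract.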
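Review bot: openkmem's success return changes from 0 to 1 in the `@@ -126` hunk: `return kvm_f != NULL;` is always true at that point, because the NULL case already returned -1 just above. Any caller that treats a non-zero result as failure now fails on success; the callers are not visible here, so if they all compare against -1 the change is harmless, but the expression reads as a boolean in a function whose convention is -1 on error. Either keep `return 0;` or state the new meaning in a comment above the function, whose header is outside the hunk.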
@@ -58,20 +51,29 @@ ioctlfunc_t iocfunc; iph.iph_type = iphp->iph_type; strncpy(iph.iph_name, iphp->iph_name, sizeof(iph.iph_name)); iph.iph_flags = iphp->iph_flags; + if (n <= 0) + n = 1; if (iphp->iph_size == 0) size = n * 2 - 1; else size = iphp->iph_size; + if ((list == NULL) && (size == 1)) { + fprintf(stderr, + "WARNING: empty hash table %s, recommend setting %s\n", + iphp->iph_name, "size to match expected use"); + } iph.iph_size = size; iph.iph_seed = iphp->iph_seed; iph.iph_table = NULL; iph.iph_ref = 0; - if ((*iocfunc)(hashfd, SIOCLOOKUPADDTABLE, &op)) - if ((opts & OPT_DONOTHING) == 0) { - perror("load_hash:SIOCLOOKUPADDTABLE"); - return -1; - } + if ((opts & OPT_REMOVE) == 0) { + if ((*iocfunc)(hashfd, SIOCLOOKUPADDTABLE, &op)) + if ((opts & OPT_DONOTHING) == 0) { + perror("load_hash:SIOCLOOKUPADDTABLE"); + return -1; + } + } strncpy(op.iplo_name, iph.iph_name, sizeof(op.iplo_name)); strncpy(iphp->iph_name, iph.iph_name, sizeof(op.iplo_name)); @@ -89,7 +91,7 @@ ioctlfunc_t iocfunc; return -1; } iph.iph_table[0] = list; - printhash(&iph, bcopywrap, opts); + printhash(&iph, bcopywrap, iph.iph_name, opts); free(iph.iph_table); for (a = list; a != NULL; a = a->ipe_next) { @@ -106,5 +108,12 @@ ioctlfunc_t iocfunc; for (a = list; a != NULL; a = a->ipe_next) load_hashnode(iphp->iph_unit, iph.iph_name, a, iocfunc); + if ((opts & OPT_REMOVE) != 0) { + if ((*iocfunc)(hashfd, SIOCLOOKUPDELTABLE, &op)) + if ((opts & OPT_DONOTHING) == 0) { + perror("load_hash:SIOCLOOKUPDELTABLE"); + return -1; + } + } return 0; } diff --git a/usr/src/cmd/ipf/lib/common/load_hashnode.c b/usr/src/cmd/ipf/lib/common/load_hashnode.c index c072031abc..8cf1bb2c67 100644 --- a/usr/src/cmd/ipf/lib/common/load_hashnode.c +++ b/usr/src/cmd/ipf/lib/common/load_hashnode.c 
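Review bot: The two context lines after the new OPT_REMOVE block copy into `iphp->iph_name` with a bound of `sizeof(op.iplo_name)`, the size of a different field; the copy only stays in bounds while the two arrays happen to be the same length, and nothing here says they are. `strncpy(iphp->iph_name, iph.iph_name, sizeof(iphp->iph_name));` ties the bound to its destination. Separately, `if ((*iocfunc)(hashfd, SIOCLOOKUPADDTABLE, &op)) if ((opts & OPT_DONOTHING) == 0) {` in the new block (repeated in the SIOCLOOKUPDELTABLE hunk below and in both load_pool.c hunks) nests an unbraced `if` inside an `if`, the shape that makes a later `else` bind to the wrong condition. load_hash's prologue is outside the hunk.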
@@ -3,9 +3,9 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: load_hashnode.c,v 1.2 2003/04/26 04:55:11 darrenr Exp $ + * $Id: load_hashnode.c,v 1.2.4.1 2004/03/06 14:33:28 darrenr Exp $ * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -14,14 +14,8 @@ #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" - -#if SOLARIS2 >= 10 -#include "ip_lookup.h" -#include "ip_htable.h" -#else #include "netinet/ip_lookup.h" #include "netinet/ip_htable.h" -#endif static int hashfd = -1; @@ -34,6 +28,7 @@ ioctlfunc_t iocfunc; { iplookupop_t op; iphtent_t ipe; + int err; if ((hashfd == -1) && ((opts & OPT_DONOTHING) == 0)) hashfd = open(IPLOOKUP_NAME, O_RDWR); @@ -56,9 +51,14 @@ ioctlfunc_t iocfunc; bcopy((char *)&node->ipe_group, (char *)&ipe.ipe_group, sizeof(ipe.ipe_group)); - if ((*iocfunc)(hashfd, SIOCLOOKUPADDNODE, &op)) + if ((opts & OPT_REMOVE) == 0) + err = (*iocfunc)(hashfd, SIOCLOOKUPADDNODE, &op); + else + err = (*iocfunc)(hashfd, SIOCLOOKUPDELNODE, &op); + + if (err != 0) if (!(opts & OPT_DONOTHING)) { - perror("load_hash:SIOCLOOKUPADDNODE"); + perror("load_hash:SIOCLOOKUP*NODE"); return -1; } return 0; diff --git a/usr/src/cmd/ipf/lib/common/load_pool.c b/usr/src/cmd/ipf/lib/common/load_pool.c index e87db99119..d27b6c381b 100644 --- a/usr/src/cmd/ipf/lib/common/load_pool.c +++ b/usr/src/cmd/ipf/lib/common/load_pool.c @@ -3,19 +3,14 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: load_pool.c,v 1.12 2003/04/26 04:55:11 darrenr Exp $ + * $Id: load_pool.c,v 1.14.2.2 2005/02/01 02:44:06 darrenr Exp $ */ #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" -#if SOLARIS2 >= 10 -#include "ip_lookup.h" -#include "ip_pool.h" -#else #include "netinet/ip_lookup.h" #include "netinet/ip_pool.h" -#endif static int poolfd = -1; 
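Review bot: `perror("load_hash:SIOCLOOKUP*NODE")` in the load_hashnode.c hunk no longer says which ioctl failed and names a different file; the load_poolnode.c hunk further down introduces the same wildcard (`perror("load_pool:SIOCLOOKUP*NODE")`). Since `err` already comes from a two-way branch, the message can be chosen the same way: `perror((opts & OPT_REMOVE) ? "load_hashnode:SIOCLOOKUPDELNODE" : "load_hashnode:SIOCLOOKUPADDNODE");`. The function's opening lines are outside the hunk.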
@@ -44,20 +39,29 @@ ioctlfunc_t iocfunc; if (*plp->ipo_name == '\0') op.iplo_arg |= IPOOL_ANON; - if ((*iocfunc)(poolfd, SIOCLOOKUPADDTABLE, &op)) - if ((opts & OPT_DONOTHING) == 0) { - perror("load_pool:SIOCLOOKUPADDTABLE"); - return -1; - } + if ((opts & OPT_REMOVE) == 0) { + if ((*iocfunc)(poolfd, SIOCLOOKUPADDTABLE, &op)) + if ((opts & OPT_DONOTHING) == 0) { + perror("load_pool:SIOCLOOKUPADDTABLE"); + return -1; + } + } if ((opts & OPT_VERBOSE) != 0) { pool.ipo_list = plp->ipo_list; - printpool(&pool, bcopywrap, opts); + printpool(&pool, bcopywrap, pool.ipo_name, opts); pool.ipo_list = NULL; } for (a = plp->ipo_list; a != NULL; a = a->ipn_next) load_poolnode(plp->ipo_unit, plp->ipo_name, a, iocfunc); + if ((opts & OPT_REMOVE) != 0) { + if ((*iocfunc)(poolfd, SIOCLOOKUPDELTABLE, &op)) + if ((opts & OPT_DONOTHING) == 0) { + perror("load_pool:SIOCLOOKUPDELTABLE"); + return -1; + } + } return 0; } diff --git a/usr/src/cmd/ipf/lib/common/load_poolnode.c b/usr/src/cmd/ipf/lib/common/load_poolnode.c index 50c06b538d..e992a80281 100644 --- a/usr/src/cmd/ipf/lib/common/load_poolnode.c +++ b/usr/src/cmd/ipf/lib/common/load_poolnode.c @@ -3,20 +3,14 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: load_poolnode.c,v 1.2 2003/04/26 04:55:11 darrenr Exp $ + * $Id: load_poolnode.c,v 1.3.2.1 2004/03/06 14:33:29 darrenr Exp $ */ #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" - -#if SOLARIS2 >= 10 -#include "ip_lookup.h" -#include "ip_pool.h" -#else #include "netinet/ip_lookup.h" #include "netinet/ip_pool.h" -#endif static int poolfd = -1; @@ -29,6 +23,7 @@ ioctlfunc_t iocfunc; { ip_pool_node_t pn; iplookupop_t op; + int err; if ((poolfd == -1) && ((opts & OPT_DONOTHING) == 0)) poolfd = open(IPLOOKUP_NAME, O_RDWR); 
@@ -50,9 +45,14 @@ ioctlfunc_t iocfunc; pn.ipn_info = node->ipn_info; strncpy(pn.ipn_name, node->ipn_name, sizeof(pn.ipn_name)); - if ((*iocfunc)(poolfd, SIOCLOOKUPADDNODE, &op)) { + if ((opts & OPT_REMOVE) == 0) + err = (*iocfunc)(poolfd, SIOCLOOKUPADDNODE, &op); + else + err = (*iocfunc)(poolfd, SIOCLOOKUPDELNODE, &op); + + if (err != 0) { if ((opts & OPT_DONOTHING) == 0) { - perror("load_pool:SIOCLOOKUPADDNODE"); + perror("load_pool:SIOCLOOKUP*NODE"); return -1; } } diff --git a/usr/src/cmd/ipf/lib/common/natparse.c b/usr/src/cmd/ipf/lib/common/natparse.c index b6dd7318a5..9937380f35 100644 --- a/usr/src/cmd/ipf/lib/common/natparse.c +++ b/usr/src/cmd/ipf/lib/common/natparse.c @@ -5,7 +5,7 @@ */ #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: natparse.c,v 1.6 2002/11/09 14:08:04 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: natparse.c,v 1.8.2.1 2004/12/09 19:41:21 darrenr Exp $"; #endif #include <sys/ioctl.h> @@ -55,7 +55,7 @@ int linenum; *s = '\0'; if ((s = strchr(line, '#'))) *s = '\0'; - while (*line && isspace(*line)) + while (*line && ISSPACE(*line)) line++; if (!*line) return NULL; @@ -223,7 +223,7 @@ int linenum; return NULL; } - if (isdigit(**cpp) && (s = strchr(*cpp, '-'))) + if (ISDIGIT(**cpp) && (s = strchr(*cpp, '-'))) *s++ = '\0'; else s = NULL; @@ -357,7 +357,7 @@ int linenum; return NULL; ipn.in_pnext = htons(ipn.in_pnext); cpp++; - } + } if (dnetm && *dnetm == '/') *dnetm++ = '\0'; @@ -559,7 +559,7 @@ int linenum; } *t++ = '\0'; - if (!icmpidnum(*cpp, &ipn.in_pmin, linenum) || + if (!icmpidnum(*cpp, &ipn.in_pmin, linenum) || !icmpidnum(t, &ipn.in_pmax, linenum)) return NULL; } else if (!strcasecmp(*cpp, "portmap")) { diff --git a/usr/src/cmd/ipf/lib/common/portname.c b/usr/src/cmd/ipf/lib/common/portname.c index 7e9586ee47..7136d8c017 100644 --- a/usr/src/cmd/ipf/lib/common/portname.c +++ b/usr/src/cmd/ipf/lib/common/portname.c 
@@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: portname.c,v 1.6 2002/01/28 06:50:47 darrenr Exp $ + * $Id: portname.c,v 1.7 2003/08/14 14:27:43 darrenr Exp $ */ #include "ipf.h" @@ -15,21 +15,23 @@ int pr, port; struct protoent *p = NULL; struct servent *sv = NULL, *sv1 = NULL; - if (pr == -1) { - if ((sv = getservbyport(htons(port), "tcp"))) { - strncpy(buf, sv->s_name, sizeof(buf)-1); - buf[sizeof(buf)-1] = '\0'; - sv1 = getservbyport(htons(port), "udp"); - sv = strncasecmp(buf, sv->s_name, strlen(buf)) ? - NULL : sv1; - } - if (sv) - return buf; - } else if ((pr != -2) && (p = getprotobynumber(pr))) { - if ((sv = getservbyport(htons(port), p->p_name))) { - strncpy(buf, sv->s_name, sizeof(buf)-1); - buf[sizeof(buf)-1] = '\0'; - return buf; + if ((opts & OPT_NORESOLVE) == 0) { + if (pr == -1) { + if ((sv = getservbyport(htons(port), "tcp"))) { + strncpy(buf, sv->s_name, sizeof(buf)-1); + buf[sizeof(buf)-1] = '\0'; + sv1 = getservbyport(htons(port), "udp"); + sv = strncasecmp(buf, sv->s_name, strlen(buf)) ? + NULL : sv1; + } + if (sv) + return buf; + } else if ((pr != -2) && (p = getprotobynumber(pr))) { + if ((sv = getservbyport(htons(port), p->p_name))) { + strncpy(buf, sv->s_name, sizeof(buf)-1); + buf[sizeof(buf)-1] = '\0'; + return buf; + } } } diff --git a/usr/src/cmd/ipf/lib/common/portnum.c b/usr/src/cmd/ipf/lib/common/portnum.c index 07556337c8..4079f464c2 100644 --- a/usr/src/cmd/ipf/lib/common/portnum.c +++ b/usr/src/cmd/ipf/lib/common/portnum.c @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * - * $Id: portnum.c,v 1.6 2001/06/09 17:09:24 darrenr Exp $ + * $Id: portnum.c,v 1.6.4.1 2004/12/09 19:41:22 darrenr Exp $ */ #include <ctype.h> @@ -25,7 +25,7 @@ int linenum; u_short p1 = 0; int i; - if (isdigit(*name)) { + if (ISDIGIT(*name)) { if (ratoi(name, &i, 0, USHRT_MAX)) { *port = (u_short)i; return 1; 
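Review bot: In the `pr == -1` branch, `sv->s_name` is read after the second getservbyport() call, but getservbyport() returns a pointer to static storage that a later call may overwrite, so at that point `sv` and `sv1` presumably alias the same struct and the comparison is really `buf` against the UDP name, or against unspecified contents when the UDP lookup failed and `sv1` is NULL. The commit only wraps the block in the OPT_NORESOLVE test. Comparing through the pointer that was just returned, `sv = (sv1 != NULL && strcasecmp(buf, sv1->s_name) == 0) ? sv1 : NULL;`, expresses the intent (same service name under tcp and udp) without depending on what the library left behind; note also that `strncasecmp(..., strlen(buf))` accepts a longer UDP name that merely shares the prefix. portname's header, where `buf` and `opts` are declared, is outside the hunk.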
diff --git a/usr/src/cmd/ipf/lib/common/ports.c b/usr/src/cmd/ipf/lib/common/ports.c index 1c56f6e9ca..9a44e2c06a 100644 --- a/usr/src/cmd/ipf/lib/common/ports.c +++ b/usr/src/cmd/ipf/lib/common/ports.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ports.c,v 1.9 2002/01/28 06:50:47 darrenr Exp $ + * $Id: ports.c,v 1.9.4.1 2004/12/09 19:41:22 darrenr Exp $ */ #include <ctype.h> @@ -28,7 +28,7 @@ int linenum; return 0; if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) { (*seg)++; - if (isalnum(***seg) && *(*seg + 2)) { + if (ISALNUM(***seg) && *(*seg + 2)) { if (portnum(**seg, proto, pp, linenum) == 0) return -1; (*seg)++; diff --git a/usr/src/cmd/ipf/lib/common/print_toif.c b/usr/src/cmd/ipf/lib/common/print_toif.c index 81524396d2..fc57a302e8 100644 --- a/usr/src/cmd/ipf/lib/common/print_toif.c +++ b/usr/src/cmd/ipf/lib/common/print_toif.c @@ -5,7 +5,7 @@ * * $Id: print_toif.c,v 1.8 2002/01/28 06:50:47 darrenr Exp $ * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -28,7 +28,7 @@ frdest_t *fdp; char ipv6addr[INET6_ADDRSTRLEN]; inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr, - sizeof(ipv6addr)); + sizeof(fdp->fd_ip6)); printf(":%s", ipv6addr); } else #endif diff --git a/usr/src/cmd/ipf/lib/common/printactivenat.c b/usr/src/cmd/ipf/lib/common/printactivenat.c new file mode 100644 index 0000000000..389818b67b --- /dev/null +++ b/usr/src/cmd/ipf/lib/common/printactivenat.c 
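Review bot: The fourth argument of inet_ntop() is the size of the destination text buffer, so replacing `sizeof(ipv6addr)` with `sizeof(fdp->fd_ip6)` in print_toif.c passes the size of the binary address (presumably 16 bytes) instead of the INET6_ADDRSTRLEN buffer declared on the line above; any address whose text form needs 16 or more characters then makes inet_ntop() fail with ENOSPC, and the following `printf(":%s", ipv6addr)` prints whatever uninitialised stack the array holds. The original bound was the correct one and should be restored, `inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr, sizeof(ipv6addr));`, ideally with the NULL return checked before printing. print_toif's body continues outside the hunk.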
@@ -0,0 +1,83 @@ +/* + * Copyright (C) 1993-2001 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com) + */ + +#include "ipf.h" + + +#if !defined(lint) +static const char rcsid[] = "@(#)$Id: printactivenat.c,v 1.3.2.4 2004/05/11 16:07:32 darrenr Exp $"; +#endif + + +void printactivenat(nat, opts) +nat_t *nat; +int opts; +{ + + printf("%s", getnattype(nat->nat_ptr)); + + if (nat->nat_flags & SI_CLONE) + printf(" CLONE"); + + printf(" %-15s", inet_ntoa(nat->nat_inip)); + + if ((nat->nat_flags & IPN_TCPUDP) != 0) + printf(" %-5hu", ntohs(nat->nat_inport)); + + printf(" <- -> %-15s",inet_ntoa(nat->nat_outip)); + + if ((nat->nat_flags & IPN_TCPUDP) != 0) + printf(" %-5hu", ntohs(nat->nat_outport)); + + printf(" [%s", inet_ntoa(nat->nat_oip)); + if ((nat->nat_flags & IPN_TCPUDP) != 0) + printf(" %hu", ntohs(nat->nat_oport)); + printf("]"); + + if (opts & OPT_VERBOSE) { + printf("\n\tage %lu use %hu sumd %s/", + nat->nat_age, nat->nat_use, getsumd(nat->nat_sumd[0])); + printf("%s pr %u bkt %d/%d flags %x\n", + getsumd(nat->nat_sumd[1]), nat->nat_p, + nat->nat_hv[0], nat->nat_hv[1], nat->nat_flags); + printf("\tifp %s", getifname(nat->nat_ifps[0])); + printf(",%s ", getifname(nat->nat_ifps[1])); +#ifdef USE_QUAD_T + printf("bytes %qu/%qu pkts %qu/%qu", + (unsigned long long)nat->nat_bytes[0], + (unsigned long long)nat->nat_bytes[1], + (unsigned long long)nat->nat_pkts[0], + (unsigned long long)nat->nat_pkts[1]); +#else + printf("bytes %lu/%lu pkts %lu/%lu", nat->nat_bytes[0], + nat->nat_bytes[1], nat->nat_pkts[0], nat->nat_pkts[1]); +#endif + printf(" ipsumd %x", nat->nat_ipsumd); + } + + if (opts & OPT_DEBUG) { + printf("\n\tnat_next %p _pnext %p _hm %p\n", + nat->nat_next, nat->nat_pnext, nat->nat_hm); + printf("\t_hnext %p/%p _phnext %p/%p\n", + nat->nat_hnext[0], nat->nat_hnext[1], + nat->nat_phnext[0], nat->nat_phnext[1]); + printf("\t_data %p _me %p _state %p _aps 
%p\n", + nat->nat_data, nat->nat_me, nat->nat_state, nat->nat_aps); + printf("\tfr %p ptr %p ifps %p/%p sync %p\n", + nat->nat_fr, nat->nat_ptr, nat->nat_ifps[0], + nat->nat_ifps[1], nat->nat_sync); + printf("\ttqe:pnext %p next %p ifq %p parent %p/%p\n", + nat->nat_tqe.tqe_pnext, nat->nat_tqe.tqe_next, + nat->nat_tqe.tqe_ifq, nat->nat_tqe.tqe_parent, nat); + printf("\ttqe:die %ld touched %ld flags %x state %d/%d\n", + nat->nat_tqe.tqe_die, nat->nat_tqe.tqe_touched, + nat->nat_tqe.tqe_flags, nat->nat_tqe.tqe_state[0], + nat->nat_tqe.tqe_state[1]); + } + putchar('\n'); +} diff --git a/usr/src/cmd/ipf/lib/common/printaps.c b/usr/src/cmd/ipf/lib/common/printaps.c index 437fc03ae9..45b4b2f6ad 100644 --- a/usr/src/cmd/ipf/lib/common/printaps.c +++ b/usr/src/cmd/ipf/lib/common/printaps.c @@ -11,7 +11,7 @@ #if !defined(lint) -static const char rcsid[] = "@(#)$Id"; +static const char rcsid[] = "@(#)$Id: printaps.c,v 1.4 2004/01/08 13:34:32 darrenr Exp $"; #endif diff --git a/usr/src/cmd/ipf/lib/common/printbuf.c b/usr/src/cmd/ipf/lib/common/printbuf.c index dae0e541a0..613293ae19 100644 --- a/usr/src/cmd/ipf/lib/common/printbuf.c +++ b/usr/src/cmd/ipf/lib/common/printbuf.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printbuf.c,v 1.5 2001/06/09 17:09:24 darrenr Exp $ + * $Id: printbuf.c,v 1.5.4.1 2004/12/09 19:41:22 darrenr Exp $ */ #include <ctype.h> @@ -20,7 +20,7 @@ int len, zend; for (s = buf, i = len; i; i--) { c = *s++; - if (isprint(c)) + if (ISPRINT(c)) putchar(c); else printf("\\%03o", c); diff --git a/usr/src/cmd/ipf/lib/common/printfr.c b/usr/src/cmd/ipf/lib/common/printfr.c index fc7a3a1a8e..d7bd3f2bbf 100644 --- a/usr/src/cmd/ipf/lib/common/printfr.c +++ b/usr/src/cmd/ipf/lib/common/printfr.c 
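Review bot: printactivenat is added without a header comment, and its verbose and debug branches use conversions (`%lu` for nat_age, `%hu` for nat_use, `%x` for nat_flags, `%ld` for tqe_die and tqe_touched, `%lu` for nat_bytes/nat_pkts in the `#else` branch) whose argument types cannot be checked from this file; a mismatch is undefined behaviour, so the `(unsigned long long)` casts in the USE_QUAD_T branch are the pattern the other conversions should follow, or the file should be built with `-Wformat`. A suggested header: `/* Print one active NAT session on one line; OPT_VERBOSE adds age, checksum deltas, counters and interfaces, OPT_DEBUG adds the kernel list pointers and timeout-queue entry. */`.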
@@ -3,9 +3,9 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printfr.c,v 1.37 2003/06/03 16:01:12 darrenr Exp $ + * $Id: printfr.c,v 1.43.2.12 2005/06/12 07:18:42 darrenr Exp $ * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -13,6 +13,60 @@ #include "ipf.h" +static void printaddr(int, int, char *, u_32_t *, u_32_t *); + +static void printaddr(v, type, ifname, addr, mask) +int v, type; +char *ifname; +u_32_t *addr, *mask; +{ + char *suffix; + + switch (type) + { + case FRI_BROADCAST : + suffix = "/bcast"; + break; + + case FRI_DYNAMIC : + printf("%s", ifname); + printmask(v, mask); + suffix = NULL; + break; + + case FRI_NETWORK : + suffix = "/net"; + break; + + case FRI_NETMASKED : + suffix = "/netmasked"; + break; + + case FRI_PEERADDR : + suffix = "/peer"; + break; + + case FRI_LOOKUP : + suffix = NULL; + printlookup((i6addr_t *)addr, (i6addr_t *)mask); + break; + + case FRI_NORMAL : + printhostmask(v, addr, mask); + suffix = NULL; + break; + default : + printf("<%d>", type); + printmask(v, mask); + suffix = NULL; + break; + } + + if (suffix != NULL) { + printf("%s/%s", ifname, suffix); + } +} + void printlookup(addr, mask) i6addr_t *addr, *mask; @@ -59,6 +113,9 @@ ioctlfunc_t iocfunc; if ((fp->fr_type & FR_T_BUILTIN) != 0) printf("# Builtin: "); + if (fp->fr_collect != 0) + printf("%u ", fp->fr_collect); + if (fp->fr_type == FR_T_CALLFUNC) { ; } else if (fp->fr_func != NULL) { 
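Review bot: printaddr's suffix strings already carry a leading slash (`"/bcast"`, `"/net"`, `"/netmasked"`, `"/peer"`) and the final `printf("%s/%s", ifname, suffix)` adds another, so the output becomes `ifname//bcast` where the code this replaces (the large removal further down this file) printed `ifname/bcast`; that changes the text ipfstat emits and is unlikely to round-trip through the rule parser. Either drop the slash from the four literals or print with `printf("%s%s", ifname, suffix);`. The FRI_DYNAMIC, FRI_LOOKUP, FRI_NORMAL and default cases print by themselves and are unaffected.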
@@ -120,30 +177,32 @@ ioctlfunc_t iocfunc; if (*fp->fr_ifnames[1] && strcmp(fp->fr_ifnames[1], "*")) printifname(",", fp->fr_ifnames[1], fp->fr_ifas[1]); putchar(' '); + } - if (*fp->fr_dif.fd_ifname) - print_toif("dup-to", &fp->fr_dif); - if (*fp->fr_tif.fd_ifname) - print_toif("to", &fp->fr_tif); - if (fp->fr_flags & FR_FASTROUTE) - printf("fastroute "); - - if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) || - (*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) { - if (fp->fr_flags & FR_OUTQUE) - printf("in-via "); - else - printf("out-via "); + if (*fp->fr_dif.fd_ifname || (fp->fr_flags & FR_DUP)) + print_toif("dup-to", &fp->fr_dif); + if (*fp->fr_tif.fd_ifname) + print_toif("to", &fp->fr_tif); + if (*fp->fr_rif.fd_ifname) + print_toif("reply-to", &fp->fr_rif); + if (fp->fr_flags & FR_FASTROUTE) + printf("fastroute "); - if (*fp->fr_ifnames[2]) { - printifname("", fp->fr_ifnames[2], - fp->fr_ifas[2]); - putchar(' '); + if ((*fp->fr_ifnames[2] && strcmp(fp->fr_ifnames[2], "*")) || + (*fp->fr_ifnames[3] && strcmp(fp->fr_ifnames[3], "*"))) { + if (fp->fr_flags & FR_OUTQUE) + printf("in-via "); + else + printf("out-via "); + + if (*fp->fr_ifnames[2]) { + printifname("", fp->fr_ifnames[2], + fp->fr_ifas[2]); + putchar(' '); - if (*fp->fr_ifnames[3]) { - printifname(",", fp->fr_ifnames[3], - fp->fr_ifas[3]); - } + if (*fp->fr_ifnames[3]) { + printifname(",", fp->fr_ifnames[3], + fp->fr_ifas[3]); } } } @@ -158,10 +217,10 @@ ioctlfunc_t iocfunc; pr = -1; } else if (fp->fr_mip.fi_p) { pr = fp->fr_ip.fi_p; - if ((p = getprotobynumber(fp->fr_proto))) - printf("proto %s ", p->p_name); - else - printf("proto %d ", fp->fr_proto); + p = getprotobynumber(pr); + printf("proto "); + printproto(p, pr, NULL); + putchar(' '); } } 
@@ -169,133 +228,17 @@ ioctlfunc_t iocfunc; printf("all"); } else if (type == FR_T_IPF) { printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : ""); - if (fp->fr_satype != FRI_NORMAL) { - printf("%s", fp->fr_ifname); - if (fp->fr_satype == FRI_BROADCAST) - printf("/bcast"); - else if (fp->fr_satype == FRI_NETWORK) - printf("/net"); - else if (fp->fr_satype == FRI_NETMASKED) - printf("/netmasked"); - else if (fp->fr_satype == FRI_PEERADDR) - printf("/peer"); - else if (fp->fr_satype == FRI_LOOKUP) - printlookup(&fp->fr_ip.fi_src, - &fp->fr_mip.fi_src); - else - printmask(fp->fr_v, - (u_32_t *)&fp->fr_smsk.s_addr); - } else - printhostmask(fp->fr_v, (u_32_t *)&fp->fr_src.s_addr, - (u_32_t *)&fp->fr_smsk.s_addr); + printaddr(fp->fr_v, fp->fr_satype, fp->fr_ifname, + &fp->fr_src.s_addr, &fp->fr_smsk.s_addr); if (fp->fr_scmp) printportcmp(pr, &fp->fr_tuc.ftu_src); printf(" to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : ""); - if (fp->fr_datype != FRI_NORMAL) { - printf("%s", fp->fr_ifname); - if (fp->fr_datype == FRI_BROADCAST) - printf("/bcast"); - else if (fp->fr_datype == FRI_NETWORK) - printf("/net"); - else if (fp->fr_datype == FRI_NETMASKED) - printf("/netmasked"); - else if (fp->fr_datype == FRI_PEERADDR) - printf("/peer"); - else if (fp->fr_datype == FRI_LOOKUP) - printlookup(&fp->fr_ip.fi_dst, - &fp->fr_mip.fi_dst); - else - printmask(fp->fr_v, - (u_32_t *)&fp->fr_dmsk.s_addr); - } else - printhostmask(fp->fr_v, (u_32_t *)&fp->fr_dst.s_addr, - (u_32_t *)&fp->fr_dmsk.s_addr); + printaddr(fp->fr_v, fp->fr_datype, fp->fr_ifname, + &fp->fr_dst.s_addr, &fp->fr_dmsk.s_addr); if (fp->fr_dcmp) printportcmp(pr, &fp->fr_tuc.ftu_dst); - if ((fp->fr_flx & FI_WITH) || (fp->fr_mflx & FI_WITH) || - fp->fr_optbits || fp->fr_optmask || - fp->fr_secbits || fp->fr_secmask) { - printf(" with"); - if (fp->fr_optbits || fp->fr_optmask || - fp->fr_secbits || fp->fr_secmask) { - sec[0] = fp->fr_secmask; - sec[1] = fp->fr_secbits; - if (fp->fr_v == 4) - optprint(sec, fp->fr_optmask, - 
fp->fr_optbits); -#ifdef USE_INET6 - else - optprintv6(sec, fp->fr_optmask, - fp->fr_optbits); -#endif - } else if (fp->fr_mflx & FI_OPTIONS) { - if (!(fp->fr_flx & FI_OPTIONS)) - printf(" not"); - printf(" ipopts"); - } - if (fp->fr_mflx & FI_SHORT) { - if (!(fp->fr_flx & FI_SHORT)) - printf(" not"); - printf(" short"); - } - if (fp->fr_mflx & FI_FRAG) { - if (!(fp->fr_flx & FI_FRAG)) - printf(" not"); - printf(" frag"); - } - if (fp->fr_mflx & FI_NATED) { - if (!(fp->fr_flx & FI_NATED)) - printf(" not"); - printf(" nat"); - } - if (fp->fr_mflx & FI_MULTICAST) { - if (!(fp->fr_flx & FI_MULTICAST)) - printf(" not"); - printf(" multicast"); - } - if (fp->fr_mflx & FI_BROADCAST) { - if (!(fp->fr_flx & FI_BROADCAST)) - printf(" not"); - printf(" bcast"); - } - if (fp->fr_mflx & FI_MBCAST) { - if (!(fp->fr_flx & FI_MBCAST)) - printf(" not"); - printf(" mbcast"); - } - if (fp->fr_mflx & FI_STATE) { - if (!(fp->fr_flx & FI_STATE)) - printf(" not"); - printf(" state"); - } - if (fp->fr_mflx & FI_BADNAT) { - if (!(fp->fr_flx & FI_BADNAT)) - printf(" not"); - printf(" bad-nat"); - } - if (fp->fr_mflx & FI_BAD) { - if (!(fp->fr_flx & FI_BAD)) - printf(" not"); - printf(" bad"); - } - if (fp->fr_mflx & FI_OOW) { - if (!(fp->fr_flx & FI_OOW)) - printf(" not"); - printf(" oow"); - } - if (fp->fr_mflx & FI_LOWTTL) { - if (!(fp->fr_flx & FI_LOWTTL)) - printf(" not"); - printf(" lowttl"); - } - if (fp->fr_mflx & FI_BADSRC) { - if (!(fp->fr_flx & FI_BADSRC)) - printf(" not"); - printf(" bad-src"); - } - } if ((fp->fr_proto == IPPROTO_ICMP #ifdef USE_INET6 || fp->fr_proto == IPPROTO_ICMPV6 
@@ -334,19 +277,18 @@ ioctlfunc_t iocfunc; (void)putchar(*s); } } -#ifdef IPFILTER_BPF } else if (type == FR_T_BPFOPC) { - u_32_t *bp; + fakebpf_t *fb; int i; - printf("{"); - i = fp->fr_dsize / sizeof(*bp); + printf("bpf-v%d { \"", fp->fr_v); + i = fp->fr_dsize / sizeof(*fb); - for (bp = fp->fr_data; i; i--, bp++) - printf(" 0x%08x", *bp); + for (fb = fp->fr_data, s = ""; i; i--, fb++, s = " ") + printf("%s%#x %#x %#x %#x", s, fb->fb_c, fb->fb_t, + fb->fb_f, fb->fb_k); - printf(" }"); -#endif + printf("\" }"); } else if (type == FR_T_COMPIPF) { ; } else if (type == FR_T_CALLFUNC) { 
@@ -355,21 +297,153 @@ ioctlfunc_t iocfunc; printf("[unknown filter type %#x]", fp->fr_type); } + if ((type == FR_T_IPF) && + ((fp->fr_flx & FI_WITH) || (fp->fr_mflx & FI_WITH) || + fp->fr_optbits || fp->fr_optmask || + fp->fr_secbits || fp->fr_secmask)) { + char *comma = " "; + + printf(" with"); + if (fp->fr_optbits || fp->fr_optmask || + fp->fr_secbits || fp->fr_secmask) { + sec[0] = fp->fr_secmask; + sec[1] = fp->fr_secbits; + if (fp->fr_v == 4) + optprint(sec, fp->fr_optmask, fp->fr_optbits); +#ifdef USE_INET6 + else + optprintv6(sec, fp->fr_optmask, + fp->fr_optbits); +#endif + } else if (fp->fr_mflx & FI_OPTIONS) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_OPTIONS)) + printf("not "); + printf("ipopts"); + comma = ","; + } + if (fp->fr_mflx & FI_SHORT) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_SHORT)) + printf("not "); + printf("short"); + comma = ","; + } + if (fp->fr_mflx & FI_FRAG) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_FRAG)) + printf("not "); + printf("frag"); + comma = ","; + } + if (fp->fr_mflx & FI_FRAGBODY) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_FRAGBODY)) + printf("not "); + printf("frag-body"); + comma = ","; + } + if (fp->fr_mflx & FI_NATED) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_NATED)) + printf("not "); + printf("nat"); + comma = ","; + } + if (fp->fr_mflx & FI_LOWTTL) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_LOWTTL)) + printf("not "); + printf("lowttl"); + comma = ","; + } + if (fp->fr_mflx & FI_BAD) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_BAD)) + printf("not "); + printf("bad"); + comma = ","; + } + if (fp->fr_mflx & FI_BADSRC) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_BADSRC)) + printf("not "); + printf("bad-src"); + comma = ","; + } + if (fp->fr_mflx & FI_BADNAT) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_BADNAT)) + printf("not "); + printf("bad-nat"); + comma = ","; + } + if (fp->fr_mflx & FI_OOW) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_OOW)) + 
printf("not "); + printf("oow"); + } + if (fp->fr_mflx & FI_MULTICAST) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_MULTICAST)) + printf("not "); + printf("multicast"); + comma = ","; + } + if (fp->fr_mflx & FI_BROADCAST) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_BROADCAST)) + printf("not "); + printf("bcast"); + comma = ","; + } + if (fp->fr_mflx & FI_MBCAST) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_MBCAST)) + printf("not "); + printf("mbcast"); + comma = ","; + } + if (fp->fr_mflx & FI_STATE) { + fputs(comma, stdout); + if (!(fp->fr_flx & FI_STATE)) + printf("not "); + printf("state"); + comma = ","; + } + } + if (fp->fr_flags & FR_KEEPSTATE) { printf(" keep state"); - if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN)) || + if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|FR_NOICMPERR|FR_STATESYNC)) || (fp->fr_statemax != 0) || (fp->fr_age[0] != 0)) { + char *comma = ""; printf(" ("); - if (fp->fr_statemax != 0) - printf(" limit %u", fp->fr_statemax); - if (fp->fr_flags & FR_FRSTRICT) - printf(" strict"); - if (fp->fr_flags & FR_NEWISN) - printf(" newisn"); + if (fp->fr_statemax != 0) { + printf("limit %u", fp->fr_statemax); + comma = ","; + } + if (fp->fr_flags & FR_STSTRICT) { + printf("%sstrict", comma); + comma = ","; + } + if (fp->fr_flags & FR_NEWISN) { + printf("%snewisn", comma); + comma = ","; + } + if (fp->fr_flags & FR_NOICMPERR) { + printf("%sno-icmp-err", comma); + comma = ","; + } + if (fp->fr_flags & FR_STATESYNC) { + printf("%ssync", comma); + comma = ","; + } if (fp->fr_age[0] || fp->fr_age[1]) - printf(" age %d/%d", fp->fr_age[0], + printf("%sage %d/%d", comma, fp->fr_age[0], fp->fr_age[1]); - printf(" )"); + printf(")"); } } if (fp->fr_flags & FR_KEEPFRAG) { 
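Review bot: The FI_OOW branch of the new `with` block is the only one that does not set `comma = ","` after printing, so a rule that also matches multicast, bcast, mbcast or state prints `with oow multicast` while every other pair prints `with short,frag`; the optprint/optprintv6 branch likewise leaves `comma` at its initial `" "`, which may be intended but deserves a comment. Adding `comma = ",";` after `printf("oow");` makes the separator uniform. printfr's body continues outside the hunk.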
@@ -392,8 +466,20 @@ ioctlfunc_t iocfunc; printf(" head %s", fp->fr_grhead); if (*fp->fr_group != '\0') printf(" group %s", fp->fr_group); - if (fp->fr_logtag != FR_NOLOGTAG) - printf(" log-tag %u", fp->fr_logtag); + if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) { + char *s = ""; + + printf(" set-tag("); + if (fp->fr_logtag != FR_NOLOGTAG) { + printf("log=%u", fp->fr_logtag); + s = ", "; + } + if (*fp->fr_nattag.ipt_tag) { + printf("%snat=%-.*s", s, IPFTAG_LEN, + fp->fr_nattag.ipt_tag); + } + printf(")"); + } if (fp->fr_pps) printf(" pps %d", fp->fr_pps); (void)putchar('\n'); diff --git a/usr/src/cmd/ipf/lib/common/printfraginfo.c b/usr/src/cmd/ipf/lib/common/printfraginfo.c new file mode 100644 index 0000000000..557b031a6b --- /dev/null +++ b/usr/src/cmd/ipf/lib/common/printfraginfo.c @@ -0,0 +1,27 @@ +/* + * Copyright (C) 2004 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + * + * $Id: printfraginfo.c,v 1.1.2.2 2004/03/23 15:15:45 darrenr Exp $ + */ +#include "ipf.h" +#include "kmem.h" + +void printfraginfo(prefix, ifr) +char *prefix; +struct ipfr *ifr; +{ + frentry_t fr; + + fr.fr_flags = 0xffffffff; + + printf("%s%s -> ", prefix, hostname(4, &ifr->ipfr_src)); + if (kmemcpy((char *)&fr, (u_long)ifr->ipfr_rule, + sizeof(fr)) == -1) + return; + printf("%s id %d ttl %d pr %d seen0 %d ifp %p tos %#02x = %#x\n", + hostname(4, &ifr->ipfr_dst), ifr->ipfr_id, ifr->ipfr_seen0, + ifr->ipfr_ttl, ifr->ipfr_p, ifr->ipfr_ifp, ifr->ipfr_tos, + fr.fr_flags); +} diff --git a/usr/src/cmd/ipf/lib/common/printhash.c b/usr/src/cmd/ipf/lib/common/printhash.c index f683226026..034c952d6f 100644 --- a/usr/src/cmd/ipf/lib/common/printhash.c +++ b/usr/src/cmd/ipf/lib/common/printhash.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
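Review bot: In printfraginfo.c the format `"%s id %d ttl %d pr %d seen0 %d ..."` is followed by `ifr->ipfr_id, ifr->ipfr_seen0, ifr->ipfr_ttl, ifr->ipfr_p`, so the value labelled `ttl` is seen0, `pr` is the ttl and `seen0` is the protocol. Reordering the arguments to `ifr->ipfr_id, ifr->ipfr_ttl, ifr->ipfr_p, ifr->ipfr_seen0` matches the labels. Separately, when kmemcpy() fails the function returns after printing `src -> ` with no newline, so the next line of output is appended to it; a `putchar('\n');` before that `return;` keeps the listing one entry per line.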
@@ -14,19 +14,24 @@ #define PRINTF (void)printf #define FPRINTF (void)fprintf -iphtable_t *printhash(hp, copyfunc, opts) + +iphtable_t *printhash(hp, copyfunc, name, opts) iphtable_t *hp; copyfunc_t copyfunc; +char *name; int opts; { iphtent_t *ipep, **table; iphtable_t iph; + int i, printed; size_t sz; - int i; if ((*copyfunc)((char *)hp, (char *)&iph, sizeof(iph))) return NULL; + if ((name != NULL) && strncmp(name, iph.iph_name, FR_GROUPLEN)) + return iph.iph_next; + if ((opts & OPT_DEBUG) == 0) { if ((iph.iph_type & IPHASH_ANON) == IPHASH_ANON) PRINTF("# 'anonymous' table\n"); @@ -124,11 +129,14 @@ int opts; if ((*copyfunc)((char *)iph.iph_table, (char *)table, sz)) return NULL; - for (i = 0; i < iph.iph_size; i++) { + for (i = 0, printed = 0; i < iph.iph_size; i++) { for (ipep = table[i]; ipep != NULL; ) { ipep = printhashnode(&iph, ipep, copyfunc, opts); + printed++; } } + if (printed == 0) + putchar(';'); free(table); diff --git a/usr/src/cmd/ipf/lib/common/printhashnode.c b/usr/src/cmd/ipf/lib/common/printhashnode.c index 83cd57eab1..10f2223f28 100644 --- a/usr/src/cmd/ipf/lib/common/printhashnode.c +++ b/usr/src/cmd/ipf/lib/common/printhashnode.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -47,8 +47,8 @@ int opts; #endif printmask(4, (u_32_t *)&ipe.ipe_mask.in4_addr); - PRINTF("\tRef. Count: %d\tValue: %d\n", ipe.ipe_ref, - ipe.ipe_value); + PRINTF("\tRef. Count: %d\tGroup: %s\n", ipe.ipe_ref, + ipe.ipe_group); } else { putchar(' '); #ifdef USE_INET6 @@ -65,8 +65,10 @@ int opts; switch (iph->iph_type & ~IPHASH_ANON) { case IPHASH_GROUPMAP : - PRINTF(", group = %s", ipe.ipe_group); - break; + if (strncmp(ipe.ipe_group, iph->iph_name, + FR_GROUPLEN)) + PRINTF(", group = %s", ipe.ipe_group); + break; } } putchar(';'); 
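Review bot: In printhashnode.c, `PRINTF("\tRef. Count: %d\tGroup: %s\n", ipe.ipe_ref, ipe.ipe_group);` (the `@@ -47` hunk) and `PRINTF(", group = %s", ipe.ipe_group);` (the `@@ -65` hunk) print a name copied out of the kernel with an unbounded `%s`; the adjacent `strncmp(ipe.ipe_group, iph->iph_name, FR_GROUPLEN)` suggests the field is a fixed FR_GROUPLEN array, in which case a full-length name has no terminator and printf reads past it. Bound the output the same way the comparison is bounded: `PRINTF("\tRef. Count: %d\tGroup: %.*s\n", ipe.ipe_ref, FR_GROUPLEN, ipe.ipe_group);` and `PRINTF(", group = %.*s", FR_GROUPLEN, ipe.ipe_group);`. If ipe_group is guaranteed terminated elsewhere, a comment at its declaration saying so would settle it. printhashnode's body starts outside these hunks.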
diff --git a/usr/src/cmd/ipf/lib/common/printnat.c b/usr/src/cmd/ipf/lib/common/printnat.c
index 2f6c058bc4..0e228652fa 100644
--- a/usr/src/cmd/ipf/lib/common/printnat.c
+++ b/usr/src/cmd/ipf/lib/common/printnat.c
@@ -5,7 +5,7 @@ * * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com) * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */
@@ -16,84 +16,9 @@ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: printnat.c,v 1.14 2003/04/13 06:39:16 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.9 2005/06/12 07:18:43 darrenr Exp $"; #endif - -void printactivenat(nat, opts) -nat_t *nat; -int opts; -{ - u_int hv1, hv2; - - printf("%s", getnattype(nat->nat_ptr)); - - if (nat->nat_flags & SI_CLONE) - printf(" CLONE"); - - printf(" %-15s", inet_ntoa(nat->nat_inip)); - - if ((nat->nat_flags & IPN_TCPUDP) != 0) - printf(" %-5hu", ntohs(nat->nat_inport)); - - printf(" <- -> %-15s",inet_ntoa(nat->nat_outip)); - - if ((nat->nat_flags & IPN_TCPUDP) != 0) - printf(" %-5hu", ntohs(nat->nat_outport)); - - printf(" [%s", inet_ntoa(nat->nat_oip)); - if ((nat->nat_flags & IPN_TCPUDP) != 0) - printf(" %hu", ntohs(nat->nat_oport)); - printf("]"); - - if (opts & OPT_VERBOSE) { - printf("\n\tage %lu use %hu sumd %s/", - nat->nat_age, nat->nat_use, getsumd(nat->nat_sumd[0])); - if ((nat->nat_flags & SI_WILDP) == 0) { - hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, - nat->nat_inport, 0xffffffff); - hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, - hv1 + nat->nat_oport, NAT_TABLE_SZ); - hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, - nat->nat_outport, 0xffffffff); - hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, - hv2 + nat->nat_oport, NAT_TABLE_SZ); - } else { - hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, 0, - 0xffffffff); - hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1, - NAT_TABLE_SZ); - hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, 0, - 0xffffffff); - hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2, - NAT_TABLE_SZ); - } - printf("%s pr %u bkt %d/%d flags %x\n", - getsumd(nat->nat_sumd[1]), nat->nat_p, - hv1, hv2, nat->nat_flags); - printf("\tifp %s", getifname(nat->nat_ifps[0])); - printf(",%s ", getifname(nat->nat_ifps[1])); -#ifdef USE_QUAD_T - printf("bytes %qu/%qu pkts %qu/%qu", - (unsigned long long)nat->nat_bytes[0], - (unsigned long long)nat->nat_bytes[1], - (unsigned long long)nat->nat_pkts[0], - (unsigned long 
long)nat->nat_pkts[1]); -#else - printf("bytes %lu/%lu pkts %lu/%lu", nat->nat_bytes[0], - nat->nat_bytes[1], nat->nat_pkts[0], nat->nat_pkts[1]); -#endif -#if SOLARIS - printf(" %lx", nat->nat_ipsumd); -#endif - } - - putchar('\n'); - if (nat->nat_aps) - printaps(nat->nat_aps, opts); -} - - /* * Print out a NAT rule */ @@ -102,7 +27,6 @@ ipnat_t *np; int opts; { struct protoent *pr; - struct servent *sv; int bits; pr = getprotobynumber(np->in_p); @@ -167,33 +91,26 @@ int opts; printf("%s", inet_ntoa(np->in_out[0].in4)); bits = count4bits(np->in_outmsk); if (bits != -1) - printf("/%d ", bits); + printf("/%d", bits); else - printf("/%s ", inet_ntoa(np->in_out[1].in4)); - printf("port %d", ntohs(np->in_pmin)); - if (np->in_pmax != np->in_pmin) - printf("-%d", ntohs(np->in_pmax)); + printf("/%s", inet_ntoa(np->in_out[1].in4)); + if (np->in_flags & IPN_TCPUDP) { + printf(" port %d", ntohs(np->in_pmin)); + if (np->in_pmax != np->in_pmin) + printf("-%d", ntohs(np->in_pmax)); + } } printf(" -> %s", inet_ntoa(np->in_in[0].in4)); if (np->in_flags & IPN_SPLIT) printf(",%s", inet_ntoa(np->in_in[1].in4)); - if (np->in_inip == 0) { - bits = count4bits(np->in_inmsk); - printf("/%d", bits); + if (np->in_flags & IPN_TCPUDP) { + if ((np->in_flags & IPN_FIXEDDPORT) != 0) + printf(" port = %d", ntohs(np->in_pnext)); + else + printf(" port %d", ntohs(np->in_pnext)); } - printf(" port %d", ntohs(np->in_pnext)); - if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) - printf(" tcp/udp"); - else if ((np->in_flags & IPN_TCP) == IPN_TCP) - printf(" tcp"); - else if ((np->in_flags & IPN_UDP) == IPN_UDP) - printf(" udp"); - else if (np->in_p == 0) - printf(" ip"); - else if (pr != NULL) - printf(" %s", pr->p_name); - else - printf(" %d", np->in_p); + putchar(' '); + printproto(pr, np->in_p, np); if (np->in_flags & IPN_ROUNDR) printf(" round-robin"); if (np->in_flags & IPN_FRAG) 
@@ -205,19 +122,14 @@ int opts; printf(" sticky"); if (np->in_mssclamp != 0) printf(" mssclamp %d", np->in_mssclamp); - if (*np->in_plabel != '\0') { - printf(" proxy %.*s/", (int)sizeof(np->in_plabel), + if (*np->in_plabel != '\0') + printf(" proxy %.*s", (int)sizeof(np->in_plabel), np->in_plabel); - if (pr != NULL) - fputs(pr->p_name, stdout); - else - printf("%d", np->in_p); - } + if (np->in_tag.ipt_tag[0] != '\0') + printf(" tag %-.*s", IPFTAG_LEN, np->in_tag.ipt_tag); printf("\n"); if (opts & OPT_DEBUG) - printf("\tspc %lu flg %#x max %u use %d\n", - np->in_space, np->in_flags, - np->in_pmax, np->in_use); + printf("\tpmax %u\n", np->in_pmax); } else { if (!(np->in_flags & IPN_FILTER)) { printf("%s/", inet_ntoa(np->in_in[0].in4)); @@ -240,26 +152,21 @@ int opts; printf("%s", inet_ntoa(np->in_out[1].in4)); } if (*np->in_plabel != '\0') { - printf(" proxy port"); + printf(" proxy port "); if (np->in_dcmp != 0) np->in_dport = htons(np->in_dport); if (np->in_dport != 0) { - if (pr != NULL) - sv = getservbyport(np->in_dport, - pr->p_name); - else - sv = getservbyport(np->in_dport, NULL); - if (sv != NULL) - printf(" %s", sv->s_name); + char *s; + + s = portname(np->in_p, ntohs(np->in_dport)); + if (s != NULL) + fputs(s, stdout); else - printf(" %hu", ntohs(np->in_dport)); + fputs("???", stdout); } printf(" %.*s/", (int)sizeof(np->in_plabel), np->in_plabel); - if (pr != NULL) - fputs(pr->p_name, stdout); - else - printf("%d", np->in_p); + printproto(pr, np->in_p, NULL); } else if (np->in_redir == NAT_MAPBLK) { if ((np->in_pmin == 0) && (np->in_flags & IPN_AUTOPORTMAP)) 
@@ -269,13 +176,12 @@ int opts; if (opts & OPT_DEBUG) printf("\n\tip modulous %d", np->in_pmax); } else if (np->in_pmin || np->in_pmax) { - printf(" portmap"); - if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) - printf(" tcp/udp"); - else if (np->in_flags & IPN_TCP) - printf(" tcp"); - else if (np->in_flags & IPN_UDP) - printf(" udp"); + if (np->in_flags & IPN_ICMPQUERY) { + printf(" icmpidmap "); + } else { + printf(" portmap "); + } + printproto(pr, np->in_p, np); if (np->in_flags & IPN_AUTOPORTMAP) { printf(" auto"); if (opts & OPT_DEBUG) @@ -287,7 +193,11 @@ int opts; printf(" %d:%d", ntohs(np->in_pmin), ntohs(np->in_pmax)); } + } else if (np->in_flags & IPN_TCPUDP || np->in_p) { + putchar(' '); + printproto(pr, np->in_p, np); } + if (np->in_flags & IPN_FRAG) printf(" frag"); if (np->in_age[0] != 0 || np->in_age[1] != 0) { @@ -295,16 +205,26 @@ int opts; } if (np->in_mssclamp != 0) printf(" mssclamp %d", np->in_mssclamp); + if (np->in_tag.ipt_tag[0] != '\0') + printf(" tag %s", np->in_tag.ipt_tag); printf("\n"); if (opts & OPT_DEBUG) { struct in_addr nip; nip.s_addr = htonl(np->in_nextip.s_addr); - printf("\tspace %lu nextip %s pnext %d", np->in_space, + printf("\tnextip %s pnext %d\n", inet_ntoa(nip), np->in_pnext); - printf(" flags %x use %u\n", - np->in_flags, np->in_use); } } + + if (opts & OPT_DEBUG) { + printf("\tspace %lu use %u hits %lu flags %#x proto %d hv %d\n", + np->in_space, np->in_use, np->in_hits, + np->in_flags, np->in_p, np->in_hv); + printf("\tifp[0] %p ifp[1] %p apr %p\n", + np->in_ifps[0], np->in_ifps[1], np->in_apr); + printf("\ttqehead %p/%p comment %p\n", + np->in_tqehead[0], np->in_tqehead[1], np->in_comment); + } } diff --git a/usr/src/cmd/ipf/lib/common/printpacket.c b/usr/src/cmd/ipf/lib/common/printpacket.c index 6f2194af70..4121e3acd5 100644 --- a/usr/src/cmd/ipf/lib/common/printpacket.c +++ b/usr/src/cmd/ipf/lib/common/printpacket.c 
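Review bot: `printf(" tag %s", np->in_tag.ipt_tag);` in the `@@ -295,16 +205,26 @@` hunk prints the tag unbounded, while the map-rule branch in the `@@ -205,19 +122,14 @@` hunk prints the same field as `%-.*s` with `IPFTAG_LEN`; if a tag fills the array exactly, this `%s` runs off the end of it. Use the bounded form here too: `printf(" tag %-.*s", IPFTAG_LEN, np->in_tag.ipt_tag);`. In the `@@ -287` hunk the condition `np->in_flags & IPN_TCPUDP || np->in_p` relies on `&` binding tighter than `||`; `(np->in_flags & IPN_TCPUDP) || np->in_p` says what is meant and keeps -Wparentheses quiet. printnat's body continues outside these hunks.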
@@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: printpacket.c,v 1.12 2002/11/02 13:27:29 darrenr Exp $ + * $Id: printpacket.c,v 1.12.4.1 2005/02/21 05:09:24 darrenr Exp $ */ #include "ipf.h" @@ -18,11 +18,15 @@ struct ip *ip; { struct tcphdr *tcp; u_short len; + u_short off; - if (IP_V(ip) == 6) + if (IP_V(ip) == 6) { + off = 0; len = ntohs(((u_short *)ip)[2]) + 40; - else + } else { + off = ntohs(ip->ip_off); len = ntohs(ip->ip_len); + } if ((opts & OPT_HEX) == OPT_HEX) { u_char *s; @@ -47,15 +51,15 @@ struct ip *ip; tcp = (struct tcphdr *)((char *)ip + (IP_HL(ip) << 2)); printf("ip %d(%d) %d", ntohs(ip->ip_len), IP_HL(ip) << 2, ip->ip_p); - if (ip->ip_off & IP_OFFMASK) - printf(" @%d", ip->ip_off << 3); + if (off & IP_OFFMASK) + printf(" @%d", off << 3); printf(" %s", inet_ntoa(ip->ip_src)); - if (!(ip->ip_off & IP_OFFMASK)) + if (!(off & IP_OFFMASK)) if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) printf(",%d", ntohs(tcp->th_sport)); printf(" > "); printf("%s", inet_ntoa(ip->ip_dst)); - if (!(ip->ip_off & IP_OFFMASK)) { + if (!(off & IP_OFFMASK)) { if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) printf(",%d", ntohs(tcp->th_dport)); if ((ip->ip_p == IPPROTO_TCP) && (tcp->th_flags != 0)) { diff --git a/usr/src/cmd/ipf/lib/common/printpool.c b/usr/src/cmd/ipf/lib/common/printpool.c index 59f5d727e7..842086274b 100644 --- a/usr/src/cmd/ipf/lib/common/printpool.c +++ b/usr/src/cmd/ipf/lib/common/printpool.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
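Review bot: `printf(" @%d", off << 3);` shifts the whole fragment-offset field, so when IP_MF or IP_DF is set in `off` the displayed byte offset includes those flag bits; the test on the line above masks them but the value printed does not. Use `printf(" @%d", (off & IP_OFFMASK) << 3);`. The old code had the same flaw with `ip->ip_off`, so this is carried over rather than introduced, but the line was rewritten here and is the natural place to fix it. printpacket's body continues outside the hunk.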
@@ -14,17 +14,21 @@ #define PRINTF (void)printf #define FPRINTF (void)fprintf -ip_pool_t *printpool(pp, copyfunc, opts) +ip_pool_t *printpool(pp, copyfunc, name, opts) ip_pool_t *pp; copyfunc_t copyfunc; +char *name; int opts; { - ip_pool_node_t *ipnp, *ipnpn; + ip_pool_node_t *ipnp, *ipnpn, ipn; ip_pool_t ipp; if ((*copyfunc)(pp, &ipp, sizeof(ipp))) return NULL; + if ((name != NULL) && strncmp(name, ipp.ipo_name, FR_GROUPLEN)) + return ipp.ipo_next; + if ((opts & OPT_DEBUG) == 0) { if ((ipp.ipo_flags & IPOOL_ANON) != 0) PRINTF("# 'anonymous' tree %s\n", ipp.ipo_name); @@ -82,17 +86,22 @@ int opts; ipp.ipo_list = NULL; while (ipnpn != NULL) { ipnp = (ip_pool_node_t *)malloc(sizeof(*ipnp)); - (*copyfunc)(ipnpn, ipnp, sizeof(*ipnp)); + (*copyfunc)(ipnpn, ipnp, sizeof(ipn)); ipnpn = ipnp->ipn_next; ipnp->ipn_next = ipp.ipo_list; ipp.ipo_list = ipnp; } - for (ipnp = ipp.ipo_list; ipnp != NULL; ) { - ipnp = printpoolnode(ipnp, opts); + if (ipp.ipo_list == NULL) { + putchar(';'); + } else { + for (ipnp = ipp.ipo_list; ipnp != NULL; ) { + ipnp = printpoolnode(ipnp, opts); - if ((opts & OPT_DEBUG) == 0) - putchar(';'); + if ((opts & OPT_DEBUG) == 0) { + putchar(';'); + } + } } if ((opts & OPT_DEBUG) == 0) diff --git a/usr/src/cmd/ipf/lib/common/printproto.c b/usr/src/cmd/ipf/lib/common/printproto.c new file mode 100644 index 0000000000..dd0ce39ca5 --- /dev/null +++ b/usr/src/cmd/ipf/lib/common/printproto.c 
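Review bot: In the `@@ -82,17 +86,22 @@` hunk of printpool.c the `malloc` result is handed to `(*copyfunc)` unchecked and the copy's return value is ignored, while the header copy at the top of the function (`if ((*copyfunc)(pp, &ipp, sizeof(ipp))) return NULL;`) treats a failed copy as fatal; a NULL from malloc is dereferenced inside copyfunc and a failed copy pushes an uninitialised node onto `ipp.ipo_list`. Check both before linking the node: `if (ipnp == NULL || (*copyfunc)(ipnpn, ipnp, sizeof(*ipnp))) { free(ipnp); break; }`. The switch from `sizeof(*ipnp)` to `sizeof(ipn)` is equivalent and `ipn` exists only for that expression, so the original spelling could stay and the extra local go. printpool's body continues past the hunk.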
@@ -0,0 +1,51 @@ +/* + * Copyright (C) 1993-2005 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + */ + +#include "ipf.h" + + +#if !defined(lint) +static const char rcsid[] = "@(#)$Id: printproto.c,v 1.1.2.1 2005/06/12 07:21:53 darrenr Exp $"; +#endif + + +void printproto(pr, p, np) +struct protoent *pr; +int p; +ipnat_t *np; +{ + if (np != NULL) { + if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) + printf("tcp/udp"); + else if (np->in_flags & IPN_TCP) + printf("tcp"); + else if (np->in_flags & IPN_UDP) + printf("udp"); + else if (np->in_flags & IPN_ICMPQUERY) + printf("icmp"); +#ifdef _AIX51 + /* + * To make up for "ip = 252" and "hopopt = 0" in /etc/protocols + */ + else if (np->in_p == 0) + printf("ip"); +#endif + else if (pr != NULL) + printf("%s", pr->p_name); + else + printf("%d", np->in_p); + } else { +#ifdef _AIX51 + if (p == 0) + printf("ip"); + else +#endif + if (pr != NULL) + printf("%s", pr->p_name); + else + printf("%d", p); + } +} diff --git a/usr/src/cmd/ipf/lib/common/printsbuf.c b/usr/src/cmd/ipf/lib/common/printsbuf.c index 98139cebc9..cc13e19b6b 100644 --- a/usr/src/cmd/ipf/lib/common/printsbuf.c +++ b/usr/src/cmd/ipf/lib/common/printsbuf.c @@ -1,3 +1,8 @@ +/* + * Copyright (C) 1993-2005 by Darren Reed. + * See the IPFILTER.LICENCE file for details on licencing. + */ + #ifdef IPFILTER_SCAN #include <ctype.h> @@ -12,7 +17,7 @@ char *buf; int i; for (s = (u_char *)buf, i = ISC_TLEN; i; i--, s++) { - if (isprint(*s)) + if (ISPRINT(*s)) putchar(*s); else printf("\\%o", *s); diff --git a/usr/src/cmd/ipf/lib/common/printstate.c b/usr/src/cmd/ipf/lib/common/printstate.c index 369c1665bf..b0a58abfd7 100644 --- a/usr/src/cmd/ipf/lib/common/printstate.c +++ b/usr/src/cmd/ipf/lib/common/printstate.c 
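Review bot: printproto() has no header comment and its contract is not obvious from the code: when `np` is non-NULL the `p` argument is ignored and `np->in_flags` plus `np->in_p` decide the output, and `p` is consulted only on the `np == NULL` path. A comment above the definition along the lines of `/* Print the protocol of a NAT rule. With np set, in_flags select tcp/udp/icmp and np->in_p is used; p is consulted only when np is NULL. */` would make the two call styles seen in printnat.c (`printproto(pr, np->in_p, np)` and `printproto(pr, np->in_p, NULL)`) understandable. The second `#ifdef _AIX51` block has no explanation while the first carries one; repeating the one-line reason there keeps the two branches self-describing.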
@@ -10,11 +10,15 @@ #define PRINTF (void)printf #define FPRINTF (void)fprintf -ipstate_t *printstate(sp, opts) +ipstate_t *printstate(sp, opts, now) ipstate_t *sp; int opts; +u_long now; { ipstate_t ips; +#ifdef IPFILTER_SYNC + synclist_t ipsync; +#endif if (kmemcpy((char *)&ips, (u_long)sp, sizeof(ips))) return NULL; @@ -23,7 +27,7 @@ int opts; PRINTF("%s pass %#x pr %d state %d/%d bkt %d\n", hostname(ips.is_v, &ips.is_dst.in4), ips.is_pass, ips.is_p, ips.is_state[0], ips.is_state[1], ips.is_hv); - PRINTF("\ttag %u age %lu/%lu", ips.is_tag, ips.is_die, ips.is_touched); + PRINTF("\ttag %u ttl %lu", ips.is_tag, ips.is_die - now); if (ips.is_p == IPPROTO_TCP) { PRINTF("\n\t%hu -> %hu %x:%x %hu<<%d:%hu<<%d\n", @@ -45,10 +49,13 @@ int opts; printsbuf(ips.is_sbuf[1]); PRINTF("]\n"); #endif - } else if (ips.is_p == IPPROTO_UDP) + } else if (ips.is_p == IPPROTO_UDP) { PRINTF(" %hu -> %hu\n", ntohs(ips.is_sport), ntohs(ips.is_dport)); - else if (ips.is_p == IPPROTO_ICMP + } else if (ips.is_p == IPPROTO_GRE) { + PRINTF(" call %hx/%hx\n", ntohs(ips.is_gre.gs_call[0]), + ntohs(ips.is_gre.gs_call[1])); + } else if (ips.is_p == IPPROTO_ICMP #ifdef USE_INET6 || ips.is_p == IPPROTO_ICMPV6 #endif @@ -57,7 +64,7 @@ int opts; ntohs(ips.is_icmp.ici_seq), ips.is_icmp.ici_type); #ifdef USE_QUAD_T - PRINTF("\tforward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd\n\tbackward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd", + PRINTF("\tforward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd\n\tbackward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd\n", ips.is_pkts[0], ips.is_bytes[0], ips.is_pkts[1], ips.is_bytes[1], ips.is_pkts[2], ips.is_bytes[2], 
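Review bot: `PRINTF("\ttag %u ttl %lu", ips.is_tag, ips.is_die - now);` underflows when `now` has passed `is_die` (an expired entry not yet reaped), printing a value near ULONG_MAX as the remaining ttl, since the subtraction is unsigned as the `%lu` implies. Clamp it: `PRINTF("\ttag %u ttl %lu", ips.is_tag, ips.is_die > now ? ips.is_die - now : 0UL);`. That the two operands share a type is inferred from the format, not visible in the hunk; printstate's body continues outside it.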
@@ -126,16 +133,19 @@ int opts; if (ips.is_pass & FR_KEEPFRAG) PRINTF(" keep frags"); /* a given; no? */ - if (ips.is_pass & FR_KEEPSTATE) + if (ips.is_pass & FR_KEEPSTATE) { PRINTF(" keep state"); + if (ips.is_pass & FR_STATESYNC) + PRINTF(" ( sync )"); + } PRINTF("\tIPv%d", ips.is_v); PRINTF("\n"); PRINTF("\tpkt_flags & %x(%x) = %x,\t", ips.is_flags & 0xf, ips.is_flags, ips.is_flags >> 4); - PRINTF("\tpkt_options & %x = %x\n", ips.is_optmsk, - ips.is_opt); + PRINTF("\tpkt_options & %x = %x, %x = %x \n", ips.is_optmsk[0], + ips.is_opt[0], ips.is_optmsk[1], ips.is_opt[1]); PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n", ips.is_secmsk, ips.is_sec, ips.is_authmsk, ips.is_auth); @@ -159,5 +169,23 @@ int opts; PRINTF("/%p", ips.is_ifp[3]); PRINTF("]\n"); +#ifdef IPFILTER_SYNC + if (ips.is_sync != NULL) { + + if (kmemcpy((char *)&ipsync, (u_long)ips.is_sync, sizeof(ipsync))) { + + PRINTF("\tSync status: status could not be retrieved\n"); + return NULL; + } + + PRINTF("\tSync status: idx %d num %d v %d pr %d rev %d\n", + ipsync.sl_idx, ipsync.sl_num, ipsync.sl_v, + ipsync.sl_p, ipsync.sl_rev); + + } else { + PRINTF("\tSync status: not synchronized\n"); + } +#endif + return ips.is_next; } diff --git a/usr/src/cmd/ipf/lib/common/printtunable.c b/usr/src/cmd/ipf/lib/common/printtunable.c new file mode 100644 index 0000000000..01ea7e8985 --- /dev/null +++ b/usr/src/cmd/ipf/lib/common/printtunable.c 
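Review bot: In the `@@ -159,5 +169,23 @@` hunk, returning NULL when the sync record cannot be read stops the caller's walk of the whole state list, whereas the rest of printstate() reports what it has and returns `ips.is_next`; one unreadable ancillary structure should not hide every later state entry. After the `"Sync status: status could not be retrieved"` message, `return ips.is_next;` keeps the traversal going. The blank lines after `if (ips.is_sync != NULL) {` and after the kmemcpy check are out of step with the rest of the file and could be dropped.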
@@ -0,0 +1,24 @@ +/* + * Copyright (C) 1993-2005 by Darren Reed. + * See the IPFILTER.LICENCE file for details on licencing. + */ + +#include "ipf.h" + +void printtunable(tup) +ipftune_t *tup; +{ + printf("%s\tmin %#lx\tmax %#lx\tcurrent ", + tup->ipft_name, tup->ipft_min, tup->ipft_max); + if (tup->ipft_sz == sizeof(u_long)) + printf("%lu\n", tup->ipft_vlong); + else if (tup->ipft_sz == sizeof(u_int)) + printf("%u\n", tup->ipft_vint); + else if (tup->ipft_sz == sizeof(u_short)) + printf("%hu\n", tup->ipft_vshort); + else if (tup->ipft_sz == sizeof(u_char)) + printf("%u\n", (u_int)tup->ipft_vchar); + else { + printf("sz = %d\n", tup->ipft_sz); + } +} diff --git a/usr/src/cmd/ipf/lib/common/remove_hash.c b/usr/src/cmd/ipf/lib/common/remove_hash.c index d939f97b71..d1830ac76a 100644 --- a/usr/src/cmd/ipf/lib/common/remove_hash.c +++ b/usr/src/cmd/ipf/lib/common/remove_hash.c @@ -9,14 +9,8 @@ #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" - -#if SOLARIS2 >= 10 -#include "ip_lookup.h" -#include "ip_htable.h" -#else #include "netinet/ip_lookup.h" #include "netinet/ip_htable.h" -#endif static int hashfd = -1; diff --git a/usr/src/cmd/ipf/lib/common/remove_hashnode.c b/usr/src/cmd/ipf/lib/common/remove_hashnode.c index b9c65d5914..afa0dbc554 100644 --- a/usr/src/cmd/ipf/lib/common/remove_hashnode.c +++ b/usr/src/cmd/ipf/lib/common/remove_hashnode.c @@ -9,14 +9,8 @@ #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" - -#if SOLARIS2 >= 10 -#include "ip_lookup.h" -#include "ip_htable.h" -#else #include "netinet/ip_lookup.h" #include "netinet/ip_htable.h" -#endif static int hashfd = -1; diff --git a/usr/src/cmd/ipf/lib/common/remove_pool.c b/usr/src/cmd/ipf/lib/common/remove_pool.c index 398ce376ed..d14529ab40 100644 --- a/usr/src/cmd/ipf/lib/common/remove_pool.c +++ b/usr/src/cmd/ipf/lib/common/remove_pool.c 
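Review bot: printtunable() dispatches on `tup->ipft_sz` testing `sizeof(u_long)` before `sizeof(u_int)`; on an ILP32 build the two are equal, so the `ipft_vint` branch is unreachable and a u_int-sized tunable is printed through `ipft_vlong`. Whether that is harmless depends on how ipft_vlong and ipft_vint share storage in ipftune_t, which the hunk does not show; a comment such as `/* widest size first; on ILP32 u_long and u_int coincide and ipft_vlong is used for both */` would record the assumption, or the dispatch could key on a type tag if the struct carries one. `printf("sz = %d\n", tup->ipft_sz);` assumes ipft_sz is an int — confirm against the declaration.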
@@ -9,14 +9,8 @@ #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" - -#if SOLARIS2 >= 10 -#include "ip_lookup.h" -#include "ip_htable.h" -#else #include "netinet/ip_lookup.h" #include "netinet/ip_htable.h" -#endif static int poolfd = -1; diff --git a/usr/src/cmd/ipf/lib/common/remove_poolnode.c b/usr/src/cmd/ipf/lib/common/remove_poolnode.c index 1b5b537913..2c7f9d3028 100644 --- a/usr/src/cmd/ipf/lib/common/remove_poolnode.c +++ b/usr/src/cmd/ipf/lib/common/remove_poolnode.c @@ -3,20 +3,14 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: remove_poolnode.c,v 1.1 2003/04/13 06:40:14 darrenr Exp $ + * $Id: remove_poolnode.c,v 1.3 2003/11/22 10:14:36 darrenr Exp $ */ #include <fcntl.h> #include <sys/ioctl.h> #include "ipf.h" - -#if SOLARIS2 >= 10 -#include "ip_lookup.h" -#include "ip_htable.h" -#else #include "netinet/ip_lookup.h" -#include "netinet/ip_htable.h" -#endif +#include "netinet/ip_pool.h" static int poolfd = -1; diff --git a/usr/src/cmd/ipf/lib/common/v6ionames.c b/usr/src/cmd/ipf/lib/common/v6ionames.c index 9b47cfd9fd..27affe5e50 100644 --- a/usr/src/cmd/ipf/lib/common/v6ionames.c +++ b/usr/src/cmd/ipf/lib/common/v6ionames.c @@ -3,10 +3,8 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: v6ionames.c,v 1.1 2003/04/26 04:55:58 darrenr Exp $ + * $Id: v6ionames.c,v 1.1.4.1 2005/01/02 13:08:49 darrenr Exp $ */ - - #include "ipf.h" diff --git a/usr/src/cmd/ipf/lib/common/var.c b/usr/src/cmd/ipf/lib/common/var.c index 994d5bcdb3..706a55ba97 100644 --- a/usr/src/cmd/ipf/lib/common/var.c +++ b/usr/src/cmd/ipf/lib/common/var.c @@ -1,3 +1,8 @@ +/* + * Copyright (C) 1993-2005 by Darren Reed. + * See the IPFILTER.LICENCE file for details on licencing. + */ + #include <ctype.h> #include "ipf.h" 
@@ -44,9 +49,9 @@ int line; fprintf(stderr, "%d: { without }\n", line); return NULL; } - } else if (isalpha(*s)) { + } else if (ISALPHA(*s)) { for (t = s + 1; *t != '\0'; t++) - if (!isalpha(*t) && !isdigit(*t)) + if (!ISALPHA(*t) && !ISDIGIT(*t) && (*t != '_')) break; } else { fprintf(stderr, "%d: variables cannot start with '%c'\n", @@ -95,6 +100,9 @@ int line; break; default : c = *s; + if (c == '\0') + return newstring; + value = get_variable(s, &p3, line); if (value == NULL) return NULL; @@ -119,7 +127,7 @@ int line; if (p3 != NULL) strcat(p1, p3); - s = p1 + len - strlen(p3); + s = p1 + len - strlen(p3) - 1; if (newstring != oldstring) free(newstring); newstring = p1; diff --git a/usr/src/cmd/ipf/tools/Makefile.tools b/usr/src/cmd/ipf/tools/Makefile.tools index c4cd838a04..17ec18ab93 100644 --- a/usr/src/cmd/ipf/tools/Makefile.tools +++ b/usr/src/cmd/ipf/tools/Makefile.tools @@ -48,7 +48,7 @@ ipftest := LDLIBS += -lsocket -lnsl -lmd ipfstat := LDLIBS += -lsocket -lnsl -lkvm -lelf ipmon := LDLIBS += -lsocket -lnsl ipnat := LDLIBS += -lsocket -lnsl -lkvm -lelf -ippool := LDLIBS += -lnsl -lkvm +ippool := LDLIBS += -lsocket -lnsl -lkvm CLEANFILES += $(OBJS) @@ -90,7 +90,7 @@ ipf: $(IPF_OBJS) $(LIBIPF) $(LINK.c) -o ipf $(IPF_OBJS) $(LDLIBS) $(POST_PROCESS) -ipf_y.o: ../ipf_y.c $(COMMONIPF)/ip_fil.h $(COMMONIPF)/ipf.h \ +ipf_y.o: ../ipf_y.c $(COMMONIPF)/netinet/ip_fil.h $(COMMONIPF)/ipf.h \ ../ipf_y.c ../ipf_l.h ../ipf_y.c ../ipf_y.h: ../ipf_y.y 
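Review bot: In the `@@ -119,7 +127,7 @@` hunk, `s = p1 + len - strlen(p3) - 1;` calls `strlen` on `p3` unconditionally although the line above only does `strcat(p1, p3)` when `p3 != NULL`, so the NULL case the guard exists for dereferences a null pointer here. Use `s = p1 + len - (p3 != NULL ? strlen(p3) : 0) - 1;`. How `len` is computed lies outside the hunk, so whether the new `- 1` is the right adjustment cannot be verified from here.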
@@ -100,11 +100,11 @@ ipf_y.o: ../ipf_y.c $(COMMONIPF)/ip_fil.h $(COMMONIPF)/ipf.h \ sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.h/' \ ipf.tab.h > ../ipf_y.h -ipf_l.o: ../ipf_l.c $(COMMONIPF)/ip_fil.h $(COMMONIPF)/ipf.h \ +ipf_l.o: ../ipf_l.c $(COMMONIPF)/netinet/ip_fil.h $(COMMONIPF)/ipf.h \ ../ipf_y.h ../ipf_l.h $(COMPILE.c) ../ipf_l.c -o $@ -../ipf_l.c: ../lexer.c $(COMMONIPF)/ipf.h $(COMMONIPF)/ip_fil.h +../ipf_l.c: ../lexer.c $(COMMONIPF)/ipf.h $(COMMONIPF)/netinet/ip_fil.h sed -e 's/yy/ipf_yy/g' -e 's/y.tab.h/ipf_y.h/' \ -e 's/lexer.h/ipf_l.h/' ../lexer.c > $@ @@ -149,7 +149,7 @@ ipnat: $(IPNAT_OBJS) $(LIBIPF) $(LINK.c) -o ipnat $(IPNAT_OBJS) $(LDLIBS) $(POST_PROCESS) -ipnat_y.o: ../ipnat_y.c $(COMMONIPF)/ip_nat.h \ +ipnat_y.o: ../ipnat_y.c $(COMMONIPF)/netinet/ip_nat.h \ ../ipnat_y.h ../ipnat_l.h ../ipnat_y.c ../ipnat_y.h: ../ipnat_y.y @@ -161,10 +161,10 @@ ipnat_y.o: ../ipnat_y.c $(COMMONIPF)/ip_nat.h \ sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.h/ipnat_y.h/' \ ipnat.tab.h > ../ipnat_y.h -ipnat_l.o: ../ipnat_l.c $(COMMONIPF)/ip_nat.h ../ipnat_l.h +ipnat_l.o: ../ipnat_l.c $(COMMONIPF)/netinet/ip_nat.h ../ipnat_l.h $(COMPILE.c) ../ipnat_l.c -o $@ -../ipnat_l.c: ../lexer.c $(COMMONIPF)/ip_nat.h +../ipnat_l.c: ../lexer.c $(COMMONIPF)/netinet/ip_nat.h sed -e 's/yy/ipnat_yy/g' -e 's/y.tab.h/ipnat_y.h/' \ -e 's/lexer.h/ipnat_l.h/' ../lexer.c > $@ @@ -175,7 +175,7 @@ ippool: $(IPPOOL_OBJS) $(LIBIPF) $(LINK.c) -o ippool $(IPPOOL_OBJS) $(LDLIBS) $(POST_PROCESS) -ippool_y.o: ../ippool_y.c $(COMMONIPF)/ip_pool.h \ +ippool_y.o: ../ippool_y.c $(COMMONIPF)/netinet/ip_pool.h \ ../ippool_y.h ../ippool_l.h ../ippool_y.c ../ippool_y.h: ../ippool_y.y 
@@ -187,10 +187,10 @@ ippool_y.o: ../ippool_y.c $(COMMONIPF)/ip_pool.h \ sed -e 's/yy/ippool_yy/g' -e 's/y.tab.h/ippool_y.h/' \ ippool.tab.h > ../ippool_y.h -ippool_l.o: ../ippool_l.c $(COMMONIPF)/ip_pool.h ../ippool_l.h +ippool_l.o: ../ippool_l.c $(COMMONIPF)/netinet/ip_pool.h ../ippool_l.h $(COMPILE.c) ../ippool_l.c -o $@ -../ippool_l.c: ../lexer.c $(COMMONIPF)/ip_pool.h +../ippool_l.c: ../lexer.c $(COMMONIPF)/netinet/ip_pool.h sed -e 's/yy/ippool_yy/g' -e 's/y.tab.h/ippool_y.h/' \ -e 's/lexer.h/ippool_l.h/' ../lexer.c > $@ @@ -206,7 +206,7 @@ clean: lint: lint_SRCS -%.o: $(SRC)/common/ipf/%.c +%.o: $(SRC)/uts/common/inet/ipf/%.c $(COMPILE.c) $< %.o: ../%.c diff --git a/usr/src/cmd/ipf/tools/ip_fil.c b/usr/src/cmd/ipf/tools/ip_fil.c index ae11de166e..0011968b9a 100644 --- a/usr/src/cmd/ipf/tools/ip_fil.c +++ b/usr/src/cmd/ipf/tools/ip_fil.c @@ -3,26 +3,21 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.121 2003/06/28 17:01:55 darrenr Exp $"; +static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.9 2005/01/08 14:22:18 darrenr Exp $"; #endif #ifndef SOLARIS #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif -#if defined(KERNEL) || defined(_KERNEL) -# undef KERNEL -# undef _KERNEL -# define KERNEL 1 -# define _KERNEL 1 -#endif #include <sys/param.h> #if defined(__FreeBSD__) && !defined(__FreeBSD_version) # if defined(IPFILTER_LKM) 
@@ -36,30 +31,20 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.121 2003/06/28 17:01:55 darre # endif #endif #include <sys/errno.h> +#if defined(__hpux) && (HPUXREV >= 1111) && !defined(_KERNEL) +# include <sys/kern_svcs.h> +#endif #include <sys/types.h> - -#ifdef _KERNEL -# include <sys/systm.h> -# include <sys/fcntl.h> -#else -# define _KERNEL -# ifdef __OpenBSD__ +#define _KERNEL +#define KERNEL +#ifdef __OpenBSD__ struct file; -# endif - -# include <sys/uio.h> -# undef _KERNEL #endif - +#include <sys/uio.h> +#undef _KERNEL +#undef KERNEL #include <sys/file.h> #include <sys/ioctl.h> - -#include <stdio.h> -#include <string.h> -#include <stdlib.h> -#include <ctype.h> -#include <fcntl.h> - #ifdef __sgi # include <sys/ptimers.h> #endif @@ -73,7 +58,9 @@ struct file; #else # include <sys/filio.h> #endif -#include <sys/protosw.h> +#ifndef linux +# include <sys/protosw.h> +#endif #include <sys/socket.h> #include <stdio.h> @@ -81,6 +68,7 @@ struct file; #include <stdlib.h> #include <ctype.h> #include <fcntl.h> +#include <arpa/inet.h> #ifdef __hpux # define _NET_ROUTE_INCLUDED @@ -98,19 +86,28 @@ struct file; #include <sys/hashing.h> # endif #endif +#if defined(__FreeBSD__) +# include "radix_ipf.h" +#endif #include <net/route.h> #include <netinet/in.h> #if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /* IRIX < 6 */ && \ - !defined(__hpux) + !defined(__hpux) && !defined(linux) # include <netinet/in_var.h> #endif #include <netinet/in_systm.h> #include <netinet/ip.h> -#include <netinet/ip_var.h> +#if !defined(linux) +# include <netinet/ip_var.h> +#endif #include <netinet/tcp.h> #if defined(__osf__) # include <netinet/tcp_timer.h> #endif +#if defined(__osf__) || defined(__hpux) || defined(__sgi) +# include "radix_ipf_local.h" +# define _RADIX_H_ +#endif #include <netinet/udp.h> #include <netinet/tcpip.h> #include <netinet/ip_icmp.h> 
@@ -119,15 +116,6 @@ struct file; #ifdef __hpux # undef _NET_ROUTE_INCLUDED #endif -#if SOLARIS2 >= 10 -#include "ip_compat.h" -#include "ip_fil.h" -#include "ip_nat.h" -#include "ip_frag.h" -#include "ip_state.h" -#include "ip_proxy.h" -#include "ip_auth.h" -#else #include "netinet/ip_compat.h" #include "netinet/ip_fil.h" #include "netinet/ip_nat.h" @@ -135,18 +123,13 @@ struct file; #include "netinet/ip_state.h" #include "netinet/ip_proxy.h" #include "netinet/ip_auth.h" -#endif #ifdef IPFILTER_SYNC #include "netinet/ip_sync.h" #endif #ifdef IPFILTER_SCAN #include "netinet/ip_scan.h" #endif -#if SOLARIS2 >= 10 -#include "ip_pool.h" -#else #include "netinet/ip_pool.h" -#endif #ifdef IPFILTER_COMPILED # include "netinet/ip_rules.h" #endif @@ -156,8 +139,8 @@ struct file; #ifdef __hpux struct rtentry; #endif +#include "md5.h" -#include <sys/md5.h> #if !defined(__osf__) extern struct protosw inetsw[]; @@ -168,8 +151,9 @@ static struct ifnet **ifneta = NULL; static int nifs = 0; static int frzerostats __P((caddr_t)); +static void fr_setifpaddr __P((struct ifnet *, char *)); void init_ifp __P((void)); -#if defined(__sgi) && (IRIX < 605) +#if defined(__sgi) && (IRIX < 60500) static int no_output __P((struct ifnet *, struct mbuf *, struct sockaddr *)); static int write_output __P((struct ifnet *, struct mbuf *, @@ -220,18 +204,12 @@ caddr_t data; } - /* * Filter ioctl interface. */ int iplioctl(dev, cmd, data, mode) int dev; -#if defined(__NetBSD__) || defined(__OpenBSD__) || \ - (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) -u_long cmd; -#else -int cmd; -#endif +ioctlcmd_t cmd; caddr_t data; int mode; { @@ -260,7 +238,8 @@ int mode; } if (unit == IPL_LOGAUTH) { if (fr_running > 0) { - if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) { + if ((cmd == (ioctlcmd_t)SIOCADAFR) || + (cmd == (ioctlcmd_t)SIOCRMAFR)) { if (!(mode & FWRITE)) { error = EPERM; } else { 
@@ -325,6 +304,15 @@ int mode; error = ipldetach(); } break; + case SIOCIPFSET : + if (!(mode & FWRITE)) { + error = EPERM; + break; + } + case SIOCIPFGETNEXT : + case SIOCIPFGET : + error = fr_ipftune(cmd, (void *)data); + break; case SIOCSETFF : if (!(mode & FWRITE)) error = EPERM; @@ -422,7 +410,7 @@ int mode; if (!(mode & FWRITE)) error = EPERM; else { - frsync(); + frsync(NULL); } break; default : @@ -471,7 +459,7 @@ void *ifp; } -void fr_resolvdest(fdp, v) +void fr_resolvedest(fdp, v) frdest_t *fdp; int v; { @@ -485,7 +473,7 @@ int v; } -#if defined(__sgi) && (IRIX < 605) +#if defined(__sgi) && (IRIX < 60500) static int no_output(ifp, m, s) #else # if TRU64 >= 1885 @@ -504,7 +492,7 @@ struct sockaddr *s; } -#if defined(__sgi) && (IRIX < 605) +#if defined(__sgi) && (IRIX < 60500) static int write_output(ifp, m, s) #else # if TRU64 >= 1885 @@ -528,7 +516,8 @@ struct sockaddr *s; ip = MTOD(mb, ip_t *); #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ - (defined(OpenBSD) && (OpenBSD >= 199603)) + (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \ + (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) sprintf(fname, "/tmp/%s", ifp->if_xname); #else sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit); 
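Review bot: The new `case SIOCIPFSET :` performs its FWRITE check and then falls through into `case SIOCIPFGETNEXT :`/`case SIOCIPFGET :` to reach `fr_ipftune()`, with nothing marking the fallthrough as deliberate; a case later inserted between them would silently detach the permission check from the set path. Add `/* FALLTHROUGH */` after the closing brace of the `if`, the explicit-fallthrough marker compilers recognise, so the write-permission gate on tunable changes stays visibly tied to the call. iplioctl's switch starts and ends outside the hunk.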
@@ -544,20 +533,75 @@ struct sockaddr *s; } +static void fr_setifpaddr(ifp, addr) +struct ifnet *ifp; +char *addr; +{ +#ifdef __sgi + struct in_ifaddr *ifa; +#else + struct ifaddr *ifa; +#endif + +#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) + if (ifp->if_addrlist.tqh_first != NULL) +#else +# ifdef __sgi + if (ifp->in_ifaddr != NULL) +# else + if (ifp->if_addrlist != NULL) +# endif +#endif + return; + + ifa = (struct ifaddr *)malloc(sizeof(*ifa)); +#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) + ifp->if_addrlist.tqh_first = ifa; +#else +# ifdef __sgi + ifp->in_ifaddr = ifa; +# else + ifp->if_addrlist = ifa; +# endif +#endif + + if (ifa != NULL) { + struct sockaddr_in *sin; + +#ifdef __sgi + sin = (struct sockaddr_in *)&ifa->ia_addr; +#else + sin = (struct sockaddr_in *)&ifa->ifa_addr; +#endif + sin->sin_addr.s_addr = inet_addr(addr); + if (sin->sin_addr.s_addr == 0) + abort(); + } +} + struct ifnet *get_unit(name, v) char *name; int v; { - struct ifnet *ifp, **ifa, **old_ifneta; + struct ifnet *ifp, **ifpp, **old_ifneta; + char *addr; #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ - (defined(OpenBSD) && (OpenBSD >= 199603)) + (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \ + (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) if (name == NULL) name = "anon0"; - for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { - if (!strcmp(name, ifp->if_xname)) + addr = strchr(name, '='); + if (addr != NULL) + *addr++ = '\0'; + + for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) { + if (!strcmp(name, ifp->if_xname)) { + if (addr != NULL) + fr_setifpaddr(ifp, addr); return ifp; + } } #else char *s, ifname[LIFNAMSIZ+1]; 
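Review bot: In fr_setifpaddr(), `if (sin->sin_addr.s_addr == 0) abort();` tests the wrong sentinel: `inet_addr()` reports an unparsable string as INADDR_NONE, not 0, so a malformed `name=addr` suffix is silently accepted as 255.255.255.255 while the legitimate address 0.0.0.0 aborts. Use `if (sin->sin_addr.s_addr == INADDR_NONE) abort();` (and reject 0 as well only if 0.0.0.0 is meaningless here). The new `ifa` is malloc'd but not cleared, so every field other than the address is indeterminate — probably acceptable for this test harness, but `calloc` would make that explicit. get_unit() now writes a `'\0'` into `name` at the `=`, which requires callers to pass writable storage; that assumption is not visible in the hunk.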
@@ -565,10 +609,17 @@ int v; if (name == NULL) name = "anon0"; - for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { + addr = strchr(name, '='); + if (addr != NULL) + *addr++ = '\0'; + + for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) { COPYIFNAME(ifp, ifname); - if (!strcmp(name, ifname)) + if (!strcmp(name, ifname)) { + if (addr != NULL) + fr_setifpaddr(ifp, addr); return ifp; + } } #endif @@ -587,7 +638,7 @@ int v; old_ifneta = ifneta; nifs++; ifneta = (struct ifnet **)realloc(ifneta, - (nifs + 1) * sizeof(*ifa)); + (nifs + 1) * sizeof(ifp)); if (!ifneta) { free(old_ifneta); nifs = 0; @@ -603,12 +654,13 @@ int v; ifp = ifneta[nifs - 1]; #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ - (defined(OpenBSD) && (OpenBSD >= 199603)) - strncpy(ifp->if_xname, name, sizeof(ifp->if_xname)); + (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \ + (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) + (void) strncpy(ifp->if_xname, name, sizeof(ifp->if_xname)); #else - for (s = name; *s && !isdigit(*s); s++) + for (s = name; *s && !ISDIGIT(*s); s++) ; - if (*s && isdigit(*s)) { + if (*s && ISDIGIT(*s)) { ifp->if_unit = atoi(s); ifp->if_name = (char *)malloc(s - name + 1); if (ifp->if_name == NULL) { @@ -619,7 +671,7 @@ int v; perror("malloc"); exit(1); } - strncpy(ifp->if_name, name, s - name); + (void) strncpy(ifp->if_name, name, s - name); ifp->if_name[s - name] = '\0'; } else { ifp->if_name = strdup(name); @@ -627,6 +679,11 @@ int v; } #endif ifp->if_output = no_output; + + if (addr != NULL) { + fr_setifpaddr(ifp, addr); + } + return ifp; } @@ -636,7 +693,8 @@ struct ifnet *ifp; { static char ifname[LIFNAMSIZ]; -#if defined(__OpenBSD__) || defined(__NetBSD__) +#if defined(__OpenBSD__) || defined(__NetBSD__) || defined(linux) || \ + (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) sprintf(ifname, "%s", ifp->if_xname); #else sprintf(ifname, "%s%d", ifp->if_name, ifp->if_unit); 
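Review bot: The `(void) strncpy(ifp->if_xname, name, sizeof(ifp->if_xname))` in the `@@ -603` hunk does not NUL-terminate when `name` is at least `sizeof(ifp->if_xname)` bytes long, and `name` comes from the rule text, so the `strcmp(name, ifp->if_xname)` in the lookup loop and the `sprintf(fname, "/tmp/%s", ifp->if_xname)` in `init_ifp()` then read past the field. Either reject over-long names or terminate explicitly with `ifp->if_xname[sizeof(ifp->if_xname) - 1] = '\0';` after the copy. The `#else` branch has the same exposure through `strdup(name)` into `if_name`, which is unbounded. `get_unit()` starts and ends outside this hunk.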
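Review bot: In the `@@ -636` hunk, `sprintf(ifname, "%s%d", ifp->if_name, ifp->if_unit)` writes into `static char ifname[LIFNAMSIZ]` with no bound, and `if_name` is a `strdup()` of whatever interface name the rule file supplied (see `get_unit()` above), so a name a little longer than `LIFNAMSIZ` minus the unit digits overruns the static buffer. Use `snprintf(ifname, sizeof(ifname), "%s%d", ifp->if_name, ifp->if_unit);` on this branch and `snprintf(ifname, sizeof(ifname), "%s", ifp->if_xname);` on the other. The enclosing function's signature is above this hunk and its return is below it.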
@@ -648,13 +706,14 @@ struct ifnet *ifp; void init_ifp() { - struct ifnet *ifp, **ifa; + struct ifnet *ifp, **ifpp; char fname[32]; int fd; #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ - (defined(OpenBSD) && (OpenBSD >= 199603)) - for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { + (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \ + (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) + for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) { ifp->if_output = write_output; sprintf(fname, "/tmp/%s", ifp->if_xname); fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600); @@ -665,7 +724,7 @@ void init_ifp() } #else - for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { + for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) { ifp->if_output = write_output; sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit); fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600); @@ -692,7 +751,7 @@ frdest_t *fdp; ip->ip_len = htons((u_short)ip->ip_len); ip->ip_off = htons((u_short)(ip->ip_off | IP_MF)); ip->ip_sum = 0; -#if defined(__sgi) && (IRIX < 605) +#if defined(__sgi) && (IRIX < 60500) (*ifp->if_output)(ifp, (void *)ip, NULL); # if TRU64 >= 1885 (*ifp->if_output)(ifp, (void *)m, NULL, 0, 0); @@ -717,12 +776,13 @@ int type; fr_info_t *fin; int dst; { - verbose("- TCP RST sent\n"); + verbose("- ICMP unreachable sent\n"); return 0; } -void frsync() +void frsync(ifp) +void *ifp; { return; } 
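Review bot: `sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit)` in the second `init_ifp()` hunk fills the `char fname[32]` declared in the previous hunk from an interface name the user supplied through `get_unit()`'s `strdup(name)`, so a long name overflows the stack buffer, and a name containing `/` or `..` points the output file somewhere outside `/tmp`. Bound it with `snprintf(fname, sizeof(fname), "/tmp/%s%d", ifp->if_name, ifp->if_unit)` and treat a return value of `sizeof(fname)` or more as an error, and reject names containing `/` before they get this far. The `O_CREAT|O_EXCL` open with mode 0600 is fine as far as not following a pre-existing file goes. `init_ifp()` starts in the previous hunk and continues past this one.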
@@ -860,3 +920,74 @@ fr_info_t *fin; fin->fin_flx |= FI_BAD; } #endif + + +/* + * See above for description, except that all addressing is in user space. + */ +int copyoutptr(src, dst, size) +void *src, *dst; +size_t size; +{ + caddr_t ca; + + bcopy(dst, (char *)&ca, sizeof(ca)); + bcopy(src, ca, size); + return 0; +} + + +/* + * See above for description, except that all addressing is in user space. + */ +int copyinptr(src, dst, size) +void *src, *dst; +size_t size; +{ + caddr_t ca; + + bcopy(src, (char *)&ca, sizeof(ca)); + bcopy(ca, dst, size); + return 0; +} + + +/* + * return the first IP Address associated with an interface + */ +int fr_ifpaddr(v, atype, ifptr, inp, inpmask) +int v, atype; +void *ifptr; +struct in_addr *inp, *inpmask; +{ + struct ifnet *ifp = ifptr; +#ifdef __sgi + struct in_ifaddr *ifa; +#else + struct ifaddr *ifa; +#endif + +#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) + ifa = ifp->if_addrlist.tqh_first; +#else +# ifdef __sgi + ifa = (struct in_ifaddr *)ifp->in_ifaddr; +# else + ifa = ifp->if_addrlist; +# endif +#endif + if (ifa != NULL) { + struct sockaddr_in *sin, mask; + + mask.sin_addr.s_addr = 0xffffffff; + +#ifdef __sgi + sin = (struct sockaddr_in *)&ifa->ia_addr; +#else + sin = (struct sockaddr_in *)&ifa->ifa_addr; +#endif + + return fr_ifpfillv4addr(atype, sin, &mask, inp, inpmask); + } + return 0; +} diff --git a/usr/src/cmd/ipf/tools/ipf.c b/usr/src/cmd/ipf/tools/ipf.c index 1a06567959..a9621ef7df 100644 --- a/usr/src/cmd/ipf/tools/ipf.c +++ b/usr/src/cmd/ipf/tools/ipf.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
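Review bot: `fr_ifpaddr()` ignores its `v` argument, so a caller asking for an IPv6 address (`v == 6`) is handed the interface's IPv4 address through `fr_ifpfillv4addr()`, and when the interface has no address at all it returns 0 — indistinguishable from success — while `*inp` and `*inpmask` are left untouched. If callers treat -1 as "no address" (the kernel-side contract is not in this diff, so please confirm), add `if (v != 4) return -1;` at the top and change the trailing `return 0;` to `return -1;`. `mask` is also only partially initialised (`sin_addr` only), which is fine only if `fr_ifpfillv4addr()` reads no other field; a one-line comment saying so would help. The two `copy*ptr` helpers refer to a description that sits above this hunk.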
@@ -21,20 +21,13 @@ #include "ipf.h" #include <fcntl.h> #include <sys/ioctl.h> -#if SOLARIS2 >= 10 -#include "ipl.h" -#else #include "netinet/ipl.h" -#endif #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 1.24 2003/07/01 16:30:47 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.3 2004/12/15 18:27:17 darrenr Exp $"; #endif -#if SOLARIS -static void blockunknown __P((void)); -#endif #if !defined(__SVR4) && defined(__GNUC__) extern char *index __P((const char *, int)); #endif @@ -44,7 +37,7 @@ extern int optind; extern frentry_t *frtop; -void frsync __P((void)); +void ipf_frsync __P((void)); void zerostats __P((void)); int main __P((int, char *[])); @@ -62,8 +55,6 @@ static void usage __P((void)); static int showversion __P((void)); static int get_flags __P((void)); static void ipf_interceptadd __P((int, ioctlfunc_t, void *)); -static void dotuning __P((char *)); -static void printtunable __P((ipftune_t *)); static int fd = -1; static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ioctl, ioctl, ioctl, @@ -73,13 +64,9 @@ static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ioctl, ioctl, ioctl, static void usage() { - fprintf(stderr, "usage: ipf [-" -#ifdef USE_INET6 - "6" -#endif - "AdDEInoPrsUvVyzZ] %s %s %s %s\n", - "[-l block|pass|nomatch|state|nat]", "[-T optionlist]", - "[-F i|o|a|s|S|u]", "[-f filename]"); + fprintf(stderr, "usage: ipf [-6AdDEInoPrRsvVyzZ] %s %s %s\n", + "[-l block|pass|nomatch|state|nat]", "[-cc] [-F i|o|a|s|S|u]", + "[-f filename] [-T <tuneopts>]"); exit(1); } @@ -93,7 +80,7 @@ char *argv[]; if (argc < 2) usage(); - while ((c = getopt(argc, argv, "6ACdDEf:F:Il:noPrsT:UvVyzZ")) != -1) { + while ((c = getopt(argc, argv, "6Ac:dDEf:F:Il:noPrRsT:vVyzZ")) != -1) { switch (c) { case '?' : 
@@ -107,11 +94,10 @@ char *argv[]; case 'A' : opts &= ~OPT_INACTIVE; break; -#ifdef USE_OPTIONC - case 'C' : - outputc = 1; + case 'c' : + if (strcmp(optarg, "c") == 0) + outputc = 1; break; -#endif case 'E' : set_state((u_int)1); break; @@ -141,6 +127,9 @@ char *argv[]; case 'P' : ipfname = IPAUTH_NAME; break; + case 'R' : + opts ^= OPT_NORESOLVE; + break; case 'r' : opts ^= OPT_REMOVE; break; @@ -148,13 +137,9 @@ char *argv[]; swapactive(); break; case 'T' : - dotuning(optarg); - break; -#if SOLARIS - case 'U' : - blockunknown(); + if (opendevice(ipfname, 1) >= 0) + ipf_dotuning(fd, optarg, ioctl); break; -#endif case 'v' : opts += OPT_VERBOSE; break; @@ -163,7 +148,7 @@ char *argv[]; exit(1); break; case 'y' : - frsync(); + ipf_frsync(); break; case 'z' : opts ^= OPT_ZERORULEST; @@ -275,7 +260,7 @@ void *ptr; static void packetlogon(opt) char *opt; { - int flag, xfd, logopt; + int flag, xfd, logopt, change = 0; flag = get_flags(); if (flag != 0) { @@ -289,24 +274,35 @@ char *opt; flag |= FF_LOGPASS; if (opts & OPT_VERBOSE) printf("set log flag: pass\n"); + change = 1; } if (strstr(opt, "nomatch")) { flag |= FF_LOGNOMATCH; if (opts & OPT_VERBOSE) printf("set log flag: nomatch\n"); + change = 1; } if (strstr(opt, "block") || index(opt, 'd')) { flag |= FF_LOGBLOCK; if (opts & OPT_VERBOSE) printf("set log flag: block\n"); + change = 1; + } + if (strstr(opt, "none")) { + if (opts & OPT_VERBOSE) + printf("disable all log flags\n"); + change = 1; } - if (opendevice(ipfname, 1) != -2 && (ioctl(fd, SIOCSETFF, &flag) != 0)) - perror("ioctl(SIOCSETFF)"); + if (change == 1) { + if (opendevice(ipfname, 1) != -2 && + (ioctl(fd, SIOCSETFF, &flag) != 0)) + perror("ioctl(SIOCSETFF)"); + } if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { flag = get_flags(); - printf("log flag is now %#x\n", flag); + printf("log flags are now %#x\n", flag); } if (strstr(opt, "state")) { 
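Review bot: The new `-c` handling accepts any argument and only acts on `c`, so `ipf -cx` is silently ignored instead of being reported, even though the usage string advertises only `[-cc]`. Add an `else usage();` branch after the `strcmp(optarg, "c") == 0` test so an unknown value fails loudly, the same way every other bad flag does through `case '?'`.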
@@ -360,19 +356,22 @@ char *arg; rem = fl; closedevice(); + if (opendevice(IPSTATE_NAME, 1) == -2) + exit(1); - if (opendevice(IPSTATE_NAME, 1) != -2) { + if (!(opts & OPT_DONOTHING)) { if (use_inet6) { -#ifdef USE_INET6 - if (ioctl(fd, SIOCIPFL6, &fl) == -1) - perror("SIOCIPFL6"); -#endif + if (ioctl(fd, SIOCIPFL6, &fl) == -1) { + perror("ioctl(SIOCIPFL6)"); + exit(1); + } } else { - if (ioctl(fd, SIOCIPFFL, &fl) == -1) - perror("SIOCIPFFL"); + if (ioctl(fd, SIOCIPFFL, &fl) == -1) { + perror("ioctl(SIOCIPFFL)"); + exit(1); + } } } - if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { printf("remove flags %s (%d)\n", arg, rem); printf("removed %d filter rules\n", fl); @@ -408,15 +407,20 @@ char *arg; fl |= FR_INACTIVE; rem = fl; - if (opendevice(ipfname, 1) != -2) { + if (opendevice(ipfname, 1) == -2) + exit(1); + + if (!(opts & OPT_DONOTHING)) { if (use_inet6) { -#ifdef USE_INET6 - if (ioctl(fd, SIOCIPFL6, &fl) == -1) - perror("SIOCIPFL6"); -#endif + if (ioctl(fd, SIOCIPFL6, &fl) == -1) { + perror("ioctl(SIOCIPFL6)"); + exit(1); + } } else { - if (ioctl(fd, SIOCIPFFL, &fl) == -1) - perror("SIOCIPFFL"); + if (ioctl(fd, SIOCIPFFL, &fl) == -1) { + perror("ioctl(SIOCIPFFL)"); + exit(1); + } } } @@ -440,7 +444,7 @@ static void swapactive() } -void frsync() +void ipf_frsync() { int frsyn = 0; @@ -493,33 +497,6 @@ friostat_t *fp; } -#if SOLARIS -static void blockunknown() -{ - u_32_t flag; - - if (opendevice(ipfname, 1) == -1) - return; - - flag = get_flags(); - if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) - printf("log flag is currently %#x\n", flag); - - flag ^= FF_BLOCKNONIP; - - if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCSETFF, &flag)) - perror("ioctl(SIOCSETFF)"); - - if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { - if (ioctl(fd, SIOCGETFF, &flag)) - perror("ioctl(SIOCGETFF)"); - - printf("log flag is now %#x\n", flag); - } -} -#endif - - static int showversion() { struct friostat fio; 
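Review bot: The new `if (opendevice(IPSTATE_NAME, 1) == -2) exit(1);` appears to test the wrong return value, going by the conventions visible elsewhere in this diff: `packetlogon()` treats -2 as "skip the ioctl" (its `!= -2` test), the removed `blockunknown()` treated -1 as the open failure, and the `-T` case requires `>= 0`. As written, a genuinely failed open (-1) passes the check and the `ioctl()` calls then fail with `EBADF`, while whatever path yields -2 (it looks like the `-n` dry-run path, given the `OPT_DONOTHING` test that immediately follows) exits non-zero before the verbose summary is printed. `opendevice()` is not in this diff, so confirm; if -1 is the failure code, the check should be `if (opendevice(IPSTATE_NAME, 1) == -1) exit(1);`. The second hunk on this line repeats the same pattern for `ipfname`.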
@@ -583,82 +560,7 @@ static int showversion() s = "nomatch -> block"; printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un"); printf("Active list: %d\n", fio.f_active); + printf("Feature mask: %#x\n", fio.f_features); return 0; } - - -static void dotuning(tuneargs) -char *tuneargs; -{ - ipfobj_t obj; - ipftune_t tu; - char *s, *t; - - if (opendevice(ipfname, 1) < 0) - return; - - bzero((char *)&tu, sizeof(tu)); - obj.ipfo_rev = IPFILTER_VERSION; - obj.ipfo_size = sizeof(tu);; - obj.ipfo_ptr = (void *)&tu; - obj.ipfo_type = IPFOBJ_TUNEABLE; - - for (s = strtok(tuneargs, ","); s != NULL; s = strtok(NULL, ",")) { - if (!strcmp(s, "list")) { - while (1) { - if (ioctl(fd, SIOCIPFGETNEXT, &obj) == -1) { - perror("ioctl(SIOCIPFGETNEXT)"); - break; - } - if (tu.ipft_cookie == NULL) - break; - - tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0'; - printtunable(&tu); - } - } else if ((t = strchr(s, '=')) != NULL) { - *t++ = '\0'; - strncpy(tu.ipft_name, s, sizeof(tu.ipft_name)); - if (sscanf(t, "%lu", &tu.ipft_vlong) == 1) { - if (ioctl(fd, SIOCIPFSET, &obj) == -1) { - perror("ioctl(SIOCIPFSET)"); - return; - } - } else { - fprintf(stderr, "invalid value '%s'\n", s); - return; - } - } else { - strncpy(tu.ipft_name, s, sizeof(tu.ipft_name)); - if (ioctl(fd, SIOCIPFGET, &obj) == -1) { - perror("ioctl(SIOCIPFGET)"); - return; - } - if (tu.ipft_cookie == NULL) - return; - - tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0'; - printtunable(&tu); - } - } -} - - -static void printtunable(tup) -ipftune_t *tup; -{ - printf("%s\tmin %#lx\tmax %#lx\tcurrent ", - tup->ipft_name, tup->ipft_min, tup->ipft_max); - if (tup->ipft_sz == sizeof(u_long)) - printf("%lu\n", tup->ipft_vlong); - else if (tup->ipft_sz == sizeof(u_int)) - printf("%u\n", tup->ipft_vint); - else if (tup->ipft_sz == sizeof(u_short)) - printf("%hu\n", tup->ipft_vshort); - else if (tup->ipft_sz == sizeof(u_char)) - printf("%u\n", (u_int)tup->ipft_vchar); - else { - printf("sz = %d\n", tup->ipft_sz); - } -} 
diff --git a/usr/src/cmd/ipf/tools/ipf_y.y b/usr/src/cmd/ipf/tools/ipf_y.y index f1fc0096f0..31af5ef875 100644 --- a/usr/src/cmd/ipf/tools/ipf_y.y +++ b/usr/src/cmd/ipf/tools/ipf_y.y @@ -4,47 +4,36 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" #include "ipf.h" -#include <netinet/ip_icmp.h> #include <sys/ioctl.h> #include <syslog.h> #ifdef IPFILTER_BPF -# include <net/bpf.h> -# include <pcap-int.h> +# include "pcap-bpf.h" +# define _NET_BPF_H_ # include <pcap.h> #endif -#if SOLARIS2 >= 10 -#include "ip_pool.h" -#include "ip_htable.h" -#include "ipl.h" -#else #include "netinet/ip_pool.h" #include "netinet/ip_htable.h" #include "netinet/ipl.h" -#endif #include "ipf_l.h" #define YYDEBUG 1 #define DOALL(x) for (fr = frc; fr != NULL; fr = fr->fr_next) { x } #define DOREM(x) for (; fr != NULL; fr = fr->fr_next) { x } -#if SOLARIS2 >= 10 -#define VNI "vni" -#define VNISTRLEN 3 -#endif -#define OPTION_LOG 0x1 -#define OPTION_QUICK 0x2 -#define OPTION_DUP 0x4 -#define OPTION_PROUTE 0x8 -#define OPTION_ON 0x10 -#define OPTION_REPLYTO 0x20 -#define OPTION_FROUTE 0x40 +#define OPTION_LOG 0x1 +#define OPTION_QUICK 0x2 +#define OPTION_DUP 0x4 +#define OPTION_PROUTE 0x8 +#define OPTION_ON 0x10 +#define OPTION_REPLYTO 0x20 +#define OPTION_FROUTE 0x40 extern void yyerror __P((char *)); extern int yyparse __P((void)); @@ -56,7 +45,7 @@ extern int yylineNum; static void newrule __P((void)); static void setipftype __P((void)); static u_32_t lookuphost __P((char *)); -static void dobpf __P((char *)); +static void dobpf __P((int, char *)); static void resetaddr __P((void)); static struct alist_s *newalist __P((struct alist_s *)); static u_int makehash __P((struct alist_s *)); 
@@ -77,14 +66,20 @@ static int nrules = 0; static int newlist = 0; static int added = 0; static int ipffd = -1; +static int ruleopts = 0; static int *yycont = 0; -static int ruleopts = 0; static ioctlfunc_t ipfioctl[IPL_LOGSIZE]; static addfunc_t ipfaddfunc = NULL; -static wordtab_t addrwords[4]; -static wordtab_t maskwords[5]; -static wordtab_t *savewords; -static int set_ipv6_addr = 0; +static struct wordtab ipfwords[95]; +static struct wordtab addrwords[4]; +static struct wordtab maskwords[5]; +static struct wordtab icmpcodewords[17]; +static struct wordtab icmptypewords[16]; +static struct wordtab ipv4optwords[25]; +static struct wordtab ipv4secwords[9]; +static struct wordtab ipv6optwords[8]; +static struct wordtab logwords[33]; +static int set_ipv6_addr = 0; %} %union { @@ -94,6 +89,7 @@ static int set_ipv6_addr = 0; frentry_t fr; frtuc_t *frt; struct alist_s *alist; + u_short port; struct { u_short p1; u_short p2; @@ -106,10 +102,11 @@ static int set_ipv6_addr = 0; union i6addr ip6; }; -%type <num> portnum facility priority icmpcode seclevel secname icmptype +%type <port> portnum +%type <num> facility priority icmpcode seclevel secname icmptype %type <num> opt compare range opttype flagset optlist ipv6hdrlist ipv6hdr -%type <num> portc porteq -%type <ipa> hostname ipv4 ipv4mask +%type <num> portc porteq +%type <ipa> hostname ipv4 ipv4mask ipv4_16 ipv4_24 %type <ip6> ipv6mask %type <ipp> addr ipaddr %type <str> servicename name interfacename 
@@ -127,13 +124,13 @@ static int set_ipv6_addr = 0; %token IPFY_RETICMP IPFY_RETRST IPFY_RETICMPASDST %token IPFY_IN IPFY_OUT %token IPFY_QUICK IPFY_ON IPFY_OUTVIA IPFY_INVIA -%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO +%token IPFY_DUPTO IPFY_TO IPFY_FROUTE IPFY_REPLY_TO IPFY_ROUTETO %token IPFY_TOS IPFY_TTL IPFY_PROTO %token IPFY_HEAD IPFY_GROUP -%token IPFY_AUTH IPFY_PREAUTH IPFY_DIVERT +%token IPFY_AUTH IPFY_PREAUTH %token IPFY_LOG IPFY_BODY IPFY_FIRST IPFY_LEVEL IPFY_ORBLOCK -%token IPFY_LOGTAG IPFY_TAG IPFY_SKIP -%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPF IPFY_POOL IPFY_HASH +%token IPFY_LOGTAG IPFY_MATCHTAG IPFY_SETTAG IPFY_SKIP +%token IPFY_FROM IPFY_ALL IPFY_ANY IPFY_BPFV4 IPFY_BPFV6 IPFY_POOL IPFY_HASH %token IPFY_PPS %token IPFY_ESP IPFY_AH %token IPFY_WITH IPFY_AND IPFY_NOT IPFY_NO IPFY_OPT @@ -146,6 +143,7 @@ static int set_ipv6_addr = 0; %token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG %token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR %token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE +%token IPFY_SYNC IPFY_FRAGBODY %token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP %token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR %token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO @@ -212,16 +210,19 @@ assigning: '=' { yyvarnext = 1; } ; -rule: inrule - | outrule +rule: inrule eol + | outrule eol + ; + +eol: | ';' ; inrule: - rulehead markin { ruleopts = 0; } inopts rulemain ruletail + rulehead markin { ruleopts = 0; } inopts rulemain ruletail intag ruletail2 ; outrule: - rulehead markout { ruleopts = 0; } outopts rulemain ruletail + rulehead markout { ruleopts = 0; } outopts rulemain ruletail outtag ruletail2 ; rulehead: 
@@ -246,15 +247,26 @@ ipfrule: ; bpfrule: - IPFY_BPF '{' YY_STR '}' { dobpf($3); free($3); } + IPFY_BPFV4 '{' YY_STR '}' { dobpf(4, $3); free($3); } + | IPFY_BPFV6 '{' YY_STR '}' { dobpf(6, $3); free($3); } ; ruletail: - keep head group tag pps age new + with keep head group + ; + +ruletail2: + pps age new + ; + +intag: settagin matchtagin + ; + +outtag: settagout matchtagout ; insert: - '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2; } + '@' YY_NUMBER { fr->fr_hits = (U_QUAD_T)$2 + 1; } ; collection: @@ -263,8 +275,6 @@ collection: action: block | IPFY_PASS { fr->fr_flags |= FR_PASS; } - | IPFY_DIVERT YY_NUMBER { fr->fr_flags |= FR_DIVERT; - fr->fr_arg = $2; } | log | IPFY_COUNT { fr->fr_flags |= FR_ACCOUNT; } | auth @@ -429,7 +439,7 @@ lmore: lanother { if (newlist == 1) { } fr = addrule(); if (yycont != NULL) - *yycont = 1; + *yycont = 1; } ; @@ -454,7 +464,7 @@ protox: IPFY_PROTO { setipftype(); yysetdict(NULL); } ; -ip: srcdst flags with icmp +ip: srcdst flags icmp ; group: | IPFY_GROUP YY_STR { DOALL(strncpy(fr->fr_group, $2, \ 
@@ -473,21 +483,50 @@ head: | IPFY_HEAD YY_STR { DOALL(strncpy(fr->fr_grhead, $2, \ $2);) } ; -tag: | IPFY_TAG YY_NUMBER { DOALL(fr->fr_logtag = $2;) } - | IPFY_TAG '(' taglist ')' +settagin: + | IPFY_SETTAG '(' taginlist ')' + ; -taglist: - tagspec - | taglist ',' tagspec +taginlist: + taginspec + | taginlist ',' taginspec ; -tagspec: - IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\ - $3, 16);); +taginspec: + logtag + |nattag + ; + +nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\ + $3, IPFTAG_LEN);); free($3); } | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\ - "%15d", $3);) } - | IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) } + "%d", $3 & 0xffffffff);) } + ; + +logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) } + ; + +settagout: + | IPFY_SETTAG '(' tagoutlist ')' + ; + +tagoutlist: + tagoutspec + | tagoutlist ',' tagoutspec + ; + +tagoutspec: + logtag + | nattag + ; + +matchtagin: + | IPFY_MATCHTAG '(' tagoutlist ')' + ; + +matchtagout: + | IPFY_MATCHTAG '(' taginlist ')' ; pps: | IPFY_PPS YY_NUMBER { DOALL(fr->fr_pps = $2;) } 
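Review bot: `matchtagin`/`matchtagout` reduce through the same `logtag`/`nattag` actions as `settagin`/`settagout`, so `match-tag(nat=x)` and `set-tag(nat=x)` both just write `fr_nattag`/`fr_logtag` and the parser emits an identical rule for either keyword. If matching on a tag is meant to differ from setting one (the separate tokens suggest it), the match variant needs its own action — a flag or a separate field — otherwise a rule author who writes `match-tag` gets a rule that sets the tag instead; the kernel-side use of these fields is not in this diff, so please confirm. Separately, `sprintf(fr->fr_nattag.ipt_tag, "%d", $3 & 0xffffffff)` formats a masked (unsigned) value with `%d`; `%u` avoids a negative rendering for values above `INT_MAX`. The `IPFTAG_LEN` `strncpy` copies no terminator for a full-length string, which is only safe if the consumer treats `ipt_tag` as a fixed-width field.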
@@ -517,114 +556,26 @@ on: IPFY_ON onname ; onname: interfacename - { -#if SOLARIS2 >=10 - char *cp; -#endif - strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); -#if SOLARIS2 >= 10 - if (strncmp(VNI, $1, VNISTRLEN) == 0) { - cp = $1 + VNISTRLEN; - cp += strspn(cp, "0123456789"); - if (*cp == '\0' || *cp == ':') { - fprintf(stderr, "%d: Warning- %s specified. vni" - " is a virtual interface, use a physical" - " interface instead. See vni(7D)\n", - yylineNum, $1); - } - } -#endif + { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); free($1); } - | interfacename ',' name - { -#if SOLARIS2 >= 10 - char *cp; -#endif - strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); -#if SOLARIS2 >= 10 - if (strncmp(VNI, $1, VNISTRLEN) == 0) { - cp = $1 + VNISTRLEN; - cp += strspn(cp, "0123456789"); - if (*cp == '\0' || *cp == ':') { - fprintf(stderr, "%d: Warning- %s specified. vni" - " is a virtual interface, use a physical" - " interface instead. See vni(7D)\n", - yylineNum, $1); - } - } -#endif + | interfacename ',' interfacename + { strncpy(fr->fr_ifnames[0], $1, sizeof(fr->fr_ifnames[0])); free($1); strncpy(fr->fr_ifnames[1], $3, sizeof(fr->fr_ifnames[1])); -#if SOLARIS2 >= 10 - if (strncmp(VNI, $3, VNISTRLEN) == 0) { - cp = $3 + VNISTRLEN; - cp += strspn(cp, "0123456789"); - if (*cp == '\0' || *cp == ':') { - fprintf(stderr, "%d: Warning- %s specified. vni" - " is a virtual interface, use a physical" - " interface instead. See vni(7D)\n", - yylineNum, $3); - } - } -#endif free($3); } ; vianame: - interfacename - { -#if SOLARIS2 >= 10 - char *cp; -#endif - strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2])); -#if SOLARIS2 >= 10 - if (strncmp(VNI, $1, VNISTRLEN) == 0) { - cp = $1 + VNISTRLEN; - cp += strspn(cp, "0123456789"); - if (*cp == '\0' || *cp == ':') { - fprintf(stderr, "%d: Warning- %s specified. vni" - " is a virtual interface, use a physical" - " interface instead. 
See vni(7D)\n", - yylineNum, $1); - } - } -#endif + name + { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2])); free($1); } - | interfacename ',' name - { -#if SOLARIS2 >= 10 - char *cp; -#endif - strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2])); -#if SOLARIS2 >= 10 - if (strncmp(VNI, $1, VNISTRLEN) == 0) { - cp = $1 + VNISTRLEN; - cp += strspn(cp, "0123456789"); - if (*cp == '\0' || *cp == ':') { - fprintf(stderr, "%d: Warning- %s specified. vni" - " is a virtual interface, use a physical" - " interface instead. See vni(7D)\n", - yylineNum, $1); - } - } -#endif + | name ',' name + { strncpy(fr->fr_ifnames[2], $1, sizeof(fr->fr_ifnames[2])); free($1); strncpy(fr->fr_ifnames[3], $3, sizeof(fr->fr_ifnames[3])); -#if SOLARIS2 >= 10 - if (strncmp(VNI, $3, VNISTRLEN) == 0) { - cp = $3 + VNISTRLEN; - cp += strspn(cp, "0123456789"); - if (*cp == '\0' || *cp == ':') { - fprintf(stderr, "%d: Warning- %s specified. vni" - " is a virtual interface, use a physical" - " interface instead. See vni(7D)\n", - yylineNum, $3); - } - } -#endif free($3); } ; 
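Review bot: The rewritten `onname`/`vianame` actions copy the interface name with `strncpy(fr->fr_ifnames[N], $1, sizeof(fr->fr_ifnames[N]))`, which leaves the field without a NUL when the name fills it, and the grammar no longer rejects or warns about such names even though they come straight from the rule file. Reject them up front in each of the four actions: `if (strlen($1) >= sizeof(fr->fr_ifnames[0])) yyerror("interface name too long");` (or terminate the field explicitly after the copy). Also, `vianame` now takes `name ',' name` while `onname` takes `interfacename ',' interfacename`, so the `Logical interface ... unsupported` diagnostic in the `interfacename` rule later in this file no longer fires for `in-via`/`out-via`; worth checking that is intended. This hunk starts on the previous line.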
@@ -633,33 +584,56 @@ dup: IPFY_DUPTO name { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname)); free($2); } - | IPFY_DUPTO name ':' hostname + | IPFY_DUPTO name duptoseparator hostname { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname)); fr->fr_dif.fd_ip = $4; + yyexpectaddr = 0; + free($2); + } + | IPFY_DUPTO name duptoseparator YY_IPV6 + { strncpy(fr->fr_dif.fd_ifname, $2, sizeof(fr->fr_dif.fd_ifname)); + bcopy(&$4, &fr->fr_dif.fd_ip6, sizeof(fr->fr_dif.fd_ip6)); + yyexpectaddr = 0; free($2); } ; +duptoseparator: + ':' { yyexpectaddr = 1; yycont = &yyexpectaddr; resetaddr(); } + ; + froute: IPFY_FROUTE { fr->fr_flags |= FR_FASTROUTE; } ; -proute: IPFY_TO name +proute: routeto name { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname)); free($2); } - | IPFY_TO name ':' hostname + | routeto name duptoseparator hostname { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname)); fr->fr_tif.fd_ip = $4; + yyexpectaddr = 0; + free($2); + } + | routeto name duptoseparator YY_IPV6 + { strncpy(fr->fr_tif.fd_ifname, $2, sizeof(fr->fr_tif.fd_ifname)); + bcopy(&$4, &fr->fr_tif.fd_ip6, sizeof(fr->fr_tif.fd_ip6)); + yyexpectaddr = 0; free($2); } ; +routeto: + IPFY_TO + | IPFY_ROUTETO + ; + replyto: IPFY_REPLY_TO name { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname)); free($2); } - | IPFY_REPLY_TO name ':' hostname + | IPFY_REPLY_TO name duptoseparator hostname { strncpy(fr->fr_rif.fd_ifname, $2, sizeof(fr->fr_rif.fd_ifname)); fr->fr_rif.fd_ip = $4; free($2); @@ -686,7 +660,7 @@ starticmpcode: '(' { yysetdict(icmpcodewords); } ; -srcdst: IPFY_ALL +srcdst: | IPFY_ALL | fromto ; @@ -699,7 +673,7 @@ protocol: } else { int p = getproto($1); if (p == -1) - fprintf(stderr, "protocol unknown: %s, line %d\n", $1, yylineNum); + yyerror("protocol unknown"); DOREM(fr->fr_proto = p; \ fr->fr_mproto = 0xff;) } 
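Review bot: The `reply-to` alternative `IPFY_REPLY_TO name duptoseparator hostname` now goes through `duptoseparator`, which sets `yyexpectaddr = 1` and points `yycont` at it, but unlike the `dup-to` and `to`/`route-to` actions it never resets `yyexpectaddr = 0`, so the lexer stays in address mode for whatever follows the reply-to address. It is also the only one of the three without a `YY_IPV6` alternative, so `reply-to if:v6addr` is a syntax error while `dup-to if:v6addr` is accepted. Add `yyexpectaddr = 0;` to the action and mirror the `YY_IPV6` production with a `bcopy(&$4, &fr->fr_rif.fd_ip6, sizeof(fr->fr_rif.fd_ip6));`. The close of the `replyto` action is just past the end of this hunk.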
@@ -730,6 +704,8 @@ from: IPFY_FROM { setipftype(); if (fr == NULL) fr = frc; yyexpectaddr = 1; + if (yydebug) + printf("set yyexpectaddr\n"); yycont = &yyexpectaddr; yysetdict(addrwords); resetaddr(); } @@ -738,6 +714,8 @@ from: IPFY_FROM { setipftype(); to: IPFY_TO { if (fr == NULL) fr = frc; yyexpectaddr = 1; + if (yydebug) + printf("set yyexpectaddr\n"); yycont = &yyexpectaddr; yysetdict(addrwords); resetaddr(); } @@ -751,34 +729,42 @@ andwith: | IPFY_AND { nowith = 0; setipftype(); } ; -flags: | IPFY_FLAGS flagset +flags: | startflags flagset { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) } - | IPFY_FLAGS flagset '/' flagset + | startflags flagset '/' flagset { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } - | IPFY_FLAGS '/' flagset + | startflags '/' flagset { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) } - | IPFY_FLAGS YY_NUMBER + | startflags YY_NUMBER { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = FR_TCPFMAX;) } - | IPFY_FLAGS '/' YY_NUMBER + | startflags '/' YY_NUMBER { DOALL(fr->fr_tcpf = 0; fr->fr_tcpfm = $3;) } - | IPFY_FLAGS YY_NUMBER '/' YY_NUMBER + | startflags YY_NUMBER '/' YY_NUMBER { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } - | IPFY_FLAGS flagset '/' YY_NUMBER + | startflags flagset '/' YY_NUMBER { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } - | IPFY_FLAGS YY_NUMBER '/' flagset + | startflags YY_NUMBER '/' flagset { DOALL(fr->fr_tcpf = $2; fr->fr_tcpfm = $4;) } ; +startflags: + IPFY_FLAGS { if (frc->fr_type != FR_T_IPF) + yyerror("flags with non-ipf type rule"); + if (frc->fr_proto != IPPROTO_TCP) + yyerror("flags with non-TCP rule"); + } + ; + flagset: YY_STR { $$ = tcpflags($1); free($1); } | YY_HEX { $$ = $1; } ; srcobject: - srcaddr srcport + { yyresetdict(); } fromport + | srcaddr srcport | '!' srcaddr srcport { DOALL(fr->fr_flags |= FR_NOTSRCIP;) } - | fromport ; srcaddr: @@ -840,7 +826,7 @@ srcportlist: ; dstobject: - toport + { yyresetdict(); } toport | dstaddr dstport | '!' dstaddr dstport { DOALL(fr->fr_flags |= FR_NOTDSTIP;) } 
@@ -960,7 +946,11 @@ maskspace: ipv4mask: ipv4 { $$ = $1; } | YY_HEX { $$.s_addr = htonl($1); } - | YY_NUMBER { ntomask(4, $1, (u_32_t *)&$$); } + | YY_NUMBER { if (($1 >= 0) && ($1 <= 32)) { + ntomask(4, $1, (u_32_t *)&$$); + } else + yyerror("invalid mask"); + } | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) { $$.s_addr = 0; ifpflag = FRI_BROADCAST; @@ -988,7 +978,11 @@ ipv4mask: ; ipv6mask: - YY_NUMBER { ntomask(6, $1, $$.i6); } + YY_NUMBER { if (($1 >= 0) && ($1 <= 128)) { + ntomask(6, $1, $$.i6); + } else + yyerror("invalid mask"); + } | IPFY_BROADCAST { if (ifpflag == FRI_DYNAMIC) { bzero(&$$, sizeof($$)); ifpflag = FRI_BROADCAST; @@ -1174,6 +1168,7 @@ age: | IPFY_AGE YY_NUMBER { DOALL(fr->fr_age[0] = $2; \ keep: | IPFY_KEEP keepstate | IPFY_KEEP keepfrag | IPFY_KEEP keepstate IPFY_KEEP keepfrag + | IPFY_KEEP keepfrag IPFY_KEEP keepstate ; keepstate: @@ -1182,6 +1177,7 @@ keepstate: keepfrag: IPFY_FRAGS fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) } + | IPFY_FRAG fragoptlist { DOALL(fr->fr_flags |= FR_KEEPFRAG;) } ; fragoptlist: 
@@ -1219,34 +1215,46 @@ stateopt: fr->fr_flags |= FR_NEWISN;) } | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) } + + | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) } ; portnum: - servicename { $$ = ntohs(getport(frc, $1)); - if ($$ == -1) - fprintf(stderr, "service unknown: %s, line %d\n", $1, yylineNum); + servicename { if (getport(frc, $1, &($$)) == -1) + yyerror("service unknown"); + else + $$ = ntohs($$); free($1); } - | YY_NUMBER { $$ = $1; } + | YY_NUMBER { if ($1 > 65535) /* Unsigned */ + yyerror("invalid port number"); + else + $$ = $1; + } ; withlist: withopt | withlist withopt + | withlist ',' withopt ; withopt: opttype { DOALL(fr->fr_flx |= $1; fr->fr_mflx |= $1;) } | notwith opttype - { DOALL(fr->fr_mflx |= $2;) } - | IPFY_OPT ipopts - | notwith IPFY_OPT ipopts - | startv6hdrs ipv6hdrs + { DOALL(fr->fr_mflx |= $2;) } + | ipopt ipopts { yyresetdict(); } + | notwith ipopt ipopts { yyresetdict(); } + | startv6hdrs ipv6hdrs { yyresetdict(); } + ; + +ipopt: IPFY_OPT { yysetdict(ipv4optwords); } ; startv6hdrs: IPF6_V6HDRS { if (use_inet6 == 0) yyerror("only available with IPv6"); + yysetdict(ipv6optwords); } ; @@ -1264,6 +1272,8 @@ opttype: | IPFY_BADSRC { $$ = FI_BADSRC; } | IPFY_LOWTTL { $$ = FI_LOWTTL; } | IPFY_FRAG { $$ = FI_FRAG; } + | IPFY_FRAGBODY { $$ = FI_FRAGBODY; } + | IPFY_FRAGS { $$ = FI_FRAG; } | IPFY_MBCAST { $$ = FI_MBCAST; } | IPFY_MULTICAST { $$ = FI_MULTICAST; } | IPFY_BROADCAST { $$ = FI_BROADCAST; } 
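Review bot: Both `portnum` actions leave `$$` unassigned on the error path: when `getport()` fails or `$1 > 65535`, `yyerror()` is called and the action falls out without setting the port. `yyerror` is only declared `extern void yyerror __P((char *))` earlier in this file, so if it returns rather than exits, the rule is built with an indeterminate `u_short` port. If `yyerror()` does exit, a comment saying so at the declaration would save the next reader the question; if it does not, add `$$ = 0;` on both error paths. The `/* Unsigned */` remark presumably refers to the type behind `YY_NUMBER`, which is not visible here.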
@@ -1374,14 +1384,19 @@ opt: | IPFY_IPOPT_NSAPA { $$ = getoptbyvalue(IPOPT_NSAPA); } | IPFY_IPOPT_RTRALRT { $$ = getoptbyvalue(IPOPT_RTRALRT); } | IPFY_IPOPT_UMP { $$ = getoptbyvalue(IPOPT_UMP); } - | IPFY_SECCLASS secname + | setsecclass secname { DOALL(fr->fr_mip.fi_secmsk |= $2; if (!nowith) fr->fr_ip.fi_secmsk |= $2;) $$ = 0; + yyresetdict(); } ; +setsecclass: + IPFY_SECCLASS { yysetdict(ipv4secwords); } + ; + ipv6hdr: IPFY_AH { $$ = getv6optbyvalue(IPPROTO_AH); } | IPFY_IPV6OPT_DSTOPTS { $$ = getv6optbyvalue(IPPROTO_DSTOPTS); } @@ -1439,8 +1454,7 @@ priority: ; compare: - '=' { $$ = FR_EQUAL; } - | YY_CMP_EQ { $$ = FR_EQUAL; } + YY_CMP_EQ { $$ = FR_EQUAL; } | YY_CMP_NE { $$ = FR_NEQUAL; } | YY_CMP_LT { $$ = FR_LESST; } | YY_CMP_LE { $$ = FR_LESSTE; } 
@@ -1460,32 +1474,51 @@ servicename: interfacename: YY_STR { $$ = $1; } | YY_STR ':' YY_NUMBER { $$ = $1; -#if SOLARIS2 >= 10 - if (strncmp(VNI, $1, VNISTRLEN) != 0) -#endif fprintf(stderr, "%d: Logical interface %s:%d unsupported, " - "use the physical interface %s instead.\n", - yylineNum, $1, $3, $1); + "use the physical interface %s instead.\n", + yylineNum, $1, $3, $1); } ; name: YY_STR { $$ = $1; } ; -ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER - { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) { +ipv4_16: + YY_NUMBER '.' YY_NUMBER + { if ($1 > 255 || $3 > 255) { yyerror("Invalid octet string for IP address"); return 0; } - $$.s_addr = ($1 << 24) | ($3 << 16) | ($5 << 8) | $7; + $$.s_addr = ($1 << 24) | ($3 << 16); $$.s_addr = htonl($$.s_addr); } ; + +ipv4_24: + ipv4_16 '.' YY_NUMBER + { if ($3 > 255) { + yyerror("Invalid octet string for IP address"); + return 0; + } + $$.s_addr |= htonl($3 << 8); + } + ; + +ipv4: ipv4_24 '.' YY_NUMBER + { if ($3 > 255) { + yyerror("Invalid octet string for IP address"); + return 0; + } + $$.s_addr |= htonl($3); + } + | ipv4_24 + | ipv4_16 + ; + %% -static struct wordtab ipfwords[] = { - { "addext", IPFY_IPOPT_ADDEXT }, +static struct wordtab ipfwords[95] = { { "age", IPFY_AGE }, { "ah", IPFY_AH }, { "all", IPFY_ALL }, 
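Review bot: The new `ipv4` rule accepts `ipv4_24` and `ipv4_16` as complete addresses, so a rule written as `192.168.1` (a dropped octet) now parses as 192.168.1.0 instead of being a syntax error, and the firewall rule silently matches a different host or network than the author typed. A policy file should not be that forgiving; if the shorthand is wanted, at least warn on those two alternatives, e.g. `fprintf(stderr, "%d: short IPv4 address, padded with zero octets\n", yylineNum);`, or limit them to the network/mask contexts that need them. Separately, `($1 << 24)` in `ipv4_16` is undefined for a signed `$1` of 128 or more; whether that applies depends on the type behind `YY_NUMBER`, which is not in this diff.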
@@ -1497,58 +1530,43 @@ static struct wordtab ipfwords[] = { { "bcast", IPFY_BROADCAST }, { "block", IPFY_BLOCK }, { "body", IPFY_BODY }, - { "bpf", IPFY_BPF }, + { "bpf-v4", IPFY_BPFV4 }, +#ifdef USE_INET6 + { "bpf-v6", IPFY_BPFV6 }, +#endif { "call", IPFY_CALL }, - { "cipso", IPFY_IPOPT_CIPSO }, { "code", IPFY_ICMPCODE }, - { "confid", IPFY_SEC_CONF }, { "count", IPFY_COUNT }, - { "divert", IPFY_DIVERT }, - { "dps", IPFY_IPOPT_DPS }, - { "dstopts", IPFY_IPV6OPT_DSTOPTS }, { "dup-to", IPFY_DUPTO }, - { "e-sec", IPFY_IPOPT_ESEC }, - { "eip", IPFY_IPOPT_EIP }, - { "encode", IPFY_IPOPT_ENCODE }, { "eq", YY_CMP_EQ }, { "esp", IPFY_ESP }, { "fastroute", IPFY_FROUTE }, { "first", IPFY_FIRST }, - { "finn", IPFY_IPOPT_FINN }, - { "frag", IPFY_FRAG }, { "flags", IPFY_FLAGS }, + { "frag", IPFY_FRAG }, + { "frag-body", IPFY_FRAGBODY }, { "frags", IPFY_FRAGS }, { "from", IPFY_FROM }, { "ge", YY_CMP_GE }, { "group", IPFY_GROUP }, { "gt", YY_CMP_GT }, { "head", IPFY_HEAD }, - { "hopopts", IPFY_IPV6OPT_HOPOPTS }, - { "host-preced", IPFY_ICMPC_HSTPRE }, - { "host-prohib", IPFY_ICMPC_HSTPRO }, - { "host-tos", IPFY_ICMPC_HSTTOS }, - { "host-unk", IPFY_ICMPC_HSTUNK }, - { "host-unr", IPFY_ICMPC_HSTUNR }, { "icmp", IPFY_ICMP }, { "icmp-type", IPFY_ICMPTYPE }, - { "imitd", IPFY_IPOPT_IMITD }, { "in", IPFY_IN }, { "in-via", IPFY_INVIA }, { "ipopt", IPFY_IPOPTS }, { "ipopts", IPFY_IPOPTS }, - { "ipv6", IPFY_IPV6OPT_IPV6 }, { "keep", IPFY_KEEP }, { "le", YY_CMP_LE }, { "level", IPFY_LEVEL }, { "limit", IPFY_LIMIT }, { "log", IPFY_LOG }, { "lowttl", IPFY_LOWTTL }, - { "lsrr", IPFY_IPOPT_LSRR }, { "lt", YY_CMP_LT }, { "mask", IPFY_MASK }, + { "match-tag", IPFY_MATCHTAG }, { "mbcast", IPFY_MBCAST }, - { "mtup", IPFY_IPOPT_MTUP }, - { "mtur", IPFY_IPOPT_MTUR }, { "multicast", IPFY_MULTICAST }, { "nat", IPFY_NAT }, { "ne", YY_CMP_NE }, 
@@ -1556,11 +1574,8 @@ static struct wordtab ipfwords[] = { { "newisn", IPFY_NEWISN }, { "no", IPFY_NO }, { "no-icmp-err", IPFY_NOICMPERR }, - { "none", IPFY_IPV6OPT_NONE }, - { "nop", IPFY_IPOPT_NOP }, { "now", IPFY_NOW }, { "not", IPFY_NOT }, - { "nsapa", IPFY_IPOPT_NSAPA }, { "oow", IPFY_OOW }, { "on", IPFY_ON }, { "opt", IPFY_OPT }, @@ -1574,42 +1589,26 @@ static struct wordtab ipfwords[] = { { "proto", IPFY_PROTO }, { "quick", IPFY_QUICK }, { "reply-to", IPFY_REPLY_TO }, - { "reserv-1", IPFY_SEC_RSV1 }, - { "reserv-2", IPFY_SEC_RSV2 }, - { "reserv-3", IPFY_SEC_RSV3 }, - { "reserv-4", IPFY_SEC_RSV4 }, { "return-icmp", IPFY_RETICMP }, { "return-icmp-as-dest", IPFY_RETICMPASDST }, { "return-rst", IPFY_RETRST }, - { "routing", IPFY_IPV6OPT_ROUTING }, - { "rr", IPFY_IPOPT_RR }, - { "rtralrt", IPFY_IPOPT_RTRALRT }, - { "satid", IPFY_IPOPT_SATID }, - { "sdb", IPFY_IPOPT_SDB }, - { "sec", IPFY_IPOPT_SEC }, + { "route-to", IPFY_ROUTETO }, { "sec-class", IPFY_SECCLASS }, - { "secret", IPFY_SEC_SEC }, + { "set-tag", IPFY_SETTAG }, { "skip", IPFY_SKIP }, { "short", IPFY_SHORT }, - { "ssrr", IPFY_IPOPT_SSRR }, { "state", IPFY_STATE }, + { "state-age", IPFY_AGE }, { "strict", IPFY_STRICT }, - { "tag", IPFY_TAG }, + { "sync", IPFY_SYNC }, { "tcp", IPFY_TCP }, { "tcp-udp", IPFY_TCPUDP }, { "tos", IPFY_TOS }, - { "topsecret", IPFY_SEC_TS }, { "to", IPFY_TO }, - { "tr", IPFY_IPOPT_TR }, - { "ts", IPFY_IPOPT_TS }, { "ttl", IPFY_TTL }, { "udp", IPFY_UDP }, - { "ump", IPFY_IPOPT_UMP }, - { "unclass", IPFY_SEC_UNC }, { "v6hdrs", IPF6_V6HDRS }, - { "visa", IPFY_IPOPT_VISA }, { "with", IPFY_WITH }, - { "zsu", IPFY_IPOPT_ZSU }, { NULL, 0 } }; 
@@ -1667,7 +1666,58 @@ static struct wordtab icmpcodewords[17] = { { NULL, 0 }, }; -static struct wordtab logwords[] = { +static struct wordtab ipv4optwords[25] = { + { "addext", IPFY_IPOPT_ADDEXT }, + { "cipso", IPFY_IPOPT_CIPSO }, + { "dps", IPFY_IPOPT_DPS }, + { "e-sec", IPFY_IPOPT_ESEC }, + { "eip", IPFY_IPOPT_EIP }, + { "encode", IPFY_IPOPT_ENCODE }, + { "finn", IPFY_IPOPT_FINN }, + { "imitd", IPFY_IPOPT_IMITD }, + { "lsrr", IPFY_IPOPT_LSRR }, + { "mtup", IPFY_IPOPT_MTUP }, + { "mtur", IPFY_IPOPT_MTUR }, + { "nop", IPFY_IPOPT_NOP }, + { "nsapa", IPFY_IPOPT_NSAPA }, + { "rr", IPFY_IPOPT_RR }, + { "rtralrt", IPFY_IPOPT_RTRALRT }, + { "satid", IPFY_IPOPT_SATID }, + { "sdb", IPFY_IPOPT_SDB }, + { "sec", IPFY_IPOPT_SEC }, + { "ssrr", IPFY_IPOPT_SSRR }, + { "tr", IPFY_IPOPT_TR }, + { "ts", IPFY_IPOPT_TS }, + { "ump", IPFY_IPOPT_UMP }, + { "visa", IPFY_IPOPT_VISA }, + { "zsu", IPFY_IPOPT_ZSU }, + { NULL, 0 }, +}; + +static struct wordtab ipv4secwords[9] = { + { "confid", IPFY_SEC_CONF }, + { "reserv-1", IPFY_SEC_RSV1 }, + { "reserv-2", IPFY_SEC_RSV2 }, + { "reserv-3", IPFY_SEC_RSV3 }, + { "reserv-4", IPFY_SEC_RSV4 }, + { "secret", IPFY_SEC_SEC }, + { "topsecret", IPFY_SEC_TS }, + { "unclass", IPFY_SEC_UNC }, + { NULL, 0 }, +}; + +static struct wordtab ipv6optwords[8] = { + { "dstopts", IPFY_IPV6OPT_DSTOPTS }, + { "esp", IPFY_ESP }, + { "frag", IPFY_FRAG }, + { "hopopts", IPFY_IPV6OPT_HOPOPTS }, + { "ipv6", IPFY_IPV6OPT_IPV6 }, + { "none", IPFY_IPV6OPT_NONE }, + { "routing", IPFY_IPV6OPT_ROUTING }, + { NULL, 0 }, +}; + +static struct wordtab logwords[33] = { { "kern", IPFY_FAC_KERN }, { "user", IPFY_FAC_USER }, { "mail", IPFY_FAC_MAIL }, 
@@ -1892,46 +1942,74 @@ char *name; } if (gethost(name, &addr) == -1) { + fprintf(stderr, "unknown name \"%s\"\n", name); return 0; } return addr; } -static void dobpf(phrase) +static void dobpf(v, phrase) +int v; char *phrase; { #ifdef IPFILTER_BPF struct bpf_program bpf; struct pcap *p; +#endif + fakebpf_t *fb; u_32_t l; char *s; int i; for (fr = frc; fr != NULL; fr = fr->fr_next) { if (fr->fr_type != FR_T_NONE) { - fprintf(stderr, "cannoy mix IPF and BPF matching\n"); + fprintf(stderr, "cannot mix IPF and BPF matching\n"); return; } - fr->fr_type = FR_T_IPF; + fr->fr_v = v; + fr->fr_type = FR_T_BPFOPC; if (!strncmp(phrase, "\"0x", 2)) { phrase++; - fr->fr_data = malloc(4); - if (fr->fr_data == NULL) + fb = malloc(sizeof(fakebpf_t)); + if (fb == NULL) yyerror("sorry, out of memory"); - for (i = 0, s = strtok(phrase, " \r\n\t"; s != NULL; + for (i = 0, s = strtok(phrase, " \r\n\t"); s != NULL; s = strtok(NULL, " \r\n\t"), i++) { - fr->fr_data = realloc(fr->fr_data, (i + 1) * 4); - if (fr->fr_data == NULL) + fb = realloc(fb, (i / 4 + 1) * sizeof(*fb)); + if (fb == NULL) yyerror("sorry, out of memory"); l = (u_32_t)strtol(s, NULL, 0); - ((u_32_t *)fr->fr_data)[i] = l; + switch (i & 3) + { + case 0 : + fb[i / 4].fb_c = l & 0xffff; + break; + case 1 : + fb[i / 4].fb_t = l & 0xff; + break; + case 2 : + fb[i / 4].fb_f = l & 0xff; + break; + case 3 : + fb[i / 4].fb_k = l; + break; + } } + if ((i & 3) != 0) { + fprintf(stderr, + "Odd number of bytes in BPF code\n"); + exit(1); + } + i--; + fr->fr_dsize = (i / 4 + 1) * sizeof(*fb); + fr->fr_data = fb; return; } +#ifdef IPFILTER_BPF bzero((char *)&bpf, sizeof(bpf)); p = pcap_open_dead(DLT_RAW, 1); if (!p) { 
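Review bot: `strncmp(phrase, "\"0x", 2)` compares only the first two characters, so any BPF phrase beginning with `"0` is taken down the raw-opcode path and fed to `strtol`; the length should be 3: `if (!strncmp(phrase, "\"0x", 3)) {`. That raw path also hands the user-supplied opcodes to the kernel without the `bpf_validate()` that the pcap path performs, so unless the kernel checks FR_T_BPFOPC programs itself (not visible here) a bad jump target is never caught, and `strtol(s, NULL, 0)` silently turns an unparsable token into opcode 0. The `"Odd number of bytes in BPF code"` message is misleading as well, since the check is that the word count is a multiple of four. dobpf() continues past this hunk.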
@@ -1939,29 +2017,32 @@ char *phrase; return; } - if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff) { + if (pcap_compile(p, &bpf, phrase, 1, 0xffffffff)) { pcap_perror(p, "ipf"); pcap_close(p); - fprintf(stderr, "pcap parsing failed\n"); + fprintf(stderr, "pcap parsing failed (%s)\n", phrase); return; } pcap_close(p); fr->fr_dsize = bpf.bf_len * sizeof(struct bpf_insn); - fr->fr_data = malloc(bpf.bf_len); + fr->fr_data = malloc(fr->fr_dsize); if (fr->fr_data == NULL) yyerror("sorry, out of memory"); - bcopy((char *)bpf.bf_insns, fr->fr_data, bpf.bf_len); + bcopy((char *)bpf.bf_insns, fr->fr_data, fr->fr_dsize); if (!bpf_validate(fr->fr_data, bpf.bf_len)) { fprintf(stderr, "BPF validation failed\n"); return; } +#endif } +#ifdef IPFILTER_BPF if (opts & OPT_DEBUG) bpf_dump(&bpf, 0); #else - fprintf(stderr, "BPF expressions for matching not supported\n"); + fprintf(stderr, "BPF filter expressions not supported\n"); + exit(1); #endif } @@ -2087,7 +2168,7 @@ int fd; ioctlfunc_t ioctlfunc; void *ptr; { - u_int add, del; + ioctlcmd_t add, del; frentry_t *fr; ipfobj_t obj; @@ -2148,7 +2229,7 @@ void *ptr; } } else if ((opts & OPT_REMOVE) != 0) { if ((*ioctlfunc)(fd, del, (void *)&obj) == -1) { - if ((opts & OPT_DONOTHING) == 0) { + if ((opts & OPT_DONOTHING) != 0) { fprintf(stderr, "%d:", yylineNum); perror("ioctl(delete rule)"); } @@ -2157,23 +2238,22 @@ void *ptr; if ((*ioctlfunc)(fd, add, (void *)&obj) == -1) { if (!(opts & OPT_DONOTHING)) { fprintf(stderr, "%d:", yylineNum); - fprintf(stderr,"ioctl(add/insert rule) failed: rule exists\n"); + perror("ioctl(add/insert rule)"); } } } } - static void setsyslog() { - savewords = yysettab(logwords); + yysetdict(logwords); yybreakondot = 1; } static void unsetsyslog() { - yysettab(savewords); + yyresetdict(); yybreakondot = 0; } @@ -2182,7 +2262,6 @@ static void fillgroup(fr) frentry_t *fr; { frentry_t *f; - int i; for (f = frold; f != NULL; f = f->fr_next) if (strncmp(f->fr_grhead, fr->fr_group, FR_GROUPLEN) == 0) 
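Review bot: In the pcap branch of dobpf(), a `bpf_validate()` failure only prints a message and returns, leaving `fr->fr_type` set to FR_T_BPFOPC and `fr_data`/`fr_dsize` pointing at the rejected program, so the rule is still handed to the kernel later. The raw-opcode path and the `#else` branch treat their failures as fatal with `exit(1)`; this one should do the same, or at least `free(fr->fr_data); fr->fr_data = NULL; fr->fr_dsize = 0;` before returning. The compiled program is also never released with `pcap_freecode(&bpf)` after the copy. dobpf() starts outside this hunk.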
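Review bot: The changed condition `if ((opts & OPT_DONOTHING) != 0)` in the delete path looks inverted: the `ioctl(delete rule)` failure is now only reported when the tool is in do-nothing mode and is silent in a real run, whereas the add path in the next hunk keeps `if (!(opts & OPT_DONOTHING))`. Unless this is intentional, it should read `if ((opts & OPT_DONOTHING) == 0) {` as before. The enclosing function starts and ends outside the hunk.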
@@ -2192,7 +2271,9 @@ frentry_t *fr; /* * Only copy down matching fields if the rules are of the same type - * and are of ipf type. + * and are of ipf type. The only fields that are copied are those + * that impact the rule parsing itself, eg. need for knowing what the + * protocol should be for rules with port comparisons in them. */ if (f->fr_type != fr->fr_type || f->fr_type != FR_T_IPF) return; @@ -2205,36 +2286,7 @@ frentry_t *fr; if (fr->fr_proto == 0 && f->fr_proto != 0) fr->fr_proto = f->fr_proto; - if (fr->fr_proto == IPPROTO_TCP) { - if (fr->fr_tcpfm == 0 && f->fr_tcpfm != 0) - fr->fr_tcpfm = f->fr_tcpfm; - if (fr->fr_tcpf == 0 && f->fr_tcpf != 0) - fr->fr_tcpf = f->fr_tcpf; - } - - if (fr->fr_proto == IPPROTO_ICMP) { - if (fr->fr_icmpm == 0 && f->fr_icmpm != 0) - fr->fr_icmpm = f->fr_icmpm; - if (fr->fr_icmp == 0 && f->fr_icmp != 0) - fr->fr_icmp = f->fr_icmp; - } - - if (fr->fr_optbits == 0 && f->fr_optbits != 0) - fr->fr_optbits = f->fr_optbits; - if (fr->fr_optmask == 0 && f->fr_optmask != 0) - fr->fr_optmask = f->fr_optmask; - if (fr->fr_secbits == 0 && f->fr_secbits != 0) - fr->fr_secbits = f->fr_secbits; - if (fr->fr_secmask == 0 && f->fr_secmask != 0) - fr->fr_secmask = f->fr_secmask; - if (fr->fr_authbits == 0 && f->fr_authbits != 0) - fr->fr_authbits = f->fr_authbits; - if (fr->fr_authmask == 0 && f->fr_authmask != 0) - fr->fr_authmask = f->fr_authmask; - - for (i = 0; i < 3; i++) { - if (*f->fr_ifnames[i] != '\0' && *fr->fr_ifnames[i] == '\0') - strncpy(fr->fr_ifnames[i], f->fr_ifnames[i], - sizeof(f->fr_ifnames[i])); - } + if ((fr->fr_mproto == 0) && ((fr->fr_flx & FI_TCPUDP) == 0) && + ((f->fr_flx & FI_TCPUDP) != 0)) + fr->fr_flx |= FI_TCPUDP; } diff --git a/usr/src/cmd/ipf/tools/ipfcomp.c b/usr/src/cmd/ipf/tools/ipfcomp.c index 05e0202d73..f09bfd314f 100644 --- a/usr/src/cmd/ipf/tools/ipfcomp.c +++ b/usr/src/cmd/ipf/tools/ipfcomp.c 
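Review bot: fillgroup() no longer copies the head rule's TCP flags, ICMP type, option/security bits or interface names into group members, but the new comment only says the copied fields are those that affect parsing; it should also state where the dropped fields now come from, since a member rule that silently lost its `on <if>` binding would match on every interface. Suggested sentence after the existing text: `The head's interface, flag and option matches are not inherited here; they must be enforced by the kernel when the group is evaluated.` If the kernel does not do that (not visible in this diff), the removal is a behaviour change for existing configurations. fillgroup() begins outside this hunk.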
@@ -5,7 +5,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.19 2003/04/09 19:04:33 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipfcomp.c,v 1.24.2.2 2004/04/28 10:34:44 darrenr Exp $"; #endif #include "ipf.h" @@ -95,7 +95,9 @@ frentry_t *fr; fprintf(fp, "#include <sys/types.h>\n"); fprintf(fp, "#include <sys/time.h>\n"); fprintf(fp, "#include <sys/socket.h>\n"); - fprintf(fp, "#include <sys/systm.h>\n"); + fprintf(fp, "#if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__sgi)\n"); + fprintf(fp, "# include <sys/systm.h>\n"); + fprintf(fp, "#endif\n"); fprintf(fp, "#include <sys/errno.h>\n"); fprintf(fp, "#include <sys/param.h>\n"); fprintf(fp, @@ -113,9 +115,14 @@ frentry_t *fr; fprintf(fp, "#include <netinet/in_systm.h>\n"); fprintf(fp, "#include <netinet/ip.h>\n"); fprintf(fp, "#include <netinet/tcp.h>\n"); - fprintf(fp, "#include \"ip_compat.h\"\n"); - fprintf(fp, "#include \"ip_fil.h\"\n\n"); - fprintf(fp, "#include \"ip_rules.h\"\n\n"); + fprintf(fp, "#include \"netinet/ip_compat.h\"\n"); + fprintf(fp, "#include \"netinet/ip_fil.h\"\n\n"); + fprintf(fp, "#include \"netinet/ip_rules.h\"\n\n"); + fprintf(fp, "#ifndef _KERNEL\n"); + fprintf(fp, "# include <string.h>\n"); + fprintf(fp, "#endif /* _KERNEL */\n"); + fprintf(fp, "\n"); + fprintf(fp, "#ifdef IPFILTER_COMPILED\n"); } addrule(fp, fr); @@ -152,18 +159,9 @@ frentry_t *fr; int i; f = (frentry_t *)malloc(sizeof(*f)); - if (f == NULL) { - fprintf(stderr, "out of memory\n"); - exit(1); - } - bcopy((char *)fr, (char *)f, sizeof(*fr)); if (fr->fr_ipf) { f->fr_ipf = (fripf_t *)malloc(sizeof(*f->fr_ipf)); - if (f->fr_ipf == NULL) { - fprintf(stderr, "out of memory\n"); - exit(1); - } bcopy((char *)fr->fr_ipf, (char *)f->fr_ipf, sizeof(*fr->fr_ipf)); } 
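Review bot: The hunk at `@@ -152` removes the NULL checks after `malloc(sizeof(*f))` and `malloc(sizeof(*f->fr_ipf))`, so an allocation failure now crashes in the following `bcopy()` instead of reporting out of memory. Nothing in the new code replaces the check (no allocation wrapper is introduced here), so the original `if (f == NULL) { fprintf(stderr, "out of memory\n"); exit(1); }` should stay, for both allocations. The enclosing function starts before this hunk.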
@@ -176,10 +174,6 @@ frentry_t *fr; if (g == NULL) { g = (frgroup_t *)calloc(1, sizeof(*g)); - if (g == NULL) { - fprintf(stderr, "out of memory\n"); - exit(1); - } g->fg_next = groups; groups = g; g->fg_head = f; @@ -220,10 +214,6 @@ static u_long ipf%s_rule_data_%s_%u[] = {\n", break; if (g == NULL) { g = (frgroup_t *)calloc(1, sizeof(*g)); - if (g == NULL) { - fprintf(stderr, "out of memory\n"); - exit(1); - } g->fg_next = groups; groups = g; g->fg_head = f; @@ -332,7 +322,9 @@ frentry_t *fr; } } emittail(); + fprintf(cfile, "#endif /* IPFILTER_COMPILED */\n"); } + } @@ -723,7 +715,7 @@ u_int incount, outcount; /* * print out C code that implements a filter rule. - */ + */ for (; i < FRC_MAX; i++) { switch(m[i].c) { @@ -941,10 +933,6 @@ u_int incount, outcount; } if (n == NULL) n = (mc_t *)malloc(sizeof(*n) * FRC_MAX); - if (n == NULL) { - fprintf(stderr, "out of memory\n"); - exit(1); - } bcopy((char *)m, (char *)n, sizeof(*n) * FRC_MAX); sin = in; } @@ -958,10 +946,6 @@ int dir; if (m == NULL) m = (mc_t *)calloc(1, sizeof(*m) * FRC_MAX); - if (m == NULL) { - fprintf(stderr, "out of memory\n"); - exit(1); - } for (g = groups; g != NULL; g = g->fg_next) { if ((dir == 0) && ((g->fg_flags & FR_INQUE) != 0)) @@ -1309,6 +1293,9 @@ int ipfrule_add_%s_%s()\n", instr, group); fp->fr_flags = FR_%sQUE|FR_NOMATCH;\n\ fp->fr_data = (void *)ipf_rules_%s_%s[0];\n", (in != 0) ? "IN" : "OUT", instr, group); + fprintf(fp, "\ + fp->fr_dsize = sizeof(ipf_rules_%s_%s[0]);\n", + instr, group); fprintf(fp, "\ fp->fr_v = 4;\n\ diff --git a/usr/src/cmd/ipf/tools/ipfs.c b/usr/src/cmd/ipf/tools/ipfs.c index 91ee4498ef..e8a5148143 100644 --- a/usr/src/cmd/ipf/tools/ipfs.c +++ b/usr/src/cmd/ipf/tools/ipfs.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Copyright 2003 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
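Review bot: The `calloc(1, sizeof(*g))` result is now dereferenced at `g->fg_next = groups` with no NULL check, and the same check is dropped again in the `@@ -220`, `@@ -941` and `@@ -958` hunks on this line. These removals trade a clear `out of memory` diagnostic for a NULL dereference with nothing added in exchange; keep `if (g == NULL) { fprintf(stderr, "out of memory\n"); exit(1); }` after each allocation. The enclosing functions start outside the hunks.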
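Review bot: The added `fp->fr_dsize = sizeof(ipf_rules_%s_%s[0]);` only gives the right length if `ipf_rules_<in>_<group>` is a two-dimensional array whose rows hold the rule data; if it is an array of pointers (the preceding line casts element 0 to `void *`, which reads either way), `sizeof` yields the pointer size and the kernel is told the data block is 4 or 8 bytes long. The generated table definition is not visible in this diff, so this is worth confirming, and a comment in the generator stating which layout is assumed would help. The generating function starts outside the hunk.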
@@ -45,9 +45,10 @@ #include <arpa/nameser.h> #include <resolv.h> #include "ipf.h" +#include "netinet/ipl.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipfs.c,v 1.9 2003/05/17 09:47:35 darrenr Exp $"; +static const char rcsid[] = "@(#)Id: ipfs.c,v 1.12 2003/12/01 01:56:53 darrenr Exp"; #endif #ifndef IPF_SAVEDIR @@ -254,7 +255,7 @@ char *argv[]; set = 1; break; case 'r' : - if ((ns >= 0) || dirname || (rw != -1)) + if (dirname || (rw != -1) || (ns == -1)) usage(); rw = 0; set = 1; @@ -389,6 +390,7 @@ int fd; char *file; { ipstate_save_t ips, *ipsp; + ipfobj_t obj; int wfd = -1; if (!file) @@ -402,12 +404,19 @@ char *file; } ipsp = &ips; + bzero((char *)&obj, sizeof(obj)); bzero((char *)ipsp, sizeof(ips)); + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_size = sizeof(*ipsp); + obj.ipfo_type = IPFOBJ_STATESAVE; + obj.ipfo_ptr = ipsp; + do { + if (opts & OPT_VERBOSE) printf("Getting state from addr %p\n", ips.ips_next); - if (ioctl(fd, SIOCSTGET, &ipsp)) { + if (ioctl(fd, SIOCSTGET, &obj)) { if (errno == ENOENT) break; perror("state:SIOCSTGET"); @@ -434,6 +443,7 @@ char *file; { ipstate_save_t ips, *is, *ipshead = NULL, *is1, *ipstail = NULL; int sfd = -1, i; + ipfobj_t obj; if (!file) file = IPF_STATEFILE; @@ -460,8 +470,8 @@ char *file; if (i == 0) break; if (i != sizeof(ips)) { - fprintf(stderr, "incomplete read: %d != %d\n", i, - (int)sizeof(ips)); + fprintf(stderr, "state:incomplete read: %d != %d\n", + i, (int)sizeof(ips)); close(sfd); return 1; } @@ -502,6 +512,10 @@ char *file; close(sfd); + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_size = sizeof(*is); + obj.ipfo_type = IPFOBJ_STATESAVE; + for (is = ipshead; is; is = is->ips_next) { if (opts & OPT_VERBOSE) printf("Loading new state table entry\n"); @@ -509,8 +523,10 @@ char *file; if (opts & OPT_VERBOSE) printf("Loading new filter rule\n"); } + + obj.ipfo_ptr = is; if (!(opts & OPT_DONOTHING)) - if (ioctl(fd, SIOCSTPUT, &is)) { + if (ioctl(fd, SIOCSTPUT, &obj)) { perror("SIOCSTPUT"); return 1; } 
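Review bot: In readstate(), the new `ipfobj_t obj` has only `ipfo_rev`, `ipfo_size`, `ipfo_type` and `ipfo_ptr` assigned before SIOCSTPUT, so any other members of the structure reach the kernel as uninitialised stack contents; writestate() in the `@@ -402` hunk above clears it with `bzero((char *)&obj, sizeof(obj));` first, and readstate() should do the same before the assignments. The same applies to the `obj` used by readnat() and writenat() later in this file. readstate() starts outside this hunk.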
@@ -532,9 +548,12 @@ int readnat(fd, file) int fd; char *file; { - nat_save_t ipn, *in, *ipnhead, *in1, *ipntail, *ipnp; + nat_save_t ipn, *in, *ipnhead = NULL, *in1, *ipntail = NULL; + ipfobj_t obj; int nfd, i; nat_t *nat; + char *s; + int n; nfd = -1; in = NULL; @@ -552,7 +571,6 @@ char *file; } bzero((char *)&ipn, sizeof(ipn)); - ipnp = &ipn; /* * 1. Read all state information in. @@ -567,42 +585,36 @@ char *file; if (i == 0) break; if (i != sizeof(ipn)) { - fprintf(stderr, "incomplete read: %d != %d\n", i, - (int)sizeof(ipn)); + fprintf(stderr, "nat:incomplete read: %d != %d\n", + i, (int)sizeof(ipn)); close(nfd); return 1; } - if (ipn.ipn_dsize > 0) { - char *s = ipnp->ipn_data; - int n = ipnp->ipn_dsize; - - n -= sizeof(ipnp->ipn_data); - in = malloc(sizeof(*in) + n); - if (!in) - break; + in = (nat_save_t *)malloc(ipn.ipn_dsize); + if (!in) + break; - s += sizeof(ipnp->ipn_data); - i = read(nfd, s, n); - if (i == 0) - break; - if (i != n) { - fprintf(stderr, "incomplete read: %d != %d\n", - i, n); - close(nfd); - free(in); - return 1; + if (ipn.ipn_dsize > sizeof(ipn)) { + n = ipn.ipn_dsize - sizeof(ipn); + if (n > 0) { + s = in->ipn_data + sizeof(in->ipn_data); + i = read(nfd, s, n); + if (i == 0) + break; + if (i != n) { + fprintf(stderr, + "nat:incomplete read: %d != %d\n", + i, n); + close(nfd); + return 1; + } } - } else { - ipn.ipn_dsize = 0; - in = (nat_save_t *)malloc(sizeof(*in)); - if (in == NULL) - break; } - bcopy((char *)ipnp, (char *)in, sizeof(ipn)); + bcopy((char *)&ipn, (char *)in, sizeof(ipn)); /* - * Check to see if this is the first state entry that will + * Check to see if this is the first NAT entry that will * reference a particular rule and if so, flag it as such * else just adjust the rule pointer to become a pointer to * the other. We do this so we have a means later for tracking 
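Review bot: `in = (nat_save_t *)malloc(ipn.ipn_dsize)` sizes the allocation from a value read out of the save file, and the unconditional `bcopy((char *)&ipn, (char *)in, sizeof(ipn))` that follows overflows it whenever `ipn_dsize` is smaller than `sizeof(ipn)` (including zero); the only check is the later `ipn_dsize > sizeof(ipn)` that gates the extra read. Reject short records before allocating: `if (ipn.ipn_dsize < sizeof(ipn)) { fprintf(stderr, "nat:bad ipn_dsize %d\n", ipn.ipn_dsize); close(nfd); return 1; }`. The short-read error path also dropped the `free(in)` the old code had, so that branch now leaks the record. readnat() starts outside this hunk.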
@@ -632,6 +644,10 @@ char *file; } while (1); close(nfd); + nfd = -1; + + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_type = IPFOBJ_NATSAVE; for (in = ipnhead; in; in = in->ipn_next) { if (opts & OPT_VERBOSE) @@ -641,8 +657,12 @@ char *file; if (opts & OPT_VERBOSE) printf("Loading new filter rule\n"); } + + obj.ipfo_ptr = in; + obj.ipfo_size = in->ipn_dsize; if (!(opts & OPT_DONOTHING)) - if (ioctl(fd, SIOCSTPUT, &in)) { + if (ioctl(fd, SIOCSTPUT, &obj)) { + fprintf(stderr, "in=%p:", in); perror("SIOCSTPUT"); return 1; } @@ -665,6 +685,7 @@ int fd; char *file; { nat_save_t *ipnp = NULL, *next = NULL; + ipfobj_t obj; int nfd = -1; natget_t ng; @@ -678,6 +699,8 @@ char *file; return 1; } + obj.ipfo_rev = IPFILTER_VERSION; + obj.ipfo_type = IPFOBJ_NATSAVE; do { if (opts & OPT_VERBOSE) @@ -709,8 +732,11 @@ char *file; } bzero((char *)ipnp, ng.ng_sz); + obj.ipfo_size = ng.ng_sz; + obj.ipfo_ptr = ipnp; + ipnp->ipn_dsize = ng.ng_sz; ipnp->ipn_next = next; - if (ioctl(fd, SIOCSTGET, &ipnp)) { + if (ioctl(fd, SIOCSTGET, &obj)) { if (errno == ENOENT) break; perror("nat:SIOCSTGET"); @@ -720,8 +746,9 @@ char *file; } if (opts & OPT_VERBOSE) - printf("Got nat next %p\n", ipnp->ipn_next); - if (write(nfd, ipnp, ng.ng_sz) != ng.ng_sz) { + printf("Got nat next %p ipn_dsize %d ng_sz %d\n", + ipnp->ipn_next, ipnp->ipn_dsize, ng.ng_sz); + if (write(nfd, ipnp, ipnp->ipn_dsize) != ipnp->ipn_dsize) { perror("nat:write"); close(nfd); free(ipnp); @@ -746,6 +773,7 @@ char *dirname; dirname = IPF_SAVEDIR; if (chdir(dirname)) { + fprintf(stderr, "IPF_SAVEDIR=%s: ", dirname); perror("chdir(IPF_SAVEDIR)"); return 1; } diff --git a/usr/src/cmd/ipf/tools/ipfstat.c b/usr/src/cmd/ipf/tools/ipfstat.c index e3de41316c..b2f3195a99 100644 --- a/usr/src/cmd/ipf/tools/ipfstat.c +++ b/usr/src/cmd/ipf/tools/ipfstat.c 
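Review bot: `write(nfd, ipnp, ipnp->ipn_dsize)` trusts the `ipn_dsize` the kernel wrote back into a buffer that was allocated with `ng.ng_sz` bytes; if the kernel can return a value larger than the `ipfo_size` it was given (not visible here), the write reads past the allocation into the save file. Guard it before the write, mirroring the write-failure branch: `if (ipnp->ipn_dsize > ng.ng_sz) { fprintf(stderr, "nat:ipn_dsize %d > ng_sz %d\n", ipnp->ipn_dsize, ng.ng_sz); close(nfd); free(ipnp); return 1; }`. writenat() starts outside this hunk.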
@@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -20,14 +20,20 @@ #endif #include <sys/ioctl.h> #include <fcntl.h> -#include <nlist.h> +#ifdef linux +# include <linux/a.out.h> +#else +# include <nlist.h> +#endif #include <ctype.h> -#include <stddef.h> +#if defined(sun) && (defined(__svr4__) || defined(__SVR4)) +# include <stddef.h> +#endif #include "ipf.h" -#include "ipl.h" +#include "netinet/ipl.h" #if defined(STATETOP) # if defined(_BSDI_VERSION) -# undef STATETOP) +# undef STATETOP # endif # if defined(__FreeBSD__) && \ (!defined(__FreeBSD_version) || (__FreeBSD_version < 430000)) @@ -49,16 +55,15 @@ # include <netinet/tcp_fsm.h> #endif #ifdef STATETOP -#if SOLARIS2 >= 10 -# include "ipl.h" -#else -# include "netinet/ipl.h" -#endif +# include <ctype.h> +# include <signal.h> # if SOLARIS || defined(__NetBSD__) || defined(_BSDI_VERSION) || \ defined(__sgi) # ifdef ERR # undef ERR # endif +# undef ISASCII +# undef ISPRINT # include <curses.h> # else /* SOLARIS */ # include <ncurses.h> @@ -71,7 +76,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.28 2003/07/01 01:03:04 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.12 2005/06/12 07:18:46 darrenr Exp $"; #endif #ifdef __hpux @@ -80,6 +85,7 @@ static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.28 2003/07/01 01:03:04 darre extern char *optarg; extern int optind; +extern int opterr; #define PRINTF (void)printf #define FPRINTF (void)fprintf 
@@ -107,8 +113,10 @@ int ipf_fd = -1;
 #define STSORT_BYTES 2
 #define STSORT_TTL 3
 #define STSORT_SRCIP 4
-#define STSORT_DSTIP 5
-#define STSORT_MAX STSORT_DSTIP
+#define STSORT_SRCPT 5
+#define STSORT_DSTIP 6
+#define STSORT_DSTPT 7
+#define STSORT_MAX STSORT_DSTPT
 #define STSORT_DEFAULT STSORT_BYTES
@@ -118,6 +126,7 @@ typedef struct statetop {
 u_short st_sport;
 u_short st_dport;
 u_char st_p;
+ u_char st_v;
 u_char st_state[2];
 U_QUAD_T st_pkts;
 U_QUAD_T st_bytes;
@@ -125,42 +134,54 @@ typedef struct statetop { } statetop_t; #endif -extern int main __P((int, char *[])); +int main __P((int, char *[])); + static void showstats __P((friostat_t *, u_32_t)); static void showfrstates __P((ipfrstat_t *)); static void showlist __P((friostat_t *)); static void showipstates __P((ips_stat_t *)); static void showauthstates __P((fr_authstat_t *)); static void showgroups __P((friostat_t *)); -static void Usage __P((char *)); +static void usage __P((char *)); static void printlist __P((frentry_t *, char *)); -static void parse_ipportstr __P((const char *, struct in_addr *, int *)); +static void parse_ipportstr __P((const char *, i6addr_t *, int *)); static void ipfstate_live __P((char *, friostat_t **, ips_stat_t **, ipfrstat_t **, fr_authstat_t **, u_32_t *)); static void ipfstate_dead __P((char *, friostat_t **, ips_stat_t **, ipfrstat_t **, fr_authstat_t **, u_32_t *)); #ifdef STATETOP -static void topipstates __P((struct in_addr, struct in_addr, int, int, int, int, int)); +static void topipstates __P((i6addr_t, i6addr_t, int, int, int, + int, int, int)); +static void sig_break __P((int)); +static void sig_resize __P((int)); +static char *getip __P((int, i6addr_t *)); static char *ttl_to_string __P((long)); static int sort_p __P((const void *, const void *)); static int sort_pkts __P((const void *, const void *)); static int sort_bytes __P((const void *, const void *)); static int sort_ttl __P((const void *, const void *)); static int sort_srcip __P((const void *, const void *)); +static int sort_srcpt __P((const void *, const void *)); static int sort_dstip __P((const void *, const void *)); +static int sort_dstpt __P((const void *, const void *)); #endif -static void Usage(name) +static void usage(name) char *name; { #ifdef USE_INET6 - fprintf(stderr, "Usage: %s [-6aAfhIinosv] [-d <device>]\n", name); + fprintf(stderr, "Usage: %s [-6aAdfghIilnoRsv]\n", name); #else - fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name); + 
fprintf(stderr, "Usage: %s [-aAdfghIilnoRsv]\n", name); #endif - fprintf(stderr, "\t\t[-M corefile] [-N symbol-list]\n"); - fprintf(stderr, " %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name); + fprintf(stderr, " %s [-M corefile] [-N symbol-list]\n", name); +#ifdef USE_INET6 + fprintf(stderr, " %s -t [-6C] ", name); +#else + fprintf(stderr, " %s -t [-C] ", name); +#endif + fprintf(stderr, "[-D destination address] [-P protocol] [-S source address] [-T refresh time]\n"); exit(1); } @@ -178,27 +199,39 @@ char *argv[]; ipfrstat_t ifrst; ipfrstat_t *ifrstp = &ifrst; char *device = IPL_NAME, *memf = NULL; - char *kern = NULL; + char *options, *kern = NULL; int c, myoptind; - struct protoent *proto; int protocol = -1; /* -1 = wild card for any protocol */ int refreshtime = 1; /* default update time */ int sport = -1; /* -1 = wild card for any source port */ int dport = -1; /* -1 = wild card for any dest port */ int topclosed = 0; /* do not show closed tcp sessions */ - struct in_addr saddr, daddr; + i6addr_t saddr, daddr; u_32_t frf; - saddr.s_addr = INADDR_ANY; /* default any source addr */ - daddr.s_addr = INADDR_ANY; /* default any dest addr */ +#ifdef USE_INET6 + options = "6aACdfghIilnostvD:M:N:P:RS:T:"; +#else + options = "aACdfghIilnostvD:M:N:P:RS:T:"; +#endif + + saddr.in4.s_addr = INADDR_ANY; /* default any v4 source addr */ + daddr.in4.s_addr = INADDR_ANY; /* default any v4 dest addr */ +#ifdef USE_INET6 + saddr.in6 = in6addr_any; /* default any v6 source addr */ + daddr.in6 = in6addr_any; /* default any v6 dest addr */ +#endif + + /* Don't warn about invalid flags when we run getopt for the 1st time */ + opterr = 0; /* * Parse these two arguments now lest there be any buffer overflows * in the parsing of the rest. */ myoptind = optind; - while ((c = getopt(argc, argv, "6aACdfghIilnostvD:M:N:P:S:T:")) != -1) + while ((c = getopt(argc, argv, options)) != -1) { switch (c) { case 'M' : 
@@ -210,32 +243,37 @@ char *argv[]; live_kernel = 0; break; } + } optind = myoptind; if (live_kernel == 1) { if ((state_fd = open(IPSTATE_NAME, O_RDONLY)) == -1) { - perror("open"); + perror("open(IPSTATE_NAME)"); exit(-1); } if ((ipf_fd = open(device, O_RDONLY)) == -1) { - perror("open"); + fprintf(stderr, "open(%s)", device); + perror(""); exit(-1); } } - if (kern != NULL || memf != NULL) - { + if (kern != NULL || memf != NULL) { (void)setgid(getgid()); (void)setreuid(getuid(), getuid()); } + if (live_kernel == 1) + (void) checkrev(device); if (openkmem(kern, memf) == -1) exit(-1); (void)setgid(getgid()); (void)setreuid(getuid(), getuid()); - while ((c = getopt(argc, argv, "6aACdfghIilnostvD:M:N:P:S:T:")) != -1) + opterr = 1; + + while ((c = getopt(argc, argv, options)) != -1) { switch (c) { @@ -288,15 +326,16 @@ char *argv[]; opts |= OPT_OUTQUE|OPT_SHOWLIST; break; case 'P' : - if ((proto = getprotobyname(optarg)) != NULL) { - protocol = proto->p_proto; - } else if (!sscanf(optarg, "%d", &protocol) || - (protocol < 0)) { - fprintf(stderr, "%s : Invalid protocol: %s\n", + protocol = getproto(optarg); + if (protocol == -1) { + fprintf(stderr, "%s: Invalid protocol: %s\n", argv[0], optarg); exit(-2); } break; + case 'R' : + opts |= OPT_NORESOLVE; + break; case 's' : opts |= OPT_IPSTATES; break; @@ -309,7 +348,7 @@ char *argv[]; break; #else fprintf(stderr, - "%s : state top facility not compiled in\n", + "%s: state top facility not compiled in\n", argv[0]); exit(-2); #endif @@ -317,7 +356,7 @@ char *argv[]; if (!sscanf(optarg, "%d", &refreshtime) || (refreshtime <= 0)) { fprintf(stderr, - "%s : Invalid refreshtime < 1 : %s\n", + "%s: Invalid refreshtime < 1 : %s\n", argv[0], optarg); exit(-2); } @@ -327,7 +366,7 @@ char *argv[]; opts |= OPT_UNDEF; break; default : - Usage(argv[0]); + usage(argv[0]); break; } } 
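Review bot: The privilege drop `(void)setgid(getgid()); (void)setreuid(getuid(), getuid());` discards both return values, in the `-M`/`-N` branch and again after `openkmem()`; if either call fails in a set-id install, the program carries on with its elevated IDs while opening a user-named corefile and symbol list. Check them and stop: `if (setgid(getgid()) == -1 || setreuid(getuid(), getuid()) == -1) { perror("setreuid"); exit(-1); }`. The new `(void) checkrev(device);` also ignores its result, so whatever mismatch it detects does not stop the run unless checkrev() itself exits (not visible here). main() starts outside this hunk.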
@@ -350,21 +389,20 @@ char *argv[]; opts &= ~OPT_OUTQUE; showlist(fiop); } - } else { - if (opts & OPT_FRSTATES) - showfrstates(ifrstp); + } else if (opts & OPT_FRSTATES) + showfrstates(ifrstp); #ifdef STATETOP - else if (opts & OPT_STATETOP) - topipstates(saddr, daddr, sport, dport, - protocol, refreshtime, topclosed); + else if (opts & OPT_STATETOP) + topipstates(saddr, daddr, sport, dport, protocol, + use_inet6 ? 6 : 4, refreshtime, topclosed); #endif - else if (opts & OPT_AUTHSTATS) - showauthstates(frauthstp); - else if (opts & OPT_GROUPS) - showgroups(fiop); - else - showstats(fiop, frf); - } + else if (opts & OPT_AUTHSTATS) + showauthstates(frauthstp); + else if (opts & OPT_GROUPS) + showgroups(fiop); + else + showstats(fiop, frf); + return 0; } @@ -685,12 +723,12 @@ u_32_t frf; PRINTF(" input packets:\t\tblocked %lu passed %lu nomatch %lu", fp->f_st[0].fr_block, fp->f_st[0].fr_pass, fp->f_st[0].fr_nom); - PRINTF(" counted %lu short %lu\n", + PRINTF(" counted %lu short %lu\n", fp->f_st[0].fr_acct, fp->f_st[0].fr_short); PRINTF("output packets:\t\tblocked %lu passed %lu nomatch %lu", fp->f_st[1].fr_block, fp->f_st[1].fr_pass, fp->f_st[1].fr_nom); - PRINTF(" counted %lu short %lu\n", + PRINTF(" counted %lu short %lu\n", fp->f_st[1].fr_acct, fp->f_st[1].fr_short); PRINTF(" input packets logged:\tblocked %lu passed %lu\n", fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl); 
@@ -700,10 +738,12 @@ u_32_t frf; fp->f_st[0].fr_pkl, fp->f_st[1].fr_pkl); PRINTF(" log failures:\t\tinput %lu output %lu\n", fp->f_st[0].fr_skip, fp->f_st[1].fr_skip); - PRINTF("fragment state(in):\tkept %lu\tlost %lu\n", - fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr); - PRINTF("fragment state(out):\tkept %lu\tlost %lu\n", - fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr); + PRINTF("fragment state(in):\tkept %lu\tlost %lu\tnot fragmented %lu\n", + fp->f_st[0].fr_nfr, fp->f_st[0].fr_bnfr, + fp->f_st[0].fr_cfr); + PRINTF("fragment state(out):\tkept %lu\tlost %lu\tnot fragmented %lu\n", + fp->f_st[1].fr_nfr, fp->f_st[1].fr_bnfr, + fp->f_st[0].fr_cfr); PRINTF("packet state(in):\tkept %lu\tlost %lu\n", fp->f_st[0].fr_ads, fp->f_st[0].fr_bads); PRINTF("packet state(out):\tkept %lu\tlost %lu\n", @@ -787,7 +827,7 @@ char *comment; } printfr(fp, ioctl); - if (opts & OPT_VERBOSE) { + if (opts & OPT_DEBUG) { binprint(fp, sizeof(*fp)); if (fp->fr_data != NULL && fp->fr_dsize > 0) binprint(fp->fr_data, fp->fr_dsize); @@ -902,6 +942,8 @@ ips_stat_t *ipsp; ipsp->iss_miss); PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu max bucket\n", ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_bucketfull); + PRINTF("\t%lu maximum\n\t%lu no memory\n\t%lu bkts in use\n", + ipsp->iss_max, ipsp->iss_nomem, ipsp->iss_inuse); PRINTF("\t%lu active\n\t%lu expired\n\t%lu closed\n", ipsp->iss_active, ipsp->iss_expire, ipsp->iss_fin); @@ -936,13 +978,13 @@ ips_stat_t *ipsp; if (opts & OPT_VERBOSE) { PRINTF("\nCurrent bucket sizes :\n"); for (i = 0; i < ipsp->iss_statesize; i++) { - if ((i % ENTRIES_PER_LINE) == 0) + if ((i % ENTRIES_PER_LINE) == 0) PRINTF("\t"); PRINTF("%4d -> %4lu", i, buckets[i]); if ((i % ENTRIES_PER_LINE) == - (ENTRIES_PER_LINE - 1)) + (ENTRIES_PER_LINE - 1)) PRINTF("\n"); - else + else PRINTF(" "); } PRINTF("\n"); 
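Review bot: The `fragment state(out)` line prints `fp->f_st[0].fr_cfr` for its `not fragmented` column while the other two values on that line come from `f_st[1]`, so the output direction repeats the input counter; it should be `fp->f_st[1].fr_cfr);`. showstats() starts outside this hunk.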
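Review bot: The added PRINTF repeats the `maximum` and `no memory` values that the line directly above already prints, so each now appears twice in the state statistics; only the `bkts in use` column is new. Replace the added call with `PRINTF("\t%lu bkts in use\n", ipsp->iss_inuse);`. showipstates() starts outside this hunk.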
@@ -957,7 +999,8 @@ ips_stat_t *ipsp; * Print out all the state information currently held in the kernel. */ while (ipsp->iss_list != NULL) { - ipsp->iss_list = printstate(ipsp->iss_list, opts); + ipsp->iss_list = printstate(ipsp->iss_list, opts, + ipsp->iss_ticks); } free(buckets); @@ -965,39 +1008,52 @@ ips_stat_t *ipsp; #ifdef STATETOP -static void topipstates(saddr, daddr, sport, dport, protocol, +static int handle_resize = 0, handle_break = 0; + +static void topipstates(saddr, daddr, sport, dport, protocol, ver, refreshtime, topclosed) -struct in_addr saddr; -struct in_addr daddr; +i6addr_t saddr; +i6addr_t daddr; int sport; int dport; int protocol; +int ver; int refreshtime; int topclosed; { char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE]; int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT; - int i, j, winx, tsentry, maxx, maxy, redraw = 0; + int i, j, winy, tsentry, maxx, maxy, redraw = 0, ret = 0; + int len, srclen, dstlen, forward = 1, c = 0; ips_stat_t ipsst, *ipsstp = &ipsst; statetop_t *tstable = NULL, *tp; + const char *errstr = ""; ipstate_t ips; ipfobj_t ipfo; - struct timeval selecttimeout; + struct timeval selecttimeout; char hostnm[HOSTNMLEN]; struct protoent *proto; fd_set readfd; - int c = 0; time_t t; + /* install signal handlers */ + signal(SIGINT, sig_break); + signal(SIGQUIT, sig_break); + signal(SIGTERM, sig_break); + signal(SIGWINCH, sig_resize); + /* init ncurses stuff */ initscr(); cbreak(); noecho(); + curs_set(0); + timeout(0); + getmaxyx(stdscr, maxy, maxx); /* init hostname */ gethostname(hostnm, sizeof(hostnm) - 1); hostnm[sizeof(hostnm) - 1] = '\0'; - + /* init ipfobj_t stuff */ bzero((caddr_t)&ipfo, sizeof(ipfo)); ipfo.ipfo_rev = IPFILTER_VERSION; 
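Review bot: `static int handle_resize = 0, handle_break = 0;` are, judging by the `sig_resize`/`sig_break` handlers installed just below (their bodies are not in this diff), flags set from signal context and polled by the display loop; plain `int` lets the compiler cache them, so they should be `static volatile sig_atomic_t handle_resize = 0, handle_break = 0;`. The handlers are also installed with `signal()` before `initscr()`, so a signal arriving during curses setup reaches a handler before the screen exists — worth confirming the handlers only set their flag. topipstates() continues past this hunk.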
@@ -1011,73 +1067,111 @@ int topclosed; /* get state table */ bzero((char *)&ipsst, sizeof(ipsst)); if ((ioctl(state_fd, SIOCGETFS, &ipfo) == -1)) { - perror("ioctl(SIOCGETFS)"); - break; + errstr = "ioctl(SIOCGETFS)"; + ret = -1; + goto out; } /* clear the history */ tsentry = -1; + /* reset max str len */ + srclen = dstlen = 0; + /* read the state table and store in tstable */ - while (ipsstp->iss_list) { + for (; ipsstp->iss_list; ipsstp->iss_list = ips.is_next) { + if (kmemcpy((char *)&ips, (u_long)ipsstp->iss_list, sizeof(ips))) break; - ipsstp->iss_list = ips.is_next; - - if (((saddr.s_addr == INADDR_ANY) || - (saddr.s_addr == ips.is_saddr)) && - ((daddr.s_addr == INADDR_ANY) || - (daddr.s_addr == ips.is_daddr)) && - ((protocol < 0) || (protocol == ips.is_p)) && - (((ips.is_p != IPPROTO_TCP) && - (ips.is_p != IPPROTO_UDP)) || - (((sport < 0) || - (htons(sport) == ips.is_sport)) && - ((dport < 0) || - (htons(dport) == ips.is_dport)))) && - (topclosed || (ips.is_p != IPPROTO_TCP) || - (ips.is_state[0] < TCPS_LAST_ACK) || - (ips.is_state[1] < TCPS_LAST_ACK))) { - /* - * if necessary make room for this state - * entry - */ - tsentry++; - if (!maxtsentries || - (tsentry == maxtsentries)) { - - maxtsentries += STGROWSIZE; - tstable = realloc(tstable, maxtsentries * sizeof(statetop_t)); - if (!tstable) { - perror("malloc"); - goto breakout; - } - } - /* fill structure */ - tp = tstable + tsentry; - tp->st_src = ips.is_src; - tp->st_dst = ips.is_dst; - tp->st_p = ips.is_p; - tp->st_state[0] = ips.is_state[0]; - tp->st_state[1] = ips.is_state[1]; - tp->st_pkts = ips.is_pkts[0] + ips.is_pkts[1]; - tp->st_bytes = ips.is_bytes[0] + - ips.is_bytes[1]; - tp->st_age = ips.is_die - ipsstp->iss_ticks; - if ((ips.is_p == IPPROTO_TCP) || - (ips.is_p == IPPROTO_UDP)) { - tp->st_sport = ips.is_sport; - tp->st_dport = ips.is_dport; + if (ips.is_v != ver) + continue; + + /* check v4 src/dest addresses */ + if (ips.is_v == 4) { + if ((saddr.in4.s_addr != INADDR_ANY && + 
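Review bot: `handle_resize` and `handle_break` are plain `static int`s written from the SIGWINCH/SIGINT/SIGQUIT/SIGTERM handlers installed here and polled from the loop, which is not guaranteed to work: the compiler may keep the loaded value in a register, and `int` is not required to be safely writable from a signal handler. Declare them `static volatile sig_atomic_t handle_resize = 0, handle_break = 0;`. Installing with `signal()` also means that on platforms with System V reset semantics the handler is gone after its first delivery, so a second terminal resize would be missed; `sigaction()` with `SA_RESTART` avoids that, though I cannot see which targets this build supports beyond Solaris. topipstates() continues past this hunk.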
saddr.in4.s_addr != ips.is_saddr) || + (daddr.in4.s_addr != INADDR_ANY && + daddr.in4.s_addr != ips.is_daddr)) + continue; + } +#ifdef USE_INET6 + /* check v6 src/dest addresses */ + if (ips.is_v == 6) { + if ((IP6_NEQ(&saddr, &in6addr_any) && + IP6_NEQ(&saddr, &ips.is_src)) || + (IP6_NEQ(&daddr, &in6addr_any) && + IP6_NEQ(&daddr, &ips.is_dst))) + continue; + } +#endif + /* check protocol */ + if (protocol > 0 && protocol != ips.is_p) + continue; + + /* check ports if protocol is TCP or UDP */ + if (((ips.is_p == IPPROTO_TCP) || + (ips.is_p == IPPROTO_UDP)) && + (((sport > 0) && (htons(sport) != ips.is_sport)) || + ((dport > 0) && (htons(dport) != ips.is_dport)))) + continue; + + /* show closed TCP sessions ? */ + if ((topclosed == 0) && (ips.is_p == IPPROTO_TCP) && + (ips.is_state[0] >= IPF_TCPS_LAST_ACK) && + (ips.is_state[1] >= IPF_TCPS_LAST_ACK)) + continue; + + /* + * if necessary make room for this state + * entry + */ + tsentry++; + if (!maxtsentries || tsentry == maxtsentries) { + maxtsentries += STGROWSIZE; + tstable = realloc(tstable, + maxtsentries * sizeof(statetop_t)); + if (tstable == NULL) { + perror("realloc"); + exit(-1); } + } + /* get max src/dest address string length */ + len = strlen(getip(ips.is_v, &ips.is_src)); + if (srclen < len) + srclen = len; + len = strlen(getip(ips.is_v, &ips.is_dst)); + if (dstlen < len) + dstlen = len; + + /* fill structure */ + tp = tstable + tsentry; + tp->st_src = ips.is_src; + tp->st_dst = ips.is_dst; + tp->st_p = ips.is_p; + tp->st_v = ips.is_v; + tp->st_state[0] = ips.is_state[0]; + tp->st_state[1] = ips.is_state[1]; + if (forward) { + tp->st_pkts = ips.is_pkts[0]+ips.is_pkts[1]; + tp->st_bytes = ips.is_bytes[0]+ips.is_bytes[1]; + } else { + tp->st_pkts = ips.is_pkts[2]+ips.is_pkts[3]; + tp->st_bytes = ips.is_bytes[2]+ips.is_bytes[3]; + } + tp->st_age = ips.is_die - ipsstp->iss_ticks; + if ((ips.is_p == IPPROTO_TCP) || + (ips.is_p == IPPROTO_UDP)) { + tp->st_sport = ips.is_sport; + tp->st_dport = ips.is_dport; 
} } /* sort the array */ - if (tsentry != -1) + if (tsentry != -1) { switch (sorting) { case STSORT_PR: @@ -1100,20 +1194,45 @@ int topclosed; qsort(tstable, tsentry + 1, sizeof(statetop_t), sort_srcip); break; + case STSORT_SRCPT: + qsort(tstable, tsentry +1, + sizeof(statetop_t), sort_srcpt); + break; case STSORT_DSTIP: qsort(tstable, tsentry + 1, sizeof(statetop_t), sort_dstip); break; + case STSORT_DSTPT: + qsort(tstable, tsentry + 1, + sizeof(statetop_t), sort_dstpt); + break; default: break; } + } + + /* handle window resizes */ + if (handle_resize) { + endwin(); + initscr(); + cbreak(); + noecho(); + curs_set(0); + timeout(0); + getmaxyx(stdscr, maxy, maxx); + redraw = 1; + handle_resize = 0; + } + + /* stop program? */ + if (handle_break) + break; /* print title */ erase(); - getmaxyx(stdscr, maxy, maxx); attron(A_BOLD); - winx = 0; - move(winx,0); + winy = 0; + move(winy,0); sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION); for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++) printw(" "); 
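Review bot: On realloc() failure the new code calls `exit(-1)` from inside the curses session, after `initscr()`, `cbreak()`, `noecho()` and `curs_set(0)` and before the `out:` cleanup, so the user is left with a terminal in cbreak/no-echo mode and a hidden cursor; the old `goto breakout` existed for exactly this reason. Route it through the existing error path and use a temporary so the old table is still freed at `out:`: `void *np = realloc(tstable, maxtsentries * sizeof(statetop_t));` / `if (np == NULL) { errstr = "realloc"; ret = -1; goto out; }` / `tstable = np;`. Separately, the port and protocol filters now test `> 0` where the old code tested `< 0`, so port 0 and protocol 0 can no longer be selected explicitly; if that is intended it deserves a comment. topipstates() starts and ends outside this hunk.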
@@ -1121,30 +1240,30 @@ int topclosed; attroff(A_BOLD); /* just for fun add a clock */ - move(winx, maxx - 8); + move(winy, maxx - 8); t = time(NULL); strftime(str1, 80, "%T", localtime(&t)); printw("%s\n", str1); /* - * print the display filters, this is placed in the loop, + * print the display filters, this is placed in the loop, * because someday I might add code for changing these * while the programming is running :-) */ if (sport >= 0) - sprintf(str1, "%s,%d", inet_ntoa(saddr), sport); + sprintf(str1, "%s,%d", getip(ver, &saddr), sport); else - sprintf(str1, "%s", inet_ntoa(saddr)); + sprintf(str1, "%s", getip(ver, &saddr)); if (dport >= 0) - sprintf(str2, "%s,%d", inet_ntoa(daddr), dport); + sprintf(str2, "%s,%d", getip(ver, &daddr), dport); else - sprintf(str2, "%s", inet_ntoa(daddr)); + sprintf(str2, "%s", getip(ver, &daddr)); if (protocol < 0) strcpy(str3, "any"); else if ((proto = getprotobynumber(protocol)) != NULL) - sprintf(str3, "%s", proto->p_name); + sprintf(str3, "%s", proto->p_name); else sprintf(str3, "%d", protocol); @@ -1163,10 +1282,16 @@ int topclosed; sprintf(str4, "ttl"); break; case STSORT_SRCIP: - sprintf(str4, "srcip"); + sprintf(str4, "src ip"); + break; + case STSORT_SRCPT: + sprintf(str4, "src port"); break; case STSORT_DSTIP: - sprintf(str4, "dstip"); + sprintf(str4, "dest ip"); + break; + case STSORT_DSTPT: + sprintf(str4, "dest port"); break; default: sprintf(str4, "unknown"); 
@@ -1176,17 +1301,33 @@ int topclosed; if (reverse) strcat(str4, " (reverse)"); - winx += 2; - move(winx,0); - printw("Src = %s Dest = %s Proto = %s Sorted by = %s\n\n", + winy += 2; + move(winy,0); + printw("Src: %s, Dest: %s, Proto: %s, Sorted by: %s\n\n", str1, str2, str3, str4); + /* + * For an IPv4 IP address we need at most 15 characters, + * 4 tuples of 3 digits, separated by 3 dots. Enforce this + * length, so the colums do not change positions based + * on the size of the IP address. This length makes the + * output fit in a 80 column terminal. + * We are lacking a good solution for IPv6 addresses (that + * can be longer that 15 characters), so we do not enforce + * a maximum on the IP field size. + */ + if (srclen < 15) + srclen = 15; + if (dstlen < 15) + dstlen = 15; + /* print column description */ - winx += 2; - move(winx,0); + winy += 2; + move(winy,0); attron(A_BOLD); - printw("%-21s %-21s %3s %4s %7s %9s %9s\n", "Source IP", - "Destination IP", "ST", "PR", "#pkts", "#bytes", "ttl"); + printw("%-*s %-*s %3s %4s %7s %9s %9s\n", + srclen + 6, "Source IP", dstlen + 6, "Destination IP", + "ST", "PR", "#pkts", "#bytes", "ttl"); attroff(A_BOLD); /* print all the entries */ 
@@ -1201,25 +1342,27 @@ int topclosed; if ((tp->st_p == IPPROTO_TCP) || (tp->st_p == IPPROTO_UDP)) { sprintf(str1, "%s,%hu", - inet_ntoa(tp->st_src.in4), + getip(tp->st_v, &tp->st_src), ntohs(tp->st_sport)); sprintf(str2, "%s,%hu", - inet_ntoa(tp->st_dst.in4), + getip(tp->st_v, &tp->st_dst), ntohs(tp->st_dport)); } else { - sprintf(str1, "%s", inet_ntoa(tp->st_src.in4)); - sprintf(str2, "%s", inet_ntoa(tp->st_dst.in4)); + sprintf(str1, "%s", getip(tp->st_v, + &tp->st_src)); + sprintf(str2, "%s", getip(tp->st_v, + &tp->st_dst)); } - winx++; - move(winx, 0); - printw("%-21s %-21s", str1, str2); + winy++; + move(winy, 0); + printw("%-*s %-*s", srclen + 6, str1, dstlen + 6, str2); /* print state */ sprintf(str1, "%X/%X", tp->st_state[0], tp->st_state[1]); printw(" %3s", str1); - /* print proto */ + /* print protocol */ proto = getprotobynumber(tp->st_p); if (proto) { strncpy(str1, proto->p_name, 4); @@ -1227,8 +1370,12 @@ int topclosed; } else { sprintf(str1, "%d", tp->st_p); } + /* just print icmp for IPv6-ICMP */ + if (tp->st_p == IPPROTO_ICMPV6) + strcpy(str1, "icmp"); printw(" %4s", str1); - /* print #pkt/#bytes */ + + /* print #pkt/#bytes */ #ifdef USE_QUAD_T printw(" %7qu %9qu", (unsigned long long) tp->st_pkts, (unsigned long long) tp->st_bytes); @@ -1247,7 +1394,8 @@ int topclosed; if (redraw) clearok(stdscr,1); - refresh(); + if (refresh() == ERR) + break; if (redraw) { clearok(stdscr,0); redraw = 0; 
@@ -1266,27 +1414,34 @@ int topclosed; if (c == ERR) continue; - if (tolower(c) == 'l') { + if (ISALPHA(c) && ISUPPER(c)) + c = TOLOWER(c); + if (c == 'l') { redraw = 1; - } else if (tolower(c) == 'q') { + } else if (c == 'q') { break; - } else if (tolower(c) == 'r') { + } else if (c == 'r') { reverse = !reverse; - } else if (tolower(c) == 's') { - sorting++; - if (sorting > STSORT_MAX) + } else if (c == 'b') { + forward = 0; + } else if (c == 'f') { + forward = 1; + } else if (c == 's') { + if (++sorting > STSORT_MAX) sorting = 0; } } } /* while */ -breakout: +out: printw("\n"); + curs_set(1); nocbreak(); endwin(); - if (tstable != NULL) - free(tstable); + free(tstable); + if (ret != 0) + perror(errstr); } #endif @@ -1298,7 +1453,6 @@ static void showfrstates(ifsp) ipfrstat_t *ifsp; { struct ipfr *ipfrtab[IPFT_SIZE], ifr; - frentry_t fr; int i; /* @@ -1306,7 +1460,8 @@ ipfrstat_t *ifsp; */ PRINTF("IP fragment states:\n\t%lu new\n\t%lu expired\n\t%lu hits\n", ifsp->ifs_new, ifsp->ifs_expire, ifsp->ifs_hits); - PRINTF("\t%lu retrans\n\t%lu too short\n", ifsp->ifs_retrans0, ifsp->ifs_short); + PRINTF("\t%lu retrans\n\t%lu too short\n", + ifsp->ifs_retrans0, ifsp->ifs_short); PRINTF("\t%lu no memory\n\t%lu already exist\n", ifsp->ifs_nomem, ifsp->ifs_exists); PRINTF("\t%lu inuse\n", ifsp->ifs_inuse); 
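Review bot: At `out:` the `perror(errstr)` runs after `printw()`, `curs_set()`, `nocbreak()`, `endwin()` and `free()`, any of which may overwrite errno, so the message printed for the failed SIOCGETFS ioctl can describe an unrelated error. Save errno where the failure is detected (the `goto out` site is in an earlier hunk) and restore it before reporting: `int saved_errno = 0;` with the other locals, `saved_errno = errno;` next to `ret = -1;`, and `errno = saved_errno;` immediately before `perror(errstr);`. topipstates() starts outside this hunk.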
@@ -1316,36 +1471,26 @@ ipfrstat_t *ifsp; /* * Print out the contents (if any) of the fragment cache table. */ + PRINTF("\n"); for (i = 0; i < IPFT_SIZE; i++) - while (ipfrtab[i]) { + while (ipfrtab[i] != NULL) { if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], sizeof(ifr)) == -1) break; - PRINTF("%s -> ", hostname(4, &ifr.ipfr_src)); - if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule, - sizeof(fr)) == -1) - break; - PRINTF("%s %d %d %d %#02x = %#x\n", - hostname(4, &ifr.ipfr_dst), ifr.ipfr_id, - ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos, - fr.fr_flags); + printfraginfo("", &ifr); ipfrtab[i] = ifr.ipfr_next; } + /* + * Print out the contents (if any) of the NAT fragment cache table. + */ if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab))) return; for (i = 0; i < IPFT_SIZE; i++) - while (ipfrtab[i]) { + while (ipfrtab[i] != NULL) { if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], sizeof(ifr)) == -1) break; - PRINTF("NAT: %s -> ", hostname(4, &ifr.ipfr_src)); - if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule, - sizeof(fr)) == -1) - break; - PRINTF("%s %d %d %d %#02x = %#x\n", - hostname(4, &ifr.ipfr_dst), ifr.ipfr_id, - ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos, - fr.fr_flags); + printfraginfo("NAT: ", &ifr); ipfrtab[i] = ifr.ipfr_next; } } @@ -1393,6 +1538,7 @@ static void showgroups(fiop) struct friostat *fiop; { static char *gnames[3] = { "Filter", "Accounting", "Authentication" }; + static int gnums[3] = { IPL_LOGIPF, IPL_LOGCOUNT, IPL_LOGAUTH }; frgroup_t *fp, grp; int on, off, i; 
@@ -1401,13 +1547,15 @@ struct friostat *fiop; for (i = 0; i < 3; i++) { printf("%s groups (active):\n", gnames[i]); - for (fp = fiop->f_groups[i][on]; fp; fp = grp.fg_next) + for (fp = fiop->f_groups[gnums[i]][on]; fp != NULL; + fp = grp.fg_next) if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp))) break; else printf("%s\n", grp.fg_name); printf("%s groups (inactive):\n", gnames[i]); - for (fp = fiop->f_groups[i][off]; fp; fp = grp.fg_next) + for (fp = fiop->f_groups[gnums[i]][off]; fp != NULL; + fp = grp.fg_next) if (kmemcpy((char *)&grp, (u_long)fp, sizeof(grp))) break; else @@ -1417,11 +1565,11 @@ struct friostat *fiop; static void parse_ipportstr(argument, ip, port) const char *argument; -struct in_addr *ip; +i6addr_t *ip; int *port; { - char *s, *comma; + int ok = 0; /* make working copy of argument, Theoretically you must be able * to write to optarg, but that seems very ugly to me.... @@ -1447,8 +1595,16 @@ int *port; /* get ip address */ if (!strcasecmp(s, "any")) { - ip->s_addr = INADDR_ANY; - } else if (!inet_aton(s, ip)) { + ip->in4.s_addr = INADDR_ANY; +#ifdef USE_INET6 + ip->in6 = in6addr_any; + } else if (use_inet6 && inet_pton(AF_INET6, s, &ip->in6)) { + ok = 1; +#endif + } else if (inet_aton(s, &ip->in4)) + ok = 1; + + if (ok == 0) { fprintf(stderr, "Invalid IP address: %s\n", s); free(s); exit(-2); 
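Review bot: The `any` branch of parse_ipportstr() sets the address to INADDR_ANY/in6addr_any but never sets `ok`, so the `if (ok == 0)` check that follows rejects it with "Invalid IP address: any" and `exit(-2)`; only the inet_pton() and inet_aton() branches set `ok = 1`. Add `ok = 1;` directly after `ip->in4.s_addr = INADDR_ANY;`, outside the `#ifdef USE_INET6`, so both builds accept the wildcard. parse_ipportstr() starts in the previous hunk and continues past this one.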
@@ -1460,12 +1616,43 @@ int *port; #ifdef STATETOP -static char ttlbuf[STSTRSIZE]; +static void sig_resize(s) +int s; +{ + handle_resize = 1; +} + +static void sig_break(s) +int s; +{ + handle_break = 1; +} + +static char *getip(v, addr) +int v; +i6addr_t *addr; +{ +#ifdef USE_INET6 + static char hostbuf[MAXHOSTNAMELEN+1]; +#endif + + if (v == 4) + return inet_ntoa(addr->in4); + +#ifdef USE_INET6 + (void) inet_ntop(AF_INET6, &addr->in6, hostbuf, sizeof(hostbuf) - 1); + hostbuf[MAXHOSTNAMELEN] = '\0'; + return hostbuf; +#else + return "IPv6"; +#endif +} + static char *ttl_to_string(ttl) long int ttl; { - + static char ttlbuf[STSTRSIZE]; int hours, minutes, seconds; /* ttl is in half seconds */ @@ -1476,7 +1663,7 @@ long int ttl; minutes = ttl / 60; seconds = ttl % 60; - if (hours > 0 ) + if (hours > 0) sprintf(ttlbuf, "%2d:%02d:%02d", hours, minutes, seconds); else sprintf(ttlbuf, "%2d:%02d", minutes, seconds); @@ -1551,9 +1738,35 @@ const void *b; register const statetop_t *ap = a; register const statetop_t *bp = b; - if (ntohl(ap->st_src.in4.s_addr) == ntohl(bp->st_src.in4.s_addr)) +#ifdef USE_INET6 + if (use_inet6) { + if (IP6_EQ(&ap->st_src, &bp->st_src)) + return 0; + else if (IP6_GT(&ap->st_src, &bp->st_src)) + return 1; + } else +#endif + { + if (ntohl(ap->st_src.in4.s_addr) == + ntohl(bp->st_src.in4.s_addr)) + return 0; + else if (ntohl(ap->st_src.in4.s_addr) > + ntohl(bp->st_src.in4.s_addr)) + return 1; + } + return -1; +} + +static int sort_srcpt(a, b) +const void *a; +const void *b; +{ + register const statetop_t *ap = a; + register const statetop_t *bp = b; + + if (htons(ap->st_sport) == htons(bp->st_sport)) return 0; - else if (ntohl(ap->st_src.in4.s_addr) > ntohl(bp->st_src.in4.s_addr)) + else if (htons(ap->st_sport) > htons(bp->st_sport)) return 1; return -1; } 
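Review bot: getip() casts away the result of inet_ntop() and returns `hostbuf` regardless, so on a failed conversion the caller prints whatever address the previous call left in the static buffer. Check it: `if (inet_ntop(AF_INET6, &addr->in6, hostbuf, sizeof(hostbuf)) == NULL) return "<bad addr>";` — inet_ntop NUL-terminates on success, so the `- 1` and the manual terminator are unnecessary, and INET6_ADDRSTRLEN would be a tighter buffer than MAXHOSTNAMELEN+1. The single shared static buffer also deserves a comment on the function, since any caller that uses two results in one expression would see the same string twice; the call sites in this diff happen to use separate sprintf() calls.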
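Review bot: sort_srcpt() compares `htons(ap->st_sport)` against `htons(bp->st_sport)`, but `st_sport` is filled from `ips.is_sport` and printed with `ntohs()` elsewhere in this diff, i.e. it already holds network byte order, so the conversion to host order for comparison should be spelled `ntohs()`. The result is the same either way, because both macros byte-swap on little-endian and are identities on big-endian, so this is readability only: `if (ntohs(ap->st_sport) == ntohs(bp->st_sport))` / `else if (ntohs(ap->st_sport) > ntohs(bp->st_sport))`. The same applies to sort_dstpt() in the next hunk.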
@@ -1565,10 +1778,37 @@ const void *b; register const statetop_t *ap = a; register const statetop_t *bp = b; - if (ntohl(ap->st_dst.in4.s_addr) == ntohl(bp->st_dst.in4.s_addr)) +#ifdef USE_INET6 + if (use_inet6) { + if (IP6_EQ(&ap->st_dst, &bp->st_dst)) + return 0; + else if (IP6_GT(&ap->st_dst, &bp->st_dst)) + return 1; + } else +#endif + { + if (ntohl(ap->st_dst.in4.s_addr) == + ntohl(bp->st_dst.in4.s_addr)) + return 0; + else if (ntohl(ap->st_dst.in4.s_addr) > + ntohl(bp->st_dst.in4.s_addr)) + return 1; + } + return -1; +} + +static int sort_dstpt(a, b) +const void *a; +const void *b; +{ + register const statetop_t *ap = a; + register const statetop_t *bp = b; + + if (htons(ap->st_dport) == htons(bp->st_dport)) return 0; - else if (ntohl(ap->st_dst.in4.s_addr) > ntohl(bp->st_dst.in4.s_addr)) + else if (htons(ap->st_dport) > htons(bp->st_dport)) return 1; return -1; } + #endif diff --git a/usr/src/cmd/ipf/tools/ipftest.c b/usr/src/cmd/ipf/tools/ipftest.c index 3ea511e326..9704597bd9 100644 --- a/usr/src/cmd/ipf/tools/ipftest.c +++ b/usr/src/cmd/ipf/tools/ipftest.c @@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -16,7 +16,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.35 2003/07/01 01:03:04 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.4 2005/07/16 06:05:28 darrenr Exp $"; #endif extern char *optarg; 
@@ -29,7 +29,7 @@ extern int fr_running; ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; -ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ip_poolrw; +ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ip_poolrw, ipf_frcache; ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; int opts = OPT_DONOTHING; int use_inet6 = 0; @@ -47,7 +47,7 @@ void fixv4sums __P((mb_t *, ip_t *)); #if defined(__NetBSD__) || defined(__OpenBSD__) || SOLARIS || \ (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \ - defined(__osf__) + defined(__osf__) || defined(linux) int ipftestioctl __P((int, ioctlcmd_t, ...)); int ipnattestioctl __P((int, ioctlcmd_t, ...)); int ipstatetestioctl __P((int, ioctlcmd_t, ...)); @@ -101,19 +101,15 @@ char *argv[]; MUTEX_INIT(&ipf_timeoutlock, "ipf timeout lock"); RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex"); RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock"); + RWLOCK_INIT(&ipf_frcache, "ipf cache rwlock"); RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock"); initparse(); - fr_loginit(); - fr_authinit(); - fr_fraginit(); - fr_stateinit(); - fr_natinit(); - appr_init(); - ip_lookup_init(); + if (fr_initialise() == -1) + abort(); fr_running = 1; - while ((c = getopt(argc, argv, "6bdDF:i:I:l:N:P:or:vxX")) != -1) + while ((c = getopt(argc, argv, "6bdDF:i:I:l:N:P:or:RT:vxX")) != -1) switch (c) { case '6' : @@ -165,6 +161,9 @@ char *argv[]; return -1; loaded = 1; break; + case 'R' : + opts |= OPT_NORESOLVE; + break; case 'v' : opts |= OPT_VERBOSE; break; @@ -180,6 +179,9 @@ char *argv[]; return -1; loaded = 1; break; + case 'T' : + ipf_dotuning(-1, optarg, ipftestioctl); + break; case 'x' : opts |= OPT_HEX; break; 
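Review bot: `if (fr_initialise() == -1) abort();` turns an initialisation failure of a user-space test tool into a SIGABRT with a core dump and no message. Report it and exit non-zero instead: `fprintf(stderr, "ipftest: fr_initialise failed\n"); exit(1);` (or `perror()` if fr_initialise() sets errno, which I cannot see from here). main() starts before this hunk.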
@@ -272,7 +274,7 @@ char *argv[]; } else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF)) printpacket(ip); if (dir && (ifp != NULL) && IP_V(ip) && (m != NULL)) -#if defined(__sgi) && (IRIX < 605) +#if defined(__sgi) && (IRIX < 60500) (*ifp->if_output)(ifp, (void *)m, NULL); #else # if TRU64 >= 1885 @@ -303,19 +305,7 @@ char *argv[]; dumpgroups(); } - for (i = IPL_LOGMAX; i >= 0; i--) - (void) ipflog_clear(i); - - fr_fragunload(); - fr_authunload(); - fr_stateunload(); - fr_natunload(); - appr_unload(); - - i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE); - i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE); - - ip_lookup_unload(); + fr_deinitialise(); return 0; } @@ -323,7 +313,7 @@ char *argv[]; #if defined(__NetBSD__) || defined(__OpenBSD__) || SOLARIS || \ (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \ - defined(__osf__) + defined(__osf__) || defined(linux) int ipftestioctl(int dev, ioctlcmd_t cmd, ...) { caddr_t data; @@ -338,7 +328,11 @@ int ipftestioctl(int dev, ioctlcmd_t cmd, ...) if (opts & OPT_DEBUG) fprintf(stderr, "iplioctl(IPF,%#x,%p) = %d\n", (u_int)cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } @@ -356,7 +350,11 @@ int ipnattestioctl(int dev, ioctlcmd_t cmd, ...) if (opts & OPT_DEBUG) fprintf(stderr, "iplioctl(NAT,%#x,%p) = %d\n", (u_int)cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } @@ -374,7 +372,11 @@ int ipstatetestioctl(int dev, ioctlcmd_t cmd, ...) if ((opts & OPT_DEBUG) || (i != 0)) fprintf(stderr, "iplioctl(STATE,%#x,%p) = %d\n", (u_int)cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } @@ -392,7 +394,11 @@ int ipauthtestioctl(int dev, ioctlcmd_t cmd, ...) if ((opts & OPT_DEBUG) || (i != 0)) fprintf(stderr, "iplioctl(AUTH,%#x,%p) = %d\n", (u_int)cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } 
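Review bot: The `if (i != 0) { errno = i; return -1; } return 0;` epilogue added to ipftestioctl() here is repeated verbatim in the other thirteen *testioctl wrappers in this diff; a small helper would keep the errno convention in one place, e.g. `static int ipf_ioctl_ret(int i) { if (i != 0) { errno = i; return -1; } return 0; }` and `return ipf_ioctl_ret(i);` in each wrapper. The mapping assumes iplioctl() returns a positive errno value; if it can also return a negative code, `errno = i` would store garbage, but iplioctl() is not visible here.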
@@ -410,7 +416,11 @@ int ipscantestioctl(int dev, ioctlcmd_t cmd, ...) if ((opts & OPT_DEBUG) || (i != 0)) fprintf(stderr, "iplioctl(SCAN,%#x,%p) = %d\n", (u_int)cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } @@ -428,7 +438,11 @@ int ipsynctestioctl(int dev, ioctlcmd_t cmd, ...) if ((opts & OPT_DEBUG) || (i != 0)) fprintf(stderr, "iplioctl(SYNC,%#x,%p) = %d\n", (u_int)cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } @@ -446,7 +460,11 @@ int ipooltestioctl(int dev, ioctlcmd_t cmd, ...) if ((opts & OPT_DEBUG) || (i != 0)) fprintf(stderr, "iplioctl(POOL,%#x,%p) = %d\n", (u_int)cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } #else int ipftestioctl(dev, cmd, data) @@ -459,7 +477,11 @@ void *data; i = iplioctl(IPL_LOGIPF, cmd, data, FWRITE|FREAD); if ((opts & OPT_DEBUG) || (i != 0)) fprintf(stderr, "iplioctl(IPF,%#x,%p) = %d\n", cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } @@ -473,7 +495,11 @@ void *data; i = iplioctl(IPL_LOGNAT, cmd, data, FWRITE|FREAD); if ((opts & OPT_DEBUG) || (i != 0)) fprintf(stderr, "iplioctl(NAT,%#x,%p) = %d\n", cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } @@ -487,7 +513,11 @@ void *data; i = iplioctl(IPL_LOGSTATE, cmd, data, FWRITE|FREAD); if ((opts & OPT_DEBUG) || (i != 0)) fprintf(stderr, "iplioctl(STATE,%#x,%p) = %d\n", cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } @@ -501,7 +531,11 @@ void *data; i = iplioctl(IPL_LOGAUTH, cmd, data, FWRITE|FREAD); if ((opts & OPT_DEBUG) || (i != 0)) fprintf(stderr, "iplioctl(AUTH,%#x,%p) = %d\n", cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } 
@@ -515,7 +549,11 @@ void *data; i = iplioctl(IPL_LOGSYNC, cmd, data, FWRITE|FREAD); if ((opts & OPT_DEBUG) || (i != 0)) fprintf(stderr, "iplioctl(SYNC,%#x,%p) = %d\n", cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } @@ -529,7 +567,11 @@ void *data; i = iplioctl(IPL_LOGSCAN, cmd, data, FWRITE|FREAD); if ((opts & OPT_DEBUG) || (i != 0)) fprintf(stderr, "iplioctl(SCAN,%#x,%p) = %d\n", cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } @@ -543,7 +585,11 @@ void *data; i = iplioctl(IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD); if (opts & OPT_DEBUG) fprintf(stderr, "iplioctl(POOL,%#x,%p) = %d\n", cmd, data, i); - return i; + if (i != 0) { + errno = i; + return -1; + } + return 0; } #endif @@ -585,8 +631,11 @@ void dumpnat() for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next) printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE)); printf("\nList of active sessions:\n"); - for (nat = nat_instances; nat; nat = nat->nat_next) + for (nat = nat_instances; nat; nat = nat->nat_next) { printactivenat(nat, opts); + if (nat->nat_aps) + printaps(nat->nat_aps, opts); + } } @@ -599,7 +648,8 @@ void dumpstate() printf("List of active state sessions:\n"); for (ips = ips_list; ips != NULL; ) - ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE)); + ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE), + fr_ticks); } @@ -612,12 +662,12 @@ void dumplookups() printf("List of configured pools\n"); for (i = 0; i < IPL_LOGSIZE; i++) for (ipl = ip_pool_list[i]; ipl != NULL; ipl = ipl->ipo_next) - printpool(ipl, bcopywrap, opts); + printpool(ipl, bcopywrap, NULL, opts); printf("List of configured hash tables\n"); for (i = 0; i < IPL_LOGSIZE; i++) for (iph = ipf_htables[i]; iph != NULL; iph = iph->iph_next) - printhash(iph, bcopywrap, opts); + printhash(iph, bcopywrap, NULL, opts); } 
@@ -666,7 +716,7 @@ char *filename; struct iovec iov; struct uio uio; size_t resid; - int fd; + int fd, i; fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, 0644); if (fd == -1) { @@ -674,26 +724,27 @@ char *filename; return; } - while (1) { - bzero((char *)&iov, sizeof(iov)); - iov.iov_base = buffer; - iov.iov_len = sizeof(buffer); - - bzero((char *)&uio, sizeof(uio)); - uio.uio_iov = &iov; - uio.uio_iovcnt = 1; - uio.uio_resid = iov.iov_len; - resid = uio.uio_resid; - - if (ipflog_read(0, &uio) == 0) { - /* - * If nothing was read then break out. - */ - if (uio.uio_resid == resid) + for (i = 0; i <= IPL_LOGMAX; i++) + while (1) { + bzero((char *)&iov, sizeof(iov)); + iov.iov_base = buffer; + iov.iov_len = sizeof(buffer); + + bzero((char *)&uio, sizeof(uio)); + uio.uio_iov = &iov; + uio.uio_iovcnt = 1; + uio.uio_resid = iov.iov_len; + resid = uio.uio_resid; + + if (ipflog_read(i, &uio) == 0) { + /* + * If nothing was read then break out. + */ + if (uio.uio_resid == resid) + break; + write(fd, buffer, resid - uio.uio_resid); + } else break; - write(fd, buffer, resid - uio.uio_resid); - } else - break; } close(fd); diff --git a/usr/src/cmd/ipf/tools/ipmon.c b/usr/src/cmd/ipf/tools/ipmon.c index 80fbcbe753..0cacc6ce54 100644 --- a/usr/src/cmd/ipf/tools/ipmon.c +++ b/usr/src/cmd/ipf/tools/ipmon.c @@ -29,6 +29,7 @@ #include <string.h> #include <fcntl.h> #include <errno.h> +#include <time.h> #if !defined(__SVR4) && !defined(__svr4__) # if (__FreeBSD_version >= 300000) # include <sys/dirent.h> @@ -49,7 +50,7 @@ #include <netinet/in_systm.h> #include <net/if.h> #include <netinet/ip.h> -#if !defined(__hpux) +#if !defined(__hpux) && !defined(linux) # include <netinet/tcp_fsm.h> #endif #include <netdb.h> @@ -60,8 +61,10 @@ #endif #include <resolv.h> -#include <sys/protosw.h> -#include <netinet/ip_var.h> +#if !defined(linux) +# include <sys/protosw.h> +# include <netinet/ip_var.h> +#endif #include <netinet/tcp.h> #include <netinet/ip_icmp.h> 
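Review bot: The re-indented `write(fd, buffer, resid - uio.uio_resid);` still ignores its return value, so a short write or an I/O error while dumping the log to `filename` silently truncates the file. Check it, e.g. `if (write(fd, buffer, resid - uio.uio_resid) != (ssize_t)(resid - uio.uio_resid)) { perror(filename); break; }` — note that `break` only leaves the inner `while`, so the outer loop moves on to the next log device; if a write error should stop the dump entirely, a flag or `goto` past the `for` is needed. The enclosing function starts before this hunk.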
@@ -69,26 +72,17 @@ #include <ctype.h> #include <syslog.h> -#include <netinet/tcpip.h> - -#if SOLARIS2 >= 10 -#include "ip_compat.h" -#include "ip_fil.h" -#include "ip_nat.h" -#include "ip_state.h" -#include "ip_proxy.h" -#else #include "netinet/ip_compat.h" +#include <netinet/tcpip.h> #include "netinet/ip_fil.h" #include "netinet/ip_nat.h" #include "netinet/ip_state.h" #include "netinet/ip_proxy.h" -#endif #include "ipmon.h" #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.22 2003/06/14 02:56:57 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.10 2005/06/18 02:41:35 darrenr Exp $"; #endif @@ -146,10 +140,8 @@ static char *pidfile = "/etc/ipmon.pid"; static char line[2048]; static int opts = 0; -static FILE *newlog = NULL; static char *logfile = NULL; static FILE *binarylog = NULL; -static FILE *newbinarylog = NULL; static char *binarylogfile = NULL; static int donehup = 0; static void usage __P((char *)); @@ -401,17 +393,7 @@ size_t tablesz; static void handlehup(sig) int sig; { - FILE *fp; - signal(SIGHUP, handlehup); - if (logfile && (fp = fopen(logfile, "a"))) - newlog = fp; - if (binarylogfile && (fp = fopen(binarylogfile, "a"))) - newbinarylog = fp; - init_tabs(); - if (conf_file) - if (load_config(conf_file) == -1) - exit(1); donehup = 1; } @@ -442,6 +424,14 @@ static void init_tabs() p->p_name != NULL && protocols[p->p_proto] == NULL) protocols[p->p_proto] = strdup(p->p_name); endprotoent(); +#if defined(_AIX51) + if (protocols[0]) + free(protocols[0]); + if (protocols[252]) + free(protocols[252]); + protocols[0] = "ip"; + protocols[252] = NULL; +#endif } if (udp_ports != NULL) { @@ -678,7 +668,7 @@ int len; sprintf((char *)t, " "); t += 8; for (k = 16; k; k--, s++) - *t++ = (isprint(*s) ? *s : '.'); + *t++ = (ISPRINT(*s) ? *s : '.'); s--; } 
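Review bot: In the `_AIX51` block, `protocols[0] = "ip";` stores a string literal in a slot that this same block `free()`s at its top, and init_tabs() is re-run on SIGHUP (see the main-loop change later in this diff), so the second run passes the literal to free() — undefined behaviour, typically a crash — unless something outside the hunk clears the table without freeing first. Use `protocols[0] = strdup("ip");` so every non-NULL entry is heap-owned like the strdup'd names above it. init_tabs() starts before this hunk.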
@@ -696,7 +686,7 @@ int len; t += 7; s -= j & 0xf; for (k = j & 0xf; k; k--, s++) - *t++ = (isprint(*s) ? *s : '.'); + *t++ = (ISPRINT(*s) ? *s : '.'); *t++ = '\n'; *t = '\0'; } @@ -787,7 +777,7 @@ int blen; (long long)nl->nl_bytes[0], (long long)nl->nl_bytes[1]); #else - (void) sprintf(t, " Pkts %ld Bytes %ld", + (void) sprintf(t, " Pkts %ld/%ld Bytes %ld/%ld", nl->nl_pkts[0], nl->nl_pkts[1], nl->nl_bytes[0], nl->nl_bytes[1]); #endif @@ -876,6 +866,13 @@ int blen; (void) sprintf(t, "%s PR icmpv6 %d", hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst), sl->isl_itype); + } else { + (void) sprintf(t, "%s -> ", + hostname(res, sl->isl_v, (u_32_t *)&sl->isl_src)); + t += strlen(t); + (void) sprintf(t, "%s PR %s", + hostname(res, sl->isl_v, (u_32_t *)&sl->isl_dst), + proto); } t += strlen(t); if (sl->isl_tag != FR_NOLOGTAG) { @@ -885,7 +882,14 @@ int blen; if (sl->isl_type != ISL_NEW) { sprintf(t, #ifdef USE_QUAD_T +#ifdef PRId64 + " Forward: Pkts in %" PRId64 " Bytes in %" PRId64 + " Pkts out %" PRId64 " Bytes out %" PRId64 + " Backward: Pkts in %" PRId64 " Bytes in %" PRId64 + " Pkts out %" PRId64 " Bytes out %" PRId64, +#else " Forward: Pkts in %qd Bytes in %qd Pkts out %qd Bytes out %qd Backward: Pkts in %qd Bytes in %qd Pkts out %qd Bytes out %qd", +#endif /* PRId64 */ #else " Forward: Pkts in %ld Bytes in %ld Pkts out %ld Bytes out %ld Backward: Pkts in %ld Bytes in %ld Pkts out %ld Bytes out %ld", #endif 
@@ -944,25 +948,16 @@ int logtype, blen; } if (logtype == IPL_LOGIPF) { - if (ipl->ipl_magic != IPL_MAGIC) { - /* invalid data or out of sync */ - break; - } - print_ipflog(log, buf, psize); + if (ipl->ipl_magic == IPL_MAGIC) + print_ipflog(log, buf, psize); } else if (logtype == IPL_LOGNAT) { - if (ipl->ipl_magic != IPL_MAGIC) { - /* invalid data or out of sync */ - break; - } - print_natlog(log, buf, psize); + if (ipl->ipl_magic == IPL_MAGIC_NAT) + print_natlog(log, buf, psize); } else if (logtype == IPL_LOGSTATE) { - if (ipl->ipl_magic != IPL_MAGIC) { - /* invalid data or out of sync */ - break; - } - print_statelog(log, buf, psize); + if (ipl->ipl_magic == IPL_MAGIC_STATE) + print_statelog(log, buf, psize); } blen -= psize; @@ -984,9 +979,9 @@ int blen; struct icmp *icmp; struct tm *tm; char *t, *proto; - int i, v, lvl, res, len, off, plen, ipoff; - u_32_t *s, *d, cmdflags; + int i, v, lvl, res, len, off, plen, ipoff, defaction; ip_t *ipc, *ip; + u_32_t *s, *d; u_short hl, p; ipflog_t *ipf; iplog_t *ipl; @@ -1020,6 +1015,7 @@ int blen; } #if (defined(MENTAT) || \ (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \ + (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) || \ (defined(OpenBSD) && (OpenBSD >= 199603))) || defined(linux) { char ifname[sizeof(ipf->fl_ifname) + 1]; @@ -1028,8 +1024,8 @@ int blen; ifname[sizeof(ipf->fl_ifname)] = '\0'; (void) sprintf(t, "%s", ifname); t += strlen(t); -# if defined(MENTAT) - if (isalpha(*(t - 1))) { +# if defined(MENTAT) || defined(linux) + if (ISALPHA(*(t - 1))) { sprintf(t, "%d", ipf->fl_unit); t += strlen(t); } 
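Review bot: A record whose magic does not match is now skipped silently instead of ending the read, but the loop still advances by `psize`, a length taken from that same suspect header, and nothing tells the operator that firewall log records are being dropped; the deleted comment called this case "invalid data or out of sync". Keeping the skip is fine if the per-device magics are the point, but report it, e.g. `else fprintf(stderr, "ipmon: bad magic %#x in log record, skipping\n", ipl->ipl_magic);` — silently discarded firewall logs are exactly what an incident responder needs to know about. Whether `psize` is bounded against `blen` before this point is outside the hunk. The enclosing function starts before this hunk.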
@@ -1044,7 +1040,12 @@ int blen; (void) sprintf(t, "%*.*s%u", len, len, ipf->fl_ifname, ipf->fl_unit); t += strlen(t); #endif +#if defined(__sgi) || defined(_AIX51) || defined(__powerpc__) || \ + defined(__arm__) + if ((ipf->fl_group[0] == 255) && (ipf->fl_group[1] == '\0')) +#else if ((ipf->fl_group[0] == -1) && (ipf->fl_group[1] == '\0')) +#endif strcat(t, " @-1:"); else if (ipf->fl_group[0] == '\0') (void) strcpy(t, " @0:"); @@ -1064,7 +1065,6 @@ int blen; lvl = LOG_ERR; } - cmdflags = ipf->fl_flags & FR_CMDMASK; if (FR_ISPASS(ipf->fl_flags)) { if (ipf->fl_flags & FR_LOGP) *t++ = 'p'; @@ -1099,7 +1099,7 @@ int blen; p = (u_short)ip6->ip6_nxt; s = (u_32_t *)&ip6->ip6_src; d = (u_32_t *)&ip6->ip6_dst; - plen = ntohs(ip6->ip6_plen); + plen = hl + ntohs(ip6->ip6_plen); #else sprintf(t, "ipv6"); goto printipflog; @@ -1218,11 +1218,13 @@ int blen; IP_HL(ipc) << 2, i); t += strlen(t); if (ipoff & IP_OFFMASK) { - (void) sprintf(t, " frag %s%s%hu@%hu", - ipoff & IP_MF ? "+" : "", - ipoff & IP_DF ? "-" : "", + (void) sprintf(t, + "(frag %d:%hu@%hu%s%s)", + ntohs(ipc->ip_id), i - (IP_HL(ipc) << 2), - (ipoff & IP_OFFMASK) << 3); + (ipoff & IP_OFFMASK) << 3, + ipoff & IP_MF ? "+" : "", + ipoff & IP_DF ? "-" : ""); } } @@ -1234,13 +1236,15 @@ int blen; hostname(res, v, d), proto, hl, plen); t += strlen(t); if (off & IP_OFFMASK) - (void) sprintf(t, " frag %s%s%hu@%hu", + (void) sprintf(t, " (frag %d:%hu@%hu%s%s)", + ntohs(ip->ip_id), + plen - hl, (off & IP_OFFMASK) << 3, ipoff & IP_MF ? "+" : "", - ipoff & IP_DF ? "-" : "", - plen - hl, (off & IP_OFFMASK) << 3); + ipoff & IP_DF ? "-" : ""); } t += strlen(t); +printipflog: if (ipf->fl_flags & FR_KEEPSTATE) { (void) strcpy(t, " K-S"); t += strlen(t); 
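Review bot: The new `#if defined(__sgi) || defined(_AIX51) || defined(__powerpc__) || defined(__arm__)` chooses 255 or -1 depending on whether `char` is unsigned on that platform, but `char` signedness is a compiler property (`-funsigned-char` flips it on any target), so the list will be wrong somewhere. Compare through `unsigned char` and drop the `#if`: `if (((unsigned char)ipf->fl_group[0] == 0xff) && (ipf->fl_group[1] == '\0'))`. This assumes `fl_group` is a `char` array, which the comparison with `'\0'` suggests but whose declaration is not visible here; print_ipflog() starts before this hunk.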
@@ -1256,25 +1260,73 @@ int blen; else if (ipf->fl_dir == 1) strcpy(t, " OUT"); t += strlen(t); - if (ipf->fl_tag) { - sprintf(t, " tag %d", ipf->fl_tag); + if (ipf->fl_logtag != 0) { + sprintf(t, " log-tag %d", ipf->fl_logtag); t += strlen(t); } -printipflog: + if (ipf->fl_nattag.ipt_num[0] != 0) { + strcpy(t, " nat-tag "); + t += strlen(t); + strncpy(t, ipf->fl_nattag.ipt_tag, sizeof(ipf->fl_nattag)); + t += strlen(t); + } + if ((ipf->fl_lflags & FI_LOWTTL) != 0) { + strcpy(t, " low-ttl"); + t += 8; + } + if ((ipf->fl_lflags & FI_OOW) != 0) { + strcpy(t, " OOW"); + t += 4; + } + if ((ipf->fl_lflags & FI_BAD) != 0) { + strcpy(t, " bad"); + t += 4; + } + if ((ipf->fl_lflags & FI_NATED) != 0) { + strcpy(t, " NAT"); + t += 4; + } + if ((ipf->fl_lflags & FI_BADNAT) != 0) { + strcpy(t, " bad-NAT"); + t += 8; + } + if ((ipf->fl_lflags & FI_BADSRC) != 0) { + strcpy(t, " bad-src"); + t += 8; + } + if ((ipf->fl_lflags & FI_MULTICAST) != 0) { + strcpy(t, " multicast"); + t += 10; + } + if ((ipf->fl_lflags & FI_BROADCAST) != 0) { + strcpy(t, " broadcast"); + t += 10; + } + if ((ipf->fl_lflags & (FI_MULTICAST|FI_BROADCAST|FI_MBCAST)) == + FI_MBCAST) { + strcpy(t, " mbcast"); + t += 7; + } *t++ = '\n'; *t++ = '\0'; - if (opts & OPT_SYSLOG) - syslog(lvl, "%s", line); - else - (void) fprintf(log, "%s", line); - if (opts & OPT_HEXHDR) - dumphex(log, opts, buf, sizeof(iplog_t) + sizeof(*ipf)); - if (opts & OPT_HEXBODY) - dumphex(log, opts, (char *)ip, ipf->fl_plen + ipf->fl_hlen); - else if ((opts & OPT_LOGBODY) && (ipf->fl_flags & FR_LOGBODY)) - dumphex(log, opts, (char *)ip + ipf->fl_hlen, ipf->fl_plen); - if (conf_file) - check_action(buf, opts, line); + defaction = 0; + if (conf_file != NULL) + defaction = check_action(buf, line, opts, lvl); + if (defaction == 0) { + if (opts & OPT_SYSLOG) + syslog(lvl, "%s", line); + else + (void) fprintf(log, "%s", line); + if (opts & OPT_HEXHDR) + dumphex(log, opts, buf, + sizeof(iplog_t) + sizeof(*ipf)); + if (opts & OPT_HEXBODY) + 
dumphex(log, opts, (char *)ip, + ipf->fl_plen + ipf->fl_hlen); + else if ((opts & OPT_LOGBODY) && (ipf->fl_flags & FR_LOGBODY)) + dumphex(log, opts, (char *)ip + ipf->fl_hlen, + ipf->fl_plen); + } } @@ -1378,6 +1430,7 @@ char *argv[]; { struct stat sb; FILE *log = stdout; + FILE *fp; int fd[3], doread, n, i; int tr, nr, regular[3], c; int fdt[3], devices = 0, make_daemon = 0; @@ -1581,17 +1634,18 @@ char *argv[]; tr = read_log(fd[i], &n, buf, sizeof(buf)); if (donehup) { - donehup = 0; - if (newlog) { + if (logfile && (fp = fopen(logfile, "a"))) { fclose(log); - log = newlog; - newlog = NULL; + log = fp; } - if (newbinarylog) { + if (binarylogfile && (fp = fopen(binarylogfile, "a"))) { fclose(binarylog); - binarylog = newbinarylog; - newbinarylog = NULL; + binarylog = fp; } + init_tabs(); + if (conf_file != NULL) + load_config(conf_file); + donehup = 0; } switch (tr) diff --git a/usr/src/cmd/ipf/tools/ipmon_y.y b/usr/src/cmd/ipf/tools/ipmon_y.y index b8ddb45de2..e6dda81c35 100644 --- a/usr/src/cmd/ipf/tools/ipmon_y.y +++ b/usr/src/cmd/ipf/tools/ipmon_y.y @@ -1,5 +1,11 @@ +/* + * Copyright (C) 1993-2005 by Darren Reed. + * See the IPFILTER.LICENCE file for details on licencing. + */ + %{ #include "ipf.h" +#include <syslog.h> #undef OPT_NAT #undef OPT_VERBOSE #include "ipmon_l.h" @@ -25,8 +31,9 @@ typedef struct opt { static void build_action __P((struct opt *)); static opt_t *new_opt __P((int)); +static void free_action __P((ipmon_action_t *)); -static action_t *alist = NULL; +static ipmon_action_t *alist = NULL; %} %union { 
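Review bot: `strncpy(t, ipf->fl_nattag.ipt_tag, sizeof(ipf->fl_nattag));` bounds the copy by the size of the whole tag object and never writes a terminator, so a tag that fills all of its bytes (the `IPFTAG_LEN`-bounded `strncmp` in check_action suggests that is legal) leaves `t` unterminated and the following `t += strlen(t)` walks into whatever `line` held before. Bound the copy to the tag field and terminate it explicitly: `strncpy(t, ipf->fl_nattag.ipt_tag, sizeof(ipf->fl_nattag.ipt_tag)); t[sizeof(ipf->fl_nattag.ipt_tag)] = '\0';`. The `t += 8`/`t += 10` constants beside each new `strcpy` duplicate the literal lengths by hand; `t += strlen(t)`, as the rest of the function does, cannot drift if a label is edited. print_ipflog begins outside this hunk.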
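Review bot: The SIGHUP path calls `load_config(conf_file)` and discards its return value, and load_config (later in this diff) empties `alist` before it parses, so a config file with a syntax error at reload leaves ipmon running with no actions and nothing logged about it. Check the result and report it, e.g. `if (conf_file != NULL && load_config(conf_file) != 0) syslog(LOG_ERR, "ipmon: reload of %s failed", conf_file);`, adjusted to load_config's actual failure value, which is not visible here. The `fopen(logfile, "a")` failures are tolerated silently too; keeping the old stream is reasonable, but a one-line warning would tell the operator the rotation did not take. main() begins and ends outside this hunk.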
@@ -37,20 +44,24 @@ static action_t *alist = NULL; union i6addr ip6; } -%token <num> YY_NUMBER YY_HEX -%token <str> YY_STR -%token YY_COMMENT -%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT -%token YY_RANGE_OUT YY_RANGE_IN -%token <ip6> YY_IPV6 +%token <num> YY_NUMBER YY_HEX +%token <str> YY_STR +%token <ip6> YY_IPV6 +%token YY_COMMENT +%token YY_CMP_EQ YY_CMP_NE YY_CMP_LE YY_CMP_GE YY_CMP_LT YY_CMP_GT +%token YY_RANGE_OUT YY_RANGE_IN -%token IPM_ACTION IPM_BODY IPM_COMMENT IPM_DIRECTION IPM_DSTIP IPM_DSTPORT +%token IPM_MATCH IPM_BODY IPM_COMMENT IPM_DIRECTION IPM_DSTIP IPM_DSTPORT %token IPM_EVERY IPM_EXECUTE IPM_GROUP IPM_INTERFACE IPM_IN IPM_NO IPM_OUT %token IPM_PACKET IPM_PACKETS IPM_POOL IPM_PROTOCOL IPM_RESULT IPM_RULE -%token IPM_SECOND IPM_SECONDS IPM_SRCIP IPM_SRCPORT IPM_TAG IPM_YES +%token IPM_SECOND IPM_SECONDS IPM_SRCIP IPM_SRCPORT IPM_LOGTAG IPM_WITH +%token IPM_DO IPM_SAVE IPM_SYSLOG IPM_NOTHING IPM_RAW IPM_TYPE IPM_NAT +%token IPM_STATE IPM_NATTAG IPM_IPF %type <addr> ipv4 -%type <opt> direction dstip dstport every execute group interface option -%type <opt> options protocol result rule srcip srcport tag +%type <opt> direction dstip dstport every execute group interface +%type <opt> protocol result rule srcip srcport logtag matching +%type <opt> matchopt nattag type doopt doing save syslog nothing +%type <num> saveopts saveopt typeopt %% file: line @@ -59,8 +70,10 @@ file: line | file assign ; -line: IPM_ACTION '{' options '}' ';' { build_action($3); resetlexer(); } +line: IPM_MATCH '{' matching '}' IPM_DO '{' doing '}' ';' + { build_action($3); resetlexer(); } | IPM_COMMENT + | YY_COMMENT ; assign: YY_STR assigning YY_STR ';' { set_variable($1, $3); 
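Review bot: The `line:` rule passes only `$3` (the `match { }` list) to `build_action`, while `$7` — the `do { }` list carrying the `execute`, `save` and `syslog` options — is never used and its `new_opt` allocations leak; as far as this diff shows, build_action has a single `opt_t *` parameter, so the IPM_SAVE/IPM_SYSLOG cases it handles are unreachable from the grammar. Either give build_action a second parameter for the action list, or join the lists before the call: `{ opt_t *o; for (o = $3; o->o_next != NULL; o = o->o_next) ; o->o_next = $7; build_action($3); resetlexer(); }`. A test that a `match { ... } do { syslog };` stanza actually sets `ac_syslog` would pin this down.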
@@ -74,16 +87,16 @@ assigning: '=' { yyvarnext = 1; } ; -options: - option { $$ = $1; } - | option ',' options { $1->o_next = $3; $$ = $1; } +matching: + matchopt { $$ = $1; } + | matchopt ',' matching { $1->o_next = $3; $$ = $1; } ; -option: direction { $$ = $1; } +matchopt: + direction { $$ = $1; } | dstip { $$ = $1; } | dstport { $$ = $1; } | every { $$ = $1; } - | execute { $$ = $1; } | group { $$ = $1; } | interface { $$ = $1; } | protocol { $$ = $1; } @@ -91,7 +104,21 @@ option: direction { $$ = $1; } | rule { $$ = $1; } | srcip { $$ = $1; } | srcport { $$ = $1; } - | tag { $$ = $1; } + | logtag { $$ = $1; } + | nattag { $$ = $1; } + | type { $$ = $1; } + ; + +doing: + doopt { $$ = $1; } + | doopt ',' doing { $1->o_next = $3; $$ = $1; } + ; + +doopt: + execute { $$ = $1; } + | save { $$ = $1; } + | syslog { $$ = $1; } + | nothing { $$ = $1; } ; direction: @@ -123,11 +150,6 @@ every: IPM_EVERY IPM_SECOND { $$ = new_opt(IPM_SECOND); $$->o_num = $2; } ; -execute: - IPM_EXECUTE '=' YY_STR { $$ = new_opt(IPM_EXECUTE); - $$->o_str = $3; } - ; - group: IPM_GROUP '=' YY_NUMBER { $$ = new_opt(IPM_GROUP); $$->o_num = $3; } | IPM_GROUP '=' YY_STR { $$ = new_opt(IPM_GROUP); @@ -139,6 +161,14 @@ interface: $$->o_str = $3; } ; +logtag: IPM_LOGTAG '=' YY_NUMBER { $$ = new_opt(IPM_LOGTAG); + $$->o_num = $3; } + ; + +nattag: IPM_NATTAG '=' YY_STR { $$ = new_opt(IPM_NATTAG); + $$->o_str = $3; } + ; + protocol: IPM_PROTOCOL '=' YY_NUMBER { $$ = new_opt(IPM_PROTOCOL); $$->o_num = $3; } 
@@ -168,10 +198,42 @@ srcport: $$->o_str = $3; } ; -tag: IPM_TAG '=' YY_NUMBER { $$ = new_opt(IPM_TAG); +type: IPM_TYPE '=' typeopt { $$ = new_opt(IPM_TYPE); $$->o_num = $3; } ; +typeopt: + IPM_IPF { $$ = IPL_MAGIC; } + | IPM_NAT { $$ = IPL_MAGIC_NAT; } + | IPM_STATE { $$ = IPL_MAGIC_STATE; } + ; + +execute: + IPM_EXECUTE YY_STR { $$ = new_opt(IPM_EXECUTE); + $$->o_str = $2; } + ; + +save: IPM_SAVE saveopts YY_STR { $$ = new_opt(IPM_SAVE); + $$->o_num = $2; + $$->o_str = $3; } + ; + +saveopts: { $$ = 0; } + | saveopt { $$ = $1; } + | saveopt ',' saveopts { $$ = $1 | $3; } + ; + +saveopt: + IPM_RAW { $$ = IPMDO_SAVERAW; } + ; + +syslog: IPM_SYSLOG { $$ = new_opt(IPM_SYSLOG); } + ; + +nothing: + IPM_NOTHING { $$ = 0; } + ; + ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER { if ($1 > 255 || $3 > 255 || $5 > 255 || $7 > 255) { yyerror("Invalid octet string for IP address"); @@ -182,9 +244,9 @@ ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER } %% static struct wordtab yywords[] = { - { "action", IPM_ACTION }, { "body", IPM_BODY }, { "direction", IPM_DIRECTION }, + { "do", IPM_DO }, { "dstip", IPM_DSTIP }, { "dstport", IPM_DSTPORT }, { "every", IPM_EVERY }, 
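Review bot: `nothing: IPM_NOTHING { $$ = 0; }` puts a NULL `opt_t *` into the `doing` list, and the `doing: doopt ',' doing` rule in the preceding hunk does `$1->o_next = $3` without a check, so `do { nothing, syslog };` dereferences NULL while parsing. Allocate a real node, `IPM_NOTHING { $$ = new_opt(IPM_NOTHING); }`, and let build_action's `default` case ignore it. `execute` now takes a bare string that check_action later hands to `popen`, so this rule is the right place for a one-line comment saying the value is a shell command line run with ipmon's privileges.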
@@ -192,29 +254,39 @@ static struct wordtab yywords[] = { { "group", IPM_GROUP }, { "in", IPM_IN }, { "interface", IPM_INTERFACE }, + { "ipf", IPM_IPF }, + { "logtag", IPM_LOGTAG }, + { "match", IPM_MATCH }, + { "nat", IPM_NAT }, + { "nattag", IPM_NATTAG }, { "no", IPM_NO }, + { "nothing", IPM_NOTHING }, { "out", IPM_OUT }, { "packet", IPM_PACKET }, { "packets", IPM_PACKETS }, { "protocol", IPM_PROTOCOL }, { "result", IPM_RESULT }, { "rule", IPM_RULE }, + { "save", IPM_SAVE }, + { "raw", IPM_RAW }, { "second", IPM_SECOND }, { "seconds", IPM_SECONDS }, { "srcip", IPM_SRCIP }, { "srcport", IPM_SRCPORT }, - { "tag", IPM_TAG }, - { "yes", IPM_YES }, + { "state", IPM_STATE }, + { "syslog", IPM_SYSLOG }, + { "with", IPM_WITH }, { NULL, 0 } }; -static int macflags[15][2] = { +static int macflags[17][2] = { { IPM_DIRECTION, IPMAC_DIRECTION }, { IPM_DSTIP, IPMAC_DSTIP }, { IPM_DSTPORT, IPMAC_DSTPORT }, - { IPM_EXECUTE, IPMAC_EXECUTE }, { IPM_GROUP, IPMAC_GROUP }, { IPM_INTERFACE, IPMAC_INTERFACE }, + { IPM_LOGTAG, IPMAC_LOGTAG }, + { IPM_NATTAG, IPMAC_NATTAG }, { IPM_PACKET, IPMAC_EVERY }, { IPM_PROTOCOL, IPMAC_PROTOCOL }, { IPM_RESULT, IPMAC_RESULT }, @@ -222,7 +294,8 @@ static int macflags[15][2] = { { IPM_SECOND, IPMAC_EVERY }, { IPM_SRCIP, IPMAC_SRCIP }, { IPM_SRCPORT, IPMAC_SRCPORT }, - { IPM_TAG, IPMAC_TAG }, + { IPM_TYPE, IPMAC_TYPE }, + { IPM_WITH, IPMAC_WITH }, { 0, 0 } }; @@ -238,22 +311,26 @@ int type; o->o_line = yylineNum; o->o_num = 0; o->o_str = (char *)0; + o->o_next = NULL; return o; } static void build_action(olist) opt_t *olist; { - action_t *a; + ipmon_action_t *a; opt_t *o; - u_32_t m; char c; int i; - a = (action_t *)calloc(1, sizeof(*a)); - if (!a) + a = (ipmon_action_t *)calloc(1, sizeof(*a)); + if (a == NULL) return; - while ((o = olist)) { + while ((o = olist) != NULL) { + /* + * Check to see if the same comparator is being used more than + * once per matching statement. + */ for (i = 0; macflags[i][0]; i++) if (macflags[i][0] == o->o_type) break; 
@@ -276,11 +353,7 @@ opt_t *olist; break; case IPM_DSTIP : a->ac_dip = o->o_ip.s_addr; - for (i = o->o_num, m = 0; i; i--) { - m >>= 1; - m |= 0x80000000; - } - a->ac_dmsk = htonl(m); + a->ac_dmsk = htonl(0xffffffff << (32 - o->o_num)); break; case IPM_DSTPORT : a->ac_dport = htons(o->o_num); @@ -308,6 +381,12 @@ opt_t *olist; else sprintf(a->ac_group, "%d", o->o_num); break; + case IPM_LOGTAG : + a->ac_logtag = o->o_num; + break; + case IPM_NATTAG : + strncpy(a->ac_nattag, o->o_str, sizeof(a->ac_nattag)); + break; case IPM_PACKET : a->ac_packet = o->o_num; break; @@ -322,8 +401,6 @@ opt_t *olist; a->ac_result = IPMR_PASS; else if (!strcasecmp(o->o_str, "block")) a->ac_result = IPMR_BLOCK; - else if (!strcasecmp(o->o_str, "short")) - a->ac_result = IPMR_SHORT; else if (!strcasecmp(o->o_str, "nomatch")) a->ac_result = IPMR_NOMATCH; else if (!strcasecmp(o->o_str, "log")) @@ -334,17 +411,33 @@ opt_t *olist; break; case IPM_SRCIP : a->ac_sip = o->o_ip.s_addr; - for (i = o->o_num, m = 0; i; i--) { - m >>= 1; - m |= 0x80000000; - } - a->ac_smsk = htonl(m); + a->ac_smsk = htonl(0xffffffff << (32 - o->o_num)); break; case IPM_SRCPORT : a->ac_sport = htons(o->o_num); break; - case IPM_TAG : - a->ac_tag = o->o_num; + case IPM_SAVE : + if (a->ac_savefile != NULL) { + fprintf(stderr, "%s redfined on line %d\n", + yykeytostr(o->o_type), yylineNum); + break; + } + a->ac_savefile = strdup(o->o_str); + a->ac_savefp = fopen(o->o_str, "a"); + a->ac_dflag |= o->o_num & IPMDO_SAVERAW; + break; + case IPM_SYSLOG : + if (a->ac_syslog != 0) { + fprintf(stderr, "%s redfined on line %d\n", + yykeytostr(o->o_type), yylineNum); + break; + } + a->ac_syslog = 1; + break; + case IPM_TYPE : + a->ac_type = o->o_num; + break; + case IPM_WITH : break; default : break; 
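Review bot: `htonl(0xffffffff << (32 - o->o_num))` is undefined when `o->o_num` is 0 (a shift by the full width of a 32-bit value) and when it exceeds 32, whereas the removed loop produced mask 0 for a `/0` prefix; on x86 the shift count is masked and the expression yields an all-ones mask, so `dstip = 0.0.0.0/0` would stop matching everything. Guard the boundary: `a->ac_dmsk = (o->o_num == 0) ? 0 : htonl(0xffffffffU << (32 - o->o_num));`, and reject a prefix length above 32 with `yyerror` where the `/N` is parsed (not visible here). The `ac_smsk` assignment in the later hunk has the same problem.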
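Review bot: `a->ac_savefp = fopen(o->o_str, "a");` is never checked, so a `save` target that cannot be opened (permissions, missing directory) is quietly dropped and check_action later skips the write because `ac_savefp` is NULL — records the operator asked to preserve vanish without any message. Report it at parse time: `if (a->ac_savefp == NULL) fprintf(stderr, "cannot open %s: %s\n", o->o_str, strerror(errno));` (needs `<errno.h>` and `<string.h>` if not already included). The two new error messages misspell "redefined" as `redfined`. `a->ac_smsk = htonl(0xffffffff << (32 - o->o_num))` is also undefined for a `/0` prefix (shift by 32); `(o->o_num == 0) ? 0 : ...` avoids it.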
@@ -355,54 +448,58 @@ opt_t *olist; free(o->o_str); free(o); } - a->a_next = alist; + a->ac_next = alist; alist = a; } -void check_action(buf, opts, log) -char *buf; -int opts; -char *log; +int check_action(buf, log, opts, lvl) +char *buf, *log; +int opts, lvl; { + ipmon_action_t *a; struct timeval tv; ipflog_t *ipf; tcphdr_t *tcp; iplog_t *ipl; - action_t *a; + int matched; u_long t1; ip_t *ip; + matched = 0; ipl = (iplog_t *)buf; ipf = (ipflog_t *)(ipl +1); ip = (ip_t *)(ipf + 1); tcp = (tcphdr_t *)((char *)ip + (IP_HL(ip) << 2)); - for (a = alist; a; a = a->a_next) { - if (a->ac_mflag & IPMAC_DIRECTION) { + for (a = alist; a != NULL; a = a->ac_next) { + if ((a->ac_mflag & IPMAC_DIRECTION) != 0) { if (a->ac_direction == IPM_IN) { - if (!(ipf->fl_flags & FR_INQUE)) + if ((ipf->fl_flags & FR_INQUE) == 0) continue; } else if (a->ac_direction == IPM_OUT) { - if (!(ipf->fl_flags & FR_OUTQUE)) + if ((ipf->fl_flags & FR_OUTQUE) == 0) continue; } } - if (a->ac_mflag & IPMAC_EVERY) { + if ((a->ac_type != 0) && (a->ac_type != ipl->ipl_magic)) + continue; + + if ((a->ac_mflag & IPMAC_EVERY) != 0) { gettimeofday(&tv, NULL); t1 = tv.tv_sec - a->ac_lastsec; if (tv.tv_usec <= a->ac_lastusec) t1--; - if (a->ac_second) { + if (a->ac_second != 0) { if (t1 < a->ac_second) continue; a->ac_lastsec = tv.tv_sec; a->ac_lastusec = tv.tv_usec; } - if (a->ac_packet) { - if (!a->ac_pktcnt) + if (a->ac_packet != 0) { + if (a->ac_pktcnt == 0) a->ac_pktcnt++; else if (a->ac_pktcnt == a->ac_packet) { a->ac_pktcnt = 0; 
@@ -414,37 +511,37 @@ char *log; } } - if (a->ac_mflag & IPMAC_DSTIP) { + if ((a->ac_mflag & IPMAC_DSTIP) != 0) { if ((ip->ip_dst.s_addr & a->ac_dmsk) != a->ac_dip) continue; } - if (a->ac_mflag & IPMAC_DSTPORT) { + if ((a->ac_mflag & IPMAC_DSTPORT) != 0) { if (ip->ip_p != IPPROTO_UDP && ip->ip_p != IPPROTO_TCP) continue; if (tcp->th_dport != a->ac_dport) continue; } - if (a->ac_mflag & IPMAC_GROUP) { + if ((a->ac_mflag & IPMAC_GROUP) != 0) { if (strncmp(a->ac_group, ipf->fl_group, FR_GROUPLEN) != 0) continue; } - if (a->ac_mflag & IPMAC_INTERFACE) { + if ((a->ac_mflag & IPMAC_INTERFACE) != 0) { if (strcmp(a->ac_iface, ipf->fl_ifname)) continue; } - if (a->ac_mflag & IPMAC_PROTOCOL) { + if ((a->ac_mflag & IPMAC_PROTOCOL) != 0) { if (a->ac_proto != ip->ip_p) continue; } - if (a->ac_mflag & IPMAC_RESULT) { - if (ipf->fl_lflags & FI_SHORT) { - if (a->ac_result != IPMR_SHORT) + if ((a->ac_mflag & IPMAC_RESULT) != 0) { + if ((ipf->fl_flags & FF_LOGNOMATCH) != 0) { + if (a->ac_result != IPMR_NOMATCH) continue; } else if (FR_ISPASS(ipf->fl_flags)) { if (a->ac_result != IPMR_PASS) 
@@ -452,41 +549,57 @@ char *log; } else if (FR_ISBLOCK(ipf->fl_flags)) { if (a->ac_result != IPMR_BLOCK) continue; - } else if (ipf->fl_flags & FF_LOGNOMATCH) { - if (a->ac_result != IPMR_NOMATCH) - continue; } else { /* Log only */ if (a->ac_result != IPMR_LOG) continue; } } - if (a->ac_mflag & IPMAC_RULE) { + if ((a->ac_mflag & IPMAC_RULE) != 0) { if (a->ac_rule != ipf->fl_rule) continue; } - if (a->ac_mflag & IPMAC_SRCIP) { + if ((a->ac_mflag & IPMAC_SRCIP) != 0) { if ((ip->ip_src.s_addr & a->ac_smsk) != a->ac_sip) continue; } - if (a->ac_mflag & IPMAC_SRCPORT) { + if ((a->ac_mflag & IPMAC_SRCPORT) != 0) { if (ip->ip_p != IPPROTO_UDP && ip->ip_p != IPPROTO_TCP) continue; if (tcp->th_sport != a->ac_sport) continue; } - if (a->ac_mflag & IPMAC_TAG) { - if (a->ac_tag != ipf->fl_tag) + if ((a->ac_mflag & IPMAC_LOGTAG) != 0) { + if (a->ac_logtag != ipf->fl_logtag) continue; } + if ((a->ac_mflag & IPMAC_NATTAG) != 0) { + if (strncmp(a->ac_nattag, ipf->fl_nattag.ipt_tag, + IPFTAG_LEN) != 0) + continue; + } + + matched = 1; + /* * It matched so now execute the command */ - if (a->ac_exec) { + if (a->ac_syslog != 0) { + syslog(lvl, "%s", log); + } + + if (a->ac_savefp != NULL) { + if (a->ac_dflag & IPMDO_SAVERAW) + fwrite(ipl, 1, ipl->ipl_dsize, a->ac_savefp); + else + fputs(log, a->ac_savefp); + } + + if (a->ac_exec != NULL) { switch (fork()) { case 0 : @@ -494,14 +607,14 @@ char *log; FILE *pi; pi = popen(a->ac_run, "w"); - if (pi) { + if (pi != NULL) { fprintf(pi, "%s\n", log); - if (opts & OPT_HEXHDR) { + if ((opts & OPT_HEXHDR) != 0) { dumphex(pi, 0, buf, sizeof(*ipl) + sizeof(*ipf)); } - if (opts & OPT_HEXBODY) { + if ((opts & OPT_HEXBODY) != 0) { dumphex(pi, 0, (char *)ip, ipf->fl_hlen + ipf->fl_plen); 
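Review bot: The new `save` action writes with `fwrite`/`fputs` and neither checks the result nor flushes, so a short write (full disk, revoked descriptor) is invisible and the most recent records sit in the stdio buffer until ipmon exits; for a file whose purpose is preserving evidence that gap matters. Check and flush, e.g. `if (fputs(log, a->ac_savefp) == EOF || fflush(a->ac_savefp) != 0) syslog(LOG_ERR, "save to %s failed", a->ac_savefile);`, with the equivalent for the raw path. That raw path's length `ipl->ipl_dsize` comes from the log record itself; I assume the caller has already bounded it against the bytes actually read, but that is not visible here. check_action continues past this hunk (the fork/popen branch).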
@@ -517,15 +630,60 @@ char *log; } } } + + return matched; +} + + +static void free_action(a) +ipmon_action_t *a; +{ + if (a->ac_savefile != NULL) { + free(a->ac_savefile); + a->ac_savefile = NULL; + } + if (a->ac_savefp != NULL) { + fclose(a->ac_savefp); + a->ac_savefp = NULL; + } + if (a->ac_exec != NULL) { + free(a->ac_exec); + if (a->ac_run == a->ac_exec) + a->ac_run = NULL; + a->ac_exec = NULL; + } + if (a->ac_run != NULL) { + free(a->ac_run); + a->ac_run = NULL; + } + if (a->ac_iface != NULL) { + free(a->ac_iface); + a->ac_iface = NULL; + } + a->ac_next = NULL; + free(a); } int load_config(file) char *file; { + ipmon_action_t *a; FILE *fp; + char *s; + + s = getenv("YYDEBUG"); + if (s != NULL) + yydebug = atoi(s); + else + yydebug = 0; + + while ((a = alist) != NULL) { + alist = a->ac_next; + free_action(a); + } - yylineNum = 0; + yylineNum = 1; (void) yysettab(yywords); diff --git a/usr/src/cmd/ipf/tools/ipnat.c b/usr/src/cmd/ipf/tools/ipnat.c index e1d93224c6..6989a511f1 100644 --- a/usr/src/cmd/ipf/tools/ipnat.c +++ b/usr/src/cmd/ipf/tools/ipnat.c @@ -5,7 +5,7 @@ * * Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com) * - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -49,9 +49,13 @@ #include <arpa/inet.h> #include <resolv.h> #include <ctype.h> -#include <nlist.h> +#if defined(linux) +# include <linux/a.out.h> +#else +# include <nlist.h> +#endif #include "ipf.h" -#include "ipl.h" +#include "netinet/ipl.h" #include "kmem.h" #ifdef __hpux @@ -67,7 +71,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.20 2003/07/01 16:30:27 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.2 2005/05/10 21:19:30 darrenr Exp $"; #endif 
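Review bot: load_config tears down every existing action (`while ((a = alist) != NULL) { alist = a->ac_next; free_action(a); }`) before the new file has been parsed, so on a SIGHUP reload a config with a syntax error leaves the daemon with an empty action list; build the new list into a local, swap it into `alist` only after the parse (below this hunk) succeeds, and free the old list then. In free_action, `if (a->ac_run == a->ac_exec)` inspects `ac_exec` after `free(a->ac_exec)`; the value of a freed pointer is indeterminate, so do the comparison first: `if (a->ac_run == a->ac_exec) a->ac_run = NULL; free(a->ac_exec);`. `yydebug = atoi(getenv("YYDEBUG"))` lets the environment enable parser tracing in a daemon usually started as root — harmless in effect, but worth a comment marking it debug-only.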
@@ -90,7 +94,7 @@ int opts; void usage(name) char *name; { - fprintf(stderr, "Usage: %s [-CdFhlnrsv] [-f filename]\n", name); + fprintf(stderr, "Usage: %s [-CFhlnrRsv] [-f filename]\n", name); exit(1); } @@ -112,7 +116,7 @@ char *argv[]; kernel = NULL; mode = O_RDWR; - while ((c = getopt(argc, argv, "CdFf:hlM:N:nrsv")) != -1) + while ((c = getopt(argc, argv, "CdFf:hlM:N:nrRsv")) != -1) switch (c) { case 'C' : @@ -144,6 +148,9 @@ char *argv[]; opts |= OPT_DONOTHING; mode = O_RDONLY; break; + case 'R' : + opts |= OPT_NORESOLVE; + break; case 'r' : opts |= OPT_REMOVE; break; @@ -313,7 +320,7 @@ int opts; break; } if (opts & OPT_HITS) - printf("%d ", ipn.in_hits); + printf("%lu ", ipn.in_hits); printnat(&ipn, opts & (OPT_DEBUG|OPT_VERBOSE)); nsp->ns_list = ipn.in_next; } @@ -324,6 +331,8 @@ int opts; if (kmemcpy((char *)&nat, (long)np, sizeof(nat))) break; printactivenat(&nat, opts); + if (nat.nat_aps) + printaps(nat.nat_aps, opts); } if (opts & OPT_VERBOSE) diff --git a/usr/src/cmd/ipf/tools/ipnat_y.y b/usr/src/cmd/ipf/tools/ipnat_y.y index 064a6abe35..e382d78afd 100644 --- a/usr/src/cmd/ipf/tools/ipnat_y.y +++ b/usr/src/cmd/ipf/tools/ipnat_y.y @@ -4,7 +4,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" @@ -33,11 +33,6 @@ #include <stddef.h> #include <sys/socket.h> #include <sys/ioctl.h> -#ifdef IPFILTER_BPF -# include <net/bpf.h> -# include <pcap-int.h> -# include <pcap.h> -#endif #include <netinet/in.h> #include <netinet/in_systm.h> #include <sys/time.h> 
@@ -46,17 +41,11 @@ #if __FreeBSD_version >= 300000 # include <net/if_var.h> #endif -#include <netinet/ip.h> -#include <netinet/ip_icmp.h> #include <netdb.h> #include <arpa/nameser.h> #include <resolv.h> #include "ipf.h" -#if SOLARIS2 >= 10 -#include "ipl.h" -#else #include "netinet/ipl.h" -#endif #include "ipnat_l.h" #define YYDEBUG 1 @@ -84,6 +73,7 @@ static void setnatproto __P((int)); struct in_addr ipa; frentry_t fr; frtuc_t *frt; + u_short port; struct { u_short p1; u_short p2; @@ -108,7 +98,8 @@ static void setnatproto __P((int)); %token IPNY_ROUNDROBIN IPNY_FRAG IPNY_AGE IPNY_ICMPIDMAP IPNY_PROXY %token IPNY_TCP IPNY_UDP IPNY_TCPUDP IPNY_STICKY IPNY_MSSCLAMP IPNY_TAG %token IPNY_TLATE -%type <num> hexnumber numports compare range proto +%type <port> portspec +%type <num> hexnumber compare range proto %type <ipa> hostname ipv4 %type <ipp> addr nummask rhaddr %type <pc> portstuff @@ -143,13 +134,17 @@ assigning: xx: { newnatrule(); } ; -rule: map - | mapblock - | redir +rule: map eol + | mapblock eol + | redir eol + ; + +eol: | ';' ; map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions - { nat->in_inip = $3.a.s_addr; + { nat->in_v = 4; + nat->in_inip = $3.a.s_addr; nat->in_inmsk = $3.m.s_addr; nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; @@ -164,7 +159,8 @@ map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions nat_setgroupmap(nat); } | mapit ifnames addr IPNY_TLATE rhaddr mapport mapoptions - { nat->in_inip = $3.a.s_addr; + { nat->in_v = 4; + nat->in_inip = $3.a.s_addr; nat->in_inmsk = $3.m.s_addr; nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; 
@@ -172,14 +168,15 @@ map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions strncpy(nat->in_ifnames[1], nat->in_ifnames[0], sizeof(nat->in_ifnames[0])); - if ((nat->in_flags & IPN_TCPUDP) == 0) + if ((nat->in_flags & IPN_TCPUDPICMPQ) == 0) setnatproto(nat->in_p); if (((nat->in_redir & NAT_MAPBLK) != 0) || ((nat->in_flags & IPN_AUTOPORTMAP) != 0)) nat_setgroupmap(nat); } | mapit ifnames mapfrom IPNY_TLATE rhaddr proxy mapoptions - { nat->in_outip = $5.a.s_addr; + { nat->in_v = 4; + nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], @@ -192,13 +189,14 @@ map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions nat_setgroupmap(nat); } | mapit ifnames mapfrom IPNY_TLATE rhaddr mapport mapoptions - { nat->in_outip = $5.a.s_addr; + { nat->in_v = 4; + nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], nat->in_ifnames[0], sizeof(nat->in_ifnames[0])); - if ((nat->in_flags & IPN_TCPUDP) == 0) + if ((nat->in_flags & IPN_TCPUDPICMPQ) == 0) setnatproto(nat->in_p); if (((nat->in_redir & NAT_MAPBLK) != 0) || ((nat->in_flags & IPN_AUTOPORTMAP) != 0)) @@ -208,7 +206,8 @@ map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions mapblock: mapblockit ifnames addr IPNY_TLATE addr ports mapoptions - { nat->in_inip = $3.a.s_addr; + { nat->in_v = 4; + nat->in_inip = $3.a.s_addr; nat->in_inmsk = $3.m.s_addr; nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; @@ -224,8 +223,9 @@ mapblock: } ; -redir: rdrit ifnames addr dport IPNY_TLATE dip nport rdrproto rdroptions - { nat->in_outip = $3.a.s_addr; +redir: rdrit ifnames addr dport IPNY_TLATE dip nport setproto rdroptions + { nat->in_v = 4; + nat->in_outip = $3.a.s_addr; nat->in_outmsk = $3.m.s_addr; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], 
@@ -238,8 +238,9 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport rdrproto rdroptions nat->in_pnext != 0)) setnatproto(IPPROTO_TCP); } - | rdrit ifnames rdrfrom IPNY_TLATE dip nport rdrproto rdroptions - { if ((nat->in_p == 0) && + | rdrit ifnames rdrfrom IPNY_TLATE dip nport setproto rdroptions + { nat->in_v = 4; + if ((nat->in_p == 0) && ((nat->in_flags & IPN_TCPUDP) == 0) && (nat->in_pmin != 0 || nat->in_pmax != 0 || @@ -250,8 +251,9 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport rdrproto rdroptions nat->in_ifnames[0], sizeof(nat->in_ifnames[0])); } - | rdrit ifnames addr IPNY_TLATE dip rdrproto rdroptions - { nat->in_outip = $3.a.s_addr; + | rdrit ifnames addr IPNY_TLATE dip setproto rdroptions + { nat->in_v = 4; + nat->in_outip = $3.a.s_addr; nat->in_outmsk = $3.m.s_addr; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], @@ -260,7 +262,7 @@ redir: rdrit ifnames addr dport IPNY_TLATE dip nport rdrproto rdroptions } ; -proxy: | IPNY_PROXY IPNY_PORT YY_NUMBER YY_STR '/' proto +proxy: | IPNY_PROXY IPNY_PORT portspec YY_STR '/' proto { strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel)); if (nat->in_dcmp == 0) { nat->in_dport = htons($3); 
@@ -271,24 +273,35 @@ proxy: | IPNY_PROXY IPNY_PORT YY_NUMBER YY_STR '/' proto free($4); } | IPNY_PROXY IPNY_PORT YY_STR YY_STR '/' proto - { strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel)); - nat->in_dport = getportproto($3, $6); + { int pnum; + strncpy(nat->in_plabel, $4, sizeof(nat->in_plabel)); + pnum = getportproto($3, $6); + if (pnum == -1) + yyerror("invalid port number"); + nat->in_dport = pnum; setnatproto($6); free($3); free($4); } ; -rdrproto: - | IPNY_TCP { setnatproto(IPPROTO_TCP); } - | IPNY_UDP { setnatproto(IPPROTO_UDP); } - | IPNY_TCPUDP { nat->in_flags |= IPN_TCPUDP; - nat->in_p = 0; } - | IPNY_TCP '/' IPNY_UDP { nat->in_flags |= IPN_TCPUDP; - nat->in_p = 0; } - | YY_NUMBER { setnatproto($1); } - | YY_STR { setnatproto(getproto($1)); - free($1); +setproto: + | proto { if (nat->in_p != 0 || + nat->in_flags & IPN_TCPUDP) + yyerror("protocol set twice"); + setnatproto($1); + } + | IPNY_TCPUDP { if (nat->in_p != 0 || + nat->in_flags & IPN_TCPUDP) + yyerror("protocol set twice"); + nat->in_flags |= IPN_TCPUDP; + nat->in_p = 0; + } + | IPNY_TCP '/' IPNY_UDP { if (nat->in_p != 0 || + nat->in_flags & IPN_TCPUDP) + yyerror("protocol set twice"); + nat->in_flags |= IPN_TCPUDP; + nat->in_p = 0; } ; 
@@ -296,29 +309,43 @@ rhaddr: addr { $$.a = $1.a; $$.m = $1.m; } | IPNY_RANGE ipv4 '-' ipv4 { $$.a = $2; $$.m = $4; nat->in_flags |= IPN_IPRANGE; } + ; + dip: - ipv4 { nat->in_inip = $1.s_addr; + hostname { nat->in_inip = $1.s_addr; nat->in_inmsk = 0xffffffff; } - | ipv4 '/' YY_NUMBER { nat->in_inip = $1.s_addr; - if (nat->in_inip != 0 || - ($3 != 0 && $3 != 32)) - yyerror("Invalid mask for dip"); - ntomask(4, $3, &nat->in_inmsk); } - | ipv4 ',' ipv4 { nat->in_flags |= IPN_SPLIT; + | hostname ',' hostname { nat->in_flags |= IPN_SPLIT; nat->in_inip = $1.s_addr; nat->in_inmsk = $3.s_addr; } ; -dport: | IPNY_PORT YY_NUMBER { nat->in_pmin = htons($2); +portspec: + YY_NUMBER { if ($1 > 65535) /* Unsigned */ + yyerror("invalid port number"); + else + $$ = $1; + } + | YY_STR { if (getport(NULL, $1, &($$)) == -1) + yyerror("invalid port number"); + $$ = ntohs($$); + } + ; + +dport: | IPNY_PORT portspec { nat->in_pmin = htons($2); nat->in_pmax = htons($2); } - | IPNY_PORT YY_NUMBER '-' YY_NUMBER { nat->in_pmin = htons($2); + | IPNY_PORT portspec '-' portspec { nat->in_pmin = htons($2); + nat->in_pmax = htons($4); } + | IPNY_PORT portspec ':' portspec { nat->in_pmin = htons($2); nat->in_pmax = htons($4); } ; -nport: IPNY_PORT YY_NUMBER { nat->in_pnext = htons($2); } +nport: IPNY_PORT portspec { nat->in_pnext = htons($2); } + | IPNY_PORT '=' portspec { nat->in_pnext = htons($3); + nat->in_flags |= IPN_FIXEDDPORT; + } ; -ports: | IPNY_PORTS numports { nat->in_pmin = $2; } +ports: | IPNY_PORTS YY_NUMBER { nat->in_pmin = $2; } | IPNY_PORTS IPNY_AUTO { nat->in_flags |= IPN_AUTOPORTMAP; } ; 
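Review bot: In `portspec: YY_NUMBER { if ($1 > 65535) yyerror("invalid port number"); else $$ = $1; }` the rejected branch leaves `$$` unset, and the `YY_STR` branch still executes `$$ = ntohs($$)` after a failed `getport`; both rely on yyerror not returning, which this diff does not show. Assigning `$$ = 0;` in the error branches costs nothing and keeps the value defined if it does return. The `dport` ranges (`portspec '-' portspec` and the `':'` form) accept `pmin > pmax` without complaint; `if ($2 > $4) yyerror("port range reversed");` would reject a rule that can never match as written.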
@@ -353,26 +380,44 @@ ifnames: | ifname ',' otherifname ; -ifname: YY_STR { strncpy(nat->in_ifnames[0], $1, - sizeof(nat->in_ifnames[0])); - free($1); - } +ifname: YY_STR { strncpy(nat->in_ifnames[0], $1, + sizeof(nat->in_ifnames[0])); + nat->in_ifnames[0][LIFNAMSIZ - 1] = '\0'; + free($1); + } ; otherifname: - YY_STR { strncpy(nat->in_ifnames[1], $1, - sizeof(nat->in_ifnames[1])); - free($1); - } + YY_STR { strncpy(nat->in_ifnames[1], $1, + sizeof(nat->in_ifnames[1])); + nat->in_ifnames[1][LIFNAMSIZ - 1] = '\0'; + free($1); + } ; mapport: - IPNY_PORTMAP tcpudp YY_NUMBER ':' YY_NUMBER - { nat->in_pmin = htons($3); - nat->in_pmax = htons($5); } - | IPNY_PORTMAP tcpudp IPNY_AUTO { nat->in_flags |= IPN_AUTOPORTMAP; - nat->in_pmin = htons(1024); - nat->in_pmax = htons(65535); } + IPNY_PORTMAP tcpudp portspec ':' portspec + { nat->in_pmin = htons($3); + nat->in_pmax = htons($5); + } + | IPNY_PORTMAP tcpudp IPNY_AUTO + { nat->in_flags |= IPN_AUTOPORTMAP; + nat->in_pmin = htons(1024); + nat->in_pmax = htons(65535); + } + | IPNY_ICMPIDMAP YY_STR YY_NUMBER ':' YY_NUMBER + { if (strcmp($2, "icmp") != 0) { + yyerror("icmpidmap not followed by icmp"); + } + free($2); + if ($3 < 0 || $3 > 65535) + yyerror("invalid ICMP Id number"); + if ($5 < 0 || $5 > 65535) + yyerror("invalid ICMP Id number"); + nat->in_flags = IPN_ICMPQUERY; + nat->in_pmin = htons($3); + nat->in_pmax = htons($5); + } ; sobject: @@ -433,12 +478,12 @@ nummask: ; portstuff: - compare YY_NUMBER { $$.pc = $1; $$.p1 = $2; } - | YY_NUMBER range YY_NUMBER { $$.pc = $2; $$.p1 = $1; $$.p2 = $3; } + compare portspec { $$.pc = $1; $$.p1 = $2; } + | portspec range portspec { $$.pc = $2; $$.p1 = $1; $$.p1 = $3; } ; mapoptions: - rr frag age mssclamp nattag + rr frag age mssclamp nattag setproto ; rdroptions: 
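Review bot: The `icmpidmap` alternative assigns `nat->in_flags = IPN_ICMPQUERY;` with `=` rather than `|=`, discarding any flag set earlier in the same rule — in the `map ... rhaddr mapport` form, `rhaddr` has already set `IPN_IPRANGE` for a `range a-b` target before `mapport` is reduced. Use `nat->in_flags |= IPN_ICMPQUERY;`. The two `yyerror` calls for out-of-range ids fall straight through into the assignments if yyerror returns; whether it exits is not visible here, so treat them like the error branches elsewhere in the grammar.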
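Review bot: `portspec range portspec { $$.pc = $2; $$.p1 = $1; $$.p1 = $3; }` assigns `p1` twice and never sets `p2`; the removed line had `$$.p2 = $3`, so this is a regression that turns every two-ended port comparison into a test against the upper bound alone, with `p2` left as whatever the union held. Restore `$$.p2 = $3;`. A parser test covering a port range comparison would have caught it.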
@@ -484,10 +529,11 @@ tcpudp: | IPNY_TCP { setnatproto(IPPROTO_TCP); } ; rdrproxy: - | IPNY_PROXY YY_STR + IPNY_PROXY YY_STR { strncpy(nat->in_plabel, $2, sizeof(nat->in_plabel)); nat->in_dport = nat->in_pnext; + nat->in_dport = htons(nat->in_dport); free($2); } | proxy { if (nat->in_plabel[0] != '\0') { @@ -498,10 +544,6 @@ rdrproxy: } ; -numports: - YY_NUMBER { $$ = $1; } - ; - proto: YY_NUMBER { $$ = $1; } | IPNY_TCP { $$ = IPPROTO_TCP; } | IPNY_UDP { $$ = IPPROTO_UDP; } @@ -562,6 +604,7 @@ static wordtab_t yywords[] = { { "map", IPNY_MAP }, { "map-block", IPNY_MAPBLOCK }, { "mssclamp", IPNY_MSSCLAMP }, + { "netmask", IPNY_MASK }, { "port", IPNY_PORT }, { "portmap", IPNY_PORTMAP }, { "ports", IPNY_PORTS }, @@ -572,6 +615,7 @@ static wordtab_t yywords[] = { { "sticky", IPNY_STICKY }, { "tag", IPNY_TAG }, { "tcp", IPNY_TCP }, + { "tcpudp", IPNY_TCPUDP }, { "to", IPNY_TO }, { "udp", IPNY_UDP }, { "-", '-' }, @@ -689,8 +733,23 @@ int p; nat->in_flags |= IPN_UDP; nat->in_flags &= ~IPN_TCP; break; + case IPPROTO_ICMP : + nat->in_flags &= ~IPN_TCPUDP; + if (!(nat->in_flags & IPN_ICMPQUERY)) { + nat->in_dcmp = 0; + nat->in_scmp = 0; + nat->in_pmin = 0; + nat->in_pmax = 0; + nat->in_pnext = 0; + } + break; default : if ((nat->in_redir & NAT_MAPBLK) == 0) { + /* Only reset dcmp/scmp in case dport/sport not set */ + if (0 == nat->in_tuc.ftu_dport) + nat->in_dcmp = 0; + if (0 == nat->in_tuc.ftu_sport) + nat->in_scmp = 0; nat->in_pmin = 0; nat->in_pmax = 0; nat->in_pnext = 0; @@ -698,6 +757,9 @@ int p; } break; } + + if ((nat->in_flags & (IPN_TCPUDP|IPN_FIXEDDPORT)) == IPN_FIXEDDPORT) + nat->in_flags &= ~IPN_FIXEDDPORT; } @@ -706,8 +768,8 @@ int fd; ioctlfunc_t ioctlfunc; void *ptr; { + ioctlcmd_t add, del; ipfobj_t obj; - int add, del; ipnat_t *ipn; ipn = ptr; diff --git a/usr/src/cmd/ipf/tools/ippool.c b/usr/src/cmd/ipf/tools/ippool.c index da6cc9273e..9e7919c757 100644 --- a/usr/src/cmd/ipf/tools/ippool.c +++ b/usr/src/cmd/ipf/tools/ippool.c 
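Review bot: `nat->in_dport = nat->in_pnext; nat->in_dport = htons(nat->in_dport);` applies `htons` to a value that `nport` (earlier hunk) already stored as `htons($2)`, so on a little-endian host `in_dport` ends up in host order while the `proxy port N` alternative stores `htons($3)`; one of the two paths is wrong, and this one looks like the culprit. Drop the added `htons` unless `in_pnext` is meant to be host-order here — either way a comment stating the byte order of `in_pnext` and `in_dport` would keep this from regressing again. Removing the empty alternative also makes `rdrproxy` mandatory wherever it is referenced; that is fine only if `rdroptions` still allows it to be absent, which is not visible here.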
@@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -35,15 +35,9 @@ #include <unistd.h> #include "ipf.h" -#if SOLARIS2 >= 10 -#include "ip_lookup.h" -#include "ip_pool.h" -#include "ip_htable.h" -#else #include "netinet/ip_lookup.h" #include "netinet/ip_pool.h" #include "netinet/ip_htable.h" -#endif #include "kmem.h" @@ -142,7 +136,7 @@ char *argv[]; role = IPL_LOGIPF; bzero((char *)&node, sizeof(node)); - while ((c = getopt(argc, argv, "di:m:no:v")) != -1) + while ((c = getopt(argc, argv, "di:m:no:Rv")) != -1) switch (c) { case 'd' : @@ -162,7 +156,9 @@ char *argv[]; if (s != NULL) *s = '\0'; ipset = 1; + node.ipn_addr.adf_len = sizeof(node.ipn_addr); node.ipn_addr.adf_addr.in4.s_addr = inet_addr(optarg); + node.ipn_mask.adf_len = sizeof(node.ipn_mask); node.ipn_mask.adf_addr.in4.s_addr = mask.s_addr; break; case 'm' : @@ -176,11 +172,17 @@ char *argv[]; if (role == IPL_LOGNONE) return -1; break; + case 'R' : + opts |= OPT_NORESOLVE; + break; case 'v' : opts |= OPT_VERBOSE; break; } + if (opts & OPT_DEBUG) + fprintf(stderr, "poolnodecommand: opts = %#x\n", opts); + if (ipset == 0) return -1; if (poolname == NULL) { @@ -213,7 +215,7 @@ char *argv[]; bzero((char *)&iph, sizeof(iph)); bzero((char *)&pool, sizeof(pool)); - while ((c = getopt(argc, argv, "dm:no:S:t:v")) != -1) + while ((c = getopt(argc, argv, "dm:no:RSt:v")) != -1) switch (c) { case 'd' : @@ -233,6 +235,9 @@ char *argv[]; return -1; } break; + case 'R' : + opts |= OPT_NORESOLVE; + break; case 'S' : iph.iph_seed = atoi(optarg); break; @@ -248,6 +253,9 @@ char *argv[]; break; } + if (opts & OPT_DEBUG) + fprintf(stderr, "poolcommand: opts = %#x\n", opts); + if (poolname == NULL) { fprintf(stderr, "poolname not given with add/remove pool\n"); return -1; 
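Review bot: The new option string `"dm:no:RSt:v"` drops the `:` after `S`, so `-S seed` no longer consumes an argument and the `case 'S' : iph.iph_seed = atoi(optarg);` shown in the following hunk runs with `optarg` NULL or pointing at an earlier option's value — a NULL dereference in atoi at best, a silently wrong hash seed at worst. Restore it: `while ((c = getopt(argc, argv, "dm:no:RS:t:v")) != -1)`. `atoi` also accepts garbage silently; `strtoul` with an end-pointer check would reject `-S abc` instead of seeding with 0.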
@@ -296,7 +304,7 @@ char *argv[], *infile;
 infile = optarg;
- while ((c = getopt(argc, argv, "dnrv")) != -1)
+ while ((c = getopt(argc, argv, "dnRuv")) != -1)
 switch (c)
 {
 case 'd' :
@@ -306,7 +314,10 @@ char *argv[], *infile;
 case 'n' :
 opts |= OPT_DONOTHING;
 break;
- case 'r' :
+ case 'R' :
+ opts |= OPT_NORESOLVE;
+ break;
+ case 'u' :
 opts |= OPT_REMOVE;
 break;
 case 'v' :
@@ -314,6 +325,9 @@ char *argv[], *infile;
 break;
 }
+ if (opts & OPT_DEBUG)
+ fprintf(stderr, "loadpoolfile: opts = %#x\n", opts);
+
 if (!(opts & OPT_DONOTHING) && (fd == -1)) {
 fd = open(IPLOOKUP_NAME, O_RDWR);
 if (fd == -1) {
@@ -347,7 +361,7 @@ char *argv[];
 poolname = NULL;
 role = IPL_LOGALL;
- while ((c = getopt(argc, argv, "dm:M:N:o:t:v")) != -1)
+ while ((c = getopt(argc, argv, "dm:M:N:o:Rt:v")) != -1)
 switch (c)
 {
 case 'd' :
@@ -371,6 +385,9 @@ char *argv[];
 return -1;
 }
 break;
+ case 'R' :
+ opts |= OPT_NORESOLVE;
+ break;
 case 't' :
 type = gettype(optarg, NULL);
 if (type == IPLT_NONE) {
@@ -418,14 +435,15 @@ char *argv[];
 if (role != IPL_LOGALL) {
 ptr = plstp->ipls_list[role];
 while (ptr != NULL) {
- ptr = printpool(ptr, kmemcpywrap, opts);
+ ptr = printpool(ptr, kmemcpywrap, poolname,
+ opts);
 }
 } else {
 for (role = 0; role <= IPL_LOGMAX; role++) {
 ptr = plstp->ipls_list[role];
 while (ptr != NULL) {
 ptr = printpool(ptr, kmemcpywrap,
- opts);
+ poolname, opts);
 }
 }
 role = IPL_LOGALL;
@@ -445,14 +463,15 @@ char *argv[];
 if (role != IPL_LOGALL) {
 hptr = htstp->iphs_tables;
 while (hptr != NULL) {
- hptr = printhash(hptr, kmemcpywrap, opts);
+ hptr = printhash(hptr, kmemcpywrap,
+ poolname, opts);
 }
 } else {
 for (role = 0; role <= IPL_LOGMAX; role++) {
 hptr = htstp->iphs_tables;
 while (hptr != NULL) {
 hptr = printhash(hptr, kmemcpywrap,
- opts);
+ poolname, opts);
 }
 op.iplo_unit = role;
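Review bot: The remove flag of loadpoolfile moves from `-r` to `-u` (old `"dnrv"`, new `"dnRuv"`, with `case 'r' :` becoming `case 'u' :` in the next hunk), which rejects any existing invocation that passes `-r`; the usage text and manual page are not in this diff, so they need the same change. If the old spelling is not being retired on purpose, keeping `case 'r' : /* deprecated alias for -u */` immediately above `case 'u' :` as a fall-through, and leaving `r` in the getopt string, would preserve compatibility for a release.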
@@ -601,6 +620,9 @@ char *argv[];
 break;
 }
+ if (opts & OPT_DEBUG)
+ fprintf(stderr, "poolflush: opts = %#x\n", opts);
+
 if (!(opts & OPT_DONOTHING) && (fd == -1)) {
 fd = open(IPLOOKUP_NAME, O_RDWR);
 if (fd == -1) {
@@ -665,7 +687,7 @@ u_int *minor;
 {
 int type;
- if (!strcasecmp(optarg, "pool")) {
+ if (!strcasecmp(optarg, "tree")) {
 type = IPLT_POOL;
 } else if (!strcasecmp(optarg, "hash")) {
 type = IPLT_HASH;
diff --git a/usr/src/cmd/ipf/tools/ippool_y.y b/usr/src/cmd/ipf/tools/ippool_y.y
index a952538c39..a074dff823 100644
--- a/usr/src/cmd/ipf/tools/ippool_y.y
+++ b/usr/src/cmd/ipf/tools/ippool_y.y
@@ -4,7 +4,7 @@
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
@@ -36,15 +36,9 @@
 #include <unistd.h>
 #include "ipf.h"
-#if SOLARIS2 >= 10
-#include "ip_lookup.h"
-#include "ip_pool.h"
-#include "ip_htable.h"
-#else
 #include "netinet/ip_lookup.h"
 #include "netinet/ip_pool.h"
 #include "netinet/ip_htable.h"
-#endif
 #include "ippool_l.h"
 #include "kmem.h"
@@ -164,25 +158,23 @@ role:
 ;
 ipftree:
- IPT_TYPE '=' IPT_TREE number '{' { yyexpectaddr = 1; }
- addrlist '}'
+ IPT_TYPE '=' IPT_TREE number start addrlist end
 { strncpy(iplo.ipo_name, $4, sizeof(iplo.ipo_name));
- $$ = $7;
+ $$ = $6;
 }
 ;
 ipfhash:
- IPT_TYPE '=' IPT_HASH number hashopts '{' { yyexpectaddr = 1; }
- hashlist '}'
+ IPT_TYPE '=' IPT_HASH number hashopts start hashlist end
 { strncpy(ipht.iph_name, $4, sizeof(ipht.iph_name));
- $$ = $8;
+ $$ = $7;
 }
 ;
 ipfgroup:
- setgroup hashopts '{' grouplist '}'
+ setgroup hashopts start grouplist end
 { iphtent_t *e;
 for (e = $4; e != NULL; e = e->ipe_next)
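Review bot: gettype now accepts `tree` where it used to accept `pool` (`strcasecmp(optarg, "tree")`), so any caller or script passing `-t pool` is rejected even though the result would still be IPLT_POOL. Unless the old spelling is being retired deliberately, accept both: `if (!strcasecmp(optarg, "tree") || !strcasecmp(optarg, "pool")) {`. The rest of gettype, including its handling of an unknown name, lies outside the hunk.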
@@ -192,10 +184,10 @@ ipfgroup:
 FR_GROUPLEN);
 $$ = $4;
 }
- | hashopts '{' setgrouplist '}' { $$ = $3; }
+ | hashopts start setgrouplist end { $$ = $3; }
 ;
-number: IPT_NUM '=' YY_NUMBER { sprintf(poolname, "%u", $3);
+number: IPT_NUM '=' YY_NUMBER { snprintf(poolname, FR_GROUPLEN, "%u", $3);
 $$ = poolname;
 }
 | IPT_NAME '=' YY_STR { $$ = $3; }
@@ -208,7 +200,7 @@ setgroup:
 $$ = strdup(tmp);
 }
 | IPT_GROUP '=' YY_NUMBER { char tmp[FR_GROUPLEN+1];
- sprintf(tmp, "%u", $3);
+ snprintf(tmp, FR_GROUPLEN, "%u", $3);
 $$ = strdup(tmp);
 }
 ;
@@ -220,14 +212,15 @@ hashopts:
 ;
 addrlist:
- next { $$ = NULL; }
+ ';' { $$ = NULL; }
 | range next addrlist { $1->ipn_next = $3; $$ = $1; }
 | range next { $$ = $1; }
- | range { $$ = $1; }
+ | range
 ;
 grouplist:
- groupentry next grouplist { $$ = $1; $1->ipe_next = $3; }
+ ';' { $$ = NULL; }
+ | groupentry next grouplist { $$ = $1; $1->ipe_next = $3; }
 | addrmask next grouplist { $$ = calloc(1, sizeof(iphtent_t));
 if ($$ == NULL)
 yyerror("sorry, out of memory");
@@ -242,7 +235,8 @@ grouplist:
 (char *)&($$->ipe_mask),
 sizeof($$->ipe_mask));
 set_ipv6_addr = 0;
- $$->ipe_next = $3; }
+ $$->ipe_next = $3;
+ }
 | groupentry next { $$ = $1; }
 | addrmask next { $$ = calloc(1, sizeof(iphtent_t));
 if ($$ == NULL)
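Review bot: The new `snprintf(poolname, FR_GROUPLEN, "%u", $3)` in the number rule bounds the write with the FR_GROUPLEN constant rather than the buffer's own size; if poolname is declared as an array (its definition is not in the hunk), `sizeof(poolname)` keeps the bound tied to the declaration, and if it is FR_GROUPLEN+1 bytes like the `tmp` buffers in setgroup the present bound merely wastes the last byte. Either way this is a clear improvement on the unbounded sprintf it replaces. The rule also hands back a pointer to the shared poolname buffer from one alternative and a caller-owned string from the YY_STR alternative, so a comment on the rule stating which results may be freed would help the actions that consume `$4` in ipftree and ipfhash.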
@@ -262,34 +256,38 @@ grouplist:
 ;
 setgrouplist:
- groupentry next { $$ = $1; }
+ ';' { $$ = NULL; }
+ | groupentry next { $$ = $1; }
 | groupentry next setgrouplist { $1->ipe_next = $3; $$ = $1; }
 ;
 groupentry:
- addrmask ',' setgroup { $$ = calloc(1, sizeof(iphtent_t));
- if ($$ == NULL)
- yyerror("sorry, out of memory");
- if (set_ipv6_addr)
- $$->ipe_family = AF_INET6;
- else
- $$->ipe_family = AF_INET;
- bcopy((char *)&($1[0]),
- (char *)&($$->ipe_addr),
- sizeof($$->ipe_addr));
- bcopy((char *)&($1[1]),
- (char *)&($$->ipe_mask),
- sizeof($$->ipe_mask));
- set_ipv6_addr = 0;
- strncpy($$->ipe_group, $3, FR_GROUPLEN);
- free($3); }
-
+ addrmask ',' setgroup { $$ = calloc(1, sizeof(iphtent_t));
+ if ($$ == NULL)
+ yyerror("sorry, out of memory");
+ if (set_ipv6_addr)
+ $$->ipe_family = AF_INET6;
+ else
+ $$->ipe_family = AF_INET;
+ bcopy((char *)&($1[0]),
+ (char *)&($$->ipe_addr),
+ sizeof($$->ipe_addr));
+ bcopy((char *)&($1[1]),
+ (char *)&($$->ipe_mask),
+ sizeof($$->ipe_mask));
+ set_ipv6_addr = 0;
+ strncpy($$->ipe_group, $3,
+ FR_GROUPLEN);
+ free($3);
+ }
 ;
 range: addrmask { $$ = calloc(1, sizeof(*$$));
 if ($$ == NULL)
 yyerror("sorry, out of memory");
 $$->ipn_info = 0;
+ $$->ipn_addr.adf_len = sizeof($$->ipn_addr);
+ $$->ipn_mask.adf_len = sizeof($$->ipn_mask);
 if (set_ipv6_addr) {
 $$->ipn_addr.adf_family = AF_INET6;
 $$->ipn_addr.adf_addr = $1[0];
@@ -306,6 +304,8 @@ range: addrmask { $$ = calloc(1, sizeof(*$$));
 if ($$ == NULL)
 yyerror("sorry, out of memory");
 $$->ipn_info = 1;
+ $$->ipn_addr.adf_len = sizeof($$->ipn_addr);
+ $$->ipn_mask.adf_len = sizeof($$->ipn_mask);
 if (set_ipv6_addr) {
 $$->ipn_addr.adf_family = AF_INET6;
 $$->ipn_addr.adf_addr = $2[0];
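Review bot: In the re-indented groupentry action, `strncpy($$->ipe_group, $3, FR_GROUPLEN);` does not NUL-terminate when the group name is FR_GROUPLEN characters or longer; the calloc zero-fill only rescues it if ipe_group is larger than FR_GROUPLEN bytes, which the hunk does not show. `snprintf($$->ipe_group, sizeof($$->ipe_group), "%s", $3);` always terminates and lets the bound follow the field's declared size. The new `';' { $$ = NULL; }` alternative in setgrouplist also lets an empty list through as a NULL head, so whatever consumes ipfgroup's value in the `hashopts start setgrouplist end` case must tolerate NULL — that consumer is outside the hunk.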
@@ -319,12 +319,13 @@ range: addrmask { $$ = calloc(1, sizeof(*$$));
 }
 hashlist:
- hashentry next { $$ = $1; }
+ ';' { $$ = NULL; }
+ | hashentry next { $$ = $1; }
 | hashentry next hashlist { $1->ipe_next = $3; $$ = $1; }
 ;
 hashentry:
- addrmask { $$ = calloc(1, sizeof(iphtent_t));
+ addrmask { $$ = calloc(1, sizeof(iphtent_t));
 if ($$ == NULL)
 yyerror("sorry, out of memory");
 if (set_ipv6_addr)
@@ -337,34 +338,49 @@ hashentry:
 bcopy((char *)&($1[1]),
 (char *)&($$->ipe_mask),
 sizeof($$->ipe_mask));
- set_ipv6_addr = 0;
 }
 ;
 addrmask:
- ipaddr '/' mask { $$[0] = $1; $$[1] = $3; }
- | ipaddr { $$[0] = $1;
+ ipaddr '/' mask { $$[0] = $1; $$[1] = $3;
+ yyexpectaddr = 0;
+ }
+ | ipaddr { $$[0] = $1;
+ yyexpectaddr = 0;
 if (set_ipv6_addr)
 fill6bits(128, (u_32_t *)$$[1].in6.s6_addr);
 else
- $$[1].in4.s_addr = 0xffffffff; }
+ $$[1].in4.s_addr = 0xffffffff;
+ }
 ;
 ipaddr: ipv4 { $$ = $1; }
 | YY_NUMBER { $$.in4.s_addr = htonl($1); }
- | YY_IPV6 { set_ipv6_addr = 1;
+ | YY_IPV6 { set_ipv6_addr = 1;
 bcopy(&$1, &$$, sizeof($$));
 yyexpectaddr = 0;
 }
+ | YY_STR { if (gethost($1, &($$.in4.s_addr)) == -1)
+ yyerror("Unknown hostname");
+ }
 ;
 mask: YY_NUMBER { if (set_ipv6_addr)
- ntomask(6, $1, (u_32_t *)$$.in6.s6_addr);
+ ntomask(6, $1, (u_32_t *)$$.in6.s6_addr);
 else
- ntomask(4, $1, (u_32_t *)&$$.in4.s_addr);
- }
+ ntomask(4, $1, (u_32_t *)&$$.in4.s_addr); }
 | ipv4 { $$ = $1; }
 ;
+start: '{' { yyexpectaddr = 1; }
+ ;
+
+end: '}' { yyexpectaddr = 0; }
+ ;
+
+next: ',' { yyexpectaddr = 1; }
+ | ';' { yyexpectaddr = 1; }
+ ;
+
 size: IPT_SIZE '=' YY_NUMBER { ipht.iph_size = $3; }
 ;
@@ -380,12 +396,6 @@ ipv4: YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER '.' YY_NUMBER
 $$.in4.s_addr = htonl($$.in4.s_addr);
 }
 ;
-
-next: ';' { yyexpectaddr = 1; }
- | ',' { yyexpectaddr = 1; }
- ;
-
-
 %%
 static wordtab_t yywords[] = {
 { "auth", IPT_AUTH },
diff --git a/usr/src/cmd/ipf/tools/lexer.c b/usr/src/cmd/ipf/tools/lexer.c
index 72425e4589..39975a55ce 100644
--- a/usr/src/cmd/ipf/tools/lexer.c
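Review bot: The hashentry action loses its `set_ipv6_addr = 0;` and nothing in this hunk restores it: within the hunk the flag is only ever set to 1 (the YY_IPV6 alternative of ipaddr) and is not cleared by addrmask, start, end or next, so in a hash list an IPv4 entry following an IPv6 entry would be stored as AF_INET6 with a 128-bit mask — unless a reset exists in code outside the hunk. Restoring the line in hashentry, or clearing the flag in `end`/`next` alongside yyexpectaddr, closes that. Separately, the new YY_STR alternative of ipaddr never releases `$1`; if YY_STR yields a heap string, as the `free($2)` after a YY_STR in the NAT grammar earlier in this diff suggests, it should read `| YY_STR { if (gethost($1, &($$.in4.s_addr)) == -1) yyerror("Unknown hostname"); free($1); }`. gethost also fills only the IPv4 member, so a hostname entry takes whatever family set_ipv6_addr currently says.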
+++ b/usr/src/cmd/ipf/tools/lexer.c
@@ -3,7 +3,7 @@
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
@@ -30,7 +30,7 @@ union {
 FILE *yyin;
-#define ishex(c) (isdigit(c) || ((c) >= 'a' && (c) <= 'f') || \
+#define ishex(c) (ISDIGIT(c) || ((c) >= 'a' && (c) <= 'f') || \
 ((c) >= 'A' && (c) <= 'F'))
 #define TOOLONG -3
@@ -61,13 +61,14 @@ static int yyswallow __P((int));
 static char *yytexttostr __P((int, int));
 static void yystrtotext __P((char *));
-
 static int yygetc()
 {
 int c;
 if (yypos < yylast) {
 c = yytext[yypos++];
+ if (c == '\n')
+ yylineNum++;
 return c;
 }
@@ -79,9 +80,9 @@ static int yygetc()
 yypos++;
 } else {
 c = fgetc(yyin);
- if (c == '\n')
- yylineNum++;
 }
+ if (c == '\n')
+ yylineNum++;
 yytext[yypos++] = c;
 yylast = yypos;
 yytext[yypos] = '\0';
@@ -93,6 +94,8 @@ static int yygetc()
 static void yyunputc(c)
 int c;
 {
+ if (c == '\n')
+ yylineNum--;
 yytext[--yypos] = c;
 }
@@ -186,6 +189,8 @@ nextchar:
 }
 yylast -= yypos;
 yypos = 0;
+ lnext = 0;
+ nokey = 0;
 goto nextchar;
 case '\\' :
@@ -205,6 +210,9 @@ nextchar:
 if (lnext == 1) {
 lnext = 0;
+ if ((isbuilding == 0) && !ISALNUM(c)) {
+ return c;
+ }
 goto nextchar;
 }
@@ -232,13 +240,13 @@ nextchar:
 }
 (void) yygetc();
 } else {
- if (!isalpha(n)) {
+ if (!ISALPHA(n)) {
 yyunputc(n);
 break;
 }
 do {
 n = yygetc();
- } while (isalpha(n) || isdigit(n) || n == '_');
+ } while (ISALPHA(n) || ISDIGIT(n) || n == '_');
 yyunputc(n);
 }
@@ -290,7 +298,6 @@ nextchar:
 yybreakondot = 0;
 yyvarnext = 0;
 yytokentype = 0;
- yysavedepth = 0;
 return 0;
 }
@@ -447,10 +454,10 @@ nextchar:
 /*
 * No negative numbers with leading - sign..
 */
- if (isbuilding == 0 && isdigit(c)) {
+ if (isbuilding == 0 && ISDIGIT(c)) {
 do {
 n = yygetc();
- } while (isdigit(n));
+ } while (ISDIGIT(n));
 yyunputc(n);
 rval = YY_NUMBER;
 goto done;
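Review bot: The new `if (c == '\n') yylineNum--;` in yyunputc carries no comment tying it to its counterpart: after this change yygetc increments yylineNum for every newline it hands out, both one re-read from yytext after a push-back (the @@ -61 hunk) and one freshly read (the @@ -79 hunk), so the decrement here is what keeps the count from drifting when a newline is pushed back and read again. A comment above it, `/* yygetc() counts every '\n' it returns, including re-reads; undo that on push-back */`, would make the invariant explicit. The `yypos++` branch just before the `else` in yygetc lies outside the hunk, so it could not be confirmed here that c always holds a freshly read character at the moved check.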
@@ -488,12 +495,13 @@ done: yytokentype = rval; if (yydebug) - printf("lexed(%s) => %d\n", yystr, rval); + printf("lexed(%s) [%d,%d,%d] => %d\n", yystr, string_start, + string_end, pos, rval); switch (rval) { case YY_NUMBER : - yylval.num = atoi(yystr); + sscanf(yystr, "%u", &yylval.num); break; case YY_HEX : |
