Module Name: src
Committed By: christos
Date: Sat Mar 24 02:19:01 UTC 2012
Modified Files:
src/external/bsd/ipf/dist: ip_fil.c ip_scan.c radix_ipf.c
src/external/bsd/ipf/dist/ipsend: ip.c iptest.1
src/external/bsd/ipf/dist/lib: load_http.c printactivenat.c
src/external/bsd/ipf/dist/man: ipf.4 ipf.5 ipfstat.8 ipl.4 ipnat.5
ippool.5 mkfilters.1
src/external/bsd/ipf/dist/tools: ipfcomp.c ipfstat.c ipftest.c ipmon.c
ippool.c
Log Message:
bring back all our fixes.
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/external/bsd/ipf/dist/ip_fil.c
cvs rdiff -u -r1.1.1.1 -r1.2 src/external/bsd/ipf/dist/ip_scan.c \
src/external/bsd/ipf/dist/radix_ipf.c
cvs rdiff -u -r1.1.1.1 -r1.2 src/external/bsd/ipf/dist/ipsend/ip.c \
src/external/bsd/ipf/dist/ipsend/iptest.1
cvs rdiff -u -r1.1.1.1 -r1.2 src/external/bsd/ipf/dist/lib/load_http.c \
src/external/bsd/ipf/dist/lib/printactivenat.c
cvs rdiff -u -r1.1.1.1 -r1.2 src/external/bsd/ipf/dist/man/ipf.4 \
src/external/bsd/ipf/dist/man/ipf.5 \
src/external/bsd/ipf/dist/man/ipfstat.8 \
src/external/bsd/ipf/dist/man/ipl.4 src/external/bsd/ipf/dist/man/ipnat.5 \
src/external/bsd/ipf/dist/man/ippool.5 \
src/external/bsd/ipf/dist/man/mkfilters.1
cvs rdiff -u -r1.1.1.1 -r1.2 src/external/bsd/ipf/dist/tools/ipfcomp.c \
src/external/bsd/ipf/dist/tools/ipfstat.c \
src/external/bsd/ipf/dist/tools/ipftest.c \
src/external/bsd/ipf/dist/tools/ipmon.c \
src/external/bsd/ipf/dist/tools/ippool.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/external/bsd/ipf/dist/ip_fil.c
diff -u src/external/bsd/ipf/dist/ip_fil.c:1.2 src/external/bsd/ipf/dist/ip_fil.c:1.3
--- src/external/bsd/ipf/dist/ip_fil.c:1.2 Fri Mar 23 17:28:57 2012
+++ src/external/bsd/ipf/dist/ip_fil.c Fri Mar 23 22:19:00 2012
@@ -1,15 +1,15 @@
-/* $NetBSD: ip_fil.c,v 1.2 2012/03/23 21:28:57 christos Exp $ */
+/* $NetBSD: ip_fil.c,v 1.3 2012/03/24 02:19:00 christos Exp $ */
/*
* Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * Id
+ * Id: ip_fil.c,v 2.168.2.8 2012/01/26 05:29:10 darrenr Exp
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id";
+static const char rcsid[] = "@(#)Id: ip_fil.c,v 2.168.2.8 2012/01/26 05:29:10 darrenr Exp";
#endif
#include "ipf.h"
@@ -37,10 +37,17 @@ static int no_output __P((struct ifnet
static int write_output __P((struct ifnet *, struct mbuf *,
struct sockaddr *, struct rtentry *, char *));
# else
+#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 499001100)
+static int no_output(struct ifnet *, struct mbuf *,
+ const struct sockaddr *, struct rtentry *);
+static int write_output(struct ifnet *, struct mbuf *,
+ const struct sockaddr *, struct rtentry *);
+#else
static int no_output __P((struct ifnet *, struct mbuf *,
struct sockaddr *, struct rtentry *));
static int write_output __P((struct ifnet *, struct mbuf *,
struct sockaddr *, struct rtentry *));
+#endif
# endif
#endif
@@ -133,7 +140,7 @@ no_output(ifp, m, s, rt)
#endif
struct ifnet *ifp;
struct mbuf *m;
- struct sockaddr *s;
+ const struct sockaddr *s;
{
return 0;
}
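Review bot: The definition of no_output now declares `const struct sockaddr *s` unconditionally, while the matching prototype added at L61-L65 is only selected when `__NetBSD_Version__ >= 499001100`; a build that takes the `#else` prototype (`struct sockaddr *`) would see conflicting declarations for the same function. The same mismatch applies to write_output in the following hunk (L83-L91). This is a problem only if the definitions are not under an equivalent guard outside the hunk — the `#endif` at the top of each hunk suggests one may exist, so please confirm; if not, either mirror the guard around the parameter declaration or keep `const` on both sides of the `#if`. Both function bodies continue outside the hunks.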
@@ -153,7 +160,7 @@ write_output(ifp, m, s, rt)
#endif
struct ifnet *ifp;
struct mbuf *m;
- struct sockaddr *s;
+ const struct sockaddr *s;
{
char fname[32];
mb_t *mb;
@@ -203,7 +210,7 @@ ipf_setifpaddr(ifp, addr)
#endif
return;
- ifa = (struct ifaddr *)malloc(sizeof(*ifa));
+ ifa = (struct ifaddr *)calloc(1, sizeof(*ifa));
#if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__)
ifp->if_addrlist.tqh_first = ifa;
#else
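Review bot: The `calloc` result on the changed line is assigned straight into `ifp->if_addrlist.tqh_first` with no NULL check, whereas the two allocations in get_unit below (L104, L113) test for failure and return NULL. Unless ipf_setifpaddr is documented as unable to fail, an `if (ifa == NULL) return;` before the list assignment would keep the error handling consistent across the file and avoid a NULL head being dereferenced later. ipf_setifpaddr's body starts and ends outside the hunk, so the surrounding cleanup is not visible here.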
@@ -289,7 +296,7 @@ get_unit(name, family)
#endif
if (!ifneta) {
- ifneta = (struct ifnet **)malloc(sizeof(ifp) * 2);
+ ifneta = (struct ifnet **)calloc(1, sizeof(ifp) * 2);
if (!ifneta)
return NULL;
ifneta[1] = NULL;
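Review bot: `calloc(1, sizeof(ifp) * 2)` expresses a two-element array as one element of doubled size; `calloc(2, sizeof(ifp))` says what is meant and lets calloc's own count/size overflow check do its job. The `(struct ifnet **)` cast on the return value is unnecessary in C and can hide a missing `<stdlib.h>` prototype, so `ifneta = calloc(2, sizeof(ifp));` is the simpler form. The allocation at L113 in the next hunk is already a single object and needs no change.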
@@ -310,7 +317,7 @@ get_unit(name, family)
return NULL;
}
ifneta[nifs] = NULL;
- ifneta[nifs - 1] = (struct ifnet *)malloc(sizeof(*ifp));
+ ifneta[nifs - 1] = (struct ifnet *)calloc(1, sizeof(*ifp));
if (!ifneta[nifs - 1]) {
nifs--;
return NULL;
@@ -514,7 +521,7 @@ void
m_copydata(m, off, len, cp)
mb_t *m;
int off, len;
- void *cp;
+ void * cp;
{
bcopy((char *)m + off, cp, len);
}
@@ -608,7 +615,7 @@ ipf_newisn(fin)
/* */
/* Returns the next IPv4 ID to use for this packet. */
/* ------------------------------------------------------------------------ */
-INLINE u_short
+EXTERN_INLINE u_short
ipf_nextipid(fin)
fr_info_t *fin;
{
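Review bot: The change from INLINE to EXTERN_INLINE on ipf_nextipid (and on ipf_checkv4sum and ipf_checkv6sum in the next two hunks) alters the linkage of these definitions, but neither macro's expansion is visible in this diff. If EXTERN_INLINE resolves to `extern inline`, be aware that its meaning is inverted between GNU C89 and C99/C11 — in gnu89 mode it never emits an external symbol, in C99 mode it is the one external definition — so the build flags decide whether callers in other translation units link. A one-line comment at the first changed definition stating which translation unit is meant to provide the out-of-line copy would save the next reader from re-deriving this from the header.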
@@ -631,7 +638,7 @@ ipf_nextipid(fin)
}
-INLINE int
+EXTERN_INLINE int
ipf_checkv4sum(fin)
fr_info_t *fin;
{
@@ -648,7 +655,7 @@ ipf_checkv4sum(fin)
#ifdef USE_INET6
-INLINE int
+EXTERN_INLINE int
ipf_checkv6sum(fin)
fr_info_t *fin;
{
Index: src/external/bsd/ipf/dist/ip_scan.c
diff -u src/external/bsd/ipf/dist/ip_scan.c:1.1.1.1 src/external/bsd/ipf/dist/ip_scan.c:1.2
--- src/external/bsd/ipf/dist/ip_scan.c:1.1.1.1 Fri Mar 23 17:19:58 2012
+++ src/external/bsd/ipf/dist/ip_scan.c Fri Mar 23 22:19:00 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_scan.c,v 1.1.1.1 2012/03/23 21:19:58 christos Exp $ */
+/* $NetBSD: ip_scan.c,v 1.2 2012/03/24 02:19:00 christos Exp $ */
/*
* Copyright (C) 2009 by Darren Reed.
@@ -60,7 +60,7 @@ struct file;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id";
+static const char rcsid[] = "@(#)Id: ip_scan.c,v 2.53.2.2 2012/01/29 03:08:31 darrenr Exp";
#endif
#ifdef IPFILTER_SCAN /* endif at bottom of file */
@@ -598,7 +598,7 @@ ipf_scan_ioctl(data, cmd, mode, uid, ctx
void *ctx;
{
ipscanstat_t ipscs;
- int err = 0;
+ int err;
switch (cmd)
{
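Review bot: Removing the initializer from `err` means every case of the switch that follows, including `default`, must assign it before the function returns, otherwise an indeterminate value is returned to the ioctl caller. If the switch is exhaustive and the `= 0` was only masking a dead store, the change is fine, but the cheaper safeguard is to keep `default:` assigning an explicit code such as `err = EINVAL;` rather than relying on every path being covered. The body of ipf_scan_ioctl continues outside the hunk.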
Index: src/external/bsd/ipf/dist/radix_ipf.c
diff -u src/external/bsd/ipf/dist/radix_ipf.c:1.1.1.1 src/external/bsd/ipf/dist/radix_ipf.c:1.2
--- src/external/bsd/ipf/dist/radix_ipf.c:1.1.1.1 Fri Mar 23 17:20:01 2012
+++ src/external/bsd/ipf/dist/radix_ipf.c Fri Mar 23 22:19:00 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: radix_ipf.c,v 1.1.1.1 2012/03/23 21:20:01 christos Exp $ */
+/* $NetBSD: radix_ipf.c,v 1.2 2012/03/24 02:19:00 christos Exp $ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -27,7 +27,7 @@
#include "netinet/radix_ipf.h"
#define ADF_OFF offsetof(addrfamily_t, adf_addr)
-#define ADF_OFF_BITS (ADF_OFF << 3)
+#define ADF_OFF_BITS ((ADF_OFF << 3) & 0xffff)
static ipf_rdx_node_t *ipf_rx_insert __P((ipf_rdx_head_t *,
ipf_rdx_node_t nodes[2], int *));
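Review bot: The new `& 0xffff` on ADF_OFF_BITS is not explained; `ADF_OFF << 3` is a small compile-time constant, so the mask does not change the value and reads as a no-op to anyone not aware of the warning it presumably silences. If the intent is to let the compiler see that the value fits a 16-bit field it is compared with or stored into, say so next to the macro, e.g. `/* masked so the compiler can prove the value fits the 16-bit bit-count fields */`. If that is not the reason, the mask should be dropped rather than left unexplained.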
Index: src/external/bsd/ipf/dist/ipsend/ip.c
diff -u src/external/bsd/ipf/dist/ipsend/ip.c:1.1.1.1 src/external/bsd/ipf/dist/ipsend/ip.c:1.2
--- src/external/bsd/ipf/dist/ipsend/ip.c:1.1.1.1 Fri Mar 23 17:20:06 2012
+++ src/external/bsd/ipf/dist/ipsend/ip.c Fri Mar 23 22:19:00 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: ip.c,v 1.1.1.1 2012/03/23 21:20:06 christos Exp $ */
+/* $NetBSD: ip.c,v 1.2 2012/03/24 02:19:00 christos Exp $ */
/*
* ip.c (C) 1995-1998 Darren Reed
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
-static const char rcsid[] = "@(#)Id";
+static const char rcsid[] = "@(#)Id: ip.c,v 2.12 2008/08/10 05:51:14 darrenr Exp";
#endif
#include <sys/param.h>
#include <sys/types.h>
@@ -262,7 +262,7 @@ int send_tcp(nfd, mtu, ip, gwip)
hlen = IP_HL(ip) << 2;
t = (tcphdr_t *)((char *)ip + hlen);
ip2 = (struct ip *)lbuf;
- t2 = (tcphdr_t *)((char *)ip2 + hlen);
+ t2 = (tcphdr_t *)((char *)ip2 + sizeof(ip_t));
thlen = TCP_OFF(t) << 2;
if (!thlen)
thlen = sizeof(tcphdr_t);
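Review bot: After the change `t` is located with `hlen` from the incoming IP header while `t2` inside `lbuf` is located with `sizeof(ip_t)`; that asymmetry is only correct if the header copied into lbuf never carries IP options, which this hunk does not show. A comment on the changed line would make the assumption explicit, e.g. `/* the header rebuilt in lbuf has no options; TCP header follows a fixed ip_t */` (confirm against the code that fills lbuf). Separately, `hlen = IP_HL(ip) << 2` on the first context line is used to derive `t` without being checked against `sizeof(ip_t)`, so a malformed header length puts `t` inside the IP header; `if (hlen < sizeof(ip_t)) return -1;` before the cast would close that. send_tcp's body continues outside the hunk.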
Index: src/external/bsd/ipf/dist/ipsend/iptest.1
diff -u src/external/bsd/ipf/dist/ipsend/iptest.1:1.1.1.1 src/external/bsd/ipf/dist/ipsend/iptest.1:1.2
--- src/external/bsd/ipf/dist/ipsend/iptest.1:1.1.1.1 Fri Mar 23 17:20:07 2012
+++ src/external/bsd/ipf/dist/ipsend/iptest.1 Fri Mar 23 22:19:00 2012
@@ -1,8 +1,8 @@
-.\" $NetBSD: iptest.1,v 1.1.1.1 2012/03/23 21:20:07 christos Exp $
+.\" $NetBSD: iptest.1,v 1.2 2012/03/24 02:19:00 christos Exp $
.\"
.TH IPTEST 1
.SH NAME
-iptest \- automatically generate a packets to test IP functionality
+iptest \- automatically generate packets to test IP functionality
.SH SYNOPSIS
.B iptest
[
@@ -93,7 +93,7 @@ MTU's without setting them so.
Run a...
.DT
.SH SEE ALSO
-ipsend(1), ipresend(1), bpf(4), ipsend(5), dlpi(7p)
+ipresend(1), ipsend(1), bpf(4), ipsend(5)
.SH DIAGNOSTICS
Only one of the numeric test options may be given when \fIiptest\fP is run.
.PP
Index: src/external/bsd/ipf/dist/lib/load_http.c
diff -u src/external/bsd/ipf/dist/lib/load_http.c:1.1.1.1 src/external/bsd/ipf/dist/lib/load_http.c:1.2
--- src/external/bsd/ipf/dist/lib/load_http.c:1.1.1.1 Fri Mar 23 17:20:09 2012
+++ src/external/bsd/ipf/dist/lib/load_http.c Fri Mar 23 22:19:00 2012
@@ -1,11 +1,11 @@
-/* $NetBSD: load_http.c,v 1.1.1.1 2012/03/23 21:20:09 christos Exp $ */
+/* $NetBSD: load_http.c,v 1.2 2012/03/24 02:19:00 christos Exp $ */
/*
* Copyright (C) 2010 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * Id: load_http.c,v 1.5.2.3 2012/01/26 05:44:26 darren_r Exp
+ * Id: load_http.c,v 1.5.2.3 2012/01/26 05:29:16 darrenr Exp
*/
#include "ipf.h"
@@ -33,6 +33,7 @@ load_http(char *url)
int fd, len, left, port, endhdr, removed, linenum = 0;
char *s, *t, *u, buffer[LOAD_BUFSIZE], *myurl;
alist_t *a, *rtop, *rbot;
+ int rem;
/*
* More than this would just be absurd.
@@ -47,18 +48,21 @@ load_http(char *url)
rtop = NULL;
rbot = NULL;
- sprintf(buffer, "GET %s HTTP/1.0\r\n", url);
-
myurl = strdup(url);
if (myurl == NULL)
goto done;
+ rem = sizeof(buffer);
+ left = snprintf(buffer, rem, "GET %s HTTP/1.0\r\n", url);
+ if (left < 0 || left > rem)
+ goto done;
+ rem -= left;
+
s = myurl + 7; /* http:// */
t = strchr(s, '/');
if (t == NULL) {
fprintf(stderr, "load_http has a malformed URL '%s'\n", url);
- free(myurl);
- return NULL;
+ goto done;
}
*t++ = '\0';
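Review bot: The truncation test `left > rem` after `snprintf` is off by one: snprintf returns the length it wanted to write, and a return equal to `rem` means the last character was dropped to fit the terminator, so `if (left < 0 || left >= rem)` is the correct guard. The same test is repeated for the `Host:` header at L290-L293, where the consequence of the missed case is a request sent without its terminating blank line. Note also that the new `goto done` paths at L274, L283 and L292 run before `fd` is assigned; since the hunk at L296-L307 drops the explicit `close(fd)` in favour of the `done:` label, `done:` must either check `fd` or `fd` must be initialised to -1 at its declaration (L257 does not), which I cannot confirm from the visible lines. load_http's body continues outside the hunk.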
@@ -75,7 +79,10 @@ load_http(char *url)
if (u != NULL)
s = u + 1; /* AUTH */
- sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s);
+ left = snprintf(buffer + left, rem, "Host: %s\r\n\r\n", s);
+ if (left < 0 || left > rem)
+ goto done;
+ rem -= left;
u = strchr(s, ':');
if (u != NULL) {
@@ -92,12 +99,9 @@ load_http(char *url)
if (fd == -1)
goto done;
-
len = strlen(buffer);
- if (write(fd, buffer, len) != len) {
- close(fd);
+ if (write(fd, buffer, len) != len)
goto done;
- }
s = buffer;
endhdr = 0;
@@ -149,6 +153,20 @@ load_http(char *url)
linenum++;
*t = '\0';
+ for (u = buffer; isdigit((unsigned char)*u) ||
+ (*u == '.'); u++)
+ continue;
+ if (*u == '/') {
+ char *slash;
+
+ slash = u;
+ u++;
+ while (isdigit((unsigned char)*u))
+ u++;
+ if (!isspace((unsigned char)*u) && *u)
+ u = slash;
+ }
+
/*
* Remove comment and continue to the next line if
* the comment is at the start of the line.
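Review bot: The added block at L311-L323 only advances and resets `u` without writing to `buffer`, and the very next statement after this hunk (`u = strchr(buffer, '#');`, L329) overwrites `u`, so the whole addition has no observable effect. It looks like an address/prefix validator whose result was meant to feed a later check — either the intended use of `u` (for example terminating the line at `u` or skipping the line when the prefix is malformed) is missing, or the block should be removed. Please confirm the intent; as committed it is dead code that a compiler will silently discard.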
@@ -156,7 +174,7 @@ load_http(char *url)
u = strchr(buffer, '#');
if (u != NULL) {
*u = '\0';
- if (u == buffer);
+ if (u == buffer)
continue;
}
Index: src/external/bsd/ipf/dist/lib/printactivenat.c
diff -u src/external/bsd/ipf/dist/lib/printactivenat.c:1.1.1.1 src/external/bsd/ipf/dist/lib/printactivenat.c:1.2
--- src/external/bsd/ipf/dist/lib/printactivenat.c:1.1.1.1 Fri Mar 23 17:20:09 2012
+++ src/external/bsd/ipf/dist/lib/printactivenat.c Fri Mar 23 22:19:00 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: printactivenat.c,v 1.1.1.1 2012/03/23 21:20:09 christos Exp $ */
+/* $NetBSD: printactivenat.c,v 1.2 2012/03/24 02:19:00 christos Exp $ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -12,7 +12,7 @@
#if !defined(lint)
-static const char rcsid[] = "@(#)Id";
+static const char rcsid[] = "@(#)Id: printactivenat.c,v 1.20.2.4 2012/01/26 05:29:16 darrenr Exp";
#endif
@@ -113,7 +113,7 @@ printactivenat(nat, opts, ticks)
PRINTF("\tifp %s", getifname(nat->nat_ifps[0]));
PRINTF(",%s ", getifname(nat->nat_ifps[1]));
#ifdef USE_QUAD_T
- PRINTF("bytes %"PRIu64"/%"PRIu64" pkts %"PRIu64"/%"PRIu64"",
+ PRINTF("bytes %llu/%llu pkts %llu/%llu",
(unsigned long long)nat->nat_bytes[0],
(unsigned long long)nat->nat_bytes[1],
(unsigned long long)nat->nat_pkts[0],
Index: src/external/bsd/ipf/dist/man/ipf.4
diff -u src/external/bsd/ipf/dist/man/ipf.4:1.1.1.1 src/external/bsd/ipf/dist/man/ipf.4:1.2
--- src/external/bsd/ipf/dist/man/ipf.4:1.1.1.1 Fri Mar 23 17:20:10 2012
+++ src/external/bsd/ipf/dist/man/ipf.4 Fri Mar 23 22:19:00 2012
@@ -1,4 +1,4 @@
-.\" $NetBSD: ipf.4,v 1.1.1.1 2012/03/23 21:20:10 christos Exp $
+.\" $NetBSD: ipf.4,v 1.2 2012/03/24 02:19:00 christos Exp $
.\"
.TH IPF 4
.SH NAME
@@ -255,3 +255,14 @@ value returned is that of the list which
/dev/ipstate
.SH SEE ALSO
ipl(4), ipnat(4), ipf(5), ipf(8), ipfstat(8)
+.SH BUGS
+When a packet encapsulated by ipsec(4) tunnel comes in, ipf(4) looks at
+wire-format packet on inbound and outbound.
+ipf(4) will not look at decapsulated packets on inbound,
+nor packets prior to encapsulation on outbound.
+.PP
+When tunneled packets arrive at the node and are handled by a
+tunneling pseudo interface like gif(4),
+the packets may go through ipf(4) twice, before and after decapsulation.
+In some cases it may be necessary to check, in the ipf(4) rules,
+if the inbound interface is a tunneling pseudo interface or not.
Index: src/external/bsd/ipf/dist/man/ipf.5
diff -u src/external/bsd/ipf/dist/man/ipf.5:1.1.1.1 src/external/bsd/ipf/dist/man/ipf.5:1.2
--- src/external/bsd/ipf/dist/man/ipf.5:1.1.1.1 Fri Mar 23 17:20:11 2012
+++ src/external/bsd/ipf/dist/man/ipf.5 Fri Mar 23 22:19:00 2012
@@ -1,4 +1,4 @@
-.\" $NetBSD: ipf.5,v 1.1.1.1 2012/03/23 21:20:11 christos Exp $
+.\" $NetBSD: ipf.5,v 1.2 2012/03/24 02:19:00 christos Exp $
.\"
.TH IPF 5
.SH NAME
@@ -245,7 +245,7 @@ in the same way as it does the TCP RST p
it is necessary to place return-icmp after the block keyword like this:
.PP
.nf
-block return-icmp in proto udp from any to 192.168.0.1/24
+block return-icmp in proto udp from any to 192.168.0.1/24
.fi
.PP
When electing to return an ICMP error packet, it is also possible to
@@ -303,7 +303,7 @@ An example that shows how to send back a
UDP packets to 192.168.1.0/24 is as follows:
.PP
.nf
-block return-icmp(port-unr) in proto udp from any to 192.168.1.0/24
+block return-icmp(port-unr) in proto udp from any to 192.168.1.0/24
.fi
.PP
In the above examples, when sending the ICMP packet, IPFilter will construct
@@ -316,7 +316,7 @@ this:
.PP
.nf
block return-icmp-as-dest(port-unr) in proto udp \\
- from any to 192.168.1.0/24
+ from any to 192.168.1.0/24
.fi
.SS TCP/UDP Port Matching
.PP
@@ -328,9 +328,9 @@ the following logical operations:
.IP "< x"
is true if the port number is greater than or equal to x and less than or
equal to y
-is true if the port number in the packet is less than x
+is true if the port number in the packet is less than x
.IP "<= x"
-is true if the port number in the packet is less than or equal to x
+is true if the port number in the packet is less than or equal to x
.IP "> x"
is true if the port number in the packet is greater than x
.IP ">= x"
@@ -705,7 +705,7 @@ limit the number of state table entries
the number given after limit. A rule that has a limit specified is
always permitted that many state table entries, even if creating an
additional entry would cause the table to have more entries than the
-otherwise global limit.
+otherwise global limit.
.IP
.nf
pass ... keep state(limit 100)
@@ -852,7 +852,7 @@ connection might look something like thi
pass in on bge0,bge1 out-via bge1,bge0 proto tcp \\
from any to any port = 22 flags S keep state
.fi
-.SS Working with packet fragments
+.SS Working with packet fragments
.PP
Fragmented packets result in 1 packet containing all of the layer 3 and 4
header information whilst the data is split across a number of other packets.
@@ -1632,7 +1632,7 @@ from ipf.conf
block in all
call now srcgrpmap/1010 in all
pass in proto tcp from any to any port = 80 group 1020
-pass in proto icmp all icmp-type echo group 1030
+pass in proto icmp all icmp-type echo group 1030
from ippool.conf
----------------
Index: src/external/bsd/ipf/dist/man/ipfstat.8
diff -u src/external/bsd/ipf/dist/man/ipfstat.8:1.1.1.1 src/external/bsd/ipf/dist/man/ipfstat.8:1.2
--- src/external/bsd/ipf/dist/man/ipfstat.8:1.1.1.1 Fri Mar 23 17:20:11 2012
+++ src/external/bsd/ipf/dist/man/ipfstat.8 Fri Mar 23 22:19:00 2012
@@ -1,4 +1,4 @@
-.\" $NetBSD: ipfstat.8,v 1.1.1.1 2012/03/23 21:20:11 christos Exp $
+.\" $NetBSD: ipfstat.8,v 1.2 2012/03/24 02:19:00 christos Exp $
.\"
.TH ipfstat 8
.SH NAME
@@ -29,7 +29,7 @@ ipfstat \- reports on packet filter stat
\fBipfstat\fP examines /dev/kmem using the symbols \fB_fr_flags\fP,
\fB_frstats\fP, \fB_filterin\fP, and \fB_filterout\fP.
To run and work, it needs to be able to read both /dev/kmem and the
-kernel itself. The kernel name defaults to \fB/vmunix\fP.
+kernel itself. The kernel name defaults to \fB/netbsd\fP.
.PP
The default behaviour of \fBipfstat\fP
is to retrieve and display the accumulated statistics which have been
@@ -188,7 +188,7 @@ more entries is to resize the screen.
.br
/dev/ipstate
.br
-/vmunix
+/netbsd
.SH SEE ALSO
ipf(8)
.SH BUGS
Index: src/external/bsd/ipf/dist/man/ipl.4
diff -u src/external/bsd/ipf/dist/man/ipl.4:1.1.1.1 src/external/bsd/ipf/dist/man/ipl.4:1.2
--- src/external/bsd/ipf/dist/man/ipl.4:1.1.1.1 Fri Mar 23 17:20:11 2012
+++ src/external/bsd/ipf/dist/man/ipl.4 Fri Mar 23 22:19:00 2012
@@ -1,4 +1,4 @@
-.\" $NetBSD: ipl.4,v 1.1.1.1 2012/03/23 21:20:11 christos Exp $
+.\" $NetBSD: ipl.4,v 1.2 2012/03/24 02:19:00 christos Exp $
.\"
.TH IPL 4
.SH NAME
@@ -78,4 +78,4 @@ ipf(4)
.SH BUGS
Packet headers are dropped when the internal buffer (static size) fills.
.SH FILES
-/dev/ipl0
+/dev/ipl
Index: src/external/bsd/ipf/dist/man/ipnat.5
diff -u src/external/bsd/ipf/dist/man/ipnat.5:1.1.1.1 src/external/bsd/ipf/dist/man/ipnat.5:1.2
--- src/external/bsd/ipf/dist/man/ipnat.5:1.1.1.1 Fri Mar 23 17:20:12 2012
+++ src/external/bsd/ipf/dist/man/ipnat.5 Fri Mar 23 22:19:00 2012
@@ -1,4 +1,4 @@
-.\" $NetBSD: ipnat.5,v 1.1.1.1 2012/03/23 21:20:12 christos Exp $
+.\" $NetBSD: ipnat.5,v 1.2 2012/03/24 02:19:00 christos Exp $
.\"
.TH IPNAT 5
.SH NAME
@@ -736,5 +736,7 @@ R-command - Mature
/etc/services
.br
/etc/hosts
+.br
+/usr/share/examples/ipf Directory with examples.
.SH SEE ALSO
ipnat(4), hosts(5), ipf(5), services(5), ipf(8), ipnat(8)
Index: src/external/bsd/ipf/dist/man/ippool.5
diff -u src/external/bsd/ipf/dist/man/ippool.5:1.1.1.1 src/external/bsd/ipf/dist/man/ippool.5:1.2
--- src/external/bsd/ipf/dist/man/ippool.5:1.1.1.1 Fri Mar 23 17:20:12 2012
+++ src/external/bsd/ipf/dist/man/ippool.5 Fri Mar 23 22:19:00 2012
@@ -1,4 +1,4 @@
-.\" $NetBSD: ippool.5,v 1.1.1.1 2012/03/23 21:20:12 christos Exp $
+.\" $NetBSD: ippool.5,v 1.2 2012/03/24 02:19:00 christos Exp $
.\"
.TH IPPOOL 5
.SH NAME
@@ -50,10 +50,60 @@ table role = ipf type = tree number = 10
{ 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; ef00::5/128; };
.fi
.PP
-This is rather long winded. The evolution of the configuration syntax
-has also replaced the use of numbers with names, although numbers can
-still be used as can be seen here:
-.PP
+The IP pool configuration file is used for defining a single object that
+contains a reference to multiple IP address/netmask pairs. A pool may consist
+of a mixture of netmask sizes, from 0 to 32.
+.PP
+At this point in time, only IPv4 addressing is supported.
+.SH OVERVIEW
+.PP
+The IP pool configuration file provides for defining two different mechanisms
+for improving speed in matching IP addresses with rules.
+The first,
+.B table
+, defines a lookup
+.I table
+to provide a single reference in a
+filter rule to multiple targets and the second,
+.B group-map
+, provides a mechanism to target multiple groups from a single filter line.
+.PP
+The
+.B group-map
+command can only be used with filter rules that use the
+.B call
+command to invoke either
+.B fr_srcgrpmap
+or
+.B fr_dstgrpmap
+, to use the source or destination address,
+respectively, for determining which filter group to jump to next for
+continuation of filter packet processing.
+.SH POOL TYPES
+.PP
+Two storage formats are provided: hash tables and tree structure. The hash
+table is intended for use with objects all containing the same netmask or a
+few different sized netmasks of non-overlapping address space and the tree
+is designed for being able to support exceptions to a covering mask, in
+addition to normal searching as you would do with a table. It is not possible
+to use the tree data storage type with
+.B group-map
+configuration entries.
+.SH POOL ROLES
+.PP
+When a pool is defined in the configuration file, it must have an associated
+role. At present the only supported role is
+.B ipf.
+Future development will see futher expansion of their use by other sections
+of IPFilter code.
+.SH EXAMPLES
+The following examples show how the pool configuration file is used with
+the ipf configuration file to enhance the ability for the ipf configuration
+file to be succinct in meaning.
+.TP
+1
+The first example shows how a filter rule makes reference to a specific
+pool for matching of the source address.
.nf
pool ipf/tree (name "100";)
{ 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; ef00::5/128; };
@@ -84,7 +134,7 @@ found in ipnat.conf(5).
auth
.IP
pools defined for role "auth" are available only for use with "auth" rules
-that are found in ipf.conf(5)
+that are found in ipf.conf(5)
.HP
all
.IP
@@ -117,8 +167,28 @@ the pool contains "2.2.0.0/16" and "!2.2
that match 2.2.0.0/16, except those that match 2.2.2.0/24, will be considered
as a match for this pool.
.PP
+.nf
table role = ipf type = tree number = 100
{ 1.1.1.1/32; 2.2.0.0/16; !2.2.2.0/24; ef00::5/128; };
+.fi
+.PP
+The prior example is the older file format. The declaration that
+defines the pool itself has been updated and can now be expressed
+as below:
+.PP
+.nf
+pool ipf/tree (name "100";)
+ { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; ef00::5/128; };
+.fi
+.PP
+If the role and table type are left out, such as in the exmaple below,
+the default is to make the table available to all aspects of IPFilter
+and for the storage type to be "tree".
+.PP
+.nf
+pool (name "100";)
+ { 1.1.1.1/32; !2.2.0.0/16; 2.2.2.0/24; ef00::5/128; };
+.fi
.PP
For the sake of clarity and to aid in managing large numbers of addresses
inside address pools, it is possible to specify a location to load the
@@ -227,7 +297,7 @@ the last one used will be the next addre
.RE
.PP
The first example here shows 4 destinations that are used with a
-round-robin selection policy.
+round-robin selection policy.
.PP
.nf
pool nat/dstlist (name servers; policy round-robin;)
Index: src/external/bsd/ipf/dist/man/mkfilters.1
diff -u src/external/bsd/ipf/dist/man/mkfilters.1:1.1.1.1 src/external/bsd/ipf/dist/man/mkfilters.1:1.2
--- src/external/bsd/ipf/dist/man/mkfilters.1:1.1.1.1 Fri Mar 23 17:20:12 2012
+++ src/external/bsd/ipf/dist/man/mkfilters.1 Fri Mar 23 22:19:00 2012
@@ -1,4 +1,4 @@
-.\" $NetBSD: mkfilters.1,v 1.1.1.1 2012/03/23 21:20:12 christos Exp $
+.\" $NetBSD: mkfilters.1,v 1.2 2012/03/24 02:19:00 christos Exp $
.\"
.TH MKFILTERS 1
.SH NAME
@@ -10,5 +10,7 @@ mkfilters \- generate a minimal firewall
\fBmkfilters\fP is a perl script that generates a minimal filter rule set for
use with \fBipfilter\fP by parsing the output of \fBifconfig\fP.
.DT
+.SH FILES
+/usr/share/examples/ipf/mkfilters
.SH SEE ALSO
-ipf(8), ipf(5), ipfilter(5), ifconfig(8)
+ipf(8), ipf(5), ipfilter(4), ifconfig(8)
Index: src/external/bsd/ipf/dist/tools/ipfcomp.c
diff -u src/external/bsd/ipf/dist/tools/ipfcomp.c:1.1.1.1 src/external/bsd/ipf/dist/tools/ipfcomp.c:1.2
--- src/external/bsd/ipf/dist/tools/ipfcomp.c:1.1.1.1 Fri Mar 23 17:20:22 2012
+++ src/external/bsd/ipf/dist/tools/ipfcomp.c Fri Mar 23 22:19:01 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: ipfcomp.c,v 1.1.1.1 2012/03/23 21:20:22 christos Exp $ */
+/* $NetBSD: ipfcomp.c,v 1.2 2012/03/24 02:19:01 christos Exp $ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id";
+static const char rcsid[] = "@(#)Id: ipfcomp.c,v 1.38.2.3 2012/01/26 06:06:07 darrenr Exp";
#endif
#include "ipf.h"
@@ -389,7 +389,7 @@ extern frentry_t *ipfrule_match_out_%s _
extern frentry_t *ipf_rules_out_%s[%d];\n",
grp->fg_name, grp->fg_name, outcount);
- for (g = groups; g != g; g = g->fg_next)
+ for (g = groups; g != grp; g = g->fg_next)
if ((strncmp(g->fg_name, grp->fg_name,
FR_GROUPLEN) == 0) &&
g->fg_flags == grp->fg_flags)
Index: src/external/bsd/ipf/dist/tools/ipfstat.c
diff -u src/external/bsd/ipf/dist/tools/ipfstat.c:1.1.1.1 src/external/bsd/ipf/dist/tools/ipfstat.c:1.2
--- src/external/bsd/ipf/dist/tools/ipfstat.c:1.1.1.1 Fri Mar 23 17:20:23 2012
+++ src/external/bsd/ipf/dist/tools/ipfstat.c Fri Mar 23 22:19:01 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: ipfstat.c,v 1.1.1.1 2012/03/23 21:20:23 christos Exp $ */
+/* $NetBSD: ipfstat.c,v 1.2 2012/03/24 02:19:01 christos Exp $ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -71,7 +71,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id";
+static const char rcsid[] = "@(#)Id: ipfstat.c,v 1.94.2.5 2012/01/26 05:29:18 darrenr Exp";
#endif
#ifdef __hpux
@@ -775,6 +775,8 @@ static void printlivelist(fiop, out, set
frgroup_t *g;
ipfobj_t obj;
int n;
+ void *buf;
+ size_t bufsiz;
n = 0;
@@ -795,11 +797,17 @@ static void printlivelist(fiop, out, set
obj.ipfo_size = sizeof(rule);
obj.ipfo_ptr = &rule;
- do {
- u_long array[1000];
+ /*
+ * The API does not know how much we need for filter data. Assume
+ * 10K is large enough. XXX: The code silently fails elsewhere on
+ * allocation, we do the same here.
+ */
+ if ((buf = malloc(bufsiz = sizeof(*fp) + 10240)) == NULL)
+ return;
- memset(array, 0xff, sizeof(array));
- fp = (frentry_t *)array;
+ do {
+ memset(buf, 0xff, bufsiz);
+ fp = buf;
rule.iri_rule = fp;
if (ioctl(ipf_fd, SIOCIPFITER, &obj) == -1) {
ipferror(ipf_fd, "ioctl(SIOCIPFITER)");
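Review bot: `buf` is released only by the `free(buf)` added at the end of printlivelist (L749); if the `ioctl(SIOCIPFITER)` error branch at the bottom of this hunk, or any other early exit inside the loop, returns instead of breaking, the allocation leaks on every failed call. The cut-off at the end of the hunk hides which it is, so please confirm, or route the error paths through the final `free`. The comment acknowledges that `10240` is a guess about how much rule data the kernel will copy out; it would be clearer as a named constant (e.g. `#define RULE_DATA_GUESS 10240`) and, if the iterator interface has any way to pass the buffer size to the kernel, that field should be set from `bufsiz` rather than relying on the guess. printlivelist's body continues outside the hunk.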
@@ -826,13 +834,13 @@ static void printlivelist(fiop, out, set
if (opts & (OPT_HITS|OPT_VERBOSE))
#ifdef USE_QUAD_T
- PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_hits);
+ PRINTF("%llu ", (unsigned long long) fp->fr_hits);
#else
PRINTF("%lu ", fp->fr_hits);
#endif
if (opts & (OPT_ACCNT|OPT_VERBOSE))
#ifdef USE_QUAD_T
- PRINTF("%"PRIu64" ", (unsigned long long) fp->fr_bytes);
+ PRINTF("%llu ", (unsigned long long) fp->fr_bytes);
#else
PRINTF("%lu ", fp->fr_bytes);
#endif
@@ -890,6 +898,7 @@ static void printlivelist(fiop, out, set
free(g);
}
}
+ free(buf);
}
@@ -942,13 +951,13 @@ static void printdeadlist(fiop, out, set
if (opts & (OPT_HITS|OPT_VERBOSE))
#ifdef USE_QUAD_T
- PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_hits);
+ PRINTF("%llu ", (unsigned long long) fb.fr_hits);
#else
PRINTF("%lu ", fb.fr_hits);
#endif
if (opts & (OPT_ACCNT|OPT_VERBOSE))
#ifdef USE_QUAD_T
- PRINTF("%"PRIu64" ", (unsigned long long) fb.fr_bytes);
+ PRINTF("%llu ", (unsigned long long) fb.fr_bytes);
#else
PRINTF("%lu ", fb.fr_bytes);
#endif
@@ -1763,7 +1772,7 @@ static void showauthstates(asp)
auth.igi_data = &fra;
#ifdef USE_QUAD_T
- printf("Authorisation hits: %"PRIu64"\tmisses %"PRIu64"\n",
+ printf("Authorisation hits: %llu\tmisses %llu\n",
(unsigned long long) asp->fas_hits,
(unsigned long long) asp->fas_miss);
#else
Index: src/external/bsd/ipf/dist/tools/ipftest.c
diff -u src/external/bsd/ipf/dist/tools/ipftest.c:1.1.1.1 src/external/bsd/ipf/dist/tools/ipftest.c:1.2
--- src/external/bsd/ipf/dist/tools/ipftest.c:1.1.1.1 Fri Mar 23 17:20:24 2012
+++ src/external/bsd/ipf/dist/tools/ipftest.c Fri Mar 23 22:19:01 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: ipftest.c,v 1.1.1.1 2012/03/23 21:20:24 christos Exp $ */
+/* $NetBSD: ipftest.c,v 1.2 2012/03/24 02:19:01 christos Exp $ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -12,7 +12,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id";
+static const char rcsid[] = "@(#)Id: ipftest.c,v 1.78.2.6 2012/01/26 05:29:18 darrenr Exp";
#endif
extern char *optarg;
@@ -736,7 +736,7 @@ void dumprules(rulehead)
for (fr = rulehead; fr != NULL; fr = fr->fr_next) {
#ifdef USE_QUAD_T
- printf("%"PRIu64" ",(unsigned long long)fr->fr_hits);
+ printf("%llu ",(unsigned long long)fr->fr_hits);
#else
printf("%ld ", fr->fr_hits);
#endif
Index: src/external/bsd/ipf/dist/tools/ipmon.c
diff -u src/external/bsd/ipf/dist/tools/ipmon.c:1.1.1.1 src/external/bsd/ipf/dist/tools/ipmon.c:1.2
--- src/external/bsd/ipf/dist/tools/ipmon.c:1.1.1.1 Fri Mar 23 17:20:24 2012
+++ src/external/bsd/ipf/dist/tools/ipmon.c Fri Mar 23 22:19:01 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: ipmon.c,v 1.1.1.1 2012/03/23 21:20:24 christos Exp $ */
+/* $NetBSD: ipmon.c,v 1.2 2012/03/24 02:19:01 christos Exp $ */
/*
* Copyright (C) 2010 by Darren Reed.
@@ -16,7 +16,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)Id";
+static const char rcsid[] = "@(#)Id: ipmon.c,v 1.72.2.2 2012/01/26 05:29:18 darrenr Exp";
#endif
@@ -699,7 +699,8 @@ static void print_natlog(conf, buf, blen
}
(void) strftime(t, len, "%T", tm);
t += strlen(t);
- sprintf(t, ".%-.6ld @%hd ", (long)ipl->ipl_usec, nl->nl_rule + 1);
+ (void) sprintf(t, ".%-.6ld @%hd ", (long)ipl->ipl_usec,
+ nl->nl_rule + 1);
t += strlen(t);
switch (nl->nl_action)
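Review bot: The `(void)` cast only silences the unused-result warning; the `sprintf` into `t` remains unbounded even though `len` is available and is passed to the `strftime` two lines above, then never reduced by the bytes already consumed. Since these lines are being touched anyway, tracking the remaining space (`len -= strlen(t)` after each advance) and using `snprintf(t, len, ...)` would make the bound real; the same pattern recurs at L826-L827 and L859-L860. Whether `len` is the total size of the buffer `t` points into is not visible here, so confirm before changing. print_natlog's body continues outside the hunk.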
@@ -879,7 +880,7 @@ static void print_statelog(conf, buf, bl
}
(void) strftime(t, len, "%T", tm);
t += strlen(t);
- sprintf(t, ".%-.6ld ", (long)ipl->ipl_usec);
+ (void) sprintf(t, ".%-.6ld ", (long)ipl->ipl_usec);
t += strlen(t);
family = vtof(sl->isl_v);
@@ -963,19 +964,20 @@ static void print_statelog(conf, buf, bl
t += strlen(t);
}
if (sl->isl_type != ISL_NEW) {
- sprintf(t,
+ static const char fmt[] =
#ifdef USE_QUAD_T
#ifdef PRId64
" Forward: Pkts in %" PRId64 " Bytes in %" PRId64
" Pkts out %" PRId64 " Bytes out %" PRId64
" Backward: Pkts in %" PRId64 " Bytes in %" PRId64
- " Pkts out %" PRId64 " Bytes out %" PRId64,
+ " Pkts out %" PRId64 " Bytes out %" PRId64;
#else
- " Forward: Pkts in %qd Bytes in %qd Pkts out %qd Bytes out %qd Backward: Pkts in %qd Bytes in %qd Pkts out %qd Bytes out %qd",
+ " Forward: Pkts in %qd Bytes in %qd Pkts out %qd Bytes out %qd Backward: Pkts in %qd Bytes in %qd Pkts out %qd Bytes out %qd";
#endif /* PRId64 */
#else
- " Forward: Pkts in %ld Bytes in %ld Pkts out %ld Bytes out %ld Backward: Pkts in %ld Bytes in %ld Pkts out %ld Bytes out %ld",
+ " Forward: Pkts in %ld Bytes in %ld Pkts out %ld Bytes out %ld Backward: Pkts in %ld Bytes in %ld Pkts out %ld Bytes out %ld";
#endif
+ sprintf(t, fmt,
sl->isl_pkts[0], sl->isl_bytes[0],
sl->isl_pkts[1], sl->isl_bytes[1],
sl->isl_pkts[2], sl->isl_bytes[2],
@@ -1109,7 +1111,7 @@ static void print_ipflog(conf, buf, blen
}
(void) strftime(t, len, "%T", tm);
t += strlen(t);
- sprintf(t, ".%-.6ld ", (long)ipl->ipl_usec);
+ (void) sprintf(t, ".%-.6ld ", (long)ipl->ipl_usec);
t += strlen(t);
if (ipl->ipl_count > 1) {
sprintf(t, "%dx ", ipl->ipl_count);
Index: src/external/bsd/ipf/dist/tools/ippool.c
diff -u src/external/bsd/ipf/dist/tools/ippool.c:1.1.1.1 src/external/bsd/ipf/dist/tools/ippool.c:1.2
--- src/external/bsd/ipf/dist/tools/ippool.c:1.1.1.1 Fri Mar 23 17:20:25 2012
+++ src/external/bsd/ipf/dist/tools/ippool.c Fri Mar 23 22:19:01 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: ippool.c,v 1.1.1.1 2012/03/23 21:20:25 christos Exp $ */
+/* $NetBSD: ippool.c,v 1.2 2012/03/24 02:19:01 christos Exp $ */
/*
* Copyright (C) 2010 by Darren Reed.
@@ -806,6 +806,7 @@ poollist_live(role, poolname, type, fd)
{
ipf_pool_stat_t plstat;
iplookupop_t op;
+ int unit;
int c;
if (type == IPLT_ALL || type == IPLT_POOL) {
@@ -826,8 +827,8 @@ poollist_live(role, poolname, type, fd)
showpools_live(fd, role, &plstat, poolname);
} else {
- for (role = -1; role <= IPL_LOGMAX; role++) {
- op.iplo_unit = role;
+ for (unit = -1; unit <= IPL_LOGMAX; unit++) {
+ op.iplo_unit = unit;
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
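Review bot: Introducing `unit` keeps the caller's `role` intact, which is the right fix, but the pool loop now visibly starts at `unit = -1` while the hash-table and destination-list loops in the later hunks (L904, L923) start at 0. If -1 is a deliberate "all units" probe for pools only, a short comment on the `for` line such as `/* -1 queries the unit-less pool statistics first */` would stop this being read as an off-by-one; if it is not deliberate, the three loops should agree. poollist_live's body continues outside the hunk.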
@@ -835,10 +836,8 @@ poollist_live(role, poolname, type, fd)
return;
}
- showpools_live(fd, role, &plstat, poolname);
+ showpools_live(fd, unit, &plstat, poolname);
}
-
- role = IPL_LOGALL;
}
}
@@ -861,18 +860,17 @@ poollist_live(role, poolname, type, fd)
}
showhashs_live(fd, role, &htstat, poolname);
} else {
- for (role = 0; role <= IPL_LOGMAX; role++) {
+ for (unit = 0; unit <= IPL_LOGMAX; unit++) {
- op.iplo_unit = role;
+ op.iplo_unit = unit;
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
return;
}
- showhashs_live(fd, role, &htstat, poolname);
+ showhashs_live(fd, unit, &htstat, poolname);
}
- role = IPL_LOGALL;
}
}
@@ -895,18 +893,17 @@ poollist_live(role, poolname, type, fd)
}
showdstls_live(fd, role, &dlstat, poolname);
} else {
- for (role = 0; role <= IPL_LOGMAX; role++) {
+ for (unit = 0; unit <= IPL_LOGMAX; unit++) {
- op.iplo_unit = role;
+ op.iplo_unit = unit;
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
return;
}
- showdstls_live(fd, role, &dlstat, poolname);
+ showdstls_live(fd, unit, &dlstat, poolname);
}
- role = IPL_LOGALL;
}
}
}