author | 2001-01-30 04:26:01 +0000 | |
---|---|---|
committer | 2001-01-30 04:26:01 +0000 | |
commit | 97a55c291b333704cff3468635bb10c8aaea9e69 (patch) | |
tree | 52842d0e0236f78691113a568d5f1983f55f3e66 | |
parent | re-add local ipf changes that were whacked in the 3.4.16 merge. userland to follow (diff) | |
reimplement local ipf mods and import some missed patches
-rw-r--r-- | sbin/ipf/common.c | 33 | ||||
-rw-r--r-- | sbin/ipf/ifaddr.c | 3 | ||||
-rw-r--r-- | sbin/ipf/ipf.4 | 32 | ||||
-rw-r--r-- | sbin/ipf/ipf.5 | 6 | ||||
-rw-r--r-- | sbin/ipf/ipf.c | 24 | ||||
-rw-r--r-- | sbin/ipf/opt.c | 4 | ||||
-rw-r--r-- | sbin/ipf/parse.c | 6 |
7 files changed, 64 insertions, 44 deletions
diff --git a/sbin/ipf/common.c b/sbin/ipf/common.c index 569d6e0427f..edea2441d88 100644 --- a/sbin/ipf/common.c +++ b/sbin/ipf/common.c @@ -1,4 +1,4 @@ -/* $OpenBSD: common.c,v 1.1 2001/01/17 05:00:57 fgsch Exp $ */ +/* $OpenBSD: common.c,v 1.2 2001/01/30 04:26:01 kjell Exp $ */ /* * Copyright (C) 1993-2000 by Darren Reed. @@ -36,15 +36,11 @@ #include <resolv.h> #include <ctype.h> #include <syslog.h> -#include <netinet/ip_compat.h> +#include <netinet/ip_fil_compat.h> #include <netinet/ip_fil.h> #include "ipf.h" #include "facpri.h" -#if defined(__OpenBSD__) -#include "ifaddr.h" -#endif - #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-2000 Darren Reed"; static const char rcsid[] = "@(#)$IPFilter: parse.c,v 2.8 1999/12/28 10:49:46 darrenr Exp $"; @@ -55,11 +51,16 @@ extern int opts; #ifdef USE_INET6 extern int use_inet6; #endif +#if defined(__OpenBSD__) +extern int if_addr __P((char *, struct in_addr *)); +#endif + char *proto = NULL; -char flagset[] = "FSRPAU"; -u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG }; +char flagset[] = "FSRPAUEC"; +u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, + TH_ECN, TH_CWR }; #ifdef USE_INET6 void fill6bits __P((int, u_32_t *)); @@ -72,7 +73,6 @@ static char thishost[MAXHOSTNAMELEN]; void initparse() { gethostname(thishost, sizeof(thishost)); - thishost[sizeof(thishost) - 1] = '\0'; } @@ -252,8 +252,11 @@ int linenum; host = thishost; #if defined(__OpenBSD__) - if (if_addr(host, &ip)) - return *ipa = ip.s_addr; + /* attempt a map from interface name to address */ + if (if_addr(host, &ip)) { + *ipa = ip.s_addr; + return 0; + } #endif if (!(hp = gethostbyname(host))) { @@ -420,8 +423,12 @@ int linenum; if (s && *s == '0') tcpfm = strtol(s, NULL, 0); - if (!tcpfm) - tcpfm = 0xff; + if (!tcpfm) { + if (tcpf == TH_SYN) + tcpfm = 0xff & ~(TH_ECN|TH_CWR); + else + tcpfm = 0xff & ~(TH_ECN); + } *mask = tcpfm; return tcpf; } 
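Review bot: The hand-written prototype `extern int if_addr __P((char *, struct in_addr *));` under `#if defined(__OpenBSD__)` duplicates the declaration that ifaddr.h presumably carries (ifaddr.c itself starts including that header in this same commit), right after the earlier hunk dropped `#include "ifaddr.h"` from this file; with two copies of the signature, a later change to if_addr's parameters would not be diagnosed at this call site. Restoring `#include "ifaddr.h"` inside the `#if defined(__OpenBSD__)` block keeps a single declaration. The extended `flagset[]`/`flags[]` pair is coupled by position, so a one-line comment above them such as `/* flagset[i] is the letter for flags[i]; keep both in sync */` would protect that invariant.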
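Review bot: Dropping `thishost[sizeof(thishost) - 1] = '\0';` from initparse() makes the buffer's termination depend on gethostname() NUL-terminating a truncated name, which POSIX leaves unspecified, and the return value of gethostname() is still not checked; the hunk at line 252 later hands thishost to gethostbyname() as a C string. On OpenBSD this is presumably safe because libc either copies the whole name or fails, but this file still carries `#ifdef`s for other platforms and the explicit terminator cost nothing. I would keep the terminator line, or at least write the call as `if (gethostname(thishost, sizeof(thishost)) == -1) thishost[0] = '\0';` with a comment stating that thishost is a static, zero-initialised buffer that must remain NUL-terminated.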
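Review bot: The default TCP flag mask is now asymmetric: a rule written with `flags S` masks out both ECN and CWR, while every other flag combination masks out only ECN, so a non-SYN segment carrying CWR (which an ECN-capable sender sets on ordinary data segments after it reduces its window) will not match a rule that relies on the default mask. For a block rule such as `flags A` that is a silent non-match and for a pass rule a silent drop; whether either is intended depends on the kernel-side comparison of fr_tcpf against fr_tcpfm, which is outside this hunk. If the intent is to ignore ECN signalling uniformly, `tcpfm = 0xff & ~(TH_ECN|TH_CWR);` in both branches is simpler; either way a comment stating why SYN is treated differently belongs above the `if (!tcpfm)` block. The enclosing function starts outside the hunk.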
diff --git a/sbin/ipf/ifaddr.c b/sbin/ipf/ifaddr.c index 5e4d46242ef..59e3fcf1b8a 100644 --- a/sbin/ipf/ifaddr.c +++ b/sbin/ipf/ifaddr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ifaddr.c,v 1.6 2001/01/17 05:00:58 fgsch Exp $ */ +/* $OpenBSD: ifaddr.c,v 1.7 2001/01/30 04:26:01 kjell Exp $ */ #include <sys/types.h> #include <sys/socket.h> @@ -8,6 +8,7 @@ #include <arpa/inet.h> #include <string.h> #include <err.h> +#include "ifaddr.h" /* * if_addr(): diff --git a/sbin/ipf/ipf.4 b/sbin/ipf/ipf.4 index 26cb5b495ba..49471c29b28 100644 --- a/sbin/ipf/ipf.4 +++ b/sbin/ipf/ipf.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipf.4,v 1.21 2000/04/13 19:59:39 kjell Exp $ +.\" $OpenBSD: ipf.4,v 1.22 2001/01/30 04:26:01 kjell Exp $ .\" .TH IPF 4 .SH NAME 
@@ -13,33 +13,33 @@ To add and delete rules to the filter list, three 'basic' ioctls are provided for use. The ioctl's are called as: .LP .nf - ioctl(fd, SIOCADDFR, struct frentry *) - ioctl(fd, SIOCDELFR, struct frentry *) + ioctl(fd, SIOCADDFR, struct frentry **) + ioctl(fd, SIOCDELFR, struct frentry **) ioctl(fd, SIOCIPFFL, int *) .fi .PP However, the full complement is as follows: .LP .nf - ioctl(fd, SIOCADAFR, struct frentry *) (same as SUICADDFR) - ioctl(fd, SIOCRMAFR, struct frentry *) (same as SUICDELFR) - ioctl(fd, SIOCADIFR, struct frentry *) - ioctl(fd, SIOCRMIFR, struct frentry *) - ioctl(fd, SIOCINAFR, struct frentry *) - ioctl(fd, SIOCINIFR, struct frentry *) + ioctl(fd, SIOCADAFR, struct frentry **) (same as SIOCADDFR) + ioctl(fd, SIOCRMAFR, struct frentry **) (same as SIOCDELFR) + ioctl(fd, SIOCADIFR, struct frentry **) + ioctl(fd, SIOCRMIFR, struct frentry **) + ioctl(fd, SIOCINAFR, struct frentry **) + ioctl(fd, SIOCINIFR, struct frentry **) ioctl(fd, SIOCSETFF, u_int *) ioctl(fd, SIOGGETFF, u_int *) - ioctl(fd, SIOCGETFS, struct friostat *) + ioctl(fd, SIOCGETFS, struct friostat **) ioctl(fd, SIOCIPFFL, int *) ioctl(fd, SIOCIPFFB, int *) ioctl(fd, SIOCSWAPA, u_int *) ioctl(fd, SIOCFRENB, u_int *) ioctl(fd, SIOCFRSYN, u_int *) - ioctl(fd, SIOCFRZST, struct friostat *) - ioctl(fd, SIOCZRLST, struct frentry *) - ioctl(fd, SIOCAUTHW, struct fr_info *) - ioctl(fd, SIOCAUTHR, struct fr_info *) - ioctl(fd, SIOCATHST, struct fr_authstat *) + ioctl(fd, SIOCFRZST, struct friostat **) + ioctl(fd, SIOCZRLST, struct frentry **) + ioctl(fd, SIOCAUTHW, struct fr_info **) + ioctl(fd, SIOCAUTHR, struct fr_info **) + ioctl(fd, SIOCATHST, struct fr_authstat **) .fi .PP The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists, 
@@ -109,7 +109,7 @@ filter list, the number of the rule which it is to be inserted before must be put in the "fr_hits" field (the first rule is number 0). .LP .PP -Flags which are recognised in fr_pass: +Flags which are recognised in fr_flags: .nf FR_BLOCK 0x000001 /* do not allow packet to pass */ diff --git a/sbin/ipf/ipf.5 b/sbin/ipf/ipf.5 index 81980a553c7..13f02a01a42 100644 --- a/sbin/ipf/ipf.5 +++ b/sbin/ipf/ipf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipf.5,v 1.25 2000/04/26 21:04:00 deraadt Exp $ +.\" $OpenBSD: ipf.5,v 1.26 2001/01/30 04:26:01 kjell Exp $ .\" .TH IPF 5 .SH NAME @@ -33,7 +33,7 @@ proto = "proto" protocol . ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] . group = [ "head" decnumber ] [ "group" decnumber ] . -block = "block" [ icmp[return-code] | "return-rst" ] . +block = "block" [ return-icmp[return-code] | "return-rst" ] . auth = "auth" | "preauth" . log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] . call = "call" [ "now" ] function-name . @@ -44,7 +44,7 @@ protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber . srcdst = "all" | fromto . fromto = "from" [ "!" ] object "to" [ "!" ] object . -icmp = "return-icmp" | "return-icmp-as-dest" . +return-icmp = "return-icmp" | "return-icmp-as-dest" . object = addr [ port-comp | port-range ] . addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] . port-comp = "port" compare port-num . diff --git a/sbin/ipf/ipf.c b/sbin/ipf/ipf.c index f012e109a8f..6e9a000e136 100644 --- a/sbin/ipf/ipf.c +++ b/sbin/ipf/ipf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipf.c,v 1.25 2001/01/17 05:00:58 fgsch Exp $ */ +/* $OpenBSD: ipf.c,v 1.26 2001/01/30 04:26:01 kjell Exp $ */ /* * Copyright (C) 1993-2000 by Darren Reed. 
@@ -36,10 +36,9 @@ #include <netdb.h> #include <arpa/nameser.h> #include <resolv.h> -#include <netinet/ip_compat.h> +#include <netinet/ip_fil_compat.h> #include <netinet/ip_fil.h> #include <netinet/ip_nat.h> -#include <netinet/ip_state.h> #include "ipf.h" #include <netinet/ipl.h> @@ -79,10 +78,19 @@ static void usage __P((void)); static void showversion __P((void)); static int get_flags __P((void)); +#if SOLARIS +#define OPTS "6AdDEf:F:Il:noPrsUvVyzZ" +#else +#define OPTS "6AdDEf:F:Il:noPrsvVyzZ" +#endif static void usage() { +#if SOLARIS fprintf(stderr, "usage: ipf [-6AdDEInoPrsUvVyzZ] %s %s %s\n", +#else + fprintf(stderr, "usage: ipf [-6AdDEInoPrsvVyzZ] %s %s %s\n", +#endif "[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]"); exit(1); } @@ -94,11 +102,15 @@ char *argv[]; { int c; - while ((c = getopt(argc, argv, "6AdDEf:F:Il:noPrsUvVyzZ")) != -1) { + while ((c = getopt(argc, argv, OPTS)) != -1) + if (c == '?') + usage(); + + optreset=1; + optind=1; + while ((c = getopt(argc, argv, OPTS)) != -1) { switch (c) { - case '?' : - usage(); #ifdef USE_INET6 case '6' : use_inet6 = 1; diff --git a/sbin/ipf/opt.c b/sbin/ipf/opt.c index 38a414bc5c8..d382870b8ad 100644 --- a/sbin/ipf/opt.c +++ b/sbin/ipf/opt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: opt.c,v 1.15 2001/01/17 05:00:59 fgsch Exp $ */ +/* $OpenBSD: opt.c,v 1.16 2001/01/30 04:26:01 kjell Exp $ */ /* * Copyright (C) 1993-2000 by Darren Reed. @@ -22,7 +22,7 @@ #include <netinet/tcp.h> #include <net/if.h> #include <arpa/inet.h> -#include <netinet/ip_compat.h> +#include <netinet/ip_fil_compat.h> #include <netinet/tcpip.h> #include <netinet/ip_fil.h> #include "ipf.h" diff --git a/sbin/ipf/parse.c b/sbin/ipf/parse.c index bdecc3bb9d3..8d667630169 100644 --- a/sbin/ipf/parse.c +++ b/sbin/ipf/parse.c @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.c,v 1.37 2001/01/20 06:36:52 fgsch Exp $ */ +/* $OpenBSD: parse.c,v 1.38 2001/01/30 04:26:02 kjell Exp $ */ /* * Copyright (C) 1993-2000 by Darren Reed. 
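Review bot: The two usage() strings `"usage: ipf [-6AdDEInoPrsUvVyzZ] %s %s %s\n"` and `"usage: ipf [-6AdDEInoPrsvVyzZ] %s %s %s\n"` restate the option letters that the new OPTS macro already encodes (minus the ones taking arguments), so adding or removing an option now means editing two `#if SOLARIS` blocks in step and the message can drift from what getopt() accepts. A comment on the OPTS definition, `/* keep the letter list in usage() in sync with OPTS */`, would at least make the coupling visible; deriving the usage text from OPTS would remove it.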
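Review bot: The new two-pass getopt() loop in main() carries no comment explaining why the options are scanned twice; the first loop presumably exists so that an unknown option reaches usage() before any option with side effects in the second pass has run, and that rationale should be stated, e.g. `/* Pass 1 rejects bad options before pass 2 acts on any of them. */` above the first `while`. `optreset` is a BSD extension rather than POSIX, so the reset `optreset=1; optind=1;` deserves a short note for anyone porting, and the spacing around `=` should match the rest of the file. The body of main() continues outside the hunk.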
@@ -36,7 +36,7 @@
 #include <resolv.h>
 #include <ctype.h>
 #include <syslog.h>
-#include <netinet/ip_compat.h>
+#include <netinet/ip_fil_compat.h>
 #include <netinet/ip_fil.h>
 #include "ipf.h"
 #include "facpri.h"
@@ -1103,7 +1103,7 @@ struct frentry *fp;
 if (fp->fr_ip.fi_fl & FI_TCPUDP) {
 printf("proto tcp/udp ");
 pr = -1;
- } else if ((pr = fp->fr_ip.fi_p)) {
+ } else if ((pr = fp->fr_mip.fi_p)) {
 if ((p = getprotobynumber(fp->fr_proto)))
 printf("proto %s ", p->p_name);
 else
|
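Review bot: `pr` now receives `fp->fr_mip.fi_p`, which I read as the protocol mask, while the value printed is still `fp->fr_proto`; if `pr` is compared against a protocol number later in this function (which starts and continues outside the hunk), that comparison will now see the mask rather than the protocol. If the test only asks whether a protocol was specified, a clearer form is `} else if (fp->fr_mip.fi_p) {` followed by `pr = fp->fr_proto;`, so `pr` keeps one meaning throughout, with a comment such as `/* fr_mip.fi_p is non-zero when the rule names a protocol -- confirm against ip_fil.h */`.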