Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-1-5]: src/dist/ipf Pull up revisions 1.6-1.10 (requested by martti):
details: https://anonhg.NetBSD.org/src/rev/5d755d210826
branches: netbsd-1-5
changeset: 492693:5d755d210826
user: he <he%NetBSD.org@localhost>
date: Sat Feb 09 16:56:12 2002 +0000
description:
Pull up revisions 1.6-1.10 (requested by martti):
Updated IPFilter to 3.4.23
diffstat:
dist/ipf/parse.c | 256 ++++++++++++++++++++++++++++++++++++++++++++----------
1 files changed, 207 insertions(+), 49 deletions(-)
diffs (truncated from 488 to 300 lines):
diff -r ae5e5ac65acb -r 5d755d210826 dist/ipf/parse.c
--- a/dist/ipf/parse.c Sat Feb 09 16:56:10 2002 +0000
+++ b/dist/ipf/parse.c Sat Feb 09 16:56:12 2002 +0000
@@ -1,11 +1,9 @@
-/* $NetBSD: parse.c,v 1.4.4.1 2000/08/31 14:49:46 veego Exp $ */
+/* $NetBSD: parse.c,v 1.4.4.2 2002/02/09 16:56:12 he Exp $ */
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
@@ -48,9 +46,7 @@
extern struct ipopt_names ionames[], secclass[];
extern int opts;
-#ifdef USE_INET6
extern int use_inet6;
-#endif
int addicmp __P((char ***, struct frentry *, int));
int extras __P((char ***, struct frentry *, int));
@@ -61,6 +57,7 @@
void optprint __P((u_short *, u_long, u_long));
int loglevel __P((char **, u_int *, int));
void printlog __P((frentry_t *));
+void printifname __P((char *, char *, void *));
extern char *proto;
extern char flagset[];
@@ -76,8 +73,8 @@
int linenum;
{
static struct frentry fil;
+ char *cps[31], **cpp, *endptr, *s;
struct protoent *p = NULL;
- char *cps[31], **cpp, *endptr;
int i, cnt = 1, j, ch;
u_int k;
@@ -88,11 +85,7 @@
bzero((char *)&fil, sizeof(fil));
fil.fr_mip.fi_v = 0xf;
-#ifdef USE_INET6
fil.fr_ip.fi_v = use_inet6 ? 6 : 4;
-#else
- fil.fr_ip.fi_v = 4;
-#endif
fil.fr_loglevel = 0xffff;
/*
@@ -110,10 +103,18 @@
}
cpp = cps;
+ /*
+ * The presence of an '@' followed by a number gives the position in
+ * the current rule list to insert this one.
+ */
if (**cpp == '@')
fil.fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1;
+ /*
+ * Check the first keyword in the rule and any options that are
+ * expected to follow it.
+ */
if (!strcasecmp("block", *cpp)) {
fil.fr_flags |= FR_BLOCK;
if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) &&
@@ -153,6 +154,8 @@
fil.fr_flags |= FR_ACCOUNT;
} else if (!strcasecmp("pass", *cpp)) {
fil.fr_flags |= FR_PASS;
+ } else if (!strcasecmp("nomatch", *cpp)) {
+ fil.fr_flags |= FR_NOMATCH;
} else if (!strcasecmp("auth", *cpp)) {
fil.fr_flags |= FR_AUTH;
} else if (!strcasecmp("preauth", *cpp)) {
@@ -198,6 +201,10 @@
return NULL;
}
+ /*
+ * Get the direction for filtering. Impose restrictions on direction
+ * if blocking with returning ICMP or an RST has been requested.
+ */
if (!strcasecmp("in", *cpp))
fil.fr_flags |= FR_INQUE;
else if (!strcasecmp("out", *cpp)) {
@@ -260,15 +267,30 @@
fil.fr_flags |= FR_QUICK;
}
+ /*
+ * Parse rule options that are available if a rule is tied to an
+ * interface.
+ */
*fil.fr_ifname = '\0';
+ *fil.fr_oifname = '\0';
if (*cpp && !strcasecmp(*cpp, "on")) {
if (!*++cpp) {
fprintf(stderr, "%d: interface name missing\n",
linenum);
return NULL;
}
- (void)strncpy(fil.fr_ifname, *cpp, IFNAMSIZ-1);
- fil.fr_ifname[IFNAMSIZ-1] = '\0';
+
+ s = index(*cpp, ',');
+ if (s != NULL) {
+ *s++ = '\0';
+ (void)strncpy(fil.fr_ifnames[1], s, IFNAMSIZ - 1);
+ fil.fr_ifnames[1][IFNAMSIZ - 1] = '\0';
+ } else
+ strcpy(fil.fr_ifnames[1], "*");
+
+ (void)strncpy(fil.fr_ifnames[0], *cpp, IFNAMSIZ - 1);
+ fil.fr_ifnames[0][IFNAMSIZ - 1] = '\0';
+
cpp++;
if (!*cpp) {
if ((fil.fr_flags & FR_RETMASK) == FR_RETRST) {
@@ -303,6 +325,33 @@
cpp++;
}
}
+
+ /*
+ * Set the "other" interface name. Lets you specify both
+ * inbound and outbound interfaces for state rules. Do not
+ * prevent both interfaces from being the same.
+ */
+ strcpy(fil.fr_ifnames[3], "*");
+ if ((*cpp != NULL) && (*(cpp + 1) != NULL) &&
+ ((((fil.fr_flags & FR_INQUE) != 0) &&
+ (strcasecmp(*cpp, "out-via") == 0)) ||
+ (((fil.fr_flags & FR_OUTQUE) != 0) &&
+ (strcasecmp(*cpp, "in-via") == 0)))) {
+ cpp++;
+
+ s = index(*cpp, ',');
+ if (s != NULL) {
+ *s++ = '\0';
+ (void)strncpy(fil.fr_ifnames[3], s,
+ IFNAMSIZ - 1);
+ fil.fr_ifnames[3][IFNAMSIZ - 1] = '\0';
+ }
+
+ (void)strncpy(fil.fr_ifnames[2], *cpp, IFNAMSIZ - 1);
+ fil.fr_ifnames[2][IFNAMSIZ - 1] = '\0';
+ cpp++;
+ } else
+ strcpy(fil.fr_ifnames[2], "*");
}
if (*cpp && !strcasecmp(*cpp, "tos")) {
if (!*++cpp) {
@@ -344,6 +393,10 @@
if (!strcasecmp(proto, "tcp/udp")) {
fil.fr_ip.fi_fl |= FI_TCPUDP;
fil.fr_mip.fi_fl |= FI_TCPUDP;
+ } else if (use_inet6 && !strcasecmp(proto, "icmp")) {
+ fprintf(stderr,
+"%d: use proto ipv6-icmp with IPv6 (or use proto 1 if you really mean icmp)\n",
+ linenum);
} else {
if (!(p = getprotobyname(proto)) && !isdigit(*proto)) {
fprintf(stderr,
@@ -396,7 +449,15 @@
linenum);
return NULL;
}
- if (**cpp == '!') {
+ if (!strcmp(*cpp, "!")) {
+ fil.fr_flags |= FR_NOTSRCIP;
+ if (!*++cpp) {
+ fprintf(stderr,
+ "%d: missing host after from\n",
+ linenum);
+ return NULL;
+ }
+ } else if (**cpp == '!') {
fil.fr_flags |= FR_NOTSRCIP;
(*cpp)++;
}
@@ -426,7 +487,15 @@
return NULL;
}
ch = 0;
- if (**cpp == '!') {
+ if (!strcmp(*cpp, "!")) {
+ fil.fr_flags |= FR_NOTDSTIP;
+ if (!*++cpp) {
+ fprintf(stderr,
+ "%d: missing host after from\n",
+ linenum);
+ return NULL;
+ }
+ } else if (**cpp == '!') {
fil.fr_flags |= FR_NOTDSTIP;
(*cpp)++;
}
@@ -477,7 +546,8 @@
* icmp types for use with the icmp protocol
*/
if (*cpp && !strcasecmp(*cpp, "icmp-type")) {
- if (fil.fr_proto != IPPROTO_ICMP) {
+ if (fil.fr_proto != IPPROTO_ICMP &&
+ fil.fr_proto != IPPROTO_ICMPV6) {
fprintf(stderr,
"%d: icmp with wrong protocol (%d)\n",
linenum, fil.fr_proto);
@@ -497,6 +567,19 @@
return NULL;
/*
+ * This is here to enforce the old interface binding behaviour.
+ * That is, "on X" is equivalent to "<dir> on X <!dir>-via -,X"
+ */
+ if (fil.fr_flags & FR_KEEPSTATE) {
+ if (*fil.fr_ifnames[0] && !*fil.fr_ifnames[3]) {
+ bcopy(fil.fr_ifnames[0], fil.fr_ifnames[3],
+ sizeof(fil.fr_ifnames[3]));
+ strncpy(fil.fr_ifnames[2], "*",
+ sizeof(fil.fr_ifnames[3]));
+ }
+ }
+
+ /*
* head of a new group ?
*/
if (*cpp && !strcasecmp(*cpp, "head")) {
@@ -646,6 +729,15 @@
{
printf("%s %s%s", tag, fdp->fd_ifname,
(fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
+#ifdef USE_INET6
+ if (use_inet6 && IP6_NOTZERO(&fdp->fd_ip6.in6)) {
+ char ipv6addr[80];
+
+ inet_ntop(AF_INET6, &fdp->fd_ip6, ipv6addr,
+ sizeof(fdp->fd_ip6));
+ printf(":%s", ipv6addr);
+ } else
+#endif
if (fdp->fd_ip.s_addr)
printf(":%s", inet_ntoa(fdp->fd_ip));
putchar(' ');
@@ -673,8 +765,8 @@
return -1;
while (**cp && (!strncasecmp(**cp, "ipopt", 5) ||
- !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 4) ||
- !strncasecmp(**cp, "frag", 3) || !strncasecmp(**cp, "no", 2) ||
+ !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 3) ||
+ !strncasecmp(**cp, "frag", 4) || !strncasecmp(**cp, "no", 2) ||
!strncasecmp(**cp, "short", 5))) {
if (***cp == 'n' || ***cp == 'N') {
notopt = 1;
@@ -887,10 +979,10 @@
/*
* set the icmp field to the correct type if "icmp" word is found
*/
-int addicmp(cp, fp, linenum)
-char ***cp;
-struct frentry *fp;
-int linenum;
+int addicmp(cp, fp, linenum)
+char ***cp;
+struct frentry *fp;
+int linenum;
{
char **t;
int i;
@@ -898,8 +990,7 @@
(*cp)++;
if (!**cp)
return -1;
- if (!fp->fr_proto) /* to catch lusers */
- fp->fr_proto = IPPROTO_ICMP;
+
if (isdigit(***cp)) {
if (!ratoi(**cp, &i, 0, 255)) {
fprintf(stderr,
@@ -907,6 +998,10 @@
linenum, **cp);
return -1;
}
+ } else if (fp->fr_proto == IPPROTO_ICMPV6) {
+ fprintf(stderr, "%d: Unknown ICMPv6 type (%s) specified "
+ "(use numeric value instead)\n", linenum, **cp);
+ return -1;
} else {
Home |
Main Index |
Thread Index |
Old Index