Diffstat (limited to 'sbin/ipf')
-rw-r--r--sbin/ipf/Makefile2
-rw-r--r--sbin/ipf/Makefile.inc3
-rw-r--r--sbin/ipf/common/genmask.c6
-rw-r--r--sbin/ipf/common/ipf.h16
-rw-r--r--sbin/ipf/common/ipf_y.y1
-rw-r--r--sbin/ipf/common/ipmon.h3
-rw-r--r--sbin/ipf/common/ipt.h1
-rw-r--r--sbin/ipf/common/kmem.h1
-rw-r--r--sbin/ipf/common/lexer.c11
-rw-r--r--sbin/ipf/common/lexer.h1
-rw-r--r--sbin/ipf/common/opts.h1
-rw-r--r--sbin/ipf/common/pcap-ipf.h1
-rw-r--r--sbin/ipf/ipf/Makefile3
-rw-r--r--sbin/ipf/ipf/Makefile.depend3
-rw-r--r--sbin/ipf/ipf/bpf-ipf.h7
-rw-r--r--sbin/ipf/ipf/bpf_filter.c26
-rw-r--r--sbin/ipf/ipf/ipf.44
-rw-r--r--sbin/ipf/ipf/ipf.578
-rw-r--r--sbin/ipf/ipf/ipf.89
-rw-r--r--sbin/ipf/ipf/ipf.c7
-rw-r--r--sbin/ipf/ipf/ipfcomp.c7
-rw-r--r--sbin/ipf/ipf/ipfilter.46
-rw-r--r--sbin/ipf/ipf/ipfilter.52
-rw-r--r--sbin/ipf/ipf/ipl.41
-rw-r--r--sbin/ipf/ipfs/Makefile2
-rw-r--r--sbin/ipf/ipfs/Makefile.depend3
-rw-r--r--sbin/ipf/ipfs/ipfs.84
-rw-r--r--sbin/ipf/ipfs/ipfs.c4
-rw-r--r--sbin/ipf/ipfstat/Makefile2
-rw-r--r--sbin/ipf/ipfstat/Makefile.depend6
-rw-r--r--sbin/ipf/ipfstat/ipfstat.81
-rw-r--r--sbin/ipf/ipfstat/ipfstat.c12
-rw-r--r--sbin/ipf/ipfsync/ipfsyncd.c4
-rw-r--r--sbin/ipf/ipfsync/ipsyncm.c5
-rw-r--r--sbin/ipf/ipfsync/ipsyncs.c5
-rw-r--r--sbin/ipf/ipftest/Makefile2
-rw-r--r--sbin/ipf/ipftest/Makefile.depend1
-rw-r--r--sbin/ipf/ipftest/ip_fil.c7
-rw-r--r--sbin/ipf/ipftest/ipftest.14
-rw-r--r--sbin/ipf/ipftest/ipftest.c5
-rw-r--r--sbin/ipf/ipftest/md5.c1
-rw-r--r--sbin/ipf/ipftest/md5.h1
-rw-r--r--sbin/ipf/iplang/iplang.h1
-rw-r--r--sbin/ipf/iplang/iplang_l.l1
-rw-r--r--sbin/ipf/iplang/iplang_y.y11
-rw-r--r--sbin/ipf/ipmon/Makefile3
-rw-r--r--sbin/ipf/ipmon/Makefile.depend3
-rw-r--r--sbin/ipf/ipmon/ipmon.54
-rw-r--r--sbin/ipf/ipmon/ipmon.83
-rw-r--r--sbin/ipf/ipmon/ipmon.c25
-rw-r--r--sbin/ipf/ipmon/ipmon_y.y1
-rw-r--r--sbin/ipf/ipnat/Makefile3
-rw-r--r--sbin/ipf/ipnat/Makefile.depend3
-rw-r--r--sbin/ipf/ipnat/ipnat.11
-rw-r--r--sbin/ipf/ipnat/ipnat.42
-rw-r--r--sbin/ipf/ipnat/ipnat.528
-rw-r--r--sbin/ipf/ipnat/ipnat.82
-rw-r--r--sbin/ipf/ipnat/ipnat.c5
-rw-r--r--sbin/ipf/ipnat/ipnat_y.y1
-rw-r--r--sbin/ipf/ippool/Makefile3
-rw-r--r--sbin/ipf/ippool/Makefile.depend3
-rw-r--r--sbin/ipf/ippool/ippool.511
-rw-r--r--sbin/ipf/ippool/ippool.88
-rw-r--r--sbin/ipf/ippool/ippool.c69
-rw-r--r--sbin/ipf/ippool/ippool_y.y1
-rw-r--r--sbin/ipf/ipresend/Makefile2
-rw-r--r--sbin/ipf/ipresend/Makefile.depend1
-rw-r--r--sbin/ipf/ipscan/Makefile2
-rw-r--r--sbin/ipf/ipscan/ipscan.54
-rw-r--r--sbin/ipf/ipscan/ipscan.82
-rw-r--r--sbin/ipf/ipscan/ipscan_y.y1
-rw-r--r--sbin/ipf/ipsend/44arp.c1
-rw-r--r--sbin/ipf/ipsend/arp.c5
-rw-r--r--sbin/ipf/ipsend/dlcommon.c1
-rw-r--r--sbin/ipf/ipsend/dltest.h1
-rw-r--r--sbin/ipf/ipsend/ip.c7
-rw-r--r--sbin/ipf/ipsend/ipresend.14
-rw-r--r--sbin/ipf/ipsend/ipresend.c5
-rw-r--r--sbin/ipf/ipsend/ipsend.16
-rw-r--r--sbin/ipf/ipsend/ipsend.56
-rw-r--r--sbin/ipf/ipsend/ipsend.c30
-rw-r--r--sbin/ipf/ipsend/ipsend.h3
-rw-r--r--sbin/ipf/ipsend/ipsopt.c5
-rw-r--r--sbin/ipf/ipsend/iptest.13
-rw-r--r--sbin/ipf/ipsend/iptest.c5
-rw-r--r--sbin/ipf/ipsend/iptests.c32
-rw-r--r--sbin/ipf/ipsend/resend.c11
-rw-r--r--sbin/ipf/ipsend/sbpf.c5
-rw-r--r--sbin/ipf/ipsend/sdlpi.c5
-rw-r--r--sbin/ipf/ipsend/snit.c5
-rw-r--r--sbin/ipf/ipsend/sock.c6
-rw-r--r--sbin/ipf/ipsend/sockraw.c4
-rw-r--r--sbin/ipf/libipf/Makefile2
-rw-r--r--sbin/ipf/libipf/Makefile.depend1
-rw-r--r--sbin/ipf/libipf/addicmp.c1
-rw-r--r--sbin/ipf/libipf/addipopt.c1
-rw-r--r--sbin/ipf/libipf/bcopywrap.c1
-rw-r--r--sbin/ipf/libipf/binprint.c1
-rw-r--r--sbin/ipf/libipf/buildopts.c1
-rw-r--r--sbin/ipf/libipf/checkrev.c1
-rw-r--r--sbin/ipf/libipf/connecttcp.c2
-rw-r--r--sbin/ipf/libipf/count4bits.c1
-rw-r--r--sbin/ipf/libipf/count6bits.c1
-rw-r--r--sbin/ipf/libipf/debug.c1
-rw-r--r--sbin/ipf/libipf/facpri.c8
-rw-r--r--sbin/ipf/libipf/facpri.h1
-rw-r--r--sbin/ipf/libipf/fill6bits.c1
-rw-r--r--sbin/ipf/libipf/flags.c10
-rw-r--r--sbin/ipf/libipf/gethost.c1
-rw-r--r--sbin/ipf/libipf/getifname.c1
-rw-r--r--sbin/ipf/libipf/getnattype.c4
-rw-r--r--sbin/ipf/libipf/getport.c1
-rw-r--r--sbin/ipf/libipf/getportproto.c1
-rw-r--r--sbin/ipf/libipf/getproto.c1
-rw-r--r--sbin/ipf/libipf/getsumd.c1
-rw-r--r--sbin/ipf/libipf/hostname.c1
-rw-r--r--sbin/ipf/libipf/icmpcode.c1
-rw-r--r--sbin/ipf/libipf/inet_addr.c5
-rw-r--r--sbin/ipf/libipf/initparse.c1
-rw-r--r--sbin/ipf/libipf/interror.c22
-rw-r--r--sbin/ipf/libipf/ionames.c1
-rw-r--r--sbin/ipf/libipf/ipf_dotuning.c3
-rw-r--r--sbin/ipf/libipf/ipft_hx.c5
-rw-r--r--sbin/ipf/libipf/ipft_pc.c4
-rw-r--r--sbin/ipf/libipf/ipft_tx.c33
-rw-r--r--sbin/ipf/libipf/ipoptsec.c1
-rw-r--r--sbin/ipf/libipf/kmem.c5
-rw-r--r--sbin/ipf/libipf/kmem.h1
-rw-r--r--sbin/ipf/libipf/kmemcpywrap.c1
-rw-r--r--sbin/ipf/libipf/kvatoname.c1
-rw-r--r--sbin/ipf/libipf/load_hash.c1
-rw-r--r--sbin/ipf/libipf/load_hashnode.c24
-rw-r--r--sbin/ipf/libipf/load_http.c3
-rw-r--r--sbin/ipf/libipf/load_pool.c1
-rw-r--r--sbin/ipf/libipf/load_poolnode.c28
-rw-r--r--sbin/ipf/libipf/mutex_emul.c6
-rw-r--r--sbin/ipf/libipf/nametokva.c1
-rw-r--r--sbin/ipf/libipf/nat_setgroupmap.c4
-rw-r--r--sbin/ipf/libipf/ntomask.c1
-rw-r--r--sbin/ipf/libipf/optname.c1
-rw-r--r--sbin/ipf/libipf/optprint.c1
-rw-r--r--sbin/ipf/libipf/optprintv6.c1
-rw-r--r--sbin/ipf/libipf/optvalue.c1
-rw-r--r--sbin/ipf/libipf/parseipfexpr.c8
-rw-r--r--sbin/ipf/libipf/poolio.c5
-rw-r--r--sbin/ipf/libipf/portname.c1
-rw-r--r--sbin/ipf/libipf/print_toif.c1
-rw-r--r--sbin/ipf/libipf/printactiveaddr.c3
-rw-r--r--sbin/ipf/libipf/printactivenat.c4
-rw-r--r--sbin/ipf/libipf/printaps.c4
-rw-r--r--sbin/ipf/libipf/printbuf.c1
-rw-r--r--sbin/ipf/libipf/printfr.c1
-rw-r--r--sbin/ipf/libipf/printfraginfo.c8
-rw-r--r--sbin/ipf/libipf/printhash.c1
-rw-r--r--sbin/ipf/libipf/printhash_live.c3
-rw-r--r--sbin/ipf/libipf/printhashnode.c1
-rw-r--r--sbin/ipf/libipf/printhostmap.c1
-rw-r--r--sbin/ipf/libipf/printhostmask.c1
-rw-r--r--sbin/ipf/libipf/printifname.c1
-rw-r--r--sbin/ipf/libipf/printip.c1
-rw-r--r--sbin/ipf/libipf/printlog.c1
-rw-r--r--sbin/ipf/libipf/printmask.c1
-rw-r--r--sbin/ipf/libipf/printnat.c4
-rw-r--r--sbin/ipf/libipf/printnataddr.c3
-rw-r--r--sbin/ipf/libipf/printpacket.c26
-rw-r--r--sbin/ipf/libipf/printpacket6.c1
-rw-r--r--sbin/ipf/libipf/printpool.c1
-rw-r--r--sbin/ipf/libipf/printpool_live.c18
-rw-r--r--sbin/ipf/libipf/printpooldata.c10
-rw-r--r--sbin/ipf/libipf/printpoolnode.c1
-rw-r--r--sbin/ipf/libipf/printportcmp.c1
-rw-r--r--sbin/ipf/libipf/printproto.c3
-rw-r--r--sbin/ipf/libipf/printsbuf.c1
-rw-r--r--sbin/ipf/libipf/printstate.c1
-rw-r--r--sbin/ipf/libipf/printtcpflags.c6
-rw-r--r--sbin/ipf/libipf/printtunable.c1
-rw-r--r--sbin/ipf/libipf/remove_hash.c1
-rw-r--r--sbin/ipf/libipf/remove_hashnode.c1
-rw-r--r--sbin/ipf/libipf/remove_pool.c1
-rw-r--r--sbin/ipf/libipf/remove_poolnode.c1
-rw-r--r--sbin/ipf/libipf/resetlexer.c1
-rw-r--r--sbin/ipf/libipf/rwlock_emul.c1
-rw-r--r--sbin/ipf/libipf/tcp_flags.c13
-rw-r--r--sbin/ipf/libipf/tcpflags.c12
-rw-r--r--sbin/ipf/libipf/tcpoptnames.c1
-rw-r--r--sbin/ipf/libipf/v6ionames.c1
-rw-r--r--sbin/ipf/libipf/v6optvalue.c1
-rw-r--r--sbin/ipf/libipf/var.c4
-rw-r--r--sbin/ipf/libipf/verbose.c1
189 files changed, 303 insertions, 685 deletions
diff --git a/sbin/ipf/Makefile b/sbin/ipf/Makefile
index 075119abd542..1b0a18d3d9c3 100644
--- a/sbin/ipf/Makefile
+++ b/sbin/ipf/Makefile
@@ -1,5 +1,3 @@
-# $FreeBSD$
-
SUBDIR= libipf .WAIT
SUBDIR+= ipf ipfs ipfstat ipmon ipnat ippool
# XXX Temporarily disconnected.
diff --git a/sbin/ipf/Makefile.inc b/sbin/ipf/Makefile.inc
index 1f256a343b9a..cb3a3df50e0c 100644
--- a/sbin/ipf/Makefile.inc
+++ b/sbin/ipf/Makefile.inc
@@ -1,10 +1,7 @@
-# $FreeBSD$
-
.include <src.opts.mk>
WARNS?= 2
NO_WFORMAT=
-NO_WARRAY_BOUNDS=
CFLAGS+= -I${SRCTOP}/sys
CFLAGS+= -I${SRCTOP}/sys/netpfil/ipfilter
diff --git a/sbin/ipf/common/genmask.c b/sbin/ipf/common/genmask.c
index 5b715cf4c901..a3b912b67ef3 100644
--- a/sbin/ipf/common/genmask.c
+++ b/sbin/ipf/common/genmask.c
@@ -9,10 +9,8 @@
#include "ipf.h"
-int genmask(family, msk, mskp)
- int family;
- char *msk;
- i6addr_t *mskp;
+int
+genmask(int family, char *msk, i6addr_t *mskp)
{
char *endptr = 0L;
u_32_t addr;
diff --git a/sbin/ipf/common/ipf.h b/sbin/ipf/common/ipf.h
index b278d8ec5d6c..3e6ee594b8b6 100644
--- a/sbin/ipf/common/ipf.h
+++ b/sbin/ipf/common/ipf.h
@@ -1,11 +1,8 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ipf.h 1.12 6/5/96
* $Id$
*/
@@ -47,6 +44,7 @@
#include <errno.h>
#include <limits.h>
#include <netdb.h>
+#include <stdarg.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>
@@ -173,20 +171,14 @@ typedef struct proxyrule {
} proxyrule_t;
-#if defined(__NetBSD__) || defined(__FreeBSD__) || \
- SOLARIS
-# include <stdarg.h>
typedef int (* ioctlfunc_t)(int, ioctlcmd_t, ...);
-#else
-typedef int (* ioctlfunc_t)(dev_t, ioctlcmd_t, void *);
-#endif
typedef int (* addfunc_t)(int, ioctlfunc_t, void *);
typedef int (* copyfunc_t)(void *, void *, size_t);
extern char thishost[MAXHOSTNAMELEN];
extern char flagset[];
-extern u_char flags[];
+extern uint16_t flags[];
extern struct ipopt_names ionames[];
extern struct ipopt_names secclass[];
extern char *icmpcodes[MAX_ICMPCODE + 1];
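Review bot: Widening `extern uint16_t flags[];` here, and `tcpflags()` in the `@@ -338,7 +330,7` hunk, only helps if every consumer is widened as well. Any caller that still assigns the result to a `u_char` will silently drop bits above 0xff, so a rule could be loaded with a narrower flag mask than the one the administrator wrote. The definitions and call sites are outside these hunks, so that needs checking in tcp_flags.c, tcpflags.c and the parsers. A comment on the declaration would record the constraint, for example `/* TCP flag masks are 16 bits wide; never store them in a u_char */`.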
@@ -318,7 +310,7 @@ extern ipf_dstnode_t *printdstlistnode(ipf_dstnode_t *, copyfunc_t,
extern void printdstlistpolicy(ippool_policy_t);
extern struct ip_pool_s *printpool(struct ip_pool_s *, copyfunc_t,
char *, int, wordtab_t *);
-extern struct ip_pool_s *printpool_live(struct ip_pool_s *, int,
+extern void printpool_live(struct ip_pool_s *, int,
char *, int, wordtab_t *);
extern void printpooldata(ip_pool_t *, int);
extern void printpoolfield(void *, int, int);
@@ -338,7 +330,7 @@ extern int remove_hash(struct iphtable_s *, ioctlfunc_t);
extern int remove_hashnode(int, char *, struct iphtent_s *, ioctlfunc_t);
extern int remove_pool(ip_pool_t *, ioctlfunc_t);
extern int remove_poolnode(int, char *, ip_pool_node_t *, ioctlfunc_t);
-extern u_char tcpflags(char *);
+extern uint16_t tcpflags(char *);
extern void printc(struct frentry *);
extern void printC(int);
extern void emit(int, int, void *, struct frentry *);
diff --git a/sbin/ipf/common/ipf_y.y b/sbin/ipf/common/ipf_y.y
index ad4200023781..b3f7221672f3 100644
--- a/sbin/ipf/common/ipf_y.y
+++ b/sbin/ipf/common/ipf_y.y
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/common/ipmon.h b/sbin/ipf/common/ipmon.h
index 4807299c49d2..4d377027eb3d 100644
--- a/sbin/ipf/common/ipmon.h
+++ b/sbin/ipf/common/ipmon.h
@@ -1,11 +1,8 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
- *
- * @(#)ip_fil.h 1.35 6/5/96
* $Id$
*/
diff --git a/sbin/ipf/common/ipt.h b/sbin/ipf/common/ipt.h
index 9a4d75a85ccb..3ecdabdb61c5 100644
--- a/sbin/ipf/common/ipt.h
+++ b/sbin/ipf/common/ipt.h
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/common/kmem.h b/sbin/ipf/common/kmem.h
index c4b65ed63ce9..2adff4363b0b 100644
--- a/sbin/ipf/common/kmem.h
+++ b/sbin/ipf/common/kmem.h
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/common/lexer.c b/sbin/ipf/common/lexer.c
index 16fbb2272034..56ac3586af6e 100644
--- a/sbin/ipf/common/lexer.c
+++ b/sbin/ipf/common/lexer.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -11,6 +10,7 @@
# include "netinet/ip_scan.h"
#endif
#include <sys/ioctl.h>
+#include <sys/param.h>
#include <syslog.h>
#ifdef TEST_LEXER
# define NO_YACC
@@ -449,7 +449,7 @@ buildipv6:
oc = c;
if (prior == YY_NUMBER && c == ':') {
- snprintf(s, sizeof(s), "%d", priornum);
+ snprintf(s, sizeof(ipv6buf), "%d", priornum);
s += strlen(s);
}
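Review bot: `sizeof(ipv6buf)` is the correct bound only while `s` still points at the first byte of `ipv6buf`, and the declaration and initialisation of `s` are outside this hunk, so that cannot be confirmed from here. If `s` may already have advanced, the size argument should be the remaining space, `snprintf(s, sizeof(ipv6buf) - (size_t)(s - ipv6buf), "%d", priornum);`. The return value is also ignored, so a truncated number would flow unnoticed into the address being assembled.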
@@ -603,8 +603,7 @@ done:
}
-static wordtab_t *yyfindkey(key)
- char *key;
+static wordtab_t *yyfindkey(char *key)
{
wordtab_t *w;
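Review bot: The converted definition keeps the return type and name on one line, `static wordtab_t *yyfindkey(char *key)`, while the other conversions in this commit (genmask, m_xword, bpf_validate) and the neighbouring `yysetfixeddict(wordtab_t *newdict)` put the return type on its own line. Splitting it as `static wordtab_t *` followed by `yyfindkey(char *key)` would keep the file in one style. The function body continues outside the hunk.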
@@ -677,7 +676,7 @@ yysetfixeddict(wordtab_t *newdict)
if (yydebug)
printf("yysetfixeddict(%lx)\n", (u_long)newdict);
- if (yysavedepth == sizeof(yysavewords)/sizeof(yysavewords[0])) {
+ if (yysavedepth == nitems(yysavewords)) {
fprintf(stderr, "%d: at maximum dictionary depth\n",
yylineNum);
return;
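Review bot: The depth guard `if (yysavedepth == nitems(yysavewords)) {` protects an array index with an equality test, so it stops protecting anything if `yysavedepth` ever passes the limit by another path. `if (yysavedepth >= nitems(yysavewords)) {` costs nothing and fails closed. The same line is in the yysetdict hunk (`@@ -696,7 +695,7`). Both function bodies continue outside their hunks, so whether the counter only ever moves by one is not visible here.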
@@ -696,7 +695,7 @@ yysetdict(wordtab_t *newdict)
if (yydebug)
printf("yysetdict(%lx)\n", (u_long)newdict);
- if (yysavedepth == sizeof(yysavewords)/sizeof(yysavewords[0])) {
+ if (yysavedepth == nitems(yysavewords)) {
fprintf(stderr, "%d: at maximum dictionary depth\n",
yylineNum);
return;
diff --git a/sbin/ipf/common/lexer.h b/sbin/ipf/common/lexer.h
index cc200f1cad41..c5f9a0c4183e 100644
--- a/sbin/ipf/common/lexer.h
+++ b/sbin/ipf/common/lexer.h
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/common/opts.h b/sbin/ipf/common/opts.h
index 17844e89ecfc..1281458c145a 100644
--- a/sbin/ipf/common/opts.h
+++ b/sbin/ipf/common/opts.h
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/common/pcap-ipf.h b/sbin/ipf/common/pcap-ipf.h
index b856760eaa53..ba596e795efa 100644
--- a/sbin/ipf/common/pcap-ipf.h
+++ b/sbin/ipf/common/pcap-ipf.h
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/ipf/Makefile b/sbin/ipf/ipf/Makefile
index f1b87ac20fae..00cabf50cd89 100644
--- a/sbin/ipf/ipf/Makefile
+++ b/sbin/ipf/ipf/Makefile
@@ -1,11 +1,10 @@
-# $FreeBSD$
-
PACKAGE= ipf
PROG= ipf
SRCS= ${GENHDRS} ipf.c ipfcomp.c ipf_y.c ipf_l.c bpf_filter.c
MAN= ipfilter.4 ipfilter.5 ipf.8 ipf.4 ipf.5 ipl.4
MLINKS= ipf.5 ipf.conf.5 ipf.5 ipf6.conf.5
CFLAGS+= -I. -DIPFILTER_BPF -DHAS_SYS_MD5_H
+CFLAGS+= -Wno-error=unused-but-set-variable
GENHDRS= ipf_l.h ipf_y.h
CLEANFILES+= ${GENHDRS} ipf_y.c ipf_l.c
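Review bot: `CFLAGS+= -Wno-error=unused-but-set-variable` applies to every source in this program and carries no comment saying which file needs it. If the warning comes only from the generated `ipf_y.c`/`ipf_l.c` (not shown in this hunk), a line such as `# generated parser sets variables it never reads` would let the flag be dropped later. Without it, the hand-written sources lose -Werror coverage for this warning with no record of why.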
diff --git a/sbin/ipf/ipf/Makefile.depend b/sbin/ipf/ipf/Makefile.depend
index 84ddd8bb35de..d66414571fe3 100644
--- a/sbin/ipf/ipf/Makefile.depend
+++ b/sbin/ipf/ipf/Makefile.depend
@@ -1,15 +1,12 @@
-# $FreeBSD$
# Autogenerated - do NOT edit!
DIRDEPS = \
- gnu/lib/csu \
include \
include/arpa \
include/xlocale \
lib/${CSU_DIR} \
lib/libc \
lib/libcompiler_rt \
- lib/libelf \
lib/libkvm \
lib/libpcap \
sbin/ipf/libipf \
diff --git a/sbin/ipf/ipf/bpf-ipf.h b/sbin/ipf/ipf/bpf-ipf.h
index 2350e6cf0692..e41e9d71bbb9 100644
--- a/sbin/ipf/ipf/bpf-ipf.h
+++ b/sbin/ipf/ipf/bpf-ipf.h
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -36,10 +35,6 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * @(#)bpf.h 7.1 (Berkeley) 5/7/91
- *
- * @(#) $Header: /devel/CVS/IP-Filter/bpf-ipf.h,v 2.1 2002/10/26 12:14:26 darrenr Exp $ (LBL)
*/
#ifndef BPF_MAJOR_VERSION
@@ -91,7 +86,7 @@ struct bpf_stat {
* bpf understands a program iff kernel_major == filter_major &&
* kernel_minor >= filter_minor, that is, if the value returned by the
* running kernel has the same major number and a minor number equal
- * equal to or less than the filter being downloaded. Otherwise, the
+ * to or less than the filter being downloaded. Otherwise, the
* results are undefined, meaning an error may be returned or packets
* may be accepted haphazardly.
* It has nothing to do with the source code version.
diff --git a/sbin/ipf/ipf/bpf_filter.c b/sbin/ipf/ipf/bpf_filter.c
index fbb0138f51d8..bd7012d2f1ab 100644
--- a/sbin/ipf/ipf/bpf_filter.c
+++ b/sbin/ipf/ipf/bpf_filter.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -36,15 +35,8 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
- * @(#)bpf.c 7.5 (Berkeley) 7/15/91
*/
-#if !(defined(lint) || defined(KERNEL) || defined(_KERNEL))
-static const char rcsid[] =
- "@(#) $Header: /devel/CVS/IP-Filter/bpf_filter.c,v 2.2.2.3 2006/10/03 11:25:56 darrenr Exp $ (LBL)";
-#endif
-
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
@@ -117,9 +109,7 @@ static int m_xhalf(mb_t *, int, int *);
}
static int
-m_xword(m, k, err)
- register mb_t *m;
- register int k, *err;
+m_xword(mb_t *m, int k, int *err)
{
register int len;
register u_char *cp, *np;
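Review bot: The new prototype-style signature drops `register` from the parameters, but the locals directly below keep it (`register int len;`, `register u_char *cp, *np;`), leaving the function in two styles. The m_xhalf and bpf_filter hunks have the same split. Since the qualifier has no effect with current compilers, the locals could become `int len;` and `u_char *cp, *np;` in the same change. The function bodies continue outside the hunks.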
@@ -153,9 +143,7 @@ m_xword(m, k, err)
}
static int
-m_xhalf(m, k, err)
- register mb_t *m;
- register int k, *err;
+m_xhalf(mb_t *m, int k, int *err)
{
register int len;
register u_char *cp;
@@ -185,11 +173,7 @@ m_xhalf(m, k, err)
* in all other cases, p is a pointer to a buffer and buflen is its size.
*/
u_int
-bpf_filter(pc, p, wirelen, buflen)
- register struct bpf_insn *pc;
- register u_char *p;
- u_int wirelen;
- register u_int buflen;
+bpf_filter(struct bpf_insn *pc, u_char *p, u_int wirelen, u_int buflen)
{
register u_int32 A, X;
register int k;
@@ -478,9 +462,7 @@ bpf_filter(pc, p, wirelen, buflen)
* Otherwise, a bogus program could easily crash the system.
*/
int
-bpf_validate(f, len)
- struct bpf_insn *f;
- int len;
+bpf_validate(struct bpf_insn *f, int len)
{
u_int i, from;
const struct bpf_insn *p;
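Review bot: `bpf_validate(struct bpf_insn *f, int len)` keeps `len` as a signed `int` while the index declared just below is `u_int i, from;`. If the body, which is outside this hunk, compares `i` against `len`, a negative `len` converts to a very large unsigned bound. For a routine whose comment says a bogus program could crash the system, an explicit `if (len < 1) return 0;` at the top is worth confirming or adding. Since the cursor is already `const struct bpf_insn *p;`, the parameter could likely be `const struct bpf_insn *f` as well.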
diff --git a/sbin/ipf/ipf/ipf.4 b/sbin/ipf/ipf/ipf.4
index 73a17a0cc8d3..c5b3bac34947 100644
--- a/sbin/ipf/ipf/ipf.4
+++ b/sbin/ipf/ipf/ipf.4
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.TH IPF 4
.SH NAME
ipf \- packet filtering kernel interface
@@ -7,7 +6,6 @@ ipf \- packet filtering kernel interface
.br
#include <netinet/ip_fil.h>
.SH IOCTLS
-.PP
To add and delete rules to the filter list, three 'basic' ioctls are provided
for use. The ioctl's are called as:
.LP
@@ -121,7 +119,7 @@ Flags which are recognised in fr_flags:
FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
FR_RETICMP 0x000100 /* return an ICMP packet if blocked */
FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
- FR_NOMATCH 0x000200 /* no match occured */
+ FR_NOMATCH 0x000200 /* no match occurred */
FR_ACCOUNT 0x000400 /* count packet bytes */
FR_KEEPFRAG 0x000800 /* keep fragment information */
FR_KEEPSTATE 0x001000 /* keep `connection' state information */
diff --git a/sbin/ipf/ipf/ipf.5 b/sbin/ipf/ipf/ipf.5
index 7f72a817617b..4ff33290814a 100644
--- a/sbin/ipf/ipf/ipf.5
+++ b/sbin/ipf/ipf/ipf.5
@@ -1,9 +1,7 @@
-.\" $FreeBSD$
.TH IPF 5
.SH NAME
ipf, ipf.conf \- IPFilter firewall rules file format
.SH DESCRIPTION
-.PP
The ipf.conf file is used to specify rules for the firewall, packet
authentication and packet accounting components of IPFilter. To load rules
specified in the ipf.conf file, the ipf(8) program is used.
@@ -30,9 +28,8 @@ the direction of the packet (in or out)
address patterns or "all" to match any address information
.RE
.SS Long lines
-.PP
For rules lines that are particularly long, it is possible to split
-them over multiple lines implicity like this:
+them over multiple lines implicitly like this:
.PP
.nf
pass in on bgeo proto tcp from 1.1.1.1 port > 1000
@@ -46,7 +43,6 @@ pass in on bgeo proto tcp from 1.1.1.1 port > 1000 \\
to 2.2.2.2 port < 5000 flags S keep state
.fi
.SS Comments
-.PP
Comments in the ipf.conf file are indicated by the use of the '#' character.
This can either be at the start of the line, like this:
.PP
@@ -61,7 +57,6 @@ Or at the end of a like, like this:
pass in proto icmp from any to any # Allow all ICMP packets in
.fi
.SH Firewall rules
-.PP
This section goes into detail on how to construct firewall rules that
are placed in the ipf.conf file.
.PP
@@ -70,7 +65,6 @@ firewall rule set or which packets should be blocked or allowed in.
Some suggestions will be provided but further reading is expected to
fully understand what is safe and unsafe to allow in/out.
.SS Filter rule keywords
-.PP
The first word found in any filter rule describes what the eventual outcome
of a packet that matches it will be. Descriptions of the many and various
sections that can be used to match on the contents of packet headers will
@@ -132,7 +126,6 @@ rule to match a packet is a pass, if there is a later matching rule
that is a block and no further rules match the packet, then it will
be blocked.
.SS Matching Network Interfaces
-.PP
On systems with more than one network interface, it is necessary
to be able to specify different filter rules for each of them.
In the first instance, this is because different networks will send us
@@ -159,7 +152,6 @@ block in on bge0 all
pass out on bge0 all
.fi
.SS Address matching (basic)
-.PP
The first and most basic part of matching for filtering rules is to
specify IP addresses and TCP/UDP port numbers. The source address
information is matched by the "from" information in a filter rule
@@ -198,7 +190,6 @@ is processing that part of the configuration file, leading to long
delays, if not errors, in loading the filter rules.
.RE
.SS Protocol Matching
-.PP
To match packets based on TCP/UDP port information, it is first necessary
to indicate which protocol the packet must be. This is done using the
"proto" keyword, followed by either the protocol number or a name which
@@ -210,7 +201,6 @@ block out proto udp from any to 10.1.1.1
pass in proto icmp from any to 192.168.0.0/16
.fi
.SS Sending back error packets
-.PP
When a packet is just discarded using a block rule, there is no feedback given
to the host that sent the packet. This is both good and bad. If this is the
desired behaviour and it is not desirable to send any feedback about packets
@@ -224,7 +214,7 @@ To address this problem, a block rule can be qualified in two ways.
The first of these is specific to TCP and instructs IPFilter to send back
a reset (RST) packet. This packet indicates to the remote system that the
packet it sent has been rejected and that it shouldn't make any further
-attempts( to send packets to that port. Telling IPFilter to return a TCP);
+attempts to send packets to that port. Telling IPFilter to return a TCP
RST packet in response to something that has been received is achieved
with the return-rst keyword like this:
.PP
@@ -240,18 +230,18 @@ For all of the other protocols handled by the IP protocol suite, to send
back an error indicating that the received packet was dropped requires
sending back an ICMP error packet. Whilst these can also be used for TCP,
the sending host may not treat the received ICMP error as a hard error
-in( the same way as it does the TCP RST packet. To return an ICMP error);
+in the same way as it does the TCP RST packet. To return an ICMP error
it is necessary to place return-icmp after the block keyword like this:
.PP
.nf
block return-icmp in proto udp from any to 192.168.0.1/24
.fi
.PP
-When( electing to return an ICMP error packet, it is also possible to);
+When electing to return an ICMP error packet, it is also possible to
select what type of ICMP error is returned. Whilst the full compliment
of ICMP unreachable codes can be used by specifying a number instead of
the string below, only the following should be used in conjunction with
-return-icmp.( Which return code to use is a choice to be made when);
+return-icmp. Which return code to use is a choice to be made when
weighing up the pro's and con's. Using some of the codes may make it
more obvious that a firewall is being used rather than just the host
not responding.
@@ -296,7 +286,7 @@ proto-unr
(protocol unreachable)
the IP protocol specified in the packet is not available to receive
packets.
-.DE
+.RE
.PP
An example that shows how to send back a port unreachable packet for
UDP packets to 192.168.1.0/24 is as follows:
@@ -318,7 +308,6 @@ block return-icmp-as-dest(port-unr) in proto udp \\
from any to 192.168.1.0/24
.fi
.SS TCP/UDP Port Matching
-.PP
Having specified which protocol is being matched, it is then possible to
indicate which port numbers a packet must have in order to match the rule.
Due to port numbers being used differently to addresses, it is therefore
@@ -362,7 +351,6 @@ If there is no desire to mention any specific source or destintion
information in a filter rule then the word "all" can be used to
indicate that all addresses are considered to match the rule.
.SS IPv4 or IPv6
-.PP
If a filter rule is constructed without any addresses then IPFilter
will attempt to match both IPv4 and IPv6 packets with it. In the
next list of rules, each one can be applied to either network protocol
@@ -400,13 +388,11 @@ protocol family qualifier:
pass in family inet6 proto udp from any to any port = 53
.fi
.SS First match vs last match
-.PP
To change the default behaviour from being the last matched rule decides
the outcome to being the first matched rule, the word "quick" is inserted
to the rule.
.SH Extended Packet Matching
.SS Beyond using plain addresses
-.PP
On firewalls that are working with large numbers of hosts and networks
or simply trying to filter discretely against various hosts, it can
be an easier administration task to define a pool of addresses and have
@@ -476,7 +462,6 @@ with.
pass in proto icmp from any to (bge0)/32
.fi
.SS Using address pools
-.PP
Rather than list out multiple rules that either allow or deny specific
addresses, it is possible to create a single object, call an address
pool, that contains all of those addresses and reference that in the
@@ -506,7 +491,6 @@ There are different operational characteristics with each, so there
may be some situations where a pool works better than hash and vice
versa.
.SS Matching TCP flags
-.PP
The TCP header contains a field of flags that is used to decide if the
packet is a connection request, connection termination, data, etc.
By matching on the flags in conjunction with port numbers, it is
@@ -537,7 +521,7 @@ URG - this bit is set to indicate that the packet contains urgent data
.HP
R
RST - this bit is set only in packets that are a reply to another
-that has been received but is not targetted at any open port
+that has been received but is not targeted at any open port
.HP
C
CWN
@@ -549,10 +533,10 @@ When matching TCP flags, it is normal to just list the flag that you
wish to be set. By default the set of flags it is compared against
is "FSRPAU". Rules that say "flags S" will be displayed by ipfstat(8)
as having "flags S/FSRPAU". This is normal.
-The last two flags, "C" and "E", are optional - they
+The last three flags, "E", "W" and "e", are optional - they
may or may not be used by an end host and have no bearing on either
the acceptance of data nor control of the connection. Masking them
-out with "flags S/FSRPAUCE" may cause problems for remote hosts
+out with "flags S/FSRPAUEWe" may cause problems for remote hosts
making a successful connection.
.PP
.nf
@@ -563,7 +547,6 @@ pass out quick proto tcp from any port = 22 to any flags SA
By itself, filtering based on the TCP flags becomes more work but when
combined with stateful filtering (see below), the situation changes.
.SS Matching on ICMP header information
-.PP
The TCP and UDP are not the only protocols for which filtering beyond
just the IP header is possible, extended matching on ICMP packets is
also available. The list of valid ICMP types is different for IPv4
@@ -628,7 +611,6 @@ unreach (unreachable,
whoreq (WRU request),
whorep (WRU reply).
.SH Stateful Packet Filtering
-.PP
Stateful packet filtering is where IPFilter remembers some information from
one or more packets that it has seen and is able to apply it to future
packets that it receives from the network.
@@ -687,7 +669,7 @@ Once a TCP connection has reached the established state, the default
timeout allows for it to be idle for 5 days before it is removed from
the state table. The timeouts for the other TCP connection states
vary from 240 seconds to 30 seconds.
-Both UDP and ICMP state entries have asymetric timeouts where the timeout
+Both UDP and ICMP state entries have asymmetric timeouts where the timeout
set upon seeing packets in the forward direction is much larger than
for the reverse direction. For UDP the default timeouts are 120 and
12 seconds, for ICMP 60 and 6 seconds. This is a reflection of the
@@ -695,7 +677,6 @@ use of these protocols being more for query-response than for ongoing
connections. For all other protocols the
timeout is 60 seconds in both directions.
.SS Stateful filtering options
-.PP
The following options can be used with stateful filtering:
.HP
limit
@@ -813,7 +794,6 @@ If there is no IP protocol implied by addresses or other features of
the rule, IPFilter will assume that no netmask is an all ones netmask
for both IPv4 and IPv6.
.SS Tieing down a connection
-.PP
For any connection that transits a firewall, each packet will be seen
twice: once going in and once going out. Thus a connection has 4 flows
of packets:
@@ -852,7 +832,6 @@ pass in on bge0,bge1 out-via bge1,bge0 proto tcp \\
from any to any port = 22 flags S keep state
.fi
.SS Working with packet fragments
-.PP
Fragmented packets result in 1 packet containing all of the layer 3 and 4
header information whilst the data is split across a number of other packets.
.PP
@@ -884,15 +863,14 @@ An example of how this is done is as follows:
pass in proto udp from any port = 2049 to any with frags keep frags
.fi
.SH Building a tree of rules
-.PP
Writing your filter rules as one long list of rules can be both inefficient
in terms of processing the rules and difficult to understand. To make the
construction of filter rules easier, it is possible to place them in groups.
A rule can be both a member of a group and the head of a new group.
.PP
Using filter groups requires at least two rules: one to be in the group
-one one to send matchign packets to the group. If a packet matches a
-filtre rule that is a group head but does not match any of the rules
+one one to send matching packets to the group. If a packet matches a
+filter rule that is a group head but does not match any of the rules
in that group, then the packet is considered to have matched the head
rule.
.PP
@@ -948,7 +926,6 @@ to deliver spam, I could load the following rule to complement the above:
block in quick from 10.1.1.1 to any group spammers
.fi
.SS Decapsulation
-.PP
Rule groups also form a different but vital role for decapsulation rules.
With the following simple rule, if IPFilter receives an IP packet that has
an AH header as its layer 4 payload, IPFilter would adjust its view of the
@@ -983,7 +960,6 @@ It is possible to construct a decapsulate rule without the group
head at the end that ipf(8) will accept but such rules will not
result in anything happening.
.SS Policy Based Routing
-.PP
With firewalls being in the position they often are, at the boundary
of different networks connecting together and multiple connections that
have different properties, it is often desirable to have packets flow
@@ -1035,10 +1011,9 @@ pass in on bge0 to bge1:1.1.1.1 reply-to hme1:2.1.1.2 \\
to any port = 80 flags S keep state
.fi
.SS Matching IPv4 options
-.PP
The design for IPv4 allows for the header to be upto 64 bytes long,
however most traffic only uses the basic header which is 20 bytes long.
-The other 44 bytes can be uesd to store IP options. These options are
+The other 44 bytes can be used to store IP options. These options are
generally not necessary for proper interaction and function on the
Internet today. For most people it is sufficient to block and drop
all packets that have any options set. This can be achieved with this
@@ -1091,7 +1066,7 @@ some of the nodes the packet must go through, with the ssrr option,
every next hop router must be specified.
.PP
The complete list of IPv4 options that can be matched on is:
-addext (Address Extention),
+addext (Address Extension),
cipso (Classical IP Security Option),
dps (Dynamic Packet State),
e-sec (Extended Security),
@@ -1116,7 +1091,6 @@ ump (Upstream Multicast Packet),
visa (Experimental Access Control)
and zsu (Experimental Measurement).
.SS Security with CIPSO and IPSO
-.PP
IPFilter supports filtering on IPv4 packets using security attributes embedded
in the IP options part of the packet. These options are usually only used on
networks and systems that are using lablled security. Unless you know that
@@ -1140,7 +1114,6 @@ block in quick all with opt sec-class unclass
pass in all with opt sec-class secret
.fi
.SS Matching IPv6 extension headers
-.PP
Just as it is possible to filter on the various IPv4 header options,
so too it is possible to filter on the IPv6 extension headers that are
placed between the IPv6 header and the transport protocol header.
@@ -1154,7 +1127,6 @@ mobility (IP mobility),
none,
routing.
.SS Logging
-.PP
There are two ways in which packets can be logged with IPFilter. The
first is with a rule that specifically says log these types of packets
and the second is a qualifier to one of the other keywords. Thus it is
@@ -1212,7 +1184,6 @@ pass in log level local1.info proto tcp \\
ipfstat(8) reports how many packets have been successfully logged and how
many failed attempts to log a packet there were.
.SS Filter rule comments
-.PP
If there is a desire to associate a text string, be it an administrative
comment or otherwise, with an IPFilter rule, this can be achieved by giving
the filter rule a comment. The comment is loaded with the rule into the
@@ -1225,7 +1196,6 @@ pass out quick proto tcp from any port = 80 \\
to any comment "all web server traffic is ok"
.fi
.SS Tags
-.PP
To enable filtering and NAT to correctly match up packets with rules,
tags can be added at with NAT (for inbound packets) and filtering (for
outbound packets.) This allows a filter to be correctly mated with its
@@ -1250,7 +1220,6 @@ such as grep, extracting log records of interest is simplified.
block in quick log ... set-tag(log=33)
.fi
.SH Filter Rule Expiration
-.PP
IPFilter allows rules to be added into the kernel that it will remove after
a specific period of time by specifying rule-ttl at the end of a rule.
When listing rules in the kernel using ipfstat(8), rules that are going
@@ -1265,7 +1234,6 @@ pass in on fxp0 proto tcp from any \\
to port = 22 flags S keep state rule-ttl 30
.fi
.SH Internal packet attributes
-.PP
In addition to being able to filter on very specific network and transport
header fields, it is possible to filter on other attributes that IPFilter
attaches to a packet. These attributes are placed in a rule after the
@@ -1333,7 +1301,6 @@ block in all
pass in all with not bad
.fi
.SH Tuning IPFilter
-.PP
The ipf.conf file can also be used to tune the behaviour of IPFilter,
allowing, for example, timeouts for the NAT/state table(s) to be set
along with their sizes. The presence and names of tunables may change
@@ -1358,7 +1325,7 @@ A list of the currently available variables inside IPFilter that may
be tuned from ipf.conf are as follows:
.HP
active
-set through -s command line switch of ipf(8). See ipf(8) for detals.
+set through -s command line switch of ipf(8). See ipf(8) for details.
.HP
chksrc
when set, enables reverse path verification on source addresses and
@@ -1431,7 +1398,7 @@ sets the size of the in-kernel log buffer in bytes.
log_suppress
when set, IPFilter will check to see if the packet it is logging is
similar to the one it previously logged and if so, increases
-the occurance count for that packet. The previously logged packet
+the occurrence count for that packet. The previously logged packet
must not have yet been read by ipmon(8).
.HP
min_ttl
@@ -1468,8 +1435,8 @@ when the fill percentage of the NAT table exceeds this mark, more
aggressive flushing is enabled.
.HP
nat_table_wm_low
-this sets the percentage at which the NAT table's agressive flushing
-will turn itself off at.
+this sets the percentage at which the NAT table's aggressive flushing
+will turn itself off.
.HP
rdr_rules_size
size of the hash table to store rdr rules.
@@ -1493,7 +1460,7 @@ state_size
size of the hash table used for stateful filtering
.HP
state_wm_freq
-this controls how often the agressive flushing should be run once the
+this controls how often the aggressive flushing should be run once the
state table exceeds state_wm_high in percentage full.
.HP
state_wm_high
@@ -1501,7 +1468,7 @@ when the fill percentage of the state table exceeds this mark, more
aggressive flushing is enabled.
.HP
state_wm_low
-this sets the percentage at which the state table's agressive flushing
+this sets the percentage at which the state table's aggressive flushing
will turn itself off at.
.HP
tcp_close_wait
@@ -1544,7 +1511,6 @@ update_ipid
when set, turns on changing the IP id field in NAT'd packets to a random
number.
.SS Table of visible variables
-.PP
A list of all of the tunables, their minimum, maximum and current
values is as follows.
.PP
@@ -1603,7 +1569,6 @@ udp_timeout 1 MAXINT 240
update_ipid 0 1 0
.fi
.SH Calling out to internal functions
-.PP
IPFilter provides a pair of functions that can be called from a rule
that allow for a single rule to jump out to a group rather than walk
through a list of rules to find the group. If you've got multiple
@@ -1638,7 +1603,6 @@ group-map in role=ipf number=1010
{ 1.1.1.1 group = 1020, 3.3.0.0/16 group = 1030; };
.fi
.SS IPFilter matching expressions
-.PP
An experimental feature that has been added to filter rules is to use
the same expression matching that is available with various commands
to flush and list state/NAT table entries. The use of such an expression
@@ -1648,7 +1612,6 @@ precludes the filter rule from using the normal IP header matching.
pass in exp { "tcp.sport 23 or tcp.sport 50" } keep state
.fi
.SS Filter rules with BPF
-.PP
On platforms that have the BPF built into the kernel, IPFilter can be
built to allow BPF expressions in filter rules. This allows for packet
matching to be on arbitrary data in the packt. The use of a BPF expression
@@ -1666,7 +1629,6 @@ accurately reconstruct the original text filter. The end result is that
while ipf.conf() can be easy to read, understanding the output from
ipfstat might not be.
.SH VARIABLES
-.PP
This configuration file, like all others used with IPFilter, supports the
use of variable substitution throughout the text.
.PP
diff --git a/sbin/ipf/ipf/ipf.8 b/sbin/ipf/ipf/ipf.8
index 3a84e7776b47..fba145b0c785 100644
--- a/sbin/ipf/ipf/ipf.8
+++ b/sbin/ipf/ipf/ipf.8
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.TH IPF 8
.SH NAME
ipf \- alters packet filtering lists for IP packet input and output
@@ -23,7 +22,6 @@ ipf \- alters packet filtering lists for IP packet input and output
<\fIfilename\fP>
[...]]
.SH DESCRIPTION
-.PP
\fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the
file for a set of rules which are to be added or removed from the packet
filter rule set.
@@ -49,7 +47,7 @@ supports \fBlanguage\fI. At present, the only target language supported is
\fBC\fB (-cc) for which two files - \fBip_rules.c\fP
and \fBip_rules.h\fP are generated in the \fBCURRENT DIRECTORY\fP when
\fBipf\fP is being run. These files can be used with the
-\fBIPFILTER_COMPILED\fP kernel option to build filter rules staticlly into
+\fBIPFILTER_COMPILED\fP kernel option to build filter rules statically into
the kernel.
.TP
.B \-d
@@ -159,7 +157,8 @@ Zero global statistics held in the kernel for filtering only (this doesn't
affect fragment or state statistics).
.DT
.SH ENVIRONMENT
-.NM utilizes the following environment variable.
+.B ipf
+utilizes the following environment variable.
.TP
.B IPF_PREDEFINED
ipfilter variables, see VARIABLES in ipf(5), can be specified in this
@@ -176,9 +175,7 @@ IPF_PREDEFINED='my_server="10.1.1.1"; my_client="10.1.1.2";'
.SH SEE ALSO
ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8)
.SH DIAGNOSTICS
-.PP
Needs to be run as root for the packet filtering lists to actually
be affected inside the kernel.
.SH BUGS
-.PP
If you find any, please send email to me at darrenr@pobox.com
diff --git a/sbin/ipf/ipf/ipf.c b/sbin/ipf/ipf/ipf.c
index de5121d94767..cf14c06ee829 100644
--- a/sbin/ipf/ipf/ipf.c
+++ b/sbin/ipf/ipf/ipf.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -11,10 +10,6 @@
#include <sys/ioctl.h>
#include "netinet/ipl.h"
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#if !defined(__SVR4) && defined(__GNUC__)
extern char *index(const char *, int);
@@ -367,7 +362,7 @@ flushfilter(char *arg, int *filter)
if (!(opts & OPT_DONOTHING)) {
if (use_inet6) {
fprintf(stderr,
- "IPv6 rules are no longer seperate\n");
+ "IPv6 rules are no longer separate\n");
} else if (filter != NULL) {
ipfobj_t obj;
diff --git a/sbin/ipf/ipf/ipfcomp.c b/sbin/ipf/ipf/ipfcomp.c
index cf01838d7966..9d0b3642e732 100644
--- a/sbin/ipf/ipf/ipfcomp.c
+++ b/sbin/ipf/ipf/ipfcomp.c
@@ -1,14 +1,9 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include "ipf.h"
@@ -690,7 +685,7 @@ emitGroup(int num, int dir, void *v, frentry_t *fr, char *group,
if (n) {
/*
* Calculate the indentation interval upto the last common
- * common comparison being made.
+ * comparison being made.
*/
for (i = 0, in = 1; i < FRC_MAX; i++) {
if (n[i].c != m[i].c)
diff --git a/sbin/ipf/ipf/ipfilter.4 b/sbin/ipf/ipf/ipfilter.4
index 10fd18e0606f..39676e3c1dae 100644
--- a/sbin/ipf/ipf/ipfilter.4
+++ b/sbin/ipf/ipf/ipfilter.4
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.\"
.TH IP\ FILTER 4
.SH NAME
@@ -124,7 +123,7 @@ file
syslog
.PP
ipsend(1)
-generates arbitary IP packets for ethernet connected machines.
+generates arbitrary IP packets for ethernet connected machines.
.PP
ipresend(1)
reads in a data file of saved IP packets (ie
@@ -232,8 +231,7 @@ various stages introduced by IP Filter.
.fi
.SH MORE INFORMATION
-More information (including pointers to the FAQ and the mailing list) can be
-obtained from the sofware's official homepage: www.ipfilter.org
+The IP Filter FAQ can be found at https://www.phildev.net/ipf/
.SH SEE ALSO
ipf(4), ipf(5), ipf(8), ipfilter(5), ipfs(8), ipfstat(8), ipftest(1),
diff --git a/sbin/ipf/ipf/ipfilter.5 b/sbin/ipf/ipf/ipfilter.5
index 97e504df15fa..0a1da67d70cd 100644
--- a/sbin/ipf/ipf/ipfilter.5
+++ b/sbin/ipf/ipf/ipfilter.5
@@ -1,9 +1,7 @@
-.\" $FreeBSD$
.TH IPFILTER 1
.SH NAME
IP Filter
.SH DESCRIPTION
-.PP
IP Filter is a package providing packet filtering capabilities for a variety
of operating systems. On a properly setup system, it can be used to build a
firewall.
diff --git a/sbin/ipf/ipf/ipl.4 b/sbin/ipf/ipf/ipl.4
index da1d9e61ce0f..a59d1b2bf7b1 100644
--- a/sbin/ipf/ipf/ipl.4
+++ b/sbin/ipf/ipf/ipl.4
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.\"
.TH IPL 4
.SH NAME
diff --git a/sbin/ipf/ipfs/Makefile b/sbin/ipf/ipfs/Makefile
index 6f76f9db5d76..09bf881deca3 100644
--- a/sbin/ipf/ipfs/Makefile
+++ b/sbin/ipf/ipfs/Makefile
@@ -1,5 +1,3 @@
-# $FreeBSD$
-
PACKAGE=ipf
PROG= ipfs
MAN= ipfs.8
diff --git a/sbin/ipf/ipfs/Makefile.depend b/sbin/ipf/ipfs/Makefile.depend
index 2b60f342cc06..177321b7cb0b 100644
--- a/sbin/ipf/ipfs/Makefile.depend
+++ b/sbin/ipf/ipfs/Makefile.depend
@@ -1,15 +1,12 @@
-# $FreeBSD$
# Autogenerated - do NOT edit!
DIRDEPS = \
- gnu/lib/csu \
include \
include/arpa \
include/xlocale \
lib/${CSU_DIR} \
lib/libc \
lib/libcompiler_rt \
- lib/libelf \
lib/libkvm \
sbin/ipf/libipf \
diff --git a/sbin/ipf/ipfs/ipfs.8 b/sbin/ipf/ipfs/ipfs.8
index 01d0c707d60c..cf668cc09400 100644
--- a/sbin/ipf/ipfs/ipfs.8
+++ b/sbin/ipf/ipfs/ipfs.8
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.\"
.TH IPFS 8
.SH NAME
@@ -41,7 +40,6 @@ ipfs \- saves and restores information for NAT and state tables.
.B \-i
<if1>,<if2>
.SH DESCRIPTION
-.PP
\fBipfs\fP allows state information created for NAT entries and rules using
\fIkeep state\fP to be locked (modification prevented) and then saved to disk,
allowing for the system to experience a reboot, followed by the restoration
@@ -118,10 +116,8 @@ operation and unlocked once complete.
.SH SEE ALSO
ipf(8), ipl(4), ipmon(8), ipnat(8)
.SH DIAGNOSTICS
-.PP
Perhaps the -W and -R operations should set the locking but rather than
undo it, restore it to what it was previously. Fragment table information
is currently not saved.
.SH BUGS
-.PP
If you find any, please send email to me at darrenr@pobox.com
diff --git a/sbin/ipf/ipfs/ipfs.c b/sbin/ipf/ipfs/ipfs.c
index 3f1202894fad..6225c6e1154d 100644
--- a/sbin/ipf/ipfs/ipfs.c
+++ b/sbin/ipf/ipfs/ipfs.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -31,9 +30,6 @@
#include "ipf.h"
#include "netinet/ipl.h"
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id$";
-#endif
#ifndef IPF_SAVEDIR
# define IPF_SAVEDIR "/var/db/ipf"
diff --git a/sbin/ipf/ipfstat/Makefile b/sbin/ipf/ipfstat/Makefile
index 80c2e89a2c88..795e89e0a14f 100644
--- a/sbin/ipf/ipfstat/Makefile
+++ b/sbin/ipf/ipfstat/Makefile
@@ -1,5 +1,3 @@
-# $FreeBSD$
-
NOGCCERROR= # defined
PACKAGE= ipf
diff --git a/sbin/ipf/ipfstat/Makefile.depend b/sbin/ipf/ipfstat/Makefile.depend
index 8e480ba0d4ec..2d8f0cbb9bab 100644
--- a/sbin/ipf/ipfstat/Makefile.depend
+++ b/sbin/ipf/ipfstat/Makefile.depend
@@ -1,17 +1,15 @@
-# $FreeBSD$
# Autogenerated - do NOT edit!
DIRDEPS = \
- gnu/lib/csu \
include \
include/arpa \
include/xlocale \
lib/${CSU_DIR} \
lib/libc \
lib/libcompiler_rt \
- lib/libelf \
lib/libkvm \
- lib/ncurses/ncursesw \
+ lib/ncurses/ncurses \
+ lib/ncurses/tinfo \
sbin/ipf/libipf \
diff --git a/sbin/ipf/ipfstat/ipfstat.8 b/sbin/ipf/ipfstat/ipfstat.8
index 3762bccbdccf..0d9bbb72e81c 100644
--- a/sbin/ipf/ipfstat/ipfstat.8
+++ b/sbin/ipf/ipfstat/ipfstat.8
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.TH ipfstat 8
.SH NAME
ipfstat \- reports on packet filter statistics and filter list
diff --git a/sbin/ipf/ipfstat/ipfstat.c b/sbin/ipf/ipfstat/ipfstat.c
index 11b3043f919c..fd0ac83097a0 100644
--- a/sbin/ipf/ipfstat/ipfstat.c
+++ b/sbin/ipf/ipfstat/ipfstat.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -38,10 +37,6 @@
# include <paths.h>
#endif
-#if !defined(lint)
-static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
extern char *optarg;
@@ -162,8 +157,7 @@ static int sort_dstpt(const void *, const void *);
#endif
-static void usage(name)
- char *name;
+static void usage(char *name)
{
#ifdef USE_INET6
fprintf(stderr, "Usage: %s [-46aAdfghIilnoRsv]\n", name);
@@ -329,7 +323,7 @@ int main(int argc, char *argv[])
case 'm' :
filter = parseipfexpr(optarg, NULL);
if (filter == NULL) {
- fprintf(stderr, "Error parseing '%s'\n",
+ fprintf(stderr, "Error parsing '%s'\n",
optarg);
exit(1);
}
@@ -1574,7 +1568,7 @@ static void topipstates(i6addr_t saddr, i6addr_t daddr, int sport, int dport,
/*
* For an IPv4 IP address we need at most 15 characters,
* 4 tuples of 3 digits, separated by 3 dots. Enforce this
- * length, so the colums do not change positions based
+ * length, so the columns do not change positions based
* on the size of the IP address. This length makes the
* output fit in a 80 column terminal.
* We are lacking a good solution for IPv6 addresses (that
diff --git a/sbin/ipf/ipfsync/ipfsyncd.c b/sbin/ipf/ipfsync/ipfsyncd.c
index ead92b70371c..e22aa7c1423c 100644
--- a/sbin/ipf/ipfsync/ipfsyncd.c
+++ b/sbin/ipf/ipfsync/ipfsyncd.c
@@ -3,10 +3,6 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipfsyncd.c,v 1.1.2.2 2012/07/22 08:04:24 darren_r Exp $";
-#endif
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
diff --git a/sbin/ipf/ipfsync/ipsyncm.c b/sbin/ipf/ipfsync/ipsyncm.c
index d57196379210..74dada9f56c5 100644
--- a/sbin/ipf/ipfsync/ipsyncm.c
+++ b/sbin/ipf/ipfsync/ipsyncm.c
@@ -1,14 +1,9 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
diff --git a/sbin/ipf/ipfsync/ipsyncs.c b/sbin/ipf/ipfsync/ipsyncs.c
index a53cfb8c9508..4aec6925f079 100644
--- a/sbin/ipf/ipfsync/ipsyncs.c
+++ b/sbin/ipf/ipfsync/ipsyncs.c
@@ -1,14 +1,9 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
diff --git a/sbin/ipf/ipftest/Makefile b/sbin/ipf/ipftest/Makefile
index 671d9eeb8046..d446ab9d22be 100644
--- a/sbin/ipf/ipftest/Makefile
+++ b/sbin/ipf/ipftest/Makefile
@@ -1,5 +1,3 @@
-# $FreeBSD$
-
PACKAGE= ipf
PROG= ipftest
SRCS= ${GENHDRS} ipftest.c fil.c ip_frag.c ip_state.c ip_nat.c \
diff --git a/sbin/ipf/ipftest/Makefile.depend b/sbin/ipf/ipftest/Makefile.depend
index cfe5ad5352e5..59af14fecc53 100644
--- a/sbin/ipf/ipftest/Makefile.depend
+++ b/sbin/ipf/ipftest/Makefile.depend
@@ -1,4 +1,3 @@
-# $FreeBSD$
# Autogenerated - do NOT edit!
DIRDEPS = \
diff --git a/sbin/ipf/ipftest/ip_fil.c b/sbin/ipf/ipftest/ip_fil.c
index f5955ddffdfe..6df3bed8224e 100644
--- a/sbin/ipf/ipftest/ip_fil.c
+++ b/sbin/ipf/ipftest/ip_fil.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -7,10 +6,6 @@
*
* $Id$
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include "ipf.h"
#include "md5.h"
@@ -558,7 +553,7 @@ ipf_newisn(fin)
/* ------------------------------------------------------------------------ */
/* Function: ipf_nextipid */
-/* Returns: int - 0 == success, -1 == error (packet should be droppped) */
+/* Returns: int - 0 == success, -1 == error (packet should be dropped) */
/* Parameters: fin(I) - pointer to packet information */
/* */
/* Returns the next IPv4 ID to use for this packet. */
diff --git a/sbin/ipf/ipftest/ipftest.1 b/sbin/ipf/ipftest/ipftest.1
index 10232d338d9f..456304c9d0b2 100644
--- a/sbin/ipf/ipftest/ipftest.1
+++ b/sbin/ipf/ipftest/ipftest.1
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.TH ipftest 1
.SH NAME
ipftest \- test packet filter rules with arbitrary input.
@@ -35,7 +34,6 @@ interface
<optionlist>
]
.SH DESCRIPTION
-.PP
\fBipftest\fP is provided for the purpose of being able to test a set of
filter rules without having to put them in place, in operation and proceed
to test their effectiveness. The hope is that this minimises disruptions
@@ -127,7 +125,7 @@ This is the default if no \fB\-F\fP argument is specified.
The format used is as follows:
.nf
"in"|"out" "on" if ["tcp"|"udp"|"icmp"]
- srchost[,srcport] dsthost[,destport] [FSRPAU]
+ srchost[,srcport] dsthost[,destport] [FSRPAUEWe]
.fi
.PP
This allows for a packet going "in" or "out" of an interface (if) to be
diff --git a/sbin/ipf/ipftest/ipftest.c b/sbin/ipf/ipftest/ipftest.c
index e7a0d71fffca..2dfbe20592b3 100644
--- a/sbin/ipf/ipftest/ipftest.c
+++ b/sbin/ipf/ipftest/ipftest.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -10,10 +9,6 @@
#include <sys/ioctl.h>
#include <sys/file.h>
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
extern char *optarg;
extern struct ipread pcap, iptext, iphex;
diff --git a/sbin/ipf/ipftest/md5.c b/sbin/ipf/ipftest/md5.c
index d27430b1f212..54c0ac1ed5b0 100644
--- a/sbin/ipf/ipftest/md5.c
+++ b/sbin/ipf/ipftest/md5.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
diff --git a/sbin/ipf/ipftest/md5.h b/sbin/ipf/ipftest/md5.h
index 6f59500daf19..ab94cd21eac7 100644
--- a/sbin/ipf/ipftest/md5.h
+++ b/sbin/ipf/ipftest/md5.h
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
***********************************************************************
diff --git a/sbin/ipf/iplang/iplang.h b/sbin/ipf/iplang/iplang.h
index f38ef9671701..acf8369afb15 100644
--- a/sbin/ipf/iplang/iplang.h
+++ b/sbin/ipf/iplang/iplang.h
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/iplang/iplang_l.l b/sbin/ipf/iplang/iplang_l.l
index 58538d8e4d1c..ce1ae2031454 100644
--- a/sbin/ipf/iplang/iplang_l.l
+++ b/sbin/ipf/iplang/iplang_l.l
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
%{
/*
diff --git a/sbin/ipf/iplang/iplang_y.y b/sbin/ipf/iplang/iplang_y.y
index e6c88ddcd9bc..9e8ebf4e4312 100644
--- a/sbin/ipf/iplang/iplang_y.y
+++ b/sbin/ipf/iplang/iplang_y.y
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
%{
/*
@@ -7,7 +6,6 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* Id: iplang_y.y,v 2.9.2.4 2006/03/17 12:11:29 darrenr Exp $
- * $FreeBSD$
*/
#include <stdio.h>
@@ -1047,9 +1045,9 @@ void set_tcpsum(char **arg)
void set_tcpflags(char **arg)
{
- static char flags[] = "ASURPF";
+ static char flags[] = "ASURPFEWe";
static int flagv[] = { TH_ACK, TH_SYN, TH_URG, TH_RST, TH_PUSH,
- TH_FIN } ;
+ TH_FIN, TH_ECE, TH_CWR, TH_AE } ;
char *s, *t;
for (s = *arg; *s; s++)
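Review bot: The `flags` string and the `flagv` array in set_tcpflags are parallel tables kept in step only by hand, and this hunk grows both by three entries. If a later edit adds a letter without a value, `flagv[t - flags]` in the next hunk would index past the array. A compile-time check placed directly after the two declarations would catch that: `_Static_assert(sizeof(flags) - 1 == sizeof(flagv) / sizeof(flagv[0]), "flags/flagv out of step");`. The lookup that produces `t` lies between this hunk and the next, so its exact form is not visible here.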
@@ -1058,10 +1056,11 @@ void set_tcpflags(char **arg)
fprintf(stderr, "unknown TCP flag %c\n", *s);
break;
}
- tcp->th_flags = strtol(*arg, NULL, 0);
+ __tcp_set_flags(tcp, strtol(*arg, NULL, 0));
break;
} else
- tcp->th_flags |= flagv[t - flags];
+ __tcp_set_flags(tcp, __tcp_get_flags(tcp) |
+ flagv[t - flags]);
free(*arg);
*arg = NULL;
}
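Review bot: The numeric fallback `__tcp_set_flags(tcp, strtol(*arg, NULL, 0));` hands an unchecked `long` to the flag setter. Non-numeric text silently becomes 0, and a negative or oversized value is narrowed without any diagnostic. Parsing with an end pointer and a range check would make bad input fail loudly, for example `v = strtol(*arg, &end, 0);` followed by `if (end == *arg || *end != '\0' || v < 0 || v > FLAGS_MAX)`. Here `FLAGS_MAX` is a placeholder for whatever width the header's flag field really has. The condition that selects this branch is outside the hunk, so when the numeric path is taken is inferred from the surrounding lines.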
diff --git a/sbin/ipf/ipmon/Makefile b/sbin/ipf/ipmon/Makefile
index 7225f8c8bcb1..257e3b999777 100644
--- a/sbin/ipf/ipmon/Makefile
+++ b/sbin/ipf/ipmon/Makefile
@@ -1,5 +1,3 @@
-# $FreeBSD$
-
PACKAGE= ipf
PROG= ipmon
SRCS= ${GENHDRS} ipmon.c ipmon_y.c ipmon_l.c
@@ -7,6 +5,7 @@ MAN= ipmon.5 ipmon.8
MLINKS= ipmon.5 ipmon.conf.5
CFLAGS+= -DLOGFAC=LOG_LOCAL0 -I.
+CFLAGS+= -Wno-error=unused-but-set-variable
GENHDRS+= ipmon_l.h ipmon_y.h
CLEANFILES+= ${GENHDRS} ipmon_y.c ipmon_l.c
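Review bot: `CFLAGS+= -Wno-error=unused-but-set-variable` downgrades the warning for every source in the program, including the hand-written ipmon.c, although the variables it presumably covers come from the generated yacc/lex output. Scoping it to the generated files keeps the check as an error for hand-written code, for example `CWARNFLAGS.ipmon_y.c+= -Wno-error=unused-but-set-variable`, with a matching line for ipmon_l.c if it needs one. A one-line comment naming the file that triggers the warning would also help whoever later tries to remove the flag. The same blanket flag is added in sbin/ipf/ipnat/Makefile.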
diff --git a/sbin/ipf/ipmon/Makefile.depend b/sbin/ipf/ipmon/Makefile.depend
index cfe5ad5352e5..4d9091bff680 100644
--- a/sbin/ipf/ipmon/Makefile.depend
+++ b/sbin/ipf/ipmon/Makefile.depend
@@ -1,15 +1,12 @@
-# $FreeBSD$
# Autogenerated - do NOT edit!
DIRDEPS = \
- gnu/lib/csu \
include \
include/arpa \
include/xlocale \
lib/${CSU_DIR} \
lib/libc \
lib/libcompiler_rt \
- lib/libelf \
lib/libkvm \
sbin/ipf/libipf \
usr.bin/yacc.host \
diff --git a/sbin/ipf/ipmon/ipmon.5 b/sbin/ipf/ipmon/ipmon.5
index 95126f0c83c3..c6a4b6c12a42 100644
--- a/sbin/ipf/ipmon/ipmon.5
+++ b/sbin/ipf/ipmon/ipmon.5
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.\"
.TH IPMON 5
.SH NAME
@@ -53,7 +52,6 @@ The lines above would save all ipf log entries to /var/log/ipf-log, send
all of the entries for NAT (ipnat related) to syslog and generate an email
to root for each log entry from the state tables.
.SH SYNTAX - MATCHING
-.PP
In the above example, the matching segment was confined to matching on
the type of log entry generated. The full list of fields that can be
used here is:
@@ -190,7 +188,6 @@ it can then be used in any
.I do
statement.
.SH EXAMPLES
-.PP
Some further examples are:
.nf
@@ -209,7 +206,6 @@ match { dstip 127.0.0.1; } do { local("local options"); };
#
.fi
.SH MATCHING
-.PP
All entries of the rules present in the file are
compared for matches - there is no first or last rule match.
.SH FILES
diff --git a/sbin/ipf/ipmon/ipmon.8 b/sbin/ipf/ipmon/ipmon.8
index 3f4036d96e21..901d1a2a804e 100644
--- a/sbin/ipf/ipmon/ipmon.8
+++ b/sbin/ipf/ipmon/ipmon.8
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.TH ipmon 8
.SH NAME
ipmon \- monitors /dev/ipl for logged packets
@@ -28,7 +27,6 @@ ipmon \- monitors /dev/ipl for logged packets
.B <filename>
]
.SH DESCRIPTION
-.LP
\fBipmon\fP opens \fB/dev/ipl\fP for reading and awaits data to be saved from
the packet filter. The binary data read from the device is reprinted in
human readable form, however, IP#'s are not mapped back to hostnames, nor are
@@ -192,5 +190,4 @@ recorded data.
.SH SEE ALSO
ipl(4), ipmon(5), ipf(8), ipfstat(8), ipnat(8)
.SH BUGS
-.PP
If you find any, please send email to me at darrenr@pobox.com
diff --git a/sbin/ipf/ipmon/ipmon.c b/sbin/ipf/ipmon/ipmon.c
index f71a33b1034e..a07401ff5e88 100644
--- a/sbin/ipf/ipmon/ipmon.c
+++ b/sbin/ipf/ipmon/ipmon.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -14,10 +13,6 @@
#include <fcntl.h>
#include <signal.h>
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#define STRERROR(x) strerror(x)
@@ -82,7 +77,8 @@ struct flags tcpfl[] = {
{ TH_URG, 'U' },
{ TH_PUSH,'P' },
{ TH_ECN, 'E' },
- { TH_CWR, 'C' },
+ { TH_CWR, 'W' },
+ { TH_AE, 'e' },
{ 0, '\0' }
};
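Review bot: Printing CWR as 'W' instead of 'C', and adding 'e' for AE, changes the flag string ipmon emits for TCP log records. Any log parser or detection rule that matches the old 'C' letter will silently stop matching after this change. The commit touches ipmon.8 only to drop markup, so the new letters should be listed there, and a comment on the table would help, for example `/* letters follow ipftest(1): E = ECE, W = CWR, e = AE */`. This table uses `TH_ECN`, while the iplang_y.y hunk in the same commit uses `TH_ECE` for what appears to be the same bit, so settling on one name would avoid confusion. The start of the `tcpfl` table is outside the hunk.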
@@ -304,7 +300,6 @@ static icmp_subtype_t *
find_icmpsubtype(int type, icmp_subtype_t *table, size_t tablesz)
{
icmp_subtype_t *ist;
- int i;
if (tablesz < 2)
return (NULL);
@@ -312,11 +307,10 @@ find_icmpsubtype(int type, icmp_subtype_t *table, size_t tablesz)
if ((type < 0) || (type > table[tablesz - 2].ist_val))
return (NULL);
- i = type;
if (table[type].ist_val == type)
return (table + type);
- for (i = 0, ist = table; ist->ist_val != -2; i++, ist++)
+ for (ist = table; ist->ist_val != -2; ist++)
if (ist->ist_val == type)
return (ist);
return (NULL);
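Review bot: The fast path `table[type].ist_val == type` is only guarded by `type > table[tablesz - 2].ist_val`, which compares `type` with a stored value rather than with the table size. If any table is sparse, with its largest `ist_val` above the number of entries, `table[type]` reads past the array. `type` presumably comes from a logged packet's ICMP header. Bounding the index directly removes the dependence on table layout: `if (((size_t)type < tablesz) && (table[type].ist_val == type))`. The same pattern with `it_val` is in the find_icmptype hunk below; find_icmpsubtype itself begins in the previous hunk.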
@@ -327,7 +321,6 @@ static icmp_type_t *
find_icmptype(int type, icmp_type_t *table, size_t tablesz)
{
icmp_type_t *it;
- int i;
if (tablesz < 2)
return (NULL);
@@ -335,11 +328,10 @@ find_icmptype(int type, icmp_type_t *table, size_t tablesz)
if ((type < 0) || (type > table[tablesz - 2].it_val))
return (NULL);
- i = type;
if (table[type].it_val == type)
return (table + type);
- for (i = 0, it = table; it->it_val != -2; i++, it++)
+ for (it = table; it->it_val != -2; it++)
if (it->it_val == type)
return (it);
return (NULL);
@@ -470,10 +462,7 @@ read_log(int fd, int *lenp, char *buf, int bufsize)
char *
-portlocalname(res, proto, port)
- int res;
- char *proto;
- u_int port;
+portlocalname(int res, char *proto, u_int port)
{
static char pname[8];
char *s;
@@ -590,7 +579,7 @@ dumphex(FILE *log, int dopts, char *buf, int len)
}
if ((j + 1) & 0xf)
- *t++ = ' ';;
+ *t++ = ' ';
}
if (j & 0xf) {
@@ -1208,7 +1197,7 @@ print_ipflog(config_t *conf, char *buf, int blen)
*t++ = ' ';
*t++ = '-';
for (i = 0; tcpfl[i].value; i++)
- if (tp->th_flags & tcpfl[i].value)
+ if (__tcp_get_flags(tp) & tcpfl[i].value)
*t++ = tcpfl[i].flag;
if (ipmonopts & IPMON_VERBOSE) {
sprintf(t, " %lu %lu %hu",
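Review bot: The flag loop `*t++ = tcpfl[i].flag;` and the `sprintf(t, " %lu %lu %hu", ...)` after it both write through `t` with no check against the end of the output buffer. With the extra `tcpfl` entry added in this commit, the loop can emit one more character per record than before. The buffer's declaration and size are outside the hunk, so the remaining headroom cannot be confirmed from here. Since the text is built from logged packet contents, it would be safer to track the remaining space and use `snprintf(t, remaining, ...)` in place of `sprintf`. print_ipflog starts and ends outside this hunk.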
diff --git a/sbin/ipf/ipmon/ipmon_y.y b/sbin/ipf/ipmon/ipmon_y.y
index c70e17adcec0..9d3a7ff30c93 100644
--- a/sbin/ipf/ipmon/ipmon_y.y
+++ b/sbin/ipf/ipmon/ipmon_y.y
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/ipnat/Makefile b/sbin/ipf/ipnat/Makefile
index 1bdbe61235fb..869a399bd44f 100644
--- a/sbin/ipf/ipnat/Makefile
+++ b/sbin/ipf/ipnat/Makefile
@@ -1,11 +1,10 @@
-# $FreeBSD$
-
PACKAGE= ipf
PROG= ipnat
SRCS= ${GENHDRS} ipnat.c ipnat_y.c ipnat_l.c
MAN= ipnat.8 ipnat.4 ipnat.5
MLINKS= ipnat.5 ipnat.conf.5
CFLAGS+= -I.
+CFLAGS+= -Wno-error=unused-but-set-variable
GENHDRS= ipnat_l.h ipnat_y.h
CLEANFILES+= ${GENHDRS} ipnat_y.c ipnat_l.c
diff --git a/sbin/ipf/ipnat/Makefile.depend b/sbin/ipf/ipnat/Makefile.depend
index cfe5ad5352e5..4d9091bff680 100644
--- a/sbin/ipf/ipnat/Makefile.depend
+++ b/sbin/ipf/ipnat/Makefile.depend
@@ -1,15 +1,12 @@
-# $FreeBSD$
# Autogenerated - do NOT edit!
DIRDEPS = \
- gnu/lib/csu \
include \
include/arpa \
include/xlocale \
lib/${CSU_DIR} \
lib/libc \
lib/libcompiler_rt \
- lib/libelf \
lib/libkvm \
sbin/ipf/libipf \
usr.bin/yacc.host \
diff --git a/sbin/ipf/ipnat/ipnat.1 b/sbin/ipf/ipnat/ipnat.1
index f24141546171..0e41ccc42b2a 100644
--- a/sbin/ipf/ipnat/ipnat.1
+++ b/sbin/ipf/ipnat/ipnat.1
@@ -8,7 +8,6 @@ ipnat \- user interface to the NAT
]
.B \-f <\fIfilename\fP>
.SH DESCRIPTION
-.PP
\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
file for a set of rules which are to be added or removed from the IP NAT.
.PP
diff --git a/sbin/ipf/ipnat/ipnat.4 b/sbin/ipf/ipnat/ipnat.4
index 80c5ba444708..d848378d8e98 100644
--- a/sbin/ipf/ipnat/ipnat.4
+++ b/sbin/ipf/ipnat/ipnat.4
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.TH IPNAT 4
.SH NAME
ipnat \- Network Address Translation kernel interface
@@ -11,7 +10,6 @@ ipnat \- Network Address Translation kernel interface
.br
#include <netinet/ip_nat.h>
.SH IOCTLS
-.PP
To add and delete rules to the NAT list, two 'basic' ioctls are provided
for use. The ioctl's are called as:
.LP
diff --git a/sbin/ipf/ipnat/ipnat.5 b/sbin/ipf/ipnat/ipnat.5
index 81502946b82c..c6c8c2e54fc2 100644
--- a/sbin/ipf/ipnat/ipnat.5
+++ b/sbin/ipf/ipnat/ipnat.5
@@ -1,10 +1,8 @@
-.\" $FreeBSD$
.\"
.TH IPNAT 5
.SH NAME
ipnat, ipnat.conf \- IPFilter NAT file format
.SH DESCRIPTION
-.PP
The
.B ipnat.conf
file is used to specify rules for the Network Address Translation (NAT)
@@ -31,7 +29,6 @@ to text that appears before the "->" and the "right hand side" (RHS) for text
that appears after it. In essence, the LHS is the packet matching and the
RHS is the new data to be used.
.SH VARIABLES
-.PP
This configuration file, like all others used with IPFilter, supports the
use of variable substitution throughout the text.
.nf
@@ -150,7 +147,7 @@ For TCP connections exiting a connection such as PPPoE where the MTU is
slightly smaller than normal ethernet, it can be useful to reduce the
Maximum Segment Size (MSS) offered by the internal machines to match,
reducing the liklihood that the either end will attempt to send packets
-that are too big and result in fragmentation. This is acheived using the
+that are too big and result in fragmentation. This is achieved using the
.B mssclamp
option with TCP
.B map
@@ -221,7 +218,7 @@ that requires the destination port number to be 21 if this rule is to be
activated. The word "ftp" is the proxy identifier that the kernel will
try and resolve internally, "tcp" the protocol that packets must match.
.PP
-See below for a list of proxies and their relative staus.
+See below for a list of proxies and their relative status.
.PP
To associate NAT rules with filtering rules, it is possible to set and
match tags during either inbound or outbound processing. At present the
@@ -281,7 +278,6 @@ of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
IP address with the \fBmap\fP command.
.SS Extended matching
-.PP
If it is desirable to match on both the source and destination of a packet
before applying an address translation to it, this can be achieved by using
the same from-to syntax as is used in \fBipf.conf\fP(5). What follows
@@ -323,7 +319,6 @@ the defined pool only has /24's or /32's. Pools may also be used
.I wherever
the from-to syntax in \fBipnat.conf\fR(5) is allowed.
.SH INBOUND DESTINATION TRANSLATION (redirection)
-.PP
Redirection of packets is used to change the destination fields in a packet
and is supported for packets that are moving \fIin\fP on a network interface.
While the same general syntax for
@@ -337,7 +332,7 @@ a network or range of network addresses, so a rule written like this:
rdr le0 0/0 -> 192.168.1.0
.fi
.PP
-Will not spread packets across all 256 IP addresses in that class C network.
+Will not spread packets across all 256 IP addresses in that /24 subnet.
If you were to try a rule like this:
.nf
@@ -356,7 +351,7 @@ rdr le0 from 1.1.0.0/16 to any -> 192.168.1.3
rdr le0 ! from 1.1.0.0/16 to any -> 192.168.1.4
.fi
.PP
-If there is a consective set of addresses you wish to spread the packets
+If there is a consecutive set of addresses you wish to spread the packets
over, then this can be done in one of two ways, the word "range" optional
to preserve:
.nf
@@ -383,9 +378,9 @@ rdr le0 0/0 -> 192.168.1.5,192.168.1.7 round-robin
rdr le0 0/0 -> 192.168.1.9 round-robin
.fi
.PP
-If there are a large number of redirect rules and hosts being targetted
+If there are a large number of redirect rules and hosts being targeted
then it may be desirable to have all those from a single source address
-be targetted at the same destination address. To achieve this, the
+be targeted at the same destination address. To achieve this, the
word
.B sticky
is appended to the rule like this:
@@ -400,9 +395,9 @@ The
.B sticky
feature can only be combined with
.B round-robin
-and the use of comma.
+and the use of a comma.
.PP
-For TCP and UDP packets, it is possible to both match on the destiantion
+For TCP and UDP packets, it is possible to both match on the destination
port number and to modify it. For example, to change the destination port
from 80 to 3128, we would use a rule like this:
.nf
@@ -466,7 +461,6 @@ rdr le0,ppp0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp
round-robin frag age 40/40 sticky mssclamp 1000 tag tagged
.fi
.SH REWRITING SOURCE AND DESTINATION
-.PP
Whilst the above two commands provide a lot of flexibility in changing
addressing fields in packets, often it can be of benefit to translate
\fIboth\fP source \fBand\fR destination at the same time or to change
@@ -550,7 +544,6 @@ rewrite from any to any port = 80 ->
src 1.1.2.3 - 1.1.2.6 dst 2.2.3.4 - 2.2.3.6;
.fi
.SH DIVERTING PACKETS
-.PP
If you'd like to send packets to a UDP socket rather than just another
computer to be decapsulated, this can be achieved using a
.B divert
@@ -573,7 +566,7 @@ On the LHS is a normal set of matching capabilities but on the RHS it is
a requirement to specify both the source and destination addresses and
ports.
.PP
-As this feature is intended to be used with targetting packets at sockets
+As this feature is intended to be used with targeting packets at sockets
and not IPFilter running on other systems, there is no rule provided to
\fIundivert\fR packets.
.TP
@@ -599,7 +592,6 @@ are flushed out, it is expected that the operator will similarly
flush the NAT table and thus NAT sessions are not removed when the
NAT rules are flushed out.
.SH RULE ORDERING
-.PP
.B NOTE:
Rules in
.B ipnat.conf
@@ -656,7 +648,6 @@ rdr le0 from 1.1.1.0/24 to 192.2.2.1 port 80 -> 127.0.0.1 3128 tcp
.PP
Then no packets will match the 2nd rule, they'll all match the first.
.SH IPv6
-.PP
In all of the examples above, where an IPv4 address is present, an IPv6
address can also be used. All rules must use either IPv4 addresses with
both halves of the NAT rule or IPv6 addresses for both halves. Mixing
@@ -668,7 +659,6 @@ For shorthand notations such as "0/32", the equivalent for IPv6 is
implicit direction that the address should be IPv6, not IPv4.
To be unambiguous with 0/0, for IPv6 use ::0/0.
.SH KERNEL PROXIES
-.PP
IP Filter comes with a few, simple, proxies built into the code that is loaded
into the kernel to allow secondary channels to be opened without forcing the
packets through a user program. The current state of the proxies is listed
diff --git a/sbin/ipf/ipnat/ipnat.8 b/sbin/ipf/ipnat/ipnat.8
index a49f33736b40..b3893f117709 100644
--- a/sbin/ipf/ipnat/ipnat.8
+++ b/sbin/ipf/ipnat/ipnat.8
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.\"
.TH IPNAT 8
.SH NAME
@@ -16,7 +15,6 @@ ipnat \- user interface to the NAT subsystem
]
.B \-f <\fIfilename\fP>
.SH DESCRIPTION
-.PP
\fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the
file for a set of rules which are to be added or removed from the IP NAT.
.PP
diff --git a/sbin/ipf/ipnat/ipnat.c b/sbin/ipf/ipnat/ipnat.c
index 5558ef8693d0..8eb2e240f6cf 100644
--- a/sbin/ipf/ipnat/ipnat.c
+++ b/sbin/ipf/ipnat/ipnat.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -50,10 +49,6 @@
# define STRERROR(x) strerror(x)
-#if !defined(lint)
-static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#if SOLARIS
diff --git a/sbin/ipf/ipnat/ipnat_y.y b/sbin/ipf/ipnat/ipnat_y.y
index 175026b4083e..11f62c98aa8c 100644
--- a/sbin/ipf/ipnat/ipnat_y.y
+++ b/sbin/ipf/ipnat/ipnat_y.y
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/ippool/Makefile b/sbin/ipf/ippool/Makefile
index 622952be0477..8ed864ee9267 100644
--- a/sbin/ipf/ippool/Makefile
+++ b/sbin/ipf/ippool/Makefile
@@ -1,10 +1,9 @@
-# $FreeBSD$
-
PACKAGE= ipf
PROG= ippool
SRCS= ${GENHDRS} ippool_y.c ippool_l.c ippool.c
MAN= ippool.5 ippool.8
CFLAGS+= -I.
+CFLAGS+= -Wno-error=unused-but-set-variable
GENHDRS= ippool_l.h ippool_y.h
CLEANFILES+= ${GENHDRS} ippool_y.c ippool_l.c
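Review bot: `-Wno-error=unused-but-set-variable` is added to CFLAGS for every source of ippool with no comment naming the file that needs it, so the warning also stops failing the build for the hand-written ippool.c. If the trigger is the generated ippool_y.c or ippool_l.c (an inference; the hunk does not say), a comment above the line such as `# generated parser/lexer sets variables it never reads` would record the reason and let the flag be removed later.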
diff --git a/sbin/ipf/ippool/Makefile.depend b/sbin/ipf/ippool/Makefile.depend
index cfe5ad5352e5..4d9091bff680 100644
--- a/sbin/ipf/ippool/Makefile.depend
+++ b/sbin/ipf/ippool/Makefile.depend
@@ -1,15 +1,12 @@
-# $FreeBSD$
# Autogenerated - do NOT edit!
DIRDEPS = \
- gnu/lib/csu \
include \
include/arpa \
include/xlocale \
lib/${CSU_DIR} \
lib/libc \
lib/libcompiler_rt \
- lib/libelf \
lib/libkvm \
sbin/ipf/libipf \
usr.bin/yacc.host \
diff --git a/sbin/ipf/ippool/ippool.5 b/sbin/ipf/ippool/ippool.5
index 4de19a4b3625..b45675bea069 100644
--- a/sbin/ipf/ippool/ippool.5
+++ b/sbin/ipf/ippool/ippool.5
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.\"
.TH IPPOOL 5
.SH NAME
@@ -39,7 +38,6 @@ heirarchical matching, so it is possible to define a subnet as matching
but then exclude specific addresses from it.
.SS
Evolving Configuration
-.PP
Over time the configuration syntax used by ippool.conf(5) has evolved.
Originally the syntax used was more verbose about what a particular
value was being used for, for example:
@@ -66,7 +64,6 @@ configuration syntax and all output using "ippool -l" will also be in the
new configuration syntax.
.SS
IPFilter devices and pools
-.PP
To cater to different administration styles, ipool.conf(5) allows you to
tie a pool to a specific role in IPFilter. The recognised role names are:
.HP
@@ -90,7 +87,6 @@ all
pools that are defined for the "all" role are available to all types of
rules, be they NAT rules in ipnat.conf(5) or firewall rules in ipf.conf(5).
.SH Address Pools
-.PP
An address pool can be used in ipf.conf(5) and ipnat.conf(5) for matching
the source or destination address of packets. They can be referred to either
by name or number and can hold an arbitrary number of address patterns to
@@ -109,7 +105,7 @@ only ever match an entry in a pool that is of the same address family.
The address pool searches the list of addresses configured for the best
match. The "best match" is considered to be the match that has the highest
number of bits set in the mask. Thus if both 2.2.0.0/16 and 2.2.2.0/24 are
-present in an address pool, the addres 2.2.2.1 will match 2.2.2.0/24 and
+present in an address pool, the address 2.2.2.1 will match 2.2.2.0/24 and
2.2.1.1 will match 2.2.0.0/16. The reason for this is to allow exceptions
to be added through the use of negative matching. In the following example,
the pool contains "2.2.0.0/16" and "!2.2.2.0/24", meaning that all packets
@@ -125,7 +121,7 @@ addresses from. To do this simply use a "file://" URL where you would
specify an actual IP address.
.PP
.nf
-pool ipf/tree (name rfc1918;) { file:///etc/ipf/rfc1918; };
+pool ipf/tree (name rfc1918;) { "file:///etc/ipf/rfc1918;" };
.fi
.PP
The contents of the file might look something like this:
@@ -164,7 +160,6 @@ block in from pool/microsoft to any
Note that there are limitations on the output returned by whois servers
so be aware that their output may not be 100% perfect for your goal.
.SH Destination Lists
-.PP
Destination lists are provided for use primarily with NAT redirect rules
(rdr). Their purpose is to allow more sophisticated methods of selecting
which host to send traffic to next than the simple round-robin technique
@@ -243,7 +238,6 @@ pool all/dstlist (name servers; policy weighted connection;)
{ bge0:1.1.1.2; bge0:1.1.1.4; bge1:1.1.1.5; bge1:1.1.1.9; };
.fi
.SH Group maps
-.PP
Group maps are provided to allow more efficient processing of packets
where there are a larger number of subnets and groups of rules for those
subnets. Group maps are used with "call" rules in ipf.conf(5) that
@@ -283,7 +277,6 @@ The limitation with group maps is that only the source address or the
destination address can be used to map the packet to the starting group,
not both, in your ipf.conf(5) file.
.SH Hash Tables
-.PP
The hash table is operationally similar to the address pool. It is
used as a store for a collection of address to match on, saving the
need to write a lengthy list of rules. As with address pools, searching
diff --git a/sbin/ipf/ippool/ippool.8 b/sbin/ipf/ippool/ippool.8
index bcc8f3cbd71d..c879c97b01dd 100644
--- a/sbin/ipf/ippool/ippool.8
+++ b/sbin/ipf/ippool/ippool.8
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.\"
.TH IPPOOL 8
.SH NAME
@@ -18,7 +17,7 @@ ippool \- user interface to the IPFilter pools
-F [-dv] [-o <role>] [-t <type>]
.br
.B ippool
--l [-dv] [-m <name>] [-t <type>] [-o <role>] [-M <core>] [-N <namelist>]
+-l [-dDv] [-m <name>] [-t <type>] [-o <role>] [-M <core>] [-N <namelist>]
.br
.B ippool
-r [-dnv] [-m <name>] [-o <role>] [-t <type>] -i <ipaddr>[/<netmask>]
@@ -29,7 +28,6 @@ ippool \- user interface to the IPFilter pools
.B ippool
-s [-dtv]
.SH DESCRIPTION
-.PP
.B Ippool
is used to manage information stored in the IP pools subsystem of IPFilter.
Configuration file information may be parsed and loaded into the kernel,
@@ -121,6 +119,10 @@ as a number of seconds.
When parsing a configuration file, rather than load new pool data into the
kernel, unload it.
.TP
+.B -D
+When used in conjuction with -l, dump the ippool configuration to stdout in
+a format that can be subsequently used as input into ippool -f.
+.TP
.SH FILES
.br
/dev/iplookup
diff --git a/sbin/ipf/ippool/ippool.c b/sbin/ipf/ippool/ippool.c
index 3e8918e1fcfa..797f83af1419 100644
--- a/sbin/ipf/ippool/ippool.c
+++ b/sbin/ipf/ippool/ippool.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -47,15 +46,15 @@ int poolnodecommand(int, int, char *[]);
int loadpoolfile(int, char *[], char *);
int poollist(int, char *[]);
void poollist_dead(int, char *, int, char *, char *);
-void poollist_live(int, char *, int, int);
+int poollist_live(int, char *, int, int);
int poolflush(int, char *[]);
int poolstats(int, char *[]);
int gettype(char *, u_int *);
int getrole(char *);
int setnodeaddr(int, int, void *ptr, char *arg);
-void showpools_live(int, int, ipf_pool_stat_t *, char *);
-void showhashs_live(int, int, iphtstat_t *, char *);
-void showdstls_live(int, int, ipf_dstl_stat_t *, char *);
+int showpools_live(int, int, ipf_pool_stat_t *, char *);
+int showhashs_live(int, int, iphtstat_t *, char *);
+int showdstls_live(int, int, ipf_dstl_stat_t *, char *);
int opts = 0;
int fd = -1;
@@ -670,12 +669,15 @@ poollist(int argc, char *argv[])
poolname = NULL;
role = IPL_LOGALL;
- while ((c = getopt(argc, argv, "dm:M:N:o:t:v")) != -1)
+ while ((c = getopt(argc, argv, "dDm:M:N:o:t:v")) != -1)
switch (c)
{
case 'd' :
opts |= OPT_DEBUG;
break;
+ case 'D' :
+ opts |= OPT_SAVEOUT;
+ break;
case 'm' :
poolname = optarg;
break;
@@ -740,9 +742,10 @@ poollist(int argc, char *argv[])
}
op.iplo_unit = role;
- if (live_kernel)
- poollist_live(role, poolname, type, fd);
- else
+ if (live_kernel) {
+ if (poollist_live(role, poolname, type, fd) != 0)
+ return (1);
+ } else
poollist_dead(role, poolname, type, kernel, core);
return (0);
}
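Review bot: Only the live-kernel branch propagates failure; `poollist_dead()` is still declared `void` in the prototype hunk at the top of this file's diff, so `poollist` returns 0 for a dead-kernel listing regardless of what happens inside it. A comment on the else branch, `/* poollist_dead() reports no status; this path always returns 0 */`, would make the asymmetry explicit until that function is converted too. The braces are also on one arm only; bracing the `else` as well keeps the two arms parallel. The body of poollist starts outside this hunk.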
@@ -817,7 +820,7 @@ poollist_dead(int role, char *poolname, int type, char *kernel, char *core)
}
-void
+int
poollist_live(int role, char *poolname, int type, int fd)
{
ipf_pool_stat_t plstat;
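Review bot: The new `int` return of `poollist_live` has no comment stating its contract, and the same holds for `showpools_live`, `showhashs_live` and `showdstls_live` changed further down. Going by the returns visible in this diff, a header such as `/* Returns 0 on success, 1 if an SIOCLOOKUPSTAT ioctl or a show*_live() call fails; listing stops at the first failure. */` would cover it. The function body continues outside this hunk.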
@@ -837,10 +840,11 @@ poollist_live(int role, char *poolname, int type, int fd)
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
- return;
+ return (1);
}
- showpools_live(fd, role, &plstat, poolname);
+ if (showpools_live(fd, role, &plstat, poolname))
+ return (1);
} else {
for (role = -1; role <= IPL_LOGMAX; role++) {
op.iplo_unit = role;
@@ -848,10 +852,11 @@ poollist_live(int role, char *poolname, int type, int fd)
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
- return;
+ return (1);
}
- showpools_live(fd, role, &plstat, poolname);
+ if (showpools_live(fd, role, &plstat, poolname))
+ return (1);
}
role = IPL_LOGALL;
@@ -873,9 +878,10 @@ poollist_live(int role, char *poolname, int type, int fd)
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
- return;
+ return (1);
}
- showhashs_live(fd, role, &htstat, poolname);
+ if (showhashs_live(fd, role, &htstat, poolname))
+ return (1);
} else {
for (role = 0; role <= IPL_LOGMAX; role++) {
@@ -883,10 +889,11 @@ poollist_live(int role, char *poolname, int type, int fd)
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
- return;
+ return (1);
}
- showhashs_live(fd, role, &htstat, poolname);
+ if (showhashs_live(fd, role, &htstat, poolname))
+ return(1);
}
role = IPL_LOGALL;
}
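Review bot: `return(1);` after the `showhashs_live` call is the only return added by this change that is written without a space; `return (1);` matches the other added lines. The enclosing loop and function extend beyond this hunk.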
@@ -907,9 +914,10 @@ poollist_live(int role, char *poolname, int type, int fd)
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
- return;
+ return (1);
}
- showdstls_live(fd, role, &dlstat, poolname);
+ if (showdstls_live(fd, role, &dlstat, poolname))
+ return (1);
} else {
for (role = 0; role <= IPL_LOGMAX; role++) {
@@ -917,18 +925,20 @@ poollist_live(int role, char *poolname, int type, int fd)
c = ioctl(fd, SIOCLOOKUPSTAT, &op);
if (c == -1) {
ipferror(fd, "ioctl(SIOCLOOKUPSTAT)");
- return;
+ return (1);
}
- showdstls_live(fd, role, &dlstat, poolname);
+ if (showdstls_live(fd, role, &dlstat, poolname))
+ return (1);
}
role = IPL_LOGALL;
}
}
+ return (0);
}
-void
+int
showpools_live(int fd, int role, ipf_pool_stat_t *plstp, char *poolname)
{
ipflookupiter_t iter;
@@ -953,7 +963,7 @@ showpools_live(int fd, int role, ipf_pool_stat_t *plstp, char *poolname)
while (plstp->ipls_list[role + 1] != NULL) {
if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
ipferror(fd, "ioctl(SIOCLOOKUPITER)");
- break;
+ return (1);
}
if (((pool.ipo_flags & IPOOL_DELETE) == 0) ||
((opts & OPT_DEBUG) != 0))
@@ -961,10 +971,11 @@ showpools_live(int fd, int role, ipf_pool_stat_t *plstp, char *poolname)
plstp->ipls_list[role + 1] = pool.ipo_next;
}
+ return (0);
}
-void
+int
showhashs_live(int fd, int role, iphtstat_t *htstp, char *poolname)
{
ipflookupiter_t iter;
@@ -987,17 +998,18 @@ showhashs_live(int fd, int role, iphtstat_t *htstp, char *poolname)
while (htstp->iphs_tables != NULL) {
if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
ipferror(fd, "ioctl(SIOCLOOKUPITER)");
- break;
+ return (1);
}
printhash_live(&table, fd, poolname, opts, pool_fields);
htstp->iphs_tables = table.iph_next;
}
+ return (0);
}
-void
+int
showdstls_live(int fd, int role, ipf_dstl_stat_t *dlstp, char *poolname)
{
ipflookupiter_t iter;
@@ -1020,13 +1032,14 @@ showdstls_live(int fd, int role, ipf_dstl_stat_t *dlstp, char *poolname)
while (dlstp->ipls_list[role] != NULL) {
if (ioctl(fd, SIOCLOOKUPITER, &obj)) {
ipferror(fd, "ioctl(SIOCLOOKUPITER)");
- break;
+ return (1);
}
printdstl_live(&table, fd, poolname, opts, pool_fields);
dlstp->ipls_list[role] = table.ipld_next;
}
+ return (0);
}
diff --git a/sbin/ipf/ippool/ippool_y.y b/sbin/ipf/ippool/ippool_y.y
index c798ff50596b..6baa48dfa01c 100644
--- a/sbin/ipf/ippool/ippool_y.y
+++ b/sbin/ipf/ippool/ippool_y.y
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/ipresend/Makefile b/sbin/ipf/ipresend/Makefile
index a4403d537547..f866891c4c97 100644
--- a/sbin/ipf/ipresend/Makefile
+++ b/sbin/ipf/ipresend/Makefile
@@ -1,5 +1,3 @@
-# $FreeBSD$
-
PACKAGE= ipf
PROG= ipresend
SRCS= ipresend.c ip.c resend.c sbpf.c sock.c 44arp.c
diff --git a/sbin/ipf/ipresend/Makefile.depend b/sbin/ipf/ipresend/Makefile.depend
index a1632c6f3baa..b40d4509a124 100644
--- a/sbin/ipf/ipresend/Makefile.depend
+++ b/sbin/ipf/ipresend/Makefile.depend
@@ -1,4 +1,3 @@
-# $FreeBSD$
# Autogenerated - do NOT edit!
DIRDEPS = \
diff --git a/sbin/ipf/ipscan/Makefile b/sbin/ipf/ipscan/Makefile
index 0c7c8783e785..1f62d796076e 100644
--- a/sbin/ipf/ipscan/Makefile
+++ b/sbin/ipf/ipscan/Makefile
@@ -1,5 +1,3 @@
-# $FreeBSD$
-
PACKAGE= ipf
PROG= ipscan
SRCS= ${GENHDRS} ipscan_y.c
diff --git a/sbin/ipf/ipscan/ipscan.5 b/sbin/ipf/ipscan/ipscan.5
index 91bf9b0f5ebe..76738b607080 100644
--- a/sbin/ipf/ipscan/ipscan.5
+++ b/sbin/ipf/ipscan/ipscan.5
@@ -1,10 +1,8 @@
-.\" $FreeBSD$
.\"
.TH IPSCAN 5
.SH NAME
ipscan, ipscan.conf \- ipscan file format
.SH DESCRIPTION
-.PP
WARNING: This feature is to be considered experimental and may change
significantly until a final implementation is drawn up.
.PP
@@ -21,7 +19,7 @@ match-char ::= "*" | "?" | "."
.fi
.PP
In this example an ip-address is a dotted-quad IPv4 address and a port-number
-is a number betwee 1 and 65535, inclusive. The match string is must be of
+is a number between 1 and 65535, inclusive. The match string is must be of
same length as the literal string that it is matching (literal). The length
of either string is limited to 16 bytes.
.PP
diff --git a/sbin/ipf/ipscan/ipscan.8 b/sbin/ipf/ipscan/ipscan.8
index 513dc94a8050..da4068a1e8f2 100644
--- a/sbin/ipf/ipscan/ipscan.8
+++ b/sbin/ipf/ipscan/ipscan.8
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.\"
.TH IPSCAN 8
.SH NAME
@@ -11,7 +10,6 @@ ipscan \- user interface to the IPFilter content scanning
]
.B \-f <\fIfilename\fP>
.SH DESCRIPTION
-.PP
\fBipscan\fP opens the filename given (treating "\-" as stdin) and parses the
file to build up a content scanning configuration to load into the kernel.
Currently only the first 16 bytes of a connection can be compared.
diff --git a/sbin/ipf/ipscan/ipscan_y.y b/sbin/ipf/ipscan/ipscan_y.y
index 21d1b15aed70..b6693e294dae 100644
--- a/sbin/ipf/ipscan/ipscan_y.y
+++ b/sbin/ipf/ipscan/ipscan_y.y
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/ipsend/44arp.c b/sbin/ipf/ipsend/44arp.c
index e7a15b5d5cad..0a11c8732a12 100644
--- a/sbin/ipf/ipsend/44arp.c
+++ b/sbin/ipf/ipsend/44arp.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Based upon 4.4BSD's /usr/sbin/arp
diff --git a/sbin/ipf/ipsend/arp.c b/sbin/ipf/ipsend/arp.c
index 1d8f4213f246..a9409093213f 100644
--- a/sbin/ipf/ipsend/arp.c
+++ b/sbin/ipf/ipsend/arp.c
@@ -1,14 +1,9 @@
-/* $FreeBSD$ */
/*
* arp.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include <sys/types.h>
#include <sys/socket.h>
# include <sys/sockio.h>
diff --git a/sbin/ipf/ipsend/dlcommon.c b/sbin/ipf/ipsend/dlcommon.c
index 86554660240d..a73f7df96d54 100644
--- a/sbin/ipf/ipsend/dlcommon.c
+++ b/sbin/ipf/ipsend/dlcommon.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Common (shared) DLPI test routines.
diff --git a/sbin/ipf/ipsend/dltest.h b/sbin/ipf/ipsend/dltest.h
index 086782c1fbb7..fe6e33735849 100644
--- a/sbin/ipf/ipsend/dltest.h
+++ b/sbin/ipf/ipsend/dltest.h
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Common DLPI Test Suite header file
diff --git a/sbin/ipf/ipsend/ip.c b/sbin/ipf/ipsend/ip.c
index 7c623103b901..8cdfca893d15 100644
--- a/sbin/ipf/ipsend/ip.c
+++ b/sbin/ipf/ipsend/ip.c
@@ -1,14 +1,9 @@
-/* $FreeBSD$ */
/*
* ip.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include <sys/param.h>
#include <sys/types.h>
#include <netinet/in_systm.h>
@@ -266,7 +261,7 @@ send_tcp(int nfd, int mtu, ip_t *ip, struct in_addr gwip)
i = sizeof(struct tcpiphdr) / sizeof(long);
- if ((t2->th_flags == TH_SYN) && !ntohs(ip->ip_off) &&
+ if ((__tcp_get_flags(t2) == TH_SYN) && !ntohs(ip->ip_off) &&
(lbuf[i] != htonl(0x020405b4))) {
lbuf[i] = htonl(0x020405b4);
bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4,
diff --git a/sbin/ipf/ipsend/ipresend.1 b/sbin/ipf/ipsend/ipresend.1
index 6761a183caea..e7714349e6af 100644
--- a/sbin/ipf/ipsend/ipresend.1
+++ b/sbin/ipf/ipsend/ipresend.1
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.\"
.TH IPRESEND 1
.SH NAME
@@ -21,7 +20,6 @@ ipresend \- resend IP packets out to network
<\fIfilename\fP>
]
.SH DESCRIPTION
-.PP
\fBipresend\fP was designed to allow packets to be resent, once captured,
back out onto the network for use in testing. \fIipresend\fP supports a
number of different file formats as input, including saved snoop/tcpdump
@@ -98,10 +96,8 @@ The input file is composed of text descriptions of IP packets.
.SH SEE ALSO
snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p)
.SH DIAGNOSTICS
-.PP
Needs to be run as root.
.SH BUGS
-.PP
Not all of the input formats are sufficiently capable of introducing a
wide enough variety of packets for them to be all useful in testing.
If you find any, please send email to me at darrenr@pobox.com
diff --git a/sbin/ipf/ipsend/ipresend.c b/sbin/ipf/ipsend/ipresend.c
index c9e625f02e2a..c00367a4a586 100644
--- a/sbin/ipf/ipsend/ipresend.c
+++ b/sbin/ipf/ipsend/ipresend.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* ipresend.c (C) 1995-1998 Darren Reed
@@ -6,10 +5,6 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
diff --git a/sbin/ipf/ipsend/ipsend.1 b/sbin/ipf/ipsend/ipsend.1
index 7f0a8e39538a..3cbb991694b1 100644
--- a/sbin/ipf/ipsend/ipsend.1
+++ b/sbin/ipf/ipsend/ipsend.1
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.\"
.TH IPSEND 1
.SH NAME
@@ -36,12 +35,11 @@ ipsend \- sends IP packets
<\fIwindow\fP>
] <destination> [TCP-flags]
.SH DESCRIPTION
-.PP
\fBipsend\fP can be compiled in two ways. The first is used to send one-off
packets to a destination host, using command line options to specify various
attributes present in the headers. The \fIdestination\fP must be given as
the last command line option, except for when TCP flags are specified as
-a combination of A, S, F, U, P and R, last.
+a combination of A, S, F, U, P, R, E, W and e, last.
.PP
The other way it may be compiled, with DOSOCKET defined, is to allow an
attempt at making a TCP connection using a with ipsend resending the SYN
@@ -104,8 +102,6 @@ enable verbose mode.
.SH SEE ALSO
ipsend(1), ipresend(1), iptest(1), protocols(4), bpf(4), dlpi(7p)
.SH DIAGNOSTICS
-.PP
Needs to be run as root.
.SH BUGS
-.PP
If you find any, please send email to me at darrenr@pobox.com
diff --git a/sbin/ipf/ipsend/ipsend.5 b/sbin/ipf/ipsend/ipsend.5
index 346f4e7ced8f..67c456e54d34 100644
--- a/sbin/ipf/ipsend/ipsend.5
+++ b/sbin/ipf/ipsend/ipsend.5
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.TH IPSEND 5
.SH NAME
ipsend \- IP packet description language
@@ -8,7 +7,6 @@ text file which fits the grammar described below. The purpose of this
grammar is to allow IP packets to be described in an arbitary way which
also allows encapsulation to be so done to an arbitary level.
.SH GRAMMAR
-.LP
.nf
line ::= iface | arp | send | defrouter | ipv4line .
@@ -81,7 +79,6 @@ databodyopts ::= "len" number | "value" string | "file" filename .
icmpechoopts ::= "icmpseq" number | "icmpid" number .
.fi
.SH COMMANDS
-.PP
Before sending any packets or defining any packets, it is necessary to
describe the interface(s) which will be used to send packets out.
.TP
@@ -253,7 +250,8 @@ unset, it defaults to 0 and is automatically calculated.
.TP
.B flags <tcp-flags>
sets the TCP flags field to match the flags specified. Valid flags are
-"S" (SYN), "A" (ACK), "R" (RST), "F" (FIN), "U" (URG), "P" (PUSH).
+"S" (SYN), "A" (ACK), "R" (RST), "F" (FIN), "U" (URG), "P" (PUSH),
+"E" (ECE), "W" (CWR), "e" (AE).
.TP
.B opt
indicates that TCP header options follow. As TCP options are added to the
diff --git a/sbin/ipf/ipsend/ipsend.c b/sbin/ipf/ipsend/ipsend.c
index 1996c01dec6c..78a8ccaa3f30 100644
--- a/sbin/ipf/ipsend/ipsend.c
+++ b/sbin/ipf/ipsend/ipsend.c
@@ -1,13 +1,8 @@
-/* $FreeBSD$ */
/*
* ipsend.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
@@ -370,22 +365,31 @@ main(int argc, char **argv)
switch(c)
{
case 'S' : case 's' :
- tcp->th_flags |= TH_SYN;
+ __tcp_set_flags(tcp, __tcp_get_flags(tcp) | TH_SYN);
break;
case 'A' : case 'a' :
- tcp->th_flags |= TH_ACK;
+ __tcp_set_flags(tcp, __tcp_get_flags(tcp) | TH_ACK);
break;
case 'F' : case 'f' :
- tcp->th_flags |= TH_FIN;
+ __tcp_set_flags(tcp, __tcp_get_flags(tcp) | TH_FIN);
break;
case 'R' : case 'r' :
- tcp->th_flags |= TH_RST;
+ __tcp_set_flags(tcp, __tcp_get_flags(tcp) | TH_RST);
break;
case 'P' : case 'p' :
- tcp->th_flags |= TH_PUSH;
+ __tcp_set_flags(tcp, __tcp_get_flags(tcp) | TH_PUSH);
break;
case 'U' : case 'u' :
- tcp->th_flags |= TH_URG;
+ __tcp_set_flags(tcp, __tcp_get_flags(tcp) | TH_URG);
+ break;
+ case 'E' :
+ __tcp_set_flags(tcp, __tcp_get_flags(tcp) | TH_ECE);
+ break;
+ case 'W' :
+ __tcp_set_flags(tcp, __tcp_get_flags(tcp) | TH_CWR);
+ break;
+ case 'e' :
+ __tcp_set_flags(tcp, __tcp_get_flags(tcp) | TH_AE);
break;
}
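Review bot: The three new cases are case-sensitive while the six existing ones accept either case, so `e` selects AE, `E` selects ECE, and a lower-case `w` matches no label and sets no flag, with no diagnostic. A short comment above the new cases, `/* E, W and e are case-sensitive: 'e' selects TH_AE, not TH_ECE */`, would stop a later edit from adding `case 'e'` to the ECE label for symmetry. No `default` label is visible in the hunk; if unknown letters are meant to be ignored, a `default:` with a comment saying so would document that. main's body starts and ends outside this hunk.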
@@ -395,8 +399,8 @@ main(int argc, char **argv)
printf("Source: %s\n", inet_ntoa(ip->ip_src));
printf("Dest: %s\n", inet_ntoa(ip->ip_dst));
printf("Gateway: %s\n", inet_ntoa(gwip));
- if (ip->ip_p == IPPROTO_TCP && tcp->th_flags)
- printf("Flags: %#x\n", tcp->th_flags);
+ if (ip->ip_p == IPPROTO_TCP && __tcp_get_flags(tcp) != 0)
+ printf("Flags: %#x\n", __tcp_get_flags(tcp));
printf("mtu: %d\n", mtu);
if (ip->ip_p == IPPROTO_UDP) {
diff --git a/sbin/ipf/ipsend/ipsend.h b/sbin/ipf/ipsend/ipsend.h
index bfec90f1c5b3..6eb30e2be3b4 100644
--- a/sbin/ipf/ipsend/ipsend.h
+++ b/sbin/ipf/ipsend/ipsend.h
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* ipsend.h (C) 1997-1998 Darren Reed
@@ -8,7 +7,7 @@
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
- * The author provides this program as-is, with no gaurantee for its
+ * The author provides this program as-is, with no guarantee for its
* suitability for any specific purpose. The author takes no responsibility
* for the misuse/abuse of this program and provides it for the sole purpose
* of testing packet filter policies. This file maybe distributed freely
diff --git a/sbin/ipf/ipsend/ipsopt.c b/sbin/ipf/ipsend/ipsopt.c
index 0e053e2c75bb..ffad9c008461 100644
--- a/sbin/ipf/ipsend/ipsopt.c
+++ b/sbin/ipf/ipsend/ipsopt.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -6,10 +5,6 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
diff --git a/sbin/ipf/ipsend/iptest.1 b/sbin/ipf/ipsend/iptest.1
index 8f25f4abf256..5ccebc681cbc 100644
--- a/sbin/ipf/ipsend/iptest.1
+++ b/sbin/ipf/ipsend/iptest.1
@@ -1,4 +1,3 @@
-.\" $FreeBSD$
.\"
.TH IPTEST 1
.SH NAME
@@ -24,7 +23,6 @@ iptest \- automatically generate a packets to test IP functionality
<\fIsource\fP>
] <destination>
.SH DESCRIPTION
-.PP
\fBiptest\fP ...
.SH OPTIONS
.TP
@@ -99,5 +97,4 @@ Only one of the numeric test options may be given when \fIiptest\fP is run.
.PP
Needs to be run as root.
.SH BUGS
-.PP
If you find any, please send email to me at darrenr@pobox.com
diff --git a/sbin/ipf/ipsend/iptest.c b/sbin/ipf/ipsend/iptest.c
index ed92ab9306ea..db31168cd380 100644
--- a/sbin/ipf/ipsend/iptest.c
+++ b/sbin/ipf/ipsend/iptest.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* ipsend.c (C) 1995-1998 Darren Reed
@@ -6,10 +5,6 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
diff --git a/sbin/ipf/ipsend/iptests.c b/sbin/ipf/ipsend/iptests.c
index cbda02893162..6a72a0adfffd 100644
--- a/sbin/ipf/ipsend/iptests.c
+++ b/sbin/ipf/ipsend/iptests.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -6,10 +5,6 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include <sys/param.h>
#include <sys/types.h>
#if defined(__NetBSD__) && defined(__vax__)
@@ -79,7 +74,6 @@ typedef int boolean_t;
# include <netinet/in_pcb.h>
# endif
#include "ipsend.h"
-# include <netinet/tcp_timer.h>
# include <netinet/tcp_var.h>
#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 106000000)
# define USE_NANOSLEEP
@@ -908,7 +902,6 @@ ip_test5(char *dev, int mtu, ip_t *ip, struct in_addr gwip, int ptest)
int nfd, i;
t = (tcphdr_t *)((char *)ip + (IP_HL(ip) << 2));
- t->th_x2 = 0;
TCP_OFF_A(t, 0);
t->th_sport = htons(1);
t->th_dport = htons(1);
@@ -925,13 +918,12 @@ ip_test5(char *dev, int mtu, ip_t *ip, struct in_addr gwip, int ptest)
if (!ptest || (ptest == 1)) {
/*
- * Test 1: flags variations, 0 - 3f
+ * Test 1: flags variations, 0 - 1ff
*/
TCP_OFF_A(t, sizeof(*t) >> 2);
printf("5.1 Test TCP flag combinations\n");
- for (i = 0; i <= (TH_URG|TH_ACK|TH_PUSH|TH_RST|TH_SYN|TH_FIN);
- i++) {
- t->th_flags = i;
+ for (i = 0; i <= TH_FLAGS; i++) {
+ __tcp_set_flags(t, i);
(void) send_tcp(nfd, mtu, ip, gwip);
printf("%d\r", i);
fflush(stdout);
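Review bot: The updated comment hard-codes `0 - 1ff` while the loop bound is now the symbolic `TH_FLAGS`, whose definition is not part of this diff; the two agree only if that mask includes `TH_AE`. Writing the comment as `Test 1: flags variations, 0 - TH_FLAGS` keeps it true whatever the header defines. ip_test5 continues outside the hunk.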
@@ -941,7 +933,7 @@ ip_test5(char *dev, int mtu, ip_t *ip, struct in_addr gwip, int ptest)
}
if (!ptest || (ptest == 2)) {
- t->th_flags = TH_SYN;
+ __tcp_set_flags(t, TH_SYN);
/*
* Test 2: seq = 0, seq = 1, seq = 0x7fffffff, seq=0x80000000,
* seq = 0xa000000, seq = 0xffffffff
@@ -984,7 +976,7 @@ ip_test5(char *dev, int mtu, ip_t *ip, struct in_addr gwip, int ptest)
}
if (!ptest || (ptest == 3)) {
- t->th_flags = TH_ACK;
+ __tcp_set_flags(t, TH_ACK);
/*
* Test 3: ack = 0, ack = 1, ack = 0x7fffffff, ack = 0x8000000
* ack = 0xa000000, ack = 0xffffffff
@@ -1027,7 +1019,7 @@ ip_test5(char *dev, int mtu, ip_t *ip, struct in_addr gwip, int ptest)
}
if (!ptest || (ptest == 4)) {
- t->th_flags = TH_SYN;
+ __tcp_set_flags(t, TH_SYN);
/*
* Test 4: win = 0, win = 32768, win = 65535
*/
@@ -1097,7 +1089,7 @@ ip_test5(char *dev, int mtu, ip_t *ip, struct in_addr gwip, int ptest)
/*
* Test 5: urp
*/
- t->th_flags = TH_ACK|TH_URG;
+ __tcp_set_flags(t, TH_ACK|TH_URG);
printf("5.5.1 TCP Urgent pointer, sport %hu dport %hu\n",
ntohs(t->th_sport), ntohs(t->th_dport));
t->th_urp = htons(1);
@@ -1116,7 +1108,7 @@ ip_test5(char *dev, int mtu, ip_t *ip, struct in_addr gwip, int ptest)
(void) send_tcp(nfd, mtu, ip, gwip);
PAUSE();
t->th_urp = 0;
- t->th_flags &= ~TH_URG;
+ __tcp_set_flags(t, __tcp_get_flags(t) & ~TH_URG);
ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t);
}
@@ -1124,7 +1116,7 @@ ip_test5(char *dev, int mtu, ip_t *ip, struct in_addr gwip, int ptest)
/*
* Test 6: data offset, off = 0, off is inside, off is outside
*/
- t->th_flags = TH_ACK;
+ __tcp_set_flags(t, TH_ACK);
printf("5.6.1 TCP off = 1-15, len = 40\n");
for (i = 1; i < 16; i++) {
TCP_OFF_A(t, ntohs(i));
@@ -1146,7 +1138,7 @@ skip_five_and_six:
TCP_OFF_A(t, 0);
if (!ptest || (ptest == 7)) {
- t->th_flags = TH_SYN;
+ __tcp_set_flags(t, TH_SYN);
/*
* Test 7: sport = 0, sport = 1, sport = 32767
* sport = 32768, sport = 65535
@@ -1184,7 +1176,7 @@ skip_five_and_six:
if (!ptest || (ptest == 8)) {
t->th_sport = htons(1);
- t->th_flags = TH_SYN;
+ __tcp_set_flags(t, TH_SYN);
/*
* Test 8: dport = 0, dport = 1, dport = 32767
* dport = 32768, dport = 65535
@@ -1226,7 +1218,7 @@ skip_five_and_six:
/* chose SMTP port 25 */
t->th_sport = htons(25);
t->th_dport = htons(25);
- t->th_flags = TH_SYN;
+ __tcp_set_flags(t, TH_SYN);
ip->ip_src = ip->ip_dst;
(void) send_tcp(nfd, mtu, ip, gwip);
fflush(stdout);
diff --git a/sbin/ipf/ipsend/resend.c b/sbin/ipf/ipsend/resend.c
index c3f86baaadc3..a306edddff19 100644
--- a/sbin/ipf/ipsend/resend.c
+++ b/sbin/ipf/ipsend/resend.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* resend.c (C) 1995-1998 Darren Reed
@@ -6,10 +5,6 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
@@ -55,9 +50,9 @@ dumppacket(ip_t *ip)
if (ip->ip_p == IPPROTO_TCP) {
printf(" seq %lu:%lu flags ",
(u_long)t->th_seq, (u_long)t->th_ack);
- for (j = 0, i = 1; i < 256; i *= 2, j++)
- if (t->th_flags & i)
- printf("%c", "FSRPAU--"[j]);
+ for (j = 0, i = 1; i < TH_FLAGS; i <<= 1, j++)
+ if (__tcp_get_flags(t) & i)
+ printf("%c", "FSRPAUEWe"[j]);
}
putchar('\n');
}
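Review bot: The loop bound `i < TH_FLAGS` in dumppacket is the only thing keeping `j` inside the nine-character string `"FSRPAUEWe"`, and the value of TH_FLAGS is not visible in this diff. If the macro is still the 8-bit mask, the loop stops after 0x80 and the new `e` (TH_AE) is never printed; if it ever covers bits above 0x100, `j` indexes past the string. Bounding the loop by the string itself avoids both: `for (j = 0; j < sizeof("FSRPAUEWe") - 1; j++) if (__tcp_get_flags(t) & (1 << j))`. dumppacket starts before this hunk.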
diff --git a/sbin/ipf/ipsend/sbpf.c b/sbin/ipf/ipsend/sbpf.c
index b46585f1f340..6d5d60292ce9 100644
--- a/sbin/ipf/ipsend/sbpf.c
+++ b/sbin/ipf/ipsend/sbpf.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* (C)opyright 1995-1998 Darren Reed. (from tcplog)
*
@@ -40,10 +39,6 @@
#include "ipsend.h"
-#if !defined(lint)
-static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
/*
* the code herein is dervied from libpcap.
diff --git a/sbin/ipf/ipsend/sdlpi.c b/sbin/ipf/ipsend/sdlpi.c
index 5570495dd2d7..d4195c456622 100644
--- a/sbin/ipf/ipsend/sdlpi.c
+++ b/sbin/ipf/ipsend/sdlpi.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
@@ -39,10 +38,6 @@
#include "ipsend.h"
-#if !defined(lint)
-static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#define CHUNKSIZE 8192
#define BUFSPACE (4*CHUNKSIZE)
diff --git a/sbin/ipf/ipsend/snit.c b/sbin/ipf/ipsend/snit.c
index 187299436d2d..6dc9df06714f 100644
--- a/sbin/ipf/ipsend/snit.c
+++ b/sbin/ipf/ipsend/snit.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
@@ -39,10 +38,6 @@
#include "ipsend.h"
-#if !defined(lint)
-static const char sccsid[] = "@(#)snit.c 1.5 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#define CHUNKSIZE 8192
#define BUFSPACE (4*CHUNKSIZE)
diff --git a/sbin/ipf/ipsend/sock.c b/sbin/ipf/ipsend/sock.c
index f95538fd9824..7ffacc950d22 100644
--- a/sbin/ipf/ipsend/sock.c
+++ b/sbin/ipf/ipsend/sock.c
@@ -1,14 +1,9 @@
-/* $FreeBSD$ */
/*
* sock.c (C) 1995-1998 Darren Reed
*
* See the IPFILTER.LICENCE file for details on licencing.
*
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include <sys/param.h>
#include <sys/types.h>
#include <sys/time.h>
@@ -63,7 +58,6 @@ typedef int boolean_t;
#include <netinet/ip_var.h>
#define _WANT_INPCB
#include <netinet/in_pcb.h>
-#include <netinet/tcp_timer.h>
#define _WANT_TCPCB
#include <netinet/tcp_var.h>
#include <stdio.h>
diff --git a/sbin/ipf/ipsend/sockraw.c b/sbin/ipf/ipsend/sockraw.c
index 16384230f543..ab65f63753c7 100644
--- a/sbin/ipf/ipsend/sockraw.c
+++ b/sbin/ipf/ipsend/sockraw.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* (C)opyright 2000 Darren Reed.
@@ -29,9 +28,6 @@
#include <errno.h>
#include "ipsend.h"
-#if !defined(lint) && defined(LIBC_SCCS)
-static char sirix[] = "@(#)sirix.c 1.0 10/9/97 (C)1997 Marc Boucher";
-#endif
int
diff --git a/sbin/ipf/libipf/Makefile b/sbin/ipf/libipf/Makefile
index a8f43e24fb74..bdd56876dadd 100644
--- a/sbin/ipf/libipf/Makefile
+++ b/sbin/ipf/libipf/Makefile
@@ -1,5 +1,3 @@
-# $FreeBSD$
-
PACKAGE= ipf
LIB= ipf
INTERNALLIB=
diff --git a/sbin/ipf/libipf/Makefile.depend b/sbin/ipf/libipf/Makefile.depend
index 55e67ede0b51..f9d041194c3e 100644
--- a/sbin/ipf/libipf/Makefile.depend
+++ b/sbin/ipf/libipf/Makefile.depend
@@ -1,4 +1,3 @@
-# $FreeBSD$
# Autogenerated - do NOT edit!
DIRDEPS = \
diff --git a/sbin/ipf/libipf/addicmp.c b/sbin/ipf/libipf/addicmp.c
index da52f1caacfe..f84cae01644e 100644
--- a/sbin/ipf/libipf/addicmp.c
+++ b/sbin/ipf/libipf/addicmp.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/addipopt.c b/sbin/ipf/libipf/addipopt.c
index a6c699ddc701..ab0579d00063 100644
--- a/sbin/ipf/libipf/addipopt.c
+++ b/sbin/ipf/libipf/addipopt.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/bcopywrap.c b/sbin/ipf/libipf/bcopywrap.c
index 9eec27f4538c..e20462ea9b04 100644
--- a/sbin/ipf/libipf/bcopywrap.c
+++ b/sbin/ipf/libipf/bcopywrap.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/binprint.c b/sbin/ipf/libipf/binprint.c
index 131e3f62d481..8d09b347db2c 100644
--- a/sbin/ipf/libipf/binprint.c
+++ b/sbin/ipf/libipf/binprint.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/buildopts.c b/sbin/ipf/libipf/buildopts.c
index 7f2397bf7c95..27eb1b7323f0 100644
--- a/sbin/ipf/libipf/buildopts.c
+++ b/sbin/ipf/libipf/buildopts.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/checkrev.c b/sbin/ipf/libipf/checkrev.c
index 148acaff571b..ded9ce04d500 100644
--- a/sbin/ipf/libipf/checkrev.c
+++ b/sbin/ipf/libipf/checkrev.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/connecttcp.c b/sbin/ipf/libipf/connecttcp.c
index 5e0d86c1d098..7ab9d3430f58 100644
--- a/sbin/ipf/libipf/connecttcp.c
+++ b/sbin/ipf/libipf/connecttcp.c
@@ -10,7 +10,7 @@
#include <ctype.h>
/*
- * Format expected is one addres per line, at the start of each line.
+ * Format expected is one address per line, at the start of each line.
*/
int
connecttcp(char *server, int port)
diff --git a/sbin/ipf/libipf/count4bits.c b/sbin/ipf/libipf/count4bits.c
index 52942771f800..10e9d6bb2207 100644
--- a/sbin/ipf/libipf/count4bits.c
+++ b/sbin/ipf/libipf/count4bits.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/count6bits.c b/sbin/ipf/libipf/count6bits.c
index fd4f11226c0b..ff013046613c 100644
--- a/sbin/ipf/libipf/count6bits.c
+++ b/sbin/ipf/libipf/count6bits.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/debug.c b/sbin/ipf/libipf/debug.c
index 0e3276e21705..9fcdf98317bd 100644
--- a/sbin/ipf/libipf/debug.c
+++ b/sbin/ipf/libipf/debug.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/facpri.c b/sbin/ipf/libipf/facpri.c
index 3286248d3205..9325a03c8dc3 100644
--- a/sbin/ipf/libipf/facpri.c
+++ b/sbin/ipf/libipf/facpri.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -11,7 +10,7 @@
#include <stdio.h>
#include <string.h>
#include <limits.h>
-#include <sys/types.h>
+#include <sys/param.h>
#if !defined(__SVR4) && !defined(__svr4__)
#include <strings.h>
#endif
@@ -21,9 +20,6 @@
#include <syslog.h>
#include "facpri.h"
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id$";
-#endif
typedef struct table {
@@ -80,7 +76,7 @@ fac_toname(int facpri)
fac = facpri & LOG_FACMASK;
j = fac >> 3;
- if (j < (sizeof(facs)/sizeof(facs[0]))) {
+ if (j < nitems(facs)) {
if (facs[j].value == fac)
return (facs[j].name);
}
diff --git a/sbin/ipf/libipf/facpri.h b/sbin/ipf/libipf/facpri.h
index 5698c0ebe047..dac5c591410c 100644
--- a/sbin/ipf/libipf/facpri.h
+++ b/sbin/ipf/libipf/facpri.h
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/fill6bits.c b/sbin/ipf/libipf/fill6bits.c
index b8f5914ef426..e9e8b7fe7099 100644
--- a/sbin/ipf/libipf/fill6bits.c
+++ b/sbin/ipf/libipf/fill6bits.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/flags.c b/sbin/ipf/libipf/flags.c
index 05fcc9874866..b476936e0dba 100644
--- a/sbin/ipf/libipf/flags.c
+++ b/sbin/ipf/libipf/flags.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -19,7 +18,10 @@
#ifndef TH_CWR
# define TH_CWR 0x80
#endif
+#ifndef TH_AE
+# define TH_AE 0x100
+#endif
-char flagset[] = "FSRPAUEC";
-u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG,
- TH_ECN, TH_CWR };
+char flagset[] = "FSRPAUEWe";
+uint16_t flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG,
+ TH_ECN, TH_CWR, TH_AE };
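Review bot: Replacing `C` with `W` in `flagset` drops a letter that was previously accepted for TH_CWR, so any parser that maps letters through `flagset` would stop recognising `C` in existing rules; the same change is made to `myflagset` in ipft_tx.c. If that is intended it deserves a comment beside the table, for example `/* CWR is 'W', AE is 'e'; 'C' is no longer accepted */`, otherwise `C` could be kept as an alias. The element type of `flags[]` also changes from `u_char` to `uint16_t`, so every `extern` declaration of it has to change in the same commit; those declarations are not in this hunk.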
diff --git a/sbin/ipf/libipf/gethost.c b/sbin/ipf/libipf/gethost.c
index aefdbbae9fb3..6ae34a577519 100644
--- a/sbin/ipf/libipf/gethost.c
+++ b/sbin/ipf/libipf/gethost.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/getifname.c b/sbin/ipf/libipf/getifname.c
index a2d9ef6885d1..970f2a6707bb 100644
--- a/sbin/ipf/libipf/getifname.c
+++ b/sbin/ipf/libipf/getifname.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/getnattype.c b/sbin/ipf/libipf/getnattype.c
index 3e3853208dc1..30bae7ce0216 100644
--- a/sbin/ipf/libipf/getnattype.c
+++ b/sbin/ipf/libipf/getnattype.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -10,9 +9,6 @@
#include "ipf.h"
#include "kmem.h"
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id$";
-#endif
/*
diff --git a/sbin/ipf/libipf/getport.c b/sbin/ipf/libipf/getport.c
index ea52fad3234c..8b659b2761b3 100644
--- a/sbin/ipf/libipf/getport.c
+++ b/sbin/ipf/libipf/getport.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/getportproto.c b/sbin/ipf/libipf/getportproto.c
index 9f84ab21c476..637b000d8d51 100644
--- a/sbin/ipf/libipf/getportproto.c
+++ b/sbin/ipf/libipf/getportproto.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/getproto.c b/sbin/ipf/libipf/getproto.c
index 4d3f2d9e1ea2..139bfd3ee41a 100644
--- a/sbin/ipf/libipf/getproto.c
+++ b/sbin/ipf/libipf/getproto.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/getsumd.c b/sbin/ipf/libipf/getsumd.c
index 3d66d273f843..ede6f7ea134d 100644
--- a/sbin/ipf/libipf/getsumd.c
+++ b/sbin/ipf/libipf/getsumd.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/hostname.c b/sbin/ipf/libipf/hostname.c
index 3b179954bbff..1c3d3451b487 100644
--- a/sbin/ipf/libipf/hostname.c
+++ b/sbin/ipf/libipf/hostname.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/icmpcode.c b/sbin/ipf/libipf/icmpcode.c
index e898ebfa39a5..b7fc15451e08 100644
--- a/sbin/ipf/libipf/icmpcode.c
+++ b/sbin/ipf/libipf/icmpcode.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/inet_addr.c b/sbin/ipf/libipf/inet_addr.c
index 367c25f44d51..d64b3da41361 100644
--- a/sbin/ipf/libipf/inet_addr.c
+++ b/sbin/ipf/libipf/inet_addr.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* ++Copyright++ 1983, 1990, 1993
@@ -55,10 +54,6 @@
* --Copyright--
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static const char rcsid[] = "@(#)$Id: inet_addr.c,v 1.8.2.3 2004/12/09 19:41:20 darrenr Exp $";
-#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
#include <netinet/in.h>
diff --git a/sbin/ipf/libipf/initparse.c b/sbin/ipf/libipf/initparse.c
index c85d6d3ed69d..2cb8906555dd 100644
--- a/sbin/ipf/libipf/initparse.c
+++ b/sbin/ipf/libipf/initparse.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/interror.c b/sbin/ipf/libipf/interror.c
index ca97254cb382..981823ca6bb9 100644
--- a/sbin/ipf/libipf/interror.c
+++ b/sbin/ipf/libipf/interror.c
@@ -17,7 +17,7 @@ typedef struct {
static ipf_error_entry_t *find_error(int);
-#define IPF_NUM_ERRORS 475
+#define IPF_NUM_ERRORS 477
/*
* NO REUSE OF NUMBERS!
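Review bot: `IPF_NUM_ERRORS` is a hand-maintained count that has to match the number of initialisers in `ipf_errors[IPF_NUM_ERRORS]`, and nothing checks it. If the count is too large the tail is silently zero-filled, which would break the ordering that find_error's search appears to rely on. Declaring the table as `ipf_errors[]` and using `nitems(ipf_errors)` in find_error removes the manual step. Separately, find_error starts with `r = IPF_NUM_ERRORS + 1`, and from the lines visible in its two hunks the probe `ipf_errors + l + step` looks able to reach index IPF_NUM_ERRORS for an errnum above the last entry; part of that function is outside the hunks, so this should be confirmed.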
@@ -70,7 +70,7 @@ static ipf_error_entry_t ipf_errors[IPF_NUM_ERRORS] = {
{ 42, "ipfilter not enabled for NAT ioctl" },
{ 43, "ipfilter not enabled for state ioctl" },
{ 44, "ipfilter not enabled for auth ioctl" },
- { 45, "ipfilter not enbaled for sync ioctl" },
+ { 45, "ipfilter not enabled for sync ioctl" },
{ 46, "ipfilter not enabled for scan ioctl" },
{ 47, "ipfilter not enabled for lookup ioctl" },
{ 48, "unrecognised device minor number for ioctl" },
@@ -144,7 +144,7 @@ static ipf_error_entry_t ipf_errors[IPF_NUM_ERRORS] = {
{ 116, "error copying in match array" },
{ 117, "match array type is not IPFOBJ_IPFEXPR" },
{ 118, "bad size for match array" },
- { 119, "cannot allocate memory for match aray" },
+ { 119, "cannot allocate memory for match array" },
{ 120, "error copying in match array" },
{ 121, "error verifying contents of match array" },
{ 122, "need write permissions to set ipf lock status" },
@@ -206,7 +206,7 @@ static ipf_error_entry_t ipf_errors[IPF_NUM_ERRORS] = {
{ 30002, "could not malloc memory for new hash table" },
{ 30003, "error coping in hash table structure" },
{ 30004, "hash table already exists" },
- { 30005, "mismach between new hash table and operation unit" },
+ { 30005, "mismatch between new hash table and operation unit" },
{ 30006, "could not malloc memory for hash table base" },
{ 30007, "could not find hash table" },
{ 30008, "mismatch between hash table and operation unit" },
@@ -229,7 +229,7 @@ static ipf_error_entry_t ipf_errors[IPF_NUM_ERRORS] = {
{ 30025, "hash table size must be at least 1"},
{ 30026, "cannot allocate memory for hash table context" },
/* -------------------------------------------------------------------------- */
- { 40001, "invalid minor device numebr for log read" },
+ { 40001, "invalid minor device number for log read" },
{ 40002, "read size too small" },
{ 40003, "interrupted waiting for log data to read" },
{ 40004, "interrupted waiting for log data to read" },
@@ -276,7 +276,7 @@ static ipf_error_entry_t ipf_errors[IPF_NUM_ERRORS] = {
{ 50038, "invalid unit for lookup iterator" },
{ 50039, "invalid unit for lookup iterator" },
{ 50040, "could not find token for lookup iterator" },
- { 50041, "unrecognised object type for lookup interator" },
+ { 50041, "unrecognised object type for lookup iterator" },
{ 50042, "error copying in lookup delete node operation" },
/* -------------------------------------------------------------------------- */
{ 60001, "insufficient privilege for NAT write operation" },
@@ -333,7 +333,7 @@ log" },
{ 60051, "iterator error copying out NAT entry data" },
{ 60052, "iterator data supplied with NULL pointer" },
{ 60053, "unknown NAT iterator type" },
- { 60054, "unknwon next address type" },
+ { 60054, "unknown next address type" },
{ 60055, "iterator suppled with unknown type for get-next" },
{ 60056, "unknown lookup group for next address" },
{ 60057, "error copying out NAT log flush results" },
@@ -355,6 +355,7 @@ log" },
{ 60073, "unknown lookup group for next address (ipv6)" },
{ 60074, "unknown next address type (ipv6)" },
{ 60075, "one object at a time must be copied" },
+ { 60076, "NAT ioctl denied in jail without VNET" },
/* -------------------------------------------------------------------------- */
{ 70001, "incorrect object size to get pool stats" },
{ 70002, "could not malloc memory for new pool node" },
@@ -418,7 +419,7 @@ log" },
{ 100006, "" },
{ 100007, "" },
{ 100008, "need write permissions to flush state log" },
- { 100009, "erorr copyout results of flushing state log" },
+ { 100009, "error copyout results of flushing state log" },
{ 100010, "need write permissions to turn state logging on/off" },
{ 100011, "error copying in new state logging state" },
{ 100012, "error copying out current state logging state" },
@@ -516,6 +517,7 @@ log" },
{ 130015, "ipf_init_all failed" },
{ 130016, "finding pfil head failed" },
{ 130017, "ipfilter is already initialised and running" },
+ { 130018, "ioctl denied in jail without VNET" },
};
@@ -525,7 +527,7 @@ find_error(int errnum)
ipf_error_entry_t *ie;
int l = -1, r = IPF_NUM_ERRORS + 1, step;
- step = (r - l) / 2;;
+ step = (r - l) / 2;
while (step != 0) {
ie = ipf_errors + l + step;
@@ -536,7 +538,7 @@ find_error(int errnum)
r = step;
else
l = step;
- step = (r - l) / 2;;
+ step = (r - l) / 2;
}
return (NULL);
diff --git a/sbin/ipf/libipf/ionames.c b/sbin/ipf/libipf/ionames.c
index 9b586422a392..9b2442f4e6e3 100644
--- a/sbin/ipf/libipf/ionames.c
+++ b/sbin/ipf/libipf/ionames.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/ipf_dotuning.c b/sbin/ipf/libipf/ipf_dotuning.c
index 1db47d76eac1..74d5dd154aae 100644
--- a/sbin/ipf/libipf/ipf_dotuning.c
+++ b/sbin/ipf/libipf/ipf_dotuning.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -20,7 +19,7 @@ void ipf_dotuning(int fd, char *tuneargs, ioctlfunc_t iocfn)
bzero((char *)&tu, sizeof(tu));
obj.ipfo_rev = IPFILTER_VERSION;
- obj.ipfo_size = sizeof(tu);;
+ obj.ipfo_size = sizeof(tu);
obj.ipfo_ptr = (void *)&tu;
obj.ipfo_type = IPFOBJ_TUNEABLE;
diff --git a/sbin/ipf/libipf/ipft_hx.c b/sbin/ipf/libipf/ipft_hx.c
index a540b52da05d..98c0d1eb0114 100644
--- a/sbin/ipf/libipf/ipft_hx.c
+++ b/sbin/ipf/libipf/ipft_hx.c
@@ -1,14 +1,9 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include <ctype.h>
diff --git a/sbin/ipf/libipf/ipft_pc.c b/sbin/ipf/libipf/ipft_pc.c
index 349b9390e745..ff4acd5d1753 100644
--- a/sbin/ipf/libipf/ipft_pc.c
+++ b/sbin/ipf/libipf/ipft_pc.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -10,9 +9,6 @@
#include "ipf.h"
#include "ipt.h"
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id$";
-#endif
struct llc {
int lc_type;
diff --git a/sbin/ipf/libipf/ipft_tx.c b/sbin/ipf/libipf/ipft_tx.c
index 87215f5b7b6e..1e23f06be3fd 100644
--- a/sbin/ipf/libipf/ipft_tx.c
+++ b/sbin/ipf/libipf/ipft_tx.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -7,10 +6,6 @@
*
* $Id$
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include <ctype.h>
@@ -25,9 +20,9 @@ static int text_open(char *), text_close(void);
static int text_readip(mb_t *, char **, int *);
static int parseline(char *, ip_t *, char **, int *);
-static char myflagset[] = "FSRPAUEC";
-static u_char myflags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH,
- TH_ACK, TH_URG, TH_ECN, TH_CWR };
+static char myflagset[] = "FSRPAUEWe";
+static uint16_t myflags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH,
+ TH_ACK, TH_URG, TH_ECN, TH_CWR, TH_AE };
struct ipread iptext = { text_open, text_close, text_readip, R_DO_CKSUM };
static FILE *tfp = NULL;
@@ -270,15 +265,16 @@ parseline(char *line, ip_t *ip, char **ifn, int *out)
if (*cpp != NULL) {
char *s, *t;
- tcp->th_flags = 0;
+ __tcp_set_flags(tcp, 0);
for (s = *cpp; *s; s++)
- if ((t = strchr(myflagset, *s)))
- tcp->th_flags |= myflags[t-myflagset];
- if (tcp->th_flags)
+ if ((t = strchr(myflagset, *s)))
+ __tcp_set_flags(tcp, __tcp_get_flags(tcp) |
+ myflags[t-myflagset]);
+ if (__tcp_get_flags(tcp))
cpp++;
}
- if (tcp->th_flags & TH_URG)
+ if (__tcp_get_flags(tcp) & TH_URG)
tcp->th_urp = htons(1);
if (*cpp && !strncasecmp(*cpp, "seq=", 4)) {
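Review bot: The flag loop in parseline now does a read-modify-write of the header for every character through `__tcp_get_flags`/`__tcp_set_flags`; accumulating into a local and storing once is easier to read and keeps the header untouched until parsing is done. Something like `uint16_t fl = 0;`, `fl |= myflags[t - myflagset];` in the loop, then `__tcp_set_flags(tcp, fl);`, with the later tests using `fl`. The identical loop in parseipv6 (next hunk) would take the same change. Both functions start and end outside their hunks.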
@@ -441,15 +437,16 @@ parseipv6(char **cpp, ip6_t *ip6, char **ifn, int *out)
if (*cpp != NULL) {
char *s, *t;
- tcp->th_flags = 0;
+ __tcp_set_flags(tcp, 0);
for (s = *cpp; *s; s++)
- if ((t = strchr(myflagset, *s)))
- tcp->th_flags |= myflags[t-myflagset];
- if (tcp->th_flags)
+ if ((t = strchr(myflagset, *s)))
+ __tcp_set_flags(tcp, __tcp_get_flags(tcp) |
+ myflags[t-myflagset]);
+ if (__tcp_get_flags(tcp))
cpp++;
}
- if (tcp->th_flags & TH_URG)
+ if (__tcp_get_flags(tcp) & TH_URG)
tcp->th_urp = htons(1);
if (*cpp && !strncasecmp(*cpp, "seq=", 4)) {
diff --git a/sbin/ipf/libipf/ipoptsec.c b/sbin/ipf/libipf/ipoptsec.c
index 7617daec33dd..fad2a564371e 100644
--- a/sbin/ipf/libipf/ipoptsec.c
+++ b/sbin/ipf/libipf/ipoptsec.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/kmem.c b/sbin/ipf/libipf/kmem.c
index c39e36aa5add..6ebd0dee6b72 100644
--- a/sbin/ipf/libipf/kmem.c
+++ b/sbin/ipf/libipf/kmem.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -30,10 +29,6 @@
#include "kmem.h"
-#if !defined(lint)
-static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$Id$";
-#endif
diff --git a/sbin/ipf/libipf/kmem.h b/sbin/ipf/libipf/kmem.h
index bcf6a0be7e27..623d5760c614 100644
--- a/sbin/ipf/libipf/kmem.h
+++ b/sbin/ipf/libipf/kmem.h
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/kmemcpywrap.c b/sbin/ipf/libipf/kmemcpywrap.c
index fab86242c449..43f8833be72d 100644
--- a/sbin/ipf/libipf/kmemcpywrap.c
+++ b/sbin/ipf/libipf/kmemcpywrap.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/kvatoname.c b/sbin/ipf/libipf/kvatoname.c
index 47b226f13450..1e53cd9c2cd5 100644
--- a/sbin/ipf/libipf/kvatoname.c
+++ b/sbin/ipf/libipf/kvatoname.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/load_hash.c b/sbin/ipf/libipf/load_hash.c
index 63894a3cfa72..bfee0fc64642 100644
--- a/sbin/ipf/libipf/load_hash.c
+++ b/sbin/ipf/libipf/load_hash.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/load_hashnode.c b/sbin/ipf/libipf/load_hashnode.c
index 46e5552fdbab..12b11687710d 100644
--- a/sbin/ipf/libipf/load_hashnode.c
+++ b/sbin/ipf/libipf/load_hashnode.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -54,9 +53,28 @@ load_hashnode(int unit, char *name, iphtent_t *node, int ttl,
if (err != 0)
if (!(opts & OPT_DONOTHING)) {
- char msg[80];
+ char msg[255];
+ char ipaddr[80], mask_msg[10], mask[8];
- snprintf(msg, sizeof(msg), "%s node from lookup hash table", what);
+ inet_ntop(ipe.ipe_family,
+ ipe.ipe_addr.vptr, ipaddr,
+ sizeof(ipaddr));
+#ifdef USE_INET6
+ if (ipe.ipe_family == AF_INET) {
+#endif
+ inet_ntop(ipe.ipe_family,
+ ipe.ipe_mask.vptr, mask,
+ sizeof(mask));
+ mask_msg[0]='/';
+ mask_msg[1]='\0';
+ strlcat(mask_msg, mask, sizeof(mask_msg));
+#ifdef USE_INET6
+ } else {
+ mask_msg[0]='\0';
+ }
+#endif
+
+ snprintf(msg, sizeof(msg), "%s node from lookup hash table(%s) node(%s%s)", what, name, ipaddr, mask_msg);
return (ipf_perror_fd(pool_fd(), iocfunc, msg));
}
return (0);
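Review bot: `mask[8]` is too small for a dotted-quad netmask, so `inet_ntop()` fails for any mask that does not fit (255.255.255.0 needs 14 bytes) and its return value is not checked; `strlcat(mask_msg, mask, ...)` then reads an uninitialised stack buffer, and `mask_msg[10]` would truncate the text in any case. Sizing from the standard constants fixes this: `char ipaddr[INET6_ADDRSTRLEN], mask_msg[INET_ADDRSTRLEN + 1], mask[INET_ADDRSTRLEN];`, and both `inet_ntop()` calls should fall back to a fixed string when they return NULL. The same declarations and calls appear in the load_poolnode.c hunk of this commit. load_hashnode starts outside the hunk.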
diff --git a/sbin/ipf/libipf/load_http.c b/sbin/ipf/libipf/load_http.c
index 738a6f8006f9..7ad0bfd733bf 100644
--- a/sbin/ipf/libipf/load_http.c
+++ b/sbin/ipf/libipf/load_http.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -25,7 +24,7 @@
#define LOAD_BUFSIZE (MAX_URL_LEN * 2 + 128)
/*
- * Format expected is one addres per line, at the start of each line.
+ * Format expected is one address per line, at the start of each line.
*/
alist_t *
load_http(char *url)
diff --git a/sbin/ipf/libipf/load_pool.c b/sbin/ipf/libipf/load_pool.c
index c502f3dc77e0..0d90c81e81ff 100644
--- a/sbin/ipf/libipf/load_pool.c
+++ b/sbin/ipf/libipf/load_pool.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/load_poolnode.c b/sbin/ipf/libipf/load_poolnode.c
index 849bd60791a7..880a6cd1c681 100644
--- a/sbin/ipf/libipf/load_poolnode.c
+++ b/sbin/ipf/libipf/load_poolnode.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -53,11 +52,30 @@ load_poolnode(int role, char *name, ip_pool_node_t *node, int ttl,
if (err != 0) {
if ((opts & OPT_DONOTHING) == 0) {
- char msg[80];
+ char msg[255];
+ char ipaddr[80], mask_msg[10], mask[8];
- snprintf(msg, sizeof(msg), "%s pool node(%s/", what,
- inet_ntoa(pn.ipn_addr.adf_addr.in4));
- strcat(msg, inet_ntoa(pn.ipn_mask.adf_addr.in4));
+ inet_ntop(pn.ipn_addr.adf_family,
+ pn.ipn_addr.adf_addr.vptr, ipaddr,
+ sizeof(ipaddr));
+
+#ifdef USE_INET6
+ if (pn.ipn_mask.adf_family == AF_INET) {
+#endif
+ inet_ntop(pn.ipn_mask.adf_family,
+ pn.ipn_mask.adf_addr.vptr, mask,
+ sizeof(mask));
+ mask_msg[0]='/';
+ mask_msg[1]='\0';
+ strlcat(mask_msg, mask, sizeof(mask_msg));
+#ifdef USE_INET6
+ } else {
+ mask_msg[0]='\0';
+ }
+#endif
+
+ snprintf(msg, sizeof(msg), "%s pool(%s) node(%s%s)",
+ what, name, ipaddr, mask_msg);
return (ipf_perror_fd(pool_fd(), iocfunc, msg));
}
}
diff --git a/sbin/ipf/libipf/mutex_emul.c b/sbin/ipf/libipf/mutex_emul.c
index 3152d2e47013..d7f34671d953 100644
--- a/sbin/ipf/libipf/mutex_emul.c
+++ b/sbin/ipf/libipf/mutex_emul.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -85,10 +84,7 @@ eMmutex_init(eMmutex_t *mtx, char *who, char *file, int line)
void
-eMmutex_destroy(mtx, file, line)
- eMmutex_t *mtx;
- char *file;
- int line;
+eMmutex_destroy(eMmutex_t *mtx, char *file, int line)
{
if (mutex_debug & 1)
fprintf(mutex_file,
diff --git a/sbin/ipf/libipf/nametokva.c b/sbin/ipf/libipf/nametokva.c
index 6b86657eba97..06635238165c 100644
--- a/sbin/ipf/libipf/nametokva.c
+++ b/sbin/ipf/libipf/nametokva.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/nat_setgroupmap.c b/sbin/ipf/libipf/nat_setgroupmap.c
index 8a4b461c5a88..97a5211688c3 100644
--- a/sbin/ipf/libipf/nat_setgroupmap.c
+++ b/sbin/ipf/libipf/nat_setgroupmap.c
@@ -1,13 +1,9 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id$";
-#endif
#include "ipf.h"
diff --git a/sbin/ipf/libipf/ntomask.c b/sbin/ipf/libipf/ntomask.c
index 0947784106ba..3664d255254c 100644
--- a/sbin/ipf/libipf/ntomask.c
+++ b/sbin/ipf/libipf/ntomask.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/optname.c b/sbin/ipf/libipf/optname.c
index 1523d31b710a..93bf276c7818 100644
--- a/sbin/ipf/libipf/optname.c
+++ b/sbin/ipf/libipf/optname.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/optprint.c b/sbin/ipf/libipf/optprint.c
index f18ad00dba2a..a70ed28d611f 100644
--- a/sbin/ipf/libipf/optprint.c
+++ b/sbin/ipf/libipf/optprint.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/optprintv6.c b/sbin/ipf/libipf/optprintv6.c
index d043ff774031..e53a879fa439 100644
--- a/sbin/ipf/libipf/optprintv6.c
+++ b/sbin/ipf/libipf/optprintv6.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/optvalue.c b/sbin/ipf/libipf/optvalue.c
index 370a9d272ed2..44635b04a13a 100644
--- a/sbin/ipf/libipf/optvalue.c
+++ b/sbin/ipf/libipf/optvalue.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/parseipfexpr.c b/sbin/ipf/libipf/parseipfexpr.c
index 215e43b2978d..be86456e143b 100644
--- a/sbin/ipf/libipf/parseipfexpr.c
+++ b/sbin/ipf/libipf/parseipfexpr.c
@@ -75,7 +75,7 @@ parseipfexpr(char *line, char **errorptr)
for (ops = strtok(temp, ";"); ops != NULL; ops = strtok(NULL, ";")) {
arg = strchr(ops, '=');
if ((arg < ops + 2) || (arg == NULL)) {
- error = "bad 'arg' vlaue";
+ error = "bad 'arg' value";
goto parseerror;
}
@@ -93,11 +93,7 @@ parseipfexpr(char *line, char **errorptr)
break;
}
if (e->ipoe_word == NULL) {
- error = malloc(32);
- if (error != NULL) {
- snprintf(error, sizeof(error), "keyword (%.10s) not found",
- ops);
- }
+ asprintf(&error, "keyword (%.10s) not found", ops);
goto parseerror;
}
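Review bot: The return value of `asprintf()` is ignored, and on failure the content of `error` is not portable (FreeBSD sets it to NULL, other libcs leave it undefined). `if (asprintf(&error, "keyword (%.10s) not found", ops) == -1) error = NULL;` makes the failure path explicit. `error` also holds either a string literal (the `bad 'arg' value` assignment in the previous hunk) or heap memory, so the code at `parseerror`, which is outside the hunk, cannot tell whether to free it.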
diff --git a/sbin/ipf/libipf/poolio.c b/sbin/ipf/libipf/poolio.c
index 765d37fae350..f12120fd5467 100644
--- a/sbin/ipf/libipf/poolio.c
+++ b/sbin/ipf/libipf/poolio.c
@@ -28,10 +28,7 @@ pool_open(void)
}
int
-pool_ioctl(iocfunc, cmd, ptr)
- ioctlfunc_t iocfunc;
- ioctlcmd_t cmd;
- void *ptr;
+pool_ioctl(ioctlfunc_t iocfunc, ioctlcmd_t cmd, void *ptr)
{
return (*iocfunc)(poolfd, cmd, ptr);
}
diff --git a/sbin/ipf/libipf/portname.c b/sbin/ipf/libipf/portname.c
index f567b26fc3fd..034c8255537d 100644
--- a/sbin/ipf/libipf/portname.c
+++ b/sbin/ipf/libipf/portname.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/print_toif.c b/sbin/ipf/libipf/print_toif.c
index 438207bf7e72..2dcaec7394f9 100644
--- a/sbin/ipf/libipf/print_toif.c
+++ b/sbin/ipf/libipf/print_toif.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printactiveaddr.c b/sbin/ipf/libipf/printactiveaddr.c
index 66b5b00aaf98..70deafa345e0 100644
--- a/sbin/ipf/libipf/printactiveaddr.c
+++ b/sbin/ipf/libipf/printactiveaddr.c
@@ -9,9 +9,6 @@
#include "ipf.h"
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printactiveaddr.c,v 1.3.2.2 2012/07/22 08:04:24 darren_r Exp $";
-#endif
void
diff --git a/sbin/ipf/libipf/printactivenat.c b/sbin/ipf/libipf/printactivenat.c
index 222f85a5818b..ba792d3b2be0 100644
--- a/sbin/ipf/libipf/printactivenat.c
+++ b/sbin/ipf/libipf/printactivenat.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -11,9 +10,6 @@
#include "ipf.h"
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id$";
-#endif
static int proto_opened = 0;
diff --git a/sbin/ipf/libipf/printaps.c b/sbin/ipf/libipf/printaps.c
index 00e4db4cb2b8..df27c48b72c8 100644
--- a/sbin/ipf/libipf/printaps.c
+++ b/sbin/ipf/libipf/printaps.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -12,9 +11,6 @@
#include "kmem.h"
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id$";
-#endif
void
diff --git a/sbin/ipf/libipf/printbuf.c b/sbin/ipf/libipf/printbuf.c
index 3a9281217f6a..0fef3c5de854 100644
--- a/sbin/ipf/libipf/printbuf.c
+++ b/sbin/ipf/libipf/printbuf.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printfr.c b/sbin/ipf/libipf/printfr.c
index 2ffb65f69207..f507c8065c82 100644
--- a/sbin/ipf/libipf/printfr.c
+++ b/sbin/ipf/libipf/printfr.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printfraginfo.c b/sbin/ipf/libipf/printfraginfo.c
index fcafdde707be..4693e9335ffb 100644
--- a/sbin/ipf/libipf/printfraginfo.c
+++ b/sbin/ipf/libipf/printfraginfo.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -14,7 +13,6 @@
void
printfraginfo(char *prefix, struct ipfr *ifr)
{
- frentry_t fr;
int family;
PRINTF("%s", prefix);
@@ -25,14 +23,8 @@ printfraginfo(char *prefix, struct ipfr *ifr)
PRINTF("inet");
family = AF_INET;
}
- fr.fr_flags = 0xffffffff;
PRINTF(" %s -> ", hostname(family, &ifr->ipfr_src));
-/*
- if (kmemcpy((char *)&fr, (u_long)ifr->ipfr_rule,
- sizeof(fr)) == -1)
- return;
- */
PRINTF("%s id %x ttl %lu pr %d pkts %u bytes %u seen0 %d ref %d\n",
hostname(family, &ifr->ipfr_dst), ifr->ipfr_id,
ifr->ipfr_ttl, ifr->ipfr_p, ifr->ipfr_pkts, ifr->ipfr_bytes,
diff --git a/sbin/ipf/libipf/printhash.c b/sbin/ipf/libipf/printhash.c
index 2db6ace81256..f5ebb57a1c33 100644
--- a/sbin/ipf/libipf/printhash.c
+++ b/sbin/ipf/libipf/printhash.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printhash_live.c b/sbin/ipf/libipf/printhash_live.c
index 3caaa5e022fe..b8ee31b27597 100644
--- a/sbin/ipf/libipf/printhash_live.c
+++ b/sbin/ipf/libipf/printhash_live.c
@@ -61,5 +61,8 @@ printhash_live(iphtable_t *hp, int fd, char *name, int opts, wordtab_t *fields)
if ((opts & OPT_DEBUG) == 0)
PRINTF(" };\n");
+
+ (void) ioctl(fd,SIOCIPFDELTOK, &iter.ili_key);
+
return (hp->iph_next);
}
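Review bot: The added `(void) ioctl(fd,SIOCIPFDELTOK, &iter.ili_key);` has no comment saying why it is there, and its result is discarded, so a failed release goes unnoticed. A one-line comment such as `/* Release the kernel iterator token keyed by iter.ili_key once the walk is done. */` would tell a reader that this is cleanup of kernel-side state. When `OPT_DEBUG` is set, reporting a non-zero return would make a token that was not released visible. The function starts outside this hunk, so whether any earlier return path skips the release cannot be checked from here.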
diff --git a/sbin/ipf/libipf/printhashnode.c b/sbin/ipf/libipf/printhashnode.c
index 777083d456ac..b3c7140c84d3 100644
--- a/sbin/ipf/libipf/printhashnode.c
+++ b/sbin/ipf/libipf/printhashnode.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printhostmap.c b/sbin/ipf/libipf/printhostmap.c
index bdb15d84995f..bd8b71ceec16 100644
--- a/sbin/ipf/libipf/printhostmap.c
+++ b/sbin/ipf/libipf/printhostmap.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printhostmask.c b/sbin/ipf/libipf/printhostmask.c
index f5495458fa04..7f607dbedcfc 100644
--- a/sbin/ipf/libipf/printhostmask.c
+++ b/sbin/ipf/libipf/printhostmask.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printifname.c b/sbin/ipf/libipf/printifname.c
index e6a38a8692ad..4f19c30aef2a 100644
--- a/sbin/ipf/libipf/printifname.c
+++ b/sbin/ipf/libipf/printifname.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printip.c b/sbin/ipf/libipf/printip.c
index 7cf55f04afec..e4249541f946 100644
--- a/sbin/ipf/libipf/printip.c
+++ b/sbin/ipf/libipf/printip.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printlog.c b/sbin/ipf/libipf/printlog.c
index a04842530504..c9faf40595c9 100644
--- a/sbin/ipf/libipf/printlog.c
+++ b/sbin/ipf/libipf/printlog.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printmask.c b/sbin/ipf/libipf/printmask.c
index 1130c5190f58..bdb28d8ee4a2 100644
--- a/sbin/ipf/libipf/printmask.c
+++ b/sbin/ipf/libipf/printmask.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printnat.c b/sbin/ipf/libipf/printnat.c
index e778d9393d9a..0b032955c8d8 100644
--- a/sbin/ipf/libipf/printnat.c
+++ b/sbin/ipf/libipf/printnat.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -12,9 +11,6 @@
#include "kmem.h"
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id$";
-#endif
/*
diff --git a/sbin/ipf/libipf/printnataddr.c b/sbin/ipf/libipf/printnataddr.c
index ee00b5b14d6c..e6003f0b076b 100644
--- a/sbin/ipf/libipf/printnataddr.c
+++ b/sbin/ipf/libipf/printnataddr.c
@@ -10,9 +10,6 @@
#include "kmem.h"
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnataddr.c,v 1.4.2.2 2012/07/22 08:04:24 darren_r Exp $";
-#endif
void
diff --git a/sbin/ipf/libipf/printpacket.c b/sbin/ipf/libipf/printpacket.c
index 9444f93fe840..f8407c3a3102 100644
--- a/sbin/ipf/libipf/printpacket.c
+++ b/sbin/ipf/libipf/printpacket.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -14,12 +13,12 @@
# define IP_OFFMASK 0x3fff
#endif
-
void
printpacket(int dir, mb_t *m)
{
u_short len, off;
tcphdr_t *tcp;
+ uint16_t tcpflags;
ip_t *ip;
ip = MTOD(m, ip_t *);
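Review bot: The new local `uint16_t tcpflags;` has the same name as the libipf function `tcpflags()` that this commit also touches in `tcpflags.c`. Assuming its prototype is visible here through `ipf.h`, the local hides the function inside `printpacket()` and a `-Wshadow` build will warn. Renaming it to `tcpf`, the name `tcp_flags.c` uses for the same kind of value, avoids that: `uint16_t tcpf;`, with the uses in the next hunk (`-83,24 +82,27`) renamed to match. The function body continues outside this hunk.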
@@ -83,24 +82,27 @@ printpacket(int dir, mb_t *m)
if (!(off & IP_OFFMASK)) {
if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP)
PRINTF(",%d", ntohs(tcp->th_dport));
- if ((ip->ip_p == IPPROTO_TCP) && (tcp->th_flags != 0)) {
+ if ((ip->ip_p == IPPROTO_TCP) &&
+ ((tcpflags = __tcp_get_flags(tcp)) != 0)) {
putchar(' ');
- if (tcp->th_flags & TH_FIN)
+ if (tcpflags & TH_FIN)
putchar('F');
- if (tcp->th_flags & TH_SYN)
+ if (tcpflags & TH_SYN)
putchar('S');
- if (tcp->th_flags & TH_RST)
+ if (tcpflags & TH_RST)
putchar('R');
- if (tcp->th_flags & TH_PUSH)
+ if (tcpflags & TH_PUSH)
putchar('P');
- if (tcp->th_flags & TH_ACK)
+ if (tcpflags & TH_ACK)
putchar('A');
- if (tcp->th_flags & TH_URG)
+ if (tcpflags & TH_URG)
putchar('U');
- if (tcp->th_flags & TH_ECN)
+ if (tcpflags & TH_ECN)
putchar('E');
- if (tcp->th_flags & TH_CWR)
- putchar('C');
+ if (tcpflags & TH_CWR)
+ putchar('W');
+ if (tcpflags & TH_AE)
+ putchar('e');
}
}
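Review bot: This if-chain is a second, hand-maintained copy of the flag-to-letter mapping, separate from the `flagset[]`/`flags[]` tables that `printtcpflags()` walks, and this commit had to edit it by hand (`'C'` became `'W'`, `'e'` was added). Walking the shared tables would keep the two printers from drifting apart: `for (s = flagset, t = flags; *s; s++, t++) if (tcpflags & *t) putchar(*s);`, with `char *s; uint16_t *t;` declared locally. The tables themselves are not visible here, so this only holds if their letters and order match what this output is meant to show. Whichever form is kept, anything that parses this output will now see `W` where it used to see `C` for CWR, which deserves a line in the commit message or the manual page.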
diff --git a/sbin/ipf/libipf/printpacket6.c b/sbin/ipf/libipf/printpacket6.c
index 42d1a36b96b3..c015eabdada5 100644
--- a/sbin/ipf/libipf/printpacket6.c
+++ b/sbin/ipf/libipf/printpacket6.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printpool.c b/sbin/ipf/libipf/printpool.c
index b3bdd02b64b4..86f389c6cbaf 100644
--- a/sbin/ipf/libipf/printpool.c
+++ b/sbin/ipf/libipf/printpool.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printpool_live.c b/sbin/ipf/libipf/printpool_live.c
index 324deb629d0b..9bb19f2888b4 100644
--- a/sbin/ipf/libipf/printpool_live.c
+++ b/sbin/ipf/libipf/printpool_live.c
@@ -9,7 +9,7 @@
#include "netinet/ipl.h"
-ip_pool_t *
+void
printpool_live(ip_pool_t *pool, int fd, char *name, int opts,
wordtab_t *fields)
{
@@ -19,14 +19,16 @@ printpool_live(ip_pool_t *pool, int fd, char *name, int opts,
ipfobj_t obj;
if ((name != NULL) && strncmp(name, pool->ipo_name, FR_GROUPLEN))
- return (pool->ipo_next);
+ return;
if (fields == NULL)
printpooldata(pool, opts);
if ((pool->ipo_flags & IPOOL_DELETE) != 0)
PRINTF("# ");
- if ((opts & OPT_DEBUG) == 0)
+ if (opts & OPT_SAVEOUT)
+ PRINTF("{\n");
+ else if ((opts & OPT_DEBUG) == 0)
PRINTF("\t{");
obj.ipfo_rev = IPFILTER_VERSION;
@@ -48,9 +50,13 @@ printpool_live(ip_pool_t *pool, int fd, char *name, int opts,
while (!last && (ioctl(fd, SIOCLOOKUPITER, &obj) == 0)) {
if (entry.ipn_next == NULL)
last = 1;
+ if (opts & OPT_SAVEOUT)
+ PRINTF("\t");
(void) printpoolnode(&entry, opts, fields);
if ((opts & OPT_DEBUG) == 0)
putchar(';');
+ if (opts & OPT_SAVEOUT)
+ PRINTF("\n");
printed++;
}
}
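Review bot: In save mode the per-entry terminator is still gated on the debug flag, because `putchar(';')` runs only when `(opts & OPT_DEBUG) == 0`. The `{` / `};` framing added in hunks `-19,14 +19,16` and `-58,10 +64,12` gives `OPT_SAVEOUT` precedence over `OPT_DEBUG`, so with both bits set the saved block would hold entries with no `;` and presumably would not load back. Making the test `if ((opts & OPT_SAVEOUT) || (opts & OPT_DEBUG) == 0)` keeps the framing and the terminator consistent. The last hunk also still runs `if (printed == 0) putchar(';');` before the new `};`, so an empty pool is saved as `{`, a bare `;`, then `};`; that should be checked against what the pool parser accepts.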
@@ -58,10 +64,12 @@ printpool_live(ip_pool_t *pool, int fd, char *name, int opts,
if (printed == 0)
putchar(';');
- if ((opts & OPT_DEBUG) == 0)
+ if (opts & OPT_SAVEOUT)
+ PRINTF("};\n");
+ else if ((opts & OPT_DEBUG) == 0)
PRINTF(" };\n");
(void) ioctl(fd,SIOCIPFDELTOK, &iter.ili_key);
- return (pool->ipo_next);
+ return;
}
diff --git a/sbin/ipf/libipf/printpooldata.c b/sbin/ipf/libipf/printpooldata.c
index ce754f9a89bb..bd5af316eb19 100644
--- a/sbin/ipf/libipf/printpooldata.c
+++ b/sbin/ipf/libipf/printpooldata.c
@@ -12,7 +12,9 @@ void
printpooldata(ip_pool_t *pool, int opts)
{
- if ((opts & OPT_DEBUG) == 0) {
+ if (opts & OPT_SAVEOUT) {
+ PRINTF("pool ");
+ } else if ((opts & OPT_DEBUG) == 0) {
if ((pool->ipo_flags & IPOOL_ANON) != 0)
PRINTF("# 'anonymous' tree %s\n", pool->ipo_name);
if ((pool->ipo_flags & IPOOL_DELETE) != 0)
@@ -32,7 +34,11 @@ printpooldata(ip_pool_t *pool, int opts)
printunit(pool->ipo_unit);
- if ((opts & OPT_DEBUG) == 0) {
+ if ((opts & OPT_SAVEOUT)) {
+ PRINTF("/tree (%s \"\%s\";)\n",
+ (!*pool->ipo_name || ISDIGIT(*pool->ipo_name)) ? \
+ "number" : "name", pool->ipo_name);
+ } else if ((opts & OPT_DEBUG) == 0) {
PRINTF(" type=tree %s=%s\n",
(!*pool->ipo_name || ISDIGIT(*pool->ipo_name)) ? \
"number" : "name", pool->ipo_name);
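Review bot: `\%` in the new format string `"/tree (%s \"\%s\";)\n"` is not an escape sequence that C defines; GCC and Clang accept it only with an unknown-escape-sequence warning. It should be written `PRINTF("/tree (%s \"%s\";)\n",`. Separately, `pool->ipo_name` is emitted between double quotes without escaping, so a name containing `"` or a newline would produce a save file that does not parse back as written. If nothing upstream already restricts pool names, the name should be validated or escaped before it is printed in this mode. `printpooldata()` continues outside this hunk.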
diff --git a/sbin/ipf/libipf/printpoolnode.c b/sbin/ipf/libipf/printpoolnode.c
index 023aca47c7ff..8cec3fcae757 100644
--- a/sbin/ipf/libipf/printpoolnode.c
+++ b/sbin/ipf/libipf/printpoolnode.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printportcmp.c b/sbin/ipf/libipf/printportcmp.c
index 556a3ac2fb0b..2e3ee471e3e2 100644
--- a/sbin/ipf/libipf/printportcmp.c
+++ b/sbin/ipf/libipf/printportcmp.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printproto.c b/sbin/ipf/libipf/printproto.c
index 7bc4952b3b7c..3d4c881ff6d0 100644
--- a/sbin/ipf/libipf/printproto.c
+++ b/sbin/ipf/libipf/printproto.c
@@ -7,9 +7,6 @@
#include "ipf.h"
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id$";
-#endif
void
diff --git a/sbin/ipf/libipf/printsbuf.c b/sbin/ipf/libipf/printsbuf.c
index c9c89ef6eb01..4d3de8468dee 100644
--- a/sbin/ipf/libipf/printsbuf.c
+++ b/sbin/ipf/libipf/printsbuf.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printstate.c b/sbin/ipf/libipf/printstate.c
index 1f135231ff58..3b6f6c3b07d4 100644
--- a/sbin/ipf/libipf/printstate.c
+++ b/sbin/ipf/libipf/printstate.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/printtcpflags.c b/sbin/ipf/libipf/printtcpflags.c
index d134fb4a3120..349e18be127e 100644
--- a/sbin/ipf/libipf/printtcpflags.c
+++ b/sbin/ipf/libipf/printtcpflags.c
@@ -4,10 +4,10 @@
void
printtcpflags(u_32_t tcpf, u_32_t tcpfm)
{
- u_char *t;
+ uint16_t *t;
char *s;
- if (tcpf & ~TCPF_ALL) {
+ if (tcpf & ~TH_FLAGS) {
PRINTF("0x%x", tcpf);
} else {
for (s = flagset, t = flags; *s; s++, t++) {
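Review bot: Whether `TH_FLAGS` includes the new `TH_AE` bit (0x100 in the fallback define this commit adds to `tcpflags.c`) decides what `if (tcpf & ~TH_FLAGS)` does, and nothing here documents it. If `TH_FLAGS` covers only the eight classic bits, a value with AE set takes the hex branch and is never printed as a flag letter. The same applies to the mask test in the next hunk (`-18,7 +18,7`) and to the default masks built from `TH_FLAGS` in `tcp_flags.c`. Either spell the mask out, `if (tcpf & ~(TH_FLAGS|TH_AE)) {`, or add a comment stating that `TH_FLAGS` already contains `TH_AE` with the headers this builds against. `printtcpflags()` continues outside this hunk.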
@@ -18,7 +18,7 @@ printtcpflags(u_32_t tcpf, u_32_t tcpfm)
if (tcpfm) {
(void)putchar('/');
- if (tcpfm & ~TCPF_ALL) {
+ if (tcpfm & ~TH_FLAGS) {
PRINTF("0x%x", tcpfm);
} else {
for (s = flagset, t = flags; *s; s++, t++)
diff --git a/sbin/ipf/libipf/printtunable.c b/sbin/ipf/libipf/printtunable.c
index b748efd5129a..8cd212a2b8b4 100644
--- a/sbin/ipf/libipf/printtunable.c
+++ b/sbin/ipf/libipf/printtunable.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/remove_hash.c b/sbin/ipf/libipf/remove_hash.c
index 3af2a3f427d7..c6778e372224 100644
--- a/sbin/ipf/libipf/remove_hash.c
+++ b/sbin/ipf/libipf/remove_hash.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/remove_hashnode.c b/sbin/ipf/libipf/remove_hashnode.c
index f6679d6acd95..95fada0a81e5 100644
--- a/sbin/ipf/libipf/remove_hashnode.c
+++ b/sbin/ipf/libipf/remove_hashnode.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/remove_pool.c b/sbin/ipf/libipf/remove_pool.c
index 0f67368b2b33..21d01fdbc0a4 100644
--- a/sbin/ipf/libipf/remove_pool.c
+++ b/sbin/ipf/libipf/remove_pool.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/remove_poolnode.c b/sbin/ipf/libipf/remove_poolnode.c
index b3c39aa21ec8..2d8caa158604 100644
--- a/sbin/ipf/libipf/remove_poolnode.c
+++ b/sbin/ipf/libipf/remove_poolnode.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/resetlexer.c b/sbin/ipf/libipf/resetlexer.c
index e6fbbce4ccc0..307ed657a46a 100644
--- a/sbin/ipf/libipf/resetlexer.c
+++ b/sbin/ipf/libipf/resetlexer.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/rwlock_emul.c b/sbin/ipf/libipf/rwlock_emul.c
index e15d9610887f..ec8a61c5cff2 100644
--- a/sbin/ipf/libipf/rwlock_emul.c
+++ b/sbin/ipf/libipf/rwlock_emul.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/tcp_flags.c b/sbin/ipf/libipf/tcp_flags.c
index e652819bebb1..9247933ee85b 100644
--- a/sbin/ipf/libipf/tcp_flags.c
+++ b/sbin/ipf/libipf/tcp_flags.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2000-2004 by Darren Reed.
@@ -10,13 +9,13 @@
#include "ipf.h"
-extern char flagset[];
-extern u_char flags[];
+extern char flagset[];
+extern uint16_t flags[];
-u_char tcp_flags(char *flgs, u_char *mask, int linenum)
+uint16_t tcp_flags(char *flgs, uint16_t *mask, int linenum)
{
- u_char tcpf = 0, tcpfm = 0;
+ uint16_t tcpf = 0, tcpfm = 0;
char *s;
s = strchr(flgs, '/');
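Review bot: Widening `mask` from `u_char *` to `uint16_t *` turns the store `*mask = tcpfm;` in the next hunk into a two-byte write, so any caller that still passes the address of a one-byte variable would have the adjacent byte overwritten. The callers are not part of this hunk; each one needs checking that it passes a `uint16_t` object, and building with `-Werror=incompatible-pointer-types` would catch any that were missed. A short doc comment on `tcp_flags()` stating that `*mask` receives a 16-bit flag mask would make the new contract explicit. The body of the function continues outside this hunk.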
@@ -38,9 +37,9 @@ u_char tcp_flags(char *flgs, u_char *mask, int linenum)
if (!tcpfm) {
if (tcpf == TH_SYN)
- tcpfm = 0xff & ~(TH_ECN|TH_CWR);
+ tcpfm = TH_FLAGS & ~(TH_ECN|TH_CWR);
else
- tcpfm = 0xff & ~(TH_ECN);
+ tcpfm = TH_FLAGS & ~(TH_ECN);
}
*mask = tcpfm;
return (tcpf);
diff --git a/sbin/ipf/libipf/tcpflags.c b/sbin/ipf/libipf/tcpflags.c
index ef2950836393..46b64e96deda 100644
--- a/sbin/ipf/libipf/tcpflags.c
+++ b/sbin/ipf/libipf/tcpflags.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -20,14 +19,17 @@
#ifndef TH_CWR
# define TH_CWR 0x80
#endif
+#ifndef TH_AE
+# define TH_AE 0x100
+#endif
-extern char flagset[];
-extern u_char flags[];
+extern char flagset[];
+extern uint16_t flags[];
-u_char tcpflags(char *flgs)
+uint16_t tcpflags(char *flgs)
{
- u_char tcpf = 0;
+ uint16_t tcpf = 0;
char *s, *t;
for (s = flgs; *s; s++) {
diff --git a/sbin/ipf/libipf/tcpoptnames.c b/sbin/ipf/libipf/tcpoptnames.c
index 24e41bb18b8b..3044f939438d 100644
--- a/sbin/ipf/libipf/tcpoptnames.c
+++ b/sbin/ipf/libipf/tcpoptnames.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/v6ionames.c b/sbin/ipf/libipf/v6ionames.c
index 9f1207f13431..485af14f7863 100644
--- a/sbin/ipf/libipf/v6ionames.c
+++ b/sbin/ipf/libipf/v6ionames.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/v6optvalue.c b/sbin/ipf/libipf/v6optvalue.c
index c0d13bc51d85..5d09ad1b584d 100644
--- a/sbin/ipf/libipf/v6optvalue.c
+++ b/sbin/ipf/libipf/v6optvalue.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
diff --git a/sbin/ipf/libipf/var.c b/sbin/ipf/libipf/var.c
index d3a03b6e46d7..0ccc888b3246 100644
--- a/sbin/ipf/libipf/var.c
+++ b/sbin/ipf/libipf/var.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
@@ -24,8 +23,7 @@ static variable_t *find_var(char *);
static char *expand_string(char *, int);
-static variable_t *find_var(name)
- char *name;
+static variable_t *find_var(char *name)
{
variable_t *v;
diff --git a/sbin/ipf/libipf/verbose.c b/sbin/ipf/libipf/verbose.c
index 47988c084516..cfa22083ed02 100644
--- a/sbin/ipf/libipf/verbose.c
+++ b/sbin/ipf/libipf/verbose.c
@@ -1,4 +1,3 @@
-/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.