[src/netbsd-1-4]: src/dist/ipf Pull up revision 1.1.1.1 (new) (requested by d...
details: https://anonhg.NetBSD.org/src/rev/2c3638c43f40
branches: netbsd-1-4
changeset: 469933:2c3638c43f40
user: he <he%NetBSD.org@localhost>
date: Mon Dec 20 21:01:41 1999 +0000
description:
Pull up revision 1.1.1.1 (new) (requested by darrenr):
Update IPF to version 3.3.5.
diffstat:
dist/ipf/BNF | 76 +
dist/ipf/BugReport | 10 +
dist/ipf/FWTK/Index | 3 +
dist/ipf/FWTK/README | 18 +
dist/ipf/FWTK/README.ipfilter | 20 +
dist/ipf/FWTK/ftp-gw.diff | 232 ++
dist/ipf/FWTK/fwtk-2.1-transparency.txt | 707 ++++++++
dist/ipf/FWTK/fwtk_transparent.diff | 1025 ++++++++++++
dist/ipf/FWTK/fwtkp | 812 +++++++++
dist/ipf/FWTK/tproxy.diff | 82 +
dist/ipf/HISTORY | 1323 ++++++++++++++++
dist/ipf/IMPORTANT | 46 +
dist/ipf/LICENCE | 16 +
dist/ipf/Makefile | 242 ++
dist/ipf/README | 98 +
dist/ipf/UPGRADE_NOTICE | 10 +
dist/ipf/Y2K | 3 +
dist/ipf/etc/protocols | 95 +
dist/ipf/etc/services | 2535 +++++++++++++++++++++++++++++++
dist/ipf/facpri.c | 148 +
dist/ipf/facpri.h | 44 +
dist/ipf/ip_lfil.c | 981 +++++++++++
dist/ipf/ip_sfil.c | 742 +++++++++
dist/ipf/ipf.h | 91 +
dist/ipf/ipft_ef.c | 156 +
dist/ipf/ipft_hx.c | 174 ++
dist/ipf/ipft_pc.c | 233 ++
dist/ipf/ipft_sn.c | 215 ++
dist/ipf/ipft_td.c | 193 ++
dist/ipf/ipft_tx.c | 352 ++++
dist/ipf/iplang/BNF | 69 +
dist/ipf/iplang/Makefile | 30 +
dist/ipf/iplang/iplang.h | 56 +
dist/ipf/iplang/iplang.tst | 11 +
dist/ipf/iplang/iplang_y.y | 1868 ++++++++++++++++++++++
dist/ipf/ipt.c | 252 +++
dist/ipf/ipt.h | 41 +
dist/ipf/kmem.c | 104 +
dist/ipf/kmem.h | 36 +
dist/ipf/misc.c | 116 +
dist/ipf/mkfilters | 116 +
dist/ipf/ml_ipl.c | 169 ++
dist/ipf/mln_ipl.c | 269 +++
dist/ipf/natparse.c | 796 +++++++++
dist/ipf/opt.c | 180 ++
dist/ipf/parse.c | 1585 +++++++++++++++++++
dist/ipf/pcap.h | 37 +
dist/ipf/relay.c | 182 ++
dist/ipf/snoop.h | 49 +
dist/ipf/todo | 42 +
50 files changed, 16690 insertions(+), 0 deletions(-)
diffs (truncated from 16890 to 300 lines):
diff -r 0218053c9b9c -r 2c3638c43f40 dist/ipf/BNF
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/BNF Mon Dec 20 21:01:41 1999 +0000
@@ -0,0 +1,76 @@
+filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
+ [ proto ] [ ip ] [ group ].
+
+insert = "@" decnumber .
+action = block | "pass" | log | "count" | skip | auth | call .
+in-out = "in" | "out" .
+options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
+tos = "tos" decnumber | "tos" hexnumber .
+ttl = "ttl" decnumber .
+proto = "proto" protocol .
+ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
+group = [ "head" decnumber ] [ "group" decnumber ] .
+
+block = "block" [ icmp [return-code] | "return-rst" ] .
+auth = "auth" | "preauth" .
+log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
+call = "call" [ "now" ] function-name .
+skip = "skip" decnumber .
+dup = "dup-to" interface-name[":"ipaddr] .
+froute = "fastroute" | "to" interface-name .
+protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
+srcdst = "all" | fromto .
+fromto = "from" object "to" object .
+
+icmp = "return-icmp" | "return-icmp-as-dest" .
+loglevel = facility"."priority | priority .
+object = addr [ port-comp | port-range ] .
+addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
+port-comp = "port" compare port-num .
+port-range = "port" port-num range port-num .
+flags = "flags" flag { flag } [ "/" flag { flag } ] .
+with = "with" | "and" .
+icmp = "icmp-type" icmp-type [ "code" decnumber ] .
+return-code = "("icmp-code")" .
+keep = "keep" "state" | "keep" "frags" .
+
+nummask = host-name [ "/" decnumber ] .
+host-name = ipaddr | hostname | "any" .
+ipaddr = host-num "." host-num "." host-num "." host-num .
+host-num = digit [ digit [ digit ] ] .
+port-num = service-name | decnumber .
+
+withopt = [ "not" | "no" ] opttype [ withopt ] .
+opttype = "ipopts" | "short" | "frag" | "opt" ipopts .
+optname = ipopts [ "," optname ] .
+ipopts = optlist | "sec-class" [ secname ] .
+secname = seclvl [ "," secname ] .
+seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
+ "reserv-4" | "secret" | "topsecret" .
+icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
+ "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
+ "inforep" | "maskreq" | "maskrep" | "routerad" |
+ "routersol" | decnumber .
+icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
+ "needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
+ "net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
+optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
+ "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
+ "visa" | "imitd" | "eip" | "finn" .
+facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
+ "lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
+ "audit" | "logalert" | "local0" | "local1" | "local2" |
+ "local3" | "local4" | "local5" | "local6" | "local7" .
+priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
+ "info" | "debug" .
+
+hexnumber = "0" "x" hexstring .
+hexstring = hexdigit [ hexstring ] .
+decnumber = digit [ decnumber ] .
+
+compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
+ "le" | "ge" .
+range = "<>" | "><" .
+hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
+digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
+flag = "F" | "S" | "R" | "P" | "A" | "U" .
diff -r 0218053c9b9c -r 2c3638c43f40 dist/ipf/BugReport
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/BugReport Mon Dec 20 21:01:41 1999 +0000
@@ -0,0 +1,10 @@
+IP Filter bug report form.
+--------------------------
+IP Filter Version:
+Operating System Version:
+Configuration: <LKM or compiled-into-kernel>
+
+Description of problem:
+
+How to repeat:
+
diff -r 0218053c9b9c -r 2c3638c43f40 dist/ipf/FWTK/Index
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/FWTK/Index Mon Dec 20 21:01:41 1999 +0000
@@ -0,0 +1,3 @@
+README - Readme for ftp-gw.diff and fwtkp
+README.ipfilter - README for fwtk_transparent.diff
+fwtk_transparent.diff - patches for 2.0beta
diff -r 0218053c9b9c -r 2c3638c43f40 dist/ipf/FWTK/README
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/FWTK/README Mon Dec 20 21:01:41 1999 +0000
@@ -0,0 +1,18 @@
+
+There are two patch files in this directory, each allowing for the Firewall
+Toolkit to be used in a transparent proxy configuration.
+
+ftp-gw.diff - A patch written by myself for use only with IP Filter and
+ ftp-gw from the Firewall Toolkit. You need to copy ip_nat.h,
+ ip_fil.h and ip_compat.h to the ftp-gw directory to compile
+ once this patch has been applied.
+
+fwtkp - A set of patches written by James B. Croall (jcroall%foo.org@localhost)
+ for use with both IP Filter and ipfwadm (for Linux) and more
+ of the various FWTK gateway plugins, including:
+ ftp-gw http-gw plug-gw rlogin-gw tn-gw
+
+Both patches when applied to the Firewall toolkit require the same
+configuration for IP Filter.
+
+Darren
diff -r 0218053c9b9c -r 2c3638c43f40 dist/ipf/FWTK/README.ipfilter
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/FWTK/README.ipfilter Mon Dec 20 21:01:41 1999 +0000
@@ -0,0 +1,20 @@
+
+there was a patch for fwtk with ip_filter 3.1.5 from James B. Croall
+(thanx for his work) which I put onto fwtk 2.0beta.
+
+Now, if you decide to do transparent proxying with ip-filter you
+have to put -DUSE_IP_FILTER to COPTS in Makefile.config.
+With Solaris 2.x you have to correctly replace the path to your
+ip_filter sources. (lib/hnam.c needs ip_nat.h)
+
+I also patched plug-gw to be configured to accept not only one
+destination with the parameter "-all-destinations" in netperm-table.
+Perhaps this is a security hole...
+
+The patched fwtk worked fine for me with linux (kernel 2.0.28 and ipfadm 2.1)
+and Solaris 2.5 (ip_filter 3.1.5).
+
+If you try to enhance the transparent proxy features for other
+architectures, see lib/hnam.c (getdsthost).
+
+Michael Kutzner, Michael.Kutzner%paderlinx.de@localhost
diff -r 0218053c9b9c -r 2c3638c43f40 dist/ipf/FWTK/ftp-gw.diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/FWTK/ftp-gw.diff Mon Dec 20 21:01:41 1999 +0000
@@ -0,0 +1,232 @@
+*** ftp-gw.c.orig Sun Jun 22 16:27:42 1997
+--- ftp-gw.c Sun Jun 22 17:02:16 1997
+***************
+*** 11,31 ****
+--- 11,41 ----
+ */
+ static char RcsId[] = "$Header: /cvsroot/src/dist/ipf/FWTK/Attic/ftp-gw.diff,v 1.1.1.1.2.2 1999/12/20 21:01:46 he Exp $";
+
++ /*
++ * Patches for IP Filter NAT extensions written by Darren Reed, 7/7/96
++ * darrenr%cyber.com.au@localhost
++ */
++ static char vIpFilter[] = "v3.1.11";
+
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <syslog.h>
++ #include <unistd.h>
++ #include <fcntl.h>
+ #include <sys/signal.h>
+ #include <sys/ioctl.h>
+ #include <sys/errno.h>
+ extern int errno;
++ #ifdef sun
+ extern char *sys_errlist[];
++ #endif
+ #include <arpa/ftp.h>
+ #include <arpa/telnet.h>
+ #include <sys/time.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
++ #include <net/if.h>
+
+ extern char *rindex();
+ extern char *index();
+***************
+*** 36,41 ****
+--- 46,54 ----
+
+ #include "firewall.h"
+
++ #include "ip_compat.h"
++ #include "ip_fil.h"
++ #include "ip_nat.h"
+
+ #ifndef BSIZ
+ #define BSIZ 2048
+***************
+*** 83,88 ****
+--- 96,103 ----
+ static int cmd_noop();
+ static int cmd_abor();
+ static int cmd_passthru();
++ static int nat_destination();
++ static int connectdest();
+ static void saveline();
+ static void flushsaved();
+ static void trap_sigurg();
+***************
+*** 317,323 ****
+ if(authallflg)
+ if(say(0,"220-Proxy first requires authentication"))
+ exit(1);
+! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
+ if(say(0,xuf))
+ exit(1);
+ }
+--- 332,341 ----
+ if(authallflg)
+ if(say(0,"220-Proxy first requires authentication"))
+ exit(1);
+! sprintf(xuf,"220-%s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
+! if(say(0,xuf))
+! exit(1);
+! sprintf(xuf,"220-%s TIS ftp-gw with IP Filter %s NAT extensions",huf,vIpFilter);
+ if(say(0,xuf))
+ exit(1);
+ }
+***************
+*** 338,343 ****
+--- 356,363 ----
+ exit(1);
+ }
+
++ nat_destination(0);
++
+ /* main loop */
+ while(1) {
+ FD_ZERO(&rdy);
+***************
+*** 608,619 ****
+ static char narg[] = "501 Missing or extra username";
+ static char noad[] = "501 Use user@site to connect via proxy";
+ char buf[1024];
+- char mbuf[512];
+ char *p;
+ char *dest;
+ char *user;
+ int x;
+- int msg_int;
+ short port = FTPPORT;
+
+ /* kludgy but effective. if authorizing everything call auth instead */
+--- 628,637 ----
+***************
+*** 643,648 ****
+--- 661,687 ----
+ return(sayn(0,noad,sizeof(noad)));
+ }
+
++ if((rfd == -1) && (x = connectdest(dest,port)))
++ return x;
++ sprintf(buf,"USER %s",user);
++ if(say(rfd,buf))
++ return(1);
++ x = getresp(rfd,buf,sizeof(buf),1);
++ if(sendsaved(0,x))
++ return(1);
++ return(say(0,buf));
++ }
++
++ static int
++ connectdest(dest,port)
++ char *dest;
++ short port;
++ {
++ char buf[1024];
++ char mbuf[512];
++ int msg_int;
++ int x;
++
+ if(*dest == '\0')
+ dest = "localhost";
+
+***************
+*** 685,693 ****
+ char ebuf[512];
+
+ strcpy(ebuf,buf);
+! sprintf(buf,"521 %s: %s",dest,ebuf);
+ return(say(0,buf));
+ }
+ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
+ saveline(buf);
+
+--- 724,733 ----
+ char ebuf[512];
+