[src/trunk]: src/dist/ipf Import IP Filter 3.4.1
details: https://anonhg.NetBSD.org/src/rev/7a13779ed203
branches: trunk
changeset: 485684:7a13779ed203
user: veego <veego%NetBSD.org@localhost>
date: Wed May 03 10:55:27 2000 +0000
description:
Import IP Filter 3.4.1
diffstat:
dist/ipf/FreeBSD-4.0/ipv6-patch | 61 +++
dist/ipf/FreeBSD-4.0/kinstall | 50 ++
dist/ipf/FreeBSD-4.0/unkinstall | 48 ++
dist/ipf/IPF.KANJI | 465 ++++++++++++++++++++++++
dist/ipf/LICENCE | 2 +-
dist/ipf/Makefile | 69 ++-
dist/ipf/common.c | 578 ++++++++++++++++++++++++++++++
dist/ipf/facpri.c | 6 +-
dist/ipf/facpri.h | 6 +-
dist/ipf/ipf.h | 33 +-
dist/ipf/ipfs.c | 765 ++++++++++++++++++++++++++++++++++++++++
dist/ipf/ipft_ef.c | 6 +-
dist/ipf/ipft_hx.c | 6 +-
dist/ipf/ipft_pc.c | 6 +-
dist/ipf/ipft_sn.c | 6 +-
dist/ipf/ipft_td.c | 6 +-
dist/ipf/ipft_tx.c | 18 +-
dist/ipf/ipt.h | 6 +-
dist/ipf/kmem.c | 6 +-
dist/ipf/kmem.h | 6 +-
dist/ipf/misc.c | 6 +-
dist/ipf/ml_ipl.c | 4 +-
dist/ipf/mlfk_ipl.c | 183 +++++++++
dist/ipf/mln_ipl.c | 4 +-
dist/ipf/natparse.c | 721 ++++++++++++++++++-------------------
dist/ipf/opt.c | 8 +-
dist/ipf/pcap.h | 6 +-
dist/ipf/relay.c | 5 +-
dist/ipf/snoop.h | 6 +-
dist/ipf/todo | 63 +++-
30 files changed, 2693 insertions(+), 462 deletions(-)
diffs (truncated from 3916 to 300 lines):
diff -r 3a7f9c0797b4 -r 7a13779ed203 dist/ipf/FreeBSD-4.0/ipv6-patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/FreeBSD-4.0/ipv6-patch Wed May 03 10:55:27 2000 +0000
@@ -0,0 +1,61 @@
+*** ip6_input.c.orig Sun Feb 13 14:32:01 2000
+--- ip6_input.c Wed Apr 26 22:31:34 2000
+***************
+*** 121,126 ****
+--- 121,127 ----
+
+ extern struct domain inet6domain;
+ extern struct ip6protosw inet6sw[];
++ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+
+ u_char ip6_protox[IPPROTO_MAX];
+ static int ip6qmaxlen = IFQ_MAXLEN;
+***************
+*** 302,307 ****
+--- 303,317 ----
+ ip6stat.ip6s_badvers++;
+ in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
+ goto bad;
++ }
++
++ if (fr_checkp) {
++ struct mbuf *m1 = m;
++
++ if ((*fr_checkp)(ip6, sizeof(*ip6), m->m_pkthdr.rcvif,
++ 0, &m1) || !m1)
++ return;
++ ip6 = mtod(m = m1, struct ip6_hdr *);
+ }
+
+ ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
+*** ip6_output.c.orig Fri Mar 10 01:57:16 2000
+--- ip6_output.c Wed Apr 26 22:34:34 2000
+***************
+*** 108,113 ****
+--- 108,115 ----
+ #include <netinet6/ip6_fw.h>
+ #endif
+
++ extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
++
+ static MALLOC_DEFINE(M_IPMOPTS, "ip6_moptions", "internet multicast options");
+
+ struct ip6_exthdrs {
+***************
+*** 754,759 ****
+--- 756,770 ----
+ ip6->ip6_src.s6_addr16[1] = 0;
+ if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
+ ip6->ip6_dst.s6_addr16[1] = 0;
++ }
++
++ if (fr_checkp) {
++ struct mbuf *m1 = m;
++
++ if ((error = (*fr_checkp)(ip6, sizeof(*ip6), ifp, 1, &m1)) ||
++ !m1)
++ goto done;
++ ip6 = mtod(m = m1, struct ip6_hdr *);
+ }
+
+ #ifdef IPV6FIREWALL
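Review bot: The `fr_checkp` hook is declared at lines 56 and 86 with a `struct ip *` first parameter, but both call sites pass `ip6`, which the following `ip6 = mtod(m = m1, struct ip6_hdr *)` shows is a `struct ip6_hdr *`, so each call passes an incompatible pointer type and a conforming compiler will at least warn. Making the hand-off explicit keeps the prototype honest: `if ((*fr_checkp)((struct ip *)ip6, sizeof(*ip6), m->m_pkthdr.rcvif, 0, &m1) || !m1)` in the ip6_input hunk, and the same cast in the ip6_output call. Presumably the callee distinguishes v4 from v6 by inspecting the header itself; that, and whether it expects `sizeof(*ip6)` as the v6 header length, should be confirmed against the filter entry point, which is outside this patch. Both patched functions start and end outside the hunks shown.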
diff -r 3a7f9c0797b4 -r 7a13779ed203 dist/ipf/FreeBSD-4.0/kinstall
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/FreeBSD-4.0/kinstall Wed May 03 10:55:27 2000 +0000
@@ -0,0 +1,50 @@
+#!/bin/csh -f
+#
+set dir=`pwd`
+set karch=`uname -m`
+if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
+if ( -d /sys/$karch ) set archdir="/sys/$karch"
+set confdir="$archdir/conf"
+
+if ( $dir =~ */FreeBSD* ) cd ..
+echo -n "Installing "
+foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
+ ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \
+ ip_compat.h ip_auth.[ch] ip_log.c)
+ echo -n "$i ";
+ cp $i /sys/netinet
+ chmod 644 /sys/netinet/$i
+end
+echo ""
+echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
+ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
+
+echo ""
+echo "Patching ip6_input.c and ip6_output.c"
+cat FreeBSD-4.0/ipv6-patch | (cd /sys/netinet6; patch)
+
+set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
+echo -n "Kernel configuration to update [$config] "
+set newconfig=$<
+if ( "$newconfig" != "" ) then
+ set config="$confdir/$newconfig"
+else
+ set newconfig=$config
+endif
+echo "Rewriting $newconfig..."
+if ( -f $confdir/$newconfig ) then
+ mv $confdir/$newconfig $confdir/$newconfig.bak
+endif
+if ( -d $archdir/../compile/$newconfig ) then
+ set bak=".bak"
+ set dot=0
+ while ( -d $archdir/../compile/${newconfig}.${bak} )
+ set bak=".bak.$dot"
+ set dot=`expr 1 + $dot`
+ end
+ mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
+endif
+awk '{print $0;if($2=="INET"){print"options IPFILTER\noptions IPFILTER_LOG"}}'\
+ $confdir/$newconfig.bak > $confdir/$newconfig
+echo "You will now need to run config on $newconfig and build a new kernel."
+exit 0
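Review bot: `archdir` is only assigned when one of the two `-d` tests at lines 117-118 succeeds, so on a tree with neither `/sys/arch/$karch` nor `/sys/$karch` the script stops at `set confdir="$archdir/conf"` with csh's undefined-variable error instead of a useful message; unkinstall repeats the same pattern. An explicit guard after the two tests makes the failure deliberate: `if ( ! $?archdir ) then` / `echo "No kernel source tree found for $karch"; exit 1` / `endif`. The `(cd /sys/netinet6; patch)` subshell at line 136 likewise never checks that the `cd` succeeded; `(cd /sys/netinet6 && patch)` would keep a missing netinet6 directory from applying the patch relative to the current directory (assuming csh carries on past a failed builtin inside a subshell — worth confirming). Since this script copies into `/sys` as root, both checks are cheap insurance.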
diff -r 3a7f9c0797b4 -r 7a13779ed203 dist/ipf/FreeBSD-4.0/unkinstall
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/FreeBSD-4.0/unkinstall Wed May 03 10:55:27 2000 +0000
@@ -0,0 +1,48 @@
+#!/bin/csh -f
+#
+#
+set dir=`pwd`
+set karch=`uname -m`
+if ( -d /sys/arch/$karch ) set archdir="/sys/arch/$karch"
+if ( -d /sys/$karch ) set archdir="/sys/$karch"
+set confdir="$archdir/conf"
+
+if ( $dir =~ */FreeBSD* ) cd ..
+echo -n "Uninstalling "
+foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
+ ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \
+ ip_log.c mlf_ipl.c ipl.h)
+ echo -n "$i ";
+ /bin/rm -f /sys/netinet/$i
+end
+echo ""
+
+echo "Removing link from /usr/include/osreldate.h to /sys/sys/osreldate.h"
+rm /sys/sys/osreldate.h
+
+echo "Removing patch to ip6_input.c and ip6_output.c"
+cat FreeBSD-4.0/ipv6-patch | (cd /sys/netinet6; patch -R)
+
+set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
+echo -n "Kernel configuration to update [$config] "
+set newconfig=$<
+if ( "$newconfig" != "" ) then
+ set config="$confdir/$newconfig"
+else
+ set newconfig=$config
+endif
+if ( -f $confdir/$newconfig ) then
+ mv $confdir/$newconfig $confdir/$newconfig.bak
+endif
+if ( -d $archdir/../compile/$newconfig ) then
+ set bak=".bak"
+ set dot=0
+ while ( -d $archdir/../compile/${newconfig}.${bak} )
+ set bak=".bak.$dot"
+ set dot=`expr 1 + $dot`
+ end
+ mv $archdir/../compile/$newconfig $archdir/../compile/${newconfig}.${bak}
+endif
+egrep -v IPFILTER $confdir/$newconfig.bak > $confdir/$newconfig
+echo 'You will now need to run "config" and build a new kernel.'
+exit 0
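Review bot: `rm /sys/sys/osreldate.h` at line 187 deletes the file unconditionally, although kinstall only ever creates it as a symlink to `/usr/include/osreldate.h`; on a tree that already has a real `osreldate.h` the uninstall removes a genuine header. Restricting the removal to the symlink case keeps this script to undoing what kinstall did, e.g. `if ( { test -L /sys/sys/osreldate.h } ) rm /sys/sys/osreldate.h` (plain csh's file inquiries have no symlink test, hence the external `test`). The `patch -R` at line 190 is also not checked, so a failed reversal goes unreported before the script proceeds to rewrite the kernel configuration.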
diff -r 3a7f9c0797b4 -r 7a13779ed203 dist/ipf/IPF.KANJI
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dist/ipf/IPF.KANJI Wed May 03 10:55:27 2000 +0000
@@ -0,0 +1,465 @@
+IP filter $B%7%g!<%H%,%$%I(B Dec, 1999
+
+$B%[!<%`%Z!<%8(B: http://coombs.anu.edu.au/~avalon/ip-filter.html
+FTP: ftp://coombs.anu.edu.au/pub/net/ip-filter/
+
+ $B30;3(B $B=c@8(B <sumio%is.s.u-tokyo.ac.jp@localhost>
+ $B;3K\(B $BBY1'(B <ymmt%is.s.u-tokyo.ac.jp@localhost>
+
+-----
+$B$O$8$a$K(B
+
+IP filter $B$r(B gateway $B%^%7%s$K%$%s%9%H!<%k$9$k$3$H$G%Q%1%C%H%U%#(B
+$B%k%?%j%s%0$r9T$&$3$H$,$G$-$^$9!#(B
+
+$B%$%s%9%H!<%k$NJ}K!$O!"(BINSTALL$B$K=q$$$F$"$k$N$G!"$=$A$i$r;2>H$7$F(B
+$B$/$@$5$$!#(BIP filter $B$N%P!<%8%g%s(B 3.3.5 $B$O!"(B
+ Solaris/Solaris-x86 2.3 - 8 (early access)
+ SunOS 4.1.1 - 4.1.4
+ NetBSD 1.0 - 1.4
+ FreeBSD 2.0.0 - 2.2.8
+ BSD/OS-1.1 - 4
+ IRIX 6.2
+$B$GF0:n$9$k$3$H$,3NG'$5$l$F$$$^$9!#(B
+
+$B$J$*!"(B64 bit kernel $B$NAv$C$F$k(B Solaris7 $B%^%7%s$G$O!"(Bgcc $B$H$+$G%3(B
+$B%s%Q%$%k$7$?(B kernel driver $B$OF0:n$7$^$;$s!#(B
+
+$B$=$N$h$&$J>l9g$K$O!"(Bprecompiled binary $B$r(B
+ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.2-sparcv9.pkg.gz
+(1999$BG/(B12$B7n(B14$BF|8=:_!"$^$@(B3.3.5$B$O%Q%C%1!<%8$K$J$C$F$$$^$;$s(B)
+$B$+$i<h$C$F$/$k$+!"(BWorkshop Compiler 5.0 $B$G%3%s%Q%$%k$7$F(B 64bit
+driver $B$r:n$C$F$/$@$5$$!#(B
+
+-----
+$B@_Dj%U%!%$%k$N5-=RJ}K!(B
+
+IP filter$B$N@_Dj$O!V$I$N%"%I%l%9!W$N!V$I$N%]!<%H!W$+$i!V$I$N%"%I(B
+$B%l%9!W$N!V$I$N%]!<%H!W$X$N%Q%1%C%H$r(B block $B$9$k$+(B pass $B$9$k$+!"(B
+$B$r;XDj$9$k$3$H$G9T$$$^$9!#(B
+
+$B0J2<$NNc$G$O!"2f!9$,4IM}$7$F$$$k%5%V%M%C%H$h$j30$+$iFb$N%"%/%;%9(B
+$B$O!"0lIt$N%^%7%s$r=|$$$F$OA4$F%V%m%C%/$7!"Fb$+$i30$X$N%"%/%;%9$O!"(B
+$B86B'$H$7$FA4$FAGDL$7$9$k%]%j%7!<$G5-=R$5$l$F$$$^$9!#(B
+
+$B0J2<!"4IM}$7$F$$$k%5%V%M%C%H$r(B
+ 123.45.1.0/24
+$B$H$7$FNc$r<($7$^$9!#(B24$B$O%5%V%M%C%H%^%9%/$G$9!#(B
+
+$B$^$?!"(Bgateway $B$O(B
+ 123.45.1.111 (hme0)
+$B$,(B LAN$BB&$N%$%s%?!<%U%'!<%9!"(B
+ 123.45.2.10 (hme1)
+$B$,30B&$N%$%s%?!<%U%'!<%9$H$7$^$9!#(B
+
+
+===================== $B$3$3$+$i(B ====================
+########## quickly deny malicious packets
+#
+block in quick from any to any with short
+block in log quick from any to any with ipopts
+===================== $B$3$3$^$G(B ====================
+
+$B$^$:$O$3$N%k!<%k$G!"IT@5$J%Q%1%C%H$r$O$M$^$9!#(Bblock $B$O(B block $B$9(B
+$B$k0UL#$G!"H?BP$KDL$9>l9g$O(B pass $B$H$J$j$^$9!#(B
+
+log $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$9$k%Q%1%C%H$N%m%0$r<h$k;X<($G(B
+$B$9!#%m%0$O(B /dev/ipl $B$H$$$&%G%P%$%9%U%!%$%k$+$i%"%/%;%9$G$-$^$9$,!"(B
+$B$3$N%G%P%$%9$O(B bounded buffer $B$J$N$G!"$"$kDxEY0J>e$N%m%0$O>C$($F(B
+$B$7$^$$$^$9!#(B
+
+/dev/ipl $B$NFbMF$rFI$_=P$9$K$O(B ipmon $B$H$$$&%W%m%0%i%`$r;H$$$^$9!#(B
+ipmon $B$O(B stdout, syslog, $B$b$7$/$ODL>o$N%U%!%$%k$K%m%0$r=PNO$7$^(B
+$B$9!#5/F0;~$K(B ipmon $B$rN)$A>e$2$k$J$i!"<!$N$h$&$J9T$r(B rc $B%U%!%$%k(B
+$B$K=q$/$H$h$$$G$7$g$&!#(B
+
+ipmon -n -o I ${IPMONLOG} < /dev/null > /dev/null 2>&1 &
+
+${IPMONLOG} $B$OE,Ev$J%U%!%$%kL>$KCV49$7$F$/$@$5$$!#(Bsyslog $B$K=PNO(B
+$B$9$k>l9g$O!"(B-s $B%*%W%7%g%s$rIU$1$^$9!#(Bsyslog $B$K=PNO$9$k>l9g!"(B
+local0.info $B$r5-O?$9$k$h$&$K(B syslog.conf $B$rJT=8$7$F$/$@$5$$!#(B
+$BNc$($P!"(B
+
+local0.info ifdef(`LOGHOST', /var/log/syslog, @loghost)
+
+
+quick $B$H$$$&$N$O!"$3$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$O0J9_$N%k!<%k$r(B
+$BD4$Y$:$K!"%"%/%7%g%s(B(block or pass)$B$K=>$o$;$k$H$$$&$b$N$G$9!#$?(B
+$B$@$7!"Nc30$,$"$j$^$9!#8e=R$7$^$9!#(B
+
+
+===================== $B$3$3$+$i(B ====================
+########## group setup
+#
+block in on hme1 all head 100
+block out on hme1 all head 150
+pass in quick on hme0 all
+pass out quick on hme0 all
+===================== $B$3$3$^$G(B ====================
+
+$B<!$K@)8f$r$+$1$k%$%s%?!<%U%'!<%9Kh$K%Q%1%C%H$KE,MQ$9$k%k!<%k$rJ,(B
+$BN`$7$^$9!#(Bhme0 $B$O(B LAN $BB&$N%$%s%?!<%U%'!<%9$J$N$G!"B(:B$K5v2D(B
+(pass quick)$B$7$F$$$^$9!#(B
+
+all $B$H$$$&$N$O!"(Bfrom any to any $B$N>JN,7A$G$9!#(B
+
+$B30It$H$N%$%s%?!<%U%'!<%9$G$"$k(B hme1 $B$O(B incoming $B$H(B outgoing $B$G!"(B
+$B$=$l$>$l(B group 100 $BHV$H(B 150 $BHV$KJ,N`$7$^$9!#(Bhead $B$H$$$&$N$O!"$3(B
+$B$N%k!<%k$K%^%C%A$7$?%Q%1%C%H$r<!$NHV9f$N%0%k!<%W$KJ,N`$9$k$H$$$&(B
+$B0UL#$G$9!#(B
+
+
+===================== $B$3$3$+$i(B ====================
+########## deny IP spoofing
+#
+block in log quick from 127.0.0.0/8 to any group 100
+block in log quick from 123.45.2.10/32 to any group 100
+block in log quick from 123.45.1.111/24 to any group 100
+#
+########## deny reserved addresses
+#
+block in log quick from 10.0.0.0/8 to any group 100
+block in log quick from 192.168.0.0/16 to any group 100
+block in log quick from 172.16.0.0/12 to any group 100
+#
+===================== $B$3$3$^$G(B ====================