4 * Copyright (C) 2002-2006 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
10 #include <sys/ioctl.h>
14 static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
15 static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.13 2006/12/12 16:13:01 darrenr Exp $";
19 extern struct frentry *ipfilter[2][2];
20 extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex;
21 extern struct ifnet *get_unit __P((char *, int));
22 extern void init_ifp __P((void));
23 extern ipnat_t *natparse __P((char *, int));
24 extern int fr_running;
25 extern hostmap_t **ipf_hm_maptable;
26 extern hostmap_t *ipf_hm_maplist;
28 ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert;
29 ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock;
30 ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ip_poolrw, ipf_frcache;
31 ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth, ipf_tokens;
32 int opts = OPT_DONOTHING;
35 int pfil_delayed_copy = 0;
36 int main __P((int, char *[]));
37 int loadrules __P((char *, int));
38 int kmemcpy __P((char *, long, int));
39 int kstrncpy __P((char *, long, int n));
40 void dumpnat __P((void));
41 void dumpstate __P((void));
42 void dumplookups __P((void));
43 void dumpgroups __P((void));
44 void drain_log __P((char *));
45 void fixv4sums __P((mb_t *, ip_t *));
47 #if defined(__NetBSD__) || defined(__OpenBSD__) || SOLARIS || \
48 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \
49 defined(__osf__) || defined(linux)
50 int ipftestioctl __P((int, ioctlcmd_t, ...));
51 int ipnattestioctl __P((int, ioctlcmd_t, ...));
52 int ipstatetestioctl __P((int, ioctlcmd_t, ...));
53 int ipauthtestioctl __P((int, ioctlcmd_t, ...));
54 int ipscantestioctl __P((int, ioctlcmd_t, ...));
55 int ipsynctestioctl __P((int, ioctlcmd_t, ...));
56 int ipooltestioctl __P((int, ioctlcmd_t, ...));
58 int ipftestioctl __P((dev_t, ioctlcmd_t, void *));
59 int ipnattestioctl __P((dev_t, ioctlcmd_t, void *));
60 int ipstatetestioctl __P((dev_t, ioctlcmd_t, void *));
61 int ipauthtestioctl __P((dev_t, ioctlcmd_t, void *));
62 int ipsynctestioctl __P((dev_t, ioctlcmd_t, void *));
63 int ipscantestioctl __P((dev_t, ioctlcmd_t, void *));
64 int ipooltestioctl __P((dev_t, ioctlcmd_t, void *));
67 static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ipftestioctl,
81 char *datain, *iface, *ifname, *logout;
82 int fd, i, dir, c, loaded, dump, hlen;
101 MUTEX_INIT(&ipf_rw, "ipf rw mutex");
102 MUTEX_INIT(&ipf_timeoutlock, "ipf timeout lock");
103 RWLOCK_INIT(&ipf_global, "ipf filter load/unload mutex");
104 RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock");
105 RWLOCK_INIT(&ipf_ipidfrag, "ipf IP NAT-Frag rwlock");
106 RWLOCK_INIT(&ipf_frcache, "ipf filter cache");
107 RWLOCK_INIT(&ipf_tokens, "ipf token rwlock");
110 if (fr_initialise() == -1)
114 while ((c = getopt(argc, argv, "6bCdDF:i:I:l:N:P:or:RS:T:vxX")) != -1)
121 fprintf(stderr, "IPv6 not supported\n");
138 if (strcasecmp(optarg, "pcap") == 0)
140 else if (strcasecmp(optarg, "etherfind") == 0)
142 else if (strcasecmp(optarg, "snoop") == 0)
144 else if (strcasecmp(optarg, "tcpdump") == 0)
146 else if (strcasecmp(optarg, "hex") == 0)
148 else if (strcasecmp(optarg, "text") == 0)
161 if (ipnat_parsefile(-1, ipnat_addrule, ipnattestioctl,
171 if (ippool_parsefile(-1, optarg, ipooltestioctl) == -1)
176 if (ipf_parsefile(-1, ipf_addrule, iocfunctions,
182 sip.s_addr = inet_addr(optarg);
185 opts |= OPT_NORESOLVE;
188 ipf_dotuning(-1, optarg, ipftestioctl);
199 (void)fprintf(stderr,"no rules loaded\n");
203 if (opts & OPT_SAVEOUT)
207 fd = (*r->r_open)(datain);
209 fd = (*r->r_open)("-");
214 ip = MTOD(m, ip_t *);
215 while ((i = (*r->r_readip)(MTOD(m, char *), sizeof(m->mb_buf),
216 &iface, &dir)) > 0) {
217 if ((iface == NULL) || (*iface == '\0'))
219 ifp = get_unit(iface, IP_V(ip));
221 ip->ip_off = ntohs(ip->ip_off);
222 ip->ip_len = ntohs(ip->ip_len);
223 if ((r->r_flags & R_DO_CKSUM) || docksum)
225 hlen = IP_HL(ip) << 2;
227 dir = !(sip.s_addr == ip->ip_src.s_addr);
231 hlen = sizeof(ip6_t);
233 /* ipfr_slowtimer(); */
236 i = fr_check(ip, hlen, ifp, dir, &m);
237 if ((opts & OPT_NAT) == 0)
241 (void)printf("preauth");
244 (void)printf("account");
247 (void)printf("auth");
250 (void)printf("block");
253 (void)printf("pass");
257 (void)printf("bad-packet");
259 (void)printf("nomatch");
262 (void)printf("block return-rst");
265 (void)printf("block return-icmp");
268 (void)printf("block return-icmp-as-dest");
271 (void)printf("recognised return %#x\n", i);
275 ip->ip_off = htons(ip->ip_off);
276 ip->ip_len = htons(ip->ip_len);
279 if (!(opts & OPT_BRIEF)) {
282 printf("--------------");
283 } else if ((opts & (OPT_BRIEF|OPT_NAT)) == (OPT_NAT|OPT_BRIEF))
285 if (dir && (ifp != NULL) && IP_V(ip) && (m != NULL))
286 #if defined(__sgi) && (IRIX < 60500)
287 (*ifp->if_output)(ifp, (void *)m, NULL);
290 (*ifp->if_output)(ifp, (void *)m, NULL, 0, 0);
292 (*ifp->if_output)(ifp, (void *)m, NULL, 0);
295 if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
298 if (iface != ifname) {
306 fprintf(stderr, "readip failed: %d\n", i);
309 if (logout != NULL) {
326 #if defined(__NetBSD__) || defined(__OpenBSD__) || SOLARIS || \
327 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) || \
328 defined(__osf__) || defined(linux)
329 int ipftestioctl(int dev, ioctlcmd_t cmd, ...)
336 data = va_arg(ap, caddr_t);
339 i = iplioctl(IPL_LOGIPF, cmd, data, FWRITE|FREAD);
340 if (opts & OPT_DEBUG)
341 fprintf(stderr, "iplioctl(IPF,%#x,%p) = %d\n",
342 (u_int)cmd, data, i);
351 int ipnattestioctl(int dev, ioctlcmd_t cmd, ...)
358 data = va_arg(ap, caddr_t);
361 i = iplioctl(IPL_LOGNAT, cmd, data, FWRITE|FREAD);
362 if (opts & OPT_DEBUG)
363 fprintf(stderr, "iplioctl(NAT,%#x,%p) = %d\n",
364 (u_int)cmd, data, i);
373 int ipstatetestioctl(int dev, ioctlcmd_t cmd, ...)
380 data = va_arg(ap, caddr_t);
383 i = iplioctl(IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
384 if ((opts & OPT_DEBUG) || (i != 0))
385 fprintf(stderr, "iplioctl(STATE,%#x,%p) = %d\n",
386 (u_int)cmd, data, i);
395 int ipauthtestioctl(int dev, ioctlcmd_t cmd, ...)
402 data = va_arg(ap, caddr_t);
405 i = iplioctl(IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
406 if ((opts & OPT_DEBUG) || (i != 0))
407 fprintf(stderr, "iplioctl(AUTH,%#x,%p) = %d\n",
408 (u_int)cmd, data, i);
417 int ipscantestioctl(int dev, ioctlcmd_t cmd, ...)
424 data = va_arg(ap, caddr_t);
427 i = iplioctl(IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
428 if ((opts & OPT_DEBUG) || (i != 0))
429 fprintf(stderr, "iplioctl(SCAN,%#x,%p) = %d\n",
430 (u_int)cmd, data, i);
439 int ipsynctestioctl(int dev, ioctlcmd_t cmd, ...)
446 data = va_arg(ap, caddr_t);
449 i = iplioctl(IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
450 if ((opts & OPT_DEBUG) || (i != 0))
451 fprintf(stderr, "iplioctl(SYNC,%#x,%p) = %d\n",
452 (u_int)cmd, data, i);
461 int ipooltestioctl(int dev, ioctlcmd_t cmd, ...)
468 data = va_arg(ap, caddr_t);
471 i = iplioctl(IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
472 if ((opts & OPT_DEBUG) || (i != 0))
473 fprintf(stderr, "iplioctl(POOL,%#x,%p) = %d\n",
474 (u_int)cmd, data, i);
482 int ipftestioctl(dev, cmd, data)
489 i = iplioctl(IPL_LOGIPF, cmd, data, FWRITE|FREAD);
490 if ((opts & OPT_DEBUG) || (i != 0))
491 fprintf(stderr, "iplioctl(IPF,%#x,%p) = %d\n", cmd, data, i);
500 int ipnattestioctl(dev, cmd, data)
507 i = iplioctl(IPL_LOGNAT, cmd, data, FWRITE|FREAD);
508 if ((opts & OPT_DEBUG) || (i != 0))
509 fprintf(stderr, "iplioctl(NAT,%#x,%p) = %d\n", cmd, data, i);
518 int ipstatetestioctl(dev, cmd, data)
525 i = iplioctl(IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
526 if ((opts & OPT_DEBUG) || (i != 0))
527 fprintf(stderr, "iplioctl(STATE,%#x,%p) = %d\n", cmd, data, i);
536 int ipauthtestioctl(dev, cmd, data)
543 i = iplioctl(IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
544 if ((opts & OPT_DEBUG) || (i != 0))
545 fprintf(stderr, "iplioctl(AUTH,%#x,%p) = %d\n", cmd, data, i);
554 int ipsynctestioctl(dev, cmd, data)
561 i = iplioctl(IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
562 if ((opts & OPT_DEBUG) || (i != 0))
563 fprintf(stderr, "iplioctl(SYNC,%#x,%p) = %d\n", cmd, data, i);
572 int ipscantestioctl(dev, cmd, data)
579 i = iplioctl(IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
580 if ((opts & OPT_DEBUG) || (i != 0))
581 fprintf(stderr, "iplioctl(SCAN,%#x,%p) = %d\n", cmd, data, i);
590 int ipooltestioctl(dev, cmd, data)
597 i = iplioctl(IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
598 if (opts & OPT_DEBUG)
599 fprintf(stderr, "iplioctl(POOL,%#x,%p) = %d\n", cmd, data, i);
609 int kmemcpy(addr, offset, size)
614 bcopy((char *)offset, addr, size);
619 int kstrncpy(buf, pos, n)
628 while ((n > 0) && (*buf++ = *ptr++))
635 * Display the built-up NAT table rules and mapping entries.
643 printf("List of active MAP/Redirect filters:\n");
644 for (ipn = nat_list; ipn != NULL; ipn = ipn->in_next)
645 printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
646 printf("\nList of active sessions:\n");
647 for (nat = nat_instances; nat; nat = nat->nat_next) {
648 printactivenat(nat, opts, 0, 0);
650 printaps(nat->nat_aps, opts);
653 printf("\nHostmap table:\n");
654 for (hm = ipf_hm_maplist; hm != NULL; hm = hm->hm_next)
660 * Display the built-up state table rules and mapping entries.
666 printf("List of active state sessions:\n");
667 for (ips = ips_list; ips != NULL; )
668 ips = printstate(ips, opts & (OPT_DEBUG|OPT_VERBOSE),
679 printf("List of configured pools\n");
680 for (i = 0; i < IPL_LOGSIZE; i++)
681 for (ipl = ip_pool_list[i]; ipl != NULL; ipl = ipl->ipo_next)
682 printpool(ipl, bcopywrap, NULL, opts);
684 printf("List of configured hash tables\n");
685 for (i = 0; i < IPL_LOGSIZE; i++)
686 for (iph = ipf_htables[i]; iph != NULL; iph = iph->iph_next)
687 printhash(iph, bcopywrap, NULL, opts);
697 printf("List of groups configured (set 0)\n");
698 for (i = 0; i < IPL_LOGSIZE; i++)
699 for (fg = ipfgroups[i][0]; fg != NULL; fg = fg->fg_next) {
700 printf("Dev.%d. Group %s Ref %d Flags %#x\n",
701 i, fg->fg_name, fg->fg_ref, fg->fg_flags);
702 for (fr = fg->fg_start; fr != NULL; fr = fr->fr_next) {
704 printf("%qu ",(unsigned long long)fr->fr_hits);
706 printf("%ld ", fr->fr_hits);
708 printfr(fr, ipftestioctl);
712 printf("List of groups configured (set 1)\n");
713 for (i = 0; i < IPL_LOGSIZE; i++)
714 for (fg = ipfgroups[i][1]; fg != NULL; fg = fg->fg_next) {
715 printf("Dev.%d. Group %s Ref %d Flags %#x\n",
716 i, fg->fg_name, fg->fg_ref, fg->fg_flags);
717 for (fr = fg->fg_start; fr != NULL; fr = fr->fr_next) {
719 printf("%qu ",(unsigned long long)fr->fr_hits);
721 printf("%ld ", fr->fr_hits);
723 printfr(fr, ipftestioctl);
729 void drain_log(filename)
732 char buffer[DEFAULT_IPFLOGSIZE];
738 fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, 0644);
740 perror("drain_log:open");
744 for (i = 0; i <= IPL_LOGMAX; i++)
746 bzero((char *)&iov, sizeof(iov));
747 iov.iov_base = buffer;
748 iov.iov_len = sizeof(buffer);
750 bzero((char *)&uio, sizeof(uio));
753 uio.uio_resid = iov.iov_len;
754 resid = uio.uio_resid;
756 if (ipflog_read(i, &uio) == 0) {
758 * If nothing was read, then break out.
760 if (uio.uio_resid == resid)
762 write(fd, buffer, resid - uio.uio_resid);
771 void fixv4sums(m, ip)
778 ip->ip_sum = ipf_cksum((u_short *)ip, IP_HL(ip) << 2);
780 csump = (u_char *)ip;
781 csump += IP_HL(ip) << 2;
787 csump += offsetof(tcphdr_t, th_sum);
791 csump += offsetof(udphdr_t, uh_sum);
795 csump += offsetof(icmphdr_t, icmp_cksum);
804 *(u_short *)csump = fr_cksum(m, ip, ip->ip_p, hdr, ip->ip_len);