4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
10 #include <sys/ioctl.h>
14 static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
15 static const char rcsid[] = "@(#)$Id$";
19 extern struct ipread pcap, iptext, iphex;
20 extern struct ifnet *get_unit(char *, int);
21 extern void init_ifp(void);
22 extern ipnat_t *natparse(char *, int);
23 extern hostmap_t **ipf_hm_maptable;
24 extern hostmap_t *ipf_hm_maplist;
26 ipfmutex_t ipl_mutex, ipf_auth_mx, ipf_rw, ipf_stinsert;
27 ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock;
28 ipfrwlock_t ipf_mutex, ipf_global, ipf_ipidfrag, ip_poolrw, ipf_frcache;
29 ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_authlk;
30 ipfrwlock_t ipf_tokens;
31 int opts = OPT_DONTOPEN;
34 int pfil_delayed_copy = 0;
35 int main(int, char *[]);
36 int loadrules(char *, int);
37 int kmemcpy(char *, long, int);
38 int kstrncpy(char *, long, int n);
41 void dumpgroups(ipf_main_softc_t *);
42 void dumprules(frentry_t *);
43 void drain_log(char *);
44 void fixv4sums(mb_t *, ip_t *);
46 int ipftestioctl(int, ioctlcmd_t, ...);
47 int ipnattestioctl(int, ioctlcmd_t, ...);
48 int ipstatetestioctl(int, ioctlcmd_t, ...);
49 int ipauthtestioctl(int, ioctlcmd_t, ...);
50 int ipscantestioctl(int, ioctlcmd_t, ...);
51 int ipsynctestioctl(int, ioctlcmd_t, ...);
52 int ipooltestioctl(int, ioctlcmd_t, ...);
54 static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ipftestioctl,
62 static ipf_main_softc_t *softc = NULL;
66 main(int argc, char *argv[])
68 char *datain, *iface, *ifname, *logout;
69 int fd, i, dir, c, loaded, dump, hlen;
92 softc = ipf_create_all(NULL);
96 if (ipf_init_all(softc) == -1)
100 if (ipftestioctl(IPL_LOGIPF, SIOCFRENB, &i) != 0)
103 while ((c = getopt(argc, argv, "6bCdDF:i:I:l:N:P:or:RS:T:vxX")) != -1)
110 fprintf(stderr, "IPv6 not supported\n");
127 if (strcasecmp(optarg, "pcap") == 0)
129 else if (strcasecmp(optarg, "hex") == 0)
131 else if (strcasecmp(optarg, "text") == 0)
144 if (ipnat_parsefile(-1, ipnat_addrule, ipnattestioctl,
154 if (ippool_parsefile(-1, optarg, ipooltestioctl) == -1)
159 if (ipf_parsefile(-1, ipf_addrule, iocfunctions,
165 sip.s_addr = inet_addr(optarg);
168 opts |= OPT_NORESOLVE;
171 ipf_dotuning(-1, optarg, ipftestioctl);
182 (void)fprintf(stderr,"no rules loaded\n");
186 if (opts & OPT_SAVEOUT)
190 fd = (*r->r_open)(datain);
192 fd = (*r->r_open)("-");
195 perror("error opening input");
199 m->m_data = (char *)m->mb_buf;
200 while ((i = (*r->r_readip)(m, &iface, &dir)) > 0) {
202 if ((iface == NULL) || (*iface == '\0'))
205 ip = MTOD(m, ip_t *);
206 ifp = get_unit(iface, IP_V(ip));
209 if ((r->r_flags & R_DO_CKSUM) || docksum)
211 hlen = IP_HL(ip) << 2;
213 dir = !(sip.s_addr == ip->ip_src.s_addr);
217 hlen = sizeof(ip6_t);
219 /* ipfr_slowtimer(); */
224 i = ipf_check(softc, ip, hlen, ifp, dir, &m);
225 if ((opts & OPT_NAT) == 0)
229 (void)printf("preauth");
232 (void)printf("account");
235 (void)printf("auth");
238 (void)printf("block");
241 (void)printf("pass");
245 (void)printf("bad-packet");
247 (void)printf("nomatch");
250 (void)printf("block return-rst");
253 (void)printf("block return-icmp");
256 (void)printf("block return-icmp-as-dest");
259 (void)printf("recognised return %#x\n", i);
263 if (!(opts & OPT_BRIEF)) {
268 printpacket(dir, &mb);
269 printf("--------------");
270 } else if ((opts & (OPT_BRIEF|OPT_NAT)) ==
271 (OPT_NAT|OPT_BRIEF)) {
275 PRINTF("%d\n", blockreason);
278 ipf_state_flush(softc, 1, 0);
280 if (dir && (ifp != NULL) && IP_V(ip) && (m != NULL))
281 (*ifp->if_output)(ifp, (void *)m, NULL, 0);
283 while ((m != NULL) && (m != &mb)) {
289 if ((opts & (OPT_BRIEF|OPT_NAT)) != (OPT_NAT|OPT_BRIEF))
292 if (iface != ifname) {
297 m->mb_data = (char *)m->mb_buf;
301 fprintf(stderr, "readip failed: %d\n", i);
304 if (logout != NULL) {
309 dumpnat(softc->ipf_nat_soft);
310 ipf_state_dump(softc, softc->ipf_state_soft);
311 ipf_lookup_dump(softc, softc->ipf_state_soft);
317 ipf_destroy_all(softc);
324 if (getenv("FINDLEAKS")) {
332 int ipftestioctl(int dev, ioctlcmd_t cmd, ...)
338 dev = dev; /* gcc -Wextra */
340 data = va_arg(ap, caddr_t);
343 i = ipfioctl(softc, IPL_LOGIPF, cmd, data, FWRITE|FREAD);
344 if (opts & OPT_DEBUG)
345 fprintf(stderr, "ipfioctl(IPF,%#x,%p) = %d (%d)\n",
346 (u_int)cmd, data, i, softc->ipf_interror);
356 ipnattestioctl(int dev, ioctlcmd_t cmd, ...)
362 dev = dev; /* gcc -Wextra */
364 data = va_arg(ap, caddr_t);
367 i = ipfioctl(softc, IPL_LOGNAT, cmd, data, FWRITE|FREAD);
368 if (opts & OPT_DEBUG)
369 fprintf(stderr, "ipfioctl(NAT,%#x,%p) = %d\n",
370 (u_int)cmd, data, i);
380 ipstatetestioctl(int dev, ioctlcmd_t cmd, ...)
386 dev = dev; /* gcc -Wextra */
388 data = va_arg(ap, caddr_t);
391 i = ipfioctl(softc, IPL_LOGSTATE, cmd, data, FWRITE|FREAD);
392 if ((opts & OPT_DEBUG) || (i != 0))
393 fprintf(stderr, "ipfioctl(STATE,%#x,%p) = %d\n",
394 (u_int)cmd, data, i);
404 ipauthtestioctl(int dev, ioctlcmd_t cmd, ...)
410 dev = dev; /* gcc -Wextra */
412 data = va_arg(ap, caddr_t);
415 i = ipfioctl(softc, IPL_LOGAUTH, cmd, data, FWRITE|FREAD);
416 if ((opts & OPT_DEBUG) || (i != 0))
417 fprintf(stderr, "ipfioctl(AUTH,%#x,%p) = %d\n",
418 (u_int)cmd, data, i);
428 ipscantestioctl(int dev, ioctlcmd_t cmd, ...)
434 dev = dev; /* gcc -Wextra */
436 data = va_arg(ap, caddr_t);
439 i = ipfioctl(softc, IPL_LOGSCAN, cmd, data, FWRITE|FREAD);
440 if ((opts & OPT_DEBUG) || (i != 0))
441 fprintf(stderr, "ipfioctl(SCAN,%#x,%p) = %d\n",
442 (u_int)cmd, data, i);
452 ipsynctestioctl(int dev, ioctlcmd_t cmd, ...)
458 dev = dev; /* gcc -Wextra */
460 data = va_arg(ap, caddr_t);
463 i = ipfioctl(softc, IPL_LOGSYNC, cmd, data, FWRITE|FREAD);
464 if ((opts & OPT_DEBUG) || (i != 0))
465 fprintf(stderr, "ipfioctl(SYNC,%#x,%p) = %d\n",
466 (u_int)cmd, data, i);
476 ipooltestioctl(int dev, ioctlcmd_t cmd, ...)
482 dev = dev; /* gcc -Wextra */
484 data = va_arg(ap, caddr_t);
487 i = ipfioctl(softc, IPL_LOGLOOKUP, cmd, data, FWRITE|FREAD);
488 if ((opts & OPT_DEBUG) || (i != 0))
489 fprintf(stderr, "ipfioctl(POOL,%#x,%p) = %d (%d)\n",
490 (u_int)cmd, data, i, softc->ipf_interror);
500 kmemcpy(char *addr, long offset, int size)
502 bcopy((char *)offset, addr, size);
508 kstrncpy(char *buf, long pos, int n)
514 while ((n > 0) && (*buf++ = *ptr++))
521 * Display the built up NAT table rules and mapping entries.
526 ipf_nat_softc_t *softn = arg;
531 printf("List of active MAP/Redirect filters:\n");
532 for (ipn = softn->ipf_nat_list; ipn != NULL; ipn = ipn->in_next)
533 printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE));
534 printf("\nList of active sessions:\n");
535 for (nat = softn->ipf_nat_instances; nat; nat = nat->nat_next) {
536 printactivenat(nat, opts, 0);
538 printf("\tproxy active\n");
541 printf("\nHostmap table:\n");
542 for (hm = softn->ipf_hm_maplist; hm != NULL; hm = hm->hm_next)
543 printhostmap(hm, hm->hm_hv);
548 dumpgroups(ipf_main_softc_t *softc)
553 printf("List of groups configured (set 0)\n");
554 for (i = 0; i < IPL_LOGSIZE; i++)
555 for (fg = softc->ipf_groups[i][0]; fg != NULL;
557 printf("Dev.%d. Group %s Ref %d Flags %#x\n",
558 i, fg->fg_name, fg->fg_ref, fg->fg_flags);
559 dumprules(fg->fg_start);
562 printf("List of groups configured (set 1)\n");
563 for (i = 0; i < IPL_LOGSIZE; i++)
564 for (fg = softc->ipf_groups[i][1]; fg != NULL;
566 printf("Dev.%d. Group %s Ref %d Flags %#x\n",
567 i, fg->fg_name, fg->fg_ref, fg->fg_flags);
568 dumprules(fg->fg_start);
571 printf("Rules configured (set 0, in)\n");
572 dumprules(softc->ipf_rules[0][0]);
573 printf("Rules configured (set 0, out)\n");
574 dumprules(softc->ipf_rules[1][0]);
575 printf("Rules configured (set 1, in)\n");
576 dumprules(softc->ipf_rules[0][1]);
577 printf("Rules configured (set 1, out)\n");
578 dumprules(softc->ipf_rules[1][1]);
580 printf("Accounting rules configured (set 0, in)\n");
581 dumprules(softc->ipf_acct[0][0]);
582 printf("Accounting rules configured (set 0, out)\n");
583 dumprules(softc->ipf_acct[0][1]);
584 printf("Accounting rules configured (set 1, in)\n");
585 dumprules(softc->ipf_acct[1][0]);
586 printf("Accounting rules configured (set 1, out)\n");
587 dumprules(softc->ipf_acct[1][1]);
591 dumprules(frentry_t *rulehead)
595 for (fr = rulehead; fr != NULL; fr = fr->fr_next) {
597 printf("%"PRIu64" ",(unsigned long long)fr->fr_hits);
599 printf("%ld ", fr->fr_hits);
601 printfr(fr, ipftestioctl);
607 drain_log(char *filename)
609 char buffer[DEFAULT_IPFLOGSIZE];
615 fd = open(filename, O_CREAT|O_TRUNC|O_WRONLY, 0644);
617 perror("drain_log:open");
621 for (i = 0; i <= IPL_LOGMAX; i++)
623 bzero((char *)&iov, sizeof(iov));
624 iov.iov_base = buffer;
625 iov.iov_len = sizeof(buffer);
627 bzero((char *)&uio, sizeof(uio));
630 uio.uio_resid = iov.iov_len;
631 resid = uio.uio_resid;
633 if (ipf_log_read(softc, i, &uio) == 0) {
635 * If nothing was read then break out.
637 if (uio.uio_resid == resid)
639 write(fd, buffer, resid - uio.uio_resid);
649 fixv4sums(mb_t *m, ip_t *ip)
651 u_char *csump, *hdr, p;
657 bzero((char *)&tmp, sizeof(tmp));
659 csump = (u_char *)ip;
662 ip->ip_sum = ipf_cksum((u_short *)ip, IP_HL(ip) << 2);
663 tmp.fin_hlen = IP_HL(ip) << 2;
664 csump += IP_HL(ip) << 2;
666 len = ntohs(ip->ip_len);
668 } else if (IP_V(ip) == 6) {
669 tmp.fin_hlen = sizeof(ip6_t);
670 csump += sizeof(ip6_t);
671 p = ((ip6_t *)ip)->ip6_nxt;
672 len = ntohs(((ip6_t *)ip)->ip6_plen);
673 len += sizeof(ip6_t);
677 tmp.fin_dlen = len - tmp.fin_hlen;
683 csump += offsetof(tcphdr_t, th_sum);
687 csump += offsetof(udphdr_t, uh_sum);
691 csump += offsetof(icmphdr_t, icmp_cksum);
705 *(u_short *)csump = fr_cksum(&tmp, ip, p, hdr);
710 ip_fillid(struct ip *ip)
712 static uint16_t ip_id;
projects / FreeBSD / FreeBSD.git / blob