10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * Copyright (C) 1993-2001 by Darren Reed.
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * See the IPFILTER.LICENCE file for details on licencing.
50Sstevel@tonic-gate *
6*8170SJohn.Ojemann@Sun.COM * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
70Sstevel@tonic-gate * Use is subject to license terms.
80Sstevel@tonic-gate */
90Sstevel@tonic-gate
100Sstevel@tonic-gate #ifdef __FreeBSD__
110Sstevel@tonic-gate # ifndef __FreeBSD_cc_version
120Sstevel@tonic-gate # include <osreldate.h>
130Sstevel@tonic-gate # else
140Sstevel@tonic-gate # if __FreeBSD_cc_version < 430000
150Sstevel@tonic-gate # include <osreldate.h>
160Sstevel@tonic-gate # endif
170Sstevel@tonic-gate # endif
180Sstevel@tonic-gate #endif
190Sstevel@tonic-gate #include "ipf.h"
200Sstevel@tonic-gate #include <fcntl.h>
210Sstevel@tonic-gate #include <sys/ioctl.h>
220Sstevel@tonic-gate #include "netinet/ipl.h"
230Sstevel@tonic-gate
240Sstevel@tonic-gate #if !defined(lint)
250Sstevel@tonic-gate static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
262393Syz155240 static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.3 2004/12/15 18:27:17 darrenr Exp $";
270Sstevel@tonic-gate #endif
280Sstevel@tonic-gate
290Sstevel@tonic-gate #if !defined(__SVR4) && defined(__GNUC__)
300Sstevel@tonic-gate extern char *index __P((const char *, int));
310Sstevel@tonic-gate #endif
320Sstevel@tonic-gate
330Sstevel@tonic-gate extern char *optarg;
340Sstevel@tonic-gate extern int optind;
350Sstevel@tonic-gate extern frentry_t *frtop;
360Sstevel@tonic-gate
370Sstevel@tonic-gate
382393Syz155240 void ipf_frsync __P((void));
390Sstevel@tonic-gate void zerostats __P((void));
400Sstevel@tonic-gate int main __P((int, char *[]));
410Sstevel@tonic-gate
420Sstevel@tonic-gate int opts = 0;
430Sstevel@tonic-gate int outputc = 0;
440Sstevel@tonic-gate int use_inet6 = 0;
450Sstevel@tonic-gate
460Sstevel@tonic-gate static void procfile __P((char *, char *)), flushfilter __P((char *));
470Sstevel@tonic-gate static void set_state __P((u_int)), showstats __P((friostat_t *));
480Sstevel@tonic-gate static void packetlogon __P((char *)), swapactive __P((void));
490Sstevel@tonic-gate static int opendevice __P((char *, int));
500Sstevel@tonic-gate static void closedevice __P((void));
510Sstevel@tonic-gate static char *ipfname = IPL_NAME;
520Sstevel@tonic-gate static void usage __P((void));
530Sstevel@tonic-gate static int showversion __P((void));
540Sstevel@tonic-gate static int get_flags __P((void));
550Sstevel@tonic-gate static void ipf_interceptadd __P((int, ioctlfunc_t, void *));
560Sstevel@tonic-gate
570Sstevel@tonic-gate static int fd = -1;
580Sstevel@tonic-gate static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ioctl, ioctl, ioctl,
590Sstevel@tonic-gate ioctl, ioctl, ioctl,
600Sstevel@tonic-gate ioctl, ioctl };
610Sstevel@tonic-gate
620Sstevel@tonic-gate
usage()630Sstevel@tonic-gate static void usage()
640Sstevel@tonic-gate {
652393Syz155240 fprintf(stderr, "usage: ipf [-6AdDEInoPrRsvVyzZ] %s %s %s\n",
662393Syz155240 "[-l block|pass|nomatch|state|nat]", "[-cc] [-F i|o|a|s|S|u]",
672393Syz155240 "[-f filename] [-T <tuneopts>]");
680Sstevel@tonic-gate exit(1);
690Sstevel@tonic-gate }
700Sstevel@tonic-gate
710Sstevel@tonic-gate
main(argc,argv)720Sstevel@tonic-gate int main(argc,argv)
730Sstevel@tonic-gate int argc;
740Sstevel@tonic-gate char *argv[];
750Sstevel@tonic-gate {
760Sstevel@tonic-gate int c;
770Sstevel@tonic-gate
780Sstevel@tonic-gate if (argc < 2)
790Sstevel@tonic-gate usage();
800Sstevel@tonic-gate
812393Syz155240 while ((c = getopt(argc, argv, "6Ac:dDEf:F:Il:noPrRsT:vVyzZ")) != -1) {
820Sstevel@tonic-gate switch (c)
830Sstevel@tonic-gate {
840Sstevel@tonic-gate case '?' :
850Sstevel@tonic-gate usage();
860Sstevel@tonic-gate break;
870Sstevel@tonic-gate #ifdef USE_INET6
880Sstevel@tonic-gate case '6' :
890Sstevel@tonic-gate use_inet6 = 1;
900Sstevel@tonic-gate break;
910Sstevel@tonic-gate #endif
920Sstevel@tonic-gate case 'A' :
930Sstevel@tonic-gate opts &= ~OPT_INACTIVE;
940Sstevel@tonic-gate break;
952393Syz155240 case 'c' :
962393Syz155240 if (strcmp(optarg, "c") == 0)
972393Syz155240 outputc = 1;
980Sstevel@tonic-gate break;
990Sstevel@tonic-gate case 'E' :
1000Sstevel@tonic-gate set_state((u_int)1);
1010Sstevel@tonic-gate break;
1020Sstevel@tonic-gate case 'D' :
1030Sstevel@tonic-gate set_state((u_int)0);
1040Sstevel@tonic-gate break;
1050Sstevel@tonic-gate case 'd' :
1060Sstevel@tonic-gate opts ^= OPT_DEBUG;
1070Sstevel@tonic-gate break;
1080Sstevel@tonic-gate case 'f' :
1090Sstevel@tonic-gate procfile(argv[0], optarg);
1100Sstevel@tonic-gate break;
1110Sstevel@tonic-gate case 'F' :
1120Sstevel@tonic-gate flushfilter(optarg);
1130Sstevel@tonic-gate break;
1140Sstevel@tonic-gate case 'I' :
1150Sstevel@tonic-gate opts ^= OPT_INACTIVE;
1160Sstevel@tonic-gate break;
1170Sstevel@tonic-gate case 'l' :
1180Sstevel@tonic-gate packetlogon(optarg);
1190Sstevel@tonic-gate break;
1200Sstevel@tonic-gate case 'n' :
1210Sstevel@tonic-gate opts ^= OPT_DONOTHING;
1220Sstevel@tonic-gate break;
1230Sstevel@tonic-gate case 'o' :
1240Sstevel@tonic-gate break;
1250Sstevel@tonic-gate case 'P' :
1260Sstevel@tonic-gate ipfname = IPAUTH_NAME;
1270Sstevel@tonic-gate break;
1282393Syz155240 case 'R' :
1292393Syz155240 opts ^= OPT_NORESOLVE;
1302393Syz155240 break;
1310Sstevel@tonic-gate case 'r' :
1320Sstevel@tonic-gate opts ^= OPT_REMOVE;
1330Sstevel@tonic-gate break;
1340Sstevel@tonic-gate case 's' :
1350Sstevel@tonic-gate swapactive();
1360Sstevel@tonic-gate break;
1370Sstevel@tonic-gate case 'T' :
1382393Syz155240 if (opendevice(ipfname, 1) >= 0)
1392393Syz155240 ipf_dotuning(fd, optarg, ioctl);
1400Sstevel@tonic-gate break;
1410Sstevel@tonic-gate case 'v' :
1420Sstevel@tonic-gate opts += OPT_VERBOSE;
1430Sstevel@tonic-gate break;
1440Sstevel@tonic-gate case 'V' :
1450Sstevel@tonic-gate if (showversion())
1460Sstevel@tonic-gate exit(1);
1470Sstevel@tonic-gate break;
1480Sstevel@tonic-gate case 'y' :
1492393Syz155240 ipf_frsync();
1500Sstevel@tonic-gate break;
1510Sstevel@tonic-gate case 'z' :
1520Sstevel@tonic-gate opts ^= OPT_ZERORULEST;
1530Sstevel@tonic-gate break;
1540Sstevel@tonic-gate case 'Z' :
1550Sstevel@tonic-gate zerostats();
1560Sstevel@tonic-gate break;
1570Sstevel@tonic-gate }
1580Sstevel@tonic-gate }
1590Sstevel@tonic-gate
1600Sstevel@tonic-gate if (optind < 2)
1610Sstevel@tonic-gate usage();
1620Sstevel@tonic-gate
1630Sstevel@tonic-gate if (fd != -1)
1640Sstevel@tonic-gate (void) close(fd);
1650Sstevel@tonic-gate
1660Sstevel@tonic-gate return(0);
1670Sstevel@tonic-gate /* NOTREACHED */
1680Sstevel@tonic-gate }
1690Sstevel@tonic-gate
1700Sstevel@tonic-gate
opendevice(ipfdev,check)1710Sstevel@tonic-gate static int opendevice(ipfdev, check)
1720Sstevel@tonic-gate char *ipfdev;
1730Sstevel@tonic-gate int check;
1740Sstevel@tonic-gate {
1750Sstevel@tonic-gate if (opts & OPT_DONOTHING)
1760Sstevel@tonic-gate return -2;
1770Sstevel@tonic-gate
1780Sstevel@tonic-gate if (check && checkrev(ipfname) == -1) {
1790Sstevel@tonic-gate fprintf(stderr, "User/kernel version check failed\n");
1800Sstevel@tonic-gate return -2;
1810Sstevel@tonic-gate }
1820Sstevel@tonic-gate
1830Sstevel@tonic-gate if (!ipfdev)
1840Sstevel@tonic-gate ipfdev = ipfname;
1850Sstevel@tonic-gate
1860Sstevel@tonic-gate if (fd == -1)
1870Sstevel@tonic-gate if ((fd = open(ipfdev, O_RDWR)) == -1)
1880Sstevel@tonic-gate if ((fd = open(ipfdev, O_RDONLY)) == -1)
1890Sstevel@tonic-gate perror("open device");
1900Sstevel@tonic-gate return fd;
1910Sstevel@tonic-gate }
1920Sstevel@tonic-gate
1930Sstevel@tonic-gate
closedevice()1940Sstevel@tonic-gate static void closedevice()
1950Sstevel@tonic-gate {
1960Sstevel@tonic-gate close(fd);
1970Sstevel@tonic-gate fd = -1;
1980Sstevel@tonic-gate }
1990Sstevel@tonic-gate
2000Sstevel@tonic-gate
get_flags()2010Sstevel@tonic-gate static int get_flags()
2020Sstevel@tonic-gate {
2030Sstevel@tonic-gate int i;
2040Sstevel@tonic-gate
2050Sstevel@tonic-gate if ((opendevice(ipfname, 1) != -2) &&
2060Sstevel@tonic-gate (ioctl(fd, SIOCGETFF, &i) == -1)) {
2070Sstevel@tonic-gate perror("SIOCGETFF");
2080Sstevel@tonic-gate return 0;
2090Sstevel@tonic-gate }
2100Sstevel@tonic-gate return i;
2110Sstevel@tonic-gate }
2120Sstevel@tonic-gate
2130Sstevel@tonic-gate
set_state(enable)2140Sstevel@tonic-gate static void set_state(enable)
2150Sstevel@tonic-gate u_int enable;
2160Sstevel@tonic-gate {
2170Sstevel@tonic-gate if (opendevice(ipfname, 0) != -2)
2180Sstevel@tonic-gate if (ioctl(fd, SIOCFRENB, &enable) == -1) {
2190Sstevel@tonic-gate if (errno == EBUSY)
2200Sstevel@tonic-gate fprintf(stderr,
2210Sstevel@tonic-gate "IP FIlter: already initialized\n");
2220Sstevel@tonic-gate else
2230Sstevel@tonic-gate perror("SIOCFRENB");
2240Sstevel@tonic-gate }
2250Sstevel@tonic-gate return;
2260Sstevel@tonic-gate }
2270Sstevel@tonic-gate
2280Sstevel@tonic-gate
procfile(name,file)2290Sstevel@tonic-gate static void procfile(name, file)
2300Sstevel@tonic-gate char *name, *file;
2310Sstevel@tonic-gate {
2320Sstevel@tonic-gate (void) opendevice(ipfname, 1);
2330Sstevel@tonic-gate
2340Sstevel@tonic-gate initparse();
2350Sstevel@tonic-gate
2360Sstevel@tonic-gate ipf_parsefile(fd, ipf_interceptadd, iocfunctions, file);
2370Sstevel@tonic-gate
2380Sstevel@tonic-gate if (outputc) {
2390Sstevel@tonic-gate printC(0);
2400Sstevel@tonic-gate printC(1);
2410Sstevel@tonic-gate emit(-1, -1, NULL, NULL);
2420Sstevel@tonic-gate }
2430Sstevel@tonic-gate }
2440Sstevel@tonic-gate
2450Sstevel@tonic-gate
ipf_interceptadd(fd,ioctlfunc,ptr)2460Sstevel@tonic-gate static void ipf_interceptadd(fd, ioctlfunc, ptr)
2470Sstevel@tonic-gate int fd;
2480Sstevel@tonic-gate ioctlfunc_t ioctlfunc;
2490Sstevel@tonic-gate void *ptr;
2500Sstevel@tonic-gate {
2510Sstevel@tonic-gate if (outputc)
2520Sstevel@tonic-gate printc(ptr);
2530Sstevel@tonic-gate
2540Sstevel@tonic-gate ipf_addrule(fd, ioctlfunc, ptr);
2550Sstevel@tonic-gate }
2560Sstevel@tonic-gate
2570Sstevel@tonic-gate
packetlogon(opt)2580Sstevel@tonic-gate static void packetlogon(opt)
2590Sstevel@tonic-gate char *opt;
2600Sstevel@tonic-gate {
2612393Syz155240 int flag, xfd, logopt, change = 0;
2620Sstevel@tonic-gate
2630Sstevel@tonic-gate flag = get_flags();
2640Sstevel@tonic-gate if (flag != 0) {
2650Sstevel@tonic-gate if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
2660Sstevel@tonic-gate printf("log flag is currently %#x\n", flag);
2670Sstevel@tonic-gate }
2680Sstevel@tonic-gate
2690Sstevel@tonic-gate flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK);
2700Sstevel@tonic-gate
2710Sstevel@tonic-gate if (strstr(opt, "pass")) {
2720Sstevel@tonic-gate flag |= FF_LOGPASS;
2730Sstevel@tonic-gate if (opts & OPT_VERBOSE)
2740Sstevel@tonic-gate printf("set log flag: pass\n");
2752393Syz155240 change = 1;
2760Sstevel@tonic-gate }
2770Sstevel@tonic-gate if (strstr(opt, "nomatch")) {
2780Sstevel@tonic-gate flag |= FF_LOGNOMATCH;
2790Sstevel@tonic-gate if (opts & OPT_VERBOSE)
2800Sstevel@tonic-gate printf("set log flag: nomatch\n");
2812393Syz155240 change = 1;
2820Sstevel@tonic-gate }
2830Sstevel@tonic-gate if (strstr(opt, "block") || index(opt, 'd')) {
2840Sstevel@tonic-gate flag |= FF_LOGBLOCK;
2850Sstevel@tonic-gate if (opts & OPT_VERBOSE)
2860Sstevel@tonic-gate printf("set log flag: block\n");
2872393Syz155240 change = 1;
2882393Syz155240 }
2892393Syz155240 if (strstr(opt, "none")) {
2902393Syz155240 if (opts & OPT_VERBOSE)
2912393Syz155240 printf("disable all log flags\n");
2922393Syz155240 change = 1;
2930Sstevel@tonic-gate }
2940Sstevel@tonic-gate
2952393Syz155240 if (change == 1) {
2962393Syz155240 if (opendevice(ipfname, 1) != -2 &&
2972393Syz155240 (ioctl(fd, SIOCSETFF, &flag) != 0))
2982393Syz155240 perror("ioctl(SIOCSETFF)");
2992393Syz155240 }
3000Sstevel@tonic-gate
3010Sstevel@tonic-gate if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
3020Sstevel@tonic-gate flag = get_flags();
3032393Syz155240 printf("log flags are now %#x\n", flag);
3040Sstevel@tonic-gate }
3050Sstevel@tonic-gate
3060Sstevel@tonic-gate if (strstr(opt, "state")) {
3070Sstevel@tonic-gate if (opts & OPT_VERBOSE)
3080Sstevel@tonic-gate printf("set state log flag\n");
3090Sstevel@tonic-gate xfd = open(IPSTATE_NAME, O_RDWR);
3100Sstevel@tonic-gate if (xfd >= 0) {
3110Sstevel@tonic-gate logopt = 0;
3120Sstevel@tonic-gate if (ioctl(xfd, SIOCGETLG, &logopt))
3130Sstevel@tonic-gate perror("ioctl(SIOCGETLG)");
3140Sstevel@tonic-gate else {
3150Sstevel@tonic-gate logopt = 1 - logopt;
3160Sstevel@tonic-gate if (ioctl(xfd, SIOCSETLG, &logopt))
3170Sstevel@tonic-gate perror("ioctl(SIOCSETLG)");
3180Sstevel@tonic-gate }
3190Sstevel@tonic-gate close(xfd);
3200Sstevel@tonic-gate }
3210Sstevel@tonic-gate }
3220Sstevel@tonic-gate
3230Sstevel@tonic-gate if (strstr(opt, "nat")) {
3240Sstevel@tonic-gate if (opts & OPT_VERBOSE)
3250Sstevel@tonic-gate printf("set nat log flag\n");
3260Sstevel@tonic-gate xfd = open(IPNAT_NAME, O_RDWR);
3270Sstevel@tonic-gate if (xfd >= 0) {
3280Sstevel@tonic-gate logopt = 0;
3290Sstevel@tonic-gate if (ioctl(xfd, SIOCGETLG, &logopt))
3300Sstevel@tonic-gate perror("ioctl(SIOCGETLG)");
3310Sstevel@tonic-gate else {
3320Sstevel@tonic-gate logopt = 1 - logopt;
3330Sstevel@tonic-gate if (ioctl(xfd, SIOCSETLG, &logopt))
3340Sstevel@tonic-gate perror("ioctl(SIOCSETLG)");
3350Sstevel@tonic-gate }
3360Sstevel@tonic-gate close(xfd);
3370Sstevel@tonic-gate }
3380Sstevel@tonic-gate }
3390Sstevel@tonic-gate }
3400Sstevel@tonic-gate
3410Sstevel@tonic-gate
flushfilter(arg)3420Sstevel@tonic-gate static void flushfilter(arg)
3430Sstevel@tonic-gate char *arg;
3440Sstevel@tonic-gate {
3450Sstevel@tonic-gate int fl = 0, rem;
3460Sstevel@tonic-gate
3470Sstevel@tonic-gate if (!arg || !*arg)
3480Sstevel@tonic-gate return;
3490Sstevel@tonic-gate if (!strcmp(arg, "s") || !strcmp(arg, "S")) {
3500Sstevel@tonic-gate if (*arg == 'S')
351*8170SJohn.Ojemann@Sun.COM fl = FLUSH_TABLE_ALL;
3520Sstevel@tonic-gate else
353*8170SJohn.Ojemann@Sun.COM fl = FLUSH_TABLE_CLOSING;
3540Sstevel@tonic-gate rem = fl;
3550Sstevel@tonic-gate
3560Sstevel@tonic-gate closedevice();
3572393Syz155240 if (opendevice(IPSTATE_NAME, 1) == -2)
3582393Syz155240 exit(1);
359637Sml37995
3602393Syz155240 if (!(opts & OPT_DONOTHING)) {
361637Sml37995 if (use_inet6) {
3622393Syz155240 if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
3632393Syz155240 perror("ioctl(SIOCIPFL6)");
3642393Syz155240 exit(1);
3652393Syz155240 }
366637Sml37995 } else {
3672393Syz155240 if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
3682393Syz155240 perror("ioctl(SIOCIPFFL)");
3692393Syz155240 exit(1);
3702393Syz155240 }
371637Sml37995 }
372637Sml37995 }
3730Sstevel@tonic-gate if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
3740Sstevel@tonic-gate printf("remove flags %s (%d)\n", arg, rem);
3750Sstevel@tonic-gate printf("removed %d filter rules\n", fl);
3760Sstevel@tonic-gate }
3770Sstevel@tonic-gate closedevice();
3780Sstevel@tonic-gate return;
3790Sstevel@tonic-gate }
3800Sstevel@tonic-gate
3810Sstevel@tonic-gate #ifdef SIOCIPFFA
3820Sstevel@tonic-gate if (!strcmp(arg, "u")) {
3830Sstevel@tonic-gate closedevice();
3840Sstevel@tonic-gate /*
3850Sstevel@tonic-gate * Flush auth rules and packets
3860Sstevel@tonic-gate */
3870Sstevel@tonic-gate if (opendevice(IPL_AUTH, 1) == -1)
3880Sstevel@tonic-gate perror("open(IPL_AUTH)");
3890Sstevel@tonic-gate else {
3900Sstevel@tonic-gate if (ioctl(fd, SIOCIPFFA, &fl) == -1)
3910Sstevel@tonic-gate perror("ioctl(SIOCIPFFA)");
3920Sstevel@tonic-gate }
3930Sstevel@tonic-gate closedevice();
3940Sstevel@tonic-gate return;
3950Sstevel@tonic-gate }
3960Sstevel@tonic-gate #endif
3970Sstevel@tonic-gate
3980Sstevel@tonic-gate if (strchr(arg, 'i') || strchr(arg, 'I'))
3990Sstevel@tonic-gate fl = FR_INQUE;
4000Sstevel@tonic-gate if (strchr(arg, 'o') || strchr(arg, 'O'))
4010Sstevel@tonic-gate fl = FR_OUTQUE;
4020Sstevel@tonic-gate if (strchr(arg, 'a') || strchr(arg, 'A'))
4030Sstevel@tonic-gate fl = FR_OUTQUE|FR_INQUE;
4040Sstevel@tonic-gate if (opts & OPT_INACTIVE)
4050Sstevel@tonic-gate fl |= FR_INACTIVE;
4060Sstevel@tonic-gate rem = fl;
4070Sstevel@tonic-gate
4082393Syz155240 if (opendevice(ipfname, 1) == -2)
4092393Syz155240 exit(1);
4102393Syz155240
4112393Syz155240 if (!(opts & OPT_DONOTHING)) {
412637Sml37995 if (use_inet6) {
4132393Syz155240 if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
4142393Syz155240 perror("ioctl(SIOCIPFL6)");
4152393Syz155240 exit(1);
4162393Syz155240 }
417637Sml37995 } else {
4182393Syz155240 if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
4192393Syz155240 perror("ioctl(SIOCIPFFL)");
4202393Syz155240 exit(1);
4212393Syz155240 }
422637Sml37995 }
423637Sml37995 }
424637Sml37995
4250Sstevel@tonic-gate if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
4260Sstevel@tonic-gate printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
4270Sstevel@tonic-gate (rem & FR_OUTQUE) ? "O" : "", rem);
4280Sstevel@tonic-gate printf("removed %d filter rules\n", fl);
4290Sstevel@tonic-gate }
4300Sstevel@tonic-gate return;
4310Sstevel@tonic-gate }
4320Sstevel@tonic-gate
4330Sstevel@tonic-gate
swapactive()4340Sstevel@tonic-gate static void swapactive()
4350Sstevel@tonic-gate {
4360Sstevel@tonic-gate int in = 2;
4370Sstevel@tonic-gate
4380Sstevel@tonic-gate if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCSWAPA, &in) == -1)
4390Sstevel@tonic-gate perror("ioctl(SIOCSWAPA)");
4400Sstevel@tonic-gate else
4410Sstevel@tonic-gate printf("Set %d now inactive\n", in);
4420Sstevel@tonic-gate }
4430Sstevel@tonic-gate
4440Sstevel@tonic-gate
ipf_frsync()4452393Syz155240 void ipf_frsync()
4460Sstevel@tonic-gate {
4470Sstevel@tonic-gate int frsyn = 0;
4480Sstevel@tonic-gate
4490Sstevel@tonic-gate if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1)
4500Sstevel@tonic-gate perror("SIOCFRSYN");
4510Sstevel@tonic-gate else
4520Sstevel@tonic-gate printf("filter sync'd\n");
4530Sstevel@tonic-gate }
4540Sstevel@tonic-gate
4550Sstevel@tonic-gate
zerostats()4560Sstevel@tonic-gate void zerostats()
4570Sstevel@tonic-gate {
4580Sstevel@tonic-gate friostat_t fio;
4590Sstevel@tonic-gate friostat_t *fiop = &fio;
4600Sstevel@tonic-gate
4610Sstevel@tonic-gate if (opendevice(ipfname, 1) != -2) {
4620Sstevel@tonic-gate if (ioctl(fd, SIOCFRZST, &fiop) == -1) {
4630Sstevel@tonic-gate perror("ioctl(SIOCFRZST)");
4640Sstevel@tonic-gate exit(-1);
4650Sstevel@tonic-gate }
4660Sstevel@tonic-gate showstats(fiop);
4670Sstevel@tonic-gate }
4680Sstevel@tonic-gate
4690Sstevel@tonic-gate }
4700Sstevel@tonic-gate
4710Sstevel@tonic-gate
4720Sstevel@tonic-gate /*
4730Sstevel@tonic-gate * read the kernel stats for packets blocked and passed
4740Sstevel@tonic-gate */
showstats(fp)4750Sstevel@tonic-gate static void showstats(fp)
4760Sstevel@tonic-gate friostat_t *fp;
4770Sstevel@tonic-gate {
4780Sstevel@tonic-gate printf("bad packets:\t\tin %lu\tout %lu\n",
4790Sstevel@tonic-gate fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
4800Sstevel@tonic-gate printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
4810Sstevel@tonic-gate fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
4820Sstevel@tonic-gate fp->f_st[0].fr_nom);
4830Sstevel@tonic-gate printf(" counted %lu\n", fp->f_st[0].fr_acct);
4840Sstevel@tonic-gate printf("output packets:\t\tblocked %lu passed %lu nomatch %lu",
4850Sstevel@tonic-gate fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
4860Sstevel@tonic-gate fp->f_st[1].fr_nom);
4870Sstevel@tonic-gate printf(" counted %lu\n", fp->f_st[0].fr_acct);
4880Sstevel@tonic-gate printf(" input packets logged:\tblocked %lu passed %lu\n",
4890Sstevel@tonic-gate fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
4900Sstevel@tonic-gate printf("output packets logged:\tblocked %lu passed %lu\n",
4910Sstevel@tonic-gate fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
4920Sstevel@tonic-gate printf(" packets logged:\tinput %lu-%lu output %lu-%lu\n",
4930Sstevel@tonic-gate fp->f_st[0].fr_pkl, fp->f_st[0].fr_skip,
4940Sstevel@tonic-gate fp->f_st[1].fr_pkl, fp->f_st[1].fr_skip);
4950Sstevel@tonic-gate }
4960Sstevel@tonic-gate
4970Sstevel@tonic-gate
showversion()4980Sstevel@tonic-gate static int showversion()
4990Sstevel@tonic-gate {
5000Sstevel@tonic-gate struct friostat fio;
5010Sstevel@tonic-gate ipfobj_t ipfo;
5020Sstevel@tonic-gate u_32_t flags;
5030Sstevel@tonic-gate char *s;
5040Sstevel@tonic-gate int vfd;
5050Sstevel@tonic-gate
5060Sstevel@tonic-gate bzero((caddr_t)&ipfo, sizeof(ipfo));
5070Sstevel@tonic-gate ipfo.ipfo_rev = IPFILTER_VERSION;
5080Sstevel@tonic-gate ipfo.ipfo_size = sizeof(fio);
5090Sstevel@tonic-gate ipfo.ipfo_ptr = (void *)&fio;
5100Sstevel@tonic-gate ipfo.ipfo_type = IPFOBJ_IPFSTAT;
5110Sstevel@tonic-gate
5120Sstevel@tonic-gate printf("ipf: %s (%d)\n", IPL_VERSION, (int)sizeof(frentry_t));
5130Sstevel@tonic-gate
5140Sstevel@tonic-gate if ((vfd = open(ipfname, O_RDONLY)) == -1) {
5150Sstevel@tonic-gate perror("open device");
5160Sstevel@tonic-gate return 1;
5170Sstevel@tonic-gate }
5180Sstevel@tonic-gate
5190Sstevel@tonic-gate if (ioctl(vfd, SIOCGETFS, &ipfo)) {
5200Sstevel@tonic-gate perror("ioctl(SIOCGETFS)");
5210Sstevel@tonic-gate close(vfd);
5220Sstevel@tonic-gate return 1;
5230Sstevel@tonic-gate }
5240Sstevel@tonic-gate close(vfd);
5250Sstevel@tonic-gate flags = get_flags();
5260Sstevel@tonic-gate
5270Sstevel@tonic-gate printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version),
5280Sstevel@tonic-gate (int)sizeof(fio.f_version), fio.f_version);
5290Sstevel@tonic-gate printf("Running: %s\n", (fio.f_running > 0) ? "yes" : "no");
5300Sstevel@tonic-gate printf("Log Flags: %#x = ", flags);
5310Sstevel@tonic-gate s = "";
5320Sstevel@tonic-gate if (flags & FF_LOGPASS) {
5330Sstevel@tonic-gate printf("pass");
5340Sstevel@tonic-gate s = ", ";
5350Sstevel@tonic-gate }
5360Sstevel@tonic-gate if (flags & FF_LOGBLOCK) {
5370Sstevel@tonic-gate printf("%sblock", s);
5380Sstevel@tonic-gate s = ", ";
5390Sstevel@tonic-gate }
5400Sstevel@tonic-gate if (flags & FF_LOGNOMATCH) {
5410Sstevel@tonic-gate printf("%snomatch", s);
5420Sstevel@tonic-gate s = ", ";
5430Sstevel@tonic-gate }
5440Sstevel@tonic-gate if (flags & FF_BLOCKNONIP) {
5450Sstevel@tonic-gate printf("%snonip", s);
5460Sstevel@tonic-gate s = ", ";
5470Sstevel@tonic-gate }
5480Sstevel@tonic-gate if (!*s)
5490Sstevel@tonic-gate printf("none set");
5500Sstevel@tonic-gate putchar('\n');
5510Sstevel@tonic-gate
5520Sstevel@tonic-gate printf("Default: ");
5530Sstevel@tonic-gate if (FR_ISPASS(fio.f_defpass))
5540Sstevel@tonic-gate s = "pass";
5550Sstevel@tonic-gate else if (FR_ISBLOCK(fio.f_defpass))
5560Sstevel@tonic-gate s = "block";
5570Sstevel@tonic-gate else
5580Sstevel@tonic-gate s = "nomatch -> block";
5590Sstevel@tonic-gate printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un");
5600Sstevel@tonic-gate printf("Active list: %d\n", fio.f_active);
5612393Syz155240 printf("Feature mask: %#x\n", fio.f_features);
5620Sstevel@tonic-gate
5630Sstevel@tonic-gate return 0;
5640Sstevel@tonic-gate }
565