path: root/contrib/ipfilter/tools
Commit message | Author | Age | Files | Lines
* ipfilter: Remove remaining unused bits | Cy Schubert | 2021-12-20 | 7 | -1473/+0
  Remove the remaining unused source files. These were never used. This is the last of a three commit series to move ipfilter.
  Discussed with: glebius
  Reviewed by: glebius, kp (for #network)
  MFC after: 1 month
  Differential Revision: https://reviews.freebsd.org/D33510
* ipfilter: Move userland bits to sbin | Cy Schubert | 2021-12-20 | 15 | -17540/+0
  Through fixes and improvements our ipfilter sources have diverged enough to warrant move from contrib into sbin/ipf. Now that I'm planning on implementing MSS clamping as in iptables it makes more sense to move ipfilter to sbin. This is the second of three commits of the ipfilter move.
  Suggested by glebius on two occasions.
  Suggested by and discussed with: glebius
  Reviewed by: glebius, kp (for #network)
  MFC after: 1 month
  Differential Revision: https://reviews.freebsd.org/D33510
* ipfilter userland: Replace sprintf with range checking version (snprintf) | Cy Schubert | 2021-12-14 | 8 | -99/+104
  MFC after: 1 week
* ippool: remove set-but-not-unused vars | Cy Schubert | 2021-12-11 | 1 | -14/+2
  Display of stats from a kernel core dump was never fully implemented. Remove the dangling vars and remove the documentation.
  MFC after: 3 days
* ipfcomp: remove set-but-not-unused vars | Cy Schubert | 2021-12-11 | 1 | -2/+0
  MFC after: 3 days
* Simplify BSD macro tests. | Cy Schubert | 2021-02-06 | 2 | -2/+2
  All FreeBSD and NetBSD are BSD >= 199306 and have been for a long time.
  MFC after: 1 week
* Replace the redundant MENTAT macro with SOLARIS. | Cy Schubert | 2021-02-02 | 1 | -2/+2
  MENTAT and SOLARIS are synonymous. Remove the extraneous duplicate macro.
  MFC after: 1 week
* Retire the K&R/STD C __P prototype declarations. | Cy Schubert | 2021-02-02 | 18 | -260/+260
  In the old days when K&R C and STD C were each in use a workaround (read hack) was required to allow the same code to work on each without modification. All C compilers support STD C. We can finally put the __P prototype to rest.
  MFC after: 1 week
* -4 and -6 only make sense with -i, -o, and -t. | Cy Schubert | 2020-07-17 | 1 | -0/+9
  PR: 247952
  MFC after: 1 week
  Notes: svn path=/head/; revision=363283
* The output from usage() need not contain usage for -t when STATETOP | Cy Schubert | 2020-07-17 | 1 | -0/+2
  is not compiled in.
  PR: 247952
  MFC after: 1 week
  Notes: svn path=/head/; revision=363282
* Make ipfstat -t header generic when IPv4 and IPv6 output are | Cy Schubert | 2020-07-17 | 1 | -0/+3
  displayed in the same display.
  PR: 247952
  MFC after: 1 week
  Notes: svn path=/head/; revision=363281
* ipfstat -t defaults to IPv4 output. Make consistent with ipfstat -i | Cy Schubert | 2020-07-17 | 1 | -3/+3
  and ipfstat -o where without an argument IPv4 and IPv6 states are shown. Use -4 and -6 to limit the display to IPv4 or IPv6 respectively.
  PR: 247952
  MFC after: 1 week
  Notes: svn path=/head/; revision=363280
* Historically ipfstat listings and stats only listed IPv4 or IPv6 output. | Cy Schubert | 2020-07-17 | 1 | -16/+35
  ipfstat would list IPv4 outputs by default while -6 would produce IPv6 outputs. This commit combines the ipfstat -i and -o outputs into one listing of IPv4 and IPv6 rules. The -4 option lists only IPv4 rules (as the default before) while -6 continues to list only rules that affect IPv6.
  PR: 247952
  Reported by: joeb1@a1poweruser.com
  MFC after: 1 week
  Notes: svn path=/head/; revision=363279
* fr_family (the protocol family) must be AF_INET or AF_INET6, as in | Cy Schubert | 2020-07-17 | 1 | -2/+2
  the kernel, not an arbitrary 4 or 6. This only affected printing ipfilter stats and rules from a kernel dump. (This is currently undocumented.)
  PR: 247952
  MFC after: 1 week
  Notes: svn path=/head/; revision=363278
* Only use the use_inet6 variable when INET6 is a build option. | Cy Schubert | 2020-07-17 | 1 | -2/+12
  This is a prerequisite to upcoming argument processing cleanups which will resolve consistency as was done with ippool previously.
  PR: 247952
  MFC after: 1 week
  Notes: svn path=/head/; revision=363277
* ipfilter: remove duplicate definition of 'thishost' | Kyle Evans | 2020-03-29 | 1 | -1/+0
  thishost is already defined in lib/initparse.c; no need for this one. This fixes the ipfilter build with -fno-common. -fno-common will become the default in GCC10/LLVM11.
  MFC after: 3 days
  Notes: svn path=/head/; revision=359413
* As with ipf(8), give ippool(8) the ability to load IP pools from multiple | Cy Schubert | 2020-02-18 | 1 | -1/+5
  files. This allows for loading, during the same invocation of ippool, of multiple sources of input using multiple tools to concurrently maintain the files such as fail2ban, macro preprocessors, and manually.
  MFC after: 1 week
  Notes: svn path=/head/; revision=358064
* Implement the dynamic add (-A) and removal (-R) of ippool pools | Cy Schubert | 2019-09-27 | 1 | -7/+26
  from the command line. Prior to this the functionality was mostly there however since the pool type (-t) was not recognized by the -A and -R command options -- not recognized by getopt(). Additionally the code to implement the dynamic add and removal of pools didn't work.
  When dynamically adding (-A) a pool a type (-t) to specify if the pool is a tree or hash pool must be specified. When dynamically removing (-R) a pool, omitting -t will cause a search-and-destroy which will remove both types of pools matching the name given (-m).
  PR: 218433
  MFC after: 1 week
  Notes: svn path=/head/; revision=352786
* The no resolve (OPT_NORESOLVE) does nothing. Additionally, it (-R) | Cy Schubert | 2019-09-27 | 1 | -12/+3
  conflicts with the command option of the same name (also -R). Remove the superfluous and confusing non-global non-command -R option.
  PR: 218433
  MFC after: 1 week
  Notes: svn path=/head/; revision=352785
* Teach the ippool parser about address families. This is a precursor | Cy Schubert | 2019-09-26 | 1 | -0/+16
  to implementing IPv6 support within ippool which requires reworking radix_ipf.c.
  MFC after: 1 month
  Notes: svn path=/head/; revision=352738
* Return a return code scripts might expect. I missed this while | Cy Schubert | 2019-06-27 | 1 | -1/+1
  reviewing and rewriting a patch in PR/238816.
  PR: 238816
  Reported by: rgrimes@
  Pointy hat to: cy@
  MFC after: 1 week
  X-MFC with: r349450
  Notes: svn path=/head/; revision=349451
* Update usage() to reflect the current state of ipmon. | Cy Schubert | 2019-06-27 | 1 | -2/+5
  PR: 238816
  MFC after: 1 week
  Notes: svn path=/head/; revision=349450
* ipfilter #ifdef cleanup. | Cy Schubert | 2019-02-03 | 9 | -289/+8
  Remove #ifdefs for ancient and irrelevant operating systems from ipfilter.
  When ipfilter was written the UNIX and UNIX-like systems in use were diverse and plentiful. IRIX, Tru64 (OSF/1) don't exist any more. OpenBSD removed ipfilter shortly after the first time the ipfilter license terms changed in the early 2000's. ipfilter on AIX, HP/UX, and Linux never really caught on. Removal of code for operating systems that ipfilter will never run on again will simplify the code making it easier to fix bugs, complete partially implemented features, and extend ipfilter.
  Unsupported previous version FreeBSD code and some older NetBSD code has also been removed.
  What remains is supported FreeBSD, NetBSD, and illumos. FreeBSD and NetBSD have collaborated exchanging patches, while illumos has expressed willingness to have their ipfilter updated to 5.1.2, provided their zone-specific updates to their ipfilter are merged (which are of interest to FreeBSD to allow control of ipfilters in jails from the global zone).
  Reviewed by: glebius@
  MFC after: 1 month
  Differential Revision: https://reviews.freebsd.org/D19006
  Notes: svn path=/head/; revision=343701
* loadpoolfile() implements a -R (NORESOLVE) option which is not listed | Cy Schubert | 2017-08-05 | 1 | -1/+1
  in usage(). This commit trues up usage() with loadpoolfile().
  Notes: svn path=/head/; revision=322075
* Document supported poollist() (ippool -l) options in usage() and in | Cy Schubert | 2017-07-05 | 1 | -1/+1
  ippool.8 man page.
  Notes: svn path=/head/; revision=320664
* In poolnodecommand() (ippool -a and ippool -r) -m (pool name) is not | Cy Schubert | 2017-06-28 | 1 | -1/+1
  optional.
  Notes: svn path=/head/; revision=320428
* Replace AF_INET6 ifdefs with USE_INET6 to be consistent with the rest | Cy Schubert | 2017-06-27 | 1 | -2/+2
  of the ipfilter source tree.
  Notes: svn path=/head/; revision=320395
* Replace AF_INET6 ifdefs with USE_INET6 ifdefs. This is more consistent | Cy Schubert | 2017-06-23 | 1 | -1/+1
  and guaranteed to build everywhere in ipfilter. Not all of this commit can be MFCed. Some is original code while others are not.
  Notes: svn path=/head/; revision=320257
* In poolnodcommand(): TTL (-T) is only valid when adding a node to a | Cy Schubert | 2017-06-22 | 1 | -4/+8
  pool (ippool -a) not when removing a node from a pool (ippool -r). Flag -T as an error in ippool -r.
  Notes: svn path=/head/; revision=320232
* poolflush() has no positional arguments. | Cy Schubert | 2017-06-22 | 1 | -1/+1
  Notes: svn path=/head/; revision=320221
* Fix -S handling within poolcommand(). Specifying a seed (-S) is only | Cy Schubert | 2017-06-21 | 1 | -1/+4
  valid when adding a pool (ippool -A), not when removing a pool (ippool -R). It is a command line syntax error if specifying a seed (-S) is specified when removing a pool (-R).
  Notes: svn path=/head/; revision=320187
* Flag poolnodecommand() (ippool -a and ippool -r) command line syntax | Cy Schubert | 2017-06-20 | 1 | -0/+6
  errors.
  Notes: svn path=/head/; revision=320143
* poolcommand() (ippool -A and ippool -R) seed takes an argument. | Cy Schubert | 2017-06-19 | 1 | -1/+1
  Notes: svn path=/head/; revision=320120
* Flag poolcommand() (ippool -A and ippool -R) command line syntax errors. | Cy Schubert | 2017-06-19 | 1 | -0/+6
  Notes: svn path=/head/; revision=320095
* Chase r319848: remove -v option from getopt() call. | Cy Schubert | 2017-06-14 | 1 | -1/+1
  Notes: svn path=/head/; revision=319930
* -n (do nothing) is not a command option. | Cy Schubert | 2017-06-14 | 1 | -4/+1
  Notes: svn path=/head/; revision=319929
* -v (verbose) is not a command option. (See ippool.1 for a definition | Cy Schubert | 2017-06-12 | 1 | -3/+0
  of command options).
  Notes: svn path=/head/; revision=319848
* Flag loadpoolfile() (ippool -f) command line syntax errors. | Cy Schubert | 2017-06-11 | 1 | -0/+6
  Notes: svn path=/head/; revision=319822
* Identify poolstats() (ippool -s) command line syntax errors. | Cy Schubert | 2017-06-11 | 1 | -0/+6
  Notes: svn path=/head/; revision=319821
* Identify command line syntax errors in poolflush() (ippool -F). | Cy Schubert | 2017-06-11 | 1 | -0/+6
  Notes: svn path=/head/; revision=319820
* Remove redundant assignment of infile from optarg in loadpoolfile() | Cy Schubert | 2017-06-10 | 1 | -2/+0
  which was previously assigned from optarg in the argument list from main().
  Notes: svn path=/head/; revision=319810
* Disable the -O (output fields) option in poollist() (ippool -l) for | Cy Schubert | 2017-06-10 | 1 | -1/+8
  now. The option does not presently work. However, similar functions in ipfstat (for state) and ipnat (for nat) do work and provide outputs that can be easily parsed by shell scripts or subsequently loaded into CSV files. The intention here is to return to this option to make it work. I suspect the problem is in printpoolfields.c.
  Notes: svn path=/head/; revision=319795
* Flag poollist() (ippool -l) command line syntax errors. | Cy Schubert | 2017-06-10 | 1 | -0/+6
  Notes: svn path=/head/; revision=319794
* Remove NORESOLVE (-R) option from poollist() (ippool -l). It is not | Cy Schubert | 2017-05-31 | 1 | -4/+1
  used in poollist().
  Notes: svn path=/head/; revision=319273
* Implement ippool command line IPv6 address parse support (for the -i | Cy Schubert | 2017-05-16 | 1 | -16/+51
  option).
  PR: 218433
  Notes: svn path=/head/; revision=318333
* Ifdef out a redundant if statement when INET6 is disabled. | Cy Schubert | 2017-05-05 | 1 | -0/+2
  MFC after: 1 week
  Notes: svn path=/head/; revision=317830
* Use warnx() to issue error message. | Cy Schubert | 2017-04-16 | 1 | -1/+2
  Reported by: cem
  MFC after: 1 week
  X-MFC with: r316993, r316994
  Notes: svn path=/head/; revision=316997
* Fix CID 1372600, possible NULL pointer dereference should | Cy Schubert | 2017-04-16 | 1 | -0/+4
  reallocarray() fail.
  Reported by: Coverity CID 1372600
  MFC after: 1 week
  Notes: svn path=/head/; revision=316994
* calloc() and realloc() modernization. | Cy Schubert | 2017-03-16 | 3 | -4/+4
  This commit replaces calloc calls, which called calloc() as if it were malloc() by allocating a multiple of objects as a sizeof multiplied by the number of objects. The patch rectifies this by calling calloc() as it was meant to be called.
  This commit also replaces realloc() with reallocarray() in a similar fashion as above. Instead of calculating the memory to be reallocated (changed) by multiplying sizeof by the number of objects, the sizeof and number are passed as separate arguments to reallocarray(), letting reallocarray() do the multiplication instead. Like the calloc() adjustment above, this approach is cleaner and more elegant than the previous code.
  This has been tested on my production firewall and a laptop (also running ipfilter).
  Submitted by: pfg
  MFC after: 6 weeks
  Notes: svn path=/head/; revision=315368
* Use normal KNF cuddling of elses. | Cy Schubert | 2017-01-26 | 1 | -2/+1
  Reported by: bde
  MFC after: 2 weeks
  X-MFC with: r312777
  Notes: svn path=/head/; revision=312791