diff -cr ip_fil3.2.10/HISTORY ip_fil3.2.10p1/HISTORY
*** ip_fil3.2.10/HISTORY	Sun Nov 22 13:25:56 1998
--- ip_fil3.2.10p1/HISTORY	Tue Dec 29 21:16:43 1998
***************
*** 12,17 ****
--- 12,23 ----
  # and especially those who have found the time to port IP Filter to new
  # platforms.
  #
+ 3.2.10-Patch1	29/12/98
+ 
+ fix changing of IP destination address in ip_natin()
+ 
+ use native in_cksum routine on *BSD/Solaris platforms.
+ 
  3.2.10		22/11/98 - Released
  
  3.2.10beta9	17/11/98 - Released
diff -cr ip_fil3.2.10/SunOS5/pkginfo ip_fil3.2.10p1/SunOS5/pkginfo
*** ip_fil3.2.10/SunOS5/pkginfo	Sun Nov 22 13:25:59 1998
--- ip_fil3.2.10p1/SunOS5/pkginfo	Tue Dec 29 21:13:51 1998
***************
*** 5,11 ****
  PKG=ipf
  NAME=IP Filter
  ARCH=sparc,i386
! VERSION=3.2,REV=10
  CATEGORY=system
  DESC=This package contains tools for building a firewall
  VENDOR=Darren Reed
--- 5,11 ----
  PKG=ipf
  NAME=IP Filter
  ARCH=sparc,i386
! VERSION=3.2,REV=10p1
  CATEGORY=system
  DESC=This package contains tools for building a firewall
  VENDOR=Darren Reed
diff -cr ip_fil3.2.10/fil.c ip_fil3.2.10p1/fil.c
*** ip_fil3.2.10/fil.c	Sun Nov 22 12:50:15 1998
--- ip_fil3.2.10p1/fil.c	Tue Dec 29 21:09:35 1998
***************
*** 7,13 ****
   */
  #if !defined(lint)
  static const char sccsid[] = "@(#)fil.c	1.36 6/5/96 (C) 1993-1996 Darren Reed";
! static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.27 1998/11/22 01:50:15 darrenr Exp $";
  #endif
  
  #include <sys/errno.h>
--- 7,13 ----
   */
  #if !defined(lint)
  static const char sccsid[] = "@(#)fil.c	1.36 6/5/96 (C) 1993-1996 Darren Reed";
! static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.31 1998/12/29 10:01:35 darrenr Exp $";
  #endif
  
  #include <sys/errno.h>
***************
*** 400,406 ****
  		/*
  		 * Match the flags ?  If not, abort this match.
  		 */
! 		if (fr->fr_tcpf &&
  		    fr->fr_tcpf != (fin->fin_tcpf & fr->fr_tcpfm)) {
  			FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
  				 fr->fr_tcpfm, fr->fr_tcpf));
--- 400,406 ----
  		/*
  		 * Match the flags ?  If not, abort this match.
  		 */
! 		if (fr->fr_tcpfm &&
  		    fr->fr_tcpf != (fin->fin_tcpf & fr->fr_tcpfm)) {
  			FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
  				 fr->fr_tcpfm, fr->fr_tcpf));
***************
*** 950,963 ****
  tcphdr_t *tcp;
  int len;
  {
  	union {
  		u_char	c[2];
  		u_short	s;
  	} bytes;
! 	u_32_t sum;
! 	u_short	*sp, slen;
! # if SOLARIS || defined(__sgi)
! 	int add, hlen;
  # endif
  
  	/*
--- 950,1008 ----
  tcphdr_t *tcp;
  int len;
  {
+ 	u_short *sp, slen, ts;
+ 	u_int sum, sum2;
+ 	int hlen;
+ 
+ 	/*
+ 	 * Add up IP Header portion
+ 	 */
+ 	hlen = ip->ip_hl << 2;
+ 	slen = ip->ip_len - hlen;
+ 	sum = htons(ip->ip_p);
+ 	sum += htons(slen);
+ 	sp = (u_short *)&ip->ip_src;
+ 	sum += *sp++;	/* ip_src */
+ 	sum += *sp++;
+ 	sum += *sp++;	/* ip_dst */
+ 	sum += *sp++;
+ 	ts = tcp->th_sum;
+ 	tcp->th_sum = 0;
+ #ifdef	KERNEL
+ # if SOLARIS
+ 	sum2 = ip_cksum(m, hlen, sum);
+ 	sum2 = (sum2 & 0xffff) + (sum2 >> 16);
+ 	sum2 = ~sum2 & 0xffff;
+ # else /* SOLARIS */
+ #  if defined(BSD) || defined(sun)
+ #   if BSD >= 199306
+ 	m->m_data += hlen;
+ #   else
+ 	m->m_off += hlen;
+ #   endif
+ 	m->m_len -= hlen;
+ 	sum2 = in_cksum(m, slen);
+ 	m->m_len += hlen;
+ #   if BSD >= 199306
+ 	m->m_data -= hlen;
+ #   else
+ 	m->m_off -= hlen;
+ #   endif
+ 	/*
+ 	 * Both sum and sum2 are partial sums, so combine them together.
+ 	 */
+ 	sum = (sum & 0xffff) + (sum >> 16);
+ 	sum = ~sum & 0xffff;
+ 	sum2 += sum;
+ 	sum2 = (sum2 & 0xffff) + (sum2 >> 16);
+ #  else /* defined(BSD) || defined(sun) */
+ {
  	union {
  		u_char	c[2];
  		u_short	s;
  	} bytes;
! # if defined(__sgi)
! 	int add;
  # endif
  
  	/*
***************
*** 965,973 ****
  	 */
  	sp = (u_short *)&ip->ip_src;
  	len -= (ip->ip_hl << 2);
- 	slen = (u_short)len;
  	sum = ntohs(IPPROTO_TCP);
! 	sum += htons(slen);
  	sum += *sp++;	/* ip_src */
  	sum += *sp++;
  	sum += *sp++;	/* ip_dst */
--- 1010,1017 ----
  	 */
  	sp = (u_short *)&ip->ip_src;
  	len -= (ip->ip_hl << 2);
  	sum = ntohs(IPPROTO_TCP);
! 	sum += htons((u_short)len);
  	sum += *sp++;	/* ip_src */
  	sum += *sp++;
  	sum += *sp++;	/* ip_dst */
***************
*** 985,1014 ****
  	sp += 2;	/* Skip over checksum */
  	sum += *sp++;	/* urp */
  
! #if SOLARIS
! 	/*
! 	 * In case we had to copy the IP & TCP header out of mblks,
! 	 * skip over the mblk bits which are the header
! 	 */
! 	if ((caddr_t)ip != (caddr_t)m->b_rptr) {
! 		hlen = (caddr_t)sp - (caddr_t)ip;
! 		while (hlen) {
! 			add = MIN(hlen, m->b_wptr - m->b_rptr);
! 			sp = (u_short *)((caddr_t)m->b_rptr + add);
! 			hlen -= add;
! 			if ((caddr_t)sp >= (caddr_t)m->b_wptr) {
! 				m = m->b_cont;
! 				if (!hlen) {
! 					if (!m)
! 						break;
! 					sp = (u_short *)m->b_rptr;
! 				}
! 				PANIC((!m),("fr_tcpsum(1): not enough data"));
! 			}
! 		}
! 	}
! #endif
! #ifdef	__sgi
  	/*
  	 * In case we had to copy the IP & TCP header out of mbufs,
  	 * skip over the mbuf bits which are the header
--- 1029,1035 ----
  	sp += 2;	/* Skip over checksum */
  	sum += *sp++;	/* urp */
  
! # ifdef	__sgi
  	/*
  	 * In case we had to copy the IP & TCP header out of mbufs,
  	 * skip over the mbuf bits which are the header
***************
*** 1030,1056 ****
  			}
  		}
  	}
! #endif
  
  	if (!(len -= sizeof(*tcp)))
  		goto nodata;
  	while (len > 1) {
- #if SOLARIS
- 		if ((caddr_t)sp >= (caddr_t)m->b_wptr) {
- 			m = m->b_cont;
- 			PANIC((!m),("fr_tcpsum(2): not enough data"));
- 			sp = (u_short *)m->b_rptr;
- 		}
- 		if ((caddr_t)(sp + 1) > (caddr_t)m->b_wptr) {
- 			bytes.c[0] = *(u_char *)sp;
- 			m = m->b_cont;
- 			PANIC((!m),("fr_tcpsum(3): not enough data"));
- 			sp = (u_short *)m->b_rptr;
- 			bytes.c[1] = *(u_char *)sp;
- 			sum += bytes.s;
- 			sp = (u_short *)((u_char *)sp + 1);
- 		}
- #else
  		if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
  			m = m->m_next;
  			PANIC((!m),("fr_tcpsum(2): not enough data"));
--- 1051,1061 ----
  			}
  		}
  	}
! # endif
  
  	if (!(len -= sizeof(*tcp)))
  		goto nodata;
  	while (len > 1) {
  		if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
  			m = m->m_next;
  			PANIC((!m),("fr_tcpsum(2): not enough data"));
***************
*** 1065,1071 ****
  			sum += bytes.s;
  			sp = (u_short *)((u_char *)sp + 1);
  		}
- #endif /* SOLARIS */
  		if ((u_long)sp & 1) {
  			bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
  			sum += bytes.s;
--- 1070,1075 ----
***************
*** 1078,1085 ****
  nodata:
  	while (sum > 0xffff)
  		sum = (sum & 0xffff) + (sum >> 16);
! 	sum = (u_short)(~sum & 0xffff);
! 	return sum;
  }
  
  
--- 1082,1096 ----
  nodata:
  	while (sum > 0xffff)
  		sum = (sum & 0xffff) + (sum >> 16);
! 	sum2 = (u_short)(~sum & 0xffff);
! }
! #  endif /*  defined(BSD) || defined(sun) */
! # endif /* SOLARIS */
! #else /* KERNEL */
! 	sum2 = 0;
! #endif /* KERNEL */
! 	tcp->th_sum = ts;
! 	return sum2;
  }
  
  
***************
*** 1117,1123 ****
   * SUCH DAMAGE.
   *
   *	@(#)uipc_mbuf.c	8.2 (Berkeley) 1/4/94
!  * $Id: fil.c,v 2.0.2.41.2.27 1998/11/22 01:50:15 darrenr Exp $
   */
  /*
   * Copy data from an mbuf chain starting "off" bytes from the beginning,
--- 1128,1134 ----
   * SUCH DAMAGE.
   *
   *	@(#)uipc_mbuf.c	8.2 (Berkeley) 1/4/94
!  * $Id: fil.c,v 2.0.2.41.2.31 1998/12/29 10:01:35 darrenr Exp $
   */
  /*
   * Copy data from an mbuf chain starting "off" bytes from the beginning,
Only in ip_fil3.2.10p1: fil.c.old
diff -cr ip_fil3.2.10/ip_compat.h ip_fil3.2.10p1/ip_compat.h
*** ip_fil3.2.10/ip_compat.h	Sun Nov 22 12:50:20 1998
--- ip_fil3.2.10p1/ip_compat.h	Tue Dec 29 21:13:18 1998
***************
*** 785,789 ****
--- 785,796 ----
  #ifndef	ICMP_ROUTERSOLICIT
  # define	ICMP_ROUTERSOLICIT	10
  #endif
+ /*
+  * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data,
+  * another IP header and then 64 bits of data, totalling 56.  Of course,
+  * the last 64 bits is dependant on that being available.
+  */
+ #define	ICMPERR_MINPKTLEN	(20 + 8 + 20)
+ #define	ICMPERR_MAXPKTLEN	(20 + 8 + 20 + 8)
  
  #endif	/* __IP_COMPAT_H__ */
diff -cr ip_fil3.2.10/ip_nat.c ip_fil3.2.10p1/ip_nat.c
*** ip_fil3.2.10/ip_nat.c	Sun Nov 22 12:50:27 1998
--- ip_fil3.2.10p1/ip_nat.c	Tue Dec 29 21:12:46 1998
***************
*** 770,776 ****
  	 * Only a basic IP header (no options) should be with an ICMP error
  	 * header.
  	 */
! 	if ((ip->ip_hl != 5) || (ip->ip_len < sizeof(*icmp) + sizeof(ip_t)))
  		return NULL;
  	type = icmp->icmp_type;
  	/*
--- 770,776 ----
  	 * Only a basic IP header (no options) should be with an ICMP error
  	 * header.
  	 */
! 	if ((ip->ip_hl != 5) || (ip->ip_len < ICMPERR_MINPKTLEN))
  		return NULL;
  	type = icmp->icmp_type;
  	/*
***************
*** 782,787 ****
--- 782,789 ----
  		return NULL;
  
  	oip = (ip_t *)((char *)fin->fin_dp + 8);
+ 	if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
+ 		return NULL;
  	if (oip->ip_p == IPPROTO_TCP)
  		flags = IPN_TCP;
  	else if (oip->ip_p == IPPROTO_UDP)
***************
*** 1240,1245 ****
--- 1242,1248 ----
  			nat->nat_pkts++;
  			MUTEX_EXIT(&ipf_rw);
  			ip->ip_dst = nat->nat_inip;
+ 			fin->fin_fi.fi_dst = nat->nat_inip;
  
  			/*
  			 * Fix up checksums, not by recalculating them, but
diff -cr ip_fil3.2.10/ipl.h ip_fil3.2.10p1/ipl.h
*** ip_fil3.2.10/ipl.h	Sun Nov 22 13:25:57 1998
--- ip_fil3.2.10p1/ipl.h	Tue Dec 22 20:51:35 1998
***************
*** 11,16 ****
  #ifndef	__IPL_H__
  #define	__IPL_H__
  
! #define	IPL_VERSION	"IP Filter v3.2.10"
  
  #endif
--- 11,16 ----
  #ifndef	__IPL_H__
  #define	__IPL_H__
  
! #define	IPL_VERSION	"IP Filter v3.2.10p1"
  
  #endif