diff -cr ip_fil3.2.10/HISTORY ip_fil3.2.10p1/HISTORY *** ip_fil3.2.10/HISTORY Sun Nov 22 13:25:56 1998 --- ip_fil3.2.10p1/HISTORY Tue Dec 29 21:16:43 1998 *************** *** 12,17 **** --- 12,23 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.2.10-Patch1 29/12/98 + + fix changing of IP destination address in ip_natin() + + use native in_cksum routine on *BSD/Solaris platforms. + 3.2.10 22/11/98 - Released 3.2.10beta9 17/11/98 - Released diff -cr ip_fil3.2.10/SunOS5/pkginfo ip_fil3.2.10p1/SunOS5/pkginfo *** ip_fil3.2.10/SunOS5/pkginfo Sun Nov 22 13:25:59 1998 --- ip_fil3.2.10p1/SunOS5/pkginfo Tue Dec 29 21:13:51 1998 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.2,REV=10 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.2,REV=10p1 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.2.10/fil.c ip_fil3.2.10p1/fil.c *** ip_fil3.2.10/fil.c Sun Nov 22 12:50:15 1998 --- ip_fil3.2.10p1/fil.c Tue Dec 29 21:09:35 1998 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.27 1998/11/22 01:50:15 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.31 1998/12/29 10:01:35 darrenr Exp $"; #endif #include *************** *** 400,406 **** /* * Match the flags ? If not, abort this match. */ ! if (fr->fr_tcpf && fr->fr_tcpf != (fin->fin_tcpf & fr->fr_tcpfm)) { FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf, fr->fr_tcpfm, fr->fr_tcpf)); --- 400,406 ---- /* * Match the flags ? If not, abort this match. */ ! 
if (fr->fr_tcpfm && fr->fr_tcpf != (fin->fin_tcpf & fr->fr_tcpfm)) { FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf, fr->fr_tcpfm, fr->fr_tcpf)); *************** *** 950,963 **** tcphdr_t *tcp; int len; { union { u_char c[2]; u_short s; } bytes; ! u_32_t sum; ! u_short *sp, slen; ! # if SOLARIS || defined(__sgi) ! int add, hlen; # endif /* --- 950,1008 ---- tcphdr_t *tcp; int len; { + u_short *sp, slen, ts; + u_int sum, sum2; + int hlen; + + /* + * Add up IP Header portion + */ + hlen = ip->ip_hl << 2; + slen = ip->ip_len - hlen; + sum = htons(ip->ip_p); + sum += htons(slen); + sp = (u_short *)&ip->ip_src; + sum += *sp++; /* ip_src */ + sum += *sp++; + sum += *sp++; /* ip_dst */ + sum += *sp++; + ts = tcp->th_sum; + tcp->th_sum = 0; + #ifdef KERNEL + # if SOLARIS + sum2 = ip_cksum(m, hlen, sum); + sum2 = (sum2 & 0xffff) + (sum2 >> 16); + sum2 = ~sum2 & 0xffff; + # else /* SOLARIS */ + # if defined(BSD) || defined(sun) + # if BSD >= 199306 + m->m_data += hlen; + # else + m->m_off += hlen; + # endif + m->m_len -= hlen; + sum2 = in_cksum(m, slen); + m->m_len += hlen; + # if BSD >= 199306 + m->m_data -= hlen; + # else + m->m_off -= hlen; + # endif + /* + * Both sum and sum2 are partial sums, so combine them together. + */ + sum = (sum & 0xffff) + (sum >> 16); + sum = ~sum & 0xffff; + sum2 += sum; + sum2 = (sum2 & 0xffff) + (sum2 >> 16); + # else /* defined(BSD) || defined(sun) */ + { union { u_char c[2]; u_short s; } bytes; ! # if defined(__sgi) ! int add; # endif /* *************** *** 965,973 **** */ sp = (u_short *)&ip->ip_src; len -= (ip->ip_hl << 2); - slen = (u_short)len; sum = ntohs(IPPROTO_TCP); ! sum += htons(slen); sum += *sp++; /* ip_src */ sum += *sp++; sum += *sp++; /* ip_dst */ --- 1010,1017 ---- */ sp = (u_short *)&ip->ip_src; len -= (ip->ip_hl << 2); sum = ntohs(IPPROTO_TCP); ! 
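Review bot: The HISTORY entry added for 3.2.10-Patch1 lists only the ip_natin() and in_cksum changes and does not mention that the flag test in fil.c now keys on `fr->fr_tcpfm` instead of `fr->fr_tcpf`. That changes which packets a rule matches: under the old condition a rule with a flag value of 0 and a non-zero mask skipped the comparison entirely and so matched whatever flags the packet carried. Operators with such rules will see different filtering after upgrading, so HISTORY should carry a line such as `fix TCP flag matching for rules with a zero flag value and a non-zero mask`. The comment above the test could also say that the mask, not the value, decides whether flags are compared. The enclosing function starts and ends outside the hunk.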
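Review bot: In the BSD/sun branch the pseudo-header sum is folded only once (`sum = (sum & 0xffff) + (sum >> 16);`) before `sum = ~sum & 0xffff;`, and one fold is not always enough. Six 16-bit words can total 0x4ffff, for example, which folds to 0x10003, and the mask then silently drops the carry, giving a checksum that is off by one. The fallback path later in the function already loops, and the same form fits here: `while (sum > 0xffff) sum = (sum & 0xffff) + (sum >> 16);`. Separately, `slen = ip->ip_len - hlen` is stored in a u_short and passed to `in_cksum(m, slen)` with no visible check that `ip->ip_len >= hlen` or that the first mbuf holds `hlen` bytes. If the callers (not visible here) do not guarantee both, a guard is needed before the `m->m_data`/`m->m_len` adjustment.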
sum += htons((u_short)len); sum += *sp++; /* ip_src */ sum += *sp++; sum += *sp++; /* ip_dst */ *************** *** 985,1014 **** sp += 2; /* Skip over checksum */ sum += *sp++; /* urp */ ! #if SOLARIS ! /* ! * In case we had to copy the IP & TCP header out of mblks, ! * skip over the mblk bits which are the header ! */ ! if ((caddr_t)ip != (caddr_t)m->b_rptr) { ! hlen = (caddr_t)sp - (caddr_t)ip; ! while (hlen) { ! add = MIN(hlen, m->b_wptr - m->b_rptr); ! sp = (u_short *)((caddr_t)m->b_rptr + add); ! hlen -= add; ! if ((caddr_t)sp >= (caddr_t)m->b_wptr) { ! m = m->b_cont; ! if (!hlen) { ! if (!m) ! break; ! sp = (u_short *)m->b_rptr; ! } ! PANIC((!m),("fr_tcpsum(1): not enough data")); ! } ! } ! } ! #endif ! #ifdef __sgi /* * In case we had to copy the IP & TCP header out of mbufs, * skip over the mbuf bits which are the header --- 1029,1035 ---- sp += 2; /* Skip over checksum */ sum += *sp++; /* urp */ ! # ifdef __sgi /* * In case we had to copy the IP & TCP header out of mbufs, * skip over the mbuf bits which are the header *************** *** 1030,1056 **** } } } ! #endif if (!(len -= sizeof(*tcp))) goto nodata; while (len > 1) { - #if SOLARIS - if ((caddr_t)sp >= (caddr_t)m->b_wptr) { - m = m->b_cont; - PANIC((!m),("fr_tcpsum(2): not enough data")); - sp = (u_short *)m->b_rptr; - } - if ((caddr_t)(sp + 1) > (caddr_t)m->b_wptr) { - bytes.c[0] = *(u_char *)sp; - m = m->b_cont; - PANIC((!m),("fr_tcpsum(3): not enough data")); - sp = (u_short *)m->b_rptr; - bytes.c[1] = *(u_char *)sp; - sum += bytes.s; - sp = (u_short *)((u_char *)sp + 1); - } - #else if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) { m = m->m_next; PANIC((!m),("fr_tcpsum(2): not enough data")); --- 1051,1061 ---- } } } ! 
# endif if (!(len -= sizeof(*tcp))) goto nodata; while (len > 1) { if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) { m = m->m_next; PANIC((!m),("fr_tcpsum(2): not enough data")); *************** *** 1065,1071 **** sum += bytes.s; sp = (u_short *)((u_char *)sp + 1); } - #endif /* SOLARIS */ if ((u_long)sp & 1) { bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s)); sum += bytes.s; --- 1070,1075 ---- *************** *** 1078,1085 **** nodata: while (sum > 0xffff) sum = (sum & 0xffff) + (sum >> 16); ! sum = (u_short)(~sum & 0xffff); ! return sum; } --- 1082,1096 ---- nodata: while (sum > 0xffff) sum = (sum & 0xffff) + (sum >> 16); ! sum2 = (u_short)(~sum & 0xffff); ! } ! # endif /* defined(BSD) || defined(sun) */ ! # endif /* SOLARIS */ ! #else /* KERNEL */ ! sum2 = 0; ! #endif /* KERNEL */ ! tcp->th_sum = ts; ! return sum2; } *************** *** 1117,1123 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.0.2.41.2.27 1998/11/22 01:50:15 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 1128,1134 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.0.2.41.2.31 1998/12/29 10:01:35 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, Only in ip_fil3.2.10p1: fil.c.old diff -cr ip_fil3.2.10/ip_compat.h ip_fil3.2.10p1/ip_compat.h *** ip_fil3.2.10/ip_compat.h Sun Nov 22 12:50:20 1998 --- ip_fil3.2.10p1/ip_compat.h Tue Dec 29 21:13:18 1998 *************** *** 785,789 **** --- 785,796 ---- #ifndef ICMP_ROUTERSOLICIT # define ICMP_ROUTERSOLICIT 10 #endif + /* + * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data, + * another IP header and then 64 bits of data, totalling 56. Of course, + * the last 64 bits is dependant on that being available. 
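Review bot: The non-kernel branch `sum2 = 0;` carries no comment, so nothing records that fr_tcpsum() computes no checksum outside the kernel and returns 0 for every packet. If a caller compares the result with `th_sum` (callers are not visible here), userland test runs never exercise checksum validation, and a reader could mistake 0 for a computed value. I would add `/* checksum is not computed in non-kernel builds */` above the assignment. The function starts outside this hunk.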
+ */ + #define ICMPERR_MINPKTLEN (20 + 8 + 20) + #define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8) #endif /* __IP_COMPAT_H__ */ diff -cr ip_fil3.2.10/ip_nat.c ip_fil3.2.10p1/ip_nat.c *** ip_fil3.2.10/ip_nat.c Sun Nov 22 12:50:27 1998 --- ip_fil3.2.10p1/ip_nat.c Tue Dec 29 21:12:46 1998 *************** *** 770,776 **** * Only a basic IP header (no options) should be with an ICMP error * header. */ ! if ((ip->ip_hl != 5) || (ip->ip_len < sizeof(*icmp) + sizeof(ip_t))) return NULL; type = icmp->icmp_type; /* --- 770,776 ---- * Only a basic IP header (no options) should be with an ICMP error * header. */ ! if ((ip->ip_hl != 5) || (ip->ip_len < ICMPERR_MINPKTLEN)) return NULL; type = icmp->icmp_type; /* *************** *** 782,787 **** --- 782,789 ---- return NULL; oip = (ip_t *)((char *)fin->fin_dp + 8); + if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2)) + return NULL; if (oip->ip_p == IPPROTO_TCP) flags = IPN_TCP; else if (oip->ip_p == IPPROTO_UDP) *************** *** 1240,1245 **** --- 1242,1248 ---- nat->nat_pkts++; MUTEX_EXIT(&ipf_rw); ip->ip_dst = nat->nat_inip; + fin->fin_fi.fi_dst = nat->nat_inip; /* * Fix up checksums, not by recalculating them, but diff -cr ip_fil3.2.10/ipl.h ip_fil3.2.10p1/ipl.h *** ip_fil3.2.10/ipl.h Sun Nov 22 13:25:57 1998 --- ip_fil3.2.10p1/ipl.h Tue Dec 22 20:51:35 1998 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.2.10" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.2.10p1" #endif
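Review bot: The new length test in ip_nat.c reads `oip->ip_hl` from the embedded header without a lower bound. A value below 5 makes `(oip->ip_hl - 5) << 2` negative, which lowers the required length below ICMPERR_MAXPKTLEN, and left-shifting a negative int is undefined. The outer header is already required to have `ip_hl == 5` a few lines earlier; the inner header deserves the same floor, e.g. `if (oip->ip_hl < 5) return NULL;` placed before the length comparison. Code after the hunk presumably uses `oip->ip_hl` to locate the TCP/UDP header, but that is outside the visible lines. The enclosing function starts and ends outside the hunk.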