diff -cr ip_fil3.2.10/HISTORY ip_fil3.2.10p1/HISTORY
*** ip_fil3.2.10/HISTORY Sun Nov 22 13:25:56 1998
--- ip_fil3.2.10p1/HISTORY Tue Dec 29 21:16:43 1998
***************
*** 12,17 ****
--- 12,23 ----
# and especially those who have found the time to port IP Filter to new
# platforms.
#
+ 3.2.10-Patch1 29/12/98
+
+ fix changing of IP destination address in ip_natin()
+
+ use native in_cksum routine on *BSD/Solaris platforms.
+
3.2.10 22/11/98 - Released
3.2.10beta9 17/11/98 - Released
diff -cr ip_fil3.2.10/SunOS5/pkginfo ip_fil3.2.10p1/SunOS5/pkginfo
*** ip_fil3.2.10/SunOS5/pkginfo Sun Nov 22 13:25:59 1998
--- ip_fil3.2.10p1/SunOS5/pkginfo Tue Dec 29 21:13:51 1998
***************
*** 5,11 ****
PKG=ipf
NAME=IP Filter
ARCH=sparc,i386
! VERSION=3.2,REV=10
CATEGORY=system
DESC=This package contains tools for building a firewall
VENDOR=Darren Reed
--- 5,11 ----
PKG=ipf
NAME=IP Filter
ARCH=sparc,i386
! VERSION=3.2,REV=10p1
CATEGORY=system
DESC=This package contains tools for building a firewall
VENDOR=Darren Reed
diff -cr ip_fil3.2.10/fil.c ip_fil3.2.10p1/fil.c
*** ip_fil3.2.10/fil.c Sun Nov 22 12:50:15 1998
--- ip_fil3.2.10p1/fil.c Tue Dec 29 21:09:35 1998
***************
*** 7,13 ****
*/
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
! static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.27 1998/11/22 01:50:15 darrenr Exp $";
#endif
#include <sys/errno.h>
--- 7,13 ----
*/
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
! static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.31 1998/12/29 10:01:35 darrenr Exp $";
#endif
#include <sys/errno.h>
***************
*** 400,406 ****
/*
* Match the flags ? If not, abort this match.
*/
! if (fr->fr_tcpf &&
fr->fr_tcpf != (fin->fin_tcpf & fr->fr_tcpfm)) {
FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
fr->fr_tcpfm, fr->fr_tcpf));
--- 400,406 ----
/*
* Match the flags ? If not, abort this match.
*/
! if (fr->fr_tcpfm &&
fr->fr_tcpf != (fin->fin_tcpf & fr->fr_tcpfm)) {
FR_DEBUG(("f. %#x & %#x != %#x\n", fin->fin_tcpf,
fr->fr_tcpfm, fr->fr_tcpf));
***************
*** 950,963 ****
tcphdr_t *tcp;
int len;
{
union {
u_char c[2];
u_short s;
} bytes;
! u_32_t sum;
! u_short *sp, slen;
! # if SOLARIS || defined(__sgi)
! int add, hlen;
# endif
/*
--- 950,1008 ----
tcphdr_t *tcp;
int len;
{
+ u_short *sp, slen, ts;
+ u_int sum, sum2;
+ int hlen;
+
+ /*
+ * Add up IP Header portion
+ */
+ hlen = ip->ip_hl << 2;
+ slen = ip->ip_len - hlen;
+ sum = htons(ip->ip_p);
+ sum += htons(slen);
+ sp = (u_short *)&ip->ip_src;
+ sum += *sp++; /* ip_src */
+ sum += *sp++;
+ sum += *sp++; /* ip_dst */
+ sum += *sp++;
+ ts = tcp->th_sum;
+ tcp->th_sum = 0;
+ #ifdef KERNEL
+ # if SOLARIS
+ sum2 = ip_cksum(m, hlen, sum);
+ sum2 = (sum2 & 0xffff) + (sum2 >> 16);
+ sum2 = ~sum2 & 0xffff;
+ # else /* SOLARIS */
+ # if defined(BSD) || defined(sun)
+ # if BSD >= 199306
+ m->m_data += hlen;
+ # else
+ m->m_off += hlen;
+ # endif
+ m->m_len -= hlen;
+ sum2 = in_cksum(m, slen);
+ m->m_len += hlen;
+ # if BSD >= 199306
+ m->m_data -= hlen;
+ # else
+ m->m_off -= hlen;
+ # endif
+ /*
+ * Both sum and sum2 are partial sums, so combine them together.
+ */
+ sum = (sum & 0xffff) + (sum >> 16);
+ sum = ~sum & 0xffff;
+ sum2 += sum;
+ sum2 = (sum2 & 0xffff) + (sum2 >> 16);
+ # else /* defined(BSD) || defined(sun) */
+ {
union {
u_char c[2];
u_short s;
} bytes;
! # if defined(__sgi)
! int add;
# endif
/*
***************
*** 965,973 ****
*/
sp = (u_short *)&ip->ip_src;
len -= (ip->ip_hl << 2);
- slen = (u_short)len;
sum = ntohs(IPPROTO_TCP);
! sum += htons(slen);
sum += *sp++; /* ip_src */
sum += *sp++;
sum += *sp++; /* ip_dst */
--- 1010,1017 ----
*/
sp = (u_short *)&ip->ip_src;
len -= (ip->ip_hl << 2);
sum = ntohs(IPPROTO_TCP);
! sum += htons((u_short)len);
sum += *sp++; /* ip_src */
sum += *sp++;
sum += *sp++; /* ip_dst */
***************
*** 985,1014 ****
sp += 2; /* Skip over checksum */
sum += *sp++; /* urp */
! #if SOLARIS
! /*
! * In case we had to copy the IP & TCP header out of mblks,
! * skip over the mblk bits which are the header
! */
! if ((caddr_t)ip != (caddr_t)m->b_rptr) {
! hlen = (caddr_t)sp - (caddr_t)ip;
! while (hlen) {
! add = MIN(hlen, m->b_wptr - m->b_rptr);
! sp = (u_short *)((caddr_t)m->b_rptr + add);
! hlen -= add;
! if ((caddr_t)sp >= (caddr_t)m->b_wptr) {
! m = m->b_cont;
! if (!hlen) {
! if (!m)
! break;
! sp = (u_short *)m->b_rptr;
! }
! PANIC((!m),("fr_tcpsum(1): not enough data"));
! }
! }
! }
! #endif
! #ifdef __sgi
/*
* In case we had to copy the IP & TCP header out of mbufs,
* skip over the mbuf bits which are the header
--- 1029,1035 ----
sp += 2; /* Skip over checksum */
sum += *sp++; /* urp */
! # ifdef __sgi
/*
* In case we had to copy the IP & TCP header out of mbufs,
* skip over the mbuf bits which are the header
***************
*** 1030,1056 ****
}
}
}
! #endif
if (!(len -= sizeof(*tcp)))
goto nodata;
while (len > 1) {
- #if SOLARIS
- if ((caddr_t)sp >= (caddr_t)m->b_wptr) {
- m = m->b_cont;
- PANIC((!m),("fr_tcpsum(2): not enough data"));
- sp = (u_short *)m->b_rptr;
- }
- if ((caddr_t)(sp + 1) > (caddr_t)m->b_wptr) {
- bytes.c[0] = *(u_char *)sp;
- m = m->b_cont;
- PANIC((!m),("fr_tcpsum(3): not enough data"));
- sp = (u_short *)m->b_rptr;
- bytes.c[1] = *(u_char *)sp;
- sum += bytes.s;
- sp = (u_short *)((u_char *)sp + 1);
- }
- #else
if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
m = m->m_next;
PANIC((!m),("fr_tcpsum(2): not enough data"));
--- 1051,1061 ----
}
}
}
! # endif
if (!(len -= sizeof(*tcp)))
goto nodata;
while (len > 1) {
if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) {
m = m->m_next;
PANIC((!m),("fr_tcpsum(2): not enough data"));
***************
*** 1065,1071 ****
sum += bytes.s;
sp = (u_short *)((u_char *)sp + 1);
}
- #endif /* SOLARIS */
if ((u_long)sp & 1) {
bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s));
sum += bytes.s;
--- 1070,1075 ----
***************
*** 1078,1085 ****
nodata:
while (sum > 0xffff)
sum = (sum & 0xffff) + (sum >> 16);
! sum = (u_short)(~sum & 0xffff);
! return sum;
}
--- 1082,1096 ----
nodata:
while (sum > 0xffff)
sum = (sum & 0xffff) + (sum >> 16);
! sum2 = (u_short)(~sum & 0xffff);
! }
! # endif /* defined(BSD) || defined(sun) */
! # endif /* SOLARIS */
! #else /* KERNEL */
! sum2 = 0;
! #endif /* KERNEL */
! tcp->th_sum = ts;
! return sum2;
}
***************
*** 1117,1123 ****
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
! * $Id: fil.c,v 2.0.2.41.2.27 1998/11/22 01:50:15 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
--- 1128,1134 ----
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
! * $Id: fil.c,v 2.0.2.41.2.31 1998/12/29 10:01:35 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
Only in ip_fil3.2.10p1: fil.c.old
diff -cr ip_fil3.2.10/ip_compat.h ip_fil3.2.10p1/ip_compat.h
*** ip_fil3.2.10/ip_compat.h Sun Nov 22 12:50:20 1998
--- ip_fil3.2.10p1/ip_compat.h Tue Dec 29 21:13:18 1998
***************
*** 785,789 ****
--- 785,796 ----
#ifndef ICMP_ROUTERSOLICIT
# define ICMP_ROUTERSOLICIT 10
#endif
+ /*
+ * ICMP error replies have an IP header (20 bytes), 8 bytes of ICMP data,
+ * another IP header and then 64 bits of data, totalling 56. Of course,
+ * the last 64 bits is dependant on that being available.
+ */
+ #define ICMPERR_MINPKTLEN (20 + 8 + 20)
+ #define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8)
#endif /* __IP_COMPAT_H__ */
diff -cr ip_fil3.2.10/ip_nat.c ip_fil3.2.10p1/ip_nat.c
*** ip_fil3.2.10/ip_nat.c Sun Nov 22 12:50:27 1998
--- ip_fil3.2.10p1/ip_nat.c Tue Dec 29 21:12:46 1998
***************
*** 770,776 ****
* Only a basic IP header (no options) should be with an ICMP error
* header.
*/
! if ((ip->ip_hl != 5) || (ip->ip_len < sizeof(*icmp) + sizeof(ip_t)))
return NULL;
type = icmp->icmp_type;
/*
--- 770,776 ----
* Only a basic IP header (no options) should be with an ICMP error
* header.
*/
! if ((ip->ip_hl != 5) || (ip->ip_len < ICMPERR_MINPKTLEN))
return NULL;
type = icmp->icmp_type;
/*
***************
*** 782,787 ****
--- 782,789 ----
return NULL;
oip = (ip_t *)((char *)fin->fin_dp + 8);
+ if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
+ return NULL;
if (oip->ip_p == IPPROTO_TCP)
flags = IPN_TCP;
else if (oip->ip_p == IPPROTO_UDP)
***************
*** 1240,1245 ****
--- 1242,1248 ----
nat->nat_pkts++;
MUTEX_EXIT(&ipf_rw);
ip->ip_dst = nat->nat_inip;
+ fin->fin_fi.fi_dst = nat->nat_inip;
/*
* Fix up checksums, not by recalculating them, but
diff -cr ip_fil3.2.10/ipl.h ip_fil3.2.10p1/ipl.h
*** ip_fil3.2.10/ipl.h Sun Nov 22 13:25:57 1998
--- ip_fil3.2.10p1/ipl.h Tue Dec 22 20:51:35 1998
***************
*** 11,16 ****
#ifndef __IPL_H__
#define __IPL_H__
! #define IPL_VERSION "IP Filter v3.2.10"
#endif
--- 11,16 ----
#ifndef __IPL_H__
#define __IPL_H__
! #define IPL_VERSION "IP Filter v3.2.10p1"
#endif