Common subdirectories: ip_fil4.1.3/4bsd and ip_fil4.1.4/4bsd Common subdirectories: ip_fil4.1.3/BSD and ip_fil4.1.4/BSD Common subdirectories: ip_fil4.1.3/BSDOS and ip_fil4.1.4/BSDOS Common subdirectories: ip_fil4.1.3/BSDOS3 and ip_fil4.1.4/BSDOS3 Common subdirectories: ip_fil4.1.3/BSDOS4 and ip_fil4.1.4/BSDOS4 Common subdirectories: ip_fil4.1.3/FWTK and ip_fil4.1.4/FWTK Common subdirectories: ip_fil4.1.3/FreeBSD and ip_fil4.1.4/FreeBSD Common subdirectories: ip_fil4.1.3/FreeBSD-2.2 and ip_fil4.1.4/FreeBSD-2.2 Common subdirectories: ip_fil4.1.3/FreeBSD-3 and ip_fil4.1.4/FreeBSD-3 Common subdirectories: ip_fil4.1.3/FreeBSD-4.0 and ip_fil4.1.4/FreeBSD-4.0 diff -cr ip_fil4.1.3/HISTORY ip_fil4.1.4/HISTORY *** ip_fil4.1.3/HISTORY Sun Jul 18 14:18:44 2004 --- ip_fil4.1.4/HISTORY Sun Jan 9 01:41:43 2005 *************** *** 10,15 **** --- 10,80 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 4.1.4 - Released 9 January 2005 + + force NAT rules to only match ipv4 NAT rules (which all are, currently, + by default) + + include state synchronisation fixes from Frank Volf + + make the maximum log size for internally buffered log entries accessible + via "ipf -T" + + redesign start of fr_check() to avoid putting duplicate information in + ipfilter about how much data needs to be pulled up for a protocol to be + properly filtered. + + tidy up sending ICMP error messages - some bad inputs could result in + data not being freed and/or no error returned. + + make the maximum size of the log buffer run-time tunable + + fix bug in parsing TCP header when looking for MSS option that could make + the system hang + + change pool lookups that fail to find a match to return "no match" + rather than fail. + + add run-time tunable debugging for proxy support code and FTP proxy. 
+ + fix state table updates for entries where the first packet as an ICMPv6 + multicast message + + fix hang when flushing state for v4/v6 and other (v6/v4) entries are present + too + + attaching filtering to ipv6 pfil hook wasn't present for solaris + + don't allow rules with "keep state" and "with oow" + + move a bunch of userland only code from fil.c to ip_fil.c + + make fr_coalesce() more resiliant to bad input, just returning an error + instead of crashing, making calling it easier in many places + + When m_pulldown doesn't return NULL, it doesn't necessarily return a pointer + to the same mbuf passed in as the first arg. + + remove fr_unreach and use ENETUNREACH by default. + + printing out of tag data in ipf rules doesn't match input syntax + + ipftest(1) man page update + + ipfs command line option parsing still rejects some valid syntaxes + + SIGHUP handling by ipmon was not as safe as it could be + + fix various parsing regressions, including "", "tcpudp", ordering + of "keep" options + + patches from Frank Volk: add udp_acktimeout to sysctl list for FreeBSD, + ICMP packet length not calculated correctly in send_icmp_err, reply-to + not printed by ipfstat, keep state with icmp passing (mtrr) + + patches for return-rst and return-icmp from Attila Fueloep + (lichtscheu@gesindel.org) + 4.1.3 - Released 18 July 2004 do some more fine tuning on NAT checksum adjustments Common subdirectories: ip_fil4.1.3/HPUX and ip_fil4.1.4/HPUX Common subdirectories: ip_fil4.1.3/IRIX and ip_fil4.1.4/IRIX Common subdirectories: ip_fil4.1.3/Linux and ip_fil4.1.4/Linux diff -cr ip_fil4.1.3/Makefile ip_fil4.1.4/Makefile *** ip_fil4.1.3/Makefile Thu Jul 8 23:12:00 2004 --- ip_fil4.1.4/Makefile Tue Nov 9 05:42:40 2004 *************** *** 5,11 **** # provided that this notice is preserved and due credit is given # to the original author and the contributors. # ! 
# $Id: Makefile,v 2.76.2.9 2004/07/08 13:12:00 darrenr Exp $ # SHELL=/bin/sh BINDEST=/usr/local/bin --- 5,11 ---- # provided that this notice is preserved and due credit is given # to the original author and the contributors. # ! # $Id: Makefile,v 2.76.2.13 2004/11/08 18:42:40 darrenr Exp $ # SHELL=/bin/sh BINDEST=/usr/local/bin *************** *** 65,70 **** --- 65,71 ---- # it to /usr/src/linux-2.4 or similar. # LINUXKERNEL=/usr/src/linux + LINUX=`uname -r | awk -F. ' { printf"%d",$$1;for(i=1;ifi_secmsk = 0; fi->fi_auth = 0; ! coalesced = 0; p = ip6->ip6_nxt; - fi->fi_p = p; fi->fi_ttl = ip6->ip6_hlim; fi->fi_src.in6 = ip6->ip6_src; fi->fi_dst.in6 = ip6->ip6_dst; --- 385,392 ---- fi->fi_secmsk = 0; fi->fi_auth = 0; ! coalesced = (fin->fin_flx & FI_COALESCE) ? 1 : 0; p = ip6->ip6_nxt; fi->fi_ttl = ip6->ip6_hlim; fi->fi_src.in6 = ip6->ip6_src; fi->fi_dst.in6 = ip6->ip6_dst; *************** *** 392,398 **** fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff); hdrcount = 0; ! while(go && (~fin->fin_flx & FI_SHORT) && (~fin->fin_flx & FI_BAD)) { switch (p) { case IPPROTO_UDP : --- 393,399 ---- fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff); hdrcount = 0; ! while (go && !(fin->fin_flx & (FI_BAD|FI_SHORT))) { switch (p) { case IPPROTO_UDP : *************** *** 399,484 **** frpr_udp6(fin); go = 0; break; case IPPROTO_TCP : frpr_tcp6(fin); go = 0; break; case IPPROTO_ICMPV6 : frpr_icmp6(fin); go = 0; break; case IPPROTO_HOPOPTS : /* * Actually, hop by hop header is only allowed right * after IPv6 header! */ if (coalesced == 0) { coalesced = fr_coalesce(fin); ! if (coalesced == -1) return; } ! if (hdrcount != 0) ! fin->fin_flx |= FI_BAD; ! else ! frpr_hopopts6(fin); break; case IPPROTO_DSTOPTS : if (coalesced == 0) { coalesced = fr_coalesce(fin); ! if (coalesced == -1) return; } ! frpr_dstopts6(fin); break; case IPPROTO_ROUTING : if (coalesced == 0) { coalesced = fr_coalesce(fin); ! if (coalesced == -1) return; } ! 
frpr_routing6(fin); break; case IPPROTO_ESP : frpr_esp(fin); /*FALLTHROUGH*/ case IPPROTO_AH : case IPPROTO_IPV6 : ! for(i = 0; ip6exthdr[i].ol_val != IPPROTO_NONE; i++) ! if(ip6exthdr[i].ol_val == fin->fin_p) break; ! fin->fin_flx |= ip6exthdr[i].ol_bit; go = 0; break; case IPPROTO_NONE : go = 0; break; case IPPROTO_FRAGMENT : if (coalesced == 0) { coalesced = fr_coalesce(fin); ! if (coalesced == -1) return; } ! frpr_fragment6(fin); break; default : go = 0; break; } - p = fi->fi_p; hdrcount++; } } /* ------------------------------------------------------------------------ */ /* Function: frpr_hopopts6 */ ! /* Returns: void */ /* Parameters: fin(I) - pointer to packet information */ /* */ /* IPv6 Only */ /* This is function checks pending hop by hop options extension header */ /* ------------------------------------------------------------------------ */ ! static INLINE void frpr_hopopts6(fin) fr_info_t *fin; { struct ip6_ext *hdr; --- 400,500 ---- frpr_udp6(fin); go = 0; break; + case IPPROTO_TCP : frpr_tcp6(fin); go = 0; break; + case IPPROTO_ICMPV6 : frpr_icmp6(fin); go = 0; break; + + case IPPROTO_GRE : + frpr_gre(fin); + go = 0; + break; + case IPPROTO_HOPOPTS : /* * Actually, hop by hop header is only allowed right * after IPv6 header! */ + if (hdrcount != 0) + fin->fin_flx |= FI_BAD; + if (coalesced == 0) { coalesced = fr_coalesce(fin); ! if (coalesced != 1) return; } ! p = frpr_hopopts6(fin); break; + case IPPROTO_DSTOPTS : if (coalesced == 0) { coalesced = fr_coalesce(fin); ! if (coalesced != 1) return; } ! p = frpr_dstopts6(fin); break; + case IPPROTO_ROUTING : if (coalesced == 0) { coalesced = fr_coalesce(fin); ! if (coalesced != 1) return; } ! p = frpr_routing6(fin); break; + case IPPROTO_ESP : frpr_esp(fin); /*FALLTHROUGH*/ case IPPROTO_AH : case IPPROTO_IPV6 : ! for (i = 0; ip6exthdr[i].ol_bit != 0; i++) ! if (ip6exthdr[i].ol_val == p) { ! fin->fin_flx |= ip6exthdr[i].ol_bit; break; ! 
} go = 0; break; + case IPPROTO_NONE : go = 0; break; + case IPPROTO_FRAGMENT : if (coalesced == 0) { coalesced = fr_coalesce(fin); ! if (coalesced != 1) return; } ! p = frpr_fragment6(fin); break; + default : go = 0; break; } hdrcount++; } + fi->fi_p = p; } /* ------------------------------------------------------------------------ */ /* Function: frpr_hopopts6 */ ! /* Returns: int - value of the next header or IPPROTO_NONE if error */ /* Parameters: fin(I) - pointer to packet information */ /* */ /* IPv6 Only */ /* This is function checks pending hop by hop options extension header */ /* ------------------------------------------------------------------------ */ ! static INLINE int frpr_hopopts6(fin) fr_info_t *fin; { struct ip6_ext *hdr; *************** *** 490,527 **** /* 8 is default length of extension hdr */ if ((fin->fin_dlen - 8) < 0) { fin->fin_flx |= FI_SHORT; ! return; } hdr = fin->fin_dp; shift = 8 + (hdr->ip6e_len << 3); if (shift > fin->fin_dlen) { /* Nasty extension header length? */ fin->fin_flx |= FI_BAD; ! return; } ! for (i = 0; ip6exthdr[i].ol_val != IPPROTO_NONE; i++) ! if(ip6exthdr[i].ol_val == fin->fin_p) break; - fin->fin_optmsk |= ip6exthdr[i].ol_bit; fin->fin_dp = (char *)fin->fin_dp + shift; fin->fin_dlen -= shift; - fin->fin_p = hdr->ip6e_nxt; ! return; } /* ------------------------------------------------------------------------ */ /* Function: frpr_routing6 */ ! /* Returns: void */ /* Parameters: fin(I) - pointer to packet information */ /* */ /* IPv6 Only */ /* This is function checks pending routing extension header */ /* ------------------------------------------------------------------------ */ ! static INLINE void frpr_routing6(fin) fr_info_t *fin; { struct ip6_ext *hdr; --- 506,546 ---- /* 8 is default length of extension hdr */ if ((fin->fin_dlen - 8) < 0) { fin->fin_flx |= FI_SHORT; ! 
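Review bot: In the IPPROTO_HOPOPTS case the new ordering sets FI_BAD for a hop-by-hop header that is not the first extension header but then still runs fr_coalesce() and frpr_hopopts6() on it, whereas the old code skipped the parse in that situation. The while condition only sees FI_BAD on its next test, so a packet already known to be bad still pays for a coalesce (and a pullup that can fail), and `fi->fi_p` ends up as the header after the misplaced one rather than IPPROTO_HOPOPTS. Consider `if (hdrcount != 0) { fin->fin_flx |= FI_BAD; break; }` so the loop leaves with p unchanged. frpr_ipv6hdr() begins in the earlier hunk, outside this one.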
return IPPROTO_NONE; } + if (frpr_pullup(fin, 8) == -1) + return IPPROTO_NONE; + hdr = fin->fin_dp; shift = 8 + (hdr->ip6e_len << 3); if (shift > fin->fin_dlen) { /* Nasty extension header length? */ fin->fin_flx |= FI_BAD; ! return IPPROTO_NONE; } ! for (i = 0; ip6exthdr[i].ol_bit != 0; i++) ! if (ip6exthdr[i].ol_val == IPPROTO_HOPOPTS) { ! fin->fin_optmsk |= ip6exthdr[i].ol_bit; break; + } fin->fin_dp = (char *)fin->fin_dp + shift; fin->fin_dlen -= shift; ! return hdr->ip6e_nxt; } /* ------------------------------------------------------------------------ */ /* Function: frpr_routing6 */ ! /* Returns: int - value of the next header or IPPROTO_NONE if error */ /* Parameters: fin(I) - pointer to packet information */ /* */ /* IPv6 Only */ /* This is function checks pending routing extension header */ /* ------------------------------------------------------------------------ */ ! static INLINE int frpr_routing6(fin) fr_info_t *fin; { struct ip6_ext *hdr; *************** *** 533,542 **** /* 8 is default length of extension hdr */ if ((fin->fin_dlen - 8) < 0) { fin->fin_flx |= FI_SHORT; ! return; } hdr = fin->fin_dp; shift = 8 + (hdr->ip6e_len << 3); /* * Nasty extension header length? --- 552,564 ---- /* 8 is default length of extension hdr */ if ((fin->fin_dlen - 8) < 0) { fin->fin_flx |= FI_SHORT; ! return IPPROTO_NONE; } + if (frpr_pullup(fin, 8) == -1) + return IPPROTO_NONE; hdr = fin->fin_dp; + shift = 8 + (hdr->ip6e_len << 3); /* * Nasty extension header length? *************** *** 544,573 **** if ((shift > fin->fin_dlen) || (shift < sizeof(struct ip6_hdr)) || ((shift - sizeof(struct ip6_hdr)) & 15)) { fin->fin_flx |= FI_BAD; ! return; } ! for (i = 0; ip6exthdr[i].ol_val != IPPROTO_NONE; i++) ! if(ip6exthdr[i].ol_val == fin->fin_p) break; ! fin->fin_optmsk |= ip6exthdr[i].ol_bit; fin->fin_dp = (char *)fin->fin_dp + shift; fin->fin_dlen -= shift; - fin->fin_p = hdr->ip6e_nxt; ! 
return; } /* ------------------------------------------------------------------------ */ /* Function: frpr_fragment6 */ ! /* Returns: void */ /* Parameters: fin(I) - pointer to packet information */ /* */ /* IPv6 Only */ /* Examine the IPv6 fragment header and extract fragment offset information.*/ /* ------------------------------------------------------------------------ */ ! static INLINE void frpr_fragment6(fin) fr_info_t *fin; { struct ip6_frag *frag; --- 566,596 ---- if ((shift > fin->fin_dlen) || (shift < sizeof(struct ip6_hdr)) || ((shift - sizeof(struct ip6_hdr)) & 15)) { fin->fin_flx |= FI_BAD; ! return IPPROTO_NONE; } ! for (i = 0; ip6exthdr[i].ol_bit != 0; i++) ! if (ip6exthdr[i].ol_val == IPPROTO_ROUTING) { ! fin->fin_optmsk |= ip6exthdr[i].ol_bit; break; ! } ! fin->fin_dp = (char *)fin->fin_dp + shift; fin->fin_dlen -= shift; ! return hdr->ip6e_nxt; } /* ------------------------------------------------------------------------ */ /* Function: frpr_fragment6 */ ! /* Returns: int - value of the next header or IPPROTO_NONE if error */ /* Parameters: fin(I) - pointer to packet information */ /* */ /* IPv6 Only */ /* Examine the IPv6 fragment header and extract fragment offset information.*/ /* ------------------------------------------------------------------------ */ ! static INLINE int frpr_fragment6(fin) fr_info_t *fin; { struct ip6_frag *frag; *************** *** 574,625 **** struct ip6_ext *hdr; int i; /* * Only one frgament header is allowed per IPv6 packet but it need * not be the first nor last (not possible in some cases.) */ ! for (i = 0; ip6exthdr[i].ol_val != IPPROTO_NONE; i++) ! if (ip6exthdr[i].ol_val == fin->fin_p) break; if (fin->fin_optmsk & ip6exthdr[i].ol_bit) { fin->fin_flx |= FI_BAD; ! return; } ! fin->fin_flx |= (FI_FRAG|FI_V6EXTHDR); fin->fin_optmsk |= ip6exthdr[i].ol_bit; hdr = fin->fin_dp; /* ! * Length must be zero, i.e. it is no length. */ if (hdr->ip6e_len != 0) { fin->fin_flx |= FI_BAD; ! 
return; } if ((int)(fin->fin_dlen - sizeof(*frag)) < 0) { fin->fin_flx |= FI_SHORT; ! return; } frag = fin->fin_dp; fin->fin_off = frag->ip6f_offlg & IP6F_OFF_MASK; ! if (!(frag->ip6f_offlg & IP6F_MORE_FRAG)) ! fin->fin_flx |= FI_FRAGTAIL; fin->fin_dp = (char *)fin->fin_dp + sizeof(*frag); fin->fin_dlen -= sizeof(*frag); - fin->fin_p = frag->ip6f_nxt; ! return; } /* ------------------------------------------------------------------------ */ /* Function: frpr_dstopts6 */ ! /* Returns: void */ /* Parameters: fin(I) - pointer to packet information */ /* nextheader(I) - stores next header value */ /* */ --- 597,652 ---- struct ip6_ext *hdr; int i; + fin->fin_flx |= (FI_FRAG|FI_V6EXTHDR); + /* * Only one frgament header is allowed per IPv6 packet but it need * not be the first nor last (not possible in some cases.) */ ! for (i = 0; ip6exthdr[i].ol_bit != 0; i++) ! if (ip6exthdr[i].ol_val == IPPROTO_FRAGMENT) break; if (fin->fin_optmsk & ip6exthdr[i].ol_bit) { fin->fin_flx |= FI_BAD; ! return IPPROTO_NONE; } ! fin->fin_optmsk |= ip6exthdr[i].ol_bit; + if (frpr_pullup(fin, 8) == -1) + return IPPROTO_NONE; hdr = fin->fin_dp; /* ! * Length must be zero, i.e. it has no length. */ if (hdr->ip6e_len != 0) { fin->fin_flx |= FI_BAD; ! return IPPROTO_NONE; } if ((int)(fin->fin_dlen - sizeof(*frag)) < 0) { fin->fin_flx |= FI_SHORT; ! return IPPROTO_NONE; } frag = fin->fin_dp; fin->fin_off = frag->ip6f_offlg & IP6F_OFF_MASK; ! fin->fin_off <<= 3; ! if (fin->fin_off != 0) ! fin->fin_flx |= FI_FRAGBODY; fin->fin_dp = (char *)fin->fin_dp + sizeof(*frag); fin->fin_dlen -= sizeof(*frag); ! return frag->ip6f_nxt; } /* ------------------------------------------------------------------------ */ /* Function: frpr_dstopts6 */ ! 
/* Returns: int - value of the next header or IPPROTO_NONE if error */ /* Parameters: fin(I) - pointer to packet information */ /* nextheader(I) - stores next header value */ /* */ *************** *** 626,632 **** /* IPv6 Only */ /* This is function checks pending destination options extension header */ /* ------------------------------------------------------------------------ */ ! static INLINE void frpr_dstopts6(fin) fr_info_t *fin; { struct ip6_ext *hdr; --- 653,659 ---- /* IPv6 Only */ /* This is function checks pending destination options extension header */ /* ------------------------------------------------------------------------ */ ! static INLINE int frpr_dstopts6(fin) fr_info_t *fin; { struct ip6_ext *hdr; *************** *** 636,659 **** /* 8 is default length of extension hdr */ if ((fin->fin_dlen - 8) < 0) { fin->fin_flx |= FI_SHORT; ! return; } hdr = fin->fin_dp; shift = 8 + (hdr->ip6e_len << 3); if (shift > fin->fin_dlen) { /* Nasty extension header length? */ fin->fin_flx |= FI_BAD; ! return; } ! for (i = 0; ip6exthdr[i].ol_val != IPPROTO_NONE; i++) ! if(ip6exthdr[i].ol_val == fin->fin_p) break; fin->fin_optmsk |= ip6exthdr[i].ol_bit; fin->fin_dp = (char *)fin->fin_dp + shift; fin->fin_dlen -= shift; - fin->fin_p = hdr->ip6e_nxt; ! return; } --- 663,689 ---- /* 8 is default length of extension hdr */ if ((fin->fin_dlen - 8) < 0) { fin->fin_flx |= FI_SHORT; ! return IPPROTO_NONE; } + + if (frpr_pullup(fin, 8) == -1) + return IPPROTO_NONE; hdr = fin->fin_dp; + shift = 8 + (hdr->ip6e_len << 3); if (shift > fin->fin_dlen) { /* Nasty extension header length? */ fin->fin_flx |= FI_BAD; ! return IPPROTO_NONE; } ! for (i = 0; ip6exthdr[i].ol_bit != 0; i++) ! if (ip6exthdr[i].ol_val == IPPROTO_DSTOPTS) break; fin->fin_optmsk |= ip6exthdr[i].ol_bit; fin->fin_dp = (char *)fin->fin_dp + shift; fin->fin_dlen -= shift; ! 
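Review bot: The new `fin->fin_off <<= 3;` in frpr_fragment6() shifts a value that is still in network byte order: `frag->ip6f_offlg` is read straight from the wire and IP6F_OFF_MASK is defined in network order in the BSD <netinet/ip6.h>, so on little-endian hosts the shifted offset (and anything downstream that compares fin_off against lengths or other fragments) is byte-swapped; only the `fin_off != 0` test for FI_FRAGBODY is order-independent. The IPv4 path in the 1166,1178 hunk shifts a host-order ip_off, so the two paths now disagree. Suggest `fin->fin_off = ntohs(frag->ip6f_offlg & IP6F_OFF_MASK);` before the shift.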
return hdr->ip6e_nxt; } *************** *** 672,677 **** --- 702,710 ---- int minicmpsz = sizeof(struct icmp6_hdr); struct icmp6_hdr *icmp6; + if (frpr_pullup(fin, ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t)) == -1) + return; + if (fin->fin_dlen > 1) { icmp6 = fin->fin_dp; *************** *** 689,695 **** case ICMP6_PARAM_PROB : if ((fin->fin_m != NULL) && (M_LEN(fin->fin_m) < fin->fin_plen)) { ! if (fr_coalesce(fin) == -1) return; } fin->fin_flx |= FI_ICMPERR; --- 722,728 ---- case ICMP6_PARAM_PROB : if ((fin->fin_m != NULL) && (M_LEN(fin->fin_m) < fin->fin_plen)) { ! if (fr_coalesce(fin) != 1) return; } fin->fin_flx |= FI_ICMPERR; *************** *** 746,751 **** --- 779,814 ---- /* ------------------------------------------------------------------------ */ + /* Function: frpr_pullup */ + /* Returns: int - 0 == pullup succeeded, -1 == failure */ + /* Parameters: fin(I) - pointer to packet information */ + /* plen(I) - length (excluding L3 header) to pullup */ + /* */ + /* Short inline function to cut down on code duplication to perform a call */ + /* to fr_pullup to ensure there is the required amount of data, */ + /* consecutively in the packet buffer. 
*/ + /* ------------------------------------------------------------------------ */ + static INLINE int frpr_pullup(fin, plen) + fr_info_t *fin; + int plen; + { + #if defined(_KERNEL) + if (fin->fin_m != NULL) { + if (fin->fin_dp != NULL) + plen += (char *)fin->fin_dp - + ((char *)fin->fin_ip + fin->fin_hlen); + plen += fin->fin_hlen; + if (M_LEN(fin->fin_m) < plen) { + if (fr_pullup(fin->fin_m, fin, plen) == NULL) + return -1; + } + } + #endif + return 0; + } + + + /* ------------------------------------------------------------------------ */ /* Function: frpr_short */ /* Returns: void */ /* Parameters: fin(I) - pointer to packet information */ *************** *** 793,798 **** --- 856,864 ---- int minicmpsz = sizeof(struct icmp); icmphdr_t *icmp; + if (frpr_pullup(fin, ICMPERR_ICMPHLEN) == -1) + return; + fr_checkv4sum(fin); if (!fin->fin_off && (fin->fin_dlen > 1)) { *************** *** 833,843 **** case ICMP_REDIRECT : case ICMP_TIMXCEED : case ICMP_PARAMPROB : ! if ((fin->fin_m != NULL) && ! (M_LEN(fin->fin_m) < fin->fin_plen)) { ! if (fr_coalesce(fin) == -1) ! return; ! } fin->fin_flx |= FI_ICMPERR; break; default : --- 899,906 ---- case ICMP_REDIRECT : case ICMP_TIMXCEED : case ICMP_PARAMPROB : ! if (fr_coalesce(fin) != 1) ! return; fin->fin_flx |= FI_ICMPERR; break; default : *************** *** 874,890 **** if (fin->fin_off != 0) return; ! #if defined(_KERNEL) && !defined(__sgi) ! if ((fin->fin_m != NULL) && !(fi->fi_flx & FI_SHORT)) { ! if (M_LEN(fin->fin_m) < sizeof(*tcp) + fin->fin_hlen) { ! if (fr_pullup(fin->fin_m, fin, ! sizeof(*tcp) + fin->fin_hlen) == NULL) ! return; ! } ! } ! #endif ! tcp = fin->fin_dp; if (fin->fin_dlen > 3) { fin->fin_sport = ntohs(tcp->th_sport); fin->fin_dport = ntohs(tcp->th_dport); --- 937,946 ---- if (fin->fin_off != 0) return; ! if (frpr_pullup(fin, sizeof(*tcp)) == -1) ! 
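Review bot: frpr_pullup() puts no upper bound on the requested length, unlike the code it replaces in fr_check(), which clamped with `up = MIN(hlen + plen, len)`; unless fr_pullup() itself clamps to the packet length (not visible here), a legitimately short packet now makes fr_pullup() fail and is treated as an error instead of being flagged FI_SHORT by the later frpr_short()/frpr_short6() checks. The fixed requests in the 672,677 hunk (`ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t)` for every ICMPv6 packet, including minimal echo requests) and in the 793,798 hunk are where this bites first, and the ESP/GRE hunks call frpr_pullup() before their length checks. Consider `if (plen > fin->fin_plen) plen = fin->fin_plen;` after the `plen += fin->fin_hlen;` line, since fin_plen includes the L3 header as set up in fr_check(). The header comment should also state that a -1 return means fr_pullup() has already released the mbuf (fr_check()'s comment says fin_m becomes NULL), so callers must not touch fin_m afterwards, and that the non-kernel build always returns 0.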
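Review bot: The IPv4 ICMP error case now calls `fr_coalesce(fin)` unconditionally, while the IPv6 counterpart in the 689,695 hunk keeps the `(fin->fin_m != NULL) && (M_LEN(fin->fin_m) < fin->fin_plen)` guard; the two paths should follow the same rule. If fr_coalesce() now tolerates a NULL fin_m and an already-contiguous chain (the changelog says it was made more resilient, but its body is not in this diff), the v6 guard is dead code and can go; otherwise the v4 call needs the guard back.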
return; tcp = fin->fin_dp; + if (fin->fin_dlen > 3) { fin->fin_sport = ntohs(tcp->th_sport); fin->fin_dport = ntohs(tcp->th_dport); *************** *** 945,951 **** } } - #if 0 /* * At this point, it's not exactly clear what is to be gained by * marking up which TCP options are and are not present. The one we --- 1001,1006 ---- *************** *** 957,972 **** if (tlen == sizeof(tcphdr_t)) return; ! #if defined(_KERNEL) && !defined(__sgi) ! if (fin->fin_m != NULL) { ! if (M_LEN(fin->fin_m) < tlen + fin->fin_hlen) { ! if (fr_pullup(fin->fin_m, fin, ! tlen + fin->fin_hlen) == NULL) ! return; ! } ! } ! #endif s = (u_char *)(tcp + 1); off = IP_HL(ip) << 2; # ifdef _KERNEL --- 1012,1022 ---- if (tlen == sizeof(tcphdr_t)) return; ! if (frpr_pullup(fin, tlen) == -1) ! return; + #if 0 + ip = fin->fin_ip; s = (u_char *)(tcp + 1); off = IP_HL(ip) << 2; # ifdef _KERNEL *************** *** 1085,1092 **** static INLINE void frpr_esp(fin) fr_info_t *fin; { ! frpr_short(fin, 8); } --- 1135,1149 ---- static INLINE void frpr_esp(fin) fr_info_t *fin; { + if (frpr_pullup(fin, 8) == -1) + return; ! if (fin->fin_v == 4) ! frpr_short(fin, 8); ! #ifdef USE_INET6 ! else if (fin->fin_v == 6) ! frpr_short6(fin, sizeof(grehdr_t)); ! #endif } *************** *** 1100,1107 **** static INLINE void frpr_gre(fin) fr_info_t *fin; { ! frpr_short(fin, sizeof(grehdr_t)); } --- 1157,1171 ---- static INLINE void frpr_gre(fin) fr_info_t *fin; { + if (frpr_pullup(fin, sizeof(grehdr_t)) == -1) + return; ! if (fin->fin_v == 4) ! frpr_short(fin, sizeof(grehdr_t)); ! #ifdef USE_INET6 ! else if (fin->fin_v == 6) ! frpr_short6(fin, sizeof(grehdr_t)); ! #endif } *************** *** 1166,1178 **** off &= IP_MF|IP_OFFMASK; if (off != 0) { fi->fi_flx |= FI_FRAG; - if ((off & IP_MF) == 0) - fi->fi_flx |= FI_FRAGTAIL; off &= IP_OFFMASK; if (off != 0) { off <<= 3; ! 
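Review bot: frpr_esp()'s new IPv6 branch calls `frpr_short6(fin, sizeof(grehdr_t))`, which looks copied from frpr_gre() in the next hunk: the IPv4 branch directly above it and the `frpr_pullup(fin, 8)` on the first line both use the 8-byte ESP minimum, so the v6 short check enforces a different, GRE-sized minimum. Suggest `frpr_short6(fin, 8);`. Note also that in both frpr_esp() and frpr_gre() the pullup now runs before the short check, so a truncated packet fails the pullup instead of being flagged FI_SHORT.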
if (off + fin->fin_dlen > 0xffff) fi->fi_flx |= FI_BAD; } } fin->fin_off = off; --- 1230,1242 ---- off &= IP_MF|IP_OFFMASK; if (off != 0) { fi->fi_flx |= FI_FRAG; off &= IP_OFFMASK; if (off != 0) { + fin->fin_flx |= FI_FRAGBODY; off <<= 3; ! if (off + fin->fin_dlen > 0xffff) { fi->fi_flx |= FI_BAD; + } } } fin->fin_off = off; *************** *** 1760,1765 **** --- 1824,1838 ---- passt = fr->fr_flags; /* + * Allowing a rule with the "keep state" flag set to match + * packets that have been tagged "out of window" by the TCP + * state tracking is foolish as the attempt to add a new + * state entry to the table will fail. + */ + if ((passt & FR_KEEPSTATE) && (fin->fin_flx & FI_OOW)) + continue; + + /* * If the rule is a "call now" rule, then call the function * in the rule, if it exists and use the results from that. * If the function pointer is bad, just make like we ignore *************** *** 1766,1772 **** * it, except for increasing the hit counter. */ if ((passt & FR_CALLNOW) != 0) { ! ATOMIC_INCL(fr->fr_hits); if ((fr->fr_func != NULL) && (fr->fr_func != (ipfunc_t)-1)) { frentry_t *frs; --- 1839,1845 ---- * it, except for increasing the hit counter. */ if ((passt & FR_CALLNOW) != 0) { ! ATOMIC_INC64(fr->fr_hits); if ((fr->fr_func != NULL) && (fr->fr_func != (ipfunc_t)-1)) { frentry_t *frs; *************** *** 1809,1815 **** if (passt & (FR_RETICMP|FR_FAKEICMP)) fin->fin_icode = fr->fr_icode; FR_DEBUG(("pass %#x\n", pass)); ! ATOMIC_INCL(fr->fr_hits); fin->fin_rule = rulen; (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN); if (fr->fr_grp != NULL) { --- 1882,1888 ---- if (passt & (FR_RETICMP|FR_FAKEICMP)) fin->fin_icode = fr->fr_icode; FR_DEBUG(("pass %#x\n", pass)); ! ATOMIC_INC64(fr->fr_hits); fin->fin_rule = rulen; (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN); if (fr->fr_grp != NULL) { *************** *** 1918,1924 **** bcopy((char *)fc, (char *)fin, FI_COPYSIZE); ATOMIC_INCL(frstats[out].fr_chit); if ((fr = fin->fin_fr) != NULL) { ! 
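Review bot: The added `fin->fin_flx |= FI_FRAGBODY;` sits between lines that write the flag word as `fi->fi_flx` (`fi->fi_flx |= FI_FRAG;`, `fi->fi_flx |= FI_BAD;`); assuming `fi` is `&fin->fin_fi` as the rest of this file suggests, the two spellings name the same field, but mixing them in one block reads like two different flag sets. Use `fi->fi_flx |= FI_FRAGBODY;` here, matching the surrounding lines the way the new braces around the FI_BAD assignment already do.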
ATOMIC_INCL(fr->fr_hits); pass = fr->fr_flags; } } else { --- 1991,1997 ---- bcopy((char *)fc, (char *)fin, FI_COPYSIZE); ATOMIC_INCL(frstats[out].fr_chit); if ((fr = fin->fin_fr) != NULL) { ! ATOMIC_INC64(fr->fr_hits); pass = fr->fr_flags; } } else { *************** *** 2000,2006 **** /* * Finally, if we've asked to track state for this packet, set it up. */ ! if (pass & FR_KEEPSTATE) { if (fr_addstate(fin, NULL, 0) != NULL) { ATOMIC_INCL(frstats[out].fr_ads); } else { --- 2073,2079 ---- /* * Finally, if we've asked to track state for this packet, set it up. */ ! if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) { if (fr_addstate(fin, NULL, 0) != NULL) { ATOMIC_INCL(frstats[out].fr_ads); } else { *************** *** 2069,2079 **** */ fr_info_t frinfo; fr_info_t *fin = &frinfo; - int v = IP_V(ip), len, p; u_32_t pass = fr_pass; frentry_t *fr = NULL; mb_t *mc = NULL; mb_t *m; /* * The first part of fr_check() deals with making sure that what goes --- 2142,2155 ---- */ fr_info_t frinfo; fr_info_t *fin = &frinfo; u_32_t pass = fr_pass; frentry_t *fr = NULL; + int v = IP_V(ip); mb_t *mc = NULL; mb_t *m; + #ifdef USE_INET6 + ip6_t *ip6; + #endif /* * The first part of fr_check() deals with making sure that what goes *************** *** 2083,2093 **** * to hold all the required packet headers. */ #ifdef _KERNEL - # ifdef __sgi - char hbuf[256]; - int copied = 0; - # endif - int up = 0; # ifdef MENTAT qpktinfo_t *qpi = qif; --- 2159,2164 ---- *************** *** 2147,2288 **** m = *mp; #endif /* _KERNEL */ fin->fin_ipoff = (char *)ip - MTOD(m, char *); #ifdef USE_INET6 if (v == 6) { ! len = ntohs(((ip6_t*)ip)->ip6_plen); /* * Jumbo grams are quite likely too big for internal buffer * structures to handle comfortably, for now, so just drop ! * them for now. */ ! if (len == 0) { pass = FR_BLOCK|FR_NOMATCH; goto filtered; } ! len += sizeof(ip6_t); ! p = ((ip6_t *)ip)->ip6_nxt; } else #endif { ! p = ip->ip_p; ! 
# if (OpenBSD >= 200311) && defined(_KERNEL) ip->ip_len = ntohs(ip->ip_len); ip->ip_off = ntohs(ip->ip_off); #endif ! len = ip->ip_len; } - fin->fin_v = v; - fin->fin_m = m; - fin->fin_mp = mp; - fin->fin_out = out; - fin->fin_ifp = ifp; - fin->fin_plen = len; - fin->fin_hlen = (u_short )hlen; - fin->fin_dp = (char *)ip + hlen; - - if (p == IPPROTO_TCP || p == IPPROTO_UDP || - (v == 4 && p == IPPROTO_ICMP) - #ifdef USE_INET6 - || (v == 6 && p == IPPROTO_ICMPV6) - #endif - ) { - #if defined(_KERNEL) - int plen = 0; - - if ((v == 6) || (ip->ip_off & IP_OFFMASK) == 0) { - switch(p) - { - case IPPROTO_TCP: - plen = sizeof(tcphdr_t); - break; - case IPPROTO_UDP: - plen = sizeof(udphdr_t); - break; - /* 96 - enough for complete ICMP error IP header */ - case IPPROTO_ICMP: - plen = ICMPERR_MAXPKTLEN - sizeof(ip_t); - break; - case IPPROTO_ESP: - plen = 8; - break; - case IPPROTO_GRE: - plen = sizeof(grehdr_t); - break; - # ifdef USE_INET6 - case IPPROTO_ICMPV6 : - /* - * XXX does not take intermediate header - * into account. - */ - plen = ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t); - break; - # endif - } - } - - up = MIN(hlen + plen, len); - if (up > M_LEN(m)) { - # ifdef __sgi - /* Under IRIX, avoid m_pullup as it makes ping panic */ - if ((up > sizeof(hbuf)) || (m_length(m) < up)) { - ATOMIC_INCL(frstats[out].fr_pull[1]); - pass = FR_BLOCK|FR_NOMATCH; - goto filtered; - } - m_copydata(m, 0, up, hbuf); - copied = 1; - ATOMIC_INCL(frstats[out].fr_pull[0]); - ip = (ip_t *)hbuf; - # else /* __ sgi */ - /* - * Having determined that we need to pullup some data, - * try to bring as much of the packet up into a single - * buffer with the first pullup. This hopefully means - * less need for doing futher pullups. Not needed for - * Solaris because fr_precheck() does it anyway. - * - * The main potential for trouble here is if MLEN/MHLEN - * become quite small, lets say < 64 bytes...but if - * that did happen, BSD networking as a whole would be - * slow/inefficient. 
- */ - # ifdef MHLEN - /* - * Assume that M_PKTHDR is set and just work with what - * is left rather than check.. Should not make any - * real difference, anyway. - */ - if ((MHLEN > up) && (len > up)) - up = MIN(len, MHLEN); - # else - # ifdef MLEN - if ((MLEN > up) && (len > up)) - up = MIN(len, MLEN); - # endif /* MLEN */ - # endif /* MHLEN */ - fin->fin_ip = ip; - ip = fr_pullup(m, fin, up); - if (ip == NULL) - goto finished; - # endif /* __sgi */ - } - #else - /*EMPTY*/ - #endif /* _KERNEL */ - } - - fin->fin_error = fr_unreach; if (fr_makefrip(hlen, ip, fin) == -1) goto finished; - ip = fin->fin_ip; - if (v == 6) { - ATOMIC_INCL(frstats[out].fr_ipv6); - } - /* * For at least IPv6 packets, if a m_pullup() fails then this pointer * becomes NULL and so we have no packet to free. --- 2218,2263 ---- m = *mp; #endif /* _KERNEL */ + fin->fin_v = v; + fin->fin_m = m; + fin->fin_ip = ip; + fin->fin_mp = mp; + fin->fin_out = out; + fin->fin_ifp = ifp; + fin->fin_error = ENETUNREACH; + fin->fin_hlen = (u_short )hlen; + fin->fin_dp = (char *)ip + hlen; + fin->fin_ipoff = (char *)ip - MTOD(m, char *); #ifdef USE_INET6 if (v == 6) { ! ATOMIC_INCL(frstats[out].fr_ipv6); /* * Jumbo grams are quite likely too big for internal buffer * structures to handle comfortably, for now, so just drop ! * them. */ ! ip6 = (ip6_t *)ip; ! fin->fin_plen = ntohs(ip6->ip6_plen); ! if (fin->fin_plen == 0) { pass = FR_BLOCK|FR_NOMATCH; goto filtered; } ! fin->fin_plen += sizeof(ip6_t); } else #endif { ! #if (OpenBSD >= 200311) && defined(_KERNEL) ip->ip_len = ntohs(ip->ip_len); ip->ip_off = ntohs(ip->ip_off); #endif ! fin->fin_plen = ip->ip_len; } if (fr_makefrip(hlen, ip, fin) == -1) goto finished; /* * For at least IPv6 packets, if a m_pullup() fails then this pointer * becomes NULL and so we have no packet to free. *************** *** 2298,2304 **** fin->fin_flx |= FI_BADSRC; } #endif ! 
if (ip->ip_ttl < fr_minttl) { ATOMIC_INCL(frstats[0].fr_badttl); fin->fin_flx |= FI_LOWTTL; } --- 2273,2279 ---- fin->fin_flx |= FI_BADSRC; } #endif ! if (fin->fin_ip->ip_ttl < fr_minttl) { ATOMIC_INCL(frstats[0].fr_badttl); fin->fin_flx |= FI_LOWTTL; } *************** *** 2305,2311 **** } #ifdef USE_INET6 else if (v == 6) { ! if (((ip6_t *)ip)->ip6_hlim < fr_minttl) { ATOMIC_INCL(frstats[0].fr_badttl); fin->fin_flx |= FI_LOWTTL; } --- 2280,2287 ---- } #ifdef USE_INET6 else if (v == 6) { ! ip6 = (ip6_t *)ip; ! if (ip6->ip6_hlim < fr_minttl) { ATOMIC_INCL(frstats[0].fr_badttl); fin->fin_flx |= FI_LOWTTL; } *************** *** 2355,2360 **** --- 2331,2337 ---- (void) fr_acctpkt(fin, NULL); if (fr_checknatout(fin, &pass) == -1) { + RWLOCK_EXIT(&ipf_mutex); goto finished; } else if ((fr_update_ipid != 0) && (v == 4)) { if (fr_updateipid(fin) == -1) { *************** *** 2471,2485 **** RWLOCK_EXIT(&ipf_mutex); if (!FR_ISPASS(pass)) { ! if (m != NULL) { ! FREE_MB_T(m); m = *mp = NULL; } } #if defined(_KERNEL) && defined(__sgi) else { ! if (copied && (fin->fin_flx & FI_NATED) && up && (m != NULL)) { ! COPYBACK(m, 0, up, hbuf); } } #endif --- 2448,2463 ---- RWLOCK_EXIT(&ipf_mutex); if (!FR_ISPASS(pass)) { ! if (*mp != NULL) { ! FREE_MB_T(*mp); m = *mp = NULL; } } #if defined(_KERNEL) && defined(__sgi) else { ! if ((fin->fin_hbuf != NULL) && ! (mtod(fin->fin_m, struct ip *) != fin->fin_ip)) { ! COPYBACK(m, 0, fin->fin_plen, fin->fin_hbuf); } } #endif *************** *** 2487,2493 **** RWLOCK_EXIT(&ipf_global); #ifdef _KERNEL # if OpenBSD >= 200311 ! if (FR_ISPASS(pass)) { ip->ip_len = ntohs(ip->ip_len); ip->ip_off = ntohs(ip->ip_off); } --- 2465,2472 ---- RWLOCK_EXIT(&ipf_global); #ifdef _KERNEL # if OpenBSD >= 200311 ! if (FR_ISPASS(pass) && (v == 4)) { ! 
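Review bot: The IPv6 minimum-hop-limit branch now writes `ip6 = (ip6_t *)ip;`, but `ip` is the argument pointer that fr_check() no longer refreshes after fr_makefrip() (the `ip = fin->fin_ip;` reload was removed in the 2147,2288 hunk), and the IPv4 branch in the hunk immediately above was changed to `fin->fin_ip->ip_ttl` for exactly that reason. If fr_makefrip()'s pullups relocated the header, this reads the stale copy. Use `ip6 = (ip6_t *)fin->fin_ip;` here, as the 2487,2493 hunk already does for the IPv4 epilogue.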
ip = fin->fin_ip; ip->ip_len = ntohs(ip->ip_len); ip->ip_off = ntohs(ip->ip_off); } *************** *** 2630,2635 **** --- 2609,2616 ---- /* NB: This function assumes we've pullup'd enough for all of the IP header */ /* and the TCP header. We also assume that data blocks aren't allocated in */ /* odd sizes. */ + /* */ + /* Expects ip_len to be in host byte order when called. */ /* ------------------------------------------------------------------------ */ u_short fr_cksum(m, ip, l4proto, l4hdr) mb_t *m; *************** *** 2904,2910 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.243.2.25 2004/06/30 11:26:08 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 2885,2891 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.243.2.45 2005/01/08 14:28:12 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, *************** *** 3429,3446 **** /* ------------------------------------------------------------------------ */ /* Function: frsynclist */ /* Returns: void */ ! /* Parameters: Nil */ /* Write Locks: ipf_mutex */ /* */ /* Walk through a list of filter rules and resolve any interface names into */ /* pointers. Where dynamic addresses are used, also update the IP address */ ! /* used in the rule. One might wonder why terminating fr_ifnames[] with a */ ! /* \0 byte is done here. The reason is that this is the only place where */ ! /* the names are resolved into pointers for filter rules and there are */ ! /* multiple ways for rules to get into the kernel. */ /* ------------------------------------------------------------------------ */ ! static void frsynclist(fr) frentry_t *fr; { frdest_t *fdp; int v, i; --- 3410,3427 ---- /* ------------------------------------------------------------------------ */ /* Function: frsynclist */ /* Returns: void */ ! /* Parameters: fr(I) - start of filter list to sync interface names for */ ! 
/* ifp(I) - interface pointer for limiting sync lookups */ /* Write Locks: ipf_mutex */ /* */ /* Walk through a list of filter rules and resolve any interface names into */ /* pointers. Where dynamic addresses are used, also update the IP address */ ! /* used in the rule. The interface pointer is used to limit the lookups to */ ! /* a specific set of matching names if it is non-NULL. */ /* ------------------------------------------------------------------------ */ ! static void frsynclist(fr, ifp) frentry_t *fr; + void *ifp; { frdest_t *fdp; int v, i; *************** *** 3452,3467 **** * Lookup all the interface names that are part of the rule. */ for (i = 0; i < 4; i++) { ! if ((fr->fr_ifnames[i][1] == '\0') && ! ((fr->fr_ifnames[i][0] == '-') || ! (fr->fr_ifnames[i][0] == '*'))) { ! fr->fr_ifas[i] = NULL; ! } else if (fr->fr_ifnames[i][0] != '\0') { ! fr->fr_ifnames[i][LIFNAMSIZ - 1] = '\0'; ! fr->fr_ifas[i] = GETIFP(fr->fr_ifnames[i], v); ! if (fr->fr_ifas[i] == (void *)NULL) ! fr->fr_ifas[i] = (void *)-1; ! } } if (fr->fr_type == FR_T_IPF) { --- 3433,3441 ---- * Lookup all the interface names that are part of the rule. */ for (i = 0; i < 4; i++) { ! if ((ifp != NULL) && (fr->fr_ifas[i] != ifp)) ! continue; ! fr->fr_ifas[i] = fr_resolvenic(fr->fr_ifnames[i], v); } if (fr->fr_type == FR_T_IPF) { *************** *** 3480,3505 **** } fdp = &fr->fr_tifs[0]; ! if (fdp->fd_ifname[0] != '\0') { ! fdp->fd_ifp = GETIFP(fdp->fd_ifname, v); ! if (fdp->fd_ifp == NULL) ! fdp->fd_ifp = (void *)-1; ! } fdp = &fr->fr_tifs[1]; ! if (fdp->fd_ifname[0] != '\0') { ! fdp->fd_ifp = GETIFP(fdp->fd_ifname, v); ! if (fdp->fd_ifp == NULL) ! fdp->fd_ifp = (void *)-1; ! } fdp = &fr->fr_dif; ! if (fdp->fd_ifname[0] != '\0') { fr->fr_flags &= ~FR_DUP; ! fdp->fd_ifp = GETIFP(fdp->fd_ifname, v); ! if (fdp->fd_ifp == NULL) ! fdp->fd_ifp = (void *)-1; ! else fr->fr_flags |= FR_DUP; } --- 3454,3472 ---- } fdp = &fr->fr_tifs[0]; ! if ((ifp == NULL) || (fdp->fd_ifp == ifp)) ! 
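Review bot: With a non-NULL `ifp`, `if ((ifp != NULL) && (fr->fr_ifas[i] != ifp)) continue;` re-resolves only slots that already point at `ifp`, so a rule whose name previously failed to resolve and sits at `(void *)-1` is never retried when an interface of that name appears; the rule keeps silently not matching until a full frsync(NULL). If the per-interface sync is meant to run on attach as well as detach (the callers are not in this hunk), the unresolved slots should be retried too: `if ((ifp != NULL) && (fr->fr_ifas[i] != ifp) && (fr->fr_ifas[i] != (void *)-1)) continue;`. fr_resolvenic() returns `(void *)-1` for a lookup failure, so that sentinel is the only marker available here.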
fr_resolvedest(fdp, v); fdp = &fr->fr_tifs[1]; ! if ((ifp == NULL) || (fdp->fd_ifp == ifp)) ! fr_resolvedest(fdp, v); fdp = &fr->fr_dif; ! if ((ifp == NULL) || (fdp->fd_ifp == ifp)) { ! fr_resolvedest(fdp, v); ! fr->fr_flags &= ~FR_DUP; ! if (fdp->fd_ifp != (void *)-1) fr->fr_flags |= FR_DUP; } *************** *** 3532,3582 **** /* filter rules, NAT entries and the state table and check if anything */ /* needs to be changed/updated. */ /* ------------------------------------------------------------------------ */ ! void frsync() { int i; - # if !defined(MENTAT) && !defined(linux) - struct ifnet *ifp; ! # if defined(__OpenBSD__) || ((NetBSD >= 199511) && (NetBSD < 1991011)) || \ ! (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)) ! # if (NetBSD >= 199905) || defined(__OpenBSD__) ! for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_list.tqe_next) ! # elif defined(__FreeBSD_version) && (__FreeBSD_version >= 500043) ! IFNET_RLOCK(); ! TAILQ_FOREACH(ifp, &ifnet, if_link); ! # else ! for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_link.tqe_next) ! # endif ! # else ! for (ifp = ifnet; ifp; ifp = ifp->if_next) ! # endif ! { ! fr_natsync(ifp); ! fr_statesync(ifp); ! } ! # if defined(__FreeBSD_version) && (__FreeBSD_version >= 500043) ! IFNET_RUNLOCK(); ! # endif # endif WRITE_ENTER(&ipf_mutex); ! frsynclist(ipacct[0][fr_active]); ! frsynclist(ipacct[1][fr_active]); ! frsynclist(ipfilter[0][fr_active]); ! frsynclist(ipfilter[1][fr_active]); ! frsynclist(ipacct6[0][fr_active]); ! frsynclist(ipacct6[1][fr_active]); ! frsynclist(ipfilter6[0][fr_active]); ! frsynclist(ipfilter6[1][fr_active]); for (i = 0; i < IPL_LOGSIZE; i++) { frgroup_t *g; for (g = ipfgroups[i][0]; g != NULL; g = g->fg_next) ! frsynclist(g->fg_start); for (g = ipfgroups[i][1]; g != NULL; g = g->fg_next) ! frsynclist(g->fg_start); } RWLOCK_EXIT(&ipf_mutex); } --- 3499,3531 ---- /* filter rules, NAT entries and the state table and check if anything */ /* needs to be changed/updated. 
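Review bot: The rewritten `fr_dif` handling sets FR_DUP whenever `fdp->fd_ifp != (void *)-1`, which is also true for a NULL pointer; the old code only touched FR_DUP when `fd_ifname[0] != '\0'`. If fr_resolvedest() leaves `fd_ifp` NULL for an empty name, as its header comment ("NULL is considered to indicate there is no information at all") suggests, every rule without a dup-to interface now gets FR_DUP set on each sync. Guard both sentinels: `if ((fdp->fd_ifp != NULL) && (fdp->fd_ifp != (void *)-1)) fr->fr_flags |= FR_DUP;`. fr_resolvedest()'s body is outside this hunk.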
*/ /* ------------------------------------------------------------------------ */ ! void frsync(ifp) ! void *ifp; { int i; ! # if !SOLARIS ! fr_natsync(ifp); ! fr_statesync(ifp); # endif WRITE_ENTER(&ipf_mutex); ! frsynclist(ipacct[0][fr_active], ifp); ! frsynclist(ipacct[1][fr_active], ifp); ! frsynclist(ipfilter[0][fr_active], ifp); ! frsynclist(ipfilter[1][fr_active], ifp); ! frsynclist(ipacct6[0][fr_active], ifp); ! frsynclist(ipacct6[1][fr_active], ifp); ! frsynclist(ipfilter6[0][fr_active], ifp); ! frsynclist(ipfilter6[1][fr_active], ifp); for (i = 0; i < IPL_LOGSIZE; i++) { frgroup_t *g; for (g = ipfgroups[i][0]; g != NULL; g = g->fg_next) ! frsynclist(g->fg_start, ifp); for (g = ipfgroups[i][1]; g != NULL; g = g->fg_next) ! frsynclist(g->fg_start, ifp); } RWLOCK_EXIT(&ipf_mutex); } *************** *** 3605,3617 **** caddr_t ca; int err; ! #if SOLARIS err = COPYIN(src, (caddr_t)&ca, sizeof(ca)); if (err != 0) return err; ! #else bcopy(src, (caddr_t)&ca, sizeof(ca)); ! #endif err = COPYIN(ca, dst, size); return err; } --- 3554,3566 ---- caddr_t ca; int err; ! # if SOLARIS err = COPYIN(src, (caddr_t)&ca, sizeof(ca)); if (err != 0) return err; ! # else bcopy(src, (caddr_t)&ca, sizeof(ca)); ! # endif err = COPYIN(ca, dst, size); return err; } *************** *** 3635,3695 **** caddr_t ca; int err; ! #if SOLARIS err = COPYIN(dst, (caddr_t)&ca, sizeof(ca)); if (err != 0) return err; ! #else bcopy(dst, (caddr_t)&ca, sizeof(ca)); ! #endif err = COPYOUT(src, ca, size); return err; } - - #else /* _KERNEL */ - - - /* - * See above for description, except that all addressing is in user space. - */ - int copyoutptr(src, dst, size) - void *src, *dst; - size_t size; - { - caddr_t ca; - - bcopy(dst, (char *)&ca, sizeof(ca)); - bcopy(src, ca, size); - return 0; - } - - - /* - * See above for description, except that all addressing is in user space. 
- */ - int copyinptr(src, dst, size) - void *src, *dst; - size_t size; - { - caddr_t ca; - - bcopy(src, (char *)&ca, sizeof(ca)); - bcopy(ca, dst, size); - return 0; - } - - - /* - * return the first IP Address associated with an interface - */ - int fr_ifpaddr(v, flags, ifptr, inp, inpmask) - int v, flags; - void *ifptr; - struct in_addr *inp, *inpmask; - { - return 0; - } - #endif --- 3584,3599 ---- caddr_t ca; int err; ! # if SOLARIS err = COPYIN(dst, (caddr_t)&ca, sizeof(ca)); if (err != 0) return err; ! # else bcopy(dst, (caddr_t)&ca, sizeof(ca)); ! # endif err = COPYOUT(src, ca, size); return err; } #endif *************** *** 4057,4064 **** fprev = &fg->fg_start; } ! for (f = *fprev; f != NULL; fprev = &f->fr_next) ! if (fp->fr_collect <= f->fr_collect) break; ftail = fprev; --- 3961,3968 ---- fprev = &fg->fg_start; } ! for (f = *fprev; (f = *fprev) != NULL; fprev = &f->fr_next) ! if (fp->fr_collect < f->fr_collect) break; ftail = fprev; *************** *** 4101,4108 **** break; #endif case FR_T_IPF : ! if (fp->fr_dsize == 0) return EINVAL; switch (fp->fr_satype) { case FRI_BROADCAST : --- 4005,4021 ---- break; #endif case FR_T_IPF : ! if (fp->fr_dsize != sizeof(fripf_t)) return EINVAL; + + /* + * Allowing a rule with both "keep state" and "with oow" is + * pointless because adding a state entry to the table will + * fail with the out of window (oow) flag set. + */ + if ((fp->fr_flags & FR_KEEPSTATE) && (fp->fr_flx & FI_OOW)) + return EINVAL; + switch (fp->fr_satype) { case FRI_BROADCAST : *************** *** 4170,4176 **** /* * Lookup all the interface names that are part of the rule. */ ! frsynclist(fp); fp->fr_statecnt = 0; /* --- 4083,4089 ---- /* * Lookup all the interface names that are part of the rule. */ ! frsynclist(fp, NULL); fp->fr_statecnt = 0; /* *************** *** 5338,5344 **** } #endif #if !defined(_KERNEL) ! 
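Review bot: The initializer in `for (f = *fprev; (f = *fprev) != NULL; fprev = &f->fr_next)` is redundant because the condition reassigns `f` from the same slot before the body runs, and the duplicated load reads like a leftover from the old form. `for (; (f = *fprev) != NULL; fprev = &f->fr_next)` expresses the intended pointer-walk without the double read. The enclosing rule-insertion function starts and ends outside this hunk.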
FR_DEBUG(("checkl4sum: %hx == %hx\n", sum, hdrsum)); #endif if (hdrsum == sum) return 0; --- 5251,5261 ---- } #endif #if !defined(_KERNEL) ! if (sum == hdrsum) { ! FR_DEBUG(("checkl4sum: %hx == %hx\n", sum, hdrsum)); ! } else { ! FR_DEBUG(("checkl4sum: %hx != %hx\n", sum, hdrsum)); ! } #endif if (hdrsum == sum) return 0; *************** *** 5478,5484 **** /* ------------------------------------------------------------------------ */ /* Function: fr_coalesce */ ! /* Returns: 1 == success, -1 == failure */ /* Parameters: fin(I) - pointer to packet information */ /* */ /* Attempt to get all of the packet data into a single, contiguous buffer. */ --- 5395,5401 ---- /* ------------------------------------------------------------------------ */ /* Function: fr_coalesce */ ! /* Returns: 1 == success, -1 == failure, 0 == no change */ /* Parameters: fin(I) - pointer to packet information */ /* */ /* Attempt to get all of the packet data into a single, contiguous buffer. */ *************** *** 5487,5493 **** int fr_coalesce(fin) fr_info_t *fin; { ! #if !defined(__sgi) && defined(_KERNEL) if (fr_pullup(fin->fin_m, fin, fin->fin_plen) == NULL) { ATOMIC_INCL(fr_badcoalesces[fin->fin_out]); # ifdef MENTAT --- 5404,5420 ---- int fr_coalesce(fin) fr_info_t *fin; { ! if ((fin->fin_flx & FI_COALESCE) != 0) ! return 1; ! ! /* ! * If the mbuf pointers indicate that there is no mbuf to work with, ! * return but do not indicate success or failure. ! */ ! if (fin->fin_m == NULL || fin->fin_mp == NULL) ! return 0; ! ! 
#if defined(_KERNEL) if (fr_pullup(fin->fin_m, fin, fin->fin_plen) == NULL) { ATOMIC_INCL(fr_badcoalesces[fin->fin_out]); # ifdef MENTAT *************** *** 5504,5610 **** } - /* ------------------------------------------------------------------------ */ - /* Function: fr_pullup */ - /* Returns: NULL == pullup failed, else pointer to protocol header */ - /* Parameters: m(I) - pointer to buffer where data packet starts */ - /* fin(I) - pointer to packet information */ - /* len(I) - number of bytes to pullup */ - /* */ - /* Attempt to move at least len bytes (from the start of the buffer) into a */ - /* single buffer for ease of access. Operating system native functions are */ - /* used to manage buffers - if necessary. If the entire packet ends up in */ - /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */ - /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */ - /* and ONLY if the pullup succeeds. */ - /* ------------------------------------------------------------------------ */ - #if defined(_KERNEL) && !defined(__sgi) - void *fr_pullup(min, fin, len) - mb_t *min; - fr_info_t *fin; - int len; - { - # ifdef MENTAT - qpktinfo_t *qpi = fin->fin_qpi; - # endif - int out = fin->fin_out, dpoff, ipoff; - mb_t *m = min; - char *ip; - - if (m == NULL) - return NULL; - - ip = (char *)fin->fin_ip; - if ((fin->fin_flx & FI_COALESCE) != 0) - return ip; - - ipoff = fin->fin_ipoff; - if (fin->fin_dp != NULL) - dpoff = (char *)fin->fin_dp - (char *)ip; - else - dpoff = 0; - - if (M_LEN(m) < len) { - # ifdef MENTAT - int inc = 0; - - if (ipoff > 0) { - if ((ipoff & 3) != 0) { - inc = 4 - (ipoff & 3); - if (m->b_rptr - inc >= m->b_datap->db_base) - m->b_rptr -= inc; - else - inc = 0; - } - } - if (!pullupmsg(m, len + ipoff + inc)) { - ATOMIC_INCL(frstats[out].fr_pull[1]); - return NULL; - } - m->b_rptr += inc; - ATOMIC_INCL(frstats[out].fr_pull[0]); - ip = MTOD(m, char *) + ipoff; - qpi->qpi_data = ip; - # else - # ifndef linux - # 
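Review bot: The new `return 0;` for a missing mbuf makes `fr_coalesce(fin) == -1` no longer a sufficient "did not coalesce" test, and callers that only check for -1 will go on to treat the packet as contiguous with FI_COALESCE unset. The callers are not in this hunk, so this is a request for a comment on that return making the contract explicit, e.g. `/* 0: nothing to do; callers must test FI_COALESCE, not just -1, before touching contiguous data */`. The rest of fr_coalesce() continues past the hunk.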
ifdef MHLEN - if (len > MHLEN) - # else - if (len > MLEN) - # endif - { - # ifdef HAVE_M_PULLDOWN - m = m_pulldown(m, 0, len, NULL); - # else - FREE_MB_T(m); - m = NULL; - # endif - } else - # endif /* linux */ - { - m = m_pullup(m, len); - } - *fin->fin_mp = m; - fin->fin_m = m; - if (m == NULL) { - ATOMIC_INCL(frstats[out].fr_pull[1]); - return NULL; - } - ip = MTOD(m, char *) + ipoff; - ATOMIC_INCL(frstats[out].fr_pull[0]); - # endif /* MENTAT */ - } - fin->fin_ip = (ip_t *)ip; - if (fin->fin_dp != NULL) - fin->fin_dp = (char *)fin->fin_ip + dpoff; - - if (len == fin->fin_plen) - fin->fin_flx |= FI_COALESCE; - return ip; - } - #endif /* _KERNEL && !__sgi */ - - /* * The following table lists all of the tunable variables that can be * accessed via SIOCIPFGET/SIOCIPFSET/SIOCIPFGETNEXt. The format of each row --- 5431,5436 ---- *************** *** 5632,5639 **** sizeof(fr_chksrc), 0 }, { { &fr_pass }, "fr_pass", 0, 0xffffffff, sizeof(fr_pass), 0 }, - { { &fr_unreach }, "fr_unreach", 0, 0xff, - sizeof(fr_unreach), 0 }, /* state */ { { &fr_tcpidletimeout }, "fr_tcpidletimeout", 1, 0x7fffffff, sizeof(fr_tcpidletimeout), IPFT_WRDISABLED }, --- 5458,5463 ---- *************** *** 5705,5716 **** --- 5529,5674 ---- sizeof(ipl_logmax), IPFT_WRDISABLED }, { { &ipl_logall }, "ipl_logall", 0, 1, sizeof(ipl_logall), 0 }, + { { &ipl_logsize }, "ipl_logsize", 0, 0x80000, + sizeof(ipl_logsize), 0 }, #endif { { NULL }, NULL, 0, 0 } }; + static ipftuneable_t *ipf_tunelist = NULL; + /* ------------------------------------------------------------------------ */ + /* Function: fr_findtunebycookie */ + /* Returns: NULL = search failed, else pointer to tune struct */ + /* Parameters: cookie(I) - cookie value to search for amongst tuneables */ + /* next(O) - pointer to place to store the cookie for the */ + /* "next" tuneable, if it is desired. */ + /* */ + /* This function is used to walk through all of the existing tunables with */ + /* successive calls. 
It searches the known tunables for the one which has */ + /* a matching value for "cookie" - ie its address. When returning a match, */ + /* the next one to be found may be returned inside next. */ + /* ------------------------------------------------------------------------ */ + static ipftuneable_t *fr_findtunebycookie(cookie, next) + void *cookie, **next; + { + ipftuneable_t *ta, **tap; + + for (ta = ipf_tuneables; ta->ipft_name != NULL; ta++) + if (ta == cookie) { + if (next != NULL) { + /* + * If the next entry in the array has a name + * present, then return a pointer to it for + * where to go next, else return a pointer to + * the dynaminc list as a key to search there + * next. This facilitates a weak linking of + * the two "lists" together. + */ + if ((ta + 1)->ipft_name != NULL) + *next = ta + 1; + else + *next = &ipf_tunelist; + } + return ta; + } + + for (tap = &ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next) + if (tap == cookie) { + if (next != NULL) + *next = &ta->ipft_next; + return ta; + } + + if (next != NULL) + *next = NULL; + return NULL; + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_findtunebyname */ + /* Returns: NULL = search failed, else pointer to tune struct */ + /* Parameters: name(I) - name of the tuneable entry to find. */ + /* */ + /* Search the static array of tuneables and the list of dynamic tuneables */ + /* for an entry with a matching name. If we can find one, return a pointer */ + /* to the matching structure. 
*/ + /* ------------------------------------------------------------------------ */ + static ipftuneable_t *fr_findtunebyname(name) + char *name; + { + ipftuneable_t *ta; + + for (ta = ipf_tuneables; ta->ipft_name != NULL; ta++) + if (!strcmp(ta->ipft_name, name)) { + return ta; + } + + for (ta = ipf_tunelist; ta != NULL; ta = ta->ipft_next) + if (!strcmp(ta->ipft_name, name)) { + return ta; + } + + return NULL; + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_addipftune */ + /* Returns: int - 0 == success, else failure */ + /* Parameters: newtune - pointer to new tune struct to add to tuneables */ + /* */ + /* Appends the tune structure pointer to by "newtune" to the end of the */ + /* current list of "dynamic" tuneable parameters. Once added, the owner */ + /* of the object is not expected to ever change "ipft_next". */ + /* ------------------------------------------------------------------------ */ + int fr_addipftune(newtune) + ipftuneable_t *newtune; + { + ipftuneable_t *ta, **tap; + + ta = fr_findtunebyname(newtune->ipft_name); + if (ta != NULL) + return EEXIST; + + for (tap = &ipf_tunelist; *tap != NULL; tap = &(*tap)->ipft_next) + ; + + newtune->ipft_next = NULL; + *tap = newtune; + return 0; + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_delipftune */ + /* Returns: int - 0 == success, else failure */ + /* Parameters: oldtune - pointer to tune struct to remove from the list of */ + /* current dynamic tuneables */ + /* */ + /* Search for the tune structure, by pointer, in the list of those that are */ + /* dynamically added at run time. If found, adjust the list so that this */ + /* structure is no longer part of it. 
*/ + /* ------------------------------------------------------------------------ */ + int fr_delipftune(oldtune) + ipftuneable_t *oldtune; + { + ipftuneable_t *ta, **tap; + + for (tap = &ipf_tunelist; (ta = *tap) != NULL; tap = &ta->ipft_next) + if (ta == oldtune) { + *tap = oldtune->ipft_next; + oldtune->ipft_next = NULL; + return 0; + } + + return ESRCH; + } + + + /* ------------------------------------------------------------------------ */ /* Function: fr_ipftune */ /* Returns: int - 0 == success, else failure */ /* Parameters: cmd(I) - ioctl command number */ *************** *** 5737,5744 **** return error; tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0'; - ta = ipf_tuneables; cookie = tu.ipft_cookie; switch (cmd) { --- 5695,5702 ---- return error; tu.ipft_name[sizeof(tu.ipft_name) - 1] = '\0'; cookie = tu.ipft_cookie; + ta = NULL; switch (cmd) { *************** *** 5753,5768 **** * at the front of the list. */ if (cookie != NULL) { ! for (; ta->ipft_name != NULL; ta++) ! if (ta == cookie) { ! ta++; ! break; ! } ! if (ta->ipft_name == NULL) ! ta = NULL; } - cookie = ta; - tu.ipft_cookie = cookie; if (ta != NULL) { /* * Entry found, but does the data pointed to by that --- 5711,5721 ---- * at the front of the list. */ if (cookie != NULL) { ! ta = fr_findtunebycookie(cookie, &tu.ipft_cookie); ! } else { ! ta = ipf_tuneables; ! tu.ipft_cookie = ta + 1; } if (ta != NULL) { /* * Entry found, but does the data pointed to by that *************** *** 5800,5819 **** */ error = ESRCH; if (cookie != NULL) { ! for (; ta->ipft_name != NULL; ta++) ! if (ta == cookie) { ! error = 0; ! break; ! } } else if (tu.ipft_name[0] != '\0') { ! for (; ta->ipft_name != NULL; ta++) ! if (!strncmp(ta->ipft_name, tu.ipft_name, ! MIN(sizeof(tu.ipft_name), ! strlen(ta->ipft_name) + 1))) ! break; ! if (ta->ipft_name == NULL) ! ta = NULL; ! else error = 0; } if (error != 0) --- 5753,5764 ---- */ error = ESRCH; if (cookie != NULL) { ! ta = fr_findtunebycookie(cookie, NULL); ! if (ta != NULL) ! 
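Review bot: fr_findtunebycookie() uses two different cookie conventions without saying so: static entries match on `ta == cookie` (the entry address) while dynamic entries match on `tap == cookie` (the address of the link slot), and the last static entry hands out `&ipf_tunelist` as the next cookie; a reader will take `tap == cookie` for a typo. A header comment such as "cookie for a static tuneable is its address; for a dynamic tuneable it is the address of the pointer that links to it, so `&ipf_tunelist` names the first dynamic entry" would settle that, and "dynaminc" in the inline comment is a typo. The cookie comes from userland via `tu.ipft_cookie` and is only ever compared, never dereferenced, which is the right discipline; separately, no lock around `ipf_tunelist` is visible in fr_addipftune()/fr_delipftune() while fr_ipftune() walks it, so the intended serialisation should be stated if it exists elsewhere.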
error = 0; } else if (tu.ipft_name[0] != '\0') { ! ta = fr_findtunebyname(tu.ipft_name); ! if (ta != NULL) error = 0; } if (error != 0) *************** *** 5823,5829 **** /* * Fetch the tuning parameters for a particular value */ - tu.ipft_cookie = ta; tu.ipft_vlong = 0; if (ta->ipft_sz == sizeof(u_long)) tu.ipft_vlong = *ta->ipft_plong; --- 5768,5773 ---- *************** *** 6014,6020 **** /* ------------------------------------------------------------------------ */ ! /* Function: fr_resolvdest */ /* Returns: Nil */ /* Parameters: fdp(IO) - pointer to destination information to resolve */ /* v(I) - IP protocol version to match */ --- 5958,5964 ---- /* ------------------------------------------------------------------------ */ ! /* Function: fr_resolvedest */ /* Returns: Nil */ /* Parameters: fdp(IO) - pointer to destination information to resolve */ /* v(I) - IP protocol version to match */ *************** *** 6025,6031 **** /* found, then set the interface pointer to be -1 as NULL is considered to */ /* indicate there is no information at all in the structure. */ /* ------------------------------------------------------------------------ */ ! void fr_resolvdest(fdp, v) frdest_t *fdp; int v; { --- 5969,5975 ---- /* found, then set the interface pointer to be -1 as NULL is considered to */ /* indicate there is no information at all in the structure. */ /* ------------------------------------------------------------------------ */ ! void fr_resolvedest(fdp, v) frdest_t *fdp; int v; { *************** *** 6040,6043 **** --- 5984,6056 ---- ifp = (void *)-1; } fdp->fd_ifp = ifp; + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_icmp4errortype */ + /* Returns: int - 1 == success, 0 == failure */ + /* Parameters: icmptype(I) - ICMP type number */ + /* */ + /* Tests to see if the ICMP type number passed is an error type or not. 
*/ + /* ------------------------------------------------------------------------ */ + int fr_icmp4errortype(icmptype) + int icmptype; + { + + switch (icmptype) + { + case ICMP_SOURCEQUENCH : + case ICMP_PARAMPROB : + case ICMP_REDIRECT : + case ICMP_TIMXCEED : + case ICMP_UNREACH : + return 1; + default: + return 0; + } + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_resolvenic */ + /* Returns: void* - NULL = wildcard name, -1 = failed to find NIC, else */ + /* pointer to interface structure for NIC */ + /* Parameters: name(I) - complete interface name */ + /* v(I) - IP protocol version */ + /* */ + /* Look for a network interface structure that firstly has a matching name */ + /* to that passed in and that is also being used for that IP protocol */ + /* version (necessary on some platforms where there are separate listings */ + /* for both IPv4 and IPv6 on the same physical NIC. */ + /* */ + /* One might wonder why name gets terminated with a \0 byte in here. The */ + /* reason is an interface name could get into the kernel structures of ipf */ + /* in any number of ways and so long as they all use the same sized array */ + /* to put the name in, it makes sense to ensure it gets null terminated */ + /* before it is used for its intended purpose - finding its match in the */ + /* kernel's list of configured interfaces. */ + /* */ + /* NOTE: This SHOULD ONLY be used with IPFilter structures that have an */ + /* array for the name that is LIFNAMSIZ bytes (at least) in length. 
*/ + /* ------------------------------------------------------------------------ */ + void *fr_resolvenic(name, v) + char *name; + int v; + { + void *nic; + + if (name[0] == '\0') + return NULL; + + if ((name[1] == '\0') && ((name[0] == '-') || (name[0] == '*'))) { + return NULL; + } + + name[LIFNAMSIZ - 1] = '\0'; + + nic = GETIFP(name, v); + if (nic == NULL) + nic = (void *)-1; + return nic; } diff -cr ip_fil4.1.3/hpux.c ip_fil4.1.4/hpux.c *** ip_fil4.1.3/hpux.c Sun Mar 7 01:32:49 2004 --- ip_fil4.1.4/hpux.c Thu Dec 16 05:30:29 2004 *************** *** 470,481 **** register struct frentry *f; register ipnat_t *np; ! frsync(); ! /* ! * Resync. any NAT `connections' using this interface and its IP #. ! */ ! fr_natsync(qif); ! fr_statesync(qif); return 0; } --- 470,476 ---- register struct frentry *f; register ipnat_t *np; ! frsync(NULL); return 0; } diff -cr ip_fil4.1.3/ip_auth.c ip_fil4.1.4/ip_auth.c *** ip_fil4.1.3/ip_auth.c Tue Jun 8 23:14:12 2004 --- ip_fil4.1.4/ip_auth.c Thu Aug 26 21:25:21 2004 *************** *** 117,123 **** /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.2 2004/06/08 13:14:12 darrenr Exp $"; #endif --- 117,123 ---- /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.3 2004/08/26 11:25:21 darrenr Exp $"; #endif *************** *** 260,266 **** RWLOCK_EXIT(&ipf_auth); if (passp != NULL) *passp = pass; ! ATOMIC_INCL(fr_authstats.fas_hits); return fr; } i++; --- 260,266 ---- RWLOCK_EXIT(&ipf_auth); if (passp != NULL) *passp = pass; ! ATOMIC_INC64(fr_authstats.fas_hits); return fr; } i++; *************** *** 269,275 **** } fr_authstats.fas_miss++; RWLOCK_EXIT(&ipf_auth); ! ATOMIC_INCL(fr_authstats.fas_miss); return NULL; } --- 269,275 ---- } fr_authstats.fas_miss++; RWLOCK_EXIT(&ipf_auth); ! 
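Review bot: The header on fr_icmp4errortype() says `Returns: int - 1 == success, 0 == failure`, but the function is a predicate, not an operation that can fail, so "failure" misdescribes a non-error ICMP type such as an echo request. Reword it to `/* Returns: int - 1 == icmptype is an ICMP error message type, 0 == it is not */`. fr_resolvenic()'s in-place NUL termination is already called out in its NOTE, which is good; the same hunk's rename of fr_resolvdest is fine.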
ATOMIC_INC64(fr_authstats.fas_miss); return NULL; } diff -cr ip_fil4.1.3/ip_compat.h ip_fil4.1.4/ip_compat.h *** ip_fil4.1.3/ip_compat.h Sun Jul 11 20:38:57 2004 --- ip_fil4.1.4/ip_compat.h Sun Jan 9 01:22:59 2005 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.142.2.18 2004/07/11 10:38:57 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.142.2.24 2005/01/08 14:22:59 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ *************** *** 804,827 **** # if (__FreeBSD_version >= 500043) # include # include # define KMUTEX_T struct mtx ! # define KRWLOCK_T struct sx # endif ! # if (__FreeBSD_version >= 501113) ! # include ! # define IFNAME(x) ((struct ifnet *)x)->if_xname ! # define COPYIFNAME(x, b) \ (void) strncpy(b, \ ((struct ifnet *)x)->if_xname, \ LIFNAMSIZ) ! # endif ! # if (__FreeBSD_version >= 500043) ! # define CACHE_HASH(x) ((((struct ifnet *)fin->fin_ifp)->if_index) & 7) ! # else ! # define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7) ! # endif # ifdef _KERNEL # define GETKTIME(x) microtime((struct timeval *)x) --- 804,836 ---- # if (__FreeBSD_version >= 500043) # include # include + /* + * Whilst the sx(9) locks on FreeBSD have the right semantics and interface + * for what we want to use them for, despite testing showing they work - + * with a WITNESS kernel, it generates LOR messages. + */ # define KMUTEX_T struct mtx ! # if 1 ! # define KRWLOCK_T struct mtx ! # else ! # define KRWLOCK_T struct sx ! # endif # endif ! # if (__FreeBSD_version >= 501113) ! # include ! # define IFNAME(x) ((struct ifnet *)x)->if_xname ! # define COPYIFNAME(x, b) \ (void) strncpy(b, \ ((struct ifnet *)x)->if_xname, \ LIFNAMSIZ) ! # endif ! # if (__FreeBSD_version >= 500043) ! 
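Review bot: `fas_miss` is incremented twice on the miss path: once with the plain `fr_authstats.fas_miss++;` under ipf_auth and again with the new `ATOMIC_INC64(fr_authstats.fas_miss);` after the lock is dropped, so the miss counter runs at double rate. The hunk only swaps the atomic macro and leaves the duplicate in place; drop the plain increment (the atomic one after `RWLOCK_EXIT` is the one that matches the hit path in the previous hunk). The enclosing function starts outside this hunk.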
# define CACHE_HASH(x) ((((struct ifnet *)fin->fin_ifp)->if_index) & 7) ! # else ! # define CACHE_HASH(x) ((IFNAME(fin->fin_ifp)[0] + \ ((struct ifnet *)fin->fin_ifp)->if_unit) & 7) ! # endif # ifdef _KERNEL # define GETKTIME(x) microtime((struct timeval *)x) *************** *** 835,869 **** # if (__FreeBSD_version >= 500043) # define USE_MUTEXES # define MUTEX_ENTER(x) mtx_lock(&(x)->ipf_lk) - # define READ_ENTER(x) sx_slock(&(x)->ipf_lk) - # define WRITE_ENTER(x) sx_xlock(&(x)->ipf_lk) - # define MUTEX_DOWNGRADE(x) sx_downgrade(&(x)->ipf_lk) - # define RWLOCK_INIT(x, y) sx_init(&(x)->ipf_lk, (y)) - # define RW_DESTROY(x) sx_destroy(&(x)->ipf_lk) - # define RWLOCK_EXIT(x) do { \ - if ((x)->ipf_lk.sx_cnt < 0) \ - sx_xunlock(&(x)->ipf_lk); \ - else \ - sx_sunlock(&(x)->ipf_lk); \ - } while (0) # define MUTEX_EXIT(x) mtx_unlock(&(x)->ipf_lk) # define MUTEX_INIT(x,y) mtx_init(&(x)->ipf_lk, (y), NULL,\ MTX_DEF) # define MUTEX_DESTROY(x) mtx_destroy(&(x)->ipf_lk) # define MUTEX_NUKE(x) bzero((x), sizeof(*(x))) # include # define ATOMIC_INC(x) { mtx_lock(&ipf_rw.ipf_lk); (x)++; \ mtx_unlock(&ipf_rw.ipf_lk); } # define ATOMIC_DEC(x) { mtx_lock(&ipf_rw.ipf_lk); (x)--; \ mtx_unlock(&ipf_rw.ipf_lk); } ! # define ATOMIC_INCL(x) atomic_add_long(x, 1) # define ATOMIC_INC64(x) ATOMIC_INC(x) ! # define ATOMIC_INC32(x) atomic_add_32(x, 1) ! # define ATOMIC_INC16(x) atomic_add_16(x, 1) ! # define ATOMIC_DECL(x) ATOMIC_DEC(x) ! # define ATOMIC_DEC64(x) atomic_subtract_(x, -1) ! # define ATOMIC_DEC32(x) atomic_subtract_32(x, -1) ! 
# define ATOMIC_DEC16(x) atomic_subtract_16(x, -1) # define SPL_X(x) ; # define SPL_NET(x) ; # define SPL_IMP(x) ; --- 844,897 ---- # if (__FreeBSD_version >= 500043) # define USE_MUTEXES # define MUTEX_ENTER(x) mtx_lock(&(x)->ipf_lk) # define MUTEX_EXIT(x) mtx_unlock(&(x)->ipf_lk) # define MUTEX_INIT(x,y) mtx_init(&(x)->ipf_lk, (y), NULL,\ MTX_DEF) # define MUTEX_DESTROY(x) mtx_destroy(&(x)->ipf_lk) # define MUTEX_NUKE(x) bzero((x), sizeof(*(x))) + /* + * Whilst the sx(9) locks on FreeBSD have the right semantics and interface + * for what we want to use them for, despite testing showing they work - + * with a WITNESS kernel, it generates LOR messages. + */ + # if 1 + # define READ_ENTER(x) mtx_lock(&(x)->ipf_lk) + # define WRITE_ENTER(x) mtx_lock(&(x)->ipf_lk) + # define RWLOCK_EXIT(x) mtx_unlock(&(x)->ipf_lk) + # define MUTEX_DOWNGRADE(x) ; + # define RWLOCK_INIT(x,y) mtx_init(&(x)->ipf_lk, (y), NULL,\ + MTX_DEF) + # define RW_DESTROY(x) mtx_destroy(&(x)->ipf_lk) + # else + # define READ_ENTER(x) sx_slock(&(x)->ipf_lk) + # define WRITE_ENTER(x) sx_xlock(&(x)->ipf_lk) + # define MUTEX_DOWNGRADE(x) sx_downgrade(&(x)->ipf_lk) + # define RWLOCK_INIT(x, y) sx_init(&(x)->ipf_lk, (y)) + # define RW_DESTROY(x) sx_destroy(&(x)->ipf_lk) + # ifdef sx_unlock + # define RWLOCK_EXIT(x) sx_unlock(x) + # else + # define RWLOCK_EXIT(x) do { \ + if ((x)->ipf_lk.sx_cnt < 0) \ + sx_xunlock(&(x)->ipf_lk); \ + else \ + sx_sunlock(&(x)->ipf_lk); \ + } while (0) + # endif + # endif # include # define ATOMIC_INC(x) { mtx_lock(&ipf_rw.ipf_lk); (x)++; \ mtx_unlock(&ipf_rw.ipf_lk); } # define ATOMIC_DEC(x) { mtx_lock(&ipf_rw.ipf_lk); (x)--; \ mtx_unlock(&ipf_rw.ipf_lk); } ! # define ATOMIC_INCL(x) atomic_add_long(&(x), 1) # define ATOMIC_INC64(x) ATOMIC_INC(x) ! # define ATOMIC_INC32(x) atomic_add_32(&(x), 1) ! # define ATOMIC_INC16(x) atomic_add_16(&(x), 1) ! # define ATOMIC_DECL(x) atomic_add_long(&(x), -1) ! # define ATOMIC_DEC64(x) ATOMIC_DEC(x) ! 
# define ATOMIC_DEC32(x) atomic_add_32(&(x), -1) ! # define ATOMIC_DEC16(x) atomic_add_16(&(x), -1) # define SPL_X(x) ; # define SPL_NET(x) ; # define SPL_IMP(x) ; *************** *** 1024,1030 **** /* L I N U X */ /* ----------------------------------------------------------------------- */ #if defined(linux) && !defined(OS_RECOGNISED) ! # if LINUX >= 020600 # define HDR_T_PRIVATE 1 # endif # undef USE_INET6 --- 1052,1060 ---- /* L I N U X */ /* ----------------------------------------------------------------------- */ #if defined(linux) && !defined(OS_RECOGNISED) ! #include ! #include ! # if LINUX >= 20600 # define HDR_T_PRIVATE 1 # endif # undef USE_INET6 *************** *** 1089,1120 **** extern mb_t *m_pullup __P((mb_t *, int)); # define mbuf sk_buff ! # define mtod(m, t) ((t)(m)->data) ! # define m_len len ! # define m_next next ! # define M_DUPLICATE(m) skb_clone((m), in_interrupt() ? GFP_ATOMIC : \ GFP_KERNEL) ! # define MSGDSIZE(m) (m)->len ! # define M_LEN(m) (m)->len ! # define splnet(x) ; ! # define printf printk ! # define bcopy(s,d,z) memmove(d, s, z) ! # define bzero(s,z) memset(s, 0, z) ! # define bcmp(a,b,z) memcmp(a, b, z) ! # define ifnet net_device ! # define if_xname name ! # define if_unit ifindex ! # define KMALLOC(x,t) (x) = (t)kmalloc(sizeof(*(x)), \ in_interrupt() ? GFP_ATOMIC : GFP_KERNEL) ! # define KFREE(x) kfree(x) ! # define KMALLOCS(x,t,s) (x) = (t)kmalloc((s), \ in_interrupt() ? GFP_ATOMIC : GFP_KERNEL) ! # define KFREES(x,s) kfree(x) ! # define GETIFP(n,v) dev_get_by_name(n) # else # include --- 1119,1150 ---- extern mb_t *m_pullup __P((mb_t *, int)); # define mbuf sk_buff ! # define mtod(m, t) ((t)(m)->data) ! # define m_len len ! # define m_next next ! # define M_DUPLICATE(m) skb_clone((m), in_interrupt() ? GFP_ATOMIC : \ GFP_KERNEL) ! # define MSGDSIZE(m) (m)->len ! # define M_LEN(m) (m)->len ! # define splnet(x) ; ! # define printf printk ! # define bcopy(s,d,z) memmove(d, s, z) ! # define bzero(s,z) memset(s, 0, z) ! 
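Review bot: In the retained sx branch, `# define RWLOCK_EXIT(x) sx_unlock(x)` passes the wrapper rather than `&(x)->ipf_lk` as every other sx_ macro in the block does, so the `#else` path will not compile the moment `# if 1` is flipped; it should be `sx_unlock(&(x)->ipf_lk)`. Mapping READ_ENTER/WRITE_ENTER onto an MTX_DEF mutex also changes semantics, not just the LOR output: a default mtx is not recursive, so any path that currently re-acquires the same lock for reading (legal with a shared sx) would now wedge or trip WITNESS, which is worth a sentence in the comment and a check of the read-side callers, which are not visible here. A named macro instead of `# if 1` would make the switch deliberate rather than look like debugging residue.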
# define bcmp(a,b,z) memcmp(a, b, z) ! # define ifnet net_device ! # define if_xname name ! # define if_unit ifindex ! # define KMALLOC(x,t) (x) = (t)kmalloc(sizeof(*(x)), \ in_interrupt() ? GFP_ATOMIC : GFP_KERNEL) ! # define KFREE(x) kfree(x) ! # define KMALLOCS(x,t,s) (x) = (t)kmalloc((s), \ in_interrupt() ? GFP_ATOMIC : GFP_KERNEL) ! # define KFREES(x,s) kfree(x) ! # define GETIFP(n,v) dev_get_by_name(n) # else # include *************** *** 1131,1136 **** --- 1161,1167 ---- char if_xname[IFNAMSIZ]; int if_unit; int (* if_output) __P((struct ifnet *, struct mbuf *, struct sockaddr *, struct rtentry *)); + struct ifaddr *if_addrlist; }; # define IFNAME(x) ((struct ifnet *)x)->if_xname *************** *** 1488,1493 **** --- 1519,1540 ---- #endif /* + * Because the ctype(3) posix definition, if used "safely" in code everywhere, + * would mean all normal code that walks through strings needed casts. Yuck. + */ + #define ISALNUM(x) isalnum((u_char)(x)) + #define ISALPHA(x) isalpha((u_char)(x)) + #define ISASCII(x) isascii((u_char)(x)) + #define ISDIGIT(x) isdigit((u_char)(x)) + #define ISPRINT(x) isprint((u_char)(x)) + #define ISSPACE(x) isspace((u_char)(x)) + #define ISUPPER(x) isupper((u_char)(x)) + #define ISXDIGIT(x) isxdigit((u_char)(x)) + #define ISLOWER(x) islower((u_char)(x)) + #define TOUPPER(x) toupper((u_char)(x)) + #define TOLOWER(x) tolower((u_char)(x)) + + /* * If mutexes aren't being used, turn all the mutex functions into null-ops. */ #if !defined(USE_MUTEXES) diff -cr ip_fil4.1.3/ip_fil.c ip_fil4.1.4/ip_fil.c *** ip_fil4.1.3/ip_fil.c Wed May 19 11:22:05 2004 --- ip_fil4.1.4/ip_fil.c Sun Jan 9 01:22:18 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.4 2004/05/19 01:22:05 darrenr Exp $"; #endif #ifndef SOLARIS --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.133.2.9 2005/01/08 14:22:18 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 62,67 **** --- 62,68 ---- #include #include #include + #include #ifdef __hpux # define _NET_ROUTE_INCLUDED *************** *** 144,149 **** --- 145,151 ---- static int nifs = 0; static int frzerostats __P((caddr_t)); + static void fr_setifpaddr __P((struct ifnet *, char *)); void init_ifp __P((void)); #if defined(__sgi) && (IRIX < 60500) static int no_output __P((struct ifnet *, struct mbuf *, *************** *** 402,408 **** if (!(mode & FWRITE)) error = EPERM; else { ! frsync(); } break; default : --- 404,410 ---- if (!(mode & FWRITE)) error = EPERM; else { ! frsync(NULL); } break; default : *************** *** 511,521 **** } struct ifnet *get_unit(name, v) char *name; int v; { ! 
struct ifnet *ifp, **ifa, **old_ifneta; #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \ (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) --- 513,570 ---- } + static void fr_setifpaddr(ifp, addr) + struct ifnet *ifp; + char *addr; + { + #ifdef __sgi + struct in_ifaddr *ifa; + #else + struct ifaddr *ifa; + #endif + + #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) + if (ifp->if_addrlist.tqh_first != NULL) + #else + # ifdef __sgi + if (ifp->in_ifaddr != NULL) + # else + if (ifp->if_addrlist != NULL) + # endif + #endif + return; + + ifa = (struct ifaddr *)malloc(sizeof(*ifa)); + #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) + ifp->if_addrlist.tqh_first = ifa; + #else + # ifdef __sgi + ifp->in_ifaddr = ifa; + # else + ifp->if_addrlist = ifa; + # endif + #endif + + if (ifa != NULL) { + struct sockaddr_in *sin; + + #ifdef __sgi + sin = (struct sockaddr_in *)&ifa->ia_addr; + #else + sin = (struct sockaddr_in *)&ifa->ifa_addr; + #endif + sin->sin_addr.s_addr = inet_addr(addr); + if (sin->sin_addr.s_addr == 0) + abort(); + } + } + struct ifnet *get_unit(name, v) char *name; int v; { ! struct ifnet *ifp, **ifpp, **old_ifneta; ! char *addr; #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \ (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) *************** *** 523,531 **** if (name == NULL) name = "anon0"; ! for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { ! if (!strcmp(name, ifp->if_xname)) return ifp; } #else char *s, ifname[LIFNAMSIZ+1]; --- 572,587 ---- if (name == NULL) name = "anon0"; ! addr = strchr(name, '='); ! if (addr != NULL) ! *addr++ = '\0'; ! ! for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) { ! if (!strcmp(name, ifp->if_xname)) { ! if (addr != NULL) ! 
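Review bot: `inet_addr()` signals an unparseable string by returning `INADDR_NONE` (all ones), not 0, so the `if (sin->sin_addr.s_addr == 0) abort();` at the end of fr_setifpaddr lets a malformed `ifname=addr` argument through as 255.255.255.255 while aborting on a literal 0.0.0.0; `inet_aton()` or a comparison against `INADDR_NONE` expresses the intended check. The `ifa` record comes from plain `malloc()` and only `sin_addr` is ever assigned, leaving every other byte of it indeterminate — `ifa = calloc(1, sizeof(*ifa));` makes the fake address record fully defined at no cost in this userland harness. Under `__sgi` the `(struct ifaddr *)` cast on that allocation is stored into a `struct in_ifaddr *`, a pointer-type mismatch the compiler will warn about; `malloc(sizeof(*ifa))` with no cast is correct for both variants. abort() on a bad address is also an abrupt way for a test tool to report a typo, though that is a judgement call.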
fr_setifpaddr(ifp, addr); return ifp; + } } #else char *s, ifname[LIFNAMSIZ+1]; *************** *** 533,542 **** if (name == NULL) name = "anon0"; ! for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { COPYIFNAME(ifp, ifname); ! if (!strcmp(name, ifname)) return ifp; } #endif --- 589,605 ---- if (name == NULL) name = "anon0"; ! addr = strchr(name, '='); ! if (addr != NULL) ! *addr++ = '\0'; ! ! for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) { COPYIFNAME(ifp, ifname); ! if (!strcmp(name, ifname)) { ! if (addr != NULL) ! fr_setifpaddr(ifp, addr); return ifp; + } } #endif *************** *** 555,561 **** old_ifneta = ifneta; nifs++; ifneta = (struct ifnet **)realloc(ifneta, ! (nifs + 1) * sizeof(*ifa)); if (!ifneta) { free(old_ifneta); nifs = 0; --- 618,624 ---- old_ifneta = ifneta; nifs++; ifneta = (struct ifnet **)realloc(ifneta, ! (nifs + 1) * sizeof(ifp)); if (!ifneta) { free(old_ifneta); nifs = 0; *************** *** 575,583 **** (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) (void) strncpy(ifp->if_xname, name, sizeof(ifp->if_xname)); #else ! for (s = name; *s && !isdigit(*s); s++) ; ! if (*s && isdigit(*s)) { ifp->if_unit = atoi(s); ifp->if_name = (char *)malloc(s - name + 1); (void) strncpy(ifp->if_name, name, s - name); --- 638,646 ---- (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) (void) strncpy(ifp->if_xname, name, sizeof(ifp->if_xname)); #else ! for (s = name; *s && !ISDIGIT(*s); s++) ; ! if (*s && ISDIGIT(*s)) { ifp->if_unit = atoi(s); ifp->if_name = (char *)malloc(s - name + 1); (void) strncpy(ifp->if_name, name, s - name); *************** *** 588,593 **** --- 651,661 ---- } #endif ifp->if_output = no_output; + + if (addr != NULL) { + fr_setifpaddr(ifp, addr); + } + return ifp; } *************** *** 610,616 **** void init_ifp() { ! struct ifnet *ifp, **ifa; char fname[32]; int fd; --- 678,684 ---- void init_ifp() { ! 
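Review bot: `*addr++ = '\0';` in get_unit writes a NUL into the caller's `name` buffer, turning a lookup into an in-place mutation of its argument; a caller that passes a string literal or still needs the `ifN=addr` form intact afterwards would fault or misbehave, and nothing in the `char *name` signature signals the write. The same pattern appears in the `#else` branch of the next hunk (`*** 533,542 ****`). Copying the interface part into a local buffer (there is already a `char ifname[LIFNAMSIZ+1]` in the other branch) bounded by the position of the `=` keeps the argument read-only; at minimum a comment such as `/* name is modified in place: "ifN=addr" is split at the '=' */` should document the side effect. get_unit's body continues past the end of this hunk.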
struct ifnet *ifp, **ifpp; char fname[32]; int fd; *************** *** 617,623 **** #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \ (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) ! for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { ifp->if_output = write_output; sprintf(fname, "/tmp/%s", ifp->if_xname); fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600); --- 685,691 ---- #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) || defined(linux) || \ (defined(__FreeBSD__) && (__FreeBSD_version >= 501113)) ! for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) { ifp->if_output = write_output; sprintf(fname, "/tmp/%s", ifp->if_xname); fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600); *************** *** 628,634 **** } #else ! for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { ifp->if_output = write_output; sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit); fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600); --- 696,702 ---- } #else ! for (ifpp = ifneta; ifpp && (ifp = *ifpp); ifpp++) { ifp->if_output = write_output; sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit); fd = open(fname, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600); *************** *** 685,691 **** } ! void frsync() { return; } --- 753,760 ---- } ! void frsync(ifp) ! void *ifp; { return; } *************** *** 823,825 **** --- 892,965 ---- fin->fin_flx |= FI_BAD; } #endif + + + /* + * See above for description, except that all addressing is in user space. + */ + int copyoutptr(src, dst, size) + void *src, *dst; + size_t size; + { + caddr_t ca; + + bcopy(dst, (char *)&ca, sizeof(ca)); + bcopy(src, ca, size); + return 0; + } + + + /* + * See above for description, except that all addressing is in user space. 
+ */ + int copyinptr(src, dst, size) + void *src, *dst; + size_t size; + { + caddr_t ca; + + bcopy(src, (char *)&ca, sizeof(ca)); + bcopy(ca, dst, size); + return 0; + } + + + /* + * return the first IP Address associated with an interface + */ + int fr_ifpaddr(v, atype, ifptr, inp, inpmask) + int v, atype; + void *ifptr; + struct in_addr *inp, *inpmask; + { + struct ifnet *ifp = ifptr; + #ifdef __sgi + struct in_ifaddr *ifa; + #else + struct ifaddr *ifa; + #endif + + #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) + ifa = ifp->if_addrlist.tqh_first; + #else + # ifdef __sgi + ifa = (struct in_ifaddr *)ifp->in_ifaddr; + # else + ifa = ifp->if_addrlist; + # endif + #endif + if (ifa != NULL) { + struct sockaddr_in *sin, mask; + + mask.sin_addr.s_addr = 0xffffffff; + + #ifdef __sgi + sin = (struct sockaddr_in *)&ifa->ia_addr; + #else + sin = (struct sockaddr_in *)&ifa->ifa_addr; + #endif + + return fr_ifpfillv4addr(atype, sin, &mask, inp, inpmask); + } + return 0; + } diff -cr ip_fil4.1.3/ip_fil.h ip_fil4.1.4/ip_fil.h *** ip_fil4.1.3/ip_fil.h Tue Jun 8 23:14:17 2004 --- ip_fil4.1.4/ip_fil.h Sun Jan 9 01:26:18 2005 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.170.2.5 2004/06/08 13:14:17 darrenr Exp $ */ #ifndef __IP_FIL_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.170.2.15 2005/01/08 14:26:18 darrenr Exp $ */ #ifndef __IP_FIL_H__ *************** *** 230,239 **** #define FI_BAD 0x0400 #define FI_OOW 0x0800 /* Out of state window, else match */ #define FI_ICMPERR 0x1000 ! #define FI_FRAGTAIL 0x2000 #define FI_BADSRC 0x4000 #define FI_LOWTTL 0x8000 ! 
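Review bot: In fr_ifpaddr, `struct sockaddr_in mask` is a stack object of which only `mask.sin_addr.s_addr` is assigned before `&mask` is handed to fr_ifpfillv4addr, so `sin_family`, `sin_port` and any length/padding bytes are indeterminate if that callee reads them; `bzero((char *)&mask, sizeof(mask));` ahead of the assignment costs nothing and removes the question. The two new functions copyoutptr and copyinptr open with `See above for description`, but this hunk appends them at the end of ip_fil.c and no such description is visible in the diff; if the text they refer to stayed behind in the file they were moved from, each comment should carry its one-sentence contract itself (copy `size` bytes to/from the address stored at `dst`/`src`, no bounds or validity check, always returns 0). The `(struct sockaddr_in *)&ifa->ifa_addr` overlay is shared with fr_setifpaddr, so the read and write sides agree, but on the BSDs `ifa_addr` is presumably a `struct sockaddr *` member rather than embedded storage, and a comment stating that the harness deliberately reuses that slot as inline storage would save the next reader a detour.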
#define FI_CMP 0xcff3 /* Not FI_FRAG,FI_FRAGTAIL */ #define FI_ICMPCMP 0x0003 /* Flags we can check for ICMP error packets */ #define FI_WITH 0xeffe /* Not FI_TCPUDP */ #define FI_V6EXTHDR 0x10000 --- 230,239 ---- #define FI_BAD 0x0400 #define FI_OOW 0x0800 /* Out of state window, else match */ #define FI_ICMPERR 0x1000 ! #define FI_FRAGBODY 0x2000 #define FI_BADSRC 0x4000 #define FI_LOWTTL 0x8000 ! #define FI_CMP 0xcfe3 /* Not FI_FRAG,FI_NATED,FI_FRAGTAIL */ #define FI_ICMPCMP 0x0003 /* Flags we can check for ICMP error packets */ #define FI_WITH 0xeffe /* Not FI_TCPUDP */ #define FI_V6EXTHDR 0x10000 *************** *** 303,308 **** --- 303,311 ---- mb_t *fin_qfm; /* pointer to mblk where pkt starts */ void *fin_qpi; #endif + #ifdef __sgi + void *fin_hbuf; + #endif } fr_info_t; #define fin_v fin_fi.fi_v *************** *** 622,627 **** --- 625,631 ---- #define FR_STSTRICT 0x200000 /* strict keep state */ #define FR_NEWISN 0x400000 /* new ISN for outgoing TCP */ #define FR_NOICMPERR 0x800000 /* do not match ICMP errors in state */ + #define FR_STATESYNC 0x1000000 /* synchronize state to slave */ #define FR_NOMATCH 0x8000000 /* no match occured */ /* 0x10000000 FF_LOGPASS */ /* 0x20000000 FF_LOGBLOCK */ *************** *** 763,770 **** #ifndef IPFILTER_LOGSIZE # define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE #else ! # if IPF_LOGSIZE < DEFAULT_IPFLOGSIZE ! # error IPFILTER_LOGSISZE too small. Must be >= DEFAULT_IPFLOGSIZE # endif #endif --- 767,774 ---- #ifndef IPFILTER_LOGSIZE # define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE #else ! # if IPFILTER_LOGSIZE < DEFAULT_IPFLOGSIZE ! # error IPFILTER_LOGSIZE too small. 
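Review bot: The comment on `FI_CMP` still names `FI_FRAGTAIL`, which this same hunk renames to `FI_FRAGBODY`, so the comment now refers to a flag that no longer exists. Change it to `#define FI_CMP 0xcfe3 /* Not FI_FRAG,FI_NATED,FI_FRAGBODY */`. It would also be worth deriving the mask from the named bits instead of keeping a hand-computed literal, so that the value and the comment cannot drift apart again the next time a flag is added or renamed.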
Must be >= DEFAULT_IPFLOGSIZE # endif #endif *************** *** 1034,1039 **** --- 1038,1044 ---- u_long ipft_max; int ipft_sz; int ipft_flags; + struct ipftuneable *ipft_next; } ipftuneable_t; #define ipft_addr ipft_una.ipftp_void *************** *** 1113,1119 **** extern int iplclose __P((dev_t, int)); extern void m_freem __P((mb_t *)); #else /* #ifndef _KERNEL */ - extern void *fr_pullup __P((mb_t *, fr_info_t *, int)); # if defined(__NetBSD__) && defined(PFIL_HOOKS) extern void ipfilterattach __P((int)); # endif --- 1118,1123 ---- *************** *** 1131,1136 **** --- 1135,1141 ---- extern int iplopen __P((dev_t *, int, int, cred_t *)); extern int iplclose __P((dev_t, int, int, cred_t *)); extern int iplread __P((dev_t, uio_t *, cred_t *)); + extern int iplwrite __P((dev_t, uio_t *, cred_t *)); # endif # ifdef __hpux extern int iplopen __P((dev_t, int, intptr_t, int)); *************** *** 1137,1142 **** --- 1142,1148 ---- extern int iplclose __P((dev_t, int, int)); extern int iplioctl __P((dev_t, int, caddr_t, int)); extern int iplread __P((dev_t, uio_t *)); + extern int iplwrite __P((dev_t, uio_t *)); extern int iplselect __P((dev_t, int)); # endif extern int ipfsync __P((void)); *************** *** 1151,1156 **** --- 1157,1163 ---- extern int iplopen __P((dev_t *, int, int, cred_t *)); extern int iplclose __P((dev_t, int, int, cred_t *)); extern int iplread __P((dev_t, uio_t *, cred_t *)); + extern int iplwrite __P((dev_t, uio_t *, cred_t *)); extern int ipfsync __P((void)); extern int ipfilter_sgi_attach __P((void)); extern void ipfilter_sgi_detach __P((void)); *************** *** 1164,1170 **** --- 1171,1181 ---- # if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \ defined(__OpenBSD__) || (__FreeBSD_version >= 300000) # if (__FreeBSD_version >= 500024) + # if (__FreeBSD_version >= 502116) + extern int iplioctl __P((struct cdev*, u_long, caddr_t, int, struct thread *)); + # else extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct thread *)); 
+ # endif /* __FreeBSD_version >= 502116 */ # else extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *)); # endif /* __FreeBSD_version >= 500024 */ *************** *** 1172,1179 **** --- 1183,1195 ---- extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); # endif # if (__FreeBSD_version >= 500024) + # if (__FreeBSD_version >= 502116) + extern int iplopen __P((struct cdev*, int, int, struct thread *)); + extern int iplclose __P((struct cdev*, int, int, struct thread *)); + # else extern int iplopen __P((dev_t, int, int, struct thread *)); extern int iplclose __P((dev_t, int, int, struct thread *)); + # endif /* __FreeBSD_version >= 502116 */ # else extern int iplopen __P((dev_t, int, int, struct proc *)); extern int iplclose __P((dev_t, int, int, struct proc *)); *************** *** 1188,1195 **** --- 1204,1216 ---- # endif # endif /* (_BSDI_VERSION >= 199510) */ # if BSD >= 199306 + # if (__FreeBSD_version >= 502116) + extern int iplread __P((struct cdev*, struct uio *, int)); + extern int iplwrite __P((struct cdev*, struct uio *, int)); + # else extern int iplread __P((dev_t, struct uio *, int)); extern int iplwrite __P((dev_t, struct uio *, int)); + # endif /* __FreeBSD_version >= 502116 */ # else # ifndef linux extern int iplread __P((dev_t, struct uio *)); *************** *** 1215,1220 **** --- 1236,1242 ---- extern u_short ipf_cksum __P((u_short *, int)); extern int copyinptr __P((void *, void *, size_t)); extern int copyoutptr __P((void *, void *, size_t)); + extern int fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *)); extern int fr_inobj __P((void *, void *, int)); extern int fr_inobjsz __P((void *, void *, int, int)); extern int fr_ioctlswitch __P((int, void *, ioctlcmd_t, int)); *************** *** 1221,1231 **** extern int fr_ipftune __P((ioctlcmd_t, void *)); extern int fr_outobj __P((void *, void *, int)); extern int fr_outobjsz __P((void *, void *, int, int)); ! extern int fr_send_reset __P((fr_info_t *)); ! 
extern int fr_send_icmp_err __P((int, fr_info_t *, int)); ! extern void fr_resolvdest __P((struct frdest *, int)); extern int fr_resolvefunc __P((void *)); ! extern int fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *)); #if (__FreeBSD_version < 490000) || !defined(_KERNEL) extern int ppsratecheck __P((struct timeval *, int *, int)); #endif --- 1243,1254 ---- extern int fr_ipftune __P((ioctlcmd_t, void *)); extern int fr_outobj __P((void *, void *, int)); extern int fr_outobjsz __P((void *, void *, int, int)); ! extern void *fr_pullup __P((mb_t *, fr_info_t *, int)); ! extern void fr_resolvedest __P((struct frdest *, int)); extern int fr_resolvefunc __P((void *)); ! extern void *fr_resolvenic __P((char *, int)); ! extern int fr_send_icmp_err __P((int, fr_info_t *, int)); ! extern int fr_send_reset __P((fr_info_t *)); #if (__FreeBSD_version < 490000) || !defined(_KERNEL) extern int ppsratecheck __P((struct timeval *, int *, int)); #endif *************** *** 1248,1255 **** struct in_addr *)); #endif extern int frflush __P((minor_t, int, int)); ! extern void frsync __P((void)); extern frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int)); extern int fr_derefrule __P((frentry_t **)); extern void fr_delgroup __P((char *, minor_t, int)); --- 1271,1281 ---- struct in_addr *)); #endif + extern int fr_addipftune __P((ipftuneable_t *)); + extern int fr_delipftune __P((ipftuneable_t *)); + extern int frflush __P((minor_t, int, int)); ! 
extern void frsync __P((void *)); extern frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int)); extern int fr_derefrule __P((frentry_t **)); extern void fr_delgroup __P((char *, minor_t, int)); *************** *** 1272,1277 **** --- 1298,1304 ---- extern void fr_forgetifp __P((void *)); extern frentry_t *fr_getrulen __P((int, char *, u_32_t)); extern void fr_getstat __P((struct friostat *)); + extern int fr_icmp4errortype __P((int)); extern int fr_ifpaddr __P((int, int, void *, struct in_addr *, struct in_addr *)); extern int fr_initialise __P((void)); *************** *** 1289,1295 **** extern int fr_verifysrc __P((fr_info_t *fin)); extern int fr_zerostats __P((char *)); - extern int fr_unreach; extern int fr_running; extern u_long fr_frouteok[2]; extern int fr_pass; --- 1316,1321 ---- *************** *** 1306,1311 **** --- 1332,1338 ---- extern int ipl_buffer_sz; extern int ipl_logmax; extern int ipl_logall; + extern int ipl_logsize; extern u_long fr_ticks; extern fr_info_t frcache[2][8]; extern char ipfilter_version[]; diff -cr ip_fil4.1.3/ip_fil_bsdos.c ip_fil4.1.4/ip_fil_bsdos.c *** ip_fil4.1.3/ip_fil_bsdos.c Wed Jun 23 06:57:47 2004 --- ip_fil4.1.4/ip_fil_bsdos.c Thu Dec 16 05:30:31 2004 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_bsdos.c,v 2.45.2.8 2004/06/22 20:57:47 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_bsdos.c,v 2.45.2.16 2004/12/15 18:30:31 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) *************** *** 365,371 **** if (!(mode & FWRITE)) error = EPERM; else { ! frsync(); } break; default : --- 365,371 ---- if (!(mode & FWRITE)) error = EPERM; else { ! 
frsync(NULL); } break; default : *************** *** 377,382 **** --- 377,383 ---- } + #if 0 void fr_forgetifp(ifp) void *ifp; { *************** *** 412,417 **** --- 413,419 ---- RWLOCK_EXIT(&ipf_mutex); fr_natsync(ifp); } + #endif /* *************** *** 469,474 **** --- 471,482 ---- register struct uio *uio; int ioflag; { + + # ifdef IPFILTER_SYNC + if (GET_MINOR(dev) == IPL_LOGSYNC) + return ipfsync_read(uio); + # endif + #ifdef IPFILTER_LOG return ipflog_read(GET_MINOR(dev), uio); #else *************** *** 478,483 **** --- 486,515 ---- /* + * iplwrite + * both of these must operate with at least splnet() lest they be + * called during packet processing and cause an inconsistancy to appear in + * the filter lists. + */ + #if (BSD >= 199306) + int iplwrite(dev, uio, ioflag) + int ioflag; + #else + int iplwrite(dev, uio) + #endif + dev_t dev; + register struct uio *uio; + { + + #ifdef IPFILTER_SYNC + if (GET_MINOR(dev) == IPL_LOGSYNC) + return ipfsync_write(uio); + #endif + return ENXIO; + } + + + /* * fr_send_reset - this could conceivably be a call to tcp_respond(), but that * requires a large amount of setting up and isn't any more efficient. */ *************** *** 530,535 **** --- 562,568 ---- m->m_pkthdr.len = m->m_len; m->m_pkthdr.rcvif = (struct ifnet *)0; ip = mtod(m, struct ip *); + bzero((char *)ip, hlen); #ifdef USE_INET6 ip6 = (ip6_t *)ip; #endif *************** *** 556,562 **** #ifdef USE_INET6 if (fin->fin_v == 6) { ! ip6->ip6_flow = 0; ip6->ip6_plen = htons(sizeof(struct tcphdr)); ip6->ip6_nxt = IPPROTO_TCP; ip6->ip6_hlim = 0 --- 589,595 ---- #ifdef USE_INET6 if (fin->fin_v == 6) { ! ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons(sizeof(struct tcphdr)); ip6->ip6_nxt = IPPROTO_TCP; ip6->ip6_hlim = 0 *************** *** 581,595 **** fr_info_t *fin; mb_t *m, **mpp; { ip_t *ip, *oip; ip = mtod(m, ip_t *); ! 
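Review bot: Wrapping fr_forgetifp in `#if 0` … `#endif` keeps the entire function between old lines 377 and 417 of ip_fil_bsdos.c as dead text (this hunk and `*** 412,417 ****`), and the same is done to the copy in ip_fil_freebsd.c (`*** 581,586 ****` and `*** 616,621 ****`). The `extern void fr_forgetifp __P((void *));` line is still present in ip_fil.h's context in this diff, so a live definition presumably exists elsewhere; if it does, deleting the disabled copies rather than fencing them off avoids two stale variants drifting away from the real one, and version control already preserves the history. If the text is being kept on purpose, a one-line comment above each `#if 0` saying why, e.g. `/* disabled: <reason> */`, should accompany it.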
oip = fin->fin_ip; IP_V_A(ip, fin->fin_v); switch (fin->fin_v) { case 4 : IP_HL_A(ip, sizeof(*oip) >> 2); ip->ip_tos = oip->ip_tos; ip->ip_id = fin->fin_ip->ip_id; --- 614,632 ---- fr_info_t *fin; mb_t *m, **mpp; { + fr_info_t fnew; ip_t *ip, *oip; + int hlen; ip = mtod(m, ip_t *); ! bzero((char *)&fnew, sizeof(fnew)); IP_V_A(ip, fin->fin_v); switch (fin->fin_v) { case 4 : + fnew.fin_v = 4; + oip = fin->fin_ip; IP_HL_A(ip, sizeof(*oip) >> 2); ip->ip_tos = oip->ip_tos; ip->ip_id = fin->fin_ip->ip_id; *************** *** 596,601 **** --- 633,639 ---- ip->ip_off = ip_mtudisc ? IP_DF : 0; ip->ip_ttl = ip_defttl; ip->ip_sum = 0; + hlen = sizeof(*oip); break; #ifdef USE_INET6 case 6 : *************** *** 604,609 **** --- 642,650 ---- ip6->ip6_vfc = 0x60; ip6->ip6_hlim = IPDEFTTL; + + fnew.fin_v = 6; + hlen = sizeof(*ip6); } #endif default : *************** *** 612,618 **** #ifdef IPSEC m->m_pkthdr.rcvif = NULL; #endif ! return fr_fastroute(m, mpp, fin, NULL); } --- 653,669 ---- #ifdef IPSEC m->m_pkthdr.rcvif = NULL; #endif ! ! fnew.fin_ifp = fin->fin_ifp; ! fnew.fin_flx = FI_NOCKSUM; ! fnew.fin_m = m; ! fnew.fin_ip = ip; ! fnew.fin_mp = mpp; ! fnew.fin_hlen = hlen; ! fnew.fin_dp = (char *)ip + hlen; ! (void) fr_makefrip(hlen, ip, &fnew); ! ! return fr_fastroute(m, mpp, &fnew, NULL); } *************** *** 627,633 **** struct mbuf *m; void *ifp; #ifdef USE_INET6 ! ip6_t *ip6, *ip62; struct in6_addr dst6; #endif ip_t *ip, *ip2; --- 678,684 ---- struct mbuf *m; void *ifp; #ifdef USE_INET6 ! ip6_t *ip6; struct in6_addr dst6; #endif ip_t *ip, *ip2; *************** *** 654,661 **** return -1; avail = MHLEN; - avail = 0; - m = NULL; ifp = fin->fin_ifp; if (fin->fin_v == 4) { if ((fin->fin_p == IPPROTO_ICMP) && --- 705,710 ---- *************** *** 668,673 **** --- 717,723 ---- case ICMP_MASKREQ : break; default : + FREE_MB_T(m); return 0; } *************** *** 716,734 **** dst6 = fin->fin_dst6; } #endif ! 
iclen = hlen + sizeof(*icmp) + xtra; avail -= (max_linkhdr + iclen); - m->m_data += max_linkhdr; - m->m_pkthdr.rcvif = (struct ifnet *)0; - if (xtra > avail) - xtra = avail; - iclen += xtra; - m->m_pkthdr.len = iclen; if (avail < 0) { FREE_MB_T(m); return -1; } m->m_len = iclen; ip = mtod(m, ip_t *); icmp = (struct icmp *)((char *)ip + hlen); --- 766,788 ---- dst6 = fin->fin_dst6; } #endif + else { + FREE_MB_T(m); + return -1; + } ! iclen = hlen + sizeof(*icmp); avail -= (max_linkhdr + iclen); if (avail < 0) { FREE_MB_T(m); return -1; } + if (xtra > avail) + xtra = avail; + iclen += xtra; + m->m_data += max_linkhdr; + m->m_pkthdr.rcvif = (struct ifnet *)0; + m->m_pkthdr.len = iclen; m->m_len = iclen; ip = mtod(m, ip_t *); icmp = (struct icmp *)((char *)ip + hlen); *************** *** 748,756 **** #ifdef USE_INET6 ip6 = (ip6_t *)ip; if (fin->fin_v == 6) { ! ip62 = (ip6_t *)ip2; ! ! ip6->ip6_flow = 0; ip6->ip6_plen = htons(iclen - hlen); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_hlim = 0; --- 802,808 ---- #ifdef USE_INET6 ip6 = (ip6_t *)ip; if (fin->fin_v == 6) { ! ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons(iclen - hlen); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_hlim = 0; *************** *** 764,769 **** --- 816,822 ---- } else #endif { + ip2->ip_len = htons(ip2->ip_len); ip->ip_p = IPPROTO_ICMP; ip->ip_src.s_addr = dst4.s_addr; ip->ip_dst.s_addr = fin->fin_saddr; *************** *** 856,862 **** dst->sin_family = AF_INET; fr = fin->fin_fr; ! if (fdp) ifp = fdp->fd_ifp; else { ifp = fin->fin_ifp; --- 909,915 ---- dst->sin_family = AF_INET; fr = fin->fin_fr; ! if (fdp != NULL) ifp = fdp->fd_ifp; else { ifp = fin->fin_ifp; *************** *** 871,877 **** if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; dst->sin_addr = ip->ip_dst; ! } else if (fdp) { if (fdp->fd_ip.s_addr) { dst->sin_addr = fdp->fd_ip; ip->ip_dst = fdp->fd_ip; --- 924,931 ---- if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; dst->sin_addr = ip->ip_dst; ! } ! 
if (fdp != NULL) { if (fdp->fd_ip.s_addr) { dst->sin_addr = fdp->fd_ip; ip->ip_dst = fdp->fd_ip; diff -cr ip_fil4.1.3/ip_fil_freebsd.c ip_fil4.1.4/ip_fil_freebsd.c *** ip_fil4.1.3/ip_fil_freebsd.c Tue Jul 6 21:15:48 2004 --- ip_fil4.1.4/ip_fil_freebsd.c Sun Jan 9 01:28:16 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_freebsd.c,v 2.53.2.13 2004/07/06 11:15:48 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_freebsd.c,v 2.53.2.23 2005/01/08 14:28:16 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) *************** *** 403,409 **** --- 403,413 ---- # else ) # endif + #if defined(_KERNEL) && (__FreeBSD_version >= 502116) + struct cdev *dev; + #else dev_t dev; + #endif ioctlcmd_t cmd; caddr_t data; int mode; *************** *** 569,575 **** if (!(mode & FWRITE)) error = EPERM; else { ! frsync(); } break; default : --- 573,579 ---- if (!(mode & FWRITE)) error = EPERM; else { ! 
frsync(NULL); } break; default : *************** *** 581,586 **** --- 585,591 ---- } + #if 0 void fr_forgetifp(ifp) void *ifp; { *************** *** 616,621 **** --- 621,627 ---- RWLOCK_EXIT(&ipf_mutex); fr_natsync(ifp); } + #endif /* *************** *** 633,639 **** --- 639,649 ---- #else ) #endif + #if defined(_KERNEL) && (__FreeBSD_version >= 502116) + struct cdev *dev; + #else dev_t dev; + #endif int flags; { u_int min = GET_MINOR(dev); *************** *** 658,664 **** --- 668,678 ---- #else ) #endif + #if defined(_KERNEL) && (__FreeBSD_version >= 502116) + struct cdev *dev; + #else dev_t dev; + #endif int flags; { u_int min = GET_MINOR(dev); *************** *** 682,690 **** --- 696,714 ---- #else int iplread(dev, uio) #endif + #if defined(_KERNEL) && (__FreeBSD_version >= 502116) + struct cdev *dev; + #else dev_t dev; + #endif register struct uio *uio; { + + # ifdef IPFILTER_SYNC + if (GET_MINOR(dev) == IPL_LOGSYNC) + return ipfsync_read(uio); + # endif + #ifdef IPFILTER_LOG return ipflog_read(GET_MINOR(dev), uio); #else *************** *** 694,699 **** --- 718,747 ---- /* + * iplwrite + * both of these must operate with at least splnet() lest they be + * called during packet processing and cause an inconsistancy to appear in + * the filter lists. + */ + #if (BSD >= 199306) + int iplwrite(dev, uio, ioflag) + int ioflag; + #else + int iplwrite(dev, uio) + #endif + dev_t dev; + register struct uio *uio; + { + + #ifdef IPFILTER_SYNC + if (GET_MINOR(dev) == IPL_LOGSYNC) + return ipfsync_write(uio); + #endif + return ENXIO; + } + + + /* * fr_send_reset - this could conceivably be a call to tcp_respond(), but that * requires a large amount of setting up and isn't any more efficient. */ *************** *** 748,753 **** --- 796,802 ---- m->m_pkthdr.rcvif = (struct ifnet *)0; #endif ip = mtod(m, struct ip *); + bzero((char *)ip, hlen); #ifdef USE_INET6 ip6 = (ip6_t *)ip; #endif *************** *** 774,780 **** #ifdef USE_INET6 if (fin->fin_v == 6) { ! 
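Review bot: The new iplwrite in ip_fil_freebsd.c declares its first parameter as plain `dev_t dev`, while the sibling entry points patched in the hunks above (iplioctl, iplopen, iplclose, iplread) switch to `struct cdev *dev` under `#if defined(_KERNEL) && (__FreeBSD_version >= 502116)`, and the ip_fil.h change in this same diff declares `iplwrite __P((struct cdev*, struct uio *, int))` for that version range. Unless `dev_t` still aliases `struct cdev *` there, the definition conflicts with its own prototype and will not build for those kernels. The same conditional should wrap this declaration: `#if defined(_KERNEL) && (__FreeBSD_version >= 502116)` / `struct cdev *dev;` / `#else` `dev_t dev;` `#endif`. The copy in ip_fil_bsdos.c has no such split and is fine as written.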
ip6->ip6_flow = 0; ip6->ip6_plen = htons(sizeof(struct tcphdr)); ip6->ip6_nxt = IPPROTO_TCP; ip6->ip6_hlim = 0; --- 823,829 ---- #ifdef USE_INET6 if (fin->fin_v == 6) { ! ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons(sizeof(struct tcphdr)); ip6->ip6_nxt = IPPROTO_TCP; ip6->ip6_hlim = 0; *************** *** 799,812 **** --- 848,865 ---- fr_info_t *fin; mb_t *m, **mpp; { + fr_info_t fnew; ip_t *ip, *oip; + int hlen; ip = mtod(m, ip_t *); + bzero((char *)&fnew, sizeof(fnew)); IP_V_A(ip, fin->fin_v); switch (fin->fin_v) { case 4 : + fnew.fin_v = 4; oip = fin->fin_ip; IP_HL_A(ip, sizeof(*oip) >> 2); ip->ip_tos = oip->ip_tos; *************** *** 818,823 **** --- 871,877 ---- #endif ip->ip_ttl = ip_defttl; ip->ip_sum = 0; + hlen = sizeof(*oip); break; #ifdef USE_INET6 case 6 : *************** *** 827,832 **** --- 881,888 ---- ip6->ip6_vfc = 0x60; ip6->ip6_hlim = IPDEFTTL; + fnew.fin_v = 6; + hlen = sizeof(*ip6); break; } #endif *************** *** 836,842 **** #ifdef IPSEC m->m_pkthdr.rcvif = NULL; #endif ! return fr_fastroute(m, mpp, fin, NULL); } --- 892,908 ---- #ifdef IPSEC m->m_pkthdr.rcvif = NULL; #endif ! ! fnew.fin_ifp = fin->fin_ifp; ! fnew.fin_flx = FI_NOCKSUM; ! fnew.fin_m = m; ! fnew.fin_ip = ip; ! fnew.fin_mp = mpp; ! fnew.fin_hlen = hlen; ! fnew.fin_dp = (char *)ip + hlen; ! (void) fr_makefrip(hlen, ip, &fnew); ! ! return fr_fastroute(m, mpp, &fnew, NULL); } *************** *** 851,857 **** struct mbuf *m; void *ifp; #ifdef USE_INET6 ! ip6_t *ip6, *ip62; struct in6_addr dst6; #endif ip_t *ip, *ip2; --- 917,923 ---- struct mbuf *m; void *ifp; #ifdef USE_INET6 ! 
ip6_t *ip6; struct in6_addr dst6; #endif ip_t *ip, *ip2; *************** *** 881,887 **** xtra = 0; hlen = 0; ohlen = 0; - m = NULL; ifp = fin->fin_ifp; if (fin->fin_v == 4) { if ((fin->fin_p == IPPROTO_ICMP) && --- 947,952 ---- *************** *** 894,899 **** --- 959,965 ---- case ICMP_MASKREQ : break; default : + FREE_MB_T(m); return 0; } *************** *** 943,963 **** dst6 = fin->fin_dst6; } #endif ! else return -1; ! iclen = hlen + sizeof(*icmp) + xtra; avail -= (max_linkhdr + iclen); - m->m_data += max_linkhdr; - m->m_pkthdr.rcvif = (struct ifnet *)0; - if (xtra > avail) - xtra = avail; - iclen += xtra; - m->m_pkthdr.len = iclen; if (avail < 0) { FREE_MB_T(m); return -1; } m->m_len = iclen; ip = mtod(m, ip_t *); icmp = (struct icmp *)((char *)ip + hlen); --- 1009,1031 ---- dst6 = fin->fin_dst6; } #endif ! else { ! FREE_MB_T(m); return -1; + } ! iclen = hlen + sizeof(*icmp); avail -= (max_linkhdr + iclen); if (avail < 0) { FREE_MB_T(m); return -1; } + if (xtra > avail) + xtra = avail; + iclen += xtra; + m->m_data += max_linkhdr; + m->m_pkthdr.rcvif = (struct ifnet *)0; + m->m_pkthdr.len = iclen; m->m_len = iclen; ip = mtod(m, ip_t *); icmp = (struct icmp *)((char *)ip + hlen); *************** *** 977,985 **** #ifdef USE_INET6 ip6 = (ip6_t *)ip; if (fin->fin_v == 6) { ! ip62 = (ip6_t *)ip2; ! ! ip6->ip6_flow = 0; ip6->ip6_plen = htons(iclen - hlen); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_hlim = 0; --- 1045,1051 ---- #ifdef USE_INET6 ip6 = (ip6_t *)ip; if (fin->fin_v == 6) { ! ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons(iclen - hlen); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_hlim = 0; *************** *** 993,998 **** --- 1059,1065 ---- } else #endif { + ip2->ip_len = htons(ip2->ip_len); ip->ip_p = IPPROTO_ICMP; ip->ip_src.s_addr = dst4.s_addr; ip->ip_dst.s_addr = fin->fin_saddr; *************** *** 1114,1120 **** if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; ! 
} else if (fdp != NULL) { if (fdp->fd_ip.s_addr != 0) dst->sin_addr = fdp->fd_ip; } --- 1181,1188 ---- if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; ! } ! if (fdp != NULL) { if (fdp->fd_ip.s_addr != 0) dst->sin_addr = fdp->fd_ip; } *************** *** 1532,1535 **** --- 1600,1685 ---- len += m->m_len; } return len; + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_pullup */ + /* Returns: NULL == pullup failed, else pointer to protocol header */ + /* Parameters: m(I) - pointer to buffer where data packet starts */ + /* fin(I) - pointer to packet information */ + /* len(I) - number of bytes to pullup */ + /* */ + /* Attempt to move at least len bytes (from the start of the buffer) into a */ + /* single buffer for ease of access. Operating system native functions are */ + /* used to manage buffers - if necessary. If the entire packet ends up in */ + /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */ + /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */ + /* and ONLY if the pullup succeeds. */ + /* */ + /* We assume that 'min' is a pointer to a buffer that is part of the chain */ + /* of buffers that starts at *fin->fin_mp. */ + /* ------------------------------------------------------------------------ */ + void *fr_pullup(min, fin, len) + mb_t *min; + fr_info_t *fin; + int len; + { + int out = fin->fin_out, dpoff, ipoff; + mb_t *m = min; + char *ip; + + if (m == NULL) + return NULL; + + ip = (char *)fin->fin_ip; + if ((fin->fin_flx & FI_COALESCE) != 0) + return ip; + + ipoff = fin->fin_ipoff; + if (fin->fin_dp != NULL) + dpoff = (char *)fin->fin_dp - (char *)ip; + else + dpoff = 0; + + if (M_LEN(m) < len) { + #ifdef MHLEN + /* + * Assume that M_PKTHDR is set and just work with what is left + * rather than check.. + * Should not make any real difference, anyway. 
+ */ + if (len > MHLEN) + #else + if (len > MLEN) + #endif + { + #ifdef HAVE_M_PULLDOWN + if (m_pulldown(m, 0, len, NULL) == NULL) + m = NULL; + #else + FREE_MB_T(*fin->fin_mp); + m = NULL; + #endif + } else + { + m = m_pullup(m, len); + } + *fin->fin_mp = m; + fin->fin_m = m; + if (m == NULL) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + return NULL; + } + ip = MTOD(m, char *) + ipoff; + } + + ATOMIC_INCL(frstats[out].fr_pull[0]); + fin->fin_ip = (ip_t *)ip; + if (fin->fin_dp != NULL) + fin->fin_dp = (char *)fin->fin_ip + dpoff; + + if (len == fin->fin_plen) + fin->fin_flx |= FI_COALESCE; + return ip; } diff -cr ip_fil4.1.3/ip_fil_hpux.c ip_fil4.1.4/ip_fil_hpux.c *** ip_fil4.1.3/ip_fil_hpux.c Mon May 10 22:42:04 2004 --- ip_fil4.1.4/ip_fil_hpux.c Sun Jan 9 01:28:17 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_hpux.c,v 2.45.2.5 2004/05/10 12:42:04 darrenr Exp $"; #endif #include --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_hpux.c,v 2.45.2.10 2005/01/08 14:28:17 darrenr Exp $"; #endif #include *************** *** 474,479 **** --- 474,480 ---- m->b_wptr = m->b_rptr + hlen; bzero((char *)m->b_rptr, hlen); ip = (ip_t *)m->b_rptr; + bzero((char *)ip, hlen); ip->ip_v = fin->fin_v; tcp2 = (struct tcphdr *)(m->b_rptr + hlen - sizeof(*tcp2)); tcp2->th_dport = tcp->th_sport; *************** *** 496,501 **** --- 497,503 ---- #ifdef USE_INET6 if (fin->fin_v == 6) { ip6 = (ip6_t *)m->b_rptr; + ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_src = fin->fin_dst6; ip6->ip6_dst = fin->fin_src6; ip6->ip6_plen = htons(sizeof(*tcp)); *************** *** 508,514 **** ip->ip_id = fr_nextipid(fin); ip->ip_hl = sizeof(*ip) >> 2; ip->ip_p = IPPROTO_TCP; ! 
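Review bot: In the `#ifdef HAVE_M_PULLDOWN` branch of the new fr_pullup, the mbuf returned by m_pulldown() is discarded and `ip` is later computed from `MTOD(m, char *)`; the HISTORY entry on this page itself notes that m_pulldown() can hand back a different mbuf than the one passed in, in which case `ip` points into the wrong buffer. Keep the returned pointer (`mb_t *mn = m_pulldown(m, 0, len, NULL);`) and derive `ip` and `fin->fin_m` from `mn`, leaving `*fin->fin_mp` as the chain head. Relatedly, `*fin->fin_mp = m;` assumes `min` is the head of the chain, while the header comment only promises that `min` is somewhere in the chain starting at `*fin->fin_mp`; when it is not, the leading buffers appear to be dropped from fin_mp without being freed, and the pre-`min` link is left pointing at whatever m_pullup() did with the old mbuf. The ip_fil_hpux.c version further down relinks explicitly; the ip_fil_linux.c and ip_fil_netbsd.c copies of this function share the same head assumption and the same discarded-return issue applies to the NetBSD copy.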
ip->ip_len = htons(sizeof(*ip) + sizeof(*tcp)); ip->ip_tos = fin->fin_ip->ip_tos; tcp2->th_sum = fr_cksum(m, ip, IPPROTO_TCP, tcp2); } --- 510,516 ---- ip->ip_id = fr_nextipid(fin); ip->ip_hl = sizeof(*ip) >> 2; ip->ip_p = IPPROTO_TCP; ! ip->ip_len = sizeof(*ip) + sizeof(*tcp); ip->ip_tos = fin->fin_ip->ip_tos; tcp2->th_sum = fr_cksum(m, ip, IPPROTO_TCP, tcp2); } *************** *** 526,532 **** ip6_t *ip6; ip6 = (ip6_t *)m->b_rptr; - ip6->ip6_flow = 0; ip6->ip6_vfc = 0x60; ip6->ip6_hlim = 127; } else --- 528,533 ---- *************** *** 537,544 **** ip = (ip_t *)m->b_rptr; ip->ip_v = IPVERSION; ip->ip_ttl = *ip_ttl_ptr; ! ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(*ip)); ip->ip_off = htons(*ip_mtudisc == 1 ? IP_DF : 0); } i = pfil_sendbuf(m); READ_ENTER(&ipf_global); --- 538,546 ---- ip = (ip_t *)m->b_rptr; ip->ip_v = IPVERSION; ip->ip_ttl = *ip_ttl_ptr; ! ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(*ip_mtudisc == 1 ? IP_DF : 0); + ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(*ip)); } i = pfil_sendbuf(m); READ_ENTER(&ipf_global); *************** *** 638,643 **** --- 640,646 ---- csz = sz; sz -= sizeof(ip6_t); ip6 = (ip6_t *)m->b_rptr; + ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons((u_short)sz); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_src = dst6; *************** *** 652,658 **** ip->ip_p = IPPROTO_ICMP; ip->ip_id = fin->fin_ip->ip_id; ip->ip_tos = fin->fin_ip->ip_tos; ! ip->ip_len = htons((u_short)sz); if (dst == 0) { if (fr_ifpaddr(4, FRI_NORMAL, qpi->qpi_real, &dst4, NULL) == -1) { --- 655,661 ---- ip->ip_p = IPPROTO_ICMP; ip->ip_id = fin->fin_ip->ip_id; ip->ip_tos = fin->fin_ip->ip_tos; ! 
ip->ip_len = (u_short)sz; if (dst == 0) { if (fr_ifpaddr(4, FRI_NORMAL, qpi->qpi_real, &dst4, NULL) == -1) { *************** *** 665,670 **** --- 668,674 ---- ip->ip_dst = fin->fin_src; bcopy((char *)fin->fin_ip, (char *)&icmp->icmp_ip, sizeof(*fin->fin_ip)); + icmp->icmp_ip.ip_len = htons(icmp->icmp_ip.ip_len); bcopy((char *)fin->fin_ip + fin->fin_hlen, (char *)&icmp->icmp_ip + sizeof(*fin->fin_ip), 8); icmp->icmp_cksum = ipf_cksum((u_short *)icmp, *************** *** 852,854 **** --- 856,959 ---- # endif } #endif /* USE_INET6 */ + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_pullup */ + /* Returns: NULL == pullup failed, else pointer to protocol header */ + /* Parameters: m(I) - pointer to buffer where data packet starts */ + /* fin(I) - pointer to packet information */ + /* len(I) - number of bytes to pullup */ + /* */ + /* Attempt to move at least len bytes (from the start of the buffer) into a */ + /* single buffer for ease of access. Operating system native functions are */ + /* used to manage buffers - if necessary. If the entire packet ends up in */ + /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */ + /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */ + /* and ONLY if the pullup succeeds. */ + /* */ + /* We assume that 'min' is a pointer to a buffer that is part of the chain */ + /* of buffers that starts at *fin->fin_mp. 
*/ + /* ------------------------------------------------------------------------ */ + void *fr_pullup(min, fin, len) + mb_t *min; + fr_info_t *fin; + int len; + { + qpktinfo_t *qpi = fin->fin_qpi; + int out = fin->fin_out, dpoff, ipoff; + mb_t *m = min; + char *ip; + + if (m == NULL) + return NULL; + + ip = (char *)fin->fin_ip; + if ((fin->fin_flx & FI_COALESCE) != 0) + return ip; + + ipoff = fin->fin_ipoff; + if (fin->fin_dp != NULL) + dpoff = (char *)fin->fin_dp - (char *)ip; + else + dpoff = 0; + + if (M_LEN(m) < len) { + int inc = 0; + + if (ipoff > 0) { + if ((ipoff & 3) != 0) { + inc = 4 - (ipoff & 3); + if (m->b_rptr - inc >= m->b_datap->db_base) + m->b_rptr -= inc; + else + inc = 0; + } + } + m = msgpullup(min, len + ipoff + inc); + if (m == NULL) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + FREE_MB_T(*fin->fin_mp); + *fin->fin_mp = NULL; + fin->fin_m = NULL; + return NULL; + } + + /* + * Because msgpullup allocates a new mblk, we need to delink + * (and free) the old one and link on the new one. 
+ */ + if (min == *fin->fin_mp) { /* easy case 1st */ + FREE_MB_T(*fin->fin_mp); + *fin->fin_mp = m; + } else { + mb_t *m2; + + for (m2 = *fin->fin_mp; m2 != NULL; m2 = m2->b_next) + if (m2->b_next == min) + break; + if (m2 == NULL) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + FREE_MB_T(*fin->fin_mp); + FREE_MB_T(m); + return NULL; + } + FREE_MB_T(min); + m2->b_next = m; + } + + fin->fin_m = m; + m->b_rptr += inc; + ip = MTOD(m, char *) + ipoff; + qpi->qpi_data = ip; + } + + ATOMIC_INCL(frstats[out].fr_pull[0]); + fin->fin_ip = (ip_t *)ip; + if (fin->fin_dp != NULL) + fin->fin_dp = (char *)fin->fin_ip + dpoff; + + if (len == fin->fin_plen) + fin->fin_flx |= FI_COALESCE; + return ip; + } diff -cr ip_fil4.1.3/ip_fil_irix.c ip_fil4.1.4/ip_fil_irix.c *** ip_fil4.1.3/ip_fil_irix.c Tue May 25 00:00:06 2004 --- ip_fil4.1.4/ip_fil_irix.c Sun Jan 9 01:28:17 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_irix.c,v 2.42.2.6 2004/05/24 14:00:06 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_irix.c,v 2.42.2.14 2005/01/08 14:28:17 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) *************** *** 74,80 **** #endif static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **)); ! static int fr_send_ip __P((fr_info_t *, struct mbuf *)); extern ipfmutex_t ipf_rw; extern ipfrwlock_t ipf_mutex; --- 74,80 ---- #endif static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **)); ! static int fr_send_ip __P((fr_info_t *, struct mbuf *, struct mbuf **)); extern ipfmutex_t ipf_rw; extern ipfrwlock_t ipf_mutex; *************** *** 333,339 **** if (!(mode & FWRITE)) error = EPERM; else { ! 
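Review bot: The `m2 == NULL` failure path in the relink code frees `*fin->fin_mp` and `m` but, unlike the msgpullup() failure path a few lines above, leaves `*fin->fin_mp` and `fin->fin_m` pointing at freed memory; add `*fin->fin_mp = NULL; fin->fin_m = NULL;` before that `return NULL;` so callers that test fin_mp after a failed pullup do not touch a freed mblk. In the same block, `m2->b_next = m;` splices in the new mblk after `FREE_MB_T(min)` without first carrying `min->b_next` over to `m->b_next`, so if b_next links the rest of the chain (the traversal loop suggests it does) the buffers after `min` are detached; I cannot see from the hunk whether msgpullup() preserves that link, so please confirm. The easy case has the same shape: `*fin->fin_mp = m` replaces the old head after it was freed, again without preserving its b_next.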
frsync(); } break; default : --- 333,339 ---- if (!(mode & FWRITE)) error = EPERM; else { ! frsync(NULL); } break; default : *************** *** 345,350 **** --- 345,351 ---- } + #if 0 void fr_forgetifp(ifp) void *ifp; { *************** *** 380,385 **** --- 381,387 ---- RWLOCK_EXIT(&ipf_mutex); fr_natsync(ifp); } + #endif /* *************** *** 477,482 **** --- 479,485 ---- m->m_pkthdr.rcvif = (struct ifnet *)0; # endif ip = mtod(m, struct ip *); + bzero((char *)ip, hlen); # ifdef USE_INET6 ip6 = (ip6_t *)ip; # endif *************** *** 503,509 **** # ifdef USE_INET6 if (fin->fin_v == 6) { ! ip6->ip6_flow = 0; ip6->ip6_plen = htons(sizeof(struct tcphdr)); ip6->ip6_nxt = IPPROTO_TCP; ip6->ip6_hlim = 0; --- 506,512 ---- # ifdef USE_INET6 if (fin->fin_v == 6) { ! ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons(sizeof(struct tcphdr)); ip6->ip6_nxt = IPPROTO_TCP; ip6->ip6_hlim = 0; *************** *** 511,517 **** ip6->ip6_dst = fin->fin_src6; tcp2->th_sum = in6_cksum(m, IPPROTO_TCP, sizeof(*ip6), sizeof(*tcp2)); ! return fr_send_ip(fin, m); } # endif ip->ip_p = IPPROTO_TCP; --- 514,520 ---- ip6->ip6_dst = fin->fin_src6; tcp2->th_sum = in6_cksum(m, IPPROTO_TCP, sizeof(*ip6), sizeof(*tcp2)); ! return fr_send_ip(fin, m, &m); } # endif ip->ip_p = IPPROTO_TCP; *************** *** 520,541 **** ip->ip_dst.s_addr = fin->fin_saddr; tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2)); ip->ip_len = hlen + sizeof(*tcp2); ! return fr_send_ip(fin, m); } ! static int fr_send_ip(fin, m) fr_info_t *fin; ! struct mbuf *m; { ip_t *ip; ip = mtod(m, ip_t *); IP_V_A(ip, fin->fin_v); switch (fin->fin_v) { case 4 : IP_HL_A(ip, sizeof(ip_t) >> 2); ip->ip_tos = fin->fin_ip->ip_tos; ip->ip_id = fin->fin_ip->ip_id; --- 523,548 ---- ip->ip_dst.s_addr = fin->fin_saddr; tcp2->th_sum = in_cksum(m, hlen + sizeof(*tcp2)); ip->ip_len = hlen + sizeof(*tcp2); ! return fr_send_ip(fin, m, &m); } ! static int fr_send_ip(fin, m, mpp) fr_info_t *fin; ! 
struct mbuf *m, **mpp; { + fr_info_t fnew; ip_t *ip; + int hlen; ip = mtod(m, ip_t *); + bzero((char *)&fnew, sizeof(fnew)); IP_V_A(ip, fin->fin_v); switch (fin->fin_v) { case 4 : + fnew.fin_v = 4; IP_HL_A(ip, sizeof(ip_t) >> 2); ip->ip_tos = fin->fin_ip->ip_tos; ip->ip_id = fin->fin_ip->ip_id; *************** *** 543,548 **** --- 550,556 ---- ip->ip_off = IP_DF; ip->ip_ttl = tcp_ttl; ip->ip_sum = 0; + hlen = sizeof(*ip); break; #ifdef USE_INET6 case 6 : *************** *** 560,566 **** #ifdef IPSEC m->m_pkthdr.rcvif = NULL; #endif ! return fr_fastroute(m, &m, fin, NULL); } --- 568,584 ---- #ifdef IPSEC m->m_pkthdr.rcvif = NULL; #endif ! ! fnew.fin_ifp = fin->fin_ifp; ! fnew.fin_flx = FI_NOCKSUM; ! fnew.fin_m = m; ! fnew.fin_ip = ip; ! fnew.fin_mp = mpp; ! fnew.fin_hlen = hlen; ! fnew.fin_dp = (char *)ip + hlen; ! (void) fr_makefrip(hlen, ip, &fnew); ! ! return fr_fastroute(m, mpp, &fnew, NULL); } *************** *** 596,602 **** #endif avail = 0; - m = NULL; ifp = fin->fin_ifp; if (fin->fin_v == 4) { if ((fin->fin_p == IPPROTO_ICMP) && --- 614,619 ---- *************** *** 661,680 **** dst6 = fin->fin_dst6; } #endif ! iclen = hlen + sizeof(*icmp) + xtra; # if (BSD >= 199103) avail -= (max_linkhdr + iclen); m->m_data += max_linkhdr; m->m_pkthdr.rcvif = (struct ifnet *)0; m->m_pkthdr.len = iclen; #else avail -= (m->m_off + iclen); - #endif if (avail < 0) { ! m_freem(m); return -1; } m->m_len = iclen; ip = mtod(m, ip_t *); icmp = (struct icmp *)((char *)ip + hlen); --- 678,707 ---- dst6 = fin->fin_dst6; } #endif + else { + FREE_MB_T(m); + return -1; + } ! iclen = hlen + sizeof(*icmp); # if (BSD >= 199103) avail -= (max_linkhdr + iclen); + if (avail < 0) { + FREE_MB_T(m); + return -1; + } m->m_data += max_linkhdr; m->m_pkthdr.rcvif = (struct ifnet *)0; + iclen += xtra; m->m_pkthdr.len = iclen; #else avail -= (m->m_off + iclen); if (avail < 0) { ! 
FREE_MB_T(m); return -1; } + iclen += xtra; + #endif m->m_len = iclen; ip = mtod(m, ip_t *); icmp = (struct icmp *)((char *)ip + hlen); *************** *** 696,702 **** if (fin->fin_v == 6) { ip62 = (ip6_t *)ip2; ! ip6->ip6_flow = 0; ip6->ip6_plen = htons(iclen - hlen); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_hlim = 0; --- 723,730 ---- if (fin->fin_v == 6) { ip62 = (ip6_t *)ip2; ! ip62->ip6_plen = htons(ip62->ip6_plen); ! ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons(iclen - hlen); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_hlim = 0; *************** *** 710,715 **** --- 738,744 ---- } else #endif { + ip2->ip_len = htons(ip2->ip_len); ip->ip_p = IPPROTO_ICMP; ip->ip_src.s_addr = dst4.s_addr; ip->ip_dst.s_addr = fin->fin_saddr; *************** *** 722,728 **** ip->ip_len = iclen; ip->ip_p = IPPROTO_ICMP; } ! err = fr_send_ip(fin, m); return err; } --- 751,757 ---- ip->ip_len = iclen; ip->ip_p = IPPROTO_ICMP; } ! err = fr_send_ip(fin, m, &m); return err; } *************** *** 807,813 **** dst->sin_family = AF_INET; fr = fin->fin_fr; ! if (fdp) ifp = fdp->fd_ifp; else { ifp = fin->fin_ifp; --- 836,842 ---- dst->sin_family = AF_INET; fr = fin->fin_fr; ! if (fdp != NULL) ifp = fdp->fd_ifp; else { ifp = fin->fin_ifp; *************** *** 822,828 **** if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; dst->sin_addr = ip->ip_dst; ! } else if (fdp) dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst; rtalloc(ro); --- 851,858 ---- if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; dst->sin_addr = ip->ip_dst; ! } ! if (fdp != NULL) dst->sin_addr = fdp->fd_ip.s_addr ? 
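Review bot: In both branches of the `# if (BSD >= 199103)` conditional, `iclen += xtra;` is now applied after the `avail < 0` check, whereas the removed code folded `xtra` into `iclen` before subtracting from `avail`; the check therefore no longer covers the extra bytes, and `m->m_len = iclen` can exceed the buffer when `xtra` is larger than the remaining `avail`. The FreeBSD and NetBSD versions of this same change on the page insert `if (xtra > avail) xtra = avail;` between the `avail < 0` check and the addition. Unless `xtra` is bounded earlier in the function (its start lies outside the hunk), add that clamp here in both branches before `iclen += xtra;`.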
fdp->fd_ip : ip->ip_dst; rtalloc(ro); *************** *** 1223,1225 **** --- 1253,1315 ---- #endif } #endif /* USE_INET6 */ + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_pullup */ + /* Returns: NULL == pullup failed, else pointer to protocol header */ + /* Parameters: m(I) - pointer to buffer where data packet starts */ + /* fin(I) - pointer to packet information */ + /* len(I) - number of bytes to pullup */ + /* */ + /* Attempt to move at least len bytes (from the start of the buffer) into a */ + /* single buffer for ease of access. Operating system native functions are */ + /* used to manage buffers - if necessary. If the entire packet ends up in */ + /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */ + /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */ + /* and ONLY if the pullup succeeds. */ + /* */ + /* We assume that 'min' is a pointer to a buffer that is part of the chain */ + /* of buffers that starts at *fin->fin_mp. 
*/ + /* ------------------------------------------------------------------------ */ + void *fr_pullup(min, fin, len) + mb_t *min; + fr_info_t *fin; + int len; + { + int out = fin->fin_out, dpoff; + mb_t *m = min; + char *ip; + + if (m == NULL) + return NULL; + + ip = (char *)fin->fin_ip; + if ((fin->fin_flx & FI_COALESCE) != 0) + return ip; + + if (fin->fin_dp != NULL) + dpoff = (char *)fin->fin_dp - (char *)ip; + else + dpoff = 0; + + if (M_LEN(m) < len) { + KMALLOCS(fin->fin_hbuf, void *, fin->fin_plen); + if (fin->fin_hbuf == NULL) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + return NULL; + } + m_copydata(m, 0, fin->fin_plen, fin->fin_hbuf); + ip = fin->fin_hbuf; + fin->fin_flx |= FI_COALESCE; + } else if (len == fin->fin_plen) { + fin->fin_flx |= FI_COALESCE; + } + + ATOMIC_INCL(frstats[out].fr_pull[0]); + fin->fin_ip = (ip_t *)ip; + if (fin->fin_dp != NULL) + fin->fin_dp = (char *)fin->fin_ip + dpoff; + + return ip; + } diff -cr ip_fil4.1.3/ip_fil_linux.c ip_fil4.1.4/ip_fil_linux.c *** ip_fil4.1.3/ip_fil_linux.c Mon Jul 19 21:28:04 2004 --- ip_fil4.1.4/ip_fil_linux.c Sun Jan 9 01:28:18 2005 *************** *** 1,13 **** ! #if LINUX >= 020600 # define __irq_h 1 /* stop it being included! */ #else # define _LINUX_TCP_H #endif ! #include #include "ipf-linux.h" #include #include #include --- 1,16 ---- ! #include ! #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) # define __irq_h 1 /* stop it being included! */ #else # define _LINUX_TCP_H #endif ! #include #include "ipf-linux.h" + #include #include + #include #include *************** *** 23,29 **** static u_int ipf_linux_inout __P((u_int, struct sk_buff **, const struct net_device *, const struct net_device *, int (*okfn)(struct sk_buff *))); ! #if LINUX >= 020600 static struct nf_hook_ops ipf_hooks[] = { { .hook = ipf_linux_inout, --- 26,32 ---- static u_int ipf_linux_inout __P((u_int, struct sk_buff **, const struct net_device *, const struct net_device *, int (*okfn)(struct sk_buff *))); ! 
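Review bot: The IRIX fr_pullup copies `fin->fin_plen` bytes from offset 0 of `m` into `fin->fin_hbuf` and sets `ip = fin->fin_hbuf`, but unlike the other platform versions on this page it never uses `fin->fin_ipoff`, so when the IP header does not start at the beginning of the buffer `fin_ip` ends up pointing at whatever precedes it. Either copy from the header offset (`m_copydata(m, fin->fin_ipoff, fin->fin_plen, fin->fin_hbuf);`) or add a comment stating that fin_ipoff is always 0 on this platform. The KMALLOCS also overwrites any existing `fin->fin_hbuf` and nothing in the hunk frees it, and because `fin_ip` now refers to the private copy, any header rewrite done through `fin_ip` no longer reaches the mbuf; I cannot tell from here who owns and consumes fin_hbuf, so a comment on its lifetime would help the next reader.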
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) static struct nf_hook_ops ipf_hooks[] = { { .hook = ipf_linux_inout, *************** *** 259,265 **** if (!(mode & FWRITE)) error = EPERM; else { ! frsync(); } break; default : --- 262,268 ---- if (!(mode & FWRITE)) error = EPERM; else { ! frsync(NULL); } break; default : *************** *** 319,324 **** --- 322,328 ---- bzero(MTOD(m, char *), hlen); ip = MTOD(m, ip_t *); + bzero((char *)ip, hlen); ip->ip_v = fin->fin_v; tcp2 = (tcphdr_t *)((char *)ip + hlen - sizeof(*tcp2)); tcp2->th_dport = tcp->th_sport; *************** *** 332,338 **** tcp2->th_ack = htonl(tcp2->th_ack); tcp2->th_flags = TH_RST|TH_ACK; } ! tcp2->th_off = sizeof(struct tcphdr) >> 2; #ifdef USE_INET6 if (fin->fin_v == 6) { --- 336,342 ---- tcp2->th_ack = htonl(tcp2->th_ack); tcp2->th_flags = TH_RST|TH_ACK; } ! tcp2->th_off = sizeof(*tcp2) >> 2; #ifdef USE_INET6 if (fin->fin_v == 6) { *************** *** 359,372 **** --- 363,380 ---- fr_info_t *fin; struct sk_buff *sk, **skp; { + fr_info_t fnew; ip_t *ip, *oip; + int hlen; ip = MTOD(sk, ip_t *); + bzero((char *)&fnew, sizeof(fnew)); oip = fin->fin_ip; switch (fin->fin_v) { case 4 : + fnew.fin_v = 4; ip->ip_hl = sizeof(*oip) >> 2; ip->ip_tos = oip->ip_tos; ip->ip_id = 0; *************** *** 373,384 **** ip->ip_ttl = sysctl_ip_default_ttl; ip->ip_sum = 0; ip->ip_off = 0x4000; break; default : return EINVAL; } ! return fr_fastroute(sk, skp, fin, NULL); } --- 381,402 ---- ip->ip_ttl = sysctl_ip_default_ttl; ip->ip_sum = 0; ip->ip_off = 0x4000; + hlen = sizeof(*ip); break; default : return EINVAL; } ! fnew.fin_ifp = fin->fin_ifp; ! fnew.fin_flx = FI_NOCKSUM; ! fnew.fin_m = sk; ! fnew.fin_ip = ip; ! fnew.fin_mp = skp; ! fnew.fin_hlen = hlen; ! fnew.fin_dp = (char *)ip + hlen; ! (void) fr_makefrip(hlen, ip, &fnew); ! ! return fr_fastroute(sk, skp, &fnew, NULL); } *************** *** 477,484 **** if (isdst == 0) { if (fr_ifpaddr(6, FRI_NORMAL, qif->qf_ill, ! 
(struct in_addr *)&dst6, NULL) == -1) return -1; } else dst6 = fin->fin_dst6; --- 495,504 ---- if (isdst == 0) { if (fr_ifpaddr(6, FRI_NORMAL, qif->qf_ill, ! (struct in_addr *)&dst6, NULL) == -1) { ! FREE_MB_T(m); return -1; + } } else dst6 = fin->fin_dst6; *************** *** 501,508 **** ip->ip_len = (u_short)sz; if (isdst == 0) { if (fr_ifpaddr(4, FRI_NORMAL, fin->fin_ifp, ! &dst4, NULL) == -1) return -1; } else dst4 = fin->fin_dst; ip->ip_src = dst4; --- 521,530 ---- ip->ip_len = (u_short)sz; if (isdst == 0) { if (fr_ifpaddr(4, FRI_NORMAL, fin->fin_ifp, ! &dst4, NULL) == -1) { ! FREE_MB_T(m); return -1; + } } else dst4 = fin->fin_dst; ip->ip_src = dst4; *************** *** 509,514 **** --- 531,537 ---- ip->ip_dst = fin->fin_src; bcopy((char *)fin->fin_ip, (char *)&icmp->icmp_ip, sizeof(*fin->fin_ip)); + icmp->icmp_ip.ip_len = htons(fin->fin_plen); bcopy((char *)fin->fin_ip + fin->fin_hlen, (char *)&icmp->icmp_ip + sizeof(*fin->fin_ip), 8); icmp->icmp_cksum = ip_compute_csum((u_char *)icmp, *************** *** 597,603 **** if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; ! } else if (fdp) { if (fdp->fd_ip.s_addr) dip = fdp->fd_ip; } --- 620,627 ---- if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; ! } ! if (fdp != NULL) { if (fdp->fd_ip.s_addr) dip = fdp->fd_ip; } *************** *** 605,611 **** switch (fin->fin_v) { case 4 : ! #if LINUX < 020600 err = ip_route_output(&rt, dip.s_addr, 0, RT_TOS(ip->ip_tos) | RTO_CONN, 0); #else --- 629,635 ---- switch (fin->fin_v) { case 4 : ! #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) err = ip_route_output(&rt, dip.s_addr, 0, RT_TOS(ip->ip_tos) | RTO_CONN, 0); #else *************** *** 662,668 **** } min->dst = &rt->u.dst; ! #if LINUX < 020421 if (min->len > min->dst->pmtu) { err = EMSGSIZE; goto bad; --- 686,692 ---- } min->dst = &rt->u.dst; ! 
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,4,21) if (min->len > min->dst->pmtu) { err = EMSGSIZE; goto bad; *************** *** 1015,1018 **** --- 1039,1103 ---- return m; kfree_skb(m); return NULL; + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_pullup */ + /* Returns: NULL == pullup failed, else pointer to protocol header */ + /* Parameters: m(I) - pointer to buffer where data packet starts */ + /* fin(I) - pointer to packet information */ + /* len(I) - number of bytes to pullup */ + /* */ + /* Attempt to move at least len bytes (from the start of the buffer) into a */ + /* single buffer for ease of access. Operating system native functions are */ + /* used to manage buffers - if necessary. If the entire packet ends up in */ + /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */ + /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */ + /* and ONLY if the pullup succeeds. */ + /* */ + /* We assume that 'min' is a pointer to a buffer that is part of the chain */ + /* of buffers that starts at *fin->fin_mp. 
*/ + /* ------------------------------------------------------------------------ */ + void *fr_pullup(min, fin, len) + mb_t *min; + fr_info_t *fin; + int len; + { + int out = fin->fin_out, dpoff, ipoff; + mb_t *m = min; + char *ip; + + if (m == NULL) + return NULL; + + ip = (char *)fin->fin_ip; + if ((fin->fin_flx & FI_COALESCE) != 0) + return ip; + + ipoff = fin->fin_ipoff; + if (fin->fin_dp != NULL) + dpoff = (char *)fin->fin_dp - (char *)ip; + else + dpoff = 0; + + if (M_LEN(m) < len) { + m = m_pullup(m, len); + *fin->fin_mp = m; + fin->fin_m = m; + if (m == NULL) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + return NULL; + } + ip = MTOD(m, char *) + ipoff; + } + + ATOMIC_INCL(frstats[out].fr_pull[0]); + fin->fin_ip = (ip_t *)ip; + if (fin->fin_dp != NULL) + fin->fin_dp = (char *)fin->fin_ip + dpoff; + + if (len == fin->fin_plen) + fin->fin_flx |= FI_COALESCE; + return ip; } diff -cr ip_fil4.1.3/ip_fil_netbsd.c ip_fil4.1.4/ip_fil_netbsd.c *** ip_fil4.1.3/ip_fil_netbsd.c Tue Jul 6 21:15:50 2004 --- ip_fil4.1.4/ip_fil_netbsd.c Sun Jan 9 01:28:19 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_netbsd.c,v 2.55.2.12 2004/07/06 11:15:50 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ip_fil_netbsd.c,v 2.55.2.23 2005/01/08 14:28:19 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) *************** *** 78,84 **** --- 78,86 ---- # define csuminfo csum_flags #endif + #if __NetBSD_Version__ < 200000000 extern struct protosw inetsw[]; + #endif static int (*fr_savep) __P((ip_t *, int, void *, int, struct mbuf **)); static int fr_send_ip __P((fr_info_t *, mb_t *, mb_t **)); *************** *** 128,133 **** --- 130,149 ---- struct ip *ip = mtod(*mp, struct ip *); int rv, hlen = ip->ip_hl << 2; + #if __NetBSD_Version >= 200080000 + /* + * ensure that mbufs are writable beforehand + * as it's assumed by ipf code. + * XXX inefficient + */ + error = m_makewritable(mp, 0, M_COPYALL, M_DONTWAIT); + if (error) { + m_freem(*mp); + *mp = NULL; + return error; + } + #endif + #if defined(M_CSUM_TCPv4) /* * If the packet is out-bound, we can't delay checksums *************** *** 562,568 **** if (!(mode & FWRITE)) error = EPERM; else { ! frsync(); } break; default : --- 578,584 ---- if (!(mode & FWRITE)) error = EPERM; else { ! frsync(NULL); } break; default : *************** *** 574,579 **** --- 590,596 ---- } + #if 0 void fr_forgetifp(ifp) void *ifp; { *************** *** 609,614 **** --- 626,632 ---- RWLOCK_EXIT(&ipf_mutex); fr_natsync(ifp); } + #endif /* *************** *** 670,675 **** --- 688,699 ---- dev_t dev; register struct uio *uio; { + + # ifdef IPFILTER_SYNC + if (GET_MINOR(dev) == IPL_LOGSYNC) + return ipfsync_read(uio); + # endif + #ifdef IPFILTER_LOG return ipflog_read(GET_MINOR(dev), uio); #else *************** *** 679,684 **** --- 703,732 ---- /* + * iplwrite + * both of these must operate with at least splnet() lest they be + * called during packet processing and cause an inconsistancy to appear in + * the filter lists. 
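Review bot: The new m_makewritable() block is guarded by `#if __NetBSD_Version >= 200080000`, which is missing the trailing underscores; the same file spells it `__NetBSD_Version__` in the hunk just above, and an undefined identifier evaluates to 0 in `#if`, so this block is silently never compiled on any NetBSD. Change it to `#if __NetBSD_Version__ >= 200080000` and consider building with -Wundef to catch this class of typo. Once it does compile, `error` must be declared in that function — only `rv` and `hlen` are declared in the visible lines — which I cannot confirm from the hunk.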
+ */ + #if (BSD >= 199306) + int iplwrite(dev, uio, ioflag) + int ioflag; + #else + int iplwrite(dev, uio) + #endif + dev_t dev; + register struct uio *uio; + { + + #ifdef IPFILTER_SYNC + if (GET_MINOR(dev) == IPL_LOGSYNC) + return ipfsync_write(uio); + #endif + return ENXIO; + } + + + /* * fr_send_reset - this could conceivably be a call to tcp_respond(), but that * requires a large amount of setting up and isn't any more efficient. */ *************** *** 733,738 **** --- 781,787 ---- m->m_pkthdr.len = m->m_len; m->m_pkthdr.rcvif = (struct ifnet *)0; ip = mtod(m, struct ip *); + bzero((char *)ip, hlen); #ifdef USE_INET6 ip6 = (ip6_t *)ip; #endif *************** *** 760,766 **** #ifdef USE_INET6 if (fin->fin_v == 6) { ! ip6->ip6_flow = 0; ip6->ip6_plen = htons(sizeof(struct tcphdr)); ip6->ip6_nxt = IPPROTO_TCP; ip6->ip6_hlim = 0; --- 809,815 ---- #ifdef USE_INET6 if (fin->fin_v == 6) { ! ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons(sizeof(struct tcphdr)); ip6->ip6_nxt = IPPROTO_TCP; ip6->ip6_hlim = 0; *************** *** 785,798 **** --- 834,851 ---- fr_info_t *fin; mb_t *m, **mpp; { + fr_info_t fnew; ip_t *ip, *oip; + int hlen; ip = mtod(m, ip_t *); + bzero((char *)&fnew, sizeof(fnew)); IP_V_A(ip, fin->fin_v); switch (fin->fin_v) { case 4 : + fnew.fin_v = 4; oip = fin->fin_ip; IP_HL_A(ip, sizeof(*oip) >> 2); ip->ip_tos = oip->ip_tos; *************** *** 800,805 **** --- 853,859 ---- ip->ip_off = ip_mtudisc ? IP_DF : 0; ip->ip_ttl = ip_defttl; ip->ip_sum = 0; + hlen = sizeof(*oip); break; #ifdef USE_INET6 case 6 : *************** *** 809,814 **** --- 863,870 ---- ip6->ip6_vfc = 0x60; ip6->ip6_hlim = IPDEFTTL; + fnew.fin_v = 6; + hlen = sizeof(*ip6); break; } #endif *************** *** 818,824 **** #ifdef IPSEC m->m_pkthdr.rcvif = NULL; #endif ! return fr_fastroute(m, mpp, fin, NULL); } --- 874,890 ---- #ifdef IPSEC m->m_pkthdr.rcvif = NULL; #endif ! ! fnew.fin_ifp = fin->fin_ifp; ! fnew.fin_flx = FI_NOCKSUM; ! fnew.fin_m = m; ! 
fnew.fin_ip = ip; ! fnew.fin_mp = mpp; ! fnew.fin_hlen = hlen; ! fnew.fin_dp = (char *)ip + hlen; ! (void) fr_makefrip(hlen, ip, &fnew); ! ! return fr_fastroute(m, mpp, &fnew, NULL); } *************** *** 833,839 **** struct mbuf *m; void *ifp; #ifdef USE_INET6 ! ip6_t *ip6, *ip62; struct in6_addr dst6; #endif ip_t *ip, *ip2; --- 899,905 ---- struct mbuf *m; void *ifp; #ifdef USE_INET6 ! ip6_t *ip6; struct in6_addr dst6; #endif ip_t *ip, *ip2; *************** *** 860,871 **** return -1; avail = MHLEN; - xtra = 0; hlen = 0; ohlen = 0; - avail = 0; - m = NULL; ifp = fin->fin_ifp; if (fin->fin_v == 4) { if ((fin->fin_p == IPPROTO_ICMP) && --- 926,934 ---- *************** *** 878,883 **** --- 941,947 ---- case ICMP_MASKREQ : break; default : + FREE_MB_T(m); return 0; } *************** *** 929,949 **** dst6 = fin->fin_dst6; } #endif ! else return -1; ! iclen = hlen + sizeof(*icmp) + xtra; avail -= (max_linkhdr + iclen); - m->m_data += max_linkhdr; - m->m_pkthdr.rcvif = (struct ifnet *)0; - if (xtra > avail) - xtra = avail; - iclen += xtra; - m->m_pkthdr.len = iclen; if (avail < 0) { FREE_MB_T(m); return -1; } m->m_len = iclen; ip = mtod(m, ip_t *); icmp = (struct icmp *)((char *)ip + hlen); --- 993,1015 ---- dst6 = fin->fin_dst6; } #endif ! else { ! FREE_MB_T(m); return -1; + } ! iclen = hlen + sizeof(*icmp); avail -= (max_linkhdr + iclen); if (avail < 0) { FREE_MB_T(m); return -1; } + if (xtra > avail) + xtra = avail; + iclen += xtra; + m->m_data += max_linkhdr; + m->m_pkthdr.rcvif = (struct ifnet *)0; + m->m_pkthdr.len = iclen; m->m_len = iclen; ip = mtod(m, ip_t *); icmp = (struct icmp *)((char *)ip + hlen); *************** *** 970,978 **** #ifdef USE_INET6 ip6 = (ip6_t *)ip; if (fin->fin_v == 6) { ! ip62 = (ip6_t *)ip2; ! ! ip6->ip6_flow = 0; ip6->ip6_plen = htons(iclen - hlen); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_hlim = 0; --- 1036,1042 ---- #ifdef USE_INET6 ip6 = (ip6_t *)ip; if (fin->fin_v == 6) { ! 
ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons(iclen - hlen); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_hlim = 0; *************** *** 986,991 **** --- 1050,1056 ---- } else #endif { + ip2->ip_len = htons(ip2->ip_len); ip->ip_p = IPPROTO_ICMP; ip->ip_src.s_addr = dst4.s_addr; ip->ip_dst.s_addr = fin->fin_saddr; *************** *** 1018,1026 **** u_short ip_off; frentry_t *fr; - #ifdef USE_INET6 if (fin->fin_v == 6) { error = ipfr_fastroute6(m0, mpp, fin, fdp); if ((error != 0) && (*mpp != NULL)) { FREE_MB_T(*mpp); *mpp = NULL; --- 1083,1094 ---- u_short ip_off; frentry_t *fr; if (fin->fin_v == 6) { + #ifdef USE_INET6 error = ipfr_fastroute6(m0, mpp, fin, fdp); + #else + error = EPROTONOSUPPORT; + #endif if ((error != 0) && (*mpp != NULL)) { FREE_MB_T(*mpp); *mpp = NULL; *************** *** 1027,1033 **** } return error; } - #endif hlen = fin->fin_hlen; ip = mtod(m0, struct ip *); --- 1095,1100 ---- *************** *** 1065,1072 **** */ if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) ! return 0; ! } else if (fdp != NULL) { if (fdp->fd_ip.s_addr != 0) dst->sin_addr = fdp->fd_ip; } --- 1132,1140 ---- */ if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) ! return -1; ! } ! if (fdp != NULL) { if (fdp->fd_ip.s_addr != 0) dst->sin_addr = fdp->fd_ip; } *************** *** 1127,1137 **** --- 1195,1215 ---- * If small enough for interface, can just send directly. 
*/ if (ip->ip_len <= ifp->if_mtu) { + int i = 0; + + if (m->m_flags & M_EXT) + i = 1; + ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); #if defined(M_CSUM_IPv4) + # if (__NetBSD_Version__ >= 105009999) + #if (ifp->if_csum_flags_tx & M_CSUM_IPv4) + m->m_pkthdr.csuminfo |= M_CSUM_IPv4; + # else if (ifp->if_capabilities & IFCAP_CSUM_IPv4) m->m_pkthdr.csuminfo |= M_CSUM_IPv4; + # endif /* (__NetBSD_Version__ >= 105009999) */ else if (ip->ip_sum == 0) ip->ip_sum = in_cksum(m, hlen); #else *************** *** 1140,1147 **** --- 1218,1230 ---- #endif /* M_CSUM_IPv4 */ error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, ro->ro_rt); + if (i) { + ip->ip_len = ntohs(ip->ip_len); + ip->ip_off = ntohs(ip->ip_off); + } goto done; } + /* * Too large for interface; fragment if possible. * Must be able to put at least 8 bytes per fragment. *************** *** 1265,1270 **** --- 1348,1354 ---- struct route_in6 ip6route; struct sockaddr_in6 *dst6; struct route_in6 *ro; + struct rtentry *rt; struct ifnet *ifp; frentry_t *fr; u_long mtu; *************** *** 1286,1292 **** if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) return 0; ! } else if (fdp != NULL) { if (IP6_NOTZERO(&fdp->fd_ip6)) dst6->sin6_addr = fdp->fd_ip6.in6; } --- 1370,1377 ---- if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) return 0; ! } ! if (fdp != NULL) { if (IP6_NOTZERO(&fdp->fd_ip6)) dst6->sin6_addr = fdp->fd_ip6.in6; } *************** *** 1301,1306 **** --- 1386,1393 ---- goto bad; } + rt = fdp ? NULL : ro->ro_rt; + /* KAME */ if (IN6_IS_ADDR_LINKLOCAL(&dst6->sin6_addr)) dst6->sin6_addr.s6_addr16[1] = htons(ifp->if_index); *************** *** 1322,1329 **** #endif if ((error == 0) && (m0->m_pkthdr.len <= mtu)) { *mpp = NULL; ! error = nd6_output(ifp, fin->fin_ifp, m0, ! dst6, ro->ro_rt); } else { error = EMSGSIZE; } --- 1409,1415 ---- #endif if ((error == 0) && (m0->m_pkthdr.len <= mtu)) { *mpp = NULL; ! 
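Review bot: `#if (ifp->if_csum_flags_tx & M_CSUM_IPv4)` is a preprocessor directive applied to a runtime expression; `->` is not valid in a `#if` line, so this fails to preprocess, and its own `# else`/`# endif` also appear to leave the `# if (__NetBSD_Version__ >= 105009999)` level unclosed until `#endif /* M_CSUM_IPv4 */`, unbalancing the conditional nest. It should be a C `if` mirroring the older-API branch: `if (ifp->if_csum_flags_tx & M_CSUM_IPv4)` followed by `m->m_pkthdr.csuminfo |= M_CSUM_IPv4;`, with the directive nest reduced to `# if (__NetBSD_Version__ >= 105009999)` / `# else` / `# endif` around the two `if` forms so that the trailing `else if (ip->ip_sum == 0)` attaches to whichever one is compiled.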
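Review bot: The `if (i)` block added after `(*ifp->if_output)(...)` reads and writes `ip->ip_len` and `ip->ip_off` through a pointer into an mbuf that has already been handed to the driver, which may have transmitted and freed it by then; the M_EXT test suggests the intent is to undo the byte swap on a cluster shared with the original packet, but it is still a write into memory this function no longer owns. If the caller's copy of the header must stay in host order, make the header private before swapping (pull it into a non-shared mbuf, or apply the swap to a copy) rather than patching it after the send. The enclosing fr_fastroute() starts and ends outside this hunk.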
error = nd6_output(ifp, ifp, m0, dst6, rt); } else { error = EMSGSIZE; } *************** *** 1631,1634 **** --- 1717,1802 ---- len += m->m_len; } return len; + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_pullup */ + /* Returns: NULL == pullup failed, else pointer to protocol header */ + /* Parameters: m(I) - pointer to buffer where data packet starts */ + /* fin(I) - pointer to packet information */ + /* len(I) - number of bytes to pullup */ + /* */ + /* Attempt to move at least len bytes (from the start of the buffer) into a */ + /* single buffer for ease of access. Operating system native functions are */ + /* used to manage buffers - if necessary. If the entire packet ends up in */ + /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */ + /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */ + /* and ONLY if the pullup succeeds. */ + /* */ + /* We assume that 'min' is a pointer to a buffer that is part of the chain */ + /* of buffers that starts at *fin->fin_mp. */ + /* ------------------------------------------------------------------------ */ + void *fr_pullup(min, fin, len) + mb_t *min; + fr_info_t *fin; + int len; + { + int out = fin->fin_out, dpoff, ipoff; + mb_t *m = min; + char *ip; + + if (m == NULL) + return NULL; + + ip = (char *)fin->fin_ip; + if ((fin->fin_flx & FI_COALESCE) != 0) + return ip; + + ipoff = fin->fin_ipoff; + if (fin->fin_dp != NULL) + dpoff = (char *)fin->fin_dp - (char *)ip; + else + dpoff = 0; + + if (M_LEN(m) < len) { + #ifdef MHLEN + /* + * Assume that M_PKTHDR is set and just work with what is left + * rather than check.. + * Should not make any real difference, anyway. 
+ */ + if (len > MHLEN) + #else + if (len > MLEN) + #endif + { + #ifdef HAVE_M_PULLDOWN + if (m_pulldown(m, 0, len, NULL) == NULL) + m = NULL; + #else + FREE_MB_T(*fin->fin_mp); + m = NULL; + #endif + } else + { + m = m_pullup(m, len); + } + *fin->fin_mp = m; + fin->fin_m = m; + if (m == NULL) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + return NULL; + } + ip = MTOD(m, char *) + ipoff; + } + + ATOMIC_INCL(frstats[out].fr_pull[0]); + fin->fin_ip = (ip_t *)ip; + if (fin->fin_dp != NULL) + fin->fin_dp = (char *)fin->fin_ip + dpoff; + + if (len == fin->fin_plen) + fin->fin_flx |= FI_COALESCE; + return ip; } diff -cr ip_fil4.1.3/ip_fil_openbsd.c ip_fil4.1.4/ip_fil_openbsd.c *** ip_fil4.1.3/ip_fil_openbsd.c Wed Jun 23 06:57:49 2004 --- ip_fil4.1.4/ip_fil_openbsd.c Sun Jan 9 01:28:19 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_openbsd.c,v 2.50.2.10 2004/06/22 20:57:49 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_openbsd.c,v 2.50.2.20 2005/01/08 14:28:19 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) *************** *** 327,333 **** if (!(mode & FWRITE)) error = EPERM; else { ! frsync(); } break; default : --- 327,333 ---- if (!(mode & FWRITE)) error = EPERM; else { ! 
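Review bot: fr_pullup tests `M_LEN(m) < len` and pulls up only `len` bytes, but `ip` is located at `ipoff` into the mbuf (`ip = MTOD(m, char *) + ipoff`), so after a successful pullup only `M_LEN(m) - ipoff` bytes of header are guaranteed contiguous and a caller that asked for `len` bytes of header can read past the first mbuf. The Solaris copy of this function in the same release asks for `len + ipoff`; the BSD copies should do the same, `if (M_LEN(m) < len + ipoff)` together with `m_pullup(m, len + ipoff)`, `m_pulldown(m, 0, len + ipoff, NULL)` and the `MHLEN`/`MLEN` comparison, unless `fin_ipoff` is always 0 on these platforms, which this hunk does not show. The identical body appears in the OpenBSD and OSF files of this diff and needs the same change.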
frsync(NULL); } break; default : *************** *** 339,344 **** --- 339,345 ---- } + #if 0 void fr_forgetifp(ifp) void *ifp; { *************** *** 374,379 **** --- 375,381 ---- RWLOCK_EXIT(&ipf_mutex); fr_natsync(ifp); } + #endif /* *************** *** 421,426 **** --- 423,434 ---- register struct uio *uio; int ioflag; { + + # ifdef IPFILTER_SYNC + if (GET_MINOR(dev) == IPL_LOGSYNC) + return ipfsync_read(uio); + # endif + #ifdef IPFILTER_LOG return ipflog_read(GET_MINOR(dev), uio); #else *************** *** 430,435 **** --- 438,467 ---- /* + * iplwrite + * both of these must operate with at least splnet() lest they be + * called during packet processing and cause an inconsistancy to appear in + * the filter lists. + */ + #if (BSD >= 199306) + int iplwrite(dev, uio, ioflag) + int ioflag; + #else + int iplwrite(dev, uio) + #endif + dev_t dev; + register struct uio *uio; + { + + #ifdef IPFILTER_SYNC + if (GET_MINOR(dev) == IPL_LOGSYNC) + return ipfsync_write(uio); + #endif + return ENXIO; + } + + + /* * fr_send_reset - this could conceivably be a call to tcp_respond(), but that * requires a large amount of setting up and isn't any more efficient. */ *************** *** 482,487 **** --- 514,520 ---- m->m_pkthdr.len = m->m_len; m->m_pkthdr.rcvif = (struct ifnet *)0; ip = mtod(m, struct ip *); + bzero((char *)ip, hlen); #ifdef USE_INET6 ip6 = (ip6_t *)ip; #endif *************** *** 508,514 **** #ifdef USE_INET6 if (fin->fin_v == 6) { ! ip6->ip6_flow = 0; ip6->ip6_plen = htons(sizeof(struct tcphdr)); ip6->ip6_nxt = IPPROTO_TCP; ip6->ip6_hlim = 0; --- 541,547 ---- #ifdef USE_INET6 if (fin->fin_v == 6) { ! 
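Review bot: The comment introduced with iplwrite in hunk 430,435 still says `both of these must operate with at least splnet()`, wording copied from the iplread/ipllog block above it, so it now describes a pair of functions that does not exist. Replace it with a sentence about this function, e.g. `iplwrite - only the state-sync minor (IPL_LOGSYNC) accepts writes; every other minor returns ENXIO.` It is also worth one line noting that the data is passed straight to `ipfsync_write()` and presumably ends up in the state/NAT tables, which is why the permissions on that device node matter; and the `# ifdef IPFILTER_SYNC` spelling in the iplread hunk differs from the `#ifdef` used here.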
ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons(sizeof(struct tcphdr)); ip6->ip6_nxt = IPPROTO_TCP; ip6->ip6_hlim = 0; *************** *** 533,546 **** --- 566,583 ---- fr_info_t *fin; mb_t *m, **mpp; { + fr_info_t fnew; ip_t *ip, *oip; + int hlen; ip = mtod(m, ip_t *); + bzero((char *)&fnew, sizeof(fnew)); IP_V_A(ip, fin->fin_v); switch (fin->fin_v) { case 4 : + fnew.fin_v = 4; oip = fin->fin_ip; IP_HL_A(ip, sizeof(*oip) >> 2); ip->ip_tos = oip->ip_tos; *************** *** 548,553 **** --- 585,591 ---- ip->ip_off = ip_mtudisc ? IP_DF : 0; ip->ip_ttl = ip_defttl; ip->ip_sum = 0; + hlen = sizeof(*oip); break; #ifdef USE_INET6 case 6 : *************** *** 557,562 **** --- 595,602 ---- ip6->ip6_vfc = 0x60; ip6->ip6_hlim = IPDEFTTL; + fnew.fin_v = 6; + hlen = sizeof(*ip6); break; } #endif *************** *** 566,572 **** #ifdef IPSEC m->m_pkthdr.rcvif = NULL; #endif ! return fr_fastroute(m, mpp, fin, NULL); } --- 606,622 ---- #ifdef IPSEC m->m_pkthdr.rcvif = NULL; #endif ! ! fnew.fin_ifp = fin->fin_ifp; ! fnew.fin_flx = FI_NOCKSUM; ! fnew.fin_m = m; ! fnew.fin_ip = ip; ! fnew.fin_mp = mpp; ! fnew.fin_hlen = hlen; ! fnew.fin_dp = (char *)ip + hlen; ! (void) fr_makefrip(hlen, ip, &fnew); ! ! return fr_fastroute(m, mpp, &fnew, NULL); } *************** *** 581,587 **** struct mbuf *m; void *ifp; #ifdef USE_INET6 ! ip6_t *ip6, *ip62; struct in6_addr dst6; #endif ip_t *ip, *ip2; --- 631,637 ---- struct mbuf *m; void *ifp; #ifdef USE_INET6 ! ip6_t *ip6; struct in6_addr dst6; #endif ip_t *ip, *ip2; *************** *** 611,618 **** xtra = 0; hlen = 0; ohlen = 0; - avail = 0; - m = NULL; ifp = fin->fin_ifp; if (fin->fin_v == 4) { if ((fin->fin_p == IPPROTO_ICMP) && --- 661,666 ---- *************** *** 625,630 **** --- 673,679 ---- case ICMP_MASKREQ : break; default : + FREE_MB_T(m); return 0; } *************** *** 674,694 **** dst6 = fin->fin_dst6; } #endif ! else return -1; ! 
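Review bot: In the new tail of fr_send_ip (hunk 566,572) the result of `fr_makefrip(hlen, ip, &fnew)` is cast to void and `fr_fastroute` is then called with `&fnew` regardless; the other ports in this diff do the same, so if fr_makefrip is infallible for a header ipfilter has just built itself, say so at the call, `/* cannot fail: header was built by us, not parsed from the wire */`, and otherwise check the return and free `m` before returning. `fnew` is bzero'd, so `fin_fr`, `fin_rev` and the state fields are zero on entry to fr_fastroute, which is presumably what makes the `fdp == &fr->fr_tif` guards there inert for these synthetic packets; a comment on `fnew.fin_flx = FI_NOCKSUM` explaining that this packet must not be checksum-validated again would help the next reader. The start of fr_send_ip lies before the first of these hunks.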
iclen = hlen + sizeof(*icmp) + xtra; avail -= (max_linkhdr + iclen); - m->m_data += max_linkhdr; - m->m_pkthdr.rcvif = (struct ifnet *)0; - if (xtra > avail) - xtra = avail; - iclen += xtra; - m->m_pkthdr.len = iclen; if (avail < 0) { FREE_MB_T(m); return -1; } m->m_len = iclen; ip = mtod(m, ip_t *); icmp = (struct icmp *)((char *)ip + hlen); --- 723,745 ---- dst6 = fin->fin_dst6; } #endif ! else { ! FREE_MB_T(m); return -1; + } ! iclen = hlen + sizeof(*icmp); avail -= (max_linkhdr + iclen); if (avail < 0) { FREE_MB_T(m); return -1; } + if (xtra > avail) + xtra = avail; + iclen += xtra; + m->m_data += max_linkhdr; + m->m_pkthdr.rcvif = (struct ifnet *)0; + m->m_pkthdr.len = iclen; m->m_len = iclen; ip = mtod(m, ip_t *); icmp = (struct icmp *)((char *)ip + hlen); *************** *** 709,717 **** #ifdef USE_INET6 ip6 = (ip6_t *)ip; if (fin->fin_v == 6) { ! ip62 = (ip6_t *)ip2; ! ! ip6->ip6_flow = 0; ip6->ip6_plen = htons(iclen - hlen); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_hlim = 0; --- 760,766 ---- #ifdef USE_INET6 ip6 = (ip6_t *)ip; if (fin->fin_v == 6) { ! ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons(iclen - hlen); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_hlim = 0; *************** *** 725,730 **** --- 774,780 ---- } else #endif { + ip2->ip_len = htons(ip2->ip_len); ip->ip_p = IPPROTO_ICMP; ip->ip_src.s_addr = dst4.s_addr; ip->ip_dst.s_addr = fin->fin_saddr; *************** *** 817,823 **** if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; ! } else if (fdp != NULL) { if (fdp->fd_ip.s_addr != 0) dst->sin_addr = fdp->fd_ip; } --- 867,874 ---- if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; ! } ! if (fdp != NULL) { if (fdp->fd_ip.s_addr != 0) dst->sin_addr = fdp->fd_ip; } *************** *** 1038,1044 **** dst6 = (struct sockaddr_in6 *)&ro->ro_dst; dst6->sin6_family = AF_INET6; dst6->sin6_len = sizeof(struct sockaddr_in6); ! 
dst6->sin6_addr = fin->fin_fi.fi_src.in6; if (fdp != NULL) ifp = fdp->fd_ifp; --- 1089,1095 ---- dst6 = (struct sockaddr_in6 *)&ro->ro_dst; dst6->sin6_family = AF_INET6; dst6->sin6_len = sizeof(struct sockaddr_in6); ! dst6->sin6_addr = fin->fin_fi.fi_dst.in6; if (fdp != NULL) ifp = fdp->fd_ifp; *************** *** 1048,1059 **** if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) return 0; ! } else if (fdp != NULL) { if (IP6_NOTZERO(&fdp->fd_ip6)) dst6->sin6_addr = fdp->fd_ip6.in6; } - if (ifp == NULL) - return -2; rtalloc((struct route *)ro); --- 1099,1109 ---- if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) return 0; ! } ! if (fdp != NULL) { if (IP6_NOTZERO(&fdp->fd_ip6)) dst6->sin6_addr = fdp->fd_ip6.in6; } rtalloc((struct route *)ro); *************** *** 1328,1331 **** --- 1378,1463 ---- len += m->m_len; } return len; + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_pullup */ + /* Returns: NULL == pullup failed, else pointer to protocol header */ + /* Parameters: m(I) - pointer to buffer where data packet starts */ + /* fin(I) - pointer to packet information */ + /* len(I) - number of bytes to pullup */ + /* */ + /* Attempt to move at least len bytes (from the start of the buffer) into a */ + /* single buffer for ease of access. Operating system native functions are */ + /* used to manage buffers - if necessary. If the entire packet ends up in */ + /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */ + /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */ + /* and ONLY if the pullup succeeds. */ + /* */ + /* We assume that 'min' is a pointer to a buffer that is part of the chain */ + /* of buffers that starts at *fin->fin_mp. 
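Review bot: Hunk 1048,1059 removes the `if (ifp == NULL) return -2;` guard from ipfr_fastroute6, but `ifp` is still whatever `fdp->fd_ifp` or `fin->fin_ifp` supplied (hunk 1038,1044) and, if the OpenBSD body matches the NetBSD twin earlier in this diff, is dereferenced a few lines later for the link-local scope fix-up `htons(ifp->if_index)` and by `nd6_output()`; with the check gone a NULL interface on a `to`/`dup-to` rule becomes a kernel NULL dereference rather than an error. If the guard was dropped so that `rtalloc()` can choose the interface, set `ifp` from the route and fail if that is NULL too, `if (ifp == NULL && ro->ro_rt != NULL) ifp = ro->ro_rt->rt_ifp; if (ifp == NULL) goto bad;` (or whatever error exit this function uses). The rest of the function is outside the hunk.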
*/ + /* ------------------------------------------------------------------------ */ + void *fr_pullup(min, fin, len) + mb_t *min; + fr_info_t *fin; + int len; + { + int out = fin->fin_out, dpoff, ipoff; + mb_t *m = min; + char *ip; + + if (m == NULL) + return NULL; + + ip = (char *)fin->fin_ip; + if ((fin->fin_flx & FI_COALESCE) != 0) + return ip; + + ipoff = fin->fin_ipoff; + if (fin->fin_dp != NULL) + dpoff = (char *)fin->fin_dp - (char *)ip; + else + dpoff = 0; + + if (M_LEN(m) < len) { + #ifdef MHLEN + /* + * Assume that M_PKTHDR is set and just work with what is left + * rather than check.. + * Should not make any real difference, anyway. + */ + if (len > MHLEN) + #else + if (len > MLEN) + #endif + { + #ifdef HAVE_M_PULLDOWN + if (m_pulldown(m, 0, len, NULL) == NULL) + m = NULL; + #else + FREE_MB_T(*fin->fin_mp); + m = NULL; + #endif + } else + { + m = m_pullup(m, len); + } + *fin->fin_mp = m; + fin->fin_m = m; + if (m == NULL) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + return NULL; + } + ip = MTOD(m, char *) + ipoff; + } + + ATOMIC_INCL(frstats[out].fr_pull[0]); + fin->fin_ip = (ip_t *)ip; + if (fin->fin_dp != NULL) + fin->fin_dp = (char *)fin->fin_ip + dpoff; + + if (len == fin->fin_plen) + fin->fin_flx |= FI_COALESCE; + return ip; } diff -cr ip_fil4.1.3/ip_fil_osf.c ip_fil4.1.4/ip_fil_osf.c *** ip_fil4.1.3/ip_fil_osf.c Wed Jun 23 06:57:50 2004 --- ip_fil4.1.4/ip_fil_osf.c Sun Jan 9 01:28:20 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_osf.c,v 2.44.2.8 2004/06/22 20:57:50 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! 
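Review bot: In the `HAVE_M_PULLDOWN` branch of fr_pullup the return value of `m_pulldown(m, 0, len, NULL)` is only compared with NULL and then discarded, yet m_pulldown() may satisfy the request by copying the region into the next or a freshly inserted mbuf and returning that one, leaving `m` (the head) with a shortened or empty data area; the code then computes `ip = MTOD(m, char *) + ipoff` from the old head and hands out a pointer that no longer covers `len` contiguous bytes. Use the returned mbuf for the pointer: `mb_t *n = m_pulldown(m, 0, len, NULL); if (n == NULL) m = NULL; else ip = MTOD(n, char *) + ipoff;` while still storing the chain head in `*fin->fin_mp` and `fin->fin_m`. The identical body appears in the NetBSD and OSF files of this diff and needs the same change.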
static const char rcsid[] = "@(#)$Id: ip_fil_osf.c,v 2.44.2.17 2005/01/08 14:28:20 darrenr Exp $"; #endif #if defined(KERNEL) || defined(_KERNEL) *************** *** 337,343 **** if (!(mode & FWRITE)) error = EPERM; else { ! frsync(); } break; default : --- 337,343 ---- if (!(mode & FWRITE)) error = EPERM; else { ! frsync(NULL); } break; default : *************** *** 349,354 **** --- 349,355 ---- } + #if 0 void fr_forgetifp(ifp) void *ifp; { *************** *** 384,389 **** --- 385,391 ---- RWLOCK_EXIT(&ipf_mutex); fr_natsync(ifp); } + #endif /* *************** *** 488,493 **** --- 490,496 ---- m->m_pkthdr.rcvif = (struct ifnet *)0; ip = mtod(m, struct ip *); + bzero((char *)ip, hlen); #ifdef USE_INET6 ip6 = (ip6_t *)ip; #endif *************** *** 514,520 **** #ifdef USE_INET6 if (fin->fin_v == 6) { ! ip6->ip6_flow = 0; ip6->ip6_plen = htons(sizeof(struct tcphdr)); ip6->ip6_nxt = IPPROTO_TCP; ip6->ip6_hlim = 0; --- 517,523 ---- #ifdef USE_INET6 if (fin->fin_v == 6) { ! ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons(sizeof(struct tcphdr)); ip6->ip6_nxt = IPPROTO_TCP; ip6->ip6_hlim = 0; *************** *** 541,550 **** fr_info_t *fin; mb_t *m, **mpp; { ip_t *ip, *oip; ! int ttl; ip = mtod(m, ip_t *); switch (fin->fin_p) { --- 544,555 ---- fr_info_t *fin; mb_t *m, **mpp; { + fr_info_t fnew; ip_t *ip, *oip; ! int ttl, hlen; ip = mtod(m, ip_t *); + bzero((char *)&fnew, sizeof(fnew)); switch (fin->fin_p) { *************** *** 564,569 **** --- 569,575 ---- switch (fin->fin_v) { case 4 : + fnew.fin_v = 4; oip = fin->fin_ip; IP_HL_A(ip, sizeof(*oip) >> 2); ip->ip_tos = oip->ip_tos; *************** *** 571,576 **** --- 577,583 ---- ip->ip_off = 0; ip->ip_ttl = ttl; ip->ip_sum = 0; + hlen = sizeof(*oip); break; #ifdef USE_INET6 case 6 : *************** *** 577,588 **** { ip6_t *ip6 = (ip6_t *)ip; ! 
# if TRU64 <= 732 ip6->ip6_vcf = 0x60; # else ip6->ip6_vfc = 0x60; # endif ip6->ip6_hlim = ttl; } #endif default : --- 584,598 ---- { ip6_t *ip6 = (ip6_t *)ip; ! # if TRU64 <= 1885 ip6->ip6_vcf = 0x60; # else ip6->ip6_vfc = 0x60; # endif ip6->ip6_hlim = ttl; + + fnew.fin_v = 6; + hlen = sizeof(*ip6); } #endif default : *************** *** 591,597 **** #ifdef IPSEC m->m_pkthdr.rcvif = NULL; #endif ! return fr_fastroute(m, mpp, fin, NULL); } --- 601,617 ---- #ifdef IPSEC m->m_pkthdr.rcvif = NULL; #endif ! ! fnew.fin_ifp = fin->fin_ifp; ! fnew.fin_flx = FI_NOCKSUM; ! fnew.fin_m = m; ! fnew.fin_ip = ip; ! fnew.fin_mp = mpp; ! fnew.fin_hlen = hlen; ! fnew.fin_dp = (char *)ip + hlen; ! (void) fr_makefrip(hlen, ip, &fnew); ! ! return fr_fastroute(m, mpp, &fnew, NULL); } *************** *** 606,612 **** struct mbuf *m; void *ifp; #ifdef USE_INET6 ! ip6_t *ip6, *ip62; struct in6_addr dst6; #endif ip_t *ip, *ip2; --- 626,632 ---- struct mbuf *m; void *ifp; #ifdef USE_INET6 ! ip6_t *ip6; struct in6_addr dst6; #endif ip_t *ip, *ip2; *************** *** 633,639 **** return -1; avail = MHLEN; - m = NULL; ifp = fin->fin_ifp; if (fin->fin_v == 4) { if ((fin->fin_p == IPPROTO_ICMP) && --- 653,658 ---- *************** *** 646,651 **** --- 665,671 ---- case ICMP_MASKREQ : break; default : + FREE_MB_T(m); return 0; } *************** *** 694,699 **** --- 714,723 ---- dst6 = fin->fin_dst6; } #endif + else { + FREE_MB_T(m); + return -1; + } iclen = hlen + sizeof(*icmp) + xtra; avail -= (max_linkhdr + iclen); *************** *** 727,735 **** #ifdef USE_INET6 ip6 = (ip6_t *)ip; if (fin->fin_v == 6) { ! ip62 = (ip6_t *)ip2; ! ! ip6->ip6_flow = 0; ip6->ip6_plen = htons(iclen - hlen); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_hlim = 0; --- 751,757 ---- #ifdef USE_INET6 ip6 = (ip6_t *)ip; if (fin->fin_v == 6) { ! 
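Review bot: In hunk 577,588 the `case 6 :` block of fr_send_ip ends with `hlen = sizeof(*ip6); }` and the `#endif` runs straight into `default :` with no `break`, so on a USE_INET6 build an IPv6 reset falls through into the default arm; if that arm returns an error as the SunOS copy does, every IPv6 `return-rst` on this platform fails and the mbuf is never released. This predates the commit, but the new assignments make the fall-through more consequential; add `break;` after `hlen = sizeof(*ip6);` inside the braces. The default arm's body is outside the hunk, so its behaviour is inferred from the sibling ports.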
ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons(iclen - hlen); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_hlim = 0; *************** *** 745,750 **** --- 767,773 ---- } else #endif { + ip2->ip_len = htons(ip2->ip_len); ip->ip_p = IPPROTO_ICMP; ip->ip_src.s_addr = dst4.s_addr; ip->ip_dst.s_addr = fin->fin_saddr; *************** *** 856,862 **** dst->sin_family = AF_INET; fr = fin->fin_fr; ! if (fdp) ifp = fdp->fd_ifp; else { ifp = fin->fin_ifp; --- 879,885 ---- dst->sin_family = AF_INET; fr = fin->fin_fr; ! if (fdp != NULL) ifp = fdp->fd_ifp; else { ifp = fin->fin_ifp; *************** *** 871,877 **** if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; dst->sin_addr = ip->ip_dst; ! } else if (fdp) { if (fdp->fd_ip.s_addr) { dst->sin_addr = fdp->fd_ip; ip->ip_dst = fdp->fd_ip; --- 894,901 ---- if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; dst->sin_addr = ip->ip_dst; ! } ! if (fdp != NULL) { if (fdp->fd_ip.s_addr) { dst->sin_addr = fdp->fd_ip; ip->ip_dst = fdp->fd_ip; *************** *** 1315,1318 **** --- 1339,1424 ---- len += m->m_len; } return len; + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_pullup */ + /* Returns: NULL == pullup failed, else pointer to protocol header */ + /* Parameters: m(I) - pointer to buffer where data packet starts */ + /* fin(I) - pointer to packet information */ + /* len(I) - number of bytes to pullup */ + /* */ + /* Attempt to move at least len bytes (from the start of the buffer) into a */ + /* single buffer for ease of access. Operating system native functions are */ + /* used to manage buffers - if necessary. If the entire packet ends up in */ + /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */ + /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */ + /* and ONLY if the pullup succeeds. 
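Review bot: With the `else if` turned into a plain `if` in hunk 871,877, a reverse-direction packet that has a `fdp` with a non-zero `fd_ip` now gets `ip->ip_dst = fdp->fd_ip` written into the packet header itself, not just into the route `dst`, after the line above already chose `dst->sin_addr = ip->ip_dst`. Rewriting `ip_dst` changes bytes covered by `ip_sum`, so unless the checksum is recomputed further down (not visible here) the packet leaves with a stale header checksum; the NetBSD and OpenBSD twins in this diff only update the route destination and leave the header alone. Either drop the `ip->ip_dst` assignment for parity with the other ports, or keep it with a recompute and a comment explaining why OSF needs the header rewrite. The function continues beyond the hunk.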
*/ + /* */ + /* We assume that 'min' is a pointer to a buffer that is part of the chain */ + /* of buffers that starts at *fin->fin_mp. */ + /* ------------------------------------------------------------------------ */ + void *fr_pullup(min, fin, len) + mb_t *min; + fr_info_t *fin; + int len; + { + int out = fin->fin_out, dpoff, ipoff; + mb_t *m = min; + char *ip; + + if (m == NULL) + return NULL; + + ip = (char *)fin->fin_ip; + if ((fin->fin_flx & FI_COALESCE) != 0) + return ip; + + ipoff = fin->fin_ipoff; + if (fin->fin_dp != NULL) + dpoff = (char *)fin->fin_dp - (char *)ip; + else + dpoff = 0; + + if (M_LEN(m) < len) { + #ifdef MHLEN + /* + * Assume that M_PKTHDR is set and just work with what is left + * rather than check.. + * Should not make any real difference, anyway. + */ + if (len > MHLEN) + #else + if (len > MLEN) + #endif + { + #ifdef HAVE_M_PULLDOWN + if (m_pulldown(m, 0, len, NULL) == NULL) + m = NULL; + #else + FREE_MB_T(*fin->fin_mp); + m = NULL; + #endif + } else + { + m = m_pullup(m, len); + } + *fin->fin_mp = m; + fin->fin_m = m; + if (m == NULL) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + return NULL; + } + ip = MTOD(m, char *) + ipoff; + } + + ATOMIC_INCL(frstats[out].fr_pull[0]); + fin->fin_ip = (ip_t *)ip; + if (fin->fin_dp != NULL) + fin->fin_dp = (char *)fin->fin_ip + dpoff; + + if (len == fin->fin_plen) + fin->fin_flx |= FI_COALESCE; + return ip; } diff -cr ip_fil4.1.3/ip_fil_solaris.c ip_fil4.1.4/ip_fil_solaris.c *** ip_fil4.1.3/ip_fil_solaris.c Mon May 10 22:42:07 2004 --- ip_fil4.1.4/ip_fil_solaris.c Sun Jan 9 01:28:21 2005 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_solaris.c,v 2.62.2.5 2004/05/10 12:42:07 darrenr Exp $"; #endif #include --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! 
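Review bot: fr_pullup's header comment says `min` may be any buffer in the chain that starts at `*fin->fin_mp`, but the body unconditionally stores the pullup result into `*fin->fin_mp` and `fin->fin_m`, which is only correct when `min` is the chain head; for an interior mbuf the head is silently replaced and the leading mbufs leak, and on the `#else` path `FREE_MB_T(*fin->fin_mp)` frees a chain the caller's `min` was part of. The Solaris version of this function in the same diff handles `min != *fin->fin_mp` explicitly by walking the chain and relinking, so either do the same here or tighten the contract and enforce it, e.g. `if (m != *fin->fin_mp) return NULL; /* caller must pass the chain head */` with the comment corrected to match. The same wording and body are repeated in the NetBSD and OpenBSD files.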
static const char rcsid[] = "@(#)$Id: ip_fil_solaris.c,v 2.62.2.15 2005/01/08 14:28:21 darrenr Exp $"; #endif #include *************** *** 57,63 **** extern int fr_flags, fr_active; ! static int fr_send_ip __P((fr_info_t *fin, mblk_t *m)); ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; --- 57,63 ---- extern int fr_flags, fr_active; ! static int fr_send_ip __P((fr_info_t *fin, mblk_t *m, mblk_t **mp)); ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_stinsert; ipfmutex_t ipf_nat_new, ipf_natio, ipf_timeoutlock; *************** *** 522,528 **** #endif /* IPFILTER_LOG */ - #ifdef IPFILTER_SYNC /* * iplread/ipllog * both of these must operate with at least splnet() lest they be --- 522,527 ---- *************** *** 537,547 **** #ifdef IPFDEBUG cmn_err(CE_CONT, "iplwrite(%x,%x,%x)\n", dev, uio, cp); #endif ! if (getminor(dev) != IPL_LOGSYNC) ! return ENXIO; ! return ipfsync_write(uio); ! } #endif /* IPFILTER_SYNC */ /* --- 536,547 ---- #ifdef IPFDEBUG cmn_err(CE_CONT, "iplwrite(%x,%x,%x)\n", dev, uio, cp); #endif ! #ifdef IPFILTER_SYNC ! if (getminor(dev) == IPL_LOGSYNC) ! return ipfsync_write(uio); #endif /* IPFILTER_SYNC */ + return ENXIO; + } /* *************** *** 582,588 **** m->b_rptr += 64; MTYPE(m) = M_DATA; m->b_wptr = m->b_rptr + hlen; ! bzero((char *)m->b_rptr, hlen); tcp2 = (struct tcphdr *)(m->b_rptr + hlen - sizeof(*tcp2)); tcp2->th_dport = tcp->th_sport; tcp2->th_sport = tcp->th_dport; --- 582,589 ---- m->b_rptr += 64; MTYPE(m) = M_DATA; m->b_wptr = m->b_rptr + hlen; ! ip = (ip_t *)m->b_rptr; ! 
bzero((char *)ip, hlen); tcp2 = (struct tcphdr *)(m->b_rptr + hlen - sizeof(*tcp2)); tcp2->th_dport = tcp->th_sport; tcp2->th_sport = tcp->th_dport; *************** *** 597,607 **** } tcp2->th_off = sizeof(struct tcphdr) >> 2; - ip = (ip_t *)m->b_rptr; ip->ip_v = fin->fin_v; #ifdef USE_INET6 if (fin->fin_v == 6) { ip6 = (ip6_t *)m->b_rptr; ip6->ip6_src = fin->fin_dst6; ip6->ip6_dst = fin->fin_src6; ip6->ip6_plen = htons(sizeof(*tcp)); --- 598,608 ---- } tcp2->th_off = sizeof(struct tcphdr) >> 2; ip->ip_v = fin->fin_v; #ifdef USE_INET6 if (fin->fin_v == 6) { ip6 = (ip6_t *)m->b_rptr; + ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_src = fin->fin_dst6; ip6->ip6_dst = fin->fin_src6; ip6->ip6_plen = htons(sizeof(*tcp)); *************** *** 614,648 **** ip->ip_id = fr_nextipid(fin); ip->ip_hl = sizeof(*ip) >> 2; ip->ip_p = IPPROTO_TCP; ! ip->ip_len = htons(sizeof(*ip) + sizeof(*tcp)); ip->ip_tos = fin->fin_ip->ip_tos; tcp2->th_sum = fr_cksum(m, ip, IPPROTO_TCP, tcp2); } ! return fr_send_ip(fin, m); } /*ARGSUSED*/ ! static int fr_send_ip(fin, m) fr_info_t *fin; ! mblk_t *m; { ! int i; #ifdef USE_INET6 if (fin->fin_v == 6) { ip6_t *ip6; ! ip6 = (ip6_t *)m->b_rptr; ! ip6->ip6_flow = 0; ip6->ip6_vfc = 0x60; ip6->ip6_hlim = 127; } else #endif { ! ip_t *ip; ! ! ip = (ip_t *)m->b_rptr; if (ip_ttl_ptr != NULL) ip->ip_ttl = (u_char)(*ip_ttl_ptr); else --- 615,655 ---- ip->ip_id = fr_nextipid(fin); ip->ip_hl = sizeof(*ip) >> 2; ip->ip_p = IPPROTO_TCP; ! ip->ip_len = sizeof(*ip) + sizeof(*tcp); ip->ip_tos = fin->fin_ip->ip_tos; tcp2->th_sum = fr_cksum(m, ip, IPPROTO_TCP, tcp2); } ! return fr_send_ip(fin, m, &m); } /*ARGSUSED*/ ! static int fr_send_ip(fin, m, mpp) fr_info_t *fin; ! mblk_t *m, **mpp; { ! qpktinfo_t qpi, *qpip; ! fr_info_t fnew; ! qif_t *qif; ! ip_t *ip; ! int i, hlen; + ip = (ip_t *)m->b_rptr; + bzero((char *)&fnew, sizeof(fnew)); + #ifdef USE_INET6 if (fin->fin_v == 6) { ip6_t *ip6; ! 
ip6 = (ip6_t *)ip; ip6->ip6_vfc = 0x60; ip6->ip6_hlim = 127; + fnew.fin_v = 6; + hlen = sizeof(*ip6); } else #endif { ! fnew.fin_v = 4; if (ip_ttl_ptr != NULL) ip->ip_ttl = (u_char)(*ip_ttl_ptr); else *************** *** 651,659 **** ip->ip_off = htons(*ip_mtudisc ? IP_DF : 0); else ip->ip_off = htons(IP_DF); ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(*ip)); } ! i = fr_fastroute(m, &m, fin, NULL); return i; } --- 658,700 ---- ip->ip_off = htons(*ip_mtudisc ? IP_DF : 0); else ip->ip_off = htons(IP_DF); + /* + * The dance with byte order and ip_len/ip_off is because in + * fr_fastroute, it expects them to be in host byte order but + * ipf_cksum expects them to be in network byte order. + */ + ip->ip_len = htons(ip->ip_len); ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(*ip)); + ip->ip_len = ntohs(ip->ip_len); + ip->ip_off = ntohs(ip->ip_off); + hlen = sizeof(*ip); } ! ! qpip = fin->fin_qpi; ! qpi.qpi_q = qpip->qpi_q; ! qpi.qpi_off = 0; ! qpi.qpi_name = qpip->qpi_name; ! qif = qpip->qpi_real; ! qpi.qpi_real = qif; ! qpi.qpi_ill = qif->qf_ill; ! qpi.qpi_hl = qif->qf_hl; ! qpi.qpi_ppa = qif->qf_ppa; ! qpi.qpi_num = qif->qf_num; ! qpi.qpi_flags = qif->qf_flags; ! qpi.qpi_max_frag = qif->qf_max_frag; ! qpi.qpi_m = m; ! qpi.qpi_data = ip; ! fnew.fin_qpi = &qpi; ! fnew.fin_ifp = fin->fin_ifp; ! fnew.fin_flx = FI_NOCKSUM; ! fnew.fin_m = m; ! fnew.fin_ip = ip; ! fnew.fin_mp = mpp; ! fnew.fin_hlen = hlen; ! fnew.fin_dp = (char *)ip + hlen; ! (void) fr_makefrip(hlen, ip, &fnew); ! ! 
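Review bot: In hunk 614,648 fr_send_reset now stores `ip->ip_len` in host order (`sizeof(*ip) + sizeof(*tcp)` without the former `htons`) and immediately calls `fr_cksum(m, ip, IPPROTO_TCP, tcp2)`, while the comment added in fr_send_ip below says `ipf_cksum` wants network order and `fr_fastroute` host order; if fr_cksum derives the TCP pseudo-header length from `ip->ip_len` the way ipf_cksum does, the RST now carries a wrong checksum and is silently discarded by the peer, which defeats `return-rst` without any error being reported. Confirm which byte order fr_cksum expects and either compute the pseudo-header length independently or wrap the call in the same swap used below, recording the expectation next to the call, e.g. `/* fr_cksum reads ip_len in host order here (see fr_send_ip) */`. The function body continues past the hunk.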
i = fr_fastroute(m, mpp, &fnew, NULL); return i; } *************** *** 759,764 **** --- 800,806 ---- csz = sz; sz -= sizeof(ip6_t); ip6 = (ip6_t *)m->b_rptr; + ip6->ip6_flow = ((ip6_t *)fin->fin_ip)->ip6_flow; ip6->ip6_plen = htons((u_short)sz); ip6->ip6_nxt = IPPROTO_ICMPV6; ip6->ip6_src = dst6; *************** *** 788,793 **** --- 830,836 ---- sizeof(*fin->fin_ip)); bcopy((char *)fin->fin_ip + fin->fin_hlen, (char *)&icmp->icmp_ip + sizeof(*fin->fin_ip), 8); + icmp->icmp_ip.ip_len = htons(icmp->icmp_ip.ip_len); icmp->icmp_cksum = ipf_cksum((u_short *)icmp, sz - sizeof(ip_t)); } *************** *** 796,802 **** * Need to exit out of these so we don't recursively call rw_enter * from fr_qout. */ ! return fr_send_ip(fin, m); } --- 839,845 ---- * Need to exit out of these so we don't recursively call rw_enter * from fr_qout. */ ! return fr_send_ip(fin, m, &m); } *************** *** 915,921 **** /* */ /* Returns the next IPv4 ID to use for this packet. */ /* ------------------------------------------------------------------------ */ ! INLINE u_short fr_nextipid(fin) fr_info_t *fin; { static u_short ipid = 0; --- 958,964 ---- /* */ /* Returns the next IPv4 ID to use for this packet. */ /* ------------------------------------------------------------------------ */ ! u_short fr_nextipid(fin) fr_info_t *fin; { static u_short ipid = 0; *************** *** 1072,1077 **** --- 1115,1121 ---- qpktinfo_t *qpi; frentry_t *fr; frdest_t fd; + qif_t *qif; ill_t *ifp; u_char *s; ip_t *ip; *************** *** 1083,1088 **** --- 1127,1133 ---- struct in6_addr dst6; #endif + dir = NULL; fr = fin->fin_fr; ip = fin->fin_ip; qpi = fin->fin_qpi; *************** *** 1108,1114 **** * If the fdp is NULL then there is no set route for this packet. */ if (fdp == NULL) { ! ifp = fin->fin_ifp; switch (fin->fin_v) { --- 1153,1159 ---- * If the fdp is NULL then there is no set route for this packet. */ if (fdp == NULL) { ! 
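Review bot: The block added in hunk 651,659 dereferences `fin->fin_qpi` (`qpip->qpi_q`, `qpip->qpi_real`) and then `qif->qf_ill` without checking either for NULL; fr_send_ip is reached from fr_send_reset and fr_send_icmp_err, so if any of their callers can present an `fin` without a queue-packet info block (a synthetic or non-STREAMS-originated packet, say) this is a kernel NULL dereference on the response path rather than a dropped reply. Add `if (qpip == NULL || qpip->qpi_real == NULL) { FREE_MB_T(m); return -1; }` before the copy, or document the invariant that `fin_qpi` and `qpi_real` are always set on this path. The byte-order comment here is the only place in the file that states which order `fr_fastroute` expects for `ip_len`/`ip_off`; moving that sentence to fr_fastroute's own header would make it discoverable from the function that actually has the requirement.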
qif = fin->fin_ifp; switch (fin->fin_v) { *************** *** 1123,1131 **** } fdp = &fd; } else { ! ifp = fdp->fd_ifp; ! if (ifp == NULL || ifp == (void *)-1) goto bad_fastroute; } --- 1168,1176 ---- } fdp = &fd; } else { ! qif = fdp->fd_ifp; ! if (qif == NULL || qif == (void *)-1) goto bad_fastroute; } *************** *** 1135,1141 **** * direction. */ if ((fr != NULL) && (fin->fin_rev != 0)) { ! if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; dst.s_addr = fin->fin_fi.fi_daddr; } else { --- 1180,1186 ---- * direction. */ if ((fr != NULL) && (fin->fin_rev != 0)) { ! if ((qif != NULL) && (fdp == &fr->fr_tif)) return -1; dst.s_addr = fin->fin_fi.fi_daddr; } else { *************** *** 1178,1185 **** dir = NULL; #else if (dir != NULL) ! if (dir->ire_fp_mp == NULL || dir->ire_dlureq_mp == NULL) dir = NULL; #endif if (dir != NULL) { --- 1223,1232 ---- dir = NULL; #else if (dir != NULL) ! if (dir->ire_fp_mp == NULL || dir->ire_dlureq_mp == NULL) { ! ire_refrele(dir); dir = NULL; + } #endif if (dir != NULL) { *************** *** 1194,1204 **** #endif if (fin->fin_out == 0) { ! void *saveifp; u_32_t pass; ! saveifp = fin->fin_ifp; ! fin->fin_ifp = ifp; fin->fin_out = 1; fr_acctpkt(fin, &pass); fin->fin_fr = NULL; --- 1241,1251 ---- #endif if (fin->fin_out == 0) { ! void *saveqif; u_32_t pass; ! saveqif = fin->fin_ifp; ! fin->fin_ifp = qif; fin->fin_out = 1; fr_acctpkt(fin, &pass); fin->fin_fr = NULL; *************** *** 1218,1224 **** } fin->fin_out = 0; ! fin->fin_ifp = saveifp; } #ifndef sparc if (fin->fin_v == 4) { --- 1265,1271 ---- } fin->fin_out = 0; ! 
fin->fin_ifp = saveqif; } #ifndef sparc if (fin->fin_v == 4) { *************** *** 1230,1235 **** --- 1277,1284 ---- } #endif + ifp = qif->qf_ill; + if (mp != NULL) { s = mb->b_rptr; if ( *************** *** 1277,1282 **** --- 1326,1334 ---- #endif putnext(q, mb); ATOMIC_INCL(fr_frouteok[0]); + #if SOLARIS2 >= 8 + ire_refrele(dir); + #endif READ_ENTER(&ipf_global); return 0; } *************** *** 1283,1289 **** --- 1335,1446 ---- } bad_fastroute: + #if SOLARIS2 >= 8 + if (dir != NULL) + ire_refrele(dir); + #endif freemsg(mb); ATOMIC_INCL(fr_frouteok[1]); return -1; + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_pullup */ + /* Returns: NULL == pullup failed, else pointer to protocol header */ + /* Parameters: m(I) - pointer to buffer where data packet starts */ + /* fin(I) - pointer to packet information */ + /* len(I) - number of bytes to pullup */ + /* */ + /* Attempt to move at least len bytes (from the start of the buffer) into a */ + /* single buffer for ease of access. Operating system native functions are */ + /* used to manage buffers - if necessary. If the entire packet ends up in */ + /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */ + /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */ + /* and ONLY if the pullup succeeds. */ + /* */ + /* We assume that 'min' is a pointer to a buffer that is part of the chain */ + /* of buffers that starts at *fin->fin_mp. 
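Review bot: `ifp = qif->qf_ill;` added in hunk 1230,1235 is reached from both branches of the `fdp == NULL` test, but only the `fdp != NULL` branch (hunk 1123,1131) rejects `qif == NULL || qif == (void *)-1`; when `fdp` is NULL, `qif = fin->fin_ifp` from hunk 1108,1114 is used as-is, so an `fin` without an interface dereferences NULL here instead of taking `bad_fastroute`. Hoist the check so it covers both cases, `if (qif == NULL || qif == (void *)-1) goto bad_fastroute;` immediately before this line, or state in a comment why `fin_ifp` can never be NULL or the -1 sentinel on this path. The function spans several hunks above and below this one.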
*/ + /* ------------------------------------------------------------------------ */ + void *fr_pullup(min, fin, len) + mb_t *min; + fr_info_t *fin; + int len; + { + qpktinfo_t *qpi = fin->fin_qpi; + int out = fin->fin_out, dpoff, ipoff; + mb_t *m = min; + char *ip; + + if (m == NULL) + return NULL; + + ip = (char *)fin->fin_ip; + if ((fin->fin_flx & FI_COALESCE) != 0) + return ip; + + ipoff = fin->fin_ipoff; + if (fin->fin_dp != NULL) + dpoff = (char *)fin->fin_dp - (char *)ip; + else + dpoff = 0; + + if (M_LEN(m) < len) { + int inc = 0; + + if (ipoff > 0) { + if ((ipoff & 3) != 0) { + inc = 4 - (ipoff & 3); + if (m->b_rptr - inc >= m->b_datap->db_base) + m->b_rptr -= inc; + else + inc = 0; + } + } + m = msgpullup(min, len + ipoff + inc); + if (m == NULL) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + FREE_MB_T(*fin->fin_mp); + *fin->fin_mp = NULL; + fin->fin_m = NULL; + return NULL; + } + + /* + * Because msgpullup allocates a new mblk, we need to delink + * (and free) the old one and link on the new one. 
+ */ + if (min == *fin->fin_mp) { /* easy case 1st */ + FREE_MB_T(*fin->fin_mp); + *fin->fin_mp = m; + } else { + mb_t *m2; + + for (m2 = *fin->fin_mp; m2 != NULL; m2 = m2->b_next) + if (m2->b_next == min) + break; + if (m2 == NULL) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + FREE_MB_T(*fin->fin_mp); + FREE_MB_T(m); + return NULL; + } + FREE_MB_T(min); + m2->b_next = m; + } + + fin->fin_m = m; + m->b_rptr += inc; + ip = MTOD(m, char *) + ipoff; + qpi->qpi_data = ip; + } + + ATOMIC_INCL(frstats[out].fr_pull[0]); + fin->fin_ip = (ip_t *)ip; + if (fin->fin_dp != NULL) + fin->fin_dp = (char *)fin->fin_ip + dpoff; + + if (len == fin->fin_plen) + fin->fin_flx |= FI_COALESCE; + return ip; } diff -cr ip_fil4.1.3/ip_fil_sunos4.c ip_fil4.1.4/ip_fil_sunos4.c *** ip_fil4.1.3/ip_fil_sunos4.c Thu Jun 17 11:58:14 2004 --- ip_fil4.1.4/ip_fil_sunos4.c Sun Jan 9 01:28:22 2005 *************** *** 54,60 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_sunos4.c,v 2.46.2.7 2004/06/17 01:58:14 darrenr Exp $"; #endif extern struct protosw inetsw[]; --- 54,60 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil_sunos4.c,v 2.46.2.16 2005/01/08 14:28:22 darrenr Exp $"; #endif extern struct protosw inetsw[]; *************** *** 306,312 **** if (!(mode & FWRITE)) error = EPERM; else { ! frsync(); } break; default : --- 306,312 ---- if (!(mode & FWRITE)) error = EPERM; else { ! 
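Review bot: The two failure paths inside fr_pullup's `M_LEN(m) < len` branch leave `fin` in different states: when `msgpullup()` fails the code frees the chain and clears both `*fin->fin_mp` and `fin->fin_m`, but when the chain walk fails (`m2 == NULL`) it frees `*fin->fin_mp` and the new mblk and returns with `*fin->fin_mp` and `fin->fin_m` still pointing at freed memory, which any caller that frees or inspects the packet on a NULL return turns into a use-after-free or double free. Make the second path match the first, `FREE_MB_T(*fin->fin_mp); FREE_MB_T(m); *fin->fin_mp = NULL; fin->fin_m = NULL;`. The chain is walked via `b_next` while `msgpullup()` coalesces `b_cont`; if `min` can be a continuation block rather than a separate message, the search never finds it and every such pullup lands on this failure path, which deserves a comment either way.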
frsync(NULL); } break; default : *************** *** 318,323 **** --- 318,324 ---- } + #if 0 void fr_forgetifp(ifp) void *ifp; { *************** *** 339,344 **** --- 340,346 ---- RWLOCK_EXIT(&ipf_mutex); fr_natsync(ifp); } + #endif /* *************** *** 371,376 **** --- 373,379 ---- return min; } + /* * iplread/ipllog * both of these must operate with at least splnet() lest they be *************** *** 390,395 **** --- 393,413 ---- /* + * iplwrite + */ + int iplwrite(dev, uio) + dev_t dev; + register struct uio *uio; + { + #ifdef IPFILTER_SYNC + if (getminor(dev) == IPL_LOGSYNC) + return ipfsync_write(uio); + #endif /* IPFILTER_SYNC */ + return ENXIO; + } + + + /* * fr_send_reset - this could conceivably be a call to tcp_respond(), but that * requires a large amount of setting up and isn't any more efficient. */ *************** *** 421,426 **** --- 439,445 ---- hlen = sizeof(ip_t); m->m_len = sizeof(*tcp2) + hlen; ip = mtod(m, struct ip *); + bzero((char *)ip, hlen); tcp2 = (struct tcphdr *)((char *)ip + hlen); tcp2->th_sport = tcp->th_dport; *************** *** 457,471 **** fr_info_t *fin; mb_t *m, **mpp; { ip_t *ip, *oip; ip = mtod(m, ip_t *); ! oip = fin->fin_ip; IP_V_A(ip, fin->fin_v); switch (fin->fin_v) { case 4 : IP_HL_A(ip, sizeof(*oip) >> 2); ip->ip_tos = oip->ip_tos; ip->ip_id = fin->fin_ip->ip_id; --- 476,494 ---- fr_info_t *fin; mb_t *m, **mpp; { + fr_info_t fnew; ip_t *ip, *oip; + int hlen; ip = mtod(m, ip_t *); ! bzero((char *)&fnew, sizeof(fnew)); IP_V_A(ip, fin->fin_v); switch (fin->fin_v) { case 4 : + fnew.fin_v = 4; + oip = fin->fin_ip; IP_HL_A(ip, sizeof(*oip) >> 2); ip->ip_tos = oip->ip_tos; ip->ip_id = fin->fin_ip->ip_id; *************** *** 472,482 **** ip->ip_off = 0; ip->ip_ttl = tcp_ttl; ip->ip_sum = 0; break; default : return EINVAL; } ! return fr_fastroute(m, mpp, fin, NULL); } --- 495,516 ---- ip->ip_off = 0; ip->ip_ttl = tcp_ttl; ip->ip_sum = 0; + hlen = sizeof(*oip); break; default : return EINVAL; } ! ! fnew.fin_ifp = fin->fin_ifp; ! 
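Review bot: The `#if 0` that now brackets fr_forgetifp (closed by the `#endif` added in the 339,344 hunk) disables the function without saying why, and neither its prototype nor any caller is touched in this diff, so a reader cannot tell whether the code is dead or temporarily parked. Add a one-line reason above the `#if 0`, for example `/* fr_forgetifp disabled: <reason>; delete or restore once decided */`, or remove the body outright rather than leaving it under `#if 0`.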
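Review bot: The header comment on the new iplwrite is only its name; the function's contract is that writes are accepted only on the IPL_LOGSYNC minor and only when IPFILTER_SYNC is built, with every other case returning ENXIO, and that belongs in the comment because the `#ifdef` makes the no-sync build look like an unconditional ENXIO stub. Suggested text: `iplwrite - accepts writes only on the IPL_LOGSYNC minor (IPFILTER_SYNC builds); every other minor returns ENXIO.` The `register` qualifier on `uio` is also unnecessary in a function this small.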
fnew.fin_flx = FI_NOCKSUM; ! fnew.fin_m = m; ! fnew.fin_ip = ip; ! fnew.fin_mp = mpp; ! fnew.fin_hlen = hlen; ! fnew.fin_dp = (char *)ip + hlen; ! (void) fr_makefrip(hlen, ip, &fnew); ! ! return fr_fastroute(m, mpp, &fnew, NULL); } *************** *** 506,513 **** code = fin->fin_icode; - avail = 0; - m = NULL; ifp = fin->fin_ifp; if (fin->fin_v == 4) { if ((fin->fin_p == IPPROTO_ICMP) && --- 540,545 ---- *************** *** 520,525 **** --- 552,558 ---- case ICMP_MASKREQ : break; default : + FREE_MB_T(m); return 0; } *************** *** 538,543 **** --- 571,579 ---- xtra = MIN(fin->fin_dlen, 8); else xtra = 0; + } else { + FREE_MB_T(m); + return -1; } iclen = hlen + sizeof(*icmp) + xtra; *************** *** 633,639 **** dst->sin_family = AF_INET; fr = fin->fin_fr; ! if (fdp) ifp = fdp->fd_ifp; else { ifp = fin->fin_ifp; --- 669,675 ---- dst->sin_family = AF_INET; fr = fin->fin_fr; ! if (fdp != NULL) ifp = fdp->fd_ifp; else { ifp = fin->fin_ifp; *************** *** 648,654 **** if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; dst->sin_addr = ip->ip_dst; ! } else if (fdp) { if (fdp->fd_ip.s_addr) { dst->sin_addr = fdp->fd_ip; ip->ip_dst = fdp->fd_ip; --- 684,691 ---- if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; dst->sin_addr = ip->ip_dst; ! } ! if (fdp != NULL) { if (fdp->fd_ip.s_addr) { dst->sin_addr = fdp->fd_ip; ip->ip_dst = fdp->fd_ip; *************** *** 947,950 **** --- 984,1053 ---- if (fr_checkl4sum(fin) == -1) fin->fin_flx |= FI_BAD; #endif + } + + + /* ------------------------------------------------------------------------ */ + /* Function: fr_pullup */ + /* Returns: NULL == pullup failed, else pointer to protocol header */ + /* Parameters: m(I) - pointer to buffer where data packet starts */ + /* fin(I) - pointer to packet information */ + /* len(I) - number of bytes to pullup */ + /* */ + /* Attempt to move at least len bytes (from the start of the buffer) into a */ + /* single buffer for ease of access. 
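Review bot: `(void) fr_makefrip(hlen, ip, &fnew);` discards the result, so if fr_makefrip reports a problem through its return value the packet is still handed to fr_fastroute with a partially populated fnew. Since fr_send_ip already returns EINVAL for an unknown version, the same path should be used here, e.g. `if (fr_makefrip(hlen, ip, &fnew) == -1) return EINVAL;` (the exact failure value should be checked against fr_makefrip's definition, which is not in this diff). fr_send_ip's signature is outside the hunk.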
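Review bot: The new `FREE_MB_T(m)` in the ICMP switch's default case relies on `m` already holding an allocated buffer at that point, but none of the hunks for this function show the allocation being moved ahead of the switch, and the `m = NULL` initializer removed in the 506,513 hunk suggests the buffer was allocated further down. If the allocation still follows the iclen computation, this free and the one added in the 538,543 hunk (`} else { FREE_MB_T(m); return -1; }`) act on an uninitialized pointer. Either keep `m = NULL` until it is confirmed that the allocation precedes these returns, or move the allocation ahead of the protocol checks as the frees assume. The enclosing function starts outside these hunks.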
Operating system native functions are */ + /* used to manage buffers - if necessary. If the entire packet ends up in */ + /* a single buffer, set the FI_COALESCE flag even though fr_coalesce() has */ + /* not been called. Both fin_ip and fin_dp are updated before exiting _IF_ */ + /* and ONLY if the pullup succeeds. */ + /* */ + /* We assume that 'min' is a pointer to a buffer that is part of the chain */ + /* of buffers that starts at *fin->fin_mp. */ + /* ------------------------------------------------------------------------ */ + void *fr_pullup(min, fin, len) + mb_t *min; + fr_info_t *fin; + int len; + { + int out = fin->fin_out, dpoff, ipoff; + mb_t *m = min; + char *ip; + + if (m == NULL) + return NULL; + + ip = (char *)fin->fin_ip; + if ((fin->fin_flx & FI_COALESCE) != 0) + return ip; + + ipoff = fin->fin_ipoff; + if (fin->fin_dp != NULL) + dpoff = (char *)fin->fin_dp - (char *)ip; + else + dpoff = 0; + + if (M_LEN(m) < len) { + if (len > MLEN) { + FREE_MB_T(*fin->fin_mp); + m = NULL; + } else { + m = m_pullup(m, len); + } + *fin->fin_mp = m; + fin->fin_m = m; + if (m == NULL) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + return NULL; + } + ip = MTOD(m, char *) + ipoff; + } + + ATOMIC_INCL(frstats[out].fr_pull[0]); + fin->fin_ip = (ip_t *)ip; + if (fin->fin_dp != NULL) + fin->fin_dp = (char *)fin->fin_ip + dpoff; + + if (len == fin->fin_plen) + fin->fin_flx |= FI_COALESCE; + return ip; } diff -cr ip_fil4.1.3/ip_ftp_pxy.c ip_fil4.1.4/ip_ftp_pxy.c *** ip_fil4.1.3/ip_ftp_pxy.c Wed Jun 23 06:55:52 2004 --- ip_fil4.1.4/ip_ftp_pxy.c Fri Dec 10 06:40:58 2004 *************** *** 6,15 **** * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * ! * $Id: ip_ftp_pxy.c,v 2.88.2.4 2004/06/22 20:55:52 darrenr Exp $ */ - #undef IPF_FTP_DEBUG #define IPF_FTP_PROXY #define IPF_MINPORTLEN 18 --- 6,14 ---- * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * ! 
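Review bot: fr_pullup stores the m_pullup result into `*fin->fin_mp` and `fin->fin_m` unconditionally, which is only correct when `min` is the head of the chain, yet the header comment promises merely that `min` is somewhere in the chain starting at `*fin->fin_mp`, and the Solaris counterpart earlier in this diff has an explicit relink path for the non-head case. If a caller passes a later buffer, the buffers before it are dropped from `*fin->fin_mp` and leak. On the failure path `fin->fin_ip` and `fin->fin_dp` are also left pointing into the freed chain; the comment should say that a NULL return means the packet is gone and `fin` must not be used to reach packet data afterwards, e.g. `/* On failure the chain has been freed: fin_m/fin_mp are NULL, fin_ip and fin_dp are stale. */`.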
* $Id: ip_ftp_pxy.c,v 2.88.2.8 2004/12/09 19:40:58 darrenr Exp $ */ #define IPF_FTP_PROXY #define IPF_MINPORTLEN 18 *************** *** 61,67 **** int ippr_ftp_pasvreply __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, u_int, char *, char *, u_int)); - static frentry_t ftppxyfr; int ftp_proxy_init = 0; int ippr_ftp_pasvonly = 0; --- 60,65 ---- *************** *** 68,75 **** --- 66,97 ---- int ippr_ftp_insecure = 0; /* Do not require logins before transfers */ int ippr_ftp_pasvrdr = 0; int ippr_ftp_forcepasv = 0; /* PASV must be last command prior to 227 */ + #if defined(_KERNEL) + int ippr_ftp_debug = 0; + #else + int ippr_ftp_debug = 2; + #endif + /* + * 1 - security + * 2 - errors + * 3 - error debugging + * 4 - parsing errors + * 5 - parsing info + * 6 - parsing debug + */ + static frentry_t ftppxyfr; + static ipftuneable_t ftptune = { + { &ippr_ftp_debug }, + "ippr_ftp_debug", + 0, + 10, + sizeof(ippr_ftp_debug), + 0, + NULL + }; + /* * Initialize local structures. */ *************** *** 80,85 **** --- 102,108 ---- ftppxyfr.fr_flags = FR_INQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE; MUTEX_INIT(&ftppxyfr.fr_lock, "FTP Proxy Mutex"); ftp_proxy_init = 1; + (void) fr_addipftune(&ftptune); return 0; } *************** *** 87,92 **** --- 110,117 ---- void ippr_ftp_fini() { + (void) fr_delipftune(&ftptune); + if (ftp_proxy_init == 1) { MUTEX_DESTROY(&ftppxyfr.fr_lock); ftp_proxy_init = 0; *************** *** 151,159 **** * Check for client sending out PORT message. */ if (dlen < IPF_MINPORTLEN) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_port:dlen(%d) < IPF_MINPORTLEN\n", dlen); ! #endif return 0; } /* --- 176,184 ---- * Check for client sending out PORT message. */ if (dlen < IPF_MINPORTLEN) { ! if (ippr_ftp_debug > 1) ! printf("ippr_ftp_port:dlen(%d) < IPF_MINPORTLEN\n", ! dlen); return 0; } /* *************** *** 165,180 **** */ a1 = ippr_ftp_atoi(&s); if (s == NULL) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! 
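Review bot: The level legend added after `ippr_ftp_debug` is detached from the variable it describes and does not agree with the rest of the change: the checks introduced throughout this file stop at `ippr_ftp_debug > 4`, so level 5 already enables everything and the legend's level 6 (and the apparent 0..10 range in `ftptune`) adds nothing. Move the legend directly above the `#if defined(_KERNEL)` definition and add `/* Values above 5 are accepted by the tunable but enable no further output. */`. The non-kernel default of 2 also deserves a one-line comment, since it makes userland builds print every level-1 and level-2 message by default.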
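Review bot: `(void) fr_addipftune(&ftptune);` in ippr_ftp_init discards the registration result, so a failed registration leaves the proxy initialised with `ippr_ftp_debug` untunable and nothing to indicate why. Since `ftp_proxy_init = 1` is already set on the line above, either register before setting the flag and propagate a failure through the existing `return` path, or at least comment that the registration is best-effort: `/* best effort: a failed registration only disables run-time tuning */`. ippr_ftp_init's signature is outside the hunk.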
printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 1); ! #endif return 0; } a2 = ippr_ftp_atoi(&s); if (s == NULL) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 2); ! #endif return 0; } /* --- 190,203 ---- */ a1 = ippr_ftp_atoi(&s); if (s == NULL) { ! if (ippr_ftp_debug > 1) ! printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 1); return 0; } a2 = ippr_ftp_atoi(&s); if (s == NULL) { ! if (ippr_ftp_debug > 1) ! printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 2); return 0; } /* *************** *** 187,203 **** (a1 != ntohl(nat->nat_inip.s_addr))) || ((nat->nat_dir == NAT_INBOUND) && (a1 != ntohl(nat->nat_oip.s_addr)))) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_port:%s != nat->nat_inip\n", "a1"); ! #endif return APR_ERR(1); } a5 = ippr_ftp_atoi(&s); if (s == NULL) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 3); ! #endif return 0; } if (*s == ')') --- 210,224 ---- (a1 != ntohl(nat->nat_inip.s_addr))) || ((nat->nat_dir == NAT_INBOUND) && (a1 != ntohl(nat->nat_oip.s_addr)))) { ! if (ippr_ftp_debug > 0) ! printf("ippr_ftp_port:%s != nat->nat_inip\n", "a1"); return APR_ERR(1); } a5 = ippr_ftp_atoi(&s); if (s == NULL) { ! if (ippr_ftp_debug > 1) ! printf("ippr_ftp_port:ippr_ftp_atoi(%d) failed\n", 3); return 0; } if (*s == ')') *************** *** 212,220 **** s += 2; a6 = a5 & 0xff; } else { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_port:missing %s\n", "cr-lf"); ! #endif return 0; } a5 >>= 8; --- 233,240 ---- s += 2; a6 = a5 & 0xff; } else { ! if (ippr_ftp_debug > 1) ! printf("ippr_ftp_port:missing %s\n", "cr-lf"); return 0; } a5 >>= 8; *************** *** 243,251 **** nlen = strlen(newbuf); inc = nlen - olen; if ((inc + ip->ip_len) > 65535) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_port:inc(%d) + ip->ip_len > 65535\n", inc); ! 
#endif return 0; } --- 263,271 ---- nlen = strlen(newbuf); inc = nlen - olen; if ((inc + ip->ip_len) > 65535) { ! if (ippr_ftp_debug > 0) ! printf("ippr_ftp_port:inc(%d) + ip->ip_len > 65535\n", ! inc); return 0; } *************** *** 283,291 **** * security crap. */ if (sp < 1024) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_port:sp(%d) < 1024\n", sp); ! #endif return 0; } /* --- 303,310 ---- * security crap. */ if (sp < 1024) { ! if (ippr_ftp_debug > 0) ! printf("ippr_ftp_port:sp(%d) < 1024\n", sp); return 0; } /* *************** *** 385,392 **** for (i = 0; (i < 5) && (i < dlen); i++) { c = rptr[i]; ! if (isalpha(c)) { ! cmd[i] = toupper(c); } else { cmd[i] = c; } --- 404,411 ---- for (i = 0; (i < 5) && (i < dlen); i++) { c = rptr[i]; ! if (ISALPHA(c)) { ! cmd[i] = TOUPPER(c); } else { cmd[i] = c; } *************** *** 453,462 **** if (ippr_ftp_forcepasv != 0 && ftp->ftp_side[0].ftps_cmds != FTPXY_C_PASV) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_pasv:ftps_cmds(%d) != FTPXY_C_PASV\n", ! ftp->ftp_side[0].ftps_cmds); ! #endif return 0; } --- 472,480 ---- if (ippr_ftp_forcepasv != 0 && ftp->ftp_side[0].ftps_cmds != FTPXY_C_PASV) { ! if (ippr_ftp_debug > 0) ! printf("ippr_ftp_pasv:ftps_cmds(%d) != FTPXY_C_PASV\n", ! ftp->ftp_side[0].ftps_cmds); return 0; } *************** *** 467,481 **** * Check for PASV reply message. */ if (dlen < IPF_MIN227LEN) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_pasv:dlen(%d) < IPF_MIN227LEN\n", dlen); ! #endif return 0; } else if (strncmp(f->ftps_rptr, "227 Entering Passive Mod", PASV_REPLEN)) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_pasv:%d reply wrong\n", 227); ! #endif return 0; } --- 485,498 ---- * Check for PASV reply message. */ if (dlen < IPF_MIN227LEN) { ! if (ippr_ftp_debug > 1) ! printf("ippr_ftp_pasv:dlen(%d) < IPF_MIN227LEN\n", ! 
dlen); return 0; } else if (strncmp(f->ftps_rptr, "227 Entering Passive Mod", PASV_REPLEN)) { ! if (ippr_ftp_debug > 0) ! printf("ippr_ftp_pasv:%d reply wrong\n", 227); return 0; } *************** *** 483,489 **** * Skip the PASV reply + space */ s = f->ftps_rptr + PASV_REPLEN; ! while (*s && !isdigit(*s)) s++; /* * Pick out the address components, two at a time. --- 500,506 ---- * Skip the PASV reply + space */ s = f->ftps_rptr + PASV_REPLEN; ! while (*s && !ISDIGIT(*s)) s++; /* * Pick out the address components, two at a time. *************** *** 490,505 **** */ a1 = ippr_ftp_atoi(&s); if (s == NULL) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 1); ! #endif return 0; } a2 = ippr_ftp_atoi(&s); if (s == NULL) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 2); ! #endif return 0; } --- 507,520 ---- */ a1 = ippr_ftp_atoi(&s); if (s == NULL) { ! if (ippr_ftp_debug > 1) ! printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 1); return 0; } a2 = ippr_ftp_atoi(&s); if (s == NULL) { ! if (ippr_ftp_debug > 1) ! printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 2); return 0; } *************** *** 514,530 **** (a1 != ntohl(nat->nat_inip.s_addr))) || ((nat->nat_dir == NAT_OUTBOUND) && (a1 != ntohl(nat->nat_oip.s_addr)))) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_pasv:%s != nat->nat_oip\n", "a1"); ! #endif return 0; } a5 = ippr_ftp_atoi(&s); if (s == NULL) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 3); ! #endif return 0; } --- 529,543 ---- (a1 != ntohl(nat->nat_inip.s_addr))) || ((nat->nat_dir == NAT_OUTBOUND) && (a1 != ntohl(nat->nat_oip.s_addr)))) { ! if (ippr_ftp_debug > 0) ! printf("ippr_ftp_pasv:%s != nat->nat_oip\n", "a1"); return 0; } a5 = ippr_ftp_atoi(&s); if (s == NULL) { ! if (ippr_ftp_debug > 1) ! 
printf("ippr_ftp_pasv:ippr_ftp_atoi(%d) failed\n", 3); return 0; } *************** *** 540,548 **** if ((*s == '\r') && (*(s + 1) == '\n')) { s += 2; } else { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_pasv:missing %s", "cr-lf\n"); ! #endif return 0; } --- 553,560 ---- if ((*s == '\r') && (*(s + 1) == '\n')) { s += 2; } else { ! if (ippr_ftp_debug > 1) ! printf("ippr_ftp_pasv:missing %s", "cr-lf\n"); return 0; } *************** *** 605,613 **** nlen = strlen(newmsg); inc = nlen - olen; if ((inc + ip->ip_len) > 65535) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_pasv:inc(%d) + ip->ip_len > 65535\n", inc); ! #endif return 0; } --- 617,625 ---- nlen = strlen(newmsg); inc = nlen - olen; if ((inc + ip->ip_len) > 65535) { ! if (ippr_ftp_debug > 0) ! printf("ippr_ftp_pasv:inc(%d) + ip->ip_len > 65535\n", ! inc); return 0; } *************** *** 736,742 **** if (*rptr == ' ') goto server_cmd_ok; ! if (!isdigit(*rptr) || !isdigit(*(rptr + 1)) || !isdigit(*(rptr + 2))) return 0; if (ftp->ftp_passok == FTPXY_GO) { if (!strncmp(rptr, "227 ", 4)) --- 748,754 ---- if (*rptr == ' ') goto server_cmd_ok; ! if (!ISDIGIT(*rptr) || !ISDIGIT(*(rptr + 1)) || !ISDIGIT(*(rptr + 2))) return 0; if (ftp->ftp_passok == FTPXY_GO) { if (!strncmp(rptr, "227 ", 4)) *************** *** 795,803 **** char cmd[5]; if (i < 5) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_client_valid:i(%d) < 5\n", (int)i); ! #endif return 2; } s = buf; --- 807,814 ---- char cmd[5]; if (i < 5) { ! if (ippr_ftp_debug > 3) ! printf("ippr_ftp_client_valid:i(%d) < 5\n", (int)i); return 2; } s = buf; *************** *** 804,823 **** c = *s++; i--; ! if (isalpha(c)) { ! cmd[0] = toupper(c); c = *s++; i--; ! if (isalpha(c)) { ! cmd[1] = toupper(c); c = *s++; i--; ! if (isalpha(c)) { ! cmd[2] = toupper(c); c = *s++; i--; ! if (isalpha(c)) { ! cmd[3] = toupper(c); c = *s++; i--; if ((c != ' ') && (c != '\r')) --- 815,834 ---- c = *s++; i--; ! 
if (ISALPHA(c)) { ! cmd[0] = TOUPPER(c); c = *s++; i--; ! if (ISALPHA(c)) { ! cmd[1] = TOUPPER(c); c = *s++; i--; ! if (ISALPHA(c)) { ! cmd[2] = TOUPPER(c); c = *s++; i--; ! if (ISALPHA(c)) { ! cmd[3] = TOUPPER(c); c = *s++; i--; if ((c != ' ') && (c != '\r')) *************** *** 830,839 **** goto bad_client_command; } else { bad_client_command: ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_client_valid:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n", ! ftps->ftps_junk, (int)len, (int)i, c, (int)len, (int)len, buf); ! #endif return 1; } --- 841,850 ---- goto bad_client_command; } else { bad_client_command: ! if (ippr_ftp_debug > 3) ! printf("ippr_ftp_client_valid:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n", ! ftps->ftps_junk, (int)len, (int)i, c, ! (int)len, (int)len, buf); return 1; } *************** *** 874,888 **** if (c == ' ') goto search_eol; ! if (isdigit(c)) { cmd = (c - '0') * 100; c = *s++; i--; ! if (isdigit(c)) { cmd += (c - '0') * 10; c = *s++; i--; ! if (isdigit(c)) { cmd += (c - '0'); c = *s++; i--; --- 885,899 ---- if (c == ' ') goto search_eol; ! if (ISDIGIT(c)) { cmd = (c - '0') * 100; c = *s++; i--; ! if (ISDIGIT(c)) { cmd += (c - '0') * 10; c = *s++; i--; ! if (ISDIGIT(c)) { cmd += (c - '0'); c = *s++; i--; *************** *** 894,903 **** goto bad_server_command; } else { bad_server_command: ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_server_valid:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n", ! ftps->ftps_junk, (int)len, (int)i, c, (int)len, (int)len, buf); ! #endif return 1; } search_eol: --- 905,914 ---- goto bad_server_command; } else { bad_server_command: ! if (ippr_ftp_debug > 3) ! printf("ippr_ftp_server_valid:bad:junk %d len %d/%d c 0x%x buf [%*.*s]\n", ! ftps->ftps_junk, (int)len, (int)i, ! c, (int)len, (int)len, buf); return 1; } search_eol: *************** *** 908,916 **** return 0; } } ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! 
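Review bot: The bad_client_command print in this hunk writes up to `len` raw bytes of the peer-supplied command to the console with `%*.*s` whenever ippr_ftp_debug > 3; the same applies to the bad_server_command print in the 894,903 hunk and the junk-after-cmd print in the 908,916 hunk (there at debug > 1). Control characters and escape sequences in the payload reach the console log verbatim, which makes this debug output a log-injection vector wherever those messages are collected. Bounding the length is an improvement over the old `%s`, but the bytes should be hex-dumped or have non-printables replaced before printing, and each call site should carry a comment noting that `buf` is peer-supplied data.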
printf("ippr_ftp_server_valid:junk after cmd[%s]\n", buf); ! #endif return 2; } --- 919,927 ---- return 0; } } ! if (ippr_ftp_debug > 1) ! printf("ippr_ftp_server_valid:junk after cmd[%*.*s]\n", ! (int)len, (int)len, buf); return 2; } *************** *** 972,977 **** --- 983,991 ---- #else mlen = MSGDSIZE(m) - off; #endif + if (ippr_ftp_debug > 4) + printf("ippr_ftp_process: mlen %d\n", mlen); + if (mlen <= 0) { if ((tcp->th_flags & TH_OPENING) == TH_OPENING) { f->ftps_seq[0] = thseq + 1; *************** *** 992,1009 **** ackoff = aps->aps_ackoff[!sel2]; } else { seqoff = aps->aps_ackoff[sel]; ! #if PROXY_DEBUG ! printf("seqoff %d thseq %x ackmin %x\n", seqoff, thseq, ! aps->aps_ackmin[sel]); ! #endif if (aps->aps_ackmin[sel] > seqoff + thseq) seqoff = aps->aps_ackoff[!sel]; ackoff = aps->aps_seqoff[sel2]; ! #if PROXY_DEBUG ! printf("ackoff %d thack %x seqmin %x\n", ackoff, thack, ! aps->aps_seqmin[sel2]); ! #endif if (ackoff > 0) { if (aps->aps_seqmin[sel2] > ackoff + thack) ackoff = aps->aps_seqoff[!sel2]; --- 1006,1021 ---- ackoff = aps->aps_ackoff[!sel2]; } else { seqoff = aps->aps_ackoff[sel]; ! if (ippr_ftp_debug > 2) ! printf("seqoff %d thseq %x ackmin %x\n", seqoff, thseq, ! aps->aps_ackmin[sel]); if (aps->aps_ackmin[sel] > seqoff + thseq) seqoff = aps->aps_ackoff[!sel]; ackoff = aps->aps_seqoff[sel2]; ! if (ippr_ftp_debug > 2) ! printf("ackoff %d thack %x seqmin %x\n", ackoff, thack, ! aps->aps_seqmin[sel2]); if (ackoff > 0) { if (aps->aps_seqmin[sel2] > ackoff + thack) ackoff = aps->aps_seqoff[!sel2]; *************** *** 1012,1028 **** ackoff = aps->aps_seqoff[!sel2]; } } ! #if PROXY_DEBUG ! printf("%s: %x seq %x/%d ack %x/%d len %d/%d off %d\n", ! rv ? "IN" : "OUT", tcp->th_flags, thseq, seqoff, ! thack, ackoff, mlen, fin->fin_plen, off); ! printf("sel %d seqmin %x/%x offset %d/%d\n", sel, ! aps->aps_seqmin[sel], aps->aps_seqmin[sel2], ! aps->aps_seqoff[sel], aps->aps_seqoff[sel2]); ! printf("sel %d ackmin %x/%x offset %d/%d\n", sel2, ! 
aps->aps_ackmin[sel], aps->aps_ackmin[sel2], ! aps->aps_ackoff[sel], aps->aps_ackoff[sel2]); ! #endif /* * XXX - Ideally, this packet should get dropped because we now know --- 1024,1040 ---- ackoff = aps->aps_seqoff[!sel2]; } } ! if (ippr_ftp_debug > 2) { ! printf("%s: %x seq %x/%d ack %x/%d len %d/%d off %d\n", ! rv ? "IN" : "OUT", tcp->th_flags, thseq, seqoff, ! thack, ackoff, mlen, fin->fin_plen, off); ! printf("sel %d seqmin %x/%x offset %d/%d\n", sel, ! aps->aps_seqmin[sel], aps->aps_seqmin[sel2], ! aps->aps_seqoff[sel], aps->aps_seqoff[sel2]); ! printf("sel %d ackmin %x/%x offset %d/%d\n", sel2, ! aps->aps_ackmin[sel], aps->aps_ackmin[sel2], ! aps->aps_ackoff[sel], aps->aps_ackoff[sel2]); ! } /* * XXX - Ideally, this packet should get dropped because we now know *************** *** 1029,1038 **** * that it is out of order (and there is no real danger in doing so * apart from causing packets to go through here ordered). */ ! #if PROXY_DEBUG ! printf("rv %d t:seq[0] %x seq[1] %x %d/%d\n", ! rv, t->ftps_seq[0], t->ftps_seq[1], seqoff, ackoff); ! #endif ok = 0; if (t->ftps_seq[0] == 0) { --- 1041,1050 ---- * that it is out of order (and there is no real danger in doing so * apart from causing packets to go through here ordered). */ ! if (ippr_ftp_debug > 2) { ! printf("rv %d t:seq[0] %x seq[1] %x %d/%d\n", ! rv, t->ftps_seq[0], t->ftps_seq[1], seqoff, ackoff); ! } ok = 0; if (t->ftps_seq[0] == 0) { *************** *** 1061,1093 **** } } ! #if PROXY_DEBUG ! if (!ok) ! printf("%s ok\n", "not"); ! #endif if (!mlen) { if (t->ftps_seq[0] + ackoff != thack) { ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf( ! "ippr_ftp_process:seq[0](%x) + ackoff(%x) != thack(%x)\n", ! t->ftps_seq[0], ackoff, thack); ! #endif return APR_ERR(1); } ! #if PROXY_DEBUG ! printf("f:seq[0] %x seq[1] %x\n", f->ftps_seq[0], f->ftps_seq[1]); ! 
#endif if (tcp->th_flags & TH_FIN) { if (thseq == f->ftps_seq[1]) { f->ftps_seq[0] = f->ftps_seq[1] - seqoff; f->ftps_seq[1] = thseq + 1 - seqoff; } else { ! #if PROXY_DEBUG || !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("FIN: thseq %x seqoff %d ftps_seq %x\n", ! thseq, seqoff, f->ftps_seq[0]); ! #endif return APR_ERR(1); } } --- 1073,1106 ---- } } ! if (ippr_ftp_debug > 2) { ! if (!ok) ! printf("%s ok\n", "not"); ! } if (!mlen) { if (t->ftps_seq[0] + ackoff != thack) { ! if (ippr_ftp_debug > 1) { ! printf("ippr_ftp_process:seq[0](%x) + ackoff(%x) != thack(%x)\n", ! t->ftps_seq[0], ackoff, thack); ! } return APR_ERR(1); } ! if (ippr_ftp_debug > 2) { ! printf("f:seq[0] %x seq[1] %x\n", ! f->ftps_seq[0], f->ftps_seq[1]); ! } ! if (tcp->th_flags & TH_FIN) { if (thseq == f->ftps_seq[1]) { f->ftps_seq[0] = f->ftps_seq[1] - seqoff; f->ftps_seq[1] = thseq + 1 - seqoff; } else { ! if (ippr_ftp_debug > 1) { ! printf("FIN: thseq %x seqoff %d ftps_seq %x\n", ! thseq, seqoff, f->ftps_seq[0]); ! } return APR_ERR(1); } } *************** *** 1108,1122 **** if (ok == 0) { inc = thseq - f->ftps_seq[0]; ! #if PROXY_DEBUG || !defined(_KERNEL) ! printf("inc %d sel %d rv %d\n", inc, sel, rv); ! printf("th_seq %x ftps_seq %x/%x\n", thseq, f->ftps_seq[0], ! f->ftps_seq[1]); ! printf("ackmin %x ackoff %d\n", aps->aps_ackmin[sel], ! aps->aps_ackoff[sel]); ! printf("seqmin %x seqoff %d\n", aps->aps_seqmin[sel], ! aps->aps_seqoff[sel]); ! #endif return APR_ERR(1); } --- 1121,1135 ---- if (ok == 0) { inc = thseq - f->ftps_seq[0]; ! if (ippr_ftp_debug > 1) { ! printf("inc %d sel %d rv %d\n", inc, sel, rv); ! printf("th_seq %x ftps_seq %x/%x\n", ! thseq, f->ftps_seq[0], f->ftps_seq[1]); ! printf("ackmin %x ackoff %d\n", aps->aps_ackmin[sel], ! aps->aps_ackoff[sel]); ! printf("seqmin %x seqoff %d\n", aps->aps_seqmin[sel], ! aps->aps_seqoff[sel]); ! } return APR_ERR(1); } *************** *** 1134,1143 **** mlen -= len; off += len; wptr += len; ! #if defined(IPF_FTP_DEBUG) ! 
printf("ippr_ftp_process:len %d/%d off %d wptr %lx junk %d\n", ! len, mlen, off, wptr, f->ftps_junk); ! #endif f->ftps_wptr = wptr; if (f->ftps_junk == 2) f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr, --- 1147,1157 ---- mlen -= len; off += len; wptr += len; ! ! if (ippr_ftp_debug > 3) ! printf("ippr_ftp_process:len %d/%d off %d wptr %lx junk %d\n", ! len, mlen, off, (u_long)wptr, f->ftps_junk); ! f->ftps_wptr = wptr; if (f->ftps_junk == 2) f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr, *************** *** 1146,1156 **** while ((f->ftps_junk == 0) && (wptr > rptr)) { len = wptr - rptr; f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr, len); ! #if defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_valid=%d len %d rv %d ptr %lx/%lx\n", ! f->ftps_junk, len, rv, rptr, wptr); ! printf("buf [%*.*s]\n", len, len, rptr); ! #endif if (f->ftps_junk == 0) { f->ftps_rptr = rptr; if (rv) --- 1160,1173 ---- while ((f->ftps_junk == 0) && (wptr > rptr)) { len = wptr - rptr; f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr, len); ! ! if (ippr_ftp_debug > 3) { ! printf("ippr_ftp_valid=%d len %d rv %d ptr %lx/%lx\n", ! f->ftps_junk, len, rv, (u_long)rptr, ! (u_long)wptr); ! printf("buf [%*.*s]\n", len, len, rptr); ! } ! if (f->ftps_junk == 0) { f->ftps_rptr = rptr; if (rv) *************** *** 1170,1178 **** */ if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) { /* f->ftps_seq[1] += inc; */ ! #if !defined(_KERNEL) || defined(IPF_FTP_DEBUG) ! printf("ippr_ftp_process:cmds == 0 junk == %d\n", 1); ! #endif return APR_ERR(2); } --- 1187,1195 ---- */ if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) { /* f->ftps_seq[1] += inc; */ ! ! if (ippr_ftp_debug > 1) ! printf("ippr_ftp_process:cmds == 0 junk == %d\n", 1); return APR_ERR(2); } *************** *** 1216,1230 **** /* f->ftps_seq[1] += inc; */ if (tcp->th_flags & TH_FIN) f->ftps_seq[1]++; ! #if PROXY_DEBUG ! # ifdef __sgi ! mlen = fin->fin_plen; ! # else ! mlen = MSGDSIZE(m); ! # endif ! mlen -= off; ! 
printf("ftps_seq[1] = %x inc %d len %d\n", f->ftps_seq[1], inc, mlen); #endif f->ftps_rptr = rptr; f->ftps_wptr = wptr; --- 1233,1248 ---- /* f->ftps_seq[1] += inc; */ if (tcp->th_flags & TH_FIN) f->ftps_seq[1]++; ! if (ippr_ftp_debug > 3) { ! #ifdef __sgi ! mlen = fin->fin_plen; ! #else ! mlen = MSGDSIZE(m); #endif + mlen -= off; + printf("ftps_seq[1] = %x inc %d len %d\n", + f->ftps_seq[1], inc, mlen); + } f->ftps_rptr = rptr; f->ftps_wptr = wptr; *************** *** 1284,1290 **** register char *s = *ptr, c; register u_char i = 0, j = 0; ! while (((c = *s++) != '\0') && isdigit(c)) { i *= 10; i += c - '0'; } --- 1302,1308 ---- register char *s = *ptr, c; register u_char i = 0, j = 0; ! while (((c = *s++) != '\0') && ISDIGIT(c)) { i *= 10; i += c - '0'; } *************** *** 1292,1298 **** *ptr = NULL; return 0; } ! while (((c = *s++) != '\0') && isdigit(c)) { j *= 10; j += c - '0'; } --- 1310,1316 ---- *ptr = NULL; return 0; } ! while (((c = *s++) != '\0') && ISDIGIT(c)) { j *= 10; j += c - '0'; } *************** *** 1328,1334 **** * Skip the EPSV command + space */ s = f->ftps_rptr + 33; ! while (*s && !isdigit(*s)) s++; /* --- 1346,1352 ---- * Skip the EPSV command + space */ s = f->ftps_rptr + 33; ! while (*s && !ISDIGIT(*s)) s++; /* *************** *** 1335,1341 **** * As per RFC 2428, there are no addres components in the EPSV * response. So we'll go straight to getting the port. */ ! while (*s && isdigit(*s)) { ap *= 10; ap += *s++ - '0'; } --- 1353,1359 ---- * As per RFC 2428, there are no addres components in the EPSV * response. So we'll go straight to getting the port. */ ! while (*s && ISDIGIT(*s)) { ap *= 10; ap += *s++ - '0'; } diff -cr ip_fil4.1.3/ip_htable.c ip_fil4.1.4/ip_htable.c *** ip_fil4.1.3/ip_htable.c Sun Mar 7 01:32:58 2004 --- ip_fil4.1.4/ip_htable.c Mon Oct 18 01:49:15 2004 *************** *** 51,57 **** /* END OF INCLUDES */ #if !defined(lint) ! 
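Review bot: The digit loops changed in this hunk and in the 1292,1298 hunk accumulate into `u_char i` and `u_char j`, so an octet such as `300` silently wraps to 44 instead of being rejected, and parsing continues with an address or port byte the peer never sent. The address may later be caught by the comparison against the NAT entry, but the port path has no such check. Since the function already signals failure with `*ptr = NULL`, put an overflow check on the same path inside each loop before the multiply, e.g. `if (i > 25 || (i == 25 && c - '0' > 5)) { *ptr = NULL; return 0; }`. ippr_ftp_atoi's signature is outside the hunk.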
static const char rcsid[] = "@(#)$Id: ip_htable.c,v 2.34.2.1 2004/03/06 14:32:58 darrenr Exp $"; #endif #ifdef IPFILTER_LOOKUP --- 51,57 ---- /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_htable.c,v 2.34.2.2 2004/10/17 15:49:15 darrenr Exp $"; #endif #ifdef IPFILTER_LOOKUP *************** *** 375,380 **** --- 375,389 ---- } + /* ------------------------------------------------------------------------ */ + /* Function: fr_iphmfindip */ + /* Returns: int - 0 == +ve match, -1 == error, 1 == -ve/no match */ + /* Parameters: tptr(I) - pointer to the pool to search */ + /* version(I) - IP protocol version (4 or 6) */ + /* aptr(I) - pointer to address information */ + /* */ + /* Search the hash table for a given address and return a search result. */ + /* ------------------------------------------------------------------------ */ int fr_iphmfindip(tptr, version, aptr) void *tptr, *aptr; int version; *************** *** 385,394 **** int rval; if (version != 4) ! return 1; if (tptr == NULL || aptr == NULL) ! return 1; iph = tptr; addr = aptr; --- 394,403 ---- int rval; if (version != 4) ! return -1; if (tptr == NULL || aptr == NULL) ! return -1; iph = tptr; addr = aptr; diff -cr ip_fil4.1.3/ip_irc_pxy.c ip_fil4.1.4/ip_irc_pxy.c *** ip_fil4.1.3/ip_irc_pxy.c Tue May 25 00:01:48 2004 --- ip_fil4.1.4/ip_irc_pxy.c Fri Dec 10 06:40:59 2004 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ip_irc_pxy.c,v 2.39.2.2 2004/05/24 14:01:48 darrenr Exp $ */ #define IPF_IRC_PROXY --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ip_irc_pxy.c,v 2.39.2.3 2004/12/09 19:40:59 darrenr Exp $ */ #define IPF_IRC_PROXY *************** *** 93,102 **** s++; c = *s; ircp->irc_snick = s; ! if (!isalpha(c)) return 0; i--; ! for (c = *s; !isspace(c) && (i > 0); i--) c = *s++; if (i < 31) return 0; --- 93,102 ---- s++; c = *s; ircp->irc_snick = s; ! if (!ISALPHA(c)) return 0; i--; ! 
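Review bot: The new header comment says `version(I) - IP protocol version (4 or 6)`, but the first check in the body (385,394 hunk) now returns -1 for anything other than 4, so an IPv6 lookup is reported as an error rather than a miss and the comment implies support that is not there. Reword it to `version(I) - IP protocol version (only 4 is supported; anything else is an error)`, and extend the Returns line to say that NULL arguments also yield -1, since callers that previously saw 1 from both cases now have to distinguish the error. The remainder of fr_iphmfindip is outside the hunk.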
for (c = *s; !ISSPACE(c) && (i > 0); i--) c = *s++; if (i < 31) return 0; *************** *** 118,126 **** /* * Loosely check that the destination is a nickname of some sort */ ! if (!isalpha(c)) return 0; ! for (; !isspace(c) && (i > 0); i--) c = *s++; if (i < 20) return 0; --- 118,126 ---- /* * Loosely check that the destination is a nickname of some sort */ ! if (!ISALPHA(c)) return 0; ! for (; !ISSPACE(c) && (i > 0); i--) c = *s++; if (i < 20) return 0; *************** *** 164,170 **** * Check for the arg */ c = *s; ! if (isspace(c)) return 0; ircp->irc_arg = s; for (; (c != ' ') && (c != '\001') && (i > 0); i--) --- 164,170 ---- * Check for the arg */ c = *s; ! if (ISSPACE(c)) return 0; ircp->irc_arg = s; for (; (c != ' ') && (c != '\001') && (i > 0); i--) *************** *** 179,191 **** s++; i--; c = *s; ! if (!isdigit(c)) return 0; ircp->irc_addr = s; /* * Get the IP# */ ! for (l = 0; isdigit(c) && (i > 0); i--) { l *= 10; l += c - '0'; c = *s++; --- 179,191 ---- s++; i--; c = *s; ! if (!ISDIGIT(c)) return 0; ircp->irc_addr = s; /* * Get the IP# */ ! for (l = 0; ISDIGIT(c) && (i > 0); i--) { l *= 10; l += c - '0'; c = *s++; *************** *** 201,212 **** s++; i--; c = *s; ! if (!isdigit(c)) return 0; /* * Get the port# */ ! for (l = 0; isdigit(c) && (i > 0); i--) { l *= 10; l += c - '0'; c = *s++; --- 201,212 ---- s++; i--; c = *s; ! if (!ISDIGIT(c)) return 0; /* * Get the port# */ ! for (l = 0; ISDIGIT(c) && (i > 0); i--) { l *= 10; l += c - '0'; c = *s++; diff -cr ip_fil4.1.3/ip_log.c ip_fil4.1.4/ip_log.c *** ip_fil4.1.3/ip_log.c Wed Jul 14 00:25:36 2004 --- ip_fil4.1.4/ip_log.c Sat Oct 16 17:59:27 2004 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ip_log.c,v 2.75.2.5 2004/07/13 14:25:36 darrenr Exp $ */ #include #if defined(KERNEL) || defined(_KERNEL) --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! 
* $Id: ip_log.c,v 2.75.2.6 2004/10/16 07:59:27 darrenr Exp $ */ #include #if defined(KERNEL) || defined(_KERNEL) *************** *** 155,160 **** --- 155,161 ---- int ipl_logmax = IPL_LOGMAX; int ipl_logall = 0; int ipl_log_init = 0; + int ipl_logsize = IPFILTER_LOGSIZE; int ipl_magic[IPL_LOGSIZE] = { IPL_MAGIC, IPL_MAGIC_NAT, IPL_MAGIC_STATE, IPL_MAGIC, IPL_MAGIC, IPL_MAGIC, IPL_MAGIC, IPL_MAGIC }; *************** *** 453,459 **** return -1; SPL_NET(s); MUTEX_ENTER(&ipl_mutex); ! if ((iplused[dev] + len) > IPFILTER_LOGSIZE) { MUTEX_EXIT(&ipl_mutex); SPL_X(s); KFREES(buf, len); --- 454,460 ---- return -1; SPL_NET(s); MUTEX_ENTER(&ipl_mutex); ! if ((iplused[dev] + len) > ipl_logsize) { MUTEX_EXIT(&ipl_mutex); SPL_X(s); KFREES(buf, len); *************** *** 548,554 **** if (uio->uio_resid == 0) return 0; if ((uio->uio_resid < sizeof(iplog_t)) || ! (uio->uio_resid > IPFILTER_LOGSIZE)) return EINVAL; /* --- 549,555 ---- if (uio->uio_resid == 0) return 0; if ((uio->uio_resid < sizeof(iplog_t)) || ! (uio->uio_resid > ipl_logsize)) return EINVAL; /* diff -cr ip_fil4.1.3/ip_nat.c ip_fil4.1.4/ip_nat.c *** ip_fil4.1.3/ip_nat.c Wed Jun 30 00:22:01 2004 --- ip_fil4.1.4/ip_nat.c Mon Jan 3 00:20:31 2005 *************** *** 105,111 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.195.2.14 2004/06/29 14:22:01 darrenr Exp $"; #endif --- 105,111 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! 
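Review bot: `ipl_logsize` replaces the compile-time IPFILTER_LOGSIZE in the overflow check here and in the read-size check of the 548,554 hunk, but it is a plain `int` with no lower bound visible in this diff; a value below sizeof(iplog_t) makes the read check (`uio_resid < sizeof(iplog_t) || uio_resid > ipl_logsize`) fail for every read, and a negative value rejects every log entry. The tunable's registration and its min/max are not in this diff, so they cannot be checked here; at minimum document the constraint at the definition, `/* run-time tunable; must stay >= sizeof(iplog_t) or iplread rejects every read */`, and have the registration enforce it. The signed comparison against `uio_resid` is also worth confirming on platforms where that field is unsigned.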
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.195.2.27 2005/01/02 13:20:31 darrenr Exp $"; #endif *************** *** 186,192 **** static INLINE int nat_icmpquerytype4 __P((int)); static int nat_siocaddnat __P((ipnat_t *, ipnat_t **, int)); static void nat_siocdelnat __P((ipnat_t *, ipnat_t **, int)); - static INLINE int nat_icmperrortype4 __P((int)); static INLINE int nat_finalise __P((fr_info_t *, nat_t *, natinfo_t *, tcphdr_t *, nat_t **, int)); static void nat_resolverule __P((ipnat_t *)); --- 186,191 ---- *************** *** 415,421 **** /* */ /* Check if an ip address has already been allocated for a given mapping */ /* that is not doing port based translation. If is not yet allocated, then */ ! /* create a new entry. */ /* ------------------------------------------------------------------------ */ static struct hostmap *nat_hostmap(np, src, dst, map, port) ipnat_t *np; --- 414,420 ---- /* */ /* Check if an ip address has already been allocated for a given mapping */ /* that is not doing port based translation. If is not yet allocated, then */ ! /* create a new entry if a non-NULL NAT rule pointer has been supplied. */ /* ------------------------------------------------------------------------ */ static struct hostmap *nat_hostmap(np, src, dst, map, port) ipnat_t *np; *************** *** 651,656 **** --- 650,657 ---- */ if ((cmd == (ioctlcmd_t)SIOCADNAT) || (cmd == (ioctlcmd_t)SIOCRMNAT)) { nat = &natd; + if (nat->in_v == 0) /* For backward compat. */ + nat->in_v = 4; nat->in_flags &= IPN_USERFLAGS; if ((nat->in_redir & NAT_MAPBLK) == 0) { if ((nat->in_flags & IPN_SPLIT) == 0) *************** *** 992,1006 **** ipnat_t *n; { n->in_ifnames[0][LIFNAMSIZ - 1] = '\0'; ! if (!strncmp(n->in_ifnames[0], "*", LIFNAMSIZ)) { ! n->in_ifps[0] = NULL; ! } else if (!strncmp(n->in_ifnames[0], "-", LIFNAMSIZ)) { ! n->in_ifps[0] = (void *)-1; ! } else { ! n->in_ifps[0] = (void *)GETIFP(n->in_ifnames[0], 4); ! if (n->in_ifps[0] == NULL) ! n->in_ifps[0] = (void *)-1; ! 
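Review bot: The backward-compatibility default `if (nat->in_v == 0) nat->in_v = 4;` only fixes up a zero; a nonzero `in_v` coming from the userland `natd` copy is accepted as-is, even though the matching added later in this diff (`np->in_v != fin->fin_v`) and the interface resolution (`fr_resolvenic(..., 4)`) both assume IPv4. A rule loaded with any other value is stored but can never match, which is a silent misconfiguration rather than an error; rejecting it here with EINVAL, in whatever form the surrounding ioctl handler uses for bad input, would surface it. The enclosing ioctl handler starts and ends outside the hunk.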
} n->in_ifnames[1][LIFNAMSIZ - 1] = '\0'; if (n->in_ifnames[1][0] == '\0') { --- 993,999 ---- ipnat_t *n; { n->in_ifnames[0][LIFNAMSIZ - 1] = '\0'; ! n->in_ifps[0] = fr_resolvenic(n->in_ifnames[0], 4); n->in_ifnames[1][LIFNAMSIZ - 1] = '\0'; if (n->in_ifnames[1][0] == '\0') { *************** *** 1007,1021 **** (void) strncpy(n->in_ifnames[1], n->in_ifnames[0], LIFNAMSIZ); n->in_ifps[1] = n->in_ifps[0]; } else { ! if (!strncmp(n->in_ifnames[1], "*", LIFNAMSIZ)) { ! n->in_ifps[1] = NULL; ! } else if (!strncmp(n->in_ifnames[1], "-", LIFNAMSIZ)) { ! n->in_ifps[1] = (void *)-1; ! } else { ! n->in_ifps[1] = (void *)GETIFP(n->in_ifnames[1], 4); ! if (n->in_ifps[1] == NULL) ! n->in_ifps[1] = (void *)-1; ! } } if (n->in_plabel[0] != '\0') { --- 1000,1006 ---- (void) strncpy(n->in_ifnames[1], n->in_ifnames[0], LIFNAMSIZ); n->in_ifps[1] = n->in_ifps[0]; } else { ! n->in_ifps[1] = fr_resolvenic(n->in_ifnames[0], 4); } if (n->in_plabel[0] != '\0') { *************** *** 1370,1375 **** --- 1355,1361 ---- goto junkput; } ipnn->ipn_nat.nat_fr = fr; + fr->fr_ref = 0; (void) fr_outobj(data, ipnn, IPFOBJ_NATSAVE); bcopy((char *)&ipnn->ipn_fr, (char *)fr, sizeof(*fr)); MUTEX_NUKE(&fr->fr_lock); *************** *** 1389,1396 **** KFREES(ipnn, ipn.ipn_dsize); ipnn = NULL; } ! if (nat_insert(nat, nat->nat_rev) == 0) return 0; error = ENOMEM; --- 1375,1388 ---- KFREES(ipnn, ipn.ipn_dsize); ipnn = NULL; } ! if (nat_insert(nat, nat->nat_rev) == 0) { ! if (fr != NULL) { ! MUTEX_ENTER(&fr->fr_lock); ! fr->fr_ref++; ! MUTEX_EXIT(&fr->fr_lock); ! } return 0; + } error = ENOMEM; *************** *** 1633,1638 **** --- 1625,1632 ---- /* */ /* Given an empty NAT structure, populate it with new information about a */ /* new NAT session, as defined by the matching NAT rule. */ + /* ni.nai_ip is passed in uninitialised and must be set, in host byte order,*/ + /* to the new IP address for the translation. 
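Review bot: The `else` branch for a second interface now resolves the wrong name: `n->in_ifps[1] = fr_resolvenic(n->in_ifnames[0], 4);` replaces code that looked up `n->in_ifnames[1]`, so a rule naming two different interfaces gets the first interface's pointer for both, and the per-interface rule filtering in nat_checkout/nat_checkin will match traffic on the wrong interface. The fix is `n->in_ifps[1] = fr_resolvenic(n->in_ifnames[1], 4);`. The corresponding nat_insert hunk later in this file (`*** 2359,2371 ****`) uses `nat_ifnames[1]` correctly, which supports reading this as a typo.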
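Review bot: `fr->fr_ref = 0;` is written before the `bcopy((char *)&ipnn->ipn_fr, (char *)fr, sizeof(*fr));` that overwrites the whole rule with the userland-supplied `ipn_fr`, so unless something after the hunk re-zeroes the count, the value that the later `fr->fr_ref++` builds on comes from user data rather than from this initialisation. Moving the assignment after the bcopy, or zeroing `ipnn->ipn_fr.fr_ref` before it, makes the count start from a kernel-controlled value. The increment hunk (`*** 1389,1396 ****`) is otherwise consistent: the reference is taken only once `nat_insert` has succeeded.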
*/ /* ------------------------------------------------------------------------ */ static INLINE int nat_newmap(fin, nat, ni) fr_info_t *fin; *************** *** 1855,1871 **** ni->nai_sum2 += ntohs(port); } ! if (flags & IPN_TCPUDPICMP) { nat->nat_inport = sport; nat->nat_outport = port; /* sport */ nat->nat_oport = dport; ((tcphdr_t *)fin->fin_dp)->th_sport = port; ! } if (flags & IPN_ICMPQUERY) { ((icmphdr_t *)fin->fin_dp)->icmp_id = port; nat->nat_inport = port; nat->nat_outport = port; } ! ni->nai_ip.s_addr = htonl(in.s_addr); ni->nai_port = port; ni->nai_nport = dport; return 0; --- 1849,1865 ---- ni->nai_sum2 += ntohs(port); } ! if (flags & IPN_TCPUDP) { nat->nat_inport = sport; nat->nat_outport = port; /* sport */ nat->nat_oport = dport; ((tcphdr_t *)fin->fin_dp)->th_sport = port; ! } else if (flags & IPN_ICMPQUERY) { ((icmphdr_t *)fin->fin_dp)->icmp_id = port; nat->nat_inport = port; nat->nat_outport = port; } ! ni->nai_ip.s_addr = in.s_addr; ni->nai_port = port; ni->nai_nport = dport; return 0; *************** *** 1881,1886 **** --- 1875,1882 ---- /* ni(I) - pointer to structure with misc. information needed */ /* to create new NAT entry. */ /* */ + /* ni.nai_ip is passed in uninitialised and must be set, in host byte order,*/ + /* to the new IP address for the translation. */ /* ------------------------------------------------------------------------ */ static INLINE int nat_newrdr(fin, nat, ni) fr_info_t *fin; *************** *** 1896,1902 **** move = 1; hm = NULL; ! in = ni->nai_ip; np = ni->nai_np; flags = ni->nai_flags; sport = ni->nai_sport; --- 1892,1898 ---- move = 1; hm = NULL; ! in.s_addr = 0; np = ni->nai_np; flags = ni->nai_flags; sport = ni->nai_sport; *************** *** 1914,1920 **** hm = nat_hostmap(NULL, fin->fin_src, fin->fin_dst, in, (u_32_t)dport); if (hm != NULL) { ! 
ni->nai_ip.s_addr = hm->hm_mapip.s_addr; np = hm->hm_ipnat; ni->nai_np = np; move = 0; --- 1910,1916 ---- hm = nat_hostmap(NULL, fin->fin_src, fin->fin_dst, in, (u_32_t)dport); if (hm != NULL) { ! in.s_addr = ntohl(hm->hm_mapip.s_addr); np = hm->hm_ipnat; ni->nai_np = np; move = 0; *************** *** 2121,2127 **** bzero((char *)nat, sizeof(*nat)); nat->nat_flags = flags; ! MUTEX_ENTER(&ipf_nat_new); /* * Search the current table for a match. --- 2117,2125 ---- bzero((char *)nat, sizeof(*nat)); nat->nat_flags = flags; ! if ((flags & NAT_SLAVE) == 0) { ! MUTEX_ENTER(&ipf_nat_new); ! } /* * Search the current table for a match. *************** *** 2135,2142 **** natl = nat_outlookup(fin, nflags, (u_int)fin->fin_p, fin->fin_src, fin->fin_dst); if (natl != NULL) { ! MUTEX_EXIT(&ipf_nat_new); ! return natl; } move = nat_newmap(fin, nat, &ni); --- 2133,2140 ---- natl = nat_outlookup(fin, nflags, (u_int)fin->fin_p, fin->fin_src, fin->fin_dst); if (natl != NULL) { ! nat = natl; ! goto done; } move = nat_newmap(fin, nat, &ni); *************** *** 2152,2159 **** natl = nat_inlookup(fin, nflags, (u_int)fin->fin_p, fin->fin_src, fin->fin_dst); if (natl != NULL) { ! MUTEX_EXIT(&ipf_nat_new); ! return natl; } move = nat_newrdr(fin, nat, &ni); --- 2150,2157 ---- natl = nat_inlookup(fin, nflags, (u_int)fin->fin_p, fin->fin_src, fin->fin_dst); if (natl != NULL) { ! nat = natl; ! goto done; } move = nat_newrdr(fin, nat, &ni); *************** *** 2190,2196 **** if ((flags & IPN_TCP) && dohwcksum && (((ill_t *)qpi->qpi_ill)->ill_ick.ick_magic == ICK_M_CTL_MAGIC)) { if (direction == NAT_OUTBOUND) ! ni.nai_sum1 = LONG_SUM(ntohl(in.s_addr)); else ni.nai_sum1 = LONG_SUM(ntohl(fin->fin_saddr)); ni.nai_sum1 += LONG_SUM(ntohl(fin->fin_daddr)); --- 2188,2194 ---- if ((flags & IPN_TCP) && dohwcksum && (((ill_t *)qpi->qpi_ill)->ill_ick.ick_magic == ICK_M_CTL_MAGIC)) { if (direction == NAT_OUTBOUND) ! 
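Review bot: With `NAT_SLAVE` set, `nat_new` neither takes nor releases `ipf_nat_new`, so correctness depends on the caller already holding it; that contract is not stated in any of these hunks, and the only caller passing the flag in this diff (`ip_pptp_pxy.c`) is itself reached from inside NAT processing. Add to the function header, which is outside this hunk, a line such as `/* NAT_SLAVE in flags means the caller already holds ipf_nat_new */`, and the `done:` label in the `*** 2220,2242 ****` hunk of this file is the natural place for a matching comment on the conditional unlock. A side effect of routing the `nat_finalise` failure through `badnat` is that `ns_badnat` is now incremented for it as well, which is probably intended but changes what the counter measures.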
ni.nai_sum1 = LONG_SUM(in.s_addr); else ni.nai_sum1 = LONG_SUM(ntohl(fin->fin_saddr)); ni.nai_sum1 += LONG_SUM(ntohl(fin->fin_daddr)); *************** *** 2220,2242 **** } if (nat_finalise(fin, nat, &ni, tcp, natsave, direction) == -1) { ! if ((hm = nat->nat_hm) != NULL) ! nat_hostmapdel(hm); ! MUTEX_EXIT(&ipf_nat_new); ! KFREE(nat); ! return NULL; } if (flags & SI_WILDP) nat_stats.ns_wilds++; ! MUTEX_EXIT(&ipf_nat_new); ! return nat; badnat: nat_stats.ns_badnat++; if ((hm = nat->nat_hm) != NULL) nat_hostmapdel(hm); - MUTEX_EXIT(&ipf_nat_new); KFREE(nat); ! return NULL; } --- 2218,2239 ---- } if (nat_finalise(fin, nat, &ni, tcp, natsave, direction) == -1) { ! goto badnat; } if (flags & SI_WILDP) nat_stats.ns_wilds++; ! goto done; badnat: nat_stats.ns_badnat++; if ((hm = nat->nat_hm) != NULL) nat_hostmapdel(hm); KFREE(nat); ! nat = NULL; ! done: ! if ((flags & NAT_SLAVE) == 0) { ! MUTEX_EXIT(&ipf_nat_new); ! } ! return nat; } *************** *** 2359,2371 **** nat->nat_pkts[1] = 0; nat->nat_ifnames[0][LIFNAMSIZ - 1] = '\0'; ! if (nat->nat_ifnames[0][0] !='\0') { ! nat->nat_ifps[0] = GETIFP(nat->nat_ifnames[0], 4); ! } ! nat->nat_ifnames[1][LIFNAMSIZ - 1] = '\0'; if (nat->nat_ifnames[1][0] !='\0') { ! nat->nat_ifps[1] = GETIFP(nat->nat_ifnames[1], 4); } else { nat->nat_ifps[1] = nat->nat_ifps[0]; } --- 2356,2370 ---- nat->nat_pkts[1] = 0; nat->nat_ifnames[0][LIFNAMSIZ - 1] = '\0'; ! nat->nat_ifps[0] = fr_resolvenic(nat->nat_ifnames[0], 4); ! if (nat->nat_ifnames[1][0] !='\0') { ! nat->nat_ifnames[1][LIFNAMSIZ - 1] = '\0'; ! nat->nat_ifps[1] = fr_resolvenic(nat->nat_ifnames[1], 4); } else { + (void) strncpy(nat->nat_ifnames[1], nat->nat_ifnames[0], + LIFNAMSIZ); + nat->nat_ifnames[1][LIFNAMSIZ - 1] = '\0'; nat->nat_ifps[1] = nat->nat_ifps[0]; } *************** *** 2406,2412 **** /* dir(I) - direction of packet (in/out) */ /* */ /* Check if the ICMP error message is related to an existing TCP, UDP or */ ! /* ICMP query nat entry. 
*/ /* ------------------------------------------------------------------------ */ nat_t *nat_icmperrorlookup(fin, dir) fr_info_t *fin; --- 2405,2412 ---- /* dir(I) - direction of packet (in/out) */ /* */ /* Check if the ICMP error message is related to an existing TCP, UDP or */ ! /* ICMP query nat entry. It is assumed that the packet is already of the */ ! /* the required length. */ /* ------------------------------------------------------------------------ */ nat_t *nat_icmperrorlookup(fin, dir) fr_info_t *fin; *************** *** 2421,2452 **** u_int p; icmp = fin->fin_dp; /* * Does it at least have the return (basic) IP header ? * Only a basic IP header (no options) should be with an ICMP error ! * header. */ ! if (fin->fin_hlen != sizeof(ip_t) || ! (fin->fin_plen < ICMPERR_MINPKTLEN)) return NULL; - type = icmp->icmp_type; - /* - * If it's not an error type, then return. - */ - if (!nat_icmperrortype4(type)) - return NULL; - - /* * Check packet size */ oip = (ip_t *)((char *)fin->fin_dp + 8); minlen = IP_HL(oip) << 2; ! if (minlen < sizeof(ip_t)) return NULL; - if (fin->fin_plen < ICMPERR_IPICMPHLEN + minlen) - return NULL; /* * Is the buffer big enough for all of it ? It's the size of the IP * header claimed in the encapsulated part which is of concern. It --- 2421,2444 ---- u_int p; icmp = fin->fin_dp; + type = icmp->icmp_type; /* * Does it at least have the return (basic) IP header ? * Only a basic IP header (no options) should be with an ICMP error ! * header. Also, if it's not an error type, then return. */ ! if ((fin->fin_hlen != sizeof(ip_t)) || ! !fr_icmp4errortype(type)) return NULL; /* * Check packet size */ oip = (ip_t *)((char *)fin->fin_dp + 8); minlen = IP_HL(oip) << 2; ! if ((minlen < sizeof(ip_t)) || ! (fin->fin_plen < ICMPERR_IPICMPHLEN + minlen)) return NULL; /* * Is the buffer big enough for all of it ? It's the size of the IP * header claimed in the encapsulated part which is of concern. 
It *************** *** 2559,2570 **** struct in_addr in; icmphdr_t *icmp; int flags, dlen; ! udphdr_t *udp; tcphdr_t *tcp; nat_t *nat; ip_t *oip; ! if ((fin->fin_flx & (FI_SHORT|FI_FRAGTAIL))) return NULL; /* * nat_icmperrorlookup() will return NULL for `defective' packets. --- 2551,2563 ---- struct in_addr in; icmphdr_t *icmp; int flags, dlen; ! u_short *csump; tcphdr_t *tcp; nat_t *nat; ip_t *oip; + void *dp; ! if ((fin->fin_flx & (FI_SHORT|FI_FRAGBODY))) return NULL; /* * nat_icmperrorlookup() will return NULL for `defective' packets. *************** *** 2572,2591 **** if ((fin->fin_v != 4) || !(nat = nat_icmperrorlookup(fin, dir))) return NULL; flags = 0; sumd2 = 0; *nflags = IPN_ICMPERR; icmp = fin->fin_dp; oip = (ip_t *)&icmp->icmp_ip; ! if (oip->ip_p == IPPROTO_TCP) flags = IPN_TCP; ! else if (oip->ip_p == IPPROTO_UDP) flags = IPN_UDP; ! else if (oip->ip_p == IPPROTO_ICMP) flags = IPN_ICMPQUERY; ! udp = (udphdr_t *)((((char *)oip) + (IP_HL(oip) << 2))); ! tcp = (tcphdr_t *)udp; ! dlen = fin->fin_plen - ((char *)udp - (char *)fin->fin_ip); /* * Need to adjust ICMP header to include the real IP#'s and --- 2565,2592 ---- if ((fin->fin_v != 4) || !(nat = nat_icmperrorlookup(fin, dir))) return NULL; + tcp = NULL; + csump = NULL; flags = 0; sumd2 = 0; *nflags = IPN_ICMPERR; icmp = fin->fin_dp; oip = (ip_t *)&icmp->icmp_ip; ! dp = (((char *)oip) + (IP_HL(oip) << 2)); ! if (oip->ip_p == IPPROTO_TCP) { ! tcp = (tcphdr_t *)dp; ! csump = (u_short *)&tcp->th_sum; flags = IPN_TCP; ! } else if (oip->ip_p == IPPROTO_UDP) { ! udphdr_t *udp; ! ! udp = (udphdr_t *)dp; ! tcp = (tcphdr_t *)dp; ! csump = (u_short *)&udp->uh_sum; flags = IPN_UDP; ! } else if (oip->ip_p == IPPROTO_ICMP) flags = IPN_ICMPQUERY; ! dlen = fin->fin_plen - ((char *)dp - (char *)fin->fin_ip); /* * Need to adjust ICMP header to include the real IP#'s and *************** *** 2649,2662 **** * Fix UDP pseudo header checksum to compensate for the * IP address change. */ ! 
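Review bot: The explicit `fin->fin_plen < ICMPERR_MINPKTLEN` test has been removed in favour of the comment that the packet "is already of the required length", yet `oip = (ip_t *)((char *)fin->fin_dp + 8); minlen = IP_HL(oip) << 2;` now reads the encapsulated header before any length check inside this function. If any caller reaches `nat_icmperrorlookup` without the pull-up the comment assumes, that is an over-read of sender-controlled packet data; a one-line `if (fin->fin_plen < ICMPERR_MINPKTLEN) return NULL;` before the `oip` computation costs nothing and keeps the function safe on its own. The function's body continues past the end of the hunk.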
if ((oip->ip_p == IPPROTO_UDP) && (dlen >= 8) && (udp->uh_sum != 0)) { /* * The UDP checksum is optional, only adjust it * if it has been set. */ ! sum1 = ntohs(udp->uh_sum); ! fix_datacksum(&udp->uh_sum, sumd); ! sum2 = ntohs(udp->uh_sum); /* * Fix ICMP checksum to compensate the UDP --- 2650,2663 ---- * Fix UDP pseudo header checksum to compensate for the * IP address change. */ ! if ((oip->ip_p == IPPROTO_UDP) && (dlen >= 8) && (*csump != 0)) { /* * The UDP checksum is optional, only adjust it * if it has been set. */ ! sum1 = ntohs(*csump); ! fix_datacksum(csump, sumd); ! sum2 = ntohs(*csump); /* * Fix ICMP checksum to compensate the UDP *************** *** 2672,2682 **** * IP address change. Before we can do the change, we * must make sure that oip is sufficient large to hold * the TCP checksum (normally it does not!). */ else if (oip->ip_p == IPPROTO_TCP && dlen >= 18) { ! sum1 = ntohs(tcp->th_sum); ! fix_datacksum(&tcp->th_sum, sumd); ! sum2 = ntohs(tcp->th_sum); /* * Fix ICMP checksum to compensate the TCP --- 2673,2684 ---- * IP address change. Before we can do the change, we * must make sure that oip is sufficient large to hold * the TCP checksum (normally it does not!). + * 18 = offsetof(tcphdr_t, th_sum) + 2 */ else if (oip->ip_p == IPPROTO_TCP && dlen >= 18) { ! sum1 = ntohs(*csump); ! fix_datacksum(csump, sumd); ! sum2 = ntohs(*csump); /* * Fix ICMP checksum to compensate the TCP *************** *** 2742,2754 **** * it has been set. */ if ((oip->ip_p == IPPROTO_UDP) && ! (dlen >= 8) && (udp->uh_sum != 0)) { sumd = sum1 - sum2; sumd2 += sumd; ! sum1 = ntohs(udp->uh_sum); ! fix_datacksum(&udp->uh_sum, sumd); ! sum2 = ntohs(udp->uh_sum); /* * Fix ICMP checksum to compenstate --- 2744,2756 ---- * it has been set. */ if ((oip->ip_p == IPPROTO_UDP) && ! (dlen >= 8) && (*csump != 0)) { sumd = sum1 - sum2; sumd2 += sumd; ! sum1 = ntohs(*csump); ! fix_datacksum(csump, sumd); ! 
sum2 = ntohs(*csump); /* * Fix ICMP checksum to compenstate *************** *** 2768,2776 **** sumd = sum1 - sum2; sumd2 += sumd; ! sum1 = ntohs(tcp->th_sum); ! fix_datacksum(&tcp->th_sum, sumd); ! sum2 = ntohs(tcp->th_sum); /* * Fix ICMP checksum to compensate --- 2770,2778 ---- sumd = sum1 - sum2; sumd2 += sumd; ! sum1 = ntohs(*csump); ! fix_datacksum(csump, sumd); ! sum2 = ntohs(*csump); /* * Fix ICMP checksum to compensate *************** *** 2798,2810 **** * it if it has been set. */ if ((oip->ip_p == IPPROTO_UDP) && ! (dlen >= 8) && (udp->uh_sum != 0)) { sumd = sum1 - sum2; sumd2 += sumd; ! sum1 = ntohs(udp->uh_sum); ! fix_datacksum(&udp->uh_sum, sumd); ! sum2 = ntohs(udp->uh_sum); /* * Fix ICMP checksum to compensate --- 2800,2812 ---- * it if it has been set. */ if ((oip->ip_p == IPPROTO_UDP) && ! (dlen >= 8) && (*csump != 0)) { sumd = sum1 - sum2; sumd2 += sumd; ! sum1 = ntohs(*csump); ! fix_datacksum(csump, sumd); ! sum2 = ntohs(*csump); /* * Fix ICMP checksum to compensate *************** *** 2824,2832 **** sumd = sum1 - sum2; sumd2 += sumd; ! sum1 = ntohs(tcp->th_sum); ! fix_datacksum(&tcp->th_sum, sumd); ! sum2 = ntohs(tcp->th_sum); /* * Fix ICMP checksum to compensate --- 2826,2834 ---- sumd = sum1 - sum2; sumd2 += sumd; ! sum1 = ntohs(*csump); ! fix_datacksum(csump, sumd); ! sum2 = ntohs(*csump); /* * Fix ICMP checksum to compensate *************** *** 2855,2861 **** * XXX - what if this is bogus hl and we go off the end ? * In this case, nat_icmperrorlookup() will have returned NULL. */ ! orgicmp = (icmphdr_t *)udp; if (nat->nat_dir == NAT_OUTBOUND) { if (orgicmp->icmp_id != nat->nat_inport) { --- 2857,2863 ---- * XXX - what if this is bogus hl and we go off the end ? * In this case, nat_icmperrorlookup() will have returned NULL. */ ! orgicmp = (icmphdr_t *)dp; if (nat->nat_dir == NAT_OUTBOUND) { if (orgicmp->icmp_id != nat->nat_inport) { *************** *** 3409,3415 **** ft = &np->in_tuc; if (!(fin->fin_flx & FI_TCPUDP) || ! 
(fin->fin_flx & (FI_SHORT|FI_FRAGTAIL))) { if (ft->ftu_scmp || ft->ftu_dcmp) return 0; return 1; --- 3411,3417 ---- ft = &np->in_tuc; if (!(fin->fin_flx & FI_TCPUDP) || ! (fin->fin_flx & (FI_SHORT|FI_FRAGBODY))) { if (ft->ftu_scmp || ft->ftu_dcmp) return 0; return 1; *************** *** 3490,3495 **** --- 3492,3498 ---- struct ifnet *ifp, *sifp; icmphdr_t *icmp = NULL; tcphdr_t *tcp = NULL; + int rval, natfailed; ipnat_t *np = NULL; u_int nflags = 0; u_32_t ipa, iph; *************** *** 3496,3506 **** int natadd = 1; frentry_t *fr; nat_t *nat; - int rval; if (nat_stats.ns_rules == 0 || fr_nat_lock != 0) return 0; fr = fin->fin_fr; sifp = fin->fin_ifp; if ((fr != NULL) && !(fr->fr_flags & FR_DUP) && --- 3499,3509 ---- int natadd = 1; frentry_t *fr; nat_t *nat; if (nat_stats.ns_rules == 0 || fr_nat_lock != 0) return 0; + natfailed = 0; fr = fin->fin_fr; sifp = fin->fin_ifp; if ((fr != NULL) && !(fr->fr_flags & FR_DUP) && *************** *** 3565,3570 **** --- 3568,3575 ---- { if ((np->in_ifps[0] && (np->in_ifps[0] != ifp))) continue; + if (np->in_v != fin->fin_v) + continue; if ((np->in_flags & IPN_RF) && !(np->in_flags & nflags)) continue; if (np->in_flags & IPN_FILTER) { *************** *** 3589,3595 **** NAT_OUTBOUND))) { np->in_hits++; break; ! } } if ((np == NULL) && (nmsk != 0)) { while (nmsk) { --- 3594,3601 ---- NAT_OUTBOUND))) { np->in_hits++; break; ! } else ! natfailed = -1; } if ((np == NULL) && (nmsk != 0)) { while (nmsk) { *************** *** 3615,3621 **** fin->fin_nat = nat; } } else ! rval = 0; RWLOCK_EXIT(&ipf_nat); if (rval == -1) { --- 3621,3627 ---- fin->fin_nat = nat; } } else ! rval = natfailed; RWLOCK_EXIT(&ipf_nat); if (rval == -1) { *************** *** 3680,3686 **** CALC_SUMD(s1, s2, sumd); fix_outcksum(fin, &fin->fin_ip->ip_sum, sumd); } ! 
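Review bot: `natfailed = -1` turns a failed `nat_new` for a matching rule into `rval = natfailed`, so a packet that matched a map rule but could not get a session (table full, allocation failure) is now handled by the `rval == -1` path instead of passing untranslated; that is the safer, fail-closed outcome, since it stops internal addresses leaving unmapped, but it is a visible behaviour change and deserves a comment where `natfailed` is set: `/* rule matched but no session could be created: treat as failure rather than pass untranslated */`. A later rule in the same loop can still succeed and set the outcome through the normal path, which is fine, but `natfailed` is never reset when that happens. The same change is made in nat_checkin (`*** 3871,3877 ****` and `*** 3898,3904 ****`).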
#if !defined(_KERNEL) || (defined(MENTAT) || defined(__sgi)) else { if (nat->nat_dir == NAT_OUTBOUND) fix_outcksum(fin, &fin->fin_ip->ip_sum, --- 3686,3692 ---- CALC_SUMD(s1, s2, sumd); fix_outcksum(fin, &fin->fin_ip->ip_sum, sumd); } ! #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) else { if (nat->nat_dir == NAT_OUTBOUND) fix_outcksum(fin, &fin->fin_ip->ip_sum, *************** *** 3766,3771 **** --- 3772,3778 ---- u_32_t *passp; { u_int nflags, natadd; + int rval, natfailed; struct ifnet *ifp; struct in_addr in; icmphdr_t *icmp; *************** *** 3774,3780 **** ipnat_t *np; nat_t *nat; u_32_t iph; - int rval; if (nat_stats.ns_rules == 0 || fr_nat_lock != 0) return 0; --- 3781,3786 ---- *************** *** 3784,3789 **** --- 3790,3796 ---- dport = 0; natadd = 1; nflags = 0; + natfailed = 0; ifp = fin->fin_ifp; if (!(fin->fin_flx & FI_SHORT) && (fin->fin_off == 0)) { *************** *** 3845,3850 **** --- 3852,3859 ---- for (np = rdr_rules[hv]; np; np = np->in_rnext) { if (np->in_ifps[0] && (np->in_ifps[0] != ifp)) continue; + if (np->in_v != fin->fin_v) + continue; if (np->in_p && (np->in_p != fin->fin_p)) continue; if ((np->in_flags & IPN_RF) && !(np->in_flags & nflags)) *************** *** 3871,3877 **** if (nat != NULL) { np->in_hits++; break; ! } } if ((np == NULL) && (rmsk != 0)) { --- 3880,3887 ---- if (nat != NULL) { np->in_hits++; break; ! } else ! natfailed = -1; } if ((np == NULL) && (rmsk != 0)) { *************** *** 3898,3904 **** fin->fin_state = nat->nat_state; } } else ! rval = 0; RWLOCK_EXIT(&ipf_nat); if (rval == -1) { --- 3908,3914 ---- fin->fin_state = nat->nat_state; } } else ! rval = natfailed; RWLOCK_EXIT(&ipf_nat); if (rval == -1) { *************** *** 3985,3991 **** * fast forwarding (so that it doesn't need to be recomputed) but with * header checksum offloading, perhaps it is a moot point. */ ! 
#if !defined(_KERNEL) || (defined(MENTAT) || defined(__sgi) || defined(__osf__)) if (nat->nat_dir == NAT_OUTBOUND) fix_incksum(fin, &fin->fin_ip->ip_sum, nat->nat_ipsumd); else --- 3995,4001 ---- * fast forwarding (so that it doesn't need to be recomputed) but with * header checksum offloading, perhaps it is a moot point. */ ! #if !defined(_KERNEL) || defined(MENTAT) || defined(__sgi) || defined(__osf__) if (nat->nat_dir == NAT_OUTBOUND) fix_incksum(fin, &fin->fin_ip->ip_sum, nat->nat_ipsumd); else *************** *** 4283,4298 **** } for (n = nat_list; (n != NULL); n = n->in_next) { ! if (n->in_ifps[0] == ifp) { ! n->in_ifps[0] = (void *)GETIFP(n->in_ifnames[0], 4); ! if (n->in_ifps[0] == NULL) ! n->in_ifps[0] = (void *)-1; ! } ! if (n->in_ifps[1] == ifp) { ! n->in_ifps[1] = (void *)GETIFP(n->in_ifnames[1], 4); ! if (n->in_ifps[1] == NULL) ! n->in_ifps[1] = (void *)-1; ! } } RWLOCK_EXIT(&ipf_nat); SPL_X(s); --- 4293,4302 ---- } for (n = nat_list; (n != NULL); n = n->in_next) { ! if ((ifp == NULL) || (n->in_ifps[0] == ifp)) ! n->in_ifps[0] = fr_resolvenic(n->in_ifnames[0], 4); ! if ((ifp == NULL) || (n->in_ifps[1] == ifp)) ! n->in_ifps[1] = fr_resolvenic(n->in_ifnames[1], 4); } RWLOCK_EXIT(&ipf_nat); SPL_X(s); *************** *** 4342,4372 **** /* ------------------------------------------------------------------------ */ - /* Function: nat_icmperrortype4 */ - /* Returns: int - 1 == success, 0 == failure */ - /* Parameters: icmptype(I) - ICMP type number */ - /* */ - /* Tests to see if the ICMP type number passed is an error type or not. 
*/ - /* ------------------------------------------------------------------------ */ - static INLINE int nat_icmperrortype4(icmptype) - int icmptype; - { - - switch (icmptype) - { - case ICMP_SOURCEQUENCH : - case ICMP_PARAMPROB : - case ICMP_REDIRECT : - case ICMP_TIMXCEED : - case ICMP_UNREACH : - return 1; - default: - return 0; - } - } - - - /* ------------------------------------------------------------------------ */ /* Function: nat_log */ /* Returns: Nil */ /* Parameters: nat(I) - pointer to NAT structure */ --- 4346,4351 ---- *************** *** 4431,4437 **** void nat_ifdetach(ifp) void *ifp; { ! frsync(); return; } #endif --- 4410,4416 ---- void nat_ifdetach(ifp) void *ifp; { ! frsync(ifp); return; } #endif *************** *** 4485,4497 **** MUTEX_NUKE(&clone->nat_lock); np = clone->nat_ptr; if (np != NULL) { np->in_use++; } - clone->nat_flags &= ~SI_CLONE; - clone->nat_flags |= SI_CLONED; - fr = clone->nat_fr; if (fr != NULL) { MUTEX_ENTER(&fr->fr_lock); --- 4464,4483 ---- MUTEX_NUKE(&clone->nat_lock); + clone->nat_flags &= ~SI_CLONE; + clone->nat_flags |= SI_CLONED; + + + if (nat_insert(clone, fin->fin_rev) == -1) { + KFREE(clone); + return NULL; + } np = clone->nat_ptr; if (np != NULL) { + if (nat_logging) + nat_log(clone, (u_int)np->in_redir); np->in_use++; } fr = clone->nat_fr; if (fr != NULL) { MUTEX_ENTER(&fr->fr_lock); *************** *** 4499,4508 **** MUTEX_EXIT(&fr->fr_lock); } - if (nat_insert(clone, fin->fin_rev) == -1) { - KFREE(clone); - return NULL; - } /* * Because the clone is created outside the normal loop of things and --- 4485,4490 ---- *************** *** 4629,4635 **** if (cp + 1 >= ep) break; advance = cp[1]; ! if (cp + advance > ep) break; switch (opt) { --- 4611,4617 ---- if (cp + 1 >= ep) break; advance = cp[1]; ! 
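Review bot: Moving `nat_insert(clone, fin->fin_rev)` ahead of `np->in_use++` and the `fr->fr_ref++` block fixes the leak of those references when the insert fails, but it also publishes the clone in the table before its rule and filter references are taken; that is only safe if the caller holds the NAT write lock for the whole of this function, which the hunk cannot show. A comment above the insert, `/* caller holds the NAT lock: the clone is visible before in_use/fr_ref are taken */`, would record the assumption to confirm. The `nat_log` call added here also runs before `in_use` is bumped, which is harmless as long as logging does not release that lock.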
if ((cp + advance > ep) || (advance <= 0)) break; switch (opt) { diff -cr ip_fil4.1.3/ip_nat.h ip_fil4.1.4/ip_nat.h *** ip_fil4.1.3/ip_nat.h Sun Jun 20 20:25:28 2004 --- ip_fil4.1.4/ip_nat.h Tue Dec 21 10:12:05 2004 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.90.2.4 2004/06/20 10:25:28 darrenr Exp $ */ #ifndef __IP_NAT_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.90.2.5 2004/12/20 23:12:05 darrenr Exp $ */ #ifndef __IP_NAT_H__ *************** *** 187,193 **** u_int in_hv; int in_flineno; /* conf. file line number */ u_short in_pnext; ! u_char in_xxx1[2]; /* From here to the end is covered by IPN_CMPSIZ */ u_32_t in_flags; u_32_t in_mssclamp; /* if != 0 clamp MSS to this */ --- 187,194 ---- u_int in_hv; int in_flineno; /* conf. file line number */ u_short in_pnext; ! u_char in_v; ! u_char in_xxx; /* From here to the end is covered by IPN_CMPSIZ */ u_32_t in_flags; u_32_t in_mssclamp; /* if != 0 clamp MSS to this */ diff -cr ip_fil4.1.3/ip_pool.c ip_fil4.1.4/ip_pool.c *** ip_fil4.1.3/ip_pool.c Mon Jun 14 09:45:18 2004 --- ip_fil4.1.4/ip_pool.c Mon Oct 18 01:49:14 2004 *************** *** 77,83 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_pool.c,v 2.55.2.9 2004/06/13 23:45:18 darrenr Exp $"; #endif #ifdef IPFILTER_LOOKUP --- 77,83 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_pool.c,v 2.55.2.11 2004/10/17 15:49:14 darrenr Exp $"; #endif #ifdef IPFILTER_LOOKUP *************** *** 365,371 **** /* ------------------------------------------------------------------------ */ /* Function: ip_pool_search */ ! 
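Review bot: `if ((cp + advance > ep) || (advance <= 0)) break;` stops the loop from spinning on a zero-length option, but a length of 1 is also malformed (the option length counts the kind and length bytes, so valid values start at 2); with `advance == 1` the loop steps one byte into the option and interprets its first body byte as a new option kind. `advance < 2` expresses the real invariant, and if `advance` is declared unsigned the `<= 0` test already collapses to `== 0`. The loop's enclosing function starts outside this hunk.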
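Review bot: `in_v` is placed immediately before the comment `/* From here to the end is covered by IPN_CMPSIZ */`, so it is excluded from whatever rule comparison uses that size; two rules differing only in `in_v` would compare equal. That is harmless while only 4 is supported, but if the field is meant to distinguish rules it belongs below that comment; otherwise record the choice with `/* in_v deliberately outside IPN_CMPSIZ; all rules are v4 today */`. The struct layout is otherwise unchanged, since the two `u_char` fields replace `in_xxx1[2]`.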
/* Returns: int - 0 == +ve match, -1 == error, 1 == -ve match */ /* Parameters: tptr(I) - pointer to the pool to search */ /* version(I) - IP protocol version (4 or 6) */ /* dptr(I) - pointer to address information */ --- 365,371 ---- /* ------------------------------------------------------------------------ */ /* Function: ip_pool_search */ ! /* Returns: int - 0 == +ve match, -1 == error, 1 == -ve/no match */ /* Parameters: tptr(I) - pointer to the pool to search */ /* version(I) - IP protocol version (4 or 6) */ /* dptr(I) - pointer to address information */ *************** *** 388,394 **** if (ipo == NULL) return -1; ! rv = -1; m = NULL; addr = (i6addr_t *)dptr; bzero(&v, sizeof(v)); --- 388,394 ---- if (ipo == NULL) return -1; ! rv = 1; m = NULL; addr = (i6addr_t *)dptr; bzero(&v, sizeof(v)); diff -cr ip_fil4.1.3/ip_pptp_pxy.c ip_fil4.1.4/ip_pptp_pxy.c *** ip_fil4.1.3/ip_pptp_pxy.c Tue Jun 8 00:20:05 2004 --- ip_fil4.1.4/ip_pptp_pxy.c Fri Nov 26 02:37:37 2004 *************** *** 4,10 **** * Simple PPTP transparent proxy for in-kernel use. For use with the NAT * code. * ! * $Id: ip_pptp_pxy.c,v 2.10.2.5 2004/06/07 14:20:05 darrenr Exp $ * */ #define IPF_PPTP_PROXY --- 4,10 ---- * Simple PPTP transparent proxy for in-kernel use. For use with the NAT * code. * ! * $Id: ip_pptp_pxy.c,v 2.10.2.6 2004/11/25 15:37:37 darrenr Exp $ * */ #define IPF_PPTP_PROXY *************** *** 118,124 **** fi.fin_flx &= ~FI_TCPUDP; fi.fin_flx |= FI_IGNORE; ! nat2 = nat_new(&fi, ipn, &pptp->pptp_nat, 0, NAT_OUTBOUND); pptp->pptp_nat = nat2; if (nat2 != NULL) { (void) nat_proto(&fi, nat2, 0); --- 118,124 ---- fi.fin_flx &= ~FI_TCPUDP; fi.fin_flx |= FI_IGNORE; ! 
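Review bot: Changing the initial `rv` from -1 to 1 means a lookup that finds no entry now returns the documented "no match" value instead of the error value, so any caller of `ip_pool_search` that used `-1` (or `< 0`) to mean "no match" will now take its error branch only for a missing pool; those callers are outside this diff and should be audited. The header comment updated in this hunk could also state what -1 now exclusively means, e.g. `/* -1 is returned only when tptr is NULL or the lookup itself fails */`. The function body continues outside the hunk.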
nat2 = nat_new(&fi, ipn, &pptp->pptp_nat, NAT_SLAVE, NAT_OUTBOUND); pptp->pptp_nat = nat2; if (nat2 != NULL) { (void) nat_proto(&fi, nat2, 0); diff -cr ip_fil4.1.3/ip_proxy.c ip_fil4.1.4/ip_proxy.c *** ip_fil4.1.3/ip_proxy.c Sun Jul 11 20:40:54 2004 --- ip_fil4.1.4/ip_proxy.c Mon Oct 18 01:21:28 2004 *************** *** 103,109 **** /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.62.2.7 2004/07/11 10:40:54 darrenr Exp $"; #endif static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); --- 103,109 ---- /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.62.2.9 2004/10/17 15:21:28 darrenr Exp $"; #endif static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); *************** *** 110,115 **** --- 110,120 ---- #define AP_SESS_SIZE 53 + #if defined(_KERNEL) + int ipf_proxy_debug = 0; + #else + int ipf_proxy_debug = 2; + #endif ap_session_t *ap_sess_tab[AP_SESS_SIZE]; ap_session_t *ap_sess_list = NULL; aproxy_t *ap_proxylist = NULL; *************** *** 179,192 **** for (a = ap_proxies; a->apr_p; a++) if ((a->apr_p == ap->apr_p) && !strncmp(a->apr_label, ap->apr_label, ! sizeof(ap->apr_label))) return -1; for (a = ap_proxylist; a->apr_p; a = a->apr_next) if ((a->apr_p == ap->apr_p) && !strncmp(a->apr_label, ap->apr_label, ! sizeof(ap->apr_label))) return -1; ap->apr_next = ap_proxylist; ap_proxylist = ap; if (ap->apr_init != NULL) --- 184,205 ---- for (a = ap_proxies; a->apr_p; a++) if ((a->apr_p == ap->apr_p) && !strncmp(a->apr_label, ap->apr_label, ! sizeof(ap->apr_label))) { ! if (ipf_proxy_debug > 1) ! printf("appr_add: %s/%d already present (B)\n", ! a->apr_label, a->apr_p); return -1; + } for (a = ap_proxylist; a->apr_p; a = a->apr_next) if ((a->apr_p == ap->apr_p) && !strncmp(a->apr_label, ap->apr_label, ! sizeof(ap->apr_label))) { ! if (ipf_proxy_debug > 1) ! printf("appr_add: %s/%d already present (D)\n", ! 
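Review bot: Passing `NAT_SLAVE` here means `nat_new` will not take `ipf_nat_new`, so this call is only correct if it is reached while that mutex is already held by the NAT path that invoked the proxy; nothing in the hunk records or asserts that. A comment at the call, `/* NAT_SLAVE: ipf_nat_new is already held by our caller */`, would document the assumption, which should be confirmed against the caller outside this hunk.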
a->apr_label, a->apr_p); return -1; + } ap->apr_next = ap_proxylist; ap_proxylist = ap; if (ap->apr_init != NULL) *************** *** 207,218 **** int error; a = appr_lookup(ctl->apc_p, ctl->apc_label); ! if (a == NULL) error = ESRCH; ! else if (a->apr_ctl == NULL) error = ENXIO; ! else error = (*a->apr_ctl)(a, ctl); return error; } --- 220,241 ---- int error; a = appr_lookup(ctl->apc_p, ctl->apc_label); ! if (a == NULL) { ! if (ipf_proxy_debug > 1) ! printf("appr_ctl: can't find %s/%d\n", ! ctl->apc_label, ctl->apc_p); error = ESRCH; ! } else if (a->apr_ctl == NULL) { ! if (ipf_proxy_debug > 1) ! printf("appr_ctl: no ctl function for %s/%d\n", ! ctl->apc_label, ctl->apc_p); error = ENXIO; ! } else { error = (*a->apr_ctl)(a, ctl); + if ((error != 0) && (ipf_proxy_debug > 1)) + printf("appr_ctl: %s/%d ctl error %d\n", + a->apr_label, a->apr_p, error); + } return error; } *************** *** 231,240 **** if (a == ap) { a->apr_flags |= APR_DELETE; *app = a->apr_next; ! if (ap->apr_ref != 0) return 1; return 0; } return -1; } --- 254,269 ---- if (a == ap) { a->apr_flags |= APR_DELETE; *app = a->apr_next; ! if (ap->apr_ref != 0) { ! if (ipf_proxy_debug > 2) ! printf("appr_del: orphaning %s/%d\n", ! ap->apr_label, ap->apr_p); return 1; + } return 0; } + if (ipf_proxy_debug > 1) + printf("appr_del: proxy %lx not found\n", (u_long)ap); return -1; } *************** *** 294,300 **** if (error == 0) error = appr_ctl(&ctl); ! if (ctl.apc_dsize > 0 && ptr != NULL && ctl.apc_data == ptr) { KFREES(ptr, ctl.apc_dsize); } break; --- 323,330 ---- if (error == 0) error = appr_ctl(&ctl); ! if ((ctl.apc_dsize > 0) && (ptr != NULL) && ! (ctl.apc_data == ptr)) { KFREES(ptr, ctl.apc_dsize); } break; *************** *** 316,338 **** { aproxy_t *apr; ipnat_t *ipn; - #if PROXY_DEBUG - printf("appr_match(%lx,%lx)\n", fin, nat); - #endif - if ((fin->fin_flx & (FI_SHORT|FI_BAD)) != 0) - return -1; - ipn = nat->nat_ptr; ! if (ipn == NULL) return -1; apr = ipn->in_apr; ! 
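Review bot: The new debug lines print `apr_label` and `apc_label` with `%s`, but the existing comparisons use `strncmp(..., sizeof(ap->apr_label))`, which suggests the label is a fixed-size field that need not be NUL-terminated, and `apc_label` in `appr_ctl` arrives from userland through the ioctl. If that is so, `%s` can read past the field; `%.*s` with `(int)sizeof(ap->apr_label)` bounds the read. The `appr_del` hunk logs `(u_long)ap` with `%lx`, which puts a kernel address in the log; `%p` is the portable form and a higher debug threshold than 1 would be more appropriate for pointer dumps.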
if ((apr == NULL) || (apr->apr_flags & APR_DELETE) || ! (nat->nat_aps == NULL)) return -1; ! if (apr->apr_match != NULL) ! if ((*apr->apr_match)(fin, nat->nat_aps, nat) != 0) return -1; return 0; } --- 346,382 ---- { aproxy_t *apr; ipnat_t *ipn; + int result; ipn = nat->nat_ptr; ! if (ipf_proxy_debug > 8) ! printf("appr_match(%lx,%lx) aps %lx ptr %lx\n", ! (u_long)fin, (u_long)nat, (u_long)nat->nat_aps, ! (u_long)ipn); ! ! if ((fin->fin_flx & (FI_SHORT|FI_BAD)) != 0) { ! if (ipf_proxy_debug > 0) ! printf("appr_match: flx 0x%x (BAD|SHORT)\n", ! fin->fin_flx); return -1; + } + apr = ipn->in_apr; ! if ((apr == NULL) || (apr->apr_flags & APR_DELETE)) { ! if (ipf_proxy_debug > 0) ! printf("appr_match:apr %lx apr_flags 0x%x\n", ! (u_long)apr, apr ? apr->apr_flags : 0); return -1; ! } ! ! if (apr->apr_match != NULL) { ! result = (*apr->apr_match)(fin, nat->nat_aps, nat); ! if (result != 0) { ! if (ipf_proxy_debug > 4) ! printf("appr_match: result %d\n", result); return -1; + } + } return 0; } *************** *** 349,369 **** register ap_session_t *aps; aproxy_t *apr; ! #if PROXY_DEBUG ! printf("appr_new(%lx,%lx)\n", fin, nat); ! #endif ! if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL)) return -1; apr = nat->nat_ptr->in_apr; ! if (!apr || (apr->apr_flags & APR_DELETE) || ! (fin->fin_p != apr->apr_p)) return -1; KMALLOC(aps, ap_session_t *); ! if (!aps) return -1; bzero((char *)aps, sizeof(*aps)); aps->aps_p = fin->fin_p; aps->aps_data = NULL; --- 393,426 ---- register ap_session_t *aps; aproxy_t *apr; ! if (ipf_proxy_debug > 8) ! printf("appr_new(%lx,%lx) \n", (u_long)fin, (u_long)nat); ! ! if ((nat->nat_ptr == NULL) || (nat->nat_aps != NULL)) { ! if (ipf_proxy_debug > 0) ! printf("appr_new: nat_ptr %lx nat_aps %lx\n", ! (u_long)nat->nat_ptr, (u_long)nat->nat_aps); return -1; + } apr = nat->nat_ptr->in_apr; ! if ((apr->apr_flags & APR_DELETE) || ! (fin->fin_p != apr->apr_p)) { ! if (ipf_proxy_debug > 2) ! printf("appr_new: apr_flags 0x%x p %d/%d\n", ! 
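Review bot: Two guards from the old code are gone: `if (ipn == NULL) return -1;` after `ipn = nat->nat_ptr;`, and the `(nat->nat_aps == NULL)` term of the following test. `apr = ipn->in_apr;` now dereferences a possibly NULL `nat_ptr` (the debug printf above it would print `(u_long)ipn` as 0 and carry on), and `(*apr->apr_match)(fin, nat->nat_aps, nat)` can be reached with a NULL session. Unless every caller now guarantees both, restore them: `if ((ipn == NULL) || (nat->nat_aps == NULL)) return -1;` before `apr = ipn->in_apr;`.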
apr->apr_flags, fin->fin_p, apr->apr_p); return -1; + } KMALLOC(aps, ap_session_t *); ! if (!aps) { ! if (ipf_proxy_debug > 0) ! printf("appr_new: malloc failed (%u)\n", ! sizeof(ap_session_t)); return -1; + } + bzero((char *)aps, sizeof(*aps)); aps->aps_p = fin->fin_p; aps->aps_data = NULL; *************** *** 375,380 **** --- 432,440 ---- KFREES(aps->aps_data, aps->aps_psiz); } KFREE(aps); + if (ipf_proxy_debug > 2) + printf("appr_new: new(%lx) failed\n", + (u_long)apr->apr_new); return -1; } aps->aps_nat = nat; *************** *** 413,426 **** u_32_t s1, s2, sd; #endif ! if (fin->fin_flx & FI_BAD) return -1; #ifndef IPFILTER_CKSUM if ((fin->fin_out == 0) && (fr_checkl4sum(fin) == -1)) { ! # if PROXY_DEBUG || !defined(_KERNEL) ! printf("proxy l4 checksum failure on %p\n", fin); ! # endif if (fin->fin_p == IPPROTO_TCP) frstats[fin->fin_out].fr_tcpbad++; return -1; --- 473,489 ---- u_32_t s1, s2, sd; #endif ! if (fin->fin_flx & FI_BAD) { ! if (ipf_proxy_debug > 0) ! printf("appr_check: flx 0x%x (BAD)\n", fin->fin_flx); return -1; + } #ifndef IPFILTER_CKSUM if ((fin->fin_out == 0) && (fr_checkl4sum(fin) == -1)) { ! if (ipf_proxy_debug > 0) ! printf("appr_check: l4 checksum failure %d\n", ! fin->fin_p); if (fin->fin_p == IPPROTO_TCP) frstats[fin->fin_out].fr_tcpbad++; return -1; *************** *** 435,442 **** */ #if defined(MENTAT) || defined(HAVE_M_PULLDOWN) if ((fin->fin_dlen > 0) && !(fin->fin_flx & FI_COALESCE)) ! if (fr_coalesce(fin) == -1) return -1; #endif ip = fin->fin_ip; --- 498,508 ---- */ #if defined(MENTAT) || defined(HAVE_M_PULLDOWN) if ((fin->fin_dlen > 0) && !(fin->fin_flx & FI_COALESCE)) ! if (fr_coalesce(fin) == -1) { ! if (ipf_proxy_debug > 0) ! printf("appr_check: fr_coalesce failed %x\n", fin->fin_flx); return -1; + } #endif ip = fin->fin_ip; *************** *** 475,491 **** } rv = APR_EXIT(err); ! if (rv == 1) { ! #if PROXY_DEBUG || !defined(_KERNEL) ! printf("%d:proxy says bad packet received (%x)\n", ! fin->fin_out, err); ! 
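Review bot: The `!apr` test was dropped from `if ((apr->apr_flags & APR_DELETE) || (fin->fin_p != apr->apr_p))`, so a rule whose `in_apr` is NULL now dereferences it; keep `(apr == NULL) ||` as the first term. In the allocation-failure message, `printf("appr_new: malloc failed (%u)\n", sizeof(ap_session_t));` passes a `size_t` to `%u`, which is undefined where `size_t` is wider than `unsigned int`; cast it, `(u_int)sizeof(ap_session_t)`, or use `%lu` with a `(u_long)` cast.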
#endif return -1; ! } if (rv == 2) { - #if PROXY_DEBUG || !defined(_KERNEL) - printf("proxy says free app proxy data (%x)\n", err); - #endif appr_free(apr); nat->nat_aps = NULL; return -1; --- 541,554 ---- } rv = APR_EXIT(err); ! if (((ipf_proxy_debug > 0) && (rv != 0)) || ! (ipf_proxy_debug > 8)) ! printf("appr_check: out %d err %x rv %d\n", ! fin->fin_out, err, rv); ! if (rv == 1) return -1; ! if (rv == 2) { appr_free(apr); nat->nat_aps = NULL; return -1; *************** *** 553,561 **** { aproxy_t *ap; ! #if PROXY_DEBUG ! printf("appr_lookup(%d,%s)\n", pr, name); ! #endif for (ap = ap_proxies; ap->apr_p; ap++) if ((ap->apr_p == pr) && --- 616,623 ---- { aproxy_t *ap; ! if (ipf_proxy_debug > 8) ! printf("appr_lookup(%d,%s)\n", pr, name); for (ap = ap_proxies; ap->apr_p; ap++) if ((ap->apr_p == pr) && *************** *** 570,575 **** --- 632,639 ---- ap->apr_ref++; return ap; } + if (ipf_proxy_debug > 2) + printf("appr_lookup: failed for %d/%s\n", pr, name); return NULL; } *************** *** 638,647 **** /* switch to other set ? */ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && (seq1 > aps->aps_seqmin[!sel])) { ! #if PROXY_DEBUG ! printf("proxy out switch set seq %d -> %d %x > %x\n", ! sel, !sel, seq1, aps->aps_seqmin[!sel]); ! #endif sel = aps->aps_sel[out] = !sel; } --- 702,711 ---- /* switch to other set ? */ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && (seq1 > aps->aps_seqmin[!sel])) { ! if (ipf_proxy_debug > 7) ! printf("proxy out switch set seq %d -> %d %x > %x\n", ! sel, !sel, seq1, ! aps->aps_seqmin[!sel]); sel = aps->aps_sel[out] = !sel; } *************** *** 658,668 **** if (inc && (seq1 > aps->aps_seqmin[!sel])) { aps->aps_seqmin[sel] = seq1 + nlen - 1; aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc; ! #if PROXY_DEBUG ! printf("proxy seq set %d at %x to %d + %d\n", sel, ! aps->aps_seqmin[sel], aps->aps_seqoff[sel], ! inc); ! 
#endif } /***/ --- 722,731 ---- if (inc && (seq1 > aps->aps_seqmin[!sel])) { aps->aps_seqmin[sel] = seq1 + nlen - 1; aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc; ! if (ipf_proxy_debug > 7) ! printf("proxy seq set %d at %x to %d + %d\n", ! sel, aps->aps_seqmin[sel], ! aps->aps_seqoff[sel], inc); } /***/ *************** *** 673,682 **** /* switch to other set ? */ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && (seq1 > aps->aps_ackmin[!sel])) { ! #if PROXY_DEBUG ! printf("proxy out switch set ack %d -> %d %x > %x\n", ! sel, !sel, seq1, aps->aps_ackmin[!sel]); ! #endif sel = aps->aps_sel[1 - out] = !sel; } --- 736,745 ---- /* switch to other set ? */ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && (seq1 > aps->aps_ackmin[!sel])) { ! if (ipf_proxy_debug > 7) ! printf("proxy out switch set ack %d -> %d %x > %x\n", ! sel, !sel, seq1, ! aps->aps_ackmin[!sel]); sel = aps->aps_sel[1 - out] = !sel; } *************** *** 692,701 **** /* switch to other set ? */ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && (seq1 > aps->aps_ackmin[!sel])) { ! #if PROXY_DEBUG ! printf("proxy in switch set ack %d -> %d %x > %x\n", ! sel, !sel, seq1, aps->aps_ackmin[!sel]); ! #endif sel = aps->aps_sel[out] = !sel; } --- 755,763 ---- /* switch to other set ? */ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && (seq1 > aps->aps_ackmin[!sel])) { ! if (ipf_proxy_debug > 7) ! printf("proxy in switch set ack %d -> %d %x > %x\n", ! sel, !sel, seq1, aps->aps_ackmin[!sel]); sel = aps->aps_sel[out] = !sel; } *************** *** 712,722 **** if (inc && (seq1 > aps->aps_ackmin[!sel])) { aps->aps_ackmin[!sel] = seq1 + nlen - 1; aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc; ! #if PROXY_DEBUG ! printf("proxy ack set %d at %x to %d + %d\n", !sel, ! aps->aps_seqmin[!sel], aps->aps_seqoff[sel], ! inc); ! #endif } /***/ --- 774,784 ---- if (inc && (seq1 > aps->aps_ackmin[!sel])) { aps->aps_ackmin[!sel] = seq1 + nlen - 1; aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc; ! ! 
if (ipf_proxy_debug > 7) ! printf("proxy ack set %d at %x to %d + %d\n", ! !sel, aps->aps_seqmin[!sel], ! aps->aps_seqoff[sel], inc); } /***/ *************** *** 727,745 **** /* switch to other set ? */ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && (seq1 > aps->aps_seqmin[!sel])) { ! #if PROXY_DEBUG ! printf("proxy in switch set seq %d -> %d %x > %x\n", ! sel, !sel, seq1, aps->aps_seqmin[!sel]); ! #endif sel = aps->aps_sel[1 - out] = !sel; } if (aps->aps_seqoff[sel] != 0) { ! #if PROXY_DEBUG ! printf("sel %d seqoff %d seq1 %x seqmin %x\n", sel, ! aps->aps_seqoff[sel], seq1, ! aps->aps_seqmin[sel]); ! #endif if (seq1 > aps->aps_seqmin[sel]) { seq2 = aps->aps_seqoff[sel]; tcp->th_ack = htonl(seq1 - seq2); --- 789,805 ---- /* switch to other set ? */ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && (seq1 > aps->aps_seqmin[!sel])) { ! if (ipf_proxy_debug > 7) ! printf("proxy in switch set seq %d -> %d %x > %x\n", ! sel, !sel, seq1, aps->aps_seqmin[!sel]); sel = aps->aps_sel[1 - out] = !sel; } if (aps->aps_seqoff[sel] != 0) { ! if (ipf_proxy_debug > 7) ! printf("sel %d seqoff %d seq1 %x seqmin %x\n", ! sel, aps->aps_seqoff[sel], seq1, ! aps->aps_seqmin[sel]); if (seq1 > aps->aps_seqmin[sel]) { seq2 = aps->aps_seqoff[sel]; tcp->th_ack = htonl(seq1 - seq2); *************** *** 747,756 **** } } } ! #if PROXY_DEBUG ! printf("appr_fixseqack: seq %lx ack %lx\n", ntohl(tcp->th_seq), ! ntohl(tcp->th_ack)); ! #endif return ch ? 2 : 0; } --- 807,816 ---- } } } ! ! if (ipf_proxy_debug > 8) ! printf("appr_fixseqack: seq %x ack %x\n", ! ntohl(tcp->th_seq), ntohl(tcp->th_ack)); return ch ? 2 : 0; } diff -cr ip_fil4.1.3/ip_rcmd_pxy.c ip_fil4.1.4/ip_rcmd_pxy.c *** ip_fil4.1.3/ip_rcmd_pxy.c Tue May 25 00:01:49 2004 --- ip_fil4.1.4/ip_rcmd_pxy.c Fri Dec 10 06:41:00 2004 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! 
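Review bot: The debug printf in the ack-set branch reports `aps->aps_seqmin[!sel]` and `aps->aps_seqoff[sel]`, but the two assignments directly above it update `aps_ackmin[!sel]` and `aps_ackoff[!sel]`, so the message (carried over from the old code and only re-wrapped here) prints fields this branch never touched. The seq-set branch earlier in the function prints the fields it just wrote; presumably this one should too: `printf("proxy ack set %d at %x to %d + %d\n", !sel, aps->aps_ackmin[!sel], aps->aps_ackoff[!sel], inc);`. appr_fixseqack starts and ends outside this hunk.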
* $Id: ip_rcmd_pxy.c,v 1.41.2.2 2004/05/24 14:01:49 darrenr Exp $ * * Simple RCMD transparent proxy for in-kernel use. For use with the NAT * code. --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ip_rcmd_pxy.c,v 1.41.2.3 2004/12/09 19:41:00 darrenr Exp $ * * Simple RCMD transparent proxy for in-kernel use. For use with the NAT * code. *************** *** 86,92 **** register char *s = ptr, c; register u_short i = 0; ! while (((c = *s++) != '\0') && isdigit(c)) { i *= 10; i += c - '0'; } --- 86,92 ---- register char *s = ptr, c; register u_short i = 0; ! while (((c = *s++) != '\0') && ISDIGIT(c)) { i *= 10; i += c - '0'; } diff -cr ip_fil4.1.3/ip_rpcb_pxy.c ip_fil4.1.4/ip_rpcb_pxy.c *** ip_fil4.1.3/ip_rpcb_pxy.c Tue May 4 13:47:49 2004 --- ip_fil4.1.4/ip_rpcb_pxy.c Fri Dec 10 06:41:00 2004 *************** *** 37,43 **** * o The enclosed hack of STREAMS support is pretty sick and most likely * broken. * ! * $Id: ip_rpcb_pxy.c,v 2.25.2.1 2004/05/04 03:47:49 darrenr Exp $ */ #define IPF_RPCB_PROXY --- 37,43 ---- * o The enclosed hack of STREAMS support is pretty sick and most likely * broken. * ! * $Id: ip_rpcb_pxy.c,v 2.25.2.2 2004/12/09 19:41:00 darrenr Exp $ */ #define IPF_RPCB_PROXY *************** *** 682,692 **** * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of * an IP address and [ef] are the bytes of a L4 port. */ ! if (!(isdigit(uastr[0]) && isdigit(uastr[l-1]))) return(-1); b = uastr; for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) { ! if (isdigit(*c)) { dd = 0; continue; } --- 682,692 ---- * Expected format: a.b.c.d.e.f where [a-d] correspond to bytes of * an IP address and [ef] are the bytes of a L4 port. */ ! if (!(ISDIGIT(uastr[0]) && ISDIGIT(uastr[l-1]))) return(-1); b = uastr; for (c = &uastr[1], d = 0, dd = 0; c < &uastr[l-1]; c++) { ! if (ISDIGIT(*c)) { dd = 0; continue; } *************** *** 740,746 **** register char *s = ptr, c; register u_int i = 0; ! 
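Review bot: The digit loop accumulates into a `u_short` with no bound, so six or more digits wrap silently and produce a wrong port value rather than a rejection; the hunk only swaps `isdigit` for `ISDIGIT` and leaves that as is. Since the digits come from the proxied rcmd payload, stop before the multiply once the next digit would not fit, e.g. `if (i > (USHRT_MAX - (c - '0')) / 10) break;` (USHRT_MAX is from `<limits.h>`) — what the function should return in that case depends on its caller, and both the signature and the callers are outside the hunk. The same loop shape, with `u_int`, is in the ip_rpcb_pxy.c hunk at 740,746.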
while (((c = *s++) != '\0') && isdigit(c)) { i *= 10; i += c - '0'; } --- 740,746 ---- register char *s = ptr, c; register u_int i = 0; ! while (((c = *s++) != '\0') && ISDIGIT(c)) { i *= 10; i += c - '0'; } diff -cr ip_fil4.1.3/ip_scan.c ip_fil4.1.4/ip_scan.c *** ip_fil4.1.3/ip_scan.c Tue Jan 27 11:24:56 2004 --- ip_fil4.1.4/ip_scan.c Fri Dec 10 06:41:01 2004 *************** *** 58,64 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_scan.c,v 2.40 2004/01/27 00:24:56 darrenr Exp $"; #endif #ifdef IPFILTER_SCAN /* endif at bottom of file */ --- 58,64 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_scan.c,v 2.40.2.1 2004/12/09 19:41:01 darrenr Exp $"; #endif #ifdef IPFILTER_SCAN /* endif at bottom of file */ *************** *** 298,304 **** return 1; break; case '?' : ! if (!isalpha(*up) || ((*s & 0x5f) != (*up & 0x5f))) return 1; break; case '*' : --- 298,304 ---- return 1; break; case '?' : ! if (!ISALPHA(*up) || ((*s & 0x5f) != (*up & 0x5f))) return 1; break; case '*' : diff -cr ip_fil4.1.3/ip_state.c ip_fil4.1.4/ip_state.c *** ip_fil4.1.3/ip_state.c Mon Jun 14 09:49:34 2004 --- ip_fil4.1.4/ip_state.c Tue Dec 21 10:36:48 2004 *************** *** 107,113 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.13 2004/06/13 23:49:34 darrenr Exp $"; #endif static ipstate_t **ips_table = NULL; --- 107,113 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.23 2004/12/20 23:36:48 darrenr Exp $"; #endif static ipstate_t **ips_table = NULL; *************** *** 596,603 **** --- 596,606 ---- isn->is_sti.tqe_parent = isn; isn->is_sync = NULL; fr = ips.ips_rule; + if (fr == NULL) { + READ_ENTER(&ipf_state); fr_stinsert(isn, 0); + RWLOCK_EXIT(&ipf_state); return 0; } *************** *** 619,645 **** */ for (i = 0; i < 4; i++) { name = fr->fr_ifnames[i]; ! if ((name[1] == '\0') && ! ((name[0] == '-') || (name[0] == '*'))) { ! fr->fr_ifas[i] = NULL; ! } else if (*name != '\0') { ! name[LIFNAMSIZ - 1] = '\0'; ! fr->fr_ifas[i] = GETIFP(name, fr->fr_v); ! if (fr->fr_ifas[i] == NULL) ! fr->fr_ifas[i] = (void *)-1; ! else { ! COPYIFNAME(fr->fr_ifas[i], ! isn->is_ifname[i]); ! } ! } ! isn->is_ifp[out] = fr->fr_ifas[i]; } fr->fr_dsize = 0; fr->fr_data = NULL; ! fr_resolvdest(&fr->fr_tif, fr->fr_v); ! fr_resolvdest(&fr->fr_dif, fr->fr_v); /* * send a copy back to userland of what we ended up --- 622,638 ---- */ for (i = 0; i < 4; i++) { name = fr->fr_ifnames[i]; ! fr->fr_ifas[i] = fr_resolvenic(name, fr->fr_v); ! name = isn->is_ifname[i]; ! isn->is_ifp[i] = fr_resolvenic(name, isn->is_v); } + fr->fr_ref = 0; fr->fr_dsize = 0; fr->fr_data = NULL; ! fr_resolvedest(&fr->fr_tif, fr->fr_v); ! fr_resolvedest(&fr->fr_dif, fr->fr_v); /* * send a copy back to userland of what we ended up *************** *** 652,667 **** KFREE(fr); return EFAULT; } } else { for (is = ips_list; is; is = is->is_next) ! if (is->is_rule == fr) break; ! if (!is) { KFREE(isn); ! return ESRCH; } } ! fr_stinsert(isn, 0); return 0; } --- 645,671 ---- KFREE(fr); return EFAULT; } + READ_ENTER(&ipf_state); + fr_stinsert(isn, 0); + RWLOCK_EXIT(&ipf_state); + } else { + READ_ENTER(&ipf_state); for (is = ips_list; is; is = is->is_next) ! if (is->is_rule == fr) { ! fr_stinsert(isn, 0); break; ! } ! ! if (is == NULL) { KFREE(isn); ! isn = NULL; } + RWLOCK_EXIT(&ipf_state); + + return (isn == NULL) ? ESRCH : 0; } ! 
return 0; } *************** *** 675,705 **** /* Inserts a state structure into the hash table (for lookups) and the list */ /* of state entries (for enumeration). Resolves all of the interface names */ /* to pointers and adjusts running stats for the hash table as appropriate. */ /* ------------------------------------------------------------------------ */ void fr_stinsert(is, rev) ipstate_t *is; int rev; { u_int hv; - char *name; int i; MUTEX_INIT(&is->is_lock, "ipf state entry"); /* * Look up all the interface names in the state entry. */ ! for (i = 0; i < 4; i++) { ! name = is->is_ifname[i]; ! if ((name[1] == '\0') && ! ((name[0] == '-') || (name[0] == '*'))) { ! is->is_ifp[0] = NULL; ! } else if (*name != '\0') { ! is->is_ifp[i] = GETIFP(name, is->is_v); ! if (is->is_ifp[i] == NULL) ! is->is_ifp[i] = (void *)-1; ! } ! } /* * If we could trust is_hv, then the modulous would not be needed, but --- 679,710 ---- /* Inserts a state structure into the hash table (for lookups) and the list */ /* of state entries (for enumeration). Resolves all of the interface names */ /* to pointers and adjusts running stats for the hash table as appropriate. */ + /* */ + /* Locking: it is assumed that some kind of lock on ipf_state is held. */ /* ------------------------------------------------------------------------ */ void fr_stinsert(is, rev) ipstate_t *is; int rev; { + frentry_t *fr; u_int hv; int i; MUTEX_INIT(&is->is_lock, "ipf state entry"); + fr = is->is_rule; + if (fr != NULL) { + MUTEX_ENTER(&fr->fr_lock); + fr->fr_ref++; + fr->fr_statecnt++; + MUTEX_EXIT(&fr->fr_lock); + } + /* * Look up all the interface names in the state entry. */ ! for (i = 0; i < 4; i++) ! 
is->is_ifp[i] = fr_resolvenic(is->is_ifname[i], is->is_v); /* * If we could trust is_hv, then the modulous would not be needed, but *************** *** 708,713 **** --- 713,724 ---- hv = is->is_hv % fr_statesize; is->is_hv = hv; + /* + * We need to get both of these locks...the first because it is + * possible that once the insert is complete another packet might + * come along, match the entry and want to update it. + */ + MUTEX_ENTER(&is->is_lock); MUTEX_ENTER(&ipf_stinsert); /* *************** *** 731,736 **** --- 742,748 ---- MUTEX_EXIT(&ipf_stinsert); fr_setstatequeue(is, rev); + MUTEX_EXIT(&is->is_lock); } *************** *** 762,768 **** int out; if (fr_state_lock || ! (fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGTAIL|FI_BAD))) return NULL; if ((fin->fin_flx & FI_OOW) && !(fin->fin_tcpf & TH_SYN)) --- 774,780 ---- int out; if (fr_state_lock || ! (fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGBODY|FI_BAD))) return NULL; if ((fin->fin_flx & FI_OOW) && !(fin->fin_tcpf & TH_SYN)) *************** *** 818,825 **** IN6_IS_ADDR_MULTICAST(&is->is_dst.in6)) { /* * So you can do keep state with neighbour discovery. */ ! flags |= SI_W_DADDR; hv -= is->is_daddr; } else { hv += is->is_dst.i6[1]; --- 830,841 ---- IN6_IS_ADDR_MULTICAST(&is->is_dst.in6)) { /* * So you can do keep state with neighbour discovery. + * + * Here we could use the address from the neighbour + * solicit message to put in the state structure and + * we could use that without a wildcard flag too... */ ! 
is->is_flags |= SI_W_DADDR; hv -= is->is_daddr; } else { hv += is->is_dst.i6[1]; *************** *** 838,846 **** case IPPROTO_ICMPV6 : ic = fin->fin_dp; - if ((ic->icmp_type & ICMP6_INFOMSG_MASK) == 0) - return NULL; - switch (ic->icmp_type) { case ICMP6_ECHO_REQUEST : --- 854,859 ---- *************** *** 1002,1011 **** */ if (fr != NULL) { (void) strncpy(is->is_group, fr->fr_group, FR_GROUPLEN); - MUTEX_ENTER(&fr->fr_lock); - fr->fr_ref++; - fr->fr_statecnt++; - MUTEX_EXIT(&fr->fr_lock); if (fr->fr_age[0] != 0) { is->is_tqehead[0] = fr_addtimeoutqueue(&ips_utqe, fr->fr_age[0]); --- 1015,1020 ---- *************** *** 1043,1048 **** --- 1052,1062 ---- COPYIFNAME(fin->fin_ifp, is->is_ifname[out << 1]); } + /* + * It may seem strange to set is_ref to 2, but fr_check() will call + * fr_statederef() after calling fr_addstate() and the idea is to + * have it exist at the end of fr_check() with is_ref == 1. + */ is->is_ref = 2; is->is_pass = pass; is->is_pkts[0] = 0, is->is_bytes[0] = 0; *************** *** 1059,1064 **** --- 1073,1081 ---- if (pass & FR_STSTRICT) is->is_flags |= IS_STRICT; + if (pass & FR_STATESYNC) + is->is_flags |= IS_STATESYNC; + /* * We want to check everything that is a property of this packet, * but we don't (automatically) care about it's fragment status as *************** *** 1100,1106 **** #endif } #ifdef IPFILTER_SYNC ! if ((is->is_flags & SI_CLONE) == 0) is->is_sync = ipfsync_new(SMC_STATE, fin, is); #endif if (ipstate_logging) --- 1117,1123 ---- #endif } #ifdef IPFILTER_SYNC ! if ((is->is_flags & IS_STATESYNC) && ((is->is_flags & SI_CLONE) == 0)) is->is_sync = ipfsync_new(SMC_STATE, fin, is); #endif if (ipstate_logging) *************** *** 1319,1325 **** if (((i == 0) && !(is->is_flags & IS_ISNSYN)) || ((i == 1) && !(is->is_flags & IS_ISNACK))) { ! 
old = tcp->th_seq; new = fr_newisn(fin); is->is_isninc[i] = new - old; CALC_SUMD(old, new, sumd); --- 1336,1342 ---- if (((i == 0) && !(is->is_flags & IS_ISNSYN)) || ((i == 1) && !(is->is_flags & IS_ISNACK))) { ! old = ntohl(tcp->th_seq); new = fr_newisn(fin); is->is_isninc[i] = new - old; CALC_SUMD(old, new, sumd); *************** *** 1483,1489 **** ipstate_t *is; { ipstate_t *clone; - frentry_t *fr; u_32_t send; if (ips_num == fr_statemax) { --- 1500,1505 ---- *************** *** 1523,1535 **** clone->is_maxswin = 1; } - fr = clone->is_rule; - if (fr != NULL) { - MUTEX_ENTER(&fr->fr_lock); - fr->fr_ref++; - fr->fr_statecnt++; - MUTEX_EXIT(&fr->fr_lock); - } clone->is_flags &= ~SI_CLONE; clone->is_flags |= SI_CLONED; fr_stinsert(clone, fin->fin_rev); --- 1539,1544 ---- *************** *** 1544,1550 **** (void) ipsc_attachis(is); #endif #ifdef IPFILTER_SYNC ! clone->is_sync = ipfsync_new(SMC_STATE, fin, clone); #endif return clone; } --- 1553,1560 ---- (void) ipsc_attachis(is); #endif #ifdef IPFILTER_SYNC ! if (is->is_flags & IS_STATESYNC) ! clone->is_sync = ipfsync_new(SMC_STATE, fin, clone); #endif return clone; } *************** *** 1640,1661 **** /* * Only one of the source or destination address can be flaged as a * wildcard. Fill in the missing address, if set. */ if ((flags & (SI_W_SADDR|SI_W_DADDR))) { if ((flags & SI_W_SADDR) != 0) { if (rev == 0) { ! is->is_src = fin->fin_fi.fi_src; } else { ! is->is_src = fin->fin_fi.fi_dst; } } else if ((flags & SI_W_DADDR) != 0) { if (rev == 0) { ! is->is_dst = fin->fin_fi.fi_dst; } else { ! is->is_dst = fin->fin_fi.fi_src; } } - is->is_flags &= ~(SI_W_SADDR|SI_W_DADDR); if ((is->is_flags & (SI_WILDA|SI_WILDP)) == 0) { ATOMIC_DECL(ips_stats.iss_wild); } --- 1650,1711 ---- /* * Only one of the source or destination address can be flaged as a * wildcard. Fill in the missing address, if set. 
+ * For IPv6, if the address being copied in is multicast, then + * don't reset the wild flag - multicast causes it to be set in the + * first place! */ if ((flags & (SI_W_SADDR|SI_W_DADDR))) { + fr_ip_t *fi = &fin->fin_fi; + if ((flags & SI_W_SADDR) != 0) { if (rev == 0) { ! #ifdef USE_INET6 ! if (is->is_v == 6 && ! IN6_IS_ADDR_MULTICAST(&fi->fi_src.in6)) ! /*EMPTY*/; ! else ! #endif ! { ! is->is_src = fi->fi_src; ! is->is_flags &= ~SI_W_SADDR; ! } } else { ! #ifdef USE_INET6 ! if (is->is_v == 6 && ! IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6)) ! /*EMPTY*/; ! else ! #endif ! { ! is->is_src = fi->fi_dst; ! is->is_flags &= ~SI_W_SADDR; ! } } } else if ((flags & SI_W_DADDR) != 0) { if (rev == 0) { ! #ifdef USE_INET6 ! if (is->is_v == 6 && ! IN6_IS_ADDR_MULTICAST(&fi->fi_dst.in6)) ! /*EMPTY*/; ! else ! #endif ! { ! is->is_dst = fi->fi_dst; ! is->is_flags &= ~SI_W_DADDR; ! } } else { ! #ifdef USE_INET6 ! if (is->is_v == 6 && ! IN6_IS_ADDR_MULTICAST(&fi->fi_src.in6)) ! /*EMPTY*/; ! else ! #endif ! { ! is->is_dst = fi->fi_src; ! is->is_flags &= ~SI_W_DADDR; ! } } } if ((is->is_flags & (SI_WILDA|SI_WILDP)) == 0) { ATOMIC_DECL(ips_stats.iss_wild); } *************** *** 1695,1713 **** if ((flags & SI_W_SPORT) != 0) { if (rev == 0) { is->is_sport = sp; ! is->is_send = htonl(tcp->th_seq); } else { is->is_sport = dp; ! is->is_send = htonl(tcp->th_ack); } is->is_maxsend = is->is_send + 1; } else if ((flags & SI_W_DPORT) != 0) { if (rev == 0) { is->is_dport = dp; ! is->is_dend = htonl(tcp->th_ack); } else { is->is_dport = sp; ! is->is_dend = htonl(tcp->th_seq); } is->is_maxdend = is->is_dend + 1; } --- 1745,1763 ---- if ((flags & SI_W_SPORT) != 0) { if (rev == 0) { is->is_sport = sp; ! is->is_send = ntohl(tcp->th_seq); } else { is->is_sport = dp; ! is->is_send = ntohl(tcp->th_ack); } is->is_maxsend = is->is_send + 1; } else if ((flags & SI_W_DPORT) != 0) { if (rev == 0) { is->is_dport = dp; ! is->is_dend = ntohl(tcp->th_ack); } else { is->is_dport = sp; ! 
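Review bot: The multicast-aware copy in the wildcard fill is written out four times with only the source/destination field and the flag changing, and each copy relies on `if (...) /*EMPTY*/; else` wrapped around an `#ifdef` to skip the assignment, which is easy to misread and to break when another condition is added. A small static helper taking the destination slot, the address to copy and the wildcard flag collapses the four arms into two calls and keeps the IPv6 multicast exception in one place (it needs a prototype alongside the file's other static declarations, outside this hunk). The sketch below assumes `is_src`/`fi_src` are `i6addr_t` (as `fr_matchsrcdst(&ofin, is, &src, &dst, ...)` with `i6addr_t dst, src` suggests) and that `is_flags` holds the `SI_W_*` bits; please check both. The enclosing function starts and ends outside the hunk.
```c
/*
 * Fill a wildcarded address slot of a state entry and clear its wildcard
 * flag.  An IPv6 multicast address is not copied in: multicast is what set
 * the wildcard in the first place, so the flag has to stay set.
 */
static void fr_fillwildaddr(is, slot, addr, wflag)
ipstate_t *is;
i6addr_t *slot;
i6addr_t *addr;
u_int wflag;
{
#ifdef USE_INET6
	if (is->is_v == 6 && IN6_IS_ADDR_MULTICAST(&addr->in6))
		return;
#endif
	*slot = *addr;
	is->is_flags &= ~wflag;
}

/* … unchanged: enclosing function up to the wildcard-fill comment … */
	if ((flags & (SI_W_SADDR|SI_W_DADDR))) {
		fr_ip_t *fi = &fin->fin_fi;

		if ((flags & SI_W_SADDR) != 0) {
			fr_fillwildaddr(is, &is->is_src,
					rev == 0 ? &fi->fi_src : &fi->fi_dst,
					SI_W_SADDR);
		} else if ((flags & SI_W_DADDR) != 0) {
			fr_fillwildaddr(is, &is->is_dst,
					rev == 0 ? &fi->fi_dst : &fi->fi_src,
					SI_W_DADDR);
		}
		/* … unchanged: iss_wild accounting … */
```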
is->is_dend = ntohl(tcp->th_seq); } is->is_maxdend = is->is_dend + 1; } *************** *** 1752,1762 **** ipstate_t *is, **isp; u_short sport, dport; u_char pr; i6addr_t dst, src; struct icmp *ic; u_short savelen; icmphdr_t *icmp; - int backward, i; fr_info_t ofin; tcphdr_t *tcp; int type, len; --- 1802,1812 ---- ipstate_t *is, **isp; u_short sport, dport; u_char pr; + int backward, i, oi; i6addr_t dst, src; struct icmp *ic; u_short savelen; icmphdr_t *icmp; fr_info_t ofin; tcphdr_t *tcp; int type, len; *************** *** 1910,1918 **** RWLOCK_EXIT(&ipf_state); return NULL; } ! backward = IP6_NEQ(&is->is_src, &dst); ! i = (backward << 1) + fin->fin_out; ! if (is->is_icmppkts[i] > is->is_pkts[i]) continue; ips_stats.iss_hits++; is->is_icmppkts[i]++; --- 1960,1978 ---- RWLOCK_EXIT(&ipf_state); return NULL; } ! /* ! * i : the index of this packet (the icmp ! * unreachable) ! * oi : the index of the original packet found ! * in the icmp header (i.e. the packet ! * causing this icmp) ! * backward : original packet was backward ! * compared to the state ! */ ! backward = IP6_NEQ(&is->is_src, &src); ! i = (!backward << 1) + fin->fin_out; ! oi = (backward << 1) + ofin.fin_out; ! if (is->is_icmppkts[i] > is->is_pkts[oi]) continue; ips_stats.iss_hits++; is->is_icmppkts[i]++; *************** *** 1957,1966 **** if ((is->is_p == pr) && (is->is_v == 4) && (is = fr_matchsrcdst(&ofin, is, &src, &dst, tcp, FI_ICMPCMP))) { ! backward = IP6_NEQ(&is->is_dst, &src); ! i = (backward << 1) + fin->fin_out; if (((is->is_pass & FR_NOICMPERR) != 0) || ! (is->is_icmppkts[i] > is->is_pkts[i])) break; ips_stats.iss_hits++; is->is_icmppkts[i]++; --- 2017,2035 ---- if ((is->is_p == pr) && (is->is_v == 4) && (is = fr_matchsrcdst(&ofin, is, &src, &dst, tcp, FI_ICMPCMP))) { ! /* ! * i : the index of this packet (the icmp unreachable) ! * oi : the index of the original packet found in the ! * icmp header (i.e. the packet causing this icmp) ! * backward : original packet was backward compared to ! 
* the state ! */ ! backward = IP6_NEQ(&is->is_src, &src); ! i = (!backward << 1) + fin->fin_out; ! oi = (backward << 1) + ofin.fin_out; ! if (((is->is_pass & FR_NOICMPERR) != 0) || ! (is->is_icmppkts[i] > is->is_pkts[oi])) break; ips_stats.iss_hits++; is->is_icmppkts[i]++; *************** *** 2132,2137 **** --- 2201,2212 ---- /* * No matching icmp state entry. Perhaps this is a * response to another state entry. + * + * XXX With some ICMP6 packets, the "other" address is already + * in the packet, after the ICMP6 header, and this could be + * used in place of the multicast address. However, taking + * advantage of this requires some significant code changes + * to handle the specific types where that is the case. */ if ((ips_stats.iss_wild != 0) && (v == 6) && (tryagain == 0) && !IN6_IS_ADDR_MULTICAST(&fin->fin_fi.fi_src.in6)) { *************** *** 2298,2305 **** * For TCP packets, ifq == NULL. For all others, check if this new * queue is different to the last one it was on and move it if so. */ - MUTEX_ENTER(&is->is_lock); tqe = &is->is_sti; if ((tqe->tqe_flags & TQE_RULEBASED) != 0) ifq = is->is_tqehead[fin->fin_rev]; --- 2373,2380 ---- * For TCP packets, ifq == NULL. For all others, check if this new * queue is different to the last one it was on and move it if so. */ tqe = &is->is_sti; + MUTEX_ENTER(&is->is_lock); if ((tqe->tqe_flags & TQE_RULEBASED) != 0) ifq = is->is_tqehead[fin->fin_rev]; *************** *** 2311,2317 **** MUTEX_EXIT(&is->is_lock); #ifdef IPFILTER_SYNC ! ipfsync_update(SMC_STATE, fin, is->is_sync); #endif ATOMIC_INCL(ips_stats.iss_hits); --- 2386,2393 ---- MUTEX_EXIT(&is->is_lock); #ifdef IPFILTER_SYNC ! if (is->is_flags & IS_STATESYNC) ! ipfsync_update(SMC_STATE, fin, is->is_sync); #endif ATOMIC_INCL(ips_stats.iss_hits); *************** *** 2348,2354 **** u_int pass; if (fr_state_lock || (ips_list == NULL) || ! 
(fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGTAIL|FI_BAD))) return NULL; is = NULL; --- 2424,2430 ---- u_int pass; if (fr_state_lock || (ips_list == NULL) || ! (fin->fin_flx & (FI_SHORT|FI_STATE|FI_FRAGBODY|FI_BAD))) return NULL; is = NULL; *************** *** 2464,2481 **** { tcphdr_t *tcp; int rev; tcp = fin->fin_dp; rev = fin->fin_rev; if ((is->is_flags & IS_ISNSYN) != 0) { if (rev == 0) { ! tcp->th_seq += is->is_isninc[0]; fix_outcksum(fin, &tcp->th_sum, is->is_sumd[0]); } } if ((is->is_flags & IS_ISNACK) != 0) { if (rev == 1) { ! tcp->th_seq += is->is_isninc[1]; fix_outcksum(fin, &tcp->th_sum, is->is_sumd[1]); } } --- 2540,2562 ---- { tcphdr_t *tcp; int rev; + u_32_t seq; tcp = fin->fin_dp; rev = fin->fin_rev; if ((is->is_flags & IS_ISNSYN) != 0) { if (rev == 0) { ! seq = ntohl(tcp->th_seq); ! seq += is->is_isninc[0]; ! tcp->th_seq = htonl(seq); fix_outcksum(fin, &tcp->th_sum, is->is_sumd[0]); } } if ((is->is_flags & IS_ISNACK) != 0) { if (rev == 1) { ! seq = ntohl(tcp->th_seq); ! seq += is->is_isninc[1]; ! tcp->th_seq = htonl(seq); fix_outcksum(fin, &tcp->th_sum, is->is_sumd[1]); } } *************** *** 2497,2514 **** { tcphdr_t *tcp; int rev; tcp = fin->fin_dp; rev = fin->fin_rev; if ((is->is_flags & IS_ISNSYN) != 0) { if (rev == 1) { ! tcp->th_ack -= is->is_isninc[0]; fix_incksum(fin, &tcp->th_sum, is->is_sumd[0]); } } if ((is->is_flags & IS_ISNACK) != 0) { if (rev == 0) { ! tcp->th_ack -= is->is_isninc[1]; fix_incksum(fin, &tcp->th_sum, is->is_sumd[1]); } } --- 2578,2600 ---- { tcphdr_t *tcp; int rev; + u_32_t ack; tcp = fin->fin_dp; rev = fin->fin_rev; if ((is->is_flags & IS_ISNSYN) != 0) { if (rev == 1) { ! ack = ntohl(tcp->th_ack); ! ack -= is->is_isninc[0]; ! tcp->th_ack = htonl(ack); fix_incksum(fin, &tcp->th_sum, is->is_sumd[0]); } } if ((is->is_flags & IS_ISNACK) != 0) { if (rev == 0) { ! ack = ntohl(tcp->th_ack); ! ack -= is->is_isninc[1]; ! 
tcp->th_ack = htonl(ack); fix_incksum(fin, &tcp->th_sum, is->is_sumd[1]); } } *************** *** 2523,2528 **** --- 2609,2617 ---- /* Walk through all state entries and if an interface pointer match is */ /* found then look it up again, based on its name in case the pointer has */ /* changed since last time. */ + /* */ + /* If ifp is passed in as being non-null then we are only doing updates for */ + /* existing, matching, uses of it. */ /* ------------------------------------------------------------------------ */ void fr_statesync(ifp) void *ifp; *************** *** 2545,2557 **** * Look up all the interface names in the state entry. */ for (i = 0; i < 4; i++) { ! if (is->is_ifp[i] == ifp) { ! is->is_ifname[i][LIFNAMSIZ - 1] = '\0'; ! is->is_ifp[i] = GETIFP(is->is_ifname[i], ! is->is_v); ! if (is->is_ifp[i] == NULL) ! is->is_ifp[i] = (void *)-1; ! } } } RWLOCK_EXIT(&ipf_state); --- 2634,2642 ---- * Look up all the interface names in the state entry. */ for (i = 0; i < 4; i++) { ! if (ifp == NULL || ifp == is->is_ifp[i]) ! is->is_ifp[i] = fr_resolvenic(is->is_ifname[i], ! is->is_v); } } RWLOCK_EXIT(&ipf_state); *************** *** 2747,2754 **** for (isp = &ips_list; ((is = *isp) != NULL); ) { delete = 0; ! if ((proto != 0) && (is->is_v != proto)) continue; switch (which) { --- 2832,2841 ---- for (isp = &ips_list; ((is = *isp) != NULL); ) { delete = 0; ! if ((proto != 0) && (is->is_v != proto)) { ! isp = &is->is_next; continue; + } switch (which) { *************** *** 2887,2892 **** --- 2974,2981 ---- /* */ /* dir == 0 : a packet from source to dest */ /* dir == 1 : a packet from dest to source */ + /* */ + /* Locking: it is assumed that the parent of the tqe structure is locked. */ /* ------------------------------------------------------------------------ */ int fr_tcp_age(tqe, fin, tqtab, flags) ipftqent_t *tqe; *************** *** 2943,2955 **** * we saw an A, guess 'dir' is in ESTABLISHED * mode */ ! 
if (ostate == IPF_TCPS_CLOSED) { nstate = IPF_TCPS_HALF_ESTAB; rval = 1; ! } else if (ostate == IPF_TCPS_ESTABLISHED || ! ostate == IPF_TCPS_HALF_ESTAB) { nstate = IPF_TCPS_ESTABLISHED; rval = 1; } } /* --- 3032,3051 ---- * we saw an A, guess 'dir' is in ESTABLISHED * mode */ ! switch (ostate) ! { ! case IPF_TCPS_CLOSED : ! case IPF_TCPS_SYN_RECEIVED : nstate = IPF_TCPS_HALF_ESTAB; rval = 1; ! break; ! case IPF_TCPS_HALF_ESTAB : ! case IPF_TCPS_ESTABLISHED : nstate = IPF_TCPS_ESTABLISHED; rval = 1; + break; + default : + break; } } /* diff -cr ip_fil4.1.3/ip_state.h ip_fil4.1.4/ip_state.h *** ip_fil4.1.3/ip_state.h Wed Jun 30 21:26:12 2004 --- ip_fil4.1.4/ip_state.h Mon Nov 1 05:44:39 2004 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.68.2.1 2004/06/30 11:26:12 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.68.2.2 2004/10/31 18:44:39 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ *************** *** 117,122 **** --- 117,123 ---- #define IS_STRICT 0x20000 #define IS_ISNSYN 0x40000 #define IS_ISNACK 0x80000 + #define IS_STATESYNC 0x100000 /* * IS_SC flags are for scan-operations that need to be recognised in state. */ diff -cr ip_fil4.1.3/ip_sync.c ip_fil4.1.4/ip_sync.c *** ip_fil4.1.3/ip_sync.c Mon Mar 22 23:21:54 2004 --- ip_fil4.1.4/ip_sync.c Mon Nov 1 05:45:58 2004 *************** *** 96,102 **** /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_sync.c,v 2.40.2.1 2004/03/22 12:21:54 darrenr Exp $"; #endif #define SYNC_STATETABSZ 256 --- 96,102 ---- /* END OF INCLUDES */ #if !defined(lint) ! 
static const char rcsid[] = "@(#)$Id: ip_sync.c,v 2.40.2.2 2004/10/31 18:45:58 darrenr Exp $"; #endif #define SYNC_STATETABSZ 256 *************** *** 118,123 **** --- 118,124 ---- su_idx = 0, /* next available sync update entry */ sl_tail = 0, /* next sync log entry to read */ su_tail = 0; /* next sync update entry to read */ + int ipf_sync_debug = 0; # if !defined(sparc) && !defined(__hppa) *************** *** 261,266 **** --- 262,268 ---- # define ipfsync_storder(x,y) # endif /* !defined(sparc) && !defined(__hppa) */ + /* enable this for debugging */ # ifdef _KERNEL /* ------------------------------------------------------------------------ */ *************** *** 275,311 **** struct uio *uio; { synchdr_t sh; - int err = 0; ! /* ! * All writes will be in multiples of 4 and at least 8 bytes. */ ! if ((uio->uio_resid & 3) || (uio->uio_resid < 8)) ! return EINVAL; ! while ((uio->uio_resid > 0) && ! UIOMOVE((caddr_t)&sh, sizeof(sh), UIO_WRITE, uio) == 0) { ! sh.sm_num = ntohl(sh.sm_num); ! if (sh.sm_v != 4 && sh.sm_v != 6) ! continue; ! if ((sh.sm_cmd > SMC_MAXCMD) || (sh.sm_table > SMC_MAXTBL)) ! continue; /* ! * We currently only synchronise state information and NAT ! * information - and even then, the NAT information is not ! * yet sync'd for proxied connections. */ - if (sh.sm_table == SMC_STATE) - err = ipfsync_state(&sh, uio); - else if (sh.sm_table == SMC_NAT) - err = ipfsync_nat(&sh, uio); - if (err) - break; - } ! return err; } --- 277,405 ---- struct uio *uio; { synchdr_t sh; ! /* ! * THIS MUST BE SUFFICIENT LARGE TO STORE ! * ANY POSSIBLE DATA TYPE */ ! char data[2048]; ! int err = 0; ! # if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__) ! uio->uio_rw = UIO_WRITE; ! 
# endif + /* Try to get bytes */ + while (uio->uio_resid > 0) { + + if (uio->uio_resid >= sizeof(sh)) { + + err = UIOMOVE((caddr_t)&sh, sizeof(sh), UIO_WRITE, uio); + + if (err) { + if (ipf_sync_debug > 2) + printf("uiomove(header) failed: %d\n", + err); + return err; + } + + /* convert to host order */ + sh.sm_magic = ntohl(sh.sm_magic); + sh.sm_len = ntohl(sh.sm_len); + sh.sm_num = ntohl(sh.sm_num); + + if (ipf_sync_debug > 8) + printf("[%d] Read v:%d p:%d cmd:%d table:%d rev:%d len:%d magic:%x\n", + sh.sm_num, sh.sm_v, sh.sm_p, sh.sm_cmd, + sh.sm_table, sh.sm_rev, sh.sm_len, + sh.sm_magic); + + if (sh.sm_magic != SYNHDRMAGIC) { + if (ipf_sync_debug > 2) + printf("uiomove(header) invalud %x\n", + "magic"); + return EINVAL; + } + + if (sh.sm_v != 4 && sh.sm_v != 6) { + if (ipf_sync_debug > 2) + printf("uiomove(header) invalid %s\n", + "protocol"); + return EINVAL; + } + + if (sh.sm_cmd > SMC_MAXCMD) { + if (ipf_sync_debug > 2) + printf("uiomove(header) invalid %s\n", + "command"); + return EINVAL; + } + + + if (sh.sm_table > SMC_MAXTBL) { + if (ipf_sync_debug > 2) + printf("uiomove(header) invalid %s\n", + "table"); + return EINVAL; + } + + } else { + /* unsufficient data, wait until next call */ + if (ipf_sync_debug > 2) + printf("uiomove(header) insufficient data"); + return EAGAIN; + } + + /* ! * We have a header, so try to read the amount of data ! * needed for the request */ ! /* not supported */ ! if (sh.sm_len == 0) { ! if (ipf_sync_debug > 2) ! printf("uiomove(data zero length %s\n", ! "not supported"); ! return EINVAL; ! } ! ! if (uio->uio_resid >= sh.sm_len) { ! ! err = UIOMOVE((caddr_t)data, sh.sm_len, UIO_WRITE, uio); ! ! if (err) { ! if (ipf_sync_debug > 2) ! printf("uiomove(data) failed: %d\n", ! err); ! return err; ! } ! ! if (ipf_sync_debug > 7) ! printf("uiomove(data) %d bytes read\n", ! sh.sm_len); ! ! if (sh.sm_table == SMC_STATE) ! err = ipfsync_state(&sh, data); ! else if (sh.sm_table == SMC_NAT) ! err = ipfsync_nat(&sh, data); ! 
if (ipf_sync_debug > 7) ! printf("[%d] Finished with error %d\n", ! sh.sm_num, err); ! ! } else { ! /* insufficient data, wait until next call */ ! if (ipf_sync_debug > 2) ! printf("uiomove(data) %s %d bytes, got %d\n", ! "insufficient data, need", ! sh.sm_len, uio->uio_resid); ! return EAGAIN; ! } ! } ! ! /* no more data */ ! return 0; } *************** *** 406,414 **** /* create a new state entry or update one. Deletion is left to the state */ /* structures being timed out correctly. */ /* ------------------------------------------------------------------------ */ ! int ipfsync_state(sp, uio) synchdr_t *sp; ! struct uio *uio; { synctcp_update_t su; ipstate_t *is, sn; --- 500,508 ---- /* create a new state entry or update one. Deletion is left to the state */ /* structures being timed out correctly. */ /* ------------------------------------------------------------------------ */ ! int ipfsync_state(sp, data) synchdr_t *sp; ! void *data; { synctcp_update_t su; ipstate_t *is, sn; *************** *** 415,433 **** synclist_t *sl; frentry_t *fr; u_int hv; ! int err; - # if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__) - uio->uio_rw = UIO_WRITE; - # endif hv = sp->sm_num & (SYNC_STATETABSZ - 1); switch (sp->sm_cmd) { case SMC_CREATE : ! err = UIOMOVE((caddr_t)&sn, sizeof(sn), UIO_WRITE, uio); ! if (err != 0) ! break; KMALLOC(is, ipstate_t *); if (is == NULL) { err = ENOMEM; --- 509,523 ---- synclist_t *sl; frentry_t *fr; u_int hv; ! int err = 0; hv = sp->sm_num & (SYNC_STATETABSZ - 1); switch (sp->sm_cmd) { case SMC_CREATE : ! ! bcopy(data, &sn, sizeof(sn)); KMALLOC(is, ipstate_t *); if (is == NULL) { err = ENOMEM; *************** *** 460,471 **** } RWLOCK_EXIT(&ipf_mutex); is->is_rule = fr; is->is_sync = sl; sl->sl_idx = -1; sl->sl_ips = is; ! 
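Review bot: In the `*** 275,311 ****` hunk of ip_sync.c, ipfsync_write() copies `sh.sm_len` bytes from the caller into the fixed `char data[2048]` stack buffer without ever comparing sm_len with sizeof(data), and sm_len is a signed int taken straight from the written header (only its byte order is fixed up), so a length above 2048, or a negative one that passes the signed `uio->uio_resid >= sh.sm_len` test, overwrites the kernel stack. Replace the zero-length test with `if (sh.sm_len <= 0 || (size_t)sh.sm_len > sizeof(data)) return EINVAL;` and, because ipfsync_state() and ipfsync_nat() then do `bcopy(data, &sn, sizeof(sn))` (likewise sizeof(su), sizeof(sle)) regardless of sm_len, also reject a header whose sm_len is smaller than the structure that table/command will read, otherwise uninitialised stack bytes become state or NAT entries. Two of the new diagnostics are also wrong: `printf("uiomove(header) invalud %x\n", "magic")` passes a string to %x and should read `"uiomove(header) invalid %s\n"`, and `printf("uiomove(header) insufficient data")` lacks its newline. Exposure is bounded by who may open the sync device for writing (the Linux side in this diff registers the ipf nodes 0600), but the kernel must not rely on that.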
sl->sl_num = ntohl(sp->sm_num); WRITE_ENTER(&ipf_syncstate); WRITE_ENTER(&ipf_state); --- 550,564 ---- } RWLOCK_EXIT(&ipf_mutex); + if (ipf_sync_debug > 4) + printf("[%d] Filter rules = %p\n", sp->sm_num, fr); + is->is_rule = fr; is->is_sync = sl; sl->sl_idx = -1; sl->sl_ips = is; ! bcopy(sp, &sl->sl_hdr, sizeof(struct synchdr)); WRITE_ENTER(&ipf_syncstate); WRITE_ENTER(&ipf_state); *************** *** 484,502 **** * * Put this state entry on its timeout queue. */ ! fr_setstatequeue(is, sp->sm_rev); break; case SMC_UPDATE : ! err = UIOMOVE((caddr_t)&su, sizeof(su), UIO_WRITE, uio); ! if (err != 0) ! break; READ_ENTER(&ipf_syncstate); for (sl = syncstatetab[hv]; (sl != NULL); sl = sl->sl_next) if (sl->sl_hdr.sm_num == sp->sm_num) break; if (sl == NULL) { RWLOCK_EXIT(&ipf_syncstate); err = ENOENT; break; --- 577,601 ---- * * Put this state entry on its timeout queue. */ ! /*fr_setstatequeue(is, sp->sm_rev);*/ break; case SMC_UPDATE : ! bcopy(data, &su, sizeof(su)); + if (ipf_sync_debug > 4) + printf("[%d] Update age %lu state %d/%d \n", + sp->sm_num, su.stu_age, su.stu_state[0], + su.stu_state[1]); + READ_ENTER(&ipf_syncstate); for (sl = syncstatetab[hv]; (sl != NULL); sl = sl->sl_next) if (sl->sl_hdr.sm_num == sp->sm_num) break; if (sl == NULL) { + if (ipf_sync_debug > 1) + printf("[%d] State not found - can't update\n", + sp->sm_num); RWLOCK_EXIT(&ipf_syncstate); err = ENOENT; break; *************** *** 504,509 **** --- 603,614 ---- READ_ENTER(&ipf_state); + if (ipf_sync_debug > 6) + printf("[%d] Data from state v:%d p:%d cmd:%d table:%d rev:%d\n", + sp->sm_num, sl->sl_hdr.sm_v, sl->sl_hdr.sm_p, + sl->sl_hdr.sm_cmd, sl->sl_hdr.sm_table, + sl->sl_hdr.sm_rev); + is = sl->sl_ips; MUTEX_ENTER(&is->is_lock); *************** *** 510,515 **** --- 615,621 ---- switch (sp->sm_p) { case IPPROTO_TCP : + /* XXX FV --- shouldn't we do ntohl/htonl???? 
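Review bot: In the `*** 460,471 ****` hunk of ipfsync_state(), `bcopy(sp, &sl->sl_hdr, sizeof(struct synchdr));` copies the whole header received from the writer, including its `sm_sl` back pointer, into the kernel's synclist, where the old code stored only the entry number; add `sl->sl_hdr.sm_sl = sl;` after the bcopy so the back pointer is never a value that arrived from user space. In the `*** 484,502 ****` hunk the call `/*fr_setstatequeue(is, sp->sm_rev);*/` is commented out while the comment above it still says the entry is put on its timeout queue; either delete the dead call and fix the comment, or explain why a newly created entry is left off the queue (the SMC_UPDATE path now calls fr_setstatequeue() itself, which may be the intended replacement, but an entry that never receives an update would then never be timed out — confirm). ipfsync_state() starts and ends outside these hunks.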
XXX */ is->is_send = su.stu_data[0].td_end; is->is_maxsend = su.stu_data[0].td_maxend; is->is_maxswin = su.stu_data[0].td_maxwin; *************** *** 522,528 **** --- 628,639 ---- default : break; } + + if (ipf_sync_debug > 6) + printf("[%d] Setting timers for state\n", sp->sm_num); + fr_setstatequeue(is, sp->sm_rev); + MUTEX_EXIT(&is->is_lock); break; *************** *** 535,540 **** --- 646,656 ---- RWLOCK_EXIT(&ipf_state); RWLOCK_EXIT(&ipf_syncstate); } + + if (ipf_sync_debug > 6) + printf("[%d] Update completed with error %d\n", + sp->sm_num, err); + return err; } # endif /* _KERNEL */ *************** *** 573,581 **** /* create a new NAT entry or update one. Deletion is left to the NAT */ /* structures being timed out correctly. */ /* ------------------------------------------------------------------------ */ ! int ipfsync_nat(sp, uio) synchdr_t *sp; ! struct uio *uio; { synclogent_t sle; syncupdent_t su; --- 689,697 ---- /* create a new NAT entry or update one. Deletion is left to the NAT */ /* structures being timed out correctly. */ /* ------------------------------------------------------------------------ */ ! int ipfsync_nat(sp, data) synchdr_t *sp; ! void *data; { synclogent_t sle; syncupdent_t su; *************** *** 584,601 **** u_int hv = 0; int err; - # if (BSD >= 199306) || defined(__FreeBSD__) || defined(__osf__) - uio->uio_rw = UIO_WRITE; - # endif - READ_ENTER(&ipf_syncstate); switch (sp->sm_cmd) { case SMC_CREATE : ! err = UIOMOVE((caddr_t)&sle, sizeof(sle), UIO_WRITE, uio); ! if (err != 0) ! break; KMALLOC(n, nat_t *); if (n == NULL) { --- 700,711 ---- u_int hv = 0; int err; READ_ENTER(&ipf_syncstate); switch (sp->sm_cmd) { case SMC_CREATE : ! bcopy(data, &sle, sizeof(sle)); KMALLOC(n, nat_t *); if (n == NULL) { *************** *** 632,640 **** break; case SMC_UPDATE : ! err = UIOMOVE((caddr_t)&su, sizeof(su), UIO_WRITE, uio); ! if (err != 0) ! 
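Review bot: The `/* XXX FV --- shouldn't we do ntohl/htonl???? XXX */` left in the `*** 510,515 ****` hunk of ipfsync_state() marks a real gap: the sending side in the `*** 811,820 ****` hunk converts only sm_magic, sm_num and sm_len with htonl(), while stu_age, stu_state[] and the tcpdata_t fields are copied raw, so the sequence-window values applied here are only correct when both peers share byte order and u_long width. Either convert every field of synctcp_update_t on both ends, or replace the XXX with a statement of the requirement, e.g. `/* NOTE: sync peers must share endianness and word size; these fields are not byte-swapped. */`. The NAT update copied in the `*** 632,640 ****` hunk has the same property.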
break; READ_ENTER(&ipf_syncstate); for (sl = syncstatetab[hv]; (sl != NULL); sl = sl->sl_next) --- 742,748 ---- break; case SMC_UPDATE : ! bcopy(data, &su, sizeof(su)); READ_ENTER(&ipf_syncstate); for (sl = syncstatetab[hv]; (sl != NULL); sl = sl->sl_next) *************** *** 729,734 **** --- 837,843 ---- sl->sl_num = ipf_syncnum; MUTEX_EXIT(&ipf_syncadd); + sl->sl_magic = htonl(SYNHDRMAGIC); sl->sl_v = fin->fin_v; sl->sl_p = fin->fin_p; sl->sl_cmd = SMC_CREATE; *************** *** 745,750 **** --- 854,860 ---- ptr = NULL; sz = 0; } + sl->sl_len = sz; /* * Create the log entry to be read by a user daemon. When it has been *************** *** 755,760 **** --- 865,871 ---- bcopy((char *)&sl->sl_hdr, (char *)&sle->sle_hdr, sizeof(sle->sle_hdr)); sle->sle_hdr.sm_num = htonl(sle->sle_hdr.sm_num); + sle->sle_hdr.sm_len = htonl(sle->sle_hdr.sm_len); if (ptr != NULL) { bcopy((char *)ptr, (char *)&sle->sle_un, sz); if (tab == SMC_STATE) { *************** *** 811,820 **** --- 922,933 ---- sl->sl_idx = su_idx++; bcopy((char *)&sl->sl_hdr, (char *)&slu->sup_hdr, sizeof(slu->sup_hdr)); + slu->sup_hdr.sm_magic = htonl(SYNHDRMAGIC); slu->sup_hdr.sm_sl = sl; slu->sup_hdr.sm_cmd = SMC_UPDATE; slu->sup_hdr.sm_table = tab; slu->sup_hdr.sm_num = htonl(sl->sl_num); + slu->sup_hdr.sm_len = htonl(sizeof(struct synctcp_update)); slu->sup_hdr.sm_rev = fin->fin_rev; # if 0 if (fin->fin_p == IPPROTO_TCP) { diff -cr ip_fil4.1.3/ip_sync.h ip_fil4.1.4/ip_sync.h *** ip_fil4.1.3/ip_sync.h Sun Jan 4 00:34:59 2004 --- ip_fil4.1.4/ip_sync.h Fri Nov 5 06:29:07 2004 *************** *** 4,23 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_sync.h,v 2.11 2004/01/03 13:34:59 darrenr Exp $ */ typedef struct synchdr { ! u_char sm_v; /* version: 4,6 */ ! u_char sm_p; /* protocol */ ! u_char sm_cmd; /* command */ ! u_char sm_table; /* NAT, STATE, etc */ ! u_int sm_num; /* table entry number */ ! 
int sm_rev; /* forward/reverse */ struct synclist *sm_sl; /* back pointer to parent */ } synchdr_t; /* * Commands * No delete required as expirey will take care of that! --- 4,30 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_sync.h,v 2.11.2.2 2004/11/04 19:29:07 darrenr Exp $ */ + #ifndef __IP_SYNC_H__ + #define __IP_SYNC_H__ + typedef struct synchdr { ! u_32_t sm_magic; /* magic */ ! u_char sm_v; /* version: 4,6 */ ! u_char sm_p; /* protocol */ ! u_char sm_cmd; /* command */ ! u_char sm_table; /* NAT, STATE, etc */ ! u_int sm_num; /* table entry number */ ! int sm_rev; /* forward/reverse */ ! int sm_len; /* length of the data section */ struct synclist *sm_sl; /* back pointer to parent */ } synchdr_t; + #define SYNHDRMAGIC 0x0FF51DE5 + /* * Commands * No delete required as expirey will take care of that! *************** *** 41,47 **** typedef struct synctcp_update { u_long stu_age; tcpdata_t stu_data[2]; ! u_char stu_state[2]; } synctcp_update_t; --- 48,54 ---- typedef struct synctcp_update { u_long stu_age; tcpdata_t stu_data[2]; ! int stu_state[2]; } synctcp_update_t; *************** *** 60,65 **** --- 67,73 ---- #define sl_ptr sl_un.slu_ptr #define sl_ips sl_un.slu_ips #define sl_ipn sl_un.slu_ipn + #define sl_magic sl_hdr.sm_magic #define sl_v sl_hdr.sm_v #define sl_p sl_hdr.sm_p #define sl_cmd sl_hdr.sm_cmd *************** *** 66,71 **** --- 74,80 ---- #define sl_rev sl_hdr.sm_rev #define sl_table sl_hdr.sm_table #define sl_num sl_hdr.sm_num + #define sl_len sl_hdr.sm_len /* * NOTE: SYNCLOG_SZ is defined *low*. It should be the next power of two *************** *** 98,104 **** extern void ipfsync_del __P((synclist_t *)); extern void ipfsync_update __P((int, fr_info_t *, synclist_t *)); extern int ipfsync_init __P((void)); ! extern int ipfsync_nat __P((synchdr_t *sp, struct uio *uio)); ! 
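Review bot: In the `*** 4,23 ****` hunk of ip_sync.h the new `int sm_len;` is a signed length that ipfsync_write() passes straight to UIOMOVE(); declaring it `u_32_t sm_len;` matches the new `u_32_t sm_magic` and removes the negative-length case from every consumer. The header also still carries `struct synclist *sm_sl;`, so sizeof(synchdr_t) — which ipfsync_write() uses as the minimum record size — differs between 32-bit and 64-bit peers, and the pointer value is meaningless to the receiver; if cross-machine sync is intended, keep the pointer out of the wire format or document that peers must match. Widening `stu_state[2]` from u_char to `int` in the `*** 41,47 ****` hunk changes the record size too, which is fine only because the new magic check rejects peers speaking the old layout — worth a comment next to SYNHDRMAGIC.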
extern int ipfsync_state __P((synchdr_t *sp, struct uio *uio)); extern int ipfsync_read __P((struct uio *uio)); extern int ipfsync_write __P((struct uio *uio)); --- 107,115 ---- extern void ipfsync_del __P((synclist_t *)); extern void ipfsync_update __P((int, fr_info_t *, synclist_t *)); extern int ipfsync_init __P((void)); ! extern int ipfsync_nat __P((synchdr_t *sp, void *data)); ! extern int ipfsync_state __P((synchdr_t *sp, void *data)); extern int ipfsync_read __P((struct uio *uio)); extern int ipfsync_write __P((struct uio *uio)); + + #endif /* IP_SYNC */ diff -cr ip_fil4.1.3/ipf.h ip_fil4.1.4/ipf.h *** ip_fil4.1.3/ipf.h Tue Apr 20 21:53:08 2004 --- ip_fil4.1.4/ipf.h Tue Nov 2 22:15:35 2004 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipf.h 1.12 6/5/96 ! * $Id: ipf.h,v 2.71.2.3 2004/04/20 11:53:08 darrenr Exp $ */ #ifndef __IPF_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipf.h 1.12 6/5/96 ! * $Id: ipf.h,v 2.71.2.4 2004/11/02 11:15:35 darrenr Exp $ */ #ifndef __IPF_H__ *************** *** 77,82 **** --- 77,83 ---- #include "netinet/ip_pool.h" #include "netinet/ip_scan.h" #include "netinet/ip_htable.h" + #include "netinet/ip_sync.h" #include "opts.h" diff -cr ip_fil4.1.3/ipl.h ip_fil4.1.4/ipl.h *** ip_fil4.1.3/ipl.h Sun Jul 18 14:13:45 2004 --- ip_fil4.1.4/ipl.h Sun Jan 9 01:41:42 2005 *************** *** 4,17 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.52.2.4 2004/07/18 04:13:45 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v4.1.3" ! #define IPFILTER_VERSION 4010300 #endif --- 4,17 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.52.2.5 2005/01/08 14:41:42 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v4.1.4" ! 
#define IPFILTER_VERSION 4010400 #endif Common subdirectories: ip_fil4.1.3/iplang and ip_fil4.1.4/iplang Common subdirectories: ip_fil4.1.3/ipsd and ip_fil4.1.4/ipsd Common subdirectories: ip_fil4.1.3/ipsend and ip_fil4.1.4/ipsend Common subdirectories: ip_fil4.1.3/l4check and ip_fil4.1.4/l4check Common subdirectories: ip_fil4.1.3/lib and ip_fil4.1.4/lib diff -cr ip_fil4.1.3/linux.c ip_fil4.1.4/linux.c *** ip_fil4.1.3/linux.c Sun Mar 7 01:33:12 2004 --- ip_fil4.1.4/linux.c Tue Nov 9 05:42:42 2004 *************** *** 1,9 **** #include "ipf-linux.h" #include - #include #ifdef CONFIG_PROC_FS - #include #include #endif --- 1,8 ---- + #include "ipf-linux.h" #include #ifdef CONFIG_PROC_FS #include #endif *************** *** 11,17 **** MODULE_SUPPORTED_DEVICE("ipf"); MODULE_AUTHOR("Darren Reed"); MODULE_DESCRIPTION("IP-Filter Firewall"); ! MODULE_LICENSE("(C)Copyright 2003 Darren Reed"); MODULE_PARM(fr_flags, "i"); MODULE_PARM(fr_control_forwarding, "i"); --- 10,16 ---- MODULE_SUPPORTED_DEVICE("ipf"); MODULE_AUTHOR("Darren Reed"); MODULE_DESCRIPTION("IP-Filter Firewall"); ! 
MODULE_LICENSE("(C)Copyright 2003-2004 Darren Reed"); MODULE_PARM(fr_flags, "i"); MODULE_PARM(fr_control_forwarding, "i"); *************** *** 18,24 **** MODULE_PARM(fr_update_ipid, "i"); MODULE_PARM(fr_chksrc, "i"); MODULE_PARM(fr_pass, "i"); - MODULE_PARM(fr_unreach, "i"); MODULE_PARM(ipstate_logging, "i"); MODULE_PARM(nat_logging, "i"); MODULE_PARM(ipl_suppress, "i"); --- 17,22 ---- *************** *** 146,151 **** --- 144,152 ---- #endif static struct file_operations ipf_fops = { + #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) + .owner = THIS_MODULE, + #endif open: ipf_open, read: ipf_read, write: ipf_write, *************** *** 154,161 **** --- 155,164 ---- #ifdef CONFIG_DEVFS_FS + #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) static devfs_handle_t dh[IPL_LOGSIZE]; #endif + #endif static int ipfmajor = 0; *************** *** 177,183 **** ipfmajor = register_chrdev(0, "ipf", &ipf_fops); if (ipfmajor < 0) { ! printf("unable to get major for ipf devs\n"); return -EINVAL; } --- 180,186 ---- ipfmajor = register_chrdev(0, "ipf", &ipf_fops); if (ipfmajor < 0) { ! printf("unable to get major for ipf devs (%d)\n", ipfmajor); return -EINVAL; } *************** *** 185,193 **** --- 188,200 ---- for (i = 0; ipf_devfiles[i] != NULL; i++) { s = strrchr(ipf_devfiles[i], '/'); if (s != NULL) { + #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) dh[i] = devfs_register(NULL, s + 1, DEVFS_FL_DEFAULT, ipfmajor, i, 0600|S_IFCHR, &ipf_fops, NULL); + #else + devfs_mk_cdev(MKDEV(ipfmajor, i),0600|S_IFCHR,s+1); + #endif } } #endif *************** *** 214,234 **** printk(KERN_INFO "%s initialized. Default = %s all, " "Logging = %s%s\n", ipfilter_version, defpass, ! #ifdef IPFILTER_LOG "enabled", ! #else "disabled", ! #endif ! #ifdef IPFILTER_COMPILED " (COMPILED)" ! #else "" ! #endif ); fr_running = 1; } ! #endif return i; } --- 221,243 ---- printk(KERN_INFO "%s initialized. Default = %s all, " "Logging = %s%s\n", ipfilter_version, defpass, ! # ifdef IPFILTER_LOG "enabled", ! 
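Review bot: `MODULE_LICENSE("(C)Copyright 2003-2004 Darren Reed")` in the `*** 11,17 ****` hunk of linux.c is not one of the licence strings the kernel recognises ("GPL", "Dual BSD/GPL", and so on), so the module is treated as proprietary: it taints the kernel on load and, on the 2.6 kernels this commit adds support for, cannot resolve EXPORT_SYMBOL_GPL symbols. The copyright notice belongs with MODULE_AUTHOR or in a comment; MODULE_LICENSE should carry the licence term that matches IPFILTER.LICENCE, which is not visible here, so pick the recognised string that corresponds to it.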
# else "disabled", ! # endif ! # ifdef IPFILTER_COMPILED " (COMPILED)" ! # else "" ! # endif ); fr_running = 1; } ! #else ! printf("IPFilter: device major number: %d\n", ipfmajor); ! #endif /* CONFIG_PROC_FS */ return i; } *************** *** 264,273 **** for (i = 0; ipf_devfiles[i] != NULL; i++) { s = strrchr(ipf_devfiles[i], '/'); if (s != NULL) devfs_unregister_chrdev(ipfmajor, s + 1); } #endif ! unregister_chrdev(ipfmajor, "ipf"); printk(KERN_INFO "%s unloaded\n", ipfilter_version); return 0; --- 273,288 ---- for (i = 0; ipf_devfiles[i] != NULL; i++) { s = strrchr(ipf_devfiles[i], '/'); if (s != NULL) + #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,0) devfs_unregister_chrdev(ipfmajor, s + 1); + #else + devfs_remove(s+1); + #endif } #endif ! ! if (ipfmajor >= 0) ! unregister_chrdev(ipfmajor, "ipf"); printk(KERN_INFO "%s unloaded\n", ipfilter_version); return 0; *************** *** 290,293 **** module_init(ipf_init) module_exit(ipf_fini) - --- 305,307 ---- Common subdirectories: ip_fil4.1.3/man and ip_fil4.1.4/man diff -cr ip_fil4.1.3/mlf_ipl.c ip_fil4.1.4/mlf_ipl.c *** ip_fil4.1.3/mlf_ipl.c Mon Dec 1 13:05:15 2003 --- ip_fil4.1.4/mlf_ipl.c Fri Aug 27 03:35:09 2004 *************** *** 118,125 **** &fr_defnatage, 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW, &fr_ipfrttl, 0, ""); - SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_unreach, CTLFLAG_RW, - &fr_unreach, 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD, &fr_running, 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO, --- 118,123 ---- diff -cr ip_fil4.1.3/mlfk_ipl.c ip_fil4.1.4/mlfk_ipl.c *** ip_fil4.1.3/mlfk_ipl.c Tue Mar 30 02:23:48 2004 --- ip_fil4.1.4/mlfk_ipl.c Mon Nov 1 05:45:30 2004 *************** *** 25,31 **** --- 25,35 ---- #include #include + #if __FreeBSD_version >= 502116 + static struct cdev *ipf_devs[IPL_LOGSIZE]; + #else static dev_t ipf_devs[IPL_LOGSIZE]; + #endif static int sysctl_ipf_int ( SYSCTL_HANDLER_ARGS ); static int 
ipf_modload(void); *************** *** 55,60 **** --- 59,66 ---- &fr_tcpclosed, 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udptimeout, CTLFLAG_RWO, &fr_udptimeout, 0, ""); + SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_udpacktimeout, CTLFLAG_RWO, + &fr_udpacktimeout, 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_icmptimeout, CTLFLAG_RWO, &fr_icmptimeout, 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_defnatage, CTLFLAG_RWO, *************** *** 61,68 **** &fr_defnatage, 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_ipfrttl, CTLFLAG_RW, &fr_ipfrttl, 0, ""); - SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_unreach, CTLFLAG_RW, - &fr_unreach, 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD, &fr_running, 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_statesize, CTLFLAG_RWO, --- 67,72 ---- *************** *** 89,94 **** --- 93,102 ---- #define CDEV_MAJOR 79 #if __FreeBSD_version >= 501000 static struct cdevsw ipl_cdevsw = { + #if __FreeBSD_version >= 502103 + .d_version = D_VERSION, + .d_flags = 0, /* D_NEEDGIANT - Should be SMP safe */ + #endif .d_open = iplopen, .d_close = iplclose, .d_read = iplread, *************** *** 101,107 **** /* open */ iplopen, /* close */ iplclose, /* read */ iplread, ! /* write */ nowrite, /* ioctl */ iplioctl, /* poll */ nopoll, /* mmap */ nommap, --- 109,115 ---- /* open */ iplopen, /* close */ iplclose, /* read */ iplread, ! /* write */ iplwrite, /* ioctl */ iplioctl, /* poll */ nopoll, /* mmap */ nommap, *************** *** 119,125 **** #endif static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME, IPAUTH_NAME, ! IPSCAN_NAME, IPSYNC_NAME, IPLOOKUP_NAME, NULL }; static int --- 127,133 ---- #endif static char *ipf_devfiles[] = { IPL_NAME, IPNAT_NAME, IPSTATE_NAME, IPAUTH_NAME, ! 
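Review bot: The `*** 101,107 ****` hunk of mlfk_ipl.c replaces `nowrite` with `iplwrite` in the cdevsw shared by every ipf minor device, so write(2) on ipl, ipnat, ipstate, ipauth, ipscan and iplookup — not only the sync node — now reaches iplwrite(); iplwrite() is not in this diff, so confirm it dispatches on the minor number and returns an error for anything but the sync minor, since the path ends in ipfsync_write(), which parses the data as sync records. The same change is made in mln_ipl.c, mlo_ipl.c, mls_ipl.c and solaris.c, where the write entry was also taken out of `#ifdef IPFILTER_SYNC`, so builds without sync support expose the entry point as well. The `.d_flags = 0, /* D_NEEDGIANT - Should be SMP safe */` in the `*** 89,94 ****` hunk asserts the driver runs without Giant; a sentence naming the locking that makes that true would make the claim reviewable.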
IPSYNC_NAME, IPSCAN_NAME, IPLOOKUP_NAME, NULL }; static int diff -cr ip_fil4.1.3/mli_ipl.c ip_fil4.1.4/mli_ipl.c *** ip_fil4.1.3/mli_ipl.c Sun Feb 8 04:27:33 2004 --- ip_fil4.1.4/mli_ipl.c Thu Dec 16 05:30:41 2004 *************** *** 534,540 **** if (nif_interfaces != in_interfaces) { /* if the number of interfaces has changed, resync */ MUTEX_EXIT(&ipfi_mutex); ! frsync(); } else MUTEX_EXIT(&ipfi_mutex); } --- 534,540 ---- if (nif_interfaces != in_interfaces) { /* if the number of interfaces has changed, resync */ MUTEX_EXIT(&ipfi_mutex); ! frsync(NULL); } else MUTEX_EXIT(&ipfi_mutex); } diff -cr ip_fil4.1.3/mln_ipl.c ip_fil4.1.4/mln_ipl.c *** ip_fil4.1.3/mln_ipl.c Sun Mar 7 01:33:14 2004 --- ip_fil4.1.4/mln_ipl.c Sat Nov 13 13:48:50 2004 *************** *** 82,88 **** iplopen, /* open */ iplclose, /* close */ iplread, /* read */ ! 0, /* write */ iplioctl, /* ioctl */ 0, /* stop */ 0, /* tty */ --- 82,88 ---- iplopen, /* open */ iplclose, /* close */ iplread, /* read */ ! iplwrite, /* write */ iplioctl, /* ioctl */ 0, /* stop */ 0, /* tty */ *************** *** 97,103 **** iplopen, /* open */ iplclose, /* close */ iplread, /* read */ ! (void *)nullop, /* write */ iplioctl, /* ioctl */ (void *)nullop, /* stop */ (void *)nullop, /* reset */ --- 97,103 ---- iplopen, /* open */ iplclose, /* close */ iplread, /* read */ ! 
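Review bot: Swapping `IPSYNC_NAME` and `IPSCAN_NAME` in ipf_devfiles[] in the `*** 119,125 ****` hunk of mlfk_ipl.c changes which minor number each node is created with, since the array index is the minor. The constants that iplopen()/iplioctl()/iplwrite() compare the minor against are not in this diff, so confirm they agree with the new order on FreeBSD, and note that existing /dev nodes created by the previous layout will now name the wrong device until recreated; a comment such as `/* order must match the minor numbers used in iplopen/iplwrite */` above the array would prevent the next silent reorder.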
iplwrite, /* write */ iplioctl, /* ioctl */ (void *)nullop, /* stop */ (void *)nullop, /* reset */ *************** *** 149,159 **** --- 149,161 ---- return EEXIST; #if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) + # if (__NetBSD_Version__ < 200000000) err = devsw_attach(args->lkm_devname, args->lkm_bdev, &args->lkm_bdevmaj, args->lkm_cdev, &args->lkm_cdevmaj); if (err != 0) return (err); + # endif ipl_major = args->lkm_cdevmaj; #else for (i = 0; i < nchrdev; i++) diff -cr ip_fil4.1.3/mlo_ipl.c ip_fil4.1.4/mlo_ipl.c *** ip_fil4.1.3/mlo_ipl.c Sun Mar 7 01:33:16 2004 --- ip_fil4.1.4/mlo_ipl.c Mon Nov 1 05:45:31 2004 *************** *** 60,66 **** iplopen, /* open */ iplclose, /* close */ iplread, /* read */ ! (void *)nullop, /* write */ iplioctl, /* ioctl */ (void *)nullop, /* stop */ (void *)NULL, /* tty */ --- 60,66 ---- iplopen, /* open */ iplclose, /* close */ iplread, /* read */ ! iplwrite, /* write */ iplioctl, /* ioctl */ (void *)nullop, /* stop */ (void *)NULL, /* tty */ diff -cr ip_fil4.1.3/mls_ipl.c ip_fil4.1.4/mls_ipl.c *** ip_fil4.1.3/mls_ipl.c Sun Mar 7 01:33:16 2004 --- ip_fil4.1.4/mls_ipl.c Fri Nov 5 06:24:54 2004 *************** *** 40,46 **** #if !defined(lint) static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.7.2.1 2004/03/06 14:33:16 darrenr Exp $"; #endif extern int ipldetach __P((void)); --- 40,46 ---- #if !defined(lint) static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.7.2.2 2004/11/04 19:24:54 darrenr Exp $"; #endif extern int ipldetach __P((void)); *************** *** 76,82 **** iplopen, iplclose, iplread, ! NULL, /* write */ NULL, /* strategy */ NULL, /* dump */ 0, /* psize */ --- 76,82 ---- iplopen, iplclose, iplread, ! 
iplwrite, NULL, /* strategy */ NULL, /* dump */ 0, /* psize */ Common subdirectories: ip_fil4.1.3/net and ip_fil4.1.4/net Common subdirectories: ip_fil4.1.3/netinet and ip_fil4.1.4/netinet Common subdirectories: ip_fil4.1.3/perl and ip_fil4.1.4/perl Common subdirectories: ip_fil4.1.3/rules and ip_fil4.1.4/rules Common subdirectories: ip_fil4.1.3/samples and ip_fil4.1.4/samples diff -cr ip_fil4.1.3/solaris.c ip_fil4.1.4/solaris.c *** ip_fil4.1.3/solaris.c Sun Mar 7 01:33:17 2004 --- ip_fil4.1.4/solaris.c Thu Dec 16 04:13:20 2004 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.73.2.1 2004/03/06 14:33:17 darrenr Exp $" #include #include --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.73.2.5 2004/12/15 17:13:20 darrenr Exp $" #include #include *************** *** 57,65 **** extern struct filterstats frstats[]; extern int fr_running; extern int fr_flags; - #ifdef IPFILTER_SYNC extern int iplwrite __P((dev_t, struct uio *, cred_t *)); - #endif extern ipnat_t *nat_list; --- 57,63 ---- *************** *** 91,101 **** nodev, /* print */ nodev, /* dump */ iplread, - #ifdef IPFILTER_SYNC iplwrite, /* write */ - #else - nodev, /* write */ - #endif iplioctl, /* ioctl */ nodev, /* devmap */ nodev, /* mmap */ --- 89,95 ---- *************** *** 310,315 **** --- 304,314 ---- if (pfil_add_hook(fr_check, PFIL_IN|PFIL_OUT, &pfh_inet4)) cmn_err(CE_WARN, "IP Filter: %s(pfh_inet4) failed", "pfil_add_hook"); + #ifdef USE_INET6 + if (pfil_add_hook(fr_check, PFIL_IN|PFIL_OUT, &pfh_inet6)) + cmn_err(CE_WARN, "IP Filter: %s(pfh_inet6) failed", + "pfil_add_hook"); + #endif if (pfil_add_hook(fr_qifsync, PFIL_IN|PFIL_OUT, &pfh_sync)) cmn_err(CE_WARN, "IP Filter: %s(pfh_sync) failed", "pfil_add_hook"); 
*************** *** 330,336 **** --- 329,337 ---- } attach_failed: + #ifdef IPFDEBUG cmn_err(CE_NOTE, "IP Filter: failed to attach\n"); + #endif /* * Use our own detach routine to toss * away any stuff we allocated above. *************** *** 370,375 **** --- 371,381 ---- if (pfil_remove_hook(fr_check, PFIL_IN|PFIL_OUT, &pfh_inet4)) cmn_err(CE_WARN, "IP Filter: %s(pfh_inet4) failed", "pfil_remove_hook"); + #ifdef USE_INET6 + if (pfil_remove_hook(fr_check, PFIL_IN|PFIL_OUT, &pfh_inet6)) + cmn_err(CE_WARN, "IP Filter: %s(pfh_inet6) failed", + "pfil_add_hook"); + #endif if (pfil_remove_hook(fr_qifsync, PFIL_IN|PFIL_OUT, &pfh_sync)) cmn_err(CE_WARN, "IP Filter: %s(pfh_sync) failed", "pfil_remove_hook"); *************** *** 457,463 **** mblk_t **mp; { ! frsync(); /* * Resync. any NAT `connections' using this interface and its IP #. */ --- 463,469 ---- mblk_t **mp; { ! frsync(qif); /* * Resync. any NAT `connections' using this interface and its IP #. */ *************** *** 473,490 **** */ int ipfsync() { ! qpktinfo_t qpi; ! qif_t *qf; ! ! frsync(); ! /* ! * Resync. any NAT `connections' using this interface and its IP #. ! */ ! qf = NULL; ! while (qif_walk(&qf)) { ! qpi.qpi_real = qf; ! (void) fr_qifsync(NULL, 0, (void *)qf->qf_ill, -1, &qpi, NULL); ! } return 0; } --- 479,485 ---- */ int ipfsync() { ! frsync(NULL); return 0; } Common subdirectories: ip_fil4.1.3/test and ip_fil4.1.4/test Common subdirectories: ip_fil4.1.3/tools and ip_fil4.1.4/tools diff -cr ip_fil4.1.3/tru64.c ip_fil4.1.4/tru64.c *** ip_fil4.1.3/tru64.c Wed May 12 05:51:37 2004 --- ip_fil4.1.4/tru64.c Thu Dec 16 05:30:42 2004 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: tru64.c,v 2.11.2.2 2004/05/11 19:51:37 darrenr Exp $"; #endif #include #include --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. */ #if !defined(lint) ! 
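Review bot: In the `*** 370,375 ****` hunk of solaris.c the new pfh_inet6 removal reports `"pfil_add_hook"` on failure while the neighbouring calls report `"pfil_remove_hook"`; change the line to `cmn_err(CE_WARN, "IP Filter: %s(pfh_inet6) failed", "pfil_remove_hook");` so a failed detach logs the operation that actually failed.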
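Review bot: The rewritten ipfsync() in the `*** 473,490 ****` hunk of solaris.c drops the qif_walk() loop that called fr_qifsync() for every interface and keeps only `frsync(NULL);`, yet the removed comment described that loop as the NAT resync for each interface's IP address. If frsync(NULL) does not now perform that NAT resync itself (frsync's body is not in this diff), NAT entries stop being refreshed on this path; either confirm and say so with `/* frsync(NULL) also resyncs NAT entries for every interface */`, or keep the per-qif pass.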
static const char rcsid[] = "@(#)$Id: tru64.c,v 2.11.2.4 2004/12/15 18:30:42 darrenr Exp $"; #endif #include #include *************** *** 233,241 **** (caddr_t)&fr_minttl, 0, 1, 0 }, { "fr_running", CFG_ATTR_INTTYPE, CFG_OP_QUERY, (caddr_t)&fr_minttl, 0, 1, 0 }, - { "fr_unreach", CFG_ATTR_INTTYPE, CFG_OP_QUERY | - CFG_OP_CONFIGURE | CFG_OP_RECONFIGURE, - (caddr_t) &fr_unreach, 0, 255, 0 }, { "fr_control_forwarding", CFG_ATTR_INTTYPE, CFG_OP_QUERY | CFG_OP_CONFIGURE | CFG_OP_RECONFIGURE, --- 233,238 ---- *************** *** 609,615 **** } if (cmd == (ioctlcmd_t)SIOCAIFADDR) ! frsync(); RWLOCK_EXIT(&ipf_tru64); } --- 606,612 ---- } if (cmd == (ioctlcmd_t)SIOCAIFADDR) ! frsync(NULL); RWLOCK_EXIT(&ipf_tru64); } diff -cr ip_fil4.1.3/BSD/Makefile ip_fil4.1.4/BSD/Makefile *** ip_fil4.1.3/BSD/Makefile Tue Jul 6 21:20:15 2004 --- ip_fil4.1.4/BSD/Makefile Mon Jan 3 00:22:15 2005 *************** *** 74,83 **** include $(TOP)/lib/Makefile ! build all: $(OBJ)/libipf.a ipf ipfs ipfstat ipftest ipmon ipnat ippool \ ! ipscan ipsyncm ipsyncs $(LKM) $(LKMR) -sh -c 'for i in ipf ipftest ipmon ippool ipnat ipscan ipsyncm ipsyncs; do /bin/rm -f $(TOP)/$$i; ln -s `pwd`/$$i $(TOP); done' ipfstat: $(FILS) $(OBJ)/libipf.a $(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \ -o $@ $(LIBS) $(STATETOP_LIB) -lkvm --- 74,94 ---- include $(TOP)/lib/Makefile ! build all: machine $(OBJ)/libipf.a ipf ipfs ipfstat ipftest ipmon ipnat \ ! 
ippool ipscan ipsyncm ipsyncs $(LKM) $(LKMR) -sh -c 'for i in ipf ipftest ipmon ippool ipnat ipscan ipsyncm ipsyncs; do /bin/rm -f $(TOP)/$$i; ln -s `pwd`/$$i $(TOP); done' + machine: Makefile.kmod + if [ -f Makefile.kmod ] ; then \ + make -f Makefile.kmod depend MKUPDATE=no; \ + fi + + Makefile.kmod: + if [ -f /usr/share/mk/bsd.kmod.mk -a "`uname -s`" = "NetBSD" ] ; then \ + rm -f Makefile.kmod; \ + ln -s /usr/share/mk/bsd.kmod.mk Makefile.kmod; \ + fi + ipfstat: $(FILS) $(OBJ)/libipf.a $(CC) $(CCARGS) $(STATETOP_CFLAGS) $(STATETOP_INC) $(FILS) \ -o $@ $(LIBS) $(STATETOP_LIB) -lkvm *************** *** 440,449 **** ${RM} -f ipsyncm ipsyncs ipfs ip_rules.c ip_rules.h ${MAKE} -f Makefile.ipsend ${MFLAGS} clean -(for i in *; do \ if [ -d $${i} -a -f $${i}/Makefile ] ; then \ cd $${i}; (make TOP=../.. clean); cd ..; \ ! rm $${i}/Makefile $${i}/Makefile.ipsend; \ rmdir $${i}; \ fi \ done) --- 451,464 ---- ${RM} -f ipsyncm ipsyncs ipfs ip_rules.c ip_rules.h ${MAKE} -f Makefile.ipsend ${MFLAGS} clean + if [ -f Makefile.kmod ] ; then \ + ${MAKE} -f Makefile.kmod ${MFLAGS} clean; \ + fi -(for i in *; do \ if [ -d $${i} -a -f $${i}/Makefile ] ; then \ cd $${i}; (make TOP=../.. clean); cd ..; \ ! /bin/rm -f $${i}/Makefile $${i}/Makefile.ipsend; \ ! /bin/rm -f $${i}/Makefile.kmod; \ rmdir $${i}; \ fi \ done) diff -cr ip_fil4.1.3/BSD/kupgrade ip_fil4.1.4/BSD/kupgrade *** ip_fil4.1.3/BSD/kupgrade Sun Jul 11 20:41:56 2004 --- ip_fil4.1.4/BSD/kupgrade Fri Oct 8 05:04:40 2004 *************** *** 20,25 **** --- 20,28 ---- if [ -d /sys/contrib/ipfilter ] ; then ipfdir=/sys/contrib/ipfilter/netinet fi + if [ -d /sys/dist/ipf ] ; then + ipfdir=/sys/dist/ipf/netinet + fi confdir="$archdir/conf" if [ -f /dev/ipnat ] ; then major=`ls -l /dev/ipnat | sed -e 's/.* \([0-9]*\),.*/\1/'` *************** *** 62,72 **** ;; esac ! if [ -d $ipfdir/$filc ] ; then echo -n "$filc -> $ipfdir/$filc " cp $filc $ipfdir/$filc chmod 644 $ipfdir/$filc ! 
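Review bot: The new `machine` recipe invokes the sub-make as bare `make -f Makefile.kmod depend MKUPDATE=no`, while the rest of this Makefile (the `clean` recipe in the next hunk included) uses `${MAKE}`, so a build driven through gmake or a non-default make binary gets a different program for this one step and loses the parent's job-server flags. Use `${MAKE} -f Makefile.kmod depend MKUPDATE=no; \`. On non-NetBSD hosts the `Makefile.kmod` rule creates nothing, so `machine` is re-run on every build; that is harmless because the `if [ -f Makefile.kmod ]` guard skips the body, but a comment saying so would stop someone "fixing" the always-out-of-date target.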
else echo -n "$filc -> $ipfdir/ip_fil.c " cp $filc $ipfdir/ip_fil.c chmod 644 $ipfdir/ip_fil.c --- 65,76 ---- ;; esac ! if [ -f $ipfdir/$filc ] ; then echo -n "$filc -> $ipfdir/$filc " cp $filc $ipfdir/$filc chmod 644 $ipfdir/$filc ! fi ! if [ -f $ipfdir/ip_fil.c ] ; then echo -n "$filc -> $ipfdir/ip_fil.c " cp $filc $ipfdir/ip_fil.c chmod 644 $ipfdir/ip_fil.c *************** *** 166,172 **** mv files files.preipf4 cp -p files.preipf4 files fi ! if [ $fullrev -ge 010600 ] ; then for i in htable pool lookup; do grep ip_$i.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then --- 170,176 ---- mv files files.preipf4 cp -p files.preipf4 files fi ! if [ $fullrev -ge 010600 -a $fullrev -lt 020000 ] ; then for i in htable pool lookup; do grep ip_$i.c files >/dev/null 2>&1 if [ $? -ne 0 ] ; then Common subdirectories: ip_fil4.1.3/BSDOS3/OBJS and ip_fil4.1.4/BSDOS3/OBJS Common subdirectories: ip_fil4.1.3/BSDOS4/OBJS and ip_fil4.1.4/BSDOS4/OBJS Common subdirectories: ip_fil4.1.3/HPUX/IPF-ALL and ip_fil4.1.4/HPUX/IPF-ALL diff -cr ip_fil4.1.3/HPUX/ipf.psf.dist ip_fil4.1.4/HPUX/ipf.psf.dist *** ip_fil4.1.3/HPUX/ipf.psf.dist Sun Jul 18 14:13:45 2004 --- ip_fil4.1.4/HPUX/ipf.psf.dist Sun Jan 9 01:41:45 2005 *************** *** 4,12 **** # # Copyright: Copyright (c) 2000 Darren Reed # ! # Description: PSF for IP FIlter 4.1.3 # ! # $Id: ipf.psf.dist,v 1.1.2.4 2004/07/18 04:13:45 darrenr Exp $ # The vendor definition here applies to all subsequently defined products. --- 4,12 ---- # # Copyright: Copyright (c) 2000 Darren Reed # ! # Description: PSF for IP FIlter 4.1.4 # ! # $Id: ipf.psf.dist,v 1.1.2.5 2005/01/08 14:41:45 darrenr Exp $ # The vendor definition here applies to all subsequently defined products. *************** *** 24,32 **** # Bundle definition(s): bundle tag IPF ! title IP Filter 4.1.3 description Firewall/NAT ! revision A.04.01.03 architecture HP-UX_HPREV_32/64 machine_type 9000/[678]??:* os_name HP-UX --- 24,32 ---- # Bundle definition(s): bundle tag IPF ! 
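Review bot: The rewritten copy step has lost its fallback: the old `else` always wrote `$filc` to `$ipfdir/ip_fil.c`, whereas the two new `if [ -f ... ]` tests copy nothing at all when neither `$ipfdir/$filc` nor `$ipfdir/ip_fil.c` exists (a tree where the `ipfdir` guesses above missed), and from what is visible the script then appears to carry on as if the kernel source had been updated. Add a final guard such as `[ -f "$ipfdir/$filc" -o -f "$ipfdir/ip_fil.c" ] || { echo "no ip_fil.c under $ipfdir" >&2; exit 1; }` so the upgrade cannot half-succeed. Quoting `"$ipfdir/$filc"` in the tests and the `cp`/`chmod` lines would also be in keeping with a script that runs as root over the kernel tree.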
title IP Filter 4.1.4 description Firewall/NAT ! revision A.04.01.04 architecture HP-UX_HPREV_32/64 machine_type 9000/[678]??:* os_name HP-UX *************** *** 37,52 **** is_reference false vendor_tag IPFilter hp_srdo swtype=O;user=B;bundle_type=O ! contents IPF-RUN,r=A.04.01.03,a=HP-UX_HPREV_32/64,v=IPFilter end # bundle IPF # Product definition(s): product tag IPF-RUN ! title IP Filter 4.1.3 description Firewall/NAT copyright < ../../SunOS5/copyright ! revision A.04.01.03 architecture HP-UX_HPREV_32/64 machine_type 9000/[678]??:* os_name HP-UX --- 37,52 ---- is_reference false vendor_tag IPFilter hp_srdo swtype=O;user=B;bundle_type=O ! contents IPF-RUN,r=A.04.01.04,a=HP-UX_HPREV_32/64,v=IPFilter end # bundle IPF # Product definition(s): product tag IPF-RUN ! title IP Filter 4.1.4 description Firewall/NAT copyright < ../../SunOS5/copyright ! revision A.04.01.04 architecture HP-UX_HPREV_32/64 machine_type 9000/[678]??:* os_name HP-UX *************** *** 68,76 **** # InternetSrvcs.IPF-ALL fileset tag IPF-ALL ! title IP Filter 4.1.3 : IPF-ALL description < ../IPF-ALL/description ! revision A.04.01.03 architecture HP-UX_HPREV_32/64 machine_type 9000/[678]??:* os_name HP-UX --- 68,76 ---- # InternetSrvcs.IPF-ALL fileset tag IPF-ALL ! title IP Filter 4.1.4 : IPF-ALL description < ../IPF-ALL/description ! revision A.04.01.04 architecture HP-UX_HPREV_32/64 machine_type 9000/[678]??:* os_name HP-UX diff -cr ip_fil4.1.3/Linux/Makefile ip_fil4.1.4/Linux/Makefile *** ip_fil4.1.3/Linux/Makefile Tue Jul 6 21:20:17 2004 --- ip_fil4.1.4/Linux/Makefile Tue Nov 9 05:42:44 2004 *************** *** 18,35 **** # For Linux # CPUTYPE:=`uname -m | sed -e s/i.86/i386/ -e s/sun4u/sparc64/ -e s/arm.*/arm/ -e s/sa110/arm/` ! ARCH:=`uname -m` OBJ=. TOP=.. TOOL=$(TOP)/tools ! CPU:=`uname -i` ! MODDIR=/lib/modules/`uname -r`/kernel/net/ipv4/ ! 
CPUDIR=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m` HERE=Linux #LEXLIB=-ll DEST=$(OBJ) DEBUG=-g - GENSRC=../$(HERE)/$(OBJ) LINUXKERNEL=/usr/src/linux LIBS=-L$(OBJ) -lipf $(LIBBPF) INC=-nostdinc -I$(TOP) -I$(LINUXKERNEL)/include/ --- 18,37 ---- # For Linux # CPUTYPE:=`uname -m | sed -e s/i.86/i386/ -e s/sun4u/sparc64/ -e s/arm.*/arm/ -e s/sa110/arm/` ! ARCH:=$(shell uname -m) OBJ=. TOP=.. TOOL=$(TOP)/tools ! CPU:=$(shell uname -i) ! KREV:=$(shell uname -r) ! MODEXT:=$(shell modprobe -l | head -n 1 | sed -e 's/.*\.\([^\.]*\)$$/\1/') ! MODDIR=/lib/modules/$(KREV) ! IPV4DIR=$(MODDIR)/kernel/net/ipv4/ ! CPUDIR=$(shell uname -s|sed -e 's@/@@g')-$(KREV)-$(ARCH) HERE=Linux #LEXLIB=-ll DEST=$(OBJ) DEBUG=-g LINUXKERNEL=/usr/src/linux LIBS=-L$(OBJ) -lipf $(LIBBPF) INC=-nostdinc -I$(TOP) -I$(LINUXKERNEL)/include/ *************** *** 38,43 **** --- 40,48 ---- -fno-strict-aliasing -fno-common -DLINUX=$(LINUX) -I/usr/src/linux/asm/${mcore} IPDEF=$(DEF) -DGATEWAY -DDIRECTED_BROADCAST IPFILC=ip_lfil.c + XCFLAGS=-DLINUX=$(LINUX) -I.. -I`pwd`/.. -I`pwd`/../.. $(LOOKUP) $(IPFLOG) -O2 + EXTRA_CFLAGS += $(XCFLAGS) + # MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ 'CFLAGS=$(CFLAGS)' "IPFLKM=$(IPFLKM)" \ "IPFLOG=$(IPFLOG)" "LOGFAC=$(LOGFAC)" "POLICY=$(POLICY)" \ *************** *** 84,103 **** $(OBJ): @if [ ! -d $(OBJ) ] ; then \ mkdir $(OBJ) ; \ ! ln -s ../Makefile $(OBJ) ; \ ln -s ../Makefile.ipsend $(OBJ) ; \ fi build all: $(OBJ) $(OBJ)/ipf $(OBJ)/ipfs $(OBJ)/ipfstat $(OBJ)/ipftest \ ! $(OBJ)/ipmon $(OBJ)/ipnat $(OBJ)/ippool $(OBJ)/ipfilter.o -sh -c 'for i in ipf ipftest ipmon ippool ipnat ipscan ipsyncm ipsyncs; do /bin/rm -f $(TOP)/$$i; ln -s `pwd`/$(OBJ)/$$i $(TOP); done' $(OBJ)/ipfstat: $(FILS) $(OBJ)/libipf.a $(TOP)/ip_fil.h $(TOP)/ipf.h \ $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_state.h \ $(TOP)/ip_nat.h -if [ ! -f /usr/lib/libelf.so ] ; then \ ! 
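Review bot: `MODEXT:=$(shell modprobe -l | head -n 1 | sed -e 's/.*\.\([^\.]*\)$$/\1/')` takes the extension of whichever module `modprobe -l` happens to list first, and is empty when modprobe prints nothing or is not on the build host's PATH; in that case the install recipe later in this file names the module `ipfilter.` with a bare trailing dot and the spec file's `%files` entry will not match it. Default it when the probe fails, `ifeq ($(MODEXT),)` / `MODEXT=o` / `endif`, or better derive it from `$(LINUX)`, which the Makefile already uses to choose between the 2.4 and kbuild paths, so the value no longer depends on the state of the running system. A short comment on the `MODEXT` line explaining that it is meant to be `o` on 2.4 and `ko` on 2.6 would make the intent checkable.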
(cd /usr/lib; a=`echo libelf.so.*|head -1`; \ if [ "$$a" != "" ] ; then ln -s $$a libelf.so; fi) \ fi $(CC) $(CCARGS) $(FILS) -o $@ -lelf $(LIBS) $(STATETOP_LIB) --- 89,116 ---- $(OBJ): @if [ ! -d $(OBJ) ] ; then \ mkdir $(OBJ) ; \ ! if [ $(LINUX) -ge 20600 ] ; then \ ! ln -s ../Makefile.kbuild $(OBJ)/Makefile ; \ ! fi ; \ ln -s ../Makefile.ipsend $(OBJ) ; \ fi build all: $(OBJ) $(OBJ)/ipf $(OBJ)/ipfs $(OBJ)/ipfstat $(OBJ)/ipftest \ ! $(OBJ)/ipmon $(OBJ)/ipnat $(OBJ)/ippool -sh -c 'for i in ipf ipftest ipmon ippool ipnat ipscan ipsyncm ipsyncs; do /bin/rm -f $(TOP)/$$i; ln -s `pwd`/$(OBJ)/$$i $(TOP); done' + ipflkm: + if [ $(LINUX) -lt 20499 ] ; then \ + make $(OBJ)/ipfilter.o ; \ + else \ + (cd $(OBJ); unset MAKEFLAGS; make -C "$(MODDIR)/build" SUBDIRS="`pwd`" TOP="`pwd`/../.." CPUDIR="$(CPUDIR)" EXTRA_CFLAGS="$(EXTRA_CFLAGS)" OBJ= modules); \ + fi $(OBJ)/ipfstat: $(FILS) $(OBJ)/libipf.a $(TOP)/ip_fil.h $(TOP)/ipf.h \ $(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_state.h \ $(TOP)/ip_nat.h -if [ ! -f /usr/lib/libelf.so ] ; then \ ! (cd /usr/lib; a=`echo libelf.so.*|head -n 1`; \ if [ "$$a" != "" ] ; then ln -s $$a libelf.so; fi) \ fi $(CC) $(CCARGS) $(FILS) -o $@ -lelf $(LIBS) $(STATETOP_LIB) *************** *** 112,118 **** $(OBJ)/ipnat: $(IPNAT) $(OBJ)/libipf.a -if [ ! -f /usr/lib/libelf.so ] ; then \ ! (cd /usr/lib; a=`echo libelf.so.*|head -1`; \ if [ "$$a" != "" ] ; then ln -s $$a libelf.so; fi) \ fi $(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) -lelf $(LEXLIB) --- 125,131 ---- $(OBJ)/ipnat: $(IPNAT) $(OBJ)/libipf.a -if [ ! -f /usr/lib/libelf.so ] ; then \ ! (cd /usr/lib; a=`echo libelf.so.*|head -n 1`; \ if [ "$$a" != "" ] ; then ln -s $$a libelf.so; fi) \ fi $(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) -lelf $(LEXLIB) *************** *** 448,457 **** fi \ done) ! install: $(SPECFILE) ipfilter mkdir -p $(ROOTDIR) $(ROOTDIR)/usr/include/netinet mkdir -p $(ROOTDIR)$(SBINDEST) $(ROOTDIR)$(BINDEST) ! 
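Review bot: The new `ipflkm` target switches to kbuild with `if [ $(LINUX) -lt 20499 ]`, but the `$(OBJ)` rule in the same hunk only symlinks `Makefile.kbuild` into the object directory when `$(LINUX) -ge 20600`, so for a LINUX value between 20499 and 20599 the kbuild `make -C "$(MODDIR)/build" SUBDIRS=...` runs against a directory with no Makefile. Use one threshold in both places, `if [ $(LINUX) -lt 20600 ] ; then \`, or name it once (`KBUILD_MIN=20600`) and test that. The `unset MAKEFLAGS` and bare `make` before the recursive kbuild call look deliberate, to keep the outer flags out of the kernel build; a one-line comment saying so would stop it being "corrected" to `$(MAKE)`.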
mkdir -p $(ROOTDIR)$(MODDIR) mkdir -p $(ROOTDIR)/etc/init.d mkdir -p $(ROOTDIR)/etc/sysconfig mkdir -p $(ROOTDIR)$(MANDIR)/man1 --- 461,470 ---- fi \ done) ! install: $(CPUDIR)/$(SPECFILE) $(CPUDIR)/ipfilter mkdir -p $(ROOTDIR) $(ROOTDIR)/usr/include/netinet mkdir -p $(ROOTDIR)$(SBINDEST) $(ROOTDIR)$(BINDEST) ! mkdir -p $(ROOTDIR)$(IPV4DIR) mkdir -p $(ROOTDIR)/etc/init.d mkdir -p $(ROOTDIR)/etc/sysconfig mkdir -p $(ROOTDIR)$(MANDIR)/man1 *************** *** 465,480 **** $(CHMOD) 444 $(ROOTDIR)/usr/include/netinet/ip_$$i.h; \ done $(CP) $(TOP)/ipl.h $(ROOTDIR)/usr/include/netinet/ipl.h ! -if [ -d $(MODDIR) ] ; then \ ! cp ipfilter.o $(ROOTDIR)$(MODDIR); \ fi (for i in ipfstat ipf ipnat ippool ipfs; do \ ! $(INSTALL) -c -s -g wheel -m 755 -o root $$i $(ROOTDIR)$(SBINDEST); \ done;) (for i in ipmon ipftest; do \ ! $(INSTALL) -c -s -g wheel -m 755 -o root $$i $(ROOTDIR)$(BINDEST); \ done;) ! (../../bsdinstall -c -g wheel -m 755 -o root ipfilter $(ROOTDIR)/etc/init.d) (cd $(TOP)/man; make INSTALL=../bsdinstall MANDIR=$(ROOTDIR)$(MANDIR) install; cd $(TOP)) for i in BASIC_1.FW BASIC_2.FW BASIC.NAT example.1 example.2 \ example.3 example.4 example.5 example.6 example.7 \ --- 478,493 ---- $(CHMOD) 444 $(ROOTDIR)/usr/include/netinet/ip_$$i.h; \ done $(CP) $(TOP)/ipl.h $(ROOTDIR)/usr/include/netinet/ipl.h ! -if [ -d $(IPV4DIR) ] ; then \ ! cp $(CPUDIR)/ipfilter.o $(ROOTDIR)$(IPV4DIR)/ipfilter.$(MODEXT); \ fi (for i in ipfstat ipf ipnat ippool ipfs; do \ ! (cd $(CPUDIR); ../$(INSTALL) -c -s -g wheel -m 755 -o root $$i $(ROOTDIR)$(SBINDEST)); \ done;) (for i in ipmon ipftest; do \ ! (cd $(CPUDIR); ../$(INSTALL) -c -s -g wheel -m 755 -o root $$i $(ROOTDIR)$(BINDEST)); \ done;) ! 
(cd $(CPUDIR); ../$(INSTALL) -c -g wheel -m 755 -o root ipfilter $(ROOTDIR)/etc/init.d) (cd $(TOP)/man; make INSTALL=../bsdinstall MANDIR=$(ROOTDIR)$(MANDIR) install; cd $(TOP)) for i in BASIC_1.FW BASIC_2.FW BASIC.NAT example.1 example.2 \ example.3 example.4 example.5 example.6 example.7 \ *************** *** 485,497 **** $(CHMOD) 444 $(ROOTDIR)/usr/share/ipfilter/examples/$$i; \ chown root:root $(ROOTDIR)/usr/share/ipfilter/examples/$$i; \ done ! rpmbuild -bb $(SPECFILE) rpm -i ipfilter ! $(SPECFILE): ../$(SPECFILE).dist ! sed -e "s/KERNELBUILD/`uname -r`/" \ ! -e "s/TURNONIPFILTER/`../howchkconfig`/" \ $< > $@ ! ipfilter: ! ../mkinit --- 498,512 ---- $(CHMOD) 444 $(ROOTDIR)/usr/share/ipfilter/examples/$$i; \ chown root:root $(ROOTDIR)/usr/share/ipfilter/examples/$$i; \ done ! rpmbuild -bb $(CPUDIR)/$(SPECFILE) rpm -i ipfilter ! $(CPUDIR)/$(SPECFILE): $(SPECFILE).dist ! sed -e "s/KERNELBUILD/$(KREV)/" \ ! -e "s/MODEXT/$(MODEXT)/" \ ! -e "s/TURNONIPFILTER/`./howchkconfig`/" \ $< > $@ ! $(CPUDIR)/ipfilter: ! ./mkinit `pwd`/$(CPUDIR) ! Only in ip_fil4.1.4/Linux: Makefile.kbuild diff -cr ip_fil4.1.3/Linux/ipf-linux.h ip_fil4.1.4/Linux/ipf-linux.h *** ip_fil4.1.3/Linux/ipf-linux.h Wed Jun 30 01:12:55 2004 --- ip_fil4.1.4/Linux/ipf-linux.h Tue Nov 9 05:42:45 2004 *************** *** 2,11 **** #define __IPF_LINUX_H__ #include #ifndef CONFIG_NETFILTER # define CONFIG_NETFILTER #endif ! #if LINUX >= 020600 # define __irq_h 1 /* stop it being included! */ # include #else --- 2,12 ---- #define __IPF_LINUX_H__ #include + #include #ifndef CONFIG_NETFILTER # define CONFIG_NETFILTER #endif ! #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) # define __irq_h 1 /* stop it being included! */ # include #else *************** *** 16,21 **** --- 17,23 ---- #include #include #include + #include #include #include #include *************** *** 28,34 **** #include #include #include ! #if LINUX >= 020600 # include #else # define ipftcphdr tcphdr --- 30,36 ---- #include #include #include ! 
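Review bot: The install step copies `$(CPUDIR)/ipfilter.o` to `ipfilter.$(MODEXT)`, so on a 2.6 kernel where MODEXT resolves to `ko` the file that lands in `$(IPV4DIR)` is the `.o` renamed, not whatever the kbuild path in `ipflkm` linked. If kbuild produces a separate `ipfilter.ko` (it normally does, carrying the .modinfo and vermagic that the loader checks), the installed module is the pre-link object and the `modprobe ipfilter` in the init scripts will either refuse it or load something without version information; the kbuild output is not visible in this diff, so confirm which file it emits. Copying the artefact by its real name, `cp $(CPUDIR)/ipfilter.$(MODEXT) $(ROOTDIR)$(IPV4DIR)/ipfilter.$(MODEXT); \`, stays correct on 2.4 where MODEXT is `o`.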
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) # include #else # define ipftcphdr tcphdr *************** *** 143,149 **** __u16 ether_type; }; ! #if LINUX >= 020600 typedef struct ipftcphdr tcphdr_t; typedef struct ipfudphdr udphdr_t; #endif --- 145,151 ---- __u16 ether_type; }; ! #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) typedef struct ipftcphdr tcphdr_t; typedef struct ipfudphdr udphdr_t; #endif Only in ip_fil4.1.3/Linux: ipfilter diff -cr ip_fil4.1.3/Linux/ipfilter-redhat ip_fil4.1.4/Linux/ipfilter-redhat *** ip_fil4.1.3/Linux/ipfilter-redhat Wed Jun 30 00:39:02 2004 --- ip_fil4.1.4/Linux/ipfilter-redhat Fri Oct 22 22:11:31 2004 *************** *** 25,31 **** } start() { ! /sbin/insmod -s ipfilter echo -n $"Starting IPFilter: " minor=0 --- 25,31 ---- } start() { ! modprobe ipfilter echo -n $"Starting IPFilter: " minor=0 *************** *** 51,57 **** logit $RETVAL ippool "$msg" fi if [ $RETVAL -eq 0 ] ; then ! /sbin/ipmon -Das RETVAL=$? fi if [ $RETVAL -eq 0 ] ; then --- 51,57 ---- logit $RETVAL ippool "$msg" fi if [ $RETVAL -eq 0 ] ; then ! /usr/bin/ipmon -Das RETVAL=$? fi if [ $RETVAL -eq 0 ] ; then diff -cr ip_fil4.1.3/Linux/ipfilter-suse ip_fil4.1.4/Linux/ipfilter-suse *** ip_fil4.1.3/Linux/ipfilter-suse Wed Jun 30 00:39:02 2004 --- ip_fil4.1.4/Linux/ipfilter-suse Fri Oct 22 22:11:32 2004 *************** *** 26,32 **** } start() { ! /sbin/insmod -s ipfilter rc=$? if [ ${rc} -ne 0 ] ; then rc_status -v --- 26,32 ---- } start() { ! modprobe ipfilter rc=$? if [ ${rc} -ne 0 ] ; then rc_status -v *************** *** 57,63 **** logit $rc ippool "$msg" fi if [ $rc -eq 0 ] ; then ! /sbin/ipmon -Das rc=$? fi rc_status -v --- 57,63 ---- logit $rc ippool "$msg" fi if [ $rc -eq 0 ] ; then ! /usr/bin/ipmon -Das rc=$? fi rc_status -v *************** *** 73,79 **** } dostatus() { ! status ipmon rc=$? } --- 73,79 ---- } dostatus() { ! # status ipmon rc=$? 
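Review bot: `modprobe ipfilter` in start() is invoked without a path, unlike the other commands these scripts run (`/usr/bin/ipmon -Das` two hunks down, `/sbin/chkconfig` in the spec file), so loading the firewall module depends on whatever PATH the init system hands a root shell; a privileged helper in an init script should not be resolved through the environment. Use `/sbin/modprobe ipfilter`; the same line appears in the SuSE script's start() below. Dropping insmod's `-s` also means a load failure is no longer reported to syslog by the loader itself, and the Red Hat start() visible here does not capture `$?` after the call, so a failed load presumably surfaces only when ipf later fails to open its device.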
} diff -cr ip_fil4.1.3/Linux/ipfilter.spec.dist ip_fil4.1.4/Linux/ipfilter.spec.dist *** ip_fil4.1.3/Linux/ipfilter.spec.dist Sun Jul 18 14:14:47 2004 --- ip_fil4.1.4/Linux/ipfilter.spec.dist Fri Oct 22 22:11:32 2004 *************** *** 12,18 **** %files %defattr(-,root,root) ! /lib/modules/KERNELBUILD/kernel/net/ipv4/ipfilter.o /etc/init.d/ipfilter /etc/sysconfig/ipfilter /sbin/ipf --- 12,18 ---- %files %defattr(-,root,root) ! /lib/modules/KERNELBUILD/kernel/net/ipv4/ipfilter.MODEXT /etc/init.d/ipfilter /etc/sysconfig/ipfilter /sbin/ipf *************** *** 89,94 **** --- 89,95 ---- %post /sbin/chkconfig --add ipfilter /sbin/chkconfig TURNONIPFILTER + /sbin/depmod -A %preun /etc/init.d/ipfilter stop diff -cr ip_fil4.1.3/Linux/mkinit ip_fil4.1.4/Linux/mkinit *** ip_fil4.1.3/Linux/mkinit Wed Jun 30 00:39:02 2004 --- ip_fil4.1.4/Linux/mkinit Fri Oct 22 22:11:32 2004 *************** *** 1,8 **** #!/bin/sh if [ -f /etc/SuSE-release ] ; then ! cp ../ipfilter-suse ipfilter fi if [ -f /etc/redhat-release ] ; then ! cp ../ipfilter-redhat ipfilter fi ! exit 0 --- 1,10 ---- #!/bin/sh if [ -f /etc/SuSE-release ] ; then ! cp ipfilter-suse $1/ipfilter ! exit 0 fi if [ -f /etc/redhat-release ] ; then ! cp ipfilter-redhat $1/ipfilter ! exit 0 fi ! exit 1 diff -cr ip_fil4.1.3/OSF/Makefile ip_fil4.1.4/OSF/Makefile *** ip_fil4.1.3/OSF/Makefile Sun Jul 11 20:43:51 2004 --- ip_fil4.1.4/OSF/Makefile Sun Jan 9 01:29:56 2005 *************** *** 359,365 **** ${RM} -f ipnat_y.c ipnat_y.h ipnat_l.c ipnat_l.h ${RM} -f ipmon_y.c ipmon_y.h ipmon_l.c ipmon_l.h ${RM} -f ipscan ipscan_y.c ipscan_y.h ipscan_l.c y.tab.? lex.yy.c ipfs ! ${RM} -f ipsyncm ipsyncs ip_rules.c ip_rules.h ${MAKE} -f Makefile.ipsend ${MFLAGS} clean -(for i in *; do \ --- 359,365 ---- ${RM} -f ipnat_y.c ipnat_y.h ipnat_l.c ipnat_l.h ${RM} -f ipmon_y.c ipmon_y.h ipmon_l.c ipmon_l.h ${RM} -f ipscan ipscan_y.c ipscan_y.h ipscan_l.c y.tab.? lex.yy.c ipfs ! 
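Review bot: Commenting out `status ipmon` in dostatus() leaves `rc=$?` behind, so rc now holds the exit status of whatever ran before the function was entered rather than anything about ipmon, and `status` reports success (or a stale, unrelated failure) regardless of whether the monitor is running. Either assign it explicitly, `rc=0`, with a comment explaining why the ipmon check was dropped, or replace the check with one that actually inspects the service rather than leaving a dead assignment that reads as if it were still meaningful.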
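Review bot: mkinit now writes to `$1/ipfilter` but never checks that `$1` was supplied, and the Makefile in this same release invokes it as root during `install`; with an empty first argument both `cp` lines resolve to `/ipfilter` and the init script is dropped at the filesystem root. Guard and quote the argument: `[ -n "$1" ] && [ -d "$1" ] || exit 1` at the top, then `cp ipfilter-suse "$1/ipfilter"` and `cp ipfilter-redhat "$1/ipfilter"`. The new `exit 1` on an unrecognised distribution is also a behaviour change that deserves a message on stderr, since it turns the Makefile's `$(CPUDIR)/ipfilter` rule into a silent install failure on anything that is neither SuSE nor Red Hat.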
${RM} -f ipsyncm ipsyncs ip_rules.c ip_rules.h sysconfigtab ${MAKE} -f Makefile.ipsend ${MFLAGS} clean -(for i in *; do \ diff -cr ip_fil4.1.3/OpenBSD-3/3.0-MAKEDEV-diffs ip_fil4.1.4/OpenBSD-3/3.0-MAKEDEV-diffs *** ip_fil4.1.3/OpenBSD-3/3.0-MAKEDEV-diffs Sat Jun 15 02:55:46 2002 --- ip_fil4.1.4/OpenBSD-3/3.0-MAKEDEV-diffs Sun Oct 3 17:05:51 2004 *************** *** 44,50 **** + mknod ipauth c 37 3 + mknod ipsync c 37 4 + mknod ipscan c 37 5 ! + mknod ippool c 37 6 + chown root.wheel ipl ipnat ipstate ipauth ;; --- 44,50 ---- + mknod ipauth c 37 3 + mknod ipsync c 37 4 + mknod ipscan c 37 5 ! + mknod iplookup c 37 6 + chown root.wheel ipl ipnat ipstate ipauth ;; *************** *** 122,128 **** + mknod ipauth c 38 3 + mknod ipsync c 38 4 + mknod ipscan c 38 5 ! + mknod ippool c 38 6 + chown root.wheel ipl ipnat ipstate ipauth ;; --- 122,128 ---- + mknod ipauth c 38 3 + mknod ipsync c 38 4 + mknod ipscan c 38 5 ! + mknod iplookup c 38 6 + chown root.wheel ipl ipnat ipstate ipauth ;; *************** *** 163,169 **** + mknod ipauth c 37 3 + mknod ipsync c 37 4 + mknod ipscan c 37 5 ! + mknod ippool c 37 6 + chown root.wheel ipl ipnat ipstate ipauth ;; --- 163,169 ---- + mknod ipauth c 37 3 + mknod ipsync c 37 4 + mknod ipscan c 37 5 ! + mknod iplookup c 37 6 + chown root.wheel ipl ipnat ipstate ipauth ;; *************** *** 204,210 **** + mknod ipauth c 34 3 + mknod ipsync c 34 4 + mknod ipscan c 34 5 ! + mknod ippool c 34 6 + chown root.wheel ipl ipnat ipstate ipauth ;; --- 204,210 ---- + mknod ipauth c 34 3 + mknod ipsync c 34 4 + mknod ipscan c 34 5 ! + mknod iplookup c 34 6 + chown root.wheel ipl ipnat ipstate ipauth ;; *************** *** 246,252 **** + mknod ipauth c 77 3 + mknod ipsync c 77 4 + mknod ipscan c 77 5 ! + mknod ippool c 77 6 + chown root.wheel ipl ipnat ipstate ipauth ;; --- 246,252 ---- + mknod ipauth c 77 3 + mknod ipsync c 77 4 + mknod ipscan c 77 5 ! 
+ mknod iplookup c 77 6 + chown root.wheel ipl ipnat ipstate ipauth ;; *************** *** 280,286 **** + mknod ipauth c 38 3 + mknod ipsync c 38 4 + mknod ipscan c 38 5 ! + mknod ippool c 38 6 + chown root.wheel ipl ipnat ipstate ipauth ;; --- 280,286 ---- + mknod ipauth c 38 3 + mknod ipsync c 38 4 + mknod ipscan c 38 5 ! + mknod iplookup c 38 6 + chown root.wheel ipl ipnat ipstate ipauth ;; *************** *** 321,327 **** + mknod ipauth c 45 3 + mknod ipsync c 45 4 + mknod ipscan c 45 5 ! + mknod ippool c 45 6 + chown root.wheel ipl ipnat ipstate ipauth ;; --- 321,327 ---- + mknod ipauth c 45 3 + mknod ipsync c 45 4 + mknod ipscan c 45 5 ! + mknod iplookup c 45 6 + chown root.wheel ipl ipnat ipstate ipauth ;; *************** *** 361,367 **** + mknod ipauth c 44 3 + mknod ipsync c 44 4 + mknod ipscan c 44 5 ! + mknod ippool c 44 6 + chown root.wheel ipl ipnat ipstate ipauth + ;; --- 361,367 ---- + mknod ipauth c 44 3 + mknod ipsync c 44 4 + mknod ipscan c 44 5 ! + mknod iplookup c 44 6 + chown root.wheel ipl ipnat ipstate ipauth + ;; *************** *** 403,409 **** + mknod ipauth c 41 3 + mknod ipsync c 41 4 + mknod ipscan c 41 5 ! + mknod ippool c 41 6 + chown root.wheel ipl ipnat ipstate ipauth ;; --- 403,409 ---- + mknod ipauth c 41 3 + mknod ipsync c 41 4 + mknod ipscan c 41 5 ! + mknod iplookup c 41 6 + chown root.wheel ipl ipnat ipstate ipauth ;; *************** *** 444,450 **** + mknod ipauth c 44 3 + mknod ipsync c 44 4 + mknod ipscan c 44 5 ! + mknod ippool c 44 6 + chown root.wheel ipl ipnat ipstate ipauth ;; --- 444,450 ---- + mknod ipauth c 44 3 + mknod ipsync c 44 4 + mknod ipscan c 44 5 ! + mknod iplookup c 44 6 + chown root.wheel ipl ipnat ipstate ipauth ;; *************** *** 488,494 **** + mknod ipauth c 60 3 + mknod ipsync c 60 4 + mknod ipscan c 60 5 ! + mknod ippool c 60 6 + chown root.wheel ipl ipnat ipstate ipauth ;; --- 488,494 ---- + mknod ipauth c 60 3 + mknod ipsync c 60 4 + mknod ipscan c 60 5 ! 
+ mknod iplookup c 60 6 + chown root.wheel ipl ipnat ipstate ipauth ;; *************** *** 525,531 **** + M ipauth c 75 3 root.wheel + M ipsync c 75 4 root.wheel + M ipscan c 75 5 root.wheel ! + M ippool c 75 6 root.wheel + ;; cgsix*)M cgsix$U c 67 $U 666;; audio*)M sound$U c 69 $U --- 525,531 ---- + M ipauth c 75 3 root.wheel + M ipsync c 75 4 root.wheel + M ipscan c 75 5 root.wheel ! + M iplookup c 75 6 root.wheel + ;; cgsix*)M cgsix$U c 67 $U 666;; audio*)M sound$U c 69 $U *************** *** 569,575 **** + mknod ipauth c 86 3 + mknod ipsync c 86 4 + mknod ipscan c 86 5 ! + mknod ippool c 86 6 + chown root.wheel ipl ipnat ipstate ipauth ;; --- 569,575 ---- + mknod ipauth c 86 3 + mknod ipsync c 86 4 + mknod ipscan c 86 5 ! + mknod iplookup c 86 6 + chown root.wheel ipl ipnat ipstate ipauth ;; *************** *** 606,612 **** + mknod ipauth c 47 3 ; chmod 600 ipauth + mknod ipsync c 47 4 ; chmod 600 ipsync + mknod ipscan c 47 5 ; chmod 600 ipscan ! + mknod ippool c 47 6 ; chmod 600 ippool ;; fd) --- 606,612 ---- + mknod ipauth c 47 3 ; chmod 600 ipauth + mknod ipsync c 47 4 ; chmod 600 ipsync + mknod ipscan c 47 5 ; chmod 600 ipscan ! + mknod iplookup c 47 6 ; chmod 600 iplookup ;; fd) diff -cr ip_fil4.1.3/OpenBSD-3/3.0-sys-diffs ip_fil4.1.4/OpenBSD-3/3.0-sys-diffs *** ip_fil4.1.3/OpenBSD-3/3.0-sys-diffs Sat Jun 15 02:55:46 2002 --- ip_fil4.1.4/OpenBSD-3/3.0-sys-diffs Sun Jan 9 01:29:30 2005 *************** *** 481,487 **** #option CCITT,LLC,HDLC # X.25 + option IPFILTER # IP packet filter for security + option IPFILTER_LOG # use /dev/ipl to log IPF ! + #option IPFILTER_LOOKUP # use /dev/ippool for IP pools option PPP_BSDCOMP # PPP BSD compression option PPP_DEFLATE #option MROUTING # Multicast router --- 481,487 ---- #option CCITT,LLC,HDLC # X.25 + option IPFILTER # IP packet filter for security + option IPFILTER_LOG # use /dev/ipl to log IPF ! 
+ #option IPFILTER_LOOKUP # use /dev/iplookup for IP pools option PPP_BSDCOMP # PPP BSD compression option PPP_DEFLATE #option MROUTING # Multicast router *************** *** 552,558 **** + + #ifdef IPFILTER + /* XXX More ipf & ipnat cleanup needed. */ ! + frsync(); + #endif /* Deallocate private resources. */ --- 552,558 ---- + + #ifdef IPFILTER + /* XXX More ipf & ipnat cleanup needed. */ ! + frsync(ifp); + #endif /* Deallocate private resources. */ diff -cr ip_fil4.1.3/OpenBSD-3/3.1-MAKEDEV-diffs ip_fil4.1.4/OpenBSD-3/3.1-MAKEDEV-diffs *** ip_fil4.1.3/OpenBSD-3/3.1-MAKEDEV-diffs Sat Jun 15 02:55:47 2002 --- ip_fil4.1.4/OpenBSD-3/3.1-MAKEDEV-diffs Sun Oct 3 17:05:52 2004 *************** *** 33,39 **** + __devitem(ipsync, ipsync*, Packet Filter sync)dnl + _mkdev(ipscan, {-ipscan*-}, {-M ipscan c major_ipscan_c 5 600-})dnl + __devitem(ipscan, ipscan*, Packet Filter scan)dnl ! + _mkdev(ippool, {-ippool*-}, {-M ippool c major_ippool_c 6 600-})dnl __devitem(bpf, bpf*, Berkeley Packet Filter)dnl _mkdev(bpf, {-bpf*-}, {-M bpf$U c major_bpf_c $U 600-}, 600)dnl _mkdev(tun, {-tun*-}, {-M tun$U c major_tun_c $U 600-}, 600)dnl --- 33,39 ---- + __devitem(ipsync, ipsync*, Packet Filter sync)dnl + _mkdev(ipscan, {-ipscan*-}, {-M ipscan c major_ipscan_c 5 600-})dnl + __devitem(ipscan, ipscan*, Packet Filter scan)dnl ! + _mkdev(iplookup, {-iplookup*-}, {-M iplookup c major_iplookup_c 6 600-})dnl __devitem(bpf, bpf*, Berkeley Packet Filter)dnl _mkdev(bpf, {-bpf*-}, {-M bpf$U c major_bpf_c $U 600-}, 600)dnl _mkdev(tun, {-tun*-}, {-M tun$U c major_tun_c $U 600-}, 600)dnl *************** *** 52,58 **** + _DEV(ipauth, 44) + _DEV(ipscan, 44) + _DEV(ipsync, 44) ! + _DEV(ippool, 44) _DEV(bpf, 11) _DEV(altq, 53) _DEV(iop, 54) --- 52,58 ---- + _DEV(ipauth, 44) + _DEV(ipscan, 44) + _DEV(ipsync, 44) ! + _DEV(iplookup, 44) _DEV(bpf, 11) _DEV(altq, 53) _DEV(iop, 54) *************** *** 71,77 **** + _DEV(ipauth, 38) + _DEV(ipsync, 38) + _DEV(ipscan, 38) ! 
+ _DEV(ippool, 38) _DEV(ss, 25) _DEV(uk, 36) _DEV(rnd, 35) --- 71,77 ---- + _DEV(ipauth, 38) + _DEV(ipsync, 38) + _DEV(ipscan, 38) ! + _DEV(iplookup, 38) _DEV(ss, 25) _DEV(uk, 36) _DEV(rnd, 35) *************** *** 90,96 **** + _DEV(ipauth, 37) + _DEV(ipsync, 37) + _DEV(ipscan, 37) ! + _DEV(ippool, 37) _DEV(lkm, 24) _DEV(rnd, 32) _DEV(xfs, 51) --- 90,96 ---- + _DEV(ipauth, 37) + _DEV(ipsync, 37) + _DEV(ipscan, 37) ! + _DEV(iplookup, 37) _DEV(lkm, 24) _DEV(rnd, 32) _DEV(xfs, 51) *************** *** 109,115 **** + _DEV(ipauth, 34) + _DEV(ipsync, 34) + _DEV(ipscan, 34) ! + _DEV(ippool, 34) _DEV(lkm, 19) _DEV(altq, 33) _DEV(rnd, 20) --- 109,115 ---- + _DEV(ipauth, 34) + _DEV(ipsync, 34) + _DEV(ipscan, 34) ! + _DEV(iplookup, 34) _DEV(lkm, 19) _DEV(altq, 33) _DEV(rnd, 20) *************** *** 128,134 **** + _DEV(ipauth, 78) + _DEV(ipsync, 78) + _DEV(ipscan, 78) ! + _DEV(ippool, 78) _DEV(bpf, 23) _DEV(speak, 27) _DEV(lkm, 28) --- 128,134 ---- + _DEV(ipauth, 78) + _DEV(ipsync, 78) + _DEV(ipscan, 78) ! + _DEV(iplookup, 78) _DEV(bpf, 23) _DEV(speak, 27) _DEV(lkm, 28) *************** *** 147,153 **** + _DEV(ipauth, 38) + _DEV(ipsync, 38) + _DEV(ipscan, 38) ! + _DEV(ippool, 38) _DEV(altq, 52) _DEV(lkm, 25) _DEV(rnd, 32) --- 147,153 ---- + _DEV(ipauth, 38) + _DEV(ipsync, 38) + _DEV(ipscan, 38) ! + _DEV(iplookup, 38) _DEV(altq, 52) _DEV(lkm, 25) _DEV(rnd, 32) *************** *** 166,172 **** + _DEV(ipauth, 45) + _DEV(ipsync, 45) + _DEV(ipscan, 45) ! + _DEV(ippool, 45) _DEV(cry, 47) _DEV(usbs) _DEV(pci, 71) --- 166,172 ---- + _DEV(ipauth, 45) + _DEV(ipsync, 45) + _DEV(ipscan, 45) ! + _DEV(iplookup, 45) _DEV(cry, 47) _DEV(usbs) _DEV(pci, 71) *************** *** 205,212 **** + mknod ipauth c 44 3 + mknod ipsync c 44 4 + mknod ipscan c 44 5 ! + mknod ippool c 44 6 ! + chown root.wheel ipl ipnat ipstate ipauth ipsync ipscan ippool + ;; tun*) --- 205,212 ---- + mknod ipauth c 44 3 + mknod ipsync c 44 4 + mknod ipscan c 44 5 ! + mknod iplookup c 44 6 ! 
+ chown root.wheel ipl ipnat ipstate ipauth ipsync ipscan iplookup + ;; tun*) *************** *** 246,253 **** + mknod ipauth c 41 3 + mknod ipsync c 41 4 + mknod ipscan c 41 5 ! + mknod ippool c 41 6 ! + chown root.wheel ipl ipnat ipstate ipauth ipsync ipscan ippool + ;; bpf*|tun*) --- 246,253 ---- + mknod ipauth c 41 3 + mknod ipsync c 41 4 + mknod ipscan c 41 5 ! + mknod iplookup c 41 6 ! + chown root.wheel ipl ipnat ipstate ipauth ipsync ipscan iplookup + ;; bpf*|tun*) *************** *** 267,273 **** + _DEV(ipauth, 44) + _DEV(ipsync, 44) + _DEV(ipscan, 44) ! + _DEV(ippool, 44) _DEV(usbs) # dnl --- 267,273 ---- + _DEV(ipauth, 44) + _DEV(ipsync, 44) + _DEV(ipscan, 44) ! + _DEV(iplookup, 44) _DEV(usbs) # dnl *************** *** 286,292 **** + _DEV(ipauth, 60) + _DEV(ipsync, 60) + _DEV(ipscan, 60) ! + _DEV(ippool, 60) _DEV(altq, 125) _DEV(lkm, 112) _DEV(tun, 111) --- 286,292 ---- + _DEV(ipauth, 60) + _DEV(ipsync, 60) + _DEV(ipscan, 60) ! + _DEV(iplookup, 60) _DEV(altq, 125) _DEV(lkm, 112) _DEV(tun, 111) *************** *** 305,311 **** + _DEV(ipauth, 82) + _DEV(ipsync, 82) + _DEV(ipscan, 82) ! + _DEV(ippool, 82) _DEV(altq, 74) _DEV(bpf, 105) _DEV(tun, 111) --- 305,311 ---- + _DEV(ipauth, 82) + _DEV(ipsync, 82) + _DEV(ipscan, 82) ! + _DEV(iplookup, 82) _DEV(altq, 74) _DEV(bpf, 105) _DEV(tun, 111) *************** *** 324,330 **** + _DEV(ipauth, 86) + _DEV(ipsync, 86) + _DEV(ipscan, 86) ! + _DEV(ippool, 86) _DEV(tun, 24) _DEV(rd, 52, 13) _DEV(rnd, 72) --- 324,330 ---- + _DEV(ipauth, 86) + _DEV(ipsync, 86) + _DEV(ipscan, 86) ! + _DEV(iplookup, 86) _DEV(tun, 24) _DEV(rd, 52, 13) _DEV(rnd, 72) *************** *** 343,349 **** + _DEV(ipauth, 47) + _DEV(ipsync, 47) + _DEV(ipscan, 47) ! + _DEV(ippool, 47) _DEV(altq, 75) _DEV(lkm, 28) _DEV(tun, 57) --- 343,349 ---- + _DEV(ipauth, 47) + _DEV(ipsync, 47) + _DEV(ipscan, 47) ! 
+ _DEV(iplookup, 47) _DEV(altq, 75) _DEV(lkm, 28) _DEV(tun, 57) diff -cr ip_fil4.1.3/OpenBSD-3/3.1-sys-diffs ip_fil4.1.4/OpenBSD-3/3.1-sys-diffs *** ip_fil4.1.3/OpenBSD-3/3.1-sys-diffs Sat Jun 15 02:55:47 2002 --- ip_fil4.1.4/OpenBSD-3/3.1-sys-diffs Sun Jan 9 01:29:30 2005 *************** *** 532,538 **** + + #ifdef IPFILTER + /* XXX More ipf & ipnat cleanup needed. */ ! + frsync(); + #endif /* Deallocate private resources. */ --- 532,538 ---- + + #ifdef IPFILTER + /* XXX More ipf & ipnat cleanup needed. */ ! + frsync(ifp); + #endif /* Deallocate private resources. */ diff -cr ip_fil4.1.3/OpenBSD-3/3.2-sys-diffs ip_fil4.1.4/OpenBSD-3/3.2-sys-diffs *** ip_fil4.1.3/OpenBSD-3/3.2-sys-diffs Sun Feb 8 04:28:16 2004 --- ip_fil4.1.4/OpenBSD-3/3.2-sys-diffs Sun Jan 9 01:29:30 2005 *************** *** 538,544 **** + + #ifdef IPFILTER + /* XXX More ipf & ipnat cleanup needed. */ ! + frsync(); + #endif /* --- 538,544 ---- + + #ifdef IPFILTER + /* XXX More ipf & ipnat cleanup needed. */ ! + frsync(ifp); + #endif /* diff -cr ip_fil4.1.3/OpenBSD-3/3.3-sys-diffs ip_fil4.1.4/OpenBSD-3/3.3-sys-diffs *** ip_fil4.1.3/OpenBSD-3/3.3-sys-diffs Sun Feb 8 04:28:18 2004 --- ip_fil4.1.4/OpenBSD-3/3.3-sys-diffs Sun Jan 9 01:29:31 2005 *************** *** 490,496 **** + + #ifdef IPFILTER + /* XXX More ipf & ipnat cleanup needed. */ ! + frsync(); + #endif /* --- 490,496 ---- + + #ifdef IPFILTER + /* XXX More ipf & ipnat cleanup needed. */ ! + frsync(ifp); + #endif /* diff -cr ip_fil4.1.3/OpenBSD-3/3.4-sys-diffs ip_fil4.1.4/OpenBSD-3/3.4-sys-diffs *** ip_fil4.1.3/OpenBSD-3/3.4-sys-diffs Sun Jul 11 20:44:51 2004 --- ip_fil4.1.4/OpenBSD-3/3.4-sys-diffs Sun Jan 9 01:29:31 2005 *************** *** 490,496 **** + + #ifdef IPFILTER + /* XXX More ipf & ipnat cleanup needed. */ ! + frsync(); + #endif /* --- 490,496 ---- + + #ifdef IPFILTER + /* XXX More ipf & ipnat cleanup needed. */ ! 
+ frsync(ifp); + #endif /* diff -cr ip_fil4.1.3/OpenBSD-3/3.5-MAKEDEV-diffs ip_fil4.1.4/OpenBSD-3/3.5-MAKEDEV-diffs *** ip_fil4.1.3/OpenBSD-3/3.5-MAKEDEV-diffs Sun Jul 11 20:49:48 2004 --- ip_fil4.1.4/OpenBSD-3/3.5-MAKEDEV-diffs Sun Oct 3 17:05:52 2004 *************** *** 19,25 **** - M ipauth c 44 3 600 - M ipsync c 44 4 600 - M ipscan c 44 5 600 ! - M ippool c 44 6 600 - ;; - pf*) --- 19,25 ---- - M ipauth c 44 3 600 - M ipsync c 44 4 600 - M ipscan c 44 5 600 ! - M iplookup c 44 6 600 - ;; - pf*) diff -cr ip_fil4.1.3/OpenBSD-3/3.5-sys-diffs ip_fil4.1.4/OpenBSD-3/3.5-sys-diffs *** ip_fil4.1.3/OpenBSD-3/3.5-sys-diffs Sun Jul 11 20:49:49 2004 --- ip_fil4.1.4/OpenBSD-3/3.5-sys-diffs Sun Jan 9 01:29:31 2005 *************** *** 371,377 **** + +#ifdef IPFILTER + /* XXX More ipf & ipnat cleanup needed. */ ! + frsync(); +#endif /* --- 371,377 ---- + +#ifdef IPFILTER + /* XXX More ipf & ipnat cleanup needed. */ ! + frsync(ifp); +#endif /* diff -cr ip_fil4.1.3/OpenBSD-3/README.3_0 ip_fil4.1.4/OpenBSD-3/README.3_0 *** ip_fil4.1.3/OpenBSD-3/README.3_0 Sun Jul 11 20:44:51 2004 --- ip_fil4.1.4/OpenBSD-3/README.3_0 Sun Jan 9 01:41:43 2005 *************** *** 29,41 **** 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.3.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.0-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.3 BSD/kupgrade 4. Build a new OpenBSD kernel --- 29,41 ---- 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.4.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.0-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.4 BSD/kupgrade 4. Build a new OpenBSD kernel *************** *** 49,55 **** 5. Build and install IPFilter ! cd ip_fil4.1.3 make openbsd make install-bsd OpenBSD-3/makedevs-3.0 --- 49,55 ---- 5. Build and install IPFilter ! 
cd ip_fil4.1.4 make openbsd make install-bsd OpenBSD-3/makedevs-3.0 *************** *** 57,63 **** 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.0-rc-diffs 7. Reboot --- 57,63 ---- 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.0-rc-diffs 7. Reboot diff -cr ip_fil4.1.3/OpenBSD-3/README.3_1 ip_fil4.1.4/OpenBSD-3/README.3_1 *** ip_fil4.1.3/OpenBSD-3/README.3_1 Sun Jul 11 20:44:52 2004 --- ip_fil4.1.4/OpenBSD-3/README.3_1 Sun Jan 9 01:41:44 2005 *************** *** 29,41 **** 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.3.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.1-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.3 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto --- 29,41 ---- 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.4.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.1-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.4 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto *************** *** 52,58 **** 5. Build and install IPFilter ! cd ip_fil4.1.3 make openbsd make install-bsd OpenBSD-3/makedevs-3.1 --- 52,58 ---- 5. Build and install IPFilter ! cd ip_fil4.1.4 make openbsd make install-bsd OpenBSD-3/makedevs-3.1 *************** *** 60,66 **** 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.1-rc-diffs 7. Reboot --- 60,66 ---- 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.1-rc-diffs 7. Reboot *************** *** 79,86 **** Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.1-rc-diffs ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.1-MAKEDEV-diffs ! cd ~/ip_fil4.1.3 ./OpenBSD-3/fixdist-3.0 --- 79,86 ---- Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.1-rc-diffs ! 
patch < ~/ip_fil4.1.4/OpenBSD-3/3.1-MAKEDEV-diffs ! cd ~/ip_fil4.1.4 ./OpenBSD-3/fixdist-3.0 diff -cr ip_fil4.1.3/OpenBSD-3/README.3_2 ip_fil4.1.4/OpenBSD-3/README.3_2 *** ip_fil4.1.3/OpenBSD-3/README.3_2 Sun Jul 11 20:44:52 2004 --- ip_fil4.1.4/OpenBSD-3/README.3_2 Sun Jan 9 01:41:44 2005 *************** *** 29,41 **** 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.3.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.2-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.3 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto --- 29,41 ---- 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.4.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.2-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.4 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto *************** *** 52,58 **** 5. Build and install IPFilter ! cd ip_fil4.1.3 make openbsd make install-bsd OpenBSD-3/makedevs-3.2 --- 52,58 ---- 5. Build and install IPFilter ! cd ip_fil4.1.4 make openbsd make install-bsd OpenBSD-3/makedevs-3.2 *************** *** 60,66 **** 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.2-rc-diffs 7. Reboot --- 60,66 ---- 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.2-rc-diffs 7. Reboot *************** *** 79,86 **** Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.2-rc-diffs ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.2-MAKEDEV-diffs ! cd ~/ip_fil4.1.3 ./OpenBSD-3/fixdist-3.2 --- 79,86 ---- Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.2-rc-diffs ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.2-MAKEDEV-diffs ! 
cd ~/ip_fil4.1.4 ./OpenBSD-3/fixdist-3.2 diff -cr ip_fil4.1.3/OpenBSD-3/README.3_3 ip_fil4.1.4/OpenBSD-3/README.3_3 *** ip_fil4.1.3/OpenBSD-3/README.3_3 Sun Jul 11 20:44:52 2004 --- ip_fil4.1.4/OpenBSD-3/README.3_3 Sun Jan 9 01:41:44 2005 *************** *** 29,41 **** 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.3.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.3-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.3 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto --- 29,41 ---- 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.4.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.3-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.4 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto *************** *** 52,58 **** 5. Build and install IPFilter ! cd ip_fil4.1.3 make openbsd make install-bsd OpenBSD-3/makedevs-3.2 --- 52,58 ---- 5. Build and install IPFilter ! cd ip_fil4.1.4 make openbsd make install-bsd OpenBSD-3/makedevs-3.2 *************** *** 60,66 **** 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.3-rc-diffs 7. Reboot --- 60,66 ---- 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.3-rc-diffs 7. Reboot *************** *** 79,86 **** Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.3-rc-diffs ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.3-MAKEDEV-diffs ! cd ~/ip_fil4.1.3 ./OpenBSD-3/fixdist-3.2 --- 79,86 ---- Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.3-rc-diffs ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.3-MAKEDEV-diffs ! 
cd ~/ip_fil4.1.4 ./OpenBSD-3/fixdist-3.2 diff -cr ip_fil4.1.3/OpenBSD-3/README.3_4 ip_fil4.1.4/OpenBSD-3/README.3_4 *** ip_fil4.1.3/OpenBSD-3/README.3_4 Sun Jul 11 20:44:53 2004 --- ip_fil4.1.4/OpenBSD-3/README.3_4 Sun Jan 9 01:41:44 2005 *************** *** 29,41 **** 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.3.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.4-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.3 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto --- 29,41 ---- 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.4.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.4-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.4 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto *************** *** 52,58 **** 5. Build and install IPFilter ! cd ip_fil4.1.3 make openbsd make install-bsd OpenBSD-3/makedevs-3.4 --- 52,58 ---- 5. Build and install IPFilter ! cd ip_fil4.1.4 make openbsd make install-bsd OpenBSD-3/makedevs-3.4 *************** *** 60,66 **** 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.4-rc-diffs 7. Reboot --- 60,66 ---- 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.4-rc-diffs 7. Reboot *************** *** 79,86 **** Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.4-rc-diffs ! patch < ~/ip_fil4.1.3/OpenBSD-3/3.4-MAKEDEV-diffs ! cd ~/ip_fil4.1.3 ./OpenBSD-3/fixdist-3.4 --- 79,86 ---- Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.4-rc-diffs ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.4-MAKEDEV-diffs ! 
cd ~/ip_fil4.1.4 ./OpenBSD-3/fixdist-3.4 diff -cr ip_fil4.1.3/OpenBSD-3/README.3_5 ip_fil4.1.4/OpenBSD-3/README.3_5 *** ip_fil4.1.3/OpenBSD-3/README.3_5 Sun Jul 11 20:49:49 2004 --- ip_fil4.1.4/OpenBSD-3/README.3_5 Sun Jan 9 01:41:45 2005 *************** *** 29,41 **** 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4next.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4next/OpenBSD-3/3.5-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4next BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto --- 29,41 ---- 2. Unpack IPFilter and apply the patches to the kernel source cd ~ ! gunzip -c ip_fil4.1.4.tar.gz | tar xpf - cd /usr/src ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.5-sys-diffs 3. Add IPFilter to the source code tree: ! cd ~/ip_fil4.1.4 BSD/kupgrade If you want to build a new release with IPFilter, stop here and goto *************** *** 52,58 **** 5. Build and install IPFilter ! cd ip_fil4next make openbsd make install-bsd OpenBSD-3/makedevs-3.5 --- 52,58 ---- 5. Build and install IPFilter ! cd ip_fil4.1.4 make openbsd make install-bsd OpenBSD-3/makedevs-3.5 *************** *** 60,66 **** 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4next/OpenBSD-3/3.5-rc-diffs 7. Reboot --- 60,66 ---- 6. Patch rc scripts in /etc cd /etc ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.5-rc-diffs 7. Reboot *************** *** 79,86 **** Building a Release ================== cd /usr/src ! patch < ~/ip_fil4next/OpenBSD-3/3.5-rc-diffs ! patch < ~/ip_fil4next/OpenBSD-3/3.5-MAKEDEV-diffs ! cd ~/ip_fil4next ./OpenBSD-3/fixdist-3.5 --- 79,86 ---- Building a Release ================== cd /usr/src ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.5-rc-diffs ! patch < ~/ip_fil4.1.4/OpenBSD-3/3.5-MAKEDEV-diffs ! 
cd ~/ip_fil4.1.4 ./OpenBSD-3/fixdist-3.5 diff -cr ip_fil4.1.3/SunOS5/pkginfo ip_fil4.1.4/SunOS5/pkginfo *** ip_fil4.1.3/SunOS5/pkginfo Sun Jul 18 14:13:45 2004 --- ip_fil4.1.4/SunOS5/pkginfo Sun Jan 9 01:41:45 2005 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=4.1.3 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=4.1.4 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil4.1.3/iplang/iplang_y.y ip_fil4.1.4/iplang/iplang_y.y *** ip_fil4.1.3/iplang/iplang_y.y Tue Mar 23 23:58:38 2004 --- ip_fil4.1.4/iplang/iplang_y.y Fri Dec 10 06:41:10 2004 *************** *** 4,10 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: iplang_y.y,v 2.9.2.1 2004/03/23 12:58:38 darrenr Exp $ */ #include --- 4,10 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: iplang_y.y,v 2.9.2.2 2004/12/09 19:41:10 darrenr Exp $ */ #include *************** *** 765,771 **** while ((c = *s++)) { if (todo) { ! if (isdigit(c)) { todo--; if (c > '7') { fprintf(stderr, "octal with %c!\n", c); --- 765,771 ---- while ((c = *s++)) { if (todo) { ! if (ISDIGIT(c)) { todo--; if (c > '7') { fprintf(stderr, "octal with %c!\n", c); *************** *** 774,780 **** val <<= 3; val |= (c - '0'); } ! if (!isdigit(c) || !todo) { *t++ = (u_char)(val & 0xff); todo = 0; } --- 774,780 ---- val <<= 3; val |= (c - '0'); } ! if (!ISDIGIT(c) || !todo) { *t++ = (u_char)(val & 0xff); todo = 0; } *************** *** 782,788 **** continue; } if (quote) { ! if (isdigit(c)) { todo = 2; if (c > '7') { fprintf(stderr, "octal with %c!\n", c); --- 782,788 ---- continue; } if (quote) { ! 
if (ISDIGIT(c)) { todo = 2; if (c > '7') { fprintf(stderr, "octal with %c!\n", c); *************** *** 1318,1324 **** sprintf((char *)t, " "); t += 8; for (k = 16; k; k--, s++) ! *t++ = (isprint(*s) ? *s : '.'); s--; } --- 1318,1324 ---- sprintf((char *)t, " "); t += 8; for (k = 16; k; k--, s++) ! *t++ = (ISPRINT(*s) ? *s : '.'); s--; } *************** *** 1336,1342 **** t += 7; s -= j & 0xf; for (k = j & 0xf; k; k--, s++) ! *t++ = (isprint(*s) ? *s : '.'); *t++ = '\n'; *t = '\0'; } --- 1336,1342 ---- t += 7; s -= j & 0xf; for (k = j & 0xf; k; k--, s++) ! *t++ = (ISPRINT(*s) ? *s : '.'); *t++ = '\n'; *t = '\0'; } Common subdirectories: ip_fil4.1.3/ipsd/Celler and ip_fil4.1.4/ipsd/Celler diff -cr ip_fil4.1.3/ipsd/sdlpi.c ip_fil4.1.4/ipsd/sdlpi.c *** ip_fil4.1.3/ipsd/sdlpi.c Sun Jun 10 03:09:25 2001 --- ip_fil4.1.4/ipsd/sdlpi.c Fri Dec 10 06:41:12 2004 *************** *** 158,164 **** (void) sprintf(devname, "/dev/%s", device); s = devname + 5; ! while (*s && !isdigit(*s)) s++; if (!*s) { --- 158,164 ---- (void) sprintf(devname, "/dev/%s", device); s = devname + 5; ! while (*s && !ISDIGIT(*s)) s++; if (!*s) { Common subdirectories: ip_fil4.1.3/ipsend/.OLD and ip_fil4.1.4/ipsend/.OLD diff -cr ip_fil4.1.3/ipsend/44arp.c ip_fil4.1.4/ipsend/44arp.c *** ip_fil4.1.3/ipsend/44arp.c Tue Mar 23 23:58:05 2004 --- ip_fil4.1.4/ipsend/44arp.c Mon Oct 18 01:19:21 2004 *************** *** 76,81 **** --- 76,84 ---- return 0; #endif + if (!addr) + return -1; + mib[0] = CTL_NET; mib[1] = PF_ROUTE; mib[2] = 0; *************** *** 103,110 **** rtm = (struct rt_msghdr *)next; sin = (struct sockaddr_inarp *)(rtm + 1); sdl = (struct sockaddr_dl *)(sin + 1); ! if (addr && !bcmp(addr, (char *)&sin->sin_addr, ! sizeof(struct in_addr))) { bcopy(LLADDR(sdl), eaddr, sdl->sdl_alen); return 0; --- 106,113 ---- rtm = (struct rt_msghdr *)next; sin = (struct sockaddr_inarp *)(rtm + 1); sdl = (struct sockaddr_dl *)(sin + 1); ! if (!bcmp(addr, (char *)&sin->sin_addr, ! 
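Review bot: The context line `(void) sprintf(devname, "/dev/%s", device);` at the top of the ipsd/sdlpi.c hunk still writes an unbounded copy of `device` into `devname`, and the ISDIGIT change does not touch it. `device` appears to come from outside this function and the size of `devname` is not visible here, so a long name overruns the buffer; the sibling ipsend/sdlpi.c hunk in this same diff already does the equivalent with a bounded strncat. Assuming `devname` is a local array as in ipsend/sdlpi.c, `(void) snprintf(devname, sizeof(devname), "/dev/%s", device);` keeps the following `s = devname + 5` scan valid because snprintf NUL-terminates on truncation. The enclosing function begins and ends outside the hunk.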
sizeof(struct in_addr))) { bcopy(LLADDR(sdl), eaddr, sdl->sdl_alen); return 0; diff -cr ip_fil4.1.3/ipsend/ip.c ip_fil4.1.4/ipsend/ip.c *** ip_fil4.1.3/ipsend/ip.c Fri Jan 9 00:34:31 2004 --- ip_fil4.1.4/ipsend/ip.c Tue Oct 19 22:31:48 2004 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; ! static const char rcsid[] = "@(#)$Id: ip.c,v 2.8 2004/01/08 13:34:31 darrenr Exp $"; #endif #include #include --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; ! static const char rcsid[] = "@(#)$Id: ip.c,v 2.8.2.1 2004/10/19 12:31:48 darrenr Exp $"; #endif #include #include *************** *** 66,72 **** --- 66,74 ---- bcopy((char *)buf, s + sizeof(*eh), len); if (gwip.s_addr == last_gw.s_addr) + { bcopy(last_arp, (char *)A_A eh->ether_dhost, 6); + } else if (arp((char *)&gwip, (char *)A_A eh->ether_dhost) == -1) { perror("arp"); *************** *** 109,115 **** --- 111,119 ---- bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost)); if (last_gw.s_addr && (gwip.s_addr == last_gw.s_addr)) + { bcopy(last_arp, (char *)A_A eh->ether_dhost, 6); + } else if (arp((char *)&gwip, (char *)A_A eh->ether_dhost) == -1) { perror("arp"); *************** *** 132,142 **** } if (ip->ip_src.s_addr != local_ip.s_addr) { ! if (arp((char *)&ip->ip_src, (char *)A_A local_arp) == -1) ! { ! perror("arp"); ! return -2; ! } bcopy(local_arp, (char *)A_A eh->ether_shost,sizeof(last_arp)); local_ip = ip->ip_src; } else --- 136,142 ---- } if (ip->ip_src.s_addr != local_ip.s_addr) { ! 
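Review bot: `bcopy(LLADDR(sdl), eaddr, sdl->sdl_alen);` in the 44arp.c match branch copies as many link-layer address bytes as the routing socket reports, and nothing in the hunk compares that length with the destination; the ip.c hunks in this diff pass `eh->ether_dhost`, a 6-byte field, as `eaddr`. A routing entry for a non-Ethernet link would therefore overrun it, and the new `if (!addr) return -1;` at the top of the function does not cover that case. A guard before the copy, `if (sdl->sdl_alen != 6) continue;` (assuming the walk over `next` is a loop, as the cursor suggests), or a bound of `sizeof(struct ether_addr)` passed in by the caller, closes it. The enclosing function starts before this hunk.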
(void) arp((char *)&ip->ip_src, (char *)A_A local_arp); bcopy(local_arp, (char *)A_A eh->ether_shost,sizeof(last_arp)); local_ip = ip->ip_src; } else diff -cr ip_fil4.1.3/ipsend/ipsend.c ip_fil4.1.4/ipsend/ipsend.c *** ip_fil4.1.3/ipsend/ipsend.c Tue Mar 23 23:58:05 2004 --- ip_fil4.1.4/ipsend/ipsend.c Sun Nov 14 03:50:10 2004 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.1 2004/03/23 12:58:05 darrenr Exp $"; #endif #include #include --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.8.2.2 2004/11/13 16:50:10 darrenr Exp $"; #endif #include #include *************** *** 171,177 **** u_short w[6]; } ph; u_32_t temp32; ! u_short cksum, *opts; ph.h.len = htons(len); ph.h.ttl = 0; --- 171,177 ---- u_short w[6]; } ph; u_32_t temp32; ! u_short *opts; ph.h.len = htons(len); ph.h.ttl = 0; diff -cr ip_fil4.1.3/ipsend/sdlpi.c ip_fil4.1.4/ipsend/sdlpi.c *** ip_fil4.1.3/ipsend/sdlpi.c Tue Jan 6 01:17:07 2004 --- ip_fil4.1.4/ipsend/sdlpi.c Fri Dec 10 06:41:13 2004 *************** *** 46,52 **** #if !defined(lint) static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.8 2004/01/05 14:17:07 darrenr Exp $"; #endif #define CHUNKSIZE 8192 --- 46,52 ---- #if !defined(lint) static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.8.2.1 2004/12/09 19:41:13 darrenr Exp $"; #endif #define CHUNKSIZE 8192 *************** *** 68,74 **** (void) strncat(devname, device, sizeof(devname) - strlen(devname)); s = devname + 5; ! while (*s && !isdigit(*s)) s++; if (!*s) { --- 68,74 ---- (void) strncat(devname, device, sizeof(devname) - strlen(devname)); s = devname + 5; ! 
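Review bot: The new `(void) arp((char *)&ip->ip_src, (char *)A_A local_arp);` in ip.c discards the -1 that the replaced code reported, and the next line copies `local_arp` into `eh->ether_shost` regardless, so a failed lookup silently sends the frame with whatever `local_arp` held before — stale, or never set if this is the first packet, since its initialisation is not visible here. `local_ip = ip->ip_src;` is also updated on failure, which caches the miss so the lookup is never retried for that source. If ignoring the failure is deliberate (e.g. test sources with no ARP entry), a comment on the call should say so, and the cache update should stay conditional: `if (arp((char *)&ip->ip_src, (char *)A_A local_arp) == 0) local_ip = ip->ip_src;`. Note also that the copy is sized with `sizeof(last_arp)` while the source is `local_arp`; the two presumably match, but using the buffer's own sizeof avoids the question. The enclosing function continues past the hunk.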
while (*s && !ISDIGIT(*s)) s++; if (!*s) { diff -cr ip_fil4.1.3/l4check/l4check.c ip_fil4.1.4/l4check/l4check.c *** ip_fil4.1.3/l4check/l4check.c Mon Dec 1 13:49:48 2003 --- ip_fil4.1.4/l4check/l4check.c Fri Dec 10 06:41:15 2004 *************** *** 416,425 **** *port++ = '\0'; #ifdef HAVE_INET_ATON ! if (isdigit(*host) && inet_aton(host, &ip)) *ipp = ip.s_addr; #else ! if (isdigit(*host)) *ipp = inet_addr(host); #endif else { --- 416,425 ---- *port++ = '\0'; #ifdef HAVE_INET_ATON ! if (ISDIGIT(*host) && inet_aton(host, &ip)) *ipp = ip.s_addr; #else ! if (ISDIGIT(*host)) *ipp = inet_addr(host); #endif else { *************** *** 432,438 **** } if (port) { ! if (isdigit(*port)) *portp = htons(atoi(port)); else { sp = getservbyname(port, "tcp"); --- 432,438 ---- } if (port) { ! if (ISDIGIT(*port)) *portp = htons(atoi(port)); else { sp = getservbyname(port, "tcp"); *************** *** 525,531 **** /* * Skip leading whitespace */ ! for (line = buf; (c = *line) && isspace(c); line++) ; if (!*line) continue; --- 525,531 ---- /* * Skip leading whitespace */ ! for (line = buf; (c = *line) && ISSPACE(c); line++) ; if (!*line) continue; diff -cr ip_fil4.1.3/lib/addicmp.c ip_fil4.1.4/lib/addicmp.c *** ip_fil4.1.3/lib/addicmp.c Mon Dec 1 13:03:50 2003 --- ip_fil4.1.4/lib/addicmp.c Fri Dec 10 06:41:16 2004 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: addicmp.c,v 1.10 2003/12/01 02:03:50 darrenr Exp $ */ #include --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: addicmp.c,v 1.10.2.1 2004/12/09 19:41:16 darrenr Exp $ */ #include *************** *** 34,40 **** return -1; if (!fp->fr_proto) /* to catch lusers */ fp->fr_proto = IPPROTO_ICMP; ! if (isdigit(***cp)) { if (!ratoi(**cp, &i, 0, 255)) { fprintf(stderr, "%d: Invalid icmp-type (%s) specified\n", --- 34,40 ---- return -1; if (!fp->fr_proto) /* to catch lusers */ fp->fr_proto = IPPROTO_ICMP; ! 
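Review bot: `*portp = htons(atoi(port));` in the l4check.c port hunk accepts any digit-leading string, so `70000` or `1x` quietly becomes a truncated or partial port with no error; the ISDIGIT change only fixes the ctype cast. The same unchecked atoi survives in the getportproto.c hunk (`return htons(atoi(name) & 65535);`) and in ipft_tx.c's tx_portnum (`return (u_short)atoi(name);`), while the portnum.c hunk in this diff already validates with `ratoi(name, &i, 0, USHRT_MAX)`. Using ratoi with the 0..65535 bound in those three places, or strtol with an end-pointer and range check where the ipf helper library may not be linked, turns bad configuration input into a reported error instead of a silently wrong port.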
if (ISDIGIT(***cp)) { if (!ratoi(**cp, &i, 0, 255)) { fprintf(stderr, "%d: Invalid icmp-type (%s) specified\n", *************** *** 68,74 **** if (**cp && strcasecmp("code", **cp)) return 0; (*cp)++; ! if (isdigit(***cp)) { if (!ratoi(**cp, &i, 0, 255)) { fprintf(stderr, "%d: Invalid icmp code (%s) specified\n", --- 68,74 ---- if (**cp && strcasecmp("code", **cp)) return 0; (*cp)++; ! if (ISDIGIT(***cp)) { if (!ratoi(**cp, &i, 0, 255)) { fprintf(stderr, "%d: Invalid icmp code (%s) specified\n", diff -cr ip_fil4.1.3/lib/gethost.c ip_fil4.1.4/lib/gethost.c *** ip_fil4.1.3/lib/gethost.c Tue Aug 19 08:52:05 2003 --- ip_fil4.1.4/lib/gethost.c Sun Oct 3 17:05:15 2004 *************** *** 13,18 **** --- 13,21 ---- return 0; } + if (!strcmp(name, "")) + name = thishost; + h = gethostbyname(name); if (h != NULL) { if ((h->h_addr != NULL) && (h->h_length == sizeof(addr))) { diff -cr ip_fil4.1.3/lib/getportproto.c ip_fil4.1.4/lib/getportproto.c *** ip_fil4.1.3/lib/getportproto.c Tue Apr 20 21:52:40 2004 --- ip_fil4.1.4/lib/getportproto.c Fri Dec 10 06:41:17 2004 *************** *** 8,14 **** struct servent *s; struct protoent *p; ! if (isdigit(*name) && atoi(name) > 0) return htons(atoi(name) & 65535); p = getprotobynumber(proto); --- 8,14 ---- struct servent *s; struct protoent *p; ! if (ISDIGIT(*name) && atoi(name) > 0) return htons(atoi(name) & 65535); p = getprotobynumber(proto); diff -cr ip_fil4.1.3/lib/getproto.c ip_fil4.1.4/lib/getproto.c *** ip_fil4.1.3/lib/getproto.c Sat Jul 12 18:22:16 2003 --- ip_fil4.1.4/lib/getproto.c Fri Dec 10 06:41:18 2004 *************** *** 7,13 **** char *s; for (s = name; *s != '\0'; s++) ! if (!isdigit(*s)) break; if (*s == '\0') return atoi(name); --- 7,13 ---- char *s; for (s = name; *s != '\0'; s++) ! 
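Review bot: `if (!strcmp(name, "")) name = thishost;` in the gethost.c hunk is a roundabout spelling of `if (*name == '\0') name = thishost;`, and it adds a dependency on the global `thishost` whose initialisation is not visible here — if it can still be NULL when this runs, the following `gethostbyname(name)` receives a NULL argument. A comment on the line, such as `/* an empty name means the local host; thishost must be set before any lookup */`, would record both the intent and the precondition. The function begins outside the hunk.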
if (!ISDIGIT(*s)) break; if (*s == '\0') return atoi(name); diff -cr ip_fil4.1.3/lib/hexdump.c ip_fil4.1.4/lib/hexdump.c *** ip_fil4.1.3/lib/hexdump.c Thu Jan 22 06:32:50 2004 --- ip_fil4.1.4/lib/hexdump.c Fri Dec 10 06:41:19 2004 *************** *** 18,24 **** if (ascii != 0) { fputc('\t', fpout); for (t = s - 15; t<= s; t++) ! fputc(isprint(*t) ? *t : '.', fpout); } fputc('\n', fpout); } else if (i % 4 == 3) { --- 18,24 ---- if (ascii != 0) { fputc('\t', fpout); for (t = s - 15; t<= s; t++) ! fputc(ISPRINT(*t) ? *t : '.', fpout); } fputc('\n', fpout); } else if (i % 4 == 3) { diff -cr ip_fil4.1.3/lib/hostnum.c ip_fil4.1.4/lib/hostnum.c *** ip_fil4.1.3/lib/hostnum.c Fri Aug 15 00:26:54 2003 --- ip_fil4.1.4/lib/hostnum.c Fri Dec 10 06:41:20 2004 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: hostnum.c,v 1.10 2003/08/14 14:26:54 darrenr Exp $ */ #include --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: hostnum.c,v 1.10.2.1 2004/12/09 19:41:20 darrenr Exp $ */ #include *************** *** 35,41 **** return -1; } #endif ! if (isdigit(*host) && inet_aton(host, &ip)) { *ipa = ip.s_addr; return 0; } --- 35,41 ---- return -1; } #endif ! if (ISDIGIT(*host) && inet_aton(host, &ip)) { *ipa = ip.s_addr; return 0; } diff -cr ip_fil4.1.3/lib/icmpcode.c ip_fil4.1.4/lib/icmpcode.c *** ip_fil4.1.3/lib/icmpcode.c Mon Dec 1 12:59:07 2003 --- ip_fil4.1.4/lib/icmpcode.c Fri Dec 10 06:41:20 2004 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: icmpcode.c,v 1.7 2003/12/01 01:59:07 darrenr Exp $ */ #include --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: icmpcode.c,v 1.7.2.1 2004/12/09 19:41:20 darrenr Exp $ */ #include *************** *** 32,38 **** if ((s = strrchr(str, ')'))) *s = '\0'; ! if (isdigit(*str)) { if (!ratoi(str, &i, 0, 255)) return -1; else --- 32,38 ---- if ((s = strrchr(str, ')'))) *s = '\0'; ! 
if (ISDIGIT(*str)) { if (!ratoi(str, &i, 0, 255)) return -1; else diff -cr ip_fil4.1.3/lib/inet_addr.c ip_fil4.1.4/lib/inet_addr.c *** ip_fil4.1.3/lib/inet_addr.c Sat Apr 17 09:33:51 2004 --- ip_fil4.1.4/lib/inet_addr.c Fri Dec 10 06:41:20 2004 *************** *** 55,61 **** #if !defined(lint) static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93"; ! static const char rcsid[] = "@(#)$Id: inet_addr.c,v 1.8.2.2 2004/04/16 23:33:51 darrenr Exp $"; #endif /* LIBC_SCCS and not lint */ #include --- 55,61 ---- #if !defined(lint) static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93"; ! static const char rcsid[] = "@(#)$Id: inet_addr.c,v 1.8.2.3 2004/12/09 19:41:20 darrenr Exp $"; #endif /* LIBC_SCCS and not lint */ #include *************** *** 74,79 **** --- 74,93 ---- int inet_aton __P((const char *, struct in_addr *)); /* + * Because the ctype(3) posix definition, if used "safely" in code everywhere, + * would mean all normal code that walks through strings needed casts. Yuck. + */ + #define ISALNUM(x) isalnum((u_char)(x)) + #define ISALPHA(x) isalpha((u_char)(x)) + #define ISASCII(x) isascii((u_char)(x)) + #define ISDIGIT(x) isdigit((u_char)(x)) + #define ISPRINT(x) isprint((u_char)(x)) + #define ISSPACE(x) isspace((u_char)(x)) + #define ISUPPER(x) isupper((u_char)(x)) + #define ISXDIGIT(x) isxdigit((u_char)(x)) + #define ISLOWER(x) islower((u_char)(x)) + + /* * Check whether "cp" is a valid ascii representation * of an Internet address and convert to a binary address. * Returns 1 if the address is valid, 0 if not. *************** *** 98,104 **** * Values are specified as for C: * 0x=hex, 0=octal, isdigit=decimal. */ ! if (!isdigit(c)) return (0); val = 0; base = 10; if (c == '0') { --- 112,118 ---- * Values are specified as for C: * 0x=hex, 0=octal, isdigit=decimal. */ ! if (!ISDIGIT(c)) return (0); val = 0; base = 10; if (c == '0') { *************** *** 109,120 **** base = 8; } for (;;) { ! 
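Review bot: The ISxxx macro block added to inet_addr.c re-declares the same u_char-casting wrappers that every other hunk in this diff now uses, presumably from a shared header such as ipf.h; a private copy means the two sets can drift, and if both ever land in one translation unit the compiler will warn about redefinition. If inet_addr.c must stay free of the ipf headers because it is a BSD-derived libc file, a one-line comment above the block, e.g. `/* duplicated from the ipf header so this file stays standalone */`, tells the next maintainer the duplication is intentional. The casts themselves are the right fix, since passing a negative plain char to the ctype functions is undefined behaviour.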
if (isascii(c) && isdigit(c)) { val = (val * base) + (c - '0'); c = *++cp; ! } else if (base == 16 && isascii(c) && isxdigit(c)) { val = (val << 4) | ! (c + 10 - (islower(c) ? 'a' : 'A')); c = *++cp; } else break; --- 123,134 ---- base = 8; } for (;;) { ! if (ISASCII(c) && ISDIGIT(c)) { val = (val * base) + (c - '0'); c = *++cp; ! } else if (base == 16 && ISASCII(c) && ISXDIGIT(c)) { val = (val << 4) | ! (c + 10 - (ISLOWER(c) ? 'a' : 'A')); c = *++cp; } else break; *************** *** 136,142 **** /* * Check for trailing characters. */ ! if (c != '\0' && (!isascii(c) || !isspace(c))) return (0); /* * Concoct the address according to --- 150,156 ---- /* * Check for trailing characters. */ ! if (c != '\0' && (!ISASCII(c) || !ISSPACE(c))) return (0); /* * Concoct the address according to diff -cr ip_fil4.1.3/lib/ipft_hx.c ip_fil4.1.4/lib/ipft_hx.c *** ip_fil4.1.3/lib/ipft_hx.c Sun Feb 16 13:32:35 2003 --- ip_fil4.1.4/lib/ipft_hx.c Fri Dec 10 06:41:20 2004 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.11 2003/02/16 02:32:35 darrenr Exp $"; #endif #include --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 1.11.4.1 2004/12/09 19:41:20 darrenr Exp $"; #endif #include *************** *** 111,117 **** if (t < (char *)ip) putchar('\t'); while (t < (char *)ip) { ! if (isprint(*t) && isascii(*t)) putchar(*t); else putchar('.'); --- 111,117 ---- if (t < (char *)ip) putchar('\t'); while (t < (char *)ip) { ! if (ISPRINT(*t) && ISASCII(*t)) putchar(*t); else putchar('.'); *************** *** 133,139 **** char c; while ((c = *src++)) { ! if (isspace(c)) { if (state) { dst++; state = 0; --- 133,139 ---- char c; while ((c = *src++)) { ! 
if (ISSPACE(c)) { if (state) { dst++; state = 0; *************** *** 141,147 **** continue; } else if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')) { ! c = isdigit(c) ? (c - '0') : (toupper(c) - 55); if (state == 0) { *dst = (c << 4); state++; --- 141,147 ---- continue; } else if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')) { ! c = ISDIGIT(c) ? (c - '0') : (TOUPPER(c) - 55); if (state == 0) { *dst = (c << 4); state++; diff -cr ip_fil4.1.3/lib/ipft_tx.c ip_fil4.1.4/lib/ipft_tx.c *** ip_fil4.1.3/lib/ipft_tx.c Fri Jan 9 00:34:32 2004 --- ip_fil4.1.4/lib/ipft_tx.c Fri Dec 10 06:41:21 2004 *************** *** 3,13 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ipft_tx.c,v 1.15 2004/01/08 13:34:32 darrenr Exp $ */ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15 2004/01/08 13:34:32 darrenr Exp $"; #endif #include --- 3,13 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ipft_tx.c,v 1.15.2.2 2004/12/09 19:41:21 darrenr Exp $ */ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 1.15.2.2 2004/12/09 19:41:21 darrenr Exp $"; #endif #include *************** *** 54,60 **** *resolved = 0; if (!strcasecmp("any", host)) return 0L; ! if (isdigit(*host)) return inet_addr(host); if (gethost(host, &ipa) == -1) { --- 54,60 ---- *resolved = 0; if (!strcasecmp("any", host)) return 0L; ! if (ISDIGIT(*host)) return inet_addr(host); if (gethost(host, &ipa) == -1) { *************** *** 76,82 **** struct servent *sp, *sp2; u_short p1 = 0; ! if (isdigit(*name)) return (u_short)atoi(name); if (!tx_proto) tx_proto = "tcp/udp"; --- 76,82 ---- struct servent *sp, *sp2; u_short p1 = 0; ! 
if (ISDIGIT(*name)) return (u_short)atoi(name); if (!tx_proto) tx_proto = "tcp/udp"; *************** *** 200,210 **** return 1; c = **cpp; ! if (!isalpha(c) || (tolower(c) != 'o' && tolower(c) != 'i')) { fprintf(stderr, "bad direction \"%s\"\n", *cpp); return 1; } ! *out = (tolower(c) == 'o') ? 1 : 0; cpp++; if (!*cpp) return 1; --- 200,210 ---- return 1; c = **cpp; ! if (!ISALPHA(c) || (TOLOWER(c) != 'o' && TOLOWER(c) != 'i')) { fprintf(stderr, "bad direction \"%s\"\n", *cpp); return 1; } ! *out = (TOLOWER(c) == 'o') ? 1 : 0; cpp++; if (!*cpp) return 1; *************** *** 236,242 **** tx_proto = "icmp"; } cpp++; ! } else if (isdigit(**cpp) && !index(*cpp, '.')) { ip->ip_p = atoi(*cpp); cpp++; } else --- 236,242 ---- tx_proto = "icmp"; } cpp++; ! } else if (ISDIGIT(**cpp) && !index(*cpp, '.')) { ip->ip_p = atoi(*cpp); cpp++; } else *************** *** 254,259 **** --- 254,263 ---- } *last++ = '\0'; tcp->th_sport = htons(tx_portnum(last)); + if (ip->ip_p == IPPROTO_TCP) { + tcp->th_win = htons(4096); + TCP_OFF_A(tcp, sizeof(*tcp) >> 2); + } } ip->ip_src.s_addr = tx_hostnum(*cpp, &r); cpp++; *************** *** 278,283 **** --- 282,288 ---- extern u_char _tcp_flags[]; char *s, *t; + tcp->th_flags = 0; for (s = *cpp; *s; s++) if ((t = strchr(_tcp_flagset, *s))) tcp->th_flags |= _tcp_flags[t - _tcp_flagset]; *************** *** 285,292 **** cpp++; if (tcp->th_flags == 0) abort(); ! tcp->th_win = htons(4096); ! TCP_OFF_A(tcp, sizeof(*tcp) >> 2); } else if (*cpp && ip->ip_p == IPPROTO_ICMP) { extern char *tx_icmptypes[]; char **s, *t; --- 290,297 ---- cpp++; if (tcp->th_flags == 0) abort(); ! if (tcp->th_flags & TH_URG) ! 
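Review bot: The `th_win`/`TCP_OFF_A` initialisation added in the ipft_tx.c 254–263 hunk sits inside the block that runs only after a port separator was found (`*last++ = '\0'` immediately above it), whereas the 285–297 hunk removes the same two lines from the flags branch, where they applied to every TCP line that carried flags. If nothing outside these hunks sets the data offset, a TCP test line written without a source port now leaves `th_off` at zero, which downstream header checks are likely to reject as malformed. Either hoist the two lines to the point where `ip->ip_p` is set to IPPROTO_TCP, or add a comment at the new location stating that a port is mandatory for TCP lines. The `tcp->th_flags = 0;` reset in the 278–288 hunk is a good fix for the stale-flags case and is unaffected.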
tcp->th_urp = htons(1); } else if (*cpp && ip->ip_p == IPPROTO_ICMP) { extern char *tx_icmptypes[]; char **s, *t; diff -cr ip_fil4.1.3/lib/natparse.c ip_fil4.1.4/lib/natparse.c *** ip_fil4.1.3/lib/natparse.c Mon Dec 1 13:03:32 2003 --- ip_fil4.1.4/lib/natparse.c Fri Dec 10 06:41:21 2004 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: natparse.c,v 1.8 2003/12/01 02:03:32 darrenr Exp $"; #endif #include --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: natparse.c,v 1.8.2.1 2004/12/09 19:41:21 darrenr Exp $"; #endif #include *************** *** 55,61 **** *s = '\0'; if ((s = strchr(line, '#'))) *s = '\0'; ! while (*line && isspace(*line)) line++; if (!*line) return NULL; --- 55,61 ---- *s = '\0'; if ((s = strchr(line, '#'))) *s = '\0'; ! while (*line && ISSPACE(*line)) line++; if (!*line) return NULL; *************** *** 223,229 **** return NULL; } ! if (isdigit(**cpp) && (s = strchr(*cpp, '-'))) *s++ = '\0'; else s = NULL; --- 223,229 ---- return NULL; } ! if (ISDIGIT(**cpp) && (s = strchr(*cpp, '-'))) *s++ = '\0'; else s = NULL; diff -cr ip_fil4.1.3/lib/parse.c ip_fil4.1.4/lib/parse.c *** ip_fil4.1.3/lib/parse.c Mon Dec 1 12:58:12 2003 --- ip_fil4.1.4/lib/parse.c Fri Dec 10 06:41:21 2004 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: parse.c,v 1.34 2003/12/01 01:58:12 darrenr Exp $ */ #include #include "ipf.h" --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: parse.c,v 1.34.2.1 2004/12/09 19:41:21 darrenr Exp $ */ #include #include "ipf.h" *************** *** 31,37 **** return NULL; } ! while (*line && isspace(*line)) line++; if (!*line) return NULL; --- 31,37 ---- return NULL; } ! 
while (*line && ISSPACE(*line)) line++; if (!*line) return NULL; diff -cr ip_fil4.1.3/lib/portnum.c ip_fil4.1.4/lib/portnum.c *** ip_fil4.1.3/lib/portnum.c Sun Jun 10 03:09:24 2001 --- ip_fil4.1.4/lib/portnum.c Fri Dec 10 06:41:22 2004 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * ! * $Id: portnum.c,v 1.6 2001/06/09 17:09:24 darrenr Exp $ */ #include --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * ! * $Id: portnum.c,v 1.6.4.1 2004/12/09 19:41:22 darrenr Exp $ */ #include *************** *** 25,31 **** u_short p1 = 0; int i; ! if (isdigit(*name)) { if (ratoi(name, &i, 0, USHRT_MAX)) { *port = (u_short)i; return 1; --- 25,31 ---- u_short p1 = 0; int i; ! if (ISDIGIT(*name)) { if (ratoi(name, &i, 0, USHRT_MAX)) { *port = (u_short)i; return 1; diff -cr ip_fil4.1.3/lib/ports.c ip_fil4.1.4/lib/ports.c *** ip_fil4.1.3/lib/ports.c Mon Jan 28 17:50:47 2002 --- ip_fil4.1.4/lib/ports.c Fri Dec 10 06:41:22 2004 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ports.c,v 1.9 2002/01/28 06:50:47 darrenr Exp $ */ #include --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ports.c,v 1.9.4.1 2004/12/09 19:41:22 darrenr Exp $ */ #include *************** *** 28,34 **** return 0; if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) { (*seg)++; ! if (isalnum(***seg) && *(*seg + 2)) { if (portnum(**seg, proto, pp, linenum) == 0) return -1; (*seg)++; --- 28,34 ---- return 0; if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) { (*seg)++; ! if (ISALNUM(***seg) && *(*seg + 2)) { if (portnum(**seg, proto, pp, linenum) == 0) return -1; (*seg)++; diff -cr ip_fil4.1.3/lib/printbuf.c ip_fil4.1.4/lib/printbuf.c *** ip_fil4.1.3/lib/printbuf.c Sun Jun 10 03:09:24 2001 --- ip_fil4.1.4/lib/printbuf.c Fri Dec 10 06:41:22 2004 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! 
* $Id: printbuf.c,v 1.5 2001/06/09 17:09:24 darrenr Exp $ */ #include --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: printbuf.c,v 1.5.4.1 2004/12/09 19:41:22 darrenr Exp $ */ #include *************** *** 20,26 **** for (s = buf, i = len; i; i--) { c = *s++; ! if (isprint(c)) putchar(c); else printf("\\%03o", c); --- 20,26 ---- for (s = buf, i = len; i; i--) { c = *s++; ! if (ISPRINT(c)) putchar(c); else printf("\\%03o", c); diff -cr ip_fil4.1.3/lib/printfr.c ip_fil4.1.4/lib/printfr.c *** ip_fil4.1.3/lib/printfr.c Tue Apr 20 21:51:33 2004 --- ip_fil4.1.4/lib/printfr.c Mon Nov 1 05:44:42 2004 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: printfr.c,v 1.43.2.4 2004/04/20 11:51:33 darrenr Exp $ */ #include "ipf.h" --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: printfr.c,v 1.43.2.7 2004/10/31 18:44:42 darrenr Exp $ */ #include "ipf.h" *************** *** 171,176 **** --- 171,178 ---- print_toif("dup-to", &fp->fr_dif); if (*fp->fr_tif.fd_ifname) print_toif("to", &fp->fr_tif); + if (*fp->fr_rif.fd_ifname) + print_toif("reply-to", &fp->fr_rif); if (fp->fr_flags & FR_FASTROUTE) printf("fastroute "); *************** *** 364,370 **** if (fp->fr_flags & FR_KEEPSTATE) { printf(" keep state"); ! if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|FR_NOICMPERR)) || (fp->fr_statemax != 0) || (fp->fr_age[0] != 0)) { char *comma = ""; printf(" ("); --- 366,372 ---- if (fp->fr_flags & FR_KEEPSTATE) { printf(" keep state"); ! 
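Review bot: In the non-printable branch, `printf("\\%03o", c)` will emit a sign-extended value such as `\37777777600` for bytes above 0x7f if `c` is a plain `char`; its declaration sits outside the hunk, so this is a point to confirm rather than a certain defect. If it is, `printf("\\%03o", (unsigned char)c)` or declaring `c` as `unsigned char` (the loop in printsbuf.c below walks a `u_char *` for the same purpose) keeps the escape at three octal digits. The enclosing function starts and ends outside the hunk.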
if ((fp->fr_flags & (FR_STSTRICT|FR_NEWISN|FR_NOICMPERR|FR_STATESYNC)) || (fp->fr_statemax != 0) || (fp->fr_age[0] != 0)) { char *comma = ""; printf(" ("); *************** *** 384,389 **** --- 386,395 ---- printf("%sno-icmp-err", comma); comma = ","; } + if (fp->fr_flags & FR_STATESYNC) { + printf("%ssync", comma); + comma = ","; + } if (fp->fr_age[0] || fp->fr_age[1]) printf("%sage %d/%d", comma, fp->fr_age[0], fp->fr_age[1]); *************** *** 410,417 **** printf(" head %s", fp->fr_grhead); if (*fp->fr_group != '\0') printf(" group %s", fp->fr_group); ! if (fp->fr_logtag != FR_NOLOGTAG) ! printf(" log-tag %u", fp->fr_logtag); if (fp->fr_pps) printf(" pps %d", fp->fr_pps); (void)putchar('\n'); --- 416,435 ---- printf(" head %s", fp->fr_grhead); if (*fp->fr_group != '\0') printf(" group %s", fp->fr_group); ! if (fp->fr_logtag != FR_NOLOGTAG || *fp->fr_nattag.ipt_tag) { ! char *s = ""; ! ! printf(" set-tag("); ! if (fp->fr_logtag != FR_NOLOGTAG) { ! printf("log=%u", fp->fr_logtag); ! s = ", "; ! } ! if (*fp->fr_nattag.ipt_tag) { ! printf("%snat=%-.*s", s, IPFTAG_LEN, ! fp->fr_nattag.ipt_tag); ! } ! printf(")"); ! } if (fp->fr_pps) printf(" pps %d", fp->fr_pps); (void)putchar('\n'); diff -cr ip_fil4.1.3/lib/printnat.c ip_fil4.1.4/lib/printnat.c *** ip_fil4.1.3/lib/printnat.c Tue May 11 11:41:16 2004 --- ip_fil4.1.4/lib/printnat.c Sun Oct 17 16:45:22 2004 *************** *** 11,17 **** #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.4 2004/05/11 01:41:16 darrenr Exp $"; #endif --- 11,17 ---- #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.6 2004/10/17 06:45:22 darrenr Exp $"; #endif *************** *** 87,106 **** printf("%s", inet_ntoa(np->in_out[0].in4)); bits = count4bits(np->in_outmsk); if (bits != -1) ! printf("/%d ", bits); else ! printf("/%s ", inet_ntoa(np->in_out[1].in4)); ! printf("port %d", ntohs(np->in_pmin)); ! if (np->in_pmax != np->in_pmin) ! 
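Review bot: The NAT tag is printed verbatim inside `set-tag(... nat=...)`, so a tag containing whitespace, a comma or `)` produces a rule line the parser cannot read back; either reject such characters where the tag is set or quote it here. `%-.*s` also requires the precision argument to be an `int`: confirm that `IPFTAG_LEN` is an integer constant rather than a `sizeof`-derived `size_t` expression, otherwise the call is undefined. `char *s = "";` can be `const char *s = "";` since it only ever points at string literals. The same two points apply to the ` tag %-.*s` print added in the printnat.c 127,132 hunk. The enclosing function starts and ends outside the hunk.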
printf("-%d", ntohs(np->in_pmax)); } printf(" -> %s", inet_ntoa(np->in_in[0].in4)); if (np->in_flags & IPN_SPLIT) printf(",%s", inet_ntoa(np->in_in[1].in4)); ! if ((np->in_flags & IPN_FIXEDDPORT) != 0) ! printf(" port = %d", ntohs(np->in_pnext)); ! else ! printf(" port %d", ntohs(np->in_pnext)); if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) printf(" tcp/udp"); else if ((np->in_flags & IPN_TCP) == IPN_TCP) --- 87,110 ---- printf("%s", inet_ntoa(np->in_out[0].in4)); bits = count4bits(np->in_outmsk); if (bits != -1) ! printf("/%d", bits); else ! printf("/%s", inet_ntoa(np->in_out[1].in4)); ! if (np->in_flags & IPN_TCPUDP) { ! printf(" port %d", ntohs(np->in_pmin)); ! if (np->in_pmax != np->in_pmin) ! printf("-%d", ntohs(np->in_pmax)); ! } } printf(" -> %s", inet_ntoa(np->in_in[0].in4)); if (np->in_flags & IPN_SPLIT) printf(",%s", inet_ntoa(np->in_in[1].in4)); ! if (np->in_flags & IPN_TCPUDP) { ! if ((np->in_flags & IPN_FIXEDDPORT) != 0) ! printf(" port = %d", ntohs(np->in_pnext)); ! else ! printf(" port %d", ntohs(np->in_pnext)); ! } if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) printf(" tcp/udp"); else if ((np->in_flags & IPN_TCP) == IPN_TCP) *************** *** 127,132 **** --- 131,138 ---- if (*np->in_plabel != '\0') printf(" proxy %.*s", (int)sizeof(np->in_plabel), np->in_plabel); + if (np->in_tag.ipt_tag[0] != '\0') + printf(" tag %-.*s", IPFTAG_LEN, np->in_tag.ipt_tag); printf("\n"); if (opts & OPT_DEBUG) printf("\tpmax %u\n", np->in_pmax); diff -cr ip_fil4.1.3/lib/printsbuf.c ip_fil4.1.4/lib/printsbuf.c *** ip_fil4.1.3/lib/printsbuf.c Sun Jul 14 01:13:58 2002 --- ip_fil4.1.4/lib/printsbuf.c Fri Dec 10 06:41:22 2004 *************** *** 12,18 **** int i; for (s = (u_char *)buf, i = ISC_TLEN; i; i--, s++) { ! if (isprint(*s)) putchar(*s); else printf("\\%o", *s); --- 12,18 ---- int i; for (s = (u_char *)buf, i = ISC_TLEN; i; i--, s++) { ! 
if (ISPRINT(*s)) putchar(*s); else printf("\\%o", *s); diff -cr ip_fil4.1.3/lib/printstate.c ip_fil4.1.4/lib/printstate.c *** ip_fil4.1.3/lib/printstate.c Wed Mar 24 02:34:07 2004 --- ip_fil4.1.4/lib/printstate.c Mon Nov 1 05:46:26 2004 *************** *** 16,21 **** --- 16,22 ---- u_long now; { ipstate_t ips; + synclist_t ipsync; if (kmemcpy((char *)&ips, (u_long)sp, sizeof(ips))) return NULL; *************** *** 54,61 **** || ips.is_p == IPPROTO_ICMPV6 #endif ) ! PRINTF(" id %hu seq %hu type %d\n", ntohs(ips.is_icmp.ici_id), ! ntohs(ips.is_icmp.ici_seq), ips.is_icmp.ici_type); #ifdef USE_QUAD_T PRINTF("\tforward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd\n\tbackward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd\n", --- 55,62 ---- || ips.is_p == IPPROTO_ICMPV6 #endif ) ! PRINTF(" id %hu seq %hu type %d\n", ips.is_icmp.ici_id, ! ips.is_icmp.ici_seq, ips.is_icmp.ici_type); #ifdef USE_QUAD_T PRINTF("\tforward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd\n\tbackward: pkts in %qd bytes in %qd pkts out %qd bytes out %qd\n", *************** *** 127,134 **** if (ips.is_pass & FR_KEEPFRAG) PRINTF(" keep frags"); /* a given; no? */ ! if (ips.is_pass & FR_KEEPSTATE) PRINTF(" keep state"); PRINTF("\tIPv%d", ips.is_v); PRINTF("\n"); --- 128,138 ---- if (ips.is_pass & FR_KEEPFRAG) PRINTF(" keep frags"); /* a given; no? */ ! 
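Review bot: Dropping `ntohs()` from `ips.is_icmp.ici_id` and `ici_seq` changes the displayed values on little-endian hosts, and nothing in the hunk shows which byte order the state entry stores them in. If the kernel keeps them in network order, as the old code assumed, the id and sequence numbers will now print byte-swapped; if it stores host order, the change is right and a comment such as `/* ici_id/ici_seq are kept in host byte order; no ntohs() here */` would stop the next reader from reinstating the conversion. The enclosing function starts and ends outside the hunk.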
if (ips.is_pass & FR_KEEPSTATE) { PRINTF(" keep state"); + if (ips.is_pass & FR_STATESYNC) + PRINTF(" ( sync )"); + } PRINTF("\tIPv%d", ips.is_v); PRINTF("\n"); *************** *** 160,164 **** --- 164,184 ---- PRINTF("/%p", ips.is_ifp[3]); PRINTF("]\n"); + if (ips.is_sync != NULL) { + + if (kmemcpy((char *)&ipsync, (u_long)ips.is_sync, sizeof(ipsync))) { + + PRINTF("\tSync status: status could not be retrieved\n"); + return NULL; + } + + PRINTF("\tSync status: idx %d num %d v %d pr %d rev %d\n", + ipsync.sl_idx, ipsync.sl_num, ipsync.sl_v, + ipsync.sl_p, ipsync.sl_rev); + + } else { + PRINTF("\tSync status: not synchronized\n"); + } + return ips.is_next; } diff -cr ip_fil4.1.3/lib/v6ionames.c ip_fil4.1.4/lib/v6ionames.c *** ip_fil4.1.3/lib/v6ionames.c Sat Apr 26 14:55:58 2003 --- ip_fil4.1.4/lib/v6ionames.c Mon Jan 3 00:08:49 2005 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: v6ionames.c,v 1.1 2003/04/26 04:55:58 darrenr Exp $ */ #include "ipf.h" --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: v6ionames.c,v 1.1.4.1 2005/01/02 13:08:49 darrenr Exp $ */ #include "ipf.h" *************** *** 12,24 **** struct ipopt_names v6ionames[] ={ { IPPROTO_HOPOPTS, 0x000001, 0, "hopopts" }, ! { IPPROTO_DSTOPTS, 0x000002, 0, "dstopts" }, ! { IPPROTO_ESP, 0x000004, 0, "esp" }, ! { IPPROTO_AH, 0x000008, 0, "ah" }, ! { IPPROTO_ROUTING, 0x000010, 0, "routing" }, ! { IPPROTO_IPV6, 0x000020, 0, "ipv6" }, ! { IPPROTO_FRAGMENT, 0x000040, 0, "frag" }, ! { IPPROTO_NONE, 0x000080, 0, "none" }, { 0, 0, 0, (char *)NULL } }; --- 12,24 ---- struct ipopt_names v6ionames[] ={ { IPPROTO_HOPOPTS, 0x000001, 0, "hopopts" }, ! { IPPROTO_IPV6, 0x000002, 0, "ipv6" }, ! { IPPROTO_ROUTING, 0x000004, 0, "routing" }, ! { IPPROTO_FRAGMENT, 0x000008, 0, "frag" }, ! { IPPROTO_ESP, 0x000010, 0, "esp" }, ! { IPPROTO_AH, 0x000020, 0, "ah" }, ! { IPPROTO_NONE, 0x000040, 0, "none" }, ! 
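Review bot: When the `kmemcpy()` of the synclist entry fails, the new block returns NULL after printing the error, which presumably ends the caller's walk of the state list even though this entry has already been fully printed; returning `ips.is_next` there would report the problem and keep listing. The blank lines directly after `if (ips.is_sync != NULL) {` and after the error `if` do not match the surrounding style. The function body starts outside the hunk.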
{ IPPROTO_DSTOPTS, 0x000080, 0, "dstopts" }, { 0, 0, 0, (char *)NULL } }; diff -cr ip_fil4.1.3/lib/var.c ip_fil4.1.4/lib/var.c *** ip_fil4.1.3/lib/var.c Sat Apr 17 09:34:17 2004 --- ip_fil4.1.4/lib/var.c Fri Dec 10 06:41:23 2004 *************** *** 44,52 **** fprintf(stderr, "%d: { without }\n", line); return NULL; } ! } else if (isalpha(*s)) { for (t = s + 1; *t != '\0'; t++) ! if (!isalpha(*t) && !isdigit(*t) && (*t != '_')) break; } else { fprintf(stderr, "%d: variables cannot start with '%c'\n", --- 44,52 ---- fprintf(stderr, "%d: { without }\n", line); return NULL; } ! } else if (ISALPHA(*s)) { for (t = s + 1; *t != '\0'; t++) ! if (!ISALPHA(*t) && !ISDIGIT(*t) && (*t != '_')) break; } else { fprintf(stderr, "%d: variables cannot start with '%c'\n", diff -cr ip_fil4.1.3/man/ipftest.1 ip_fil4.1.4/man/ipftest.1 *** ip_fil4.1.3/man/ipftest.1 Sun Jun 29 00:56:09 2003 --- ip_fil4.1.4/man/ipftest.1 Sun Oct 3 17:04:12 2004 *************** *** 4,22 **** .SH SYNOPSIS .B ipftest [ ! .B \-6bdDNovxX ] [ .B \-F input-format ] [ .B \-I interface ! ] ! .B \-r ! [ ! .B \-i ] .SH DESCRIPTION .PP --- 4,34 ---- .SH SYNOPSIS .B ipftest [ ! .B \-6bdDoRvx ] [ .B \-F input-format ] [ + .B \-i + + ] [ .B \-I interface ! ] [ ! .B \-l ! ] [ ! .B \-N + ] [ + .B \-P + + ] [ + .B \-r + + ] [ + .B \-T + ] .SH DESCRIPTION .PP *************** *** 25,31 **** to test their effectiveness. The hope is that this minimises disruptions in providing a secure IP environment. .PP ! \fBipftest\fP will parse any standard ruleset for use with \fBipf\fP and apply input, returning output as to the result. However, \fBipftest\fP will return one of three values for packets passed through the filter: pass, block or nomatch. This is intended to give the operator a better --- 37,44 ---- to test their effectiveness. The hope is that this minimises disruptions in providing a secure IP environment. .PP ! \fBipftest\fP will parse any standard ruleset for use with \fBipf\fP, ! 
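Review bot: The bit value bound to each existing name changes here (dstopts moves from 0x000002 to 0x000080, esp from 0x000004 to 0x000010, and so on) and nothing in the table says what these bits must agree with. If they mirror a bit layout defined elsewhere, a comment above the table naming that definition, e.g. `/* bit values must match <name of the consuming definition>; keep in sync */`, would keep the two from drifting apart again.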
\fBipnat\fP and/or \fBippool\fP and apply input, returning output as to the result. However, \fBipftest\fP will return one of three values for packets passed through the filter: pass, block or nomatch. This is intended to give the operator a better *************** *** 32,82 **** idea of what is happening with packets passing through their filter ruleset. .PP ! When used without either of \fB\-S\fP, \fB\-T\fP or \fB\-E\fP, ! \fBipftest\fP uses its own text input format to generate "fake" IP packets. ! The format used is as follows: ! .nf ! "in"|"out" "on" if ["tcp"|"udp"|"icmp"] ! srchost[,srcport] dsthost[,destport] [FSRPAU] ! .fi ! .PP ! This allows for a packet going "in" or "out" of an interface (if) to be ! generated, being one of the three main protocols (optionally), and if ! either TCP or UDP, a port parameter is also expected. If TCP is selected, ! it is possible to (optionally) supply TCP flags at the end. Some examples ! are: ! .nf ! # a UDP packet coming in on le0 ! in on le0 udp 10.1.1.1,2210 10.2.1.5,23 ! # an IP packet coming in on le0 from localhost - hmm :) ! in on le0 localhost 10.4.12.1 ! # a TCP packet going out of le0 with the SYN flag set. ! out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S ! .fi .SH OPTIONS .TP ! .B \-v ! Verbose mode. This provides more information about which parts of rule ! matching the input packet passes and fails. .TP - .B \-d - Turn on filter rule debugging. Currently, this only shows you what caused - the rule to not match in the IP header checking (addresses/netmasks, etc). - .TP .B \-b Cause the output to be a brief summary (one-word) of the result of passing the packet through the filter; either "pass", "block" or "nomatch". This is used in the regression testing. .TP ! .BR \-I \0 ! Set the interface name (used in rule matching) to be the name supplied. ! This is useful with the \fB\-P, \-S, \-T\fP and \fB\-E\fP options, where it is ! not otherwise possible to associate a packet with an interface. Normal ! 
"text packets" can override this setting. .TP .B \-F This option is used to select which input format the input file is in. ! The following formats are available: etherfind, hex, pcap, snoop, tcpdump. .RS .TP .B etherfind --- 45,72 ---- idea of what is happening with packets passing through their filter ruleset. .PP ! At least one of \fB\-N\fP, \fB-P\fP or \fB\-r\fP must be specified. .SH OPTIONS .TP ! .B \-6 ! Use IPv6. .TP .B \-b Cause the output to be a brief summary (one-word) of the result of passing the packet through the filter; either "pass", "block" or "nomatch". This is used in the regression testing. .TP ! .B \-d ! Turn on filter rule debugging. Currently, this only shows you what caused ! the rule to not match in the IP header checking (addresses/netmasks, etc). .TP + .B \-D + Dump internal tables before exiting. + This excludes log messages. + .TP .B \-F This option is used to select which input format the input file is in. ! The following formats are available: etherfind, hex, pcap, snoop, tcpdump,text. .RS .TP .B etherfind *************** *** 121,138 **** tcpdump -nqtt tcpdump -nqte .fi .LP .RE .DT .TP - .B \-X - The input file is composed of text descriptions of IP packets. - .TP .BR \-i \0 Specify the filename from which to take input. Default is stdin. .TP .BR \-r \0 ! Specify the filename from which to read filter rules. .SH SEE ALSO ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c) .SH BUGS --- 111,187 ---- tcpdump -nqtt tcpdump -nqte .fi + .TP + .B text + The input file is in \fBipftest\fP text input format. + This is the default if no \fB\-F\fP argument is specified. + The format used is as follows: + .nf + "in"|"out" "on" if ["tcp"|"udp"|"icmp"] + srchost[,srcport] dsthost[,destport] [FSRPAU] + .fi + .PP + This allows for a packet going "in" or "out" of an interface (if) to be + generated, being one of the three main protocols (optionally), and if + either TCP or UDP, a port parameter is also expected. 
If TCP is selected, + it is possible to (optionally) supply TCP flags at the end. Some examples + are: + .nf + # a UDP packet coming in on le0 + in on le0 udp 10.1.1.1,2210 10.2.1.5,23 + # an IP packet coming in on le0 from localhost - hmm :) + in on le0 localhost 10.4.12.1 + # a TCP packet going out of le0 with the SYN flag set. + out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S + .fi .LP .RE .DT .TP .BR \-i \0 Specify the filename from which to take input. Default is stdin. .TP + .BR \-I \0 + Set the interface name (used in rule matching) to be the name supplied. + This is useful where it is + not otherwise possible to associate a packet with an interface. Normal + "text packets" can override this setting. + .TP + .BR \-l \0 + Dump log messages generated during testing to the specified file. + .TP + .BR \-N \0 + Specify the filename from which to read NAT rules in \fBipnat\fP(5) format. + .TP + .B \-o + Save output packets that would have been written to each interface in + a file /tmp/\fIinterface_name\fP in raw format. + .TP + .BR \-P \0 + Read IP pool configuration information in \fBippool\fP(5) format from the + specified file. + .TP .BR \-r \0 ! Specify the filename from which to read filter rules in \fBipf\fP(5) format. ! .TP ! .B \-R ! Don't attempt to convert IP addresses to hostnames. ! .TP ! .BR \-T \0 ! This option simulates the run-time changing of IPFilter kernel variables ! available with the \fB\-T\fP option of \fBipf\fP. ! The optionlist parameter is a comma separated list of tuning ! commands. A tuning command is either "list" (retrieve a list of all variables ! in the kernel, their maximum, minimum and current value), a single variable ! name (retrieve its current value) and a variable name with a following ! assignment to set a new value. See \fBipf\fP(8) for examples. ! .TP ! .B \-v ! Verbose mode. This provides more information about which parts of rule ! matching the input packet passes and fails. ! .TP ! .B \-x ! 
Print a hex dump of each packet before printing the decoded contents. .SH SEE ALSO ipf(5), ipf(8), snoop(1m), tcpdump(8), etherfind(8c) .SH BUGS diff -cr ip_fil4.1.3/test/Makefile ip_fil4.1.4/test/Makefile *** ip_fil4.1.3/test/Makefile Wed Jun 30 21:23:31 2004 --- ip_fil4.1.4/test/Makefile Sun Oct 17 15:49:06 2004 *************** *** 24,32 **** ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 # Rule parsing tests ! ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 ! ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 nitests: ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 --- 24,32 ---- ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 # Rule parsing tests ! ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 ! ntests: n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 nitests: ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 *************** *** 46,55 **** f15 f16 f17: @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format` ! i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 bpf1: @/bin/sh ./itest `awk "/^$@ / { print; } " test.format` ! n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11: @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format` ni1 ni2 ni3 ni4 ni5 ni7 ni8 ni9 ni10 ni11 ni12: --- 46,55 ---- f15 f16 f17: @/bin/sh ./mtest `awk "/^$@ / { print; } " test.format` ! i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 bpf1: @/bin/sh ./itest `awk "/^$@ / { print; } " test.format` ! n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12: @/bin/sh ./nattest `awk "/^$@ / { print; } " test.format` ni1 ni2 ni3 ni4 ni5 ni7 ni8 ni9 ni10 ni11 ni12: *************** *** 78,85 **** clean: /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 ! /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 ! /bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 /bin/rm -f ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 /bin/rm -f in1 in2 in3 in4 in5 /bin/rm -f p1 p2 p3 ip1 --- 78,85 ---- clean: /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17 ! 
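Review bot: The `nitests` target lists `ni6`, but the rule that runs `./nattest` is still `ni1 ni2 ni3 ni4 ni5 ni7 ni8 ni9 ni10 ni11 ni12:` with ni6 missing, so `make nitests` has no recipe for it unless ni6 has its own rule outside the hunk; this predates the change but sits on the new side of the 46,55 hunk. Adding `ni6` to that target list fixes it. The added `i15` and `n12` targets are consistent across the `ptests`/`ntests`, rule and `clean` hunks.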
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12 i13 i14 i15 ! /bin/rm -f n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12 /bin/rm -f ni1 ni2 ni3 ni4 ni5 ni6 ni7 ni8 ni9 ni10 ni11 ni12 /bin/rm -f in1 in2 in3 in4 in5 /bin/rm -f p1 p2 p3 ip1 Common subdirectories: ip_fil4.1.3/test/expected and ip_fil4.1.4/test/expected Common subdirectories: ip_fil4.1.3/test/input and ip_fil4.1.4/test/input Common subdirectories: ip_fil4.1.3/test/regress and ip_fil4.1.4/test/regress diff -cr ip_fil4.1.3/test/test.format ip_fil4.1.4/test/test.format *** ip_fil4.1.3/test/test.format Tue Jun 29 15:02:12 2004 --- ip_fil4.1.4/test/test.format Sun Oct 17 15:49:05 2004 *************** *** 32,37 **** --- 32,38 ---- i12 text text i13 text text i14 text text + i15 text text in1 text text in2 text text in3 text text *************** *** 53,58 **** --- 54,60 ---- n9 hex hex fr_update_ipid=0 n10 hex hex fr_update_ipid=0 n11 text text + n12 hex hex fr_update_ipid=0 ni1 hex hex fr_update_ipid=1 ni2 hex hex fr_update_ipid=1 ni3 hex hex fr_update_ipid=1 diff -cr ip_fil4.1.3/test/vfycksum.pl ip_fil4.1.4/test/vfycksum.pl *** ip_fil4.1.3/test/vfycksum.pl Tue Jun 15 02:47:58 2004 --- ip_fil4.1.4/test/vfycksum.pl Sun Jan 9 01:30:49 2005 *************** *** 62,68 **** local($base) = $_[0]; local($hl) = $bytes[$base] / 256; return if (($hl >> 4) != 4); ! return if ($bytes[3] & 0x1fff); $hl &= 0xf; $hl <<= 1; --- 62,68 ---- local($base) = $_[0]; local($hl) = $bytes[$base] / 256; return if (($hl >> 4) != 4); ! return if ($bytes[$base + 3] & 0x1fff); $hl &= 0xf; $hl <<= 1; *************** *** 79,92 **** local($thl) = $bytes[$base + $hl + 6] >> 8; $thl &= 0xf0; $thl >>= 2; if ($bytes[$base + 1] > ($cnt - $base) * 2) { ! print " TCP: missing data(1)"; ! return; } elsif (($cnt - $base) * 2 < $hl + 20) { ! print " TCP: missing data(2)"; ! return; } elsif (($cnt - $base) * 2 < $hl + $thl) { ! 
print " TCP: missing data(3)"; return; } --- 79,105 ---- local($thl) = $bytes[$base + $hl + 6] >> 8; $thl &= 0xf0; $thl >>= 2; + + $x = $bytes[$base + 1]; + $y = ($cnt - $base) * 2; + $z = 0; if ($bytes[$base + 1] > ($cnt - $base) * 2) { ! print "[cnt=$cnt base=$base]"; ! $x = $bytes[$base + 1]; ! $y = ($cnt - $base) * 2; ! $z = 1; } elsif (($cnt - $base) * 2 < $hl + 20) { ! $x = ($cnt - $base) * 2; ! $y = $hl + 20; ! $z = 2; } elsif (($cnt - $base) * 2 < $hl + $thl) { ! $x = ($cnt - $base) * 2; ! $y = $hl + $thl; ! $z = 3; ! } ! ! if ($z) { ! print " TCP: missing data($x $y $z)"; return; } *************** *** 99,105 **** $bytes[$tcpat + 8] = $osum; printf " TCP: (%x) %x != %x", $hs, $osum, $hs2; } else { ! print " TCP: ok"; } } --- 112,118 ---- $bytes[$tcpat + 8] = $osum; printf " TCP: (%x) %x != %x", $hs, $osum, $hs2; } else { ! print " TCP: ok ($x $y)"; } } Only in ip_fil4.1.4/test/expected: i15 diff -cr ip_fil4.1.3/test/expected/i4 ip_fil4.1.4/test/expected/i4 *** ip_fil4.1.3/test/expected/i4 Sat Apr 17 09:29:58 2004 --- ip_fil4.1.4/test/expected/i4 Mon Oct 18 21:36:37 2004 *************** *** 5,7 **** --- 5,8 ---- block in proto udp from any port != 123 to any port < 7 block in proto tcp from any port = 25 to any port > 25 pass in proto tcp/udp from any port 1 >< 3 to any port 1 <> 3 + pass in log first quick proto tcp from any port > 1023 to any port = 1723 flags S/FSRPAU keep state diff -cr ip_fil4.1.3/test/expected/in2 ip_fil4.1.4/test/expected/in2 *** ip_fil4.1.3/test/expected/in2 Fri May 7 00:21:15 2004 --- ip_fil4.1.4/test/expected/in2 Sat Oct 30 18:55:59 2004 *************** *** 1,26 **** rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 tcp ! rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp ! rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 udp rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp/udp ! 
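Review bot: The first branch re-assigns `$x = $bytes[$base + 1]; $y = ($cnt - $base) * 2;` with exactly the values set just above the `if`, so those two lines can go, and `print "[cnt=$cnt base=$base]";` reads like debugging output that now lands in the report ahead of the message. `$x`, `$y` and `$z` are package globals while the surrounding code declares its temporaries with `local(...)`; `local($x, $y, $z);` next to `$thl` keeps them scoped. The ` TCP: ok ($x $y)` message in the 99,105 hunk below exposes the same working values in the success path, which changes the tool's output for every good packet.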
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 icmp rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin ! rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag ! rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 icmp frag rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag ! rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/10 ! rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20 ! rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 icmp frag age 10/10 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port 5555 tcp rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port = 5555 tcp --- 1,67 ---- rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 tcp ! rdr le0 9.8.7.6/32 -> 1.1.1.1 ip rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp ! rdr le0 9.8.7.6/32 -> 1.1.1.1 ip rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 udp rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp/udp ! rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin ! rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag ! 
rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag ! rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10 ! rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20 ! rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag + rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10 + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20 + rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 sticky + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 sticky + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 sticky + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000 + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000 + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag mssclamp 1000 + rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 1000 + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10 mssclamp 1000 + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20 mssclamp 
1000 + rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10 mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 sticky mssclamp 1000 + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip tag nattagcacheline + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10 mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20 mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10 mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20/20 sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30/30 sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 sticky mssclamp 1000 tag nattagcacheline rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port 5555 tcp rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port = 5555 tcp + rdr le0 0.0.0.0/0 -> 254.220.186.152 ip + rdr le0 0.0.0.0/0 -> 
254.220.186.152,254.220.186.152 ip diff -cr ip_fil4.1.3/test/expected/in5 ip_fil4.1.4/test/expected/in5 *** ip_fil4.1.3/test/expected/in5 Sun Nov 10 01:08:26 2002 --- ip_fil4.1.4/test/expected/in5 Sun Oct 17 16:44:49 2004 *************** *** 1,22 **** rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 tcp ! rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp ! rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 0 ip rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 udp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp/udp ! rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 0 icmp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin ! rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag ! rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 0 icmp frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag ! rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10/10 ! rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10/20 ! 
rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 0 icmp frag age 10/10 rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag age 20/20 rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag age 30/30 rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag age 40/40 --- 1,22 ---- rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 tcp ! rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp ! rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 udp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp/udp ! rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin ! rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag ! rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag ! rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/10 ! rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 ip frag age 10/20 ! 
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 icmp frag age 10/10 rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag age 20/20 rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag age 30/30 rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag age 40/40 Only in ip_fil4.1.4/test/expected: n12 diff -cr ip_fil4.1.3/test/expected/ni10 ip_fil4.1.4/test/expected/ni10 *** ip_fil4.1.3/test/expected/ni10 Sat May 22 15:40:41 2004 --- ip_fil4.1.4/test/expected/ni10 Sun Jan 9 01:32:13 2005 *************** *** 1,5 **** 4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 4500 0038 0000 0000 ff01 afb9 0202 0202 0404 0404 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0404 0404 0202 0202 5000 0050 0000 0001 ! 4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404 0303 113f 0000 0000 4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28ab 0404 0404 0202 0201 5000 0050 0000 0001 ------------------------------- --- 1,5 ---- 4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 4500 0038 0000 0000 ff01 afb9 0202 0202 0404 0404 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0404 0404 0202 0202 5000 0050 0000 0001 ! 
4500 0058 0001 0000 ff01 af98 0202 0202 0404 0404 0303 0937 0000 0000 4500 003c 4706 4000 ff06 28aa 0404 0404 0202 0202 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28ab 0404 0404 0202 0201 5000 0050 0000 0001 ------------------------------- diff -cr ip_fil4.1.3/test/expected/ni11 ip_fil4.1.4/test/expected/ni11 *** ip_fil4.1.3/test/expected/ni11 Sat May 22 15:40:42 2004 --- ip_fil4.1.4/test/expected/ni11 Sun Jan 9 01:32:14 2005 *************** *** 1,5 **** 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fb 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 ! 4500 0058 809a 0000 ff01 2cfd 0303 0303 0404 0404 0303 0735 0000 0000 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001 ------------------------------- --- 1,5 ---- 4500 003c 4706 4000 ff06 2aac 0404 0404 0101 0101 5000 9d58 0000 0001 0000 0000 a002 16d0 3ddc 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 4500 0038 0000 0000 ff01 a7b9 0a02 0202 0404 0404 0303 a7fb 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 ! 
4500 0058 0001 0000 ff01 a798 0a02 0202 0404 0404 0303 1137 0000 0000 4500 003c 4706 4000 ff06 20aa 0404 0404 0a02 0202 5000 0500 0000 0001 0000 0000 a002 16d0 cc32 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 0fa3 0000 0000 4500 003c 4706 4000 ff06 2aab 0404 0404 0101 0102 5000 9d58 0000 0001 ------------------------------- Only in ip_fil4.1.4/test/input: n12 diff -cr ip_fil4.1.3/test/input/ni10 ip_fil4.1.4/test/input/ni10 *** ip_fil4.1.3/test/input/ni10 Tue May 18 01:56:24 2004 --- ip_fil4.1.4/test/input/ni10 Sun Oct 3 17:00:32 2004 *************** *** 1,8 **** --- 1,10 ---- #v tos len id off ttl p sum src dst # ICMP dest unreachable with 64 bits in payload (in reply to a TCP packet # going out) + # IP 4.4.4.4 2.2.2.2 TCP(20480,80) [in,df0] 45 00 00 3c 47 06 40 00 ff 06 28 aa 04 04 04 04 02 02 02 02 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d8 e2 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00 + # IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80)) [out,df0] 4500 0038 809a 0000 ff01 2d1d 0303 0303 0404 0404 0303 acab 0000 0000 *************** *** 9,17 **** --- 11,21 ---- 4500 003c 4706 4000 ff06 20a2 0404 0404 0606 0606 5000 0050 0000 0001 + # IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80)) # ICMP dest unreachable with whole packet in payload (40 bytes = 320 bits) [out,df0] 45 00 00 58 80 9a 00 00 ff 01 2c fd 03 03 03 03 04 04 04 04 03 03 11 3f 00 00 00 00 45 00 00 3c 47 06 40 00 ff 06 20 a2 04 04 04 04 06 06 06 06 50 00 00 50 00 00 00 01 00 00 00 00 a0 02 16 d0 d0 da 00 00 02 04 05 b4 04 02 08 0a 00 47 fb b0 00 00 00 00 01 03 03 00 + # IP 3.3.3.3 -> 4.4.4.4 ICMP (IP(4.4.4.4,6.6.6.6) TCP(20480,80)) [out,df0] 4500 0038 809a 0000 ff01 2b1b 0303 0303 0505 0505 0303 acab 0000 0000 Only in ip_fil4.1.4/test/regress: i15 diff -cr ip_fil4.1.3/test/regress/i4 ip_fil4.1.4/test/regress/i4 *** ip_fil4.1.3/test/regress/i4 Sat Apr 17 09:30:00 2004 --- 
ip_fil4.1.4/test/regress/i4 Mon Oct 18 21:36:38 2004 *************** *** 5,7 **** --- 5,8 ---- block in proto udp from any port != \ntp to any port < echo block in proto tcp from any port = smtp to any port > 25 pass in proto tcp/udp from any port 1 >< 3 to any port 1 <> 3 + pass in log first quick proto tcp from any port > 1023 to any port = 1723 flags S keep state diff -cr ip_fil4.1.3/test/regress/in2 ip_fil4.1.4/test/regress/in2 *** ip_fil4.1.3/test/regress/in2 Fri May 7 00:21:16 2004 --- ip_fil4.1.4/test/regress/in2 Sat Oct 30 18:55:59 2004 *************** *** 1,7 **** rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 tcp rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp ! rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 ip rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 udp rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp/udp --- 1,7 ---- rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 tcp rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp ! rdr le0 9.8.7.6/32 -> 1.1.1.1 ip rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 udp rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp/udp *************** *** 14,26 **** rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag ! 
rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10 rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag age 10 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40 rdr ge0 9.8.7.6/32 -> 1.1.1.1 proxy port 21 ftp/tcp rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port 5555 tcp rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port = 5555 tcp --- 14,67 ---- rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag ! rdr le0 9.8.7.6/32 -> 1.1.1.1 ip frag age 10 rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag age 10 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30 rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40 + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip sticky + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag sticky + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag sticky + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10 sticky + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20 sticky + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag age 10 sticky + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20 sticky + rdr le0 9.8.7.6/32 port 80 -> 
1.1.1.1 port 80 tcp round-robin frag age 30 sticky + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40 sticky + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip mssclamp 1000 + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10 sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20 sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag age 10 sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20 sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30 sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40 sticky mssclamp 1000 + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip tag nattagcacheline + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag sticky mssclamp 
1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10 sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 0 -> 1.1.1.1 port 0 ip frag age 10/20 sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 icmp frag age 10 sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp frag age 20 sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1 port 80 tcp round-robin frag age 30 sticky mssclamp 1000 tag nattagcacheline + rdr le0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40 sticky mssclamp 1000 tag nattagcacheline rdr ge0 9.8.7.6/32 -> 1.1.1.1 proxy port 21 ftp/tcp rdr ge0 9.8.7.6/32 port 21 -> 1.1.1.1 port 21 tcp proxy ftp rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port 5555 tcp rdr le0 9.8.7.6/32 port 1000-2000 -> 1.1.1.1 port = 5555 tcp + rdr le0 0/0 -> test.host.dots + rdr le0 0/0 -> test.host.dots,test.host.dots diff -cr ip_fil4.1.3/test/regress/in5 ip_fil4.1.4/test/regress/in5 *** ip_fil4.1.3/test/regress/in5 Sun Nov 10 01:08:26 2002 --- ip_fil4.1.4/test/regress/in5 Sun Oct 17 16:44:51 2004 *************** *** 5,20 **** rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 udp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp/udp ! rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 icmp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin ! 
rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 icmp frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag ! rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10 rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10/20 rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 icmp frag age 10 rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag age 20 --- 5,20 ---- rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 udp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp/udp ! rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 port 888 icmp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin ! rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 port 0 ip frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 icmp frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 tcp round-robin frag rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp round-robin frag ! 
rdr le0 from any to 9.8.7.6/32 -> 1.1.1.1 port 0 ip frag age 10 rdr le0 from any to 9.8.7.6/32 port = 0 -> 1.1.1.1 port 0 ip frag age 10/20 rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1 port 888 icmp frag age 10 rdr le0 from any to 9.8.7.6/32 port = 8888 -> 1.1.1.1,1.1.1.2 port 888 tcp frag age 20 Only in ip_fil4.1.4/test/regress: n12 diff -cr ip_fil4.1.3/tools/ipf.c ip_fil4.1.4/tools/ipf.c *** ip_fil4.1.3/tools/ipf.c Sat Apr 17 09:58:25 2004 --- ip_fil4.1.4/tools/ipf.c Thu Dec 16 05:27:17 2004 *************** *** 19,25 **** #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.2 2004/04/16 23:58:25 darrenr Exp $"; #endif #if !defined(__SVR4) && defined(__GNUC__) --- 19,25 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipf.c,v 1.35.2.3 2004/12/15 18:27:17 darrenr Exp $"; #endif #if !defined(__SVR4) && defined(__GNUC__) *************** *** 31,37 **** extern frentry_t *frtop; ! void frsync __P((void)); void zerostats __P((void)); int main __P((int, char *[])); --- 31,37 ---- extern frentry_t *frtop; ! void ipf_frsync __P((void)); void zerostats __P((void)); int main __P((int, char *[])); *************** *** 142,148 **** exit(1); break; case 'y' : ! frsync(); break; case 'z' : opts ^= OPT_ZERORULEST; --- 142,148 ---- exit(1); break; case 'y' : ! ipf_frsync(); break; case 'z' : opts ^= OPT_ZERORULEST; *************** *** 438,444 **** } ! void frsync() { int frsyn = 0; --- 438,444 ---- } ! 
void ipf_frsync() { int frsyn = 0; diff -cr ip_fil4.1.3/tools/ipf_y.y ip_fil4.1.4/tools/ipf_y.y *** ip_fil4.1.3/tools/ipf_y.y Wed Jul 14 00:08:05 2004 --- ip_fil4.1.4/tools/ipf_y.y Sun Nov 14 00:35:01 2004 *************** *** 50,60 **** static ioctlfunc_t ipfioctl[IPL_LOGSIZE]; static addfunc_t ipfaddfunc = NULL; static struct wordtab ipfwords[95]; static struct wordtab icmpcodewords[17]; static struct wordtab icmptypewords[16]; static struct wordtab ipv4optwords[25]; static struct wordtab ipv4secwords[9]; ! static struct wordtab ipv6optwords[5]; static struct wordtab logwords[33]; %} --- 50,62 ---- static ioctlfunc_t ipfioctl[IPL_LOGSIZE]; static addfunc_t ipfaddfunc = NULL; static struct wordtab ipfwords[95]; + static struct wordtab addrwords[4]; + static struct wordtab maskwords[5]; static struct wordtab icmpcodewords[17]; static struct wordtab icmptypewords[16]; static struct wordtab ipv4optwords[25]; static struct wordtab ipv4secwords[9]; ! static struct wordtab ipv6optwords[8]; static struct wordtab logwords[33]; %} *************** *** 82,88 **** %type portc porteq %type hostname ipv4 ipv4mask ipv4_16 ipv4_24 %type ipv6mask ! %type addr %type servicename name interfacename %type portrange portcomp %type addrlist poollist --- 84,90 ---- %type portc porteq %type hostname ipv4 ipv4mask ipv4_16 ipv4_24 %type ipv6mask ! 
%type addr ipaddr %type servicename name interfacename %type portrange portcomp %type addrlist poollist *************** *** 117,122 **** --- 119,125 ---- %token IPFY_IPOPTS IPFY_SHORT IPFY_NAT IPFY_BADSRC IPFY_LOWTTL IPFY_FRAG %token IPFY_MBCAST IPFY_BAD IPFY_BADNAT IPFY_OOW IPFY_NEWISN IPFY_NOICMPERR %token IPFY_KEEP IPFY_STATE IPFY_FRAGS IPFY_LIMIT IPFY_STRICT IPFY_AGE + %token IPFY_SYNC IPFY_FRAGBODY %token IPFY_IPOPT_NOP IPFY_IPOPT_RR IPFY_IPOPT_ZSU IPFY_IPOPT_MTUP %token IPFY_IPOPT_MTUR IPFY_IPOPT_ENCODE IPFY_IPOPT_TS IPFY_IPOPT_TR %token IPFY_IPOPT_SEC IPFY_IPOPT_LSRR IPFY_IPOPT_ESEC IPFY_IPOPT_CIPSO *************** *** 393,398 **** --- 396,402 ---- settagin: | IPFY_SETTAG '(' taginlist ')' + ; taginlist: taginspec *************** *** 404,413 **** ; nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\ ! $3, 16);); free($3); } | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\ ! "%15d", $3);) } ; logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) } --- 408,417 ---- ; nattag: IPFY_NAT '=' YY_STR { DOALL(strncpy(fr->fr_nattag.ipt_tag,\ ! $3, IPFTAG_LEN);); free($3); } | IPFY_NAT '=' YY_NUMBER { DOALL(sprintf(fr->fr_nattag.ipt_tag,\ ! "%d", $3 & 0xffffffff);) } ; logtag: IPFY_LOG '=' YY_NUMBER { DOALL(fr->fr_logtag = $3;) } *************** *** 415,420 **** --- 419,425 ---- settagout: | IPFY_SETTAG '(' tagoutlist ')' + ; tagoutlist: tagoutspec *************** *** 576,586 **** DOREM(fr->fr_flx |= FI_TCPUDP; \ fr->fr_mflx |= FI_TCPUDP;) } else { ! DOREM(fr->fr_proto = getproto($1); \ fr->fr_mproto = 0xff;) } free($1); ! } | YY_STR nextstring YY_STR { if (!strcmp($1, "tcp") && !strcmp($3, "udp")) { --- 581,594 ---- DOREM(fr->fr_flx |= FI_TCPUDP; \ fr->fr_mflx |= FI_TCPUDP;) } else { ! int p = getproto($1); ! if (p == -1) ! yyerror("protocol unknown"); ! DOREM(fr->fr_proto = p; \ fr->fr_mproto = 0xff;) } free($1); ! 
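Review bot: The `IPFY_NAT '=' YY_STR` action copies the tag with `strncpy(fr->fr_nattag.ipt_tag, $3, IPFTAG_LEN)`, which silently truncates a tag of IPFTAG_LEN or more characters and leaves no NUL terminator, so a rule written with a long tag is loaded referring to a different tag than the one the administrator typed. A parse-time check before the copy keeps that mismatch from reaching the kernel: `if (strlen($3) >= IPFTAG_LEN) yyerror("nat tag too long");`. Whether ipt_tag is ever read as a C string elsewhere (where the missing terminator would matter) is not visible here. In the numeric alternative `$3 & 0xffffffff` is passed to `%d`; if YY_NUMBER is wider than int that is a format/argument mismatch, and `(unsigned int)` with `%u` would be the safe spelling.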
} | YY_STR nextstring YY_STR { if (!strcmp($1, "tcp") && !strcmp($3, "udp")) { *************** *** 606,612 **** --- 614,623 ---- if (fr == NULL) fr = frc; yyexpectaddr = 1; + if (yydebug) + printf("set yyexpectaddr\n"); yycont = &yyexpectaddr; + yysetdict(addrwords); resetaddr(); } ; *************** *** 613,619 **** --- 624,633 ---- to: IPFY_TO { if (fr == NULL) fr = frc; yyexpectaddr = 1; + if (yydebug) + printf("set yyexpectaddr\n"); yycont = &yyexpectaddr; + yysetdict(addrwords); resetaddr(); } ; *************** *** 657,666 **** ; srcobject: ! srcaddr srcport | '!' srcaddr srcport { DOALL(fr->fr_flags |= FR_NOTSRCIP;) } - | fromport ; srcaddr: --- 671,680 ---- ; srcobject: ! { yyresetdict(); } fromport ! | srcaddr srcport | '!' srcaddr srcport { DOALL(fr->fr_flags |= FR_NOTSRCIP;) } ; srcaddr: *************** *** 722,728 **** ; dstobject: ! toport | dstaddr dstport | '!' dstaddr dstport { DOALL(fr->fr_flags |= FR_NOTDSTIP;) } --- 736,742 ---- ; dstobject: ! { yyresetdict(); } toport | dstaddr dstport | '!' dstaddr dstport { DOALL(fr->fr_flags |= FR_NOTDSTIP;) } *************** *** 787,816 **** { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) } ; ! addr: IPFY_ANY { bzero(&($$), sizeof($$)); } ! | pool '/' YY_NUMBER { pooled = 1; $$.a.iplookuptype = IPLT_POOL; $$.a.iplookupnum = $3; } | pool '=' '(' poollist ')' { pooled = 1; $$.a.iplookuptype = IPLT_POOL; $$.a.iplookupnum = makepool($4); } | hash '/' YY_NUMBER { hashed = 1; $$.a.iplookuptype = IPLT_HASH; $$.a.iplookupnum = $3; } | hash '=' '(' addrlist ')' { hashed = 1; $$.a.iplookuptype = IPLT_HASH; $$.a.iplookupnum = makehash($4); } | hostname { $$.a.in4 = $1; ! $$.m.in4_addr = 0xffffffff; } ! | hostname maskspace ipv4mask { $$.a.in4 = $1; ! $$.m.in4_addr = $3.s_addr; ! $$.a.in4_addr &= $3.s_addr; } | YY_IPV6 { bcopy(&$1, &$$.a, sizeof($$.a)); ! fill6bits(128, (u_32_t *)&$$.m); } ! | YY_IPV6 maskspace ipv6mask { bcopy(&$1, &$$.a, sizeof($$.a)); ! 
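Review bot: In the single-`YY_STR` protocol action, `yyerror("protocol unknown")` is followed unconditionally by `DOREM(fr->fr_proto = p; fr->fr_mproto = 0xff;)`, so if yyerror returns (standard yacc semantics; this file's yyerror is not visible here and may exit instead) the rule is installed with fr_proto = (u_char)-1, i.e. it matches protocol 255 rather than being rejected. Guarding the store keeps an unknown protocol name from becoming a live rule: `if (p == -1) yyerror("protocol unknown"); else DOREM(fr->fr_proto = p; fr->fr_mproto = 0xff;)`. The `portnum` hunk further down applies `ntohs($$)` after its yyerror in the same way and would deserve the same treatment. The enclosing grammar rule begins before this hunk.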
bcopy(&$3, &$$.m, sizeof($$.m)); } ; - maskspace: '/' | IPFY_MASK --- 801,850 ---- { DOREM(fr->fr_dcmp = FR_EQUAL; fr->fr_dport = $3;) } ; ! addr: pool '/' YY_NUMBER { pooled = 1; ! yyexpectaddr = 0; $$.a.iplookuptype = IPLT_POOL; $$.a.iplookupnum = $3; } | pool '=' '(' poollist ')' { pooled = 1; + yyexpectaddr = 0; $$.a.iplookuptype = IPLT_POOL; $$.a.iplookupnum = makepool($4); } | hash '/' YY_NUMBER { hashed = 1; + yyexpectaddr = 0; $$.a.iplookuptype = IPLT_HASH; $$.a.iplookupnum = $3; } | hash '=' '(' addrlist ')' { hashed = 1; + yyexpectaddr = 0; $$.a.iplookuptype = IPLT_HASH; $$.a.iplookupnum = makehash($4); } + | ipaddr { bcopy(&$1, &$$, sizeof($$)); + yyexpectaddr = 0; } + ; + + ipaddr: IPFY_ANY { bzero(&($$), sizeof($$)); + yyresetdict(); + yyexpectaddr = 0; } | hostname { $$.a.in4 = $1; ! $$.m.in4_addr = 0xffffffff; ! yyexpectaddr = 0; } ! | hostname { yyresetdict(); ! $$.a.in4_addr = $1.s_addr; } ! maskspace { yysetdict(maskwords); } ! ipv4mask { $$.m.in4_addr = $5.s_addr; ! $$.a.in4_addr &= $5.s_addr; ! yyresetdict(); ! yyexpectaddr = 0; } | YY_IPV6 { bcopy(&$1, &$$.a, sizeof($$.a)); ! fill6bits(128, (u_32_t *)&$$.m); ! yyresetdict(); ! yyexpectaddr = 0; } ! | YY_IPV6 { yyresetdict(); ! bcopy(&$1, &$$.a, sizeof($$.a)); } ! maskspace { yysetdict(maskwords); } ! ipv6mask { bcopy(&$5, &$$.m, sizeof($$.m)); ! yyresetdict(); ! yyexpectaddr = 0; } ; maskspace: '/' | IPFY_MASK *************** *** 884,917 **** ; addrlist: ! addr { $$ = newalist(NULL); bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a)); bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); } ! | addrlist ',' addr { $$ = newalist($1); bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a)); bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); } ; ! pool: IPFY_POOL { yyexpectaddr = 0; yycont = NULL; } ; ! hash: IPFY_HASH { yyexpectaddr = 0; yycont = NULL; } ; poollist: ! addr { $$ = newalist(NULL); bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a)); bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); } ! | '!' 
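Review bot: In the new masked `ipaddr` alternatives, the stores `$$.a.in4_addr = $1.s_addr;` (hostname) and `bcopy(&$1, &$$.a, sizeof($$.a));` (YY_IPV6) sit in mid-rule actions, where `$$` denotes the mid-rule action's own stack slot rather than the rule's result; the final action then does `$$.a.in4_addr &= $5.s_addr` on an `a` it never set. It works only because yacc/bison default-copy `$1` into `$$` and the YYSTYPE union places `a` at offset 0, which is fragile and easy to break by reordering the union. Move both assignments into the final action of their alternative, before the mask is applied, and leave the mid-rule actions with only `yyresetdict();`. The `yyexpectaddr = 0` handling itself looks consistent across the alternatives.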
addr { $$ = newalist(NULL); $$->al_not = 1; bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a)); bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); } ! | addrlist ',' addr { $$ = newalist($1); bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a)); bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); } ! | addrlist ',' '!' addr { $$ = newalist($1); $$->al_not = 1; bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a)); --- 918,951 ---- ; addrlist: ! ipaddr { $$ = newalist(NULL); bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a)); bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); } ! | addrlist ',' ipaddr { $$ = newalist($1); bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a)); bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); } ; ! pool: IPFY_POOL { yyexpectaddr = 0; yycont = NULL; yyresetdict(); } ; ! hash: IPFY_HASH { yyexpectaddr = 0; yycont = NULL; yyresetdict(); } ; poollist: ! ipaddr { $$ = newalist(NULL); bcopy(&($1.a), &($$->al_i6addr), sizeof($1.a)); bcopy(&($1.m), &($$->al_i6mask), sizeof($1.m)); } ! | '!' ipaddr { $$ = newalist(NULL); $$->al_not = 1; bcopy(&($2.a), &($$->al_i6addr), sizeof($2.a)); bcopy(&($2.m), &($$->al_i6mask), sizeof($2.m)); } ! | poollist ',' ipaddr { $$ = newalist($1); bcopy(&($3.a), &($$->al_i6addr), sizeof($3.a)); bcopy(&($3.m), &($$->al_i6mask), sizeof($3.m)); } ! | poollist ',' '!' ipaddr { $$ = newalist($1); $$->al_not = 1; bcopy(&($4.a), &($$->al_i6addr), sizeof($4.a)); *************** *** 997,1005 **** fr->fr_age[1] = $4;) } ; ! keep: | IPFY_KEEP keepstate ! | IPFY_KEEP keepfrag ! | IPFY_KEEP keepstate IPFY_KEEP keepfrag ; keepstate: --- 1031,1038 ---- fr->fr_age[1] = $4;) } ; ! keep: | IPFY_KEEP keepstate keep ! | IPFY_KEEP keepfrag keep ; keepstate: *************** *** 1046,1057 **** fr->fr_flags |= FR_NEWISN;) } | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) } ; portnum: ! 
servicename { $$ = ntohs(getport(frc, $1)); if ($$ == -1) yyerror("service unknown"); free($1); } | YY_NUMBER { $$ = $1; } --- 1079,1093 ---- fr->fr_flags |= FR_NEWISN;) } | IPFY_NOICMPERR { DOALL(fr->fr_flags |= FR_NOICMPERR;) } + + | IPFY_SYNC { DOALL(fr->fr_flags |= FR_STATESYNC;) } ; portnum: ! servicename { $$ = getport(frc, $1); if ($$ == -1) yyerror("service unknown"); + $$ = ntohs($$); free($1); } | YY_NUMBER { $$ = $1; } *************** *** 1096,1101 **** --- 1132,1138 ---- | IPFY_BADSRC { $$ = FI_BADSRC; } | IPFY_LOWTTL { $$ = FI_LOWTTL; } | IPFY_FRAG { $$ = FI_FRAG; } + | IPFY_FRAGBODY { $$ = FI_FRAGBODY; } | IPFY_FRAGS { $$ = FI_FRAG; } | IPFY_MBCAST { $$ = FI_MBCAST; } | IPFY_MULTICAST { $$ = FI_MULTICAST; } *************** *** 1346,1352 **** { "ah", IPFY_AH }, { "all", IPFY_ALL }, { "and", IPFY_AND }, - { "any", IPFY_ANY }, { "auth", IPFY_AUTH }, { "bad", IPFY_BAD }, { "bad-nat", IPFY_BADNAT }, --- 1383,1388 ---- *************** *** 1358,1381 **** #ifdef USE_INET6 { "bpf-v6", IPFY_BPFV6 }, #endif - { "broadcast", IPFY_BROADCAST }, { "call", IPFY_CALL }, { "code", IPFY_ICMPCODE }, { "count", IPFY_COUNT }, - { "dstopts", IPFY_IPV6OPT_DSTOPTS }, { "dup-to", IPFY_DUPTO }, { "eq", YY_CMP_EQ }, { "esp", IPFY_ESP }, { "fastroute", IPFY_FROUTE }, { "first", IPFY_FIRST }, - { "frag", IPFY_FRAG }, { "flags", IPFY_FLAGS }, { "frags", IPFY_FRAGS }, { "from", IPFY_FROM }, { "ge", YY_CMP_GE }, { "group", IPFY_GROUP }, { "gt", YY_CMP_GT }, - { "hash", IPFY_HASH }, { "head", IPFY_HEAD }, { "icmp", IPFY_ICMP }, { "icmp-type", IPFY_ICMPTYPE }, --- 1394,1415 ---- #ifdef USE_INET6 { "bpf-v6", IPFY_BPFV6 }, #endif { "call", IPFY_CALL }, { "code", IPFY_ICMPCODE }, { "count", IPFY_COUNT }, { "dup-to", IPFY_DUPTO }, { "eq", YY_CMP_EQ }, { "esp", IPFY_ESP }, { "fastroute", IPFY_FROUTE }, { "first", IPFY_FIRST }, { "flags", IPFY_FLAGS }, + { "frag", IPFY_FRAG }, + { "frag-body", IPFY_FRAGBODY }, { "frags", IPFY_FRAGS }, { "from", IPFY_FROM }, { "ge", YY_CMP_GE }, { "group", 
IPFY_GROUP }, { "gt", YY_CMP_GT }, { "head", IPFY_HEAD }, { "icmp", IPFY_ICMP }, { "icmp-type", IPFY_ICMPTYPE }, *************** *** 1397,1404 **** { "nat", IPFY_NAT }, { "ne", YY_CMP_NE }, { "net", IPFY_NETWORK }, - { "netmasked", IPFY_NETMASKED }, - { "network", IPFY_NETWORK }, { "newisn", IPFY_NEWISN }, { "no", IPFY_NO }, { "no-icmp-err", IPFY_NOICMPERR }, --- 1431,1436 ---- *************** *** 1411,1418 **** { "out", IPFY_OUT }, { "out-via", IPFY_OUTVIA }, { "pass", IPFY_PASS }, - { "peer", IPFY_PEER }, - { "pool", IPFY_POOL }, { "port", IPFY_PORT }, { "pps", IPFY_PPS }, { "preauth", IPFY_PREAUTH }, --- 1443,1448 ---- *************** *** 1428,1434 **** --- 1458,1466 ---- { "skip", IPFY_SKIP }, { "short", IPFY_SHORT }, { "state", IPFY_STATE }, + { "state-age", IPFY_AGE }, { "strict", IPFY_STRICT }, + { "sync", IPFY_SYNC }, { "tcp", IPFY_TCP }, { "tcp-udp", IPFY_TCPUDP }, { "tos", IPFY_TOS }, *************** *** 1440,1445 **** --- 1472,1492 ---- { NULL, 0 } }; + static struct wordtab addrwords[4] = { + { "any", IPFY_ANY }, + { "hash", IPFY_HASH }, + { "pool", IPFY_POOL }, + { NULL, 0 } + }; + + static struct wordtab maskwords[5] = { + { "broadcast", IPFY_BROADCAST }, + { "netmasked", IPFY_NETMASKED }, + { "network", IPFY_NETWORK }, + { "peer", IPFY_PEER }, + { NULL, 0 } + }; + static struct wordtab icmptypewords[16] = { { "echo", IPFY_ICMPT_ECHO }, { "echorep", IPFY_ICMPT_ECHOR }, *************** *** 1519,1525 **** { NULL, 0 }, }; ! static struct wordtab ipv6optwords[5] = { { "hopopts", IPFY_IPV6OPT_HOPOPTS }, { "ipv6", IPFY_IPV6OPT_IPV6 }, { "none", IPFY_IPV6OPT_NONE }, --- 1566,1575 ---- { NULL, 0 }, }; ! static struct wordtab ipv6optwords[8] = { ! { "dstopts", IPFY_IPV6OPT_DSTOPTS }, ! { "esp", IPFY_ESP }, ! 
{ "frag", IPFY_FRAG }, { "hopopts", IPFY_IPV6OPT_HOPOPTS }, { "ipv6", IPFY_IPV6OPT_IPV6 }, { "none", IPFY_IPV6OPT_NONE }, diff -cr ip_fil4.1.3/tools/ipfs.c ip_fil4.1.4/tools/ipfs.c *** ip_fil4.1.3/tools/ipfs.c Sun Jun 20 20:23:30 2004 --- ip_fil4.1.4/tools/ipfs.c Sun Oct 3 17:14:12 2004 *************** *** 224,230 **** usage(); break; case 'f' : ! if ((set == 0) && !dirname && !filename) filename = optarg; else usage(); --- 224,230 ---- usage(); break; case 'f' : ! if ((set != 0) && !dirname && !filename) filename = optarg; else usage(); *************** *** 249,255 **** set = 1; break; case 'r' : ! if ((ns >= 0) || dirname || (rw != -1)) usage(); rw = 0; set = 1; --- 249,255 ---- set = 1; break; case 'r' : ! if (dirname || (rw != -1) || (ns == -1)) usage(); rw = 0; set = 1; diff -cr ip_fil4.1.3/tools/ipfstat.c ip_fil4.1.4/tools/ipfstat.c *** ip_fil4.1.3/tools/ipfstat.c Sun Jul 18 14:11:37 2004 --- ip_fil4.1.4/tools/ipfstat.c Fri Dec 10 06:41:26 2004 *************** *** 68,74 **** #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.8 2004/07/18 04:11:37 darrenr Exp $"; #endif #ifdef __hpux --- 68,74 ---- #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.9 2004/12/09 19:41:26 darrenr Exp $"; #endif #ifdef __hpux *************** *** 1368,1375 **** if (c == ERR) continue; ! if (isalpha(c) && isupper(c)) ! c = tolower(c); if (c == 'l') { redraw = 1; } else if (c == 'q') { --- 1368,1375 ---- if (c == ERR) continue; ! if (ISALPHA(c) && ISUPPER(c)) ! 
c = TOLOWER(c); if (c == 'l') { redraw = 1; } else if (c == 'q') { diff -cr ip_fil4.1.3/tools/ipmon.c ip_fil4.1.4/tools/ipmon.c *** ip_fil4.1.3/tools/ipmon.c Sun Jun 20 20:24:24 2004 --- ip_fil4.1.4/tools/ipmon.c Fri Dec 10 06:41:26 2004 *************** *** 76,82 **** #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.6 2004/06/20 10:24:24 darrenr Exp $"; #endif --- 76,82 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.8 2004/12/09 19:41:26 darrenr Exp $"; #endif *************** *** 134,143 **** static char line[2048]; static int opts = 0; - static FILE *newlog = NULL; static char *logfile = NULL; static FILE *binarylog = NULL; - static FILE *newbinarylog = NULL; static char *binarylogfile = NULL; static int donehup = 0; static void usage __P((char *)); --- 134,141 ---- *************** *** 389,405 **** static void handlehup(sig) int sig; { - FILE *fp; - - if (donehup == 1) - return; - signal(SIGHUP, handlehup); - if (logfile && (fp = fopen(logfile, "a"))) - newlog = fp; - if (binarylogfile && (fp = fopen(binarylogfile, "a"))) - newbinarylog = fp; - init_tabs(); donehup = 1; } --- 387,393 ---- *************** *** 666,672 **** sprintf((char *)t, " "); t += 8; for (k = 16; k; k--, s++) ! *t++ = (isprint(*s) ? *s : '.'); s--; } --- 654,660 ---- sprintf((char *)t, " "); t += 8; for (k = 16; k; k--, s++) ! *t++ = (ISPRINT(*s) ? *s : '.'); s--; } *************** *** 684,690 **** t += 7; s -= j & 0xf; for (k = j & 0xf; k; k--, s++) ! *t++ = (isprint(*s) ? *s : '.'); *t++ = '\n'; *t = '\0'; } --- 672,678 ---- t += 7; s -= j & 0xf; for (k = j & 0xf; k; k--, s++) ! *t++ = (ISPRINT(*s) ? *s : '.'); *t++ = '\n'; *t = '\0'; } *************** *** 1019,1025 **** (void) sprintf(t, "%s", ifname); t += strlen(t); # if defined(MENTAT) || defined(linux) ! 
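Review bot: handlehup now only sets `donehup = 1`, and the `signal(SIGHUP, handlehup);` re-arm was removed along with the rest of the body; on platforms where signal() has System V reset-to-SIG_DFL semantics (Solaris, which this code targets via the MENTAT ifdefs), the second SIGHUP will terminate ipmon unless the handler is installed with sigaction() without SA_RESETHAND, and the installation site is not visible here. Moving the fopen()/init_tabs() work out of the handler is the right fix for async-signal safety, but the flag it leaves behind is declared `static int donehup = 0;` (see the 134,143 hunk) and should be `static volatile sig_atomic_t donehup = 0;` so the main loop is guaranteed to observe the store. Re-adding the re-arm as the handler's first statement, or switching the installation to sigaction(), closes the first issue.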
if (isalpha(*(t - 1))) { sprintf(t, "%d", ipf->fl_unit); t += strlen(t); } --- 1007,1013 ---- (void) sprintf(t, "%s", ifname); t += strlen(t); # if defined(MENTAT) || defined(linux) ! if (ISALPHA(*(t - 1))) { sprintf(t, "%d", ipf->fl_unit); t += strlen(t); } *************** *** 1420,1425 **** --- 1408,1414 ---- { struct stat sb; FILE *log = stdout; + FILE *fp; int fd[3], doread, n, i; int tr, nr, regular[3], c; int fdt[3], devices = 0, make_daemon = 0; *************** *** 1623,1638 **** tr = read_log(fd[i], &n, buf, sizeof(buf)); if (donehup) { ! if (newlog) { fclose(log); ! log = newlog; ! newlog = NULL; } ! if (newbinarylog) { fclose(binarylog); ! binarylog = newbinarylog; ! newbinarylog = NULL; } if (conf_file != NULL) load_config(conf_file); donehup = 0; --- 1612,1626 ---- tr = read_log(fd[i], &n, buf, sizeof(buf)); if (donehup) { ! if (logfile && (fp = fopen(logfile, "a"))) { fclose(log); ! log = fp; } ! if (binarylogfile && (fp = fopen(binarylogfile, "a"))) { fclose(binarylog); ! binarylog = fp; } + init_tabs(); if (conf_file != NULL) load_config(conf_file); donehup = 0; diff -cr ip_fil4.1.3/tools/ipnat_y.y ip_fil4.1.4/tools/ipnat_y.y *** ip_fil4.1.3/tools/ipnat_y.y Sun Jun 20 20:17:30 2004 --- ip_fil4.1.4/tools/ipnat_y.y Tue Dec 21 10:11:24 2004 *************** *** 131,137 **** ; map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions ! { nat->in_inip = $3.a.s_addr; nat->in_inmsk = $3.m.s_addr; nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; --- 131,138 ---- ; map: mapit ifnames addr IPNY_TLATE rhaddr proxy mapoptions ! { nat->in_v = 4; ! nat->in_inip = $3.a.s_addr; nat->in_inmsk = $3.m.s_addr; nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; *************** *** 146,152 **** nat_setgroupmap(nat); } | mapit ifnames addr IPNY_TLATE rhaddr mapport mapoptions ! 
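Review bot: In the `donehup` branch, `if (logfile && (fp = fopen(logfile, "a")))` silently keeps the old `log` stream when the reopen fails, so after a log rotation ipmon may keep writing to an unlinked file with no diagnostic, an unobserved loss of audit records. Add an error path such as `else if (logfile != NULL) perror(logfile);` (or the daemon's syslog route if stderr is closed once daemonised), and the same for `binarylogfile`. Whether `binarylog` can still be NULL when `binarylogfile` is set is not visible here; if it can, the `fclose(binarylog)` needs a guard. The enclosing main loop begins and ends outside this hunk.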
{ nat->in_inip = $3.a.s_addr; nat->in_inmsk = $3.m.s_addr; nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; --- 147,154 ---- nat_setgroupmap(nat); } | mapit ifnames addr IPNY_TLATE rhaddr mapport mapoptions ! { nat->in_v = 4; ! nat->in_inip = $3.a.s_addr; nat->in_inmsk = $3.m.s_addr; nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; *************** *** 161,167 **** nat_setgroupmap(nat); } | mapit ifnames mapfrom IPNY_TLATE rhaddr proxy mapoptions ! { nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], --- 163,170 ---- nat_setgroupmap(nat); } | mapit ifnames mapfrom IPNY_TLATE rhaddr proxy mapoptions ! { nat->in_v = 4; ! nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], *************** *** 174,180 **** nat_setgroupmap(nat); } | mapit ifnames mapfrom IPNY_TLATE rhaddr mapport mapoptions ! { nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], --- 177,184 ---- nat_setgroupmap(nat); } | mapit ifnames mapfrom IPNY_TLATE rhaddr mapport mapoptions ! { nat->in_v = 4; ! nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], *************** *** 190,196 **** mapblock: mapblockit ifnames addr IPNY_TLATE addr ports mapoptions ! { nat->in_inip = $3.a.s_addr; nat->in_inmsk = $3.m.s_addr; nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; --- 194,201 ---- mapblock: mapblockit ifnames addr IPNY_TLATE addr ports mapoptions ! { nat->in_v = 4; ! nat->in_inip = $3.a.s_addr; nat->in_inmsk = $3.m.s_addr; nat->in_outip = $5.a.s_addr; nat->in_outmsk = $5.m.s_addr; *************** *** 207,213 **** ; redir: rdrit ifnames addr dport IPNY_TLATE dip nport rdrproto rdroptions ! 
{ nat->in_outip = $3.a.s_addr; nat->in_outmsk = $3.m.s_addr; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], --- 212,219 ---- ; redir: rdrit ifnames addr dport IPNY_TLATE dip nport rdrproto rdroptions ! { nat->in_v = 4; ! nat->in_outip = $3.a.s_addr; nat->in_outmsk = $3.m.s_addr; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], *************** *** 221,227 **** setnatproto(IPPROTO_TCP); } | rdrit ifnames rdrfrom IPNY_TLATE dip nport rdrproto rdroptions ! { if ((nat->in_p == 0) && ((nat->in_flags & IPN_TCPUDP) == 0) && (nat->in_pmin != 0 || nat->in_pmax != 0 || --- 227,234 ---- setnatproto(IPPROTO_TCP); } | rdrit ifnames rdrfrom IPNY_TLATE dip nport rdrproto rdroptions ! { nat->in_v = 4; ! if ((nat->in_p == 0) && ((nat->in_flags & IPN_TCPUDP) == 0) && (nat->in_pmin != 0 || nat->in_pmax != 0 || *************** *** 233,239 **** sizeof(nat->in_ifnames[0])); } | rdrit ifnames addr IPNY_TLATE dip rdrproto rdroptions ! { nat->in_outip = $3.a.s_addr; nat->in_outmsk = $3.m.s_addr; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], --- 240,247 ---- sizeof(nat->in_ifnames[0])); } | rdrit ifnames addr IPNY_TLATE dip rdrproto rdroptions ! { nat->in_v = 4; ! nat->in_outip = $3.a.s_addr; nat->in_outmsk = $3.m.s_addr; if (nat->in_ifnames[1][0] == '\0') strncpy(nat->in_ifnames[1], *************** *** 281,289 **** ; dip: ! ipv4 { nat->in_inip = $1.s_addr; nat->in_inmsk = 0xffffffff; } ! | ipv4 ',' ipv4 { nat->in_flags |= IPN_SPLIT; nat->in_inip = $1.s_addr; nat->in_inmsk = $3.s_addr; } ; --- 289,297 ---- ; dip: ! hostname { nat->in_inip = $1.s_addr; nat->in_inmsk = 0xffffffff; } ! 
| hostname ',' hostname { nat->in_flags |= IPN_SPLIT; nat->in_inip = $1.s_addr; nat->in_inmsk = $3.s_addr; } ; *************** *** 491,496 **** --- 499,505 ---- { strncpy(nat->in_plabel, $2, sizeof(nat->in_plabel)); nat->in_dport = nat->in_pnext; + nat->in_dport = htons(nat->in_dport); free($2); } | proxy { if (nat->in_plabel[0] != '\0') { *************** *** 561,566 **** --- 570,576 ---- { "map", IPNY_MAP }, { "map-block", IPNY_MAPBLOCK }, { "mssclamp", IPNY_MSSCLAMP }, + { "netmask", IPNY_MASK }, { "port", IPNY_PORT }, { "portmap", IPNY_PORTMAP }, { "ports", IPNY_PORTS }, *************** *** 571,576 **** --- 581,587 ---- { "sticky", IPNY_STICKY }, { "tag", IPNY_TAG }, { "tcp", IPNY_TCP }, + { "tcpudp", IPNY_TCPUDP }, { "to", IPNY_TO }, { "udp", IPNY_UDP }, { "-", '-' }, *************** *** 688,702 **** nat->in_flags |= IPN_UDP; nat->in_flags &= ~IPN_TCP; break; default : if ((nat->in_redir & NAT_MAPBLK) == 0) { nat->in_pmin = 0; nat->in_pmax = 0; nat->in_pnext = 0; - nat->in_flags &= ~IPN_TCPUDP; } break; } } --- 699,728 ---- nat->in_flags |= IPN_UDP; nat->in_flags &= ~IPN_TCP; break; + case IPPROTO_ICMP : + nat->in_flags &= ~IPN_TCPUDP; + if (!(nat->in_flags & IPN_ICMPQUERY)) { + nat->in_dcmp = 0; + nat->in_scmp = 0; + nat->in_pmin = 0; + nat->in_pmax = 0; + nat->in_pnext = 0; + } + break; default : if ((nat->in_redir & NAT_MAPBLK) == 0) { + nat->in_flags &= ~IPN_TCPUDP; + nat->in_dcmp = 0; + nat->in_scmp = 0; nat->in_pmin = 0; nat->in_pmax = 0; nat->in_pnext = 0; } break; } + + if ((nat->in_flags & (IPN_TCPUDP|IPN_FIXEDDPORT)) == IPN_FIXEDDPORT) + nat->in_flags &= ~IPN_FIXEDDPORT; } diff -cr ip_fil4.1.3/tools/ipscan_y.y ip_fil4.1.4/tools/ipscan_y.y *** ip_fil4.1.3/tools/ipscan_y.y Mon Jul 28 12:26:12 2003 --- ip_fil4.1.4/tools/ipscan_y.y Fri Dec 10 06:41:27 2004 *************** *** 207,213 **** j = k = 0; do { c = *s++; ! if (j && (!isdigit(c) || (c > '7') || (k >= 248))) { *u++ = k, i++; j = k = 0; --- 207,213 ---- j = k = 0; do { c = *s++; ! 
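Review bot: In the proxy port action (491,496 hunk) the adjacent statements `nat->in_dport = nat->in_pnext; nat->in_dport = htons(nat->in_dport);` read more clearly as the single `nat->in_dport = htons(nat->in_pnext);`, which also makes it explicit that in_dport is held in network byte order while in_pnext is host order. If other actions in this grammar assign in_dport without htons(), a one-line comment stating which byte order the field carries would help, since this file is the only place that convention is visible.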
if (j && (!ISDIGIT(c) || (c > '7') || (k >= 248))) { *u++ = k, i++; j = k = 0; *************** *** 216,222 **** } i++; ! if (isalpha(c) || (c > '7')) { switch (c) { case 'n' : --- 216,222 ---- } i++; ! if (ISALPHA(c) || (c > '7')) { switch (c) { case 'n' : *************** *** 232,238 **** *u++ = c; break; } ! } else if (isdigit(c)) { j = 1; k <<= 3; k |= (c - '0'); --- 232,238 ---- *u++ = c; break; } ! } else if (ISDIGIT(c)) { j = 1; k <<= 3; k |= (c - '0'); diff -cr ip_fil4.1.3/tools/ipsyncm.c ip_fil4.1.4/tools/ipsyncm.c *** ip_fil4.1.3/tools/ipsyncm.c Fri Sep 5 04:40:43 2003 --- ip_fil4.1.4/tools/ipsyncm.c Sun Jan 9 01:31:46 2005 *************** *** 1,3 **** --- 1,12 ---- + /* + * Copyright (C) 1993-2001 by Darren Reed. + * + * See the IPFILTER.LICENCE file for details on licencing. + */ + #if !defined(lint) + static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; + static const char rcsid[] = "@(#)$Id: ipsyncm.c,v 1.4.2.2 2005/01/08 14:31:46 darrenr Exp $"; + #endif #include #include #include *************** *** 12,17 **** --- 21,28 ---- #include #include #include + #include + #include #include "netinet/ip_compat.h" #include "netinet/ip_fil.h" *************** *** 22,48 **** int main __P((int, char *[])); int main(argc, argv) int argc; char *argv[]; { struct sockaddr_in sin; ! char buff[1400], *s; synclogent_t *sl; syncupdent_t *su; ! int nfd, lfd, n; synchdr_t *sh; ! 
if (argc < 2) exit(1); - - lfd = open(IPSYNC_NAME, O_RDONLY); - if (lfd == -1) { - perror("open"); - exit(1); } bzero((char *)&sin, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_addr.s_addr = inet_addr(argv[1]); --- 33,88 ---- int main __P((int, char *[])); + int terminate = 0; + void usage(const char *progname) { + fprintf(stderr, "Usage: %s \n", progname); + } + + static void handleterm(int sig) + { + terminate = sig; + } + + + /* should be large enough to hold header + any datatype */ + #define BUFFERLEN 1400 + int main(argc, argv) int argc; char *argv[]; { struct sockaddr_in sin; ! char buff[BUFFERLEN]; synclogent_t *sl; syncupdent_t *su; ! int nfd = -1, lfd = -1, n1, n2, n3, len; ! int inbuf; ! u_32_t magic; synchdr_t *sh; + char *progname; + + progname = strrchr(argv[0], '/'); + if (progname) { + progname++; + } else { + progname = argv[0]; + } + ! if (argc < 2) { ! usage(progname); exit(1); } + #if 0 + signal(SIGHUP, handleterm); + signal(SIGINT, handleterm); + signal(SIGTERM, handleterm); + #endif + + openlog(progname, LOG_PID, LOG_SECURITY); + bzero((char *)&sin, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_addr.s_addr = inet_addr(argv[1]); *************** *** 51,73 **** else sin.sin_port = htons(43434); ! nfd = socket(AF_INET, SOCK_STREAM, 0); ! if (nfd == -1) { ! perror("socket"); ! exit(1); ! } ! if (connect(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) { ! perror("connect"); ! exit(1); ! } ! while ((n = read(lfd, buff, sizeof(buff))) > 0) { ! for (s = buff; s < buff + n; ) { ! sh = (synchdr_t *)s; ! printf("(%d) v:%d p:%d", (int)(buff + n - s), sh->sm_v, ! sh->sm_p); if (sh->sm_cmd == SMC_CREATE) printf(" cmd:CREATE"); else if (sh->sm_cmd == SMC_UPDATE) --- 91,166 ---- else sin.sin_port = htons(43434); ! while (1) { ! if (lfd != -1) ! close(lfd); ! if (nfd != -1) ! close(nfd); ! lfd = open(IPSYNC_NAME, O_RDONLY); ! if (lfd == -1) { ! syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME); ! goto tryagain; ! } ! ! 
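Review bot: `int terminate = 0;` is stored from handleterm() and polled in main(), so it should be `static volatile sig_atomic_t terminate = 0;`; as a plain int the compiler may keep it in a register across the `if (terminate)` checks. With the three signal() registrations under `#if 0`, the handler is never installed, so terminate can never become non-zero and the "signal received?" breaks and the final `syslog(LOG_ERR, "signal %d received, exiting...", terminate)` are dead code — either enable the registrations or drop the handler and the checks together. `handleterm` is `static` and, under `#if 0`, unreferenced, which most compilers will warn about. The same pattern is in the ipsyncs.c 21,46 hunk.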
nfd = socket(AF_INET, SOCK_DGRAM, 0); ! if (nfd == -1) { ! syslog(LOG_ERR, "Socket :%m"); ! goto tryagain; ! } ! ! if (connect(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) { ! syslog(LOG_ERR, "Connect: %m"); ! goto tryagain; ! } + syslog(LOG_INFO, "Established connection to %s", + inet_ntoa(sin.sin_addr)); + + inbuf = 0; + while (1) { + + n1 = read(lfd, buff+inbuf, BUFFERLEN-inbuf); + + printf("header : %d bytes read (header = %d bytes)\n", + n1, sizeof(*sh)); + + if (n1 < 0) { + syslog(LOG_ERR, "Read error (header): %m"); + goto tryagain; + } + + if (n1 == 0) { + /* XXX can this happen??? */ + syslog(LOG_ERR, + "Read error (header) : No data"); + sleep(1); + continue; + } + + inbuf += n1; + + moreinbuf: + if (inbuf < sizeof(*sh)) { + continue; /* need more data */ + } + + sh = (synchdr_t *)buff; + len = ntohl(sh->sm_len); + magic = ntohl(sh->sm_magic); + + if (magic != SYNHDRMAGIC) { + syslog(LOG_ERR, + "Invalid header magic %x", magic); + goto tryagain; + } + + #define IPSYNC_DEBUG + #ifdef IPSYNC_DEBUG + printf("v:%d p:%d len:%d magic:%x", sh->sm_v, + sh->sm_p, len, magic); + if (sh->sm_cmd == SMC_CREATE) printf(" cmd:CREATE"); else if (sh->sm_cmd == SMC_UPDATE) *************** *** 83,106 **** printf(" table:Unknown(%d)", sh->sm_table); printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num)); if (sh->sm_cmd == SMC_CREATE) { ! sl = (synclogent_t *)sh; ! s += sizeof(*sl); } else if (sh->sm_cmd == SMC_UPDATE) { ! su = (syncupdent_t *)sh; ! s += sizeof(*su); } else { printf("Unknown command\n"); } ! } ! if (write(nfd, buff, n) != n) { ! perror("write"); ! exit(1); } } ! close(lfd); ! close(nfd); ! exit(0); } --- 176,251 ---- printf(" table:Unknown(%d)", sh->sm_table); printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num)); + #endif + + if (inbuf < sizeof(*sh) + len) { + continue; /* need more data */ + goto tryagain; + } + + #ifdef IPSYNC_DEBUG if (sh->sm_cmd == SMC_CREATE) { ! sl = (synclogent_t *)buff; ! } else if (sh->sm_cmd == SMC_UPDATE) { ! su = (syncupdent_t *)buff; ! 
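Review bot: `len = ntohl(sh->sm_len)` is accepted with no upper bound before the `inbuf < sizeof(*sh) + len` test (that test is in the 83,106 hunk; the loop body spans both hunks): a record whose declared length exceeds `BUFFERLEN - sizeof(*sh)` can never be fully buffered, so once inbuf reaches BUFFERLEN the next `read(lfd, buff+inbuf, 0)` returns 0 and the loop logs "No data" and sleeps forever. Because len is an `int`, a value with the top bit set also makes `sizeof(*sh) + len` wrap to a huge size_t with the same result. Reject it right after the magic check: `if (len < 0 || (size_t)len > BUFFERLEN - sizeof(*sh)) { syslog(LOG_ERR, "Invalid header length %d", len); goto tryagain; }`. The same check is missing in ipsyncs.c (52,106 hunk), where the length arrives in an unauthenticated UDP datagram rather than from the local device, so there it wedges the sync server remotely. Separately, `#define IPSYNC_DEBUG` is defined unconditionally just before its `#ifdef`, so the debug printf()s are always compiled in, and `printf("... (header = %d bytes)\n", n1, sizeof(*sh))` passes a size_t to `%d`.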
if (sh->sm_p == IPPROTO_TCP) { ! printf(" TCP Update: age %lu state %d/%d\n", ! su->sup_tcp.stu_age, ! su->sup_tcp.stu_state[0], ! su->sup_tcp.stu_state[1]); ! } } else { printf("Unknown command\n"); } ! #endif ! n2 = sizeof(*sh) + len; ! n3 = write(nfd, buff, n2); ! if (n3 <= 0) { ! syslog(LOG_ERR, "Write error: %m"); ! goto tryagain; ! } ! ! ! if (n3 != n2) { ! syslog(LOG_ERR, "Incomplete write (%d/%d)", ! n3, n2); ! goto tryagain; ! } ! ! /* signal received? */ ! if (terminate) ! break; ! ! /* move buffer to the front,we might need to make ! * this more efficient, by using a rolling pointer ! * over the buffer and only copying it, when ! * we are reaching the end ! */ ! inbuf -= n2; ! if (inbuf) { ! bcopy(buff+n2, buff, inbuf); ! printf("More data in buffer\n"); ! goto moreinbuf; ! } } + if (terminate) + break; + tryagain: + sleep(1); } ! ! ! /* terminate */ ! if (lfd != -1) ! close(lfd); ! if (nfd != -1) ! close(nfd); ! ! syslog(LOG_ERR, "signal %d received, exiting...", terminate); ! ! exit(1); } + diff -cr ip_fil4.1.3/tools/ipsyncs.c ip_fil4.1.4/tools/ipsyncs.c *** ip_fil4.1.3/tools/ipsyncs.c Fri Sep 5 04:40:43 2003 --- ip_fil4.1.4/tools/ipsyncs.c Mon Nov 1 05:46:44 2004 *************** *** 5,11 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5 2003/09/04 18:40:43 darrenr Exp $"; #endif #include #include --- 5,11 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipsyncs.c,v 1.5.2.1 2004/10/31 18:46:44 darrenr Exp $"; #endif #include #include *************** *** 21,46 **** #include #include #include #include "netinet/ip_compat.h" #include "netinet/ip_fil.h" - int main __P((int, char *[])); int main(argc, argv) int argc; char *argv[]; { ! int fd, nfd, lfd, i, n, slen; ! struct sockaddr_in sin, san; ! struct in_addr in; ! char buff[1400]; ! 
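Review bot: In the `if (inbuf < sizeof(*sh) + len)` block the `goto tryagain;` after `continue;` is unreachable and reads as a leftover from two different policies (wait for more data vs. reset the connection); keep one and delete the other so the intent is clear — the ipsyncs.c 52,106 hunk has the identical dead line. The closing `syslog(LOG_ERR, "signal %d received, exiting...", terminate)` and `exit(1)` are reachable only through the `if (terminate) break;` paths, i.e. an orderly shutdown, which is reported at LOG_ERR with a non-zero exit status; LOG_INFO and `exit(0)` describe that path better. The enclosing main() starts outside this hunk.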
fd = open(IPSYNC_NAME, O_WRONLY); ! if (fd == -1) { ! perror("open"); exit(1); } --- 21,91 ---- #include #include #include + #include + #include + #include #include "netinet/ip_compat.h" #include "netinet/ip_fil.h" + #include "netinet/ip_state.h" + #include "netinet/ip_nat.h" + #include "netinet/ip_sync.h" int main __P((int, char *[])); + int terminate = 0; + void usage(const char *progname) { + fprintf(stderr, + "Usage: %s [remote IP]\n", + progname); + } + + static void handleterm(int sig) + { + terminate = sig; + + } + + #define BUFFERLEN 1400 + int main(argc, argv) int argc; char *argv[]; { ! int nfd = -1 , lfd = -1; ! int n1, n2, n3, magic, len, inbuf; ! struct sockaddr_in sin; ! struct sockaddr_in in; ! char buff[BUFFERLEN]; ! synclogent_t *sl; ! syncupdent_t *su; ! synchdr_t *sh; ! char *progname; ! ! progname = strrchr(argv[0], '/'); ! if (progname) { ! progname++; ! } else { ! progname = argv[0]; ! } ! ! if (argc < 2) { ! usage(progname); ! exit(1); ! } ! #if 0 ! signal(SIGHUP, handleterm); ! signal(SIGINT, handleterm); ! signal(SIGTERM, handleterm); ! #endif ! ! openlog(progname, LOG_PID, LOG_SECURITY); ! ! lfd = open(IPSYNC_NAME, O_WRONLY); ! if (lfd == -1) { ! syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME); exit(1); } *************** *** 52,106 **** sin.sin_port = htons(atoi(argv[2])); else sin.sin_port = htons(43434); ! if (argc > 3) ! in.s_addr = inet_addr(argv[3]); else ! in.s_addr = 0; ! lfd = socket(AF_INET, SOCK_STREAM, 0); ! if (lfd == -1) { ! perror("socket"); ! exit(1); ! } ! n = 1; ! setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &n, sizeof(n)); ! ! if (bind(lfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) { ! perror("bind"); ! exit(1); ! } ! ! listen(lfd, 1); ! ! do { ! slen = sizeof(san); ! nfd = accept(lfd, (struct sockaddr *)&san, &slen); if (nfd == -1) { ! perror("accept"); ! continue; } - n = 1; - setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &n, sizeof(n)); ! printf("Connection from %s\n", inet_ntoa(san.sin_addr)); ! 
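Review bot: `magic` is declared `int` here while the matching ipsyncm.c code declares `u_32_t magic`; ntohl() yields a 32-bit unsigned value that is compared with SYNHDRMAGIC and printed with `%x`, so `u_32_t magic;` keeps the two tools consistent and the comparison free of sign conversion. `struct sockaddr_in in;` only ever receives sin_addr and sin_port (52,106 hunk) and is never passed to a socket call, so it could stay the plain `struct in_addr` of the old code, or be used for the source check the XXX comment in that hunk defers.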
if (in.s_addr && (in.s_addr != san.sin_addr.s_addr)) { ! close(nfd); ! continue; } ! while ((n = read(nfd, buff, sizeof(buff))) > 0) { ! i = write(fd, buff, n); ! if (i != n) { ! perror("write"); ! exit(1); } } close(nfd); - } while (1); ! close(lfd); ! exit(0); } --- 97,270 ---- sin.sin_port = htons(atoi(argv[2])); else sin.sin_port = htons(43434); ! if (argc > 3) ! in.sin_addr.s_addr = inet_addr(argv[3]); else ! in.sin_addr.s_addr = 0; ! in.sin_port = 0; ! while(1) { ! ! if (lfd != -1) ! close(lfd); ! if (nfd != -1) ! close(nfd); ! lfd = open(IPSYNC_NAME, O_WRONLY); ! if (lfd == -1) { ! syslog(LOG_ERR, "Opening %s :%m", IPSYNC_NAME); ! goto tryagain; ! } ! ! nfd = socket(AF_INET, SOCK_DGRAM, 0); if (nfd == -1) { ! syslog(LOG_ERR, "Socket :%m"); ! goto tryagain; } ! n1 = 1; ! setsockopt(nfd, SOL_SOCKET, SO_REUSEADDR, &n1, sizeof(n1)); ! if (bind(nfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) { ! syslog(LOG_ERR, "Bind: %m"); ! goto tryagain; } ! syslog(LOG_INFO, "Established connection to %s", ! inet_ntoa(sin.sin_addr)); ! ! inbuf = 0; ! while (1) { ! ! ! /* ! * XXX currently we do not check the source address ! * of a datagram, this can be a security risk ! */ ! n1 = read(nfd, buff+inbuf, BUFFERLEN-inbuf); ! ! printf("header : %d bytes read (header = %d bytes)\n", ! n1, sizeof(*sh)); ! ! if (n1 < 0) { ! syslog(LOG_ERR, "Read error (header): %m"); ! goto tryagain; } + + if (n1 == 0) { + /* XXX can this happen??? 
*/ + syslog(LOG_ERR, + "Read error (header) : No data"); + sleep(1); + continue; + } + + inbuf += n1; + + moreinbuf: + if (inbuf < sizeof(*sh)) { + continue; /* need more data */ + } + + sh = (synchdr_t *)buff; + len = ntohl(sh->sm_len); + magic = ntohl(sh->sm_magic); + + if (magic != SYNHDRMAGIC) { + syslog(LOG_ERR, "Invalid header magic %x", + magic); + goto tryagain; + } + + #define IPSYNC_DEBUG + #ifdef IPSYNC_DEBUG + printf("v:%d p:%d len:%d magic:%x", sh->sm_v, + sh->sm_p, len, magic); + + if (sh->sm_cmd == SMC_CREATE) + printf(" cmd:CREATE"); + else if (sh->sm_cmd == SMC_UPDATE) + printf(" cmd:UPDATE"); + else + printf(" cmd:Unknown(%d)", sh->sm_cmd); + + if (sh->sm_table == SMC_NAT) + printf(" table:NAT"); + else if (sh->sm_table == SMC_STATE) + printf(" table:STATE"); + else + printf(" table:Unknown(%d)", sh->sm_table); + + printf(" num:%d\n", (u_32_t)ntohl(sh->sm_num)); + #endif + + if (inbuf < sizeof(*sh) + len) { + continue; /* need more data */ + goto tryagain; + } + + #ifdef IPSYNC_DEBUG + if (sh->sm_cmd == SMC_CREATE) { + sl = (synclogent_t *)buff; + + } else if (sh->sm_cmd == SMC_UPDATE) { + su = (syncupdent_t *)buff; + if (sh->sm_p == IPPROTO_TCP) { + printf(" TCP Update: age %lu state %d/%d\n", + su->sup_tcp.stu_age, + su->sup_tcp.stu_state[0], + su->sup_tcp.stu_state[1]); + } + } else { + printf("Unknown command\n"); + } + #endif + + n2 = sizeof(*sh) + len; + n3 = write(lfd, buff, n2); + if (n3 <= 0) { + syslog(LOG_ERR, "Write error: %m"); + goto tryagain; + } + + + if (n3 != n2) { + syslog(LOG_ERR, "Incomplete write (%d/%d)", + n3, n2); + goto tryagain; + } + + /* signal received? 
*/ + if (terminate) + break; + + /* move buffer to the front,we might need to make + * this more efficient, by using a rolling pointer + * over the buffer and only copying it, when + * we are reaching the end + */ + inbuf -= n2; + if (inbuf) { + bcopy(buff+n2, buff, inbuf); + printf("More data in buffer\n"); + goto moreinbuf; + } } + + if (terminate) + break; + tryagain: + sleep(1); + } + + + /* terminate */ + if (lfd != -1) + close(lfd); + if (nfd != -1) close(nfd); ! syslog(LOG_ERR, "signal %d received, exiting...", terminate); ! exit(1); } diff -cr ip_fil4.1.3/tools/lexer.c ip_fil4.1.4/tools/lexer.c *** ip_fil4.1.3/tools/lexer.c Wed Jul 14 02:13:46 2004 --- ip_fil4.1.4/tools/lexer.c Fri Dec 10 06:41:27 2004 *************** *** 24,30 **** FILE *yyin; ! #define ishex(c) (isdigit(c) || ((c) >= 'a' && (c) <= 'f') || \ ((c) >= 'A' && (c) <= 'F')) #define TOOLONG -3 --- 24,30 ---- FILE *yyin; ! #define ishex(c) (ISDIGIT(c) || ((c) >= 'a' && (c) <= 'f') || \ ((c) >= 'A' && (c) <= 'F')) #define TOOLONG -3 *************** *** 179,184 **** --- 179,186 ---- } yylast -= yypos; yypos = 0; + lnext = 0; + nokey = 0; goto nextchar; case '\\' : *************** *** 225,237 **** } (void) yygetc(); } else { ! if (!isalpha(n)) { yyunputc(n); break; } do { n = yygetc(); ! } while (isalpha(n) || isdigit(n) || n == '_'); yyunputc(n); } --- 227,239 ---- } (void) yygetc(); } else { ! if (!ISALPHA(n)) { yyunputc(n); break; } do { n = yygetc(); ! 
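Review bot: The source-address filter the old TCP version enforced (`if (in.s_addr && (in.s_addr != san.sin_addr.s_addr)) close(nfd)`) is gone: `in.sin_addr` is still filled from argv[3] but never consulted, and the new `read(nfd, ...)` on the bound UDP socket accepts a datagram from any host, as the XXX comment admits. Every accepted record is written straight into the kernel through lfd, so the state/NAT tables become writable by any host that can reach the port; switching to recvfrom() and dropping datagrams whose source differs from the configured peer restores the previous behaviour (it is not authentication — UDP sources are spoofable — so the port should still be reachable only from the peer, but it closes the regression the comment flags). The length bound raised for the ipsyncm.c 51,73 hunk applies here unchanged and matters more because the input is remote. Also, `syslog(LOG_INFO, "Established connection to %s", inet_ntoa(sin.sin_addr))` prints the local bind address on the server side, which is misleading for a connectionless socket.
```c
	struct sockaddr_in from;	/* with the other locals of main() */
	socklen_t fromlen;
	/* … unchanged: socket/bind setup, inbuf = 0 … */
			fromlen = sizeof(from);
			n1 = recvfrom(nfd, buff+inbuf, BUFFERLEN-inbuf, 0,
				      (struct sockaddr *)&from, &fromlen);
			if (n1 > 0 && in.sin_addr.s_addr != 0 &&
			    from.sin_addr.s_addr != in.sin_addr.s_addr) {
				syslog(LOG_WARNING, "Dropping datagram from %s",
				       inet_ntoa(from.sin_addr));
				continue;
			}
			/* … unchanged: n1 < 0 and n1 == 0 handling, header parsing … */
```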
} while (ISALPHA(n) || ISDIGIT(n) || n == '_'); yyunputc(n); } *************** *** 300,305 **** --- 302,309 ---- switch (c) { case '-' : + if (yyexpectaddr) + break; if (isbuilding == 1) break; n = yygetc(); *************** *** 326,331 **** --- 330,337 ---- goto done; case '<' : + if (yyexpectaddr) + break; if (isbuilding == 1) { yyunputc(c); goto done; *************** *** 344,349 **** --- 350,357 ---- goto done; case '>' : + if (yyexpectaddr) + break; if (isbuilding == 1) { yyunputc(c); goto done; *************** *** 426,435 **** /* * No negative numbers with leading - sign.. */ ! if (isbuilding == 0 && isdigit(c)) { do { n = yygetc(); ! } while (isdigit(n)); yyunputc(n); rval = YY_NUMBER; goto done; --- 434,443 ---- /* * No negative numbers with leading - sign.. */ ! if (isbuilding == 0 && ISDIGIT(c)) { do { n = yygetc(); ! } while (ISDIGIT(n)); yyunputc(n); rval = YY_NUMBER; goto done; *************** *** 472,478 **** switch (rval) { case YY_NUMBER : ! yylval.num = atoi(yystr); break; case YY_HEX : --- 480,486 ---- switch (rval) { case YY_NUMBER : ! sscanf(yystr, "%u", &yylval.num); break; case YY_HEX :
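Review bot: `sscanf(yystr, "%u", &yylval.num)` replaces atoi() but its return value is ignored, and for a digit string that does not fit an unsigned int the behaviour of `%u` is undefined rather than reported, so a rule containing an oversized number silently yields a garbage value. Since yystr here is the digit run collected by the YY_NUMBER path (426,435 hunk), strtoul() with an ERANGE check is the right tool: `errno = 0; yylval.num = strtoul(yystr, NULL, 10); if (errno == ERANGE) { /* report via the lexer's existing error path */ }`, which needs `<errno.h>` and `<stdlib.h>` in scope. Whether yylval.num is wide enough for the converted value depends on its declaration, which is outside this hunk.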