Index: HISTORY =================================================================== RCS file: /devel/CVS/IP-Filter/HISTORY,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/09 15:17:40 --- 2.0.1.3 1997/01/10 00:30:38 *************** *** 5,10 **** --- 5,18 ---- # Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the # loan of a machine to work on a Solaris 2.x port of this software. # + 3.1.4 10/1/97 - Released + + add command line options -C and -F to ipnat to flush NAT list and table + + ipnat -l loops on output - Neil Readwin (nreadwin@nysales.micrognosis.com) + + NetBSD/FreeBSD kernel malloc changes - Daniel Carosone + 3.1.3 10/1/97 - Released NAT chains not constructed correctly in hash tables - Antony Y.R Lu *************** *** 12,18 **** Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2 ! man page update (ipf.5) from Daniel Caresone (dan@geek.com.au) ICMP header checksum update now included in NAT. --- 20,26 ---- Updated INSTALL.NetBSD, INSTALL.FreeBSD and INSTALL.Sol2 ! man page update (ipf.5) from Daniel Carosone (dan@geek.com.au) ICMP header checksum update now included in NAT. Index: ip_fil.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_fil.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:43 --- 2.0.1.2 1997/01/10 00:29:03 *************** *** 7,13 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! 
static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.2 1997/01/10 00:29:03 darrenr Exp $"; #endif #include *************** *** 120,125 **** --- 120,126 ---- return EBUSY; } ipl_inited = 1; + bzero((char *)nat_table, sizeof(nat_t *) * NAT_SIZE * 2); fr_savep = fr_checkp; fr_checkp = fr_check; fr_saveslowtimo = inetsw[0].pr_slowtimo; Index: ip_fil.h =================================================================== RCS file: /devel/CVS/IP-Filter/ip_fil.h,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:43 --- 2.0.1.2 1997/01/10 00:28:15 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $ */ #ifndef __IP_FIL_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.0.1.2 1997/01/10 00:28:15 darrenr Exp $ */ #ifndef __IP_FIL_H__ *************** *** 52,60 **** #define SIOCFRENB _IOW('r', 72, u_int) #define SIOCFRSYN _IOW('r', 73, u_int) #define SIOCFRZST _IOWR('r', 74, struct friostat) ! #define SIOCFLNAT _IOWR('r', 75, int) ! #define SIOCCNATL _IOWR('r', 76, int) ! #define SIOCZRLST _IOWR('r', 77, struct frentry) #else #define SIOCADAFR _IOW(r, 60, struct frentry) #define SIOCRMAFR _IOW(r, 61, struct frentry) --- 52,58 ---- #define SIOCFRENB _IOW('r', 72, u_int) #define SIOCFRSYN _IOW('r', 73, u_int) #define SIOCFRZST _IOWR('r', 74, struct friostat) ! #define SIOCZRLST _IOWR('r', 75, struct frentry) #else #define SIOCADAFR _IOW(r, 60, struct frentry) #define SIOCRMAFR _IOW(r, 61, struct frentry) *************** *** 71,79 **** #define SIOCFRENB _IOW(r, 72, u_int) #define SIOCFRSYN _IOW(r, 73, u_int) #define SIOCFRZST _IOWR(r, 74, struct friostat) ! #define SIOCFLNAT _IOWR(r, 75, int) ! #define SIOCCNATL _IOWR(r, 76, int) ! 
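Review bot: The added `bzero((char *)nat_table, sizeof(nat_t *) * NAT_SIZE * 2);` in iplattach repeats the array dimensions by hand; with `nat_table` declared as `nat_t *nat_table[2][NAT_SIZE]` in this same change, `bzero((char *)nat_table, sizeof(nat_table));` cannot drift from the declaration if NAT_SIZE or the table count changes. The identical line is added to iplattach in ip_sfil.c and should use the same form. Zeroing the table on attach also silently forgets any entries still linked there; whether the detach path frees them first is not visible here, so if it does not, a re-attach leaks them instead of freeing them, which is worth confirming. iplattach's body continues outside the hunk.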
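Review bot: Moving SIOCZRLST from 77 to 75 here (and again in the 71-79 hunk of this file) while SIOCFLNAT/SIOCCNATL reappear as 86/87 in ip_nat.h changes the command values the kernel decodes, so an ipf or ipnat binary built against the previous header sends requests the new kernel does not recognise, and vice versa. Because the _IOWR encoding also carries the argument size the mismatch should surface as a rejected ioctl rather than a misinterpreted one, but nothing in the change records that userland and kernel must now be rebuilt together. A comment above the block such as `/* 3.1.4: NAT ioctls moved to ip_nat.h (86, 87); SIOCZRLST renumbered 77 -> 75 */` and a matching line in the 3.1.4 HISTORY entry would make the ABI break explicit.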
#define SIOCZRLST _IOWR(r, 77, struct frentry) #endif #define SIOCADDFR SIOCADAFR #define SIOCDELFR SIOCRMAFR --- 69,75 ---- #define SIOCFRENB _IOW(r, 72, u_int) #define SIOCFRSYN _IOW(r, 73, u_int) #define SIOCFRZST _IOWR(r, 74, struct friostat) ! #define SIOCZRLST _IOWR(r, 75, struct frentry) #endif #define SIOCADDFR SIOCADAFR #define SIOCDELFR SIOCRMAFR Index: ip_nat.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_nat.c,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/09 15:21:23 --- 2.0.1.3 1997/01/10 00:28:47 *************** *** 15,26 **** * ADNATS always adds one, and there really isn't any provision for * only using 1 address (the in_space stuff is broke), there isn't any * easy solution) - * 2) There needs to be a way to flush the NATs table completely. Either - * an ioctl, or an easy way of doing it from ipnat.c. */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.2 1997/01/09 15:21:23 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) --- 15,24 ---- * ADNATS always adds one, and there really isn't any provision for * only using 1 address (the in_space stuff is broke), there isn't any * easy solution) */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.3 1997/01/10 00:28:47 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) *************** *** 195,201 **** KFREE(n); break; case SIOCGNATS : ! nat_stats.ns_table = (nat_t ***)nat_table; nat_stats.ns_list = nat_list; nat_stats.ns_inuse = nat_inuse; IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats)); --- 193,200 ---- KFREE(n); break; case SIOCGNATS : ! nat_stats.ns_table[0] = nat_table[0]; ! 
nat_stats.ns_table[1] = nat_table[1]; nat_stats.ns_list = nat_list; nat_stats.ns_inuse = nat_inuse; IWCOPY((char *)&nat_stats, (char *)data, sizeof(nat_stats)); *************** *** 335,340 **** --- 334,341 ---- nat->nat_use = 0; nat->nat_inip = ip->ip_src; nat->nat_outip.s_addr = htonl(in.s_addr); + nat->nat_oip.s_addr = 0; + nat->nat_oport = 0; sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) + (ntohl(ip->ip_src.s_addr) >> 16) + ntohs(sport); *************** *** 404,409 **** --- 405,411 ---- } else { nat->nat_inport = 0; nat->nat_outport = 0; + nat->nat_oport = 0; } } *************** *** 456,462 **** nat_t *nat; nat = nat_table[0][ipaddr.s_addr % NAT_SIZE]; - for (; nat; nat = nat->nat_next[0]) if (nat->nat_inip.s_addr == ipaddr.s_addr) { if (nat->nat_inport && (sport != nat->nat_inport)) --- 458,463 ---- *************** *** 508,514 **** { register ipnat_t *np; register u_long ipa; - register u_long sum1; tcphdr_t *tcp = NULL; nat_t *nat; u_short nflags = 0, sport = 0; --- 509,514 ---- *************** *** 606,612 **** { register ipnat_t *np; register struct in_addr in; - register u_long sum1; struct ifnet *ifp = fin->fin_ifp; tcphdr_t *tcp = NULL; u_short port = 0, nflags = 0; --- 606,611 ---- *************** *** 740,750 **** *natp = nat->nat_next[0]; if (nat->nat_use) nat->nat_use--; - if (!nat->nat_use) { - KFREE(nat); - nat_stats.ns_expire++; - nat_inuse--; - } } else natp = &nat->nat_next[0]; } --- 739,744 ---- *************** *** 755,762 **** nat->nat_age--; if (!nat->nat_use || !nat->nat_age) { *natp = nat->nat_next[1]; - if (nat->nat_use) - nat->nat_use--; if (!nat->nat_use) { KFREE(nat); nat_stats.ns_expire++; --- 749,754 ---- Index: ip_nat.h =================================================================== RCS file: /devel/CVS/IP-Filter/ip_nat.h,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/09 15:21:25 --- 2.0.1.3 1997/01/10 00:28:16 *************** *** 6,12 **** * to the original author and the 
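Review bot: Clearing `nat->nat_oip.s_addr` and `nat->nat_oport` one field at a time here, and `nat->nat_oport` again in the 404-409 hunk, only covers the fields that were noticed; if the entry comes from KMALLOC without zeroing — the allocation is outside the hunk — every other field that is not explicitly assigned, including the `nat_next[]` links, still holds whatever the allocator returned. A single `bzero((char *)nat, sizeof(*nat));` immediately after a successful allocation would make each later assignment an override of a known value and both new stores redundant. If zeroing is deliberately avoided, a comment at the allocation saying which fields must be assigned by hand would protect the next field that gets added.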
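Review bot: Deleting the `for (; nat; nat = nat->nat_next[0])` line leaves `nat = nat_table[0][ipaddr.s_addr % NAT_SIZE];` followed directly by `if (nat->nat_inip.s_addr == ipaddr.s_addr)`, so an empty hash bucket is now a NULL dereference inside the kernel and a non-empty one is only compared against the chain head, never the rest of the chain. Unless a loop is reintroduced outside the hunk, the line should come back, or at minimum `if (!nat) return NULL;` should precede the comparison; the enclosing function starts and ends outside the hunk, so this is inferred from the three context lines shown. If the function is no longer called, deleting it outright would be clearer than leaving a lookup path that faults on the first miss.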
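Review bot: After this change the first expiry pass over `nat_table[0]` unlinks an entry and decrements `nat_use` but never frees it, while the second pass (755-762 hunk) no longer decrements `nat_use` before its `if (!nat->nat_use)` test, so an entry that reaches the second pass with `nat_use` still non-zero is unlinked from `nat_table[1]` and then dropped without KFREE — unreachable from either chain, which is a leak if that state can arise. What `nat_use` means (a reference count, or a count of the hash chains the entry is still on) is not stated in either hunk; a comment at the top of the expiry loop such as `/* nat_use: chains this entry is still linked on; free it only after it leaves both tables */` would let a reader check the invariant, and if that is the intent the second pass should decrement before testing as the first one does. `nat->nat_age--` is visible in the second pass; whether the first pass also ages the entry is outside the hunk, and if both do, an entry ages twice per timer tick.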
contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.0.1.2 1997/01/09 15:21:25 darrenr Exp $ */ #ifndef __IP_NAT_H_ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.0.1.3 1997/01/10 00:28:16 darrenr Exp $ */ #ifndef __IP_NAT_H_ *************** *** 23,28 **** --- 23,31 ---- #define SIOCGNATL _IOWR('r', 83, struct natlookup) #define SIOCGFRST _IOR('r', 84, struct ipfrstat) #define SIOCGIPST _IOR('r', 85, struct ips_stat) + #define SIOCFLNAT _IOWR('r', 86, int) + #define SIOCCNATL _IOWR('r', 87, int) + #else #define SIOCADNAT _IOW(r, 80, struct ipnat) #define SIOCRMNAT _IOW(r, 81, struct ipnat) *************** *** 30,35 **** --- 33,40 ---- #define SIOCGNATL _IOWR(r, 83, struct natlookup) #define SIOCGFRST _IOR(r, 84, struct ipfrstat) #define SIOCGIPST _IOR(r, 85, struct ips_stat) + #define SIOCFLNAT _IOWR(r, 86, int) + #define SIOCCNATL _IOWR(r, 87, int) #endif #define NAT_SIZE 367 *************** *** 91,97 **** u_long ns_added; u_long ns_expire; u_long ns_inuse; ! nat_t ***ns_table; ipnat_t *ns_list; } natstat_t; --- 96,102 ---- u_long ns_added; u_long ns_expire; u_long ns_inuse; ! nat_t **ns_table[2]; ipnat_t *ns_list; } natstat_t; *************** *** 100,105 **** --- 105,111 ---- #define IPN_UDP 2 #define IPN_TCPUDP 3 + extern nat_t *nat_table[2][NAT_SIZE]; extern int nat_ioctl(); extern nat_t *nat_lookupoutip(), *nat_lookupinip(), *nat_lookupredir(); extern int ip_natout(), ip_natin(); Index: ip_sfil.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_sfil.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:43 --- 2.0.1.2 1997/01/10 00:29:04 *************** *** 9,15 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! 
static char rcsid[] = "$Id: ip_sfil.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $"; #endif #include --- 9,15 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_sfil.c,v 2.0.1.2 1997/01/10 00:29:04 darrenr Exp $"; #endif #include *************** *** 93,98 **** --- 93,99 ---- int iplattach() { + bzero((char *)nat_table, sizeof(nat_t *) * NAT_SIZE * 2); mutex_init(&ipl_mutex, "ipf log mutex", MUTEX_DRIVER, NULL); mutex_init(&ipf_mutex, "ipf filter mutex", MUTEX_DRIVER, NULL); mutex_init(&ipfs_mutex, "ipf solaris mutex", MUTEX_DRIVER, NULL); Index: ipl.h =================================================================== RCS file: /devel/CVS/IP-Filter/ipl.h,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/09 15:24:53 --- 2.0.1.3 1997/01/10 00:30:37 *************** *** 11,16 **** #ifndef __IPL_H_ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.1.3 - 10/1/97" #endif --- 11,16 ---- #ifndef __IPL_H_ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.1.4 - 10/1/97" #endif Index: ipnat.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipnat.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:44 --- 2.0.1.2 1997/01/10 00:30:07 *************** *** 51,57 **** #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static char rcsid[] = "$Id: ipnat.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $"; #endif #if SOLARIS --- 51,57 ---- #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static char rcsid[] = "$Id: ipnat.c,v 2.0.1.2 1997/01/10 00:30:07 darrenr Exp $"; #endif #if SOLARIS *************** *** 61,67 **** extern char *optarg; extern int kmemcpy(); ! 
void dostats(), printnat(), parsefile(); void usage(name) --- 61,67 ---- extern char *optarg; extern int kmemcpy(); ! void dostats(), printnat(), parsefile(), flushtable(); void usage(name) *************** *** 79,90 **** char *file = NULL, c; int fd, opts = 1; ! while ((c = getopt(argc, argv, "f:lnrsv")) != -1) switch (c) { case 'f' : file = optarg; break; case 'l' : opts |= 8; break; --- 79,96 ---- char *file = NULL, c; int fd, opts = 1; ! while ((c = getopt(argc, argv, "CFf:lnrsv")) != -1) switch (c) { + case 'C' : + opts |= 64; + break; case 'f' : file = optarg; break; + case 'F' : + opts |= 32; + break; case 'l' : opts |= 8; break; *************** *** 110,115 **** --- 116,123 ---- exit(-1); } + if (opts & 96) + flushtable(fd, opts); if (file) parsefile(fd, file, opts); if (opts & 12) *************** *** 214,226 **** { natstat_t ns; ipnat_t ipn; ! nat_t **nt, *np, nat; int i; if (ioctl(fd, SIOCGNATS, &ns) == -1) { perror("ioctl(SIOCGNATS)"); return; } if (opts & 4) { printf("mapped\tin\t%lu\tout\t%lu\n", ns.ns_mapped[0], ns.ns_mapped[1]); --- 222,235 ---- { natstat_t ns; ipnat_t ipn; ! nat_t **nt[2], *np, nat; int i; if (ioctl(fd, SIOCGNATS, &ns) == -1) { perror("ioctl(SIOCGNATS)"); return; } + if (opts & 4) { printf("mapped\tin\t%lu\tout\t%lu\n", ns.ns_mapped[0], ns.ns_mapped[1]); *************** *** 241,253 **** ns.ns_list = ipn.in_next; } ! nt = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE); ! if (kmemcpy(nt, ns.ns_table, sizeof(*nt) * NAT_SIZE)) { perror("kmemcpy"); return; } for (i = 0; i < NAT_SIZE; i++) ! for (np = nt[i]; np; np = nat.nat_next) { if (kmemcpy(&nat, np, sizeof(nat))) break; printf("%s %hu <- -> ", --- 250,263 ---- ns.ns_list = ipn.in_next; } ! nt[0] = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE); ! if (kmemcpy(nt[0], ns.ns_table[0], sizeof(**nt) * NAT_SIZE)) { perror("kmemcpy"); return; } + for (i = 0; i < NAT_SIZE; i++) ! 
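Review bot: `c` is declared `char` on the context line `char *file = NULL, c;` while getopt() returns int and marks the end of options with -1, so on a platform where plain char is unsigned the changed `while ((c = getopt(argc, argv, "CFf:lnrsv")) != -1)` never terminates; declare it `int c;` on its own line. The new option bits are also bare numbers — `opts |= 64`, `opts |= 32` here, `opts & 96` in the 110-115 hunk, and `opts & 32` / `opts & 64` again in flushtable — so a named pair such as `#define OPT_FLUSHTABLE 32` and `#define OPT_CLEARLIST 64` would keep the three sites in agreement and make `opts & 96` readable as `opts & (OPT_FLUSHTABLE | OPT_CLEARLIST)`. main's body continues outside the hunk.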
for (np = nt[0][i]; np; np = nat.nat_next[0]) { if (kmemcpy(&nat, np, sizeof(nat))) break; printf("%s %hu <- -> ", *************** *** 261,266 **** --- 271,277 ---- printf("%s %hu]\n", inet_ntoa(nat.nat_oip), ntohs(nat.nat_oport)); } + free(nt[0]); } } *************** *** 619,622 **** --- 630,656 ---- linenum++; } fclose(stdin); + } + + + void flushtable(fd, opts) + int fd, opts; + { + int n; + + if (opts & 32) { + n = 0; + if (ioctl(fd, SIOCFLNAT, &n) == -1) + perror("ioctl(SIOCFLNAT)"); + else + printf("%d entries flushed from NAT table\n", n); + } + + if (opts & 64) { + n = 0; + if (ioctl(fd, SIOCCNATL, &n) == -1) + perror("ioctl(SIOCCNATL)"); + else + printf("%d entries flushed from NAT list\n", n); + } } Index: man/ipnat.1 =================================================================== RCS file: /devel/CVS/IP-Filter/man/ipnat.1,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:53 --- 2.0.1.2 1997/01/10 00:32:27 *************** *** 4,10 **** .SH SYNOPSIS .B ipnat [ ! .B \-lnrsv ] .B \-f <\fIfilename\fP> .SH DESCRIPTION --- 4,10 ---- .SH SYNOPSIS .B ipnat [ ! .B \-lnrsvCF ] .B \-f <\fIfilename\fP> .SH DESCRIPTION *************** *** 18,23 **** --- 18,30 ---- which they appear when given to \fBipnat\fP. .SH OPTIONS .TP + .TP + .B \-C + delete all entries in the current NAT listing (NAT rules) + .TP + .B \-F + delete all active entries in the current NAT table (currently active + NAT mappings) .B \-l Show the list of current NAT table entry mappings. .TP
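Review bot: The result of `nt[0] = (nat_t **)malloc(sizeof(*nt) * NAT_SIZE);` is handed to kmemcpy without a NULL check, and the `return` after `perror("kmemcpy")` leaves it allocated — the `free(nt[0])` added in the 261-266 hunk sits only on the success path. An `if (!nt[0]) { perror("malloc"); return; }` after the allocation and a `free(nt[0]);` ahead of the error return close both; the allocation also sizes with `sizeof(*nt)` (a `nat_t **`) while the copy uses `sizeof(**nt)` (a `nat_t *`), which only agree because both are pointer-sized, so use `sizeof(**nt)` in both. `nt` now has two slots but only `nt[0]` and `ns.ns_table[0]` are ever read, so the second table is never printed; if that is intended, a comment saying so would stop the next reader from treating `nt[1]` as an omission. dostats's body continues outside the hunk.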