Index: HISTORY =================================================================== RCS file: /devel/CVS/IP-Filter/HISTORY,v retrieving revision 2.0.1.4 retrieving revision 2.0.1.5 diff -c -r2.0.1.4 -r2.0.1.5 *** 2.0.1.4 1997/01/13 10:05:46 --- 2.0.1.5 1997/01/21 10:15:40 *************** *** 5,10 **** --- 5,20 ---- # Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the # loan of a machine to work on a Solaris 2.x port of this software. # + 3.1.6 21/1/97 - Released + + Allow NAT to work on BSD systems in conjunction with "pass .. to ifname" + + Memory leak introduced in 3.1.3 in NAT lists, clearing of NAT table tried + to free memory twice. + + NAT recalculates IP header checksum based on difference between IP#'s and + port numbers - should be just IP#'s (Solaris2 only) + 3.1.5 13/1/97 - Released fixed setting of NAT timeouts and use different timeouts for concurrent Index: Makefile =================================================================== RCS file: /devel/CVS/IP-Filter/Makefile,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/12 09:58:09 --- 2.0.1.3 1997/01/19 04:49:31 *************** *** 5,11 **** # and is not changed in any way. The author accepts no responsibility # for the use of this software. I hate legaleese, don't you ? # ! # $Id: Makefile,v 2.0.1.2 1997/01/12 09:58:09 darrenr Exp $ # # where to put things. # --- 5,11 ---- # and is not changed in any way. The author accepts no responsibility # for the use of this software. I hate legaleese, don't you ? # ! # $Id: Makefile,v 2.0.1.3 1997/01/19 04:49:31 darrenr Exp $ # # where to put things. # *************** *** 127,136 **** install-bsd: bsd (cd BSD/$(DCPU); $(MAKE) "TOP=../.." install) ! install-SunOS4: solaris (cd SunOS4; $(MAKE) "TOP=.." install) ! install-SunOS5: solaris ! (cd SunOS5; $(MAKE) "TOP=../.." install) # XXX FIXME: bogus to depend on all! 
install: all ip_fil.h --- 127,136 ---- install-bsd: bsd (cd BSD/$(DCPU); $(MAKE) "TOP=../.." install) ! install-sunos4: solaris (cd SunOS4; $(MAKE) "TOP=.." install) ! install-sunos5: solaris ! (cd SunOS5; $(MAKE) "TOP=.." install) # XXX FIXME: bogus to depend on all! install: all ip_fil.h Index: fil.c =================================================================== RCS file: /devel/CVS/IP-Filter/fil.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:43 --- 2.0.1.2 1997/01/21 10:15:42 *************** *** 7,13 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static char rcsid[] = "$Id: fil.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static char rcsid[] = "$Id: fil.c,v 2.0.1.2 1997/01/21 10:15:42 darrenr Exp $"; #endif #include *************** *** 506,512 **** */ fr_info_t frinfo, *fc; register fr_info_t *fin = &frinfo; ! frentry_t *fr; int pass, changed; #if !defined(__SVR4) && !defined(__svr4__) && defined(_KERNEL) --- 506,512 ---- */ fr_info_t frinfo, *fc; register fr_info_t *fin = &frinfo; ! 
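Review bot: The changed `install-sunos4` and `install-sunos5` recipes still join `cd` and `$(MAKE)` with `;`, so under a make that does not run recipes with `sh -e` a failed `cd` leaves the sub-make running `install` in the top-level directory. `(cd SunOS5 && $(MAKE) "TOP=.." install)` stops at the failed `cd`, and the unchanged `install-bsd` line has the same shape. The targets are also renamed to lower case, so anything that still invokes `install-SunOS4` or `install-SunOS5` needs updating; no caller is visible in this hunk.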
frentry_t *fr = NULL; int pass, changed; #if !defined(__SVR4) && !defined(__svr4__) && defined(_KERNEL) *************** *** 583,588 **** --- 583,589 ---- #endif } } + fr = fin->fin_fr; if ((pass & FR_KEEPFRAG)) { if (fin->fin_fi.fi_fl & FI_FRAG) { *************** *** 600,607 **** frstats[out].fr_ads++; } } - - fr = fin->fin_fr; if (fr && fr->fr_func) pass = (*fr->fr_func)(pass, ip, fin); --- 601,606 ---- Index: ip_fil.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_fil.c,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/10 00:29:03 --- 2.0.1.3 1997/01/21 10:15:43 *************** *** 7,13 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.2 1997/01/10 00:29:03 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.3 1997/01/21 10:15:43 darrenr Exp $"; #endif #include *************** *** 761,766 **** --- 761,773 ---- dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway; } ro->ro_rt->rt_use++; + + /* + * For input packets which are being "fastrouted", they won't + * go back through output filtering and miss their chance to get + * NAT'd. + */ + (void) ip_natout(ip, fin->fin_hlen, fin); /* * If small enough for interface, can just send directly. Index: ip_nat.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_nat.c,v retrieving revision 2.0.1.4 retrieving revision 2.0.1.6 diff -c -r2.0.1.4 -r2.0.1.6 *** 2.0.1.4 1997/01/12 10:42:56 --- 2.0.1.6 1997/01/21 10:15:44 *************** *** 18,24 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! 
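Review bot: The added `(void) ip_natout(ip, fin->fin_hlen, fin);` in the ip_fil.c hunk at 761 discards the result, so the fastroute path transmits the packet whether or not a mapping was applied. ip_natout's return values are not visible here; if it can report a failure, the packet would leave untranslated and expose the internal source address, so either check the result or extend the comment to say why ignoring it is safe. The enclosing function starts and ends outside the hunk.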
static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.4 1997/01/12 10:42:56 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) --- 18,24 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.6 1997/01/21 10:15:44 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) *************** *** 74,79 **** --- 74,80 ---- natstat_t nat_stats; #if SOLARIS # ifndef _KERNEL + #define bzero(a,b) memset(a,0,b) #define bcmp(a,b,c) memcpy(a,b,c) #define bcopy(a,b,c) memmove(b,a,c) # else *************** *** 86,106 **** #define FIX_OUTCKSUM(sp,n) { register u_long _sum1; \ register u_short _sumshort; \ _sum1 = (~ntohs(*sp)) & 0xffff; \ ! _sum1 += (n)->nat_sumd; \ _sum1 = (_sum1 >> 16) + (_sum1 & 0xffff); \ /* Again */ \ _sum1 = (_sum1 >> 16) + (_sum1 & 0xffff); \ _sumshort = ~(u_short)_sum1; \ ! *sp = htons(_sumshort); } #define FIX_INCKSUM(sp,n) { register u_long _sum1; \ register u_short _sumshort; \ _sum1 = (~ntohs(*sp)) & 0xffff; \ ! _sum1 += ~(n)->nat_sumd & 0xffff; \ _sum1 = (_sum1 >> 16) + (_sum1 & 0xffff); \ /* Again */ \ _sum1 = (_sum1 >> 16) + (_sum1 & 0xffff); \ _sumshort = ~(u_short)_sum1; \ ! *sp = htons(_sumshort); } /* --- 87,107 ---- #define FIX_OUTCKSUM(sp,n) { register u_long _sum1; \ register u_short _sumshort; \ _sum1 = (~ntohs(*sp)) & 0xffff; \ ! _sum1 += (n); \ _sum1 = (_sum1 >> 16) + (_sum1 & 0xffff); \ /* Again */ \ _sum1 = (_sum1 >> 16) + (_sum1 & 0xffff); \ _sumshort = ~(u_short)_sum1; \ ! *(sp) = htons(_sumshort); } #define FIX_INCKSUM(sp,n) { register u_long _sum1; \ register u_short _sumshort; \ _sum1 = (~ntohs(*sp)) & 0xffff; \ ! _sum1 += ~(n) & 0xffff; \ _sum1 = (_sum1 >> 16) + (_sum1 & 0xffff); \ /* Again */ \ _sum1 = (_sum1 >> 16) + (_sum1 & 0xffff); \ _sumshort = ~(u_short)_sum1; \ ! *(sp) = htons(_sumshort); } /* *************** *** 243,261 **** nat_t *nat, **natp; int i, j = 0; ! 
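Review bot: The new `bzero` shim in the hunk at 74 is added directly above `#define bcmp(a,b,c) memcpy(a,b,c)`, which this commit leaves in place. Under that mapping every `bcmp` call in the non-kernel Solaris build overwrites its first argument and yields a non-null pointer, so each comparison reads as "different"; it should be `#define bcmp(a,b,c) memcmp(a,b,c)`. The new macro would also be safer with its arguments parenthesised, `#define bzero(a,b) memset((a),0,(b))`.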
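Review bot: FIX_OUTCKSUM and FIX_INCKSUM (hunk at 86) now write through `*(sp)` but still read with `ntohs(*sp)`, so the argument is only half parenthesised; the read should be `_sum1 = (~ntohs(*(sp))) & 0xffff;`. Both macros also expand to a bare `{ ... }` block, which breaks if a call is ever followed by `else`; wrapping the body in `do { ... } while (0)` avoids that. A one-line comment saying that `n` is now the precomputed delta (`nat_sumd` or `nat_ipsumd`) rather than a `nat_t *` would help callers.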
for (natp = &nat_table[0][0], i = NAT_SIZE - 1; i >= 0; i--, natp++) while ((nat = *natp)) { *natp = nat->nat_next[0]; ! KFREE((caddr_t)nat); j++; } - for (natp = &nat_table[1][0], i = NAT_SIZE - 1; i >= 0; i--, natp++) - while ((nat = *natp)) { - *natp = nat->nat_next[1]; - KFREE((caddr_t)nat); - j++; - } return j; } --- 244,260 ---- nat_t *nat, **natp; int i, j = 0; ! for (i = NAT_SIZE - 1; i >= 0; i--) { ! natp = &nat_table[0][i]; while ((nat = *natp)) { *natp = nat->nat_next[0]; ! KFREE(nat); j++; } + } + + bzero((char *)nat_table[1], sizeof(nat_table[1])); return j; } *************** *** 302,307 **** --- 301,308 ---- if (!(nat = (nat_t *)KMALLOC(sizeof(*nat)))) return NULL; + bzero((char *)nat, sizeof(*nat)); + /* * Search the current table for a match. */ *************** *** 333,369 **** if (!port && (flags & IPN_TCPUDP)) port = sport; /* Setup the NAT table */ - nat->nat_use = 0; nat->nat_inip = ip->ip_src; nat->nat_outip.s_addr = htonl(in.s_addr); - nat->nat_oip.s_addr = 0; - nat->nat_oport = 0; sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) + (ntohl(ip->ip_src.s_addr) >> 16) + ntohs(sport); - /* Do it twice */ - sum1 = (sum1 & 0xffff) + (sum1 >> 16); - sum1 = (sum1 & 0xffff) + (sum1 >> 16); - sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16) + ntohs(port); - /* Do it twice */ - sum2 = (sum2 & 0xffff) + (sum2 >> 16); - sum2 = (sum2 & 0xffff) + (sum2 >> 16); - - if (sum1 > sum2) - sum2--; /* Because ~1 == -2, We really need ~1 == -1 */ - sumd = sum2 - sum1; - sumd = (sumd & 0xffff) + (sumd >> 16); - nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16); - if (flags & IPN_TCPUDP) { nat->nat_inport = sport; nat->nat_outport = port; - } else { - nat->nat_inport = 0; - nat->nat_outport = 0; } } else { --- 334,350 ---- *************** *** 374,382 **** * internal port. */ in.s_addr = ntohl(np->in_inip); ! nport = np->in_pnext; - nat->nat_use = 0; nat->nat_inip.s_addr = htonl(in.s_addr); nat->nat_outip = ip->ip_dst; nat->nat_oip = ip->ip_src; --- 355,363 ---- * internal port. 
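Review bot: Freeing only through `nat_table[0]` and then zeroing `nat_table[1]` (hunk at 243) is correct only if every entry is linked into both tables; an entry reachable from `nat_table[1]` alone would be leaked by the `bzero`. The creation code later in this diff appears to link both, but the invariant is not written down. A comment above the loop such as `/* every nat_t is on both hash tables, so free via [0] only */` would keep a later change from reintroducing the double free. Whether the caller holds the NAT lock during the teardown is not visible in the hunk.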
*/ in.s_addr = ntohl(np->in_inip); ! if (!(nport = np->in_pnext)) ! nport = dport; nat->nat_inip.s_addr = htonl(in.s_addr); nat->nat_outip = ip->ip_dst; nat->nat_oip = ip->ip_src; *************** *** 384,415 **** sum1 = (ntohl(ip->ip_dst.s_addr) & 0xffff) + (ntohl(ip->ip_dst.s_addr) >> 16) + ntohs(dport); /* Do it twice */ sum1 = (sum1 & 0xffff) + (sum1 >> 16); sum1 = (sum1 & 0xffff) + (sum1 >> 16); - sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16) + ntohs(nport); - /* Do it twice */ sum2 = (sum2 & 0xffff) + (sum2 >> 16); sum2 = (sum2 & 0xffff) + (sum2 >> 16); ! if (sum2 > sum1) ! sum1--; /* Because ~1 == -2, We really need ~1 == -1 */ ! sumd = (sum1 - sum2); sumd = (sumd & 0xffff) + (sumd >> 16); ! nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16); ! ! if (flags & IPN_TCPUDP) { ! nat->nat_inport = nport; ! nat->nat_outport = dport; ! nat->nat_oport = sport; ! } else { ! nat->nat_inport = 0; ! nat->nat_outport = 0; ! nat->nat_oport = 0; ! } ! } in.s_addr = htonl(in.s_addr); natp = &nat_table[0][nat->nat_inip.s_addr % NAT_SIZE]; --- 365,418 ---- sum1 = (ntohl(ip->ip_dst.s_addr) & 0xffff) + (ntohl(ip->ip_dst.s_addr) >> 16) + ntohs(dport); + sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16) + ntohs(nport); + + if (flags & IPN_TCPUDP) { + nat->nat_inport = nport; + nat->nat_outport = dport; + nat->nat_oport = sport; + } + } + + /* Do it twice */ + sum1 = (sum1 & 0xffff) + (sum1 >> 16); + sum1 = (sum1 & 0xffff) + (sum1 >> 16); + + /* Do it twice */ + sum2 = (sum2 & 0xffff) + (sum2 >> 16); + sum2 = (sum2 & 0xffff) + (sum2 >> 16); + + if (sum1 > sum2) + sum2--; /* Because ~1 == -2, We really need ~1 == -1 */ + sumd = sum2 - sum1; + sumd = (sumd & 0xffff) + (sumd >> 16); + nat->nat_sumd = (sumd & 0xffff) + (sumd >> 16); + + if ((flags & IPN_TCPUDP) && ((sport != port) || (dport != nport))) { + if (direction == NAT_OUTBOUND) + sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) + + (ntohl(ip->ip_src.s_addr) >> 16); + else + sum1 = (ntohl(ip->ip_dst.s_addr) & 0xffff) + + 
(ntohl(ip->ip_dst.s_addr) >> 16); + + sum2 = (in.s_addr & 0xffff) + (in.s_addr >> 16); + /* Do it twice */ sum1 = (sum1 & 0xffff) + (sum1 >> 16); sum1 = (sum1 & 0xffff) + (sum1 >> 16); /* Do it twice */ sum2 = (sum2 & 0xffff) + (sum2 >> 16); sum2 = (sum2 & 0xffff) + (sum2 >> 16); ! if (sum1 > sum2) ! sum2--; /* Because ~1 == -2, We really need ~1 == -1 */ ! sumd = sum2 - sum1; sumd = (sumd & 0xffff) + (sumd >> 16); ! nat->nat_ipsumd = (sumd & 0xffff) + (sumd >> 16); ! } else ! nat->nat_ipsumd = nat->nat_sumd; in.s_addr = htonl(in.s_addr); natp = &nat_table[0][nat->nat_inip.s_addr % NAT_SIZE]; *************** *** 420,429 **** nat->nat_next[1] = *natp; *natp = nat; nat->nat_use++; - if (flags & IPN_TCP) { - nat->nat_state[0] = 0; - nat->nat_state[1] = 0; - } if (direction == NAT_OUTBOUND) { if (flags & IPN_TCPUDP) tcp->th_sport = htons(port); --- 423,428 ---- *************** *** 518,524 **** tcphdr_t *tcp = NULL; nat_t *nat; u_short nflags = 0, sport = 0, *csump = NULL; ! struct ifnet *ifp = fin->fin_ifp; if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { if (ip->ip_p == IPPROTO_TCP) --- 517,531 ---- tcphdr_t *tcp = NULL; nat_t *nat; u_short nflags = 0, sport = 0, *csump = NULL; ! struct ifnet *ifp; ! frentry_t *fr; ! frdest_t *tif; ! ! if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) && ! fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1) ! ifp = fr->fr_tif.fd_ifp; ! else ! ifp = fin->fin_ifp; if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { if (ip->ip_p == IPPROTO_TCP) *************** *** 565,573 **** * Fix up checksums, not by recalculating them, but * simply computing adjustments. */ ! #if SOLARIS ! FIX_OUTCKSUM(&ip->ip_sum, nat); ! #endif if (nflags && !(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { --- 572,579 ---- * Fix up checksums, not by recalculating them, but * simply computing adjustments. */ ! FIX_OUTCKSUM(&ip->ip_sum, nat->nat_ipsumd); ! 
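Review bot: Merging the two folding tails (hunk at 384) changes the sign of the delta for entries created in the inbound branch: the removed code computed `sumd = (sum1 - sum2)` there, while the shared tail now computes `sumd = sum2 - sum1` for both directions. FIX_INCKSUM still adds `~(n)`, so unless the flip is intended these entries get the opposite checksum adjustment to the one they had before. A test with an inbound rule, or a comment stating which direction `nat_sumd` and `nat_ipsumd` are relative to, would settle it. The `(sport != port) || (dport != nport)` test also compares a pair that the other branch never assigns in the visible lines, so it depends on initial values declared outside the hunk.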
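Review bot: `frdest_t *tif;` is declared in the hunk at 518 but not used in any line shown; drop it if the rest of the function, which continues outside the hunk, does not use it either. The interface selection also treats `(void *)-1` as a sentinel for `fr->fr_tif.fd_ifp` without naming it. A named constant, or a comment such as `/* -1: destination interface named in the rule but not resolved */` if that is what it means, would make the check auditable, since the chosen `ifp` presumably decides which NAT rules the packet is matched against.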
if (nflags && !(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { *************** *** 589,595 **** csump = &ic->icmp_cksum; } if (csump) ! FIX_OUTCKSUM(csump, nat); } nat_stats.ns_mapped[1]++; MUTEX_EXIT(&ipf_nat); --- 595,601 ---- csump = &ic->icmp_cksum; } if (csump) ! FIX_OUTCKSUM(csump, nat->nat_sumd); } nat_stats.ns_mapped[1]++; MUTEX_EXIT(&ipf_nat); *************** *** 661,667 **** * simply computing adjustments. */ #if SOLARIS ! FIX_INCKSUM(&ip->ip_sum, nat); #endif if (nflags && !(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { --- 667,673 ---- * simply computing adjustments. */ #if SOLARIS ! FIX_INCKSUM(&ip->ip_sum, nat->nat_ipsumd); #endif if (nflags && !(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { *************** *** 684,690 **** csump = &ic->icmp_cksum; } if (csump) ! FIX_INCKSUM(csump, nat); } nat_stats.ns_mapped[0]++; MUTEX_EXIT(&ipf_nat); --- 690,696 ---- csump = &ic->icmp_cksum; } if (csump) ! FIX_INCKSUM(csump, nat->nat_sumd); } nat_stats.ns_mapped[0]++; MUTEX_EXIT(&ipf_nat); *************** *** 750,759 **** for (i = 0; i < NAT_SIZE; i++) for (natp = &nat_table[1][i]; (nat = *natp); ) { - if (nat->nat_age > 0) - nat->nat_age--; if (!nat->nat_use || !nat->nat_age) { *natp = nat->nat_next[1]; if (!nat->nat_use) { KFREE(nat); nat_stats.ns_expire++; --- 756,765 ---- for (i = 0; i < NAT_SIZE; i++) for (natp = &nat_table[1][i]; (nat = *natp); ) { if (!nat->nat_use || !nat->nat_age) { *natp = nat->nat_next[1]; + if (nat->nat_use) + nat->nat_use--; if (!nat->nat_use) { KFREE(nat); nat_stats.ns_expire++; Index: ip_nat.h =================================================================== RCS file: /devel/CVS/IP-Filter/ip_nat.h,v retrieving revision 2.0.1.3 retrieving revision 2.0.1.5 diff -c -r2.0.1.3 -r2.0.1.5 *** 2.0.1.3 1997/01/10 00:28:16 --- 2.0.1.5 1997/01/21 10:15:46 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! 
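Review bot: Dropping `#if SOLARIS` around `FIX_OUTCKSUM(&ip->ip_sum, nat->nat_ipsumd);` (hunk at 565) makes the outbound path adjust the IP header checksum on every platform, while the inbound path in the hunk at 661 keeps `FIX_INCKSUM(&ip->ip_sum, ...)` Solaris-only. If the asymmetry is deliberate, presumably because of the new fastroute call, the comment above the macro call should say so, for example `/* ip_sum must be fixed here on all systems: fastrouted packets skip the stack's own checksum pass */`. Otherwise a non-Solaris output path that recomputes `ip_sum` afterwards does redundant work, and one that does not was already wrong before this change.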
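Review bot: `KFREE(nat)` in the expiry loop (hunk at 750) is safe only if the entry has already been unlinked from `nat_table[0]`; the lines shown unlink it from `nat_table[1]` alone, and any pass over `[0]` lies outside the hunk. If that pass can leave the entry linked, the `[0]` chain keeps a pointer to freed memory that the next lookup will follow. The removed `nat_age--` must also now happen elsewhere, or entries with a non-zero `nat_use` never reach the `!nat->nat_age` test. A short comment naming where the `[0]` unlink and the ageing are done would make this checkable.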
* $Id: ip_nat.h,v 2.0.1.3 1997/01/10 00:28:16 darrenr Exp $ */ #ifndef __IP_NAT_H_ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.0.1.5 1997/01/21 10:15:46 darrenr Exp $ */ #ifndef __IP_NAT_H_ *************** *** 43,48 **** --- 43,49 ---- struct nat *nat_next[2]; int nat_age; u_long nat_sumd; + u_long nat_ipsumd; struct in_addr nat_inip; struct in_addr nat_outip; struct in_addr nat_oip; /* other ip */ Index: ipft_tx.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipft_tx.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:44 --- 2.0.1.2 1997/01/19 04:52:25 *************** *** 40,46 **** #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! static char rcsid[] = "$Id: ipft_tx.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $"; #endif extern int opts; --- 40,46 ---- #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! static char rcsid[] = "$Id: ipft_tx.c,v 2.0.1.2 1997/01/19 04:52:25 darrenr Exp $"; #endif extern int opts; *************** *** 66,72 **** * returns an ip address as a long var as a result of either a DNS lookup or * straight inet_addr() call */ ! u_long tx_hostnum(host, resolved) char *host; int *resolved; { --- 66,72 ---- * returns an ip address as a long var as a result of either a DNS lookup or * straight inet_addr() call */ ! static u_long tx_hostnum(host, resolved) char *host; int *resolved; { *************** *** 95,101 **** * find the port number given by the name, either from getservbyname() or * straight atoi() */ ! u_short tx_portnum(name) char *name; { struct servent *sp, *sp2; --- 95,101 ---- * find the port number given by the name, either from getservbyname() or * straight atoi() */ ! 
static u_short tx_portnum(name) char *name; { struct servent *sp, *sp2; Index: ipl.h =================================================================== RCS file: /devel/CVS/IP-Filter/ipl.h,v retrieving revision 2.0.1.4 diff -c -r2.0.1.4 ipl.h *** 2.0.1.4 1997/01/13 10:05:47 --- ipl.h 1997/01/21 10:16:51 *************** *** 11,16 **** #ifndef __IPL_H_ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.1.5 - 13/01/97" #endif --- 11,16 ---- #ifndef __IPL_H_ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.1.6 - 21/01/97" #endif Index: ipnat.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipnat.c,v retrieving revision 2.0.1.3 retrieving revision 2.0.1.4 diff -c -r2.0.1.3 -r2.0.1.4 *** 2.0.1.3 1997/01/12 09:57:13 --- 2.0.1.4 1997/01/19 04:51:45 *************** *** 51,57 **** #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static char rcsid[] = "$Id: ipnat.c,v 2.0.1.3 1997/01/12 09:57:13 darrenr Exp $"; #endif #if SOLARIS --- 51,57 ---- #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static char rcsid[] = "$Id: ipnat.c,v 2.0.1.4 1997/01/19 04:51:45 darrenr Exp $"; #endif #if SOLARIS *************** *** 181,187 **** printf(" udp"); printf("\n"); if (verbose) ! printf("\t%x %u %x %u", (u_int)np->in_ifp, np->in_space, np->in_flags, np->in_pnext); } else { np->in_nextip.s_addr = htonl(np->in_nextip.s_addr); --- 181,187 ---- printf(" udp"); printf("\n"); if (verbose) ! 
printf("\t%x %u %x %u\n", (u_int)np->in_ifp, np->in_space, np->in_flags, np->in_pnext); } else { np->in_nextip.s_addr = htonl(np->in_nextip.s_addr); Index: todo =================================================================== RCS file: /devel/CVS/IP-Filter/todo,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:45 --- 2.0.1.2 1997/01/19 04:51:21 *************** *** 1,51 **** ! * fix ipmon reporting interface names (only 2 chars, not upto 4) ! (Bryan Collins - bryan@coombs.anu.edu.au) ! +done ! ! * fix iplbusy stopping unloading ! +done ! ! * check and fix TCP RSTs on FreeBSD/NetBSD/Solaris2-x86 ! +done ! ! * examine state code for bad multi-thread code ! (Craig still has a problem with log_first not working 100%, so it seems) ! ! * "ARCH:sh=uname -m" isn't supported by GNU make. (Reg Clemens - reg@dwf.com) ! ! * find a way to implement testing of IP Filter output ! +done ! ! * implement testing of rule parsing and printing ! +done ! ! * determine whether strange things do happen in the fullness of time and why. ! (reports of various things failing after working, with no changes) ! - always fails to block packets (stops things from working) ! Noel Paul (N.Paul@gu.edu.au), Bryan Collins ! ! * allow for reseting of statistics per rule. ! +done ! ! * do some testing on an Sun ultra to determine the cause of panic's ! +done/fixed ! ! * From Andrew Stesin: ! 2. With "in-kernel" version, "log body" doesn't work for ! me; I discovered the fact too late, when fighting ! with crashes of our firewall. Disabling all "log body" ! clauses in filtering rules cured that mysterious crashes, ! too, firewall is working for weeks just now, as I see. ! Now when I'm just 90% sure I found the source of trouble, ! which tortured me for weeks, probably it's time to ! go check where exactly it lives. ! * invent "pass in log or-block" to block packets when they can't be logged ! +done ! 
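Review bot: The changed verbose `printf` in ipnat.c still prints `np->in_ifp` through `(u_int)` and `%x`, which truncates the value wherever a pointer is wider than `u_int`. Where the C library supports it, `printf("\t%p %u %x %u\n", (void *)np->in_ifp, ...)` prints the full pointer. The value is a kernel address copied out to a user-space tool, so it is also worth deciding whether it should be printed at all outside debugging.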
* timeouts for TCP connections which are known and "up" ! +done time permitting: --- 1,12 ---- + * automatically use the interface's IP# for NAT rather than any specific IP# ! * use fr_tcpstate() with NAT code for increased NAT usage security or even ! fr_checkstate() ! * use minor devices for controlling access to alternate parts of IP Filter ! such as filtering, accounting, state, NAT, etc. ! * see if the Solaris2 and dynamic plumb/unplumb problem is solvable time permitting: *************** *** 56,60 **** * modular application proxying * invesitgate making logging better - - * automatically use the interface's IP# for NAT rather than any specific IP# --- 17,19 ---- Index: BSD/Makefile =================================================================== RCS file: /devel/CVS/IP-Filter/BSD/Makefile,v retrieving revision 2.0.1.1 diff -c -r2.0.1.1 Makefile *** 2.0.1.1 1997/01/09 15:14:45 --- Makefile 1997/01/21 10:10:14 *************** *** 84,90 **** opt.o: $(TOP)/opt.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@ ! ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(IPL) $(DEBUG) $(CFLAGS) -c $(TOP)/ipnat.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \ --- 84,90 ---- opt.o: $(TOP)/opt.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@ ! ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h $(CC) $(IPL) $(DEBUG) $(CFLAGS) -c $(TOP)/ipnat.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \ Index: SunOS4/Makefile =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS4/Makefile,v retrieving revision 2.0.1.1 diff -c -r2.0.1.1 Makefile *** 2.0.1.1 1997/01/09 15:14:48 --- Makefile 1997/01/21 10:16:06 *************** *** 93,99 **** opt.o: ../opt.c $(CC) $(DEBUG) $(CFLAGS) -c ../opt.c -o $@ ! 
ipnat.o: ../ipnat.c ../ip_fil.h ../ipf.h $(CC) $(IPL) $(DEBUG) $(CFLAGS) -c ../ipnat.c -o $@ ipft_sn.o: ../ipft_sn.c ../ipt.h ../ipf.h ../ip_fil.h ../snoop.h --- 93,99 ---- opt.o: ../opt.c $(CC) $(DEBUG) $(CFLAGS) -c ../opt.c -o $@ ! ipnat.o: ../ipnat.c ../ip_fil.h ../ipf.h ../ip_nat.h $(CC) $(IPL) $(DEBUG) $(CFLAGS) -c ../ipnat.c -o $@ ipft_sn.o: ../ipft_sn.c ../ipt.h ../ipf.h ../ip_fil.h ../snoop.h Index: SunOS5/Makefile =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS5/Makefile,v retrieving revision 2.0.1.1 diff -c -r2.0.1.1 Makefile *** 2.0.1.1 1997/01/09 15:14:49 --- Makefile 1997/01/21 10:16:15 *************** *** 88,94 **** opt.o: $(TOP)/opt.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@ ! ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(IPL) $(CFLAGS) -c $(TOP)/ipnat.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/snoop.h --- 88,94 ---- opt.o: $(TOP)/opt.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@ ! ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h $(CC) $(IPL) $(CFLAGS) -c $(TOP)/ipnat.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/snoop.h