Index: HISTORY =================================================================== RCS file: /devel/CVS/IP-Filter/HISTORY,v retrieving revision 2.0.1.5 retrieving revision 2.0.1.7 diff -c -r2.0.1.5 -r2.0.1.7 *** 2.0.1.5 1997/01/21 10:15:40 --- 2.0.1.7 1997/02/08 06:46:12 *************** *** 5,10 **** --- 5,39 ---- # Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the # loan of a machine to work on a Solaris 2.x port of this software. # + 3.1.7 8/2/97 - Released + + Macros used for ntohs/htons supplied with gcc don't always work very well + when the assignment is the same variable being converted. + + Filter matching doesn't not match rule which checks tcp flags on packets + which are fragments - David Wilson + + 3.1.7beta 30/1/97 - Released + + Fix up NAT bugs introduced in last major change (now tested), including + nat_delete(), nat_lookupredir(), checksum changes, etc. + + 3.1.7alpha 30/1/97 - Released + + Many changes to NAT code, including contributions from Laurent Joncheray + + + Use "NO_SLEEP" when allocating memory under SunOS. + + Make kernel printf's nicer for BSD/SunOS4 + + Always do a checksum for packets being filtered going out and being + processed by fastroute. + + Leave kernel to play with cdevsw on *BSD systems with LKM's. + + ipnat.1 man page fixes. + 3.1.6 21/1/97 - Released Allow NAT to work on BSD systems in conjunction with "pass .. to ifname" Index: INSTALL.FreeBSD =================================================================== RCS file: /devel/CVS/IP-Filter/INSTALL.FreeBSD,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/09 15:20:39 --- 2.0.1.3 1997/02/04 13:57:33 *************** *** 33,39 **** 4. build a new kernel ! 5. create /dev/ipl with "mknod /dev/ipl c 59 0". 6. install and reboot with the new kernel --- 33,39 ---- 4. build a new kernel ! 5. create /dev/ipl with "mknod /dev/ipl c 20 0". 6. 
install and reboot with the new kernel Index: INSTALL.Sol2 =================================================================== RCS file: /devel/CVS/IP-Filter/INSTALL.Sol2,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/09 15:20:41 --- 2.0.1.3 1997/01/30 12:02:53 *************** *** 16,22 **** pkgadd -s '/var/spool/pkg' As part of the postinstall script, it will install loadable kernel module ! as part of Solaris 2 (using add_drv). IP Filter will be installed into /opt/CYBSipf (programs, manual pages and examples) and create a directory /etc/opt/CYBSipf with a null body file --- 16,22 ---- pkgadd -s '/var/spool/pkg' As part of the postinstall script, it will install loadable kernel module ! as part of Solaris 2 (using add_drv) making it available for immeadiate use. IP Filter will be installed into /opt/CYBSipf (programs, manual pages and examples) and create a directory /etc/opt/CYBSipf with a null body file Index: Makefile =================================================================== RCS file: /devel/CVS/IP-Filter/Makefile,v retrieving revision 2.0.1.3 retrieving revision 2.0.1.4 diff -c -r2.0.1.3 -r2.0.1.4 *** 2.0.1.3 1997/01/19 04:49:31 --- 2.0.1.4 1997/02/08 06:39:28 *************** *** 5,11 **** # and is not changed in any way. The author accepts no responsibility # for the use of this software. I hate legaleese, don't you ? # ! # $Id: Makefile,v 2.0.1.3 1997/01/19 04:49:31 darrenr Exp $ # # where to put things. # --- 5,11 ---- # and is not changed in any way. The author accepts no responsibility # for the use of this software. I hate legaleese, don't you ? # ! # $Id: Makefile,v 2.0.1.4 1997/02/08 06:39:28 darrenr Exp $ # # where to put things. # *************** *** 71,81 **** (cd SunOS4; make -f Makefile.ipsend TOP=.. $(MFLAGS); cd ..) sunos5 solaris2: ! (cd SunOS5/$(DCPU); make build TOP=../.. $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc"; cd ..) 
(cd SunOS5/$(DCPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) sunos5x86 solaris2x86: ! (cd SunOS5/$(DCPU); make build TOP=../.. $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86 -Di386"; cd ..) (cd SunOS5/$(DCPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) bsd netbsd freebsd: --- 71,81 ---- (cd SunOS4; make -f Makefile.ipsend TOP=.. $(MFLAGS); cd ..) sunos5 solaris2: ! (cd SunOS5/$(DCPU); make build TOP=../.. $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Dsparc -D__sparc__"; cd ..) (cd SunOS5/$(DCPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) sunos5x86 solaris2x86: ! (cd SunOS5/$(DCPU); make build TOP=../.. $(MFLAGS) "SOLARIS2=$(SOLARIS2)" "CPU=-Di86pc -Di386 -D__i386__"; cd ..) (cd SunOS5/$(DCPU); make -f Makefile.ipsend TOP=../.. $(MFLAGS); cd ..) bsd netbsd freebsd: Index: fil.c =================================================================== RCS file: /devel/CVS/IP-Filter/fil.c,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.4 diff -c -r2.0.1.2 -r2.0.1.4 *** 2.0.1.2 1997/01/21 10:15:42 --- 2.0.1.4 1997/02/04 13:59:41 *************** *** 7,13 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static char rcsid[] = "$Id: fil.c,v 2.0.1.2 1997/01/21 10:15:42 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static char rcsid[] = "$Id: fil.c,v 2.0.1.4 1997/02/04 13:59:41 darrenr Exp $"; #endif #include *************** *** 434,440 **** if (portcmp) { if (!fr_tcpudpchk(fr, fin)) continue; ! } else if (fr->fr_dcmp || fr->fr_scmp) continue; } else if (fi->fi_p == IPPROTO_ICMP) { if (!off && (fin->fin_dlen > 1)) { --- 434,441 ---- if (portcmp) { if (!fr_tcpudpchk(fr, fin)) continue; ! } else if (fr->fr_dcmp || fr->fr_scmp || fr->fr_tcpf || ! 
fr->fr_tcpfm) continue; } else if (fi->fi_p == IPPROTO_ICMP) { if (!off && (fin->fin_dlen > 1)) { *************** *** 445,451 **** fr->fr_icmpm, fr->fr_icmp)); continue; } ! } else if (fr->fr_icmpm || fr->fr_tcpfm) continue; } FR_VERBOSE(("*")); --- 446,452 ---- fr->fr_icmpm, fr->fr_icmp)); continue; } ! } else if (fr->fr_icmpm || fr->fr_icmp) continue; } FR_VERBOSE(("*")); *************** *** 609,616 **** --- 610,619 ---- if ((fin->fin_fr = ipacct[1][fr_active]) && (FR_SCANLIST(FR_NOMATCH, ip, fin, m) & FR_ACCOUNT)) frstats[1].fr_acct++; + fin->fin_fr = NULL; changed = ip_natout(ip, hlen, fin); } + fin->fin_fr = fr; MUTEX_EXIT(&ipf_mutex); #ifdef IPFILTER_LOG *************** *** 704,714 **** if ((pass & FR_FASTROUTE) || (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) { ! ipfr_fastroute(m, mp, fin, fdp); m = *mp = NULL; } if (mc) ! ipfr_fastroute(mc, mp, fin, &fr->fr_dif); } return (pass & FR_PASS) ? changed : -1; # endif --- 707,717 ---- if ((pass & FR_FASTROUTE) || (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) { ! ipfr_fastroute(qif, ip, m, mp, fin, fdp); m = *mp = NULL; } if (mc) ! ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif); } return (pass & FR_PASS) ? changed : -1; # endif Index: fils.c =================================================================== RCS file: /devel/CVS/IP-Filter/fils.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:43 --- 2.0.1.2 1997/01/30 10:21:48 *************** *** 42,48 **** #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; ! static char rcsid[] = "$Id: fils.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $"; #endif #ifdef _PATH_UNIX #define VMUNIX _PATH_UNIX --- 42,48 ---- #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; ! 
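Review bot: The new `fr->fr_tcpf || fr->fr_tcpfm` test is only reached when `portcmp` is false, and nothing in the hunk says what that state means, so a reader has to work out why a flag-checking rule is skipped rather than matched here. The 3.1.7 HISTORY entry gives the rationale (rules that test TCP flags must not match fragments); the code should carry it too, e.g. on that line `/* no TCP header to inspect (fragment/short): a rule that tests ports or flags cannot match */`, hedged as "presumably" until `portcmp`'s computation, which is outside the hunk, is confirmed. The enclosing function starts and ends outside the hunk.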
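Review bot: `fin->fin_fr = NULL;` before `ip_natout()` and the unconditional `fin->fin_fr = fr;` after the block are load-bearing but uncommented. The ip_nat.c hunk at 516-525 shows `ip_natout()` taking its output interface from `fin->fin_fr->fr_tif` when `fin_fr` is set, and at this point `fin_fr` has just been reassigned to the accounting list head by `fin->fin_fr = ipacct[1][fr_active]`, so presumably the NULL keeps an accounting rule's `to` interface from steering NAT; suggest `/* don't let the accounting scan's rule select the NAT interface; restored below */`. Note that the restore sits outside the `if`, so it also runs when the accounting block was skipped; that is harmless only if `fr` is what `fin_fr` already held, which is worth stating in the same comment. The enclosing function continues outside the hunk.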
static char rcsid[] = "$Id: fils.c,v 2.0.1.2 1997/01/30 10:21:48 darrenr Exp $"; #endif #ifdef _PATH_UNIX #define VMUNIX _PATH_UNIX *************** *** 248,259 **** set = 1 - set; if (opts & OPT_ACCNT) { i = F_AC; ! if (opts & OPT_OUTQUE) fp = (struct frentry *)fiop->f_acctout[set]; - else if (opts & OPT_INQUE) { - fp = (struct frentry *)fiop->f_acctin[set]; i++; ! } } else if (opts & OPT_OUTQUE) { i = F_OUT; fp = (struct frentry *)fiop->f_fout[set]; --- 248,258 ---- set = 1 - set; if (opts & OPT_ACCNT) { i = F_AC; ! if (opts & OPT_OUTQUE) { fp = (struct frentry *)fiop->f_acctout[set]; i++; ! } else if (opts & OPT_INQUE) ! fp = (struct frentry *)fiop->f_acctin[set]; } else if (opts & OPT_OUTQUE) { i = F_OUT; fp = (struct frentry *)fiop->f_fout[set]; Index: ip_compat.h =================================================================== RCS file: /devel/CVS/IP-Filter/ip_compat.h,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.4 diff -c -r2.0.1.2 -r2.0.1.4 *** 2.0.1.2 1997/01/09 15:22:26 --- 2.0.1.4 1997/02/04 14:24:25 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.0.1.2 1997/01/09 15:22:26 darrenr Exp $ */ #ifndef __IP_COMPAT_H_ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.0.1.4 1997/02/04 14:24:25 darrenr Exp $ */ #ifndef __IP_COMPAT_H_ *************** *** 135,140 **** --- 135,141 ---- int (*qf_inp)(); int (*qf_outp)(); mblk_t *qf_m; + int qf_len; char qf_name[8]; /* * in case the ILL has disappeared... *************** *** 150,159 **** # define htons(x) (x) # define htonl(x) (x) # endif ! # define KMALLOC(x) kmem_alloc((x), KM_SLEEP) # define GET_MINOR(x) getminor(x) # else ! # define KMALLOC(x) new_kmem_alloc((x), KMEM_SLEEP) # endif /* __svr4__ */ # endif /* sun && !linux */ # ifndef GET_MINOR --- 151,160 ---- # define htons(x) (x) # define htonl(x) (x) # endif ! 
# define KMALLOC(x) kmem_alloc((x), KM_NOSLEEP) # define GET_MINOR(x) getminor(x) # else ! # define KMALLOC(x) new_kmem_alloc((x), KMEM_NOSLEEP) # endif /* __svr4__ */ # endif /* sun && !linux */ # ifndef GET_MINOR Index: ip_fil.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_fil.c,v retrieving revision 2.0.1.3 retrieving revision 2.0.1.5 diff -c -r2.0.1.3 -r2.0.1.5 *** 2.0.1.3 1997/01/21 10:15:43 --- 2.0.1.5 1997/01/29 13:41:45 *************** *** 7,13 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.3 1997/01/21 10:15:43 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.5 1997/01/29 13:41:45 darrenr Exp $"; #endif #include *************** *** 115,121 **** SPLNET(s); if (ipl_inited || (fr_checkp == fr_check)) { ! printf("ipl: already initialized\n"); SPLX(s); return EBUSY; } --- 115,121 ---- SPLNET(s); if (ipl_inited || (fr_checkp == fr_check)) { ! printf("IP Filter: already initialized\n"); SPLX(s); return EBUSY; } *************** *** 137,143 **** SPLNET(s); if (!ipl_inited) { ! printf("ipl: not initialized\n"); SPLX(s); return EBUSY; } --- 137,143 ---- SPLNET(s); if (!ipl_inited) { ! printf("IP Filter: not initialized\n"); SPLX(s); return EBUSY; } *************** *** 627,637 **** for (len -= sizeof(iplci); m && len > 0; m = m->m_next, len -= hlen) { hlen = MIN(len, m->m_len); - #ifdef m_data if (fr_copytolog(mtod(m, char *), hlen)) - #else - if (fr_copytolog(mtod(m, char *), hlen)) - #endif break; } --- 627,633 ---- *************** *** 767,775 **** * go back through output filtering and miss their chance to get * NAT'd. */ ! (void) ip_natout(ip, fin->fin_hlen, fin); ! ! 
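Review bot: Switching `KMALLOC()` to `KM_NOSLEEP`/`KMEM_NOSLEEP` means every `KMALLOC()` call can now return NULL under memory pressure, where the sleeping variants could not. None of the allocation sites (the `nat` in nat_new, the `n` in nat_ioctl) are in this diff, so confirm each one checks the result before writing through it; an unchecked NULL here is a kernel crash reachable by ordinary packet load. A one-line comment at the macro would make the contract explicit: `/* NOSLEEP: may return NULL, every caller must check */`.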
/* * If small enough for interface, can just send directly. */ if (ip->ip_len <= ifp->if_mtu) { --- 763,772 ---- * go back through output filtering and miss their chance to get * NAT'd. */ ! (void) ip_natout(ip, hlen, fin); ! if (fin->fin_out) ! ip->ip_sum = 0; ! /* * If small enough for interface, can just send directly. */ if (ip->ip_len <= ifp->if_mtu) { Index: ip_nat.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_nat.c,v retrieving revision 2.0.1.6 retrieving revision 2.0.1.10 diff -c -r2.0.1.6 -r2.0.1.10 *** 2.0.1.6 1997/01/21 10:15:44 --- 2.0.1.10 1997/02/08 06:38:49 *************** *** 6,24 **** * to the original author and the contributors. * * Added redirect stuff and a LOT of bug fixes. (mcn@EnGarde.com) - * - * Things still screwed: - * 1) You can't specify a mapping to a class D address. By default, it - * always adds 1 to that address. As a result, when a packet comes back, - * the rule won't be matched. (e.g. outgoing address = 199.165.219.2, - * whereas the rule says outgoing address = 199.165.219.1/32. Because - * ADNATS always adds one, and there really isn't any provision for - * only using 1 address (the in_space stuff is broke), there isn't any - * easy solution) */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.6 1997/01/21 10:15:44 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) --- 6,15 ---- * to the original author and the contributors. * * Added redirect stuff and a LOT of bug fixes. (mcn@EnGarde.com) */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! 
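Review bot: `ip->ip_sum = 0;` after `ip_natout()` is conditioned on `fin->fin_out`, but `ip_natout()` itself is called unconditionally, so a packet that entered inbound (`fin_out == 0`) and is fast-routed can have its header rewritten by NAT while the zeroing is skipped; whether that matters depends on the send path below recomputing `ip_sum` regardless, which is outside the hunk and should be confirmed. If the recompute is unconditional the `if (fin->fin_out)` is redundant; if it is not, the zeroing should not depend on `fin_out`. In either case a comment naming who produces the final checksum would settle it, e.g. `/* ip_sum is recomputed below before the interface output call */`. The enclosing function continues past the hunk.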
static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.10 1997/02/08 06:38:49 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) *************** *** 54,59 **** --- 45,57 ---- #include #include #include + + #ifdef RFC1825 + #include + #include + extern struct ifnet vpnif; + #endif + #include #include #include *************** *** 67,73 **** #define MIN(a,b) (((a)<(b))?(a):(b)) #endif ! nat_t *nat_table[2][NAT_SIZE]; ipnat_t *nat_list = NULL; u_long nat_inuse = 0, fr_defnatage = 1200; --- 65,71 ---- #define MIN(a,b) (((a)<(b))?(a):(b)) #endif ! nat_t *nat_table[2][NAT_SIZE], *nat_instances = NULL; ipnat_t *nat_list = NULL; u_long nat_inuse = 0, fr_defnatage = 1200; *************** *** 83,107 **** #endif static int flush_nattable(), clear_natlist(); ! #define FIX_OUTCKSUM(sp,n) { register u_long _sum1; \ ! register u_short _sumshort; \ ! _sum1 = (~ntohs(*sp)) & 0xffff; \ ! _sum1 += (n); \ ! _sum1 = (_sum1 >> 16) + (_sum1 & 0xffff); \ ! /* Again */ \ ! _sum1 = (_sum1 >> 16) + (_sum1 & 0xffff); \ ! _sumshort = ~(u_short)_sum1; \ ! *(sp) = htons(_sumshort); } ! #define FIX_INCKSUM(sp,n) { register u_long _sum1; \ ! register u_short _sumshort; \ ! _sum1 = (~ntohs(*sp)) & 0xffff; \ ! _sum1 += ~(n) & 0xffff; \ ! _sum1 = (_sum1 >> 16) + (_sum1 & 0xffff); \ ! /* Again */ \ ! _sum1 = (_sum1 >> 16) + (_sum1 & 0xffff); \ ! _sumshort = ~(u_short)_sum1; \ ! *(sp) = htons(_sumshort); } /* --- 81,128 ---- #endif static int flush_nattable(), clear_natlist(); + static void nattable_sync(); ! void fix_outcksum(sp, n) ! u_short *sp; ! u_long n; ! { ! register u_short sumshort; ! register u_long sum1; ! ! #ifdef sparc ! sum1 = (~(*sp)) & 0xffff; ! #else ! sum1 = (~ntohs(*sp)) & 0xffff; ! #endif ! sum1 += (n); ! sum1 = (sum1 >> 16) + (sum1 & 0xffff); ! /* Again */ ! sum1 = (sum1 >> 16) + (sum1 & 0xffff); ! sumshort = ~(u_short)sum1; ! *(sp) = htons(sumshort); ! } ! ! ! void fix_incksum(sp, n) ! u_short *sp; ! u_long n; ! { ! register u_short sumshort; ! register u_long sum1; ! ! 
#ifdef sparc ! sum1 = (~(*sp)) & 0xffff; ! #else ! sum1 = (~ntohs(*sp)) & 0xffff; ! #endif ! sum1 += ~(n) & 0xffff; ! sum1 = (sum1 >> 16) + (sum1 & 0xffff); ! /* Again */ ! sum1 = (sum1 >> 16) + (sum1 & 0xffff); ! sumshort = ~(u_short)sum1; ! *(sp) = htons(sumshort); ! } /* *************** *** 167,172 **** --- 188,194 ---- IRCOPY((char *)data, (char *)n, sizeof(*n)); n->in_ifp = (void *)GETUNIT(n->in_ifname); n->in_next = *np; + n->in_use = 0; n->in_space = ~(0xffffffff & ntohl(n->in_outmsk)); if (n->in_space) /* lose 2: broadcast + network address */ n->in_space -= 2; *************** *** 176,183 **** n->in_nip = ntohl(n->in_outip) + 1; else n->in_nip = ntohl(n->in_outip); ! if (n->in_redir == NAT_MAP) n->in_pnext = ntohs(n->in_pmin); /* Otherwise, these fields are preset */ *np = n; break; --- 198,212 ---- n->in_nip = ntohl(n->in_outip) + 1; else n->in_nip = ntohl(n->in_outip); ! if (n->in_redir == NAT_MAP) { n->in_pnext = ntohs(n->in_pmin); + /* + * Multiply by the number of ports made available. + */ + if (ntohs(n->in_pmax) > ntohs(n->in_pmin)) + n->in_space *= (ntohs(n->in_pmax) - + ntohs(n->in_pmin)); + } /* Otherwise, these fields are preset */ *np = n; break; *************** *** 191,197 **** --- 220,228 ---- break; } *np = n->in_next; + KFREE(n); + nattable_sync(); break; case SIOCGNATS : nat_stats.ns_table[0] = nat_table[0]; *************** *** 203,216 **** case SIOCGNATL : { natlookup_t nl; - nat_t *na; IRCOPY((char *)data, (char *)&nl, sizeof(nl)); ! if ((na = nat_lookupredir(&nl))) { ! nl.nl_inip = na->nat_outip; ! nl.nl_inport = na->nat_outport; IWCOPY((char *)&nl, (char *)data, sizeof(nl)); ! } else error = ESRCH; break; } --- 234,245 ---- case SIOCGNATL : { natlookup_t nl; IRCOPY((char *)data, (char *)&nl, sizeof(nl)); ! ! if (nat_lookupredir(&nl)) IWCOPY((char *)&nl, (char *)data, sizeof(nl)); ! else error = ESRCH; break; } *************** *** 236,265 **** } /* * flush_nattable - clear the NAT table of all mapping entries. 
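Review bot: `fix_outcksum()` and `fix_incksum()` select the no-`ntohs` path with `#ifdef sparc`, but the Makefile hunk in this same change passes `-Dsparc -D__sparc__`, and a compiler in ANSI mode defines only the `__sparc__` form, so the workaround can silently drop out and the gcc `ntohs` macro problem recorded in HISTORY returns. Suggest `#if defined(sparc) || defined(__sparc__)` in both functions. The `#else` branch is correct on any big-endian host, so this is a compiler workaround rather than a byte-order switch and should say so: `/* big-endian, ntohs is the identity; avoid gcc's ntohs() macro, which misbehaves here */`.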
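Review bot: `n->in_space *= (ntohs(n->in_pmax) - ntohs(n->in_pmin));` can wrap: `in_space` is a `u_int` (ip_nat.h hunk), a wide `in_outmsk` gives it up to about 2^24 addresses, and a port range near 65535 pushes the product past 2^32, leaving a small or zero `in_space` that wrongly disables or mis-sizes the rule. Clamp before multiplying, e.g. `if (n->in_space > UINT_MAX / (ntohs(n->in_pmax) - ntohs(n->in_pmin))) n->in_space = UINT_MAX; else n->in_space *= (ntohs(n->in_pmax) - ntohs(n->in_pmin));` (or the kernel's equivalent limit). Separately, the unit of `in_space` is now inconsistent across hunks: here it counts address×port slots, nat_new (hunk 312-341) decrements it only when `in_pnext` wraps past `in_pmax` (once per address), and nat_delete (hunk 236-265) increments it once per entry, so the counter drifts upward and the `np->in_space` exhaustion check in ip_natout loses its meaning; pick one unit and document it next to the field in ip_nat.h.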
*/ static int flush_nattable() { ! nat_t *nat, **natp; ! int i, j = 0; ! for (i = NAT_SIZE - 1; i >= 0; i--) { ! natp = &nat_table[0][i]; ! while ((nat = *natp)) { ! *natp = nat->nat_next[0]; ! KFREE(nat); ! j++; ! } } - bzero((char *)nat_table[1], sizeof(nat_table[1])); - return j; } /* * clear_natlist - delete all entries in the active NAT mapping list. */ static int clear_natlist() --- 265,348 ---- } + static void nat_delete(natd) + struct nat *natd; + { + register struct nat **natp, *nat; + + for (natp = natd->nat_hstart[0]; (nat = *natp); + natp = &nat->nat_hnext[0]) + if (nat == natd) { + *natp = nat->nat_hnext[0]; + break; + } + + for (natp = natd->nat_hstart[1]; (nat = *natp); + natp = &nat->nat_hnext[1]) + if (nat == natd) { + *natp = nat->nat_hnext[1]; + break; + } + + if (natd->nat_ptr) { + natd->nat_ptr->in_space++; + natd->nat_ptr->in_use--; + } + KFREE(natd); + nat_inuse--; + } + + /* * flush_nattable - clear the NAT table of all mapping entries. */ static int flush_nattable() { ! register nat_t *nat, **natp; ! register int j = 0; ! ! /* ! * Everything will be deleted, so lets just make it the deletions ! * quicker. ! */ ! bzero((char *)nat_table[0], sizeof(nat_table[0])); ! bzero((char *)nat_table[1], sizeof(nat_table[1])); ! for (natp = &nat_instances; (nat = *natp); ) { ! *natp = nat->nat_next; ! nat_delete(nat); ! j++; } return j; } /* + * I know this is O(N*M), but it can't be avoided. + */ + static void nattable_sync() + { + register nat_t *nat; + register ipnat_t *np; + int i; + + for (i = NAT_SIZE - 1; i >= 0; i--) + for (nat = nat_instances; nat; nat = nat->nat_next) { + for (np = nat_list; np; np = np->in_next) + if (nat->nat_ptr == np) + break; + /* + * XXX - is it better to remove this if ? works the + * same if it is just "nat->nat_ptr = np". + */ + if (!np) + nat->nat_ptr = NULL; + } + } + + + /* * clear_natlist - delete all entries in the active NAT mapping list. 
*/ static int clear_natlist() *************** *** 271,276 **** --- 354,361 ---- *np = n->in_next; KFREE(n); } + + nattable_sync(); return i; } *************** *** 290,296 **** --- 375,383 ---- struct in_addr in; tcphdr_t *tcp = NULL; nat_t *nat, **natp; + u_short nflags; + nflags = flags & np->in_flags; if (flags & IPN_TCPUDP) { tcp = (tcphdr_t *)fin->fin_dp; sport = tcp->th_sport; *************** *** 312,341 **** * record, then create a new port */ do { in.s_addr = np->in_nip; ! if (np->in_flags & IPN_TCPUDP) { port = htons(np->in_pnext++); if (np->in_pnext >= ntohs(np->in_pmax)) { np->in_pnext = ntohs(np->in_pmin); ! if (np->in_outmsk != 0xffffffff) { ! np->in_space--; np->in_nip++; - } } } else if (np->in_outmsk != 0xffffffff) { np->in_space--; np->in_nip++; } if ((np->in_nip & ntohl(np->in_outmsk)) > ntohl(np->in_outip)) np->in_nip = ntohl(np->in_outip) + 1; ! } while (nat_lookupinip(in, sport)); - if (!port && (flags & IPN_TCPUDP)) - port = sport; /* Setup the NAT table */ nat->nat_inip = ip->ip_src; nat->nat_outip.s_addr = htonl(in.s_addr); sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) + (ntohl(ip->ip_src.s_addr) >> 16) + ntohs(sport); --- 399,430 ---- * record, then create a new port */ do { + port = 0; in.s_addr = np->in_nip; ! if (nflags & IPN_TCPUDP) { port = htons(np->in_pnext++); if (np->in_pnext >= ntohs(np->in_pmax)) { np->in_pnext = ntohs(np->in_pmin); ! np->in_space--; ! if (np->in_outmsk != 0xffffffff) np->in_nip++; } } else if (np->in_outmsk != 0xffffffff) { np->in_space--; np->in_nip++; } + + if (!port && (flags & IPN_TCPUDP)) + port = sport; if ((np->in_nip & ntohl(np->in_outmsk)) > ntohl(np->in_outip)) np->in_nip = ntohl(np->in_outip) + 1; ! 
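Review bot: In `nattable_sync()` the outer `for (i = NAT_SIZE - 1; i >= 0; i--)` never uses `i`, so the instances×rules walk is repeated NAT_SIZE (367) times to no effect; the comment says O(N*M) but the code is O(367*N*M), and it runs under the NAT lock on every rule removal (`SIOCRMNAT`, `clear_natlist`). Drop the outer loop and `int i`; the body is otherwise unchanged. The XXX comment is right that an unconditional `nat->nat_ptr = np;` is equivalent, since `np` is NULL exactly when no rule matched, and writing it that way lets the comment go.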
} while (nat_inlookup(flags, ip->ip_dst, dport, in, port)); /* Setup the NAT table */ nat->nat_inip = ip->ip_src; nat->nat_outip.s_addr = htonl(in.s_addr); + nat->nat_oip = ip->ip_dst; sum1 = (ntohl(ip->ip_src.s_addr) & 0xffff) + (ntohl(ip->ip_src.s_addr) >> 16) + ntohs(sport); *************** *** 345,350 **** --- 434,440 ---- if (flags & IPN_TCPUDP) { nat->nat_inport = sport; nat->nat_outport = port; + nat->nat_oport = dport; } } else { *************** *** 415,428 **** nat->nat_ipsumd = nat->nat_sumd; in.s_addr = htonl(in.s_addr); natp = &nat_table[0][nat->nat_inip.s_addr % NAT_SIZE]; ! nat->nat_next[0] = *natp; *natp = nat; - nat->nat_use++; natp = &nat_table[1][nat->nat_outip.s_addr % NAT_SIZE]; ! nat->nat_next[1] = *natp; *natp = nat; ! nat->nat_use++; if (direction == NAT_OUTBOUND) { if (flags & IPN_TCPUDP) tcp->th_sport = htons(port); --- 505,522 ---- nat->nat_ipsumd = nat->nat_sumd; in.s_addr = htonl(in.s_addr); + nat->nat_next = nat_instances; + nat_instances = nat; natp = &nat_table[0][nat->nat_inip.s_addr % NAT_SIZE]; ! nat->nat_hstart[0] = natp; ! nat->nat_hnext[0] = *natp; *natp = nat; natp = &nat_table[1][nat->nat_outip.s_addr % NAT_SIZE]; ! nat->nat_hstart[1] = natp; ! nat->nat_hnext[1] = *natp; *natp = nat; ! nat->nat_ptr = np; ! np->in_use++; if (direction == NAT_OUTBOUND) { if (flags & IPN_TCPUDP) tcp->th_sport = htons(port); *************** *** 440,505 **** * NB: these lookups don't lock access to the list, it assume it has already * been done! */ ! nat_t *nat_lookupredir(np) ! natlookup_t *np; ! { ! nat_t *nat; ! ! nat = nat_table[0][np->nl_inip.s_addr % NAT_SIZE]; ! for (; nat; nat = nat->nat_next[0]) ! if ((nat->nat_inip.s_addr == np->nl_inip.s_addr) && ! (nat->nat_oip.s_addr == np->nl_outip.s_addr) && ! (np->nl_inport == nat->nat_inport) && ! (np->nl_outport == nat->nat_oport)) return nat; return NULL; } ! nat_t *nat_lookupinip(ipaddr, sport) ! struct in_addr ipaddr; ! u_short sport; ! { ! nat_t *nat; ! 
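Review bot: The collision check `nat_inlookup(flags, ip->ip_dst, dport, in, port)` compares values in different byte orders: `in.s_addr` is host order here (`in.s_addr = np->in_nip`, and `in_nip` is set from `ntohl(n->in_outip)` in nat_ioctl), while `nat_inlookup()` tests it against `nat->nat_outip.s_addr`, which this same hunk stores as `htonl(in.s_addr)`. On little-endian hosts (the i386 targets in the Makefile) the lookup therefore never matches, the `do`/`while` exits on its first candidate, and two inside flows can be handed the same external address:port, which makes the reverse translation ambiguous. Pass the network-order form instead: declare `struct in_addr mapin;` and end the loop with `mapin.s_addr = htonl(in.s_addr); } while (nat_inlookup(flags, ip->ip_dst, dport, mapin, port));`.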
nat = nat_table[0][ipaddr.s_addr % NAT_SIZE]; ! for (; nat; nat = nat->nat_next[0]) ! if (nat->nat_inip.s_addr == ipaddr.s_addr) { ! if (nat->nat_inport && (sport != nat->nat_inport)) ! continue; return nat; - } return NULL; } ! nat_t *nat_lookupoutip(np, ip, tcp) ! register ipnat_t *np; ! ip_t *ip; ! tcphdr_t *tcp; { - struct in_addr ipaddr; - u_short port = 0; nat_t *nat; ! if (ip->ip_p == IPPROTO_TCP || ip->ip_p == IPPROTO_UDP) ! port = tcp->th_dport; ! ipaddr.s_addr = ip->ip_dst.s_addr; ! nat = nat_table[1][ipaddr.s_addr % NAT_SIZE]; ! ! if (np->in_redir == NAT_MAP) { ! for (; nat; nat = nat->nat_next[1]) ! if (nat->nat_outip.s_addr == ipaddr.s_addr && ! (!nat->nat_outport || (port == nat->nat_outport))) ! return nat; ! } else ! for (; nat; nat = nat->nat_next[1]) ! if (nat->nat_outip.s_addr == ipaddr.s_addr && ! nat->nat_oip.s_addr == ip->ip_src.s_addr && ! port == nat->nat_outport && ! tcp->th_sport == nat->nat_oport) ! return nat; ! return NULL; } --- 534,634 ---- * NB: these lookups don't lock access to the list, it assume it has already * been done! */ ! /* ! * Lookup a nat entry based on the mapped destination ip address/port and ! * real source address/port. We use this lookup when receiving a packet, ! * we're looking for a table entry, based on the destination address. ! * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. ! */ ! nat_t *nat_inlookup(flags, src, sport, mapdst, mapdport) ! register int flags; ! struct in_addr src , mapdst; ! u_short sport, mapdport; ! { ! register nat_t *nat; ! ! flags &= IPN_TCPUDP; ! ! nat = nat_table[1][mapdst.s_addr % NAT_SIZE]; ! for (; nat; nat = nat->nat_hnext[1]) ! if (nat->nat_oip.s_addr == src.s_addr && ! nat->nat_outip.s_addr == mapdst.s_addr && ! (!flags || (nat->nat_oport == sport && ! nat->nat_outport == mapdport))) return nat; return NULL; } ! /* ! * Lookup a nat entry based on the source 'real' ip address/port and ! * destination address/port. We use this lookup when sending a packet out, ! 
* we're looking for a table entry, based on the source address. ! * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. ! */ ! nat_t *nat_outlookup(flags, src, sport, dst, dport) ! register int flags; ! struct in_addr src , dst; ! u_short sport, dport; ! { ! register nat_t *nat; ! ! flags &= IPN_TCPUDP; ! ! nat = nat_table[0][src.s_addr % NAT_SIZE]; ! for (; nat; nat = nat->nat_hnext[0]) ! if (nat->nat_inip.s_addr == src.s_addr && ! nat->nat_oip.s_addr == dst.s_addr && ! (!flags || (nat->nat_inport == sport && ! nat->nat_oport == dport))) ! return nat; ! return NULL; ! } ! ! /* ! * Lookup a nat entry based on the mapped source ip address/port and ! * real destination address/port. We use this lookup when sending a packet ! * out, we're looking for a table entry, based on the source address. ! */ ! nat_t *nat_lookupmapip(flags, mapsrc, mapsport, dst, dport) ! register int flags; ! struct in_addr mapsrc , dst; ! u_short mapsport, dport; ! { ! register nat_t *nat; ! ! flags &= IPN_TCPUDP; ! ! nat = nat_table[1][mapsrc.s_addr % NAT_SIZE]; ! for (; nat; nat = nat->nat_hnext[0]) ! if (nat->nat_outip.s_addr == mapsrc.s_addr && ! nat->nat_oip.s_addr == dst.s_addr && ! (!flags || (nat->nat_outport == mapsport && ! nat->nat_oport == dport))) return nat; return NULL; } ! /* ! * Lookup the NAT tables to search for a matching redirect ! */ ! nat_t *nat_lookupredir(np) ! register natlookup_t *np; { nat_t *nat; ! /* ! * If nl_inip is non null, this is a lookup based on the real ! * ip address. Else, we use the fake. ! */ ! if ((nat = nat_outlookup(IPN_TCPUDP, np->nl_inip, np->nl_inport, ! np->nl_outip, np->nl_outport))) { ! np->nl_inip = nat->nat_outip; ! np->nl_inport = nat->nat_outport; ! } ! return nat; } *************** *** 516,525 **** register u_long ipa; tcphdr_t *tcp = NULL; nat_t *nat; ! 
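Review bot: `nat_lookupmapip()` hashes into `nat_table[1]` but advances with `nat->nat_hnext[0]`, so after the first bucket entry it follows the inside-address chain of whatever entry it landed on and can miss or return unrelated entries; the sibling `nat_inlookup()` uses `nat_hnext[1]` for the same table and this should match: `for (; nat; nat = nat->nat_hnext[1])`. It is not declared in the ip_nat.h hunk alongside `nat_outlookup`/`nat_inlookup`, so it may now be unused, in which case removing it is cleaner than carrying a broken lookup. Also, the comment in `nat_lookupredir()` describes an `nl_inip`-null branch ("Else, we use the fake") that the code no longer has; the function only calls `nat_outlookup()`, so the comment should say that.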
u_short nflags = 0, sport = 0, *csump = NULL; struct ifnet *ifp; frentry_t *fr; - frdest_t *tif; if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) && fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1) --- 645,653 ---- register u_long ipa; tcphdr_t *tcp = NULL; nat_t *nat; ! u_short nflags = 0, sport = 0, dport = 0, *csump = NULL; struct ifnet *ifp; frentry_t *fr; if ((fr = fin->fin_fr) && !(fr->fr_flags & FR_DUP) && fr->fr_tif.fd_ifp && fr->fr_tif.fd_ifp != (void *)-1) *************** *** 532,541 **** nflags = IPN_TCP; else if (ip->ip_p == IPPROTO_UDP) nflags = IPN_UDP; ! } ! if (nflags) { ! tcp = (tcphdr_t *)fin->fin_dp; ! sport = tcp->th_sport; } ipa = ip->ip_src.s_addr; --- 660,670 ---- nflags = IPN_TCP; else if (ip->ip_p == IPPROTO_UDP) nflags = IPN_UDP; ! if (nflags) { ! tcp = (tcphdr_t *)fin->fin_dp; ! sport = tcp->th_sport; ! dport = tcp->th_dport; ! } } ipa = ip->ip_src.s_addr; *************** *** 545,557 **** if ((np->in_ifp == ifp) && np->in_space && (!np->in_flags || (np->in_flags & nflags)) && ((ipa & np->in_inmsk) == np->in_inip) && ! (np->in_redir == NAT_MAP || ! np->in_pnext == sport)) { /* * If there is no current entry in the nat table for * this IP#, create one for it. */ ! if (!(nat = nat_lookupinip(ip->ip_src, sport))) { if (np->in_redir == NAT_REDIRECT) continue; /* --- 674,687 ---- if ((np->in_ifp == ifp) && np->in_space && (!np->in_flags || (np->in_flags & nflags)) && ((ipa & np->in_inmsk) == np->in_inip) && ! ((np->in_redir == NAT_MAP) || ! (np->in_pnext == sport))) { /* * If there is no current entry in the nat table for * this IP#, create one for it. */ ! if (!(nat = nat_outlookup(nflags, ip->ip_src, sport, ! ip->ip_dst, dport))) { if (np->in_redir == NAT_REDIRECT) continue; /* *************** *** 572,578 **** * Fix up checksums, not by recalculating them, but * simply computing adjustments. */ ! 
FIX_OUTCKSUM(&ip->ip_sum, nat->nat_ipsumd); if (nflags && !(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { --- 702,713 ---- * Fix up checksums, not by recalculating them, but * simply computing adjustments. */ ! #if SOLARIS ! if (np->in_redir == NAT_MAP) ! fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); ! else ! fix_incksum(&ip->ip_sum, nat->nat_ipsumd); ! #endif if (nflags && !(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { *************** *** 594,601 **** csump = &ic->icmp_cksum; } ! if (csump) ! FIX_OUTCKSUM(csump, nat->nat_sumd); } nat_stats.ns_mapped[1]++; MUTEX_EXIT(&ipf_nat); --- 729,742 ---- csump = &ic->icmp_cksum; } ! if (csump) { ! if (np->in_redir == NAT_MAP) ! fix_outcksum(csump, ! nat->nat_sumd); ! else ! fix_incksum(csump, ! nat->nat_sumd); ! } } nat_stats.ns_mapped[1]++; MUTEX_EXIT(&ipf_nat); *************** *** 619,625 **** register struct in_addr in; struct ifnet *ifp = fin->fin_ifp; tcphdr_t *tcp = NULL; ! u_short port = 0, nflags = 0, *csump = NULL; nat_t *nat; if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { --- 760,766 ---- register struct in_addr in; struct ifnet *ifp = fin->fin_ifp; tcphdr_t *tcp = NULL; ! u_short sport = 0, dport = 0, nflags = 0, *csump = NULL; nat_t *nat; if (!(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { *************** *** 627,636 **** nflags = IPN_TCP; else if (ip->ip_p == IPPROTO_UDP) nflags = IPN_UDP; ! } ! if (nflags) { ! tcp = (tcphdr_t *)((char *)ip + hlen); ! port = tcp->th_dport; } in = ip->ip_dst; --- 768,778 ---- nflags = IPN_TCP; else if (ip->ip_p == IPPROTO_UDP) nflags = IPN_UDP; ! if (nflags) { ! tcp = (tcphdr_t *)((char *)ip + hlen); ! dport = tcp->th_dport; ! sport = tcp->th_sport; ! } } in = ip->ip_dst; *************** *** 640,647 **** if ((np->in_ifp == ifp) && (!np->in_flags || (nflags & np->in_flags)) && ((in.s_addr & np->in_outmsk) == np->in_outip) && ! (np->in_redir == NAT_MAP || np->in_pmin == port)) { ! 
if (!(nat = nat_lookupoutip(np, ip, tcp))) { if (np->in_redir == NAT_MAP) continue; else { --- 782,790 ---- if ((np->in_ifp == ifp) && (!np->in_flags || (nflags & np->in_flags)) && ((in.s_addr & np->in_outmsk) == np->in_outip) && ! (np->in_redir == NAT_MAP || np->in_pmin == dport)) { ! if (!(nat = nat_inlookup(nflags, ip->ip_src, sport, ! ip->ip_dst, dport))) { if (np->in_redir == NAT_MAP) continue; else { *************** *** 651,657 **** * nat_new. Otherwise, if it's just a * mapping, do a continue; */ - nflags &= np->in_flags; if (!(nat = nat_new(np, ip, fin, nflags, NAT_INBOUND))) --- 794,799 ---- *************** *** 667,673 **** * simply computing adjustments. */ #if SOLARIS ! FIX_INCKSUM(&ip->ip_sum, nat->nat_ipsumd); #endif if (nflags && !(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { --- 809,818 ---- * simply computing adjustments. */ #if SOLARIS ! if (np->in_redir == NAT_MAP) ! fix_incksum(&ip->ip_sum, nat->nat_ipsumd); ! else ! fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); #endif if (nflags && !(ip->ip_off & 0x1fff) && !(fin->fin_fi.fi_fl & FI_SHORT)) { *************** *** 689,696 **** csump = &ic->icmp_cksum; } ! if (csump) ! FIX_INCKSUM(csump, nat->nat_sumd); } nat_stats.ns_mapped[0]++; MUTEX_EXIT(&ipf_nat); --- 834,847 ---- csump = &ic->icmp_cksum; } ! if (csump) { ! if (np->in_redir == NAT_MAP) ! fix_incksum(csump, ! nat->nat_sumd); ! else ! fix_outcksum(csump, ! nat->nat_sumd); ! } } nat_stats.ns_mapped[0]++; MUTEX_EXIT(&ipf_nat); *************** *** 706,733 **** */ void ip_natunload() { - register struct nat *nat, **natp; - register struct ipnat *ipn, **ipnp; - register int i; - MUTEX_ENTER(&ipf_nat); ! for (i = 0; i < NAT_SIZE; i++) ! for (natp = &nat_table[0][i]; (nat = *natp); ) { ! *natp = nat->nat_next[0]; ! if (!--nat->nat_use) ! KFREE(nat); ! } ! for (i = 0; i < NAT_SIZE; i++) ! for (natp = &nat_table[1][i]; (nat = *natp); ) { ! *natp = nat->nat_next[1]; ! if (!--nat->nat_use) ! KFREE(nat); ! } ! ! 
for (ipnp = &nat_list; (ipn = *ipnp); ) { ! *ipnp = ipn->in_next; ! KFREE(ipn); ! } MUTEX_EXIT(&ipf_nat); } --- 857,867 ---- */ void ip_natunload() { MUTEX_ENTER(&ipf_nat); ! ! (void) clear_natlist(); ! (void) flush_nattable(); ! MUTEX_EXIT(&ipf_nat); } *************** *** 739,772 **** void ip_natexpire() { register struct nat *nat, **natp; - register int i; MUTEX_ENTER(&ipf_nat); ! for (i = 0; i < NAT_SIZE; i++) ! for (natp = &nat_table[0][i]; (nat = *natp); ) { ! if (nat->nat_age > 0) ! nat->nat_age--; ! if (!nat->nat_use || !nat->nat_age) { ! *natp = nat->nat_next[0]; ! if (nat->nat_use) ! nat->nat_use--; ! } else ! natp = &nat->nat_next[0]; ! } ! ! for (i = 0; i < NAT_SIZE; i++) ! for (natp = &nat_table[1][i]; (nat = *natp); ) { ! if (!nat->nat_use || !nat->nat_age) { ! *natp = nat->nat_next[1]; ! if (nat->nat_use) ! nat->nat_use--; ! if (!nat->nat_use) { ! KFREE(nat); ! nat_stats.ns_expire++; ! nat_inuse--; ! } ! } else ! natp = &nat->nat_next[1]; ! } MUTEX_EXIT(&ipf_nat); } --- 873,886 ---- void ip_natexpire() { register struct nat *nat, **natp; MUTEX_ENTER(&ipf_nat); ! for (natp = &nat_instances; (nat = *natp); natp = &nat->nat_next) { ! if (--nat->nat_age) ! continue; ! *natp = nat->nat_next; ! nat_delete(nat); ! nat_stats.ns_expire++; ! } MUTEX_EXIT(&ipf_nat); } Index: ip_nat.h =================================================================== RCS file: /devel/CVS/IP-Filter/ip_nat.h,v retrieving revision 2.0.1.5 retrieving revision 2.0.1.7 diff -c -r2.0.1.5 -r2.0.1.7 *** 2.0.1.5 1997/01/21 10:15:46 --- 2.0.1.7 1997/01/30 12:39:41 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.0.1.5 1997/01/21 10:15:46 darrenr Exp $ */ #ifndef __IP_NAT_H_ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! 
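Review bot: The rewritten ip_natexpire() loop advances with `natp = &nat->nat_next` in the for-increment even on the iteration that has just run `nat_delete(nat)` on that entry, so the next `(nat = *natp)` reads through memory nat_delete has presumably released (use-after-free); the pointer should only be advanced when the entry is kept. The pre-decrement in `if (--nat->nat_age) continue;` is also unconditional, so an entry whose nat_age is already 0 becomes -1 and is never expired, whereas the removed code only decremented when `nat_age > 0` and expired on zero. Restructure the loop so the advance lives in the keep branch and the zero case is handled before decrementing.
```c
	for (natp = &nat_instances; (nat = *natp); ) {
		/* keep the entry while its timer is still running */
		if (nat->nat_age > 0 && --nat->nat_age) {
			natp = &nat->nat_next;
			continue;
		}
		/* unlink first; natp already points at the successor slot */
		*natp = nat->nat_next;
		nat_delete(nat);
		nat_stats.ns_expire++;
	}
```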
* $Id: ip_nat.h,v 2.0.1.7 1997/01/30 12:39:41 darrenr Exp $ */ #ifndef __IP_NAT_H_ *************** *** 40,46 **** #define NAT_SIZE 367 typedef struct nat { - struct nat *nat_next[2]; int nat_age; u_long nat_sumd; u_long nat_ipsumd; --- 40,45 ---- *************** *** 52,63 **** u_short nat_outport; u_short nat_use; u_char nat_state[2]; } nat_t; typedef struct ipnat { struct ipnat *in_next; void *in_ifp; ! int in_space; struct in_addr in_nextip; u_short in_pnext; u_short in_flags; --- 51,67 ---- u_short nat_outport; u_short nat_use; u_char nat_state[2]; + struct ipnat *nat_ptr; + struct nat *nat_next; + struct nat *nat_hnext[2]; + struct nat **nat_hstart[2]; } nat_t; typedef struct ipnat { struct ipnat *in_next; void *in_ifp; ! u_int in_space; ! u_int in_use; struct in_addr in_nextip; u_short in_pnext; u_short in_flags; *************** *** 108,114 **** extern nat_t *nat_table[2][NAT_SIZE]; extern int nat_ioctl(); ! extern nat_t *nat_lookupoutip(), *nat_lookupinip(), *nat_lookupredir(); extern int ip_natout(), ip_natin(); extern void ip_natunload(), ip_natexpire(); #endif /* __IP_NAT_H__ */ --- 112,118 ---- extern nat_t *nat_table[2][NAT_SIZE]; extern int nat_ioctl(); ! extern nat_t *nat_outlookup(), *nat_inlookup(), *nat_lookupredir(); extern int ip_natout(), ip_natin(); extern void ip_natunload(), ip_natexpire(); #endif /* __IP_NAT_H__ */ Index: ip_sfil.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_sfil.c,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/10 00:29:04 --- 2.0.1.3 1997/02/04 14:49:15 *************** *** 9,15 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_sfil.c,v 2.0.1.2 1997/01/10 00:29:04 darrenr Exp $"; #endif #include --- 9,15 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! 
static char rcsid[] = "$Id: ip_sfil.c,v 2.0.1.3 1997/02/04 14:49:15 darrenr Exp $"; #endif #include *************** *** 180,186 **** cred_t *cp; int *rp; { - frentry_t fr; int error = 0; switch (cmd) { --- 180,185 ---- *************** *** 323,330 **** register frentry_t **ftail; frentry_t fr; frdest_t *fdp; ! u32 dst; ! int error = 0, in, msk; ill_t *ill; ipif_t *ipif; ire_t *ire; --- 322,328 ---- register frentry_t **ftail; frentry_t fr; frdest_t *fdp; ! int error = 0, in; ill_t *ill; ipif_t *ipif; ire_t *ire; *************** *** 550,556 **** mblk_t *m; { struct ipl_ci iplci; - register size_t tail = 0; register int len, mlen, hlen; register u_char *s = (u_char *)ip; ill_t *il = fin->fin_ifp; --- 548,553 ---- Index: ipf.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipf.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:43 --- 2.0.1.2 1997/02/04 14:37:46 *************** *** 36,46 **** #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; ! static char rcsid[] = "$Id: ipf.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $"; #endif #if SOLARIS ! void frsync(); #endif void zerostats(); --- 36,46 ---- #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-1995 Darren Reed"; ! static char rcsid[] = "$Id: ipf.c,v 2.0.1.2 1997/02/04 14:37:46 darrenr Exp $"; #endif #if SOLARIS ! void frsync(), blockunknown(); #endif void zerostats(); *************** *** 405,411 **** #if SOLARIS ! blockunknown() { int flag; --- 405,411 ---- #if SOLARIS ! 
void blockunknown() { int flag; Index: ipft_hx.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipft_hx.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:43 --- 2.0.1.2 1997/02/04 13:57:56 *************** *** 38,44 **** #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; ! static char rcsid[] = "$Id: ipft_hx.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $"; #endif extern int opts; --- 38,44 ---- #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed"; ! static char rcsid[] = "$Id: ipft_hx.c,v 2.0.1.2 1997/02/04 13:57:56 darrenr Exp $"; #endif extern int opts; *************** *** 96,103 **** return (char *)ip - buf; *s = '\0'; } - if ((s = index(line, '\r'))) - *s = '\0'; if ((s = index(line, '#'))) *s = '\0'; if (!*line) --- 96,101 ---- Index: ipl.h =================================================================== RCS file: /devel/CVS/IP-Filter/ipl.h,v retrieving revision 2.0.1.5 retrieving revision 2.0.1.8 diff -c -r2.0.1.5 -r2.0.1.8 *** 2.0.1.5 1997/01/22 09:26:51 --- 2.0.1.8 1997/02/08 06:46:11 *************** *** 11,16 **** #ifndef __IPL_H_ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.1.6 - 21/01/97" #endif --- 11,16 ---- #ifndef __IPL_H_ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.1.7 - 8/2/97" #endif Index: ipmon.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipmon.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:44 --- 2.0.1.2 1997/02/04 14:49:19 *************** *** 41,47 **** #include #if !defined(lint) && defined(LIBC_SCCS) ! 
static char rcsid[] = "$Id: ipmon.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $"; #endif #include "ip_fil.h" --- 41,47 ---- #include #if !defined(lint) && defined(LIBC_SCCS) ! static char rcsid[] = "$Id: ipmon.c,v 2.0.1.2 1997/02/04 14:49:19 darrenr Exp $"; #endif #include "ip_fil.h" *************** *** 73,78 **** --- 73,81 ---- #define OPT_VERBOSE 0x08 #define OPT_HEXHDR 0x10 + #ifndef LOGFAC + #define LOGFAC LOG_LOCAL0 + #endif void printiplci(icp) struct ipl_ci *icp; Index: ipnat.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipnat.c,v retrieving revision 2.0.1.4 retrieving revision 2.0.1.7 diff -c -r2.0.1.4 -r2.0.1.7 *** 2.0.1.4 1997/01/19 04:51:45 --- 2.0.1.7 1997/01/30 12:02:32 *************** *** 51,57 **** #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static char rcsid[] = "$Id: ipnat.c,v 2.0.1.4 1997/01/19 04:51:45 darrenr Exp $"; #endif #if SOLARIS --- 51,57 ---- #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static char rcsid[] = "$Id: ipnat.c,v 2.0.1.7 1997/01/30 12:02:32 darrenr Exp $"; #endif #if SOLARIS *************** *** 63,73 **** void dostats(), printnat(), parsefile(), flushtable(); void usage(name) char *name; { ! fprintf(stderr, "%s: [-lnrsv] [-f filename]\n", name); exit(1); } --- 63,81 ---- void dostats(), printnat(), parsefile(), flushtable(); + #define OPT_REM 1 + #define OPT_NODO 2 + #define OPT_STAT 4 + #define OPT_LIST 8 + #define OPT_VERBOSE 16 + #define OPT_FLUSH 32 + #define OPT_CLEAR 64 + void usage(name) char *name; { ! fprintf(stderr, "%s: [-CFlnrsv] [-f filename]\n", name); exit(1); } *************** *** 83,126 **** switch (c) { case 'C' : ! opts |= 64; break; case 'f' : file = optarg; break; case 'F' : ! opts |= 32; break; case 'l' : ! opts |= 8; break; case 'n' : ! opts |= 2; break; case 'r' : ! opts &= ~1; break; case 's' : ! 
opts |= 4; break; case 'v' : ! opts |= 16; break; default : usage(argv[0]); } ! if (((fd = open(IPL_NAME, O_RDWR)) == -1) && ((fd = open(IPL_NAME, O_RDONLY)) == -1)) { perror("open"); exit(-1); } ! if (opts & 96) flushtable(fd, opts); if (file) parsefile(fd, file, opts); ! if (opts & 12) dostats(fd, opts); return 0; } --- 91,134 ---- switch (c) { case 'C' : ! opts |= OPT_CLEAR; break; case 'f' : file = optarg; break; case 'F' : ! opts |= OPT_FLUSH; break; case 'l' : ! opts |= OPT_LIST; break; case 'n' : ! opts |= OPT_NODO; break; case 'r' : ! opts &= ~OPT_REM; break; case 's' : ! opts |= OPT_STAT; break; case 'v' : ! opts |= OPT_VERBOSE; break; default : usage(argv[0]); } ! if (!(opts & OPT_NODO) && ((fd = open(IPL_NAME, O_RDWR)) == -1) && ((fd = open(IPL_NAME, O_RDONLY)) == -1)) { perror("open"); exit(-1); } ! if (opts & (OPT_FLUSH|OPT_CLEAR)) flushtable(fd, opts); if (file) parsefile(fd, file, opts); ! if (opts & (OPT_LIST|OPT_STAT)) dostats(fd, opts); return 0; } *************** *** 155,163 **** } ! void printnat(np, verbose) ipnat_t *np; int verbose; { int bits; --- 163,172 ---- } ! void printnat(np, verbose, ptr) ipnat_t *np; int verbose; + void *ptr; { int bits; *************** *** 181,188 **** printf(" udp"); printf("\n"); if (verbose) ! printf("\t%x %u %x %u\n", (u_int)np->in_ifp, ! np->in_space, np->in_flags, np->in_pnext); } else { np->in_nextip.s_addr = htonl(np->in_nextip.s_addr); printf("map %s %s/", np->in_ifname, inet_ntoa(np->in_in[0])); --- 190,198 ---- printf(" udp"); printf("\n"); if (verbose) ! printf("\t%x %u %x %u %x %d\n", (u_int)np->in_ifp, ! np->in_space, np->in_flags, np->in_pnext, np, ! np->in_use); } else { np->in_nextip.s_addr = htonl(np->in_nextip.s_addr); printf("map %s %s/", np->in_ifname, inet_ntoa(np->in_in[0])); *************** *** 197,203 **** printf("%d ", bits); else printf("%s", inet_ntoa(np->in_out[1])); ! 
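Review bot: With `-n` the `open()` in main() is now skipped, so `fd` reaches flushtable(), parsefile() and dostats() holding whatever its declaration left in it; each callee in this commit does check OPT_NODO before its ioctl, but reading an indeterminate int is still undefined behaviour and any later callee that forgets the check would act on a stale descriptor. Initialise it explicitly at its declaration, `int fd = -1;`, so a missed check fails with EBADF instead of touching an arbitrary descriptor. The declaration of fd and the start of main() lie above the hunk.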
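Review bot: The verbose printf in printnat() passes the pointer `np` itself to a `%x` conversion with no cast, and the `ptr` parameter this commit adds is never used, so the address printed is that of the caller's local copy rather than the kernel address dostats() now passes as `(void *)ns.ns_list`. Presumably `ptr` was meant to go in that slot: `np->in_space, np->in_flags, np->in_pnext, (u_int)ptr,`. Note that the parsefile() caller passes NULL for ptr, so the output there would show 0, which is consistent with the rule not yet living in the kernel.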
if (np->in_port[0] || np->in_port[1]) { printf(" portmap"); if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) printf(" tcp/udp"); --- 207,213 ---- printf("%d ", bits); else printf("%s", inet_ntoa(np->in_out[1])); ! if (np->in_pmin || np->in_pmax) { printf(" portmap"); if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP) printf(" tcp/udp"); *************** *** 205,212 **** printf(" tcp"); else if (np->in_flags & IPN_UDP) printf(" udp"); ! printf(" %d:%d", ntohs(np->in_port[0]), ! ntohs(np->in_port[1])); } printf("\n"); if (verbose) --- 215,222 ---- printf(" tcp"); else if (np->in_flags & IPN_UDP) printf(" udp"); ! printf(" %d:%d", ntohs(np->in_pmin), ! ntohs(np->in_pmax)); } printf("\n"); if (verbose) *************** *** 217,252 **** } void dostats(fd, opts) int fd, opts; { natstat_t ns; ipnat_t ipn; nat_t **nt[2], *np, nat; ! int i; ! if (ioctl(fd, SIOCGNATS, &ns) == -1) { perror("ioctl(SIOCGNATS)"); return; } ! if (opts & 4) { printf("mapped\tin\t%lu\tout\t%lu\n", ns.ns_mapped[0], ns.ns_mapped[1]); printf("added\t%lu\texpired\t%lu\n", ns.ns_added, ns.ns_expire); printf("inuse\t%lu\n", ns.ns_inuse); ! if (opts & 16) printf("table %#x list %#x\n", (u_int)ns.ns_table, (u_int)ns.ns_list); } ! if (opts & 8) { while (ns.ns_list) { if (kmemcpy(&ipn, ns.ns_list, sizeof(ipn))) { perror("kmemcpy"); break; } ! printnat(&ipn, opts & 16); ns.ns_list = ipn.in_next; } --- 227,280 ---- } + /* + * Get a nat filter type given its kernel address. + */ + char *getnattype(ipnat) + ipnat_t *ipnat; + { + ipnat_t ipnatbuff; + + if (ipnat && kmemcpy(&ipnatbuff, ipnat, sizeof(ipnatbuff))) + return "???"; + + return (ipnatbuff.in_redir == NAT_MAP) ? "MAP" : "RDR"; + } + + void dostats(fd, opts) int fd, opts; { natstat_t ns; ipnat_t ipn; nat_t **nt[2], *np, nat; ! int i = 0; ! ! bzero((char *)&ns, sizeof(ns)); ! if (!(opts & OPT_NODO) && ioctl(fd, SIOCGNATS, &ns) == -1) { perror("ioctl(SIOCGNATS)"); return; } ! 
if (opts & OPT_STAT) { printf("mapped\tin\t%lu\tout\t%lu\n", ns.ns_mapped[0], ns.ns_mapped[1]); printf("added\t%lu\texpired\t%lu\n", ns.ns_added, ns.ns_expire); printf("inuse\t%lu\n", ns.ns_inuse); ! if (opts & OPT_VERBOSE) printf("table %#x list %#x\n", (u_int)ns.ns_table, (u_int)ns.ns_list); } ! if (opts & OPT_LIST) { ! printf("List of active MAP/Redirect filters:\n"); while (ns.ns_list) { if (kmemcpy(&ipn, ns.ns_list, sizeof(ipn))) { perror("kmemcpy"); break; } ! printnat(&ipn, opts & OPT_VERBOSE, (void *)ns.ns_list); ns.ns_list = ipn.in_next; } *************** *** 256,275 **** return; } for (i = 0; i < NAT_SIZE; i++) ! for (np = nt[0][i]; np; np = nat.nat_next[0]) { if (kmemcpy(&nat, np, sizeof(nat))) break; ! printf("%s %hu <- -> ", inet_ntoa(nat.nat_inip), ntohs(nat.nat_inport)); ! printf("%s %hu %d %hu %lx [", inet_ntoa(nat.nat_outip), ! ntohs(nat.nat_outport), ! nat.nat_age, nat.nat_use, ! nat.nat_sumd); ! printf("%s %hu]\n", inet_ntoa(nat.nat_oip), ntohs(nat.nat_oport)); } free(nt[0]); } --- 284,311 ---- return; } + printf("\nList of active sessions:\n"); + for (i = 0; i < NAT_SIZE; i++) ! for (np = nt[0][i]; np; np = nat.nat_hnext[0]) { if (kmemcpy(&nat, np, sizeof(nat))) break; ! ! printf("%s %-15s %-5hu <- ->", ! getnattype(nat.nat_ptr), inet_ntoa(nat.nat_inip), ntohs(nat.nat_inport)); ! printf(" %-15s %-5hu", inet_ntoa(nat.nat_outip), ! ntohs(nat.nat_outport)); ! printf(" [%s %hu]", inet_ntoa(nat.nat_oip), ntohs(nat.nat_oport)); + printf(" %d %hu %lx", nat.nat_age, + nat.nat_use, nat.nat_sumd); + #if SOLARIS + printf(" %lx", nat.nat_ipsumd); + #endif + putchar('\n'); } free(nt[0]); } *************** *** 618,627 **** if (*line) fprintf(stderr, "%d: syntax error in \"%s\"\n", linenum, line); ! } else if (!(opts & 2)) { ! if ((opts &16) && np) ! printnat(np, opts & 16); ! 
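Review bot: getnattype() reads `ipnatbuff.in_redir` even when `ipnat` is NULL: the `ipnat &&` short-circuit skips the kmemcpy, so the return expression reads an uninitialised local. The guard should reject a NULL pointer as well, `if (!ipnat || kmemcpy(&ipnatbuff, ipnat, sizeof(ipnatbuff))) return "???";`. Since the value fed in is `nat.nat_ptr` copied out of the kernel's session table, a NULL there seems plausible for entries not tied to a rule, so this is reachable in normal use.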
if (opts & 1) { if (ioctl(fd, SIOCADNAT, np) == -1) perror("ioctl(SIOCADNAT)"); } else if (ioctl(fd, SIOCRMNAT, np) == -1) --- 654,663 ---- if (*line) fprintf(stderr, "%d: syntax error in \"%s\"\n", linenum, line); ! } else if (!(opts & OPT_NODO)) { ! if ((opts & OPT_VERBOSE) && np) ! printnat(np, opts & OPT_VERBOSE, NULL); ! if (opts & OPT_REM) { if (ioctl(fd, SIOCADNAT, np) == -1) perror("ioctl(SIOCADNAT)"); } else if (ioctl(fd, SIOCRMNAT, np) == -1) *************** *** 636,654 **** void flushtable(fd, opts) int fd, opts; { ! int n; ! if (opts & 32) { n = 0; ! if (ioctl(fd, SIOCFLNAT, &n) == -1) perror("ioctl(SIOCFLNAT)"); else printf("%d entries flushed from NAT table\n", n); } ! if (opts & 64) { n = 0; ! if (ioctl(fd, SIOCCNATL, &n) == -1) perror("ioctl(SIOCCNATL)"); else printf("%d entries flushed from NAT list\n", n); --- 672,690 ---- void flushtable(fd, opts) int fd, opts; { ! int n = 0; ! if (opts & OPT_FLUSH) { n = 0; ! if (!(opts & OPT_NODO) && ioctl(fd, SIOCFLNAT, &n) == -1) perror("ioctl(SIOCFLNAT)"); else printf("%d entries flushed from NAT table\n", n); } ! if (opts & OPT_CLEAR) { n = 0; ! if (!(opts & OPT_NODO) && ioctl(fd, SIOCCNATL, &n) == -1) perror("ioctl(SIOCCNATL)"); else printf("%d entries flushed from NAT list\n", n); Index: mln_ipl.c =================================================================== RCS file: /devel/CVS/IP-Filter/mln_ipl.c,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/12 10:43:41 --- 2.0.1.3 1997/01/29 13:39:32 *************** *** 143,165 **** if (cdevsw[i].d_open == lkmenodev || cdevsw[i].d_open == iplopen) break; ! 
if (i == nchrdev) return ENODEV; ipl_major = i; - if (cdevsw[i].d_open != iplopen) { - bcopy(&cdevsw[i], &args->lkm_olddev.cdev, - sizeof(struct cdevsw)); - bcopy(&cdevsw[i], &cdev_sav, sizeof(struct cdevsw)); - bcopy(args->lkm_dev.cdev, &cdevsw[i], - sizeof(struct cdevsw)); - } args->lkm_offset = i; /* slot in cdevsw[] */ return ipl_load(); case LKM_E_UNLOAD : ! bcopy(&args->lkm_olddev.cdev, &cdevsw[ipl_major], ! sizeof(struct cdevsw)); ! bcopy(&cdev_sav, &cdevsw[ipl_major], sizeof(struct cdevsw)); return ipl_unload(); case LKM_E_STAT : break; --- 143,159 ---- if (cdevsw[i].d_open == lkmenodev || cdevsw[i].d_open == iplopen) break; ! if (i == nchrdev) { ! printf("IP Filter: No free cdevsw slots\n"); return ENODEV; + } ipl_major = i; args->lkm_offset = i; /* slot in cdevsw[] */ + printf("IP Filter: loaded into slot %d\n", ipl_major); return ipl_load(); case LKM_E_UNLOAD : ! printf("IP Filter: unloaded from slot %d\n", ipl_major); return ipl_unload(); case LKM_E_STAT : break; Index: solaris.c =================================================================== RCS file: /devel/CVS/IP-Filter/solaris.c,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.4 diff -c -r2.0.1.2 -r2.0.1.4 *** 2.0.1.2 1997/01/09 15:23:10 --- 2.0.1.4 1997/02/08 06:38:30 *************** *** 6,12 **** * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "$Id: solaris.c,v 2.0.1.2 1997/01/09 15:23:10 darrenr Exp $"; #include #include --- 6,12 ---- * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "$Id: solaris.c,v 2.0.1.4 1997/02/08 06:38:30 darrenr Exp $"; #include #include *************** *** 105,111 **** int _init() { #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "ipf_init()"); #endif return mod_install(&modlink1); } --- 105,111 ---- int _init() { #ifdef IPFDEBUG ! 
cmn_err(CE_NOTE, "IP Filter: ipf_init()"); #endif return mod_install(&modlink1); } *************** *** 114,120 **** int _fini(void) { #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "ipf_fini()"); #endif return mod_remove(&modlink1); } --- 114,120 ---- int _fini(void) { #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "IP Filter: ipf_fini()"); #endif return mod_remove(&modlink1); } *************** *** 123,129 **** int _info(struct modinfo *modinfop) { #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "ipf_info(%x)", modinfop); #endif return mod_info(&modlink1, modinfop); } --- 123,129 ---- int _info(struct modinfo *modinfop) { #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "IP Filter: ipf_info(%x)", modinfop); #endif return mod_info(&modlink1, modinfop); } *************** *** 132,138 **** static int ipl_probe(dev_info_t *dip) { #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "ipl_probe(%x)", dip); #endif return DDI_PROBE_SUCCESS; } --- 132,138 ---- static int ipl_probe(dev_info_t *dip) { #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "IP Filter: ipl_probe(%x)", dip); #endif return DDI_PROBE_SUCCESS; } *************** *** 141,147 **** static int ipl_identify(dev_info_t *dip) { #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "ipl_identify(%x)", dip); #endif if (strcmp(ddi_get_name(dip), "ipf") == 0) return (DDI_IDENTIFIED); --- 141,147 ---- static int ipl_identify(dev_info_t *dip) { #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "IP Filter: ipl_identify(%x)", dip); #endif if (strcmp(ddi_get_name(dip), "ipf") == 0) return (DDI_IDENTIFIED); *************** *** 154,166 **** int instance; #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "ipl_attach(%x,%x)", dip, cmd); #endif switch (cmd) { case DDI_ATTACH: instance = ddi_get_instance(dip); #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "attach ipf instace %d", instance); #endif if (ddi_create_minor_node(dip, "ipf", S_IFCHR, instance, DDI_PSEUDO, 0) == DDI_FAILURE) { --- 154,166 ---- int instance; #ifdef IPFDEBUG ! 
cmn_err(CE_NOTE, "IP Filter: ipl_attach(%x,%x)", dip, cmd); #endif switch (cmd) { case DDI_ATTACH: instance = ddi_get_instance(dip); #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "IP Filter: attach ipf instace %d", instance); #endif if (ddi_create_minor_node(dip, "ipf", S_IFCHR, instance, DDI_PSEUDO, 0) == DDI_FAILURE) { *************** *** 174,180 **** */ iplattach(); solattach(); ! cmn_err(CE_CONT, "IP Filter attaching complete.\n"); return (DDI_SUCCESS); default: return (DDI_FAILURE); --- 174,180 ---- */ iplattach(); solattach(); ! cmn_err(CE_CONT, "IP Filter: attaching complete.\n"); return (DDI_SUCCESS); default: return (DDI_FAILURE); *************** *** 197,203 **** int instance; #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "ipl_detach(%x,%x)", dip, cmd); #endif switch (cmd) { case DDI_DETACH: --- 197,203 ---- int instance; #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "IP Filter: ipl_detach(%x,%x)", dip, cmd); #endif switch (cmd) { case DDI_DETACH: *************** *** 212,218 **** ddi_remove_minor_node(dip, NULL); sync(); if (!soldetach()) { ! cmn_err(CE_CONT, "IP Filter detached\n"); return (DDI_SUCCESS); } default: --- 212,218 ---- ddi_remove_minor_node(dip, NULL); sync(); if (!soldetach()) { ! cmn_err(CE_CONT, "IP Filter: detached\n"); return (DDI_SUCCESS); } default: *************** *** 229,235 **** int error = DDI_FAILURE; #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "ipl_getinfo(%x,%x)", dip, infocmd); #endif switch (infocmd) { case DDI_INFO_DEVT2DEVINFO: --- 229,235 ---- int error = DDI_FAILURE; #ifdef IPFDEBUG ! cmn_err(CE_NOTE, "IP Filter: ipl_getinfo(%x,%x)", dip, infocmd); #endif switch (infocmd) { case DDI_INFO_DEVT2DEVINFO: *************** *** 336,341 **** --- 336,344 ---- mblk_t *m, *mp1, *mt = *mp; register ip_t *ip; int iphlen, hlen, len, err, mlen, off, synced = 0; + #ifndef sparc + u_short __iplen, __ipoff; + #endif tryagain: /* * If there is only M_DATA for a packet going out, then any header *************** *** 395,404 **** return (fr_flags & FF_BLOCKNONIP) ? 
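Review bot: The new locals `__iplen` and `__ipoff` begin with a double underscore, which the C standard reserves for the implementation, so they can silently collide with compiler or system-header macros; the same names are used again in the hunks at 432,439 and 443,456 below and in the ipfr_fastroute hunk at 856,861. Rename them, e.g. `u_short sv_iplen, sv_ipoff;`, and update those uses. The enclosing function's signature is above this hunk.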
-1 : 0; } - #ifndef sparc - ip->ip_len = ntohs(ip->ip_len); - ip->ip_off = ntohs(ip->ip_off); - #endif hlen = iphlen = ip->ip_hl << 2; /* --- 398,403 ---- *************** *** 432,439 **** ip = (ip_t *)lbuf; } ! if ((iphlen < sizeof(ip_t)) || (iphlen > ip->ip_len) || ! (mlen < ip->ip_len)) { /* * Bad IP packet or not enough data/data length mismatches */ --- 431,445 ---- ip = (ip_t *)lbuf; } ! #ifndef sparc ! __iplen = ip->ip_len; ! ip->ip_len = ntohs(__iplen); ! __ipoff = ip->ip_off; ! ip->ip_off = ntohs(__ipoff); ! #endif ! ! if ((iphlen < sizeof(ip_t)) || (iphlen > (u_short)ip->ip_len) || ! (mlen < (u_short)ip->ip_len)) { /* * Bad IP packet or not enough data/data length mismatches */ *************** *** 443,456 **** } qif->qf_m = m; err = fr_check(ip, iphlen, qif->qf_ill, out, qif, q, mp); /* * Copy back the ip header data if it was changed, we haven't yet * freed the message and we aren't going to drop the packet. */ #ifndef sparc ! ip->ip_len = htons(ip->ip_len); ! ip->ip_off = htons(ip->ip_off); #endif if (err == 1) { if (*mp && (ip == (ip_t *)lbuf)) { --- 449,465 ---- } qif->qf_m = m; + qif->qf_len = len; err = fr_check(ip, iphlen, qif->qf_ill, out, qif, q, mp); /* * Copy back the ip header data if it was changed, we haven't yet * freed the message and we aren't going to drop the packet. */ #ifndef sparc ! if (*mp) { ! ip->ip_len = __iplen; ! ip->ip_off = __ipoff; ! } #endif if (err == 1) { if (*mp && (ip == (ip_t *)lbuf)) { *************** *** 493,504 **** synced = 1; goto again; } ! cmn_err(CE_WARN, "dropped: fr_qin(%x,%x): type %x qif %x", q, mb, MTYPE(mb), qif); cmn_err(CE_CONT, "info %x next %x ptr %x fsrv %x bsrv %x\n", q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv, q->q_nbsrv); ! cmn_err(CE_CONT, "info: putp %x srvp %x info %x\n", q->q_qinfo->qi_putp, q->q_qinfo->qi_srvp, q->q_qinfo->qi_infop); frstats[0].fr_drop++; --- 502,514 ---- synced = 1; goto again; } ! cmn_err(CE_WARN, ! 
"IP Filter: dropped: fr_qin(%x,%x): type %x qif %x", q, mb, MTYPE(mb), qif); cmn_err(CE_CONT, "info %x next %x ptr %x fsrv %x bsrv %x\n", q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv, q->q_nbsrv); ! cmn_err(CE_CONT, "IP Filter: info: putp %x srvp %x info %x\n", q->q_qinfo->qi_putp, q->q_qinfo->qi_srvp, q->q_qinfo->qi_infop); frstats[0].fr_drop++; *************** *** 525,531 **** if (pnext) return (*pnext)(q, mb); ! cmn_err(CE_WARN, "inp NULL: qif %x %s q %x info %x", qif, qif->qf_name, q, q->q_qinfo); freemsg(mb); } --- 535,541 ---- if (pnext) return (*pnext)(q, mb); ! cmn_err(CE_WARN, "IP Filter: inp NULL: qif %x %s q %x info %x", qif, qif->qf_name, q, q->q_qinfo); freemsg(mb); } *************** *** 562,573 **** synced = 1; goto again; } ! cmn_err(CE_WARN, "dropped: fr_qout(%x,%x): type %x: qif %x", q, mb, MTYPE(mb), qif); cmn_err(CE_CONT, "info %x next %x ptr %x fsrv %x bsrv %x\n", q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv, q->q_nbsrv); ! cmn_err(CE_CONT, "info: putp %x srvp %x info %x\n", q->q_qinfo->qi_putp, q->q_qinfo->qi_srvp, q->q_qinfo->qi_infop); if (q->q_nfsrv) --- 572,584 ---- synced = 1; goto again; } ! cmn_err(CE_WARN, ! "IP Filter: dropped: fr_qout(%x,%x): type %x: qif %x", q, mb, MTYPE(mb), qif); cmn_err(CE_CONT, "info %x next %x ptr %x fsrv %x bsrv %x\n", q->q_qinfo, q->q_next, q->q_ptr, q->q_nfsrv, q->q_nbsrv); ! cmn_err(CE_CONT, "IP Filter: info: putp %x srvp %x info %x\n", q->q_qinfo->qi_putp, q->q_qinfo->qi_srvp, q->q_qinfo->qi_infop); if (q->q_nfsrv) *************** *** 602,608 **** if (pnext) return (*pnext)(q, mb); ! cmn_err(CE_WARN, "outp NULL: qif %x %s q %x info %x", qif, qif->qf_name, q, q->q_qinfo); freemsg(mb); } --- 613,619 ---- if (pnext) return (*pnext)(q, mb); ! cmn_err(CE_WARN, "IP Filter: outp NULL: qif %x %s q %x info %x", qif, qif->qf_name, q, q->q_qinfo); freemsg(mb); } *************** *** 642,648 **** continue; } #ifdef IPFDEBUG ! 
cmn_err(CE_NOTE, "il %x iptr %x optr %x iput %x oput %x %x/%x", il, in->q_ptr, out->q_ptr, in->q_qinfo->qi_putp, out->q_qinfo->qi_putp, out->q_qinfo, in->q_qinfo); #endif --- 653,660 ---- continue; } #ifdef IPFDEBUG ! cmn_err(CE_NOTE, ! "IP Filter: il %x ipt %x opt %x ipu %x opu %x i %x/%x", il, in->q_ptr, out->q_ptr, in->q_qinfo->qi_putp, out->q_qinfo->qi_putp, out->q_qinfo, in->q_qinfo); #endif *************** *** 656,662 **** } if (!qf2) { #ifdef IPFDEBUG ! cmn_err(CE_WARN, "rq:%s put %x qi %x", il->ill_name, in->q_qinfo->qi_putp, in->q_qinfo); #endif --- 668,675 ---- } if (!qf2) { #ifdef IPFDEBUG ! cmn_err(CE_WARN, ! "IP Filter: rq:%s put %x qi %x", il->ill_name, in->q_qinfo->qi_putp, in->q_qinfo); #endif *************** *** 675,681 **** } if (!qf2) { #ifdef IPFDEBUG ! cmn_err(CE_WARN, "wq:%s put %x qi %x", il->ill_name, out->q_qinfo->qi_putp, out->q_qinfo); #endif --- 688,695 ---- } if (!qf2) { #ifdef IPFDEBUG ! cmn_err(CE_WARN, ! "IP Filter: wq:%s put %x qi %x", il->ill_name, out->q_qinfo->qi_putp, out->q_qinfo); #endif *************** *** 700,710 **** in->q_qinfo->qi_putp = fr_qin; out->q_qinfo->qi_putp = fr_qout; mutex_exit(&ipfs_mutex); ! cmn_err(CE_CONT, "IP Filter attached to interface [%s,%d]\n", qif->qf_name, il->ill_ppa); } if (!qif_head) { ! cmn_err(CE_CONT, "ipf not attached to any interfaces\n"); return -1; } return 0; --- 714,724 ---- in->q_qinfo->qi_putp = fr_qin; out->q_qinfo->qi_putp = fr_qout; mutex_exit(&ipfs_mutex); ! cmn_err(CE_CONT, "IP Filter: attach to [%s,%d]\n", qif->qf_name, il->ill_ppa); } if (!qif_head) { ! cmn_err(CE_CONT, "IP Filter: not attached to any interfaces\n"); return -1; } return 0; *************** *** 737,743 **** qp = &qif->qf_next; continue; } ! cmn_err(CE_CONT, "IP Filter detaching [%s]\n", qif->qf_name); *qp = qif->qf_next; /* --- 751,757 ---- qp = &qif->qf_next; continue; } ! 
cmn_err(CE_CONT, "IP Filter: detaching [%s]\n", qif->qf_name); *qp = qif->qf_next; /* *************** *** 788,794 **** qp = &qif->qf_next; continue; } ! cmn_err(CE_CONT, "IP Filter removing [%s]\n", qif->qf_name); *qp = qif->qf_next; KFREE(qif); } --- 802,808 ---- qp = &qif->qf_next; continue; } ! cmn_err(CE_CONT, "IP Filter: removing [%s]\n", qif->qf_name); *qp = qif->qf_next; KFREE(qif); } *************** *** 801,807 **** if (il) { in = il->ill_rq; out = il->ill_wq->q_next; ! printf("IP Filter detaching [%s,%d]\n", qif->qf_name, il->ill_ppa); in->q_qinfo->qi_putp = qif->qf_inp; /* --- 815,821 ---- if (il) { in = il->ill_rq; out = il->ill_wq->q_next; ! printf("IP Filter: detaching [%s,%d]\n", qif->qf_name, il->ill_ppa); in->q_qinfo->qi_putp = qif->qf_inp; /* *************** *** 845,851 **** } ! int ipfr_fastroute(mb, mpp, fin, fdp) mblk_t *mb, **mpp; fr_info_t *fin; frdest_t *fdp; --- 859,867 ---- } ! int ipfr_fastroute(qf, ip, mb, mpp, fin, fdp) ! qif_t *qf; ! ip_t *ip; mblk_t *mb, **mpp; fr_info_t *fin; frdest_t *fdp; *************** *** 856,861 **** --- 872,905 ---- int hlen = 0; u_char *s; queue_t *q = NULL; + + #ifndef sparc + u_short __iplen, __ipoff; + + /* + * If this is a duplicate mblk then we want ip to point at that + * data, not the original, if and only if it is already pointing at + * the current mblk data. + */ + if (ip == (ip_t *)qf->qf_m->b_rptr && qf->qf_m != mb) + ip = (ip_t *)mb->b_rptr; + /* + * In fr_precheck(), we modify ip_len and ip_off in an aligned data + * area. However, we only need to change it back if we didn't copy + * the IP header data out. 
+ */ + + __iplen = (u_short)ip->ip_len, + __ipoff = (u_short)ip->ip_off; + + ip->ip_len = htons(__iplen); + ip->ip_off = htons(__ipoff); + #endif + + if (ip != (ip_t *)mb->b_rptr) { + copyin_mblk(mb, 0, ip, qf->qf_len); + frstats[fin->fin_out].fr_pull[1]++; + } /* * If there is another M_PROTO, we don't want it Index: BSD/Makefile =================================================================== RCS file: /devel/CVS/IP-Filter/BSD/Makefile,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.3 diff -c -r2.0.1.1 -r2.0.1.3 *** 2.0.1.1 1997/01/09 15:14:45 --- 2.0.1.3 1997/01/30 12:40:12 *************** *** 84,90 **** opt.o: $(TOP)/opt.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@ ! ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(IPL) $(DEBUG) $(CFLAGS) -c $(TOP)/ipnat.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \ --- 84,90 ---- opt.o: $(TOP)/opt.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@ ! ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h $(CC) $(IPL) $(DEBUG) $(CFLAGS) -c $(TOP)/ipnat.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h \ *************** *** 131,137 **** $(TOP)/ip_fil.h $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@ ! ip_fil.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/$(IPFILC) -o $@ vnode_if.h: $(VNODESHDIR)/vnode_if.sh $(VNODESHDIR)/vnode_if.src --- 131,137 ---- $(TOP)/ip_fil.h $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/ip_state.c -o $@ ! 
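Review bot: `__iplen = (u_short)ip->ip_len, __ipoff = (u_short)ip->ip_off;` joins two assignments with the comma operator where a `;` was clearly intended; it compiles to the same thing but reads as a typo and should be two statements. The unconditional `copyin_mblk(mb, 0, ip, qf->qf_len)` in the `ip != (ip_t *)mb->b_rptr` branch also deserves a comment saying where qf_len comes from (the hunk at 443,456 sets `qif->qf_len = len;` before fr_check()), since a stale qf_len would write the wrong number of header bytes back into the mblk. The body of ipfr_fastroute() continues past the hunk.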
ip_fil.o: $(TOP)/$(IPFILC) $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_nat.h $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c $(TOP)/$(IPFILC) -o $@ vnode_if.h: $(VNODESHDIR)/vnode_if.sh $(VNODESHDIR)/vnode_if.src Index: SunOS4/Makefile =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS4/Makefile,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.3 diff -c -r2.0.1.1 -r2.0.1.3 *** 2.0.1.1 1997/01/09 15:14:48 --- 2.0.1.3 1997/01/30 12:40:14 *************** *** 93,99 **** opt.o: ../opt.c $(CC) $(DEBUG) $(CFLAGS) -c ../opt.c -o $@ ! ipnat.o: ../ipnat.c ../ip_fil.h ../ipf.h $(CC) $(IPL) $(DEBUG) $(CFLAGS) -c ../ipnat.c -o $@ ipft_sn.o: ../ipft_sn.c ../ipt.h ../ipf.h ../ip_fil.h ../snoop.h --- 93,99 ---- opt.o: ../opt.c $(CC) $(DEBUG) $(CFLAGS) -c ../opt.c -o $@ ! ipnat.o: ../ipnat.c ../ip_fil.h ../ipf.h ../ip_nat.h $(CC) $(IPL) $(DEBUG) $(CFLAGS) -c ../ipnat.c -o $@ ipft_sn.o: ../ipft_sn.c ../ipt.h ../ipf.h ../ip_fil.h ../snoop.h *************** *** 136,142 **** ip_state_u.o: ../ip_state.c ../ip_state.h ../ip_compat.h $(CC) $(DEBUG) $(CFLAGS) -c ../ip_state.c -o $@ ! ip_fil.o: ../$(IPFILC) ../ip_fil.h ../ip_compat.h $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c ../$(IPFILC) -o $@ ip_input.o: ../ip_input.c ../ip_fil.h --- 136,142 ---- ip_state_u.o: ../ip_state.c ../ip_state.h ../ip_compat.h $(CC) $(DEBUG) $(CFLAGS) -c ../ip_state.c -o $@ ! ip_fil.o: ../$(IPFILC) ../ip_fil.h ../ip_compat.h ../ip_nat.h $(CC) $(DEBUG) $(CFLAGS) $(DFLAGS) -c ../$(IPFILC) -o $@ ip_input.o: ../ip_input.c ../ip_fil.h Index: SunOS5/Makefile =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS5/Makefile,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.3 diff -c -r2.0.1.1 -r2.0.1.3 *** 2.0.1.1 1997/01/09 15:14:49 --- 2.0.1.3 1997/02/08 06:37:47 *************** *** 20,26 **** PKGBIN=$(PKGDIR)/bin # TOP=.. ! 
CPU=`uname -m` CC=gcc -Wall DEBUG=-g LIBS=-lsocket -lnsl --- 20,26 ---- PKGBIN=$(PKGDIR)/bin # TOP=.. ! CPU=`uname -m` -D__`uname -m`__ CC=gcc -Wall DEBUG=-g LIBS=-lsocket -lnsl *************** *** 88,94 **** opt.o: $(TOP)/opt.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@ ! ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(IPL) $(CFLAGS) -c $(TOP)/ipnat.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/snoop.h --- 88,94 ---- opt.o: $(TOP)/opt.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(DEBUG) $(CFLAGS) -c $(TOP)/opt.c -o $@ ! ipnat.o: $(TOP)/ipnat.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(TOP)/ip_nat.h $(CC) $(IPL) $(CFLAGS) -c $(TOP)/ipnat.c -o $@ ipft_sn.o: $(TOP)/ipft_sn.c $(TOP)/ipt.h $(TOP)/ipf.h $(TOP)/ip_fil.h $(TOP)/snoop.h Index: SunOS5/ipfboot =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS5/ipfboot,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:49 --- 2.0.1.2 1997/01/22 12:50:51 *************** *** 10,16 **** fi modload /usr/kernel/drv/ipf ipf -f /etc/opt/CYBSipf/ipf.conf ! # ipmon -sN ;; stop) if [ x$id != x ] ; then --- 10,16 ---- fi modload /usr/kernel/drv/ipf ipf -f /etc/opt/CYBSipf/ipf.conf ! # ipmon -sN & ;; stop) if [ x$id != x ] ; then Index: SunOS5/pkginfo =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS5/pkginfo,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.3 diff -c -r2.0.1.1 -r2.0.1.3 *** 2.0.1.1 1997/01/09 15:14:49 --- 2.0.1.3 1997/02/08 06:46:16 *************** *** 5,11 **** PKG=CYBSipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.1,REV=2beta CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Cybersource --- 5,11 ---- PKG=CYBSipf NAME=IP Filter ARCH=sparc,i386 ! 
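Review bot: The new `CPU` default in the 20,26 hunk of SunOS5/Makefile runs uname -m twice through backticks every time a recipe expands $(CPU), and the macro it defines (`-D__<uname output>__`, for example `__sun4u__`) sits in the identifier namespace reserved for the compiler and system headers, so a clash with a predefined macro would go unnoticed. Both values should come from a single shell invocation so they cannot diverge, e.g. `ARCH=\`uname -m\`` followed by `CPU=$(ARCH) -D__$(ARCH)__`. The variable name also no longer says what it holds (a machine name plus a preprocessor define); a one-line comment such as `# CPU: machine name from uname(1) plus the matching -D__<machine>__ define; overridden when the caller passes CPU=` would help the next reader, since a command-line CPU= presumably replaces this default entirely.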
VERSION=3.1,REV=7 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Cybersource Index: man/ipnat.1 =================================================================== RCS file: /devel/CVS/IP-Filter/man/ipnat.1,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/10 00:32:27 --- 2.0.1.3 1997/01/22 09:31:31 *************** *** 18,30 **** which they appear when given to \fBipnat\fP. .SH OPTIONS .TP - .TP .B \-C delete all entries in the current NAT listing (NAT rules) .TP .B \-F delete all active entries in the current NAT table (currently active NAT mappings) .B \-l Show the list of current NAT table entry mappings. .TP --- 18,30 ---- which they appear when given to \fBipnat\fP. .SH OPTIONS .TP .B \-C delete all entries in the current NAT listing (NAT rules) .TP .B \-F delete all active entries in the current NAT table (currently active NAT mappings) + .TP .B \-l Show the list of current NAT table entry mappings. .TP
