Index: HISTORY =================================================================== RCS file: /devel/CVS/IP-Filter/HISTORY,v retrieving revision 2.0.1.7 retrieving revision 2.0.1.9 diff -c -r2.0.1.7 -r2.0.1.9 *** 2.0.1.7 1997/02/08 06:46:12 --- 2.0.1.9 1997/02/19 13:32:38 *************** *** 5,10 **** --- 5,24 ---- # Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the # loan of a machine to work on a Solaris 2.x port of this software. # + 3.1.8 18/2/97 - Released + + Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and + compiling warnings about reuse of m0. + + prevent use of return-rst and return-icmp with rules blocking packets going + out, preventing panics in certain situations. + + loop forms in frag cache table - Yury Pshenychny + + should use SPLNET/SPLX around expire routines in NAT/frag/state code. + + redeclared malloc in 44arp.c - + 3.1.7 8/2/97 - Released Macros used for ntohs/htons supplied with gcc don't always work very well Index: Makefile =================================================================== RCS file: /devel/CVS/IP-Filter/Makefile,v retrieving revision 2.0.1.4 retrieving revision 2.0.1.5 diff -c -r2.0.1.4 -r2.0.1.5 *** 2.0.1.4 1997/02/08 06:39:28 --- 2.0.1.5 1997/02/16 06:17:04 *************** *** 5,11 **** # and is not changed in any way. The author accepts no responsibility # for the use of this software. I hate legaleese, don't you ? # ! # $Id: Makefile,v 2.0.1.4 1997/02/08 06:39:28 darrenr Exp $ # # where to put things. # --- 5,11 ---- # and is not changed in any way. The author accepts no responsibility # for the use of this software. I hate legaleese, don't you ? # ! # $Id: Makefile,v 2.0.1.5 1997/02/16 06:17:04 darrenr Exp $ # # where to put things. # *************** *** 35,41 **** # results: pass, block and nomatch. This is the sort of "block unless # explicitly allowed" type #define switch. # ! 
POLICY=-DNOMATCH=FR_PASS # MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ "CC=$(CC)" 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \ --- 35,41 ---- # results: pass, block and nomatch. This is the sort of "block unless # explicitly allowed" type #define switch. # ! POLICY=-DIPF_DEFAULT_PASS=FR_PASS # MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ "CC=$(CC)" 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \ Index: fil.c =================================================================== RCS file: /devel/CVS/IP-Filter/fil.c,v retrieving revision 2.0.1.4 retrieving revision 2.0.1.7 diff -c -r2.0.1.4 -r2.0.1.7 *** 2.0.1.4 1997/02/04 13:59:41 --- 2.0.1.7 1997/02/18 10:53:47 *************** *** 7,13 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static char rcsid[] = "$Id: fil.c,v 2.0.1.4 1997/02/04 13:59:41 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $"; #endif #include *************** *** 97,106 **** # endif #endif struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}}; struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } }, *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } }; ! int fr_flags = 0, fr_active = 0; fr_info_t frcache[2]; --- 97,115 ---- # endif #endif + #ifndef IPF_LOGGING + #define IPF_LOGGING 0 + #endif + #ifdef IPF_DEFAULT_PASS + #define IPF_NOMATCH (IPF_DEFAULT_PASS|FR_NOMATCH) + #else + #define IPF_NOMATCH (FR_NOMATCH) + #endif + struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}}; struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } }, *ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } }; ! 
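Review bot: The renamed POLICY line still ships a fail-open default: `POLICY=-DIPF_DEFAULT_PASS=FR_PASS` makes any packet that matches no rule pass, while the comment immediately above still describes the switch as "block unless explicitly allowed". Since fil.c in this same release ORs IPF_DEFAULT_PASS into the no-match disposition, anyone building with the stock Makefile gets an allow-by-default filter unless they notice this one line. Either ship the block value here or fix the comment so it says what the shipped value does, e.g. `# Disposition for packets matching no rule: FR_PASS is allow-by-default; set the block flag here for a deny-by-default firewall.`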
int fr_flags = IPF_LOGGING, fr_active = 0; fr_info_t frcache[2]; *************** *** 573,588 **** frstats[out].fr_chit++; pass = fin->fin_fr->fr_flags; } else { ! pass = FR_NOMATCH; if ((fin->fin_fr = ipfilter[out][fr_active])) ! pass = FR_SCANLIST(FR_NOMATCH, ip, fin, m); bcopy((char *)fin, (char *)fc, FI_CSIZE); ! if (pass & FR_NOMATCH) { frstats[out].fr_nom++; - #ifdef NOMATCH - pass |= NOMATCH; - #endif - } } fr = fin->fin_fr; --- 582,593 ---- frstats[out].fr_chit++; pass = fin->fin_fr->fr_flags; } else { ! pass = IPF_NOMATCH; if ((fin->fin_fr = ipfilter[out][fr_active])) ! pass = FR_SCANLIST(IPF_NOMATCH, ip, fin, m); bcopy((char *)fin, (char *)fc, FI_CSIZE); ! if (pass & FR_NOMATCH) frstats[out].fr_nom++; } fr = fin->fin_fr; *************** *** 651,684 **** /* * Should we return an ICMP packet to indicate error * status passing through the packet filter ? */ #ifdef _KERNEL ! if (pass & FR_RETICMP) { # if SOLARIS ! ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode, ! qif, ip->ip_src); # else ! ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode, ! ifp, ip->ip_src); ! m = NULL; /* freed by icmp_error() */ # endif ! frstats[0].fr_ret++; ! } else if ((pass & FR_RETRST) && ! !(fin->fin_fi.fi_fl & FI_SHORT)) { ! if (SEND_RESET(ip, qif, q) == 0) ! frstats[1].fr_ret++; ! } #else ! if (pass & FR_RETICMP) { ! verbose("- ICMP unreachable sent\n"); ! frstats[0].fr_ret++; ! } else if ((pass & FR_RETRST) && ! !(fin->fin_fi.fi_fl & FI_SHORT)) { ! verbose("- TCP RST sent\n"); ! frstats[1].fr_ret++; ! } #endif } #ifdef _KERNEL # if !SOLARIS --- 656,695 ---- /* * Should we return an ICMP packet to indicate error * status passing through the packet filter ? + * WARNING: ICMP error packets AND TCP RST packets should + * ONLY be sent in repsonse to incoming packets. Sending them + * in response to outbound packets can result in a panic on + * some operating systems. */ + if (!out) { #ifdef _KERNEL ! if (pass & FR_RETICMP) { # if SOLARIS ! ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode, ! 
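Review bot: The default-policy bits are now seeded into the list walk instead of applied after it: `pass = FR_SCANLIST(IPF_NOMATCH, ip, fin, m)` starts the scan with FR_PASS|FR_NOMATCH whenever IPF_DEFAULT_PASS is FR_PASS, whereas the removed code ORed NOMATCH in only when the walk came back with FR_NOMATCH still set. That is equivalent only if fr_scanlist overwrites `pass` wholesale on every rule match; fr_scanlist is not in this diff, and if it ORs into its starting value a matched block rule would inherit FR_PASS. I would either keep the old shape (scan with plain FR_NOMATCH and OR IPF_DEFAULT_PASS in inside the `if (pass & FR_NOMATCH)` branch) or pin the contract at the call, e.g. `/* fr_scanlist must replace, not OR into, this default, or a matching block rule inherits FR_PASS */`. fr_check's body runs outside this hunk on both sides.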
qif, ip->ip_src); # else ! ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode, ! ifp, ip->ip_src); ! m = *mp = NULL; /* freed by icmp_error() */ # endif ! frstats[0].fr_ret++; ! } else if ((pass & FR_RETRST) && ! !(fin->fin_fi.fi_fl & FI_SHORT)) { ! if (SEND_RESET(ip, qif, q) == 0) ! frstats[1].fr_ret++; ! } #else ! if (pass & FR_RETICMP) { ! verbose("- ICMP unreachable sent\n"); ! frstats[0].fr_ret++; ! } else if ((pass & FR_RETRST) && ! !(fin->fin_fi.fi_fl & FI_SHORT)) { ! verbose("- TCP RST sent\n"); ! frstats[1].fr_ret++; ! } #endif + } } #ifdef _KERNEL # if !SOLARIS *************** *** 691,697 **** (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) { ipfr_fastroute(m, fin, fdp); m = *mp = NULL; - pass = 0; } if (mc) ipfr_fastroute(mc, fin, &fr->fr_dif); --- 702,707 ---- Index: ip_fil.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_fil.c,v retrieving revision 2.0.1.5 retrieving revision 2.0.1.7 diff -c -r2.0.1.5 -r2.0.1.7 *** 2.0.1.5 1997/01/29 13:41:45 --- 2.0.1.7 1997/02/19 12:45:02 *************** *** 7,13 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.5 1997/01/29 13:41:45 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $"; #endif #include *************** *** 70,76 **** #endif /* IPFILTER_LOG */ static void frflush(); static int frrequest(); ! static int (*fr_savep)(); #if _BSDI_VERSION >= 199501 # include --- 70,76 ---- #endif /* IPFILTER_LOG */ static void frflush(); static int frrequest(); ! 
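Review bot: The new `if (!out)` guard stops the outbound panic, but the comment above it (which also misspells "repsonse") says nothing about the caveat that matters for the inbound case it keeps: ICMP_ERROR and SEND_RESET reply to `ip->ip_src` exactly as received, so a return-icmp or return-rst rule on an untrusted interface lets a spoofed-source sender use this host as a reflector toward a third party and also advertises that a filter is present. I would extend the comment with something like `* Replies go to ip_src unverified: return-icmp/return-rst on an untrusted interface turns this host into a reflector for spoofed traffic; prefer a plain block there.` The `m = *mp = NULL` fix is only in the non-Solaris branch, which looks intentional since it is icmp_error() that frees the mbuf there. fr_check starts and ends outside this hunk.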
static int (*fr_savep)() = NULL; #if _BSDI_VERSION >= 199501 # include *************** *** 732,737 **** --- 732,740 ---- dst = (struct sockaddr_in *)&ro->ro_dst; dst->sin_family = AF_INET; dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst; + #ifdef __bsdi__ + dst->sin_len = sizeof(*dst); + #endif #if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__) # ifdef RTF_CLONING rtalloc_ign(ro, RTF_CLONING); *************** *** 780,786 **** #if BSD >= 199306 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, ro->ro_rt); - #else error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst); #endif --- 783,788 ---- Index: ip_frag.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_frag.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:43 --- 2.0.1.2 1997/02/16 06:17:35 *************** *** 7,13 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) --- 7,13 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed"; ! 
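Review bot: `dst->sin_len = sizeof(*dst)` is set only under `#ifdef __bsdi__`, yet sin_len exists on every 4.4BSD-derived stack and, as far as I recall, the radix route lookup reads the key length from it; unless `ro` is zeroed before this point (not visible in the hunk) NetBSD and FreeBSD builds do the lookup with whatever byte was already there. If BSD/OS is not special here, widen the guard to the same test used three lines below: `#if BSD >= 199306` / `dst->sin_len = sizeof(*dst);` / `#endif`. The enclosing fastroute function starts and ends outside this hunk.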
static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) *************** *** 127,133 **** fr->ipfr_ttl = fr_ipfrttl; fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG); fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3); - *fp = fr; ipfr_stats.ifs_new++; ipfr_inuse++; MUTEX_EXIT(&ipf_frag); --- 127,132 ---- Index: ip_nat.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_nat.c,v retrieving revision 2.0.1.10 retrieving revision 2.0.1.11 diff -c -r2.0.1.10 -r2.0.1.11 *** 2.0.1.10 1997/02/08 06:38:49 --- 2.0.1.11 1997/02/16 06:26:47 *************** *** 9,15 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.10 1997/02/08 06:38:49 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) --- 9,15 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.11 1997/02/16 06:26:47 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) *************** *** 155,166 **** { register ipnat_t *nat, *n = NULL, **np = NULL; ipnat_t natd; ! int error = 0, ret; /* * For add/delete, look to see if the NAT entry is already present */ MUTEX_ENTER(&ipf_nat); if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) { IRCOPY(data, (char *)&natd, sizeof(natd)); nat = &natd; --- 155,167 ---- { register ipnat_t *nat, *n = NULL, **np = NULL; ipnat_t natd; ! 
int error = 0, ret, s; /* * For add/delete, look to see if the NAT entry is already present */ MUTEX_ENTER(&ipf_nat); + SPLNET(s); if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) { IRCOPY(data, (char *)&natd, sizeof(natd)); nat = &natd; *************** *** 260,265 **** --- 261,267 ---- IWCOPY((caddr_t)&ret, data, sizeof(ret)); break; } + SPLX(s); MUTEX_EXIT(&ipf_nat); return error; } *************** *** 857,867 **** */ void ip_natunload() { ! MUTEX_ENTER(&ipf_nat); (void) clear_natlist(); (void) flush_nattable(); ! MUTEX_EXIT(&ipf_nat); } --- 859,871 ---- */ void ip_natunload() { ! int s; + MUTEX_ENTER(&ipf_nat); + SPLNET(s); (void) clear_natlist(); (void) flush_nattable(); ! SPLX(s) MUTEX_EXIT(&ipf_nat); } *************** *** 873,886 **** void ip_natexpire() { register struct nat *nat, **natp; MUTEX_ENTER(&ipf_nat); ! for (natp = &nat_instances; (nat = *natp); natp = &nat->nat_next) { ! if (--nat->nat_age) continue; *natp = nat->nat_next; nat_delete(nat); nat_stats.ns_expire++; } MUTEX_EXIT(&ipf_nat); } --- 877,895 ---- void ip_natexpire() { register struct nat *nat, **natp; + int s; MUTEX_ENTER(&ipf_nat); ! SPLNET(s); ! for (natp = &nat_instances; (nat = *natp); ) { ! if (--nat->nat_age) { ! natp = &nat->nat_next; continue; + } *natp = nat->nat_next; nat_delete(nat); nat_stats.ns_expire++; } + SPLX(s); MUTEX_EXIT(&ipf_nat); } Index: ip_state.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_state.c,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/09 15:22:45 --- 2.0.1.3 1997/02/16 06:18:36 *************** *** 7,13 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! 
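Review bot: `SPLX(s)` in ip_natunload is missing its semicolon: the new line reads `SPLX(s)` directly followed by `MUTEX_EXIT(&ipf_nat);`, while every other site this release adds (nat_ioctl, ip_natexpire, both ip_state.c routines) writes `SPLX(s);`. Whether it compiles depends on what SPLX expands to on each platform — if it is splx(s) as the name suggests the kernel build breaks, and if it expands to nothing the inconsistency is merely latent until it does. Change it to `SPLX(s);`. Separately, nat_ioctl now raises spl before the IRCOPY of user data; any early `return` between that point and the SPLX added near the end (the body is outside this hunk) would leave the level raised, so it is worth a quick scan.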
static char rcsid[] = "$Id: ip_state.c,v 2.0.1.2 1997/01/09 15:22:45 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) --- 7,13 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) *************** *** 411,423 **** --- 411,426 ---- { register int i; register ipstate_t *is, **isp; + int s; MUTEX_ENTER(&ipf_state); + SPLNET(s); for (i = 0; i < IPSTATE_SIZE; i++) for (isp = &ips_table[i]; (is = *isp); ) { *isp = is->is_next; KFREE(is); } + SPLX(s); MUTEX_EXIT(&ipf_state); } *************** *** 430,437 **** --- 433,442 ---- { register int i; register ipstate_t *is, **isp; + int s; MUTEX_ENTER(&ipf_state); + SPLNET(s); for (i = 0; i < IPSTATE_SIZE; i++) for (isp = &ips_table[i]; (is = *isp); ) if (is->is_age && !--is->is_age) { *************** *** 444,449 **** --- 449,455 ---- ips_num--; } else isp = &is->is_next; + SPLX(s); MUTEX_EXIT(&ipf_state); } Index: ipl.h =================================================================== RCS file: /devel/CVS/IP-Filter/ipl.h,v retrieving revision 2.0.1.8 retrieving revision 2.0.1.9 diff -c -r2.0.1.8 -r2.0.1.9 *** 2.0.1.8 1997/02/08 06:46:11 --- 2.0.1.9 1997/02/19 13:32:39 *************** *** 11,16 **** #ifndef __IPL_H_ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.1.7 - 8/2/97" #endif --- 11,16 ---- #ifndef __IPL_H_ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.1.8 - 8/2/97" #endif Index: ipnat.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipnat.c,v retrieving revision 2.0.1.7 retrieving revision 2.0.1.8 diff -c -r2.0.1.7 -r2.0.1.8 *** 2.0.1.7 1997/01/30 12:02:32 --- 2.0.1.8 1997/02/16 21:23:40 *************** *** 51,57 **** #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! 
static char rcsid[] = "$Id: ipnat.c,v 2.0.1.7 1997/01/30 12:02:32 darrenr Exp $"; #endif #if SOLARIS --- 51,57 ---- #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static char rcsid[] = "$Id: ipnat.c,v 2.0.1.8 1997/02/16 21:23:40 darrenr Exp $"; #endif #if SOLARIS *************** *** 190,196 **** printf(" udp"); printf("\n"); if (verbose) ! printf("\t%x %u %x %u %x %d\n", (u_int)np->in_ifp, np->in_space, np->in_flags, np->in_pnext, np, np->in_use); } else { --- 190,196 ---- printf(" udp"); printf("\n"); if (verbose) ! printf("\t%p %u %x %u %x %d\n", (u_int)np->in_ifp, np->in_space, np->in_flags, np->in_pnext, np, np->in_use); } else { *************** *** 220,226 **** } printf("\n"); if (verbose) ! printf("\t%x %u %s %d %x\n", (u_int)np->in_ifp, np->in_space, inet_ntoa(np->in_nextip), np->in_pnext, np->in_flags); } --- 220,226 ---- } printf("\n"); if (verbose) ! printf("\t%p %u %s %d %x\n", (u_int)np->in_ifp, np->in_space, inet_ntoa(np->in_nextip), np->in_pnext, np->in_flags); } *************** *** 264,270 **** ns.ns_added, ns.ns_expire); printf("inuse\t%lu\n", ns.ns_inuse); if (opts & OPT_VERBOSE) ! printf("table %#x list %#x\n", (u_int)ns.ns_table, (u_int)ns.ns_list); } if (opts & OPT_LIST) { --- 264,270 ---- ns.ns_added, ns.ns_expire); printf("inuse\t%lu\n", ns.ns_inuse); if (opts & OPT_VERBOSE) ! printf("table %p list %p\n", (u_int)ns.ns_table, (u_int)ns.ns_list); } if (opts & OPT_LIST) { *************** *** 384,390 **** struct netent *np; *resolved = 0; ! if (!strcasecmp("any",host)) return 0L; if (isdigit(*host)) return inet_addr(host); --- 384,390 ---- struct netent *np; *resolved = 0; ! 
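Review bot: The conversions were changed to `%p` but the arguments are still `(u_int)np->in_ifp`, so the pointer is truncated to an int and then read back as a pointer by printf — a type mismatch that is wrong on LP64 targets and undefined regardless; the same pattern is in the second verbose printf and in `table %p list %p` with `(u_int)ns.ns_table` / `(u_int)ns.ns_list`. Drop the casts (or cast to `void *`), and while there `np` itself is still printed with `%x`: `printf("\t%p %u %x %u %p %d\n", (void *)np->in_ifp, np->in_space, np->in_flags, np->in_pnext, (void *)np, np->in_use);`.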
if (!strcasecmp("any", host)) return 0L; if (isdigit(*host)) return inet_addr(host); Index: parse.c =================================================================== RCS file: /devel/CVS/IP-Filter/parse.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:44 --- 2.0.1.2 1997/02/17 13:59:44 *************** *** 33,39 **** #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static char rcsid[] = "$Id: parse.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; --- 33,39 ---- #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static char rcsid[] = "$Id: parse.c,v 2.0.1.2 1997/02/17 13:59:44 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; *************** *** 143,151 **** } cpp++; ! if (!strcasecmp("in", *cpp)) fil.fr_flags |= FR_INQUE; ! else if (!strcasecmp("out", *cpp)) fil.fr_flags |= FR_OUTQUE; else { (void)fprintf(stderr, --- 143,160 ---- } cpp++; ! if (!strcasecmp("in", *cpp)) { fil.fr_flags |= FR_INQUE; ! if (fil.fr_flags & FR_RETICMP) { ! (void)fprintf(stderr, ! "Can only use return-icmp with 'in'\n"); ! return NULL; ! } else if (fil.fr_flags & FR_RETRST) { ! (void)fprintf(stderr, ! "Can only use return-rst with 'in'\n"); ! return NULL; ! } ! } else if (!strcasecmp("out", *cpp)) fil.fr_flags |= FR_OUTQUE; else { (void)fprintf(stderr, Index: 4bsd/ip_input.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/4bsd/ip_input.c.diffs,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:45 --- 2.0.1.2 1997/02/18 10:58:41 *************** *** 15,21 **** * We need to save the IP options in case a protocol wants to respond *************** *** 225,231 **** ! 
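Review bot: The new return-icmp/return-rst check sits in the wrong branch: it is inside `if (!strcasecmp("in", *cpp))`, so a rule written `block return-icmp in ...` is rejected with "Can only use return-icmp with 'in'", while `block return-icmp out ...` — the case the HISTORY entry and the new `if (!out)` guard in fil.c are meant to stop at load time — still parses. The flags are set before the direction keyword, so the place to test them is the `out` branch; the rewritten lines are below. Until the ipf binary is rebuilt, the kernel guard silently drops the reply for such rules, so this parse-time error is the only feedback an operator gets.
```c
	if (!strcasecmp("in", *cpp))
		fil.fr_flags |= FR_INQUE;
	else if (!strcasecmp("out", *cpp)) {
		fil.fr_flags |= FR_OUTQUE;
		if (fil.fr_flags & FR_RETICMP) {
			(void)fprintf(stderr,
				"Can only use return-icmp with 'in'\n");
			return NULL;
		} else if (fil.fr_flags & FR_RETRST) {
			(void)fprintf(stderr,
				"Can only use return-rst with 'in'\n");
			return NULL;
		}
	} else {
		/* … unchanged: bad-direction error message … */
```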
--- 233,251 ---- m_adj(m, ip->ip_len - m->m_pkthdr.len); } --- 15,21 ---- * We need to save the IP options in case a protocol wants to respond *************** *** 225,231 **** ! --- 233,252 ---- m_adj(m, ip->ip_len - m->m_pkthdr.len); } *************** *** 24,34 **** + * Check if we want to allow this packet to be processed. + * Consider it to be bad if not. + */ ! + { ! + struct mbuf *m0 = m; ! + if (fr_checkp && (*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m0)) ! + goto next; ! + ip = mtod(m = m0, struct ip *); + } + #endif + /* --- 24,35 ---- + * Check if we want to allow this packet to be processed. + * Consider it to be bad if not. + */ ! + if (fr_checkp) { ! + struct mbuf *m1 = m; ! + ! + if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1) ! + goto next; ! + ip = mtod(m = m1, struct ip *); + } + #endif + /* Index: 4bsd/ip_output.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/4bsd/ip_output.c.diffs,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.3 diff -c -r2.0.1.1 -r2.0.1.3 *** 2.0.1.1 1997/01/09 15:14:45 --- 2.0.1.3 1997/02/18 10:58:42 *************** *** 15,38 **** * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 277,282 **** ! --- 284,303 ---- } else m->m_flags &= ~M_BCAST; + #if defined(IPFILTER) || defined(IPFILTER_LKM) - + { - + struct mbuf *m0 = m; + /* + * looks like most checking has been done now...do a filter check + */ ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m0)) ! + { ! + error = EHOSTUNREACH; ! + goto done; ! + } ! + ip = mtod(m = m0, struct ip *); + } + #endif - sendit: /* * If small enough for interface, can just send directly. --- 15,38 ---- * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 277,282 **** ! 
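Review bot: The new call `if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1) goto next;` leans on two ownership rules that are written nowhere in the patch: that fr_check has already freed the mbuf whenever it returns non-zero (the `next` label in ipintr, outside this hunk, does not free as far as I can tell), and that a zero return with `m1 == NULL` means fastroute or icmp_error took the packet rather than that it was lost. If the first rule does not hold, every blocked packet leaks an mbuf. A one-line comment at the call site would make this checkable, e.g. `/* fr_check frees the mbuf on a non-zero return; m1 == NULL on zero means it was fastrouted or answered */`. The enclosing ipintr loop starts and ends outside the hunk.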
--- 284,305 ---- } else m->m_flags &= ~M_BCAST; + sendit: + #if defined(IPFILTER) || defined(IPFILTER_LKM) + /* + * looks like most checking has been done now...do a filter check + */ ! + if (fr_checkp) { ! + struct mbuf *m1 = m; ! + ! + if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) ! + error = EHOSTUNREACH; ! + if (error || !m1) ! + goto done; ! + ip = mtod(m = m1, struct ip *); + } + #endif /* * If small enough for interface, can just send directly. Index: BSDOS/ip_output.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/BSDOS/ip_output.c.diffs,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:46 --- 2.0.1.2 1997/02/17 15:54:19 *************** *** 21,36 **** + #if defined(IPFILTER) + { ! + struct mbuf *m0 = m; + /* + * looks like most checking has been done now...do a filter check + */ ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m0)) + { + error = EHOSTUNREACH; + goto done; + } ! + ip = mtod(m = m0, struct ip *); + } + #endif sendit: --- 21,36 ---- + #if defined(IPFILTER) + { ! + struct mbuf *m1 = m; + /* + * looks like most checking has been done now...do a filter check + */ ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m1)) + { + error = EHOSTUNREACH; + goto done; + } ! 
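Review bot: Moving `sendit:` above the filter block changes which packets are filtered: anything that reaches the send path via `goto sendit` (the multicast branch of ip_output, outside this hunk) was previously unfiltered and now is, which looks right but deserves a HISTORY line and a comment at the label. Separately, on a block the code sets `error = EHOSTUNREACH` and jumps to `done` rather than `bad`, so the mbuf is released only if fr_check already freed it; that ownership rule should be stated where the call is made, e.g. `/* fr_check frees the mbuf when it blocks; m1 == NULL with error == 0 means it was fastrouted */`. ip_output starts and ends outside the hunk.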
+ ip = mtod(m = m1, struct ip *); + } + #endif sendit: Index: FWTK/Index =================================================================== RCS file: Index diff -N Index *** /dev/null Thu Feb 20 00:32:44 1997 --- /usr/tmp/aaaa18734 Thu Feb 20 00:32:58 1997 *************** *** 0 **** --- 1,3 ---- + README - Readme for ftp-gw.diff and fwtkp + README.ipfilter - README for fwtk_transparent.diff + fwtk_transparent.diff - patches for 2.0beta Index: FWTK/README.ipfilter =================================================================== RCS file: README.ipfilter diff -N README.ipfilter *** /dev/null Thu Feb 20 00:32:44 1997 --- /usr/tmp/baaa18734 Thu Feb 20 00:32:59 1997 *************** *** 0 **** --- 1,20 ---- + + there was a patch for fwtk with ip_filter 3.1.5 from James B. Croall + (thanx for his work) which I put onto fwtk 2.0beta. + + Now, if you decide to do transparent proxying with ip-filter you + have to put -DUSE_IP_FILTER to COPTS in Makefile.config. + With Solaris 2.x you have to correctly replace the path to your + ip_filter sources. (lib/hnam.c needs ip_nat.h) + + I also patched plug-gw to be configured to accept not only one + destination with the parameter "-all-destinations" in netperm-table. + Perhaps this is a security hole... + + The patched fwtk worked fine for me with linux (kernel 2.0.28 and ipfadm 2.1) + and Solaris 2.5 (ip_filter 3.1.5). + + If you try to enhance the transparent proxy features for other + architectures, see lib/hnam.c (getdsthost). 
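Review bot: This hunk only renames m0 to m1 and does not pick up the `|| !m1` guard that 4bsd/ip_output.c.diffs gains in the same release. With fil.c no longer forcing `pass = 0` after ipfr_fastroute, fr_check can now return 0 while setting `*mp` to NULL (the fastroute path does `m = *mp = NULL`), and if that path applies to outbound rules this patch then executes `ip = mtod(m = m1, struct ip *)` on a NULL mbuf. Bring it in line with the 4bsd version: `if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m1)) error = EHOSTUNREACH;` / `if (error || !m1) goto done;`. The guard condition `#if defined(IPFILTER)` also still omits `IPFILTER_LKM`, unlike its 4bsd counterpart.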
+ + Michael Kutzner, Michael.Kutzner@paderlinx.de Index: FWTK/fwtk_transparent.diff =================================================================== RCS file: fwtk_transparent.diff diff -N fwtk_transparent.diff *** /dev/null Thu Feb 20 00:32:44 1997 --- /usr/tmp/caaa18734 Thu Feb 20 00:32:59 1997 *************** *** 0 **** --- 1,1025 ---- + diff -cr ../TIS.orig/fwtk/Makefile.config.linux fwtk/Makefile.config.linux + *** ../TIS.orig/fwtk/Makefile.config.linux Sat Sep 7 05:58:21 1996 + --- fwtk/Makefile.config.linux Sun Feb 2 05:48:01 1997 + *************** + *** 13,19 **** + + + # Your C compiler (eg, "cc" or "gcc") + ! CC= cc + + + # program to use for installation -- this may or may not preserve + --- 13,19 ---- + + + # Your C compiler (eg, "cc" or "gcc") + ! CC= gcc + + + # program to use for installation -- this may or may not preserve + *************** + *** 24,37 **** + + # Defines for your operating system + # + ! DEFINES=-DLINUX + #DEFINES=-DSYSV -DSOLARIS + + # Options for your compiler (eg, "-g" for debugging, "-O" for + # optimizing, or "-g -O" for both under GCC) + #COPT= -g -traditional $(DEFINES) + ! COPT= -g $(DEFINES) + ! #COPT= -O $(DEFINES) + + # Version of "make" you want to use + #MAKE= gnumake + --- 24,37 ---- + + # Defines for your operating system + # + ! DEFINES=-DLINUX -DUSE_IP_FILTER + #DEFINES=-DSYSV -DSOLARIS + + # Options for your compiler (eg, "-g" for debugging, "-O" for + # optimizing, or "-g -O" for both under GCC) + #COPT= -g -traditional $(DEFINES) + ! #COPT= -g $(DEFINES) + ! COPT= -O $(DEFINES) + + # Version of "make" you want to use + #MAKE= gnumake + *************** + *** 44,50 **** + + + # Destination directory for installation of binaries + ! DEST= /usr/local/etc + + + # Destination directory for installation of man pages + --- 44,50 ---- + + + # Destination directory for installation of binaries + ! 
DEST= /usr/local/sbin + + + # Destination directory for installation of man pages + *************** + *** 72,78 **** + # or -Bstatic for static binaries under SunOS 4.1.x) + #LDFL= -Bstatic + #LDFL= + ! LDFL= -g + + + # Location of the fwtk sources [For #include by any external tools needing it] + --- 72,79 ---- + # or -Bstatic for static binaries under SunOS 4.1.x) + #LDFL= -Bstatic + #LDFL= + ! #LDFL= -g + ! LDFL= -O + + + # Location of the fwtk sources [For #include by any external tools needing it] + *************** + *** 81,87 **** + + + # Location of X libraries for X-gw + ! XLIBDIR=/usr/X11/lib + #XLIBDIR=/usr/local/X11R5/lib + + # X Libraries + --- 82,88 ---- + + + # Location of X libraries for X-gw + ! XLIBDIR=/usr/X11R6/lib + #XLIBDIR=/usr/local/X11R5/lib + + # X Libraries + *************** + *** 96,102 **** + #XLIBS = -L$(XLIBDIR) -lXaw -lXmu -lXt -lXext -lX11 + + # Location of X include files + ! XINCLUDE=/usr/X11/include + #XINCLUDE=/usr/local/X11R5/include + + # Objects to include in libfwall for SYSV + --- 97,103 ---- + #XLIBS = -L$(XLIBDIR) -lXaw -lXmu -lXt -lXext -lX11 + + # Location of X include files + ! XINCLUDE=/usr/X11R6/include + #XINCLUDE=/usr/local/X11R5/include + + # Objects to include in libfwall for SYSV + diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris + *** ../TIS.orig/fwtk/Makefile.config.solaris Sat Sep 7 06:14:13 1996 + --- fwtk/Makefile.config.solaris Sun Feb 2 06:09:19 1997 + *************** + *** 11,30 **** + # + # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.1.1 1997/02/19 13:02:37 darrenr Exp $" + + + # Your C compiler (eg, "cc" or "gcc") + ! CC= cc + + + # program to use for installation -- this may or may not preserve + # old versions (or whatever). assumes that it takes parameters: + # copy source dest + ! CP= cp + + + # Defines for your operating system + # + ! 
DEFINES=-DSYSV -DSOLARIS + + #DEFINES=-DSYSV -DSOLARIS -Dgethostbyname=res_gethostbyname \ + -Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \ + --- 11,34 ---- + # + # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.1.1 1997/02/19 13:02:37 darrenr Exp $" + + + # + + # Path to sources of ip_filter (ip_nat.h required in lib/hnam.c) + + # + + IPFPATH=/src/unpacked/firewall/ip_fil3.1.5 + + # Your C compiler (eg, "cc" or "gcc") + ! CC= gcc + + + # program to use for installation -- this may or may not preserve + # old versions (or whatever). assumes that it takes parameters: + # copy source dest + ! CP= /usr/ucb/install -c -s + + + # Defines for your operating system + # + ! DEFINES=-DSYSV -DSOLARIS -DUSE_IP_FILTER -I$(IPFPATH) + + #DEFINES=-DSYSV -DSOLARIS -Dgethostbyname=res_gethostbyname \ + -Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \ + *************** + *** 45,52 **** + + + # Your ranlib utility (use "touch" if you don't have ranlib) + ! RANLIB= ranlib + ! #RANLIB= touch + + + # Destination directory for installation of binaries + --- 49,56 ---- + + + # Your ranlib utility (use "touch" if you don't have ranlib) + ! # RANLIB= ranlib + ! RANLIB= touch + + + # Destination directory for installation of binaries + diff -cr ../TIS.orig/fwtk/firewall.h fwtk/firewall.h + *** ../TIS.orig/fwtk/firewall.h Sun Sep 8 05:55:26 1996 + --- fwtk/firewall.h Sun Feb 2 05:23:33 1997 + *************** + *** 47,53 **** + system. + */ + #ifndef PERMFILE + ! #define PERMFILE "/usr/local/etc/netperm-table" + #endif + + /* + --- 47,53 ---- + system. + */ + #ifndef PERMFILE + ! #define PERMFILE "/etc/fwtk/netperm-table" + #endif + + /* + *************** + *** 67,73 **** + + /* Choose a system logging facility for the firewall toolkit. */ + #ifndef LFAC + ! #define LFAC LOG_DAEMON + #endif + + + --- 67,73 ---- + + /* Choose a system logging facility for the firewall toolkit. */ + #ifndef LFAC + ! 
#define LFAC LOG_LOCAL5 + #endif + + + *************** + *** 215,220 **** + #define PERM_ALLOW 01 + #define PERM_DENY 02 + + ! + #define _INCL_FWALL_H + #endif + --- 215,222 ---- + #define PERM_ALLOW 01 + #define PERM_DENY 02 + + ! #ifdef USE_IP_FILTER + ! extern char *getdsthost(int, int*); + ! #endif + #define _INCL_FWALL_H + #endif + diff -cr ../TIS.orig/fwtk/ftp-gw/ftp-gw.c fwtk/ftp-gw/ftp-gw.c + *** ../TIS.orig/fwtk/ftp-gw/ftp-gw.c Fri Sep 6 18:55:05 1996 + --- fwtk/ftp-gw/ftp-gw.c Sat Feb 1 06:49:13 1997 + *************** + *** 50,55 **** + --- 50,59 ---- + #ifndef FTPPORT + #define FTPPORT 21 + #endif + + #ifdef USE_IP_FILTER + + static int do_transparent=0; + + static int connectdest(); + + #endif + + static Cfg *confp; + static char **validests = (char **)0; + *************** + *** 170,175 **** + --- 174,182 ---- + char xuf[1024]; + char huf[128]; + char *passuser = (char *)0; /* passed user as av */ + + #ifdef USE_IP_FILTER + + char *psychic, *hotline; + + #endif + + #ifndef LOG_DAEMON + openlog("ftp-gw",LOG_PID); + *************** + *** 313,320 **** + } + } else + timeout = 60*60; + + - + /* display a welcome file or message */ + if(passuser == (char *)0) { + if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) { + --- 320,330 ---- + } + } else + timeout = 60*60; + + #ifdef USE_IP_FILTER + + psychic=getdsthost(0,NULL); + + if(psychic) { do_transparent++; } + + #endif + + /* display a welcome file or message */ + if(passuser == (char *)0) { + if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) { + *************** + *** 322,327 **** + --- 332,345 ---- + syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln); + exit(1); + } + + #ifdef USE_IP_FILTER + + if(do_transparent) { + + if(sayfile2(0,cf->argv[0],220)) { + + syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]); + + exit(1); + + } + + } else + + #endif /* USE_IP_FILTER */ + if(sayfile(0,cf->argv[0],220)) { + syslog(LLEV,"fwtksyserr: cannot display welcome %s: 
%m",cf->argv[0]); + exit(1); + *************** + *** 332,338 **** + if(authallflg) + if(say(0,"220-Proxy first requires authentication")) + exit(1); + ! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR); + if(say(0,xuf)) + exit(1); + } + --- 350,361 ---- + if(authallflg) + if(say(0,"220-Proxy first requires authentication")) + exit(1); + ! #ifdef USE_IP_FILTER + ! if(do_transparent) + ! sprintf(xuf,"220-%s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR); + ! else + ! #endif + ! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR); + if(say(0,xuf)) + exit(1); + } + *************** + *** 352,358 **** + if(cmd_user(2,fakav,"user internal")) + exit(1); + } + ! + /* main loop */ + while(1) { + FD_ZERO(&rdy); + --- 375,386 ---- + if(cmd_user(2,fakav,"user internal")) + exit(1); + } + ! #ifdef USE_IP_FILTER + ! if(do_transparent) { + ! connectdest(psychic,21); + ! } + ! #endif + ! + /* main loop */ + while(1) { + FD_ZERO(&rdy); + *************** + *** 676,681 **** + --- 704,719 ---- + return(sayn(0,noad,sizeof(noad)-1)); + } + + + #ifdef USE_IP_FILTER + + if(do_transparent) { + + if((rfd==(-1)) && (x=connectdest(dest,port))) return x; + + sprintf(buf,"USER %s",user); + + if(say(rfd,buf)) return(1); + + x=getresp(rfd,buf,sizeof(buf),1); + + if(sendsaved(0,x)) return(1); + + return(say(0,buf)); + + } + + #endif + if(*dest == '\0') + dest = "localhost"; + + *************** + *** 717,723 **** + char ebuf[512]; + + strcpy(ebuf,buf); + ! sprintf(buf,"521 %s: %s",dest,ebuf); + rfd = -1; + return(say(0,buf)); + } + --- 755,766 ---- + char ebuf[512]; + + strcpy(ebuf,buf); + ! #ifdef USE_IP_FILTER + ! if(do_transparent) { + ! sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf); + ! } else + ! #endif + ! 
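Review bot: In the transparent branch of the `*** 676,681` hunk, `sprintf(buf,"USER %s",user)` copies the user name into `buf` with no length check; the same hunk passes `sizeof(buf)` to getresp, so `buf` is a fixed array, and if `user` is the argument of the client's USER command a long name overruns it before the request reaches the server. The size of `buf` and any earlier validation of `user` are outside the hunk, so the exact exposure cannot be confirmed here. A bound before the sprintf, e.g. `if(strlen(user) + 6 >= sizeof(buf)) return(say(0,"501 user name too long"));`, closes it regardless of what the caller checked. The enclosing function starts and ends outside the hunk.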
sprintf(buf,"521 %s: %s",dest,ebuf); + rfd = -1; + return(say(0,buf)); + } + *************** + *** 1874,1876 **** + --- 1917,2036 ---- + dup(nread); + } + #endif + + + + #ifdef USE_IP_FILTER + + static int connectdest(dest, port) + + char *dest; + + short port; + + { + + char buf[1024], mbuf[512]; + + int msg_int, x; + + + + if(*dest == '\0') + + dest = "localhost"; + + + + if(validests != (char **)0) { + + char **xp; + + int x; + + + + for(xp = validests; *xp != (char *)0; xp++) { + + if(**xp == '!' && hostmatch(*xp + 1,dest)) { + + return(baddest(0,dest)); + + } else { + + if(hostmatch(*xp,dest)) + + break; + + } + + } + + if(*xp == (char *)0) + + return(baddest(0,dest)); + + } + + + + /* Extended permissions processing goes in here for destination */ + + if(extendperm) { + + msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0); + + if(msg_int == 1) { + + sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest); + + syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser); + + say(0,mbuf); + + return(1); + + } else { + + if(msg_int == -1) { + + sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest); + + say(0,mbuf); + + return(1); + + } + + } + + } + + + + syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest); + + + + if((rfd = conn_server(dest,port,0,buf)) < 0) { + + char ebuf[512]; + + + + strcpy(ebuf,buf); + + sprintf(buf,"521 %s: %s",dest,ebuf); + + rfd = -1; + + return(say(0,buf)); + + } + + if(!do_transparent) { + + sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest); + + saveline(buf); + + } + + + + /* we are now connected and need to try the autologin thing */ + + x = getresp(rfd,buf,sizeof(buf),1); + + if(x / 100 != COMPLETE) { + + sendsaved(0,-1); + + return(say(0,buf)); + + } + + saveline(buf); + + + + sendsaved(0,-1); + + return 0; + + } + + + + + + /* ok, so i'm in a hurry. english paper due RSN. 
*/ + + sayfile2(fd,fn,code) + + int fd; + + char *fn; + + int code; + + { + + FILE *f; + + char buf[BUFSIZ]; + + char yuf[BUFSIZ]; + + char *c; + + int x; + + int saidsomething = 0; + + + + if((f = fopen(fn,"r")) == (FILE *)0) + + return(1); + + while(fgets(buf,sizeof(buf),f) != (char *)0) { + + if((c = index(buf,'\n')) != (char *)0) + + *c = '\0'; + + x = fgetc(f); + + if(feof(f)) + + sprintf(yuf,"%3.3d-%s",code,buf); + + else { + + sprintf(yuf,"%3.3d-%s",code,buf); + + ungetc(x,f); + + } + + if(say(fd,yuf)) { + + fclose(f); + + return(1); + + } + + saidsomething++; + + } + + fclose(f); + + if (!saidsomething) { + + syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code); + + sprintf(yuf, "%3.3d The file to display is empty",code); + + if(say(fd,yuf)) { + + fclose(f); + + return(1); + + } + + } + + return(0); + + } + + + + #endif /* USE_IP_FILTER */ + diff -cr ../TIS.orig/fwtk/http-gw/http-gw.c fwtk/http-gw/http-gw.c + *** ../TIS.orig/fwtk/http-gw/http-gw.c Mon Sep 9 20:40:53 1996 + --- fwtk/http-gw/http-gw.c Sun Feb 2 06:41:18 1997 + *************** + *** 27,32 **** + --- 27,35 ---- + static char http_buffer[8192]; + static char reason[8192]; + static int checkBrowserType = 1; + + #ifdef USE_IP_FILTER + + static int do_transparent=0; + + #endif + + static void do_logging() + { char *proto = "GOPHER"; + *************** + *** 422,427 **** + --- 425,441 ---- + /*(NOT A SPECIAL FORM)*/ + + if((rem_type & TYPE_LOCAL)== 0){ + + #ifdef USE_IP_FILTER + + char *psychic=getdsthost(sockfd,&def_port); + + if(psychic) { + + if(strlen(psychic)<=MAXHOSTNAMELEN) { + + do_transparent++; + + strncpy(def_httpd,psychic,strlen(psychic)); + + strncpy(def_server,psychic,strlen(psychic)); + + } + + } + + + + #endif /* USE_IP_FILTER */ + /* See if it can be forwarded */ + + if( can_forward(buf)){ + *************** + *** 1513,1518 **** + --- 1527,1537 ---- + parse_vec[0], + parse_vec[1], + ourname, ourport); + + } + + #ifdef USE_IP_FILTER + + else if(do_transparent) { + + 
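Review bot: sayfile2, added at the end of this hunk, calls `fclose(f)` twice on the empty-file path: the `fclose(f)` after the while loop runs unconditionally, and the `if(say(fd,yuf))` branch inside `if (!saidsomething)` closes the same stream again, which is undefined behaviour and a double free of the FILE on most libcs; drop the inner call so that branch reads `if(say(fd,yuf)) return(1);`. Separately, `buf` and `yuf` are both BUFSIZ while `sprintf(yuf,"%3.3d-%s",code,buf)` prepends four bytes, so a welcome-msg line that fills `buf` overruns `yuf` by up to four bytes; `char yuf[BUFSIZ + 8];` removes that. The two arms of `if(feof(f))` also produce the identical `"%3.3d-%s"` continuation format, which reads like a leftover from sayfile; if every line is meant to be a continuation because the real server's banner supplies the final reply in transparent mode, a one-line comment saying so would stop the next reader from "fixing" it. In connectdest, the inner `int x;` in the validests block shadows the outer `x` harmlessly and should simply go.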
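Review bot: In the http-gw `*** 422,427` hunk, `strncpy(def_httpd,psychic,strlen(psychic))` and the matching copy into `def_server` copy exactly strlen(psychic) bytes and so never write a terminating NUL, meaning whatever tail the two arrays held before remains after the new host name and the proxy may connect to the NAT destination with stale characters appended. The `strlen(psychic)<=MAXHOSTNAMELEN` guard bounds the copy against psychic but says nothing about the arrays' own sizes, which are declared outside the hunk. Since the length has just been checked, `strcpy(def_httpd,psychic); strcpy(def_server,psychic);` is the right copy here, provided both arrays hold at least MAXHOSTNAMELEN+1 bytes, which should be confirmed where they are declared. The enclosing function starts and ends outside the hunk.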
sprintf(new_reply,"%s\t%s\t%s\t%s",parse_vec[0],parse_vec[1],parse_vec[2],parse_vec[3]); + + #endif /* USE_IP_FILTER */ + }else{ + sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u", + parse_vec[0], parse_vec[2], + diff -cr ../TIS.orig/fwtk/lib/hnam.c fwtk/lib/hnam.c + *** ../TIS.orig/fwtk/lib/hnam.c Sat Nov 5 00:30:19 1994 + --- fwtk/lib/hnam.c Sat Feb 1 08:17:46 1997 + *************** + *** 20,25 **** + --- 20,37 ---- + + extern char *inet_ntoa(); + + + #if defined(USE_IP_FILTER) + + #include + + #ifndef LINUX + + #include "ip_nat.h" + + #endif + + #if defined(SOLARIS) + + #include + + #include + + #include + + #include + + #endif + + #endif /* IP_FILTER */ + + #include "firewall.h" + + *************** + *** 45,47 **** + --- 57,158 ---- + bcopy(hp->h_addr,&sin.sin_addr,hp->h_length); + return(inet_ntoa(sin.sin_addr)); + } + + + + + + + + #ifdef USE_IP_FILTER + + char *getdsthost(fd, ptr) + + int fd; + + int *ptr; + + { + + struct sockaddr_in sin; + + struct hostent *hp; + + int sl=sizeof(struct sockaddr_in), err=0, local_h=0, i=0; + + static char buf[255], hostbuf[255]; + + #if defined(__FreeBSD__) || defined(SOLARIS) + + struct sockaddr_in rsin; + + struct natlookup natlookup; + + int natfd; + + #endif + + + + #ifdef linux + + /* This should also work for UDP. Unfortunately, it doesn't. + + Maybe when the Linux UDP proxy code gets a little cleaner. 
+ + */ + + if(!(err=getsockname(0,&sin,&sl))) { + + if(ptr) *ptr=ntohs(sin.sin_port); + + sprintf(buf,"%s",inet_ntoa(sin.sin_addr)); + + gethostname(hostbuf,254); + + hp=gethostbyname(hostbuf); + + while(hp->h_addr_list[i]) { + + bzero(&sin,&sl); + + memcpy(&sin.sin_addr,hp->h_addr_list[i++],sizeof(hp->h_addr_list[i++])); + + if(!strcmp(buf,inet_ntoa(sin.sin_addr))) local_h++; + + } + + if(local_h) { /* syslog(LLEV,"DEBUG: hnam.c: non-transparent."); */ return(NULL); } + + else { return(buf); } + + } + + #endif + + + + #if defined(__FreeBSD__) + + /* The basis for this block of code is Darren Reed's + + patches to the TIS ftwk's ftp-gw. + + */ + + bzero((char*)&sin,sizeof(sin)); + + bzero((char*)&rsin,sizeof(rsin)); + + if(getsockname(fd,(struct sockaddr*)&sin,&sl)<0) { + + return NULL; + + } + + sl=sizeof(rsin); + + if(getpeername(fd,(struct sockaddr*)&rsin,&sl)<0) { + + return NULL; + + } + + natlookup.nl_inport=sin.sin_port; + + natlookup.nl_outport=rsin.sin_port; + + natlookup.nl_inip=sin.sin_addr; + + natlookup.nl_outip=rsin.sin_addr; + + if((natfd=open("/dev/ipl",O_RDONLY))<0) { + + return(NULL); + + } + + if(ioctl(natfd,SIOCGNATL,&natlookup)==(-1)) { + + return(NULL); + + } + + close(natfd); + + if(ptr) *ptr=ntohs(natlookup.nl_inport); + + sprintf(buf,"%s",inet_ntoa(natlookup.nl_inip)); + + #endif + + + + #if defined(SOLARIS) /* for Solaris */ + + /* The basis for this block of code is Darren Reed's + + * patches to the TIS ftwk's ftp-gw. 
+ + * modified for Solaris from Michael Kutzner, Michael.Kutzner@paderlinx.de + + */ + + memset((char*)&sin, 0, sizeof(sin)); + + memset((char*)&rsin, 0, sizeof(rsin)); + + + + if(getsockname(fd,(struct sockaddr*)&sin,&sl)<0) { + + return NULL; + + } + + sl=sizeof(rsin); + + if(getpeername(fd,(struct sockaddr*)&rsin,&sl)<0) { + + return NULL; + + } + + natlookup.nl_inport=sin.sin_port; + + natlookup.nl_outport=rsin.sin_port; + + natlookup.nl_inip=sin.sin_addr; + + natlookup.nl_outip=rsin.sin_addr; + + if( (natfd=open("/dev/ipl",O_RDONLY)) < 0) { + + return(NULL); + + } + + if(ioctl(natfd, SIOCGNATL, &natlookup) == -1) { + + return(NULL); + + } + + close(natfd); + + if(ptr) *ptr=ntohs(natlookup.nl_inport); + + sprintf(buf,"%s",inet_ntoa(natlookup.nl_inip)); + + #endif + + + + /* No transparent proxy support */ + + return(NULL); + + } + + #endif /* USE_IP_FILTER */ + diff -cr ../TIS.orig/fwtk/plug-gw/plug-gw.c fwtk/plug-gw/plug-gw.c + *** ../TIS.orig/fwtk/plug-gw/plug-gw.c Thu Sep 5 21:36:33 1996 + --- fwtk/plug-gw/plug-gw.c Sun Feb 2 04:50:40 1997 + *************** + *** 38,44 **** + static int timeout = PROXY_TIMEOUT; + static char **validdests = (char **)0; + static Cfg *confp; + ! + main(ac,av) + int ac; + char *av[]; + --- 38,46 ---- + static int timeout = PROXY_TIMEOUT; + static char **validdests = (char **)0; + static Cfg *confp; + ! #ifdef USE_IP_FILTER + ! static int do_transparent=0; + ! #endif + main(ac,av) + int ac; + char *av[]; + *************** + *** 189,201 **** + static char buf[1024 * 4]; + void (*op)(); + char *dhost = NULL; + char hostport[1024 * 4]; + char *ptr; + int state = 0; + int ssl_plug = 0; + ! + struct timeval timo; + + if(c->flags & PERM_DENY) { + if (p == -1) + syslog(LLEV,"deny host=%s/%s port=any",rhost,raddr); + --- 191,215 ---- + static char buf[1024 * 4]; + void (*op)(); + char *dhost = NULL; + + char *transhost = NULL; + char hostport[1024 * 4]; + char *ptr; + int state = 0; + int ssl_plug = 0; + ! #ifdef USE_IP_FILTER + ! 
int pport; + ! #endif + struct timeval timo; + + + #ifdef USE_IP_FILTER + + /* Transparent plug-gw is probably a bad idea, but hey .. */ + + transhost=getdsthost(0,&pport); + + if(transhost) { + + do_transparent++; + + portid=pport; + + } + + #endif + + + if(c->flags & PERM_DENY) { + if (p == -1) + syslog(LLEV,"deny host=%s/%s port=any",rhost,raddr); + *************** + *** 223,229 **** + privport = 1; + continue; + } + ! + if (!strcmp(av[x], "-port")) { + if (++x >= ac) { + syslog(LLEV,"fwtkcfgerr: -port takes an argument, line %d",c->ln); + --- 237,248 ---- + privport = 1; + continue; + } + ! #ifdef USE_IP_FILTER + ! if (!strcmp(av[x],"-all-destinations")) { + ! dhost = transhost; + ! continue; + ! } + ! #endif + if (!strcmp(av[x], "-port")) { + if (++x >= ac) { + syslog(LLEV,"fwtkcfgerr: -port takes an argument, line %d",c->ln); + diff -cr ../TIS.orig/fwtk/rlogin-gw/rlogin-gw.c fwtk/rlogin-gw/rlogin-gw.c + *** ../TIS.orig/fwtk/rlogin-gw/rlogin-gw.c Fri Sep 6 18:56:33 1996 + --- fwtk/rlogin-gw/rlogin-gw.c Sun Feb 2 06:26:04 1997 + *************** + *** 40,46 **** + + extern char *maphostname(); + + ! + static int cmd_quit(); + static int cmd_help(); + static int cmd_connect(); + --- 40,48 ---- + + extern char *maphostname(); + + ! #ifdef USE_IP_FILTER + ! static int do_transparent=0; + ! #endif + static int cmd_quit(); + static int cmd_help(); + static int cmd_connect(); + *************** + *** 120,125 **** + --- 122,130 ---- + static char *tokav[56]; + int tokac; + struct timeval timo; + + #ifdef USE_IP_FILTER + + char *psychic; + + #endif + + #ifndef LOG_NDELAY + openlog("rlogin-gw",LOG_PID); + *************** + *** 186,192 **** + } + + + ! + if((cf = cfg_get("directory",confp)) != (Cfg *)0) { + if(cf->argc != 1) { + syslog(LLEV,"fwtkcfgerr: chroot must have one parameter, line %d",cf->ln); + --- 191,204 ---- + } + + + ! #ifdef USE_IP_FILTER + ! psychic=getdsthost(0,NULL); + ! if(psychic) { + ! do_transparent++; + ! strncpy(dest,psychic,511); + ! 
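Review bot: The new `-all-destinations` option in the `*** 223,229` hunk sets `dhost = transhost` straight from the kernel NAT lookup, and nothing in the hunk runs that host through the `validdests` list this file keeps, so a netperm-table rule carrying the flag turns plug-gw into a relay to whatever address a permitted client dialled; the earlier hunk's own comment already calls transparent plug-gw "probably a bad idea". The rest of the option parser and any later destination check are outside the hunk, so whether validdests is still consulted downstream cannot be confirmed here. At minimum the option deserves a comment at its definition, e.g. `/* -all-destinations: connect to whatever the client addressed; only the ipf NAT/filter rules restrict it */`, and the permit log line should include `transhost` and `portid` so the destination actually used shows up in the audit trail.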
dest[511]='\0'; + ! } + ! #endif /* USE_IP_FILTER */ + if((cf = cfg_get("directory",confp)) != (Cfg *)0) { + if(cf->argc != 1) { + syslog(LLEV,"fwtkcfgerr: chroot must have one parameter, line %d",cf->ln); + *************** + *** 260,269 **** + } + + /* if present a host name, chop and save username and hostname */ + - dest[0] = '\0'; + if((p = index(rusername,'@')) != (char *)0) { + char *namp; + + *p++ = '\0'; + if(*p == '\0') + p = "localhost"; + --- 272,281 ---- + } + + /* if present a host name, chop and save username and hostname */ + if((p = index(rusername,'@')) != (char *)0) { + char *namp; + + + dest[0] = '\0'; + *p++ = '\0'; + if(*p == '\0') + p = "localhost"; + *************** + *** 532,539 **** + --- 544,557 ---- + sprintf(ebuf,"Trying %s@%s...",rusername,namp); + else + sprintf(ebuf,"Trying %s...",namp); + + #ifdef USE_IP_FILTER + + if(!do_transparent) { + + #endif + if(say(0,ebuf)) + return(1); + + #ifdef USE_IP_FILTER + + } + + #endif + } else + syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,av[1]); + if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) { + diff -cr ../TIS.orig/fwtk/tn-gw/tn-gw.c fwtk/tn-gw/tn-gw.c + *** ../TIS.orig/fwtk/tn-gw/tn-gw.c Fri Sep 6 18:55:48 1996 + --- fwtk/tn-gw/tn-gw.c Sun Feb 2 06:06:33 1997 + *************** + *** 97,102 **** + --- 97,106 ---- + static int timeout = PROXY_TIMEOUT; + static char timed_out_msg[] = "\r\nConnection closed due to inactivity"; + + + #ifdef USE_IP_FILTER + + static int do_transparent=0; + + #endif + + + typedef struct { + char *name; + char *hmsg; + *************** + *** 140,145 **** + --- 144,153 ---- + char tokbuf[BSIZ]; + char *tokav[56]; + int tokac; + + #ifdef USE_IP_FILTER + + int port; + + char *psychic; + + #endif + + #ifndef LOG_DAEMON + openlog("tn-gw",LOG_PID); + *************** + *** 307,313 **** + exit(1); + } + } + ! + while (argc > 1) { + argc--; + argv++; + --- 315,349 ---- + exit(1); + } + } + ! #ifdef USE_IP_FILTER + ! psychic=getdsthost(0,&port); + ! 
if(psychic) { + ! if((strlen(psychic) + 10) < 510) { + ! do_transparent++; + ! if(port) + ! sprintf(dest,"%s:%d",psychic,port); + ! else + ! sprintf(dest,"%s",psychic); + ! + ! + ! if(!welcomedone) + ! if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) { + ! if(cf->argc != 1) { + ! syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln); + ! exit(1); + ! } + ! if(sayfile(0,cf->argv[0])) { + ! syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]); + ! exit(1); + ! } + ! welcomedone = 1; + ! } + ! + ! + ! } + ! } + ! + ! #endif /* USE_IP_FILTER */ + while (argc > 1) { + argc--; + argv++; + *************** + *** 870,877 **** + + syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp); + sprintf(ebuf,"Trying %s port %d...",namp,port); + ! if(say(0,ebuf)) + ! return(1); + } else + syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]); + + --- 906,920 ---- + + syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp); + sprintf(ebuf,"Trying %s port %d...",namp,port); + ! #ifdef USE_IP_FILTER + ! if(!do_transparent) { + ! sprintf(ebuf,"Trying %s port %d...",namp,port); + ! #endif + ! if(say(0,ebuf)) + ! return(1); + ! #ifdef USE_IP_FILTER + ! } + ! #endif + } else + syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]); + + *************** + *** 903,910 **** + + syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]); + strncpy(dest,av[1], 511); + ! sprintf(buf, "Connected to %s.", dest); + say(0, buf); + return(2); + } + + --- 946,959 ---- + + syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]); + strncpy(dest,av[1], 511); + ! #ifdef USE_IP_FILTER + ! if(!do_transparent) { + ! sprintf(buf, "Connected to %s.", dest); + ! say(0, buf); + ! } + ! 
#else + say(0, buf); + + #endif + return(2); + } + + diff -cr ../TIS.orig/fwtk/x-gw/socket.c fwtk/x-gw/socket.c + *** ../TIS.orig/fwtk/x-gw/socket.c Sat Sep 7 05:16:35 1996 + --- fwtk/x-gw/socket.c Sun Feb 2 05:26:44 1997 + *************** + *** 212,218 **** + case AF_UNIX: un_name = (struct sockaddr_un *)addr; + len = sizeof(un_name->sun_family) + + sizeof(un_name->sun_path) + ! #ifdef SCM_RIGHTS /* 4.3BSD Reno and later */ + + sizeof(un_name->sun_len) + 1 + #endif + ; + --- 212,218 ---- + case AF_UNIX: un_name = (struct sockaddr_un *)addr; + len = sizeof(un_name->sun_family) + + sizeof(un_name->sun_path) + ! #if defined(SCM_RIGHTS) && !defined(LINUX)/* 4.3BSD Reno and later */ + + sizeof(un_name->sun_len) + 1 + #endif + ; + Only in fwtk/x-gw: socket.c.bak Index: FreeBSD/ip_input.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/FreeBSD/ip_input.c.diffs,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:47 --- 2.0.1.2 1997/02/18 10:54:20 *************** *** 1,5 **** ! *** ip_input.c.orig Wed Sep 6 20:31:35 1995 ! --- ip_input.c Sun Apr 21 12:12:53 1996 *************** *** 93,98 **** --- 93,102 ---- --- 1,5 ---- ! *** /sys/netinet/ip_input.c.orig Thu Oct 24 22:27:27 1996 ! --- /sys/netinet/ip_input.c Tue Feb 18 21:18:19 1997 *************** *** 93,98 **** --- 93,102 ---- *************** *** 14,20 **** struct ipstat ipstat; struct ipq ipq; *************** ! *** 197,204 **** } ip = mtod(m, struct ip *); } --- 14,20 ---- struct ipstat ipstat; struct ipq ipq; *************** ! *** 219,226 **** } ip = mtod(m, struct ip *); } *************** *** 23,29 **** ipstat.ips_badsum++; goto bad; } ! --- 201,207 ---- } ip = mtod(m, struct ip *); } --- 23,29 ---- ipstat.ips_badsum++; goto bad; } ! --- 223,229 ---- } ip = mtod(m, struct ip *); } *************** *** 32,70 **** goto bad; } *************** ! *** 246,251 **** ! --- 249,266 ---- ! goto next; ! 
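Review bot: In the `*** 903,910` hunk the `#else` branch for builds without USE_IP_FILTER keeps `say(0, buf);` but no longer has the `sprintf(buf, "Connected to %s.", dest);` that the hunk moved inside the `#ifdef USE_IP_FILTER` block, so a non-IP-Filter build now sends whatever `buf` last held to the client instead of the connected message. Keeping the sprintf unconditional and guarding only the say avoids the regression: `sprintf(buf, "Connected to %s.", dest);` followed by `#ifdef USE_IP_FILTER` / `if(!do_transparent)` / `#endif` / `say(0, buf);`. The same shape would also tidy the `*** 870,877` hunk, which currently formats `ebuf` twice. The enclosing function starts outside the hunk.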
} + #if defined(IPFILTER) || defined(IPFILTER_LKM) - + { - + struct mbuf *m0 = m; + /* + * Check if we want to allow this packet to be processed. + * Consider it to be bad if not. + */ ! + if (fr_checkp && (*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m0)) ! + goto next; ! + ip = mtod(m = m0, struct ip *); ! + } + #endif /* * Process options and, if not destined for us, * ship it on. ip_dooptions returns 1 when an *************** ! *** 507,512 **** ! --- 523,530 ---- ! * if they are completely covered, dequeue them. ! */ ! while (q != (struct ipasfrag *)fp && ip->ip_off + ip->ip_len > q->ip_off) { ! + struct mbuf *m0; ! + ! i = (ip->ip_off + ip->ip_len) - q->ip_off; ! if (i < q->ip_len) { ! q->ip_len -= i; ! *************** ! *** 514,522 **** m_adj(dtom(q), i); break; } --- 32,60 ---- goto bad; } *************** ! *** 267,272 **** ! --- 270,288 ---- ! goto next; ! } + #if defined(IPFILTER) || defined(IPFILTER_LKM) + /* + * Check if we want to allow this packet to be processed. + * Consider it to be bad if not. + */ ! + if (fr_checkp) { ! + struct mbuf *m1 = m; ! + ! + if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1) ! + goto next; ! + ip = mtod(m = m1, struct ip *); ! + } + #endif /* * Process options and, if not destined for us, * ship it on. ip_dooptions returns 1 when an *************** ! *** 526,534 **** m_adj(dtom(q), i); break; } *************** *** 74,80 **** } insert: ! --- 532,541 ---- m_adj(dtom(q), i); break; } --- 64,70 ---- } insert: ! --- 542,551 ---- m_adj(dtom(q), i); break; } Index: FreeBSD/ip_output.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/FreeBSD/ip_output.c.diffs,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.4 diff -c -r2.0.1.1 -r2.0.1.4 *** 2.0.1.1 1997/01/09 15:14:47 --- 2.0.1.4 1997/02/18 10:54:21 *************** *** 1,5 **** ! *** /sys/netinet/ip_output.c.orig Wed Sep 6 20:31:40 1995 ! 
--- /sys/netinet/ip_output.c Sat Aug 10 01:09:23 1996 *************** *** 65,70 **** --- 65,74 ---- --- 1,5 ---- ! *** /sys/netinet/ip_output.c.orig Thu Oct 24 22:27:28 1996 ! --- /sys/netinet/ip_output.c Tue Feb 18 21:38:23 1997 *************** *** 65,70 **** --- 65,74 ---- *************** *** 14,38 **** /* * IP output. The packet in mbuf chain m contains a skeletal IP *************** ! *** 312,317 **** ! --- 316,335 ---- ! } else m->m_flags &= ~M_BCAST; + #if defined(IPFILTER) || defined(IPFILTER_LKM) - + { - + struct mbuf *m0 = m; + /* + * looks like most checking has been done now...do a filter check + */ ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m0)) ! + { ! + error = EHOSTUNREACH; ! + goto done; ! + } ! + ip = mtod(m = m0, struct ip *); ! + } + #endif - sendit: /* ! * If small enough for interface, can just send directly. --- 14,38 ---- /* * IP output. The packet in mbuf chain m contains a skeletal IP *************** ! *** 330,335 **** ! --- 334,353 ---- m->m_flags &= ~M_BCAST; + sendit: + #if defined(IPFILTER) || defined(IPFILTER_LKM) + /* + * looks like most checking has been done now...do a filter check + */ ! + if (fr_checkp) { ! + struct mbuf *m1 = m; ! + ! + if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) ! + error = EHOSTUNREACH; ! + if (error || !m1) ! + goto done; ! + ip = mtod(m = m1, struct ip *); ! + } + #endif /* ! * Check with the firewall... ! */ Index: NetBSD/ip_input.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/NetBSD/ip_input.c.diffs,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:47 --- 2.0.1.2 1997/02/18 10:54:24 *************** *** 1,10 **** ! *** ip_input.c.orig Sun Apr 23 17:17:05 1995 ! --- ip_input.c Sun Apr 23 17:30:03 1995 *************** *** 80,85 **** --- 80,89 ---- int ipqmaxlen = IFQ_MAXLEN; ! 
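Review bot: In the new filter hook of the `*** 14,38` hunk, a non-zero return from `(*fr_checkp)` sets `error = EHOSTUNREACH` and jumps to `done`; in the stock BSD ip_output the mbuf chain is freed only at `bad:` (not shown here), so the blocked packet is leaked unless fr_check itself frees it and NULLs `m1`. Which side owns the mbuf on a block verdict should be confirmed against fr_check in fil.c and written into the comment, e.g. `/* fr_check frees *mp and sets it NULL when it drops the packet; NULL m1 with error==0 means it was consumed (fastroute) */`. The test `if (error || !m1)` also assumes `error` is still 0 when the hook is reached, which holds only if nothing between the function's initialisation and the moved `sendit:` label sets it, and the `goto sendit` paths are outside the hunk. The same hook is repeated verbatim in the NetBSD and SunOS4 files in this change and the input hooks' `goto next` raise the same ownership question, so whatever the answer is applies to all of them.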
struct in_ifaddr *in_ifaddr; /* first inet address */ struct ifqueue ipintrq; + #if defined(IPFILTER_LKM) || defined(IPFILTER) + int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf *)); --- 1,10 ---- ! *** /sys/netinet/ip_input.c.orig Sat Oct 14 12:51:10 1995 ! --- /sys/netinet/ip_input.c Tue Feb 18 21:32:33 1997 *************** *** 80,85 **** --- 80,89 ---- int ipqmaxlen = IFQ_MAXLEN; ! struct in_ifaddrhead in_ifaddr; struct ifqueue ipintrq; + #if defined(IPFILTER_LKM) || defined(IPFILTER) + int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf *)); *************** *** 14,37 **** /* * We need to save the IP options in case a protocol wants to respond *************** ! *** 225,231 **** ! --- 233,251 ---- m_adj(m, ip->ip_len - m->m_pkthdr.len); } + #if defined(IPFILTER) || defined(IPFILTER_LKM) ! /* + * Check if we want to allow this packet to be processed. + * Consider it to be bad if not. + */ ! + { ! + struct mbuf *m0 = m; ! + if (fr_checkp && (*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m0)) ! + goto next; ! + ip = mtod(m = m0, struct ip *); + } + #endif ! + /* * Process options and, if not destined for us, * ship it on. ip_dooptions returns 1 when an - * error was detected (causing an icmp message --- 14,37 ---- /* * We need to save the IP options in case a protocol wants to respond *************** ! *** 216,221 **** ! --- 220,238 ---- m_adj(m, ip->ip_len - m->m_pkthdr.len); } + #if defined(IPFILTER) || defined(IPFILTER_LKM) ! + /* + * Check if we want to allow this packet to be processed. + * Consider it to be bad if not. + */ ! + if (fr_checkp) { ! + struct mbuf *m1 = m; ! + ! + if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1) ! + goto next; ! + ip = mtod(m = m1, struct ip *); + } + #endif ! /* * Process options and, if not destined for us, * ship it on. 
ip_dooptions returns 1 when an Index: NetBSD/ip_output.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/NetBSD/ip_output.c.diffs,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.3 diff -c -r2.0.1.1 -r2.0.1.3 *** 2.0.1.1 1997/01/09 15:14:47 --- 2.0.1.3 1997/02/18 10:54:25 *************** *** 1,5 **** ! *** ip_output.c.orig Sun Apr 23 17:17:05 1995 ! --- ip_output.c Sun Apr 23 17:32:11 1995 *************** *** 60,65 **** --- 60,69 ---- --- 1,5 ---- ! *** /sys/netinet/ip_output.c.orig Sat Oct 14 12:51:15 1995 ! --- /sys/netinet/ip_output.c Tue Feb 18 21:36:10 1997 *************** *** 60,65 **** --- 60,69 ---- *************** *** 15,38 **** * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 277,282 **** ! --- 284,303 ---- ! } else m->m_flags &= ~M_BCAST; + #if defined(IPFILTER) || defined(IPFILTER_LKM) - + { - + struct mbuf *m0 = m; + /* + * looks like most checking has been done now...do a filter check + */ ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m0)) ! + { ! + error = EHOSTUNREACH; ! + goto done; ! + } ! + ip = mtod(m = m0, struct ip *); + } + #endif - sendit: /* * If small enough for interface, can just send directly. --- 15,38 ---- * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 277,282 **** ! --- 281,300 ---- m->m_flags &= ~M_BCAST; + sendit: + #if defined(IPFILTER) || defined(IPFILTER_LKM) + /* + * looks like most checking has been done now...do a filter check + */ ! + if (fr_checkp) { ! + struct mbuf *m1 = m; ! + ! + if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) ! + error = EHOSTUNREACH; ! + if (error || !m1) ! + goto done; ! + ip = mtod(m = m1, struct ip *); + } + #endif /* * If small enough for interface, can just send directly. 
+ */ Index: SunOS4/ip_input.c =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS4/ip_input.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:49 --- 2.0.1.2 1997/02/18 10:54:10 *************** *** 231,239 **** */ #if defined(IPFILTER_LKM) || defined(IPFILTER) if (fr_checkp) { ! if ((*fr_checkp)(ip, hlen, ifp, 0, &m)) goto next; ! ip = mtod(m, struct ip *); } #endif --- 231,241 ---- */ #if defined(IPFILTER_LKM) || defined(IPFILTER) if (fr_checkp) { ! struct mbuf *m1 = m; ! ! if ((*fr_checkp)(ip, hlen, ifp, 0, &m1) || !m1) goto next; ! ip = mtod(m = m1, struct ip *); } #endif Index: SunOS4/ip_output.c =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS4/ip_output.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:49 --- 2.0.1.2 1997/02/18 10:54:11 *************** *** 315,325 **** */ #if defined(IPFILTER_LKM) || defined(IPFILTER) if (fr_checkp) { ! if ((*fr_checkp)(ip, hlen, ifp, 1, &m)) { error = EHOSTUNREACH; goto done; ! } ! ip = mtod(m, struct ip *); } #endif --- 315,327 ---- */ #if defined(IPFILTER_LKM) || defined(IPFILTER) if (fr_checkp) { ! struct mbuf *m1 = m; ! ! if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) error = EHOSTUNREACH; + if (error || !m1) goto done; ! ip = mtod(m = m1, struct ip *); } #endif Index: SunOS5/pkginfo =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS5/pkginfo,v retrieving revision 2.0.1.3 retrieving revision 2.0.1.4 diff -c -r2.0.1.3 -r2.0.1.4 *** 2.0.1.3 1997/02/08 06:46:16 --- 2.0.1.4 1997/02/19 13:32:43 *************** *** 5,11 **** PKG=CYBSipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.1,REV=7 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Cybersource --- 5,11 ---- PKG=CYBSipf NAME=IP Filter ARCH=sparc,i386 ! 
VERSION=3.1,REV=8 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Cybersource Index: ipsend/44arp.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipsend/44arp.c,v retrieving revision 2.0.1.1 retrieving revision 2.0.1.2 diff -c -r2.0.1.1 -r2.0.1.2 *** 2.0.1.1 1997/01/09 15:14:51 --- 2.0.1.2 1997/02/16 06:18:55 *************** *** 52,58 **** { int mib[6]; size_t needed; ! char *malloc(), *lim, *buf, *next; struct rt_msghdr *rtm; struct sockaddr_inarp *sin; struct sockaddr_dl *sdl; --- 52,58 ---- { int mib[6]; size_t needed; ! char *lim, *buf, *next; struct rt_msghdr *rtm; struct sockaddr_inarp *sin; struct sockaddr_dl *sdl;