Index: HISTORY =================================================================== RCS file: /devel/CVS/IP-Filter/HISTORY,v retrieving revision 2.0.1.8 retrieving revision 2.0.1.10 diff -c -r2.0.1.8 -r2.0.1.10 *** 2.0.1.8 1997/02/17 14:07:05 --- 2.0.1.10 1997/03/08 03:23:24 *************** *** 5,10 **** --- 5,30 ---- # Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the # loan of a machine to work on a Solaris 2.x port of this software. # + 3.1.9 8/3/97 - Released + + fixed incorrect lookup of active NAT entries. + + patch for ip_deq() wrong for pre 2.1.6 FreeBSD. + fyeung@fyeung8.netific.com (Francis Yeung) + + check for out with return-rst/return-icmp at wrong place - Erkki Ritoniemi + (erkki@vlsi.fi) + + text_readip returns the interface pointer pointing to text on stack - + Neil Readwin + + fix from Pradeep Krishnan for printout rules "with not opt sec". + + 3.1.8 18/2/97 - Released + + Diffs for ip_output.c and ip_input.c updated to fix bug with fastroute and + compiling warnings about reuse of m0. + prevent use of return-rst and return-icmp with rules blocking packets going out, preventing panics in certain situations. Index: ip_nat.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_nat.c,v retrieving revision 2.0.1.11 retrieving revision 2.0.1.12 diff -c -r2.0.1.11 -r2.0.1.12 *** 2.0.1.11 1997/02/16 06:26:47 --- 2.0.1.12 1997/03/07 10:06:30 *************** *** 9,15 **** */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.11 1997/02/16 06:26:47 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) --- 9,15 ---- */ #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! 
static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.12 1997/03/07 10:06:30 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) *************** *** 391,396 **** --- 391,397 ---- return NULL; bzero((char *)nat, sizeof(*nat)); + nat->nat_flags = flags; /* * Search the current table for a match. *************** *** 555,562 **** for (; nat; nat = nat->nat_hnext[1]) if (nat->nat_oip.s_addr == src.s_addr && nat->nat_outip.s_addr == mapdst.s_addr && ! (!flags || (nat->nat_oport == sport && ! nat->nat_outport == mapdport))) return nat; return NULL; } --- 556,564 ---- for (; nat; nat = nat->nat_hnext[1]) if (nat->nat_oip.s_addr == src.s_addr && nat->nat_outip.s_addr == mapdst.s_addr && ! ((flags == nat->nat_flags) || (flags && ! (nat->nat_oport == sport && ! nat->nat_outport == mapdport)))) return nat; return NULL; } *************** *** 581,588 **** for (; nat; nat = nat->nat_hnext[0]) if (nat->nat_inip.s_addr == src.s_addr && nat->nat_oip.s_addr == dst.s_addr && ! (!flags || (nat->nat_inport == sport && ! nat->nat_oport == dport))) return nat; return NULL; } --- 583,590 ---- for (; nat; nat = nat->nat_hnext[0]) if (nat->nat_inip.s_addr == src.s_addr && nat->nat_oip.s_addr == dst.s_addr && ! ((flags == nat->nat_flags) || (flags && ! (nat->nat_inport == sport && nat->nat_oport == dport)))) return nat; return NULL; } *************** *** 606,613 **** for (; nat; nat = nat->nat_hnext[0]) if (nat->nat_outip.s_addr == mapsrc.s_addr && nat->nat_oip.s_addr == dst.s_addr && ! (!flags || (nat->nat_outport == mapsport && ! nat->nat_oport == dport))) return nat; return NULL; } --- 608,616 ---- for (; nat; nat = nat->nat_hnext[0]) if (nat->nat_outip.s_addr == mapsrc.s_addr && nat->nat_oip.s_addr == dst.s_addr && ! ((flags == nat->nat_flags) || (flags && ! (nat->nat_outport == mapsport && ! 
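Review bot: In the hunk at old lines 555-562 the rewritten match condition lets `flags == nat->nat_flags` on its own satisfy the test, so once the lookup flags are non-zero and equal the entry's flags (which the hunk at line 391 stores from the same `flags` argument when the entry is created) the port comparison in the second operand is never evaluated and the first chain entry with matching addresses is returned whatever its ports. That can apply the translation of a different session with the same address pair to a packet. The likely intent, requiring the flag classes to agree and then comparing ports whenever flags are set, would be `flags == nat->nat_flags && (!flags || (nat->nat_oport == sport && nat->nat_outport == mapdport))`. The hunks at old lines 581 and 606 have the same shape with their own port pairs and need the same change. The enclosing lookup functions begin outside these hunks.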
nat->nat_oport == dport)))) return nat; return NULL; } Index: ip_nat.h =================================================================== RCS file: /devel/CVS/IP-Filter/ip_nat.h,v retrieving revision 2.0.1.7 retrieving revision 2.0.1.8 diff -c -r2.0.1.7 -r2.0.1.8 *** 2.0.1.7 1997/01/30 12:39:41 --- 2.0.1.8 1997/03/07 10:06:32 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.0.1.7 1997/01/30 12:39:41 darrenr Exp $ */ #ifndef __IP_NAT_H_ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.0.1.8 1997/03/07 10:06:32 darrenr Exp $ */ #ifndef __IP_NAT_H_ *************** *** 41,46 **** --- 41,47 ---- typedef struct nat { int nat_age; + int nat_flags; u_long nat_sumd; u_long nat_ipsumd; struct in_addr nat_inip; Index: ipft_tx.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipft_tx.c,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/19 04:52:25 --- 2.0.1.3 1997/02/20 09:47:47 *************** *** 40,46 **** #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! static char rcsid[] = "$Id: ipft_tx.c,v 2.0.1.2 1997/01/19 04:52:25 darrenr Exp $"; #endif extern int opts; --- 40,46 ---- #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; ! static char rcsid[] = "$Id: ipft_tx.c,v 2.0.1.3 1997/02/20 09:47:47 darrenr Exp $"; #endif extern int opts; *************** *** 211,216 **** --- 211,218 ---- char *cps[20], **cpp, c, ipopts[68]; int i, r; + if (*ifn) + free(*ifn); bzero((char *)ip, MAX(sizeof(*tcp), sizeof(*ic)) + sizeof(*ip)); bzero((char *)tcp, sizeof(*tcp)); bzero((char *)ic, sizeof(*ic)); *************** *** 236,242 **** cpp++; if (!*cpp) return 1; ! 
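Review bot: The new `nat_flags` member in the ip_nat.h hunk at old lines 41-46 carries no comment saying what it holds, and since ip_nat.c now copies the lookup `flags` argument into it at entry creation and compares it on every lookup, the next reader would benefit from `int nat_flags; /* lookup flags the entry was created with; compared on lookup */`. struct nat continues outside the hunk.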
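Review bot: The added `if (*ifn) free(*ifn);` in the ipft_tx.c hunk at old line 211 frees the previous interface name but leaves `*ifn` pointing at freed memory, so if this call returns before the `strdup` in the hunk at old line 236 (the `return 1` when the token after the keyword is missing) or the parsed line carries no interface clause at all, the next call frees the same pointer again and the caller may read a dangling name; use `free(*ifn); *ifn = NULL;` (free accepts NULL, so the guard is not needed). The `strdup` result in the 236 hunk is also stored unchecked, so a NULL on allocation failure would be handed to whoever later reads the name. This also relies on callers initialising `*ifn` to NULL before the first call, which is not visible here. The enclosing function (text_readip, going by the HISTORY entry) begins and ends outside these hunks.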
*ifn = *cpp++; } c = **cpp; --- 238,244 ---- cpp++; if (!*cpp) return 1; ! *ifn = strdup(*cpp++); } c = **cpp; Index: ipl.h =================================================================== RCS file: /devel/CVS/IP-Filter/ipl.h,v retrieving revision 2.0.1.8 retrieving revision 2.0.1.10 diff -c -r2.0.1.8 -r2.0.1.10 *** 2.0.1.8 1997/02/08 06:46:11 --- 2.0.1.10 1997/03/08 03:23:25 *************** *** 11,16 **** #ifndef __IPL_H_ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.1.7 - 8/2/97" #endif --- 11,16 ---- #ifndef __IPL_H_ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.1.9 - 8/3/97" #endif Index: parse.c =================================================================== RCS file: /devel/CVS/IP-Filter/parse.c,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/02/17 13:59:44 --- 2.0.1.3 1997/02/20 20:54:55 *************** *** 33,39 **** #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static char rcsid[] = "$Id: parse.c,v 2.0.1.2 1997/02/17 13:59:44 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; --- 33,39 ---- #if !defined(lint) && defined(LIBC_SCCS) static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static char rcsid[] = "$Id: parse.c,v 2.0.1.3 1997/02/20 20:54:55 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; *************** *** 143,150 **** } cpp++; ! if (!strcasecmp("in", *cpp)) { fil.fr_flags |= FR_INQUE; if (fil.fr_flags & FR_RETICMP) { (void)fprintf(stderr, "Can only use return-icmp with 'in'\n"); --- 143,152 ---- } cpp++; ! if (!strcasecmp("in", *cpp)) fil.fr_flags |= FR_INQUE; + else if (!strcasecmp("out", *cpp)) { + fil.fr_flags |= FR_OUTQUE; if (fil.fr_flags & FR_RETICMP) { (void)fprintf(stderr, "Can only use return-icmp with 'in'\n"); *************** *** 154,162 **** "Can only use return-rst with 'in'\n"); return NULL; } ! 
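Review bot: In the parse.c hunk at old lines 143-150 the `in` branch is now a one-statement unbraced `if` heading a chain whose `else if` and `else` branches are braced; bracing it too keeps the chain uniform and avoids the dangling-statement mistakes this shape invites: `if (!strcasecmp("in", *cpp)) {` / `fil.fr_flags |= FR_INQUE;` / `} else if (!strcasecmp("out", *cpp)) {`. The enclosing parser function begins and ends outside the hunk.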
} else if (!strcasecmp("out", *cpp)) ! fil.fr_flags |= FR_OUTQUE; ! else { (void)fprintf(stderr, "missing 'in'/'out' keyword (%s)\n", *cpp); return NULL; --- 156,162 ---- "Can only use return-rst with 'in'\n"); return NULL; } ! } else { (void)fprintf(stderr, "missing 'in'/'out' keyword (%s)\n", *cpp); return NULL; *************** *** 870,875 **** --- 870,878 ---- (!secmsk && !secbits)) { printf("%s%s", s, io->on_name); s = ","; + if (io->on_value == + IPOPT_SECURITY) + io++; } else io++; } Index: todo =================================================================== RCS file: /devel/CVS/IP-Filter/todo,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/01/19 04:51:21 --- 2.0.1.3 1997/03/07 10:06:50 *************** *** 17,19 **** --- 17,25 ---- * modular application proxying * invesitgate making logging better + + * add reverse nat (similar to rdr) to map addresses going in both directions + (this might just be some changes to rdr). In 1:1 relationships maybe make + it an option. + + * rate limiting Index: FreeBSD/ip_input.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/FreeBSD/ip_input.c.diffs,v retrieving revision 2.0.1.2 retrieving revision 2.0.1.3 diff -c -r2.0.1.2 -r2.0.1.3 *** 2.0.1.2 1997/02/18 10:54:20 --- 2.0.1.3 1997/03/08 02:03:13 *************** *** 54,59 **** --- 54,70 ---- * Process options and, if not destined for us, * ship it on. ip_dooptions returns 1 when an *************** + *** 527,532 **** + --- 533,540 ---- + * if they are completely covered, dequeue them. 
+ */ + while (q != (struct ipasfrag *)fp && ip->ip_off + ip->ip_len > q->ip_off) { + + struct mbuf *m0; + + + i = (ip->ip_off + ip->ip_len) - q->ip_off; + if (i < q->ip_len) { + q->ip_len -= i; + *************** *** 526,534 **** m_adj(dtom(q), i); break; Index: SunOS5/pkginfo =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS5/pkginfo,v retrieving revision 2.0.1.3 retrieving revision 2.0.1.5 diff -c -r2.0.1.3 -r2.0.1.5 *** 2.0.1.3 1997/02/08 06:46:16 --- 2.0.1.5 1997/03/08 03:23:28 *************** *** 5,11 **** PKG=CYBSipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.1,REV=7 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Cybersource --- 5,11 ---- PKG=CYBSipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.1,REV=9 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Cybersource