Index: .cvsignore =================================================================== RCS file: /devel/CVS/IP-Filter/.cvsignore,v retrieving revision 2.0.2.6 retrieving revision 2.0.2.6.2.1 diff -c -r2.0.2.6 -r2.0.2.6.2.1 *** 2.0.2.6 1997/09/25 13:53:43 --- 2.0.2.6.2.1 1997/11/28 07:27:23 *************** *** 10,12 **** --- 10,13 ---- import bak streams + cvs.diff Index: HISTORY =================================================================== RCS file: /devel/CVS/IP-Filter/HISTORY,v retrieving revision 2.0.2.47.2.1 retrieving revision 2.0.2.47.2.5 diff -c -r2.0.2.47.2.1 -r2.0.2.47.2.5 *** 2.0.2.47.2.1 1997/11/12 12:01:40 --- 2.0.2.47.2.5 1997/11/28 07:28:13 *************** *** 5,10 **** --- 5,42 ---- # Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the # loan of a machine to work on a Solaris 2.x port of this software. # + 3.2.2 28/11/97 - Released + + change packet matching to return actual error, if bad packet, to facilitate + ECONNRESET for TCP. + + allow ip:netmask in grammar too now - Guido + + assume IRIX has u_int32_t in sys/types.h (needed for R10000) + + rewrite parts of command line options for ipmon + + fix TCP urgent packet & offset testing and add LAND attack test for iptest + + fix grammar error in yacc grammar for iplang + + redirect (rdr) destination port bytes-wapped when it shouldn't be. + + general: fr_check now returns error code, such as EHOSTUNREACH or + ECONNRESET (attempt to make ECONNRESET work for locally outbound + packets). 
+ + linux: enable return-rst, need to filter tcp retransmits which are sent + separately from normal packets + + memory leak plugged in ip_proxy.c + + BSDI compatibility patches from Guido + + tcp checksum fix - Marc Boucher + + recursive mutex and ioctl param fix - Marc Boucher + 3.2.1 12/11/97 - Released port to BSD/OS 3.0 Index: INSTALL.Sol2 =================================================================== RCS file: /devel/CVS/IP-Filter/INSTALL.Sol2,v retrieving revision 2.0.2.3 retrieving revision 2.0.2.3.2.1 diff -c -r2.0.2.3 -r2.0.2.3.2.1 *** 2.0.2.3 1997/10/19 15:49:37 --- 2.0.2.3.2.1 1997/11/20 12:44:52 *************** *** 11,19 **** make package ! If you wish to then install it using `pkgadd', run the following command: ! ! pkgadd -s '/var/spool/pkg' As part of the postinstall script, it will install loadable kernel module as part of Solaris 2 (using add_drv) making it available for immeadiate use. --- 11,19 ---- make package ! This will build the package into SunOS5//root, copy that to ! /var/spool/pkg as a package and then start the installation using ! pkgadd. As part of the postinstall script, it will install loadable kernel module as part of Solaris 2 (using add_drv) making it available for immeadiate use. Index: Makefile =================================================================== RCS file: /devel/CVS/IP-Filter/Makefile,v retrieving revision 2.0.2.26.2.1 retrieving revision 2.0.2.26.2.5 diff -c -r2.0.2.26.2.1 -r2.0.2.26.2.5 *** 2.0.2.26.2.1 1997/11/12 10:40:21 --- 2.0.2.26.2.5 1997/11/27 09:32:38 *************** *** 5,11 **** # provided that this notice is preserved and due credit is given # to the original author and the contributors. # ! # $Id: Makefile,v 2.0.2.26.2.1 1997/11/12 10:40:21 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin --- 5,11 ---- # provided that this notice is preserved and due credit is given # to the original author and the contributors. # ! 
# $Id: Makefile,v 2.0.2.26.2.5 1997/11/27 09:32:38 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin *************** *** 13,18 **** --- 13,19 ---- #To test prototyping #CC=gcc -Wstrict-prototypes -Wmissing-prototypes -Werror CC=gcc + #CC=cc -Dconst= DEBUG=-g CFLAGS=-I$$(TOP) CPU=`uname -m` *************** *** 65,70 **** --- 66,72 ---- @echo "bsd - compile for generic 4.4BSD systems" @echo "bsdi - compile for BSD/OS" @echo "irix - compile for SGI IRIX" + @echo "linux - compile for Linux 2.0.31+" @echo "" tests: *************** *** 118,125 **** bsdi bsdos: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" ! (cd BSD/$(CPUDIR); make build "TOP=../.." $(MFLAGS) LKM= ; cd ..) ! (cd BSD/$(CPUDIR); make -f Makefile.ipsend "TOP=../.." $(MFLAGS); cd ..) irix IRIX: include make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)" --- 120,127 ---- bsdi bsdos: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" ! (cd BSD/$(CPUDIR); make build "CC=$(CC)" "TOP=../.." $(MFLAGS) LKM= ; cd ..) ! (cd BSD/$(CPUDIR); make -f Makefile.ipsend "CC=$(CC)" "TOP=../.." $(MFLAGS); cd ..) irix IRIX: include make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)" Index: fil.c =================================================================== RCS file: /devel/CVS/IP-Filter/fil.c,v retrieving revision 2.0.2.41.2.3 retrieving revision 2.0.2.41.2.8 diff -c -r2.0.2.41.2.3 -r2.0.2.41.2.8 *** 2.0.2.41.2.3 1997/11/12 10:44:22 --- 2.0.2.41.2.8 1997/11/24 10:02:00 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.3 1997/11/12 10:44:22 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: fil.c,v 2.0.2.41.2.8 1997/11/24 10:02:00 darrenr Exp $"; #endif #include *************** *** 73,79 **** second; } # define FR_VERBOSE(verb_pr) verbose verb_pr # define FR_DEBUG(verb_pr) debug verb_pr ! # define SEND_RESET(ip, qif, if) send_reset(ip, if) # define IPLLOG(a, c, d, e) ipllog() # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip) # if SOLARIS --- 73,79 ---- second; } # define FR_VERBOSE(verb_pr) verbose verb_pr # define FR_DEBUG(verb_pr) debug verb_pr ! # define SEND_RESET(ip, qif, if, m) send_reset(ip, if) # define IPLLOG(a, c, d, e) ipllog() # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip) # if SOLARIS *************** *** 98,104 **** icmp_error(ip, t, c, if, src) # else /* SOLARIS */ # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip) ! # define SEND_RESET(ip, qif, if) send_reset((struct tcpiphdr *)ip) # ifdef __sgi # define ICMP_ERROR(b, ip, t, c, if, src) \ icmp_error(b, t, c, if, src, if) --- 98,109 ---- icmp_error(ip, t, c, if, src) # else /* SOLARIS */ # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip) ! # ifdef linux ! # define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip,\ ! ifp) ! # else ! # define SEND_RESET(ip, qif, if) send_reset((tcpiphdr_t *)ip) ! # endif # ifdef __sgi # define ICMP_ERROR(b, ip, t, c, if, src) \ icmp_error(b, t, c, if, src, if) *************** *** 553,559 **** fr_info_t frinfo, *fc; register fr_info_t *fin = &frinfo; frentry_t *fr = NULL; ! int pass, changed, apass; #if !SOLARIS || !defined(_KERNEL) register mb_t *m = *mp; #endif --- 558,564 ---- fr_info_t frinfo, *fc; register fr_info_t *fin = &frinfo; frentry_t *fr = NULL; ! 
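Review bot: The linux `SEND_RESET` added in the `98,104` hunk expands to `send_reset((tcpiphdr_t *)ip, ifp)`, so it picks up whatever `ifp` is in scope at the call site instead of using its own `if` parameter. Passing the parameter through, `send_reset((tcpiphdr_t *)(ip), if)`, would keep the macro self-contained, assuming the argument callers supply is the interface pointer send_reset() expects. The `73,79` hunk also gives the user-space variant a fourth parameter `m` while both kernel variants here keep three. The call sites are not in this diff, so confirm every build flavour still sees a matching argument count.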
int pass, changed, apass, error = EHOSTUNREACH; #if !SOLARIS || !defined(_KERNEL) register mb_t *m = *mp; #endif *************** *** 767,776 **** # else # ifndef linux mc = m_copy(m, 0, M_COPYALL); # endif # endif #endif - if (pass & FR_PASS) frstats[out].fr_pass++; else if (pass & FR_BLOCK) { --- 772,782 ---- # else # ifndef linux mc = m_copy(m, 0, M_COPYALL); + # else + ; # endif # endif #endif if (pass & FR_PASS) frstats[out].fr_pass++; else if (pass & FR_BLOCK) { *************** *** 811,816 **** --- 817,825 ---- frstats[1].fr_ret++; } #endif + } else { + if (pass & FR_RETRST) + error = ECONNRESET; } } *************** *** 842,849 **** m_copyback(m, 0, up, hbuf); # endif # endif /* !linux */ ! return (pass & FR_PASS) ? 0 : -1; ! # else /* !SOLARIS */ if (fr) { frdest_t *fdp = &fr->fr_tif; --- 851,858 ---- m_copyback(m, 0, up, hbuf); # endif # endif /* !linux */ ! return (pass & FR_PASS) ? 0 : error; ! # else /* !SOLARIS */ if (fr) { frdest_t *fdp = &fr->fr_tif; *************** *** 855,861 **** if (mc) ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif); } ! return (pass & FR_PASS) ? changed : -1; # endif /* !SOLARIS */ #else /* _KERNEL */ if (pass & FR_NOMATCH) --- 864,870 ---- if (mc) ipfr_fastroute(qif, ip, mc, mp, fin, &fr->fr_dif); } ! return (pass & FR_PASS) ? changed : error; # endif /* !SOLARIS */ #else /* _KERNEL */ if (pass & FR_NOMATCH) *************** *** 872,877 **** --- 881,887 ---- /* * ipf_cksum * addr should be 16bit aligned and len is in bytes. + * length is in bytes */ u_short ipf_cksum(addr, len) register u_short *addr; *************** *** 900,909 **** * and the TCP header. We also assume that data blocks aren't allocated in * odd sizes. */ ! u_short fr_tcpsum(m, ip, tcp) mb_t *m; ip_t *ip; tcphdr_t *tcp; { union { u_char c[2]; --- 910,920 ---- * and the TCP header. We also assume that data blocks aren't allocated in * odd sizes. */ ! 
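Review bot: A blocked packet now leaves fr_check() as a positive errno (`EHOSTUNREACH`, or `ECONNRESET` for `FR_RETRST`) in the `842,849` and `855,861` hunks, where it used to be `-1`, so any hook caller still testing `< 0` or `== -1` would treat a blocked packet as passed. The callers are outside this diff, and each platform's input/output hook needs checking against the new convention. On the non-Solaris path the same `int` also carries `changed`, which appears to rely on the NAT routines returning `-2` rather than `1` (ip_nat.c hunks) to stay distinguishable from an errno. A header comment such as `/* returns 0 or a negative "changed" value to pass, a positive errno to block */` would make that contract explicit. fr_check()'s body starts and ends outside these hunks.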
u_short fr_tcpsum(m, ip, tcp, len) mb_t *m; ip_t *ip; tcphdr_t *tcp; + int len; { union { u_char c[2]; *************** *** 911,917 **** } bytes; u_long sum; u_short *sp; - int len; # if SOLARIS || defined(__sgi) int add, hlen; # endif --- 922,927 ---- *************** *** 926,932 **** /* * Add up IP Header portion */ - len = ip->ip_len - (ip->ip_hl << 2); bytes.c[0] = 0; bytes.c[1] = IPPROTO_TCP; sum = bytes.s; --- 936,941 ---- *************** *** 994,1006 **** goto nodata; while (len > 0) { #if SOLARIS ! if ((caddr_t)sp >= (caddr_t)m->b_wptr) { m = m->b_cont; PANIC((!m),("fr_tcpsum: not enough data")); sp = (u_short *)m->b_rptr; } #else ! if (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) { m = m->m_next; PANIC((!m),("fr_tcpsum: not enough data")); --- 1003,1015 ---- goto nodata; while (len > 0) { #if SOLARIS ! while ((caddr_t)sp >= (caddr_t)m->b_wptr) { m = m->b_cont; PANIC((!m),("fr_tcpsum: not enough data")); sp = (u_short *)m->b_rptr; } #else ! while (((caddr_t)sp - mtod(m, caddr_t)) >= m->m_len) { m = m->m_next; PANIC((!m),("fr_tcpsum: not enough data")); *************** *** 1009,1015 **** #endif /* SOLARIS */ if (len < 2) break; ! sum += *sp++; len -= 2; } if (len) { --- 1018,1028 ---- #endif /* SOLARIS */ if (len < 2) break; ! if((u_long)sp & 1) { ! bcopy((char *)sp++, (char *)&bytes.s, sizeof(bytes.s)); ! sum += bytes.s; ! } else ! sum += *sp++; len -= 2; } if (len) { *************** *** 1059,1065 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.0.2.41.2.3 1997/11/12 10:44:22 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 1072,1078 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.0.2.41.2.8 1997/11/24 10:02:00 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, *************** *** 1258,1268 **** } ! void frflush(unit, data) int unit; ! caddr_t data; { ! 
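Review bot: fr_tcpsum() now takes `len` from the caller, and the fil.c hunks remove `len = ip->ip_len - (ip->ip_hl << 2);` without a visible replacement. The callers in ip_proxy.c pass `ip->ip_len` and send_reset() in ip_lfil.c passes `sizeof(tcpiphdr_t)`, both of which still include the IP header. Unless the unchanged part of the function subtracts the header length, the `while (len > 0)` walk covers `ip_hl << 2` bytes too many, and its only bound on a packet-derived length is the `PANIC` on a missing next buffer. The comment block above the function should state the contract, for example `/* len: total IP datagram length in bytes, IP header included */` if that is what is intended. The function body continues outside the hunk.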
int flags = *(int *)data, flushed = 0, set = fr_active; bzero((char *)frcache, sizeof(frcache[0]) * 2); --- 1271,1281 ---- } ! void frflush(unit, result) int unit; ! int *result; { ! int flags = *result, flushed = 0, set = fr_active; bzero((char *)frcache, sizeof(frcache[0]) * 2); *************** *** 1286,1290 **** } } ! *(int *)data = flushed; } --- 1299,1303 ---- } } ! *result = flushed; } Index: fils.c =================================================================== RCS file: /devel/CVS/IP-Filter/fils.c,v retrieving revision 2.0.2.25.2.1 retrieving revision 2.0.2.25.2.2 diff -c -r2.0.2.25.2.1 -r2.0.2.25.2.2 *** 2.0.2.25.2.1 1997/11/06 21:21:19 --- 2.0.2.25.2.2 1997/11/20 12:41:04 *************** *** 46,52 **** #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fils.c,v 2.0.2.25.2.1 1997/11/06 21:21:19 darrenr Exp $"; #endif #ifdef _PATH_UNIX #define VMUNIX _PATH_UNIX --- 46,52 ---- #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fils.c,v 2.0.2.25.2.2 1997/11/20 12:41:04 darrenr Exp $"; #endif #ifdef _PATH_UNIX #define VMUNIX _PATH_UNIX *************** *** 258,264 **** fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]); PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n", fp->f_froute[0], fp->f_froute[1]); ! PRINTF("TCP cksum fails in:\t%lu\tout%lu\n", fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad); PRINTF("Packet log flags set: (%#x)\n", frf); --- 258,264 ---- fp->f_st[1].fr_pull[0], fp->f_st[1].fr_pull[1]); PRINTF("Fastroute successes:\t%lu\tfailures:\t%lu\n", fp->f_froute[0], fp->f_froute[1]); ! 
PRINTF("TCP cksum fails(in):\t%lu\t(out):\t%lu\n", fp->f_st[0].fr_tcpbad, fp->f_st[1].fr_tcpbad); PRINTF("Packet log flags set: (%#x)\n", frf); Index: ip_compat.h =================================================================== RCS file: /devel/CVS/IP-Filter/ip_compat.h,v retrieving revision 2.0.2.31.2.4 retrieving revision 2.0.2.31.2.7 diff -c -r2.0.2.31.2.4 -r2.0.2.31.2.7 *** 2.0.2.31.2.4 1997/11/12 10:48:43 --- 2.0.2.31.2.7 1997/11/27 09:33:09 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.0.2.31.2.4 1997/11/12 10:48:43 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.0.2.31.2.7 1997/11/27 09:33:09 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ *************** *** 53,66 **** #ifdef __sgi # ifdef IPFILTER_LKM # define IPL_PRFX ipl ! # define IPL_EXTERN(ep) ipl##ep # else # define IPL_PRFX ipfilter ! # define IPL_EXTERN(ep) ipfilter##ep # endif #else ! # define IPL_PRFX ipl ! # define IPL_EXTERN(ep) ipl##ep #endif #ifdef linux --- 53,71 ---- #ifdef __sgi # ifdef IPFILTER_LKM # define IPL_PRFX ipl ! # define IPL_EXTERN(ep) ipl/**/ep # else # define IPL_PRFX ipfilter ! # define IPL_EXTERN(ep) ipfilter/**/ep # endif #else ! # ifdef __STDC__ ! # define IPL_PRFX ipl ! # define IPL_EXTERN(ep) ipl##ep ! # else ! # define IPL_PRFX ipl ! # define IPL_EXTERN(ep) ipl/**/ep ! # endif #endif #ifdef linux *************** *** 110,116 **** /* * These operating systems already take care of the problem for us. */ ! #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) typedef u_int32_t u_32_t; #else /* --- 115,122 ---- /* * These operating systems already take care of the problem for us. */ ! #if defined(__NetBSD__) || defined(__OpenBSD__) || defined(__FreeBSD__) || \ ! 
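Review bot: The `__sgi` branch of the `53,66` hunk now defines `IPL_EXTERN(ep)` as `ipl/**/ep` and `ipfilter/**/ep` unconditionally, while the non-sgi branch keeps `##` under `__STDC__` and uses the comment form only for pre-ANSI compilers. An ISO C preprocessor replaces a comment with a single space, so in ANSI mode these expand to two tokens rather than one identifier. Applying the same `# ifdef __STDC__` selection inside the `__sgi` branch would keep both compiler modes working. `IPL_PRFX` is identical in both arms of the new test and could be defined once outside it.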
defined(__sgi) typedef u_int32_t u_32_t; #else /* *************** *** 689,694 **** --- 695,701 ---- typedef struct ip ip_t; typedef struct ether_header ether_header_t; #endif /* linux */ + typedef struct tcpiphdr tcpiphdr_t; #if defined(hpux) || defined(linux) struct ether_addr { Index: ip_fil.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_fil.c,v retrieving revision 2.0.2.44.2.2 retrieving revision 2.0.2.44.2.5 diff -c -r2.0.2.44.2.2 -r2.0.2.44.2.5 *** 2.0.2.44.2.2 1997/11/12 10:49:25 --- 2.0.2.44.2.5 1997/11/24 10:02:02 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.2 1997/11/12 10:49:25 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.0.2.44.2.5 1997/11/24 10:02:02 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 275,281 **** fr_checkp = fr_savep; inetsw[0].pr_slowtimo = fr_saveslowtimo; ! frflush(IPL_LOGIPF, (caddr_t)&i); ipl_inited = 0; # ifdef NETBSD_PF --- 275,281 ---- fr_checkp = fr_savep; inetsw[0].pr_slowtimo = fr_saveslowtimo; ! frflush(IPL_LOGIPF, &i); ipl_inited = 0; # ifdef NETBSD_PF *************** *** 339,345 **** ) #endif dev_t dev; ! #if defined(__NetBSD__) || defined(__OpenBSD__) u_long cmd; #else int cmd; --- 339,345 ---- ) #endif dev_t dev; ! #if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701) u_long cmd; #else int cmd; *************** *** 351,357 **** #if defined(_KERNEL) && !SOLARIS int s; #endif ! int error = 0, unit = 0; #ifdef _KERNEL unit = GET_MINOR(dev); --- 351,357 ---- #if defined(_KERNEL) && !SOLARIS int s; #endif ! 
int error = 0, unit = 0, tmp; #ifdef _KERNEL unit = GET_MINOR(dev); *************** *** 460,467 **** case SIOCIPFFL : if (!(mode & FWRITE)) error = EPERM; ! else ! frflush(unit, data); break; #ifdef IPFILTER_LOG case SIOCIPFFB : --- 460,470 ---- case SIOCIPFFL : if (!(mode & FWRITE)) error = EPERM; ! else { ! IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); ! frflush(unit, &tmp); ! IWCOPY((caddr_t)&tmp, data, sizeof(tmp)); ! } break; #ifdef IPFILTER_LOG case SIOCIPFFB : *************** *** 786,792 **** struct tcpiphdr *tp; struct tcphdr *tcp; struct mbuf *m; ! int tlen = 0; ip_t *ip; # if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) struct route ro; --- 789,795 ---- struct tcpiphdr *tp; struct tcphdr *tcp; struct mbuf *m; ! int tlen = 0, err; ip_t *ip; # if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) struct route ro; *************** *** 837,852 **** # if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) bzero((char *)&ro, sizeof(ro)); ! (void) ip_output(m, (struct mbuf *)0, &ro, 0, 0); if (ro.ro_rt) RTFREE(ro.ro_rt); # else /* * extra 0 in case of multicast */ ! (void) ip_output(m, (struct mbuf *)0, 0, 0, 0); # endif ! return 0; } --- 840,855 ---- # if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000) bzero((char *)&ro, sizeof(ro)); ! err = ip_output(m, (struct mbuf *)0, &ro, 0, 0); if (ro.ro_rt) RTFREE(ro.ro_rt); # else /* * extra 0 in case of multicast */ ! err = ip_output(m, (struct mbuf *)0, 0, 0, 0); # endif ! return err; } Index: ip_fil.h =================================================================== RCS file: /devel/CVS/IP-Filter/ip_fil.h,v retrieving revision 2.0.2.39.2.4 retrieving revision 2.0.2.39.2.9 diff -c -r2.0.2.39.2.4 -r2.0.2.39.2.9 *** 2.0.2.39.2.4 1997/11/12 10:50:02 --- 2.0.2.39.2.9 1997/11/24 10:02:03 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! 
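Review bot: In the `SIOCIPFFL` case (`460,467` hunk) `tmp` is declared without an initialiser and the result of `IRCOPY` is not checked. If that copy from the caller's buffer can fail, frflush() takes its flags from uninitialised kernel stack and `IWCOPY` then writes back a count derived from them. `IRCOPY` and `IWCOPY` are defined outside this diff, so whether they return a status is an assumption; if they do, set `error = EFAULT` and skip the flush on failure, and in either case declare `tmp = 0`. The same three-line sequence is added to ip_lfil.c in its `305,312` hunk. iplioctl()'s body starts and ends outside the hunk.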
* $Id: ip_fil.h,v 2.0.2.39.2.4 1997/11/12 10:50:02 darrenr Exp $ */ #ifndef __IP_FIL_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.0.2.39.2.9 1997/11/24 10:02:03 darrenr Exp $ */ #ifndef __IP_FIL_H__ *************** *** 381,387 **** extern void ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *)); extern struct ifnet *get_unit __P((char *)); # define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) ! # if defined(__NetBSD__) || defined(__OpenBSD__) extern int iplioctl __P((dev_t, u_long, caddr_t, int)); # else extern int iplioctl __P((dev_t, int, caddr_t, int)); --- 381,387 ---- extern void ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *)); extern struct ifnet *get_unit __P((char *)); # define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) ! # if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701) extern int iplioctl __P((dev_t, u_long, caddr_t, int)); # else extern int iplioctl __P((dev_t, int, caddr_t, int)); *************** *** 423,429 **** # else /* SOLARIS */ extern int fr_check __P((ip_t *, int, void *, int, mb_t **)); extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **)); ! extern int send_reset __P((struct tcpiphdr *)); extern void ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *)); extern size_t mbufchainlen __P((mb_t *)); # ifdef __sgi --- 423,433 ---- # else /* SOLARIS */ extern int fr_check __P((ip_t *, int, void *, int, mb_t **)); extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **)); ! # ifdef linux ! extern int send_reset __P((tcpiphdr_t *, struct ifnet *)); ! # else ! extern int send_reset __P((tcpiphdr_t *)); ! # endif extern void ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *)); extern size_t mbufchainlen __P((mb_t *)); # ifdef __sgi *************** *** 442,448 **** # endif # if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \ (NetBSD >= 199511) ! 
# ifdef __NetBSD__ extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *)); # else extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); --- 446,452 ---- # endif # if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \ (NetBSD >= 199511) ! # if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *)); # else extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); *************** *** 491,502 **** #endif extern int ipldetach __P((void)); ! extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *)); #define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) extern int fr_scanlist __P((int, ip_t *, fr_info_t *, void *)); extern u_short ipf_cksum __P((u_short *, int)); extern int fr_copytolog __P((int, char *, int)); ! extern void frflush __P((int, caddr_t)); extern frgroup_t *fr_addgroup __P((u_short, frentry_t *, int, int)); extern frgroup_t *fr_findgroup __P((u_short, u_32_t, int, int, frgroup_t ***)); extern void fr_delgroup __P((u_short, u_32_t, int, int)); --- 495,506 ---- #endif extern int ipldetach __P((void)); ! extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *, int)); #define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) extern int fr_scanlist __P((int, ip_t *, fr_info_t *, void *)); extern u_short ipf_cksum __P((u_short *, int)); extern int fr_copytolog __P((int, char *, int)); ! 
extern void frflush __P((int, int *)); extern frgroup_t *fr_addgroup __P((u_short, frentry_t *, int, int)); extern frgroup_t *fr_findgroup __P((u_short, u_32_t, int, int, frgroup_t ***)); extern void fr_delgroup __P((u_short, u_32_t, int, int)); Index: ip_lfil.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_lfil.c,v retrieving revision 2.0.2.1 retrieving revision 2.0.2.1.2.4 diff -c -r2.0.2.1 -r2.0.2.1.2.4 *** 2.0.2.1 1997/11/12 10:36:27 --- 2.0.2.1.2.4 1997/11/24 10:02:05 *************** *** 6,12 **** * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1 1997/11/12 10:36:27 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) --- 6,12 ---- * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.0.2.1.2.4 1997/11/24 10:02:05 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) *************** *** 49,54 **** --- 49,57 ---- #include "netinet/ip_frag.h" #include "netinet/ip_state.h" #include "netinet/ip_auth.h" + #ifdef _KERNEL + #include + #endif #ifndef MIN #define MIN(a,b) (((a)<(b))?(a):(b)) #endif *************** *** 143,149 **** } fr_checkp = fr_savep; ! frflush(IPL_LOGIPF, (caddr_t)&i); ipl_inited = 0; ipfr_unload(); --- 146,152 ---- } fr_checkp = fr_savep; ! frflush(IPL_LOGIPF, &i); ipl_inited = 0; ipfr_unload(); *************** *** 197,203 **** int iplioctl(dev_t dev, int cmd, caddr_t data, int mode) { #endif ! int error = 0, unit = 0; #ifdef _KERNEL unit = GET_MINOR(inode->i_rdev); --- 200,206 ---- int iplioctl(dev_t dev, int cmd, caddr_t data, int mode) { #endif ! int error = 0, unit = 0, tmp; #ifdef _KERNEL unit = GET_MINOR(inode->i_rdev); *************** *** 305,312 **** case SIOCIPFFL : if (!(mode & FWRITE)) error = EPERM; ! else ! 
frflush(unit, data); break; #ifdef IPFILTER_LOG case SIOCIPFFB : --- 308,318 ---- case SIOCIPFFL : if (!(mode & FWRITE)) error = EPERM; ! else { ! IRCOPY(data, (caddr_t)&tmp, sizeof(tmp)); ! frflush(unit, &tmp); ! IWCOPY((caddr_t)&tmp, data, sizeof(tmp)); ! } break; #ifdef IPFILTER_LOG case SIOCIPFFB : *************** *** 577,630 **** * send_reset - this could conceivably be a call to tcp_respond(), but that * requires a large amount of setting up and isn't any more efficient. */ ! int send_reset(ti) struct tcpiphdr *ti; { ! #if notyet ! struct tcpiphdr *tp; tcphdr_t *tcp; - seq_t seq; int tlen = 0; ip_t *ip; mb_t *m; if (ti->ti_flags & TH_RST) return -1; /* feedback loop */ ! m = alloc_skb(MAX_HEADER + sizeof(*ti), GFP_ATOMIC); if (m == NULL) return -1; if (ti->ti_flags & TH_SYN) tlen = 1; - m->m_len = sizeof (struct tcpiphdr); - bzero(mtod(m, char *), sizeof(struct tcpiphdr)); - ip = mtod(m, ip_t *); - tp = mtod(m, struct tcpiphdr *); - tcp = (tcphdr_t *)((char *)ip + sizeof(struct ip)); ! ip->ip_src.s_addr = ti->ti_dst.s_addr; ! ip->ip_dst.s_addr = ti->ti_src.s_addr; tcp->th_dport = ti->ti_sport; tcp->th_sport = ti->ti_dport; ! seq = ntohl(ti->ti_seq); ! tcp->th_ack = htonl(seq + tlen); tcp->th_off = sizeof(tcphdr_t) >> 2; tcp->th_flags = TH_RST|TH_ACK; tp->ti_pr = ((ip_t *)ti)->ip_p; ! tp->ti_len = htons(sizeof(struct tcphdr)); ! tcp->th_sum = in_cksum(m, sizeof(struct tcpiphdr)); ! ip->ip_tos = ((ip_t *)ti)->ip_tos; ip->ip_p = ((ip_t *)ti)->ip_p; ! ip->ip_len = sizeof (struct tcpiphdr); ! ip->ip_ttl = 255; ! ! /* ! * extra 0 in case of multicast ! */ ! (void) ip_output(m, (mb_t *)0, 0, 0, 0); ! return 0; ! #endif } --- 583,638 ---- * send_reset - this could conceivably be a call to tcp_respond(), but that * requires a large amount of setting up and isn't any more efficient. */ ! int send_reset(ti, ifp) struct tcpiphdr *ti; + struct ifnet *ifp; { ! 
tcpiphdr_t *tp; tcphdr_t *tcp; int tlen = 0; ip_t *ip; mb_t *m; if (ti->ti_flags & TH_RST) return -1; /* feedback loop */ ! ! m = alloc_skb(sizeof(tcpiphdr_t), GFP_ATOMIC); if (m == NULL) return -1; if (ti->ti_flags & TH_SYN) tlen = 1; ! m->dev = ifp; ! m->csum = 0; ! tp = ip = mtod(m, ip_t *); ! m->h.iph = ip; ! m->ip_hdr = NULL; ! m->m_len = sizeof(tcpiphdr_t); ! tcp = (tcphdr_t *)((char *)ip + sizeof(ip_t)); ! bzero((char *)ip, sizeof(tcpiphdr_t)); ! ! tp->ti_src.s_addr = ti->ti_dst.s_addr; ! tp->ti_dst.s_addr = ti->ti_src.s_addr; tcp->th_dport = ti->ti_sport; tcp->th_sport = ti->ti_dport; ! tcp->th_ack = htonl(ntohl(ti->ti_seq) + tlen); tcp->th_off = sizeof(tcphdr_t) >> 2; tcp->th_flags = TH_RST|TH_ACK; tp->ti_pr = ((ip_t *)ti)->ip_p; ! tp->ti_len = htons(sizeof(tcphdr_t)); ! tcp->th_sum = fr_tcpsum(m, ip, tcp, sizeof(tcpiphdr_t)); ! ! ip->ip_v = IPVERSION; ! ip->ip_hl = sizeof(ip_t) >> 2; ip->ip_tos = ((ip_t *)ti)->ip_tos; ip->ip_p = ((ip_t *)ti)->ip_p; ! ip->ip_id = ((ip_t *)ti)->ip_id; ! ip->ip_len = htons(sizeof(tcpiphdr_t)); ! ip->ip_ttl = 127; ! ip->ip_sum = 0; ! ip->ip_sum = ipf_cksum((u_short *)ip, sizeof(ip_t)); ! return ip_forward(m, NULL, IPFWD_NOTTLDEC, ip->ip_dst.s_addr); } Index: ip_log.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_log.c,v retrieving revision 2.0.2.13.2.2 retrieving revision 2.0.2.13.2.3 diff -c -r2.0.2.13.2.2 -r2.0.2.13.2.3 *** 2.0.2.13.2.2 1997/11/12 10:52:21 --- 2.0.2.13.2.3 1997/11/20 12:41:40 *************** *** 5,21 **** * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! 
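Review bot: The rewritten Linux send_reset() assigns `tp = ip = mtod(m, ip_t *);`, which stores an `ip_t *` in a `tcpiphdr_t *` without a cast and is an incompatible pointer assignment. Writing `ip = mtod(m, ip_t *); tp = (tcpiphdr_t *)ip;` states the overlay explicitly. The buffer is now allocated as `alloc_skb(sizeof(tcpiphdr_t), GFP_ATOMIC)` where the previously disabled code asked for `MAX_HEADER + sizeof(*ti)`, so confirm that ip_forward() does not need link-layer headroom in this buffer. It is also not visible here who frees `m` when ip_forward() fails; a one-line ownership comment at the `return` would help.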
* $Id: ip_log.c,v 2.0.2.13.2.2 1997/11/12 10:52:21 darrenr Exp $ */ #ifdef IPFILTER_LOG # ifndef SOLARIS # define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) # endif # ifdef __FreeBSD__ - # if defined(KERNEL) && !defined(_KERNEL) - # define _KERNEL - # endif # if defined(_KERNEL) && !defined(IPFILTER_LKM) # include # else --- 5,21 ---- * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: ip_log.c,v 2.0.2.13.2.3 1997/11/20 12:41:40 darrenr Exp $ */ #ifdef IPFILTER_LOG # ifndef SOLARIS # define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) # endif + # if defined(KERNEL) && !defined(_KERNEL) + # define _KERNEL + # endif # ifdef __FreeBSD__ # if defined(_KERNEL) && !defined(IPFILTER_LKM) # include # else Index: ip_nat.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_nat.c,v retrieving revision 2.0.2.44.2.3 retrieving revision 2.0.2.44.2.6 diff -c -r2.0.2.44.2.3 -r2.0.2.44.2.6 *** 2.0.2.44.2.3 1997/11/12 10:53:29 --- 2.0.2.44.2.6 1997/11/24 11:35:13 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.3 1997/11/12 10:53:29 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.6 1997/11/24 11:35:13 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 317,322 **** --- 317,323 ---- break; } ret = nat_flushtable(); + (void) ap_unload(); IWCOPY((caddr_t)&ret, data, sizeof(ret)); break; case SIOCCNATL : *************** *** 513,528 **** /* * Create a new NAT table entry. 
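Review bot: The flush ioctl in the `317,322` hunk now calls `ap_unload()` right after `nat_flushtable()`, and nothing in the hunk shows the `ipf_nat` mutex being held. The new `ap_expire()` call in the `1254,1262` hunk, by contrast, runs before `MUTEX_EXIT(&ipf_nat)`. If the proxy session table is meant to be protected by that mutex, freeing every session from the ioctl path without it can race with the expiry timer and with ap_check() on the packet path. The surrounding ioctl code is outside the hunk, so this needs confirming there; a comment such as `/* ipf_nat must be held: frees all proxy sessions */` beside the call would record the requirement.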
*/ - #ifdef __STDC__ - nat_t *nat_new(ipnat_t *np, ip_t *ip, fr_info_t *fin, u_short flags, int direction) - #else nat_t *nat_new(np, ip, fin, flags, direction) ipnat_t *np; ip_t *ip; fr_info_t *fin; u_short flags; int direction; - #endif { register u_long sum1, sum2, sumd; u_short port = 0, sport = 0, dport = 0, nport = 0; --- 514,525 ---- *************** *** 609,615 **** * internal port. */ in.s_addr = ntohl(np->in_inip); ! if (!(nport = htons(np->in_pnext))) nport = dport; nat->nat_inip.s_addr = htonl(in.s_addr); --- 606,612 ---- * internal port. */ in.s_addr = ntohl(np->in_inip); ! if (!(nport = np->in_pnext)) nport = dport; nat->nat_inip.s_addr = htonl(in.s_addr); *************** *** 1083,1089 **** (void) ap_check(ip, tcp, fin, nat); nat_stats.ns_mapped[1]++; MUTEX_EXIT(&ipf_nat); ! return 1; } MUTEX_EXIT(&ipf_nat); return 0; --- 1080,1086 ---- (void) ap_check(ip, tcp, fin, nat); nat_stats.ns_mapped[1]++; MUTEX_EXIT(&ipf_nat); ! return -2; } MUTEX_EXIT(&ipf_nat); return 0; *************** *** 1212,1218 **** } nat_stats.ns_mapped[0]++; MUTEX_EXIT(&ipf_nat); ! return 1; } MUTEX_EXIT(&ipf_nat); return 0; --- 1209,1215 ---- } nat_stats.ns_mapped[0]++; MUTEX_EXIT(&ipf_nat); ! return -2; } MUTEX_EXIT(&ipf_nat); return 0; *************** *** 1257,1262 **** --- 1254,1262 ---- nat_delete(nat); nat_stats.ns_expire++; } + + ap_expire(); + MUTEX_EXIT(&ipf_nat); SPL_X(s); } Index: ip_proxy.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_proxy.c,v retrieving revision 2.0.2.11.2.2 retrieving revision 2.0.2.11.2.6 diff -c -r2.0.2.11.2.2 -r2.0.2.11.2.6 *** 2.0.2.11.2.2 1997/11/12 10:54:11 --- 2.0.2.11.2.6 1997/11/28 00:41:25 *************** *** 6,12 **** * to the original author and the contributors. */ #if !defined(lint) ! 
static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.2 1997/11/12 10:54:11 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 6,12 ---- * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.0.2.11.2.6 1997/11/28 00:41:25 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 226,232 **** * don't do anything with this packet. */ if (tcp->th_sum != fr_tcpsum(*(mb_t **)fin->fin_mp, ! ip, tcp)) { frstats[fin->fin_out].fr_tcpbad++; return -1; } --- 226,232 ---- * don't do anything with this packet. */ if (tcp->th_sum != fr_tcpsum(*(mb_t **)fin->fin_mp, ! ip, tcp, ip->ip_len)) { frstats[fin->fin_out].fr_tcpbad++; return -1; } *************** *** 246,252 **** aps, nat); } if (err == 2) { ! tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); err = 0; } return err; --- 246,253 ---- aps, nat); } if (err == 2) { ! tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, ! tcp, ip->ip_len); err = 0; } return err; *************** *** 296,300 **** --- 297,319 ---- while ((aps = ap_sess_tab[i])) { ap_sess_tab[i] = aps->aps_next; aps_free(aps); + } + } + + + void ap_expire() + { + ap_session_t *aps, **apsp; + int i; + + for (i = 0; i < AP_SESS_SIZE; i++) + for (apsp = &ap_sess_tab[i]; (aps = *apsp); ) { + aps->aps_tout--; + if (!aps->aps_tout) { + ap_sess_tab[i] = aps->aps_next; + aps_free(aps); + *apsp = aps->aps_next; + } else + apsp = &aps->aps_next; } } Index: ip_proxy.h =================================================================== RCS file: /devel/CVS/IP-Filter/ip_proxy.h,v retrieving revision 2.0.2.10 retrieving revision 2.0.2.10.2.1 diff -c -r2.0.2.10 -r2.0.2.10.2.1 *** 2.0.2.10 1997/10/19 15:39:23 --- 2.0.2.10.2.1 1997/11/27 09:33:27 *************** *** 5,11 **** * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! 
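Review bot: In the new ap_expire(), the expired branch reads `aps->aps_next` after calling `aps_free(aps)`, and it also assigns `ap_sess_tab[i] = aps->aps_next`, which resets the bucket head even when the expired session is not first in its chain. If aps_free() releases the session (its body is not in this diff), the read is a use-after-free. The head assignment also drops every live session that precedes the expired one in that bucket. Unlinking through the cursor before freeing is enough: `*apsp = aps->aps_next;` followed by `aps_free(aps);`, with the `ap_sess_tab[i]` assignment removed.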
* $Id: ip_proxy.h,v 2.0.2.10 1997/10/19 15:39:23 darrenr Exp $ */ #ifndef __IP_PROXY_H__ --- 5,11 ---- * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: ip_proxy.h,v 2.0.2.10.2.1 1997/11/27 09:33:27 darrenr Exp $ */ #ifndef __IP_PROXY_H__ *************** *** 88,92 **** --- 88,93 ---- extern void aps_free __P((ap_session_t *)); extern int ap_check __P((ip_t *, tcphdr_t *, fr_info_t *, struct nat *)); extern aproxy_t *ap_match __P((u_char, char *)); + extern void ap_expire __P((void)); #endif /* __IP_PROXY_H__ */ Index: ip_sfil.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_sfil.c,v retrieving revision 2.0.2.25.2.3 retrieving revision 2.0.2.25.2.4 diff -c -r2.0.2.25.2.3 -r2.0.2.25.2.4 *** 2.0.2.25.2.3 1997/11/12 10:54:35 --- 2.0.2.25.2.4 1997/11/24 10:02:07 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.3 1997/11/12 10:54:35 darrenr Exp $"; #endif #include --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.4 1997/11/24 10:02:07 darrenr Exp $"; #endif #include *************** *** 76,82 **** ipflog_clear(i); untimeout(ipfr_timer_id); i = FR_INQUE|FR_OUTQUE; ! frflush(IPL_LOGIPF, (caddr_t)&i); ipfr_unload(); fr_stateunload(); ip_natunload(); --- 76,82 ---- ipflog_clear(i); untimeout(ipfr_timer_id); i = FR_INQUE|FR_OUTQUE; ! frflush(IPL_LOGIPF, &i); ipfr_unload(); fr_stateunload(); ip_natunload(); *************** *** 250,258 **** case SIOCIPFFL : if (!(mode & FWRITE)) return EPERM; mutex_enter(&ipf_mutex); ! 
frflush(unit, (caddr_t)data); mutex_exit(&ipf_mutex); break; #ifdef IPFILTER_LOG case SIOCIPFFB : --- 250,260 ---- case SIOCIPFFL : if (!(mode & FWRITE)) return EPERM; + IWCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp)); mutex_enter(&ipf_mutex); ! frflush(unit, &tmp); mutex_exit(&ipf_mutex); + IWCOPY((caddr_t)&tmp, (caddr_t)data, sizeof(tmp)); break; #ifdef IPFILTER_LOG case SIOCIPFFB : Index: ip_state.c =================================================================== RCS file: /devel/CVS/IP-Filter/ip_state.c,v retrieving revision 2.0.2.24.2.3 retrieving revision 2.0.2.24.2.4 diff -c -r2.0.2.24.2.3 -r2.0.2.24.2.4 *** 2.0.2.24.2.3 1997/11/12 10:55:34 --- 2.0.2.24.2.4 1997/11/19 11:44:09 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.3 1997/11/12 10:55:34 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__) --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.4 1997/11/19 11:44:09 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__) *************** *** 179,187 **** case SIOCIPFFL : IRCOPY(data, (caddr_t)&arg, sizeof(arg)); if (arg == 0 || arg == 1) { - MUTEX_ENTER(&ipf_state); ret = fr_state_flush(arg); - MUTEX_EXIT(&ipf_state); IWCOPY((caddr_t)&ret, data, sizeof(ret)); } else error = EINVAL; --- 179,185 ---- Index: ipl.h =================================================================== RCS file: /devel/CVS/IP-Filter/ipl.h,v retrieving revision 2.0.2.23.2.1 retrieving revision 2.0.2.23.2.2 diff -c -r2.0.2.23.2.1 -r2.0.2.23.2.2 *** 2.0.2.23.2.1 1997/11/12 12:01:43 --- 2.0.2.23.2.2 1997/11/28 07:28:22 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! 
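Review bot: The first added copy in the SIOCIPFFL case, `IWCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp))`, fetches the caller's flush flags with the write-direction macro. The ip_state.c handler for the same ioctl in this diff reads `data` with IRCOPY and uses IWCOPY only to return the result. The macro definitions are not part of this diff, but if they wrap copyin/copyout as the names suggest, `tmp` is never filled from the caller's argument and frflush() runs on whatever `tmp` held; `IRCOPY((caddr_t)data, (caddr_t)&tmp, sizeof(tmp));` looks like what was intended. The enclosing ioctl function and the declaration of `tmp` lie outside the hunk.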
#define IPL_VERSION "IP Filter v3.2.1" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.2.2" #endif Index: ipmon.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipmon.c,v retrieving revision 2.0.2.29.2.3 retrieving revision 2.0.2.29.2.4 diff -c -r2.0.2.29.2.3 -r2.0.2.29.2.4 *** 2.0.2.29.2.3 1997/11/12 10:57:25 --- 2.0.2.29.2.4 1997/11/28 06:14:46 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.3 1997/11/12 10:57:25 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1997 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.0.2.29.2.4 1997/11/28 06:14:46 darrenr Exp $"; #endif #include *************** *** 106,114 **** #define OPT_VERBOSE 0x008 #define OPT_HEXHDR 0x010 #define OPT_TAIL 0x020 - #define OPT_ALL 0x040 #define OPT_NAT 0x080 #define OPT_STATE 0x100 #ifndef LOGFAC #define LOGFAC LOG_LOCAL0 --- 106,116 ---- #define OPT_VERBOSE 0x008 #define OPT_HEXHDR 0x010 #define OPT_TAIL 0x020 #define OPT_NAT 0x080 #define OPT_STATE 0x100 + #define OPT_FILTER 0x200 + #define OPT_PORTNUM 0x400 + #define OPT_ALL (OPT_NAT|OPT_STATE|OPT_FILTER) #ifndef LOGFAC #define LOGFAC LOG_LOCAL0 *************** *** 156,162 **** struct servent *serv; (void) sprintf(pname, "%hu", htons(port)); ! if (!res) return pname; serv = getservbyport((int)port, proto); if (!serv) --- 158,164 ---- struct servent *serv; (void) sprintf(pname, "%hu", htons(port)); ! if (!res || (opts & OPT_PORTNUM)) return pname; serv = getservbyport((int)port, proto); if (!serv) *************** *** 598,604 **** int fd, flushed = 0; if ((fd = open(file, O_RDWR)) == -1) { ! 
(void) fprintf(stderr, "%s: open: %s", file, STRERROR(errno)); exit(-1); } --- 600,606 ---- int fd, flushed = 0; if ((fd = open(file, O_RDWR)) == -1) { ! (void) fprintf(stderr, "%s: open: %s\n", file,STRERROR(errno)); exit(-1); } *************** *** 620,669 **** } int main(argc, argv) int argc; char *argv[]; { struct stat sb; FILE *log = stdout; ! int fd[3], doread, n, i, nfd = 1; ! int tr, nr, regular, c; ! int fdt[3]; ! char buf[512], *iplfile = IPL_NAME; extern int optind; extern char *optarg; fd[0] = fd[1] = fd[2] = -1; ! fdt[0] = IPL_LOGIPF; ! fdt[1] = IPL_LOGNAT; ! fdt[2] = IPL_LOGSTATE; ! while ((c = getopt(argc, argv, "?af:FhnNsStvxX")) != -1) switch (c) { case 'a' : opts |= OPT_ALL; - nfd = 3; break; ! case 'f' : ! iplfile = optarg; break; case 'F' : ! if (!(opts & OPT_ALL)) ! flushlogs(iplfile, log); ! else { ! flushlogs(IPL_NAME, log); ! flushlogs(IPL_NAT, log); ! flushlogs(IPL_STATE, log); ! } break; case 'n' : opts |= OPT_RESOLVE; break; case 'N' : opts |= OPT_NAT; ! fdt[0] = IPL_LOGNAT; ! iplfile = IPL_NAT; break; case 's' : openlog(argv[0], LOG_NDELAY|LOG_PID, LOGFAC); --- 622,715 ---- } + static void logopts(turnon, options) + int turnon; + char *options; + { + int flags = 0; + char *s; + + for (s = options; *s; s++) + { + switch (*s) + { + case 'N' : + flags |= OPT_NAT; + break; + case 'S' : + flags |= OPT_STATE; + break; + case 'I' : + flags |= OPT_FILTER; + break; + default : + fprintf(stderr, "Unknown log option %c\n", *s); + exit(1); + } + } + + if (turnon) + opts |= flags; + else + opts &= ~(flags); + } + + int main(argc, argv) int argc; char *argv[]; { struct stat sb; FILE *log = stdout; ! int fd[3], doread, n, i; ! int tr, nr, regular[3], c; ! int fdt[3], devices = 0; ! char buf[512], *iplfile[3]; extern int optind; extern char *optarg; fd[0] = fd[1] = fd[2] = -1; ! fdt[0] = fdt[1] = fdt[2] = -1; ! iplfile[0] = IPL_NAME; ! iplfile[1] = IPNAT_NAME; ! iplfile[2] = IPSTATE_NAME; ! 
while ((c = getopt(argc, argv, "?af:FhI:nN:o:O:sS:tvxX")) != -1) switch (c) { case 'a' : opts |= OPT_ALL; break; ! case 'f' : case 'I' : ! opts |= OPT_FILTER; ! fdt[0] = IPL_LOGIPF; ! iplfile[0] = optarg; break; case 'F' : ! flushlogs(iplfile[0], log); ! flushlogs(iplfile[1], log); ! flushlogs(iplfile[2], log); break; case 'n' : opts |= OPT_RESOLVE; break; case 'N' : opts |= OPT_NAT; ! fdt[1] = IPL_LOGNAT; ! iplfile[1] = optarg; ! break; ! case 'o' : case 'O' : ! logopts(c == 'o', optarg); ! fdt[0] = fdt[1] = fdt[2] = -1; ! if (opts & OPT_FILTER) ! fdt[0] = IPL_LOGIPF; ! if (opts & OPT_NAT) ! fdt[1] = IPL_LOGNAT; ! if (opts & OPT_STATE) ! fdt[2] = IPL_LOGSTATE; ! break; ! case 'p' : ! opts |= OPT_PORTNUM; break; case 's' : openlog(argv[0], LOG_NDELAY|LOG_PID, LOGFAC); *************** *** 671,678 **** break; case 'S' : opts |= OPT_STATE; ! fdt[0] = IPL_LOGSTATE; ! iplfile = IPL_STATE; break; case 't' : opts |= OPT_TAIL; --- 717,724 ---- break; case 'S' : opts |= OPT_STATE; ! fdt[2] = IPL_LOGSTATE; ! iplfile[2] = optarg; break; case 't' : opts |= OPT_TAIL; *************** *** 692,713 **** usage(argv[0]); } ! if ((fd[0] == -1) && (fd[0] = open(iplfile, O_RDONLY)) == -1) { ! (void) fprintf(stderr, "%s: open: %s", iplfile, ! STRERROR(errno)); ! exit(-1); ! } ! if ((opts & OPT_ALL)) { ! if ((fd[1] = open(IPL_NAT, O_RDONLY)) == -1) { ! (void) fprintf(stderr, "%s: open: %s", IPL_NAT, ! STRERROR(errno)); ! exit(-1); ! } ! if ((fd[2] = open(IPL_STATE, O_RDONLY)) == -1) { ! (void) fprintf(stderr, "%s: open: %s", IPL_STATE, ! STRERROR(errno)); ! exit(-1); } } --- 738,769 ---- usage(argv[0]); } ! /* ! * Default action is to only open the filter log file. ! */ ! if ((fdt[0] == -1) && (fdt[1] == -1) && (fdt[2] == -1)) ! fdt[0] = IPL_LOGIPF; ! ! for (i = 0; i < 3; i++) { ! if (fdt[i] == -1) ! continue; ! if (!strcmp(iplfile[i], "-")) ! fd[i] = 0; ! else { ! if ((fd[i] = open(iplfile[i], O_RDONLY)) == -1) { ! (void) fprintf(stderr, ! "%s: open: %s\n", iplfile[i], ! 
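Review bot: The new `case 'p'` branch in main() can never run, because the option string passed to getopt(), `"?af:FhI:nN:o:O:sS:tvxX"`, contains no `p`. getopt() therefore reports `-p` as an unknown option, OPT_PORTNUM is never set, and the new test added to the port-name lookup has no effect. Adding the letter fixes it: `"?af:FhI:nN:o:O:psS:tvxX"`. Separately, `-F` now flushes whatever `iplfile[]` holds at the moment the flag is parsed, so it acts on the default device names unless `-I`/`-N`/`-S` come earlier on the command line; a comment on that case would make the order dependence explicit. main() continues outside this hunk.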
STRERROR(errno)); ! exit(-1); ! } ! if (fstat(fd[i], &sb) == -1) { ! (void) fprintf(stderr, "%d: fstat: %s\n",fd[i], ! STRERROR(errno)); ! exit(-1); ! } ! if (!(regular[i] = !S_ISCHR(sb.st_mode))) ! devices++; } } *************** *** 715,741 **** log = argv[optind] ? fopen(argv[optind], "a") : stdout; if (log == NULL) { ! (void) fprintf(stderr, "%s: fopen: %s", argv[optind], STRERROR(errno)); exit(-1); } setvbuf(log, NULL, _IONBF, 0); } - if (stat(iplfile, &sb) == -1) { - (void) fprintf(stderr, "%s: stat: %s", iplfile, - STRERROR(errno)); - exit(-1); - } - - regular = !S_ISCHR(sb.st_mode); - for (doread = 1; doread; ) { nr = 0; ! for (i = 0; i < nfd; i++) { tr = 0; ! if (!regular) { if (ioctl(fd[i], FIONREAD, &tr) == -1) { perror("ioctl(FIONREAD)"); exit(-1); --- 771,791 ---- log = argv[optind] ? fopen(argv[optind], "a") : stdout; if (log == NULL) { ! (void) fprintf(stderr, "%s: fopen: %s\n", argv[optind], STRERROR(errno)); exit(-1); } setvbuf(log, NULL, _IONBF, 0); } for (doread = 1; doread; ) { nr = 0; ! for (i = 0; i < 3; i++) { tr = 0; ! if (fdt[i] == -1) ! continue; ! if (!regular[i]) { if (ioctl(fd[i], FIONREAD, &tr) == -1) { perror("ioctl(FIONREAD)"); exit(-1); *************** *** 745,751 **** if (!tr && !(opts & OPT_TAIL)) doread = 0; } ! if (!tr && nfd != 1) continue; nr += tr; --- 795,801 ---- if (!tr && !(opts & OPT_TAIL)) doread = 0; } ! if (!tr) continue; nr += tr; *************** *** 777,783 **** break; } } ! if (!nr && ((opts & OPT_TAIL) || !regular)) sleep(1); } exit(0); --- 827,833 ---- break; } } ! 
if (!nr && ((opts & OPT_TAIL) || devices)) sleep(1); } exit(0); Index: parse.c =================================================================== RCS file: /devel/CVS/IP-Filter/parse.c,v retrieving revision 2.0.2.18 retrieving revision 2.0.2.18.2.1 diff -c -r2.0.2.18 -r2.0.2.18.2.1 *** 2.0.2.18 1997/10/19 15:39:29 --- 2.0.2.18.2.1 1997/11/20 12:43:49 *************** *** 35,41 **** #if !defined(lint) static const char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18 1997/10/19 15:39:29 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; --- 35,41 ---- #if !defined(lint) static const char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: parse.c,v 2.0.2.18.2.1 1997/11/20 12:43:49 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; *************** *** 475,481 **** /* * lazy users... */ ! if (!fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) { (void)fprintf(stderr, "no protocol given for TCP/UDP comparisons\n"); return NULL; --- 475,482 ---- /* * lazy users... */ ! if (!fil.fr_proto && !(fil.fr_ip.fi_fl & FI_TCPUDP) && ! (fil.fr_dcmp || fil.fr_scmp || fil.fr_tcpf)) { (void)fprintf(stderr, "no protocol given for TCP/UDP comparisons\n"); return NULL; *************** *** 541,547 **** /* * is it possibly hostname/num ? */ ! if ((s = index(**seg, '/'))) { *s++ = '\0'; if (!isdigit(*s)) return -1; --- 542,548 ---- /* * is it possibly hostname/num ? */ ! 
if ((s = index(**seg, '/')) || (s = index(**seg, ':'))) { *s++ = '\0'; if (!isdigit(*s)) return -1; Index: solaris.c =================================================================== RCS file: /devel/CVS/IP-Filter/solaris.c,v retrieving revision 2.0.2.22.2.1 retrieving revision 2.0.2.22.2.2 diff -c -r2.0.2.22.2.1 -r2.0.2.22.2.2 *** 2.0.2.22.2.1 1997/11/08 04:55:57 --- 2.0.2.22.2.2 1997/11/24 06:15:52 *************** *** 6,12 **** * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.1 1997/11/08 04:55:57 darrenr Exp $"; #include #include --- 6,12 ---- * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.2 1997/11/24 06:15:52 darrenr Exp $"; #include #include *************** *** 525,531 **** ip->ip_off = htons(__ipoff); } #endif ! if (err == 1) { if (*mp && (ip == (ip_t *)lbuf)) { copyin_mblk(m, 0, len, (char *)lbuf); frstats[out].fr_pull[1]++; --- 525,531 ---- ip->ip_off = htons(__ipoff); } #endif ! 
if (err == -2) { if (*mp && (ip == (ip_t *)lbuf)) { copyin_mblk(m, 0, len, (char *)lbuf); frstats[out].fr_pull[1]++; Index: todo =================================================================== RCS file: /devel/CVS/IP-Filter/todo,v retrieving revision 2.0.2.10.2.2 retrieving revision 2.0.2.10.2.5 diff -c -r2.0.2.10.2.2 -r2.0.2.10.2.5 *** 2.0.2.10.2.2 1997/11/12 10:58:51 --- 2.0.2.10.2.5 1997/11/27 09:32:27 *************** *** 23,25 **** --- 23,36 ---- * allow multiple ip addresses in a source route list for ipsend * complete Linux port to implement all the IP Filter features + return-rst done, to/dup-to/fastroute remain - ip_forward() problems :-( + + * add switches to ipmon for better selective control over which logs are + read/not read + done + + * add a flag to automate src spoofing + + * ipfsync() should change IP#'s in current mappings as well as what's + in rules. + Index: 4bsd/ip_output.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/4bsd/ip_output.c.diffs,v retrieving revision 2.0.2.2 retrieving revision 2.0.2.2.2.1 diff -c -r2.0.2.2 -r2.0.2.2.2.1 *** 2.0.2.2 1997/02/23 10:38:25 --- 2.0.2.2.2.1 1997/11/24 06:24:12 *************** *** 15,21 **** * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 277,282 **** ! --- 284,305 ---- } else m->m_flags &= ~M_BCAST; --- 15,21 ---- * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 277,282 **** ! --- 284,303 ---- } else m->m_flags &= ~M_BCAST; *************** *** 27,35 **** + if (fr_checkp) { + struct mbuf *m1 = m; + ! + if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) ! + error = EHOSTUNREACH; ! + if (error || !m1) + goto done; + ip = mtod(m = m1, struct ip *); + } --- 27,33 ---- + if (fr_checkp) { + struct mbuf *m1 = m; + ! 
+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) + goto done; + ip = mtod(m = m1, struct ip *); + } Index: BSD/Makefile.ipsend =================================================================== RCS file: /devel/CVS/IP-Filter/BSD/Makefile.ipsend,v retrieving revision 2.0.2.5.2.1 retrieving revision 2.0.2.5.2.2 diff -c -r2.0.2.5.2.1 -r2.0.2.5.2.2 *** 2.0.2.5.2.1 1997/11/05 11:03:24 --- 2.0.2.5.2.2 1997/11/28 05:47:28 *************** *** 16,25 **** all build bsd-bpf : ipsend ipresend iptest y.tab.o: $(TOP)/iplang/iplang_y.y ! (cd $(TOP)/iplang; $(MAKE) $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' ) lex.yy.o: $(TOP)/iplang/iplang_l.l ! (cd $(TOP)/iplang; $(MAKE) $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' ) .c.o: $(CC) $(DEBUG) $(CFLAGS) -c $< -o $@ --- 16,25 ---- all build bsd-bpf : ipsend ipresend iptest y.tab.o: $(TOP)/iplang/iplang_y.y ! (cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' ) lex.yy.o: $(TOP)/iplang/iplang_l.l ! (cd $(TOP)/iplang; $(MAKE) ../BSD/$(CPUDIR)/$@ $(MFLAGS) 'DESTDIR=../BSD/$(CPUDIR)' ) .c.o: $(CC) $(DEBUG) $(CFLAGS) -c $< -o $@ Index: BSDOS/ip_output.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/BSDOS/ip_output.c.diffs,v retrieving revision 2.0.2.2 retrieving revision 2.0.2.2.2.1 diff -c -r2.0.2.2 -r2.0.2.2.2.1 *** 2.0.2.2 1997/02/23 10:38:30 --- 2.0.2.2.2.1 1997/11/24 06:24:25 *************** *** 15,21 **** * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 276,281 **** ! --- 280,299 ---- } else m->m_flags &= ~M_BCAST; --- 15,21 ---- * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 276,281 **** ! --- 280,296 ---- } else m->m_flags &= ~M_BCAST; *************** *** 25,35 **** + /* + * looks like most checking has been done now...do a filter check + */ ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m1)) ! + { ! 
+ error = EHOSTUNREACH; + goto done; - + } + ip = mtod(m = m1, struct ip *); + } + #endif --- 25,32 ---- + /* + * looks like most checking has been done now...do a filter check + */ ! + if (fr_checkp && ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)) + goto done; + ip = mtod(m = m1, struct ip *); + } + #endif Index: BSDOS3/ip_output.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/BSDOS3/ip_output.c.diffs,v retrieving revision 2.0.2.1 retrieving revision 2.0.2.1.2.1 diff -c -r2.0.2.1 -r2.0.2.1.2.1 *** 2.0.2.1 1997/11/05 11:10:12 --- 2.0.2.1.2.1 1997/11/24 06:24:27 *************** *** 15,21 **** * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 313,318 **** ! --- 317,333 ---- } else mtu = ifp->if_mtu; --- 15,21 ---- * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 313,318 **** ! --- 317,331 ---- } else mtu = ifp->if_mtu; *************** *** 23,31 **** + if (fr_checkp) { + struct mbuf *m1 = m; + ! + if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) ! + error = EHOSTUNREACH; ! + if (error || !m1) + goto done; + ip = mtod(m = m1, struct ip *); + } --- 23,29 ---- + if (fr_checkp) { + struct mbuf *m1 = m; + ! + if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) + goto done; + ip = mtod(m = m1, struct ip *); + } Index: FreeBSD/ip_output.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/FreeBSD/ip_output.c.diffs,v retrieving revision 2.0.2.2 retrieving revision 2.0.2.2.2.1 diff -c -r2.0.2.2 -r2.0.2.2.2.1 *** 2.0.2.2 1997/02/23 10:38:41 --- 2.0.2.2.2.1 1997/11/24 06:24:29 *************** *** 15,21 **** * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 330,335 **** ! --- 334,353 ---- m->m_flags &= ~M_BCAST; sendit: --- 15,21 ---- * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 330,335 **** ! 
--- 334,351 ---- m->m_flags &= ~M_BCAST; sendit: *************** *** 26,34 **** + if (fr_checkp) { + struct mbuf *m1 = m; + ! + if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) ! + error = EHOSTUNREACH; ! + if (error || !m1) + goto done; + ip = mtod(m = m1, struct ip *); + } --- 26,32 ---- + if (fr_checkp) { + struct mbuf *m1 = m; + ! + if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) + goto done; + ip = mtod(m = m1, struct ip *); + } Index: FreeBSD-2.2/ip_output.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/FreeBSD-2.2/ip_output.c.diffs,v retrieving revision 2.0.2.2 retrieving revision 2.0.2.2.2.1 diff -c -r2.0.2.2 -r2.0.2.2.2.1 *** 2.0.2.2 1997/05/24 07:50:19 --- 2.0.2.2.2.1 1997/11/24 06:24:31 *************** *** 32,38 **** __P((int, struct ip_moptions **, struct mbuf *)); *************** *** 338,343 **** ! --- 342,358 ---- * - Wrap: fake packet's addr/port * - Encapsulate: put it in another IP and send out. */ --- 32,38 ---- __P((int, struct ip_moptions **, struct mbuf *)); *************** *** 338,343 **** ! --- 342,356 ---- * - Wrap: fake packet's addr/port * - Encapsulate: put it in another IP and send out. */ *************** *** 40,48 **** + if (fr_checkp) { + struct mbuf *m1 = m; + ! + if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) ! + error = EHOSTUNREACH; ! + if (error || !m1) + goto done; + ip = mtod(m = m1, struct ip *); + } --- 40,46 ---- + if (fr_checkp) { + struct mbuf *m1 = m; + ! 
+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) + goto done; + ip = mtod(m = m1, struct ip *); + } Index: Linux/Makefile.ipsend =================================================================== RCS file: /devel/CVS/IP-Filter/Linux/Makefile.ipsend,v retrieving revision 2.0.2.1 retrieving revision 2.0.2.1.2.1 diff -c -r2.0.2.1 -r2.0.2.1.2.1 *** 2.0.2.1 1997/11/12 10:29:27 --- 2.0.2.1.2.1 1997/11/24 10:20:07 *************** *** 18,27 **** all build bsd-bpf : ipsend ipresend iptest y.tab.o: $(TOP)/iplang/iplang_y.y ! (cd $(TOP)/iplang; $(MAKE) $(MFLAGS) "LINUX=$(INC) $(LINUXK)" 'DESTDIR=../Linux/$(CPUDIR)' ) lex.yy.o: $(TOP)/iplang/iplang_l.l ! (cd $(TOP)/iplang; $(MAKE) $(MFLAGS) "LINUX=$(INC) $(LINUXK)" 'DESTDIR=../Linux/$(CPUDIR)' ) .c.o: $(CC) $(DEBUG) $(CFLAGS) $(INC) $(LINUXK) -c $< -o $@ --- 18,27 ---- all build bsd-bpf : ipsend ipresend iptest y.tab.o: $(TOP)/iplang/iplang_y.y ! (cd $(TOP)/iplang; $(MAKE) ../Linux/$(CPUDIR)/y.tab.o $(MFLAGS) "LINUX=$(INC) $(LINUXK)" 'DESTDIR=../Linux/$(CPUDIR)' ) lex.yy.o: $(TOP)/iplang/iplang_l.l ! (cd $(TOP)/iplang; $(MAKE) ../Linux/$(CPUDIR)/lex.yy.o $(MFLAGS) "LINUX=$(INC) $(LINUXK)" 'DESTDIR=../Linux/$(CPUDIR)' ) .c.o: $(CC) $(DEBUG) $(CFLAGS) $(INC) $(LINUXK) -c $< -o $@ Index: Linux/ip_forward.c.diff =================================================================== RCS file: /devel/CVS/IP-Filter/Linux/ip_forward.c.diff,v retrieving revision 2.0.2.1 retrieving revision 2.0.2.1.2.1 diff -c -r2.0.2.1 -r2.0.2.1.2.1 *** 2.0.2.1 1997/11/12 10:29:28 --- 2.0.2.1.2.1 1997/11/24 06:24:33 *************** *** 23,29 **** } #endif + #ifdef CONFIG_FIREWALL_IPFILTER ! + if (fr_checkp && (*fr_checkp)(iph, skb->dev, 1, &skb)) + return -1; + #endif --- 23,29 ---- } #endif + #ifdef CONFIG_FIREWALL_IPFILTER ! + if (fr_checkp && ((*fr_checkp)(iph, dev2, 1, &skb) || !skb)) + return -1; + #endif *************** *** 36,42 **** #endif } + #ifdef CONFIG_FIREWALL_IPFILTER ! 
+ if (fr_checkp && (*fr_checkp)(iph, skb2->dev, 1, &skb2)) + { + if (skb != skb2) + kfree_skb(skb2,FREE_WRITE); --- 36,42 ---- #endif } + #ifdef CONFIG_FIREWALL_IPFILTER ! + if (fr_checkp && ((*fr_checkp)(iph, skb2->dev, 1, &skb2) || !skb)) + { + if (skb != skb2) + kfree_skb(skb2,FREE_WRITE); Index: Linux/ip_input.c.diff =================================================================== RCS file: /devel/CVS/IP-Filter/Linux/ip_input.c.diff,v retrieving revision 2.0.2.1 retrieving revision 2.0.2.1.2.2 diff -c -r2.0.2.1 -r2.0.2.1.2.2 *** 2.0.2.1 1997/11/12 10:29:28 --- 2.0.2.1.2.2 1997/11/24 09:58:51 *************** *** 1,5 **** ! *** ip_input.c.dist Wed Nov 12 18:53:12 1997 ! --- ip_input.c Wed Nov 12 19:43:02 1997 *************** *** 175,180 **** --- 175,187 ---- --- 1,5 ---- ! *** /usr/src/linux/net/ipv4/ip_input.c.dist Wed Nov 12 18:53:12 1997 ! --- /usr/src/linux/net/ipv4/ip_input.c Mon Nov 24 20:39:50 1997 *************** *** 175,180 **** --- 175,187 ---- *************** *** 28,34 **** if ((fwres=call_in_firewall(PF_INET, skb->dev, iph, &rport))dev, iph, &rport))dev, 0, &skb)) + { ! + kfree_skb(skb, FREE_WRITE); + return 0; + } #endif --- 36,43 ---- + #ifdef CONFIG_FIREWALL_IPFILTER + if (fr_checkp && (*fr_checkp)(iph, skb->dev, 0, &skb)) + { ! + if (skb) ! + kfree_skb(skb, FREE_WRITE); + return 0; + } #endif Index: Linux/ip_output.c.diff =================================================================== RCS file: /devel/CVS/IP-Filter/Linux/ip_output.c.diff,v retrieving revision 2.0.2.1 retrieving revision 2.0.2.1.2.2 diff -c -r2.0.2.1 -r2.0.2.1.2.2 *** 2.0.2.1 1997/11/12 10:29:28 --- 2.0.2.1.2.2 1997/11/24 09:58:52 *************** *** 1,5 **** ! *** ip_output.c.dist Wed Nov 12 18:53:27 1997 ! --- ip_output.c Wed Nov 12 19:44:48 1997 *************** *** 76,81 **** --- 76,88 ---- --- 1,5 ---- ! *** /usr/src/linux/net/ipv4/ip_output.c.dist Wed Nov 12 18:53:27 1997 ! 
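Review bot: The second changed condition in ip_forward.c.diff passes `&skb2` to the filter but then tests `!skb`, so a NULL left in `skb2` by the filter is not caught by the new check. The lines that follow in the hunk call `kfree_skb(skb2,FREE_WRITE)` whenever `skb != skb2`, which would pass a NULL pointer if the filter both rejected the packet and cleared `skb2`. Testing the pointer that was actually passed, `if (fr_checkp && ((*fr_checkp)(iph, skb2->dev, 1, &skb2) || !skb2))`, and guarding the free with `if (skb2 && skb != skb2)` would match the `if (skb)` guard that this commit adds in ip_input.c.diff. The surrounding function is outside the hunk, so how `skb2` is used afterwards cannot be confirmed from here.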
--- /usr/src/linux/net/ipv4/ip_output.c Mon Nov 24 20:40:11 1997 *************** *** 76,81 **** --- 76,88 ---- *************** *** 47,60 **** { *************** *** 974,979 **** ! --- 992,1004 ---- * Account for the fragment. */ + #ifdef CONFIG_FIREWALL_IPFILTER + if (!offset && fr_checkp && (*fr_checkp)(iph, skb->dev,1,&skb)) + { ! + kfree_skb(skb, FREE_WRITE); + return -EPERM; + } + #endif --- 47,61 ---- { *************** *** 974,979 **** ! --- 992,1005 ---- * Account for the fragment. */ + #ifdef CONFIG_FIREWALL_IPFILTER + if (!offset && fr_checkp && (*fr_checkp)(iph, skb->dev,1,&skb)) + { ! + if (skb) ! + kfree_skb(skb, FREE_WRITE); + return -EPERM; + } + #endif Index: Linux/minstall =================================================================== RCS file: /devel/CVS/IP-Filter/Linux/minstall,v retrieving revision 2.0.2.1 retrieving revision 2.0.2.1.2.1 diff -c -r2.0.2.1 -r2.0.2.1.2.1 *** 2.0.2.1 1997/11/12 10:29:28 --- 2.0.2.1.2.1 1997/11/22 12:50:20 *************** *** 18,25 **** echo "Patching netsyms.c, Config.in" cat Linux/netsyms.c.diff Linux/Config.in.diff | (cd /usr/src/linux/net; patch) ! echo "Patching ip_input.c, ip_output.c and ip_forward.c" ! cat Linux/ip_{in,out}put.c.diff Linux/ip_forward.c.diff | \ (cd /usr/src/linux/net/ipv4; patch) echo "You now need to reconfigure your kernel and enable IP Filter as a" --- 18,25 ---- echo "Patching netsyms.c, Config.in" cat Linux/netsyms.c.diff Linux/Config.in.diff | (cd /usr/src/linux/net; patch) ! echo "Patching ip_input.c, ip_output.c, ip_forward.c and tcp_output.c" ! 
cat Linux/{ip_{{in,out}put,forward},tcp_output}.c.diff | \ (cd /usr/src/linux/net/ipv4; patch) echo "You now need to reconfigure your kernel and enable IP Filter as a" Index: Linux/tcp_output.c.diff =================================================================== RCS file: /devel/CVS/IP-Filter/Linux/tcp_output.c.diff,v retrieving revision 2.0.2.1 retrieving revision 2.0.2.1.2.1 diff -c -r2.0.2.1 -r2.0.2.1.2.1 *** 2.0.2.1 1997/11/22 12:48:50 --- 2.0.2.1.2.1 1997/11/24 06:24:35 *************** *** 25,31 **** + #ifdef CONFIG_FIREWALL_IPFILTER + /* eww, TCP output separate from IP output. */ ! + if (fr_checkp && (*fr_checkp)(iph, skb->dev, 1, &skb)) + break; + #endif /* --- 25,31 ---- + #ifdef CONFIG_FIREWALL_IPFILTER + /* eww, TCP output separate from IP output. */ ! + if (fr_checkp && ((*fr_checkp)(iph, skb->dev, 1, &skb) || !skb)) + break; + #endif /* Index: NetBSD/ip_output.c.diffs =================================================================== RCS file: /devel/CVS/IP-Filter/NetBSD/ip_output.c.diffs,v retrieving revision 2.0.2.2 retrieving revision 2.0.2.2.2.1 diff -c -r2.0.2.2 -r2.0.2.2.2.1 *** 2.0.2.2 1997/02/23 10:38:51 --- 2.0.2.2.2.1 1997/11/24 06:24:37 *************** *** 15,21 **** * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 277,282 **** ! --- 281,300 ---- m->m_flags &= ~M_BCAST; sendit: --- 15,21 ---- * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 277,282 **** ! --- 281,298 ---- m->m_flags &= ~M_BCAST; sendit: *************** *** 26,34 **** + if (fr_checkp) { + struct mbuf *m1 = m; + ! + if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) ! + error = EHOSTUNREACH; ! + if (error || !m1) + goto done; + ip = mtod(m = m1, struct ip *); + } --- 26,32 ---- + if (fr_checkp) { + struct mbuf *m1 = m; + ! 
+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) + goto done; + ip = mtod(m = m1, struct ip *); + } Index: NetBSD-1.2/ip_output.c-PATCH =================================================================== RCS file: /devel/CVS/IP-Filter/NetBSD-1.2/ip_output.c-PATCH,v retrieving revision 2.0.2.1 retrieving revision 2.0.2.1.2.1 diff -c -r2.0.2.1 -r2.0.2.1.2.1 *** 2.0.2.1 1997/01/12 08:47:17 --- 2.0.2.1.2.1 1997/11/24 06:24:40 *************** *** 15,21 **** * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 293,298 **** ! --- 297,316 ---- } else m->m_flags &= ~M_BCAST; --- 15,21 ---- * IP output. The packet in mbuf chain m contains a skeletal IP *************** *** 293,298 **** ! --- 297,315 ---- } else m->m_flags &= ~M_BCAST; *************** *** 25,33 **** + /* + * looks like most checking has been done now...do a filter check + */ ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m0)) + { - + error = EHOSTUNREACH; + goto done; + } else + ip = mtod(m = m0, struct ip *); --- 25,32 ---- + /* + * looks like most checking has been done now...do a filter check + */ ! + if (fr_checkp && (error = (*fr_checkp)(ip, hlen, ifp, 1, &m0)) || !m0) + { + goto done; + } else + ip = mtod(m = m0, struct ip *); Index: SunOS4/ip_output.c =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS4/ip_output.c,v retrieving revision 2.0.2.2 retrieving revision 2.0.2.2.2.1 diff -c -r2.0.2.2 -r2.0.2.2.2.1 *** 2.0.2.2 1997/02/23 10:39:04 --- 2.0.2.2.2.1 1997/11/24 06:24:42 *************** *** 317,325 **** if (fr_checkp) { struct mbuf *m1 = m; ! if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) ! error = EHOSTUNREACH; ! if (error || !m1) goto done; ip = mtod(m = m1, struct ip *); } --- 317,323 ---- if (fr_checkp) { struct mbuf *m1 = m; ! 
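Review bot: The new condition in the NetBSD-1.2 patch, `fr_checkp && (error = (*fr_checkp)(ip, hlen, ifp, 1, &m0)) || !m0`, groups as `(fr_checkp && (error = ...)) || !m0`, because `&&` binds tighter than `||`. The BSDOS patch in this same commit writes the equivalent test with explicit parentheses, and compilers commonly warn about the unparenthesised mix. `if (fr_checkp && ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m0)) || !m0))` states the intent and reads the same as the other ports.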
if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1) goto done; ip = mtod(m = m1, struct ip *); } Index: SunOS5/Makefile =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS5/Makefile,v retrieving revision 2.0.2.13 retrieving revision 2.0.2.13.2.1 diff -c -r2.0.2.13 -r2.0.2.13.2.1 *** 2.0.2.13 1997/09/28 07:13:03 --- 2.0.2.13.2.1 1997/11/20 12:40:29 *************** *** 13,19 **** # # For SunOS 5.x # ! PKGDIR=root/opt/CYBSipf PKGMAN=$(PKGDIR)/man PKGBIN=$(PKGDIR)/bin # --- 13,19 ---- # # For SunOS 5.x # ! PKGDIR=$(ROOT)/opt/CYBSipf PKGMAN=$(PKGDIR)/man PKGBIN=$(PKGDIR)/bin # *************** *** 24,29 **** --- 24,31 ---- LIBS=-lsocket -lnsl -lelf DEF=-D_KERNEL -DSUNDDI -D$(DCPU) -D__$(DCPU)__ $(CPU) ATON=-DNEED_INET_ATON + ROOT=$(DCPU)/root + ROOTINC=$(ROOT)/usr/include # MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \ 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \ *************** *** 171,177 **** clean: ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon ipnat ipf.exe ${RM} -f ipnat.5 ipnat.4 ipnat.1 ipfilter.5 ! find root -name CVS -prune -o -type f -print | xargs /bin/rm -f make -f Makefile.ipsend clean -(for i in *; do \ if [ -d $${i} -a -f $${i}/Makefile ] ; then \ --- 173,180 ---- clean: ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon ipnat ipf.exe ${RM} -f ipnat.5 ipnat.4 ipnat.1 ipfilter.5 ! ${RM} -f prototype pkginfo postinstall copyright ! find $(ROOT) -name CVS -prune -o -type f -print | xargs /bin/rm -f make -f Makefile.ipsend clean -(for i in *; do \ if [ -d $${i} -a -f $${i}/Makefile ] ; then \ *************** *** 186,205 **** echo "Can only build package and install if root"; \ exit 1; \ fi ! mkdir -p $(PKGBIN) root/sbin root/usr/kernel/drv root/etc/init.d ! 
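Review bot: The clean rule now runs `find $(ROOT) -name CVS -prune -o -type f -print | xargs /bin/rm -f` with `ROOT=$(DCPU)/root`, so the tree being emptied depends on DCPU being set. Where DCPU is assigned is not visible in this diff. If `make clean` is ever run with DCPU empty, `$(ROOT)` expands to `/root` and the rule deletes files under that directory instead of the staging tree. A guard ahead of the find, such as `@test -n "$(DCPU)" || { echo "DCPU not set"; exit 1; }`, keeps the deletion inside the build directory.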
mkdir -p root/usr/include/netinet $(PKGDIR)/examples mkdir -p $(PKGMAN)/man1 $(PKGMAN)/man4 $(PKGMAN)/man5 $(PKGMAN)/man8 -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipftest $(PKGBIN)/ipftest -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipmon $(PKGBIN)/ipmon -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipsend $(PKGBIN)/ipsend -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipresend $(PKGBIN)/ipresend -$(INSTALL) -c -g root -m 755 -o root $(TOP)/mkfilters $(PKGBIN)/mkfilters ! -$(INSTALL) -c -g root -m 755 -o root $(DCPU)/ipf root/usr/kernel/drv/ipf ! -$(INSTALL) -c -g root -m 644 -o root ipf.conf root/usr/kernel/drv ! -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipnat root/sbin/ipnat ! -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipf.exe root/sbin/ipf ! -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipfstat root/sbin/ipfstat ! -$(INSTALL) -c -g root -m 755 -o root ipfboot root/etc/init.d -cp $(TOP)/man/*.[0-9] . -$(INSTALL) -g root -m 444 -o root ipf.8 $(PKGMAN)/man8 -$(INSTALL) -g root -m 444 -o root ipnat.1 $(PKGMAN)/man1 --- 189,208 ---- echo "Can only build package and install if root"; \ exit 1; \ fi ! mkdir -p $(PKGBIN) $(ROOT)/sbin $(ROOT)/usr/kernel/drv $(ROOT)/etc/init.d ! mkdir -p $(ROOTINC)/netinet $(PKGDIR)/examples mkdir -p $(PKGMAN)/man1 $(PKGMAN)/man4 $(PKGMAN)/man5 $(PKGMAN)/man8 -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipftest $(PKGBIN)/ipftest -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipmon $(PKGBIN)/ipmon -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipsend $(PKGBIN)/ipsend -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipresend $(PKGBIN)/ipresend -$(INSTALL) -c -g root -m 755 -o root $(TOP)/mkfilters $(PKGBIN)/mkfilters ! -$(INSTALL) -c -g root -m 755 -o root $(DCPU)/ipf $(ROOT)/usr/kernel/drv/ipf ! -$(INSTALL) -c -g root -m 644 -o root ipf.conf $(ROOT)/usr/kernel/drv ! -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipnat $(ROOT)/sbin/ipnat ! 
-$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipf.exe $(ROOT)/sbin/ipf ! -$(INSTALL) -c -s -g root -m 755 -o root $(DCPU)/ipfstat $(ROOT)/sbin/ipfstat ! -$(INSTALL) -c -g root -m 755 -o root ipfboot $(ROOT)/etc/init.d -cp $(TOP)/man/*.[0-9] . -$(INSTALL) -g root -m 444 -o root ipf.8 $(PKGMAN)/man8 -$(INSTALL) -g root -m 444 -o root ipnat.1 $(PKGMAN)/man1 *************** *** 217,229 **** -cp $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_state.h . -cp $(TOP)/ip_nat.h $(TOP)/ip_frag.h $(TOP)/ip_proxy.h . -cp $(TOP)/ip_auth.h . ! -$(INSTALL) -g root -m 644 -o root ip_fil.h root/usr/include/netinet ! -$(INSTALL) -g root -m 644 -o root ip_compat.h root/usr/include/netinet ! -$(INSTALL) -g root -m 644 -o root ip_state.h root/usr/include/netinet ! -$(INSTALL) -g root -m 644 -o root ip_nat.h root/usr/include/netinet ! -$(INSTALL) -g root -m 644 -o root ip_frag.h root/usr/include/netinet ! -$(INSTALL) -g root -m 644 -o root ip_proxy.h root/usr/include/netinet ! -$(INSTALL) -g root -m 644 -o root ip_auth.h root/usr/include/netinet ! pkgmk -o -pkgadd -d /var/spool/pkg --- 220,233 ---- -cp $(TOP)/ip_fil.h $(TOP)/ip_compat.h $(TOP)/ip_state.h . -cp $(TOP)/ip_nat.h $(TOP)/ip_frag.h $(TOP)/ip_proxy.h . -cp $(TOP)/ip_auth.h . ! -$(INSTALL) -g root -m 644 -o root ip_fil.h $(ROOTINC)/netinet ! -$(INSTALL) -g root -m 644 -o root ip_compat.h $(ROOTINC)/netinet ! -$(INSTALL) -g root -m 644 -o root ip_state.h $(ROOTINC)/netinet ! -$(INSTALL) -g root -m 644 -o root ip_nat.h $(ROOTINC)/netinet ! -$(INSTALL) -g root -m 644 -o root ip_frag.h $(ROOTINC)/netinet ! -$(INSTALL) -g root -m 644 -o root ip_proxy.h $(ROOTINC)/netinet ! -$(INSTALL) -g root -m 644 -o root ip_auth.h $(ROOTINC)/netinet ! (cd $(DCPU); ln -s ../prototype ../pkginfo ../copyright ../postinstall .) ! 
(cd $(DCPU); pkgmk -o) -pkgadd -d /var/spool/pkg Index: SunOS5/pkginfo =================================================================== RCS file: /devel/CVS/IP-Filter/SunOS5/pkginfo,v retrieving revision 2.0.2.22.2.1 retrieving revision 2.0.2.22.2.2 diff -c -r2.0.2.22.2.1 -r2.0.2.22.2.2 *** 2.0.2.22.2.1 1997/11/12 12:04:24 --- 2.0.2.22.2.2 1997/11/28 07:28:24 *************** *** 5,11 **** PKG=CYBSipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.2,REV=1 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Cybersource --- 5,11 ---- PKG=CYBSipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.2,REV=2 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Cybersource Index: iplang/iplang_y.y =================================================================== RCS file: /devel/CVS/IP-Filter/iplang/iplang_y.y,v retrieving revision 2.0.2.18.2.2 retrieving revision 2.0.2.18.2.4 diff -c -r2.0.2.18.2.2 -r2.0.2.18.2.4 *** 2.0.2.18.2.2 1997/11/05 11:04:19 --- 2.0.2.18.2.4 1997/11/27 09:04:57 *************** *** 6,12 **** * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: iplang_y.y,v 2.0.2.18.2.2 1997/11/05 11:04:19 darrenr Exp $ */ #include --- 6,12 ---- * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: iplang_y.y,v 2.0.2.18.2.4 1997/11/27 09:04:57 darrenr Exp $ */ #include *************** *** 320,326 **** ; tcpheader: ! tcpbody tcpheader | bodyline ; --- 320,327 ---- ; tcpheader: ! tcpbody ! 
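Review bot: The two added recipe lines `(cd $(DCPU); ln -s ../prototype ../pkginfo ../copyright ../postinstall .)` and `(cd $(DCPU); pkgmk -o)` keep going when the `cd` fails, so the links and the package build would then happen in the SunOS5 directory itself, as root. Chain them with `&&` instead: `(cd $(DCPU) && ln -s ../prototype ../pkginfo ../copyright ../postinstall .)` and `(cd $(DCPU) && pkgmk -o)`. `ln -s` without `-f` also fails once the links exist, and because the line has no leading `-` a second `make package` aborts there; `ln -sf` or removing the links first avoids that. The rule starts outside this hunk.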
| tcpbody tcpheader | bodyline ; *************** *** 600,627 **** struct ether_addr * ether_aton(s) char *s; - { - static struct ether_addr n; - u_int i[6]; - - if (sscanf(s, " %x:%x:%x:%x:%x:%x ", &i[0], &i[1], - &i[2], &i[3], &i[4], &i[5]) == 6) { - n.ether_addr_octet[0] = (u_char)i[0]; - n.ether_addr_octet[1] = (u_char)i[1]; - n.ether_addr_octet[2] = (u_char)i[2]; - n.ether_addr_octet[3] = (u_char)i[3]; - n.ether_addr_octet[4] = (u_char)i[4]; - n.ether_addr_octet[5] = (u_char)i[5]; - return &n; - } - return NULL; - } - #endif - - #ifdef bsdi - struct ether_addr * - ether_aton(s) - char *s; { static struct ether_addr n; u_int i[6]; --- 601,606 ---- Index: ipsend/ip.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipsend/ip.c,v retrieving revision 2.0.2.11 retrieving revision 2.0.2.11.2.2 diff -c -r2.0.2.11 -r2.0.2.11.2.2 *** 2.0.2.11 1997/10/23 11:42:44 --- 2.0.2.11.2.2 1997/11/28 03:36:47 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; ! static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11 1997/10/23 11:42:44 darrenr Exp $"; #endif #include #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; ! static const char rcsid[] = "@(#)$Id: ip.c,v 2.0.2.11.2.2 1997/11/28 03:36:47 darrenr Exp $"; #endif #include #include *************** *** 96,102 **** static u_short id = 0; ether_header_t *eh; ip_t ipsv; ! int err; if (!ipbuf) ipbuf = (char *)malloc(65536); --- 96,102 ---- static u_short id = 0; ether_header_t *eh; ip_t ipsv; ! int err, iplen; if (!ipbuf) ipbuf = (char *)malloc(65536); *************** *** 115,121 **** bcopy((char *)ip, (char *)&ipsv, sizeof(*ip)); last_gw.s_addr = gwip.s_addr; ! ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); if (!(frag & 2)) { if (!ip->ip_v) --- 115,122 ---- bcopy((char *)ip, (char *)&ipsv, sizeof(*ip)); last_gw.s_addr = gwip.s_addr; ! iplen = ip->ip_len; ! 
ip->ip_len = htons(iplen); ip->ip_off = htons(ip->ip_off); if (!(frag & 2)) { if (!ip->ip_v) *************** *** 126,138 **** ip->ip_ttl = 60; } ! if (!frag || (sizeof(*eh) + ntohs(ip->ip_len) < mtu)) { ip->ip_sum = 0; ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2); ! bcopy((char *)ip, ipbuf + sizeof(*eh), ntohs(ip->ip_len)); ! err = sendip(nfd, ipbuf, sizeof(*eh) + ntohs(ip->ip_len)); } else { --- 127,139 ---- ip->ip_ttl = 60; } ! if (!frag || (sizeof(*eh) + iplen < mtu)) { ip->ip_sum = 0; ip->ip_sum = chksum((u_short *)ip, ip->ip_hl << 2); ! bcopy((char *)ip, ipbuf + sizeof(*eh), iplen); ! err = sendip(nfd, ipbuf, sizeof(*eh) + iplen); } else { *************** *** 144,150 **** ether_header_t eth; char optcpy[48], ol; char *s; ! int i, iplen, sent = 0, ts, hlen, olen; hlen = ip->ip_hl << 2; if (mtu < (hlen + 8)) { --- 145,151 ---- ether_header_t eth; char optcpy[48], ol; char *s; ! int i, sent = 0, ts, hlen, olen; hlen = ip->ip_hl << 2; if (mtu < (hlen + 8)) { *************** *** 235,277 **** { static tcp_seq iss = 2; struct tcpiphdr *ti; ! int thlen, i; ! u_long lbuf[20]; ! ti = (struct tcpiphdr *)lbuf; bzero((char *)ti, sizeof(*ti)); - thlen = sizeof(tcphdr_t); ip->ip_p = IPPROTO_TCP; ti->ti_pr = ip->ip_p; ti->ti_src = ip->ip_src; ti->ti_dst = ip->ip_dst; ! bcopy((char *)ip + (ip->ip_hl << 2), ! (char *)&ti->ti_sport, sizeof(tcphdr_t)); if (!ti->ti_win) ti->ti_win = htons(4096); ! if (!ti->ti_seq) ! ti->ti_seq = htonl(iss); ! iss += 64; ! if ((ti->ti_flags == TH_SYN) && !ip->ip_off) ! { ! ip = (ip_t *)realloc((char *)ip, ntohs(ip->ip_len) + 4); ! i = sizeof(struct tcpiphdr) / sizeof(long); lbuf[i] = htonl(0x020405b4); ! bcopy((char *)(lbuf + i), (char*)ip + ntohs(ip->ip_len), ! sizeof(u_long)); thlen += 4; } ! if (!ti->ti_off) ! ti->ti_off = thlen >> 2; ti->ti_len = htons(thlen); ! ip->ip_len = (ip->ip_hl << 2) + thlen; ti->ti_sum = 0; ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t)); ! bcopy((char *)&ti->ti_sport, ! 
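Review bot: `bcopy((char *)ip, ipbuf + sizeof(*eh), iplen)` copies a caller-supplied length into `ipbuf` with no bound in the unfragmented path, and `ipbuf` is the `malloc(65536)` buffer shown in the earlier hunk. An `ip_len` above `65536 - sizeof(*eh)` would therefore write past the allocation, and the `malloc` result is used without a NULL check. Because this tool is fed deliberately odd lengths, a guard before the copy keeps it from corrupting its own heap, for example `if (iplen > 65536 - (int)sizeof(*eh)) return -1;`. The return convention needs confirming, as send_ip's signature and the rest of its body are outside this hunk.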
(char *)ip + (ip->ip_hl << 2), thlen); return send_ip(nfd, mtu, ip, gwip, 1); } --- 236,279 ---- { static tcp_seq iss = 2; struct tcpiphdr *ti; ! tcphdr_t *t; ! int thlen, i, iplen, hlen; ! u_32_t lbuf[20]; ! ! iplen = ip->ip_len; ! hlen = ip->ip_hl << 2; ! t = (tcphdr_t *)((char *)ip + hlen); ti = (struct tcpiphdr *)lbuf; + thlen = t->th_off << 2; + if (!thlen) + thlen = sizeof(tcphdr_t); bzero((char *)ti, sizeof(*ti)); ip->ip_p = IPPROTO_TCP; ti->ti_pr = ip->ip_p; ti->ti_src = ip->ip_src; ti->ti_dst = ip->ip_dst; ! bcopy((char *)ip + hlen, (char *)&ti->ti_sport, thlen); if (!ti->ti_win) ti->ti_win = htons(4096); ! iss += 63; ! i = sizeof(struct tcpiphdr) / sizeof(long); ! ! if ((ti->ti_flags == TH_SYN) && !ip->ip_off && ! (lbuf[i] != htonl(0x020405b4))) { lbuf[i] = htonl(0x020405b4); ! bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4, ! iplen - thlen - hlen); thlen += 4; } ! ti->ti_off = thlen >> 2; ti->ti_len = htons(thlen); ! ip->ip_len = hlen + thlen; ti->ti_sum = 0; ti->ti_sum = chksum((u_short *)ti, thlen + sizeof(ip_t)); ! bcopy((char *)&ti->ti_sport, (char *)ip + hlen, thlen); return send_ip(nfd, mtu, ip, gwip, 1); } Index: ipsend/iptest.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipsend/iptest.c,v retrieving revision 2.0.2.8 retrieving revision 2.0.2.8.2.1 diff -c -r2.0.2.8 -r2.0.2.8.2.1 *** 2.0.2.8 1997/10/12 09:48:39 --- 2.0.2.8.2.1 1997/11/28 03:36:18 *************** *** 12,18 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: iptest.c,v 2.0.2.8 1997/10/12 09:48:39 darrenr Exp $"; #endif #include #include --- 12,18 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: iptest.c,v 2.0.2.8.2.1 1997/11/28 03:36:18 darrenr Exp $"; #endif #include #include *************** *** 146,152 **** usage(name); } ! 
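Review bot: `i = sizeof(struct tcpiphdr) / sizeof(long)` still divides by `sizeof(long)` although `lbuf` is now `u_32_t`, so where long is 8 bytes `lbuf[i]` falls inside the header rather than just after it and the MSS option is tested and written in the wrong place; `sizeof(lbuf[0])` follows the array type. The in-place shift `bcopy((char *)ip + hlen + thlen, (char *)ip + hlen + thlen + 4, iplen - thlen - hlen)` gets a negative length whenever `th_off` claims more than `ip_len` holds, and with the old `realloc` removed it depends on the caller having left 4 spare bytes after the packet, which is not visible here. `thlen` is taken straight from `th_off` (up to 60) and then grows by 4, so the final copy out of `&ti->ti_sport` can run past the 20-word `lbuf`. A check such as `if (thlen < (int)sizeof(tcphdr_t) || iplen < hlen + thlen) return -1;` before the copies, with the `+4` case bounded against `sizeof(lbuf)`, would cover these. send_tcp's signature is outside the hunk.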
if (argc - optind < 2 && !tests) usage(name); dst = argv[optind++]; --- 146,152 ---- usage(name); } ! if ((argc <= optind) || !argv[optind]) usage(name); dst = argv[optind++]; *************** *** 209,214 **** --- 209,221 ---- ip_test7(dev, mtu, (ip_t *)ti, gwip, pointtest); break; default : + ip_test1(dev, mtu, (ip_t *)ti, gwip, pointtest); + ip_test2(dev, mtu, (ip_t *)ti, gwip, pointtest); + ip_test3(dev, mtu, (ip_t *)ti, gwip, pointtest); + ip_test4(dev, mtu, (ip_t *)ti, gwip, pointtest); + ip_test5(dev, mtu, (ip_t *)ti, gwip, pointtest); + ip_test6(dev, mtu, (ip_t *)ti, gwip, pointtest); + ip_test7(dev, mtu, (ip_t *)ti, gwip, pointtest); break; } return 0; Index: ipsend/iptests.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipsend/iptests.c,v retrieving revision 2.0.2.13 retrieving revision 2.0.2.13.2.1 diff -c -r2.0.2.13 -r2.0.2.13.2.1 *** 2.0.2.13 1997/10/23 11:42:45 --- 2.0.2.13.2.1 1997/11/28 03:37:10 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13 1997/10/23 11:42:45 darrenr Exp $"; #endif #include #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: iptests.c,v 2.0.2.13.2.1 1997/11/28 03:37:10 darrenr Exp $"; #endif #include #include *************** *** 892,897 **** --- 892,898 ---- t->th_sum = 0; t->th_seq = 1; t->th_ack = 0; + ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t); nfd = initdevice(dev, t->th_sport, 1); if (!ptest || (ptest == 1)) { *************** *** 1021,1029 **** PAUSE(); } ! #if !defined(linux) && !defined(__SVR4) && !defined(__svr4__) && !defined(__sgi) { ! struct tcpcb *t, tcb; struct tcpiphdr ti; struct sockaddr_in sin; int fd, slen; --- 1022,1031 ---- PAUSE(); } ! #if !defined(linux) && !defined(__SVR4) && !defined(__svr4__) && \ ! !defined(__sgi) { ! 
struct tcpcb *tcbp, tcb; struct tcpiphdr ti; struct sockaddr_in sin; int fd, slen; *************** *** 1032,1041 **** --- 1034,1046 ---- for (i = 1; i < 63; i++) { fd = socket(AF_INET, SOCK_STREAM, 0); + bzero((char *)&sin, sizeof(sin)); sin.sin_addr.s_addr = ip->ip_dst.s_addr; sin.sin_port = htons(i); + sin.sin_family = AF_INET; if (!connect(fd, (struct sockaddr *)&sin, sizeof(sin))) break; + close(fd); } if (i == 63) { *************** *** 1046,1060 **** } bcopy((char *)ip, (char *)&ti, sizeof(*ip)); ! ti.ti_dport = i; slen = sizeof(sin); if (!getsockname(fd, (struct sockaddr *)&sin, &slen)) ! ti.ti_sport = sin.sin_port; ! if (!(t = find_tcp(fd, &ti))) { printf("Can't find PCB\n"); goto skip_five_and_six; } ! KMCPY(&tcb, t, sizeof(tcb)); ti.ti_win = tcb.rcv_adv; ti.ti_seq = tcb.snd_nxt - 1; ti.ti_ack = tcb.rcv_nxt; --- 1051,1065 ---- } bcopy((char *)ip, (char *)&ti, sizeof(*ip)); ! t->th_dport = htons(i); slen = sizeof(sin); if (!getsockname(fd, (struct sockaddr *)&sin, &slen)) ! t->th_sport = sin.sin_port; ! if (!(tcbp = find_tcp(fd, &ti))) { printf("Can't find PCB\n"); goto skip_five_and_six; } ! KMCPY(&tcb, tcbp, sizeof(tcb)); ti.ti_win = tcb.rcv_adv; ti.ti_seq = tcb.snd_nxt - 1; ti.ti_ack = tcb.rcv_nxt; *************** *** 1063,1089 **** /* * Test 5: urp */ ! printf("5.1 TCP Urgent pointer\n"); ! ti.ti_urp = 1; (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); ! ti.ti_urp = 0x7fff; (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); ! ti.ti_urp = 0x8000; (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); ! ti.ti_urp = 0xffff; (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); } if (!ptest || (ptest == 6)) { /* * Test 6: data offset, off = 0, off is inside, off is outside */ ! printf("6.1 TCP off = 0-15, len = 40\n"); ! for (i = 0; i < 16; i++) { ti.ti_off = ntohs(i); (void) send_tcp(nfd, mtu, ip, gwip); printf("%d\r", i); --- 1068,1103 ---- /* * Test 5: urp */ ! t->th_flags = TH_ACK|TH_URG; ! printf("5.5.1 TCP Urgent pointer, sport %hu dport %hu\n", ! 
ntohs(t->th_sport), ntohs(t->th_dport)); ! t->th_urp = htons(1); (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); ! ! t->th_seq = tcb.snd_nxt; ! ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t) + 1; ! t->th_urp = htons(0x7fff); (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); ! t->th_urp = htons(0x8000); (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); ! t->th_urp = htons(0xffff); (void) send_tcp(nfd, mtu, ip, gwip); PAUSE(); + t->th_urp = htons(0); + t->th_flags &= ~TH_URG; + ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t); } if (!ptest || (ptest == 6)) { /* * Test 6: data offset, off = 0, off is inside, off is outside */ ! t->th_flags = TH_ACK; ! printf("5.6.1 TCP off = 1-15, len = 40\n"); ! for (i = 1; i < 16; i++) { ti.ti_off = ntohs(i); (void) send_tcp(nfd, mtu, ip, gwip); printf("%d\r", i); *************** *** 1091,1096 **** --- 1105,1111 ---- PAUSE(); } putchar('\n'); + ip->ip_len = sizeof(ip_t) + sizeof(tcphdr_t); } (void) close(fd); *************** *** 1099,1107 **** #endif t->th_seq = 1; t->th_ack = 1; if (!ptest || (ptest == 7)) { - t->th_off = 0; t->th_flags = TH_SYN; /* * Test 7: sport = 0, sport = 1, sport = 32767 --- 1114,1122 ---- #endif t->th_seq = 1; t->th_ack = 1; + t->th_off = 0; if (!ptest || (ptest == 7)) { t->th_flags = TH_SYN; /* * Test 7: sport = 0, sport = 1, sport = 32767 *************** *** 1140,1145 **** --- 1155,1161 ---- if (!ptest || (ptest == 8)) { t->th_sport = 1; + t->th_flags = TH_SYN; /* * Test 8: dport = 0, dport = 1, dport = 32767 * dport = 32768, dport = 65535 *************** *** 1174,1179 **** --- 1190,1209 ---- fflush(stdout); PAUSE(); } + + /* LAND attack - self connect, so make src & dst ip/port the same */ + if (!ptest || (ptest == 9)) { + printf("5.9 TCP LAND attack. 
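Review bot: Test 6 still stores the data offset in the local copy with `ti.ti_off = ntohs(i)`, while `send_tcp(nfd, mtu, ip, gwip)` transmits the packet behind `ip`/`t`, so the loop never varies the offset on the wire. This hunk moved the urgent-pointer writes to `t->th_urp` but left this line alone. `ntohs` is also wrong for a 4-bit field, since on a little-endian host the swapped value truncates to 0; the line should read `t->th_off = i;`. The `ti.ti_win`, `ti.ti_seq` and `ti.ti_ack` assignments in the preceding hunk are likewise made on `ti` rather than on the packet, though `ti` may still be what `find_tcp` needs. The enclosing test function starts and ends outside the hunk.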
sport = 25, dport = 25\n"); + /* chose SMTP port 25 */ + t->th_sport = htons(25); + t->th_dport = htons(25); + t->th_flags = TH_SYN; + ip->ip_src = ip->ip_dst; + (void) send_tcp(nfd, mtu, ip, gwip); + fflush(stdout); + PAUSE(); + } + /* TCP options header checking */ /* 0 length options, etc */ } *************** *** 1208,1213 **** --- 1238,1246 ---- u->uh_dport = htons(u->uh_dport); u->uh_ulen = 7168; + printf("6. Exhaustive mbuf test.\n"); + printf(" Send 7k packet in 768 & 128 byte fragments, 128 times.\n"); + printf(" Total of around 8,900 packets\n"); for (i = 0; i < 128; i++) { /* * First send the entire packet in 768 byte chunks. Index: ipsend/sock.c =================================================================== RCS file: /devel/CVS/IP-Filter/ipsend/sock.c,v retrieving revision 2.0.2.9 retrieving revision 2.0.2.9.2.1 diff -c -r2.0.2.9 -r2.0.2.9.2.1 *** 2.0.2.9 1997/09/28 07:13:37 --- 2.0.2.9.2.1 1997/11/28 03:36:01 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9 1997/09/28 07:13:37 darrenr Exp $"; #endif #include #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: sock.c,v 2.0.2.9.2.1 1997/11/28 03:36:01 darrenr Exp $"; #endif #include #include *************** *** 253,259 **** mib[2] = KERN_PROC_PID; mib[3] = pid; ! n = 1; if (sysctl(mib, 4, &kp, &n, NULL, 0) == -1) { perror("sysctl"); --- 253,259 ---- mib[2] = KERN_PROC_PID; mib[3] = pid; ! 
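Review bot: The new test 9 overwrites `ip->ip_src` with `ip->ip_dst` and sets both ports to 25 without restoring any of them afterwards. The iptest.c change in this same diff makes the default case call `ip_test1` through `ip_test7` back to back on the same header, so the tests that follow would presumably run with source equal to destination and no longer measure what their banners say. Saving and restoring around the send keeps the cases independent: `struct in_addr osrc = ip->ip_src;` before the assignment and `ip->ip_src = osrc;` after `PAUSE();`, with the ports handled the same way. The enclosing function continues outside the hunk.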
n = sizeof(kp); if (sysctl(mib, 4, &kp, &n, NULL, 0) == -1) { perror("sysctl"); Index: man/ipf.4 =================================================================== RCS file: /devel/CVS/IP-Filter/man/ipf.4,v retrieving revision 2.0.2.4 retrieving revision 2.0.2.4.2.1 diff -c -r2.0.2.4 -r2.0.2.4.2.1 *** 2.0.2.4 1997/09/10 13:09:09 --- 2.0.2.4.2.1 1997/11/28 07:25:04 *************** *** 201,204 **** }; .fi .SH SEE ALSO ! ipfstat(1), ipf(1), ipf(5) --- 201,204 ---- }; .fi .SH SEE ALSO ! ipfstat(8), ipf(8), ipf(5) Index: man/ipf.5 =================================================================== RCS file: /devel/CVS/IP-Filter/man/ipf.5,v retrieving revision 2.0.2.6 retrieving revision 2.0.2.6.2.2 diff -c -r2.0.2.6 -r2.0.2.6.2.2 *** 2.0.2.6 1997/09/09 14:26:00 --- 2.0.2.6.2.2 1997/11/28 07:26:00 *************** *** 481,484 **** .br /etc/hosts .SH SEE ALSO ! ipf(1), ipftest(1), mkfilters(1) --- 481,484 ---- .br /etc/hosts .SH SEE ALSO ! ipf(8), ipftest(1), mkfilters(1), ipmon(8) Index: man/ipf.8 =================================================================== RCS file: /devel/CVS/IP-Filter/man/ipf.8,v retrieving revision 2.0.2.4 retrieving revision 2.0.2.4.2.2 diff -c -r2.0.2.4 -r2.0.2.4.2.2 *** 2.0.2.4 1997/10/29 13:01:43 --- 2.0.2.4.2.2 1997/11/28 07:25:05 *************** *** 10,16 **** ] [ .B \-F ! ] .B \-f <\fIfilename\fP> --- 10,16 ---- ] [ .B \-F ! ] .B \-f <\fIfilename\fP> *************** *** 43,55 **** .B \-E Enable the filter (if disabled). Not effective for loadable kernel versions. .TP ! .BR \-F \0 This option specifies which filter list to flush. The parameter should either be "i" (input), "o" (output) or "a" (remove all filter rules). Either a single letter or an entire word starting with the appropriate letter maybe used. This option maybe before, or after, any other with the order on the command line being that used to execute options. 
.TP .BR \-f \0 This option specifies which files \fBipf\fP should use to get input from for modifying the packet filter rule --- 43,63 ---- .B \-E Enable the filter (if disabled). Not effective for loadable kernel versions. .TP ! .BR \-F \0 This option specifies which filter list to flush. The parameter should either be "i" (input), "o" (output) or "a" (remove all filter rules). Either a single letter or an entire word starting with the appropriate letter maybe used. This option maybe before, or after, any other with the order on the command line being that used to execute options. .TP + .BR \-F \0 + To flush entries from the state table, the \fB-F\fP option is used in + conjuction with either "s" (removes state information about any non-fully + established connections) or "S" (deletes the entire state table). Only + one of the two options may be given. A fully established connection + will show up in \fBipfstat -s\fP output as 4/4, with deviations either + way indicating it is not fully established any more. + .TP .BR \-f \0 This option specifies which files \fBipf\fP should use to get input from for modifying the packet filter rule *************** *** 99,105 **** affect fragment or state statistics). .DT .SH SEE ALSO ! ipfstat(1), ipftest(1), ipf(5), mkfilters(1) .SH DIAGNOSTICS .PP Needs to be run as root for the packet filtering lists to actually --- 107,113 ---- affect fragment or state statistics). .DT .SH SEE ALSO ! ipfstat(8), ipftest(1), ipf(5), mkfilters(1) .SH DIAGNOSTICS .PP Needs to be run as root for the packet filtering lists to actually Index: man/ipfilter.5 =================================================================== RCS file: /devel/CVS/IP-Filter/man/ipfilter.5,v retrieving revision 2.0.2.2 retrieving revision 2.0.2.2.2.1 diff -c -r2.0.2.2 -r2.0.2.2.2.1 *** 2.0.2.2 1997/04/30 15:08:55 --- 2.0.2.2.2.1 1997/11/28 07:25:06 *************** *** 4,7 **** .SH DESCRIPTION .PP .SH SEE ALSO ! 
ipf(1), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1) --- 4,7 ---- .SH DESCRIPTION .PP .SH SEE ALSO ! ipf(8), ipf(1), ipf(5), ipnat(1), ipnat(5), mkfilters(1) Index: man/ipfstat.8 =================================================================== RCS file: /devel/CVS/IP-Filter/man/ipfstat.8,v retrieving revision 2.0.2.2 retrieving revision 2.0.2.2.2.1 diff -c -r2.0.2.2 -r2.0.2.2.2.1 *** 2.0.2.2 1997/09/09 14:26:01 --- 2.0.2.2.2.1 1997/11/28 07:25:06 *************** *** 71,76 **** .br /vmunix .SH SEE ALSO ! ipf(1) .SH BUGS none known. --- 71,76 ---- .br /vmunix .SH SEE ALSO ! ipf(8) .SH BUGS none known. Index: man/ipftest.1 =================================================================== RCS file: /devel/CVS/IP-Filter/man/ipftest.1,v retrieving revision 2.0.2.1 retrieving revision 2.0.2.1.2.1 diff -c -r2.0.2.1 -r2.0.2.1.2.1 *** 2.0.2.1 1997/01/12 08:48:10 --- 2.0.2.1.2.1 1997/11/28 07:25:07 *************** *** 121,127 **** Specify the filename from which to read filter rules. .SH FILES .SH SEE ALSO ! ipf(1), ipf(5), snoop(1m), tcpdump(8), etherfind(8c) .SH BUGS Not all of the input formats are sufficiently capable of introducing a wide enough variety of packets for them to be all useful in testing. --- 121,127 ---- Specify the filename from which to read filter rules. .SH FILES .SH SEE ALSO ! ipf(8), ipf(5), snoop(1m), tcpdump(8), etherfind(8c) .SH BUGS Not all of the input formats are sufficiently capable of introducing a wide enough variety of packets for them to be all useful in testing. Index: man/ipmon.8 =================================================================== RCS file: /devel/CVS/IP-Filter/man/ipmon.8,v retrieving revision 2.0.2.3 retrieving revision 2.0.2.3.2.1 diff -c -r2.0.2.3 -r2.0.2.3.2.1 *** 2.0.2.3 1997/09/09 14:26:03 --- 2.0.2.3.2.1 1997/11/28 07:25:07 *************** *** 4,10 **** .SH SYNOPSIS .B ipmon [ ! .B \-aFhnNsStvxX ] [ .B "\-f " ] [ --- 4,18 ---- .SH SYNOPSIS .B ipmon [ ! .B \-aFhnstvxX ! ] [ ! .B "\-o [NSI]" ! ] [ ! 
.B "\-O [NSI]" ! ] [ ! .B "\-N " ! ] [ ! .B "\-S " ] [ .B "\-f " ] [ *************** *** 27,48 **** are displayed to the same output 'device' (stderr or syslog). .TP .B "\-f " ! specify an alternative device/file from which to read the log information. .TP .B \-F Flush the current packet log buffer. The number of bytes flushed is displayed, even should the result be zero. .TP .B \-n IP addresses and port numbers will be mapped, where possible, back into hostnames and service names. .TP ! .B \-N ! Treat the logfile as being composed of NAT log records. .TP .B \-s Packet information read in will be sent through syslogd rather than saved to a file. The following levels are used: .IP .B LOG_INFO \- packets logged using the "log" keyword as the action rather --- 35,74 ---- are displayed to the same output 'device' (stderr or syslog). .TP .B "\-f " ! specify an alternative device/file from which to read the log information ! for normal IP Filter log records. .TP .B \-F Flush the current packet log buffer. The number of bytes flushed is displayed, even should the result be zero. .TP + .B "\-N " + Set the logfile to be opened for reading NAT log records from to . + .TP .B \-n IP addresses and port numbers will be mapped, where possible, back into hostnames and service names. .TP ! .B "\-N " ! Set the logfile to be opened for reading NAT log records from to . ! .TP ! .B \-o ! Specify which log files to actually read data from. N - NAT logfile, ! S - State logfile, I - normal IP Filter logfile. The \fB-a\fP option is ! equivalent to using \fB-o NSI\fP. ! .TP ! .B \-O ! Specify which log files you do not wish to read from. This is most sensibly ! used with the \fB-a\fP. Letters available as paramters to this are the same ! as for \fB-o\fP. .TP .B \-s Packet information read in will be sent through syslogd rather than saved to a file. The following levels are used: + .TP + .B "\-S " + Set the logfile to be opened for reading state log records from to . 
+ .TP .IP .B LOG_INFO \- packets logged using the "log" keyword as the action rather *************** *** 76,80 **** .SH FILES /dev/ipl .SH SEE ALSO ! ipf(1), ipfstat(1) .SH BUGS --- 102,106 ---- .SH FILES /dev/ipl .SH SEE ALSO ! ipf(8), ipfstat(8) .SH BUGS Index: man/ipnat.1 =================================================================== RCS file: /devel/CVS/IP-Filter/man/ipnat.1,v retrieving revision 2.0.2.2 retrieving revision 2.0.2.2.2.1 diff -c -r2.0.2.2 -r2.0.2.2.2.1 *** 2.0.2.2 1997/02/23 10:39:41 --- 2.0.2.2.2.1 1997/11/28 07:25:08 *************** *** 42,45 **** Turn verbose mode on. Displays information relating to rule processing. .DT .SH SEE ALSO ! ipfstat(1), ipftest(1), ipf(1), ipnat(5) --- 42,45 ---- Turn verbose mode on. Displays information relating to rule processing. .DT .SH SEE ALSO ! ipfstat(1), ipftest(8), ipf(8), ipnat(5) Index: man/ipnat.4 =================================================================== RCS file: /devel/CVS/IP-Filter/man/ipnat.4,v retrieving revision 2.0.2.2 retrieving revision 2.0.2.2.2.1 diff -c -r2.0.2.2 -r2.0.2.2.2.1 *** 2.0.2.2 1997/09/10 13:09:10 --- 2.0.2.2.2.1 1997/11/28 07:25:08 *************** *** 88,91 **** It would be nice if there were more flexibility when adding and deleting filter rules. .SH SEE ALSO ! ipfstat(1), ipf(1), ipf(4), ipnat(5) --- 88,91 ---- It would be nice if there were more flexibility when adding and deleting filter rules. .SH SEE ALSO ! ipfstat(8), ipf(8), ipf(4), ipnat(5) Index: man/mkfilters.1 =================================================================== RCS file: /devel/CVS/IP-Filter/man/mkfilters.1,v retrieving revision 2.0.2.1 retrieving revision 2.0.2.1.2.1 diff -c -r2.0.2.1 -r2.0.2.1.2.1 *** 2.0.2.1 1997/04/30 15:16:50 --- 2.0.2.1.2.1 1997/11/28 07:25:09 *************** *** 9,13 **** use with \fBipfilter\fP by parsing the output of \fBifconfig\fP. .DT .SH SEE ALSO ! ipf(1), ipf(5), ipfilter(5), ifconfig(8) ! 
--- 9,12 ---- use with \fBipfilter\fP by parsing the output of \fBifconfig\fP. .DT .SH SEE ALSO ! ipf(8), ipf(5), ipfilter(5), ifconfig(8) Index: samples/proxy.c =================================================================== RCS file: /devel/CVS/IP-Filter/samples/proxy.c,v retrieving revision 2.0.2.2 retrieving revision 2.0.2.2.2.1 diff -c -r2.0.2.2 -r2.0.2.2.2.1 *** 2.0.2.2 1997/10/05 07:52:25 --- 2.0.2.2.2.1 1997/11/24 12:13:21 *************** *** 97,103 **** * Log it */ syslog(LOG_DAEMON|LOG_INFO, "connect to %s,%d", ! inet_ntoa(natlook.nl_realip), natlook.nl_realport); printf("connect to %s,%d\n", inet_ntoa(natlook.nl_realip), ntohs(natlook.nl_realport)); --- 97,103 ---- * Log it */ syslog(LOG_DAEMON|LOG_INFO, "connect to %s,%d", ! inet_ntoa(natlook.nl_realip), ntohs(natlook.nl_realport)); printf("connect to %s,%d\n", inet_ntoa(natlook.nl_realip), ntohs(natlook.nl_realport));