diff -cr ip_fil3.2.8/HISTORY ip_fil3.2.9/HISTORY *** ip_fil3.2.8/HISTORY Mon Jun 8 02:32:07 1998 --- ip_fil3.2.9/HISTORY Mon Jun 22 22:21:58 1998 *************** *** 11,16 **** --- 11,26 ---- # Thanks also to all those who have contributed patches and other code, # and especially those who have found the time to port IP Filter to new # platforms. + 3.2.9 22/06/98 - Released + + fix byte order for ICMP packets generated on Solaris + + fix some locking problems. + + fix malloc bug in NAT (introduced in 3.2.8). + + patch from guido for state connections that get fragmented + 3.2.8 08/06/98 - Released use readers/writers locks in Solaris2 in place of some mutexes. diff -cr ip_fil3.2.8/SunOS5/Makefile ip_fil3.2.9/SunOS5/Makefile *** ip_fil3.2.8/SunOS5/Makefile Mon Jun 8 02:28:35 1998 --- ip_fil3.2.9/SunOS5/Makefile Sat Jun 13 23:41:31 1998 *************** *** 231,236 **** --- 231,237 ---- -$(INSTALL) ip_auth.h $(ROOTINC)/netinet -(cd $(CPUDIR); ln -s ../prototype ../pkginfo ../copyright ../postinstall .) (cd $(CPUDIR); pkgmk -o -d $(TMP)) + touch $(CPUDIR)/ipf.pkg pkgtrans -s ${TMP} $(CPUDIR)/ipf.pkg ipf /bin/rm -f ipf.pkg ln -s $(CPUDIR)/ipf.pkg ipf.pkg diff -cr ip_fil3.2.8/SunOS5/pkginfo ip_fil3.2.9/SunOS5/pkginfo *** ip_fil3.2.8/SunOS5/pkginfo Mon Jun 8 02:32:45 1998 --- ip_fil3.2.9/SunOS5/pkginfo Sun Jun 14 23:25:16 1998 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.2,REV=8 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.2,REV=9 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.2.8/ip_auth.c ip_fil3.2.9/ip_auth.c *** ip_fil3.2.8/ip_auth.c Sun Jun 7 00:36:16 1998 --- ip_fil3.2.9/ip_auth.c Sat Jun 13 23:40:49 1998 *************** *** 6,12 **** * to the original author and the contributors. */ #if !defined(lint) ! 
static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.4 1998/06/06 14:36:16 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) --- 6,12 ---- * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.0.2.21.2.5 1998/06/13 13:40:49 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) *************** *** 291,298 **** --- 291,300 ---- if (!fae) error = ESRCH; else { + WRITE_ENTER(&ipf_auth); *faep = fae->fae_next; *frptr = fr->fr_next; + RWLOCK_EXIT(&ipf_auth); KFREE(fae); } } else { *************** *** 300,305 **** --- 302,308 ---- if (fae != NULL) { IRCOPY((char *)data, (char *)&fae->fae_fr, sizeof(fae->fae_fr)); + WRITE_ENTER(&ipf_auth); if (!fae->fae_age) fae->fae_age = fr_defaultauthage; fae->fae_fr.fr_hits = 0; *************** *** 307,312 **** --- 310,316 ---- *frptr = &fae->fae_fr; fae->fae_next = *faep; *faep = fae; + RWLOCK_EXIT(&ipf_auth); } else error = ENOMEM; } diff -cr ip_fil3.2.8/ip_nat.c ip_fil3.2.9/ip_nat.c *** ip_fil3.2.8/ip_nat.c Mon Jun 8 16:58:32 1998 --- ip_fil3.2.9/ip_nat.c Sat Jun 13 23:42:47 1998 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.12 1998/06/08 06:58:32 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.0.2.44.2.13 1998/06/13 13:42:47 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 204,210 **** caddr_t data; int mode; { ! register ipnat_t *nat, *n = NULL, **np = NULL; ipnat_t natd; int error = 0, ret; #if defined(_KERNEL) && !SOLARIS --- 204,210 ---- caddr_t data; int mode; { ! 
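Review bot: In the ip_auth.c removal branch (hunk at 291) the new `WRITE_ENTER(&ipf_auth)` covers only the two unlink stores, after `fae` and `faep` have already been computed. The search that produced them lies outside the hunk, so this is inferred, but if it runs without ipf_auth held, another writer can change the list between the lookup and `*faep = fae->fae_next`, and the unlink then works on a stale link. I would take the write lock before the lookup and release it after the unlink, leaving `KFREE(fae)` outside the lock as it is now. The add branch (hunks at 300 and 307) also stores through `faep` under the lock, so the same question applies to where that pointer was derived.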
register ipnat_t *nat, *nt, *n = NULL, **np = NULL; ipnat_t natd; int error = 0, ret; #if defined(_KERNEL) && !SOLARIS *************** *** 212,218 **** #endif nat = NULL; /* XXX gcc -Wuninitialized */ ! KMALLOC(n, ipnat_t *, sizeof(*n)); if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) IRCOPY(data, (char *)&natd, sizeof(natd)); --- 212,218 ---- #endif nat = NULL; /* XXX gcc -Wuninitialized */ ! KMALLOC(nt, ipnat_t *, sizeof(*nt)); if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) IRCOPY(data, (char *)&natd, sizeof(natd)); *************** *** 242,247 **** --- 242,249 ---- error = EEXIST; break; } + n = nt; + nt = NULL; if (n == NULL) { error = ENOMEM; break; *************** *** 325,330 **** --- 327,333 ---- } ret = nat_flushtable(); (void) ap_unload(); + MUTEX_DOWNGRADE(&ipf_nat); IWCOPY((caddr_t)&ret, data, sizeof(ret)); break; case SIOCCNATL : *************** *** 333,343 **** break; } ret = nat_clearlist(); IWCOPY((caddr_t)&ret, data, sizeof(ret)); break; case FIONREAD : - MUTEX_DOWNGRADE(&ipf_nat); #ifdef IPFILTER_LOG IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data, sizeof(iplused[IPL_LOGNAT])); #endif --- 336,347 ---- break; } ret = nat_clearlist(); + MUTEX_DOWNGRADE(&ipf_nat); IWCOPY((caddr_t)&ret, data, sizeof(ret)); break; case FIONREAD : #ifdef IPFILTER_LOG + MUTEX_DOWNGRADE(&ipf_nat); IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data, sizeof(iplused[IPL_LOGNAT])); #endif *************** *** 345,352 **** } RWLOCK_EXIT(&ipf_nat); SPL_X(s); ! if (n) ! KFREE(n); return error; } --- 349,356 ---- } RWLOCK_EXIT(&ipf_nat); SPL_X(s); ! if (nt) ! KFREE(nt); return error; } diff -cr ip_fil3.2.8/ip_sfil.c ip_fil3.2.9/ip_sfil.c *** ip_fil3.2.8/ip_sfil.c Mon Jun 8 17:08:06 1998 --- ip_fil3.2.9/ip_sfil.c Mon Jun 22 22:20:26 1998 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! 
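Review bot: The hand-over `n = nt; nt = NULL;` in the ip_nat.c hunk at 242 is what keeps the exit path's `KFREE(nt)` from freeing an entry that has been linked into the NAT list, and nothing in the code says so. A comment such as `/* nt is consumed here; clearing it stops the KFREE(nt) at exit from freeing a rule that is now on the list */` would keep a later cleanup from merging the two variables again. It is also worth a line at `KMALLOC(nt, ipnat_t *, sizeof(*nt))` in the hunk at 212 saying that the allocation is made for every command and that a NULL result is only checked in what appears to be the add path. The function begins and ends outside these hunks.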
static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.8 1998/06/08 07:08:06 darrenr Exp $"; #endif #include --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.0.2.25.2.10 1998/06/22 12:20:26 darrenr Exp $"; #endif #include *************** *** 117,129 **** mutex_init(&ipf_rw, "ipf rw mutex", MUTEX_DRIVER, NULL); mutex_init(&ipf_authmx, "ipf auth log mutex", MUTEX_DRIVER, NULL); rw_init(&ipf_solaris, "ipf filter load/unload mutex", RW_DRIVER, NULL); ! rw_init(&ipf_mutex, "ipf filter mutex", RW_DRIVER, NULL); rw_init(&ipfs_mutex, "ipf solaris mutex", RW_DRIVER, NULL); ! rw_init(&ipf_frag, "ipf fragment mutex", RW_DRIVER, NULL); ! rw_init(&ipf_state, "ipf IP state mutex", RW_DRIVER, NULL); ! rw_init(&ipf_nat, "ipf IP NAT mutex", RW_DRIVER, NULL); ! rw_init(&ipf_natfrag, "ipf IP NAT-Frag mutex", RW_DRIVER, NULL); ! rw_init(&ipf_auth, "ipf IP User-Auth mutex", RW_DRIVER, NULL); cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL); cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL); ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000)); --- 117,129 ---- mutex_init(&ipf_rw, "ipf rw mutex", MUTEX_DRIVER, NULL); mutex_init(&ipf_authmx, "ipf auth log mutex", MUTEX_DRIVER, NULL); rw_init(&ipf_solaris, "ipf filter load/unload mutex", RW_DRIVER, NULL); ! rw_init(&ipf_mutex, "ipf filter rwlock", RW_DRIVER, NULL); rw_init(&ipfs_mutex, "ipf solaris mutex", RW_DRIVER, NULL); ! rw_init(&ipf_frag, "ipf fragment rwlock", RW_DRIVER, NULL); ! rw_init(&ipf_state, "ipf IP state rwlock", RW_DRIVER, NULL); ! rw_init(&ipf_nat, "ipf IP NAT rwlock", RW_DRIVER, NULL); ! rw_init(&ipf_natfrag, "ipf IP NAT-Frag rwlock", RW_DRIVER, NULL); ! 
rw_init(&ipf_auth, "ipf IP User-Auth rwlock", RW_DRIVER, NULL); cv_init(&iplwait, "ipl condvar", CV_DRIVER, NULL); cv_init(&ipfauthwait, "ipf auth condvar", CV_DRIVER, NULL); ipfr_timer_id = timeout(ipfr_slowtimer, NULL, drv_usectohz(500000)); *************** *** 219,236 **** case SIOCZRLST : if (!(mode & FWRITE)) return EPERM; - rw_enter(&ipf_mutex, RW_WRITER); error = frrequest(unit, cmd, (caddr_t)data, fr_active); - rw_exit(&ipf_mutex); break; case SIOCINIFR : case SIOCRMIFR : case SIOCADIFR : if (!(mode & FWRITE)) return EPERM; - rw_enter(&ipf_mutex, RW_WRITER); error = frrequest(unit, cmd, (caddr_t)data, 1 - fr_active); - rw_exit(&ipf_mutex); break; case SIOCSWAPA : if (!(mode & FWRITE)) --- 219,232 ---- *************** *** 365,380 **** fp = &fr; IRCOPY(data, (caddr_t)fp, sizeof(*fp)); /* * Check that the group number does exist and that if a head group * has been specified, doesn't exist. */ if (fp->fr_grhead && ! fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL)) ! return EEXIST; if (fp->fr_group && ! !fr_findgroup(fp->fr_group, fp->fr_flags, unit, set, NULL)) ! return ESRCH; in = (fp->fr_flags & FR_INQUE) ? 0 : 1; --- 361,381 ---- fp = &fr; IRCOPY(data, (caddr_t)fp, sizeof(*fp)); + rw_enter(&ipf_mutex, RW_WRITER); /* * Check that the group number does exist and that if a head group * has been specified, doesn't exist. */ if (fp->fr_grhead && ! fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL)) { ! error = EEXIST; ! goto out; ! } if (fp->fr_group && ! !fr_findgroup(fp->fr_group, fp->fr_flags, unit, set, NULL)) { ! error = ESRCH; ! goto out; ! } in = (fp->fr_flags & FR_INQUE) ? 0 : 1; *************** *** 384,395 **** ftail = fprev = &ipacct[in][set]; else if (fp->fr_flags & (FR_OUTQUE|FR_INQUE)) ftail = fprev = &ipfilter[in][set]; ! else ! return ESRCH; if ((group = fp->fr_group)) { ! if (!(fg = fr_findgroup(group, fp->fr_flags, unit, set, NULL))) ! 
return ESRCH; ftail = fprev = fg->fg_start; } --- 385,400 ---- ftail = fprev = &ipacct[in][set]; else if (fp->fr_flags & (FR_OUTQUE|FR_INQUE)) ftail = fprev = &ipfilter[in][set]; ! else { ! error = ESRCH; ! goto out; ! } if ((group = fp->fr_group)) { ! if (!(fg = fr_findgroup(group, fp->fr_flags, unit, set,NULL))){ ! error = ESRCH; ! goto out; ! } ftail = fprev = fg->fg_start; } *************** *** 455,466 **** * If zero'ing statistics, copy current to caller and zero. */ if (req == SIOCZRLST) { ! if (!f) ! return ESRCH; IWCOPY((caddr_t)f, data, sizeof(*f)); f->fr_hits = 0; f->fr_bytes = 0; ! return 0; } if (!f) { --- 460,474 ---- * If zero'ing statistics, copy current to caller and zero. */ if (req == SIOCZRLST) { ! if (!f) { ! error = ESRCH; ! goto out; ! } ! rw_downgrade(&ipf_mutex); IWCOPY((caddr_t)f, data, sizeof(*f)); f->fr_hits = 0; f->fr_bytes = 0; ! goto out; } if (!f) { *************** *** 478,489 **** if (!f) error = ESRCH; else { ! if (f->fr_ref > 1) ! return EBUSY; if (fg && fg->fg_head) fg->fg_head->fr_ref--; ! if (unit == IPL_LOGAUTH) ! return fr_auth_ioctl(data, req, f, ftail); if (f->fr_grhead) fr_delgroup(f->fr_grhead, fp->fr_flags, unit, set); --- 486,501 ---- if (!f) error = ESRCH; else { ! if (f->fr_ref > 1) { ! error = EBUSY; ! goto out; ! } if (fg && fg->fg_head) fg->fg_head->fr_ref--; ! if (unit == IPL_LOGAUTH) { ! error = fr_auth_ioctl(data, req, f, ftail); ! goto out; ! } if (f->fr_grhead) fr_delgroup(f->fr_grhead, fp->fr_flags, unit, set); *************** *** 492,502 **** KFREE(f); } } else { ! if (f) error = EEXIST; ! else { ! if (unit == IPL_LOGAUTH) ! return fr_auth_ioctl(data, req, f, ftail); KMALLOC(f, frentry_t *, sizeof(*f)); if (f != NULL) { if (fg && fg->fg_head) --- 504,516 ---- KFREE(f); } } else { ! if (f) { error = EEXIST; ! } else { ! if (unit == IPL_LOGAUTH) { ! error = fr_auth_ioctl(data, req, f, ftail); ! goto out; ! 
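Review bot: In the SIOCZRLST branch (ip_sfil.c hunk at 455) the stores `f->fr_hits = 0; f->fr_bytes = 0;` now run after `rw_downgrade(&ipf_mutex)`, so the rule's counters are written while only a reader lock is held. How other holders of the reader lock touch these counters is not visible here, but a write under a shared lock is not protected against them. If the downgrade is meant to avoid holding the writer lock across `IWCOPY`, snapshot the rule into the local copy behind `fp`, zero the counters, and only then downgrade and copy the snapshot out. Separately, `IWCOPY((caddr_t)f, data, sizeof(*f))` hands the whole in-kernel rule structure to the caller, pointer fields such as `fr_next` included; clearing those in the snapshot before the copy-out would avoid exposing kernel addresses. The enclosing function begins and ends outside the hunk.

```c
	if (req == SIOCZRLST) {
		/* … unchanged: !f check setting ESRCH and goto out … */
		bcopy((char *)f, (char *)fp, sizeof(*fp));	/* snapshot under the writer lock */
		f->fr_hits = 0;
		f->fr_bytes = 0;
		rw_downgrade(&ipf_mutex);
		IWCOPY((caddr_t)fp, data, sizeof(*fp));
		goto out;
	}
```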
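Review bot: The lock nesting created at `error = fr_auth_ioctl(data, req, f, ftail);` (ip_sfil.c hunk at 478, and again in the hunk at 492) is not recorded anywhere. This function now holds ipf_mutex as writer for its whole body, and the ip_auth.c hunks in the same patch make fr_auth_ioctl() take ipf_auth as writer, so the order ipf_mutex then ipf_auth is now fixed. Whether any other path takes the two locks in the opposite order cannot be seen from this patch. I would add a comment at both call sites, for example `/* lock order: ipf_mutex (writer) held; fr_auth_ioctl() acquires ipf_auth */`. In the add path fr_auth_ioctl() also allocates with `KMALLOC` while ipf_mutex is held, which is worth confirming as non-sleeping.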
} KMALLOC(f, frentry_t *, sizeof(*f)); if (f != NULL) { if (fg && fg->fg_head) *************** *** 515,520 **** --- 529,536 ---- error = ENOMEM; } } + out: + rw_exit(&ipf_mutex); return (error); } *************** *** 532,538 **** #ifdef IPFDEBUG cmn_err(CE_CONT, "iplopen(%x,%x,%x,%x)\n", devp, flags, otype, cred); #endif ! if (!(otype & OTYP_CHR)) return ENXIO; min = (2 < min || min < 0) ? ENXIO : 0; return min; --- 548,554 ---- #ifdef IPFDEBUG cmn_err(CE_CONT, "iplopen(%x,%x,%x,%x)\n", devp, flags, otype, cred); #endif ! if (!fr_running || !(otype & OTYP_CHR)) return ENXIO; min = (2 < min || min < 0) ? ENXIO : 0; return min; *************** *** 663,668 **** --- 679,693 ---- bcopy((char *)ip, (char *)&icmp->icmp_ip, sizeof(*ip)); bcopy((char *)ip + (ip->ip_hl << 2), (char *)&icmp->icmp_ip + sizeof(*ip), 8); /* 64 bits */ + #ifndef sparc + ip = &icmp->icmp_ip; + { + u_short __iplen, __ipoff; + + ip->ip_len = htons(__iplen); + ip->ip_off = htons(__ipoff); + } + #endif icmp->icmp_cksum = ipf_cksum((u_short *)icmp, sizeof(*icmp) + 8); ip_wput(qif->qf_ill->ill_wq, mb); return 0; diff -cr ip_fil3.2.8/ip_state.c ip_fil3.2.9/ip_state.c *** ip_fil3.2.8/ip_state.c Mon Jun 8 02:27:12 1998 --- ip_fil3.2.9/ip_state.c Sat Jun 13 02:31:29 1998 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.17 1998/06/07 16:27:12 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__) --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! 
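Review bot: In the `#ifndef sparc` block added before the `ipf_cksum()` call (ip_sfil.c hunk at 663), `__iplen` and `__ipoff` are declared and then passed to `htons()` without ever being assigned. As a result `ip->ip_len` and `ip->ip_off` of the header quoted inside the ICMP error are set from indeterminate stack contents, which makes the quoted header wrong and puts uninitialised kernel stack bytes on the wire. Load the temporaries from the copied header before the two stores, presumably `__iplen = ip->ip_len; __ipoff = ip->ip_off;`, or drop them and write `ip->ip_len = htons(ip->ip_len);` and the same for `ip_off`. Identifiers beginning with a double underscore are also reserved for the implementation; `iplen`/`ipoff` would do. The function starts outside the hunk.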
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.0.2.24.2.18 1998/06/12 16:31:29 darrenr Exp $"; #endif #if !defined(_KERNEL) && !defined(KERNEL) && !defined(__KERNEL__) *************** *** 553,558 **** --- 553,561 ---- continue; pass = is->is_pass; RWLOCK_EXIT(&ipf_state); + if (fin->fin_fi.fi_fl & FI_FRAG) + ipfr_newfrag(ip, fin, + pass ^ FR_KEEPSTATE); WRITE_ENTER(&ipf_state); is->is_age = fr_icmptimeout; is->is_bytes += ip->ip_len; *************** *** 587,592 **** --- 590,598 ---- KFREE(is); } #endif + if (fin->fin_fi.fi_fl & FI_FRAG) + ipfr_newfrag(ip, fin, + pass ^ FR_KEEPSTATE); return pass; } } *************** *** 616,621 **** --- 622,630 ---- is->is_pkts++; MUTEX_EXIT(&ipf_rw); RWLOCK_EXIT(&ipf_state); + if (fin->fin_fi.fi_fl & FI_FRAG) + ipfr_newfrag(ip, fin, + pass ^ FR_KEEPSTATE); return pass; } RWLOCK_EXIT(&ipf_state); diff -cr ip_fil3.2.8/ipl.h ip_fil3.2.9/ipl.h *** ip_fil3.2.8/ipl.h Mon Jun 8 02:32:09 1998 --- ip_fil3.2.9/ipl.h Sun Jun 14 23:25:12 1998 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.2.8" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter v3.2.9" #endif diff -cr ip_fil3.2.8/solaris.c ip_fil3.2.9/solaris.c *** ip_fil3.2.8/solaris.c Mon Jun 8 16:58:54 1998 --- ip_fil3.2.9/solaris.c Mon Jun 22 22:20:56 1998 *************** *** 6,12 **** * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.7 1998/06/08 06:58:54 darrenr Exp $"; #include #include --- 6,12 ---- * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.0.2.22.2.8 1998/06/22 12:20:56 darrenr Exp $"; #include #include *************** *** 1173,1179 **** #ifndef sparc u_short __iplen, __ipoff; ! 
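Review bot: `pass ^ FR_KEEPSTATE` in the three added `ipfr_newfrag()` calls (ip_state.c hunks at 553, 587 and 616) toggles the flag rather than clearing it, so a `pass` value that arrives without FR_KEEPSTATE would be cached for the fragments with the bit set. If the intent is to strip the flag, `pass & ~FR_KEEPSTATE` says so and is correct for either input; whether `is_pass` always carries the bit cannot be seen from here. In the hunk at 553 the call also sits between `RWLOCK_EXIT(&ipf_state)` and `WRITE_ENTER(&ipf_state)`, after which `is` is dereferenced again, so a comment on what keeps `is` valid across that gap would help. The return value of `ipfr_newfrag()` is ignored in all three places, so a failure to record the fragment goes unnoticed.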
/* * If this is a duplicate mblk then we want ip to point at that * data, not the original, if and only if it is already pointing at --- 1173,1179 ---- #ifndef sparc u_short __iplen, __ipoff; ! #endif /* * If this is a duplicate mblk then we want ip to point at that * data, not the original, if and only if it is already pointing at *************** *** 1186,1192 **** * area. However, we only need to change it back if we didn't copy * the IP header data out. */ ! __iplen = (u_short)ip->ip_len, __ipoff = (u_short)ip->ip_off; --- 1186,1192 ---- * area. However, we only need to change it back if we didn't copy * the IP header data out. */ ! #ifndef sparc __iplen = (u_short)ip->ip_len, __ipoff = (u_short)ip->ip_off;