diff -cr ip_fil3.3.17/HISTORY ip_fil3.3.18/HISTORY *** ip_fil3.3.17/HISTORY Sat Jul 8 12:52:15 2000 --- ip_fil3.3.18/HISTORY Tue Aug 8 01:10:26 2000 *************** *** 20,25 **** --- 20,37 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.3.18 08/08/2000 - Released + + fix up command checking in the ftp proxy + + fix getting the version from the kernel for solaris + + fix icmp state checking bug + + print out better information for ICMP packets in ipmon + + open ipfilter device read only if we know we can + 3.3.17 08/07/2000 - Released increase default state table sizes diff -cr ip_fil3.3.17/SunOS5/pkginfo ip_fil3.3.18/SunOS5/pkginfo *** ip_fil3.3.17/SunOS5/pkginfo Sat Jul 8 12:52:17 2000 --- ip_fil3.3.18/SunOS5/pkginfo Tue Aug 8 01:10:27 2000 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.17 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.18 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.3.17/ip_ftp_pxy.c ip_fil3.3.18/ip_ftp_pxy.c *** ip_fil3.3.17/ip_ftp_pxy.c Sat Jul 8 12:55:04 2000 --- ip_fil3.3.18/ip_ftp_pxy.c Mon Aug 7 23:03:20 2000 *************** *** 7,16 **** #endif #define isdigit(x) ((x) >= '0' && (x) <= '9') ! #define isupper(x) ((unsigned)((x) - 'A') <= 'Z' - 'A') ! #define islower(x) ((unsigned)((x) - 'a') <= 'z' - 'a') #define isalpha(x) (isupper(x) || islower(x)) ! #define toupper(x) (isupper(x) ? (x) : (x) - 'a' + 'Z') #define IPF_FTP_PROXY --- 7,16 ---- #endif #define isdigit(x) ((x) >= '0' && (x) <= '9') ! #define isupper(x) (((unsigned)(x) >= 'A') && ((unsigned)(x) <= 'Z')) ! #define islower(x) (((unsigned)(x) >= 'a') && ((unsigned)(x) <= 'z')) #define isalpha(x) (isupper(x) || islower(x)) ! #define toupper(x) (isupper(x) ? (x) : (x) - 'a' + 'A') #define IPF_FTP_PROXY *************** *** 76,99 **** } else return -1; } else if (isalpha(c)) { - c = *s++; cbuf[0] = toupper(c); i--; if (isalpha(c)) { - c = *s++; cbuf[1] = toupper(c); i--; if (isalpha(c)) { - c = *s++; cbuf[2] = toupper(c); i--; if (isalpha(c)) { - c = *s++; cbuf[3] = toupper(c); i--; if (c != ' ') return -1; - cbuf[4] = '\0'; } else return -1; } else --- 76,99 ---- } else return -1; } else if (isalpha(c)) { cbuf[0] = toupper(c); + c = *s++; i--; if (isalpha(c)) { cbuf[1] = toupper(c); + c = *s++; i--; if (isalpha(c)) { cbuf[2] = toupper(c); + c = *s++; i--; if (isalpha(c)) { cbuf[3] = toupper(c); + c = *s++; + cbuf[4] = c; i--; if (c != ' ') return -1; } else return -1; } else *************** *** 202,208 **** if (dlen > 0) m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf); #endif ! if (dlen == 0) return 0; bzero(cmd, sizeof(cmd)); portbuf[sizeof(portbuf) - 1] = '\0'; --- 202,208 ---- if (dlen > 0) m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf); #endif ! if (dlen <= 0) return 0; bzero(cmd, sizeof(cmd)); portbuf[sizeof(portbuf) - 1] = '\0'; *************** *** 429,435 **** if (dlen > 0) m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf); #endif ! if (dlen == 0) return 0; bzero(cmd, sizeof(cmd)); portbuf[sizeof(portbuf) - 1] = '\0'; --- 429,435 ---- if (dlen > 0) m_copydata(m, off, MIN(sizeof(portbuf), dlen), portbuf); #endif ! if (dlen <= 0) return 0; bzero(cmd, sizeof(cmd)); portbuf[sizeof(portbuf) - 1] = '\0'; diff -cr ip_fil3.3.17/ip_nat.c ip_fil3.3.18/ip_nat.c *** ip_fil3.3.17/ip_nat.c Sun Jun 25 17:15:04 2000 --- ip_fil3.3.18/ip_nat.c Wed Aug 9 02:11:05 2000 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.19 2000/06/25 07:15:04 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.21 2000/08/08 16:00:33 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 412,418 **** * mapping range. In all cases, the range is inclusive of * the start and ending IP addresses. * If to a CIDR address, lose 2: broadcast + network address ! * (so subtract 1) * If to a range, add one. * If to a single IP address, set to 1. */ --- 412,418 ---- * mapping range. In all cases, the range is inclusive of * the start and ending IP addresses. * If to a CIDR address, lose 2: broadcast + network address ! * (so subtract 1) * If to a range, add one. * If to a single IP address, set to 1. */ *************** *** 1009,1018 **** ip_t *ip; fr_info_t *fin; { - icmphdr_t *icmp; tcphdr_t *tcp = NULL; ip_t *oip; ! int flags = 0, type; if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)) return NULL; --- 1009,1018 ---- ip_t *ip; fr_info_t *fin; { tcphdr_t *tcp = NULL; + icmphdr_t *icmp; ip_t *oip; ! int flags = 0, type, minlen; if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)) return NULL; *************** *** 1034,1046 **** return NULL; oip = (ip_t *)((char *)fin->fin_dp + 8); ! if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2)) return NULL; if (oip->ip_p == IPPROTO_TCP) flags = IPN_TCP; else if (oip->ip_p == IPPROTO_UDP) flags = IPN_UDP; if (flags & IPN_TCPUDP) { tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2)); return nat_inlookup(fin->fin_ifp, flags, (u_int)oip->ip_p, oip->ip_dst, oip->ip_src, --- 1034,1076 ---- return NULL; oip = (ip_t *)((char *)fin->fin_dp + 8); ! minlen = (oip->ip_hl << 2); ! if (ip->ip_len < ICMPERR_MINPKTLEN + minlen) ! return NULL; ! /* ! * Is the buffer big enough for all of it ? It's the size of the IP ! * header claimed in the encapsulated part which is of concern. It ! * may be too big to be in this buffer but not so big that it's ! * outside the ICMP packet, leading to TCP deref's causing problems. ! * This is possible because we don't know how big oip_hl is when we ! * do the pullup early in fr_check() and thus can't gaurantee it is ! * all here now. ! */ ! #ifdef _KERNEL ! { ! mb_t *m; ! ! # if SOLARIS ! m = fin->fin_qfm; ! if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN > (char *)m->b_wptr) ! return NULL; ! # else ! m = *(mb_t **)fin->fin_mp; ! if ((char *)oip + fin->fin_dlen - ICMPERR_ICMPHLEN > ! (char *)ip + m->m_len) return NULL; + # endif + } + #endif + if (oip->ip_p == IPPROTO_TCP) flags = IPN_TCP; else if (oip->ip_p == IPPROTO_UDP) flags = IPN_UDP; if (flags & IPN_TCPUDP) { + minlen += 8; /* + 64bits of data to get ports */ + if (ip->ip_len < ICMPERR_MINPKTLEN + minlen) + return NULL; tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2)); return nat_inlookup(fin->fin_ifp, flags, (u_int)oip->ip_p, oip->ip_dst, oip->ip_src, *************** *** 1119,1125 **** if ((flags & IPN_TCPUDP) != 0) { tcphdr_t *tcp; ! /* XXX - what if this is bogus hl and we go off the end ? */ tcp = (tcphdr_t *)((((char *)oip) + (oip->ip_hl << 2))); if (nat->nat_dir == NAT_OUTBOUND) { --- 1149,1158 ---- if ((flags & IPN_TCPUDP) != 0) { tcphdr_t *tcp; ! /* ! * XXX - what if this is bogus hl and we go off the end ? ! * In this case, nat_icmpinlookup() will have returned NULL. ! */ tcp = (tcphdr_t *)((((char *)oip) + (oip->ip_hl << 2))); if (nat->nat_dir == NAT_OUTBOUND) { diff -cr ip_fil3.3.17/ip_sfil.c ip_fil3.3.18/ip_sfil.c *** ip_fil3.3.17/ip_sfil.c Mon May 22 16:57:52 2000 --- ip_fil3.3.18/ip_sfil.c Fri Aug 4 00:22:52 2000 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.1.2.8 2000/05/22 06:57:52 darrenr Exp $"; #endif #include --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.1.2.9 2000/08/03 14:22:52 darrenr Exp $"; #endif #include *************** *** 283,289 **** fio.f_logging = 0; #endif fio.f_defpass = fr_pass; ! strncpy(fio.f_version, fio.f_version, sizeof(fio.f_version)); RWLOCK_EXIT(&ipf_mutex); IWCOPY((caddr_t)&fio, (caddr_t)data, sizeof(fio)); --- 283,289 ---- fio.f_logging = 0; #endif fio.f_defpass = fr_pass; ! strncpy(fio.f_version, ipfilter_version, sizeof(fio.f_version)); RWLOCK_EXIT(&ipf_mutex); IWCOPY((caddr_t)&fio, (caddr_t)data, sizeof(fio)); diff -cr ip_fil3.3.17/ip_state.c ip_fil3.3.18/ip_state.c *** ip_fil3.3.17/ip_state.c Mon May 22 16:57:53 2000 --- ip_fil3.3.18/ip_state.c Wed Aug 9 02:11:06 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.25 2000/05/22 06:57:53 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.28 2000/08/08 16:00:35 darrenr Exp $"; #endif #include *************** *** 150,156 **** * flush state tables. two actions currently defined: * which == 0 : flush all state table entries * which == 1 : flush TCP connections which have started to close but are ! * stuck for some reason. */ static int fr_state_flush(which) int which; --- 150,156 ---- * flush state tables. two actions currently defined: * which == 0 : flush all state table entries * which == 1 : flush TCP connections which have started to close but are ! * stuck for some reason. */ static int fr_state_flush(which) int which; *************** *** 677,688 **** register u_char pr; struct icmp *ic; u_short savelen; fr_info_t ofin; tcphdr_t *tcp; ! icmphdr_t *icmp; frentry_t *fr; ip_t *oip; - int type; u_int hv; /* --- 677,688 ---- register u_char pr; struct icmp *ic; u_short savelen; + icmphdr_t *icmp; fr_info_t ofin; tcphdr_t *tcp; ! int type, len; frentry_t *fr; ip_t *oip; u_int hv; /* *************** *** 706,711 **** --- 706,743 ---- if (ip->ip_len < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2)) return NULL; + /* + * Sanity Checks. + */ + len = fin->fin_dlen - ICMPERR_ICMPHLEN; + if ((len <= 0) || ((oip->ip_hl << 2) > len)) + return NULL; + + /* + * Is the buffer big enough for all of it ? It's the size of the IP + * header claimed in the encapsulated part which is of concern. It + * may be too big to be in this buffer but not so big that it's + * outside the ICMP packet, leading to TCP deref's causing problems. + * This is possible because we don't know how big oip_hl is when we + * do the pullup early in fr_check() and thus can't gaurantee it is + * all here now. + */ + #ifdef _KERNEL + { + mb_t *m; + + # if SOLARIS + m = fin->fin_qfm; + if ((char *)oip + len > (char *)m->b_wptr) + return NULL; + # else + m = *(mb_t **)fin->fin_mp; + if ((char *)oip + len > (char *)ip + m->m_len) + return NULL; + # endif + } + #endif + if (oip->ip_p == IPPROTO_ICMP) { icmp = (icmphdr_t *)((char *)oip + (oip->ip_hl << 2)); *************** *** 736,744 **** } hv %= fr_statesize; ! oip->ip_len = ntohs(oip->ip_len); fr_makefrip(oip->ip_hl << 2, oip, &ofin); ! oip->ip_len = htons(oip->ip_len); ofin.fin_ifp = fin->fin_ifp; ofin.fin_out = !fin->fin_out; ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ --- 768,777 ---- } hv %= fr_statesize; ! savelen = oip->ip_len; ! oip->ip_len = len; fr_makefrip(oip->ip_hl << 2, oip, &ofin); ! oip->ip_len = savelen; ofin.fin_ifp = fin->fin_ifp; ofin.fin_out = !fin->fin_out; ofin.fin_mp = NULL; /* if dereferenced, panic XXX */ *************** *** 793,799 **** * order. Any change we make must be undone afterwards. */ savelen = oip->ip_len; ! oip->ip_len = ip->ip_len - (ip->ip_hl << 2) - ICMPERR_ICMPHLEN; fr_makefrip(oip->ip_hl << 2, oip, &ofin); oip->ip_len = savelen; ofin.fin_ifp = fin->fin_ifp; --- 826,832 ---- * order. Any change we make must be undone afterwards. */ savelen = oip->ip_len; ! oip->ip_len = len; fr_makefrip(oip->ip_hl << 2, oip, &ofin); oip->ip_len = savelen; ofin.fin_ifp = fin->fin_ifp; *************** *** 897,903 **** --- 930,944 ---- case IPPROTO_TCP : { register u_short dport = tcp->th_dport, sport = tcp->th_sport; + register int i; + i = tcp->th_flags; + /* + * Just plain ignore RST flag set with either FIN or SYN. + */ + if ((i & TH_RST) && + ((i & (TH_FIN|TH_SYN|TH_RST)) != TH_RST)) + break; tryagain = 0; retry_tcp: hvm = hv % fr_statesize; diff -cr ip_fil3.3.17/ipl.h ip_fil3.3.18/ipl.h *** ip_fil3.3.17/ipl.h Sat Jul 8 12:52:16 2000 --- ip_fil3.3.18/ipl.h Tue Aug 8 01:10:26 2000 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.17" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.18" #endif diff -cr ip_fil3.3.17/iplang/iplang_y.y ip_fil3.3.18/iplang/iplang_y.y *** ip_fil3.3.17/iplang/iplang_y.y Sun Nov 21 22:05:09 1999 --- ip_fil3.3.18/iplang/iplang_y.y Mon Aug 7 23:04:13 2000 *************** *** 6,12 **** * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: iplang_y.y,v 2.1.2.1 1999/11/21 11:05:09 darrenr Exp $ */ #include --- 6,12 ---- * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: iplang_y.y,v 2.1.2.2 2000/08/07 13:04:13 darrenr Exp $ */ #include *************** *** 48,54 **** #include "ipf.h" #include "iplang.h" ! #ifndef __NetBSD__ extern struct ether_addr *ether_aton __P((char *)); #endif --- 48,55 ---- #include "ipf.h" #include "iplang.h" ! #if !defined(__NetBSD__) && (!defined(__FreeBSD_version) && \ ! __FreeBSD_version < 400020) extern struct ether_addr *ether_aton __P((char *)); #endif diff -cr ip_fil3.3.17/ipmon.c ip_fil3.3.18/ipmon.c *** ip_fil3.3.17/ipmon.c Thu Feb 17 01:40:39 2000 --- ip_fil3.3.18/ipmon.c Mon Aug 7 23:04:51 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.3.2.5 2000/02/16 14:40:39 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.3.2.6 2000/08/07 13:04:51 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 552,561 **** { tcphdr_t *tp; struct icmp *ic; struct tm *tm; char *t, *proto; u_short hl, p; ! int i, lvl, res, len; ip_t *ipc, *ip; iplog_t *ipl; ipflog_t *ipf; --- 552,562 ---- { tcphdr_t *tp; struct icmp *ic; + struct icmp *icmphdr; struct tm *tm; char *t, *proto; u_short hl, p; ! int i, lvl, res, len, ipoff; ip_t *ipc, *ip; iplog_t *ipl; ipflog_t *ipf; *************** *** 686,704 **** ic->icmp_type == ICMP_REDIRECT || ic->icmp_type == ICMP_TIMXCEED) { ipc = &ic->icmp_ip; ! tp = (tcphdr_t *)((char *)ipc + hl); ! proto = getproto(ipc->ip_p); ! t += strlen(t); ! (void) sprintf(t, " for %s,%s -", ! hostname(res, ipc->ip_src), ! portname(res, proto, (u_int)tp->th_sport)); ! t += strlen(t); ! (void) sprintf(t, " %s,%s PR %s len %hu %hu", ! hostname(res, ipc->ip_dst), ! portname(res, proto, (u_int)tp->th_dport), ! proto, ipc->ip_hl << 2, ipc->ip_len); } } else { (void) sprintf(t, "%s -> ", hostname(res, ip->ip_src)); --- 687,743 ---- ic->icmp_type == ICMP_REDIRECT || ic->icmp_type == ICMP_TIMXCEED) { ipc = &ic->icmp_ip; ! i = ntohs(ipc->ip_len); ! ipoff = ntohs(ipc->ip_off); proto = getproto(ipc->ip_p); ! if (!(ipoff & IP_OFFMASK) && ! ((ipc->ip_p == IPPROTO_TCP) || ! (ipc->ip_p == IPPROTO_UDP))) { ! tp = (tcphdr_t *)((char *)ipc + hl); ! ! t += strlen(t); ! (void) sprintf(t, " for %s,%s -", ! hostname(res, ipc->ip_src), ! portname(res, proto, ! (u_int)tp->th_sport)); ! t += strlen(t); ! (void) sprintf(t, " %s,%s PR %s len %hu %hu", ! hostname(res, ipc->ip_dst), ! portname(res, proto, ! (u_int)tp->th_dport), ! proto, ipc->ip_hl << 2, ipc->ip_len); ! } else if ((ipc->ip_p == IPPROTO_ICMP) && ! !(ipoff & IP_OFFMASK)) { ! icmphdr = (icmphdr_t *)((char *)ipc + hl); ! ! t += strlen(t); ! (void) sprintf(t, " for %s -", ! hostname(res, ipc->ip_src)); ! t += strlen(t); ! (void) sprintf(t, ! " %s PR icmp len %hu %hu icmp %d/%d", ! hostname(res, ipc->ip_dst), ! ipc->ip_hl << 2, i, ! icmphdr->icmp_type, icmphdr->icmp_code); ! } else { ! ! t += strlen(t); ! (void) sprintf(t, " for %s -", ! hostname(res, ipc->ip_src)); ! t += strlen(t); ! (void) sprintf(t, " %s PR %s len %hu (%hu)", ! hostname(res, ipc->ip_dst), ! proto, ipc->ip_hl << 2, ipc->ip_len); ! t += strlen(t); ! if (ipc->ip_off & IP_OFFMASK) { ! (void) sprintf(t, " frag %s%s%hu@%hu", ! ipoff & IP_MF ? "+" : "", ! ipoff & IP_DF ? "-" : "", ! i - (ipc->ip_hl << 2), ! (ipoff & IP_OFFMASK) << 3); ! } ! } } } else { (void) sprintf(t, "%s -> ", hostname(res, ip->ip_src)); diff -cr ip_fil3.3.17/ipnat.c ip_fil3.3.18/ipnat.c *** ip_fil3.3.17/ipnat.c Sat Dec 4 13:09:30 1999 --- ip_fil3.3.18/ipnat.c Thu Jul 27 23:07:07 2000 *************** *** 56,62 **** #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.1.2.2 1999/12/04 02:09:30 darrenr Exp $"; #endif --- 56,62 ---- #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.1.2.3 2000/07/27 13:07:07 darrenr Exp $"; #endif *************** *** 115,121 **** char *argv[]; { char *file = NULL; ! int fd = -1, opts = 0, c; while ((c = getopt(argc, argv, "CFf:hlnrsv")) != -1) switch (c) --- 115,121 ---- char *argv[]; { char *file = NULL; ! int fd = -1, opts = 0, c, mode = O_RDWR; while ((c = getopt(argc, argv, "CFf:hlnrsv")) != -1) switch (c) *************** *** 134,148 **** --- 134,151 ---- break; case 'l' : opts |= OPT_LIST; + mode = O_RDONLY; break; case 'n' : opts |= OPT_NODO; + mode = O_RDONLY; break; case 'r' : opts |= OPT_REM; break; case 's' : opts |= OPT_STAT; + mode = O_RDONLY; break; case 'v' : opts |= OPT_VERBOSE; *************** *** 151,157 **** usage(argv[0]); } ! if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, O_RDWR)) == -1) && ((fd = open(IPL_NAT, O_RDONLY)) == -1)) { (void) fprintf(stderr, "%s: open: %s\n", IPL_NAT, STRERROR(errno)); --- 154,160 ---- usage(argv[0]); } ! if (!(opts & OPT_NODO) && ((fd = open(IPL_NAT, mode)) == -1) && ((fd = open(IPL_NAT, O_RDONLY)) == -1)) { (void) fprintf(stderr, "%s: open: %s\n", IPL_NAT, STRERROR(errno)); diff -cr ip_fil3.3.17/ipsend/ipsend.1 ip_fil3.3.18/ipsend/ipsend.1 *** ip_fil3.3.17/ipsend/ipsend.1 Sun Aug 1 20:57:25 1999 --- ip_fil3.3.18/ipsend/ipsend.1 Thu Jul 27 23:04:11 2000 *************** *** 96,102 **** .B \-U Set the protocol to UDP. .TP ! .BR \-d enable verbose mode. .DT .SH SEE ALSO --- 96,102 ---- .B \-U Set the protocol to UDP. .TP ! .BR \-v enable verbose mode. .DT .SH SEE ALSO diff -cr ip_fil3.3.17/ipsend/ipsend.5 ip_fil3.3.18/ipsend/ipsend.5 *** ip_fil3.3.17/ipsend/ipsend.5 Sun Aug 1 20:57:25 1999 --- ip_fil3.3.18/ipsend/ipsend.5 Mon Aug 7 23:04:37 2000 *************** *** 323,329 **** .SH "ICMP TYPES" .TP .B echorep ! Eecho Reply. .TP .B "unreach [ unreachable-code ]" Generic Unreachable error. This is used to indicate that an error has --- 323,329 ---- .SH "ICMP TYPES" .TP .B echorep ! Echo Reply. .TP .B "unreach [ unreachable-code ]" Generic Unreachable error. This is used to indicate that an error has