diff -cr ip_fil3.3.19/HISTORY ip_fil3.3.20/HISTORY *** ip_fil3.3.19/HISTORY Tue Oct 24 23:21:52 2000 --- ip_fil3.3.20/HISTORY Sat Oct 28 09:59:22 2000 *************** *** 20,25 **** --- 20,32 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.3.20 28/10/2000 - Released + + fix introduced bug with ICMP packets being rejected when valid + + fix bug with proxy's that don't set fin_dlen correctly when calling + fr_addstate() + 3.3.19 24/10/2000 - Released don't access ICMP data fields that aren't there diff -cr ip_fil3.3.19/SunOS5/pkginfo ip_fil3.3.20/SunOS5/pkginfo *** ip_fil3.3.19/SunOS5/pkginfo Tue Oct 24 23:07:46 2000 --- ip_fil3.3.20/SunOS5/pkginfo Sat Oct 28 09:59:25 2000 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.19 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.20 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.3.19/fil.c ip_fil3.3.20/fil.c *** ip_fil3.3.19/fil.c Tue Oct 24 22:57:39 2000 --- ip_fil3.3.20/fil.c Sat Oct 28 10:04:32 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.23 2000/10/24 11:57:39 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.25 2000/10/27 23:04:32 darrenr Exp $"; #endif #include *************** *** 224,254 **** int minicmpsz = sizeof(struct icmp); icmphdr_t *icmp; ! if (fin->fin_dlen > 1) fin->fin_data[0] = *(u_short *)tcp; ! if ((!(ip->ip_len >= hlen + minicmpsz) && !off) || ! (off && off < sizeof(struct icmp))) { ! fi->fi_fl |= FI_SHORT; ! if (fin->fin_dlen < 2) ! break; ! } ! 
icmp = (icmphdr_t *)tcp; ! if (!off && (icmp->icmp_type == ICMP_ECHOREPLY || ! icmp->icmp_type == ICMP_ECHO)) ! minicmpsz = ICMP_MINLEN; ! ! if (!off && (icmp->icmp_type == ICMP_TSTAMP || ! icmp->icmp_type == ICMP_TSTAMPREPLY)) ! minicmpsz = 20; ! /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + 3*timestamp(3*4) */ ! ! if (!off && (icmp->icmp_type == ICMP_MASKREQ || ! icmp->icmp_type == ICMP_MASKREPLY)) ! minicmpsz = 12; ! /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + mask(4) */ break; } --- 224,252 ---- int minicmpsz = sizeof(struct icmp); icmphdr_t *icmp; ! if (!off && (fin->fin_dlen > 1)) { fin->fin_data[0] = *(u_short *)tcp; ! icmp = (icmphdr_t *)tcp; ! if (icmp->icmp_type == ICMP_ECHOREPLY || ! icmp->icmp_type == ICMP_ECHO) ! minicmpsz = ICMP_MINLEN; ! ! if (icmp->icmp_type == ICMP_TSTAMP || ! icmp->icmp_type == ICMP_TSTAMPREPLY) ! minicmpsz = 20; ! /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + 3*timestamp(3*4) */ ! ! if (icmp->icmp_type == ICMP_MASKREQ || ! icmp->icmp_type == ICMP_MASKREPLY) ! minicmpsz = 12; ! /* type(1) + code(1) + cksum(2) + id(2) + seq(2) + mask(4) */ ! } ! if ((!(ip->ip_len >= hlen + minicmpsz) && !off) || ! (off && off < sizeof(struct icmp))) ! fi->fi_fl |= FI_SHORT; break; } *************** *** 1193,1199 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.3.2.23 2000/10/24 11:57:39 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 1191,1197 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.3.2.25 2000/10/27 23:04:32 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff -cr ip_fil3.3.19/ip_fil.c ip_fil3.3.20/ip_fil.c *** ip_fil3.3.19/ip_fil.c Fri Aug 25 23:10:53 2000 --- ip_fil3.3.20/ip_fil.c Sat Oct 28 10:22:18 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! 
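Review bot: The short-packet test at the end of the hunk is written as `!(ip->ip_len >= hlen + minicmpsz) && !off`, which reads more directly as `!off && ip->ip_len < hlen + minicmpsz`; the two forms are equivalent for integer operands. The guard `if (!off && (fin->fin_dlen > 1))` is doing two jobs that a comment should name: only the first fragment carries the ICMP header, and two bytes must be present before `*(u_short *)tcp` and `icmp_type` are read, e.g. `/* ICMP header is only in the first fragment; need 2 bytes for fin_data[0] */`. The three `if` chains on `icmp_type` would be clearer as a `switch` with a `default` that leaves `minicmpsz` at `sizeof(struct icmp)`, and the literal minimums 20 and 12 deserve named constants beside `ICMP_MINLEN`. Whether `ip->ip_len` is already in host order at this point is not visible here. The enclosing function and its `switch` begin outside the hunk.
```c
	if (!off && (fin->fin_dlen > 1)) {
		/* ICMP header is only in the first fragment; need 2 bytes for fin_data[0] */
		fin->fin_data[0] = *(u_short *)tcp;
		icmp = (icmphdr_t *)tcp;
		switch (icmp->icmp_type) {
		case ICMP_ECHOREPLY:
		case ICMP_ECHO:
			minicmpsz = ICMP_MINLEN;
			break;
		case ICMP_TSTAMP:
		case ICMP_TSTAMPREPLY:
			/* type(1) + code(1) + cksum(2) + id(2) + seq(2) + 3*timestamp(3*4) */
			minicmpsz = 20;
			break;
		case ICMP_MASKREQ:
		case ICMP_MASKREPLY:
			/* type(1) + code(1) + cksum(2) + id(2) + seq(2) + mask(4) */
			minicmpsz = 12;
			break;
		default:
			break;	/* keep sizeof(struct icmp) */
		}
	}
	if ((!off && ip->ip_len < hlen + minicmpsz) ||
	    (off && off < sizeof(struct icmp)))
		fi->fi_fl |= FI_SHORT;
```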
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.23 2000/08/25 13:10:53 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.25 2000/10/27 23:22:18 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 916,922 **** tcp2->th_ack += tlen; tcp2->th_ack = htonl(tcp2->th_ack); tcp2->th_off = sizeof(*tcp2) >> 2; ! tcp2->th_flags = TH_RST|TH_ACK; ip->ip_p = IPPROTO_TCP; ip->ip_len = htons(sizeof(struct tcphdr)); tcp2->th_sum = in_cksum(m, sizeof(*ip) + sizeof(*tcp2)); --- 916,925 ---- tcp2->th_ack += tlen; tcp2->th_ack = htonl(tcp2->th_ack); tcp2->th_off = sizeof(*tcp2) >> 2; ! if (tcp->th_flags & TH_ACK) ! tcp2->th_flags = TH_RST; ! else ! tcp2->th_flags = TH_RST|TH_ACK; ip->ip_p = IPPROTO_TCP; ip->ip_len = htons(sizeof(struct tcphdr)); tcp2->th_sum = in_cksum(m, sizeof(*ip) + sizeof(*tcp2)); *************** *** 958,963 **** --- 961,967 ---- struct icmp *icmp; struct mbuf *m; ip_t *nip; + void *ifp; int code; if ((oip->ip_p == IPPROTO_ICMP) && !(fin->fin_fi.fi_fl & FI_SHORT)) *************** *** 972,977 **** --- 976,982 ---- return 0; } + ifp = fin->fin_ifp; code = fin->fin_icode; # if (BSD < 199306) || defined(__sgi) m = m_get(M_DONTWAIT, MT_HEADER); *************** *** 998,1004 **** nip->ip_tos = oip->ip_tos; nip->ip_len = sizeof(*nip) + sizeof(*icmp) + 8; if (dst.s_addr == 0) { ! if (fr_ifpaddr(fin->fin_ifp, &dst) == -1) return -1; } nip->ip_src = dst; --- 1003,1009 ---- nip->ip_tos = oip->ip_tos; nip->ip_len = sizeof(*nip) + sizeof(*icmp) + 8; if (dst.s_addr == 0) { ! if (fr_ifpaddr(ifp, &dst) == -1) return -1; } nip->ip_src = dst; *************** *** 1010,1016 **** # ifdef icmp_nextmtu if (type == ICMP_UNREACH && fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp) ! 
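Review bot: The RST versus RST|ACK choice on `tcp->th_flags & TH_ACK` follows the RFC 793 reset-generation rule but leaves no trace of why, and the same branch is added to the ip_sfil.c send-reset code further down in this diff; a comment at both sites saves the next reader a trip to the RFC, e.g. `/* RFC 793 3.4: an ACK-bearing segment is answered with a bare RST, anything else with RST|ACK covering seq+len */`. `tcp2->th_ack` is computed and stored unconditionally just above the branch, so in the bare-RST case the ack field still carries a value the receiver will ignore; harmless, but worth stating in the comment if intentional. The enclosing function begins outside the hunk.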
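Review bot: `ifp` is now taken from `fin->fin_ifp` and is NULL-tested before the `if_mtu` read under `#ifdef icmp_nextmtu`, but the `fr_ifpaddr(ifp, &dst)` call in the 998 hunk passes it without that test; whether fr_ifpaddr tolerates a NULL interface is not visible here, so either guard it the same way or note in a comment that `fin_ifp` is never NULL on this path. Declaring `ifp` as `void *` and casting at the use site drops the type; if `fin_ifp` is `void *` for portability, a one-line comment at the declaration such as `void *ifp;	/* struct ifnet * on BSD */` would help. The change spans the 958, 972 and 998 hunks here and the 1010 hunk on the next line; the enclosing function begins and ends outside them.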
icmp->icmp_nextmtu = htons(((struct ifnet *) ifp)->if_mtu); # endif bcopy((char *)oip, (char *)&icmp->icmp_ip, sizeof(*oip)); --- 1015,1021 ---- # ifdef icmp_nextmtu if (type == ICMP_UNREACH && fin->fin_icode == ICMP_UNREACH_NEEDFRAG && ifp) ! icmp->icmp_nextmtu = htons(((struct ifnet *)ifp)->if_mtu); # endif bcopy((char *)oip, (char *)&icmp->icmp_ip, sizeof(*oip)); diff -cr ip_fil3.3.19/ip_ftp_pxy.c ip_fil3.3.20/ip_ftp_pxy.c *** ip_fil3.3.19/ip_ftp_pxy.c Mon Aug 7 23:03:20 2000 --- ip_fil3.3.20/ip_ftp_pxy.c Sat Oct 28 09:57:36 2000 *************** *** 368,373 **** --- 368,374 ---- tcp2->th_dport = 0; /* XXX - don't specify remote port */ fi.fin_data[0] = ntohs(sp); fi.fin_data[1] = 0; + fi.fin_dlen = sizeof(*tcp2); fi.fin_dp = (char *)tcp2; swip = ip->ip_src; ip->ip_src = nat->nat_inip; *************** *** 590,595 **** --- 591,597 ---- tcp2->th_dport = htons(fi.fin_data[0]); fi.fin_data[1] = 0; fi.fin_dp = (char *)tcp2; + fi.fin_dlen = sizeof(*tcp2); swip = ip->ip_src; swip2 = ip->ip_dst; ip->ip_dst = ip->ip_src; diff -cr ip_fil3.3.19/ip_raudio_pxy.c ip_fil3.3.20/ip_raudio_pxy.c *** ip_fil3.3.19/ip_raudio_pxy.c Thu Mar 16 00:58:54 2000 --- ip_fil3.3.20/ip_raudio_pxy.c Sat Oct 28 09:57:38 2000 *************** *** 261,266 **** --- 261,267 ---- bzero((char *)tcp2, sizeof(*tcp2)); fi.fin_dp = (char *)tcp2; fi.fin_fr = &raudiofr; + fi.fin_dlen = sizeof(*tcp2); tcp2->th_win = htons(8192); if (((rap->rap_mode & RAP_M_UDP_ROBUST) == RAP_M_UDP_ROBUST) && diff -cr ip_fil3.3.19/ip_rcmd_pxy.c ip_fil3.3.20/ip_rcmd_pxy.c *** ip_fil3.3.19/ip_rcmd_pxy.c Wed Sep 22 23:47:06 1999 --- ip_fil3.3.20/ip_rcmd_pxy.c Sat Oct 28 09:57:39 2000 *************** *** 131,136 **** --- 131,137 ---- fi.fin_data[0] = ntohs(sp); fi.fin_data[1] = 0; fi.fin_dp = (char *)tcp2; + fi.fin_dlen = sizeof(*tcp2); swip = ip->ip_src; ip->ip_src = nat->nat_inip; ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT, diff -cr ip_fil3.3.19/ip_sfil.c ip_fil3.3.20/ip_sfil.c *** ip_fil3.3.19/ip_sfil.c Fri Aug 4 
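Review bot: `fi.fin_dlen = sizeof(*tcp2);` is added without a comment saying what consumes it; the HISTORY entry says fr_addstate() depends on it, so a one-liner at the first site, e.g. `/* fr_addstate() bounds its header reads by fin_dlen; tcp2 is a bare header */`, records the contract the fix relies on. The line lands in a different position relative to `fi.fin_dp` in each of the four hunks (ip_ftp_pxy.c 368 and 590, ip_raudio_pxy.c 261, ip_rcmd_pxy.c 131); keeping `fin_dp` and `fin_dlen` adjacent makes it visible that both describe the same synthetic header. If `fi` starts as a copy of the caller's fr_info, other length-derived fields may still describe the original packet rather than `tcp2` — worth confirming against what nat_new() and fr_addstate() read. The enclosing functions begin and end outside the hunks.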
00:22:52 2000 --- ip_fil3.3.20/ip_sfil.c Wed Oct 25 22:50:58 2000 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.1.2.9 2000/08/03 14:22:52 darrenr Exp $"; #endif #include --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.1.2.10 2000/10/25 11:50:58 darrenr Exp $"; #endif #include *************** *** 655,661 **** tcp2->th_ack = htonl(ntohl(tcp->th_seq) + tlen); tcp2->th_seq = tcp->th_ack; tcp2->th_off = sizeof(struct tcphdr) >> 2; ! tcp2->th_flags = TH_RST|TH_ACK; /* * This is to get around a bug in the Solaris 2.4/2.5 TCP checksum * computation that is done by their put routine. --- 655,664 ---- tcp2->th_ack = htonl(ntohl(tcp->th_seq) + tlen); tcp2->th_seq = tcp->th_ack; tcp2->th_off = sizeof(struct tcphdr) >> 2; ! if (tcp->th_flags & TH_ACK) ! tcp2->th_flags = TH_RST; ! else ! tcp2->th_flags = TH_RST|TH_ACK; /* * This is to get around a bug in the Solaris 2.4/2.5 TCP checksum * computation that is done by their put routine. 
*************** *** 705,713 **** { struct icmp *icmp; mblk_t *mb; ip_t *nip; int code; - u_short sz; sz = sizeof(*nip) + sizeof(*icmp) + 8; code = fin->fin_icode; --- 708,717 ---- { struct icmp *icmp; mblk_t *mb; + u_short sz; ip_t *nip; + ill_t *il; int code; sz = sizeof(*nip) + sizeof(*icmp) + 8; code = fin->fin_icode; *************** *** 747,752 **** --- 751,762 ---- icmp->icmp_type = type; icmp->icmp_code = code; icmp->icmp_cksum = 0; + #ifdef icmp_nextmtu + if (type == ICMP_UNREACH && (il = ((qif_t *)fin->fin_qif)->qf_ill) && + fin->fin_icode == ICMP_UNREACH_NEEDFRAG) + icmp->icmp_nextmtu = htons(il->ill_max_frag); + #endif + bcopy((char *)ip, (char *)&icmp->icmp_ip, sizeof(*ip)); bcopy((char *)ip + (ip->ip_hl << 2), (char *)&icmp->icmp_ip + sizeof(*ip), 8); /* 64 bits */ diff -cr ip_fil3.3.19/ipl.h ip_fil3.3.20/ipl.h *** ip_fil3.3.19/ipl.h Tue Oct 24 23:07:47 2000 --- ip_fil3.3.20/ipl.h Sat Oct 28 09:59:24 2000 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.19" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! 
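Review bot: `ill_t *il;` is declared unconditionally in the 705 hunk but only used inside the `#ifdef icmp_nextmtu` block added in the 747 hunk, so builds without icmp_nextmtu get an unused-variable warning; wrap the declaration in the same `#ifdef`. In that block `((qif_t *)fin->fin_qif)->qf_ill` is dereferenced before the result is tested, so `fin_qif` itself is assumed non-NULL — the ip_fil.c counterpart earlier in this diff tests `ifp` before use, and if `fin_qif` can be NULL here the same guard is needed; if it cannot, a comment saying so is worth adding. The assignment buried in the condition, `(il = ...) &&`, would read better as a separate statement before the `if`. The enclosing function begins outside the hunk.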
#define IPL_VERSION "IP Filter: v3.3.20" #endif diff -cr ip_fil3.3.19/rules/BASIC.NAT ip_fil3.3.20/rules/BASIC.NAT *** ip_fil3.3.19/rules/BASIC.NAT Sat Aug 7 01:25:50 1999 --- ip_fil3.3.20/rules/BASIC.NAT Wed Oct 25 22:49:42 2000 *************** *** 8,13 **** --- 8,19 ---- # # If we have only 1 valid IP address from our ISP, then we do this: # + # To make ftp work, using the internal ftp proxy, use: + # + map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp + # + # For normal TCP/UDP and other IP protocols + # map ppp0 w.x.y.z/24 -> a.b.c.d/32 portmap tcp/udp 40000:60000 map ppp0 w.x.y.z/24 -> a.b.c.d/32 # *************** *** 38,45 **** #map ppp0 w.x.y.q/32 -> a.b.c.J/32 #map ppp0 w.x.y.p/32 -> a.b.c.K/32 portmap tcp/udp 40000:60000 #map ppp0 w.x.y.p/32 -> a.b.c.K/32 - # - # To make ftp work, using the internal ftp proxy, use: - # - map ppp0 w.x.y.z/24 -> a.b.c.d/32 proxy port ftp ftp/tcp - # --- 44,46 ----
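Review bot: The ftp proxy `map` line is moved above the generic `map ... portmap` and `map` rules without a comment saying why the position matters; if, as the move suggests, the first matching map rule is the one applied, the proxy rule must precede the catch-all or ftp traffic never reaches the proxy. Add that to the example, e.g. `# order matters: the proxy rule must come before the general map rules below`, so readers copying the file keep the ordering.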