diff -cr ip_fil3.3.6/HISTORY ip_fil3.3.7/HISTORY *** ip_fil3.3.6/HISTORY Tue Dec 28 16:35:38 1999 --- ip_fil3.3.7/HISTORY Tue Jan 25 01:25:32 2000 *************** *** 8,14 **** # # Thanks to Tel.Net Media for allowing me to maintain and further develop # IP Filter as part of my job and supplying Sun equipment for testing the ! # move to 64bits. # # Thanks to BSDI for providing object files for BSD/OS 3.1 and the means # to further support development of IP Filter under BSDI. --- 8,14 ---- # # Thanks to Tel.Net Media for allowing me to maintain and further develop # IP Filter as part of my job and supplying Sun equipment for testing the ! # move to 64bits and Gigabit Ethernet. # # Thanks to BSDI for providing object files for BSD/OS 3.1 and the means # to further support development of IP Filter under BSDI. *************** *** 20,25 **** --- 20,55 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.3.7 25/01/2000 - Released + + sync on state information as well as NAT information when required + + record nat protocol in all nat log records + + don't reuse the IP# from an active NAT session if the IP# in the rule + has changed dynamically. + + lookup the protocol for NAT log information in ipmon and pass that to + portname. + + fix the bug with changing the outbound interface of a packet where it + would lead to a panic. + + use fr_running instead of ipl_inited. (sysctl name change on freebsd) + + return EIO if someone attempts an ioctl on state/nat if ipfilter is not + enabled. 
+ + fix rule insertion bug + + make state flushing clean anything that's not fully established (4/4) + + call fr_state_flush() after we've released ipf_state so we don't generate + a recursive mutex acquisition panic + + fix parsing of icmp code after return-icmp/return-icmp-as-dest and add + some patches to enhance parsing strength + 3.3.6 28/12/1999 - Released add in missing rwlock release in fr_checkicmpmatchingstate() and fix check diff -cr ip_fil3.3.6/SunOS5/Makefile ip_fil3.3.7/SunOS5/Makefile *** ip_fil3.3.6/SunOS5/Makefile Sat Dec 4 13:11:19 1999 --- ip_fil3.3.7/SunOS5/Makefile Tue Jan 25 01:25:34 2000 *************** *** 20,25 **** --- 20,26 ---- TOP=.. TMP=/tmp CPUDIR=`uname -p`-`uname -r` + BITS=`optisa sparcv9 >/dev/null 2>&1; if [ $$? -eq 0 ] ; then echo "64"; else echo "32"; fi` CC=gcc -Wall DEBUG=-g LIBS=-lsocket -lnsl -lelf *************** *** 184,195 **** if [ `basename \`pwd\`` != SunOS5 ] ; then \ ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon ipnat ipf.exe; \ ${RM} -f ipnat.5 ipnat.4 ipnat.1 ipfilter.5; \ ! ${RM} -f prototype pkginfo postinstall copyright; \ fi /bin/rm -rf */root ipf.pkg make -f Makefile.ipsend clean -(for i in *; do \ ! if [ -d $${i} -a -f $${i}/Makefile ] ; then \ cd $${i}; (make clean); cd ..; \ rm $${i}/Makefile $${i}/Makefile.ipsend; \ rmdir $${i}; \ --- 185,196 ---- if [ `basename \`pwd\`` != SunOS5 ] ; then \ ${RM} -f core *.o ipt fils ipf ipfstat ipftest ipmon ipnat ipf.exe; \ ${RM} -f ipnat.5 ipnat.4 ipnat.1 ipfilter.5; \ ! ${RM} -f prototype pkginfo postinstall postremove copyright; \ fi /bin/rm -rf */root ipf.pkg make -f Makefile.ipsend clean -(for i in *; do \ ! if [ -d $${i} -a -h $${i}/Makefile ] ; then \ cd $${i}; (make clean); cd ..; \ rm $${i}/Makefile $${i}/Makefile.ipsend; \ rmdir $${i}; \ *************** *** 236,242 **** -$(INSTALL) ip_proxy.h $(ROOTINC)/netinet -$(INSTALL) ip_auth.h $(ROOTINC)/netinet -(cd $(CPUDIR); optisa sparcv9 >/dev/null 2>&1; if [ $$? 
-eq 0 ] ; then ln -s ../prototype64 prototype; else ln -s ../prototype .; fi) ! -(cd $(CPUDIR); ln -s ../pkginfo ../copyright ../postinstall ../postremove .) (cd $(CPUDIR); pkgmk -o -d $(TMP)) touch $(CPUDIR)/ipf.pkg pkgtrans -s ${TMP} $(CPUDIR)/ipf.pkg ipf --- 237,244 ---- -$(INSTALL) ip_proxy.h $(ROOTINC)/netinet -$(INSTALL) ip_auth.h $(ROOTINC)/netinet -(cd $(CPUDIR); optisa sparcv9 >/dev/null 2>&1; if [ $$? -eq 0 ] ; then ln -s ../prototype64 prototype; else ln -s ../prototype .; fi) ! -(cd $(CPUDIR); ln -s ../copyright ../postinstall ../postremove .) ! -(cd $(CPUDIR); cat ../pkginfo | sed -e "s/ARCH=.*/ARCH=`uname -p` (${BITS}-bit)/" > pkginfo) (cd $(CPUDIR); pkgmk -o -d $(TMP)) touch $(CPUDIR)/ipf.pkg pkgtrans -s ${TMP} $(CPUDIR)/ipf.pkg ipf diff -cr ip_fil3.3.6/SunOS5/pkginfo ip_fil3.3.7/SunOS5/pkginfo *** ip_fil3.3.6/SunOS5/pkginfo Tue Dec 28 16:35:16 1999 --- ip_fil3.3.7/SunOS5/pkginfo Tue Jan 25 01:25:34 2000 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.6 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.7 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.3.6/fil.c ip_fil3.3.7/fil.c *** ip_fil3.3.6/fil.c Tue Dec 7 23:53:40 1999 --- ip_fil3.3.7/fil.c Sun Jan 16 21:11:02 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.14 1999/12/07 12:53:40 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.3.2.15 2000/01/16 10:11:02 darrenr Exp $"; #endif #include *************** *** 1178,1184 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! 
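Review bot: The generated pkginfo rewrites `ARCH=sparc,i386` into `ARCH=<uname -p> (<BITS>-bit)`, but pkgadd compares the ARCH tokens against the target's `uname -p`, and a value containing a space and parentheses is unlikely to match and may trigger the architecture-mismatch prompt at install time, so this wants a test install before release; if the 64-bit marker is only informational it belongs in DESC rather than ARCH. The `cat ../pkginfo | sed ...` pipe can simply be `sed -e "s/ARCH=.*/ARCH=.../" ../pkginfo > pkginfo`, and because the recipe line is prefixed with `-`, a sed failure leaves an empty pkginfo and the build carries on; dropping the `-` on that line would surface it. The `optisa sparcv9` test is now evaluated both in `BITS=` and on the prototype line above; reusing `${BITS}` to choose prototype64 would keep the two from drifting apart.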
* $Id: fil.c,v 2.3.2.14 1999/12/07 12:53:40 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 1178,1184 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.3.2.15 2000/01/16 10:11:02 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, *************** *** 1579,1585 **** --- 1579,1588 ---- # else for (ifp = ifnet; ifp; ifp = ifp->if_next) # endif + { ip_natsync(ifp); + ip_statesync(ifp); + } # endif WRITE_ENTER(&ipf_mutex); diff -cr ip_fil3.3.6/ip_auth.c ip_fil3.3.7/ip_auth.c *** ip_fil3.3.6/ip_auth.c Tue Sep 28 21:44:04 1999 --- ip_fil3.3.7/ip_auth.c Sun Jan 16 21:12:14 2000 *************** *** 6,12 **** * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.1 1999/09/28 11:44:04 darrenr Exp $"; #endif #include --- 6,12 ---- * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.1.2.2 2000/01/16 10:12:14 darrenr Exp $"; #endif #include *************** *** 396,402 **** # if SOLARIS error = fr_qout(fr_auth[i].fra_q, m); # else /* SOLARIS */ ! # if _BSDI_VERSION >= 199802 error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); # else --- 396,402 ---- # if SOLARIS error = fr_qout(fr_auth[i].fra_q, m); # else /* SOLARIS */ ! # if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__) error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL); # else diff -cr ip_fil3.3.6/ip_fil.c ip_fil3.3.7/ip_fil.c *** ip_fil3.3.6/ip_fil.c Sat Dec 11 16:31:08 1999 --- ip_fil3.3.7/ip_fil.c Sun Jan 16 21:12:42 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.14 1999/12/11 05:31:08 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.16 2000/01/16 10:12:42 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 126,132 **** # endif #endif - int ipl_inited = 0; int ipl_unreach = ICMP_UNREACH_FILTER; u_long ipl_frouteok[2] = {0, 0}; --- 126,131 ---- *************** *** 230,236 **** # endif SPL_NET(s); ! if (ipl_inited || (fr_checkp == fr_check)) { printf("IP Filter: already initialized\n"); SPL_X(s); return EBUSY; --- 229,235 ---- # endif SPL_NET(s); ! if (fr_running || (fr_checkp == fr_check)) { printf("IP Filter: already initialized\n"); SPL_X(s); return EBUSY; *************** *** 258,264 **** } # endif - ipl_inited = 1; bzero((char *)frcache, sizeof(frcache)); fr_savep = fr_checkp; fr_checkp = fr_check; --- 257,262 ---- *************** *** 286,291 **** --- 284,290 ---- timeout(ipfr_slowtimer, NULL, hz/2); # endif #endif + fr_running = 1; return 0; } *************** *** 310,316 **** # endif #endif SPL_NET(s); ! if (!ipl_inited) { printf("IP Filter: not initialized\n"); SPL_X(s); --- 309,315 ---- # endif #endif SPL_NET(s); ! if (!fr_running) { printf("IP Filter: not initialized\n"); SPL_X(s); *************** *** 319,325 **** fr_checkp = fr_savep; i = frflush(IPL_LOGIPF, i); ! ipl_inited = 0; # ifdef NETBSD_PF pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT); --- 318,324 ---- fr_checkp = fr_savep; i = frflush(IPL_LOGIPF, i); ! 
fr_running = 0; # ifdef NETBSD_PF pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT); *************** *** 412,422 **** --- 411,425 ---- SPL_NET(s); if (unit == IPL_LOGNAT) { + if (!fr_running) + return EIO; error = nat_ioctl(data, cmd, mode); SPL_X(s); return error; } if (unit == IPL_LOGSTATE) { + if (!fr_running) + return EIO; error = fr_state_ioctl(data, cmd, mode); SPL_X(s); return error; *************** *** 437,451 **** error = EPERM; else { IRCOPY(data, (caddr_t)&enable, sizeof(enable)); ! if (enable) { error = iplattach(); ! if (error == 0) ! fr_running = 1; ! } else { error = ipldetach(); - if (error == 0) - fr_running = 0; - } } break; } --- 440,449 ---- error = EPERM; else { IRCOPY(data, (caddr_t)&enable, sizeof(enable)); ! if (enable) error = iplattach(); ! else error = ipldetach(); } break; } *************** *** 702,714 **** } if (!f) { ! if (req != SIOCINAFR || req != SIOCINIFR) while ((f = *ftail)) ftail = &f->fr_next; else { ! if (fp->fr_hits) while (--fp->fr_hits && (f = *ftail)) ftail = &f->fr_next; f = NULL; } } --- 700,714 ---- } if (!f) { ! if (req != SIOCINAFR && req != SIOCINIFR) while ((f = *ftail)) ftail = &f->fr_next; else { ! if (fp->fr_hits) { ! ftail = fprev; while (--fp->fr_hits && (f = *ftail)) ftail = &f->fr_next; + } f = NULL; } } *************** *** 944,950 **** --- 944,954 ---- # if _BSDI_VERSION >= 199802 return ip_output(m, (struct mbuf *)0, &ro, 0, 0, NULL); # else + # if defined(__OpenBSD__) + return ip_output(m, (struct mbuf *)0, 0, 0, 0, NULL); + # else return ip_output(m, (struct mbuf *)0, 0, 0, 0); + # endif # endif # endif } diff -cr ip_fil3.3.6/ip_lfil.c ip_fil3.3.7/ip_lfil.c *** ip_fil3.3.6/ip_lfil.c Thu Aug 5 03:29:57 1999 --- ip_fil3.3.7/ip_lfil.c Sun Jan 16 21:13:02 2000 *************** *** 6,12 **** * to the original author and the contributors. */ #if !defined(lint) ! 
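Review bot: The new `if (!fr_running) return EIO;` in both the IPL_LOGNAT and IPL_LOGSTATE branches returns with the `SPL_NET(s)` taken just above still in effect, because it bypasses the `SPL_X(s)` that the existing path runs before its return. On the BSD builds where SPL_NET is a real splnet() this leaves the caller at raised IPL on the way back to user space, and it is reachable by anyone who can open the nat/state device while the filter is disabled; the fix is to drop it before bailing out, `if (!fr_running) { SPL_X(s); return EIO; }`, in each branch. The enclosing ioctl function starts and ends outside this hunk.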
static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.1 1999/08/04 17:29:57 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) --- 6,12 ---- * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.1.2.1 2000/01/16 10:13:02 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) *************** *** 63,69 **** static int nifs = 0; #endif ! int ipl_inited = 0; int ipl_unreach = ICMP_UNREACH_FILTER; u_long ipl_frouteok[2] = {0, 0}; --- 63,69 ---- static int nifs = 0; #endif ! int fr_running = 0; int ipl_unreach = ICMP_UNREACH_FILTER; u_long ipl_frouteok[2] = {0, 0}; *************** *** 98,109 **** char *defpass; int s; ! if (ipl_inited || (fr_checkp == fr_precheck)) { printk("IP Filter: already initialized\n"); return EBUSY; } ! ipl_inited = 1; bzero((char *)frcache, sizeof(frcache)); bzero((char *)nat_table, sizeof(nat_table)); fr_savep = fr_checkp; --- 98,109 ---- char *defpass; int s; ! if (fr_running || (fr_checkp == fr_precheck)) { printk("IP Filter: already initialized\n"); return EBUSY; } ! fr_running = 1; bzero((char *)frcache, sizeof(frcache)); bzero((char *)nat_table, sizeof(nat_table)); fr_savep = fr_checkp; *************** *** 138,144 **** { int s, i = FR_INQUE|FR_OUTQUE; ! if (!ipl_inited) { printk("IP Filter: not initialized\n"); return 0; --- 138,144 ---- { int s, i = FR_INQUE|FR_OUTQUE; ! if (!fr_running) { printk("IP Filter: not initialized\n"); return 0; *************** *** 146,152 **** fr_checkp = fr_savep; i = frflush(IPL_LOGIPF, i); ! ipl_inited = 0; ipfr_unload(); ip_natunload(); --- 146,152 ---- fr_checkp = fr_savep; i = frflush(IPL_LOGIPF, i); ! 
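Review bot: In the Linux iplattach, `fr_running = 1` is set before frcache/nat_table are zeroed and before fr_checkp is installed, whereas the same commit deliberately moves `fr_running = 1` to the very end of the BSD iplattach in ip_fil.c and then uses the flag to gate nat/state ioctls. If the Linux ioctl path gates on the flag the same way (not visible here), the window between this assignment and the end of initialisation admits ioctls against half-initialised tables; moving the assignment after the hook installation, as ip_fil.c does, keeps the two ports consistent. This file also now defines `int fr_running = 0;` while ip_fil.c removes its `ipl_inited` definition without adding a replacement, which implies fr_running is already defined in a shared file — worth confirming the Linux build does not link two definitions. The enclosing iplattach body continues outside this hunk.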
fr_running = 0; ipfr_unload(); ip_natunload(); diff -cr ip_fil3.3.6/ip_nat.c ip_fil3.3.7/ip_nat.c *** ip_fil3.3.6/ip_nat.c Sat Dec 18 00:05:40 1999 --- ip_fil3.3.7/ip_nat.c Mon Jan 24 23:43:40 2000 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.11 1999/12/17 13:05:40 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.2.2.12 2000/01/24 12:43:40 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 726,737 **** port = 0; in.s_addr = np->in_nip; if (l == 0) { natl = nat_maplookup(fin->fin_ifp, flags, ip->ip_src, ip->ip_dst); if (natl != NULL) { in = natl->nat_outip; #ifndef sparc ! in.s_addr = ntohl(in.s_addr); #endif } } --- 726,747 ---- port = 0; in.s_addr = np->in_nip; if (l == 0) { + /* + * Check to see if there is an existing NAT + * setup for this IP address pair. + */ natl = nat_maplookup(fin->fin_ifp, flags, ip->ip_src, ip->ip_dst); if (natl != NULL) { in = natl->nat_outip; + if ((in.s_addr & np->in_outmsk) != + np->in_outip) + in.s_addr = 0; + else #ifndef sparc ! in.s_addr = ntohl(in.s_addr); ! #else ! ; #endif } } *************** *** 1766,1771 **** --- 1776,1782 ---- natl.nl_origport = nat->nat_oport; natl.nl_inport = nat->nat_inport; natl.nl_outport = nat->nat_outport; + natl.nl_p = nat->nat_p; natl.nl_type = type; natl.nl_rule = -1; #ifndef LARGE_NAT diff -cr ip_fil3.3.6/ip_nat.h ip_fil3.3.7/ip_nat.h *** ip_fil3.3.6/ip_nat.h Sun Nov 28 22:01:51 1999 --- ip_fil3.3.7/ip_nat.h Mon Jan 24 23:44:24 2000 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! 
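Review bot: The new reuse check `(in.s_addr & np->in_outmsk) != np->in_outip` is applied to `natl->nat_outip` before the `ntohl()` that the existing non-sparc branch applies to it, so it compares the stored address in one byte order against the rule fields in another; if in_outip/in_outmsk are host order like in_nip (which is what the ntohl of nat_outip suggests), the test can never match on little-endian hosts and every existing mapping is thrown away instead of reused. If that reading is right, convert first and compare afterwards: keep `in.s_addr = ntohl(in.s_addr);` under the existing `#ifndef sparc`, then `if ((in.s_addr & np->in_outmsk) != np->in_outip) in.s_addr = 0;`. The `else` left dangling into `#ifndef sparc ... #else ; #endif` is fragile in its own right, and the reordering above removes the need for it. nat_new starts and ends outside this hunk.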
* $Id: ip_nat.h,v 2.1.2.2 1999/11/28 11:01:51 darrenr Exp $ */ #ifndef __IP_NAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.1.2.3 2000/01/24 12:44:24 darrenr Exp $ */ #ifndef __IP_NAT_H__ *************** *** 186,191 **** --- 186,192 ---- int nl_rule; U_QUAD_T nl_pkts; U_QUAD_T nl_bytes; + u_char nl_p; } natlog_t; diff -cr ip_fil3.3.6/ip_sfil.c ip_fil3.3.7/ip_sfil.c *** ip_fil3.3.6/ip_sfil.c Sat Dec 11 16:31:10 1999 --- ip_fil3.3.7/ip_sfil.c Sun Jan 16 21:12:44 2000 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.1.2.5 1999/12/11 05:31:10 darrenr Exp $"; #endif #include --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.1.2.6 2000/01/16 10:12:44 darrenr Exp $"; #endif #include *************** *** 498,510 **** } if (!f) { ! if (req != SIOCINAFR || req != SIOCINIFR) while ((f = *ftail)) ftail = &f->fr_next; else { ! if (fp->fr_hits) while (--fp->fr_hits && (f = *ftail)) ftail = &f->fr_next; f = NULL; } } --- 498,512 ---- } if (!f) { ! if (req != SIOCINAFR && req != SIOCINIFR) while ((f = *ftail)) ftail = &f->fr_next; else { ! if (fp->fr_hits) { ! ftail = fprev; while (--fp->fr_hits && (f = *ftail)) ftail = &f->fr_next; + } f = NULL; } } diff -cr ip_fil3.3.6/ip_state.c ip_fil3.3.7/ip_state.c *** ip_fil3.3.6/ip_state.c Tue Dec 28 16:24:58 1999 --- ip_fil3.3.7/ip_state.c Sun Jan 16 21:15:12 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.16 1999/12/28 05:24:58 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.17 2000/01/16 10:15:12 darrenr Exp $"; #endif #include *************** *** 174,184 **** delete = 1; break; case 1 : ! if ((is->is_p == IPPROTO_TCP) && ! (((is->is_state[0] <= TCPS_ESTABLISHED) && ! (is->is_state[1] > TCPS_ESTABLISHED)) || ! ((is->is_state[1] <= TCPS_ESTABLISHED) && ! (is->is_state[0] > TCPS_ESTABLISHED)))) delete = 1; break; } --- 174,183 ---- delete = 1; break; case 1 : ! if (is->is_p != IPPROTO_TCP) ! break; ! if ((is->is_state[0] != TCPS_ESTABLISHED) || ! (is->is_state[1] != TCPS_ESTABLISHED)) delete = 1; break; } *************** *** 1038,1049 **** ips_num--; } else isp = &is->is_next; if (fr_state_doflush) { (void) fr_state_flush(1); fr_state_doflush = 0; } - RWLOCK_EXIT(&ipf_state); - SPL_X(s); } --- 1037,1048 ---- ips_num--; } else isp = &is->is_next; + RWLOCK_EXIT(&ipf_state); + SPL_X(s); if (fr_state_doflush) { (void) fr_state_flush(1); fr_state_doflush = 0; } } *************** *** 1180,1182 **** --- 1179,1199 ---- (void) ipllog(IPL_LOGSTATE, NULL, items, sizes, types, 1); } #endif + + + void ip_statesync(ifp) + void *ifp; + { + register ipstate_t *is; + register int i; + + WRITE_ENTER(&ipf_state); + for (i = fr_statesize - 1; i >= 0; i--) + for (is = ips_table[i]; is != NULL; is = is->is_next) { + if (is->is_ifpin == ifp) + is->is_ifpin = NULL; + if (is->is_ifpout == ifp) + is->is_ifpout = NULL; + } + RWLOCK_EXIT(&ipf_state); + } diff -cr ip_fil3.3.6/ip_state.h ip_fil3.3.7/ip_state.h *** ip_fil3.3.6/ip_state.h Thu Aug 5 03:30:00 1999 --- ip_fil3.3.7/ip_state.h Tue Jan 25 00:13:52 2000 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.1 1999/08/04 17:30:00 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! 
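Review bot: `fr_state_doflush` is now tested and cleared after `RWLOCK_EXIT(&ipf_state)`/`SPL_X(s)`, so the read-test-clear runs without the lock that previously covered it; whoever sets the flag is outside this hunk, but a request raised between `fr_state_flush(1)` returning and `fr_state_doflush = 0` is dropped until the next timer pass. If the flag is only a hint for the next pass that is benign and deserves saying, e.g. `/* doflush is checked unlocked: a request raised during the flush is picked up on the next pass */`; otherwise read-and-clear it into a local under the lock and flush on the local after the unlock. fr_timeoutstate starts outside this hunk.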
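Review bot: `ip_statesync` clears `is_ifpin`/`is_ifpout` to NULL for every entry bound to the departing interface, but nothing states what a NULL interface pointer means to the matching code, and that is the security-relevant question: if fr_checkstate treats NULL as "any interface" (or re-resolves it by name, as the NAT side presumably does), a state entry created on the outside interface could begin matching packets arriving on the inside one; if it never matches again the entries merely linger until they time out. A header comment pinning the intended post-sync behaviour would settle this, e.g. `/* Detach state entries from ifp; an entry with a NULL ifp is <never matched | re-resolved on next match> — see fr_checkstate. */`. It also walks `ips_table` unconditionally and no fr_running guard is visible around the fil.c caller, so an early return on a NULL table would be cheap insurance against a call before fr_stateinit.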
* $Id: ip_state.h,v 2.1.2.2 2000/01/24 13:13:52 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ *************** *** 151,156 **** --- 151,157 ---- extern int fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *)); extern ipstate_t *fr_addstate __P((ip_t *, fr_info_t *, u_int)); extern frentry_t *fr_checkstate __P((ip_t *, fr_info_t *)); + extern void ip_statesync __P((void *)); extern void fr_timeoutstate __P((void)); extern void fr_tcp_age __P((u_long *, u_char *, ip_t *, fr_info_t *, int)); extern void fr_stateunload __P((void)); diff -cr ip_fil3.3.6/ipl.h ip_fil3.3.7/ipl.h *** ip_fil3.3.6/ipl.h Tue Dec 28 16:35:15 1999 --- ip_fil3.3.7/ipl.h Tue Jan 25 01:25:33 2000 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.6" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.7" #endif diff -cr ip_fil3.3.6/ipmon.c ip_fil3.3.7/ipmon.c *** ip_fil3.3.6/ipmon.c Sun Nov 28 15:05:28 1999 --- ip_fil3.3.7/ipmon.c Mon Jan 24 23:45:25 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.3.2.3 1999/11/28 04:05:28 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-1998 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.3.2.4 2000/01/24 12:45:25 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 361,366 **** --- 361,367 ---- char *t = line; struct tm *tm; int res, i, len; + char *proto; nl = (struct natlog *)((char *)ipl + sizeof(*ipl)); res = (opts & OPT_RESOLVE) ? 1 : 0; *************** *** 387,400 **** sprintf(t, "Type: %d ", nl->nl_type); t += strlen(t); (void) sprintf(t, "%s,%s <- -> ", hostname(res, nl->nl_inip), ! 
portname(res, NULL, (u_int)nl->nl_inport)); t += strlen(t); (void) sprintf(t, "%s,%s ", hostname(res, nl->nl_outip), ! portname(res, NULL, (u_int)nl->nl_outport)); t += strlen(t); (void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip), ! portname(res, NULL, (u_int)nl->nl_origport)); t += strlen(t); if (nl->nl_type == NL_EXPIRE) { #ifdef USE_QUAD_T --- 388,403 ---- sprintf(t, "Type: %d ", nl->nl_type); t += strlen(t); + proto = getproto(nl->nl_p); + (void) sprintf(t, "%s,%s <- -> ", hostname(res, nl->nl_inip), ! portname(res, proto, (u_int)nl->nl_inport)); t += strlen(t); (void) sprintf(t, "%s,%s ", hostname(res, nl->nl_outip), ! portname(res, proto, (u_int)nl->nl_outport)); t += strlen(t); (void) sprintf(t, "[%s,%s]", hostname(res, nl->nl_origip), ! portname(res, proto, (u_int)nl->nl_origport)); t += strlen(t); if (nl->nl_type == NL_EXPIRE) { #ifdef USE_QUAD_T diff -cr ip_fil3.3.6/ipt.c ip_fil3.3.7/ipt.c *** ip_fil3.3.6/ipt.c Thu Aug 5 03:30:08 1999 --- ip_fil3.3.7/ipt.c Tue Jan 25 01:49:44 2000 *************** *** 55,61 **** #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipt.c,v 2.1 1999/08/04 17:30:08 darrenr Exp $"; #endif extern char *optarg; --- 55,61 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-1996 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ipt.c,v 2.1.2.1 2000/01/24 14:49:11 darrenr Exp $"; #endif extern char *optarg; *************** *** 64,69 **** --- 64,70 ---- extern struct ifnet *get_unit __P((char *)); extern void init_ifp __P((void)); extern ipnat_t *natparse __P((char *, int)); + extern int fr_running; int opts = 0; int main __P((int, char *[])); *************** *** 134,139 **** --- 135,141 ---- nat_init(); fr_stateinit(); initparse(); + fr_running = 1; if (rules) { char line[513], *s; diff -cr ip_fil3.3.6/mlf_ipl.c ip_fil3.3.7/mlf_ipl.c *** ip_fil3.3.6/mlf_ipl.c Sun Aug 1 20:56:51 1999 --- ip_fil3.3.7/mlf_ipl.c Sun Jan 16 21:16:23 2000 *************** *** 111,118 **** &fr_ipfrttl, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_unreach, CTLFLAG_RW, &ipl_unreach, 0, ""); ! SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_inited, CTLFLAG_RD, ! &ipl_inited, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RD, &fr_authsize, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD, --- 111,118 ---- &fr_ipfrttl, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, ipl_unreach, CTLFLAG_RW, &ipl_unreach, 0, ""); ! SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD, ! &fr_running, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authsize, CTLFLAG_RD, &fr_authsize, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD, diff -cr ip_fil3.3.6/parse.c ip_fil3.3.7/parse.c *** ip_fil3.3.6/parse.c Tue Dec 28 17:06:58 1999 --- ip_fil3.3.7/parse.c Sat Jan 8 01:43:07 2000 *************** *** 41,47 **** #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.5 1999/12/28 06:06:58 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; --- 41,47 ---- #if !defined(lint) static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.7 2000/01/07 14:43:07 darrenr Exp $"; #endif extern struct ipopt_names ionames[], secclass[]; *************** *** 127,142 **** if (!strcasecmp("block", *cpp)) { fil.fr_flags |= FR_BLOCK; ! if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19)) fil.fr_flags |= FR_FAKEICMP; ! else if (!strncasecmp(*(cpp+1), "return-icmp", 11)) fil.fr_flags |= FR_RETICMP; if (fil.fr_flags & FR_RETICMP) { cpp++; ! i = 11; ! if ((strlen(*cpp) > i) && (*(*cpp + i) != '(')) ! i = 19; ! if (*(*cpp + i) == '(') { i++; j = icmpcode(*cpp + i); if (j == -1) { --- 127,151 ---- if (!strcasecmp("block", *cpp)) { fil.fr_flags |= FR_BLOCK; ! if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) && ! (i = 19)) fil.fr_flags |= FR_FAKEICMP; ! else if (!strncasecmp(*(cpp+1), "return-icmp", 11) && (i = 11)) fil.fr_flags |= FR_RETICMP; if (fil.fr_flags & FR_RETICMP) { cpp++; ! if (strlen(*cpp) == i) { ! if (*(cpp + 1) && **(cpp +1) == '(') { ! cpp++; ! i = 0; ! } else ! i = -1; ! } ! ! /* ! * The ICMP code is not required to follow in ()'s ! */ ! if ((i >= 0) && (*(*cpp + i) == '(')) { i++; j = icmpcode(*cpp + i); if (j == -1) { *************** *** 183,189 **** fac = 0; pri = 0; ! cpp++; s = index(*cpp, '.'); if (s) { *s++ = '\0'; --- 192,202 ---- fac = 0; pri = 0; ! if (!*++cpp) { ! fprintf(stderr, "%d: %s\n", linenum, ! "missing identifier after level"); ! return NULL; ! } s = index(*cpp, '.'); if (s) { *s++ = '\0'; *************** *** 217,223 **** fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp); return NULL; } ! cpp++; if (!strcasecmp("in", *cpp)) fil.fr_flags |= FR_INQUE; --- 230,239 ---- fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp); return NULL; } ! if (!*++cpp) { ! fprintf(stderr, "%d: missing 'in'/'out' keyword\n", linenum); ! return NULL; ! 
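Review bot: The new `return-icmp` prefix tests still dereference `*(cpp+1)` without checking that any token follows `block`, so a rule line consisting of just `block` passes NULL to strncasecmp and crashes the parser, while this same commit adds exactly that kind of guard for `level` and `in`/`out` further down; `if (*(cpp+1) && !strncasecmp(*(cpp+1), "return-icmp-as-dest", 19) && (i = 19))` and the matching guard on the `return-icmp` test close it. Tucking the assignment into the condition as `&& (i = 19)` also reads like a typo for `==` to the next maintainer; setting `i` in the body of each branch says the same thing plainly. The enclosing parse function starts and ends outside this hunk.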
} if (!strcasecmp("in", *cpp)) fil.fr_flags |= FR_INQUE; *************** *** 234,246 **** linenum); return NULL; } - } else { - fprintf(stderr, "%d: missing 'in'/'out' keyword (%s)\n", - linenum, *cpp); - return NULL; } ! if (!*++cpp) return NULL; if (!strcasecmp("log", *cpp)) { if (!*++cpp) { --- 250,260 ---- linenum); return NULL; } } ! if (!*++cpp) { ! fprintf(stderr, "%d: missing source specification\n", linenum); return NULL; + } if (!strcasecmp("log", *cpp)) { if (!*++cpp) { *************** *** 252,266 **** fil.fr_flags |= FR_LOGP; else if (fil.fr_flags & FR_BLOCK) fil.fr_flags |= FR_LOGB; ! if (!strcasecmp(*cpp, "body")) { fil.fr_flags |= FR_LOGBODY; cpp++; } ! if (!strcasecmp(*cpp, "first")) { fil.fr_flags |= FR_LOGFIRST; cpp++; } ! if (!strcasecmp(*cpp, "or-block")) { if (!(fil.fr_flags & FR_PASS)) { fprintf(stderr, "%d: or-block must be used with pass\n", --- 266,280 ---- fil.fr_flags |= FR_LOGP; else if (fil.fr_flags & FR_BLOCK) fil.fr_flags |= FR_LOGB; ! if (*cpp && !strcasecmp(*cpp, "body")) { fil.fr_flags |= FR_LOGBODY; cpp++; } ! if (*cpp && !strcasecmp(*cpp, "first")) { fil.fr_flags |= FR_LOGFIRST; cpp++; } ! if (*cpp && !strcasecmp(*cpp, "or-block")) { if (!(fil.fr_flags & FR_PASS)) { fprintf(stderr, "%d: or-block must be used with pass\n", *************** *** 270,282 **** fil.fr_flags |= FR_LOGORBLOCK; cpp++; } ! if (!strcasecmp(*cpp, "level")) { int fac, pri; char *s; fac = 0; pri = 0; ! cpp++; s = index(*cpp, '.'); if (s) { *s++ = '\0'; --- 284,300 ---- fil.fr_flags |= FR_LOGORBLOCK; cpp++; } ! if (*cpp && !strcasecmp(*cpp, "level")) { int fac, pri; char *s; fac = 0; pri = 0; ! if (!*++cpp) { ! fprintf(stderr, "%d: %s\n", linenum, ! "missing identifier after level"); ! return NULL; ! } s = index(*cpp, '.'); if (s) { *s++ = '\0'; *************** *** 305,311 **** } } ! if (!strcasecmp("quick", *cpp)) { cpp++; fil.fr_flags |= FR_QUICK; } --- 323,329 ---- } } ! 
if (*cpp && !strcasecmp("quick", *cpp)) { cpp++; fil.fr_flags |= FR_QUICK; } *************** *** 337,348 **** return NULL; cpp++; } ! if (!strcasecmp(*cpp, "to") && *(cpp + 1)) { cpp++; if (to_interface(&fil.fr_tif, *cpp, linenum)) return NULL; cpp++; ! } else if (!strcasecmp(*cpp, "fastroute")) { if (!(fil.fr_flags & FR_INQUE)) { fprintf(stderr, "can only use %s with 'in'\n", --- 355,366 ---- return NULL; cpp++; } ! if (*cpp && !strcasecmp(*cpp, "to") && *(cpp + 1)) { cpp++; if (to_interface(&fil.fr_tif, *cpp, linenum)) return NULL; cpp++; ! } else if (*cpp && !strcasecmp(*cpp, "fastroute")) { if (!(fil.fr_flags & FR_INQUE)) { fprintf(stderr, "can only use %s with 'in'\n", diff -cr ip_fil3.3.6/solaris.c ip_fil3.3.7/solaris.c *** ip_fil3.3.6/solaris.c Sat Dec 4 14:33:59 1999 --- ip_fil3.3.7/solaris.c Mon Jan 24 23:46:17 2000 *************** *** 6,12 **** * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.1.2.11 1999/12/04 03:33:59 darrenr Exp $" #include #include --- 6,12 ---- * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.1.2.13 2000/01/24 12:46:17 darrenr Exp $" #include #include *************** *** 1327,1334 **** /* * Resync. any NAT `connections' using this interface and its IP #. */ ! for (il = ill_g_head; il; il = il->ill_next) ip_natsync((void *)il); return 0; } --- 1327,1336 ---- /* * Resync. any NAT `connections' using this interface and its IP #. */ ! 
for (il = ill_g_head; il; il = il->ill_next) { ip_natsync((void *)il); + ip_statesync((void *)il); + } return 0; } *************** *** 1442,1450 **** --- 1444,1456 ---- * If there is another M_PROTO, we don't want it */ if (*mpp != mb) { + mp = *mpp; + (void) unlinkb(mp); + mp = (*mpp)->b_cont; (*mpp)->b_cont = NULL; (*mpp)->b_prev = NULL; freemsg(*mpp); + *mpp = mp; } ir = (ire_t *)fdp->fd_ifp; *************** *** 1537,1542 **** --- 1543,1549 ---- mb = mp2; } } + *mpp = mb; if (ir->ire_stq) q = ir->ire_stq; *************** *** 1544,1549 **** --- 1551,1557 ---- q = WR(ir->ire_rfq); if (q) { mb->b_prev = NULL; + mb->b_queue = q; RWLOCK_EXIT(&ipfs_mutex); RWLOCK_EXIT(&ipf_solaris); #if SOLARIS2 >= 6
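Review bot: In the M_PROTO clean-up, `(void) unlinkb(mp)` is called with `mp == *mpp` and its return value discarded, yet the very next line reads `(*mpp)->b_cont` to find the surviving chain; if unlinkb() here has the usual STREAMS semantics of detaching the first block and returning the second, `b_cont` is already NULL at that point, `mp` becomes NULL, and `*mpp = mp` publishes a NULL head rather than the retained `mb`. The later hunk's `*mpp = mb;` may mask this, but anything that touches `*mpp` between the two (not visible here) would dereference NULL; `mp = unlinkb(*mpp);`, using the return value and dropping the redundant `b_cont` read, is what I read the intent to be. The enclosing function starts and ends outside these hunks.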