diff -c -r ip_fil3.3.8/HISTORY ip_fil3.3.9/HISTORY *** ip_fil3.3.8/HISTORY Tue Feb 1 07:57:37 2000 --- ip_fil3.3.9/HISTORY Tue Feb 15 19:35:07 2000 *************** *** 20,25 **** --- 20,48 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.3.9 15/02/2000 - Released + + fix scheduling of bad locking in fr_addstate() used when we attach onto + a filter rule. + + fix up ip_statesync() with storing interface names in ipstate_t + + fix fr_running for LKM's - Eugene Polovnikov + + junk using pullupmsg() for solaris - it's next to useless for what we + need to do here anyway - and implement what we require. + + don't call fr_delstate() in fr_checkstate(), when compiled for a user + program, early but when we're finished with it (got fr & pass) + + ipnat(5) fix from Guido + + on solaris2, copy message and use that with filter if there is another + copy if it being used (db_ref > 1). bad for performance, but better + than causing a crash. + + patch for solaris8-fcs compile from Casper Dik + 3.3.8 01/02/2000 - Released fix state handling of SYN packets. diff -c -r ip_fil3.3.8/SunOS5/pkginfo ip_fil3.3.9/SunOS5/pkginfo *** ip_fil3.3.8/SunOS5/pkginfo Tue Feb 1 07:57:40 2000 --- ip_fil3.3.9/SunOS5/pkginfo Tue Feb 15 19:32:12 2000 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.8 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=sparc,i386 ! VERSION=3.3.9 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -c -r ip_fil3.3.8/ip_compat.h ip_fil3.3.9/ip_compat.h *** ip_fil3.3.8/ip_compat.h Fri Nov 19 00:55:26 1999 --- ip_fil3.3.9/ip_compat.h Tue Feb 15 19:02:43 2000 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! 
* $Id: ip_compat.h,v 2.1.2.3 1999/11/18 13:55:26 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.1.2.5 2000/02/15 08:02:43 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ *************** *** 90,108 **** # ifndef KERNEL # define _KERNEL # undef RES_INIT # include # include # include # undef _KERNEL # else /* _KERNEL */ # include # include # include # endif /* _KERNEL */ # if SOLARIS2 >= 8 ! # include ! # include ! # define ipif_local_addr ipif_lcl_addr # endif #else # if !defined(__sgi) --- 90,114 ---- # ifndef KERNEL # define _KERNEL # undef RES_INIT + # if SOLARIS2 >= 8 + # include + # endif # include # include # include # undef _KERNEL # else /* _KERNEL */ + # if SOLARIS2 >= 8 + # include + # endif # include # include # include # endif /* _KERNEL */ # if SOLARIS2 >= 8 ! # define ipif_local_addr ipif_lcl_addr ! /* Only defined in private include file */ ! # define V4_PART_OF_V6(v6) v6.s6_addr32[3] # endif #else # if !defined(__sgi) *************** *** 285,290 **** --- 291,297 ---- } qif_t; extern ill_t *get_unit __P((char *)); # define GETUNIT(n) get_unit((n)) + # define IFNAME(x) ((ill_t *)x)->ill_name # else /* SOLARIS */ # if defined(__sgi) # define hz HZ *************** *** 331,340 **** --- 338,354 ---- # if !SOLARIS # include # define GETUNIT(n) ifunit((n), IFNAMSIZ) + # define IFNAME(x) ((struct ifnet *)x)->if_name # endif # else # ifndef linux # define GETUNIT(n) ifunit((n)) + # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ + (defined(OpenBSD) && (OpenBSD >= 199603)) + # define IFNAME(x) ((struct ifnet *)x)->if_xname + # else + # define IFNAME(x) ((struct ifnet *)x)->if_name + # endif # endif # endif /* sun */ diff -c -r ip_fil3.3.8/ip_fil.c ip_fil3.3.9/ip_fil.c *** ip_fil3.3.8/ip_fil.c Sun Jan 16 21:12:42 2000 --- ip_fil3.3.9/ip_fil.c Thu Feb 10 12:47:28 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char 
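Review bot: `V4_PART_OF_V6(v6)` expands its parameter unparenthesised (`v6.s6_addr32[3]`), so an argument such as `*p` becomes `*p.s6_addr32[3]` and binds to the wrong thing; the `IFNAME()` macros added in the two following hunks of this file (`((ill_t *)x)->ill_name`, `((struct ifnet *)x)->if_name` and the `if_xname` variant) have the same shape. Parenthesising the parameter costs nothing: `# define V4_PART_OF_V6(v6) (v6).s6_addr32[3]` and `# define IFNAME(x) ((ill_t *)(x))->ill_name`, with the ifnet forms done alike. In the third hunk the NetBSD upper bound `1991011` has one digit more than the lower bound `199606`; if both are meant to be NetBSD version dates one of them is presumably mistyped, which is worth confirming against the NetBSD param.h values.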
sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.16 2000/01/16 10:12:42 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.4.2.17 2000/02/10 01:47:28 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 157,167 **** struct sockaddr *, struct rtentry *)); # endif #endif - #if defined(IPFILTER_LKM) - int fr_running = 1; - #else int fr_running = 0; - #endif #if (__FreeBSD_version >= 300000) && defined(_KERNEL) struct callout_handle ipfr_slowtimer_ch; --- 157,163 ---- *************** *** 260,265 **** --- 256,262 ---- bzero((char *)frcache, sizeof(frcache)); fr_savep = fr_checkp; fr_checkp = fr_check; + fr_running = 1; SPL_X(s); if (fr_pass & FR_PASS) *************** *** 284,290 **** timeout(ipfr_slowtimer, NULL, hz/2); # endif #endif - fr_running = 1; return 0; } --- 281,286 ---- diff -c -r ip_fil3.3.8/ip_state.c ip_fil3.3.9/ip_state.c *** ip_fil3.3.8/ip_state.c Thu Jan 27 19:51:30 2000 --- ip_fil3.3.9/ip_state.c Tue Feb 15 19:04:01 2000 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.18 2000/01/27 08:51:30 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.3.2.21 2000/02/15 08:04:01 darrenr Exp $"; #endif #include *************** *** 370,383 **** } bcopy((char *)&ips, (char *)is, sizeof(*is)); hv %= fr_statesize; - RW_UPGRADE(&ipf_mutex); is->is_rule = fin->fin_fr; if (is->is_rule != NULL) { ! 
is->is_rule->fr_ref++; pass = is->is_rule->fr_flags; } else pass = fr_flags; - MUTEX_DOWNGRADE(&ipf_mutex); WRITE_ENTER(&ipf_state); is->is_rout = pass & FR_OUTQUE ? 1 : 0; --- 370,381 ---- } bcopy((char *)&ips, (char *)is, sizeof(*is)); hv %= fr_statesize; is->is_rule = fin->fin_fr; if (is->is_rule != NULL) { ! ATOMIC_INC(is->is_rule->fr_ref); pass = is->is_rule->fr_flags; } else pass = fr_flags; WRITE_ENTER(&ipf_state); is->is_rout = pass & FR_OUTQUE ? 1 : 0; *************** *** 398,403 **** --- 396,405 ---- is->is_flags = fin->fin_fi.fi_fl & FI_CMP; is->is_flags |= FI_CMP << 4; is->is_flags |= flags & (FI_W_DPORT|FI_W_SPORT); + #ifdef _KERNEL + strncpy(is->is_ifname[fin->fin_out], IFNAME(fin->fin_ifp), IFNAMSIZ); + #endif + is->is_ifname[1 - fin->fin_out][0] = '\0'; /* * add into table. */ *************** *** 651,656 **** --- 653,664 ---- is->is_ifpout = ifp; } } + #ifdef _KERNEL + if (ret >= 0) { + strncpy(is->is_ifname[out], IFNAME(fin->fin_ifp), + sizeof(is->is_ifname[1])); + } + #endif return 1; } *************** *** 900,906 **** isp = &ips_table[hvm]; if (ips_table[hvm] == NULL) ips_stats.iss_inuse--; - fr_delstate(is); ips_num--; } #endif --- 908,913 ---- *************** *** 963,968 **** --- 970,979 ---- fr = is->is_rule; fin->fin_fr = fr; pass = is->is_pass; + #ifndef _KERNEL + if (tcp->th_flags & TCP_CLOSE) + fr_delstate(is); + #endif RWLOCK_EXIT(&ipf_state); if (fin->fin_fi.fi_fl & FI_FRAG) ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); *************** *** 1192,1201 **** WRITE_ENTER(&ipf_state); for (i = fr_statesize - 1; i >= 0; i--) for (is = ips_table[i]; is != NULL; is = is->is_next) { ! if (is->is_ifpin == ifp) ! is->is_ifpin = NULL; ! if (is->is_ifpout == ifp) ! is->is_ifpout = NULL; } RWLOCK_EXIT(&ipf_state); } --- 1203,1218 ---- WRITE_ENTER(&ipf_state); for (i = fr_statesize - 1; i >= 0; i--) for (is = ips_table[i]; is != NULL; is = is->is_next) { ! if (is->is_ifpin == ifp) { ! is->is_ifpin = GETUNIT(is->is_ifname[0]); ! if (!is->is_ifpin) ! 
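Review bot: `strncpy(is->is_ifname[fin->fin_out], IFNAME(fin->fin_ifp), IFNAMSIZ)` leaves the slot without a NUL terminator whenever the interface name is IFNAMSIZ bytes or longer, and the lookup added later in this file (`GETUNIT(is->is_ifname[0])` in the hunk at old line 1192) then reads on into the neighbouring slot and beyond; on the SOLARIS2 >= 8 side `IFNAME()` expands to `ill_name`, whose length I cannot confirm is bounded by IFNAMSIZ from here. The hunk at old line 651 (`strncpy(is->is_ifname[out], IFNAME(fin->fin_ifp), sizeof(is->is_ifname[1]))`) has the same problem. Copy one byte less and terminate explicitly: `strncpy(is->is_ifname[fin->fin_out], IFNAME(fin->fin_ifp), IFNAMSIZ - 1); is->is_ifname[fin->fin_out][IFNAMSIZ - 1] = '\0';`. The enclosing function (fr_addstate(), going by the HISTORY entry) starts and ends outside the hunk.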
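Review bot: The `#ifndef _KERNEL` block added before `RWLOCK_EXIT(&ipf_state)` tests `tcp->th_flags & TCP_CLOSE` without checking the protocol; if `tcp` is the transport-header pointer fr_checkstate() sets for every protocol, as it appears to be, a UDP or ICMP packet whose bytes happen to carry those bits tears down its state entry in the user-level build. Guarding on the protocol fixes that: `if ((ip->ip_p == IPPROTO_TCP) && (tcp->th_flags & TCP_CLOSE))`. fr_delstate() is not visible here; if it drops the rule reference and can free the rule, `fin->fin_fr`, assigned two lines earlier, would be left dangling for the caller, which is worth confirming. The function continues outside the hunk.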
is->is_ifpin = (void *)-1; ! } ! if (is->is_ifpout == ifp) { ! is->is_ifpout = GETUNIT(is->is_ifname[1]); ! if (!is->is_ifpout) ! is->is_ifpout = (void *)-1; ! } } RWLOCK_EXIT(&ipf_state); } diff -c -r ip_fil3.3.8/ip_state.h ip_fil3.3.9/ip_state.h *** ip_fil3.3.8/ip_state.h Tue Jan 25 00:13:52 2000 --- ip_fil3.3.9/ip_state.h Tue Feb 15 19:04:03 2000 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.1.2.2 2000/01/24 13:13:52 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.1.2.3 2000/02/15 08:04:03 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ *************** *** 69,74 **** --- 69,75 ---- tcpstate_t is_ts; udpstate_t is_us; } is_ps; + char is_ifname[2][IFNAMSIZ]; } ipstate_t; #define is_icmp is_ps.is_ics diff -c -r ip_fil3.3.8/ipl.h ip_fil3.3.9/ipl.h *** ip_fil3.3.8/ipl.h Tue Feb 1 07:57:39 2000 --- ip_fil3.3.9/ipl.h Tue Feb 15 19:32:12 2000 *************** *** 11,16 **** #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.8" #endif --- 11,16 ---- #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.3.9" #endif diff -c -r ip_fil3.3.8/man/ipnat.5 ip_fil3.3.9/man/ipnat.5 *** ip_fil3.3.8/man/ipnat.5 Fri Oct 15 23:40:56 1999 --- ip_fil3.3.9/man/ipnat.5 Mon Feb 7 23:37:15 2000 *************** *** 40,46 **** port number. Either TCP or UDP or both can be selected by each rule, with a range of port numbers to remap into given as \fBport-number:port-number\fP. .SH COMMANDS ! There are found commands recognised by IP Filter's NAT code: .TP .B map that is used for mapping one address or network to another in an unregulated --- 40,46 ---- port number. 
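Review bot: The `(void *)-1` sentinel stored in `is_ifpin`/`is_ifpout` when `GETUNIT()` cannot find the interface by name is undocumented; a reader has to work out that it exists so the entry never matches a real `fin_ifp` again and is never dereferenced. A comment such as `/* interface gone and not re-attached: no real ifp can equal this, so the entry never matches */` on the first assignment would make the intent clear. The lookup also relies on `is_ifname` being NUL-terminated, which the `strncpy()` calls that fill it earlier in this file do not guarantee for full-length names.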
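Review bot: The new `is_ifname[2][IFNAMSIZ]` member has no comment saying what its two slots hold; from the ip_state.c hunks, the slot is indexed by `fin_out` (0 = inbound, 1 = outbound interface name) and the unused slot is set to an empty string. Suggest `char is_ifname[2][IFNAMSIZ]; /* [0] = in, [1] = out; "" when unset */`. Since this grows ipstate_t, any user-level tool that reads ipstate_t out of the kernel (the state listing, if it works that way) has to be rebuilt against the new header; the IPL_VERSION bump in ipl.h only helps if the tools compare it.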
Either TCP or UDP or both can be selected by each rule, with a range of port numbers to remap into given as \fBport-number:port-number\fP. .SH COMMANDS ! There are four commands recognised by IP Filter's NAT code: .TP .B map that is used for mapping one address or network to another in an unregulated diff -c -r ip_fil3.3.8/solaris.c ip_fil3.3.9/solaris.c *** ip_fil3.3.8/solaris.c Wed Jan 26 02:32:03 2000 --- ip_fil3.3.9/solaris.c Tue Feb 15 19:04:34 2000 *************** *** 6,12 **** * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.1.2.14 2000/01/25 15:32:03 darrenr Exp $" #include #include --- 6,12 ---- * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.1.2.17 2000/02/15 08:04:34 darrenr Exp $" #include #include *************** *** 611,629 **** * Ok, the IP header isn't on a 32bit aligned address so junk it. */ if (((u_int)ip & 0x3) || (len < sizeof(*ip))) { /* ! * We have link layer header and IP header in the same mbuf, ! * problem being that a pullup without adjusting b_rptr will ! * bring us back here again as it's likely that the start of ! * the databuffer (b_datab->db_base) is already aligned. Hmm, ! * should we pull it all up (length of -1 to pullupmsg) if we ! * can, now ? */ fixalign: ! if (!pullupmsg(m, sizeof(ip_t))) { frstats[out].fr_pull[1]++; return -1; } frstats[out].fr_pull[0]++; synced = 1; off = 0; --- 611,643 ---- * Ok, the IP header isn't on a 32bit aligned address so junk it. */ if (((u_int)ip & 0x3) || (len < sizeof(*ip))) { + mblk_t *m2; + u_char *s; + /* ! * Junk using pullupmsg - it's next to useless. */ fixalign: ! len = msgdsize(m); ! m2 = allocb(len, BPRI_HI); ! 
if (m2 == NULL) { frstats[out].fr_pull[1]++; return -1; } + + m2->b_wptr = m2->b_rptr + len; + s = (u_char *)ip; + for (bp = m2->b_rptr; m; bp += len) { + len = m->b_wptr - s; + bcopy(m->b_rptr, bp, len); + m = m->b_cont; + if (m) + s = m->b_rptr; + } + *mp = m2; + MTYPE(m2) = M_DATA; + freemsg(mt); + frstats[out].fr_pull[0]++; synced = 1; off = 0; *************** *** 752,757 **** --- 766,779 ---- return 0; } + if (mb->b_datap->db_ref > 1) { + mblk_t *m1; + + m1 = copymsg(mb); + freemsg(mb); + mb = m1; + } + READ_ENTER(&ipf_solaris); again: if (fr_running <= 0) { *************** *** 842,847 **** --- 864,877 ---- mb->b_prev = NULL; freemsg(mb); return 0; + } + + if (mb->b_datap->db_ref > 1) { + mblk_t *m1; + + m1 = copymsg(mb); + freemsg(mb); + mb = m1; } READ_ENTER(&ipf_solaris);
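Review bot: In the copy loop the segment length is measured from `s` (`len = m->b_wptr - s`) but the bytes are taken from `m->b_rptr` (`bcopy(m->b_rptr, bp, len)`); whenever `ip` does not start at the head of the first mblk, the case the removed comment describes with the link-layer header sharing the block, the first segment copied is the wrong one and the tail of the chain is lost. The allocation size `msgdsize(m)` counts from `b_rptr` too, so in that case `m2->b_wptr` ends up past the bytes actually copied and the packet carries uninitialised buffer memory onward. Sizing from `ip` and copying from `s` keeps both consistent: `len = msgdsize(m) - ((u_char *)ip - m->b_rptr);` and `bcopy(s, bp, len);`. After the loop `len` holds the last segment's length rather than the message length, so anything past the hunk that still reads `len` as the packet length needs it reset from `m2`; the function continues outside the hunk.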
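Review bot: In the `db_ref > 1` block, `copymsg(mb)` can return NULL on allocation failure, yet `mb` is unconditionally replaced with its result after the original has already been freed, so the code that follows dereferences a null `mb`; the same block is added again in the last hunk of this file (old line 842). Check the copy before continuing, dropping the packet the way the path just above does: `m1 = copymsg(mb); freemsg(mb); if (m1 == NULL) return 0; mb = m1;`. Whether `return 0` is the right drop result for this caller is inferred from the surrounding `freemsg(mb); return 0;` lines and worth confirming. Both enclosing functions start and end outside their hunks.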