diff -cr ip_fil3.4.17/HISTORY ip_fil3.4.18/HISTORY *** ip_fil3.4.17/HISTORY Fri Apr 6 21:20:18 2001 --- ip_fil3.4.18/HISTORY Tue Jun 5 21:33:32 2001 *************** *** 22,27 **** --- 22,79 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.4.18 05/06/2001 - Released + + fix up parsing of "from ! host" where '!' is separate + + disable hardware checksums for NetBSD + + put ipftest temporary files in . rather than /tmp + + modify ftp proxy to be more intelligent about moving between states + and recognise new authentication commands + + allow state/nat table sizes to be externally influenced + + print out host mapping table for NAT with ipnat -l + + fix handling of hardware checksum'ing on Solaris + + fixup makefiles for Solaris + + update regression tests + + fix surrender of SPL's for failure cases + + include patches for OpenBSD's new timeout mechanism + + default ipl_unreach to ICMP_UNREACH_FILTER_PROHIB if defined, else make it + ICMP_UNREACH_FILTER + + fix up handling of packets matching auth rules and interaction with state + + add -q command line option to ipfstat on Solaris to list bound interfaces + + add command line option to ipfstat/ipnat to select different core image + + don't use ncurses on Solaris for STATETOP + + fix includes to get FreeBSD version + + do not byte swap ip_id + + fix handling success for packets matching the auth rule + + don't double-count short packets + + add ICMP router discovery message size recognition + + fix packet length calculation for IPv6 + + set CPUDIR when for install-sunos5 make target + + SUNWspro -xF causes Solaris 2.5.1 kernel to crash + 3.4.17 06/04/2001 - Released fix fragment#0 handling bug where they could get in via cache information diff -cr ip_fil3.4.17/LICENCE ip_fil3.4.18/LICENCE *** ip_fil3.4.17/LICENCE Tue Mar 14 09:10:18 2000 --- ip_fil3.4.18/LICENCE Sun May 27 03:00:46 2001 *************** *** 1,5 **** /* ! * Copyright (C) 1993-2000 by Darren Reed. 
* * The author accepts no responsibility for the use of this software and * provides it on an ``as is'' basis without express or implied warranty. --- 1,5 ---- /* ! * Copyright (C) 1993-2001 by Darren Reed. * * The author accepts no responsibility for the use of this software and * provides it on an ``as is'' basis without express or implied warranty. *************** *** 12,16 **** * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * ! * I hate legaleese, don't you ? */ --- 12,16 ---- * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * ! * I hate legalese, don't you ? */ diff -cr ip_fil3.4.17/Makefile ip_fil3.4.18/Makefile *** ip_fil3.4.17/Makefile Sun Dec 17 23:43:15 2000 --- ip_fil3.4.18/Makefile Sun May 27 02:59:11 2001 *************** *** 5,11 **** # provided that this notice is preserved and due credit is given # to the original author and the contributors. # ! # $Id: Makefile,v 2.11.2.6 2000/12/17 12:43:15 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin --- 5,11 ---- # provided that this notice is preserved and due credit is given # to the original author and the contributors. # ! # $Id: Makefile,v 2.11.2.7 2001/05/26 16:59:11 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin *************** *** 19,24 **** --- 19,25 ---- CFLAGS=-I$$(TOP) CPU=`uname -m` CPUDIR=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m` + IPFILKERN=`/bin/ls -1tr /usr/src/sys/compile | grep -v .bak | tail -1` # # To enable this to work as a Loadable Kernel Module... # *************** *** 262,268 **** (cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install) install-sunos5: solaris ! (cd SunOS5; $(MAKE) "CPU=$(CPU) TOP=.." install) install-irix: irix (cd IRIX; smake install "CPU=$(CPU) TOP=.." $(DEST) $(MFLAGS)) --- 263,269 ---- (cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install) install-sunos5: solaris ! 
(cd SunOS5; $(MAKE) "CPUDIR=`uname -p`-`uname -r`" "CPU=$(CPU) TOP=.." install) install-irix: irix (cd IRIX; smake install "CPU=$(CPU) TOP=.." $(DEST) $(MFLAGS)) Only in ip_fil3.4.18/OpenBSD: mknewipf.sh diff -cr ip_fil3.4.17/SunOS5/Makefile ip_fil3.4.18/SunOS5/Makefile *** ip_fil3.4.17/SunOS5/Makefile Mon Nov 27 04:14:02 2000 --- ip_fil3.4.18/SunOS5/Makefile Fri Jun 1 23:07:46 2001 *************** *** 75,81 **** sunos5 solaris2 build: $(OBJ) $(OBJ)/ipf.exe $(OBJ)/ipfstat $(OBJ)/ipftest \ $(OBJ)/ipmon $(OBJ)/ipnat $(OBJ)/ipf $(OBJ)/ipfs ! pkg: ipf.pkg $(OBJ)/ipfstat: $(FILS) $(CC) $(DEBUG) $(CFLAGS) $(FILS) -o $@ $(LIBS) $(STATETOP_LIB) --- 75,87 ---- sunos5 solaris2 build: $(OBJ) $(OBJ)/ipf.exe $(OBJ)/ipfstat $(OBJ)/ipftest \ $(OBJ)/ipmon $(OBJ)/ipnat $(OBJ)/ipf $(OBJ)/ipfs ! pkg: ! if [ "$(CPUDIR)" = "" ] ; then \ ! $$x="`uname -p`-`uname -r`"; \ ! $(MAKE) "CPUDIR=$$x" $$x/ipf.pkg; \ ! else \ ! $(MAKE) "CPUDIR=$(CPUDIR)" $(CPUDIR)/ipf.pkg; \ ! fi $(OBJ)/ipfstat: $(FILS) $(CC) $(DEBUG) $(CFLAGS) $(FILS) -o $@ $(LIBS) $(STATETOP_LIB) *************** *** 105,111 **** $(CC) $(DEBUG) $(CFLAGS) $(OBJ)/ipfs.o -o $@ $(LIBS) tests: ! (cd test; make ) $(OBJ)/fils.o: $(TOP)/fils.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \ --- 111,117 ---- $(CC) $(DEBUG) $(CFLAGS) $(OBJ)/ipfs.o -o $@ $(LIBS) tests: ! (cd test; $(MAKE) ) $(OBJ)/fils.o: $(TOP)/fils.c $(TOP)/ip_fil.h $(TOP)/ipf.h $(CC) $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \ *************** *** 231,237 **** ${RM} -f prototype pkginfo postinstall postremove copyright; \ ${RM} -f y.tab.? lex.yy.c; \ fi ! /bin/rm -rf */root ipf.pkg* sparcv7 sparcv9 make -f Makefile.ipsend clean -(for i in *; do \ if [ -d $${i} -a -h $${i}/Makefile ] ; then \ --- 237,243 ---- ${RM} -f prototype pkginfo postinstall postremove copyright; \ ${RM} -f y.tab.? lex.yy.c; \ fi ! 
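Review bot: In the new `pkg` recipe the line beginning `$$x=` reaches the shell as `$x=...`, which expands an unset `x` and tries to run the result as a command instead of assigning it. If the shell carries on past that failure, the following `$(MAKE) "CPUDIR=$$x" $$x/ipf.pkg` runs with an empty CPUDIR and asks for the target `/ipf.pkg`. The assignment should drop the leading `$$` so that the line starts with `x=`. The `package install` recipe added later in this file repeats the same line and needs the same fix.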
/bin/rm -rf */root $(CPUDIR)/ipf.pkg* sparcv7 sparcv9 make -f Makefile.ipsend clean -(for i in *; do \ if [ -d $${i} -a -h $${i}/Makefile ] ; then \ *************** *** 241,263 **** fi \ done) ! ipf.pkg: ipf.pkg.common if [ -d $(CPUDIR)/sparcv7 ]; then \ ! $(MAKE) PROTO=prototype32 PKG=ipf OBJ=sparcv7 BITS=32 \ ! ipf.pkg.bin; \ ! $(MAKE) PROTO=prototype64 PKG=ipfx OBJ=sparcv9 BITS=64 \ ! ipf.pkg.bin; \ else \ ! $(MAKE) OBJ=. BITS=${BITS} ipf.pkg.bin;\ fi touch $(CPUDIR)/ipf.pkg pkgtrans -s $(TMP) $(CPUDIR)/ipf.pkg `ls $(TMP)` - /bin/rm -f ipf.pkg - ln -s $(CPUDIR)/ipf.pkg ipf.pkg rm -rf $(TMP)/ipf* ! ipf.pkg.common: mkdir -p $(ROOTINC)/netinet $(PKGDIR)/examples $(ROOT)/usr/kernel/drv mkdir -p $(ROOT)/etc/init.d $(TMP) mkdir -p $(PKGMAN)/man1 $(PKGMAN)/man4 $(PKGMAN)/man5 $(PKGMAN)/man8 --- 247,267 ---- fi \ done) ! $(CPUDIR)/ipf.pkg: $(CPUDIR)/ipf.pkg.common if [ -d $(CPUDIR)/sparcv7 ]; then \ ! $(MAKE) CPUDIR=$(CPUDIR) PROTO=prototype32 PKG=ipf OBJ=sparcv7 \ ! BITS=32 $(CPUDIR)/ipf.pkg.bin; \ ! $(MAKE) CPUDIR=$(CPUDIR) PROTO=prototype64 PKG=ipfx OBJ=sparcv9 \ ! BITS=64 $(CPUDIR)/ipf.pkg.bin; \ else \ ! $(MAKE) CPUDIR=$(CPUDIR) OBJ=. BITS=${BITS} $(CPUDIR)/ipf.pkg.bin;\ fi touch $(CPUDIR)/ipf.pkg pkgtrans -s $(TMP) $(CPUDIR)/ipf.pkg `ls $(TMP)` rm -rf $(TMP)/ipf* ! $(CPUDIR)/ipf.pkg.common: mkdir -p $(ROOTINC)/netinet $(PKGDIR)/examples $(ROOT)/usr/kernel/drv mkdir -p $(ROOT)/etc/init.d $(TMP) mkdir -p $(PKGMAN)/man1 $(PKGMAN)/man4 $(PKGMAN)/man5 $(PKGMAN)/man8 *************** *** 294,300 **** # For 64 bit Solaris, we build 32 and 64 bit packages, but the 64 bit package # is smaller and only contains the 64 bit specific and not the common stuff. # ! 
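Review bot: `/bin/rm -rf */root $(CPUDIR)/ipf.pkg* sparcv7 sparcv9` expands to a recursive delete of `/ipf.pkg*` at the filesystem root whenever `clean` runs with CPUDIR unset. This patch treats an unset CPUDIR as a normal case, since the new `pkg` recipe tests for it. I would guard the CPUDIR-relative part, for example `if [ -n "$(CPUDIR)" ]; then /bin/rm -rf $(CPUDIR)/ipf.pkg*; fi`, and keep the unconditional removal for the relative names only. The clean recipe starts and ends outside the hunk.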
ipf.pkg.bin: mkdir -p $(PKGBIN) $(ROOT)/$(SBINDEST) $(ROOT)/usr/kernel/drv/$(OBJ) -$(INSTALL) -c -s $(OBJDIR)/ipftest $(PKGBIN)/ipftest -$(INSTALL) -c -s $(OBJDIR)/ipmon $(PKGBIN)/ipmon --- 298,304 ---- # For 64 bit Solaris, we build 32 and 64 bit packages, but the 64 bit package # is smaller and only contains the 64 bit specific and not the common stuff. # ! $(CPUDIR)/ipf.pkg.bin: mkdir -p $(PKGBIN) $(ROOT)/$(SBINDEST) $(ROOT)/usr/kernel/drv/$(OBJ) -$(INSTALL) -c -s $(OBJDIR)/ipftest $(PKGBIN)/ipftest -$(INSTALL) -c -s $(OBJDIR)/ipmon $(PKGBIN)/ipmon *************** *** 317,327 **** (cd $(CPUDIR); pkgmk -a `uname -p` -o -d $(TMP)) ! package install: ipf.pkg @if [ `id|sed -e 's/^.[^(]*(\([^)]*\)).*/\1/'` != root ] ; then \ echo "Can only install if root"; \ exit 1; \ fi # Must add ipfx before ipf or driver attach fails. ! -[ -d $(CPUDIR)/sparcv9 ] && pkgadd -d ipf.pkg ipfx ! -pkgadd -d ipf.pkg ipf --- 321,340 ---- (cd $(CPUDIR); pkgmk -a `uname -p` -o -d $(TMP)) ! package install: ! if [ "$(CPUDIR)" = "" ] ; then \ ! $$x="`uname -p`-`uname -r`"; \ ! $(MAKE) "CPUDIR=$$x" $@; \ ! else \ ! $(MAKE) "CPUDIR=$(CPUDIR)" make$@; \ ! fi ! ! makepackage makeinstall: $(CPUDIR)/ipf.pkg @if [ `id|sed -e 's/^.[^(]*(\([^)]*\)).*/\1/'` != root ] ; then \ echo "Can only install if root"; \ exit 1; \ fi # Must add ipfx before ipf or driver attach fails. ! -[ -d $(CPUDIR)/sparcv9 ] && pkgadd -d $(CPUDIR)/ipf.pkg ipfx ! -pkgadd -d $(CPUDIR)/ipf.pkg ipf ! diff -cr ip_fil3.4.17/SunOS5/Makefile.ipsend ip_fil3.4.18/SunOS5/Makefile.ipsend *** ip_fil3.4.17/SunOS5/Makefile.ipsend Thu Oct 26 22:39:07 2000 --- ip_fil3.4.18/SunOS5/Makefile.ipsend Sat May 19 00:26:04 2001 *************** *** 18,27 **** $(CC) $(DEBUG) $(CFLAGS) -c $< -o $@ $(OBJ)/y.tab.o: $(TOP)/iplang/iplang_y.y ! (cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPUDIR)/$@ 'DESTDIR=../SunOS5/$(CPUDIR)/$(OBJ)' 'CFLAGS=$(CFLAGS)' 'OBJ=') $(OBJ)/lex.yy.o: $(TOP)/iplang/iplang_l.l ! 
(cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPUDIR)/$@ 'DESTDIR=../SunOS5/$(CPUDIR)/$(OBJ)' 'CFLAGS=$(CFLAGS)' 'OBJ=') $(OBJ)/ipsend: $(OBJS) $(UNIXOBJS) $(CC) $(DEBUG) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) -ll --- 18,35 ---- $(CC) $(DEBUG) $(CFLAGS) -c $< -o $@ $(OBJ)/y.tab.o: $(TOP)/iplang/iplang_y.y ! if [ "x$$OBJ" != "x" ] ; then \ ! (cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPUDIR)/$@ 'DESTDIR=../SunOS5/$(CPUDIR)/$(OBJ)' 'CFLAGS=$(CFLAGS)' 'OBJ=') ; \ ! else \ ! (cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPUDIR)/$@ 'DESTDIR=../SunOS5/$(CPUDIR)' 'CFLAGS=$(CFLAGS)' 'OBJ=') ; \ ! fi $(OBJ)/lex.yy.o: $(TOP)/iplang/iplang_l.l ! if [ "x$$OBJ" != "x" ] ; then \ ! (cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPUDIR)/$@ 'DESTDIR=../SunOS5/$(CPUDIR)/$(OBJ)' 'CFLAGS=$(CFLAGS)' 'OBJ='); \ ! else \ ! (cd $(TOP)/iplang; $(MAKE) ../SunOS5/$(CPUDIR)/$@ 'DESTDIR=../SunOS5/$(CPUDIR)' 'CFLAGS=$(CFLAGS)' 'OBJ=') ; \ ! fi $(OBJ)/ipsend: $(OBJS) $(UNIXOBJS) $(CC) $(DEBUG) $(OBJS) $(UNIXOBJS) -o $@ $(LIBS) -ll diff -cr ip_fil3.4.17/SunOS5/ipfboot ip_fil3.4.18/SunOS5/ipfboot *** ip_fil3.4.17/SunOS5/ipfboot Sun Nov 12 22:51:50 2000 --- ip_fil3.4.18/SunOS5/ipfboot Sat May 19 00:25:42 2001 *************** *** 41,46 **** --- 41,47 ---- ipf -s fi fi + ipf -y if [ -r ${IP6FILCONF} ]; then ipf -IFa -6f ${IP6FILCONF} if [ $? != 0 ]; then diff -cr ip_fil3.4.17/SunOS5/pkginfo ip_fil3.4.18/SunOS5/pkginfo *** ip_fil3.4.17/SunOS5/pkginfo Fri Apr 6 22:21:46 2001 --- ip_fil3.4.18/SunOS5/pkginfo Tue Jun 5 21:33:32 2001 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=3.4.17 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! 
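Review bot: The new test `[ "x$$OBJ" != "x" ]` inspects the shell environment variable OBJ, not the make variable `$(OBJ)` that the rest of the rule uses for the target name and DESTDIR. The two agree only when OBJ was passed on the command line or exported, which this file does not show. Testing the make variable directly, `if [ "x$(OBJ)" != "x" ] ; then \`, removes that dependency. The same line appears in both the `y.tab.o` and `lex.yy.o` recipes of this hunk.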
VERSION=3.4.18 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -cr ip_fil3.4.17/buildsunos ip_fil3.4.18/buildsunos *** ip_fil3.4.17/buildsunos Wed Apr 4 01:47:06 2001 --- ip_fil3.4.18/buildsunos Sat May 19 00:19:38 2001 *************** *** 3,9 **** echo "Do NOT run this script directly, do 'make solaris'!" exit 1 fi ! # $Id: buildsunos,v 2.5.2.9 2001/04/03 15:47:06 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` if [ -d /usr/ccs/bin ] ; then --- 3,9 ---- echo "Do NOT run this script directly, do 'make solaris'!" exit 1 fi ! # $Id: buildsunos,v 2.5.2.10 2001/05/18 14:19:38 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` if [ -d /usr/ccs/bin ] ; then *************** *** 58,65 **** XARCH64="-m64 -mcmodel=medlow" ;; *) # Sun C ! XARCH32="-Xa -xF -xildoff" ! XARCH64="$XARCH32 -xarch=v9 -xchip=ultra -dalign -xcode=abs32" ;; esac --- 58,65 ---- XARCH64="-m64 -mcmodel=medlow" ;; *) # Sun C ! XARCH32="-Xa -xildoff" ! XARCH64="$XARCH32 -xchip=ultra -dalign -xcode=abs32 -xarch=v9" ;; esac diff -cr ip_fil3.4.17/etc/services ip_fil3.4.18/etc/services *** ip_fil3.4.17/etc/services Thu Aug 5 03:30:50 1999 --- ip_fil3.4.18/etc/services Sat May 19 00:25:17 2001 *************** *** 2360,2365 **** --- 2360,2366 ---- dpserveadmin 7021/tcp # DP Serve Admin dpserveadmin 7021/udp # DP Serve Admin arcp 7070/tcp # ARCP + raudio 7070/tcp # Real Audio arcp 7070/udp # ARCP clutild 7174/tcp # Clutild clutild 7174/udp # Clutild diff -cr ip_fil3.4.17/fil.c ip_fil3.4.18/fil.c *** ip_fil3.4.17/fil.c Wed Apr 4 01:46:41 2001 --- ip_fil3.4.18/fil.c Sat May 19 00:20:04 2001 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.31 2001/04/03 15:46:41 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.34 2001/05/18 14:20:04 darrenr Exp $"; #endif #include *************** *** 115,126 **** # if SOLARIS || defined(__sgi) extern KRWLOCK_T ipf_mutex, ipf_auth, ipf_nat; extern kmutex_t ipf_rw; - # endif - # if SOLARIS - # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, \ - ip, qif) - # else /* SOLARIS */ - # define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip) # endif /* SOLARIS || __sgi */ #endif /* _KERNEL */ --- 115,120 ---- *************** *** 258,265 **** fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff); fi->fi_tos = 0; fi->fi_fl = 0; ! plen = ntohs(ip6->ip6_plen) + sizeof(*ip6); fin->fin_dlen = plen; } #endif else --- 252,260 ---- fin->fin_id = (u_short)(ip6->ip6_flow & 0xffff); fi->fi_tos = 0; fi->fi_fl = 0; ! plen = ntohs(ip6->ip6_plen); fin->fin_dlen = plen; + plen += sizeof(*ip6); } #endif else *************** *** 315,339 **** icmp = (icmphdr_t *)tcp; ! if (icmp->icmp_type == ICMP_ECHOREPLY || ! icmp->icmp_type == ICMP_ECHO) minicmpsz = ICMP_MINLEN; ! /* * type(1) + code(1) + cksum(2) + id(2) seq(2) + * 3*timestamp(3*4) */ ! else if (icmp->icmp_type == ICMP_TSTAMP || ! icmp->icmp_type == ICMP_TSTAMPREPLY) minicmpsz = 20; ! /* * type(1) + code(1) + cksum(2) + id(2) seq(2) + * mask(4) */ ! else if (icmp->icmp_type == ICMP_MASKREQ || ! icmp->icmp_type == ICMP_MASKREPLY) minicmpsz = 12; } if ((!(plen >= hlen + minicmpsz) && !off) || --- 310,343 ---- icmp = (icmphdr_t *)tcp; ! switch (icmp->icmp_type) ! { ! case ICMP_ECHOREPLY : ! case ICMP_ECHO : ! /* Router discovery messages - RFC 1256 */ ! case ICMP_ROUTERADVERT : ! case ICMP_ROUTERSOLICIT : minicmpsz = ICMP_MINLEN; ! break; /* * type(1) + code(1) + cksum(2) + id(2) seq(2) + * 3*timestamp(3*4) */ ! 
case ICMP_TSTAMP : ! case ICMP_TSTAMPREPLY : minicmpsz = 20; ! break; /* * type(1) + code(1) + cksum(2) + id(2) seq(2) + * mask(4) */ ! case ICMP_MASKREQ : ! case ICMP_MASKREPLY : minicmpsz = 12; + break; + default : + break; + } } if ((!(plen >= hlen + minicmpsz) && !off) || *************** *** 893,905 **** # endif #endif /* _KERNEL */ - /* - * Be careful here: ip_id is in network byte order when called - * from ip_output() - */ - if ((out) && (v == 4)) - ip->ip_id = ntohs(ip->ip_id); - changed = 0; fin->fin_ifp = ifp; fin->fin_v = v; --- 897,902 ---- *************** *** 950,958 **** READ_ENTER(&ipf_mutex); - if (fin->fin_fi.fi_fl & FI_SHORT) - ATOMIC_INCL(frstats[out].fr_short); - /* * Check auth now. This, combined with the check below to see if apass * is 0 is to ensure that we don't count the packet twice, which can --- 947,952 ---- *************** *** 1012,1033 **** ATOMIC_INCL(frstats[out].fr_nom); } } - fr = fin->fin_fr; } else pass = apass; /* * If we fail to add a packet to the authorization queue, * then we drop the packet later. However, if it was added * then pretend we've dropped it already. */ ! if ((pass & FR_AUTH)) ! if (fr_newauth((mb_t *)m, fin, ip) != 0) #ifdef _KERNEL m = *mp = NULL; #else ; #endif if (pass & FR_PREAUTH) { READ_ENTER(&ipf_auth); --- 1006,1031 ---- ATOMIC_INCL(frstats[out].fr_nom); } } } else pass = apass; + fr = fin->fin_fr; /* * If we fail to add a packet to the authorization queue, * then we drop the packet later. However, if it was added * then pretend we've dropped it already. */ ! if ((pass & FR_AUTH)) { ! 
if (fr_newauth((mb_t *)m, fin, ip) != 0) { #ifdef _KERNEL m = *mp = NULL; #else ; #endif + error = 0; + } else + error = ENOSPC; + } if (pass & FR_PREAUTH) { READ_ENTER(&ipf_auth); *************** *** 1120,1128 **** } #endif /* IPFILTER_LOG */ - if ((out) && (v == 4)) - ip->ip_id = htons(ip->ip_id); - #ifdef _KERNEL /* * Only allow FR_DUP to work if a rule matched - it makes no sense to --- 1118,1123 ---- *************** *** 1213,1220 **** if (mc) ipfr_fastroute(mc, fin, &fr->fr_dif); } ! if (!(pass & FR_PASS) && m) m_freem(m); # ifdef __sgi else if (changed && up && m) m_copyback(m, 0, up, hbuf); --- 1208,1218 ---- if (mc) ipfr_fastroute(mc, fin, &fr->fr_dif); } ! ! if (!(pass & FR_PASS) && m) { m_freem(m); + m = *mp = NULL; + } # ifdef __sgi else if (changed && up && m) m_copyback(m, 0, up, hbuf); *************** *** 1233,1239 **** ipfr_fastroute(ip, mc, mp, fin, &fr->fr_dif); } # endif /* !SOLARIS */ ! return (pass & (FR_PASS|FR_AUTH)) ? 0 : error; #else /* _KERNEL */ if (pass & FR_NOMATCH) return 1; --- 1231,1237 ---- ipfr_fastroute(ip, mc, mp, fin, &fr->fr_dif); } # endif /* !SOLARIS */ ! return (pass & FR_PASS) ? 0 : error; #else /* _KERNEL */ if (pass & FR_NOMATCH) return 1; *************** *** 1462,1468 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.35.2.31 2001/04/03 15:46:41 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 1460,1466 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.35.2.34 2001/05/18 14:20:04 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, *************** *** 1911,1917 **** ip_statesync(ifp); } ip_natsync((struct ifnet *)-1); ! # endif WRITE_ENTER(&ipf_mutex); frsynclist(ipacct[0][fr_active]); --- 1909,1915 ---- ip_statesync(ifp); } ip_natsync((struct ifnet *)-1); ! 
# endif /* !SOLARIS */ WRITE_ENTER(&ipf_mutex); frsynclist(ipacct[0][fr_active]); diff -cr ip_fil3.4.17/fils.c ip_fil3.4.18/fils.c *** ip_fil3.4.17/fils.c Sat Dec 2 11:13:56 2000 --- ip_fil3.4.18/fils.c Fri Jun 1 22:52:08 2001 *************** *** 5,12 **** * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ ! #ifdef __FreeBSD__ ! # include #endif #include #include --- 5,18 ---- * provided that this notice is preserved and due credit is given * to the original author and the contributors. */ ! #ifdef __FreeBSD__ ! # ifndef __FreeBSD_cc_version ! # include ! # else ! # if __FreeBSD_cc_version < 430000 ! # include ! # endif ! # endif #endif #include #include *************** *** 25,34 **** #include #include #include - #ifdef STATETOP - #include - #include - #endif #include #include #include --- 31,36 ---- *************** *** 56,63 **** #include "netinet/ip_state.h" #include "netinet/ip_auth.h" #ifdef STATETOP ! #include "netinet/ipl.h" ! #endif #include "kmem.h" #if defined(__NetBSD__) || (__OpenBSD__) # include --- 58,74 ---- #include "netinet/ip_state.h" #include "netinet/ip_auth.h" #ifdef STATETOP ! # include "netinet/ipl.h" ! # include ! # if SOLARIS ! # ifdef ERR ! # undef ERR ! # endif ! # include ! # else /* SOLARIS */ ! # include ! # endif /* SOLARIS */ ! #endif /* STATETOP */ #include "kmem.h" #if defined(__NetBSD__) || (__OpenBSD__) # include *************** *** 65,71 **** #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.7 2000/12/02 00:13:56 darrenr Exp $"; #endif extern char *optarg; --- 76,82 ---- #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.11 2001/06/01 12:52:08 darrenr Exp $"; #endif extern char *optarg; *************** *** 128,133 **** --- 139,147 ---- static int sort_bytes __P((const void *, const void *)); static int sort_ttl __P((const void *, const void *)); #endif + #if SOLARIS + void showqiflist __P((char *)); + #endif static char *hostname(v, ip) int v; *************** *** 160,166 **** #else fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d ]\n", name); #endif ! fprintf(stderr, " %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d ]\n", name); exit(1); } --- 174,184 ---- #else fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d ]\n", name); #endif ! fprintf(stderr, "\t\t[-M corefile]"); ! #if SOLARIS ! fprintf(stderr, " [-N symbol-list]"); ! #endif ! fprintf(stderr, "\n %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d ]\n", name); exit(1); } *************** *** 177,184 **** ips_stat_t *ipsstp = &ipsst; ipfrstat_t ifrst; ipfrstat_t *ifrstp = &ifrst; ! char *name = NULL, *device = IPL_NAME; ! int c, fd; struct protoent *proto; int protocol = -1; /* -1 = wild card for any protocol */ --- 195,205 ---- ips_stat_t *ipsstp = &ipsst; ipfrstat_t ifrst; ipfrstat_t *ifrstp = &ifrst; ! char *name = NULL, *device = IPL_NAME, *memf = NULL; ! #if SOLARIS ! char *kern = NULL; ! #endif ! int c, fd, myoptind; struct protoent *proto; int protocol = -1; /* -1 = wild card for any protocol */ *************** *** 190,202 **** saddr.s_addr = INADDR_ANY; /* default any source addr */ daddr.s_addr = INADDR_ANY; /* default any dest addr */ ! if (openkmem() == -1) exit(-1); (void)setuid(getuid()); (void)setgid(getgid()); ! while ((c = getopt(argc, argv, "6aACfghIilnostvd:D:P:S:T:")) != -1) { switch (c) { --- 211,260 ---- saddr.s_addr = INADDR_ANY; /* default any source addr */ daddr.s_addr = INADDR_ANY; /* default any dest addr */ ! /* ! 
* Parse these two arguments now lest there be any buffer overflows ! * in the parsing of the rest. ! */ ! myoptind = optind; ! #if SOLARIS ! while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1) ! #else ! while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:P:S:T:")) != -1) ! #endif ! switch (c) ! { ! case 'M' : ! memf = optarg; ! break; ! #if SOLARIS ! case 'N' : ! kern = optarg; ! break; ! #endif ! } ! optind = myoptind; ! ! #if SOLARIS ! if (kern != NULL || memf != NULL) ! #else ! if (memf != NULL) ! #endif ! { ! (void)setuid(getuid()); ! (void)setgid(getgid()); ! } ! ! if (openkmem(memf) == -1) exit(-1); (void)setuid(getuid()); (void)setgid(getgid()); ! #if SOLARIS ! while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1) ! #else ! while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:P:S:T:")) != -1) ! #endif { switch (c) { *************** *** 207,214 **** #endif case 'a' : opts |= OPT_ACCNT|OPT_SHOWLIST; ! break; ! case 'A' : device = IPAUTH_NAME; opts |= OPT_AUTHSTATS; break; --- 265,271 ---- #endif case 'a' : opts |= OPT_ACCNT|OPT_SHOWLIST; ! 
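Review bot: The early privilege drop ahead of `openkmem(memf)` discards the results of `setuid()` and `setgid()`, so if either call fails the user-supplied `-M` file is still opened with whatever extra privilege the binary was installed with. The calls are also made uid-first; giving up the group id before the user id is the safer order. I would write `if (setgid(getgid()) != 0 || setuid(getuid()) != 0) { perror("drop privileges"); exit(1); }` in the `memf`/`kern` branch. Restoring `optind` alone to re-run getopt() is not portable to every libc (some also need `optreset`), so the second pass deserves a comment or a guard. main() starts and ends outside the hunk.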
break; case 'A' : device = IPAUTH_NAME; opts |= OPT_AUTHSTATS; break; *************** *** 239,244 **** --- 296,305 ---- case 'l' : opts |= OPT_SHOWLIST; break; + case 'M' : + break; + case 'N' : + break; case 'n' : opts |= OPT_SHOWLINENO; break; *************** *** 255,260 **** --- 316,330 ---- exit(-2); } break; + case 'q' : + #if SOLARIS + showqiflist(kern); + exit(0); + #else + fprintf(stderr, "option 'q' not supported\n"); + exit(1); + #endif + break; case 's' : opts |= OPT_IPSTATES; break; *************** *** 660,665 **** --- 730,774 ---- } } + + #if SOLARIS + void showqiflist(kern) + char *kern; + { + struct nlist qifnlist[2] = { + { "qif_head" }, + { NULL } + }; + qif_t qif, *qf; + + if (kern == NULL) + kern = "/dev/ksyms"; + + if (nlist(kern, qifnlist) == -1) { + fprintf(stderr, "nlist error\n"); + return; + } + + printf("List of interfaces bound by IPFilter:\n"); + if (kmemcpy((char *)&qf, (u_long)qifnlist[0].n_value, sizeof(qf))) + return; + while (qf) { + if (kmemcpy((char *)&qif, (u_long)qf, sizeof(qif))) + break; + printf("\tName: %-8s Header Length: %2d SAP: %s (%04x)\n", + qif.qf_name, qif.qf_hl, + #ifdef IP6_DL_SAP + (qif.qf_sap == IP6_DL_SAP) ? "IPv6" : "IPv4" + #else + "IPv4" + #endif + , qif.qf_sap); + qf = qif.qf_next; + } + } + #endif + + #ifdef STATETOP static void topipstates(fd, saddr, daddr, sport, dport, protocol, refreshtime, topclosed) *************** *** 681,687 **** struct timeval selecttimeout; struct protoent *proto; fd_set readfd; ! char c = '\0'; time_t t; /* open state device */ --- 790,796 ---- struct timeval selecttimeout; struct protoent *proto; fd_set readfd; ! int c = 0; time_t t; /* open state device */ *************** *** 800,806 **** winx = 0; move(winx,0); sprintf(str1, "%s - state top", IPL_VERSION); ! for(j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++) printw(" "); printw("%s", str1); attroff(A_BOLD); --- 909,915 ---- winx = 0; move(winx,0); sprintf(str1, "%s - state top", IPL_VERSION); ! 
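Review bot: In `showqiflist()` the only failure test is `nlist(kern, qifnlist) == -1`; a name list that lacks `qif_head` normally leaves `n_value` zero instead, and the first `kmemcpy()` then reads the list head from address 0 of the kernel or `-M` image. Adding `if (qifnlist[0].n_value == 0) { fprintf(stderr, "qif_head not found\n"); return; }` before that call closes the gap. `qif.qf_name` is printed with `%-8s`, which sets only a minimum width, so a name copied from the image without a terminating NUL would be read past its end; the `qif_t` definition is outside this diff, so this needs confirming. The walk also follows `qf_next` from the image with no iteration bound, which a damaged core file could turn into an endless loop.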
for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++) printw(" "); printw("%s", str1); attroff(A_BOLD); *************** *** 873,879 **** if (reverse) tp += tsentry; ! for(i = 0; i <= tsentry; i++) { /* print src/dest and port */ if ((tp->st_p == IPPROTO_TCP) || (tp->st_p == IPPROTO_UDP)) { --- 982,990 ---- if (reverse) tp += tsentry; ! if (tsentry > maxy - 6) ! tsentry = maxy - 6; ! for (i = 0; i <= tsentry; i++) { /* print src/dest and port */ if ((tp->st_p == IPPROTO_TCP) || (tp->st_p == IPPROTO_UDP)) { diff -cr ip_fil3.4.17/ip_auth.c ip_fil3.4.18/ip_auth.c *** ip_fil3.4.17/ip_auth.c Wed Apr 4 01:48:12 2001 --- ip_fil3.4.18/ip_auth.c Sat Apr 21 13:00:33 2001 *************** *** 6,12 **** * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.8 2001/04/03 15:48:12 darrenr Exp $"; #endif #include --- 6,12 ---- * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.9 2001/04/21 03:00:33 darrenr Exp $"; #endif #include *************** *** 77,83 **** #endif #include #if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */ ! extern struct ifqueue ipintrq; /* ip packet input queue */ #else # ifndef linux # if __FreeBSD_version >= 300000 --- 77,83 ---- #endif #include #if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */ ! extern struct ifqueue ipintrq; /* ip packet input queue */ #else # ifndef linux # if __FreeBSD_version >= 300000 *************** *** 110,116 **** #if (SOLARIS || defined(__sgi)) && defined(_KERNEL) ! extern KRWLOCK_T ipf_auth; extern kmutex_t ipf_authmx; # if SOLARIS extern kcondvar_t ipfauthwait; --- 110,116 ---- #if (SOLARIS || defined(__sgi)) && defined(_KERNEL) ! 
extern KRWLOCK_T ipf_auth, ipf_mutex; extern kmutex_t ipf_authmx; # if SOLARIS extern kcondvar_t ipfauthwait; *************** *** 129,135 **** mb_t *fr_authpkts[FR_NUMAUTH]; static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0; static frauthent_t *fae_list = NULL; ! frentry_t *ipauth = NULL; /* --- 129,136 ---- mb_t *fr_authpkts[FR_NUMAUTH]; static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0; static frauthent_t *fae_list = NULL; ! frentry_t *ipauth = NULL, ! *fr_authlist = NULL; /* *************** *** 142,151 **** fr_info_t *fin; { u_short id = ip->ip_id; u_32_t pass; int i; ! if (fr_auth_lock) return 0; READ_ENTER(&ipf_auth); --- 143,154 ---- fr_info_t *fin; { u_short id = ip->ip_id; + frentry_t *fr; + frauth_t *fra; u_32_t pass; int i; ! if (fr_auth_lock || !fr_authused) return 0; READ_ENTER(&ipf_auth); *************** *** 155,178 **** * case the same packet gets sent again and it hasn't yet been * auth'd. */ ! if ((fr_auth[i].fra_index == -2) && ! (id == fr_auth[i].fra_info.fin_id) && ! !bcmp((char *)fin,(char *)&fr_auth[i].fra_info,FI_CSIZE)) { /* * Avoid feedback loop. */ ! if (!(pass = fr_auth[i].fra_pass) || (pass & FR_AUTH)) pass = FR_BLOCK; RWLOCK_EXIT(&ipf_auth); WRITE_ENTER(&ipf_auth); fr_authstats.fas_hits++; ! fr_auth[i].fra_index = -1; fr_authused--; if (i == fr_authstart) { ! while (fr_auth[i].fra_index == -1) { i++; ! if (i == FR_NUMAUTH) i = 0; fr_authstart = i; if (i == fr_authend) break; --- 158,211 ---- * case the same packet gets sent again and it hasn't yet been * auth'd. */ ! fra = fr_auth + i; ! if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) && ! !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) { /* * Avoid feedback loop. */ ! if (!(pass = fra->fra_pass) || (pass & FR_AUTH)) pass = FR_BLOCK; + /* + * Create a dummy rule for the stateful checking to + * use and return. Zero out any values we don't + * trust from userland! 
+ */ + if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) && + (fin->fin_fi.fi_fl & FI_FRAG))) { + KMALLOC(fr, frentry_t *); + if (fr) { + bcopy((char *)fra->fra_info.fin_fr, + fr, sizeof(*fr)); + fr->fr_grp = NULL; + fr->fr_ifa = fin->fin_ifp; + fr->fr_func = NULL; + fr->fr_ref = 1; + fr->fr_flags = pass; + #if BSD >= 199306 + fr->fr_oifa = NULL; + #endif + } + } else + fr = fra->fra_info.fin_fr; + fin->fin_fr = fr; RWLOCK_EXIT(&ipf_auth); WRITE_ENTER(&ipf_auth); + if (fr && fr != fra->fra_info.fin_fr) { + fr->fr_next = fr_authlist; + fr_authlist = fr; + } fr_authstats.fas_hits++; ! fra->fra_index = -1; fr_authused--; if (i == fr_authstart) { ! while (fra->fra_index == -1) { i++; ! fra++; ! if (i == FR_NUMAUTH) { i = 0; + fra = fr_auth; + } fr_authstart = i; if (i == fr_authend) break; *************** *** 208,213 **** --- 241,247 ---- #if defined(_KERNEL) && SOLARIS qif_t *qif = fin->fin_qif; #endif + frauth_t *fra; int i; if (fr_auth_lock) *************** *** 219,225 **** RWLOCK_EXIT(&ipf_auth); return 0; } else { ! if ((fr_authstart == 0) && (fr_authend == FR_NUMAUTH - 1)) { fr_authstats.fas_nospace++; RWLOCK_EXIT(&ipf_auth); return 0; --- 253,259 ---- RWLOCK_EXIT(&ipf_auth); return 0; } else { ! if (fr_authused == FR_NUMAUTH) { fr_authstats.fas_nospace++; RWLOCK_EXIT(&ipf_auth); return 0; *************** *** 232,241 **** if (fr_authend == FR_NUMAUTH) fr_authend = 0; RWLOCK_EXIT(&ipf_auth); ! fr_auth[i].fra_index = i; ! fr_auth[i].fra_pass = 0; ! fr_auth[i].fra_age = fr_defaultauthage; ! bcopy((char *)fin, (char *)&fr_auth[i].fra_info, sizeof(*fin)); #if SOLARIS && defined(_KERNEL) # if !defined(sparc) /* --- 266,276 ---- if (fr_authend == FR_NUMAUTH) fr_authend = 0; RWLOCK_EXIT(&ipf_auth); ! fra = fr_auth + i; ! fra->fra_index = i; ! fra->fra_pass = 0; ! fra->fra_age = fr_defaultauthage; ! 
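Review bot: When `KMALLOC(fr, frentry_t *)` fails in the new keep-state branch of fr_checkauth(), `fr` stays NULL and is stored in `fin->fin_fr` while `pass` still carries FR_KEEPSTATE or FR_KEEPFRAG. The fil.c part of this patch now reloads `fr = fin->fin_fr` on the auth path, so the caller receives a NULL rule together with flags that imply one exists. The failure should be handled explicitly, for example `if (fr == NULL) pass &= ~(FR_KEEPSTATE|FR_KEEPFRAG);`, with a comment stating what the caller may assume about `fin->fin_fr`. The `bcopy()` source `fra->fra_info.fin_fr` is the rule pointer captured when the packet was queued, and nothing in the hunk shows it is still valid or non-NULL by the time userland answers. The function starts and ends outside the hunk.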
bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin)); #if SOLARIS && defined(_KERNEL) # if !defined(sparc) /* *************** *** 254,262 **** # endif m->b_rptr -= qif->qf_off; fr_authpkts[i] = *(mblk_t **)fin->fin_mp; ! fr_auth[i].fra_q = qif->qf_q; cv_signal(&ipfauthwait); #else fr_authpkts[i] = m; WAKEUP(&fr_authnext); #endif --- 289,303 ---- # endif m->b_rptr -= qif->qf_off; fr_authpkts[i] = *(mblk_t **)fin->fin_mp; ! fra->fra_q = qif->qf_q; cv_signal(&ipfauthwait); #else + # if defined(BSD) && !defined(sparc) && (BSD >= 199306) + if (!fin->fin_out) { + HTONS(ip->ip_len); + HTONS(ip->ip_off); + } + # endif fr_authpkts[i] = m; WAKEUP(&fr_authnext); #endif *************** *** 276,283 **** mb_t *m; #if defined(_KERNEL) && !SOLARIS struct ifqueue *ifq; #endif ! frauth_t auth, *au = &auth; frauthent_t *fae, **faep; int i, error = 0; --- 317,325 ---- mb_t *m; #if defined(_KERNEL) && !SOLARIS struct ifqueue *ifq; + int s; #endif ! frauth_t auth, *au = &auth, *fra; frauthent_t *fae, **faep; int i, error = 0; *************** *** 308,315 **** --- 350,359 ---- error = ESRCH; else { WRITE_ENTER(&ipf_auth); + SPL_NET(s); *faep = fae->fae_next; *frptr = fr->fr_next; + SPL_X(s); RWLOCK_EXIT(&ipf_auth); KFREE(fae); } *************** *** 319,324 **** --- 363,369 ---- bcopy((char *)fr, (char *)&fae->fae_fr, sizeof(*fr)); WRITE_ENTER(&ipf_auth); + SPL_NET(s); fae->fae_age = fr_defaultauthage; fae->fae_fr.fr_hits = 0; fae->fae_fr.fr_next = *frptr; *************** *** 326,331 **** --- 371,377 ---- fae->fae_next = *faep; *faep = fae; ipauth = &fae_list->fae_fr; + SPL_X(s); RWLOCK_EXIT(&ipf_auth); } else error = ENOMEM; *************** *** 349,357 **** --- 395,405 ---- if (error) break; WRITE_ENTER(&ipf_auth); + SPL_NET(s); fr_authnext++; if (fr_authnext == FR_NUMAUTH) fr_authnext = 0; + SPL_X(s); RWLOCK_EXIT(&ipf_auth); return 0; } *************** *** 364,377 **** } mutex_exit(&ipf_authmx); # else - # ifdef linux - interruptible_sleep_on(&ipfauthwait); - if (current->signal & 
~current->blocked) - error = -EINTR; - # else error = SLEEP(&fr_authnext, "fr_authnext"); # endif - # endif #endif RWLOCK_EXIT(&ipf_auth); if (!error) --- 412,419 ---- *************** *** 382,424 **** if (error) return error; WRITE_ENTER(&ipf_auth); i = au->fra_index; if ((i < 0) || (i > FR_NUMAUTH) || ! (fr_auth[i].fra_info.fin_id != au->fra_info.fin_id)) { RWLOCK_EXIT(&ipf_auth); return EINVAL; } m = fr_authpkts[i]; ! fr_auth[i].fra_index = -2; ! fr_auth[i].fra_pass = au->fra_pass; fr_authpkts[i] = NULL; - #ifdef _KERNEL RWLOCK_EXIT(&ipf_auth); ! # ifndef linux if (m && au->fra_info.fin_out) { ! # if SOLARIS ! error = fr_qout(fr_auth[i].fra_q, m); ! # else /* SOLARIS */ struct route ro; bzero((char *)&ro, sizeof(ro)); ! # if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \ defined(__OpenBSD__) error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL, NULL); ! # else error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL); ! # endif ! if (ro.ro_rt) RTFREE(ro.ro_rt); ! # endif /* SOLARIS */ if (error) fr_authstats.fas_sendfail++; else fr_authstats.fas_sendok++; } else if (m) { # if SOLARIS ! error = fr_qin(fr_auth[i].fra_q, m); # else /* SOLARIS */ ifq = &ipintrq; if (IF_QFULL(ifq)) { --- 424,469 ---- if (error) return error; WRITE_ENTER(&ipf_auth); + SPL_NET(s); i = au->fra_index; + fra = fr_auth + i; if ((i < 0) || (i > FR_NUMAUTH) || ! (fra->fra_info.fin_id != au->fra_info.fin_id)) { ! SPL_X(s); RWLOCK_EXIT(&ipf_auth); return EINVAL; } m = fr_authpkts[i]; ! fra->fra_index = -2; ! fra->fra_pass = au->fra_pass; fr_authpkts[i] = NULL; RWLOCK_EXIT(&ipf_auth); ! #ifdef _KERNEL if (m && au->fra_info.fin_out) { ! # if SOLARIS ! error = fr_qout(fra->fra_q, m); ! # else /* SOLARIS */ struct route ro; bzero((char *)&ro, sizeof(ro)); ! # if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \ defined(__OpenBSD__) error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL, NULL); ! # else error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL); ! # endif ! 
if (ro.ro_rt) { RTFREE(ro.ro_rt); ! } ! # endif /* SOLARIS */ if (error) fr_authstats.fas_sendfail++; else fr_authstats.fas_sendok++; } else if (m) { # if SOLARIS ! error = fr_qin(fra->fra_q, m); # else /* SOLARIS */ ifq = &ipintrq; if (IF_QFULL(ifq)) { *************** *** 436,442 **** fr_authstats.fas_queok++; } else error = EINVAL; - # endif # if SOLARIS if (error) error = EINVAL; --- 481,486 ---- *************** *** 447,456 **** */ if (error == ENOBUFS) { fr_authused--; ! fr_auth[i].fra_index = -1; ! fr_auth[i].fra_pass = 0; if (i == fr_authstart) { ! while (fr_auth[i].fra_index == -1) { i++; if (i == FR_NUMAUTH) i = 0; --- 491,500 ---- */ if (error == ENOBUFS) { fr_authused--; ! fra->fra_index = -1; ! fra->fra_pass = 0; if (i == fr_authstart) { ! while (fra->fra_index == -1) { i++; if (i == FR_NUMAUTH) i = 0; *************** *** 466,471 **** --- 510,516 ---- } # endif #endif /* _KERNEL */ + SPL_X(s); break; default : error = EINVAL; *************** *** 483,488 **** --- 528,534 ---- { register int i; register frauthent_t *fae, **faep; + frentry_t *fr, **frp; mb_t *m; WRITE_ENTER(&ipf_auth); *************** *** 501,506 **** --- 547,572 ---- } ipauth = NULL; RWLOCK_EXIT(&ipf_auth); + + if (fr_authlist) { + /* + * We *MuST* reget ipf_auth because otherwise we won't get the + * locks in the right order and risk deadlock. + * We need ipf_mutex here to prevent a rule from using it + * inside fr_check(). 
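Review bot: The index check `(i > FR_NUMAUTH)` in the rewritten validation still accepts `i == FR_NUMAUTH`, one past the last slot. The other loops in this file wrap `i` back to 0 when it reaches FR_NUMAUTH, so valid indices stop at FR_NUMAUTH - 1. `au` appears to be filled from the ioctl caller, so an out-of-range index would let `fra->fra_index`, `fra->fra_pass` and `fr_authpkts[i]` be read and written outside the arrays. The test should read `if ((i < 0) || (i >= FR_NUMAUTH) ||`, and `fra = fr_auth + i;` is better placed after it so the pointer is only formed from a validated index. The enclosing switch case continues outside the hunk.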
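Review bot: In the ENOBUFS path the loop condition became `while (fra->fra_index == -1)`, but within the hunk only `i` is advanced, so `fra` keeps pointing at the slot that was just set to -1. The old condition `fr_auth[i].fra_index` followed `i`; the fr_checkauth change in this same patch keeps the two in step with `fra++` and a reset on wrap. Unless the lines after the hunk advance `fra`, the loop now exits only through its break; it should use `i++; fra++;` and `if (i == FR_NUMAUTH) { i = 0; fra = fr_auth; }`. Note also that this runs after `RWLOCK_EXIT(&ipf_auth)`, so `fr_authused--` and the slot update are unlocked as far as the hunk shows.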
+ */ + WRITE_ENTER(&ipf_mutex); + WRITE_ENTER(&ipf_auth); + for (frp = &fr_authlist; (fr = *frp); ) { + if (fr->fr_ref == 1) { + *frp = fr->fr_next; + KFREE(fr); + } else + frp = &fr->fr_next; + } + RWLOCK_EXIT(&ipf_auth); + RWLOCK_EXIT(&ipf_mutex); + } } *************** *** 513,518 **** --- 579,585 ---- register int i; register frauth_t *fra; register frauthent_t *fae, **faep; + register frentry_t *fr, **frp; mb_t *m; #if !SOLARIS int s; *************** *** 542,547 **** --- 609,622 ---- faep = &fae->fae_next; } ipauth = &fae_list->fae_fr; + + for (frp = &fr_authlist; (fr = *frp); ) { + if (fr->fr_ref == 1) { + *frp = fr->fr_next; + KFREE(fr); + } else + frp = &fr->fr_next; + } RWLOCK_EXIT(&ipf_auth); SPL_X(s); } diff -cr ip_fil3.4.17/ip_compat.h ip_fil3.4.18/ip_compat.h *** ip_fil3.4.17/ip_compat.h Wed Apr 4 00:13:35 2001 --- ip_fil3.4.18/ip_compat.h Sat May 19 00:21:06 2001 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.26.2.11 2001/04/03 14:13:35 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.26.2.14 2001/05/18 14:21:06 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ *************** *** 119,128 **** # define V4_PART_OF_V6(v6) v6.s6_addr32[3] # endif # endif ! #else # if !defined(__sgi) typedef int minor_t; ! #endif #endif /* SOLARIS */ #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) --- 119,152 ---- # define V4_PART_OF_V6(v6) v6.s6_addr32[3] # endif # endif ! ! typedef struct qif { ! struct qif *qf_next; ! ill_t *qf_ill; ! kmutex_t qf_lock; ! void *qf_iptr; ! void *qf_optr; ! queue_t *qf_in; ! queue_t *qf_out; ! struct qinit *qf_wqinfo; ! struct qinit *qf_rqinfo; ! struct qinit qf_wqinit; ! struct qinit qf_rqinit; ! mblk_t *qf_m; /* These three fields are for passing data up from */ ! queue_t *qf_q; /* fr_qin and fr_qout to the packet processing. 
*/ ! size_t qf_off; ! size_t qf_len; /* this field is used for in ipfr_fastroute */ ! char qf_name[8]; ! /* ! * in case the ILL has disappeared... ! */ ! size_t qf_hl; /* header length */ ! int qf_sap; ! } qif_t; ! #else /* SOLARIS */ # if !defined(__sgi) typedef int minor_t; ! # endif #endif /* SOLARIS */ #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) *************** *** 264,273 **** #if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL)) # ifdef IPFILTER_LKM ! # include # define ACTUALLY_LKM_NOT_KERNEL # else ! # include # endif # if __FreeBSD__ < 3 # include --- 288,313 ---- #if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL)) # ifdef IPFILTER_LKM ! # ifndef __FreeBSD_cc_version ! # include ! # else ! # if __FreeBSD_cc_version < 430000 ! # include ! # else ! # include ! # endif ! # endif # define ACTUALLY_LKM_NOT_KERNEL # else ! # ifndef __FreeBSD_cc_version ! # include ! # else ! # if __FreeBSD_cc_version < 430000 ! # include ! # else ! # include ! # endif ! 
# endif # endif # if __FreeBSD__ < 3 # include *************** *** 325,330 **** --- 365,371 ---- # define ATOMIC_DEC32(x) atomic_add_32((uint32_t*)&(x), -1) # define ATOMIC_DEC16(x) atomic_add_16((uint16_t*)&(x), -1) # else + # define IRE_CACHE IRE_ROUTE # define ATOMIC_INC(x) { mutex_enter(&ipf_rw); (x)++; \ mutex_exit(&ipf_rw); } # define ATOMIC_DEC(x) { mutex_enter(&ipf_rw); (x)--; \ *************** *** 374,402 **** # define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP) # define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP) # define GET_MINOR(x) getminor(x) - typedef struct qif { - struct qif *qf_next; - ill_t *qf_ill; - kmutex_t qf_lock; - void *qf_iptr; - void *qf_optr; - queue_t *qf_in; - queue_t *qf_out; - struct qinit *qf_wqinfo; - struct qinit *qf_rqinfo; - struct qinit qf_wqinit; - struct qinit qf_rqinit; - mblk_t *qf_m; /* These three fields are for passing data up from */ - queue_t *qf_q; /* fr_qin and fr_qout to the packet processing. */ - size_t qf_off; - size_t qf_len; /* this field is used for in ipfr_fastroute */ - char qf_name[8]; - /* - * in case the ILL has disappeared... - */ - size_t qf_hl; /* header length */ - int qf_sap; - } qif_t; extern ill_t *get_unit __P((char *, int)); # define GETUNIT(n, v) get_unit(n, v) # define IFNAME(x) ((ill_t *)x)->ill_name --- 415,420 ---- diff -cr ip_fil3.4.17/ip_fil.c ip_fil3.4.18/ip_fil.c *** ip_fil3.4.17/ip_fil.c Wed Apr 4 00:13:37 2001 --- ip_fil3.4.18/ip_fil.c Fri Jun 1 23:09:43 2001 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.19 2001/04/03 14:13:37 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.28 2001/06/01 13:09:43 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 131,137 **** --- 131,141 ---- # endif #endif + #ifdef ICMP_UNREACH_FILTER_PROHIB + int ipl_unreach = ICMP_UNREACH_FILTER_PROHIB; + #else int ipl_unreach = ICMP_UNREACH_FILTER; + #endif u_long ipl_frouteok[2] = {0, 0}; static int frzerostats __P((caddr_t)); *************** *** 171,176 **** --- 175,184 ---- # include struct callout ipfr_slowtimer_ch; #endif + #if defined(__OpenBSD__) + # include + struct timeout ipfr_slowtimer_ch; + #endif #if defined(__sgi) && defined(_KERNEL) toid_t ipfr_slowtimer_ch; #endif *************** *** 329,338 **** callout_init(&ipfr_slowtimer_ch); callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL); # else ! # if (__FreeBSD_version >= 300000) || defined(__sgi) ! ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2); # else timeout(ipfr_slowtimer, NULL, hz/2); # endif # endif #endif --- 337,351 ---- callout_init(&ipfr_slowtimer_ch); callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL); # else ! # if defined(__OpenBSD__) ! timeout_set(&ipfr_slowtimer_ch, ipfr_slowtimer, NULL); ! timeout_add(&ipfr_slowtimer_ch, hz/2); # else + # if (__FreeBSD_version >= 300000) || defined(__sgi) + ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2); + # else timeout(ipfr_slowtimer, NULL, hz/2); + # endif # endif # endif #endif *************** *** 361,368 **** # ifdef __sgi untimeout(ipfr_slowtimer_ch); # else untimeout(ipfr_slowtimer, NULL); ! # endif # endif /* FreeBSD */ # endif /* NetBSD */ #endif --- 374,385 ---- # ifdef __sgi untimeout(ipfr_slowtimer_ch); # else + # if defined(__OpenBSD__) + timeout_del(&ipfr_slowtimer_ch); + # else untimeout(ipfr_slowtimer, NULL); ! # endif /* OpenBSD */ ! 
# endif /* __sgi */ # endif /* FreeBSD */ # endif /* NetBSD */ #endif *************** *** 384,399 **** # if __NetBSD_Version__ >= 104200000 error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); ! if (error) return error; # else pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT); # endif # ifdef USE_INET6 error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh); ! if (error) return error; # endif # endif --- 401,420 ---- # if __NetBSD_Version__ >= 104200000 error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh); ! if (error) { ! SPL_X(s); return error; + } # else pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT); # endif # ifdef USE_INET6 error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh); ! if (error) { ! SPL_X(s); return error; + } # endif # endif *************** *** 497,504 **** } if (unit == IPL_LOGAUTH) { if (!fr_running) ! return EIO; ! error = fr_auth_ioctl(data, cmd, NULL, NULL); SPL_X(s); return error; } --- 518,526 ---- } if (unit == IPL_LOGAUTH) { if (!fr_running) ! error = EIO; ! else ! error = fr_auth_ioctl(data, cmd, NULL, NULL); SPL_X(s); return error; } *************** *** 572,578 **** fr_getstat(&fio); error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio)); if (error) ! return EFAULT; break; } case SIOCFRZST : --- 594,600 ---- fr_getstat(&fio); error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio)); if (error) ! error = EFAULT; break; } case SIOCFRZST : *************** *** 615,621 **** error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t)); if (error) ! return EFAULT; break; case SIOCAUTHW : case SIOCAUTHR : --- 637,643 ---- error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data, sizeof(ipfrstat_t)); if (error) ! 
error = EFAULT; break; case SIOCAUTHW : case SIOCAUTHR : *************** *** 1087,1092 **** --- 1109,1115 ---- int dst; { int err, hlen = 0, xtra = 0, iclen, ohlen = 0, avail, code; + u_short shlen, slen, soff; struct in_addr dst4; struct icmp *icmp; struct mbuf *m; *************** *** 1228,1233 **** --- 1251,1261 ---- } else #endif { + slen = oip->ip_len; + oip->ip_len = htons(oip->ip_len); + soff = oip->ip_off; + oip->ip_off = htons(ip->ip_off); + ip->ip_src.s_addr = dst4.s_addr; ip->ip_dst.s_addr = oip->ip_src.s_addr; *************** *** 1241,1247 **** --- 1269,1286 ---- ip->ip_len = iclen; ip->ip_p = IPPROTO_ICMP; } + + shlen = fin->fin_hlen; + fin->fin_hlen = hlen; err = send_ip(oip, fin, m); + fin->fin_hlen = shlen; + #ifdef USE_INET6 + if (fin->fin_v == 4) + #endif + { + oip->ip_len = slen; + oip->ip_off = soff; + } return err; } *************** *** 1293,1298 **** --- 1332,1344 ---- hlen = fin->fin_hlen; ip = mtod(m0, struct ip *); + #if defined(__NetBSD__) && defined(M_CSUM_IPv4) + /* + * Clear any in-bound checksum flags for this packet. + */ + m0->m_pkthdr.csuminfo = 0; + #endif /* __NetBSD__ && M_CSUM_IPv4 */ + #ifdef USE_INET6 if (ip->ip_v == 6) { /* *************** *** 1326,1333 **** if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; dst->sin_addr = ip->ip_dst; ! } else if (fdp) ! dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst; # if BSD >= 199306 dst->sin_len = sizeof(*dst); --- 1372,1384 ---- if ((ifp != NULL) && (fdp == &fr->fr_tif)) return -1; dst->sin_addr = ip->ip_dst; ! } else if (fdp) { ! if (fdp->fd_ip.s_addr) { ! dst->sin_addr = fdp->fd_ip; ! ip->ip_dst = fdp->fd_ip; ! } else ! dst->sin_addr = ip->ip_dst; ! } # if BSD >= 199306 dst->sin_len = sizeof(*dst); *************** *** 1382,1412 **** * If small enough for interface, can just send directly. */ if (ip->ip_len <= ifp->if_mtu) { ! 
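Review bot: In the added save/convert block, `oip->ip_off = htons(ip->ip_off);` reads the offset from `ip`, while the value saved in `soff` and the later restore both use `oip`. This looks like a typo: the original packet's header would go to send_ip() carrying the reply header's offset field. The line should probably be `oip->ip_off = htons(oip->ip_off);`. The function body starts and ends outside the hunk, so this should be confirmed against how `ip` and `oip` are set up above.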
# if BSD >= 199306 int i = 0; - # ifdef MCLISREFERENCED if ((m->m_flags & M_EXT) && MCLISREFERENCED(m)) - # else - if (m->m_flags & M_EXT) - # endif i = 1; # endif # ifndef sparc ip->ip_id = htons(ip->ip_id); ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); # endif if (!ip->ip_sum) ip->ip_sum = in_cksum(m, hlen); # if BSD >= 199306 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, ro->ro_rt); if (i) { ip->ip_id = ntohs(ip->ip_id); ip->ip_len = ntohs(ip->ip_len); ip->ip_off = ntohs(ip->ip_off); } # else error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst); # endif --- 1433,1470 ---- * If small enough for interface, can just send directly. */ if (ip->ip_len <= ifp->if_mtu) { ! # if defined(MCLISREFERENCED) && !defined(sparc) int i = 0; if ((m->m_flags & M_EXT) && MCLISREFERENCED(m)) i = 1; # endif # ifndef sparc + # if !(_BSDI_VERSION >= 199510) ip->ip_id = htons(ip->ip_id); + # endif ip->ip_len = htons(ip->ip_len); ip->ip_off = htons(ip->ip_off); # endif + # if defined(__NetBSD__) && defined(M_CSUM_IPv4) + if (ifp->if_capabilities & IFCAP_CSUM_IPv4) + m->m_pkthdr.csuminfo |= M_CSUM_IPv4; + else if (ip->ip_sum == 0) + ip->ip_sum = in_cksum(m, hlen); + # else if (!ip->ip_sum) ip->ip_sum = in_cksum(m, hlen); + # endif /* __NetBSD__ && M_CSUM_IPv4 */ # if BSD >= 199306 error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, ro->ro_rt); + # if defined(MCLISREFERENCED) && !defined(sparc) if (i) { ip->ip_id = ntohs(ip->ip_id); ip->ip_len = ntohs(ip->ip_len); ip->ip_off = ntohs(ip->ip_off); } + # endif # else error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst); # endif *************** *** 1514,1521 **** else ipl_frouteok[1]++; ! if (ro->ro_rt) RTFREE(ro->ro_rt); return 0; bad: if (error == EMSGSIZE) { --- 1572,1580 ---- else ipl_frouteok[1]++; ! 
if (ro->ro_rt) { RTFREE(ro->ro_rt); + } return 0; bad: if (error == EMSGSIZE) { *************** *** 1594,1602 **** # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) ! sprintf(fname, "/tmp/%s", ifp->if_xname); # else ! sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit); # endif fd = open(fname, O_WRONLY|O_APPEND); if (fd == -1) { --- 1653,1661 ---- # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) ! sprintf(fname, "%s", ifp->if_xname); # else ! sprintf(fname, "%s%d", ifp->if_name, ifp->if_unit); # endif fd = open(fname, O_WRONLY|O_APPEND); if (fd == -1) { *************** *** 1613,1619 **** char *name; int v; { ! struct ifnet *ifp, **ifa; # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { --- 1672,1678 ---- char *name; int v; { ! struct ifnet *ifp, **ifa, **old_ifneta; # if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \ (defined(OpenBSD) && (OpenBSD >= 199603)) for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) { *************** *** 1642,1651 **** --- 1701,1712 ---- } nifs = 1; } else { + old_ifneta = ifneta; nifs++; ifneta = (struct ifnet **)realloc(ifneta, (nifs + 1) * sizeof(*ifa)); if (!ifneta) { + free(old_ifneta); nifs = 0; return NULL; } diff -cr ip_fil3.4.17/ip_fil.h ip_fil3.4.18/ip_fil.h *** ip_fil3.4.17/ip_fil.h Wed Mar 21 00:18:05 2001 --- ip_fil3.4.18/ip_fil.h Thu May 24 22:34:25 2001 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.29.2.5 2001/03/20 13:18:05 darrenr Exp $ */ #ifndef __IP_FIL_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 ! 
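Review bot: Both rewritten `sprintf(fname, ...)` calls still copy the interface name into `fname` with no length bound, and the declaration of `fname` is outside the hunk so its size cannot be checked here. Moving the files out of /tmp removes the shared-directory naming problem, but the copy should be bounded too. Assuming `fname` is a local array, use `snprintf(fname, sizeof(fname), "%s", ifp->if_xname);` and `snprintf(fname, sizeof(fname), "%s%d", ifp->if_name, ifp->if_unit);`. A one-line comment that the file is opened relative to the current directory would also help anyone running the test harness from a shared location.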
* $Id: ip_fil.h,v 2.29.2.7 2001/05/24 12:34:25 darrenr Exp $ */ #ifndef __IP_FIL_H__ *************** *** 152,158 **** u_short fin_off; } fr_info_t; ! #define fin_v fin_fi.fi_v /* * Size for compares on fr_info structures --- 152,160 ---- u_short fin_off; } fr_info_t; ! #define fin_v fin_fi.fi_v ! #define fin_saddr fin_fi.fi_saddr ! #define fin_daddr fin_fi.fi_daddr /* * Size for compares on fr_info structures *************** *** 435,440 **** --- 437,444 ---- #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) #define IPLLOGSIZE 8192 + + #define IPF_OPTCOPY 0x07ff00 /* bit mask of copied options */ /* * Device filenames for reading log information. Use ipf on Solaris2 because diff -cr ip_fil3.4.17/ip_frag.c ip_fil3.4.18/ip_frag.c *** ip_fil3.4.17/ip_frag.c Fri Apr 6 22:31:20 2001 --- ip_fil3.4.18/ip_frag.c Sat May 19 00:21:48 2001 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.8 2001/04/06 12:31:20 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.11 2001/05/18 14:21:48 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) *************** *** 81,87 **** # ifndef IPFILTER_LKM # include # include ! # endif extern struct callout_handle ipfr_slowtimer_ch; # endif #endif --- 81,87 ---- # ifndef IPFILTER_LKM # include # include ! 
# endif extern struct callout_handle ipfr_slowtimer_ch; # endif #endif *************** *** 89,94 **** --- 89,98 ---- # include extern struct callout ipfr_slowtimer_ch; #endif + #if defined(__OpenBSD__) + # include + extern struct timeout ipfr_slowtimer_ch; + #endif static ipfr_t *ipfr_heads[IPFT_SIZE]; *************** *** 163,168 **** --- 167,176 ---- idx *= 127; idx %= IPFT_SIZE; + frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY; + frag.ipfr_secmsk = fin->fin_fi.fi_secmsk; + frag.ipfr_auth = fin->fin_fi.fi_auth; + /* * first, make sure it isn't already there... */ *************** *** 225,231 **** WRITE_ENTER(&ipf_frag); ipf = ipfr_new(ip, fin, pass, ipfr_heads); RWLOCK_EXIT(&ipf_frag); ! return ipf ? 0 : -1; } --- 233,244 ---- WRITE_ENTER(&ipf_frag); ipf = ipfr_new(ip, fin, pass, ipfr_heads); RWLOCK_EXIT(&ipf_frag); ! if (ipf == NULL) { ! ATOMIC_INCL(frstats[fin->fin_out].fr_bnfr); ! return -1; ! } ! ATOMIC_INCL(frstats[fin->fin_out].fr_nfr); ! return 0; } *************** *** 284,289 **** --- 297,306 ---- idx *= 127; idx %= IPFT_SIZE; + frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY; + frag.ipfr_secmsk = fin->fin_fi.fi_secmsk; + frag.ipfr_auth = fin->fin_fi.fi_auth; + /* * check the table, careful to only compare the right amount of data */ *************** *** 565,571 **** --- 582,592 ---- # if (__FreeBSD_version >= 300000) ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2); # else + # if defined(__OpenBSD_) + timeout_add(&ipfr_slowtimer_ch, hz/2, ipfr_slowtimer, NULL); + # else timeout(ipfr_slowtimer, NULL, hz/2); + # endif # endif # if (BSD < 199306) && !defined(__sgi) return 0; diff -cr ip_fil3.4.17/ip_frag.h ip_fil3.4.18/ip_frag.h *** ip_fil3.4.17/ip_frag.h Fri Apr 6 22:31:20 2001 --- ip_fil3.4.18/ip_frag.h Sat Apr 21 12:56:42 2001 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 ! 
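Review bot: The added guard `# if defined(__OpenBSD_)` is missing its trailing underscore, so the OpenBSD branch is never compiled and the timer is re-armed through the old `timeout(ipfr_slowtimer, NULL, hz/2)` call. The branch it hides also passes four arguments to `timeout_add`, whereas ip_fil.c in this same patch calls it as `timeout_add(&ipfr_slowtimer_ch, hz/2);` after a separate `timeout_set`. The two lines should read `# if defined(__OpenBSD__)` and `timeout_add(&ipfr_slowtimer_ch, hz/2);`. The surrounding function starts outside the hunk.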
* $Id: ip_frag.h,v 2.4.2.3 2001/04/06 12:31:20 darrenr Exp $ */ #ifndef __IP_FRAG_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 ! * $Id: ip_frag.h,v 2.4.2.4 2001/04/21 02:56:42 darrenr Exp $ */ #ifndef __IP_FRAG_H__ *************** *** 20,25 **** --- 20,28 ---- struct in_addr ipfr_src; struct in_addr ipfr_dst; void *ipfr_ifp; + u_32_t ipfr_optmsk; + u_short ipfr_secmsk; + u_short ipfr_auth; u_short ipfr_id; u_char ipfr_p; u_char ipfr_tos; diff -cr ip_fil3.4.17/ip_ftp_pxy.c ip_fil3.4.18/ip_ftp_pxy.c *** ip_fil3.4.17/ip_ftp_pxy.c Thu Jan 18 00:30:52 2001 --- ip_fil3.4.18/ip_ftp_pxy.c Sat Jun 2 03:44:05 2001 *************** *** 2,8 **** * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * ! * $Id: ip_ftp_pxy.c,v 2.7.2.21 2001/01/17 13:30:52 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; --- 2,8 ---- * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * ! * $Id: ip_ftp_pxy.c,v 2.7.2.24 2001/06/01 17:44:05 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; *************** *** 22,27 **** --- 22,43 ---- #define IPF_MAX227LEN 51 #define IPF_FTPBUFSZ 96 /* This *MUST* be >= 53! 
*/ + #define FTPXY_GO 0 + #define FTPXY_INIT 1 + #define FTPXY_USER_1 2 + #define FTPXY_USOK_1 3 + #define FTPXY_PASS_1 4 + #define FTPXY_PAOK_1 5 + #define FTPXY_AUTH_1 6 + #define FTPXY_AUOK_1 7 + #define FTPXY_ADAT_1 8 + #define FTPXY_ADOK_1 9 + #define FTPXY_ACCT_1 10 + #define FTPXY_ACOK_1 11 + #define FTPXY_USER_2 12 + #define FTPXY_USOK_2 13 + #define FTPXY_PASS_2 14 + #define FTPXY_PAOK_2 15 int ippr_ftp_client __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int)); int ippr_ftp_complete __P((char *, size_t)); *************** *** 75,80 **** --- 91,97 ---- f = &ftp->ftp_side[1]; f->ftps_rptr = f->ftps_buf; f->ftps_wptr = f->ftps_buf; + ftp->ftp_passok = FTPXY_INIT; return 0; } *************** *** 215,221 **** sum2 -= sum1; sum2 = (sum2 & 0xffff) + (sum2 >> 16); ! fix_outcksum(&ip->ip_sum, sum2); #endif ip->ip_len += inc; } --- 232,238 ---- sum2 -= sum1; sum2 = (sum2 & 0xffff) + (sum2 >> 16); ! fix_outcksum(fin, &ip->ip_sum, sum2); #endif ip->ip_len += inc; } *************** *** 255,260 **** --- 272,278 ---- fi.fin_dlen = sizeof(*tcp2); fi.fin_dp = (char *)tcp2; fi.fin_fr = &natfr; + fi.fin_out = 1; swip = ip->ip_src; fi.fin_fi.fi_saddr = nat->nat_inip.s_addr; ip->ip_src = nat->nat_inip; *************** *** 297,307 **** } cmd[i] = '\0'; ! if ((ftp->ftp_passok == 0) && !strncmp(cmd, "USER ", 5)) ! ftp->ftp_passok = 1; ! else if ((ftp->ftp_passok == 2) && !strncmp(cmd, "PASS ", 5)) ! ftp->ftp_passok = 3; ! else if ((ftp->ftp_passok == 4) && !ippr_ftp_pasvonly && !strncmp(cmd, "PORT ", 5)) { inc = ippr_ftp_port(fin, ip, nat, f, dlen); } else if (ippr_ftp_insecure && !ippr_ftp_pasvonly && --- 315,340 ---- } cmd[i] = '\0'; ! if (!strncmp(cmd, "USER ", 5) || !strncmp(cmd, "XAUT ", 5)) { ! if (ftp->ftp_passok == FTPXY_ADOK_1 || ! ftp->ftp_passok == FTPXY_AUOK_1) ! ftp->ftp_passok = FTPXY_USER_2; ! else ! ftp->ftp_passok = FTPXY_USER_1; ! } else if (!strncmp(cmd, "AUTH ", 5)) ! ftp->ftp_passok = FTPXY_AUTH_1; ! else if (!strncmp(cmd, "PASS ", 5)) { ! 
if (ftp->ftp_passok == FTPXY_USOK_1) ! ftp->ftp_passok = FTPXY_PASS_1; ! else if (ftp->ftp_passok == FTPXY_USOK_2) ! ftp->ftp_passok = FTPXY_PASS_2; ! } else if ((ftp->ftp_passok == FTPXY_AUOK_1) && ! !strncmp(cmd, "ADAT ", 5)) ! ftp->ftp_passok = FTPXY_ADAT_1; ! else if ((ftp->ftp_passok == FTPXY_PAOK_2) && ! !strncmp(cmd, "ACCT ", 5)) ! ftp->ftp_passok = FTPXY_ACCT_1; ! else if ((ftp->ftp_passok == FTPXY_GO) && !ippr_ftp_pasvonly && !strncmp(cmd, "PORT ", 5)) { inc = ippr_ftp_port(fin, ip, nat, f, dlen); } else if (ippr_ftp_insecure && !ippr_ftp_pasvonly && *************** *** 337,343 **** */ if (dlen < IPF_MIN227LEN) return 0; ! else if (strncmp(f->ftps_rptr, "227 Entering Passive Mode", 25)) return 0; tcp = (tcphdr_t *)fin->fin_dp; --- 370,376 ---- */ if (dlen < IPF_MIN227LEN) return 0; ! else if (strncmp(f->ftps_rptr, "227 Entering Passive Mod", 24)) return 0; tcp = (tcphdr_t *)fin->fin_dp; *************** *** 373,378 **** --- 406,413 ---- if (*s == ')') s++; + if (*s == '.') + s++; if (*s == '\n') s--; /* *************** *** 445,451 **** sum2 -= sum1; sum2 = (sum2 & 0xffff) + (sum2 >> 16); ! fix_outcksum(&ip->ip_sum, sum2); #endif /* SOLARIS || defined(__sgi) */ ip->ip_len += inc; } --- 480,486 ---- sum2 -= sum1; sum2 = (sum2 & 0xffff) + (sum2 >> 16); ! fix_outcksum(fin, &ip->ip_sum, sum2); #endif /* SOLARIS || defined(__sgi) */ ip->ip_len += inc; } *************** *** 475,480 **** --- 510,516 ---- fi.fin_data[0] = 0; fi.fin_dp = (char *)tcp2; fi.fin_fr = &natfr; + fi.fin_out = 0; swip = ip->ip_src; swip2 = ip->ip_dst; fi.fin_fi.fi_daddr = ip->ip_src.s_addr; *************** *** 511,527 **** rptr = f->ftps_rptr; wptr = f->ftps_wptr; ! if ((ftp->ftp_passok == 1) && !strncmp(rptr, "331", 3)) ! ftp->ftp_passok = 2; ! else if (((ftp->ftp_passok == 3) || (ftp->ftp_passok == 1)) && ! !strncmp(rptr, "230", 3)) { ! ftp->ftp_passok = 4; ! } else if ((ftp->ftp_passok == 3) && !strncmp(rptr, "530", 3)) ! ftp->ftp_passok = 0; ! 
else if ((ftp->ftp_passok == 4) && !strncmp(rptr, "227 ", 4)) { ! inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); } else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) { inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); } while ((*rptr++ != '\n') && (rptr < wptr)) ; --- 547,580 ---- rptr = f->ftps_rptr; wptr = f->ftps_wptr; ! if (!isdigit(*rptr) || !isdigit(*(rptr + 1)) || !isdigit(*(rptr + 2))) ! return inc; ! if (ftp->ftp_passok == FTPXY_GO) { ! if (!strncmp(rptr, "227 ", 4)) ! inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); } else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) { inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); + } else if (*rptr == '5' || *rptr == '4') + ftp->ftp_passok = FTPXY_INIT; + else if (*rptr == '3') { + if (ftp->ftp_passok == FTPXY_ACCT_1) + ftp->ftp_passok = FTPXY_GO; + else + ftp->ftp_passok++; + } else if (*rptr == '2') { + switch (ftp->ftp_passok) + { + case FTPXY_USER_1 : + case FTPXY_USER_2 : + case FTPXY_PASS_1 : + case FTPXY_PASS_2 : + case FTPXY_ACCT_1 : + ftp->ftp_passok = FTPXY_GO; + break; + default : + ftp->ftp_passok += 3; + break; + } } while ((*rptr++ != '\n') && (rptr < wptr)) ; diff -cr ip_fil3.4.17/ip_log.c ip_fil3.4.18/ip_log.c *** ip_fil3.4.17/ip_log.c Wed Apr 4 01:45:49 2001 --- ip_fil3.4.18/ip_log.c Sun Apr 15 16:46:33 2001 *************** *** 5,11 **** * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: ip_log.c,v 2.5.2.3 2001/04/03 15:45:49 darrenr Exp $ */ #include #if defined(KERNEL) && !defined(_KERNEL) --- 5,11 ---- * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: ip_log.c,v 2.5.2.4 2001/04/15 06:46:33 darrenr Exp $ */ #include #if defined(KERNEL) && !defined(_KERNEL) *************** *** 21,27 **** # endif # else # ifdef KLD_MODULE ! # include # endif # endif #endif --- 21,33 ---- # endif # else # ifdef KLD_MODULE ! # ifndef __FreeBSD_cc_version ! # include ! # else ! 
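Review bot: The reply handler advances the login state by arithmetic (`ftp->ftp_passok++` and `default : ftp->ftp_passok += 3;`), which lets a 2xx reply move the state when no command is pending. With the values defined in this patch, a 2xx seen in FTPXY_INIT (1) lands on FTPXY_PASS_1 (4), and the next 2xx then takes the `case FTPXY_PASS_1` arm to FTPXY_GO with no USER or PASS having been seen. That is the state which enables PORT and 227 rewriting. Add `case FTPXY_INIT : break;` ahead of `default :` at minimum; better, replace the increments with explicit assignments per state so that only the command-pending states can advance. There is also no upper bound, so FTPXY_PAOK_2 plus 3 names no defined state; the function continues outside the hunk.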
# if __FreeBSD_cc_version < 430000 ! # include ! # endif ! # endif # endif # endif #endif diff -cr ip_fil3.4.17/ip_nat.c ip_fil3.4.18/ip_nat.c *** ip_fil3.4.17/ip_nat.c Sat Apr 7 00:09:05 2001 --- ip_fil3.4.18/ip_nat.c Tue Jun 5 21:29:27 2001 *************** *** 9,15 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.35 2001/04/06 14:07:40 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 9,15 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.40 2001/06/05 11:29:27 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 91,96 **** --- 91,97 ---- #ifndef linux # include + # include #endif #include #include *************** *** 301,307 **** } ! void fix_outcksum(sp, n) u_short *sp; u_32_t n; { --- 302,309 ---- } ! void fix_outcksum(fin, sp, n) ! fr_info_t *fin; u_short *sp; u_32_t n; { *************** *** 310,321 **** if (!n) return; - #if SOLARIS2 >= 6 else if (n & NAT_HW_CKSUM) { *sp = n & 0xffff; return; } - #endif sum1 = (~ntohs(*sp)) & 0xffff; sum1 += (n); sum1 = (sum1 >> 16) + (sum1 & 0xffff); --- 312,324 ---- if (!n) return; else if (n & NAT_HW_CKSUM) { + n &= 0xffff; + n += fin->fin_dlen; + n = (n & 0xffff) + (n >> 16); *sp = n & 0xffff; return; } sum1 = (~ntohs(*sp)) & 0xffff; sum1 += (n); sum1 = (sum1 >> 16) + (sum1 & 0xffff); *************** *** 326,332 **** } ! void fix_incksum(sp, n) u_short *sp; u_32_t n; { --- 329,336 ---- } ! void fix_incksum(fin, sp, n) ! 
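Review bot: Removing the `#if SOLARIS2 >= 6` guard makes the `else if (n & NAT_HW_CKSUM)` branch of fix_outcksum() live on every platform. There it overwrites `*sp` rather than adjusting it, and it dereferences the new `fin` argument. NAT_HW_CKSUM's value is not visible in this patch, so it cannot be confirmed from here that a software-computed delta never carries that bit; the contract should be written down where the branch is. Suggested comment: `/* n has NAT_HW_CKSUM set only when nat_sumd[] was built for hardware checksumming; fin must be non-NULL with fin_dlen valid */`. The same applies to the matching fix_incksum() hunk that follows.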
fr_info_t *fin; u_short *sp; u_32_t n; { *************** *** 335,346 **** if (!n) return; - #if SOLARIS2 >= 6 else if (n & NAT_HW_CKSUM) { *sp = n & 0xffff; return; } - #endif #ifdef sparc sum1 = (~(*sp)) & 0xffff; #else --- 339,351 ---- if (!n) return; else if (n & NAT_HW_CKSUM) { + n &= 0xffff; + n += fin->fin_dlen; + n = (n & 0xffff) + (n >> 16); *sp = n & 0xffff; return; } #ifdef sparc sum1 = (~(*sp)) & 0xffff; #else *************** *** 625,633 **** --- 630,640 ---- nat_stats.ns_table[0] = nat_table[0]; nat_stats.ns_table[1] = nat_table[1]; nat_stats.ns_list = nat_list; + nat_stats.ns_maptable = maptable; nat_stats.ns_nattab_sz = ipf_nattable_sz; nat_stats.ns_rultab_sz = ipf_natrules_sz; nat_stats.ns_rdrtab_sz = ipf_rdrrules_sz; + nat_stats.ns_hostmap_sz = ipf_hostmap_sz; nat_stats.ns_instances = nat_instances; nat_stats.ns_apslist = ap_sess_list; error = IWCOPYPTR((char *)&nat_stats, (char *)data, *************** *** 1395,1408 **** CALC_SUMD(sum1, sum2, sumd); nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16); #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) ! if ((flags == IPN_TCP) && dohwcksum && (qf->qf_ill->ill_ick.ick_magic == ICK_M_CTL_MAGIC)) { if (direction == NAT_OUTBOUND) sum1 = LONG_SUM(ntohl(in.s_addr)); else sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr)); sum1 += LONG_SUM(ntohl(ip->ip_dst.s_addr)); ! sum1 += 30; sum1 = (sum1 & 0xffff) + (sum1 >> 16); nat->nat_sumd[1] = NAT_HW_CKSUM|(sum1 & 0xffff); } else --- 1402,1415 ---- CALC_SUMD(sum1, sum2, sumd); nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16); #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) ! if ((flags & IPN_TCPUDP) && dohwcksum && (qf->qf_ill->ill_ick.ick_magic == ICK_M_CTL_MAGIC)) { if (direction == NAT_OUTBOUND) sum1 = LONG_SUM(ntohl(in.s_addr)); else sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr)); sum1 += LONG_SUM(ntohl(ip->ip_dst.s_addr)); ! 
sum1 += IPPROTO_TCP; sum1 = (sum1 & 0xffff) + (sum1 >> 16); nat->nat_sumd[1] = NAT_HW_CKSUM|(sum1 & 0xffff); } else *************** *** 1878,1890 **** sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); if (nat->nat_dir == NAT_OUTBOUND) { ! fix_outcksum(&icmp->icmp_cksum, sumd2); } else { ! fix_incksum(&icmp->icmp_cksum, sumd2); } } } ! nat->nat_age = fr_defnaticmpage; return nat; } --- 1885,1898 ---- sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); if (nat->nat_dir == NAT_OUTBOUND) { ! fix_outcksum(fin, &icmp->icmp_cksum, sumd2); } else { ! fix_incksum(fin, &icmp->icmp_cksum, sumd2); } } } ! if (oip->ip_p == IPPROTO_ICMP) ! nat->nat_age = fr_defnaticmpage; return nat; } *************** *** 2168,2180 **** register u_32_t ipa; tcphdr_t *tcp = NULL; u_short sport = 0, dport = 0, *csump = NULL; struct ifnet *ifp; - int natadd = 1; frentry_t *fr; - u_int nflags = 0, hv, msk; u_32_t iph; nat_t *nat; - int i; if (nat_list == NULL || (fr_nat_lock)) return 0; --- 2176,2187 ---- register u_32_t ipa; tcphdr_t *tcp = NULL; u_short sport = 0, dport = 0, *csump = NULL; + int natadd = 1, i, icmpset = 1; + u_int nflags = 0, hv, msk; struct ifnet *ifp; frentry_t *fr; u_32_t iph; nat_t *nat; if (nat_list == NULL || (fr_nat_lock)) return 0; *************** *** 2203,2209 **** if ((ip->ip_p == IPPROTO_ICMP) && (nat = nat_icmp(ip, fin, &nflags, NAT_OUTBOUND))) ! ; else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) && (nat = ipfr_nat_knownfrag(ip, fin))) natadd = 0; --- 2210,2216 ---- if ((ip->ip_p == IPPROTO_ICMP) && (nat = nat_icmp(ip, fin, &nflags, NAT_OUTBOUND))) ! icmpset = 1; else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) && (nat = ipfr_nat_knownfrag(ip, fin))) natadd = 0; *************** *** 2238,2245 **** hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz); for (np = nat_rules[hv]; np; np = np->in_mnext) { ! if ((np->in_ifp && (np->in_ifp != ifp)) || ! 
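Review bot: The condition was widened from `flags == IPN_TCP` to `flags & IPN_TCPUDP`, but the constant replacing 30 is `sum1 += IPPROTO_TCP;`, so a UDP mapping that takes this branch gets the TCP protocol number in its partial pseudo-header sum. Assuming IPN_TCPUDP covers UDP flows, the hardware-checksum seed stored in `nat_sumd[1]` would be wrong for them. Taking the protocol from the packet avoids this: `sum1 += ip->ip_p;`. The enclosing function starts and ends outside the hunk.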
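Review bot: `icmpset` is initialised to 1 in this declaration, but the inbound counterpart later in the patch declares `int i, icmpset = 0;`. The flag is only ever set to 1 when nat_icmp() matches, and the later hunk in this function does `if (!icmpset) nat->nat_age = fr_defnaticmpage;`. Starting at 1 makes that assignment unreachable on the NAT_OUTBOUND path, so ICMP mappings keep whatever age was set earlier in the function. The initialiser should probably be `int natadd = 1, i, icmpset = 0;`. The function body extends outside the hunk.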
!np->in_space) continue; if ((np->in_flags & IPN_RF) && !(np->in_flags & nflags)) --- 2245,2251 ---- hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz); for (np = nat_rules[hv]; np; np = np->in_mnext) { ! if (np->in_ifp && (np->in_ifp != ifp)) continue; if ((np->in_flags & IPN_RF) && !(np->in_flags & nflags)) *************** *** 2283,2290 **** */ if (nat) { np = nat->nat_ptr; ! if (natadd && (fin->fin_fi.fi_fl & FI_FRAG) && ! np && (np->in_flags & IPN_FRAG)) ipfr_nat_newfrag(ip, fin, 0, nat); MUTEX_ENTER(&nat->nat_lock); nat->nat_age = fr_defnatage; --- 2289,2295 ---- */ if (nat) { np = nat->nat_ptr; ! if (natadd && (fin->fin_fi.fi_fl & FI_FRAG) && np) ipfr_nat_newfrag(ip, fin, 0, nat); MUTEX_ENTER(&nat->nat_lock); nat->nat_age = fr_defnatage; *************** *** 2304,2319 **** CALC_SUMD(s1, s2, sumd); if (nat->nat_dir == NAT_OUTBOUND) ! fix_incksum(&ip->ip_sum, sumd); else ! fix_outcksum(&ip->ip_sum, sumd); } #if SOLARIS || defined(__sgi) else { if (nat->nat_dir == NAT_OUTBOUND) ! fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); else ! fix_incksum(&ip->ip_sum, nat->nat_ipsumd); } #endif ip->ip_src = nat->nat_outip; --- 2309,2324 ---- CALC_SUMD(s1, s2, sumd); if (nat->nat_dir == NAT_OUTBOUND) ! fix_incksum(fin, &ip->ip_sum, sumd); else ! fix_outcksum(fin, &ip->ip_sum, sumd); } #if SOLARIS || defined(__sgi) else { if (nat->nat_dir == NAT_OUTBOUND) ! fix_outcksum(fin, &ip->ip_sum, nat->nat_ipsumd); else ! fix_incksum(fin, &ip->ip_sum, nat->nat_ipsumd); } #endif ip->ip_src = nat->nat_outip; *************** *** 2352,2365 **** if (udp->uh_sum) csump = &udp->uh_sum; } else if (ip->ip_p == IPPROTO_ICMP) { ! nat->nat_age = fr_defnaticmpage; } if (csump) { if (nat->nat_dir == NAT_OUTBOUND) ! fix_outcksum(csump, nat->nat_sumd[1]); else ! fix_incksum(csump, nat->nat_sumd[1]); } } --- 2357,2371 ---- if (udp->uh_sum) csump = &udp->uh_sum; } else if (ip->ip_p == IPPROTO_ICMP) { ! if (!icmpset) ! nat->nat_age = fr_defnaticmpage; } if (csump) { if (nat->nat_dir == NAT_OUTBOUND) ! 
fix_outcksum(fin, csump, nat->nat_sumd[1]); else ! fix_incksum(fin, csump, nat->nat_sumd[1]); } } *************** *** 2390,2402 **** register struct in_addr src; register struct in_addr in; register ipnat_t *np; u_int nflags = 0, natadd = 1, hv, msk; struct ifnet *ifp = fin->fin_ifp; tcphdr_t *tcp = NULL; ! u_short sport = 0, dport = 0, *csump = NULL; nat_t *nat; u_32_t iph; - int i; if ((nat_list == NULL) || (ip->ip_v != 4) || (fr_nat_lock)) return 0; --- 2396,2408 ---- register struct in_addr src; register struct in_addr in; register ipnat_t *np; + u_short sport = 0, dport = 0, *csump = NULL; u_int nflags = 0, natadd = 1, hv, msk; struct ifnet *ifp = fin->fin_ifp; tcphdr_t *tcp = NULL; ! int i, icmpset = 0; nat_t *nat; u_32_t iph; if ((nat_list == NULL) || (ip->ip_v != 4) || (fr_nat_lock)) return 0; *************** *** 2421,2427 **** if ((ip->ip_p == IPPROTO_ICMP) && (nat = nat_icmp(ip, fin, &nflags, NAT_INBOUND))) ! ; else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) && (nat = ipfr_nat_knownfrag(ip, fin))) natadd = 0; --- 2427,2433 ---- if ((ip->ip_p == IPPROTO_ICMP) && (nat = nat_icmp(ip, fin, &nflags, NAT_INBOUND))) ! icmpset = 1; else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) && (nat = ipfr_nat_knownfrag(ip, fin))) natadd = 0; *************** *** 2489,2496 **** if (nat) { np = nat->nat_ptr; fin->fin_fr = nat->nat_fr; ! if (natadd && (fin->fin_fi.fi_fl & FI_FRAG) && ! np && (np->in_flags & IPN_FRAG)) ipfr_nat_newfrag(ip, fin, 0, nat); if ((np->in_apr != NULL) && (np->in_dport == 0 || (tcp != NULL && sport == np->in_dport))) { --- 2495,2501 ---- if (nat) { np = nat->nat_ptr; fin->fin_fr = nat->nat_fr; ! if (natadd && (fin->fin_fi.fi_fl & FI_FRAG) && np) ipfr_nat_newfrag(ip, fin, 0, nat); if ((np->in_apr != NULL) && (np->in_dport == 0 || (tcp != NULL && sport == np->in_dport))) { *************** *** 2517,2525 **** */ #if SOLARIS || defined(__sgi) if (nat->nat_dir == NAT_OUTBOUND) ! fix_incksum(&ip->ip_sum, nat->nat_ipsumd); else ! 
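Review bot: `np` is tested for NULL in the rewritten condition (`... & FI_FRAG) && np)`) and then dereferenced unconditionally by the next statement, `if ((np->in_apr != NULL) && ...`. If `nat->nat_ptr` can be NULL here, as the test implies, that second statement is a kernel NULL dereference on the inbound packet path; if it cannot, the `&& np` is dead code and could be dropped. Writing the second test as `if ((np != NULL) && (np->in_apr != NULL) &&` keeps the two statements consistent. The dereference sits on a context line this commit did not change, and the function extends beyond the hunk.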
fix_outcksum(&ip->ip_sum, nat->nat_ipsumd); #endif if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) { --- 2522,2530 ---- */ #if SOLARIS || defined(__sgi) if (nat->nat_dir == NAT_OUTBOUND) ! fix_incksum(fin, &ip->ip_sum, nat->nat_ipsumd); else ! fix_outcksum(fin, &ip->ip_sum, nat->nat_ipsumd); #endif if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) { *************** *** 2555,2568 **** if (udp->uh_sum) csump = &udp->uh_sum; } else if (ip->ip_p == IPPROTO_ICMP) { ! nat->nat_age = fr_defnaticmpage; } if (csump) { if (nat->nat_dir == NAT_OUTBOUND) ! fix_incksum(csump, nat->nat_sumd[0]); else ! fix_outcksum(csump, nat->nat_sumd[0]); } } ATOMIC_INCL(nat_stats.ns_mapped[0]); --- 2560,2574 ---- if (udp->uh_sum) csump = &udp->uh_sum; } else if (ip->ip_p == IPPROTO_ICMP) { ! if (!icmpset) ! nat->nat_age = fr_defnaticmpage; } if (csump) { if (nat->nat_dir == NAT_OUTBOUND) ! fix_incksum(fin, csump, nat->nat_sumd[0]); else ! fix_outcksum(fin, csump, nat->nat_sumd[0]); } } ATOMIC_INCL(nat_stats.ns_mapped[0]); diff -cr ip_fil3.4.17/ip_nat.h ip_fil3.4.18/ip_nat.h *** ip_fil3.4.17/ip_nat.h Fri Apr 6 23:48:45 2001 --- ip_fil3.4.18/ip_nat.h Thu May 31 20:25:38 2001 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.17.2.15 2001/04/06 13:47:35 darrenr Exp $ */ #ifndef __IP_NAT_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.17.2.19 2001/05/31 10:25:38 darrenr Exp $ */ #ifndef __IP_NAT_H__ *************** *** 35,44 **** * appropriate sizes. The figures below were used for * a setup with 1000-2000 networks to NAT. */ ! #define NAT_SIZE 127 ! #define RDR_SIZE 127 ! #define HOSTMAP_SIZE 127 ! #define NAT_TABLE_SZ 127 #ifdef LARGE_NAT #undef NAT_SIZE #undef RDR_SIZE --- 35,52 ---- * appropriate sizes. The figures below were used for * a setup with 1000-2000 networks to NAT. */ ! #ifndef NAT_SIZE ! 
# define NAT_SIZE 127 ! #endif ! #ifndef RDR_SIZE ! # define RDR_SIZE 127 ! #endif ! #ifndef HOSTMAP_SIZE ! # define HOSTMAP_SIZE 127 ! #endif ! #ifndef NAT_TABLE_SZ ! # define NAT_TABLE_SZ 127 ! #endif #ifdef LARGE_NAT #undef NAT_SIZE #undef RDR_SIZE *************** *** 201,211 **** --- 209,221 ---- u_long ns_memfail; u_long ns_badnat; nat_t **ns_table[2]; + hostmap_t **ns_maptable; ipnat_t *ns_list; void *ns_apslist; u_int ns_nattab_sz; u_int ns_rultab_sz; u_int ns_rdrtab_sz; + u_int ns_hostmap_sz; nat_t *ns_instances; u_int ns_wilds; } natstat_t; *************** *** 220,226 **** #define IPN_AUTOPORTMAP 0x010 #define IPN_IPRANGE 0x020 #define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|IPN_SPLIT|\ ! IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST) #define IPN_FILTER 0x040 #define IPN_SPLIT 0x080 #define IPN_ROUNDR 0x100 --- 230,236 ---- #define IPN_AUTOPORTMAP 0x010 #define IPN_IPRANGE 0x020 #define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|IPN_SPLIT|\ ! IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST|IPN_FRAG) #define IPN_FILTER 0x040 #define IPN_SPLIT 0x080 #define IPN_ROUNDR 0x100 *************** *** 301,308 **** extern int ip_natin __P((ip_t *, fr_info_t *)); extern void ip_natunload __P((void)), ip_natexpire __P((void)); extern void nat_log __P((struct nat *, u_int)); ! extern void fix_incksum __P((u_short *, u_32_t)); ! extern void fix_outcksum __P((u_short *, u_32_t)); extern void fix_datacksum __P((u_short *, u_32_t)); #endif /* __IP_NAT_H__ */ --- 311,318 ---- extern int ip_natin __P((ip_t *, fr_info_t *)); extern void ip_natunload __P((void)), ip_natexpire __P((void)); extern void nat_log __P((struct nat *, u_int)); ! extern void fix_incksum __P((fr_info_t *, u_short *, u_32_t)); ! 
extern void fix_outcksum __P((fr_info_t *, u_short *, u_32_t)); extern void fix_datacksum __P((u_short *, u_32_t)); #endif /* __IP_NAT_H__ */ diff -cr ip_fil3.4.17/ip_proxy.c ip_fil3.4.18/ip_proxy.c *** ip_fil3.4.17/ip_proxy.c Sat May 6 22:30:50 2000 --- ip_fil3.4.18/ip_proxy.c Fri Jun 1 23:07:04 2001 *************** *** 6,12 **** * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.1 2000/05/06 12:30:50 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) --- 6,12 ---- * to the original author and the contributors. */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.4 2001/06/01 13:07:04 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) *************** *** 216,224 **** fr_info_t *fin; nat_t *nat; { ap_session_t *aps; aproxy_t *apr; - tcphdr_t *tcp = NULL; u_32_t sum; short rv; int err; --- 216,228 ---- fr_info_t *fin; nat_t *nat; { + #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) + mb_t *m = fin->fin_qfm; + int dosum = 1; + #endif + tcphdr_t *tcp = NULL; ap_session_t *aps; aproxy_t *apr; u_32_t sum; short rv; int err; *************** *** 234,241 **** * verify that the checksum is correct. If not, then * don't do anything with this packet. */ ! #if SOLARIS && defined(_KERNEL) ! sum = fr_tcpsum(fin->fin_qfm, ip, tcp); #else sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); #endif --- 238,250 ---- * verify that the checksum is correct. If not, then * don't do anything with this packet. */ ! #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) ! if (dohwcksum && (m->b_ick_flag == ICK_VALID)) { ! sum = tcp->th_sum; ! dosum = 0; ! } ! if (dosum) ! sum = fr_tcpsum(fin->fin_qfm, ip, tcp); #else sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); #endif *************** *** 261,268 **** if (tcp != NULL) { err = appr_fixseqack(fin, ip, aps, APR_INC(err)); ! #if SOLARIS && defined(_KERNEL) ! 
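Review bot: The guard around the checksum code was narrowed from `#if SOLARIS && defined(_KERNEL)` to one that also requires `SOLARIS2 >= 6`, so a Solaris kernel build older than 2.6 now compiles the `#else` branch and reads `*(mb_t **)fin->fin_mp` instead of `fin->fin_qfm`. The same applies to the recompute after `appr_fixseqack` in the 261 hunk. Whether `fin_mp` is valid on that platform is not visible here; keeping the outer guard as it was and nesting only the `b_ick_flag` test under `#if SOLARIS2 >= 6` would avoid the question. When `dosum` is cleared, `sum` is set to `tcp->th_sum`, so the comparison that presumably follows always passes and the proxy relies entirely on the hardware verdict. A comment such as `/* hardware already verified the TCP checksum; software check skipped */` would record that. The function starts outside this hunk.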
tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp); #else tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); #endif --- 270,278 ---- if (tcp != NULL) { err = appr_fixseqack(fin, ip, aps, APR_INC(err)); ! #if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6) ! if (dosum) ! tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp); #else tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); #endif diff -cr ip_fil3.4.17/ip_proxy.h ip_fil3.4.18/ip_proxy.h *** ip_fil3.4.17/ip_proxy.h Sat Dec 2 11:15:03 2000 --- ip_fil3.4.18/ip_proxy.h Thu May 24 22:44:17 2001 *************** *** 5,11 **** * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: ip_proxy.h,v 2.8.2.4 2000/12/02 00:15:03 darrenr Exp $ */ #ifndef __IP_PROXY_H__ --- 5,11 ---- * provided that this notice is preserved and due credit is given * to the original author and the contributors. * ! * $Id: ip_proxy.h,v 2.8.2.5 2001/05/24 12:44:17 darrenr Exp $ */ #ifndef __IP_PROXY_H__ *************** *** 102,108 **** } ftpside_t; typedef struct ftpinfo { ! u_int ftp_passok; ftpside_t ftp_side[2]; } ftpinfo_t; --- 102,108 ---- } ftpside_t; typedef struct ftpinfo { ! int ftp_passok; ftpside_t ftp_side[2]; } ftpinfo_t; diff -cr ip_fil3.4.17/ip_raudio_pxy.c ip_fil3.4.18/ip_raudio_pxy.c *** ip_fil3.4.17/ip_raudio_pxy.c Wed Apr 4 01:45:15 2001 --- ip_fil3.4.18/ip_raudio_pxy.c Sat May 19 00:23:39 2001 *************** *** 1,5 **** /* ! * $Id: ip_raudio_pxy.c,v 1.7.2.4 2001/04/03 15:45:15 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; --- 1,5 ---- /* ! * $Id: ip_raudio_pxy.c,v 1.7.2.5 2001/05/18 14:23:39 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; *************** *** 280,285 **** --- 280,286 ---- tcp2->th_dport = htons(dp); fi.fin_data[0] = dp; fi.fin_data[1] = sp; + fi.fin_out = 0; ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_UDP | (sp ? 
0 : FI_W_SPORT), NAT_OUTBOUND); if (ipn != NULL) { *************** *** 294,299 **** --- 295,301 ---- tcp2->th_dport = 0; /* XXX - don't specify remote port */ fi.fin_data[0] = sp; fi.fin_data[1] = 0; + fi.fin_out = 1; ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_UDP|FI_W_DPORT, NAT_OUTBOUND); if (ipn != NULL) { diff -cr ip_fil3.4.17/ip_state.c ip_fil3.4.18/ip_state.c *** ip_fil3.4.17/ip_state.c Fri Apr 6 22:31:21 2001 --- ip_fil3.4.18/ip_state.c Tue Jun 5 21:31:53 2001 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.30 2001/04/06 12:31:21 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.33 2001/06/05 11:31:53 darrenr Exp $"; #endif #include *************** *** 243,248 **** --- 243,249 ---- if (error) return EFAULT; + WRITE_ENTER(&ipf_state); for (sp = ips_list; sp; sp = sp->is_next) if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) && !bcmp((char *)&sp->is_src, (char *)&st.is_src, *************** *** 251,257 **** sizeof(st.is_dst)) && !bcmp((char *)&sp->is_ps, (char *)&st.is_ps, sizeof(st.is_ps))) { - WRITE_ENTER(&ipf_state); #ifdef IPFILTER_LOG ipstate_log(sp, ISL_REMOVE); #endif --- 252,257 ---- *************** *** 259,264 **** --- 259,265 ---- RWLOCK_EXIT(&ipf_state); return 0; } + RWLOCK_EXIT(&ipf_state); return ESRCH; } *************** *** 719,724 **** --- 720,727 ---- * Find difference between last checked packet and this packet. */ source = IP6EQ(fin->fin_fi.fi_src, is->is_src); + if (source && (ntohs(is->is_sport) != fin->fin_data[0])) + source = 0; fdata = &is->is_tcp.ts_data[!source]; tdata = &is->is_tcp.ts_data[source]; seq = ntohl(tcp->th_seq); *************** *** 811,817 **** u_short sp, dp; void *ifp; ! 
rev = fin->fin_rev = IP6NEQ(is->is_dst, dst); ifp = fin->fin_ifp; out = fin->fin_out; --- 814,820 ---- u_short sp, dp; void *ifp; ! rev = IP6NEQ(is->is_dst, dst); ifp = fin->fin_ifp; out = fin->fin_out; *************** *** 819,824 **** --- 822,829 ---- flags = is->is_flags; sp = tcp->th_sport; dp = tcp->th_dport; + if (!rev && (sp != is->is_sport)) + rev = 1; } else { flags = is->is_flags & FI_WILDA; sp = 0; *************** *** 936,941 **** --- 941,947 ---- sizeof(is->is_ifname[1])); } #endif + fin->fin_rev = rev; return 1; } *************** *** 1307,1313 **** if (!fr_tcpstate(is, fin, ip, tcp)) { continue; } ! } if ((pr == IPPROTO_UDP)) { if (fin->fin_rev) is->is_age = fr_udpacktimeout; else --- 1313,1319 ---- if (!fr_tcpstate(is, fin, ip, tcp)) { continue; } ! } else if ((pr == IPPROTO_UDP)) { if (fin->fin_rev) is->is_age = fr_udpacktimeout; else *************** *** 1430,1436 **** ips_stats.iss_inuse = 0; ips_num = 0; RWLOCK_EXIT(&ipf_state); ! KFREES(ips_table, fr_statesize * sizeof(ipstate_t *)); ips_table = NULL; } --- 1436,1443 ---- ips_stats.iss_inuse = 0; ips_num = 0; RWLOCK_EXIT(&ipf_state); ! if (ips_table) ! KFREES(ips_table, fr_statesize * sizeof(ipstate_t *)); ips_table = NULL; } diff -cr ip_fil3.4.17/ip_state.h ip_fil3.4.18/ip_state.h *** ip_fil3.4.17/ip_state.h Wed Aug 23 21:01:31 2000 --- ip_fil3.4.18/ip_state.h Thu May 31 20:20:12 2001 *************** *** 6,12 **** * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.13.2.2 2000/08/23 11:01:31 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ --- 6,12 ---- * to the original author and the contributors. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.13.2.3 2001/05/31 10:20:12 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ *************** *** 17,24 **** # define SIOCDELST _IOW(r, 61, struct ipstate *) #endif ! #define IPSTATE_SIZE 5737 ! 
#define IPSTATE_MAX 4013 /* Maximum number of states held */ #define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\ (((s1) == (d2)) && ((d1) == (s2)))) --- 17,28 ---- # define SIOCDELST _IOW(r, 61, struct ipstate *) #endif ! #ifndef IPSTATE_SIZE ! # define IPSTATE_SIZE 5737 ! #endif ! #ifndef IPSTATE_MAX ! # define IPSTATE_MAX 4013 /* Maximum number of states held */ ! #endif #define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\ (((s1) == (d2)) && ((d1) == (s2)))) diff -cr ip_fil3.4.17/ipf.c ip_fil3.4.18/ipf.c *** ip_fil3.4.17/ipf.c Wed Oct 25 21:37:11 2000 --- ip_fil3.4.18/ipf.c Thu May 31 20:21:19 2001 *************** *** 6,12 **** * to the original author and the contributors. */ #ifdef __FreeBSD__ ! # include #endif #include #include --- 6,18 ---- * to the original author and the contributors. */ #ifdef __FreeBSD__ ! # ifndef __FreeBSD_cc_version ! # include ! # else ! # if __FreeBSD_cc_version < 430000 ! # include ! # endif ! # endif #endif #include #include *************** *** 43,49 **** #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.5 2000/10/25 10:37:11 darrenr Exp $"; #endif #if SOLARIS --- 49,55 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.7 2001/05/31 10:21:19 darrenr Exp $"; #endif #if SOLARIS *************** *** 74,86 **** static char *getline __P((char *, size_t, FILE *, int *)); static char *ipfname = IPL_NAME; static void usage __P((void)); ! static void showversion __P((void)); static int get_flags __P((void)); static void usage() { ! fprintf(stderr, "usage: ipf [-6AdDEInoPrsUvVyzZ] %s %s %s\n", "[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]"); exit(1); } --- 80,98 ---- static char *getline __P((char *, size_t, FILE *, int *)); static char *ipfname = IPL_NAME; static void usage __P((void)); ! 
static int showversion __P((void)); static int get_flags __P((void)); + #if SOLARIS + # define OPTS "6AdDEf:F:Il:noPrsUvVyzZ" + #else + # define OPTS "6AdDEf:F:Il:noPrsvVyzZ" + #endif + static void usage() { ! fprintf(stderr, "usage: ipf %s %s %s %s\n", OPTS, "[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]"); exit(1); } *************** *** 92,102 **** { int c; ! while ((c = getopt(argc, argv, "6AdDEf:F:Il:noPrsUvVyzZ")) != -1) { switch (c) { - case '?' : - usage(); #ifdef USE_INET6 case '6' : use_inet6 = 1; --- 104,112 ---- { int c; ! while ((c = getopt(argc, argv, OPTS)) != -1) { switch (c) { #ifdef USE_INET6 case '6' : use_inet6 = 1; *************** *** 146,156 **** break; #endif case 'v' : ! opts |= OPT_VERBOSE; break; case 'V' : ! showversion(); ! break; case 'y' : frsync(); break; --- 156,166 ---- break; #endif case 'v' : ! opts += OPT_VERBOSE; break; case 'V' : ! if (showversion()) ! exit(1); case 'y' : frsync(); break; *************** *** 160,165 **** --- 170,178 ---- case 'Z' : zerostats(); break; + default : + usage(); + break; } } *************** *** 553,559 **** #endif ! static void showversion() { struct friostat fio; struct friostat *fiop=&fio; --- 566,572 ---- #endif ! static int showversion() { struct friostat fio; struct friostat *fiop=&fio; *************** *** 565,577 **** if ((vfd = open(ipfname, O_RDONLY)) == -1) { perror("open device"); ! return; } if (ioctl(vfd, SIOCGETFS, &fiop)) { perror("ioctl(SIOCGETFS)"); close(vfd); ! return; } close(vfd); flags = get_flags(); --- 578,590 ---- if ((vfd = open(ipfname, O_RDONLY)) == -1) { perror("open device"); ! return 1; } if (ioctl(vfd, SIOCGETFS, &fiop)) { perror("ioctl(SIOCGETFS)"); close(vfd); ! return 1; } close(vfd); flags = get_flags(); *************** *** 610,613 **** --- 623,628 ---- s = "nomatch -> block"; printf("%s all, Logging: %savailable\n", s, fio.f_logging ? 
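Review bot: The `break` that ended `case 'V'` is gone on the new side, so a successful `showversion()` now falls through into `case 'y'` and calls `frsync()`. A version query should not trigger a second action as a side effect; restore it as `if (showversion()) exit(1);` followed by `break;`. In the same hunk `opts += OPT_VERBOSE` replaces `|=`. If that is meant to count repeated `-v`, a comment should say so, because a second `-v` otherwise carries into the neighbouring option bit of `opts`.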
"" : "un"); printf("Active list: %d\n", fio.f_active); + + return 0; } diff -cr ip_fil3.4.17/ipfs.c ip_fil3.4.18/ipfs.c *** ip_fil3.4.17/ipfs.c Wed Apr 4 00:14:09 2001 --- ip_fil3.4.18/ipfs.c Sun Apr 15 16:46:33 2001 *************** *** 6,12 **** * to the original author and the contributors. */ #ifdef __FreeBSD__ ! # include #endif #include #include --- 6,18 ---- * to the original author and the contributors. */ #ifdef __FreeBSD__ ! # ifndef __FreeBSD_cc_version ! # include ! # else ! # if __FreeBSD_cc_version < 430000 ! # include ! # endif ! # endif #endif #include #include *************** *** 41,47 **** #include "ipf.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.5 2001/04/03 14:14:09 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR --- 47,53 ---- #include "ipf.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.6 2001/04/15 06:46:33 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR diff -cr ip_fil3.4.17/ipft_pc.c ip_fil3.4.18/ipft_pc.c *** ip_fil3.4.17/ipft_pc.c Tue Mar 14 09:10:24 2000 --- ip_fil3.4.18/ipft_pc.c Thu May 31 20:21:45 2001 *************** *** 33,39 **** #include "ipt.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $"; #endif struct llc { --- 33,39 ---- #include "ipt.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.1 2001/05/31 10:21:45 darrenr Exp $"; #endif struct llc { *************** *** 46,52 **** * While many of these maybe the same, some do have different header formats * which make this useful. */ ! #define DLT_MAX 10 static struct llc llcs[DLT_MAX+1] = { { 0, 0, 0 }, /* DLT_NULL */ --- 46,52 ---- * While many of these maybe the same, some do have different header formats * which make this useful. */ ! #define DLT_MAX 14 static struct llc llcs[DLT_MAX+1] = { { 0, 0, 0 }, /* DLT_NULL */ *************** *** 59,65 **** { 0, 0, 0 }, /* DLT_ARCNET */ { 0, 0, 0 }, /* DLT_SLIP */ { 0, 0, 0 }, /* DLT_PPP */ ! 
{ 0, 0, 0 } /* DLT_FDDI */ }; static int pcap_open __P((char *)); --- 59,68 ---- { 0, 0, 0 }, /* DLT_ARCNET */ { 0, 0, 0 }, /* DLT_SLIP */ { 0, 0, 0 }, /* DLT_PPP */ ! { 0, 0, 0 }, /* DLT_FDDI */ ! { 0, 0, 0 }, /* DLT_ATMRFC1483 */ ! { 0, 0, 0 }, /* DLT_LOOP */ ! { 0, 0, 0 } /* DLT_ENC */ }; static int pcap_open __P((char *)); *************** *** 114,120 **** swap_hdr(&ph); } ! if (ph.pc_v_maj != PCAP_VERSION_MAJ || ph.pc_type > DLT_MAX) { (void) close(fd); return -2; } --- 117,123 ---- swap_hdr(&ph); } ! if (ph.pc_v_maj != PCAP_VERSION_MAJ || ph.pc_type >= DLT_MAX) { (void) close(fd); return -2; } diff -cr ip_fil3.4.17/ipl.h ip_fil3.4.18/ipl.h *** ip_fil3.4.17/ipl.h Fri Apr 6 22:21:28 2001 --- ip_fil3.4.18/ipl.h Tue Jun 5 21:33:32 2001 *************** *** 6,17 **** * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.19 2001/04/06 12:21:28 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.4.17" #endif --- 6,17 ---- * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.20 2001/06/05 11:33:32 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.4.18" #endif diff -cr ip_fil3.4.17/ipmon.c ip_fil3.4.18/ipmon.c *** ip_fil3.4.17/ipmon.c Wed Apr 4 00:14:10 2001 --- ip_fil3.4.18/ipmon.c Thu May 31 20:21:58 2001 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.9 2001/04/03 14:14:10 darrenr Exp $"; #endif #ifndef SOLARIS --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.10 2001/05/31 10:21:58 darrenr Exp $"; #endif #ifndef SOLARIS *************** *** 1010,1015 **** --- 1010,1016 ---- openlog(s, LOG_NDELAY|LOG_PID, LOGFAC); s = NULL; opts |= OPT_SYSLOG; + log = NULL; break; case 'S' : opts |= OPT_STATE; diff -cr ip_fil3.4.17/ipnat.c ip_fil3.4.18/ipnat.c *** ip_fil3.4.17/ipnat.c Sat Dec 2 11:15:04 2000 --- ip_fil3.4.18/ipnat.c Thu May 31 20:29:33 2001 *************** *** 57,63 **** #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.5 2000/12/02 00:15:04 darrenr Exp $"; #endif --- 57,63 ---- #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.7 2001/05/31 10:29:33 darrenr Exp $"; #endif *************** *** 110,119 **** int argc; char *argv[]; { - char *file = NULL; int fd = -1, opts = 0, c, mode = O_RDWR; ! while ((c = getopt(argc, argv, "CdFf:hlnrsv")) != -1) switch (c) { case 'C' : --- 110,119 ---- int argc; char *argv[]; { int fd = -1, opts = 0, c, mode = O_RDWR; + char *file = NULL, *core = NULL; ! 
while ((c = getopt(argc, argv, "CdFf:hlM:nrsv")) != -1) switch (c) { case 'C' : *************** *** 135,140 **** --- 135,143 ---- opts |= OPT_LIST; mode = O_RDONLY; break; + case 'M' : + core = optarg; + break; case 'n' : opts |= OPT_NODO; mode = O_RDONLY; *************** *** 153,158 **** --- 156,168 ---- usage(argv[0]); } + if (core != NULL) { + if (openkmem(core) == -1) + exit(1); + (void) setgid(getgid()); + (void) setuid(getuid()); + } + gethostname(thishost, sizeof(thishost)); thishost[sizeof(thishost) - 1] = '\0'; *************** *** 292,300 **** --- 302,312 ---- void dostats(fd, opts) int fd, opts; { + hostmap_t hm, *hmp, **maptable; natstat_t ns, *nsp = &ns; nat_t **nt[2], *np, nat; ipnat_t ipn; + u_int hv; bzero((char *)&ns, sizeof(ns)); *************** *** 379,384 **** --- 391,428 ---- printaps(nat.nat_aps, opts); } + if (opts & OPT_VERBOSE) { + printf("\nList of active host mappings:\n"); + + maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) * + ns.ns_hostmap_sz); + if (kmemcpy((char *)maptable, (u_long)ns.ns_maptable, + sizeof(hostmap_t *) * ns.ns_hostmap_sz)) { + perror("kmemcpy (maptable)"); + return; + } + + for (hv = 0; hv < ns.ns_hostmap_sz; hv++) { + hmp = maptable[hv]; + + while(hmp) { + + if (kmemcpy((char *)&hm, (u_long)hmp, + sizeof(hostmap_t))) { + perror("kmemcpy (hostmap)"); + return; + } + + printf("%s -> ", + inet_ntoa(hm.hm_realip)); + printf("%s ", inet_ntoa(hm.hm_mapip)); + printf("(use = %d hv = %u)\n", + hm.hm_ref, hv); + hmp = hm.hm_next; + } + } + free(maptable); + } free(nt[0]); } } diff -cr ip_fil3.4.17/ipt.c ip_fil3.4.18/ipt.c *** ip_fil3.4.17/ipt.c Tue Mar 14 09:10:25 2000 --- ip_fil3.4.18/ipt.c Sun Apr 15 16:46:33 2001 *************** *** 6,12 **** * to the original author and the contributors. */ #ifdef __FreeBSD__ ! # include #endif #include #include --- 6,18 ---- * to the original author and the contributors. */ #ifdef __FreeBSD__ ! # ifndef __FreeBSD_cc_version ! # include ! # else ! # if __FreeBSD_cc_version < 430000 ! 
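Review bot: The new `-M` block opens the user-supplied path with `openkmem(core)` before it gives up privileges, and it discards the results of `setgid()` and `setuid()`. If ipnat is installed set-id so it can read kernel memory (not visible here), the open runs with the elevated ids, and a failed drop would go unnoticed. Drop first and check the result, e.g. `if (setgid(getgid()) == -1 || setuid(getuid()) == -1) { perror("setgid/setuid"); exit(1); }`, and only then call `openkmem(core)`. The body of `main` continues outside this hunk.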
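Review bot: The host-map listing added under `OPT_VERBOSE` uses the result of `malloc()` without a NULL check and leaks `maptable` on both `kmemcpy` failure returns. Those early returns also skip the `free(nt[0])` that follows the block. `ns.ns_hostmap_sz` and every `hm_next` pointer come from the kernel or, with `-M`, from a caller-chosen core image, so the size multiplication and the `while(hmp)` walk are driven by data the tool does not control. A sanity limit on the table size and a cap on the chain length per bucket would keep a damaged image from causing an oversized allocation or an endless loop. The fence shows the allocation and error-path changes only; the enclosing function starts outside this hunk.

```c
		maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
						ns.ns_hostmap_sz);
		if (maptable == NULL) {
			perror("malloc (maptable)");
			return;
		}
		if (kmemcpy((char *)maptable, (u_long)ns.ns_maptable,
			    sizeof(hostmap_t *) * ns.ns_hostmap_sz)) {
			perror("kmemcpy (maptable)");
			free(maptable);
			return;
		}
		/* ... unchanged: per-bucket loop header and hmp assignment ... */
				if (kmemcpy((char *)&hm, (u_long)hmp,
					    sizeof(hostmap_t))) {
					perror("kmemcpy (hostmap)");
					free(maptable);
					return;
				}
		/* ... unchanged: printf calls, hmp = hm.hm_next, free(maptable) ... */
```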
# include ! # endif ! # endif #endif #include #include *************** *** 55,61 **** #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6 2000/03/13 22:10:25 darrenr Exp $"; #endif extern char *optarg; --- 61,67 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.1 2001/04/15 06:46:33 darrenr Exp $"; #endif extern char *optarg; diff -cr ip_fil3.4.17/kmem.c ip_fil3.4.18/kmem.c *** ip_fil3.4.17/kmem.c Tue Mar 14 09:10:25 2000 --- ip_fil3.4.18/kmem.c Thu May 31 20:24:08 2001 *************** *** 20,33 **** #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2 2000/03/13 22:10:25 darrenr Exp $"; #endif static int kmemfd = -1; ! int openkmem() { ! if ((kmemfd = open(KMEM,O_RDONLY)) == -1) { perror("kmeminit:open"); return -1; --- 20,37 ---- #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.1 2001/05/31 10:24:08 darrenr Exp $"; #endif static int kmemfd = -1; ! int openkmem(core) ! char *core; { ! if (core == NULL) ! core = KMEM; ! ! if ((kmemfd = open(core, O_RDONLY)) == -1) { perror("kmeminit:open"); return -1; *************** *** 45,51 **** if (!n) return 0; if (kmemfd == -1) ! if (openkmem() == -1) return -1; if (lseek(kmemfd, pos, 0) == -1) { --- 49,55 ---- if (!n) return 0; if (kmemfd == -1) ! if (openkmem(NULL) == -1) return -1; if (lseek(kmemfd, pos, 0) == -1) { *************** *** 76,82 **** if (!n) return 0; if (kmemfd == -1) ! if (openkmem() == -1) return -1; if (lseek(kmemfd, pos, 0) == -1) { --- 80,86 ---- if (!n) return 0; if (kmemfd == -1) ! 
if (openkmem(NULL) == -1) return -1; if (lseek(kmemfd, pos, 0) == -1) { diff -cr ip_fil3.4.17/kmem.h ip_fil3.4.18/kmem.h *** ip_fil3.4.17/kmem.h Tue Mar 14 09:10:25 2000 --- ip_fil3.4.18/kmem.h Thu May 31 20:24:08 2001 *************** *** 4,10 **** * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. ! * $Id: kmem.h,v 2.2 2000/03/13 22:10:25 darrenr Exp $ */ #ifndef __KMEM_H__ --- 4,10 ---- * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. ! * $Id: kmem.h,v 2.2.2.1 2001/05/31 10:24:08 darrenr Exp $ */ #ifndef __KMEM_H__ *************** *** 17,23 **** # define __P(x) () # endif #endif ! extern int openkmem __P((void)); extern int kmemcpy __P((char *, long, int)); extern int kstrncpy __P((char *, long, int)); --- 17,23 ---- # define __P(x) () # endif #endif ! extern int openkmem __P((char *)); extern int kmemcpy __P((char *, long, int)); extern int kstrncpy __P((char *, long, int)); diff -cr ip_fil3.4.17/man/ipl.4 ip_fil3.4.18/man/ipl.4 *** ip_fil3.4.17/man/ipl.4 Thu Aug 5 03:31:21 1999 --- ip_fil3.4.18/man/ipl.4 Thu May 31 20:24:29 2001 *************** *** 76,79 **** .SH BUGS Packet headers are dropped when the internal buffer (static size) fills. .SH FILES ! /dev/ipl0 --- 76,79 ---- .SH BUGS Packet headers are dropped when the internal buffer (static size) fills. .SH FILES ! /dev/ipl diff -cr ip_fil3.4.17/mlf_ipl.c ip_fil3.4.18/mlf_ipl.c *** ip_fil3.4.17/mlf_ipl.c Mon Nov 27 21:44:46 2000 --- ip_fil3.4.18/mlf_ipl.c Sun May 27 03:00:01 2001 *************** *** 13,24 **** #include ! #if defined(__FreeBSD__) && (__FreeBSD__ > 1) # ifdef IPFILTER_LKM ! # include # define ACTUALLY_LKM_NOT_KERNEL # else ! # include # endif #endif #include --- 13,36 ---- #include ! #if defined(__FreeBSD__) # ifdef IPFILTER_LKM ! 
# ifndef __FreeBSD_cc_version ! # include ! # else ! # if __FreeBSD_cc_version < 430000 ! # include ! # endif ! # endif # define ACTUALLY_LKM_NOT_KERNEL # else ! # ifndef __FreeBSD_cc_version ! # include ! # else ! # if __FreeBSD_cc_version < 430000 ! # include ! # endif ! # endif # endif #endif #include *************** *** 53,71 **** #if (__FreeBSD_version >= 300000) # include #endif - #if (__FreeBSD_version >= 199511) #include #include #include #include #include #include #include #include ! #endif ! #if (__FreeBSD__ > 1) ! # include ! #endif #include #include "netinet/ipl.h" #include "netinet/ip_compat.h" --- 65,80 ---- #if (__FreeBSD_version >= 300000) # include #endif #include #include #include #include #include + #include #include #include #include ! #include #include #include "netinet/ipl.h" #include "netinet/ip_compat.h" *************** *** 392,398 **** # endif } # endif /* IPFILTER_LKM */ ! static ipl_devsw_installed = 0; static void ipl_drvinit __P((void *unused)) { --- 401,407 ---- # endif } # endif /* IPFILTER_LKM */ ! static int ipl_devsw_installed = 0; static void ipl_drvinit __P((void *unused)) { diff -cr ip_fil3.4.17/parse.c ip_fil3.4.18/parse.c *** ip_fil3.4.17/parse.c Sat Dec 2 11:13:18 2000 --- ip_fil3.4.18/parse.c Tue Jun 5 18:09:36 2001 *************** *** 394,400 **** linenum); return NULL; } ! if (**cpp == '!') { fil.fr_flags |= FR_NOTSRCIP; (*cpp)++; } --- 394,408 ---- linenum); return NULL; } ! if (!strcmp(*cpp, "!")) { ! fil.fr_flags |= FR_NOTSRCIP; ! if (!*++cpp) { ! fprintf(stderr, ! "%d: missing host after from\n", ! linenum); ! return NULL; ! } ! } else if (**cpp == '!') { fil.fr_flags |= FR_NOTSRCIP; (*cpp)++; } *************** *** 424,430 **** return NULL; } ch = 0; ! if (**cpp == '!') { fil.fr_flags |= FR_NOTDSTIP; (*cpp)++; } --- 432,446 ---- return NULL; } ch = 0; ! if (!strcmp(*cpp, "!")) { ! fil.fr_flags |= FR_NOTDSTIP; ! if (!*++cpp) { ! fprintf(stderr, ! "%d: missing host after from\n", ! linenum); ! return NULL; ! } ! 
} else if (**cpp == '!') { fil.fr_flags |= FR_NOTDSTIP; (*cpp)++; } diff -cr ip_fil3.4.17/solaris.c ip_fil3.4.18/solaris.c *** ip_fil3.4.17/solaris.c Fri Apr 6 21:19:36 2001 --- ip_fil3.4.18/solaris.c Sun May 27 03:00:25 2001 *************** *** 6,12 **** * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.15.2.13 2001/04/06 11:19:36 darrenr Exp $" #include #include --- 6,12 ---- * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ ! #pragma ident "@(#)$Id: solaris.c,v 2.15.2.16 2001/05/26 17:00:25 darrenr Exp $" #include #include *************** *** 147,153 **** static size_t hdrsizes[57][2] = { { 0, 0 }, { IFT_OTHER, 0 }, ! { IFT_1822, 0 }, { IFT_HDH1822, 0 }, { IFT_X25DDN, 0 }, { IFT_X25, 0 }, --- 147,153 ---- static size_t hdrsizes[57][2] = { { 0, 0 }, { IFT_OTHER, 0 }, ! { IFT_1822, 14 }, /* 14 for ire0 ?? */ { IFT_HDH1822, 0 }, { IFT_X25DDN, 0 }, { IFT_X25, 0 }, *************** *** 275,282 **** { qif_t *qif = arg; ! if ((ire->ire_type == IRE_CACHE) && (ire->ire_ipif != NULL) && ! (ire->ire_ipif->ipif_ill == qif->qf_ill)) { #if SOLARIS2 >= 8 mblk_t *m = ire->ire_fp_mp; #else --- 275,288 ---- { qif_t *qif = arg; ! if ((ire->ire_type == IRE_CACHE) && ! #if SOLARIS2 >= 6 ! (ire->ire_ipif != NULL) && ! (ire->ire_ipif->ipif_ill == qif->qf_ill) ! #else ! (ire_to_ill(ire) == qif->qf_ill) ! #endif ! ) { #if SOLARIS2 >= 8 mblk_t *m = ire->ire_fp_mp; #else *************** *** 543,549 **** register mblk_t *m, *mt = *mp; register ip_t *ip; size_t hlen, len, off, off2, mlen, iphlen, plen, woff; ! int err, synced = 0, sap, p, realigned = 0; u_char *bp; #if SOLARIS2 >= 8 ip6_t *ip6; --- 549,555 ---- register mblk_t *m, *mt = *mp; register ip_t *ip; size_t hlen, len, off, off2, mlen, iphlen, plen, woff; ! 
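Review bot: The error text in this branch, which sets `FR_NOTDSTIP`, still reads `"%d: missing host after from\n"`, copied from the source-address hunk at 394. A user who leaves out the destination host is therefore pointed at the wrong half of the rule. The message should name the destination keyword instead, presumably `"%d: missing host after to\n"` (the keyword itself is not visible in this hunk).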
int err, synced = 0, sap, p, realigned = 0, multi = 0; u_char *bp; #if SOLARIS2 >= 8 ip6_t *ip6; *************** *** 569,576 **** bp = (u_char *)ALIGN32(mt->b_rptr); if (MTYPE(mt) == M_PROTO || MTYPE(mt) == M_PCPROTO) { dl_unitdata_ind_t *dl = (dl_unitdata_ind_t *)bp; ! if (dl->dl_primitive != DL_UNITDATA_IND && ! dl->dl_primitive != DL_UNITDATA_REQ) { ip = (ip_t *)dl; if ((ip->ip_v == IPVERSION) && (ip->ip_hl == (sizeof(*ip) >> 2)) && --- 575,583 ---- bp = (u_char *)ALIGN32(mt->b_rptr); if (MTYPE(mt) == M_PROTO || MTYPE(mt) == M_PCPROTO) { dl_unitdata_ind_t *dl = (dl_unitdata_ind_t *)bp; ! if (dl->dl_primitive == DL_UNITDATA_IND) { ! multi = dl->dl_group_address; ! } else if (dl->dl_primitive != DL_UNITDATA_REQ) { ip = (ip_t *)dl; if ((ip->ip_v == IPVERSION) && (ip->ip_hl == (sizeof(*ip) >> 2)) && *************** *** 687,697 **** fixalign: if (off) m->b_rptr -= off; ! #ifdef sparc ! c = (*(u_char *)ip & 0xf0) >> 4; ! #else ! c = (*(u_char *)ip & 0xf); ! #endif if (c != 4 #if SOLARIS2 >= 8 && c != 6 --- 694,701 ---- fixalign: if (off) m->b_rptr -= off; ! c = *(u_char *)ip; ! c >>= 4; if (c != 4 #if SOLARIS2 >= 8 && c != 6 *************** *** 715,721 **** } MTYPE(m2) = M_DATA; ! m2->b_rptr += off2; m2->b_wptr = m2->b_rptr + len; m1 = m; s = (u_char *)m->b_rptr; --- 719,726 ---- } MTYPE(m2) = M_DATA; ! if (m->b_rptr != (u_char *)ip) ! m2->b_rptr += off2; m2->b_wptr = m2->b_rptr + len; m1 = m; s = (u_char *)m->b_rptr; *************** *** 948,953 **** --- 953,959 ---- if (fr_running <= 0) { mb->b_prev = NULL; + mb->b_next = NULL; freemsg(mb); return 0; } *************** *** 956,968 **** mblk_t *m1; m1 = copymsg(mb); - mb->b_prev = NULL; - freemsg(mb); - mb = m1; if (!m1) { ! frstats[1].fr_drop++; return 0; } frstats[0].fr_copy++; } --- 962,980 ---- mblk_t *m1; m1 = copymsg(mb); if (!m1) { ! frstats[0].fr_drop++; ! mb->b_next = NULL; ! mb->b_prev = NULL; ! 
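Review bot: The drop path in the hunk at 948 now needs the three statements `mb->b_prev = NULL; mb->b_next = NULL; freemsg(mb);` to be correct. The same triple is repeated by hand in the later hunks at 971, 1015, 1043, 1081, 1135, 1163, 1191, 1202 and 1923. The added clear is presumably there so that a freed block never carries a stale sibling link, and with this many copies a future drop site can easily omit one of the two clears. A single helper would keep every drop path consistent, e.g. `static void ipf_freemb(mblk_t *mb) { mb->b_prev = NULL; mb->b_next = NULL; freemsg(mb); }` (name is only a suggestion). The enclosing function starts and ends outside the hunk.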
freemsg(mb); return 0; } + m1->b_next = mb->b_next; + mb->b_next = NULL; + m1->b_prev = mb->b_prev; + mb->b_prev = NULL; + freemsg(mb); + mb = m1; frstats[0].fr_copy++; } *************** *** 971,976 **** --- 983,989 ---- if (fr_running <= 0) { RWLOCK_EXIT(&ipf_solaris); mb->b_prev = NULL; + mb->b_next = NULL; freemsg(mb); return 0; } *************** *** 1015,1020 **** --- 1028,1034 ---- frstats[0].fr_drop++; RWLOCK_EXIT(&ipf_solaris); mb->b_prev = NULL; + mb->b_next = NULL; freemsg(mb); return 0; } *************** *** 1043,1048 **** --- 1057,1063 ---- } if (mb) { mb->b_prev = NULL; + mb->b_next = NULL; freemsg(mb); } return 0; *************** *** 1058,1078 **** if (fr_running <= 0) { mb->b_prev = NULL; freemsg(mb); return 0; } ! if (mb->b_datap->db_ref > 1) { mblk_t *m1; m1 = copymsg(mb); - mb->b_prev = NULL; - freemsg(mb); - mb = m1; if (!m1) { frstats[1].fr_drop++; return 0; } frstats[1].fr_copy++; } --- 1073,1106 ---- if (fr_running <= 0) { mb->b_prev = NULL; + mb->b_next = NULL; freemsg(mb); return 0; } ! #if SOLARIS2 >= 6 ! if ((!dohwcksum || mb->b_ick_flag != ICK_VALID) && ! (mb->b_datap->db_ref > 1)) ! #else ! if (mb->b_datap->db_ref > 1) ! #endif ! { mblk_t *m1; m1 = copymsg(mb); if (!m1) { frstats[1].fr_drop++; + mb->b_next = NULL; + mb->b_prev = NULL; + freemsg(mb); return 0; } + m1->b_next = mb->b_next; + mb->b_next = NULL; + m1->b_prev = mb->b_prev; + mb->b_prev = NULL; + freemsg(mb); + mb = m1; frstats[1].fr_copy++; } *************** *** 1081,1086 **** --- 1109,1115 ---- if (fr_running <= 0) { RWLOCK_EXIT(&ipf_solaris); mb->b_prev = NULL; + mb->b_next = NULL; freemsg(mb); return 0; } *************** *** 1097,1103 **** synced = 1; goto again; } ! /* fr_donotip(0, NULL, q, mb, mb, NULL, 0); */ RWLOCK_EXIT(&ipf_solaris); return (*pnext)(q, mb); } --- 1126,1132 ---- synced = 1; goto again; } ! 
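Review bot: The `SOLARIS2 >= 6` condition added in the hunk at 1058 skips `copymsg()` for a block whose data is still shared (`db_ref > 1`) whenever `dohwcksum` is set and `b_ick_flag` is `ICK_VALID`, and nothing in the hunk says why that is safe. If any later step writes into the packet (not visible here), that write would land in a data block that other holders still reference. Add a comment above the `#if` stating the invariant, e.g. `/* keep the original mblk when the hardware checksum is valid: <reason>; nothing below may modify shared data in that case */`, or limit the shortcut to paths known to be read-only. The enclosing function starts and ends outside the hunk.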
/* fr_donotip(1, NULL, q, mb, mb, NULL, 0); */ RWLOCK_EXIT(&ipf_solaris); return (*pnext)(q, mb); } *************** *** 1135,1140 **** --- 1164,1170 ---- frstats[1].fr_drop++; RWLOCK_EXIT(&ipf_solaris); mb->b_prev = NULL; + mb->b_next = NULL; freemsg(mb); return 0; } *************** *** 1163,1168 **** --- 1193,1199 ---- } if (mb) { mb->b_prev = NULL; + mb->b_next = NULL; freemsg(mb); } return 0; *************** *** 1191,1196 **** --- 1222,1228 ---- if (fr_running <= 0) { mb->b_prev = NULL; + mb->b_next = NULL; freemsg(mb); return 0; } *************** *** 1202,1207 **** --- 1234,1240 ---- if (fr_running <= 0) { RWLOCK_EXIT(&ipf_solaris); mb->b_prev = NULL; + mb->b_next = NULL; freemsg(mb); return 0; } *************** *** 1760,1765 **** --- 1793,1799 ---- mp = (*mpp)->b_cont; (*mpp)->b_cont = NULL; (*mpp)->b_prev = NULL; + (*mpp)->b_next = NULL; freemsg(*mpp); *mpp = mp; } *************** *** 1897,1902 **** --- 1931,1937 ---- q = WR(ir->ire_rfq); if (q) { mb->b_prev = NULL; + mb->b_next = NULL; mb->b_queue = q; RWLOCK_EXIT(&ipfs_mutex); RWLOCK_EXIT(&ipf_solaris); *************** *** 1923,1928 **** --- 1958,1964 ---- } bad_fastroute: mb->b_prev = NULL; + mb->b_next = NULL; freemsg(mb); ipl_frouteok[1]++; return -1; diff -cr ip_fil3.4.17/test/Makefile ip_fil3.4.18/test/Makefile *** ip_fil3.4.17/test/Makefile Sun Jun 11 02:20:28 2000 --- ip_fil3.4.18/test/Makefile Sun Apr 15 16:45:03 2001 *************** *** 15,21 **** -mkdir -p results # Filtering tests ! ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14 # Rule parsing tests ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 --- 15,21 ---- -mkdir -p results # Filtering tests ! ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 # Rule parsing tests ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 *************** *** 28,34 **** f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f14: @/bin/sh ./dotest $@ ! f12: @/bin/sh ./hextest $@ i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11: --- 28,34 ---- f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f14: @/bin/sh ./dotest $@ ! 
f12 f13: @/bin/sh ./hextest $@ i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11: Only in ip_fil3.4.18/test/expected: f13 diff -cr ip_fil3.4.17/test/expected/i7 ip_fil3.4.18/test/expected/i7 *** ip_fil3.4.17/test/expected/i7 Fri Jan 12 01:06:50 2001 --- ip_fil3.4.18/test/expected/i7 Sun Apr 8 14:50:19 2001 *************** *** 1,4 **** pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA ! block in on lo0(!) proto tcp from any to any flags A/0xbf pass in on lo0(!) proto tcp from any to any flags /SPA ! block in on lo0(!) proto tcp from any to any flags 0x80/A --- 1,4 ---- pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA ! block in on lo0(!) proto tcp from any to any flags A/FSRPAUC pass in on lo0(!) proto tcp from any to any flags /SPA ! block in on lo0(!) proto tcp from any to any flags C/A diff -cr ip_fil3.4.17/test/input/f13 ip_fil3.4.18/test/input/f13 *** ip_fil3.4.17/test/input/f13 Fri Jan 10 02:14:56 1997 --- ip_fil3.4.18/test/input/f13 Sun Apr 15 16:45:04 2001 *************** *** 33,38 **** --- 33,42 ---- 45 00 001c 0008 2000 3f 11 0000 01010101 02010101 0035003500040000 + # 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0 (short) + 45 00 0018 0008 2000 3f 11 0000 01010101 02010101 + 00350036 + # 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP FO=1 45 00 001c 0008 0001 3f 11 0000 01010101 02010101 0000000000000000