diff -crN ip_fil3.4.31/HISTORY ip_fil3.4.32/HISTORY *** ip_fil3.4.31/HISTORY Sat Dec 7 13:40:05 2002 --- ip_fil3.4.32/HISTORY Wed Jun 18 23:18:09 2003 *************** *** 22,27 **** --- 22,59 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 3.4.32 18/6/2003 - Released + + fix up the behaviour of ipfs + + make parsing errors in ipf/ipnat return an error rather than return + indicating success. + + window scaling patch + + make ipfstat work as a set{g,u}id thing - gave up privs before opening + /dev/ipl + + checksum adjustment corrections for ICMP & NAT + + attempt to always get an mbuf full of data through pullup if possible + + Fix bug with NAT and fragments causing system to crash + + Add patches for OpenBSD 3.3 + + stop LKM locking up the machine on modern NetBSD(?) + + allow timeouts in NAT rules to over-ride fr_defnatage if LARGE_NAT is defined + + Locking patches for IRIX 6.5 from SGI. + + fix bug in synchronising state sessions where all interfaces were invalidated + + fix bug in openbsd 3.2 bridge diffs + + fix bug parsing port comparisons in proxy rules + 3.4.31 7/12/2002 - Released Solaris 10 compatibility diff -crN ip_fil3.4.31/INSTALL.Sol2 ip_fil3.4.32/INSTALL.Sol2 *** ip_fil3.4.31/INSTALL.Sol2 Tue Mar 14 11:36:30 2000 --- ip_fil3.4.32/INSTALL.Sol2 Wed Jan 22 02:59:43 2003 *************** *** 17,23 **** installation using pkgadd. As part of the postinstall script, it will install loadable kernel module ! as part of Solaris 2 (using add_drv) making it available for immeadiate use. IP Filter will be installed into /opt/ipf (programs, manual pages and examples) and create a directory /etc/opt/ipf with a null body file --- 17,23 ---- installation using pkgadd. As part of the postinstall script, it will install loadable kernel module ! as part of Solaris 2 (using add_drv) making it available for immediate use. 
IP Filter will be installed into /opt/ipf (programs, manual pages and examples) and create a directory /etc/opt/ipf with a null body file diff -crN ip_fil3.4.31/Makefile ip_fil3.4.32/Makefile *** ip_fil3.4.31/Makefile Mon Dec 2 15:22:56 2002 --- ip_fil3.4.32/Makefile Thu Jun 26 20:14:51 2003 *************** *** 3,9 **** # # See the IPFILTER.LICENCE file for details on licencing. # ! # $Id: Makefile,v 2.11.2.15 2002/12/02 04:22:56 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin --- 3,9 ---- # # See the IPFILTER.LICENCE file for details on licencing. # ! # $Id: Makefile,v 2.11.2.16 2003/06/26 10:14:51 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin *************** *** 288,290 **** --- 288,314 ---- exit 1; \ fi -@echo make ok + + test-solaris test-sunos4 test-sunos5: solaris + (cd test && make clean && make) + + test-freebsd: freebsd + (cd test && make clean && make) + + test-freebsd22: freebsd22 + (cd test && make clean && make) + + test-freebsd3: freebsd3 + (cd test && make clean && make) + + test-freebsd4: freebsd4 + (cd test && make clean && make) + + test-netbsd: netbsd + (cd test && make clean && make) + + test-openbsd: openbsd + (cd test && make clean && make) + + test-irix: irix + (cd test && make clean && make) diff -crN ip_fil3.4.31/OpenBSD-3/3.2-sys-diffs ip_fil3.4.32/OpenBSD-3/3.2-sys-diffs *** ip_fil3.4.31/OpenBSD-3/3.2-sys-diffs Tue Dec 3 00:58:51 2002 --- ip_fil3.4.32/OpenBSD-3/3.2-sys-diffs Wed Dec 11 09:45:43 2002 *************** *** 628,633 **** --- 628,671 ---- if (mc == NULL) continue; *************** + *** 2220,2226 **** + * We don't need to do loop detection, the + * bridge will do that for us. + */ + ! #if NFP > 0 + switch (af) { + #ifdef INET + case AF_INET: + --- 2224,2236 ---- + * We don't need to do loop detection, the + * bridge will do that for us. + */ + ! #if defined(IPFILTER) || defined(IPFILTER_LKM) + ! if (dir == BRIDGE_OUT && fr_checkp && + ! ((*fr_checkp)(ip, hlen, &encif[0].sc_if, + ! dir, &m) || !m)) + ! return 1; + ! 
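Review bot: The eight new `test-*` targets invoke the sub-make as a bare `make` (`(cd test && make clean && make)`), so the flags and the make binary chosen for the top-level build do not propagate into `test/`; each of those lines should read `(cd test && $(MAKE) clean && $(MAKE))`. None of the new targets produces a file named after itself, so they also belong on a `.PHONY:` line next to the existing targets, otherwise a stray file called `test-netbsd` in the tree would silently skip the run. The identical bodies could be collapsed to a single pattern rule, but that is a matter of taste in this Makefile's style.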
#endif + ! #if NPF > 0 + switch (af) { + #ifdef INET + case AF_INET: + *************** + *** 2244,2249 **** + --- 2254,2265 ---- + if (m == NULL) + return (1); + #endif /* NPF */ + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + if (dir == BRIDGE_IN && fr_checkp && + + ((*fr_checkp)(ip, hlen, &encif[0].sc_if, + + dir, &m) || !m)) + + return 1; + + #endif + #ifdef INET + if (af == AF_INET) { + ip = mtod(m, struct ip *); + *************** *** 2262,2268 **** } #endif /* IPSEC */ *************** *** 636,642 **** /* * Filter IP packets by peeking into the ethernet frame. This violates * the ISO model, but allows us to act as a IP filter at the data link ! --- 2266,2272 ---- } #endif /* IPSEC */ --- 674,680 ---- /* * Filter IP packets by peeking into the ethernet frame. This violates * the ISO model, but allows us to act as a IP filter at the data link ! --- 2278,2284 ---- } #endif /* IPSEC */ *************** *** 645,662 **** * Filter IP packets by peeking into the ethernet frame. This violates * the ISO model, but allows us to act as a IP filter at the data link *************** ! *** 2377,2382 **** ! --- 2381,2390 ---- m->m_pkthdr.rcvif = ifp; ! if (pf_test(dir, ifp, &m) != PF_PASS) goto dropit; + #if defined(IPFILTER) || defined(IPFILTER_LKM) ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, dir, &m)) ! + goto dropit; + #endif ! if (m == NULL) goto dropit; #endif /* NPF */ *************** *** 2460,2466 **** m_freem(m); --- 683,752 ---- * Filter IP packets by peeking into the ethernet frame. This violates * the ISO model, but allows us to act as a IP filter at the data link *************** ! *** 2372,2377 **** ! --- 2388,2401 ---- ! return (NULL); ! #endif /* IPSEC */ ! ! + #if defined(IPFILTER) || defined(IPFILTER_LKM) ! + if (dir == BRIDGE_OUT) { ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, dir, &m)) ! + goto dropit; ! + if (m == NULL) ! + goto dropit; ! + } ! + #endif ! #if NPF > 0 ! /* Finally, we get to filter the packet! */ m->m_pkthdr.rcvif = ifp; ! 
*************** ! *** 2380,2385 **** ! --- 2404,2417 ---- ! if (m == NULL) goto dropit; + #endif /* NPF */ + #if defined(IPFILTER) || defined(IPFILTER_LKM) ! + if (dir == BRIDGE_IN) { ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, dir, &m)) ! + goto dropit; ! + if (m == NULL) ! + goto dropit; ! + } + #endif ! ! /* Rebuild the IP header */ ! if (m->m_len < hlen && ((m = m_pullup(m, hlen)) == NULL)) ! *************** ! *** 2423,2434 **** ! --- 2455,2482 ---- ! return (NULL); ! #endif /* IPSEC */ ! ! + #if defined(IPFILTER) || defined(IPFILTER_LKM) ! + if (dir == BRIDGE_OUT) { ! + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, dir, &m)) ! + goto dropit; ! + if (m == NULL) ! + return (NULL); ! + } ! + #endif ! #if NPF > 0 ! if (pf_test6(dir, ifp, &m) != PF_PASS) goto dropit; + if (m == NULL) + return (NULL); #endif /* NPF */ + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + if (dir == BRIDGE_IN) { + + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, dir, &m)) + + goto dropit; + + if (m == NULL) + + return (NULL); + + } + + #endif + + break; + } *************** *** 2460,2466 **** m_freem(m); *************** *** 666,672 **** void bridge_fragment(sc, ifp, eh, m) ! --- 2468,2474 ---- m_freem(m); return (NULL); } --- 756,762 ---- void bridge_fragment(sc, ifp, eh, m) ! 
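Review bot: In the IPv4 `BRIDGE_IN` block added right after `#endif /* NPF */`, `(*fr_checkp)(ip, hlen, ifp, dir, &m)` is handed the `ip` pointer that was derived before `pf_test()` ran, yet the lines that immediately follow ("Rebuild the IP header", `m_pullup`) exist precisely because `m` may not be the same chain at that point; if `pf_test` can replace the mbuf, `ip` is stale when the IP Filter hook reads it. Consider re-deriving the header before the hook, e.g. `ip = mtod(m, struct ip *);` after the `m == NULL` check (once `m->m_len >= hlen` is established), or placing the hook after the rebuild. The same ordering question applies to the IPv6 `BRIDGE_IN` block in this hunk, where the pointer passed is still the pre-`pf_test6` value. The enclosing function starts and ends outside the hunk.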
--- 2508,2514 ---- m_freem(m); return (NULL); } diff -crN ip_fil3.4.31/OpenBSD-3/3.3-MAKEDEV-diffs ip_fil3.4.32/OpenBSD-3/3.3-MAKEDEV-diffs *** ip_fil3.4.31/OpenBSD-3/3.3-MAKEDEV-diffs Thu Jan 1 10:00:00 1970 --- ip_fil3.4.32/OpenBSD-3/3.3-MAKEDEV-diffs Wed Jun 18 22:58:34 2003 *************** *** 0 **** --- 1,797 ---- + Index: etc/MAKEDEV.mi + =================================================================== + RCS file: /cvs/src/etc/MAKEDEV.mi,v + retrieving revision 1.57 + diff -c -r1.57 MAKEDEV.mi + *** etc/MAKEDEV.mi 16 Mar 2003 13:15:53 -0000 1.57 + --- etc/MAKEDEV.mi 8 Jun 2003 07:40:20 -0000 + *************** + *** 152,157 **** + --- 152,161 ---- + target(all, pctr)dnl + target(all, pctr0)dnl + target(all, pf)dnl + + target(all, ipl)dnl + + target(all, ipnat)dnl + + target(all, ipstate)dnl + + target(all, ipauth)dnl + twrget(all, cry, crypto)dnl + target(all, apm)dnl + twrget(all, tth, ttyh, 0, 1)dnl + *************** + *** 558,563 **** + --- 562,575 ---- + _mkdev(cry, crypto, {-M crypto c major_cry_c-} 0)dnl + __devitem(pf, pf*, Packet Filter)dnl + _mkdev(pf, {-pf*-}, {-M pf c major_pf_c 0 600-})dnl + + __devitem(ipl, ipl*, Packet Filter log)dnl + + _mkdev(ipl, {-ipl*-}, {-M ipl c major_ipl_c 0 600-})dnl + + __devitem(ipnat, ipnat*, Packet Filter NAT)dnl + + _mkdev(ipnat, {-ipnat*-}, {-M ipnat c major_ipnat_c 1 600-})dnl + + __devitem(ipstate, ipstate*, Packet Filter state)dnl + + _mkdev(ipstate, {-ipstate*-}, {-M ipstate c major_ipstate_c 2 600-})dnl + + __devitem(ipauth, ipauth*, Packet Filter auth)dnl + + _mkdev(ipauth, {-ipauth*-}, {-M ipauth c major_ipauth_c 3 600-})dnl + __devitem(bpf, bpf*, Berkeley Packet Filter)dnl + _mkdev(bpf, {-bpf*-}, {-M bpf$U c major_bpf_c $U 600-}, 600)dnl + _mkdev(tun, {-tun*-}, {-M tun$U c major_tun_c $U 600-}, 600)dnl + Index: etc/etc.alpha/MAKEDEV + =================================================================== + RCS file: /cvs/src/etc/etc.alpha/MAKEDEV,v + retrieving revision 1.95 + diff -c -r1.95 MAKEDEV + *** 
etc/etc.alpha/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.95 + --- etc/etc.alpha/MAKEDEV 8 Jun 2003 07:40:24 -0000 + *************** + *** 71,76 **** + --- 71,77 ---- + # utty* Serial ports + # Special purpose devices: + # ch* SCSI media changer + + # ipl IP Filter + # pf* Packet Filter + # bpf* Berkeley Packet Filter + # iop* I2O controller device + *************** + *** 330,335 **** + --- 331,343 ---- + M bpf$U c 11 $U 600 + ;; + + + ipl) + + M ipl c 44 0 600 + + M ipnat c 44 1 600 + + M ipstate c 44 2 600 + + M ipauth c 44 2 600 + + ;; + + + pf*) + M pf c 35 0 600 + ;; + *************** + *** 494,499 **** + --- 502,508 ---- + R tty00 tty01 tty02 tty03 ttyc0 ttyc1 ttyc2 ttyc3 ttyc4 ttyc5 + R ttyc6 ttyc7 ttyB0 ttyB1 ttyB2 ttyB3 ttyB4 ttyB5 pf systrace + R wd0 wd1 wd2 wd3 raid0 raid1 raid2 raid3 std st0 st1 fd + + R ipl + ;; + + wd*|sd*|raid*|ccd*) + Index: etc/etc.alpha/MAKEDEV.md + =================================================================== + RCS file: /cvs/src/etc/etc.alpha/MAKEDEV.md,v + retrieving revision 1.15 + diff -c -r1.15 MAKEDEV.md + *** etc/etc.alpha/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.15 + --- etc/etc.alpha/MAKEDEV.md 8 Jun 2003 07:40:25 -0000 + *************** + *** 66,71 **** + --- 66,75 ---- + _TITLE(spec) + _DEV(ch, 14) + _DEV(pf, 35) + + _DEV(ipl, 44) + + _DEV(ipnat, 44) + + _DEV(ipstate, 44) + + _DEV(ipauth, 44) + _DEV(bpf, 11) + _DEV(iop, 54) + _DEV(pci, 52) + Index: etc/etc.hp300/MAKEDEV + =================================================================== + RCS file: /cvs/src/etc/etc.hp300/MAKEDEV,v + retrieving revision 1.63 + diff -c -r1.63 MAKEDEV + *** etc/etc.hp300/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.63 + --- etc/etc.hp300/MAKEDEV 8 Jun 2003 07:40:25 -0000 + *************** + *** 61,66 **** + --- 61,67 ---- + # ite* terminal emulator interface to HP300 graphics devices + # hil HP300 HIL input devices + # bpf* Berkeley Packet Filter + + # ipl IP Filter + # tun* network tunnel driver + # pf* Packet Filter + # lkm loadable kernel modules 
interface + *************** + *** 316,321 **** + --- 317,329 ---- + M lkm c 24 0 640 _lkm + ;; + + + ipl) + + M ipl c 37 0 600 + + M ipnat c 37 1 600 + + M ipstate c 37 2 600 + + M ipauth c 37 3 600 + + ;; + + + pf*) + M pf c 33 0 600 + ;; + *************** + *** 395,400 **** + --- 403,409 ---- + R sd2 sd3 sd4 rd0 tun0 tun1 tun2 tun3 bpf0 bpf1 bpf2 bpf3 bpf4 + R bpf5 bpf6 bpf7 bpf8 bpf9 pty0 pty1 pty2 xfs0 local ppi0 + R apci0 random lkm pf systrace std fd + + R ipl + ;; + + sd*|hd*|ccd*) + Index: etc/etc.hp300/MAKEDEV.md + =================================================================== + RCS file: /cvs/src/etc/etc.hp300/MAKEDEV.md,v + retrieving revision 1.12 + diff -c -r1.12 MAKEDEV.md + *** etc/etc.hp300/MAKEDEV.md 25 Dec 2002 20:20:20 -0000 1.12 + --- etc/etc.hp300/MAKEDEV.md 8 Jun 2003 07:40:26 -0000 + *************** + *** 84,89 **** + --- 84,93 ---- + _DEV(bpf, 22) + _DEV(tun, 23) + _DEV(pf, 33) + + _DEV(ipl, 37) + + _DEV(ipnat, 37) + + _DEV(ipstate, 37) + + _DEV(ipauth, 37) + _DEV(lkm, 24) + _DEV(rnd, 32) + _DEV(xfs, 51) + Index: etc/etc.hppa/MAKEDEV + =================================================================== + RCS file: /cvs/src/etc/etc.hppa/MAKEDEV,v + retrieving revision 1.34 + diff -c -r1.34 MAKEDEV + *** etc/etc.hppa/MAKEDEV 5 Feb 2003 20:18:36 -0000 1.34 + --- etc/etc.hppa/MAKEDEV 8 Jun 2003 07:40:26 -0000 + *************** + *** 62,67 **** + --- 62,68 ---- + # Special purpose devices: + # fd makes fd/* for the fdescfs + # bpf* Berkeley Packet Filter + + # ipl IP Filter + # tun* network tunnel driver + # pf* Packet Filter + # lkm loadable kernel modules interface + *************** + *** 266,271 **** + --- 267,279 ---- + M lkm c 19 0 640 _lkm + ;; + + + ipl) + + M ipl c 38 0 600 + + M ipnat c 38 1 600 + + M ipstate c 38 2 600 + + M ipauth c 38 3 600 + + ;; + + + pf*) + M pf c 21 0 600 + ;; + *************** + *** 412,417 **** + --- 420,426 ---- + R xfs0 ss0 ss1 ch0 ses0 wscons audio0 uk0 random lpa0 lpa1 + R lpa2 lpt0 lpt1 lpt2 lkm tty00 
tty01 tty02 tty03 crypto pf + R systrace std st0 st1 fd + + R ipl + ;; + + sd*|ccd*) + Index: etc/etc.hppa/MAKEDEV.md + =================================================================== + RCS file: /cvs/src/etc/etc.hppa/MAKEDEV.md,v + retrieving revision 1.13 + diff -c -r1.13 MAKEDEV.md + *** etc/etc.hppa/MAKEDEV.md 5 Feb 2003 20:17:38 -0000 1.13 + --- etc/etc.hppa/MAKEDEV.md 8 Jun 2003 07:40:26 -0000 + *************** + *** 58,63 **** + --- 58,67 ---- + _DEV(bpf, 17) + _DEV(tun, 18) + _DEV(pf, 21) + + _DEV(ipl, 38) + + _DEV(ipnat, 38) + + _DEV(ipstate, 38) + + _DEV(ipauth, 38) + _DEV(lkm, 19) + _DEV(rnd, 20) + _DEV(xfs, 31) + Index: etc/etc.i386/MAKEDEV + =================================================================== + RCS file: /cvs/src/etc/etc.i386/MAKEDEV,v + retrieving revision 1.139 + diff -c -r1.139 MAKEDEV + *** etc/etc.i386/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.139 + --- etc/etc.i386/MAKEDEV 8 Jun 2003 07:40:27 -0000 + *************** + *** 79,84 **** + --- 79,85 ---- + # Special purpose devices: + # fd makes fd/* for the fdescfs + # crypto hardware crypto access driver + + # ipl IP Filter + # pf* Packet Filter + # bpf* Berkeley Packet Filter + # speaker pc speaker + *************** + *** 373,378 **** + --- 374,386 ---- + M bpf$U c 23 $U 600 + ;; + + + ipl) + + M ipl c 81 0 600 + + M ipnat c 81 1 600 + + M ipstate c 81 2 600 + + M ipauth c 81 3 600 + + ;; + + + pf*) + M pf c 73 0 600 + ;; + *************** + *** 569,574 **** + --- 577,583 ---- + R tty03 ttyc0 ttyc1 ttyc2 ttyc3 ttyc4 ttyc5 ttyc6 ttyc7 apm + R crypto pf pctr systrace wd0 wd1 wd2 wd3 raid0 raid1 raid2 + R raid3 std st0 st1 fd mcd0 + + R ipl + ;; + + wd*|sd*|raid*|ccd*) + Index: etc/etc.i386/MAKEDEV.md + =================================================================== + RCS file: /cvs/src/etc/etc.i386/MAKEDEV.md,v + retrieving revision 1.16 + diff -c -r1.16 MAKEDEV.md + *** etc/etc.i386/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.16 + --- etc/etc.i386/MAKEDEV.md 8 Jun 2003 07:40:27 -0000 + 
*************** + *** 74,79 **** + --- 74,83 ---- + _DEV(fdesc, 22) + _DEV(cry, 70) + _DEV(pf, 73) + + _DEV(ipl, 81) + + _DEV(ipnat, 81) + + _DEV(ipstate, 81) + + _DEV(ipauth, 81) + _DEV(bpf, 23) + _DEV(speak, 27) + _DEV(lkm, 28) + Index: etc/etc.mac68k/MAKEDEV + =================================================================== + RCS file: /cvs/src/etc/etc.mac68k/MAKEDEV,v + retrieving revision 1.65 + diff -c -r1.65 MAKEDEV + *** etc/etc.mac68k/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.65 + --- etc/etc.mac68k/MAKEDEV 8 Jun 2003 07:40:29 -0000 + *************** + *** 56,61 **** + --- 56,62 ---- + # CyberVision 64 (grf5) + # Special purpose devices: + # bpf* Berkeley Packet Filter + + # ipl IP Filter + # tun* network tunnel driver + # pf* Packet Filter + # lkm loadable kernel modules interface + *************** + *** 277,282 **** + --- 278,290 ---- + M lkm c 25 0 640 _lkm + ;; + + + ipl) + + M ipl c 38 0 600 + + M ipnat c 38 1 600 + + M ipstate c 38 2 600 + + M ipauth c 38 3 600 + + ;; + + + pf*) + M pf c 35 0 600 + ;; + *************** + *** 355,360 **** + --- 363,369 ---- + R xfs0 ss0 ss1 ch0 vnd0 vnd1 vnd2 vnd3 sd0 sd1 sd2 sd3 sd4 + R local grf0 grf1 grf2 grf3 adb asc0 uk0 random lkm ttye0 + R tty00 tty01 pf systrace std st0 st1 fd + + R ipl + ;; + + sd*|ccd*) + Index: etc/etc.mac68k/MAKEDEV.md + =================================================================== + RCS file: /cvs/src/etc/etc.mac68k/MAKEDEV.md,v + retrieving revision 1.10 + diff -c -r1.10 MAKEDEV.md + *** etc/etc.mac68k/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.10 + --- etc/etc.mac68k/MAKEDEV.md 8 Jun 2003 07:40:29 -0000 + *************** + *** 50,55 **** + --- 50,59 ---- + _DEV(bpf, 22) + _DEV(tun, 24) + _DEV(pf, 35) + + _DEV(ipl, 38) + + _DEV(ipnat, 38) + + _DEV(ipstate, 38) + + _DEV(ipauth, 38) + _DEV(lkm, 25) + _DEV(rnd, 32) + _DEV(uk, 34) + Index: etc/etc.macppc/MAKEDEV + =================================================================== + RCS file: /cvs/src/etc/etc.macppc/MAKEDEV,v + retrieving 
revision 1.37 + diff -c -r1.37 MAKEDEV + *** etc/etc.macppc/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.37 + --- etc/etc.macppc/MAKEDEV 8 Jun 2003 07:40:30 -0000 + *************** + *** 72,77 **** + --- 72,78 ---- + # audio* audio device + # apm power management device + # bpf* Berkeley Packet Filter + + # ipl IP Filter + # tun* network tunnel driver + # lkm loadable kernel modules interface + # *random inkernel random data source + *************** + *** 256,261 **** + --- 257,269 ---- + M crypto c 47 0 + ;; + + + ipl) + + M ipl c 45 0 600 + + M ipnat c 45 1 600 + + M ipstate c 45 2 600 + + M ipauth c 45 3 600 + + ;; + + + pf*) + M pf c 39 0 600 + ;; + *************** + *** 456,461 **** + --- 464,470 ---- + R local wscons pci iop0 iop1 usbs tuner0 radio0 audio0 uk0 + R random lkm tty00 tty01 tty02 tty03 apm crypto pf systrace + R wd0 wd1 wd2 wd3 raid0 raid1 raid2 raid3 std st0 st1 fd + + R ipl + ;; + + wd*|sd*|raid*|ccd*) + Index: etc/etc.macppc/MAKEDEV.md + =================================================================== + RCS file: /cvs/src/etc/etc.macppc/MAKEDEV.md,v + retrieving revision 1.10 + diff -c -r1.10 MAKEDEV.md + *** etc/etc.macppc/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.10 + --- etc/etc.macppc/MAKEDEV.md 8 Jun 2003 07:40:30 -0000 + *************** + *** 74,79 **** + --- 74,83 ---- + _DEV(xfs, 51) + _DEV(iop, 73) + _DEV(pf, 39) + + _DEV(ipl, 45) + + _DEV(ipnat, 45) + + _DEV(ipstate, 45) + + _DEV(ipauth, 45) + _DEV(cry, 47) + _DEV(usbs) + _DEV(pci, 71) + Index: etc/etc.mvme68k/MAKEDEV + =================================================================== + RCS file: /cvs/src/etc/etc.mvme68k/MAKEDEV,v + retrieving revision 1.51 + diff -c -r1.51 MAKEDEV + *** etc/etc.mvme68k/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.51 + --- etc/etc.mvme68k/MAKEDEV 8 Jun 2003 07:40:30 -0000 + *************** + *** 60,65 **** + --- 60,66 ---- + # fd makes fd/* for the fdescfs + # bpf* Berkeley Packet Filter + # tun* network tunnel driver + + # ipl IP Packet Filter + # pf* Packet Filter 
+ # lkm loadable kernel modules interface + # *random inkernel random data source + *************** + *** 253,258 **** + --- 254,266 ---- + M bpf$U c 22 $U 600 + ;; + + + ipl) + + M ipl c 44 0 600 + + M ipnat c 44 1 600 + + M ipstate c 44 2 600 + + M ipauth c 44 3 600 + + ;; + + + fd) + RMlist="mkdir -p fd;$RMlist" n=0 + while [ $n -lt 64 ];do M fd/$n c 21 $n;n=$(($n+1));done + *************** + *** 389,394 **** + --- 397,403 ---- + R tun3 bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9 pty0 + R pty1 pty2 xfs0 ss0 ss1 vmel0 vmes0 flash0 nvram0 sram0 uk0 + R random lkm pf systrace std st0 st1 fd + + R ipl + ;; + + sd*|ccd*) + Index: etc/etc.mvme68k/MAKEDEV.md + =================================================================== + RCS file: /cvs/src/etc/etc.mvme68k/MAKEDEV.md,v + retrieving revision 1.7 + diff -c -r1.7 MAKEDEV.md + *** etc/etc.mvme68k/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.7 + --- etc/etc.mvme68k/MAKEDEV.md 8 Jun 2003 07:40:31 -0000 + *************** + *** 175,177 **** + --- 175,186 ---- + _std(1, 2, 43, 3, 6) + ;; + + + ipl) + + rm -f ipl ipnat ipstate ipauth + + mknod ipl c 44 0 + + mknod ipnat c 44 1 + + mknod ipstate c 44 2 + + mknod ipauth c 44 3 + + chown root.wheel ipl ipnat ipstate ipauth + + ;; + + + Index: etc/etc.mvme88k/MAKEDEV + =================================================================== + RCS file: /cvs/src/etc/etc.mvme88k/MAKEDEV,v + retrieving revision 1.28 + diff -c -r1.28 MAKEDEV + *** etc/etc.mvme88k/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.28 + --- etc/etc.mvme88k/MAKEDEV 8 Jun 2003 07:40:31 -0000 + *************** + *** 55,60 **** + --- 55,61 ---- + # fd makes fd/* for the fdescfs + # bpf* Berkeley Packet Filter + # tun* network tunnel driver + + # ipl IP Packet Filter + # pf* Packet Filter + # lkm loadable kernel modules interface + # *random inkernel random data source + *************** + *** 243,248 **** + --- 244,256 ---- + M bpf$U c 22 $U 600 + ;; + + + ipl) + + M ipl c 41 0 600 + + M ipnat c 41 1 600 + + M ipstate c 41 
2 600 + + M ipauth c 41 3 600 + + ;; + + + fd) + RMlist="mkdir -p fd;$RMlist" n=0 + while [ $n -lt 64 ];do M fd/$n c 21 $n;n=$(($n+1));done + *************** + *** 345,350 **** + --- 353,359 ---- + R tun2 tun3 bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9 + R pty0 pty1 pty2 xfs0 vmel0 vmes0 nvram0 sram0 random lkm pf + R systrace std st0 st1 fd + + R ipl + ;; + + sd*|ccd*) + Index: etc/etc.mvme88k/MAKEDEV.md + =================================================================== + RCS file: /cvs/src/etc/etc.mvme88k/MAKEDEV.md,v + retrieving revision 1.6 + diff -c -r1.6 MAKEDEV.md + *** etc/etc.mvme88k/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.6 + --- etc/etc.mvme88k/MAKEDEV.md 8 Jun 2003 07:40:32 -0000 + *************** + *** 144,146 **** + --- 144,155 ---- + _std(1, 2, 43, 3, 6) + ;; + + + ipl) + + rm -f ipl ipnat ipstate ipauth + + mknod ipl c 41 0 + + mknod ipnat c 41 1 + + mknod ipstate c 41 2 + + mknod ipauth c 41 3 + + chown root.wheel ipl ipnat ipstate ipauth + + ;; + + + Index: etc/etc.mvmeppc/MAKEDEV + =================================================================== + RCS file: /cvs/src/etc/etc.mvmeppc/MAKEDEV,v + retrieving revision 1.10 + diff -c -r1.10 MAKEDEV + *** etc/etc.mvmeppc/MAKEDEV 6 Jan 2003 05:57:39 -0000 1.10 + --- etc/etc.mvmeppc/MAKEDEV 8 Jun 2003 07:40:34 -0000 + *************** + *** 73,78 **** + --- 73,79 ---- + # audio* audio + # ch* SCSI media changer + # bpf* Berkeley Packet Filter + + # ipl IP Filter + # tun* network tunnel driver + # lkm loadable kernel modules interface + # *random inkernal random data source + *************** + *** 156,162 **** + sh $this ttyC0 ttyCcfg + sh $this tty00 tty01 tty02 tty03 pty0 pty1 + sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9 + ! sh $this pf tun0 tun1 tun2 tun3 + sh $this audio0 + sh $this random uk0 uk1 ss0 ss1 + sh $this wscons + --- 157,163 ---- + sh $this ttyC0 ttyCcfg + sh $this tty00 tty01 tty02 tty03 pty0 pty1 + sh $this bpf0 bpf1 bpf2 bpf3 bpf4 bpf5 bpf6 bpf7 bpf8 bpf9 + ! 
sh $this ipl pf tun0 tun1 tun2 tun3 + sh $this audio0 + sh $this random uk0 uk1 ss0 ss1 + sh $this wscons + *************** + *** 522,527 **** + --- 523,538 ---- + rm -f bpf${unit} + mknod bpf${unit} c 22 ${unit} + chown root.wheel bpf${unit} + + ;; + + + + ipl) + + rm -f ipl ipnat ipstate ipauth + + mknod ipl c 44 0 + + mknod ipnat c 44 1 + + mknod ipstate c 44 2 + + mknod ipauth c 44 3 + + chown root.wheel ipl ipnat ipstate ipauth + + chmod 600 ipl ipnat ipstate ipauth + ;; + + pf) + Index: etc/etc.sparc/MAKEDEV + =================================================================== + RCS file: /cvs/src/etc/etc.sparc/MAKEDEV,v + retrieving revision 1.106 + diff -c -r1.106 MAKEDEV + *** etc/etc.sparc/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.106 + --- etc/etc.sparc/MAKEDEV 8 Jun 2003 07:40:34 -0000 + *************** + *** 67,72 **** + --- 67,73 ---- + # audio* audio device + # openprom + # bpf* Berkeley Packet Filter + + # ipl IP Filter + # pf* Packet Filter + # lkm loadable kernel modules interface + # tun* network tunnel driver + *************** + *** 288,293 **** + --- 289,301 ---- + M lkm c 112 0 640 _lkm + ;; + + + ipl) + + M ipl c 60 0 600 + + M ipnat c 60 1 600 + + M ipstate c 60 2 600 + + M ipauth c 60 3 600 + + ;; + + + pf*) + M pf c 59 0 600 + ;; + *************** + *** 474,479 **** + --- 482,488 ---- + R fd0F fd0G fd0H xfs0 ss0 ss1 ch0 ses0 cuaa cuab cuac cuad + R ttya ttyb ttyc ttyd wscons audio0 uk0 random lkm pf systrace + R xd0 xd1 xd2 xd3 raid0 raid1 raid2 raid3 std st0 st1 fd + + R ipl + ;; + + xd*|xy*|sd*|raid*|ccd*) + Index: etc/etc.sparc/MAKEDEV.md + =================================================================== + RCS file: /cvs/src/etc/etc.sparc/MAKEDEV.md,v + retrieving revision 1.16 + diff -c -r1.16 MAKEDEV.md + *** etc/etc.sparc/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.16 + --- etc/etc.sparc/MAKEDEV.md 8 Jun 2003 07:40:34 -0000 + *************** + *** 92,97 **** + --- 92,101 ---- + _DEV(oppr) + _DEV(bpf, 105) + _DEV(pf, 59) + + _DEV(ipl, 60) + + 
_DEV(ipnat, 60) + + _DEV(ipstate, 60) + + _DEV(ipauth, 60) + _DEV(lkm, 112) + _DEV(tun, 111) + _DEV(rnd, 119) + Index: etc/etc.sparc64/MAKEDEV + =================================================================== + RCS file: /cvs/src/etc/etc.sparc64/MAKEDEV,v + retrieving revision 1.78 + diff -c -r1.78 MAKEDEV + *** etc/etc.sparc64/MAKEDEV 6 Jan 2003 17:19:59 -0000 1.78 + --- etc/etc.sparc64/MAKEDEV 8 Jun 2003 07:40:35 -0000 + *************** + *** 84,89 **** + --- 84,90 ---- + # ss* SCSI scanners + # uk* SCSI Unknown device + # audio* audio device + + # ipl IP Filter + # pf* Packet Filter + # bpf* Berkeley Packet Filter + # tun* network tunnel driver + *************** + *** 317,322 **** + --- 318,330 ---- + M bpf$U c 105 $U 600 + ;; + + + ipl) + + M ipl c 82 0 600 + + M ipnat c 82 1 600 + + M ipstate c 82 2 600 + + M ipauth c 82 3 600 + + ;; + + + pf*) + M pf c 73 0 600 + ;; + *************** + *** 561,567 **** + R ccd3 wscons pci usbs audio0 uk0 random lpa0 lpa1 lpa2 lpt0 + R lpt1 lpt2 lkm tty00 tty01 tty02 tty03 ttyh0 ttyh1 crypto pf + R systrace wd0 wd1 wd2 wd3 raid0 raid1 raid2 raid3 std st0 st1 + ! R fd + ;; + + wd*|sd*|raid*|ccd*) + --- 569,575 ---- + R ccd3 wscons pci usbs audio0 uk0 random lpa0 lpa1 lpa2 lpt0 + R lpt1 lpt2 lkm tty00 tty01 tty02 tty03 ttyh0 ttyh1 crypto pf + R systrace wd0 wd1 wd2 wd3 raid0 raid1 raid2 raid3 std st0 st1 + ! 
R ipl fd + ;; + + wd*|sd*|raid*|ccd*) + Index: etc/etc.sparc64/MAKEDEV.md + =================================================================== + RCS file: /cvs/src/etc/etc.sparc64/MAKEDEV.md,v + retrieving revision 1.25 + diff -c -r1.25 MAKEDEV.md + *** etc/etc.sparc64/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.25 + --- etc/etc.sparc64/MAKEDEV.md 8 Jun 2003 07:40:36 -0000 + *************** + *** 104,109 **** + --- 104,113 ---- + _DEV(uk, 60) + _DEV(au, 69) + _DEV(pf, 73) + + _DEV(ipl, 82) + + _DEV(ipstate, 82) + + _DEV(ipnat, 82) + + _DEV(ipauth, 82) + _DEV(bpf, 105) + _DEV(tun, 111) + _DEV(lkm, 112) + Index: etc/etc.vax/MAKEDEV + =================================================================== + RCS file: /cvs/src/etc/etc.vax/MAKEDEV,v + retrieving revision 1.50 + diff -c -r1.50 MAKEDEV + *** etc/etc.vax/MAKEDEV 6 Jan 2003 05:57:40 -0000 1.50 + --- etc/etc.vax/MAKEDEV 8 Jun 2003 07:40:37 -0000 + *************** + *** 56,61 **** + --- 56,62 ---- + # qv* qvss (microvax) display + # lkm loadable kernel modules + # bpf* berkeley packet filter + + # ipl IP Filter + # tun* network tunnel device + # ss* SCSI scanner + # uk* SCSI unknown + *************** + *** 78,83 **** + --- 79,85 ---- + sh $0 dz0 dl0 dhu0 rx0 rx1 raid0 raid1 raid2 raid3 + sh $0 ttyg0 ttyg1 ttyg2 ttyg3 + sh $0 crl std-extra systrace + + sh $0 ipl + ;; + + floppy) + *************** + *** 615,620 **** + --- 617,632 ---- + mknod bpf$unit c 56 $unit + chmod 600 bpf$unit + chown root.wheel bpf$unit + + ;; + + + + ipl) + + rm -f ipl ipnat ipstate ipauth + + mknod ipl c 47 0 + + mknod ipnat c 47 1 + + mknod ipstate c 47 2 + + mknod ipauth c 47 3 + + chown root.wheel ipl ipnat ipstate ipauth + + chmod 600 ipl ipnat ipstate ipauth + ;; + + qd*) + Index: etc/etc.vax/MAKEDEV.md + =================================================================== + RCS file: /cvs/src/etc/etc.vax/MAKEDEV.md,v + retrieving revision 1.12 + diff -c -r1.12 MAKEDEV.md + *** etc/etc.vax/MAKEDEV.md 5 Dec 2002 04:30:21 -0000 1.12 + --- 
etc/etc.vax/MAKEDEV.md 8 Jun 2003 07:40:37 -0000 + *************** + *** 151,156 **** + --- 151,160 ---- + _DEV(oppr) + _DEV(bpf, 56) + _DEV(pf, 42) + + _DEV(ipl, 47) + + _DEV(ipstate, 47) + + _DEV(ipnat, 47) + + _DEV(ipauth, 47) + _DEV(lkm, 28) + _DEV(tun, 57) + _DEV(rnd, 67) diff -crN ip_fil3.4.31/OpenBSD-3/3.3-rc-diffs ip_fil3.4.32/OpenBSD-3/3.3-rc-diffs *** ip_fil3.4.31/OpenBSD-3/3.3-rc-diffs Thu Jan 1 10:00:00 1970 --- ip_fil3.4.32/OpenBSD-3/3.3-rc-diffs Wed Jun 11 22:23:11 2003 *************** *** 0 **** --- 1,91 ---- + diff -c tmp/etc/netstart etc/netstart + *** tmp/etc/netstart 16 Feb 2003 23:25:40 -0000 1.86 + --- etc/netstart 8 Jun 2003 07:40:21 -0000 + *************** + *** 181,186 **** + --- 181,196 ---- + domainname `cat /etc/defaultdomain` + fi + + + # Configure the IP filter before configuring network interfaces + + if [ X"${ipfilter}" = X"YES" -a -f "${ipfilter_rules}" ]; then + + echo 'configuring IP filter' + + ipf -Fa -f ${ipfilter_rules} + + ipfresync="ipf -y" + + else + + ipfilter=NO + + ipfresync=NO + + fi + + + # Set the address for the loopback interface. + # It will also initialize IPv6 address for lo0 (::1 and others). + ifconfig lo0 inet localhost + *************** + *** 337,339 **** + --- 347,362 ---- + + bridgestart $if + done + + + + # Configure NAT after configuring network interfaces + + if [ "${ipnat}" = "YES" -a "${ipfilter}" = "YES" -a -f "${ipnat_rules}" ]; then + + echo 'configuring NAT' + + ipnat -CF -f ${ipnat_rules} + + else + + ipnat=NO + + fi + + + + # Interfaces have come up so we should do an ipf -y if we're using IP filter. 
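Review bot: In the new `ipl)` case for etc/etc.alpha/MAKEDEV, `ipauth` is created with minor 2 (`M ipauth c 44 2 600`), the same minor as `ipstate` on the line above, while every other architecture in this patch gives ipauth minor 3 and the corresponding MAKEDEV.md entries on alpha assume the same layout; the line should read `M ipauth c 44 3 600`. Separately, the hand-written `ipl)` cases in etc/etc.mvme68k/MAKEDEV.md and etc/etc.mvme88k/MAKEDEV.md call `mknod`/`chown` without the `chmod 600 ipl ipnat ipstate ipauth` that the mvmeppc and vax versions add, so unless those scripts already run under a restrictive umask the four nodes are created with a looser mode than the `600` every other architecture in this patch uses. Adding the `chmod` line to both keeps the control devices consistently root-only.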
+ + if [ "${ipfresync}" != "NO" ]; then + + ${ipfresync} + + fi + diff -c tmp/etc/rc etc/rc + *** tmp/etc/rc 23 Mar 2003 18:45:34 -0000 1.225 + --- etc/rc 8 Jun 2003 07:40:22 -0000 + *************** + *** 220,225 **** + --- 220,229 ---- + echo 'starting named'; named $named_flags + fi + + + if [ X"${ipfilter}" = X"YES" -a X"${ipmon_flags}" != X"NO" ]; then + + echo 'starting ipmon'; ipmon ${ipmon_flags} + + fi + + + # $isakmpd_flags is imported from /etc/rc.conf; + # If $isakmpd_flags == NO or /etc/isakmpd/isakmpd.policy doesn't exist, then + # isakmpd isn't run. + diff -c tmp/etc/rc.conf etc/rc.conf + *** tmp/etc/rc.conf 10 Mar 2003 01:05:28 -0000 1.86 + --- etc/rc.conf 8 Jun 2003 07:40:24 -0000 + *************** + *** 52,58 **** + lockd=NO + gated=NO + amd=NO + ! pf=NO # Packet filter / NAT + portmap=NO # Note: inetd(8) rpc services need portmap too + inetd=YES # almost always needed + check_quotas=YES # NO may be desirable in some YP environments + --- 52,60 ---- + lockd=NO + gated=NO + amd=NO + ! ipfilter=NO # To enable ipfilter, set to YES + ! ipnat=NO # for "YES", ipfilter must also be "YES" + ! pf=NO # Enable pf(4) Packet filter / NAT + portmap=NO # Note: inetd(8) rpc services need portmap too + inetd=YES # almost always needed + check_quotas=YES # NO may be desirable in some YP environments + *************** + *** 76,81 **** + --- 78,86 ---- + nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver + amd_dir=/tmp_mnt # AMD's mount directory + amd_master=/etc/amd/master # AMD 'master' map + + ipfilter_rules=/etc/ipf.rules # Rules for IP packet filtering with IP Filter + + ipnat_rules=/etc/ipnat.rules # Rules for Network Address Translation + + ipmon_flags=-Ds # To disable logging, use ipmon_flags=NO + syslogd_flags= # add more flags, ie. "-u -a /chroot/dev/log" + pf_rules=/etc/pf.conf # Packet filter rules file + pflogd_flags= # add more flags, ie. 
"-s 256" diff -crN ip_fil3.4.31/OpenBSD-3/3.3-sys-diffs ip_fil3.4.32/OpenBSD-3/3.3-sys-diffs *** ip_fil3.4.31/OpenBSD-3/3.3-sys-diffs Thu Jan 1 10:00:00 1970 --- ip_fil3.4.32/OpenBSD-3/3.3-sys-diffs Mon Jun 23 10:11:39 2003 *************** *** 0 **** --- 1,1015 ---- + diff -cr sys/arch/alpha/alpha/conf.c sys.ipf/arch/alpha/alpha/conf.c + *** sys/arch/alpha/alpha/conf.c Thu Dec 5 13:49:55 2002 + --- sys.ipf/arch/alpha/alpha/conf.c Thu May 1 15:38:04 2003 + *************** + *** 107,112 **** + --- 107,117 ---- + #include "lpt.h" + cdev_decl(lpt); + cdev_decl(prom); /* XXX XXX XXX */ + + #ifdef IPFILTER + + #define NIPF 1 + + #else + + #define NIPF 0 + + #endif + cdev_decl(wd); + cdev_decl(fd); + #include "cy.h" + *************** + *** 177,183 **** + cdev_midi_init(NMIDI,midi), /* 41: MIDI I/O */ + cdev_midi_init(NSEQUENCER,sequencer), /* 42: sequencer I/O */ + cdev_disk_init(NRAID,raid), /* 43: RAIDframe disk driver */ + ! cdev_notdef(), /* 44 */ + cdev_usb_init(NUSB,usb), /* 45: USB controller */ + cdev_usbdev_init(NUHID,uhid), /* 46: USB generic HID */ + cdev_ulpt_init(NULPT,ulpt), /* 47: USB printer */ + --- 182,188 ---- + cdev_midi_init(NMIDI,midi), /* 41: MIDI I/O */ + cdev_midi_init(NSEQUENCER,sequencer), /* 42: sequencer I/O */ + cdev_disk_init(NRAID,raid), /* 43: RAIDframe disk driver */ + ! 
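Review bot: The exit status of `ipf -Fa -f ${ipfilter_rules}` in the new netstart block is discarded, so a rules file that fails to load leaves the boot continuing with the filter flushed (`-Fa`) and no rules installed, which is silent and is likely to be fail-open depending on how the kernel was built. The same applies to `ipnat -CF -f ${ipnat_rules}` in the second netstart hunk. At minimum the failure should be surfaced, e.g. `ipf -Fa -f "${ipfilter_rules}" || echo 'WARNING: IP filter rules failed to load'`, and the variable should be quoted here as it already is in the `-f` test on the preceding line. The two `if` tests also mix the `X"${var}" = X"YES"` and bare `"${var}" = "YES"` forms; picking one would read better.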
cdev_gen_ipf(NIPF,ipl), /* 44: IP filter log */ + cdev_usb_init(NUSB,usb), /* 45: USB controller */ + cdev_usbdev_init(NUHID,uhid), /* 46: USB generic HID */ + cdev_ulpt_init(NULPT,ulpt), /* 47: USB printer */ + diff -cr sys/arch/hp300/hp300/conf.c sys.ipf/arch/hp300/hp300/conf.c + *** sys/arch/hp300/hp300/conf.c Thu Dec 5 13:49:55 2002 + --- sys.ipf/arch/hp300/hp300/conf.c Thu May 1 15:38:23 2003 + *************** + *** 126,131 **** + --- 126,137 ---- + cdev_decl(xfs_dev); + #endif + + + #ifdef IPFILTER + + #define NIPF 1 + + #else + + #define NIPF 0 + + #endif + + + #include "pf.h" + + #include "systrace.h" + *************** + *** 169,175 **** + cdev_disk_init(NRD,rd), /* 34: RAM disk */ + cdev_tty_init(NAPCI,apci), /* 35: Apollo APCI UARTs */ + cdev_ksyms_init(NKSYMS,ksyms), /* 36: Kernel symbols device */ + ! cdev_notdef(), /* 37 */ + cdev_notdef(), /* 38 */ + cdev_notdef(), /* 39 */ + cdev_notdef(), /* 40 */ + --- 175,181 ---- + cdev_disk_init(NRD,rd), /* 34: RAM disk */ + cdev_tty_init(NAPCI,apci), /* 35: Apollo APCI UARTs */ + cdev_ksyms_init(NKSYMS,ksyms), /* 36: Kernel symbols device */ + ! 
cdev_pf_init(NIPF,ipl), /* 37: packet filter */ + cdev_notdef(), /* 38 */ + cdev_notdef(), /* 39 */ + cdev_notdef(), /* 40 */ + diff -cr sys/arch/hppa/hppa/conf.c sys.ipf/arch/hppa/hppa/conf.c + *** sys/arch/hppa/hppa/conf.c Sat Feb 8 23:34:27 2003 + --- sys.ipf/arch/hppa/hppa/conf.c Thu May 1 15:38:24 2003 + *************** + *** 111,116 **** + --- 111,122 ---- + #include "com.h" + cdev_decl(com); + + + #ifdef IPFILTER + + #define NIPF 1 + + #else + + #define NIPF 0 + + #endif + + + #include "pf.h" + + #include "systrace.h" + *************** + *** 161,166 **** + --- 167,173 ---- + cdev_audio_init(NAUDIO,audio), /* 35: /dev/audio */ + cdev_crypto_init(NCRYPTO,crypto), /* 36: /dev/crypto */ + cdev_ses_init(NSES,ses), /* 37: SCSI SES/SAF-TE */ + + cdev_gen_ipf(NIPF,ipl), /* 38: ip filtering */ + cdev_lkm_dummy(), + cdev_lkm_dummy(), + cdev_lkm_dummy(), + diff -cr sys/arch/i386/i386/conf.c sys.ipf/arch/i386/i386/conf.c + *** sys/arch/i386/i386/conf.c Thu Dec 5 13:49:55 2002 + --- sys.ipf/arch/i386/i386/conf.c Thu May 1 15:38:24 2003 + *************** + *** 188,193 **** + --- 188,199 ---- + #include "radio.h" + #include "gpr.h" + + + #ifdef IPFILTER + + #define NIPF 1 + + #else + + #define NIPF 0 + + #endif + + + /* XXX -- this needs to be supported by config(8)! */ + #if (NCOM > 0) && (NPCCOM > 0) + #error com and pccom are mutually exclusive. Sorry. + *************** + *** 311,317 **** + cdev_usbdev_init(NUSCANNER,uscanner), /* 77: USB scanners */ + cdev_systrace_init(NSYSTRACE,systrace), /* 78: system call tracing */ + cdev_oci_init(NBIO,bio), /* 79: ioctl tunnel */ + ! cdev_ch_init(NGPR,gpr) /* 80: GPR400 SmartCard reader */ + }; + int nchrdev = sizeof(cdevsw) / sizeof(cdevsw[0]); + + --- 317,325 ---- + cdev_usbdev_init(NUSCANNER,uscanner), /* 77: USB scanners */ + cdev_systrace_init(NSYSTRACE,systrace), /* 78: system call tracing */ + cdev_oci_init(NBIO,bio), /* 79: ioctl tunnel */ + ! cdev_ch_init(NGPR,gpr), /* 80: GPR400 SmartCard reader */ + ! 
cdev_gen_ipf(NIPF,ipl) /* 81: ip filtering */ + ! + }; + int nchrdev = sizeof(cdevsw) / sizeof(cdevsw[0]); + + diff -cr sys/arch/mac68k/mac68k/conf.c sys.ipf/arch/mac68k/mac68k/conf.c + *** sys/arch/mac68k/mac68k/conf.c Thu Dec 5 13:49:55 2002 + --- sys.ipf/arch/mac68k/mac68k/conf.c Thu May 1 15:38:24 2003 + *************** + *** 108,113 **** + --- 108,119 ---- + cdev_decl(xfs_dev); + #endif + + + #ifdef IPFILTER + + #define NIPF 1 + + #else + + #define NIPF 0 + + #endif + + + #include "pf.h" + + #include "systrace.h" + *************** + *** 152,158 **** + cdev_pf_init(NPF,pf), /* 35: packet filter */ + cdev_audio_init(NASC,asc), /* 36: ASC audio device */ + cdev_ksyms_init(NKSYMS,ksyms), /* 37: Kernel symbols device */ + ! cdev_notdef(), /* 38 */ + cdev_notdef(), /* 39 */ + cdev_notdef(), /* 40 */ + cdev_notdef(), /* 41 */ + --- 158,164 ---- + cdev_pf_init(NPF,pf), /* 35: packet filter */ + cdev_audio_init(NASC,asc), /* 36: ASC audio device */ + cdev_ksyms_init(NKSYMS,ksyms), /* 37: Kernel symbols device */ + ! cdev_gen_ipf(NIPF,ipl), /* 38: IP filter log */ + cdev_notdef(), /* 39 */ + cdev_notdef(), /* 40 */ + cdev_notdef(), /* 41 */ + diff -cr sys/arch/macppc/macppc/conf.c sys.ipf/arch/macppc/macppc/conf.c + *** sys/arch/macppc/macppc/conf.c Thu Dec 5 13:49:55 2002 + --- sys.ipf/arch/macppc/macppc/conf.c Thu May 1 15:38:24 2003 + *************** + *** 105,110 **** + --- 105,116 ---- + + #include "tun.h" + + + #ifdef IPFILTER + + #define NIPF 1 + + #else + + #define NIPF 0 + + #endif + + + #ifdef XFS + #include + cdev_decl(xfs_dev); + *************** + *** 191,197 **** + cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ + cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ + cdev_audio_init(NAUDIO,audio), /* 44: generic audio I/O */ + ! 
cdev_notdef(), /* 45 */ + cdev_notdef(), /* 46 */ + cdev_crypto_init(NCRYPTO,crypto), /* 47: /dev/crypto */ + cdev_notdef(), /* 48 */ + --- 197,203 ---- + cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ + cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ + cdev_audio_init(NAUDIO,audio), /* 44: generic audio I/O */ + ! cdev_gen_ipf(NIPF,ipl), /* 45: IP filter */ + cdev_notdef(), /* 46 */ + cdev_crypto_init(NCRYPTO,crypto), /* 47: /dev/crypto */ + cdev_notdef(), /* 48 */ + diff -cr sys/arch/mvme68k/mvme68k/conf.c sys.ipf/arch/mvme68k/mvme68k/conf.c + *** sys/arch/mvme68k/mvme68k/conf.c Thu Dec 5 13:49:55 2002 + --- sys.ipf/arch/mvme68k/mvme68k/conf.c Thu May 1 15:38:24 2003 + *************** + *** 158,163 **** + --- 158,169 ---- + #include "bpfilter.h" + #include "tun.h" + + + #ifdef IPFILTER + + #define NIPF 1 + + #else + + #define NIPF 0 + + #endif + + + #include "pf.h" + + #include "systrace.h" + *************** + *** 212,218 **** + cdev_uk_init(NUK,uk), /* 41: unknown SCSI */ + cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ + cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ + ! cdev_lkm_dummy(), /* 44 */ + cdev_lkm_dummy(), /* 45 */ + cdev_lkm_dummy(), /* 46 */ + cdev_lkm_dummy(), /* 47 */ + --- 218,224 ---- + cdev_uk_init(NUK,uk), /* 41: unknown SCSI */ + cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ + cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ + ! 
cdev_gen_ipf(NIPF,ipl), /* 44: IP filter */ + cdev_lkm_dummy(), /* 45 */ + cdev_lkm_dummy(), /* 46 */ + cdev_lkm_dummy(), /* 47 */ + diff -cr sys/arch/mvme88k/mvme88k/conf.c sys.ipf/arch/mvme88k/mvme88k/conf.c + *** sys/arch/mvme88k/mvme88k/conf.c Thu Dec 5 13:49:55 2002 + --- sys.ipf/arch/mvme88k/mvme88k/conf.c Thu May 1 15:38:25 2003 + *************** + *** 101,106 **** + --- 101,112 ---- + cdev_decl(lptwo); + #endif /* notyet */ + + + #ifdef IPFILTER + + #define NIPF 1 + + #else + + #define NIPF 0 + + #endif + + + #include "pf.h" + + #include "systrace.h" + *************** + *** 187,193 **** + cdev_lkm_dummy(), /* 38 */ + cdev_pf_init(NPF,pf), /* 39: packet filter */ + cdev_random_init(1,random), /* 40: random data source */ + ! cdev_notdef(), /* 41 */ + cdev_notdef(), /* 42 */ + cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ + cdev_notdef(), /* 44 */ + --- 193,199 ---- + cdev_lkm_dummy(), /* 38 */ + cdev_pf_init(NPF,pf), /* 39: packet filter */ + cdev_random_init(1,random), /* 40: random data source */ + ! cdev_gen_ipf(NIPF,ipl), /* 41: IP filter */ + cdev_notdef(), /* 42 */ + cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ + cdev_notdef(), /* 44 */ + diff -cr sys/arch/mvmeppc/mvmeppc/conf.c sys.ipf/arch/mvmeppc/mvmeppc/conf.c + *** sys/arch/mvmeppc/mvmeppc/conf.c Thu Dec 5 13:49:55 2002 + --- sys.ipf/arch/mvmeppc/mvmeppc/conf.c Thu May 1 15:38:25 2003 + *************** + *** 114,119 **** + --- 114,125 ---- + + #include "ksyms.h" + + + #ifdef IPFILTER + + #define NIPF 1 + + #else + + #define NIPF 0 + + #endif + + + #include "pf.h" + + #include "systrace.h" + *************** + *** 167,173 **** + cdev_uk_init(NUK,uk), /* 41: unknown SCSI */ + cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ + cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ + ! 
cdev_notdef(), /* 44 */ + cdev_notdef(), /* 45 */ + cdev_notdef(), /* 46 */ + cdev_notdef(), /* 47 */ + --- 173,179 ---- + cdev_uk_init(NUK,uk), /* 41: unknown SCSI */ + cdev_ss_init(NSS,ss), /* 42: SCSI scanner */ + cdev_ksyms_init(NKSYMS,ksyms), /* 43: Kernel symbols device */ + ! cdev_gen_ipf(NIPF,ipl), /* 44: IP filter */ + cdev_notdef(), /* 45 */ + cdev_notdef(), /* 46 */ + cdev_notdef(), /* 47 */ + diff -cr sys/arch/sparc/sparc/conf.c sys.ipf/arch/sparc/sparc/conf.c + *** sys/arch/sparc/sparc/conf.c Thu Dec 5 13:49:55 2002 + --- sys.ipf/arch/sparc/sparc/conf.c Thu May 1 15:38:25 2003 + *************** + *** 126,131 **** + --- 126,137 ---- + }; + int nblkdev = sizeof(bdevsw) / sizeof(bdevsw[0]); + + + #ifdef IPFILTER + + #define NIPF 1 + + #else + + #define NIPF 0 + + #endif + + + #include "pf.h" + + #include "systrace.h" + *************** + *** 196,202 **** + cdev_notdef(), /* 57 */ + cdev_disk_init(NCD,cd), /* 58: SCSI CD-ROM */ + cdev_pf_init(NPF,pf), /* 59: packet filter */ + ! cdev_notdef(), /* 60 */ + cdev_notdef(), /* 61 */ + cdev_notdef(), /* 62 */ + cdev_notdef(), /* 63 */ + --- 202,208 ---- + cdev_notdef(), /* 57 */ + cdev_disk_init(NCD,cd), /* 58: SCSI CD-ROM */ + cdev_pf_init(NPF,pf), /* 59: packet filter */ + ! 
cdev_gen_ipf(NIPF,ipl), /* 60: ip filtering log */ + cdev_notdef(), /* 61 */ + cdev_notdef(), /* 62 */ + cdev_notdef(), /* 63 */ + diff -cr sys/arch/sparc64/sparc64/conf.c sys.ipf/arch/sparc64/sparc64/conf.c + *** sys/arch/sparc64/sparc64/conf.c Thu Dec 5 13:49:55 2002 + --- sys.ipf/arch/sparc64/sparc64/conf.c Thu May 1 15:38:25 2003 + *************** + *** 114,119 **** + --- 114,125 ---- + #include "ucom.h" + #include "uscanner.h" + + + #ifdef IPFILTER + + #define NIPF 1 + + #else + + #define NIPF 0 + + #endif + + + #include "pf.h" + + #ifdef XFS + *************** + *** 250,256 **** + cdev_mouse_init(NWSKBD, wskbd), /* 79: keyboards */ + cdev_mouse_init(NWSMOUSE, wsmouse), /* 80: mice */ + cdev_mouse_init(NWSMUX, wsmux), /* 81: ws multiplexor */ + ! cdev_notdef(), /* 82 */ + cdev_notdef(), /* 83 */ + cdev_notdef(), /* 84 */ + cdev_notdef(), /* 85 */ + --- 256,262 ---- + cdev_mouse_init(NWSKBD, wskbd), /* 79: keyboards */ + cdev_mouse_init(NWSMOUSE, wsmouse), /* 80: mice */ + cdev_mouse_init(NWSMUX, wsmux), /* 81: ws multiplexor */ + ! cdev_gen_ipf(NIPF,ipl), /* 82: IP filter */ + cdev_notdef(), /* 83 */ + cdev_notdef(), /* 84 */ + cdev_notdef(), /* 85 */ + diff -cr sys/arch/vax/vax/conf.c sys.ipf/arch/vax/vax/conf.c + *** sys/arch/vax/vax/conf.c Thu Dec 5 13:49:55 2002 + --- sys.ipf/arch/vax/vax/conf.c Thu May 1 15:38:28 2003 + *************** + *** 357,362 **** + --- 357,368 ---- + #include "wskbd.h" + #include "wsmouse.h" + + + #ifdef IPFILTER + + #define NIPF 1 + + #else + + #define NIPF 0 + + #endif + + + #include "pf.h" + + #include "systrace.h" + *************** + *** 410,416 **** + cdev_notdef(), /* 44 was Datakit */ + cdev_notdef(), /* 45 was Datakit */ + cdev_notdef(), /* 46 was Datakit */ + ! 
cdev_notdef(), /* 47 */ + cdev_notdef(), /* 48 */ + cdev_systrace_init(NSYSTRACE,systrace), /* 49: system call tracing */ + cdev_ksyms_init(NKSYMS,ksyms), /* 50: Kernel symbols device */ + --- 416,422 ---- + cdev_notdef(), /* 44 was Datakit */ + cdev_notdef(), /* 45 was Datakit */ + cdev_notdef(), /* 46 was Datakit */ + ! cdev_gen_ipf(NIPF,ipl), /* 47: IP filter */ + cdev_notdef(), /* 48 */ + cdev_systrace_init(NSYSTRACE,systrace), /* 49: system call tracing */ + cdev_ksyms_init(NKSYMS,ksyms), /* 50: Kernel symbols device */ + diff -cr sys/conf/GENERIC sys.ipf/conf/GENERIC + *** sys/conf/GENERIC Sat Mar 1 10:44:46 2003 + --- sys.ipf/conf/GENERIC Thu May 1 15:38:28 2003 + *************** + *** 72,77 **** + --- 72,79 ---- + #option EON # OSI tunneling over IP + #option NETATALK # AppleTalk + #option CCITT,LLC,HDLC # X.25 + + option IPFILTER # IP packet filter for security + + option IPFILTER_LOG # use /dev/ipl to log IPF + option PPP_BSDCOMP # PPP BSD compression + option PPP_DEFLATE + #option MROUTING # Multicast router + diff -cr sys/conf/files sys.ipf/conf/files + *** sys/conf/files Thu Feb 27 07:25:49 2003 + --- sys.ipf/conf/files Thu May 1 15:38:28 2003 + *************** + *** 678,683 **** + --- 678,691 ---- + file netinet/tcp_usrreq.c inet + file netinet/udp_usrreq.c inet + file netinet/ip_gre.c inet + + file netinet/ip_fil.c ipfilter + + file netinet/fil.c ipfilter + + file netinet/ip_nat.c ipfilter + + file netinet/ip_frag.c ipfilter + + file netinet/ip_state.c ipfilter + + file netinet/ip_proxy.c ipfilter + + file netinet/ip_auth.c ipfilter + + file netinet/ip_log.c ipfilter + file netinet/ip_ipsp.c (inet | inet6) & (ipsec | tcp_signature) + file netinet/ip_spd.c (inet | inet6) & (ipsec | tcp_signature) + file netinet/ip_ipip.c inet | inet6 + diff -cr sys/net/bridgestp.c sys.ipf/net/bridgestp.c + *** sys/net/bridgestp.c Wed Dec 11 00:22:55 2002 + --- sys.ipf/net/bridgestp.c Thu May 1 15:38:29 2003 + *************** + *** 63,68 **** + --- 63,73 ---- + 
#include + #include + #include + + + + #ifdef IPFILTER + + #include + + #include + + #endif + #endif + + #if NBPFILTER > 0 + diff -cr sys/net/if.c sys.ipf/net/if.c + *** sys/net/if.c Wed Sep 11 15:38:47 2002 + --- sys.ipf/net/if.c Thu May 1 15:38:29 2003 + *************** + *** 101,106 **** + --- 101,112 ---- + #include + #endif + + + #ifdef IPFILTER + + #include + + #include + + #include + + #endif + + + #if NBPFILTER > 0 + #include + #endif + *************** + *** 468,473 **** + --- 474,484 ---- + + /* Remove the interface from the list of all interfaces. */ + TAILQ_REMOVE(&ifnet, ifp, if_list); + + + + #ifdef IPFILTER + + /* XXX More ipf & ipnat cleanup needed. */ + + frsync(); + + #endif + + /* + * Deallocate private resources. + diff -cr sys/net/if_bridge.c sys.ipf/net/if_bridge.c + *** sys/net/if_bridge.c 11 Mar 2003 16:06:25 -0000 + --- sys.ipf/net/if_bridge.c 18 Jun 2003 13:01:48 -0000 + *************** + *** 71,76 **** + --- 71,80 ---- + #include + + #include + + #if (defined(IPFILTER) || defined(IPFILTER_LKM)) + + #include + + #include + + #endif + #endif + + #ifdef INET6 + *************** + *** 159,165 **** + int bridge_flushrule(struct bridge_iflist *); + int bridge_brlconf(struct bridge_softc *, struct ifbrlconf *); + u_int8_t bridge_filterrule(struct brl_head *, struct ether_header *); + ! #if NPF > 0 + struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *, + struct ether_header *, struct mbuf *m); + #endif + --- 163,169 ---- + int bridge_flushrule(struct bridge_iflist *); + int bridge_brlconf(struct bridge_softc *, struct ifbrlconf *); + u_int8_t bridge_filterrule(struct brl_head *, struct ether_header *); + ! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) + struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *, + struct ether_header *, struct mbuf *m); + #endif + *************** + *** 1175,1181 **** + m_freem(m); + return; + } + ! 
#if NPF > 0 + m = bridge_filter(sc, BRIDGE_IN, src_if, &eh, m); + if (m == NULL) + return; + --- 1179,1185 ---- + m_freem(m); + return; + } + ! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) + m = bridge_filter(sc, BRIDGE_IN, src_if, &eh, m); + if (m == NULL) + return; + *************** + *** 1218,1224 **** + m_freem(m); + return; + } + ! #if NPF > 0 + m = bridge_filter(sc, BRIDGE_OUT, dst_if, &eh, m); + if (m == NULL) + return; + --- 1222,1228 ---- + m_freem(m); + return; + } + ! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) + m = bridge_filter(sc, BRIDGE_OUT, dst_if, &eh, m); + if (m == NULL) + return; + *************** + *** 1472,1478 **** + mc = m1; + } + + ! #if NPF > 0 + mc = bridge_filter(sc, BRIDGE_OUT, dst_if, eh, mc); + if (mc == NULL) + continue; + --- 1476,1482 ---- + mc = m1; + } + + ! #if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) + mc = bridge_filter(sc, BRIDGE_OUT, dst_if, eh, mc); + if (mc == NULL) + continue; + *************** + *** 2260,2265 **** + --- 2264,2275 ---- + * We don't need to do loop detection, the + * bridge will do that for us. + */ + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + if (dir == BRIDGE_OUT && fr_checkp && + + ((*fr_checkp)(ip, hlen, &encif[0].sc_if, + + 1, &m) || !m)) + + return 1; + + #endif + #if NPF > 0 + switch (af) { + #ifdef INET + *************** + *** 2284,2289 **** + --- 2294,2305 ---- + if (m == NULL) + return (1); + #endif /* NPF */ + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + if (dir == BRIDGE_IN && fr_checkp && + + ((*fr_checkp)(ip, hlen, &encif[0].sc_if, + + 0, &m) || !m)) + + return 1; + + #endif + #ifdef INET + if (af == AF_INET) { + ip = mtod(m, struct ip *); + *************** + *** 2302,2308 **** + } + #endif /* IPSEC */ + + ! #if NPF > 0 + /* + * Filter IP packets by peeking into the ethernet frame. This violates + * the ISO model, but allows us to act as a IP filter at the data link + --- 2318,2324 ---- + } + #endif /* IPSEC */ + + ! 
#if (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) + /* + * Filter IP packets by peeking into the ethernet frame. This violates + * the ISO model, but allows us to act as a IP filter at the data link + *************** + *** 2412,2425 **** + return (NULL); + #endif /* IPSEC */ + + ! #if NPF > 0 + /* Finally, we get to filter the packet! */ + m->m_pkthdr.rcvif = ifp; + if (pf_test(dir, ifp, &m) != PF_PASS) + goto dropit; + if (m == NULL) + goto dropit; + #endif /* NPF */ + + /* Rebuild the IP header */ + if (m->m_len < hlen && ((m = m_pullup(m, hlen)) == NULL)) + --- 2428,2459 ---- + return (NULL); + #endif /* IPSEC */ + + ! #if defined(IPFILTER) || defined(IPFILTER_LKM) || (NPF > 0) + /* Finally, we get to filter the packet! */ + m->m_pkthdr.rcvif = ifp; + + #endif + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + if (dir == BRIDGE_OUT) { + + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m)) + + goto dropit; + + if (m == NULL) + + goto dropit; + + } + + #endif + + #if NPF > 0 + if (pf_test(dir, ifp, &m) != PF_PASS) + goto dropit; + if (m == NULL) + goto dropit; + #endif /* NPF */ + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + if (dir == BRIDGE_IN) { + + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 0, &m)) + + goto dropit; + + if (m == NULL) + + goto dropit; + + } + + #endif + + /* Rebuild the IP header */ + if (m->m_len < hlen && ((m = m_pullup(m, hlen)) == NULL)) + *************** + *** 2463,2474 **** + --- 2497,2524 ---- + return (NULL); + #endif /* IPSEC */ + + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + if (dir == BRIDGE_OUT) { + + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m)) + + goto dropit; + + if (m == NULL) + + return (NULL); + + } + + #endif + #if NPF > 0 + if (pf_test6(dir, ifp, &m) != PF_PASS) + goto dropit; + if (m == NULL) + return (NULL); + #endif /* NPF */ + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + if (dir == BRIDGE_IN) { + + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 0, &m)) + + goto dropit; + 
+ if (m == NULL) + + return (NULL); + + } + + #endif + + break; + } + *************** + *** 2500,2506 **** + m_freem(m); + return (NULL); + } + ! #endif /* NPF > 0 */ + + void + bridge_fragment(sc, ifp, eh, m) + --- 2550,2556 ---- + m_freem(m); + return (NULL); + } + ! #endif /* (NPF > 0) || (defined(IPFILTER) || defined(IPFILTER_LKM)) */ + + void + bridge_fragment(sc, ifp, eh, m) + diff -cr sys/netinet/in_proto.c sys.ipf/netinet/in_proto.c + *** sys/netinet/in_proto.c Mon Jun 10 02:26:10 2002 + --- sys.ipf/netinet/in_proto.c Thu May 1 15:38:29 2003 + *************** + *** 163,168 **** + --- 163,173 ---- + #include + #endif /* MROUTING */ + + + #ifdef IPFILTER + + void iplinit __P((void)); + + #define ip_init iplinit + + #endif + + + #ifdef INET6 + #include + #endif /* INET6 */ + diff -cr sys/netinet/ip_input.c sys.ipf/netinet/ip_input.c + *** sys/netinet/ip_input.c Thu Feb 13 01:41:07 2003 + --- sys.ipf/netinet/ip_input.c Thu May 1 15:42:00 2003 + *************** + *** 151,156 **** + --- 151,160 ---- + struct in_ifaddrhead in_ifaddr; + struct ifqueue ipintrq; + + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); + + #endif + + + int ipq_locked; + static __inline int ipq_lock_try(void); + static __inline void ipq_unlock(void); + *************** + *** 404,409 **** + --- 408,430 ---- + ip = mtod(m, struct ip *); + hlen = ip->ip_hl << 2; + pfrdr = (pfrdr != ip->ip_dst.s_addr); + + #endif + + + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + /* + + * Check if we want to allow this packet to be processed. + + * Consider it to be bad if not. 
+ + */ + + { + + struct mbuf *m0 = m; + + if (fr_checkp && (*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m0)) { + + return; + + } + + if (m0 == 0) { /* in case of 'fastroute' */ + + return; + + } + + ip = mtod(m = m0, struct ip *); + + } + #endif + + /* + diff -cr sys/netinet/ip_output.c sys.ipf/netinet/ip_output.c + *** sys/netinet/ip_output.c Sat Mar 15 06:08:02 2003 + --- sys.ipf/netinet/ip_output.c Thu May 1 15:38:30 2003 + *************** + *** 86,91 **** + --- 86,95 ---- + static struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *); + static void ip_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in *); + + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); + + #endif + + + /* + * IP output. The packet in mbuf chain m contains a skeletal IP + * header (with len, off, ttl, proto, tos, src, dst). + *************** + *** 559,564 **** + --- 563,592 ---- + if (sproto != 0) { + s = splnet(); + + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + if (fr_checkp) { + + /* + + * Ok, it's time for a simple round-trip to the IPF/NAT + + * code with the enc0 interface. 
+ + */ + + struct mbuf *m1 = m; + + void *ifp = (void *)&encif[0].sc_if; + + + + if ((*fr_checkp)(ip, hlen, ifp, 1, &m1)) { + + error = EHOSTUNREACH; + + splx(s); + + goto done; + + } + + if (m1 == 0) { /* in case of 'fastroute' */ + + error = 0; + + splx(s); + + goto done; + + } + + ip = mtod(m = m1, struct ip *); + + hlen = ip->ip_hl << 2; + + } + + #endif /* IPFILTER */ + + + /* + * Packet filter + */ + *************** + *** 661,666 **** + --- 689,713 ---- + m->m_pkthdr.csum &= ~M_UDPV4_CSUM_OUT; /* Clear */ + } + } + + + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + /* + + * looks like most checking has been done now...do a filter check + + */ + + { + + struct mbuf *m1 = m; + + + + if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m1)) { + + error = EHOSTUNREACH; + + goto done; + + } + + if (m1 == 0) { /* in case of 'fastroute' */ + + error = 0; + + goto done; + + } + + ip = mtod(m = m1, struct ip *); + + } + + #endif + + /* + * Packet filter + diff -cr sys/netinet6/ip6_input.c sys.ipf/netinet6/ip6_input.c + *** sys/netinet6/ip6_input.c Tue Jan 7 20:00:34 2003 + --- sys.ipf/netinet6/ip6_input.c Thu May 1 15:38:30 2003 + *************** + *** 134,139 **** + --- 134,143 ---- + static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); + #endif + + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); + + #endif + + + /* + * IP6 initialization: fill in IP6 protocol switch table. + * All protocols not implemented in kernel go to raw IP6 protocol handler. + *************** + *** 251,256 **** + --- 255,280 ---- + in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr); + goto bad; + } + + + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + /* + + * Check if we want to allow this packet to be processed. + + * Consider it to be bad if not. 
+ + */ + + if (fr_checkp != NULL) { + + struct mbuf *m0 = m; + + + + if ((*fr_checkp)((struct ip *)ip6, sizeof(*ip6), + + m->m_pkthdr.rcvif, 0, &m0)) { + + return; + + } + + m = m0; + + if (m == 0) { /* in case of 'fastroute' */ + + return; + + } + + ip6 = mtod(m, struct ip6_hdr *); + + } + + #endif + + #if NPF > 0 + /* + diff -cr sys/netinet6/ip6_output.c sys.ipf/netinet6/ip6_output.c + *** sys/netinet6/ip6_output.c Fri Nov 1 05:02:27 2002 + --- sys.ipf/netinet6/ip6_output.c Thu May 1 15:38:30 2003 + *************** + *** 120,132 **** + + static int ip6_pcbopts(struct ip6_pktopts **, struct mbuf *, struct socket *); + static int ip6_setmoptions(int, struct ip6_moptions **, struct mbuf *); + static int ip6_getmoptions(int, struct ip6_moptions *, struct mbuf **); + static int ip6_copyexthdr(struct mbuf **, caddr_t, int); + static int ip6_insertfraghdr(struct mbuf *, struct mbuf *, int, + struct ip6_frag **); + static int ip6_insert_jumboopt(struct ip6_exthdrs *, u_int32_t); + static int ip6_splithdr(struct mbuf *, struct ip6_exthdrs *); + ! static int ip6_getpmtu(struct route_in6 *, struct route_in6 *, + struct ifnet *, struct in6_addr *, u_long *); + + /* + --- 120,135 ---- + + static int ip6_pcbopts(struct ip6_pktopts **, struct mbuf *, struct socket *); + static int ip6_setmoptions(int, struct ip6_moptions **, struct mbuf *); + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + extern int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **)); + + #endif + static int ip6_getmoptions(int, struct ip6_moptions *, struct mbuf **); + static int ip6_copyexthdr(struct mbuf **, caddr_t, int); + static int ip6_insertfraghdr(struct mbuf *, struct mbuf *, int, + struct ip6_frag **); + static int ip6_insert_jumboopt(struct ip6_exthdrs *, u_int32_t); + static int ip6_splithdr(struct mbuf *, struct ip6_exthdrs *); + ! 
int ip6_getpmtu(struct route_in6 *, struct route_in6 *, + struct ifnet *, struct in6_addr *, u_long *); + + /* + *************** + *** 796,801 **** + --- 799,823 ---- + goto done; + ip6 = mtod(m, struct ip6_hdr *); + #endif + + + + #if defined(IPFILTER) || defined(IPFILTER_LKM) + + /* + + * looks like most checking has been done now...do a filter check + + */ + + if (fr_checkp != NULL) { + + struct mbuf *m1 = m; + + if ((*fr_checkp)((struct ip *)ip6, sizeof(*ip6), ifp, 1, &m1)) { + + error = EHOSTUNREACH; + + goto done; + + } + + m = m1; + + if (m1 == 0) { /* in case of 'fastroute' */ + + error = 0; + + goto done; + + } + + ip6 = mtod(m, struct ip6_hdr *); + + } + + #endif + + /* + * Send the packet to the outgoing interface. + *************** + *** 1120,1126 **** + return (0); + } + + ! static int + ip6_getpmtu(ro_pmtu, ro, ifp, dst, mtup) + struct route_in6 *ro_pmtu, *ro; + struct ifnet *ifp; + --- 1142,1148 ---- + return (0); + } + + ! int + ip6_getpmtu(ro_pmtu, ro, ifp, dst, mtup) + struct route_in6 *ro_pmtu, *ro; + struct ifnet *ifp; + diff -cr sys/sys/conf.h sys.ipf/sys/conf.h + *** sys/sys/conf.h Sat Nov 9 06:00:37 2002 + --- sys.ipf/sys/conf.h Thu May 1 15:38:30 2003 + *************** + *** 362,367 **** + --- 362,374 ---- + (dev_type_ioctl((*))) enodev, (dev_type_stop((*))) nullop, \ + 0, (dev_type_select((*))) enodev, (dev_type_mmap((*))) enodev } + + + /* open, close, read, ioctl */ + + #define cdev_gen_ipf(c, n) { \ + + dev_init(c,n,open), dev_init(c,n,close), dev_init(c,n,read), \ + + (dev_type_write((*))) enodev, dev_init(c,n,ioctl), \ + + (dev_type_stop((*))) enodev, 0, (dev_type_select((*))) enodev, \ + + (dev_type_mmap((*))) enodev } + + + /* open, close, read, write, ioctl, select, nokqfilter */ + #define cdev_xfs_init(c, n) { \ + dev_init(c,n,open), dev_init(c,n,close), dev_init(c,n,read), \ + *************** + *** 571,576 **** + --- 578,584 ---- + + cdev_decl(bpf); + + + cdev_decl(ipl); + cdev_decl(pf); + + cdev_decl(tun); diff -crN 
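Review bot: The hp300 cdevsw entry in the new 3.3-sys-diffs reads `cdev_pf_init(NIPF,ipl), /* 37: packet filter */`, whereas every other architecture's entry in the same patch (alpha, hppa, i386, mac68k, macppc, mvme68k, mvme88k, mvmeppc, sparc, sparc64, vax) uses the `cdev_gen_ipf` macro that the patch adds to sys/sys/conf.h; this looks like a copy of the neighbouring pf line and, if it compiles at all, it presumably wires /dev/ipl to pf's entry-point set rather than ipl's. It should read `cdev_gen_ipf(NIPF,ipl), /* 37: IP filter */`. Separately, the ip6_output.c hunk removes `static` from `ip6_getpmtu` without any caller appearing in the patch; a one-line comment at the prototype naming who needs the exported symbol would stop the next maintainer from re-hiding it. The per-arch comments also drift between "IP filter", "ip filtering" and "IP filter log" for the same device; one wording would help.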
ip_fil3.4.31/OpenBSD-3/README.3_3 ip_fil3.4.32/OpenBSD-3/README.3_3 *** ip_fil3.4.31/OpenBSD-3/README.3_3 Thu Jan 1 10:00:00 1970 --- ip_fil3.4.32/OpenBSD-3/README.3_3 Thu Jun 26 20:15:56 2003 *************** *** 0 **** --- 1,86 ---- + + Installing IPFilter into OpenBSD 3.3 Kernel + =========================================== + The installation of IPFilter should be as easy as following the steps + below. In cases where "i386" is mentioned, if you are working on a + different platform, substitute that name there and it should work equally + as well. The patches include enabling IPFilter for IPv4 filtering, IPv6 + filtering and bridge filtering. + + The commands given below are intended as guides rather than exact matches + on what needs to be typed. In many cases, paths to files or directories + may bear little resemblence to what is presented below. + + You may encounter difficulties with step 7 if you have made changes to the + rc files which cause "patch" to not be able to work out how to apply the + changes correctly. + + If the below steps are followed with no problems then it should be safe to + perform step 8 and reboot with the new kernel. Of course if you are not + using GENERIC then substitute GENERIC for your kernel name. If your kernel + config file includes the "GENERIC" one then you will not need to add explicit + options for IPFilter. + + 1. Extract your source tree into /usr/src, creating /usr/src/sys. + + cd /usr/src + gunzip -c sys.tar.gz | tar xpf - + + 2. Unpack IPFilter and apply the patches to the kernel source + + cd ~ + gunzip -c ip_fil3.4.32.tar.gz | tar xpf - + cd /usr/src + patch < ~/ip_fil3.4.32/OpenBSD-3/3.3-sys-diffs + + 3. Add IPFilter to the source code tree: + + cd ~/ip_fil3.4.32 + BSD/kupgrade + + If you want to build a new release with IPFilter, stop here and goto + the section below titled "Building a Release". + + 4. 
Build a new OpenBSD kernel + + /bin/rm -rf /sys/arch/i386/compile/GENERIC + cd /sys/arch/i386/conf + config GENERIC + cd ../compile/GENERIC + make depend && make + cp bsd /bsd + + 5. Build and install IPFilter + + cd ip_fil3.4.32 + make openbsd + make install-bsd + OpenBSD-3/makedevs-3.2 + + 6. Patch rc scripts in /etc + + cd /etc + patch < ~/ip_fil3.4.32/OpenBSD-3/3.3-rc-diffs + + 7. Reboot + + + IPFilter device files + ===================== + Patches to include making IPFilter devices can be found in the file + 3.3-MAKEDEV-diffs. These diffs are generally only of interested if + you are going to be building a distribution for others and want the + correct MAKEDEV scripts to be built. You may also wish to use this + to patch /dev/MAKEDEV on your machine to be correct. Pre-fab'd MAKEDEV + scripts (or individual patches) for each architecture are not provided. + You will need to have extracted "./etc" from src.tar.gz to use these + patches. + + Building a Release + ================== + cd /usr/src + patch < ~/ip_fil3.4.32/OpenBSD-3/3.3-rc-diffs + patch < ~/ip_fil3.4.32/OpenBSD-3/3.3-MAKEDEV-diffs + cd ~/ip_fil3.4.32 + ./OpenBSD-3/fixdist-3.2 + diff -crN ip_fil3.4.31/SunOS5/pkginfo ip_fil3.4.32/SunOS5/pkginfo *** ip_fil3.4.31/SunOS5/pkginfo Sat Dec 7 13:40:05 2002 --- ip_fil3.4.32/SunOS5/pkginfo Wed Jun 18 23:06:27 2003 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=3.4.31 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=3.4.32 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -crN ip_fil3.4.31/buildsunos ip_fil3.4.32/buildsunos *** ip_fil3.4.31/buildsunos Wed Jun 5 00:37:54 2002 --- ip_fil3.4.32/buildsunos Mon Mar 31 21:48:05 2003 *************** *** 5,11 **** echo "Do NOT run this script directly, do 'make solaris'!" 
exit 1 fi ! # $Id: buildsunos,v 2.5.2.13 2002/06/04 14:37:54 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` if [ -d /usr/ccs/bin ] ; then --- 5,11 ---- echo "Do NOT run this script directly, do 'make solaris'!" exit 1 fi ! # $Id: buildsunos,v 2.5.2.14 2003/03/31 11:48:05 darrenr Exp $ : rev=`uname -r | sed -e 's/^\([^\.]*\)\..*/\1/'` if [ -d /usr/ccs/bin ] ; then *************** *** 58,64 **** *gcc*) # gcc case `uname -p` in sparc) ! XARCH32="-m32" ;; *) XARCH32="" --- 58,67 ---- *gcc*) # gcc case `uname -p` in sparc) ! gcc -m32 -E /dev/null >/dev/null 2>&1 ! if [ $? -eq 0 ] ; then ! XARCH32="-m32" ! fi ;; *) XARCH32="" diff -crN ip_fil3.4.31/common.c ip_fil3.4.32/common.c *** ip_fil3.4.31/common.c Fri Dec 6 22:40:20 2002 --- ip_fil3.4.32/common.c Tue Apr 15 03:26:02 2003 *************** *** 263,269 **** return 0; if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) { (*seg)++; ! if (isalnum(***seg) && *(*seg + 2)) { if (portnum(**seg, pp, linenum) == 0) return -1; (*seg)++; --- 263,281 ---- return 0; if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) { (*seg)++; ! if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq")) ! comp = FR_EQUAL; ! else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne")) ! comp = FR_NEQUAL; ! else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt")) ! comp = FR_LESST; ! else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt")) ! comp = FR_GREATERT; ! else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le")) ! comp = FR_LESSTE; ! else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge")) ! comp = FR_GREATERTE; ! else if (isalnum(***seg) && *(*seg + 2)) { if (portnum(**seg, pp, linenum) == 0) return -1; (*seg)++; *************** *** 285,303 **** } if (portnum(**seg, tp, linenum) == 0) return -1; ! } else if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq")) ! comp = FR_EQUAL; ! else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne")) ! comp = FR_NEQUAL; ! 
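Review bot: In the sparc branch of the `uname -p` case, XARCH32 is only assigned when the `gcc -m32 -E` probe succeeds, so when the probe fails the variable keeps whatever value it already had — possibly one inherited from the caller's environment — whereas the `*)` branch explicitly sets `XARCH32=""`. Initialising it before the probe keeps the two branches consistent and also replaces the `$?` test with the idiomatic form: `XARCH32=""` followed by `if gcc -m32 -E /dev/null >/dev/null 2>&1 ; then XARCH32="-m32" ; fi`. The enclosing case statement begins outside the hunk, so an earlier assignment may already exist; if so, a comment saying that the empty default is relied on would suffice.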
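Review bot: The reordering in the `port` branch — testing the comparator spellings before `isalnum(***seg)` — is the actual fix (the alphabetic comparators `eq`, `ne`, `lt`, `gt`, `le`, `ge` satisfy `isalnum()` and were previously handed to `portnum()`), but nothing in the hunk records that, and the 285,303 hunk that removes the old chain reads like a plain move. A one-line comment above the first `strcmp` would keep the order from being "tidied" back later: `/* test comparators first: "eq", "lt", ... are alnum and would otherwise be parsed as port numbers */`. The enclosing function starts before this hunk and its tail is in the 285,303 hunk.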
else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt")) ! comp = FR_LESST; ! else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt")) ! comp = FR_GREATERT; ! else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le")) ! comp = FR_LESSTE; ! else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge")) ! comp = FR_GREATERTE; ! else { fprintf(stderr, "%d: unknown comparator (%s)\n", linenum, **seg); return -1; --- 297,303 ---- } if (portnum(**seg, tp, linenum) == 0) return -1; ! } else { fprintf(stderr, "%d: unknown comparator (%s)\n", linenum, **seg); return -1; diff -crN ip_fil3.4.31/fil.c ip_fil3.4.32/fil.c *** ip_fil3.4.31/fil.c Sat Dec 7 00:28:05 2002 --- ip_fil3.4.32/fil.c Tue Jun 10 23:25:51 2003 *************** *** 97,103 **** #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $"; #endif #ifndef _KERNEL --- 97,103 ---- #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.72 2003/06/10 13:25:51 darrenr Exp $"; #endif #ifndef _KERNEL *************** *** 144,149 **** --- 144,152 ---- static int frflushlist __P((int, minor_t, int *, frentry_t **)); #ifdef _KERNEL static void frsynclist __P((frentry_t *)); + # ifndef __sgi + static void *ipf_pullup __P((mb_t *, fr_info_t *, int)); + # endif #endif *************** *** 192,204 **** * compact the IP header into a structure which contains just the info. * which is useful for comparing IP headers with. */ ! void fr_makefrip(hlen, ip, fin) int hlen; ip_t *ip; fr_info_t *fin; { u_short optmsk = 0, secmsk = 0, auth = 0; int i, mv, ol, off, p, plen, v; fr_ip_t *fi = &fin->fin_fi; struct optlist *op; u_char *s, opt; --- 195,214 ---- * compact the IP header into a structure which contains just the info. * which is useful for comparing IP headers with. */ ! 
int fr_makefrip(hlen, ip, fin) int hlen; ip_t *ip; fr_info_t *fin; { u_short optmsk = 0, secmsk = 0, auth = 0; int i, mv, ol, off, p, plen, v; + #if defined(_KERNEL) + # if SOLARIS + mb_t *m = fin->fin_qfm; + # else + mb_t *m = fin->fin_mp ? *fin->fin_mp : NULL; + # endif + #endif fr_ip_t *fi = &fin->fin_fi; struct optlist *op; u_char *s, opt; *************** *** 256,262 **** } #endif else ! return; fin->fin_off = off; fin->fin_plen = plen; --- 266,272 ---- } #endif else ! return -1; fin->fin_off = off; fin->fin_plen = plen; *************** *** 264,269 **** --- 274,288 ---- fin->fin_misc = 0; off <<= 3; + /* + * For both ICMPV6 & ICMP, we attempt to pullup the entire packet into + * a single buffer for recognised error return packets. Why? Because + * the entire data section of the ICMP payload is considered to be of + * significance and maybe required in NAT/state processing, so rather + * than be careful later, attempt to get it all in one buffeer first. + * For TCP we just make sure the _entire_ TCP header is in the first + * buffer for convienience. + */ switch (p) { #ifdef USE_INET6 *************** *** 272,278 **** int minicmpsz = sizeof(struct icmp6_hdr); struct icmp6_hdr *icmp6; ! if (fin->fin_dlen > 1) { fin->fin_data[0] = *(u_short *)tcp; icmp6 = (struct icmp6_hdr *)tcp; --- 291,297 ---- int minicmpsz = sizeof(struct icmp6_hdr); struct icmp6_hdr *icmp6; ! if (!(fin->fin_fl & FI_SHORT) && (fin->fin_dlen > 1)) { fin->fin_data[0] = *(u_short *)tcp; icmp6 = (struct icmp6_hdr *)tcp; *************** *** 287,292 **** --- 306,318 ---- case ICMP6_PACKET_TOO_BIG : case ICMP6_TIME_EXCEEDED : case ICMP6_PARAM_PROB : + # if defined(KERNEL) && !defined(__sgi) + if ((m != NULL) && (M_BLEN(m) < plen)) { + ip = ipf_pullup(m, fin, plen); + if (ip == NULL) + return -1; + } + # endif /* KERNEL && !__sgi */ minicmpsz = ICMP6ERR_IPICMPHLEN; break; default : *************** *** 294,315 **** } } ! if (!(plen >= minicmpsz)) fi->fi_fl |= FI_SHORT; break; } ! 
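Review bot: The new pullup block in fr_makefrip's ICMPv6 case is guarded by `# if defined(KERNEL) && !defined(__sgi)`, while the `mb_t *m` it uses is declared under `#if defined(_KERNEL)` earlier in the same function and ipf_pullup itself is compiled under `#if defined(_KERNEL) && !defined(__sgi)`. If a platform defines only `_KERNEL` (the spelling used everywhere else in this file), this block, the ICMP block in the 333,341 hunk and the TCP block in the 359,364 hunk are silently compiled out, the pullup the change sets out to add never happens, and the later accesses through `icmp`/`tcp` presumably still read from a possibly short first buffer. The three guards should read `# if defined(_KERNEL) && !defined(__sgi)`, and the trailing comments (`/* KERNEL && !__sgi */`, `/* _KERNEL && !_sgi */`) should be made to match. fr_makefrip's body runs across several hunks and beyond this one.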
#endif case IPPROTO_ICMP : { int minicmpsz = sizeof(struct icmp); icmphdr_t *icmp; ! if (!off && (fin->fin_dlen > 1)) { fin->fin_data[0] = *(u_short *)tcp; icmp = (icmphdr_t *)tcp; switch (icmp->icmp_type) { case ICMP_ECHOREPLY : --- 320,346 ---- } } ! if (!(fin->fin_dlen >= minicmpsz)) fi->fi_fl |= FI_SHORT; break; } ! #endif /* USE_INET6 */ ! case IPPROTO_ICMP : { int minicmpsz = sizeof(struct icmp); icmphdr_t *icmp; ! if (!off && (fin->fin_dlen > 1) && !(fin->fin_fl & FI_SHORT)) { fin->fin_data[0] = *(u_short *)tcp; icmp = (icmphdr_t *)tcp; + /* + * Minimum ICMP packet is type(1) code(1) cksum(2) + * plus 4 bytes following, totalling 8 bytes. + */ switch (icmp->icmp_type) { case ICMP_ECHOREPLY : *************** *** 325,331 **** */ case ICMP_TSTAMP : case ICMP_TSTAMPREPLY : ! minicmpsz = 20; break; /* * type(1) + code(1) + cksum(2) + id(2) seq(2) + --- 356,362 ---- */ case ICMP_TSTAMP : case ICMP_TSTAMPREPLY : ! minicmpsz = ICMP_MINLEN + 12; break; /* * type(1) + code(1) + cksum(2) + id(2) seq(2) + *************** *** 333,341 **** */ case ICMP_MASKREQ : case ICMP_MASKREPLY : ! minicmpsz = 12; break; default : break; } } --- 364,390 ---- */ case ICMP_MASKREQ : case ICMP_MASKREPLY : ! minicmpsz = ICMP_MINLEN + 4; ! break; ! /* ! * type(1) + code(1) + cksum(2) + arg(4) ip(20+) ! */ ! case ICMP_UNREACH : ! case ICMP_SOURCEQUENCH : ! case ICMP_REDIRECT : ! case ICMP_TIMXCEED : ! case ICMP_PARAMPROB : ! #if defined(KERNEL) && !defined(__sgi) ! if ((m != NULL) && (M_BLEN(m) < plen)) { ! ip = ipf_pullup(m, fin, plen); ! if (ip == NULL) ! return -1; ! } ! #endif /* KERNEL && !__sgi */ ! 
minicmpsz = ICMPERR_MINPKTLEN - sizeof(ip_t); break; default : + minicmpsz = ICMP_MINLEN; break; } } *************** *** 343,351 **** if ((!(plen >= hlen + minicmpsz) && !off) || (off && off < sizeof(struct icmp))) fi->fi_fl |= FI_SHORT; - break; } case IPPROTO_TCP : fi->fi_fl |= FI_TCPUDP; #ifdef USE_INET6 --- 392,400 ---- if ((!(plen >= hlen + minicmpsz) && !off) || (off && off < sizeof(struct icmp))) fi->fi_fl |= FI_SHORT; break; } + case IPPROTO_TCP : fi->fi_fl |= FI_TCPUDP; #ifdef USE_INET6 *************** *** 359,364 **** --- 408,426 ---- (off && off < sizeof(struct tcphdr))) fi->fi_fl |= FI_SHORT; } + + #if defined(KERNEL) && !defined(__sgi) + if (!off && !(fi->fi_fl & FI_SHORT)) { + int tlen = hlen + (tcp->th_off << 2); + + if ((m != NULL) && (M_BLEN(m) < tlen)) { + ip = ipf_pullup(m, fin, tlen); + if (ip == NULL) + return -1; + } + } + #endif /* _KERNEL && !_sgi */ + if (!(fi->fi_fl & FI_SHORT) && !off) fin->fin_tcpf = tcp->th_flags; goto getports; *************** *** 403,409 **** fi->fi_optmsk = 0; fi->fi_secmsk = 0; fi->fi_auth = 0; ! return; } #endif --- 465,471 ---- fi->fi_optmsk = 0; fi->fi_secmsk = 0; fi->fi_auth = 0; ! return 0; } #endif *************** *** 460,465 **** --- 522,528 ---- fi->fi_optmsk = optmsk; fi->fi_secmsk = secmsk; fi->fi_auth = auth; + return 0; } *************** *** 853,859 **** } # endif /* CSUM_DELAY_DATA */ ! # ifdef USE_INET6 if (v == 6) { len = ntohs(((ip6_t*)ip)->ip6_plen); if (!len) --- 916,922 ---- } # endif /* CSUM_DELAY_DATA */ ! # ifdef USE_INET6 if (v == 6) { len = ntohs(((ip6_t*)ip)->ip6_plen); if (!len) *************** *** 861,877 **** len += sizeof(ip6_t); p = ((ip6_t *)ip)->ip6_nxt; } else ! # endif { p = ip->ip_p; len = ip->ip_len; } if ((p == IPPROTO_TCP || p == IPPROTO_UDP || (v == 4 && p == IPPROTO_ICMP) ! # ifdef USE_INET6 || (v == 6 && p == IPPROTO_ICMPV6) ! # endif )) { int plen = 0; --- 924,943 ---- len += sizeof(ip6_t); p = ((ip6_t *)ip)->ip6_nxt; } else ! 
# endif { p = ip->ip_p; len = ip->ip_len; } + fin->fin_mp = mp; + fin->fin_out = out; + if ((p == IPPROTO_TCP || p == IPPROTO_UDP || (v == 4 && p == IPPROTO_ICMP) ! # ifdef USE_INET6 || (v == 6 && p == IPPROTO_ICMPV6) ! # endif )) { int plen = 0; *************** *** 891,897 **** case IPPROTO_ESP: plen = 8; break; ! # ifdef USE_INET6 case IPPROTO_ICMPV6 : /* * XXX does not take intermediate header --- 957,963 ---- case IPPROTO_ESP: plen = 8; break; ! # ifdef USE_INET6 case IPPROTO_ICMPV6 : /* * XXX does not take intermediate header *************** *** 899,906 **** */ plen = ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t); break; ! # endif } up = MIN(hlen + plen, len); if (up > m->m_len) { --- 965,974 ---- */ plen = ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t); break; ! # endif } + if ((plen > 0) && (len < hlen + plen)) + fin->fin_fl |= FI_SHORT; up = MIN(hlen + plen, len); if (up > m->m_len) { *************** *** 915,928 **** ip = (ip_t *)hbuf; # else /* __ sgi */ # ifndef linux ! if ((*mp = m_pullup(m, up)) == 0) { ! ATOMIC_INCL(frstats[out].fr_pull[1]); return -1; ! } else { ! ATOMIC_INCL(frstats[out].fr_pull[0]); ! m = *mp; ! ip = mtod(m, ip_t *); ! } # endif /* !linux */ # endif /* __sgi */ } else --- 983,1016 ---- ip = (ip_t *)hbuf; # else /* __ sgi */ # ifndef linux ! /* ! * Having determined that we need to pullup some data, ! * try to bring as much of the packet up into a single ! * buffer with the first pullup. This hopefully means ! * less need for doing futher pullups. Not needed for ! * Solaris because fr_precheck() does it anyway. ! * ! * The main potential for trouble here is if MLEN/MHLEN ! * become quite small, lets say < 64 bytes...but if ! * that did happen, BSD networking as a whole would be ! * slow/inefficient. ! */ ! # ifdef MHLEN ! /* ! * Assume that M_PKTHDR is set and just work with what ! * is left rather than check.. Should not make any ! * real difference, anyway. ! */ ! if ((MHLEN > up) && (len > up)) ! up = MIN(len, MHLEN); ! # else ! 
if ((MLEN > up) && (len > up)) ! up = MIN(len, MLEN); ! # endif ! ip = ipf_pullup(m, fin, up); ! if (ip == NULL) return -1; ! m = *mp; # endif /* !linux */ # endif /* __sgi */ } else *************** *** 938,951 **** fin->fin_qfm = m; fin->fin_qif = qif; # endif #endif /* _KERNEL */ changed = 0; - fin->fin_ifp = ifp; fin->fin_v = v; ! fin->fin_out = out; ! fin->fin_mp = mp; ! fr_makefrip(hlen, ip, fin); #ifdef _KERNEL # ifdef USE_INET6 --- 1026,1041 ---- fin->fin_qfm = m; fin->fin_qif = qif; # endif + #else + fin->fin_mp = mp; + fin->fin_out = out; #endif /* _KERNEL */ changed = 0; fin->fin_v = v; ! fin->fin_ifp = ifp; ! if (fr_makefrip(hlen, ip, fin) == -1) ! return -1; #ifdef _KERNEL # ifdef USE_INET6 *************** *** 1387,1396 **** /* * Both sum and sum2 are partial sums, so combine them together. */ ! sum = (sum & 0xffff) + (sum >> 16); ! sum = ~sum & 0xffff; ! sum2 += sum; ! sum2 = (sum2 & 0xffff) + (sum2 >> 16); # else /* defined(BSD) || defined(sun) */ { union { --- 1477,1486 ---- /* * Both sum and sum2 are partial sums, so combine them together. */ ! sum += ~sum2 & 0xffff; ! while (sum > 0xffff) ! sum = (sum & 0xffff) + (sum >> 16); ! sum2 = ~sum & 0xffff; # else /* defined(BSD) || defined(sun) */ { union { *************** *** 1531,1537 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 1621,1627 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! 
* $Id: fil.c,v 2.35.2.72 2003/06/10 13:25:51 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, *************** *** 1984,1989 **** --- 2074,2082 ---- (defined(__FreeBSD_version) && (__FreeBSD_version >= 300000)) # if (NetBSD >= 199905) || defined(__OpenBSD__) for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_list.tqe_next) + # elif defined(__FreeBSD_version) && (__FreeBSD_version >= 500043) + IFNET_RLOCK(); + TAILQ_FOREACH(ifp, &ifnet, if_link); # else for (ifp = ifnet.tqh_first; ifp; ifp = ifp->if_link.tqe_next) # endif *************** *** 1995,2000 **** --- 2088,2096 ---- ip_statesync(ifp); } ip_natsync((struct ifnet *)-1); + # if defined(__FreeBSD_version) && (__FreeBSD_version >= 500043) + IFNET_RUNLOCK(); + # endif # endif /* !SOLARIS */ WRITE_ENTER(&ipf_mutex); *************** *** 2223,2225 **** --- 2319,2351 ---- return ip->ip_len; } #endif + + + #if defined(_KERNEL) && !defined(__sgi) + void *ipf_pullup(m, fin, len) + mb_t *m; + fr_info_t *fin; + int len; + { + int out = fin->fin_out; + + if ((m != NULL) && (M_BLEN(m) < len)) { + # if SOLARIS + if (!pullupmsg(m, len)) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + return NULL; + } + ATOMIC_INCL(frstats[out].fr_pull[0]); + # else + m = m_pullup(m, len); + *fin->fin_mp = m; + if (m == NULL) { + ATOMIC_INCL(frstats[out].fr_pull[1]); + return NULL; + } + ATOMIC_INCL(frstats[out].fr_pull[0]); + # endif /* SOLARIS */ + } + return MTOD(m, void *); + } + #endif /* _KERNEL */ diff -crN ip_fil3.4.31/fils.c ip_fil3.4.32/fils.c *** ip_fil3.4.31/fils.c Fri Dec 6 22:40:20 2002 --- ip_fil3.4.32/fils.c Sat Jun 7 21:37:03 2003 *************** *** 99,105 **** #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; ! 
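Review bot: In the new FreeBSD 5 branch, `TAILQ_FOREACH(ifp, &ifnet, if_link);` ends with a semicolon, so as printed here the macro expands to a loop with an empty body and the block that follows (the one ending in `ip_statesync(ifp);` in the 1995,2000 hunk) runs once after the loop with `ifp` left at NULL instead of once per interface. The other two branches of the `#if` chain supply a bare `for` header without a terminator; this one should do the same: `TAILQ_FOREACH(ifp, &ifnet, if_link)`. The enclosing function starts and ends outside both hunks.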
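Review bot: ipf_pullup guards the pullup with `(m != NULL)` but then unconditionally executes `return MTOD(m, void *);`, so a NULL `m` skips the pullup and dereferences NULL in the return. The call sites in fr_makefrip test `m != NULL` before calling, so either that guard is redundant or the function should be self-contained: make `if (m == NULL) return NULL;` the first statement and let the length test alone decide whether to pull up. The function also has no header comment; it should state that in the non-Solaris branch `*fin->fin_mp` is rewritten (to NULL on failure, the chain presumably having been released by m_pullup) before returning, so a caller that gets NULL must drop the packet and not touch `m` again. Finally the definition should carry the `static` its prototype near the top of the file declares, and the `#endif /* _KERNEL */` trailer should match its `#if defined(_KERNEL) && !defined(__sgi)`.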
static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.40 2002/12/06 11:40:20 darrenr Exp $"; #endif extern char *optarg; --- 99,105 ---- #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.41 2003/06/07 11:37:03 darrenr Exp $"; #endif extern char *optarg; *************** *** 117,122 **** --- 117,124 ---- int opts = 0; int use_inet6 = 0; int live_kernel = 1; + int state_fd = -1; + int ipf_fd = -1; #ifdef STATETOP #define STSTRSIZE 80 *************** *** 236,241 **** --- 238,254 ---- } optind = myoptind; + if (live_kernel == 1) { + if ((state_fd = open(IPL_STATE, O_RDONLY)) == -1) { + perror("open"); + exit(-1); + } + if ((ipf_fd = open(device, O_RDONLY)) == -1) { + perror("open"); + exit(-1); + } + } + if (kern != NULL || memf != NULL) { (void)setuid(getuid()); *************** *** 404,435 **** fr_authstat_t **frauthstpp; u_32_t *frfp; { - int fd; - - if ((fd = open(device, O_RDONLY)) < 0) { - perror("open"); - exit(-1); - } ! if (!(opts & OPT_AUTHSTATS) && ioctl(fd, SIOCGETFS, fiopp) == -1) { perror("ioctl(ipf:SIOCGETFS)"); exit(-1); } if ((opts & OPT_IPSTATES)) { ! int sfd = open(IPL_STATE, O_RDONLY); ! ! if (sfd == -1) { ! perror("open"); ! exit(-1); ! } ! if ((ioctl(sfd, SIOCGETFS, ipsstpp) == -1)) { perror("ioctl(state:SIOCGETFS)"); exit(-1); } - close(sfd); } ! if ((opts & OPT_FRSTATES) && (ioctl(fd, SIOCGFRST, ifrstpp) == -1)) { perror("ioctl(SIOCGFRST)"); exit(-1); } --- 417,436 ---- fr_authstat_t **frauthstpp; u_32_t *frfp; { ! if (!(opts & OPT_AUTHSTATS) && ioctl(ipf_fd, SIOCGETFS, fiopp) == -1) { perror("ioctl(ipf:SIOCGETFS)"); exit(-1); } if ((opts & OPT_IPSTATES)) { ! if ((ioctl(state_fd, SIOCGETFS, ipsstpp) == -1)) { perror("ioctl(state:SIOCGETFS)"); exit(-1); } } ! if ((opts & OPT_FRSTATES) && ! 
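Review bot: With `live_kernel == 1` the new block opens both `IPL_STATE` and `device` ahead of the `setuid(getuid())` on the following context line, which is the right order for a set-id binary, but it now does so on every invocation, whereas the old code only opened the state device when OPT_IPSTATES or the statetop path needed it. Two consequences: a host without the state device, or a user without permission to it, now fails every ipfstat run at `perror("open")`, and the descriptor stays open for the process lifetime even when unused. Opening `state_fd` only when `(opts & OPT_IPSTATES)` or statetop is requested (the 961,967 hunk now relies on it) would keep the privilege ordering while restoring the old behaviour; if it must stay unconditional, a comment such as `/* open both devices while still privileged; setuid(getuid()) follows */` should record the dependency on the order. The enclosing main() starts and ends outside the hunk.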
(ioctl(ipf_fd, SIOCGFRST, ifrstpp) == -1)) { perror("ioctl(SIOCGFRST)"); exit(-1); } *************** *** 438,452 **** PRINTF("opts %#x name %s\n", opts, device); if ((opts & OPT_AUTHSTATS) && ! (ioctl(fd, SIOCATHST, frauthstpp) == -1)) { perror("ioctl(SIOCATHST)"); exit(-1); } ! if (ioctl(fd, SIOCGETFF, frfp) == -1) perror("ioctl(SIOCGETFF)"); ! return fd; } --- 439,453 ---- PRINTF("opts %#x name %s\n", opts, device); if ((opts & OPT_AUTHSTATS) && ! (ioctl(ipf_fd, SIOCATHST, frauthstpp) == -1)) { perror("ioctl(SIOCATHST)"); exit(-1); } ! if (ioctl(ipf_fd, SIOCGETFF, frfp) == -1) perror("ioctl(SIOCGETFF)"); ! return ipf_fd; } *************** *** 926,932 **** { char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE]; int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT; ! int i, j, sfd, winx, tsentry, maxx, maxy, redraw = 0; ipstate_t *istab[IPSTATE_SIZE], ips; ips_stat_t ipsst, *ipsstp = &ipsst; statetop_t *tstable = NULL, *tp; --- 927,933 ---- { char str1[STSTRSIZE], str2[STSTRSIZE], str3[STSTRSIZE], str4[STSTRSIZE]; int maxtsentries = 0, reverse = 0, sorting = STSORT_DEFAULT; ! int i, j, winx, tsentry, maxx, maxy, redraw = 0; ipstate_t *istab[IPSTATE_SIZE], ips; ips_stat_t ipsst, *ipsstp = &ipsst; statetop_t *tstable = NULL, *tp; *************** *** 941,952 **** fd_set readfd; #endif - /* open state device */ - if ((sfd = open(IPL_STATE, O_RDONLY)) == -1) { - perror("open"); - exit(-1); - } - /* init ncurses stuff */ initscr(); cbreak(); --- 942,947 ---- *************** *** 961,967 **** /* get state table */ bzero((char *)&ipsst, sizeof(&ipsst)); ! if ((ioctl(sfd, SIOCGETFS, &ipsstp) == -1)) { perror("ioctl(SIOCGETFS)"); exit(-1); } --- 956,962 ---- /* get state table */ bzero((char *)&ipsst, sizeof(&ipsst)); ! 
if ((ioctl(state_fd, SIOCGETFS, &ipsstp) == -1)) { perror("ioctl(SIOCGETFS)"); exit(-1); } *************** *** 1245,1252 **** } } } /* while */ - - close(sfd); printw("\n"); nocbreak(); --- 1240,1245 ---- diff -crN ip_fil3.4.31/ip_auth.c ip_fil3.4.32/ip_auth.c *** ip_fil3.4.31/ip_auth.c Fri Dec 6 22:40:21 2002 --- ip_fil3.4.32/ip_auth.c Fri May 16 01:34:09 2003 *************** *** 104,110 **** #endif #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.24 2002/12/06 11:40:21 darrenr Exp $"; #endif --- 104,110 ---- #endif #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.25 2003/05/15 15:34:09 darrenr Exp $"; #endif *************** *** 418,424 **** bzero((char *)&ro, sizeof(ro)); # if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \ ! defined(__OpenBSD__) || (defined(IRIX) && (IRIX >= 605)) error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL, NULL); # else --- 418,425 ---- bzero((char *)&ro, sizeof(ro)); # if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \ ! defined(__OpenBSD__) || (defined(IRIX) && (IRIX >= 605)) || \ ! (__FreeBSD_version >= 470102) error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL, NULL); # else diff -crN ip_fil3.4.31/ip_compat.h ip_fil3.4.32/ip_compat.h *** ip_fil3.4.31/ip_compat.h Sat Oct 26 16:24:42 2002 --- ip_fil3.4.32/ip_compat.h Sun Jun 22 02:20:36 2003 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 ! * $Id: ip_compat.h,v 2.26.2.47 2002/10/26 06:24:42 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 ! 
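Review bot: The added `(__FreeBSD_version >= 470102)` term is the only one in this `# if` that does not wrap its macro in `defined()`; it relies on the preprocessor treating an undefined identifier as 0, which is legal but trips `-Wundef` and reads inconsistently next to `defined(IRIX) && (IRIX >= 605)` on the same condition. Write it as `(defined(__FreeBSD_version) && (__FreeBSD_version >= 470102))` to match the surrounding terms. The enclosing function lies outside the hunk.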
* $Id: ip_compat.h,v 2.26.2.49 2003/06/21 16:20:36 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ *************** *** 163,168 **** --- 163,169 ---- # define V4_PART_OF_V6(v6) v6.s6_addr32[3] # endif # endif + # define M_BLEN(m) ((m)->b_wptr - (m)->b_rptr) typedef struct qif { struct qif *qf_next; *************** *** 523,528 **** --- 524,530 ---- # ifndef linux # define FREE_MB_T(m) m_freem(m) # define MTOD(m,t) mtod(m,t) + # define M_BLEN(m) (m)->m_len # define IRCOPY(a,b,c) (bcopy((a), (b), (c)), 0) # define IWCOPY(a,b,c) (bcopy((a), (b), (c)), 0) # define IRCOPYPTR ircopyptr *************** *** 1206,1213 **** #define ICMPERR_MINPKTLEN (20 + 8 + 20) #define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8) #define ICMP6_MINLEN 8 ! #define ICMP6ERR_MINPKTLEN (40 + 8) ! #define ICMP6ERR_IPICMPHLEN (40 + 8 + 40) #ifndef ICMP6_DST_UNREACH # define ICMP6_DST_UNREACH 1 --- 1208,1215 ---- #define ICMPERR_MINPKTLEN (20 + 8 + 20) #define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8) #define ICMP6_MINLEN 8 ! #define ICMP6ERR_IPICMPHLEN (40 + 8) ! #define ICMP6ERR_MINPKTLEN (40 + 8 + 40) #ifndef ICMP6_DST_UNREACH # define ICMP6_DST_UNREACH 1 diff -crN ip_fil3.4.31/ip_fil.c ip_fil3.4.32/ip_fil.c *** ip_fil3.4.31/ip_fil.c Fri Dec 6 22:45:45 2002 --- ip_fil3.4.32/ip_fil.c Thu Jun 26 20:14:17 2003 *************** *** 124,130 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.64 2002/12/06 11:45:45 darrenr Exp $"; #endif --- 124,130 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.70 2003/06/26 10:14:17 darrenr Exp $"; #endif *************** *** 651,657 **** int error = 0, unit = 0, tmp; #if (BSD >= 199306) && defined(_KERNEL) ! 
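Review bot: The BSD definition `# define M_BLEN(m) (m)->m_len` does not parenthesise its expansion, unlike the Solaris one `((m)->b_wptr - (m)->b_rptr)` added in the 163,168 hunk; the uses visible in fil.c are all comparison operands so it works today, but `((m)->m_len)` costs nothing and keeps the two definitions to the same hygiene. A one-line comment on the first definition saying that M_BLEN is the number of bytes held in the first buffer of the packet would also help, since the two expansions look nothing alike.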
if ((securelevel >= 2) && (mode & FWRITE)) return EPERM; #endif #ifdef _KERNEL --- 651,657 ---- int error = 0, unit = 0, tmp; #if (BSD >= 199306) && defined(_KERNEL) ! if ((securelevel >= 3) && (mode & FWRITE)) return EPERM; #endif #ifdef _KERNEL *************** *** 1020,1027 **** while ((f = *ftail)) ftail = &f->fr_next; else { if (fp->fr_hits) { - ftail = fprev; while (--fp->fr_hits && (f = *ftail)) ftail = &f->fr_next; } --- 1020,1027 ---- while ((f = *ftail)) ftail = &f->fr_next; else { + ftail = fprev; if (fp->fr_hits) { while (--fp->fr_hits && (f = *ftail)) ftail = &f->fr_next; } *************** *** 1319,1327 **** m->m_pkthdr.rcvif = NULL; # endif ! fr_makefrip(hlen, ip, &frn); ! ! error = ipfr_fastroute(m, mp, &frn, NULL); return error; } --- 1319,1328 ---- m->m_pkthdr.rcvif = NULL; # endif ! if (fr_makefrip(hlen, ip, &frn) == 0) ! error = ipfr_fastroute(m, mp, &frn, NULL); ! else ! error = EINVAL; return error; } *************** *** 1628,1634 **** /* * Route packet. */ ! #if defined(__sgi) && (IRIX >= 605) ROUTE_RDLOCK(); #endif bzero((caddr_t)ro, sizeof (*ro)); --- 1629,1635 ---- /* * Route packet. */ ! #if (defined(IRIX) && (IRIX >= 605)) ROUTE_RDLOCK(); #endif bzero((caddr_t)ro, sizeof (*ro)); *************** *** 1647,1654 **** * check that we're going in the correct direction. */ if ((fr != NULL) && (fin->fin_rev != 0)) { ! if ((ifp != NULL) && (fdp == &fr->fr_tif)) return 0; } else if (fdp != NULL) { if (fdp->fd_ip.s_addr != 0) dst->sin_addr = fdp->fd_ip; --- 1648,1659 ---- * check that we're going in the correct direction. */ if ((fr != NULL) && (fin->fin_rev != 0)) { ! if ((ifp != NULL) && (fdp == &fr->fr_tif)) { ! # if (defined(IRIX) && (IRIX >= 605)) ! ROUTE_UNLOCK(); ! 
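Review bot: Raising the threshold from `securelevel >= 2` to `>= 3` loosens the check in the open routine: a writable open of the filter device is now allowed at securelevel 2, and on systems whose securelevel does not go above 2 the guard can no longer fire at all, because its condition is the generic `(BSD >= 199306) && defined(_KERNEL)` rather than anything FreeBSD-specific. If the intent is to follow FreeBSD's level-3 "network secure" semantics, the test should be limited to that platform or the level made a per-platform constant, and the relaxation deserves a line in the changelog; the hunk carries no comment explaining the new value. A comment such as `/* 3 = "network secure" level on FreeBSD; lower levels still permit rule changes */` above the test would at least record the reasoning. The enclosing open function starts and ends outside the hunk.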
# endif return 0; + } } else if (fdp != NULL) { if (fdp->fd_ip.s_addr != 0) dst->sin_addr = fdp->fd_ip; *************** *** 1668,1680 **** rtalloc(ro); # endif - #if defined(__sgi) && (IRIX > 602) - ROUTE_UNLOCK(); - #endif - if (!ifp) { if (!fr || !(fr->fr_flags & FR_FASTROUTE)) { error = -2; goto bad; } } --- 1673,1684 ---- rtalloc(ro); # endif if (!ifp) { if (!fr || !(fr->fr_flags & FR_FASTROUTE)) { error = -2; + # if (defined(IRIX) && (IRIX >= 605)) + ROUTE_UNLOCK(); + # endif goto bad; } } *************** *** 1687,1697 **** error = EHOSTUNREACH; else error = ENETUNREACH; goto bad; } if (ro->ro_rt->rt_flags & RTF_GATEWAY) { ! #if BSD >= 199306 dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway; #else dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway; --- 1691,1704 ---- error = EHOSTUNREACH; else error = ENETUNREACH; + # if (defined(IRIX) && (IRIX >= 605)) + ROUTE_UNLOCK(); + # endif goto bad; } if (ro->ro_rt->rt_flags & RTF_GATEWAY) { ! #if (BSD >= 199306) || (defined(IRIX) && (IRIX >= 605)) dst = (struct sockaddr_in *)ro->ro_rt->rt_gateway; #else dst = (struct sockaddr_in *)&ro->ro_rt->rt_gateway; *************** *** 1699,1704 **** --- 1706,1715 ---- } ro->ro_rt->rt_use++; + #if (defined(IRIX) && (IRIX > 602)) + ROUTE_UNLOCK(); + #endif + /* * For input packets which are being "fastrouted", they won't * go back through output filtering and miss their chance to get *************** *** 1748,1755 **** --- 1759,1772 ---- ip->ip_sum = in_cksum(m, hlen); # endif /* __NetBSD__ && M_CSUM_IPv4 */ # if (BSD >= 199306) || (defined(IRIX) && (IRIX >= 605)) + # ifdef IRIX + IFNET_UPPERLOCK(ifp); + # endif error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, ro->ro_rt); + # ifdef IRIX + IFNET_UPPERUNLOCK(ifp); + # endif # else error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst); # endif *************** *** 1947,1963 **** u_long mtu; int error; - ifp = NULL; ro = &ip6route; fr = fin->fin_fr; bzero((caddr_t)ro, sizeof(*ro)); dst6 = (struct sockaddr_in6 
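Review bot: The unlock added after `ro->ro_rt->rt_use++` is guarded by `#if (defined(IRIX) && (IRIX > 602))`, while the matching `ROUTE_RDLOCK()` in the 1628,1634 hunk and the early-exit unlocks in the 1647,1654, 1668,1680 and 1687,1697 hunks all use `(IRIX >= 605)`. For an IRIX value of 603 or 604 this path would release a lock that was never taken; the old code had the same `> 602` test, so this looks carried over rather than chosen. Use `# if (defined(IRIX) && (IRIX >= 605))` here to match the other four sites. ipfr_fastroute's body extends beyond these hunks.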
*)&ro->ro_dst; dst6->sin6_family = AF_INET6; dst6->sin6_len = sizeof(struct sockaddr_in6); ! dst6->sin6_addr = fin->fin_fi.fi_src.in6; if (fdp != NULL) ifp = fdp->fd_ifp; if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) --- 1964,1981 ---- u_long mtu; int error; ro = &ip6route; fr = fin->fin_fr; bzero((caddr_t)ro, sizeof(*ro)); dst6 = (struct sockaddr_in6 *)&ro->ro_dst; dst6->sin6_family = AF_INET6; dst6->sin6_len = sizeof(struct sockaddr_in6); ! dst6->sin6_addr = fin->fin_fi.fi_dst.in6; if (fdp != NULL) ifp = fdp->fd_ifp; + else + ifp = fin->fin_ifp; if ((fr != NULL) && (fin->fin_rev != 0)) { if ((ifp != NULL) && (fdp == &fr->fr_tif)) diff -crN ip_fil3.4.31/ip_fil.h ip_fil3.4.32/ip_fil.h *** ip_fil3.4.31/ip_fil.h Wed Oct 2 01:23:37 2002 --- ip_fil3.4.32/ip_fil.h Sat Jun 7 21:56:02 2003 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.29.2.34 2002/10/01 15:23:37 darrenr Exp $ */ #ifndef __IP_FIL_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.29.2.35 2003/06/07 11:56:02 darrenr Exp $ */ #ifndef __IP_FIL_H__ *************** *** 151,157 **** u_short fin_dlen; /* length of data portion of packet */ u_short fin_id; /* IP packet id field */ u_int fin_misc; ! void *fin_mp; /* pointer to pointer to mbuf */ #if SOLARIS void *fin_qfm; /* pointer to mblk where pkt starts */ void *fin_qif; --- 151,157 ---- u_short fin_dlen; /* length of data portion of packet */ u_short fin_id; /* IP packet id field */ u_int fin_misc; ! mb_t **fin_mp; /* pointer to pointer to mbuf */ #if SOLARIS void *fin_qfm; /* pointer to mblk where pkt starts */ void *fin_qif; *************** *** 628,634 **** extern void fr_getstat __P((struct friostat *)); extern int fr_ifpaddr __P((int, void *, struct in_addr *)); extern int fr_lock __P((caddr_t, int *)); ! 
extern void fr_makefrip __P((int, ip_t *, fr_info_t *)); extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *)); extern int fr_scanlist __P((u_32_t, ip_t *, fr_info_t *, void *)); extern int fr_tcpudpchk __P((frtuc_t *, fr_info_t *)); --- 628,634 ---- extern void fr_getstat __P((struct friostat *)); extern int fr_ifpaddr __P((int, void *, struct in_addr *)); extern int fr_lock __P((caddr_t, int *)); ! extern int fr_makefrip __P((int, ip_t *, fr_info_t *)); extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *)); extern int fr_scanlist __P((u_32_t, ip_t *, fr_info_t *, void *)); extern int fr_tcpudpchk __P((frtuc_t *, fr_info_t *)); diff -crN ip_fil3.4.31/ip_frag.c ip_fil3.4.32/ip_frag.c *** ip_fil3.4.31/ip_frag.c Fri Dec 6 22:40:21 2002 --- ip_fil3.4.32/ip_frag.c Thu Jun 12 08:28:15 2003 *************** *** 90,96 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.25 2002/12/06 11:40:21 darrenr Exp $"; #endif --- 90,96 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.28 2003/06/11 22:28:15 darrenr Exp $"; #endif *************** *** 195,201 **** /* ! * Instert the fragment into the fragment table, copy the struct used * in the search using bcopy rather than reassign each field. * Set the ttl to the default. */ --- 195,201 ---- /* ! * Insert the fragment into the fragment table, copy the struct used * in the search using bcopy rather than reassign each field. * Set the ttl to the default. */ *************** *** 423,429 **** /* * forget any references to this external object. */ ! void ipfr_forget(nat) void *nat; { ipfr_t *fr; --- 423,448 ---- /* * forget any references to this external object. */ ! void ipfr_forget(ptr) ! void *ptr; ! { ! ipfr_t *fr; ! int idx; ! ! WRITE_ENTER(&ipf_frag); ! 
for (idx = IPFT_SIZE - 1; idx >= 0; idx--) ! for (fr = ipfr_heads[idx]; fr; fr = fr->ipfr_next) ! if (fr->ipfr_data == ptr) ! fr->ipfr_data = NULL; ! ! RWLOCK_EXIT(&ipf_frag); ! } ! ! ! /* ! * forget any references to this external object. ! */ ! void ipfr_forgetnat(nat) void *nat; { ipfr_t *fr; *************** *** 431,437 **** WRITE_ENTER(&ipf_natfrag); for (idx = IPFT_SIZE - 1; idx >= 0; idx--) ! for (fr = ipfr_heads[idx]; fr; fr = fr->ipfr_next) if (fr->ipfr_data == nat) fr->ipfr_data = NULL; --- 450,456 ---- WRITE_ENTER(&ipf_natfrag); for (idx = IPFT_SIZE - 1; idx >= 0; idx--) ! for (fr = ipfr_nattab[idx]; fr; fr = fr->ipfr_next) if (fr->ipfr_data == nat) fr->ipfr_data = NULL; diff -crN ip_fil3.4.31/ip_frag.h ip_fil3.4.32/ip_frag.h *** ip_fil3.4.31/ip_frag.h Sun Jul 7 00:17:51 2002 --- ip_fil3.4.32/ip_frag.h Thu Jun 12 08:28:16 2003 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_frag.h 1.5 3/24/96 ! * $Id: ip_frag.h,v 2.4.2.7 2002/07/06 14:17:51 darrenr Exp $ */ #ifndef __IP_FRAG_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_frag.h 1.5 3/24/96 ! * $Id: ip_frag.h,v 2.4.2.8 2003/06/11 22:28:16 darrenr Exp $ */ #ifndef __IP_FRAG_H__ *************** *** 53,58 **** --- 53,59 ---- extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *)); extern frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *)); extern void ipfr_forget __P((void *)); + extern void ipfr_forgetnat __P((void *)); extern void ipfr_unload __P((void)); extern void ipfr_fragexpire __P((void)); diff -crN ip_fil3.4.31/ip_ftp_pxy.c ip_fil3.4.32/ip_ftp_pxy.c *** ip_fil3.4.31/ip_ftp_pxy.c Tue Nov 26 08:42:35 2002 --- ip_fil3.4.32/ip_ftp_pxy.c Sat Jun 7 21:56:02 2003 *************** *** 2,8 **** * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * ! 
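Review bot: The comment above the new `ipfr_forgetnat` is a verbatim copy of the one above `ipfr_forget` ("forget any references to this external object."), so nothing tells a reader that one walks `ipfr_heads` under `ipf_frag` and the other `ipfr_nattab` under `ipf_natfrag`, which is exactly the distinction the split exists to make. Suggest `/* Clear references to ptr held by entries of the plain fragment table (ipfr_heads). */` on ipfr_forget and `/* Clear references to nat held by entries of the NAT fragment table (ipfr_nattab). */` on ipfr_forgetnat. The two bodies are otherwise identical apart from table and lock, so a small `static` helper taking the table pointer, called under the respective lock, would remove the duplication.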
* $Id: ip_ftp_pxy.c,v 2.7.2.42 2002/11/25 21:42:35 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; --- 2,8 ---- * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * ! * $Id: ip_ftp_pxy.c,v 2.7.2.44 2003/06/07 11:56:02 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; *************** *** 121,127 **** int inc, off; nat_t *ipn; mb_t *m; ! #if SOLARIS mb_t *m1; #endif --- 121,127 ---- int inc, off; nat_t *ipn; mb_t *m; ! #if SOLARIS && defined(_KERNEL) mb_t *m1; #endif *************** *** 221,227 **** } #if !defined(_KERNEL) ! m = *((mb_t **)fin->fin_mp); bcopy(newbuf, (char *)m + off, nlen); #else # if SOLARIS --- 221,227 ---- } #if !defined(_KERNEL) ! m = *fin->fin_mp; bcopy(newbuf, (char *)m + off, nlen); #else # if SOLARIS *************** *** 251,257 **** } copyin_mblk(m, off, nlen, newbuf); # else ! m = *((mb_t **)fin->fin_mp); if (inc < 0) m_adj(m, inc); /* the mbuf chain will be extended if necessary by m_copyback() */ --- 251,257 ---- } copyin_mblk(m, off, nlen, newbuf); # else ! m = *fin->fin_mp; if (inc < 0) m_adj(m, inc); /* the mbuf chain will be extended if necessary by m_copyback() */ *************** *** 542,548 **** return 0; #if !defined(_KERNEL) ! m = *((mb_t **)fin->fin_mp); m_copyback(m, off, nlen, newbuf); #else # if SOLARIS --- 542,548 ---- return 0; #if !defined(_KERNEL) ! m = *fin->fin_mp; m_copyback(m, off, nlen, newbuf); #else # if SOLARIS *************** *** 569,575 **** } /*copyin_mblk(m, off, nlen, newbuf);*/ # else /* SOLARIS */ ! m = *((mb_t **)fin->fin_mp); if (inc < 0) m_adj(m, inc); /* the mbuf chain will be extended if necessary by m_copyback() */ --- 569,575 ---- } /*copyin_mblk(m, off, nlen, newbuf);*/ # else /* SOLARIS */ ! m = *fin->fin_mp; if (inc < 0) m_adj(m, inc); /* the mbuf chain will be extended if necessary by m_copyback() */ *************** *** 875,881 **** #if SOLARIS && defined(_KERNEL) m = fin->fin_qfm; #else ! 
m = *((mb_t **)fin->fin_mp); #endif #ifndef _KERNEL --- 875,881 ---- #if SOLARIS && defined(_KERNEL) m = fin->fin_qfm; #else ! m = *fin->fin_mp; #endif #ifndef _KERNEL diff -crN ip_fil3.4.31/ip_nat.c ip_fil3.4.32/ip_nat.c *** ip_fil3.4.31/ip_nat.c Fri Dec 6 22:40:21 2002 --- ip_fil3.4.32/ip_nat.c Fri Jun 13 02:18:29 2003 *************** *** 109,115 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.74 2002/12/06 11:40:21 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, --- 109,115 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.78 2003/06/12 16:18:29 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, *************** *** 778,783 **** --- 778,785 ---- if ((aps != NULL) && (aps->aps_data != 0)) { ng.ng_sz += sizeof(ap_session_t); ng.ng_sz += aps->aps_psiz; + if (aps->aps_psiz > 4) /* XXX - sizeof(ipn_data) */ + ng.ng_sz -= 4; } error = IWCOPY((caddr_t)&ng, data, sizeof(ng)); *************** *** 793,798 **** --- 795,801 ---- nat_save_t ipn, *ipnp, *ipnn = NULL; register nat_t *n, *nat; ap_session_t *aps; + size_t dsz; int error; error = IRCOPY(data, (caddr_t)&ipnp, sizeof(ipnp)); *************** *** 824,830 **** } ipn.ipn_next = nat->nat_next; - ipn.ipn_dsize = 0; bcopy((char *)nat, (char *)&ipn.ipn_nat, sizeof(ipn.ipn_nat)); ipn.ipn_nat.nat_data = NULL; --- 827,832 ---- *************** *** 838,847 **** sizeof(ipn.ipn_rule)); if ((aps = nat->nat_aps)) { ! ipn.ipn_dsize = sizeof(*aps); if (aps->aps_data) ! ipn.ipn_dsize += aps->aps_psiz; ! KMALLOCS(ipnn, nat_save_t *, sizeof(*ipnn) + ipn.ipn_dsize); if (ipnn == NULL) return ENOMEM; bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn)); --- 840,852 ---- sizeof(ipn.ipn_rule)); if ((aps = nat->nat_aps)) { ! dsz = sizeof(*aps); if (aps->aps_data) ! dsz += aps->aps_psiz; ! 
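Review bot: The size this hunk reports in ng_sz does not match what the get-entry code in the following hunks copies out: here sizeof(ap_session_t) is added only when `aps->aps_data != 0`, whereas the getter sets `dsz = sizeof(*aps)` whenever `nat->nat_aps` is non-NULL and only adds aps_psiz conditionally, so a NAT entry with a proxy session but no proxy data makes that later IWCOPY write sizeof(ap_session_t) bytes past the buffer userland sized from ng_sz. The hard-coded `4` with its XXX comment should also be the sizeof of the ipn_data member, as the getter already does, and the subtraction should be tested against the whole session-plus-data size rather than aps_psiz alone so the two computations cannot drift apart again. The enclosing ioctl handler starts before this hunk.
```c
	/* … unchanged: locate nat and its aps … */
	if (aps != NULL) {
		/* Must agree byte for byte with the get-entry path: the whole
		 * ap_session_t always goes out, aps_data only when present, and
		 * the first sizeof(ipn_data) bytes are carried inside nat_save_t. */
		size_t dsz = sizeof(*aps);

		if (aps->aps_data != 0)
			dsz += aps->aps_psiz;
		if (dsz > sizeof(((nat_save_t *)0)->ipn_data))
			dsz -= sizeof(((nat_save_t *)0)->ipn_data);
		ng.ng_sz += dsz;
	}
	/* … unchanged: IWCOPY of ng … */
```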
ipn.ipn_dsize = dsz; ! if (dsz > sizeof(ipn.ipn_data)) ! dsz -= sizeof(ipn.ipn_data); ! KMALLOCS(ipnn, nat_save_t *, sizeof(*ipnn) + dsz); if (ipnn == NULL) return ENOMEM; bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn)); *************** *** 850,863 **** if (aps->aps_data) { bcopy(aps->aps_data, ipnn->ipn_data + sizeof(*aps), aps->aps_psiz); - ipnn->ipn_dsize += aps->aps_psiz; } error = IWCOPY((caddr_t)ipnn, ipnp, ! sizeof(ipn) + ipn.ipn_dsize); if (error) error = EFAULT; ! KFREES(ipnn, sizeof(*ipnn) + ipn.ipn_dsize); } else { error = IWCOPY((caddr_t)&ipn, ipnp, sizeof(ipn)); if (error) error = EFAULT; --- 855,868 ---- if (aps->aps_data) { bcopy(aps->aps_data, ipnn->ipn_data + sizeof(*aps), aps->aps_psiz); } error = IWCOPY((caddr_t)ipnn, ipnp, ! sizeof(ipn) + dsz); if (error) error = EFAULT; ! KFREES(ipnn, sizeof(*ipnn) + dsz); } else { + ipn.ipn_dsize = 0; error = IWCOPY((caddr_t)&ipn, ipnp, sizeof(ipn)); if (error) error = EFAULT; *************** *** 885,896 **** return EFAULT; nat = NULL; if (ipn.ipn_dsize) { ! KMALLOCS(ipnn, nat_save_t *, sizeof(ipn) + ipn.ipn_dsize); if (ipnn == NULL) return ENOMEM; bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn)); ! error = IRCOPY((caddr_t)ipnp, (caddr_t)ipn.ipn_data, ! ipn.ipn_dsize); if (error) { error = EFAULT; goto junkput; --- 890,901 ---- return EFAULT; nat = NULL; if (ipn.ipn_dsize) { ! KMALLOCS(ipnn, nat_save_t *, sizeof(*ipnn) + ipn.ipn_dsize); if (ipnn == NULL) return ENOMEM; bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn)); ! error = IRCOPY((caddr_t)ipnp + offsetof(nat_save_t, ipn_data), ! (caddr_t)ipnn->ipn_data, ipn.ipn_dsize); if (error) { error = EFAULT; goto junkput; *************** *** 1065,1071 **** * If there's a fragment table entry too for this nat entry, then * dereference that as well. */ ! ipfr_forget((void *)natd); aps_free(natd->nat_aps); nat_stats.ns_inuse--; KFREE(natd); --- 1070,1076 ---- * If there's a fragment table entry too for this nat entry, then * dereference that as well. */ ! 
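Review bot: ipn.ipn_dsize arrives from userland (the IRCOPY into ipn just above this hunk) and flows unchecked into `KMALLOCS(ipnn, nat_save_t *, sizeof(*ipnn) + ipn.ipn_dsize)` and the IRCOPY that follows, so a caller can force an arbitrarily large kernel allocation, and, depending on the declared type of ipn_dsize (not visible here), a wrapped allocation size followed by a copy of the full length. Because the get-entry path produces this blob as an ap_session_t followed by aps_psiz bytes, whatever unpacks it after this hunk presumably assumes at least sizeof(ap_session_t) is present, so both bounds matter; I would reject out-of-range sizes before allocating, e.g. `if (ipn.ipn_dsize < sizeof(ap_session_t) || ipn.ipn_dsize > 65535) return EINVAL;` with the cap set to the largest proxy state actually saved. The ioctl is privileged, but ipfs appears to feed saved-state files through it, so a corrupt or tampered save file reaches this code. The enclosing function starts before and ends after this hunk.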
ipfr_forgetnat((void *)natd); aps_free(natd->nat_aps); nat_stats.ns_inuse--; KFREE(natd); *************** *** 1754,1759 **** --- 1759,1766 ---- * offending IP packet (oip), not to its ICMP response (icmp) */ fix_datacksum(&oip->ip_sum, sumd); + /* Fix icmp cksum : IP Addr + Cksum */ + sumd2 = (sumd << 1); /* * Fix UDP pseudo header checksum to compensate for the *************** *** 1773,1779 **** * checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); ! sumd2 = sumd; } /* --- 1780,1786 ---- * checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); ! sumd2 += sumd; } /* *************** *** 1793,1799 **** * checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); ! sumd2 = sumd; } } else { --- 1800,1806 ---- * checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); ! sumd2 += sumd; } } else { *************** *** 1815,1820 **** --- 1822,1829 ---- * offending IP packet (oip), not to its ICMP response (icmp) */ fix_datacksum(&oip->ip_sum, sumd); + /* Fix icmp cksum : IP Addr + Cksum */ + sumd2 = (sumd << 1); /* XXX FV : without having looked at Solaris source code, it seems unlikely * that SOLARIS would compensate this in the kernel (a body of an IP packet *************** *** 1840,1846 **** * checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); ! sumd2 = sumd; } /* --- 1849,1855 ---- * checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); ! sumd2 += sumd; } /* *************** *** 1860,1866 **** * checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); ! sumd2 = sumd; } #endif } --- 1869,1875 ---- * checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); ! sumd2 += sumd; } #endif } *************** *** 2510,2516 **** if (nat->nat_age < fr_defnaticmpage) nat->nat_age = fr_defnaticmpage; #ifdef LARGE_NAT ! else if (nat->nat_age > fr_defnatage) nat->nat_age = fr_defnatage; #endif /* --- 2519,2526 ---- if (nat->nat_age < fr_defnaticmpage) nat->nat_age = fr_defnaticmpage; #ifdef LARGE_NAT ! else if ((!np || !np->in_age[1]) && ! 
(nat->nat_age > fr_defnatage)) nat->nat_age = fr_defnatage; #endif /* *************** *** 2731,2737 **** if (nat->nat_age < fr_defnaticmpage) nat->nat_age = fr_defnaticmpage; #ifdef LARGE_NAT ! else if (nat->nat_age > fr_defnatage) nat->nat_age = fr_defnatage; #endif /* --- 2741,2748 ---- if (nat->nat_age < fr_defnaticmpage) nat->nat_age = fr_defnaticmpage; #ifdef LARGE_NAT ! else if ((!np || !np->in_age[0]) && ! (nat->nat_age > fr_defnatage)) nat->nat_age = fr_defnatage; #endif /* *************** *** 2983,2989 **** if (&cp[1] >= ep) break; advance = cp[1]; ! if (&cp[advance] >= ep) break; switch (opt) { case TCPOPT_MAXSEG: --- 2994,3000 ---- if (&cp[1] >= ep) break; advance = cp[1]; ! if (&cp[advance] > ep) break; switch (opt) { case TCPOPT_MAXSEG: diff -crN ip_fil3.4.31/ip_nat.h ip_fil3.4.32/ip_nat.h *** ip_fil3.4.31/ip_nat.h Mon Nov 4 00:06:21 2002 --- ip_fil3.4.32/ip_nat.h Mon Mar 31 21:52:05 2003 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.17.2.28 2002/11/03 13:06:21 darrenr Exp $ */ #ifndef __IP_NAT_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.17.2.29 2003/03/31 11:52:05 darrenr Exp $ */ #ifndef __IP_NAT_H__ *************** *** 34,59 **** * a setup with 1000-2000 networks to NAT. */ #ifndef NAT_SIZE ! # define NAT_SIZE 127 #endif #ifndef RDR_SIZE ! # define RDR_SIZE 127 #endif #ifndef HOSTMAP_SIZE ! # define HOSTMAP_SIZE 127 #endif #ifndef NAT_TABLE_SZ ! # define NAT_TABLE_SZ 127 ! #endif ! #ifdef LARGE_NAT ! #undef NAT_SIZE ! #undef RDR_SIZE ! #undef NAT_TABLE_SZ ! #undef HOSTMAP_SIZE 127 ! #define NAT_SIZE 2047 ! #define RDR_SIZE 2047 ! #define NAT_TABLE_SZ 16383 ! #define HOSTMAP_SIZE 8191 #endif #ifndef APR_LABELLEN #define APR_LABELLEN 16 --- 34,65 ---- * a setup with 1000-2000 networks to NAT. */ #ifndef NAT_SIZE ! # ifdef LARGE_NAT ! # define NAT_SIZE 2047 ! # else ! 
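Review bot: The relaxed bound `if (&cp[advance] > ep) break;` still accepts an option length byte of 0 or 1: with `advance == 0` the test is trivially false and, if the enclosing loop steps by advance (its header is outside the hunk), a crafted SYN leaves the kernel spinning on the same option; with `advance == 1` the next option is parsed from inside the current one. Every TCP option that carries a length field must have length >= 2, so the guard should be `if (advance < 2 || &cp[advance] > ep) break;`. Changing `>=` to `>` itself is correct since ep is an exclusive end.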
# define NAT_SIZE 127 ! # endif #endif #ifndef RDR_SIZE ! # ifdef LARGE_NAT ! # define RDR_SIZE 2047 ! # else ! # define RDR_SIZE 127 ! # endif #endif #ifndef HOSTMAP_SIZE ! # ifdef LARGE_NAT ! # define HOSTMAP_SIZE 2047 ! # else ! # define HOSTMAP_SIZE 8191 ! # endif #endif #ifndef NAT_TABLE_SZ ! # ifdef LARGE_NAT ! # define NAT_TABLE_SZ 2047 ! # else ! # define NAT_TABLE_SZ 16383 ! # endif #endif #ifndef APR_LABELLEN #define APR_LABELLEN 16 diff -crN ip_fil3.4.31/ip_raudio_pxy.c ip_fil3.4.32/ip_raudio_pxy.c *** ip_fil3.4.31/ip_raudio_pxy.c Sun Jan 13 15:58:29 2002 --- ip_fil3.4.32/ip_raudio_pxy.c Sat Apr 26 15:59:39 2003 *************** *** 1,5 **** /* ! * $Id: ip_raudio_pxy.c,v 1.7.2.8 2002/01/13 04:58:29 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; --- 1,5 ---- /* ! * $Id: ip_raudio_pxy.c,v 1.7.2.9 2003/04/26 05:59:39 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; *************** *** 66,74 **** tcphdr_t *tcp; int len = 0; mb_t *m; - #if SOLARIS - mb_t *m1; - #endif /* * If we've already processed the start messages, then nothing left --- 66,71 ---- *************** *** 181,189 **** nat_t *ipn; u_char swp; mb_t *m; - #if SOLARIS - mb_t *m1; - #endif /* * Wait until we've seen the end of the start messages and even then --- 178,183 ---- diff -crN ip_fil3.4.31/ip_rcmd_pxy.c ip_fil3.4.32/ip_rcmd_pxy.c *** ip_fil3.4.31/ip_rcmd_pxy.c Wed Oct 2 01:24:59 2002 --- ip_fil3.4.32/ip_rcmd_pxy.c Sat Apr 26 15:59:39 2003 *************** *** 1,5 **** /* ! * $Id: ip_rcmd_pxy.c,v 1.4.2.6 2002/10/01 15:24:59 darrenr Exp $ */ /* * Simple RCMD transparent proxy for in-kernel use. For use with the NAT --- 1,5 ---- /* ! * $Id: ip_rcmd_pxy.c,v 1.4.2.7 2003/04/26 05:59:39 darrenr Exp $ */ /* * Simple RCMD transparent proxy for in-kernel use. 
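Review bot: The LARGE_NAT arms for HOSTMAP_SIZE and NAT_TABLE_SZ appear inverted: the old text gave LARGE_NAT builds 8191 and 16383 and everyone else 127, while the new text gives LARGE_NAT 2047 for both and the default build 8191 and 16383, so a LARGE_NAT kernel now has smaller hash tables than a default one (NAT_SIZE and RDR_SIZE directly above are handled as expected). Unless the defaults were deliberately raised, the `#ifdef LARGE_NAT` / `#else` arms should read `# define HOSTMAP_SIZE 8191` / `# define HOSTMAP_SIZE 127` and `# define NAT_TABLE_SZ 16383` / `# define NAT_TABLE_SZ 127`. Undersized tables on a large-NAT box degrade lookups into long chain walks under exactly the load LARGE_NAT is meant for.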
For use with the NAT *************** *** 88,96 **** u_short sp; nat_t *ipn; mb_t *m; - #if SOLARIS - mb_t *m1; - #endif tcp = (tcphdr_t *)fin->fin_dp; --- 88,93 ---- diff -crN ip_fil3.4.31/ip_sfil.c ip_fil3.4.32/ip_sfil.c *** ip_fil3.4.31/ip_sfil.c Fri Dec 6 22:42:22 2002 --- ip_fil3.4.32/ip_sfil.c Fri Jun 13 02:03:14 2003 *************** *** 7,13 **** */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.24 2002/12/06 11:42:22 darrenr Exp $"; #endif #include --- 7,13 ---- */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.27 2003/06/12 16:03:14 darrenr Exp $"; #endif #include *************** *** 623,630 **** while ((f = *ftail)) ftail = &f->fr_next; else { if (fp->fr_hits) { - ftail = fprev; while (--fp->fr_hits && (f = *ftail)) ftail = &f->fr_next; } --- 623,630 ---- while ((f = *ftail)) ftail = &f->fr_next; else { + ftail = fprev; if (fp->fr_hits) { while (--fp->fr_hits && (f = *ftail)) ftail = &f->fr_next; } *************** *** 785,799 **** tcp2->th_sport = tcp->th_dport; if (tcp->th_flags & TH_ACK) { tcp2->th_seq = tcp->th_ack; ! tcp2->th_flags = TH_RST|TH_ACK; } else { tcp2->th_ack = ntohl(tcp->th_seq); tcp2->th_ack += tlen; tcp2->th_ack = htonl(tcp2->th_ack); ! tcp2->th_flags = TH_RST; } tcp2->th_off = sizeof(struct tcphdr) >> 2; - tcp2->th_flags = TH_RST|TH_ACK; /* * This is to get around a bug in the Solaris 2.4/2.5 TCP checksum --- 785,798 ---- tcp2->th_sport = tcp->th_dport; if (tcp->th_flags & TH_ACK) { tcp2->th_seq = tcp->th_ack; ! tcp2->th_flags = TH_RST; } else { tcp2->th_ack = ntohl(tcp->th_seq); tcp2->th_ack += tlen; tcp2->th_ack = htonl(tcp2->th_ack); ! 
tcp2->th_flags = TH_RST|TH_ACK; } tcp2->th_off = sizeof(struct tcphdr) >> 2; /* * This is to get around a bug in the Solaris 2.4/2.5 TCP checksum diff -crN ip_fil3.4.31/ip_state.c ip_fil3.4.32/ip_state.c *** ip_fil3.4.31/ip_state.c Fri Dec 6 22:40:24 2002 --- ip_fil3.4.32/ip_state.c Sat Jun 7 21:55:55 2003 *************** *** 93,99 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.77 2002/12/06 11:40:24 darrenr Exp $"; #endif #ifndef MIN --- 93,99 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.84 2003/06/07 11:55:55 darrenr Exp $"; #endif #ifndef MIN *************** *** 921,927 **** fdata->td_wscale = wscale; else if (wscale == -2) fdata->td_wscale = tdata->td_wscale = 0; ! win <<= fdata->td_wscale; if ((fdata->td_end == 0) && (!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) { --- 921,928 ---- fdata->td_wscale = wscale; else if (wscale == -2) fdata->td_wscale = tdata->td_wscale = 0; ! if (!(tcp->th_flags & TH_SYN)) ! win <<= fdata->td_wscale; if ((fdata->td_end == 0) && (!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) { *************** *** 955,968 **** (SEQ_GE(seq, fdata->td_end - maxwin)) && /* XXX what about big packets */ #define MAXACKWINDOW 66000 ! (ackskew >= -MAXACKWINDOW) && ! (ackskew <= MAXACKWINDOW)) { ! /* if ackskew < 0 then this should be due to fragented * packets. There is no way to know the length of the * total packet in advance. * We do know the total length from the fragment cache though. * Note however that there might be more sessions with ! * exactly the same source and destination paramters in the * state cache (and source and destination is the only stuff * that is saved in the fragment cache). 
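Review bot: td_wscale is shifted into `win` here, and into MAXACKWINDOW in the next hunk, without ever being clamped, yet it comes from the peer's window-scale option (`fdata->td_wscale = wscale` is visible as context). RFC 1323 caps the shift count at 14; a larger advertised value makes `66000 << 15` overflow int and, if win is 32 bits, a shift by 32 or more is undefined, so one crafted SYN can make the sequence-window checks misbehave for that session. Clamp at the assignment, `fdata->td_wscale = (wscale > 14) ? 14 : wscale;`, or drop the option when it is parsed. Not scaling the window on SYN segments is correct. The enclosing function starts before this hunk.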
Note further that * some TCP connections in the state cache are hashed with --- 956,970 ---- (SEQ_GE(seq, fdata->td_end - maxwin)) && /* XXX what about big packets */ #define MAXACKWINDOW 66000 ! (-ackskew <= (MAXACKWINDOW << tdata->td_wscale)) && ! ( ackskew <= (MAXACKWINDOW << tdata->td_wscale))) { ! ! /* if ackskew < 0 then this should be due to fragmented * packets. There is no way to know the length of the * total packet in advance. * We do know the total length from the fragment cache though. * Note however that there might be more sessions with ! * exactly the same source and destination parameters in the * state cache (and source and destination is the only stuff * that is saved in the fragment cache). Note further that * some TCP connections in the state cache are hashed with *************** *** 1224,1230 **** * may be too big to be in this buffer but not so big that it's * outside the ICMP packet, leading to TCP deref's causing problems. * This is possible because we don't know how big oip_hl is when we ! * do the pullup early in fr_check() and thus can't gaurantee it is * all here now. */ #ifdef _KERNEL --- 1226,1232 ---- * may be too big to be in this buffer but not so big that it's * outside the ICMP packet, leading to TCP deref's causing problems. * This is possible because we don't know how big oip_hl is when we ! * do the pullup early in fr_check() and thus can't guarantee it is * all here now. */ #ifdef _KERNEL *************** *** 1253,1260 **** --- 1255,1266 ---- bzero((char *)&ofin, sizeof(ofin)); ofin.fin_ifp = fin->fin_ifp; ofin.fin_out = !fin->fin_out; + ofin.fin_mp = NULL; ofin.fin_v = 4; fr = NULL; + #if SOLARIS + ofin.fin_qfm = NULL; + #endif switch (oip->ip_p) { *************** *** 1262,1268 **** icmp = (icmphdr_t *)((char *)oip + ohlen); /* ! 
* a ICMP error can only be generated as a result of an * ICMP query, not as the response on an ICMP error * * XXX theoretically ICMP_ECHOREP and the other reply's are --- 1268,1274 ---- icmp = (icmphdr_t *)((char *)oip + ohlen); /* ! * an ICMP error can only be generated as a result of an * ICMP query, not as the response on an ICMP error * * XXX theoretically ICMP_ECHOREP and the other reply's are *************** *** 1675,1682 **** for (is = ips_list; is; is = is->is_next) { for (i = 0; i < 4; i++) { if (is->is_ifp[i] == ifp) { ! is->is_ifpin = GETUNIT(is->is_ifname[i], ! is->is_v); if (!is->is_ifp[i]) is->is_ifp[i] = (void *)-1; } --- 1681,1688 ---- for (is = ips_list; is; is = is->is_next) { for (i = 0; i < 4; i++) { if (is->is_ifp[i] == ifp) { ! is->is_ifp[i] = GETUNIT(is->is_ifname[i], ! is->is_v); if (!is->is_ifp[i]) is->is_ifp[i] = (void *)-1; } *************** *** 1843,1859 **** state[dir] = TCPS_SYN_SENT; newage = fr_tcptimeout; } /* * The next piece of code makes it possible to get * already established connections into the state table * after a restart or reload of the filter rules; this * does not work when a strict 'flags S keep state' is ! * used for tcp connections of course */ ! if (!fsm && (flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK) { /* we saw an A, guess 'dir' is in ESTABLISHED mode */ ! if (state[1 - dir] == TCPS_CLOSED || ! state[1 - dir] == TCPS_ESTABLISHED) { state[dir] = TCPS_ESTABLISHED; newage = fr_tcpidletimeout; } --- 1849,1889 ---- state[dir] = TCPS_SYN_SENT; newage = fr_tcptimeout; } + + /* + * It is apparently possible that a hosts sends two syncs + * before the remote party is able to respond with a SA. In + * such a case the remote server sometimes ACK's the second + * sync, and then responds with a SA. The following code + * is used to prevent this ack from being blocked. + * + * We do not reset the timeout here to fr_tcptimeout because + * a connection connect timeout does not renew after every + * packet that is sent. 
We need to set newage to something + * to indicate the packet has passed the check for its flags + * being valid in the TCP FSM. + */ + else if ((ostate == TCPS_SYN_SENT) && + ((flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK)) { + newage = *age; + } + /* * The next piece of code makes it possible to get * already established connections into the state table * after a restart or reload of the filter rules; this * does not work when a strict 'flags S keep state' is ! * used for tcp connections of course, however, use a ! * lower time-out so the state disappears quickly if ! * the other side does not pick it up. */ ! else if (!fsm && ! (flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK) { /* we saw an A, guess 'dir' is in ESTABLISHED mode */ ! if (ostate == TCPS_CLOSED) { ! state[dir] = TCPS_ESTABLISHED; ! newage = fr_tcptimeout; ! } else if (ostate == TCPS_ESTABLISHED) { state[dir] = TCPS_ESTABLISHED; newage = fr_tcpidletimeout; } *************** *** 2134,2145 **** bzero((char *)&ofin, sizeof(ofin)); ofin.fin_out = !fin->fin_out; ofin.fin_ifp = fin->fin_ifp; ofin.fin_v = 6; if (oip->ip6_nxt == IPPROTO_ICMPV6) { oic = (struct icmp6_hdr *)(oip + 1); /* ! * a ICMP error can only be generated as a result of an * ICMP query, not as the response on an ICMP error * * XXX theoretically ICMP_ECHOREP and the other reply's are --- 2164,2179 ---- bzero((char *)&ofin, sizeof(ofin)); ofin.fin_out = !fin->fin_out; ofin.fin_ifp = fin->fin_ifp; + ofin.fin_mp = NULL; ofin.fin_v = 6; + #if SOLARIS + ofin.fin_qfm = NULL; + #endif if (oip->ip6_nxt == IPPROTO_ICMPV6) { oic = (struct icmp6_hdr *)(oip + 1); /* ! * an ICMP error can only be generated as a result of an * ICMP query, not as the response on an ICMP error * * XXX theoretically ICMP_ECHOREP and the other reply's are *************** *** 2208,2215 **** hv += sport; hv %= fr_statesize; /* ! * we make an fin entry to be able to feed it to ! * matchsrcdst note that not all fields are encessary * but this is the cleanest way. 
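Review bot: The new `ostate == TCPS_SYN_SENT` branch admits any pure ACK from the `dir` side regardless of state[dir], which is broader than the double-SYN scenario the comment describes, where the `dir` side has not sent anything yet. If that scenario is the intent, `else if ((ostate == TCPS_SYN_SENT) && (state[dir] == TCPS_CLOSED) && ((flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK))` keeps the exception from also covering other half-open combinations; the hunk does not show how ostate is derived, so please confirm it is the other direction's state. The comment should also say "a host sends two SYNs" and "ACKs the second SYN" rather than "hosts sends two syncs". The enclosing function starts before and ends after this hunk.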
Note further we fill * in fin_mp such that if someone uses it we'll get * a kernel panic. fr_matchsrcdst does not use this. --- 2242,2249 ---- hv += sport; hv %= fr_statesize; /* ! * We make a fin entry to be able to feed it to ! * matchsrcdst. Note that not all fields are necessary * but this is the cleanest way. Note further we fill * in fin_mp such that if someone uses it we'll get * a kernel panic. fr_matchsrcdst does not use this. diff -crN ip_fil3.4.31/ipf.c ip_fil3.4.32/ipf.c *** ip_fil3.4.31/ipf.c Fri Dec 6 22:41:13 2002 --- ip_fil3.4.32/ipf.c Mon Jun 23 10:41:12 2003 *************** *** 50,56 **** #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.19 2002/12/06 11:41:13 darrenr Exp $"; #endif #if SOLARIS --- 50,56 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.22 2003/06/23 00:41:12 darrenr Exp $"; #endif #if SOLARIS *************** *** 61,66 **** --- 61,67 ---- #endif extern char *optarg; + extern int optind; void frsync __P((void)); void zerostats __P((void)); *************** *** 72,86 **** static int fd = -1; static void procfile __P((char *, char *)), flushfilter __P((char *)); ! static void set_state __P((u_int)), showstats __P((friostat_t *)); static void packetlogon __P((char *)), swapactive __P((void)); static int opendevice __P((char *)); static void closedevice __P((void)); static char *getline __P((char *, size_t, FILE *, int *)); static char *ipfname = IPL_NAME; ! static void usage __P((void)); static int showversion __P((void)); ! static int get_flags __P((void)); #if SOLARIS --- 73,88 ---- static int fd = -1; static void procfile __P((char *, char *)), flushfilter __P((char *)); ! static int set_state __P((u_int)); ! 
static void showstats __P((friostat_t *)); static void packetlogon __P((char *)), swapactive __P((void)); static int opendevice __P((char *)); static void closedevice __P((void)); static char *getline __P((char *, size_t, FILE *, int *)); static char *ipfname = IPL_NAME; ! static void usage __P((char *)); static int showversion __P((void)); ! static int get_flags __P((int *)); #if SOLARIS *************** *** 89,97 **** # define OPTS "6AdDEf:F:Il:noPrsvVyzZ" #endif ! static void usage() { ! fprintf(stderr, "usage: ipf [-%s] %s %s %s\n", OPTS, "[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]"); exit(1); } --- 91,100 ---- # define OPTS "6AdDEf:F:Il:noPrsvVyzZ" #endif ! static void usage(name) ! char *name; { ! fprintf(stderr, "usage: %s [-%s] %s %s %s\n", name, OPTS, "[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]"); exit(1); } *************** *** 103,108 **** --- 106,114 ---- { int c; + if (argc < 2) + usage(argv[0]); + while ((c = getopt(argc, argv, OPTS)) != -1) { switch (c) { *************** *** 113,122 **** opts &= ~OPT_INACTIVE; break; case 'E' : ! set_state((u_int)1); break; case 'D' : ! set_state((u_int)0); break; case 'd' : opts |= OPT_DEBUG; --- 119,130 ---- opts &= ~OPT_INACTIVE; break; case 'E' : ! if (set_state((u_int)1)) ! exit(1); break; case 'D' : ! if (set_state((u_int)0)) ! exit(1); break; case 'd' : opts |= OPT_DEBUG; *************** *** 168,179 **** case 'Z' : zerostats(); break; default : ! usage(); break; } } if (fd != -1) (void) close(fd); --- 176,191 ---- case 'Z' : zerostats(); break; + case '?' : default : ! usage(argv[0]); break; } } + if (optind < 2) + usage(argv[0]); + if (fd != -1) (void) close(fd); *************** *** 186,238 **** char *ipfdev; { if (opts & OPT_DONOTHING) ! return -2; if (!ipfdev) ipfdev = ipfname; ! if (!(opts & OPT_DONOTHING) && fd == -1) ! if ((fd = open(ipfdev, O_RDWR)) == -1) ! if ((fd = open(ipfdev, O_RDONLY)) == -1) { ! perror("open device"); ! if (errno == ENODEV) ! 
fprintf(stderr, "IPFilter enabled?\n"); ! } ! return fd; } static void closedevice() { ! close(fd); fd = -1; } ! static int get_flags() { - int i; ! if ((opendevice(ipfname) != -2) && (ioctl(fd, SIOCGETFF, &i) == -1)) { ! perror("SIOCGETFF"); return 0; } ! return i; } ! static void set_state(enable) u_int enable; { ! if (opendevice(ipfname) != -2) ! if (ioctl(fd, SIOCFRENB, &enable) == -1) { ! if (errno == EBUSY) ! fprintf(stderr, ! "IP Filter: already initialized\n"); ! else ! perror("SIOCFRENB"); } ! return; } static void procfile(name, file) --- 198,279 ---- char *ipfdev; { if (opts & OPT_DONOTHING) ! return 0; if (!ipfdev) ipfdev = ipfname; ! /* ! * shouldn't we really be testing for fd < 0 here and below? ! */ ! ! if (fd != -1) ! return 0; ! ! if ((fd = open(ipfdev, O_RDWR)) == -1) { ! if ((fd = open(ipfdev, O_RDONLY)) == -1) { ! perror("open device"); ! if (errno == ENODEV) ! fprintf(stderr, "IPFilter enabled?\n"); ! return -1; ! } ! } ! ! return 0; } static void closedevice() { ! if (fd != -1) ! close(fd); fd = -1; } ! /* ! * Return codes: ! * 0 Success ! * !0 Failure (and an error message has already been printed) ! */ ! static int get_flags(i) ! int *i; { ! if (opts & OPT_DONOTHING) return 0; + + if (opendevice(ipfname) < 0) + return -1; + + if (ioctl(fd, SIOCGETFF, i) == -1) { + perror("SIOCGETFF"); + return -1; } ! return 0; } ! static int set_state(enable) u_int enable; { ! if (opts & OPT_DONOTHING) ! return 0; ! ! if (opendevice(ipfname)) ! return -1; ! ! if (ioctl(fd, SIOCFRENB, &enable) == -1) { ! if (errno == EBUSY) ! /* Not really an error */ ! fprintf(stderr, ! "IP Filter: already initialized\n"); ! else { ! perror("SIOCFRENB"); ! return -1; } ! } ! return 0; } static void procfile(name, file) *************** *** 243,250 **** struct frentry *fr; u_int add, del; int linenum = 0; ! (void) opendevice(ipfname); if (opts & OPT_INACTIVE) { add = SIOCADIFR; --- 284,293 ---- struct frentry *fr; u_int add, del; int linenum = 0; + int parsestatus; ! 
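Review bot: get_flags() returns 0 on the `OPT_DONOTHING` path without writing through `i`, and the callers reworked elsewhere in this change read the output unconditionally: packetlogon() tests `flag != 0` and showversion() prints `flags`, so `ipf -n -l pass` decides on an uninitialized int. Defining the value on that path fixes every caller at once: `if (opts & OPT_DONOTHING) { *i = 0; return 0; }`. Note also that blocknonip() passes a `u_32_t *` where the parameter is declared `int *`, which the old-style definition hides; a prototype with a typed pointer would surface it.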
if (opendevice(ipfname) == -1) ! exit(1); if (opts & OPT_INACTIVE) { add = SIOCADIFR; *************** *** 284,292 **** if (opts & OPT_VERBOSE) (void)fprintf(stderr, "[%s]\n", line); ! fr = parse(line, linenum); (void)fflush(stdout); if (fr) { if (opts & OPT_ZERORULEST) add = SIOCZRLST; --- 327,344 ---- if (opts & OPT_VERBOSE) (void)fprintf(stderr, "[%s]\n", line); ! parsestatus = 1; ! fr = parse(line, linenum, &parsestatus); (void)fflush(stdout); + if (parsestatus != 0) { + fprintf(stderr, "%s: %s: %s error (%d), quitting\n", + name, file, + ((parsestatus < 0)? "parse": "internal"), + parsestatus); + exit(1); + } + if (fr) { if (opts & OPT_ZERORULEST) add = SIOCZRLST; *************** *** 311,316 **** --- 363,369 ---- if (ioctl(fd, add, &fr) == -1) { fprintf(stderr, "%d:", linenum); perror("ioctl(SIOCZRLST)"); + exit(1); } else { #ifdef USE_QUAD_T printf("hits %qd bytes %qd ", *************** *** 327,337 **** --- 380,392 ---- if (ioctl(fd, del, &fr) == -1) { fprintf(stderr, "%d:", linenum); perror("ioctl(delete rule)"); + exit(1); } } else if (!(opts & OPT_DONOTHING)) { if (ioctl(fd, add, &fr) == -1) { fprintf(stderr, "%d:", linenum); perror("ioctl(add/insert rule)"); + exit(1); } } } *************** *** 346,352 **** /* * Similar to fgets(3) but can handle '\\' and NL is converted to NUL. ! * Returns NULL if error occured, EOF encounterd or input line is too long. */ static char *getline(str, size, file, linenum) register char *str; --- 401,407 ---- /* * Similar to fgets(3) but can handle '\\' and NL is converted to NUL. ! * Returns NULL if error occurred, EOF encounterd or input line is too long. */ static char *getline(str, size, file, linenum) register char *str; *************** *** 360,366 **** do { for (p = str, s = size;; p += (len - 1), s -= (len - 1)) { /* ! * if an error occured, EOF was encounterd, or there * was no room to put NUL, return NULL. 
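Review bot: Exiting on a parse or ioctl failure part-way through the file leaves every rule from the preceding lines installed, since each line is added as it is parsed and nothing here rolls back; without -I the host is left running a half-loaded policy, which for a packet filter is worse than either the old or the new ruleset. At minimum the message should say so, e.g. `fprintf(stderr, "%s: %s: %s error (%d) at line %d, quitting; rules before this line were loaded\n", name, file, ((parsestatus < 0)? "parse": "internal"), parsestatus, linenum);`, and the documentation should steer operators to load into the inactive set and swap with -s so a failure never touches the live set. The enclosing function starts before and ends after this hunk.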
*/ if (fgets(p, s, file) == NULL) --- 415,421 ---- do { for (p = str, s = size;; p += (len - 1), s -= (len - 1)) { /* ! * if an error occurred, EOF was encounterd, or there * was no room to put NUL, return NULL. */ if (fgets(p, s, file) == NULL) *************** *** 391,397 **** { int flag; ! flag = get_flags(); if (flag != 0) { if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) printf("log flag is currently %#x\n", flag); --- 446,454 ---- { int flag; ! if (get_flags(&flag)) ! exit(1); ! if (flag != 0) { if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) printf("log flag is currently %#x\n", flag); *************** *** 415,425 **** printf("set log flag: block\n"); } ! if (opendevice(ipfname) != -2 && (ioctl(fd, SIOCSETFF, &flag) != 0)) ! perror("ioctl(SIOCSETFF)"); if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { ! flag = get_flags(); printf("log flag is now %#x\n", flag); } } --- 472,498 ---- printf("set log flag: block\n"); } ! if (opendevice(ipfname) == -1) { ! exit(1); ! } ! ! if (!(opts & OPT_DONOTHING)) { ! if (ioctl(fd, SIOCSETFF, &flag) != 0) { ! perror("ioctl(SIOCSETFF)"); ! exit(1); ! } ! } if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { ! /* ! * Even though the ioctls above succeeded, it ! * is possible that a calling script/program ! * relies on the following verbose mode string. ! * Thus, we still take an error exit if get_flags ! * fails here. ! */ ! if (get_flags(&flag)) ! exit(1); printf("log flag is now %#x\n", flag); } } *************** *** 430,437 **** { int fl = 0, rem; ! if (!arg || !*arg) ! return; if (!strcmp(arg, "s") || !strcmp(arg, "S")) { if (*arg == 'S') fl = 0; --- 503,513 ---- { int fl = 0, rem; ! if (!arg || !*arg) { ! fprintf(stderr, "-F: no filter specified\n"); ! exit(1); ! } ! if (!strcmp(arg, "s") || !strcmp(arg, "S")) { if (*arg == 'S') fl = 0; *************** *** 440,452 **** rem = fl; closedevice(); ! if (opendevice(IPL_STATE) != -2) { if (use_inet6) { ! 
if (ioctl(fd, SIOCIPFL6, &fl) == -1) perror("ioctl(SIOCIPFL6)"); } else { ! if (ioctl(fd, SIOCIPFFL, &fl) == -1) perror("ioctl(SIOCIPFFL)"); } } if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { --- 516,537 ---- rem = fl; closedevice(); ! ! if (opendevice(IPL_STATE) == -1) { ! exit(1); ! } ! ! if (!(opts & OPT_DONOTHING)) { if (use_inet6) { ! if (ioctl(fd, SIOCIPFL6, &fl) == -1) { perror("ioctl(SIOCIPFL6)"); + exit(1); + } } else { ! if (ioctl(fd, SIOCIPFFL, &fl) == -1) { perror("ioctl(SIOCIPFFL)"); + exit(1); + } } } if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { *************** *** 465,477 **** fl |= (opts & FR_INACTIVE); rem = fl; ! if (opendevice(ipfname) != -2) { if (use_inet6) { ! if (ioctl(fd, SIOCIPFL6, &fl) == -1) perror("ioctl(SIOCIPFL6)"); } else { ! if (ioctl(fd, SIOCIPFFL, &fl) == -1) perror("ioctl(SIOCIPFFL)"); } } if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { --- 550,570 ---- fl |= (opts & FR_INACTIVE); rem = fl; ! if (opendevice(ipfname) == -1) { ! exit(1); ! } ! ! if (!(opts & OPT_DONOTHING)) { if (use_inet6) { ! if (ioctl(fd, SIOCIPFL6, &fl) == -1) { perror("ioctl(SIOCIPFL6)"); + exit(1); + } } else { ! if (ioctl(fd, SIOCIPFFL, &fl) == -1) { perror("ioctl(SIOCIPFFL)"); + exit(1); + } } } if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { *************** *** 487,496 **** { int in = 2; ! if (opendevice(ipfname) != -2 && ioctl(fd, SIOCSWAPA, &in) == -1) ! perror("ioctl(SIOCSWAPA)"); ! else ! printf("Set %d now inactive\n", in); } --- 580,597 ---- { int in = 2; ! if (opendevice(ipfname) == -1) { ! exit(1); ! } ! ! ! if (!(opts & OPT_DONOTHING)) { ! if (ioctl(fd, SIOCSWAPA, &in) == -1) { ! perror("ioctl(SIOCSWAPA)"); ! exit(1); ! } ! } ! printf("Set %d now inactive\n", in); } *************** *** 498,507 **** { int frsyn = 0; ! if (opendevice(ipfname) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1) ! perror("SIOCFRSYN"); ! else ! printf("filter sync'd\n"); } --- 599,614 ---- { int frsyn = 0; ! 
if (opendevice(ipfname) == -1) ! exit(1); ! ! if (!(opts & OPT_DONOTHING)) { ! if (ioctl(fd, SIOCFRSYN, &frsyn) == -1) { ! perror("SIOCFRSYN"); ! exit(1); ! } ! } ! printf("filter sync'd\n"); } *************** *** 510,516 **** friostat_t fio; friostat_t *fiop = &fio; ! if (opendevice(ipfname) != -2) { if (ioctl(fd, SIOCFRZST, &fiop) == -1) { perror("ioctl(SIOCFRZST)"); exit(-1); --- 617,626 ---- friostat_t fio; friostat_t *fiop = &fio; ! if (opendevice(ipfname) == -1) ! exit(1); ! ! if (!(opts & OPT_DONOTHING)) { if (ioctl(fd, SIOCFRZST, &fiop) == -1) { perror("ioctl(SIOCFRZST)"); exit(-1); *************** *** 522,528 **** /* ! * read the kernel stats for packets blocked and passed */ static void showstats(fp) friostat_t *fp; --- 632,638 ---- /* ! * Read the kernel stats for packets blocked and passed */ static void showstats(fp) friostat_t *fp; *************** *** 559,574 **** u_32_t flag; if (opendevice(ipfname) == -1) ! return; - flag = get_flags(); if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) printf("log flag is currently %#x\n", flag); flag ^= FF_BLOCKNONIP; ! if (opendevice(ipfname) != -2 && ioctl(fd, SIOCSETFF, &flag)) ! perror("ioctl(SIOCSETFF)"); if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { if (ioctl(fd, SIOCGETFF, &flag)) --- 669,691 ---- u_32_t flag; if (opendevice(ipfname) == -1) ! exit(1); ! ! if (get_flags(&flag)) ! exit(1); if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) printf("log flag is currently %#x\n", flag); flag ^= FF_BLOCKNONIP; ! if (opendevice(ipfname) == -1) ! exit(1); ! ! if (!(opts & OPT_DONOTHING)) { ! if (ioctl(fd, SIOCSETFF, &flag)) ! perror("ioctl(SIOCSETFF)"); ! 
} if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { if (ioctl(fd, SIOCGETFF, &flag)) *************** *** 580,585 **** --- 697,705 ---- #endif + /* + * nonzero return value means caller should exit with error + */ static int showversion() { struct friostat fio; *************** *** 601,611 **** return 1; } close(vfd); - flags = get_flags(); printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version), (int)sizeof(fio.f_version), fio.f_version); printf("Running: %s\n", fio.f_running ? "yes" : "no"); printf("Log Flags: %#x = ", flags); s = ""; if (flags & FF_LOGPASS) { --- 721,734 ---- return 1; } close(vfd); printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version), (int)sizeof(fio.f_version), fio.f_version); printf("Running: %s\n", fio.f_running ? "yes" : "no"); + + if (get_flags(&flags)) { + return 1; + } printf("Log Flags: %#x = ", flags); s = ""; if (flags & FF_LOGPASS) { diff -crN ip_fil3.4.31/ipf.h ip_fil3.4.32/ipf.h *** ip_fil3.4.31/ipf.h Thu Jan 3 19:00:12 2002 --- ip_fil3.4.32/ipf.h Fri May 16 03:45:33 2003 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipf.h 1.12 6/5/96 ! * $Id: ipf.h,v 2.9.2.6 2002/01/03 08:00:12 darrenr Exp $ */ #ifndef __IPF_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipf.h 1.12 6/5/96 ! * $Id: ipf.h,v 2.9.2.7 2003/05/15 17:45:33 darrenr Exp $ */ #ifndef __IPF_H__ *************** *** 62,68 **** extern char *strdup __P((char *)); #endif ! extern struct frentry *parse __P((char *, int)); extern void printfr __P((struct frentry *)); extern void binprint __P((struct frentry *)), initparse __P((void)); --- 62,68 ---- extern char *strdup __P((char *)); #endif ! 
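Review bot: In the flag-toggle hunk the new `if (ioctl(fd, SIOCSETFF, &flag)) perror("ioctl(SIOCSETFF)");` reports the failure but never exits, so a failed flag change still returns success — exactly the behaviour the SIOCIPFFL/SIOCSWAPA/SIOCFRSYN hunks above are fixing; add `exit(1);` after the perror. The second `if (opendevice(ipfname) == -1) exit(1);` just before the ioctl is redundant: the same call already succeeded at the top of the function and get_flags() has used the descriptor in between, so one of the two should go. The function continues past the end of the hunk.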
extern struct frentry *parse __P((char *, int, int *)); extern void printfr __P((struct frentry *)); extern void binprint __P((struct frentry *)), initparse __P((void)); diff -crN ip_fil3.4.31/ipfs.c ip_fil3.4.32/ipfs.c *** ip_fil3.4.31/ipfs.c Thu Sep 26 22:25:19 2002 --- ip_fil3.4.32/ipfs.c Sat May 31 12:12:21 2003 *************** *** 45,51 **** #include "ipf.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.12 2002/09/26 12:25:19 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR --- 45,51 ---- #include "ipf.h" #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.15 2003/05/31 02:12:21 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR *************** *** 63,68 **** --- 63,69 ---- #endif extern char *optarg; + extern int optind; int main __P((int, char *[])); void usage __P((void)); *************** *** 80,101 **** char *concat __P((char *, char *)); int opts = 0; void usage() { fprintf(stderr, "\ ! usage: ipfs [-nv] -l\n\ ! usage: ipfs [-nv] -u\n\ ! usage: ipfs [-nv] [-d ] -R\n\ ! usage: ipfs [-nv] [-d ] -W\n\ ! usage: ipfs [-nv] -N [-f | -d ] -r\n\ ! usage: ipfs [-nv] -S [-f | -d ] -r\n\ ! usage: ipfs [-nv] -N [-f | -d ] -w\n\ ! usage: ipfs [-nv] -S [-f | -d ] -w\n\ ! usage: ipfs [-nv] -N [-f | -d ] -i ,\n\ ! usage: ipfs [-nv] -S [-f | -d ] -i ,\n\ ! "); exit(1); } --- 81,104 ---- char *concat __P((char *, char *)); int opts = 0; + char *progname; void usage() { fprintf(stderr, "\ ! usage: %s [-nv] -l\n\ ! usage: %s [-nv] -u\n\ ! usage: %s [-nv] [-d ] -R\n\ ! usage: %s [-nv] [-d ] -W\n\ ! usage: %s [-nv] -N [-f | -d ] -r\n\ ! usage: %s [-nv] -S [-f | -d ] -r\n\ ! usage: %s [-nv] -N [-f | -d ] -w\n\ ! usage: %s [-nv] -S [-f | -d ] -w\n\ ! usage: %s [-nv] -N [-f | -d ] -i ,\n\ ! usage: %s [-nv] -S [-f | -d ] -i ,\n\ ! ", progname, progname, progname, progname, progname, progname, ! 
progname, progname, progname, progname); exit(1); } *************** *** 214,219 **** --- 217,224 ---- int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0; char *dirname = NULL, *filename = NULL, *ifs = NULL; + progname = argv[0]; + while ((c = getopt(argc, argv, "d:f:i:lNnSRruvWw")) != -1) switch (c) { *************** *** 287,296 **** --- 292,305 ---- rw = 3; set = 1; break; + case '?' : default : usage(); } + if (optind < 2) + usage(); + if (filename == NULL) { if (ns == 0) { if (dirname == NULL) *************** *** 560,568 **** int fd; char *file; { ! nat_save_t ipn, *in, *ipnhead = NULL, *in1, *ipntail = NULL, *ipnp; int nfd = -1, i; nat_t *nat; if (!file) file = IPF_NATFILE; --- 569,579 ---- int fd; char *file; { ! nat_save_t ipn, *in, *ipnhead = NULL, *in1, *ipntail = NULL; int nfd = -1, i; nat_t *nat; + char *s; + int n; if (!file) file = IPF_NATFILE; *************** *** 575,581 **** } bzero((char *)&ipn, sizeof(ipn)); - ipnp = &ipn; /* * 1. Read all state information in. --- 586,591 ---- *************** *** 597,626 **** } if (ipn.ipn_dsize > 0) { ! char *s = ipnp->ipn_data; ! int n = ipnp->ipn_dsize; ! n -= sizeof(ipnp->ipn_data); in = malloc(sizeof(*in) + n); if (!in) break; ! s += sizeof(ipnp->ipn_data); ! i = read(nfd, s, n); ! if (i == 0) ! break; ! if (i != n) { ! fprintf(stderr, "incomplete read: %d != %d\n", ! i, n); ! close(nfd); ! return 1; } } else in = (nat_save_t *)malloc(sizeof(*in)); ! bcopy((char *)ipnp, (char *)in, sizeof(ipn)); /* ! * Check to see if this is the first state entry that will * reference a particular rule and if so, flag it as such * else just adjust the rule pointer to become a pointer to * the other. We do this so we have a means later for tracking --- 607,641 ---- } if (ipn.ipn_dsize > 0) { ! n = ipn.ipn_dsize; ! if (n > sizeof(ipn.ipn_data)) ! n -= sizeof(ipn.ipn_data); ! else ! n = 0; in = malloc(sizeof(*in) + n); if (!in) break; ! if (n > 0) { ! s = in->ipn_data + sizeof(in->ipn_data); ! 
i = read(nfd, s, n); ! if (i == 0) ! break; ! if (i != n) { ! fprintf(stderr, ! "incomplete read: %d != %d\n", ! i, n); ! close(nfd); ! return 1; ! } } } else in = (nat_save_t *)malloc(sizeof(*in)); ! bcopy((char *)&ipn, (char *)in, sizeof(ipn)); /* ! * Check to see if this is the first NAT entry that will * reference a particular rule and if so, flag it as such * else just adjust the rule pointer to become a pointer to * the other. We do this so we have a means later for tracking *************** *** 650,655 **** --- 665,671 ---- } while (1); close(nfd); + nfd = -1; for (in = ipnhead; in; in = in->ipn_next) { if (opts & OPT_VERBOSE) *************** *** 758,763 **** --- 774,780 ---- dirname = IPF_SAVEDIR; if (chdir(dirname)) { + fprintf(stderr, "IPF_SAVEDIR=%s: ", dirname); perror("chdir(IPF_SAVEDIR)"); return 1; } diff -crN ip_fil3.4.31/ipft_ef.c ip_fil3.4.32/ipft_ef.c *** ip_fil3.4.31/ipft_ef.c Fri Dec 6 22:40:25 2002 --- ip_fil3.4.32/ipft_ef.c Mon May 19 22:02:35 2003 *************** *** 52,58 **** #if !defined(lint) static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.4 2002/12/06 11:40:25 darrenr Exp $"; #endif static int etherf_open __P((char *)); --- 52,58 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.5 2003/05/19 12:02:35 darrenr Exp $"; #endif static int etherf_open __P((char *)); *************** *** 108,116 **** bzero(&pkt, sizeof(pkt)); ! if (sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst, sprt, dprt) != 6) ! if (sscanf(lbuf, "%s %s %s %s %s %s %s", time, len, prot, src, dst, sprt, dprt) != 7) return -1; --- 108,116 ---- bzero(&pkt, sizeof(pkt)); ! if (sscanf(lbuf, "%7s %7s %15s %15s %15s %15s", len, prot, src, dst, sprt, dprt) != 6) ! 
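Review bot: The `else in = (nat_save_t *)malloc(sizeof(*in));` branch of the NAT-restore loop still feeds an unchecked pointer to the `bcopy()` right below it, while the dsize>0 branch checks `if (!in) break;` — write it as `in = malloc(sizeof(*in)); if (in == NULL) break;`. In the new `if (i == 0) break;` path the freshly allocated `in` is neither linked into the list nor freed, so an EOF in the middle of an entry leaks it; make it `if (i == 0) { free(in); break; }`. `n` is taken straight from `ipn.ipn_dsize` in the save file and is only floored, never capped, before `malloc(sizeof(*in) + n)`; if the file is assumed to be root-owned that may be acceptable, but a sanity bound or at least a comment stating the trust assumption belongs here. The loop continues outside the hunk.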
if (sscanf(lbuf, "%7s %7s %7s %15s %15s %15s %15s", time, len, prot, src, dst, sprt, dprt) != 7) return -1; diff -crN ip_fil3.4.31/ipft_td.c ip_fil3.4.32/ipft_td.c *** ip_fil3.4.31/ipft_td.c Fri Dec 6 22:40:26 2002 --- ip_fil3.4.32/ipft_td.c Sat May 31 12:13:04 2003 *************** *** 61,67 **** #if !defined(lint) static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.4 2002/12/06 11:40:26 darrenr Exp $"; #endif static int tcpd_open __P((char *)); --- 61,67 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.6 2003/05/31 02:13:04 darrenr Exp $"; #endif static int tcpd_open __P((char *)); *************** *** 131,142 **** bzero(&pkt, sizeof(pkt)); ! if ((n = sscanf(lbuf, "%s > %s: %s", src, dst, misc)) != 3) ! if ((n = sscanf(lbuf, "%s %s > %s: %s", time, src, dst, misc)) != 4) ! if ((n = sscanf(lbuf, "%s %s: %s > %s: %s", link1, link2, src, dst, misc)) != 5) { ! n = sscanf(lbuf, "%s %s %s: %s > %s: %s", time, link1, link2, src, dst, misc); if (n != 6) return -1; --- 131,143 ---- bzero(&pkt, sizeof(pkt)); ! if ((n = sscanf(lbuf, "%31s > %31s: %255s", src, dst, misc)) != 3) ! if ((n = sscanf(lbuf, "%31s %31s > %31s: %255s", time, src, dst, misc)) != 4) ! if ((n = sscanf(lbuf, "%31s %31s: %31s > %31s: %255s", link1, link2, src, dst, misc)) != 5) { ! n = sscanf(lbuf, ! "%31s %31s %31s: %31s > %31s: %255s", time, link1, link2, src, dst, misc); if (n != 6) return -1; diff -crN ip_fil3.4.31/ipl.h ip_fil3.4.32/ipl.h *** ip_fil3.4.31/ipl.h Sat Dec 7 13:40:05 2002 --- ip_fil3.4.32/ipl.h Wed Jun 18 23:05:58 2003 *************** *** 4,15 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.38 2002/12/07 02:40:05 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! 
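Review bot: The new sscanf widths in ipft_ef.c are only safe if `len`, `prot` and `time` are at least 8 bytes and `src`, `dst`, `sprt`, `dprt` at least 16, and those declarations are outside the hunk, so nothing ties the literals to the buffer sizes; please confirm them and add `/* widths are sizeof(buf) - 1; keep in sync with the declarations above */` on the format line. Separately, because sscanf returns as soon as its last conversion is done, a seven-field timestamped line satisfies the first call (it returns 6) and the second pattern is never tried, so the timestamp lands in `len`, the length in `prot`, and so on — unless the surrounding code distinguishes the two line forms before this point, which is not visible in the hunk, the seven-field pattern needs to be attempted first or the field count checked beforehand.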
#define IPL_VERSION "IP Filter: v3.4.31" #endif --- 4,15 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.15.2.39 2003/06/18 13:05:58 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v3.4.32" #endif diff -crN ip_fil3.4.31/ipnat.c ip_fil3.4.32/ipnat.c *** ip_fil3.4.31/ipnat.c Fri Dec 6 22:40:26 2002 --- ip_fil3.4.32/ipnat.c Fri Jun 6 00:00:28 2003 *************** *** 60,66 **** #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.22 2002/12/06 11:40:26 darrenr Exp $"; #endif --- 60,66 ---- #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.25 2003/06/05 14:00:28 darrenr Exp $"; #endif *************** *** 71,97 **** char thishost[MAXHOSTNAMELEN]; extern char *optarg; extern ipnat_t *natparse __P((char *, int)); extern void natparsefile __P((int, char *, int)); extern void printnat __P((ipnat_t *, int)); extern void printactivenat __P((nat_t *, int)); extern void printhostmap __P((hostmap_t *, u_int)); extern char *getsumd __P((u_32_t)); ! void dostats __P((natstat_t *, int)), flushtable __P((int, int)); void usage __P((char *)); int countbits __P((u_32_t)); char *getnattype __P((ipnat_t *)); int main __P((int, char*[])); void printaps __P((ap_session_t *, int)); ! void showhostmap __P((natstat_t *nsp)); ! void natstat_dead __P((natstat_t *, char *)); void usage(name) char *name; { ! 
fprintf(stderr, "%s: [-CFhlnrsv] [-f filename]\n", name); exit(1); } --- 71,101 ---- char thishost[MAXHOSTNAMELEN]; extern char *optarg; + extern int optind; + #if 0 extern ipnat_t *natparse __P((char *, int)); + #endif extern void natparsefile __P((int, char *, int)); extern void printnat __P((ipnat_t *, int)); extern void printactivenat __P((nat_t *, int)); extern void printhostmap __P((hostmap_t *, u_int)); extern char *getsumd __P((u_32_t)); ! static int dostats __P((natstat_t *, int)); ! static int flushtable __P((int, int)); void usage __P((char *)); int countbits __P((u_32_t)); char *getnattype __P((ipnat_t *)); int main __P((int, char*[])); void printaps __P((ap_session_t *, int)); ! static int showhostmap __P((natstat_t *nsp)); ! static int natstat_dead __P((natstat_t *, char *)); void usage(name) char *name; { ! fprintf(stderr, "Usage: %s [-CFhlnrsv] [-f filename]\n", name); exit(1); } *************** *** 153,162 **** --- 157,170 ---- case 'v' : opts |= OPT_VERBOSE; break; + case '?' : default : usage(argv[0]); } + if (optind < 2) + usage(argv[0]); + if ((kernel != NULL) || (core != NULL)) { (void) setgid(getgid()); (void) setuid(getuid()); *************** *** 189,215 **** if (openkmem(kernel, core) == -1) exit(1); ! natstat_dead(nsp, kernel); ! if (opts & (OPT_LIST|OPT_STAT)) ! dostats(nsp, opts); exit(0); } if (opts & (OPT_FLUSH|OPT_CLEAR)) ! flushtable(fd, opts); ! if (file) natparsefile(fd, file, opts); if (opts & (OPT_LIST|OPT_STAT)) ! dostats(nsp, opts); return 0; } /* ! * Read nat statistic information in using a symbol table and memory file * rather than doing ioctl's. */ ! void natstat_dead(nsp, kernel) natstat_t *nsp; char *kernel; { --- 197,232 ---- if (openkmem(kernel, core) == -1) exit(1); ! if (natstat_dead(nsp, kernel)) ! exit(1); ! if (opts & (OPT_LIST|OPT_STAT)) { ! if (dostats(nsp, opts)) ! exit(1); ! } exit(0); } if (opts & (OPT_FLUSH|OPT_CLEAR)) ! if (flushtable(fd, opts)) ! exit(1); ! if (file) { ! 
/* NB natparsefile exits with nonzero in case of error */ natparsefile(fd, file, opts); + } if (opts & (OPT_LIST|OPT_STAT)) ! if (dostats(nsp, opts)) ! exit(1); ! ! /* TBD why not exit(0)? */ return 0; } /* ! * Read NAT statistic information in using a symbol table and memory file * rather than doing ioctl's. */ ! static int natstat_dead(nsp, kernel) natstat_t *nsp; char *kernel; { *************** *** 229,240 **** if (nlist(kernel, nat_nlist) == -1) { fprintf(stderr, "nlist error\n"); ! return; } /* * Normally the ioctl copies all of these values into the structure ! * for us, before returning it to useland, so here we must copy each * one in individually. */ kmemcpy((char *)&tables, nat_nlist[0].n_value, sizeof(tables)); --- 246,257 ---- if (nlist(kernel, nat_nlist) == -1) { fprintf(stderr, "nlist error\n"); ! return -1; } /* * Normally the ioctl copies all of these values into the structure ! * for us, before returning it to userland, so here we must copy each * one in individually. */ kmemcpy((char *)&tables, nat_nlist[0].n_value, sizeof(tables)); *************** *** 257,274 **** sizeof(nsp->ns_instances)); kmemcpy((char *)&nsp->ns_apslist, nat_nlist[8].n_value, sizeof(nsp->ns_apslist)); } /* * Display NAT statistics. */ ! void dostats(nsp, opts) natstat_t *nsp; int opts; { nat_t **nt[2], *np, nat; ipnat_t ipn; /* * Show statistics ? --- 274,294 ---- sizeof(nsp->ns_instances)); kmemcpy((char *)&nsp->ns_apslist, nat_nlist[8].n_value, sizeof(nsp->ns_apslist)); + + return 0; } /* * Display NAT statistics. */ ! static int dostats(nsp, opts) natstat_t *nsp; int opts; { nat_t **nt[2], *np, nat; ipnat_t ipn; + int rc = 0; /* * Show statistics ? *************** *** 297,302 **** --- 317,323 ---- if (kmemcpy((char *)&ipn, (long)nsp->ns_list, sizeof(ipn))) { perror("kmemcpy"); + rc = -1; break; } if (opts & OPT_HITS) *************** *** 309,336 **** if (kmemcpy((char *)nt[0], (long)nsp->ns_table[0], sizeof(**nt) * NAT_SIZE)) { perror("kmemcpy"); ! 
return; } printf("\nList of active sessions:\n"); for (np = nsp->ns_instances; np; np = nat.nat_next) { ! if (kmemcpy((char *)&nat, (long)np, sizeof(nat))) break; printactivenat(&nat, opts); } ! if (opts & OPT_VERBOSE) ! showhostmap(nsp); free(nt[0]); } } /* ! * display the active host mapping table. */ ! void showhostmap(nsp) natstat_t *nsp; { hostmap_t hm, *hmp, **maptable; --- 330,369 ---- if (kmemcpy((char *)nt[0], (long)nsp->ns_table[0], sizeof(**nt) * NAT_SIZE)) { perror("kmemcpy"); ! rc = -1; ! } ! if (rc) { ! free(nt[0]); ! return rc; } printf("\nList of active sessions:\n"); for (np = nsp->ns_instances; np; np = nat.nat_next) { ! if (kmemcpy((char *)&nat, (long)np, sizeof(nat))) { ! /* TBD Is this an error? If so, return -1 */ break; + } printactivenat(&nat, opts); } ! if (opts & OPT_VERBOSE) { ! if (showhostmap(nsp)) { ! free(nt[0]); ! return -1; ! } ! } ! free(nt[0]); } + return 0; } /* ! * Display the active host mapping table. */ ! static int showhostmap(nsp) natstat_t *nsp; { hostmap_t hm, *hmp, **maptable; *************** *** 343,349 **** if (kmemcpy((char *)maptable, (u_long)nsp->ns_maptable, sizeof(hostmap_t *) * nsp->ns_hostmap_sz)) { perror("kmemcpy (maptable)"); ! return; } for (hv = 0; hv < nsp->ns_hostmap_sz; hv++) { --- 376,383 ---- if (kmemcpy((char *)maptable, (u_long)nsp->ns_maptable, sizeof(hostmap_t *) * nsp->ns_hostmap_sz)) { perror("kmemcpy (maptable)"); ! free(maptable); ! return -1; } for (hv = 0; hv < nsp->ns_hostmap_sz; hv++) { *************** *** 352,358 **** while (hmp) { if (kmemcpy((char *)&hm, (u_long)hmp, sizeof(hm))) { perror("kmemcpy (hostmap)"); ! return; } printhostmap(&hm, hv); --- 386,393 ---- while (hmp) { if (kmemcpy((char *)&hm, (u_long)hmp, sizeof(hm))) { perror("kmemcpy (hostmap)"); ! free(maptable); ! 
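Review bot: In dostats() the new `/* TBD Is this an error? If so, return -1 */ break;` leaves a kmemcpy failure while walking `ns_instances` silent: the listing is truncated but the function returns 0 and ipnat exits 0, unlike the two kmemcpy failures just above it in the same hunk, which perror and set `rc = -1`. Resolve the TBD before merging with `perror("kmemcpy"); rc = -1; break;` and let the loop fall through to the existing `free(nt[0])` and `return rc` so the caller sees the partial read as an error.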
return -1; } printhostmap(&hm, hv); *************** *** 360,365 **** --- 395,401 ---- } } free(maptable); + return 0; } *************** *** 367,390 **** * Issue an ioctl to flush either the NAT rules table or the active mapping * table or both. */ ! void flushtable(fd, opts) int fd, opts; { int n = 0; if (opts & OPT_FLUSH) { n = 0; ! if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1) perror("ioctl(SIOCFLNAT)"); ! else printf("%d entries flushed from NAT table\n", n); } if (opts & OPT_CLEAR) { n = 1; ! if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1) perror("ioctl(SIOCCNATL)"); ! else printf("%d entries flushed from NAT list\n", n); } } --- 403,433 ---- * Issue an ioctl to flush either the NAT rules table or the active mapping * table or both. */ ! static int flushtable(fd, opts) int fd, opts; { int n = 0; + int rc = 0; if (opts & OPT_FLUSH) { n = 0; ! if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1) { perror("ioctl(SIOCFLNAT)"); ! rc = -1; ! } else { printf("%d entries flushed from NAT table\n", n); + } } if (opts & OPT_CLEAR) { n = 1; ! if (!(opts & OPT_NODO) && ioctl(fd, SIOCIPFFL, &n) == -1) { perror("ioctl(SIOCCNATL)"); ! rc = -1; ! } else { printf("%d entries flushed from NAT list\n", n); + } } + + return rc; } diff -crN ip_fil3.4.31/ipsend/ipsend.1 ip_fil3.4.32/ipsend/ipsend.1 *** ip_fil3.4.31/ipsend/ipsend.1 Thu Jul 27 23:04:05 2000 --- ip_fil3.4.32/ipsend/ipsend.1 Sun Dec 22 15:13:49 2002 *************** *** 51,57 **** .TP .BR \-f \0 The \fI-f\fP allows the IP offset field in the IP header to be set to an ! arbitrary value, which can be specified in decimal or hexidecimal. .TP .BR \-g \0 Specify the hostname of the gateway through which to route packets. This --- 51,57 ---- .TP .BR \-f \0 The \fI-f\fP allows the IP offset field in the IP header to be set to an ! arbitrary value, which can be specified in decimal or hexadecimal. .TP .BR \-g \0 Specify the hostname of the gateway through which to route packets. 
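Review bot: flushtable() still labels its failures `perror("ioctl(SIOCFLNAT)")` and `perror("ioctl(SIOCCNATL)")` although both rewritten calls issue `SIOCIPFFL` (with n=0 and n=1), which sends anyone debugging a failed flush looking for ioctls that are never made; name the real request, e.g. `perror("ioctl(SIOCIPFFL, flush)")` and `perror("ioctl(SIOCIPFFL, clear)")`. With -n (OPT_NODO) the `else` branch is still taken, so the program prints `0 entries flushed from NAT table` and `1 entries flushed from NAT list`, using the request code as if it were a count; test OPT_NODO on its own and print a "would flush" message instead.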
This diff -crN ip_fil3.4.31/ipt.c ip_fil3.4.32/ipt.c *** ip_fil3.4.31/ipt.c Fri Dec 6 22:40:26 2002 --- ip_fil3.4.32/ipt.c Fri May 16 03:45:34 2003 *************** *** 64,70 **** #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.24 2002/12/06 11:40:26 darrenr Exp $"; #endif extern char *optarg; --- 64,70 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.25 2003/05/15 17:45:34 darrenr Exp $"; #endif extern char *optarg; *************** *** 72,78 **** extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex; extern struct ifnet *get_unit __P((char *, int)); extern void init_ifp __P((void)); ! extern ipnat_t *natparse __P((char *, int)); extern int fr_running; int opts = 0; --- 72,78 ---- extern struct ipread snoop, etherf, tcpd, pcap, iptext, iphex; extern struct ifnet *get_unit __P((char *, int)); extern void init_ifp __P((void)); ! extern ipnat_t *natparse __P((char *, int, int *)); extern int fr_running; int opts = 0; *************** *** 310,315 **** --- 310,316 ---- int linenum, i; void *fr; FILE *fp; + int parsestatus; if (!strcmp(file, "-")) fp = stdin; *************** *** 346,352 **** /* fake an `ioctl' call :) */ if ((opts & OPT_NAT) != 0) { ! if (!(fr = natparse(line, linenum))) continue; if (rremove == 0) { --- 347,367 ---- /* fake an `ioctl' call :) */ if ((opts & OPT_NAT) != 0) { ! parsestatus = 1; ! fr = natparse(line, linenum, &parsestatus); ! if (parsestatus != 0) { ! if (*line) { ! fprintf(stderr, ! "%d: syntax error in \"%s\"\n", ! linenum, line); ! } ! fprintf(stderr, "%s: %s error (%d), quitting\n", ! file, ! ((parsestatus < 0)? "parse": "internal"), ! parsestatus); ! exit(1); ! } ! if (!fr) continue; if (rremove == 0) { *************** *** 367,374 **** fr, i); } } else { ! 
if (!(fr = parse(line, linenum))) continue; if (rremove == 0) { i = IPL_EXTERN(ioctl)(0, SIOCADAFR, --- 382,400 ---- fr, i); } } else { ! fr = parse(line, linenum, &parsestatus); ! ! if (parsestatus != 0) { ! fprintf(stderr, "%s: %s error (%d), quitting\n", ! file, ! ((parsestatus < 0)? "parse": "internal"), ! parsestatus); ! exit(1); ! } ! ! if (!fr) { continue; + } if (rremove == 0) { i = IPL_EXTERN(ioctl)(0, SIOCADAFR, diff -crN ip_fil3.4.31/kmem.c ip_fil3.4.32/kmem.c *** ip_fil3.4.31/kmem.c Fri Dec 6 22:40:27 2002 --- ip_fil3.4.32/kmem.c Mon Jun 2 22:22:31 2003 *************** *** 46,59 **** #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.16 2002/12/06 11:40:27 darrenr Exp $"; #endif #ifdef __sgi typedef int kvm_t; static int kvm_fd = -1; ! static char *kvm_errstr; kvm_t *kvm_open(kernel, core, swap, mode, errstr) char *kernel, *core, *swap; --- 46,59 ---- #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.17 2003/06/02 12:22:31 darrenr Exp $"; #endif #ifdef __sgi typedef int kvm_t; static int kvm_fd = -1; ! static char *kvm_errstr = NULL; kvm_t *kvm_open(kernel, core, swap, mode, errstr) char *kernel, *core, *swap; *************** *** 79,86 **** int r; if (lseek(*kvm, pos, 0) == -1) { ! fprintf(stderr, "%s", kvm_errstr); ! perror("lseek"); return -1; } --- 79,88 ---- int r; if (lseek(*kvm, pos, 0) == -1) { ! if (kvm_errstr != NULL) { ! fprintf(stderr, "%s:", kvm_errstr); ! perror("lseek"); ! } return -1; } *************** *** 103,109 **** kvm_t *uk; } k; ! kvm_f = kvm_open(kern, core, NULL, O_RDONLY, ""); if (kvm_f == NULL) { perror("openkmem:open"); --- 105,111 ---- kvm_t *uk; } k; ! 
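Review bot: In the non-NAT branch `parsestatus` is not initialised before `fr = parse(line, linenum, &parsestatus);`, whereas the NAT branch above sets `parsestatus = 1;` first; unless parse() is guaranteed to store to `*status` on every path (its body is not in this diff), the following `if (parsestatus != 0)` reads an indeterminate value. Add `parsestatus = 1;` before the call for symmetry, and consider moving the duplicated `"%s: %s error (%d), quitting"` reporting into one small static helper used by both branches. The enclosing loop continues outside the hunk.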
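Review bot: In the `#ifdef __sgi` kvm_read wrapper the lseek failure is now reported only when `kvm_errstr != NULL`, and the same commit changes openkmem() to call `kvm_open(kern, core, NULL, O_RDONLY, NULL)`, so on IRIX a failed seek into the kernel memory image now returns -1 with no diagnostic at all. Keep the prefix conditional but move `perror("lseek");` after the closing brace of the `if` so the errno text is always printed; the prefix format also wants a space, `"%s: "`, so the two parts do not run together.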
kvm_f = kvm_open(kern, core, NULL, O_RDONLY, NULL); if (kvm_f == NULL) { perror("openkmem:open"); diff -crN ip_fil3.4.31/man/ipf.5 ip_fil3.4.32/man/ipf.5 *** ip_fil3.4.31/man/ipf.5 Wed Oct 2 01:29:39 2002 --- ip_fil3.4.32/man/ipf.5 Mon Mar 31 21:52:33 2003 *************** *** 37,43 **** call = "call" [ "now" ] function-name . skip = "skip" decnumber . dup = "dup-to" interface-name[":"ipaddr] . ! froute = "fastroute" | "to" interface-name . protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber . srcdst = "all" | fromto . fromto = "from" [ "!" ] object "to" [ "!" ] object . --- 37,43 ---- call = "call" [ "now" ] function-name . skip = "skip" decnumber . dup = "dup-to" interface-name[":"ipaddr] . ! froute = "fastroute" | "to" interface-name[":"ipaddr] . protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber . srcdst = "all" | fromto . fromto = "from" [ "!" ] object "to" [ "!" ] object . diff -crN ip_fil3.4.31/man/ipmon.8 ip_fil3.4.32/man/ipmon.8 *** ip_fil3.4.31/man/ipmon.8 Fri Nov 1 02:13:14 2002 --- ip_fil3.4.32/man/ipmon.8 Fri May 16 23:38:43 2003 *************** *** 170,172 **** --- 170,174 ---- .SH SEE ALSO ipl(4), ipf(8), ipfstat(8), ipnat(8) .SH BUGS + .PP + If you find any, please send email to me at darrenr@pobox.com diff -crN ip_fil3.4.31/man/ipnat.5 ip_fil3.4.32/man/ipnat.5 *** ip_fil3.4.31/man/ipnat.5 Mon Nov 4 00:06:28 2002 --- ip_fil3.4.32/man/ipnat.5 Tue Mar 18 00:37:04 2003 *************** *** 187,193 **** using "ipnat -l", only the internal application order. .SH EXAMPLES .PP ! This section deals with the \fBmap\fP command and it's variations. .PP To change IP#'s used internally from network 10 into an ISP provided 8 bit subnet at 209.1.2.0 through the ppp0 interface, the following would be used: --- 187,193 ---- using "ipnat -l", only the internal application order. .SH EXAMPLES .PP ! This section deals with the \fBmap\fP command and its variations. 
.PP To change IP#'s used internally from network 10 into an ISP provided 8 bit subnet at 209.1.2.0 through the ppp0 interface, the following would be used: diff -crN ip_fil3.4.31/mln_ipl.c ip_fil3.4.32/mln_ipl.c *** ip_fil3.4.31/mln_ipl.c Fri Dec 6 22:46:42 2002 --- ip_fil3.4.32/mln_ipl.c Wed Jan 22 02:59:29 2003 *************** *** 220,226 **** --- 220,228 ---- #ifdef OpenBSD VOP_LOCK(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY, curproc); #else + # if !defined(__NetBSD_Version__) || (__NetBSD_Version__ < 106000000) vn_lock(nd.ni_vp, LK_EXCLUSIVE | LK_RETRY); + # endif #endif VOP_LEASE(nd.ni_dvp, curproc, curproc->p_ucred, LEASE_WRITE); (void) VOP_REMOVE(nd.ni_dvp, nd.ni_vp, &nd.ni_cnd); diff -crN ip_fil3.4.31/natparse.c ip_fil3.4.32/natparse.c *** ip_fil3.4.31/natparse.c Fri Dec 6 22:40:27 2002 --- ip_fil3.4.32/natparse.c Fri May 16 03:45:34 2003 *************** *** 56,62 **** #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.27 2002/12/06 11:40:27 darrenr Exp $"; #endif --- 56,62 ---- #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.29 2003/05/15 17:45:34 darrenr Exp $"; #endif *************** *** 68,74 **** extern int countbits __P((u_32_t)); extern char *proto; ! ipnat_t *natparse __P((char *, int)); void natparsefile __P((int, char *, int)); void nat_setgroupmap __P((struct ipnat *)); --- 68,74 ---- extern int countbits __P((u_32_t)); extern char *proto; ! ipnat_t *natparse __P((char *, int, int *)); void natparsefile __P((int, char *, int)); void nat_setgroupmap __P((struct ipnat *)); *************** *** 98,107 **** /* * Parse a line of input from the ipnat configuration file */ ! 
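Review bot: The new `# if !defined(__NetBSD_Version__) || (__NetBSD_Version__ < 106000000)` around `vn_lock()` has no comment saying why the lock is skipped on NetBSD 1.6 and later, so the next reader is likely to "fix" it back and reintroduce the hang. Presumably namei() already returns `nd.ni_vp` locked there (LOCKLEAF in the NDINIT above the hunk) and a second vn_lock() self-deadlocks, but confirm that against the NDINIT flags; then add `/* NetBSD >= 1.6: namei() returns nd.ni_vp locked; a second vn_lock() would deadlock */` above the `# if`. The enclosing function starts and ends outside the hunk.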
ipnat_t *natparse(line, linenum) char *line; int linenum; { static ipnat_t ipn; struct protoent *pr; --- 98,113 ---- /* * Parse a line of input from the ipnat configuration file + * + * status: + * < 0 error + * = 0 OK + * > 0 programmer error */ ! ipnat_t *natparse(line, linenum, status) char *line; int linenum; + int *status; { static ipnat_t ipn; struct protoent *pr; *************** *** 110,115 **** --- 116,122 ---- int i, cnt; char *port1a = NULL, *port1b = NULL, *port2a = NULL; + *status = 100; /* default to error */ proto = NULL; /* *************** *** 121,128 **** *s = '\0'; while (*line && isspace(*line)) line++; ! if (!*line) return NULL; bzero((char *)&ipn, sizeof(ipn)); cnt = 0; --- 128,137 ---- *s = '\0'; while (*line && isspace(*line)) line++; ! if (!*line) { ! *status = 0; return NULL; + } bzero((char *)&ipn, sizeof(ipn)); cnt = 0; *************** *** 137,142 **** --- 146,152 ---- if (cnt < 3) { fprintf(stderr, "%d: not enough segments in line\n", linenum); + *status = -1; return NULL; } *************** *** 156,161 **** --- 166,172 ---- else { fprintf(stderr, "%d: unknown mapping: \"%s\"\n", linenum, *cpp); + *status = -1; return NULL; } *************** *** 174,185 **** --- 185,198 ---- cpp++; if (strcasecmp(*cpp, "from")) { fprintf(stderr, "Missing from after !\n"); + *status = -1; return NULL; } ipn.in_flags |= IPN_NOTSRC; } else if (**cpp == '!') { if (strcasecmp(*cpp + 1, "from")) { fprintf(stderr, "Missing from after !\n"); + *status = -1; return NULL; } ipn.in_flags |= IPN_NOTSRC; *************** *** 187,192 **** --- 200,206 ---- if ((ipn.in_flags & IPN_NOTSRC) && (ipn.in_redir & (NAT_MAP|NAT_MAPBLK))) { fprintf(stderr, "Cannot use '! 
from' with map\n"); + *status = -1; return NULL; } *************** *** 196,207 **** --- 210,223 ---- if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip, (u_32_t *)&ipn.in_srcmsk, &ipn.in_sport, &ipn.in_scmp, &ipn.in_stop, linenum)) { + *status = -1; return NULL; } } else { if (hostmask(&cpp, (u_32_t *)&ipn.in_inip, (u_32_t *)&ipn.in_inmsk, &ipn.in_sport, &ipn.in_scmp, &ipn.in_stop, linenum)) { + *status = -1; return NULL; } } *************** *** 217,238 **** --- 233,258 ---- if (strcasecmp(*cpp, "to")) { fprintf(stderr, "%d: unexpected keyword (%s) - to\n", linenum, *cpp); + *status = -1; return NULL; } if ((ipn.in_flags & IPN_NOTDST) && (ipn.in_redir & (NAT_REDIRECT))) { fprintf(stderr, "Cannot use '! to' with rdr\n"); + *status = -1; return NULL; } if (!*++cpp) { fprintf(stderr, "%d: missing host after to\n", linenum); + *status = -1; return NULL; } if (ipn.in_redir == NAT_REDIRECT) { if (hostmask(&cpp, (u_32_t *)&ipn.in_outip, (u_32_t *)&ipn.in_outmsk, &ipn.in_dport, &ipn.in_dcmp, &ipn.in_dtop, linenum)) { + *status = -1; return NULL; } ipn.in_pmin = htons(ipn.in_dport); *************** *** 240,245 **** --- 260,266 ---- if (hostmask(&cpp, (u_32_t *)&ipn.in_srcip, (u_32_t *)&ipn.in_srcmsk, &ipn.in_dport, &ipn.in_dcmp, &ipn.in_dtop, linenum)) { + *status = -1; return NULL; } } *************** *** 247,276 **** s = *cpp; if (!s) { fprintf(stderr, "%d: short line\n", linenum); return NULL; } t = strchr(s, '/'); if (!t) { fprintf(stderr, "%d: no netmask on LHS\n", linenum); return NULL; } *t++ = '\0'; if (ipn.in_redir == NAT_REDIRECT) { ! if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1) return NULL; if (genmask(t, (u_32_t *)&ipn.in_outmsk) == -1) { return NULL; } } else { ! 
if (hostnum((u_32_t *)&ipn.in_inip, s, linenum) == -1) return NULL; if (genmask(t, (u_32_t *)&ipn.in_inmsk) == -1) { return NULL; } } cpp++; if (!*cpp) { fprintf(stderr, "%d: short line\n", linenum); return NULL; } } --- 268,306 ---- s = *cpp; if (!s) { fprintf(stderr, "%d: short line\n", linenum); + *status = -1; return NULL; } t = strchr(s, '/'); if (!t) { fprintf(stderr, "%d: no netmask on LHS\n", linenum); + *status = -1; return NULL; } *t++ = '\0'; if (ipn.in_redir == NAT_REDIRECT) { ! if (hostnum((u_32_t *)&ipn.in_outip, s, linenum) == -1){ ! *status = -1; return NULL; + } if (genmask(t, (u_32_t *)&ipn.in_outmsk) == -1) { + *status = -1; return NULL; } } else { ! if (hostnum((u_32_t *)&ipn.in_inip, s, linenum) == -1) { ! *status = -1; return NULL; + } if (genmask(t, (u_32_t *)&ipn.in_inmsk) == -1) { + *status = -1; return NULL; } } cpp++; if (!*cpp) { fprintf(stderr, "%d: short line\n", linenum); + *status = -1; return NULL; } } *************** *** 283,288 **** --- 313,319 ---- if (strcasecmp(*cpp, "port")) { fprintf(stderr, "%d: missing fields - 1st port\n", linenum); + *status = -1; return NULL; } *************** *** 292,297 **** --- 323,329 ---- fprintf(stderr, "%d: missing fields (destination port)\n", linenum); + *status = -1; return NULL; } *************** *** 319,328 **** --- 351,362 ---- */ if (!*cpp) { fprintf(stderr, "%d: missing fields (->)\n", linenum); + *status = -1; return NULL; } if (strcmp(*cpp, "->")) { fprintf(stderr, "%d: missing ->\n", linenum); + *status = -1; return NULL; } cpp++; *************** *** 330,335 **** --- 364,370 ---- if (!*cpp) { fprintf(stderr, "%d: missing fields (%s)\n", linenum, ipn.in_redir ? "destination" : "target"); + *status = -1; return NULL; } *************** *** 341,346 **** --- 376,382 ---- fprintf(stderr, "%d: missing fields (%s)\n", linenum, ipn.in_redir ? 
"destination":"target"); + *status = -1; return NULL; } } *************** *** 358,363 **** --- 394,400 ---- fprintf(stderr, "%d: desination range not specified\n", linenum); + *status = -1; return NULL; } } else if (ipn.in_redir != NAT_REDIRECT) { *************** *** 371,376 **** --- 408,414 ---- fprintf(stderr, "%d: missing fields (dest netmask)\n", linenum); + *status = -1; return NULL; } if (*dnetm == '/') *************** *** 383,402 **** ipn.in_flags |= IPN_SPLIT; *dnetm++ = '\0'; } ! if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1) return NULL; #if SOLARIS if (ntohl(ipn.in_inip) == INADDR_LOOPBACK) { fprintf(stderr, "localhost as destination not supported\n"); return NULL; } #endif } else { if (!strcmp(*cpp, ipn.in_ifname)) *cpp = "0"; ! if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1) return NULL; } cpp++; --- 421,445 ---- ipn.in_flags |= IPN_SPLIT; *dnetm++ = '\0'; } ! if (hostnum((u_32_t *)&ipn.in_inip, *cpp, linenum) == -1) { ! *status = -1; return NULL; + } #if SOLARIS if (ntohl(ipn.in_inip) == INADDR_LOOPBACK) { fprintf(stderr, "localhost as destination not supported\n"); + *status = -1; return NULL; } #endif } else { if (!strcmp(*cpp, ipn.in_ifname)) *cpp = "0"; ! if (hostnum((u_32_t *)&ipn.in_outip, *cpp, linenum) == -1) { ! 
*status = -1; return NULL; + } } cpp++; *************** *** 406,411 **** --- 449,455 ---- fprintf(stderr, "%d: expected \"ports\" - got \"%s\"\n", linenum, *cpp); + *status = -1; return NULL; } cpp++; *************** *** 413,418 **** --- 457,463 ---- fprintf(stderr, "%d: missing argument to \"ports\"\n", linenum); + *status = -1; return NULL; } if (!strcasecmp(*cpp, "auto")) *************** *** 426,437 **** --- 471,484 ---- if (*cpp && (strrchr(*cpp, '/') != NULL)) { fprintf(stderr, "%d: No netmask supported in %s\n", linenum, "destination host for redirect"); + *status = -1; return NULL; } if (!*cpp) { fprintf(stderr, "%d: Missing destination port %s\n", linenum, "in redirect"); + *status = -1; return NULL; } *************** *** 440,445 **** --- 487,493 ---- if (strcasecmp(*cpp, "port")) { fprintf(stderr, "%d: missing fields - 2nd port (%s)\n", linenum, *cpp); + *status = -1; return NULL; } cpp++; *************** *** 447,452 **** --- 495,501 ---- fprintf(stderr, "%d: missing fields (destination port)\n", linenum); + *status = -1; return NULL; } *************** *** 458,474 **** if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) { if (ipn.in_flags & IPN_IPRANGE) { if (hostnum((u_32_t *)&ipn.in_outmsk, dnetm, ! linenum) == -1) return NULL; ! } else if (genmask(dnetm, (u_32_t *)&ipn.in_outmsk)) return NULL; } else { if (ipn.in_flags & IPN_SPLIT) { if (hostnum((u_32_t *)&ipn.in_inmsk, dnetm, ! linenum) == -1) return NULL; ! } else if (genmask("255.255.255.255", (u_32_t *)&ipn.in_inmsk)) return NULL; if (!*cpp) { ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */ proto = "tcp"; --- 507,531 ---- if (ipn.in_redir & (NAT_MAP|NAT_MAPBLK)) { if (ipn.in_flags & IPN_IPRANGE) { if (hostnum((u_32_t *)&ipn.in_outmsk, dnetm, ! linenum) == -1) { ! *status = -1; return NULL; ! } ! } else if (genmask(dnetm, (u_32_t *)&ipn.in_outmsk)) { ! *status = -1; return NULL; + } } else { if (ipn.in_flags & IPN_SPLIT) { if (hostnum((u_32_t *)&ipn.in_inmsk, dnetm, ! linenum) == -1) { ! 
*status = -1; return NULL; ! } ! } else if (genmask("255.255.255.255", (u_32_t *)&ipn.in_inmsk)){ ! *status = -1; return NULL; + } if (!*cpp) { ipn.in_flags |= IPN_TCP; /* XXX- TCP only by default */ proto = "tcp"; *************** *** 494,499 **** --- 551,557 ---- fprintf(stderr, "%d: Unknown protocol %s\n", linenum, proto); + *status = -1; return NULL; } else ipn.in_p = atoi(proto); *************** *** 520,525 **** --- 578,584 ---- fprintf(stderr, "%d: age with no parameters\n", linenum); + *status = -1; return NULL; } *************** *** 541,546 **** --- 600,606 ---- fprintf(stderr, "%d: mssclamp with no parameters\n", linenum); + *status = -1; return NULL; } } *************** *** 549,574 **** fprintf(stderr, "%d: extra junk at the end of the line: %s\n", linenum, *cpp); return NULL; } } } if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) { ! if (!portnum(port1a, &ipn.in_pmin, linenum)) return NULL; ipn.in_pmin = htons(ipn.in_pmin); if (port1b != NULL) { ! if (!portnum(port1b, &ipn.in_pmax, linenum)) return NULL; ipn.in_pmax = htons(ipn.in_pmax); } else ipn.in_pmax = ipn.in_pmin; } if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) { ! if (!portnum(port2a, &ipn.in_pnext, linenum)) return NULL; ipn.in_pnext = htons(ipn.in_pnext); } --- 609,641 ---- fprintf(stderr, "%d: extra junk at the end of the line: %s\n", linenum, *cpp); + *status = -1; return NULL; } } } if ((ipn.in_redir == NAT_REDIRECT) && !(ipn.in_flags & IPN_FILTER)) { ! if (!portnum(port1a, &ipn.in_pmin, linenum)) { ! *status = -1; return NULL; + } ipn.in_pmin = htons(ipn.in_pmin); if (port1b != NULL) { ! if (!portnum(port1b, &ipn.in_pmax, linenum)) { ! *status = -1; return NULL; + } ipn.in_pmax = htons(ipn.in_pmax); } else ipn.in_pmax = ipn.in_pmin; } if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) { ! if (!portnum(port2a, &ipn.in_pnext, linenum)) { ! *status = -1; return NULL; + } ipn.in_pnext = htons(ipn.in_pnext); } *************** *** 586,598 **** ipn.in_flags |= IPN_FRAG; } ! 
if (!*cpp) return &ipn; if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "proxy")) { if (ipn.in_redir == NAT_BIMAP) { fprintf(stderr, "%d: cannot use proxy with bimap\n", linenum); return NULL; } cpp++; --- 653,670 ---- ipn.in_flags |= IPN_FRAG; } ! if (!*cpp) { ! *status = 0; return &ipn; + } if (ipn.in_redir != NAT_BIMAP && !strcasecmp(*cpp, "proxy")) { + u_short pport; + if (ipn.in_redir == NAT_BIMAP) { fprintf(stderr, "%d: cannot use proxy with bimap\n", linenum); + *status = -1; return NULL; } cpp++; *************** *** 600,605 **** --- 672,678 ---- fprintf(stderr, "%d: missing parameter for \"proxy\"\n", linenum); + *status = -1; return NULL; } dport = NULL; *************** *** 610,615 **** --- 683,689 ---- fprintf(stderr, "%d: missing parameter for \"port\"\n", linenum); + *status = -1; return NULL; } *************** *** 620,630 **** --- 694,706 ---- fprintf(stderr, "%d: missing parameter for \"proxy\"\n", linenum); + *status = -1; return NULL; } } else { fprintf(stderr, "%d: missing keyword \"port\"\n", linenum); + *status = -1; return NULL; } *************** *** 637,645 **** } else ipn.in_p = 0; ! if (dport && !portnum(dport, &ipn.in_dport, linenum)) return NULL; ! ipn.in_dport = htons(ipn.in_dport); (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel)); cpp++; --- 713,729 ---- } else ipn.in_p = 0; ! if (dport && !portnum(dport, &pport, linenum)) return NULL; ! if (ipn.in_dcmp != 0) { ! if (pport != ipn.in_dport) { ! fprintf(stderr, ! "%d: mismatch in port numbers\n", ! linenum); ! return NULL; ! } ! } else ! 
ipn.in_dport = htons(pport); (void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel)); cpp++; *************** *** 648,653 **** --- 732,738 ---- if (ipn.in_redir == NAT_BIMAP) { fprintf(stderr, "%d: cannot use portmap with bimap\n", linenum); + *status = -1; return NULL; } cpp++; *************** *** 655,660 **** --- 740,746 ---- fprintf(stderr, "%d: missing expression following portmap\n", linenum); + *status = -1; return NULL; } *************** *** 670,675 **** --- 756,762 ---- fprintf(stderr, "%d: expected protocol name - got \"%s\"\n", linenum, *cpp); + *status = -1; return NULL; } proto = *cpp; *************** *** 677,682 **** --- 764,770 ---- if (!*cpp) { fprintf(stderr, "%d: no port range found\n", linenum); + *status = -1; return NULL; } *************** *** 691,702 **** fprintf(stderr, "%d: no port range in \"%s\"\n", linenum, *cpp); return NULL; } *t++ = '\0'; if (!portnum(*cpp, &ipn.in_pmin, linenum) || ! !portnum(t, &ipn.in_pmax, linenum)) return NULL; ipn.in_pmin = htons(ipn.in_pmin); ipn.in_pmax = htons(ipn.in_pmax); cpp++; --- 779,793 ---- fprintf(stderr, "%d: no port range in \"%s\"\n", linenum, *cpp); + *status = -1; return NULL; } *t++ = '\0'; if (!portnum(*cpp, &ipn.in_pmin, linenum) || ! !portnum(t, &ipn.in_pmax, linenum)) { ! 
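Review bot: The two new `return NULL` exits in the proxy-port block — the failed `portnum(dport, &pport, linenum)` call and the `mismatch in port numbers` branch — are the only error paths in this hunk that do not set `*status = -1`, so the caller, which seeds its status with 1, reports a bad or inconsistent proxy port as an "internal error (1)" instead of a parse error. Add `*status = -1;` before each of those returns, e.g. `if (dport && !portnum(dport, &pport, linenum)) { *status = -1; return NULL; }`. The comparison `pport != ipn.in_dport` also appears to rely on in_dport being held in host order when in_dcmp is set, whereas the else branch stores `htons(pport)`; printnat.c in this same patch has to undo that asymmetry, so a one-line comment here stating the byte-order convention would spare the next reader that trip. natparse itself begins and ends outside this hunk.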
*status = -1; return NULL; + } ipn.in_pmin = htons(ipn.in_pmin); ipn.in_pmax = htons(ipn.in_pmax); cpp++; *************** *** 713,718 **** --- 804,810 ---- if (!*cpp) { fprintf(stderr, "%d: age with no parameters\n", linenum); + *status = -1; return NULL; } ipn.in_age[0] = atoi(*cpp); *************** *** 732,737 **** --- 824,830 ---- } else { fprintf(stderr, "%d: mssclamp with no parameters\n", linenum); + *status = -1; return NULL; } } *************** *** 739,746 **** --- 832,842 ---- if (*cpp) { fprintf(stderr, "%d: extra junk at the end of the line: %s\n", linenum, *cpp); + *status = -1; return NULL; } + + *status = 0; return &ipn; } *************** *** 754,759 **** --- 850,856 ---- ipnat_t *np; FILE *fp; int linenum = 0; + int parsestatus; if (strcmp(file, "-")) { if (!(fp = fopen(file, "r"))) { *************** *** 770,780 **** if ((s = strchr(line, '\n'))) *s = '\0'; ! if (!(np = natparse(line, linenum))) { ! if (*line) fprintf(stderr, "%d: syntax error in \"%s\"\n", linenum, line); ! } else { if ((opts & OPT_VERBOSE) && np) printnat(np, opts); if (!(opts & OPT_NODO)) { --- 867,886 ---- if ((s = strchr(line, '\n'))) *s = '\0'; ! parsestatus = 1; ! np = natparse(line, linenum, &parsestatus); ! if (parsestatus != 0) { ! if (*line) { fprintf(stderr, "%d: syntax error in \"%s\"\n", linenum, line); ! } ! fprintf(stderr, "%s: %s error (%d), quitting\n", ! file, ! ((parsestatus < 0)? "parse": "internal"), ! parsestatus); ! exit(1); ! } ! if (np) { if ((opts & OPT_VERBOSE) && np) printnat(np, opts); if (!(opts & OPT_NODO)) { diff -crN ip_fil3.4.31/parse.c ip_fil3.4.32/parse.c *** ip_fil3.4.31/parse.c Fri Dec 6 22:40:27 2002 --- ip_fil3.4.32/parse.c Thu Jun 26 05:09:35 2003 *************** *** 68,77 **** /* parse() * * parse a line read from the input filter rule file */ ! 
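Review bot: The inner guard `if ((opts & OPT_VERBOSE) && np)` sits inside the new `if (np)` block and re-tests a pointer the enclosing condition already established, so it can be reduced to `if (opts & OPT_VERBOSE)`. The seed value `parsestatus = 1` is what gets printed as "internal error (1)" whenever natparse returns NULL without touching its status out-parameter, so any natparse exit that forgets `*status = -1` surfaces here under a misleading label; a comment such as `/* 1: natparse returned without setting status - parser bug */` would make the sentinel's meaning explicit. The rest of the per-line loop, presumably including the ioctl that installs the rule, lies outside the hunk.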
struct frentry *parse(line, linenum) char *line; int linenum; { static struct frentry fil; char *cps[31], **cpp, *endptr, *s; --- 68,83 ---- /* parse() * * parse a line read from the input filter rule file + * + * status: + * < 0 error + * = 0 OK + * > 0 programmer error */ ! struct frentry *parse(line, linenum, status) char *line; int linenum; + int *status; /* good, bad, or indifferent */ { static struct frentry fil; char *cps[31], **cpp, *endptr, *s; *************** *** 79,88 **** int i, cnt = 1, j, ch; u_int k; while (*line && isspace(*line)) line++; ! if (!*line) return NULL; bzero((char *)&fil, sizeof(fil)); fil.fr_mip.fi_v = 0xf; --- 85,98 ---- int i, cnt = 1, j, ch; u_int k; + *status = 100; /* default to error */ + while (*line && isspace(*line)) line++; ! if (!*line) { ! *status = 0; return NULL; + } bzero((char *)&fil, sizeof(fil)); fil.fr_mip.fi_v = 0xf; *************** *** 100,105 **** --- 110,116 ---- if (cnt < 3) { fprintf(stderr, "%d: not enough segments in line\n", linenum); + *status = -1; return NULL; } *************** *** 143,148 **** --- 154,160 ---- fprintf(stderr, "%d: unrecognised icmp code %s\n", linenum, *cpp + 20); + *status = -1; return NULL; } fil.fr_icode = j; *************** *** 172,177 **** --- 184,190 ---- else { fprintf(stderr, "%d: integer must follow skip\n", linenum); + *status = -1; return NULL; } } else if (!strcasecmp("log", *cpp)) { *************** *** 190,197 **** } if (!strcasecmp(*(cpp+1), "level")) { cpp++; ! if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) return NULL; cpp++; } } else { --- 203,213 ---- } if (!strcasecmp(*(cpp+1), "level")) { cpp++; ! if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) { ! /* NB loglevel prints its own error message */ ! 
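Review bot: The new header comment documents the sign of `status` but not that parse() now also returns NULL with `*status == 0` for a blank line (the `if (!*line)` exit in the following hunk), so a caller that keeps testing only the returned pointer will treat a blank line as a failure, and one that tests only the status will dereference NULL. Extend the comment with a line such as ` *   NULL with status 0: blank line, nothing to add -- callers must check both` so the contract is visible at the prototype. The `*status = 100` default in the next hunk is the "programmer error" case this comment refers to; giving that value a name would tie the two together, though that is a matter of taste.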
*status = -1; return NULL; + } cpp++; } } else { *************** *** 199,208 **** --- 215,226 ---- * Doesn't start with one of the action words */ fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp); + *status = -1; return NULL; } if (!*++cpp) { fprintf(stderr, "%d: missing 'in'/'out' keyword\n", linenum); + *status = -1; return NULL; } *************** *** 218,233 **** --- 236,254 ---- fprintf(stderr, "%d: Can only use return-icmp with 'in'\n", linenum); + *status = -1; return NULL; } else if (fil.fr_flags & FR_RETRST) { fprintf(stderr, "%d: Can only use return-rst with 'in'\n", linenum); + *status = -1; return NULL; } } if (!*++cpp) { fprintf(stderr, "%d: missing source specification\n", linenum); + *status = -1; return NULL; } *************** *** 235,240 **** --- 256,262 ---- if (!*++cpp) { fprintf(stderr, "%d: missing source specification\n", linenum); + *status = -1; return NULL; } if (fil.fr_flags & FR_PASS) *************** *** 254,267 **** fprintf(stderr, "%d: or-block must be used with pass\n", linenum); return NULL; } fil.fr_flags |= FR_LOGORBLOCK; cpp++; } if (*cpp && !strcasecmp(*cpp, "level")) { ! if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) return NULL; cpp++; cpp++; } --- 276,292 ---- fprintf(stderr, "%d: or-block must be used with pass\n", linenum); + *status = -1; return NULL; } fil.fr_flags |= FR_LOGORBLOCK; cpp++; } if (*cpp && !strcasecmp(*cpp, "level")) { ! if (loglevel(cpp, &fil.fr_loglevel, linenum) == -1) { ! 
*status = -1; return NULL; + } cpp++; cpp++; } *************** *** 271,276 **** --- 296,302 ---- if (fil.fr_skip != 0) { fprintf(stderr, "%d: cannot use skip with quick\n", linenum); + *status = -1; return NULL; } cpp++; *************** *** 287,292 **** --- 313,319 ---- if (!*++cpp) { fprintf(stderr, "%d: interface name missing\n", linenum); + *status = -1; return NULL; } *************** *** 307,334 **** fprintf(stderr, "%d: %s can only be used with TCP\n", linenum, "return-rst"); return NULL; } return &fil; } if (*cpp) { if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) { cpp++; ! if (to_interface(&fil.fr_dif, *cpp, linenum)) return NULL; cpp++; } if (*cpp && !strcasecmp(*cpp, "to") && *(cpp + 1)) { cpp++; ! if (to_interface(&fil.fr_tif, *cpp, linenum)) return NULL; cpp++; } else if (*cpp && !strcasecmp(*cpp, "fastroute")) { if (!(fil.fr_flags & FR_INQUE)) { fprintf(stderr, "can only use %s with 'in'\n", "fastroute"); return NULL; } fil.fr_flags |= FR_FASTROUTE; --- 334,368 ---- fprintf(stderr, "%d: %s can only be used with TCP\n", linenum, "return-rst"); + *status = -1; return NULL; } + *status = 0; return &fil; } if (*cpp) { if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) { cpp++; ! if (to_interface(&fil.fr_dif, *cpp, linenum)) { ! *status = -1; return NULL; + } cpp++; } if (*cpp && !strcasecmp(*cpp, "to") && *(cpp + 1)) { cpp++; ! if (to_interface(&fil.fr_tif, *cpp, linenum)) { ! 
*status = -1; return NULL; + } cpp++; } else if (*cpp && !strcasecmp(*cpp, "fastroute")) { if (!(fil.fr_flags & FR_INQUE)) { fprintf(stderr, "can only use %s with 'in'\n", "fastroute"); + *status = -1; return NULL; } fil.fr_flags |= FR_FASTROUTE; *************** *** 366,371 **** --- 400,406 ---- if (*cpp && !strcasecmp(*cpp, "tos")) { if (!*++cpp) { fprintf(stderr, "%d: tos missing value\n", linenum); + *status = -1; return NULL; } fil.fr_tos = strtol(*cpp, NULL, 0); *************** *** 377,382 **** --- 412,418 ---- if (!*++cpp) { fprintf(stderr, "%d: ttl missing hopcount value\n", linenum); + *status = -1; return NULL; } if (ratoi(*cpp, &i, 0, 255)) *************** *** 384,389 **** --- 420,426 ---- else { fprintf(stderr, "%d: invalid ttl (%s)\n", linenum, *cpp); + *status = -1; return NULL; } fil.fr_mip.fi_ttl = 0xff; *************** *** 397,402 **** --- 434,440 ---- if (*cpp && !strcasecmp(*cpp, "proto")) { if (!*++cpp) { fprintf(stderr, "%d: protocol name missing\n", linenum); + *status = -1; return NULL; } proto = *cpp++; *************** *** 412,417 **** --- 450,456 ---- fprintf(stderr, "%d: unknown protocol (%s)\n", linenum, proto); + *status = -1; return NULL; } if (p) *************** *** 422,427 **** --- 461,467 ---- fprintf(stderr, "%d: unknown protocol (%s)\n", linenum, proto); + *status = -1; return NULL; } fil.fr_proto = i; *************** *** 433,438 **** --- 473,479 ---- ((fil.fr_flags & FR_RETMASK) == FR_RETRST)) { fprintf(stderr, "%d: %s can only be used with TCP\n", linenum, "return-rst"); + *status = -1; return NULL; } *************** *** 442,462 **** if (!*cpp) { fprintf(stderr, "%d: missing source specification\n", linenum); return NULL; } if (!strcasecmp(*cpp, "all")) { cpp++; ! 
if (!*cpp) return &fil; } else { if (strcasecmp(*cpp, "from")) { fprintf(stderr, "%d: unexpected keyword (%s) - from\n", linenum, *cpp); return NULL; } if (!*++cpp) { fprintf(stderr, "%d: missing host after from\n", linenum); return NULL; } if (!strcmp(*cpp, "!")) { --- 483,508 ---- if (!*cpp) { fprintf(stderr, "%d: missing source specification\n", linenum); + *status = -1; return NULL; } if (!strcasecmp(*cpp, "all")) { cpp++; ! if (!*cpp) { ! *status = 0; return &fil; + } } else { if (strcasecmp(*cpp, "from")) { fprintf(stderr, "%d: unexpected keyword (%s) - from\n", linenum, *cpp); + *status = -1; return NULL; } if (!*++cpp) { fprintf(stderr, "%d: missing host after from\n", linenum); + *status = -1; return NULL; } if (!strcmp(*cpp, "!")) { *************** *** 465,470 **** --- 511,517 ---- fprintf(stderr, "%d: missing host after from\n", linenum); + *status = -1; return NULL; } } else if (**cpp == '!') { *************** *** 475,480 **** --- 522,528 ---- if (hostmask(&cpp, (u_32_t *)&fil.fr_src, (u_32_t *)&fil.fr_smsk, &fil.fr_sport, &ch, &fil.fr_stop, linenum)) { + *status = -1; return NULL; } *************** *** 484,495 **** --- 532,545 ---- fprintf(stderr, "%d: cannot use port and neither tcp or udp\n", linenum); + *status = -1; return NULL; } fil.fr_scmp = ch; if (!*cpp) { fprintf(stderr, "%d: missing to fields\n", linenum); + *status = -1; return NULL; } *************** *** 499,508 **** --- 549,560 ---- if (strcasecmp(*cpp, "to")) { fprintf(stderr, "%d: unexpected keyword (%s) - to\n", linenum, *cpp); + *status = -1; return NULL; } if (!*++cpp) { fprintf(stderr, "%d: missing host after to\n", linenum); + *status = -1; return NULL; } ch = 0; *************** *** 512,517 **** --- 564,570 ---- fprintf(stderr, "%d: missing host after from\n", linenum); + *status = -1; return NULL; } } else if (**cpp == '!') { *************** *** 521,526 **** --- 574,580 ---- if (hostmask(&cpp, (u_32_t *)&fil.fr_dst, (u_32_t *)&fil.fr_dmsk, &fil.fr_dport, &ch, &fil.fr_dtop, 
linenum)) { + *status = -1; return NULL; } if ((ch != 0) && (fil.fr_proto != IPPROTO_TCP) && *************** *** 529,534 **** --- 583,589 ---- fprintf(stderr, "%d: cannot use port and neither tcp or udp\n", linenum); + *status = -1; return NULL; } *************** *** 542,561 **** if (fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp) && fil.fr_proto != IPPROTO_TCP && fil.fr_proto != IPPROTO_UDP) { fprintf(stderr, "%d: port operation on non tcp/udp\n", linenum); return NULL; } if (fil.fr_icmp && fil.fr_proto != IPPROTO_ICMP) { fprintf(stderr, "%d: icmp comparisons on wrong protocol\n", linenum); return NULL; } ! if (!*cpp) return &fil; if (*cpp && !strcasecmp(*cpp, "flags")) { if (!*++cpp) { fprintf(stderr, "%d: no flags present\n", linenum); return NULL; } fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm, linenum); --- 597,621 ---- if (fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp) && fil.fr_proto != IPPROTO_TCP && fil.fr_proto != IPPROTO_UDP) { fprintf(stderr, "%d: port operation on non tcp/udp\n", linenum); + *status = -1; return NULL; } if (fil.fr_icmp && fil.fr_proto != IPPROTO_ICMP) { fprintf(stderr, "%d: icmp comparisons on wrong protocol\n", linenum); + *status = -1; return NULL; } ! if (!*cpp) { ! *status = 0; return &fil; + } if (*cpp && !strcasecmp(*cpp, "flags")) { if (!*++cpp) { fprintf(stderr, "%d: no flags present\n", linenum); + *status = -1; return NULL; } fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm, linenum); *************** *** 567,574 **** */ if ((fil.fr_v == 4) && *cpp && (!strcasecmp(*cpp, "with") || !strcasecmp(*cpp, "and"))) ! if (extras(&cpp, &fil, linenum)) return NULL; /* * icmp types for use with the icmp protocol --- 627,636 ---- */ if ((fil.fr_v == 4) && *cpp && (!strcasecmp(*cpp, "with") || !strcasecmp(*cpp, "and"))) ! if (extras(&cpp, &fil, linenum)) { ! 
*status = -1; return NULL; + } /* * icmp types for use with the icmp protocol *************** *** 579,588 **** fprintf(stderr, "%d: icmp with wrong protocol (%d)\n", linenum, fil.fr_proto); return NULL; } ! if (addicmp(&cpp, &fil, linenum)) return NULL; fil.fr_icmp = htons(fil.fr_icmp); fil.fr_icmpm = htons(fil.fr_icmpm); } --- 641,653 ---- fprintf(stderr, "%d: icmp with wrong protocol (%d)\n", linenum, fil.fr_proto); + *status = -1; return NULL; } ! if (addicmp(&cpp, &fil, linenum)) { ! *status = -1; return NULL; + } fil.fr_icmp = htons(fil.fr_icmp); fil.fr_icmpm = htons(fil.fr_icmpm); } *************** *** 591,598 **** * Keep something... */ while (*cpp && !strcasecmp(*cpp, "keep")) ! if (addkeep(&cpp, &fil, linenum)) return NULL; /* * This is here to enforce the old interface binding behaviour. --- 656,665 ---- * Keep something... */ while (*cpp && !strcasecmp(*cpp, "keep")) ! if (addkeep(&cpp, &fil, linenum)) { ! *status = -1; return NULL; + } /* * This is here to enforce the old interface binding behaviour. 
*************** *** 614,623 **** --- 681,692 ---- if (fil.fr_skip != 0) { fprintf(stderr, "%d: cannot use skip with head\n", linenum); + *status = -1; return NULL; } if (!*++cpp) { fprintf(stderr, "%d: head without group #\n", linenum); + *status = -1; return NULL; } if (ratoui(*cpp, &k, 0, UINT_MAX)) *************** *** 625,630 **** --- 694,700 ---- else { fprintf(stderr, "%d: invalid group (%s)\n", linenum, *cpp); + *status = -1; return NULL; } cpp++; *************** *** 637,642 **** --- 707,713 ---- if (!*++cpp) { fprintf(stderr, "%d: group without group #\n", linenum); + *status = -1; return NULL; } if (ratoui(*cpp, &k, 0, UINT_MAX)) *************** *** 644,649 **** --- 715,721 ---- else { fprintf(stderr, "%d: invalid group (%s)\n", linenum, *cpp); + *status = -1; return NULL; } cpp++; *************** *** 657,662 **** --- 729,735 ---- for (; *cpp; cpp++) fprintf(stderr, "%s ", *cpp); fprintf(stderr, "]\n"); + *status = -1; return NULL; } *************** *** 665,670 **** --- 738,744 ---- */ if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) { fprintf(stderr, "%d: TCP protocol not specified\n", linenum); + *status = -1; return NULL; } if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) && *************** *** 676,681 **** --- 750,756 ---- fprintf(stderr, "%d: port comparisons for non-TCP/UDP\n", linenum); + *status = -1; return NULL; } } *************** *** 685,693 **** --- 760,770 ---- fprintf(stderr, "%d: must use 'with frags' with 'keep frags'\n", linenum); + *status = -1; return NULL; } */ + *status = 0; return &fil; } diff -crN ip_fil3.4.31/printnat.c ip_fil3.4.32/printnat.c *** ip_fil3.4.31/printnat.c Fri Dec 6 22:40:27 2002 --- ip_fil3.4.32/printnat.c Sun Mar 23 02:31:49 2003 *************** *** 58,64 **** #endif #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.13 2002/12/06 11:40:27 darrenr Exp $"; #endif --- 58,64 ---- #endif #if !defined(lint) ! 
static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.15 2003/03/22 15:31:49 darrenr Exp $"; #endif *************** *** 399,405 **** np->in_space, np->in_flags, np->in_pmax, np->in_use); } else { - np->in_nextip.s_addr = htonl(np->in_nextip.s_addr); if (!(np->in_flags & IPN_FILTER)) { printf("%s/", inet_ntoa(np->in_in[0])); bits = countbits(np->in_in[1].s_addr); --- 399,404 ---- *************** *** 422,427 **** --- 421,428 ---- } if (*np->in_plabel) { printf(" proxy port"); + if (np->in_dcmp != 0) + np->in_dport = htons(np->in_dport); if (np->in_dport != 0) { if (pr != NULL) sv = getservbyport(np->in_dport, *************** *** 473,480 **** printf(" age %d/%d", np->in_age[0], np->in_age[1]); printf("\n"); if (opts & OPT_DEBUG) { printf("\tspace %lu nextip %s pnext %d", np->in_space, ! inet_ntoa(np->in_nextip), np->in_pnext); printf(" flags %x use %u\n", np->in_flags, np->in_use); } --- 474,485 ---- printf(" age %d/%d", np->in_age[0], np->in_age[1]); printf("\n"); if (opts & OPT_DEBUG) { + struct in_addr nip; + + nip.s_addr = htonl(np->in_nextip.s_addr); + printf("\tspace %lu nextip %s pnext %d", np->in_space, ! inet_ntoa(nip), np->in_pnext); printf(" flags %x use %u\n", np->in_flags, np->in_use); } diff -crN ip_fil3.4.31/printstate.c ip_fil3.4.32/printstate.c *** ip_fil3.4.31/printstate.c Fri Dec 6 22:40:28 2002 --- ip_fil3.4.32/printstate.c Sat Jan 18 18:23:13 2003 *************** *** 47,68 **** #else PRINTF("\tpkts %ld bytes %ld", ips.is_pkts, ips.is_bytes); #endif ! if (ips.is_p == IPPROTO_TCP) #if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ (__FreeBSD_version >= 220000) || defined(__OpenBSD__) ! PRINTF("\t%hu -> %hu %x:%x %u<<%d:%u<<%d", ntohs(ips.is_sport), ntohs(ips.is_dport), ips.is_send, ips.is_dend, ips.is_maxswin>>ips.is_swscale, ips.is_swscale, ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale); #else ! 
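Review bot: The added `np->in_dport = htons(np->in_dport);` under `if (np->in_dcmp != 0)` byte-swaps the caller's ipnat_t in place, which is the same mutate-on-print pattern the first hunk of this file just removed for `in_nextip`; every call to printnat() flips the field again, and if the same structure is afterwards handed to the kernel (ipnat's parsefile in this patch prints the rule under OPT_VERBOSE before the `!(opts & OPT_NODO)` path, so passing `-v` would appear to change the installed proxy port), the rule goes in with a swapped port. Mirror the `nip` fix from the debug hunk: `u_short dport = (np->in_dcmp != 0) ? htons(np->in_dport) : np->in_dport;` and use `dport` in the `!= 0` test and the getservbyport() call. The remainder of the proxy-port printing is outside the hunk.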
PRINTF("\t%hu -> %hu %x:%x %u<<%d:%u<<%d", ntohs(ips.is_sport), ntohs(ips.is_dport), ips.is_send, ips.is_dend, ips.is_maxswin>>ips.is_swscale, ips.is_swscale, ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale); #endif ! else if (ips.is_p == IPPROTO_UDP) PRINTF(" %hu -> %hu", ntohs(ips.is_sport), ntohs(ips.is_dport)); else if (ips.is_p == IPPROTO_ICMP --- 47,72 ---- #else PRINTF("\tpkts %ld bytes %ld", ips.is_pkts, ips.is_bytes); #endif ! if (ips.is_p == IPPROTO_TCP) { #if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \ (__FreeBSD_version >= 220000) || defined(__OpenBSD__) ! PRINTF("\t%hu -> %hu %x:%x (max %x:%x)\n", ntohs(ips.is_sport), ntohs(ips.is_dport), ips.is_send, ips.is_dend, + ips.is_maxsend, ips.is_maxdend); + PRINTF("\t%u<<%d:%u<<%d", ips.is_maxswin>>ips.is_swscale, ips.is_swscale, ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale); #else ! PRINTF("\t%hu -> %hu %x:%x (max %x:%x)\n", ntohs(ips.is_sport), ntohs(ips.is_dport), ips.is_send, ips.is_dend, + ips.is_maxsend, ips.is_maxdend); + PRINTF("\t%u<<%d:%u<<%d", ips.is_maxswin>>ips.is_swscale, ips.is_swscale, ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale); #endif ! } else if (ips.is_p == IPPROTO_UDP) PRINTF(" %hu -> %hu", ntohs(ips.is_sport), ntohs(ips.is_dport)); else if (ips.is_p == IPPROTO_ICMP diff -crN ip_fil3.4.31/test/expected/i11 ip_fil3.4.32/test/expected/i11 *** ip_fil3.4.31/test/expected/i11 Fri Jan 10 02:14:55 1997 --- ip_fil3.4.32/test/expected/i11 Tue Apr 15 10:02:23 2003 *************** *** 2,4 **** --- 2,5 ---- block in log first on lo0(!) 
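Review bot: Both arms of the `#if defined(NetBSD) ... || defined(__OpenBSD__)` conditional now contain byte-for-byte the same two PRINTF calls, so the preprocessor split no longer selects anything and can be collapsed to a single copy, halving the text that has to be kept in sync. If the split is being kept for a platform-specific format difference that is still planned, a comment saying so belongs above the `#if`; otherwise drop it. The enclosing print function starts and ends outside this hunk.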
proto tcp/udp from any to any keep state pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 2049 keep frags pass in proto udp from 127.0.0.1/32 to 127.0.0.1/32 port = 53 keep state keep frags + pass in proto tcp from any port > 1024 to 127.0.0.1/32 port = 25 keep state diff -crN ip_fil3.4.31/test/expected/in1 ip_fil3.4.32/test/expected/in1 *** ip_fil3.4.31/test/expected/in1 Fri May 3 21:52:16 2002 --- ip_fil3.4.32/test/expected/in1 Wed Jan 22 02:22:17 2003 *************** *** 22,24 **** --- 22,25 ---- map le0 0.0.0.0/0 -> 0.0.0.0/32 frag age 10/10 map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag age 10/20 map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999 frag age 30/30 + map fxp0 from 192.168.0.0/18 to any port = ftp -> 1.2.3.4/32 proxy port ftp ftp/tcp diff -crN ip_fil3.4.31/test/expected/ni1 ip_fil3.4.32/test/expected/ni1 *** ip_fil3.4.31/test/expected/ni1 Fri Apr 26 20:25:10 2002 --- ip_fil3.4.32/test/expected/ni1 Tue Jun 10 23:26:30 2003 *************** *** 1,3 **** 4500 0028 4706 4000 0111 ced8 0606 0606 0404 0404 afc9 829e 0014 0b2d 0402 0000 3be5 468d 000a cfc3 ! 4500 0038 809a 0000 ff01 8f31 0303 0303 0202 0202 0b00 a537 0000 0000 4500 0028 4703 4000 0111 ef89 0202 0202 0404 0404 afc9 829e 0014 1d4f ------------------------------- --- 1,3 ---- 4500 0028 4706 4000 0111 ced8 0606 0606 0404 0404 afc9 829e 0014 0b2d 0402 0000 3be5 468d 000a cfc3 ! 
4500 0038 809a 0000 ff01 8f31 0303 0303 0202 0202 0b00 b547 0000 0000 4500 0028 4703 4000 0111 ef89 0202 0202 0404 0404 afc9 829e 0014 1d4f ------------------------------- diff -crN ip_fil3.4.31/test/expected/ni2 ip_fil3.4.32/test/expected/ni2 *** ip_fil3.4.31/test/expected/ni2 Fri Apr 26 20:25:10 2002 --- ip_fil3.4.32/test/expected/ni2 Tue Jun 10 23:26:30 2003 *************** *** 6,10 **** 4510 002e bd1e 4000 3e06 ea0a 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a55 5018 4470 1c98 0000 0000 0000 0d0a 4500 0048 e383 4000 7e06 839b c0a8 0133 0a01 0201 0077 05f6 fbdf 1a55 a664 248c 5018 2232 d80a 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 4500 05dc e483 4000 7e06 7d07 c0a8 0133 0a01 0201 0077 05f6 fbdf 1a75 a664 248c 5010 2232 9f2d 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 
3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3331 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ! 4500 0038 d71d 4000 4001 f0be 0101 0101 c0a8 0133 0304 348b 0000 05a0 4500 05dc e483 4000 7e06 8707 c0a8 0133 0101 0101 0077 9c40 fbdf 1a75 ------------------------------- --- 6,10 ---- 4510 002e bd1e 4000 3e06 ea0a 0101 0101 c0a8 0133 9c40 0077 a664 2486 fbdf 1a55 5018 4470 1c98 0000 0000 0000 0d0a 4500 0048 e383 4000 7e06 839b c0a8 0133 0a01 0201 0077 05f6 fbdf 1a55 a664 248c 5018 2232 d80a 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 4500 05dc e483 4000 7e06 7d07 c0a8 0133 0a01 0201 0077 05f6 fbdf 1a75 a664 248c 5010 2232 9f2d 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 
2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3331 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 1111 2222 3333 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 ! 4500 0038 d71d 4000 4001 f0be 0101 0101 c0a8 0133 0304 488b 0000 05a0 4500 05dc e483 4000 7e06 8707 c0a8 0133 0101 0101 0077 9c40 fbdf 1a75 ------------------------------- diff -crN ip_fil3.4.31/test/expected/ni3 ip_fil3.4.32/test/expected/ni3 *** ip_fil3.4.31/test/expected/ni3 Thu Jun 6 21:18:27 2002 --- ip_fil3.4.32/test/expected/ni3 Tue Jun 10 23:26:30 2003 *************** *** 1,4 **** 4500 003c 4706 4000 ff06 28aa 0606 0606 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 ! 4500 0038 809a 0000 ff01 3323 0303 0303 0202 0202 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 ! 4500 0058 809a 0000 ff01 3303 0303 0303 0202 0202 0303 0937 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 ------------------------------- --- 1,4 ---- 4500 003c 4706 4000 ff06 28aa 0606 0606 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d0da 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300 ! 4500 0038 809a 0000 ff01 3323 0303 0303 0202 0202 0303 bcbb 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 ! 
4500 0058 809a 0000 ff01 3303 0303 0303 0202 0202 0303 1947 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-------------------------------
diff -crN ip_fil3.4.31/test/expected/ni4 ip_fil3.4.32/test/expected/ni4
*** ip_fil3.4.31/test/expected/ni4 Fri Apr 26 20:25:10 2002
--- ip_fil3.4.32/test/expected/ni4 Tue Jun 10 23:26:30 2003
***************
*** 1,4 ****
4500 003c 4706 4000 ff06 28aa 0606 0606 0404 0404 9c40 0050 0000 0001 0000 0000 a002 16d0 849a 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
! 4500 0038 809a 0000 ff01 3323 0303 0303 0202 0202 0303 acab 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001
! 4500 0058 809a 0000 ff01 3303 0303 0303 0202 0202 0303 0937 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-------------------------------
--- 1,4 ----
4500 003c 4706 4000 ff06 28aa 0606 0606 0404 0404 9c40 0050 0000 0001 0000 0000 a002 16d0 849a 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
! 4500 0038 809a 0000 ff01 3323 0303 0303 0202 0202 0303 bcbb 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001
! 
4500 0058 809a 0000 ff01 3303 0303 0303 0202 0202 0303 1947 0000 0000 4500 003c 4706 4000 ff06 28aa 0202 0202 0404 0404 5000 0050 0000 0001 0000 0000 a002 16d0 d8e2 0000 0204 05b4 0402 080a 0047 fbb0 0000 0000 0103 0300
-------------------------------
diff -crN ip_fil3.4.31/test/regress/i11 ip_fil3.4.32/test/regress/i11
*** ip_fil3.4.31/test/regress/i11 Fri Jan 10 02:14:57 1997
--- ip_fil3.4.32/test/regress/i11 Tue Apr 15 10:02:23 2003
***************
*** 2,4 ****
--- 2,5 ----
block in log first on lo0 proto tcp/udp from any to any keep state
pass in proto udp from localhost to localhost port = 2049 keep frags
pass in proto udp from localhost to localhost port = 53 keep state keep frags
+ pass in proto tcp from any port gt 1024 to localhost port eq 25 keep state
diff -crN ip_fil3.4.31/test/regress/in1 ip_fil3.4.32/test/regress/in1
*** ip_fil3.4.31/test/regress/in1 Thu Apr 25 02:43:48 2002
--- ip_fil3.4.32/test/regress/in1 Wed Jan 22 02:22:17 2003
***************
*** 22,24 ****
--- 22,25 ----
map le0 0/0 -> 0/32 frag age 10
map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45 frag age 10/20
map ppp0 192.168.0.0/16 -> 0/32 portmap tcp 10000:19999 frag age 30
+ map fxp0 from 192.168.0.0/18 to 0/0 port = 21 -> 1.2.3.4/32 proxy port 21 ftp/tcp