diff -c -r ip_fil4.1.15/HISTORY ip_fil4.1.16/HISTORY *** ip_fil4.1.15/HISTORY Thu Nov 2 08:41:36 2006 --- ip_fil4.1.16/HISTORY Tue Dec 19 04:07:40 2006 *************** *** 10,15 **** --- 10,40 ---- # and especially those who have found the time to port IP Filter to new # platforms. # + 4.1.16 - Released 20 December 2006 + + allow rdr rules to only differ on the new port number + + when creating state entry orphans, leave them on the linked list but not + attached to the hash table and mark them visible as orphans in "ipfstat -sl" + + log state removed when unloading differently to allow visible cues + + return ipf ticks via SIOCGETGS for /dev/ipnat so "ipnat -l" can display ttl + + abort logging a packet if the mbuf pointer is null when ipflog is called + + Some NetBSD's have a selinfo.h instead of select.h + + SIOCIPFFL was using copyoutptr and should have been using bcopy for /dev/ipauth + + listing accounting rules using ioctl interface wasn't possible + + fix leakage of state entries due to packets not matching up with NAT + + improve ICMP error packet matching with state/NAT + + fix problems with parsing and printing "-" as an interface name in ipnat.conf + 4.1.15 - Released 03 November 2006 Add in automatic flushing of NAT, like state, table if it fills up too much diff -c -r ip_fil4.1.15/HPUX/ipf.psf.dist ip_fil4.1.16/HPUX/ipf.psf.dist *** ip_fil4.1.15/HPUX/ipf.psf.dist Wed Nov 1 20:03:18 2006 --- ip_fil4.1.16/HPUX/ipf.psf.dist Tue Dec 19 04:07:40 2006 *************** *** 6,12 **** # # Description: PSF for IP FIlter 4.2 # ! # $Id: ipf.psf.dist,v 1.1.2.17 2006/11/01 09:03:18 darrenr Exp $ # The vendor definition here applies to all subsequently defined products. --- 6,12 ---- # # Description: PSF for IP FIlter 4.2 # ! # $Id: ipf.psf.dist,v 1.1.2.18 2006/12/18 17:07:40 darrenr Exp $ # The vendor definition here applies to all subsequently defined products. *************** *** 26,32 **** tag IPF title IP Filter 4.2 description Firewall/NAT ! 
revision A.04.01.15 architecture HP-UX_HPREV_32/64 machine_type 9000/[678]??:* os_name HP-UX --- 26,32 ---- tag IPF title IP Filter 4.2 description Firewall/NAT ! revision A.04.01.16 architecture HP-UX_HPREV_32/64 machine_type 9000/[678]??:* os_name HP-UX *************** *** 37,43 **** is_reference false vendor_tag IPFilter hp_srdo swtype=O;user=B;bundle_type=O ! contents IPF-RUN,r=A.04.01.15,a=HP-UX_HPREV_32/64,v=IPFilter end # bundle IPF # Product definition(s): --- 37,43 ---- is_reference false vendor_tag IPFilter hp_srdo swtype=O;user=B;bundle_type=O ! contents IPF-RUN,r=A.04.01.16,a=HP-UX_HPREV_32/64,v=IPFilter end # bundle IPF # Product definition(s): *************** *** 46,52 **** title IP Filter 4.2 description Firewall/NAT copyright < ../../SunOS5/copyright ! revision A.04.01.15 architecture HP-UX_HPREV_32/64 machine_type 9000/[678]??:* os_name HP-UX --- 46,52 ---- title IP Filter 4.2 description Firewall/NAT copyright < ../../SunOS5/copyright ! revision A.04.01.16 architecture HP-UX_HPREV_32/64 machine_type 9000/[678]??:* os_name HP-UX *************** *** 70,76 **** tag IPF-ALL title IP Filter 4.2 : IPF-ALL description < ../IPF-ALL/description ! revision A.04.01.15 architecture HP-UX_HPREV_32/64 machine_type 9000/[678]??:* os_name HP-UX --- 70,76 ---- tag IPF-ALL title IP Filter 4.2 : IPF-ALL description < ../IPF-ALL/description ! revision A.04.01.16 architecture HP-UX_HPREV_32/64 machine_type 9000/[678]??:* os_name HP-UX diff -c -r ip_fil4.1.15/Linux/ipfilter.spec.dist ip_fil4.1.16/Linux/ipfilter.spec.dist *** ip_fil4.1.15/Linux/ipfilter.spec.dist Wed Nov 1 20:03:18 2006 --- ip_fil4.1.16/Linux/ipfilter.spec.dist Tue Dec 19 04:07:40 2006 *************** *** 1,6 **** Summary: IP Filter Software Name: ipfilter ! Version: 4.1.15 Release: 1 Copyright: Copyright 2006 Darren Reed Group: System Environment/Base --- 1,6 ---- Summary: IP Filter Software Name: ipfilter ! 
Version: 4.1.16 Release: 1 Copyright: Copyright 2006 Darren Reed Group: System Environment/Base diff -c -r ip_fil4.1.15/SunOS5/pkginfo ip_fil4.1.16/SunOS5/pkginfo *** ip_fil4.1.15/SunOS5/pkginfo Wed Nov 1 20:03:18 2006 --- ip_fil4.1.16/SunOS5/pkginfo Tue Dec 19 04:07:40 2006 *************** *** 5,11 **** PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=4.1.15 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed --- 5,11 ---- PKG=ipf NAME=IP Filter ARCH=ARCH_updated_by_sed_when_package_is_built ! VERSION=4.1.16 CATEGORY=system DESC=This package contains tools for building a firewall VENDOR=Darren Reed diff -c -r ip_fil4.1.15/fil.c ip_fil4.1.16/fil.c *** ip_fil4.1.15/fil.c Sat Oct 28 16:56:02 2006 --- ip_fil4.1.16/fil.c Mon Dec 18 16:00:05 2006 *************** *** 144,150 **** #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.88 2006/10/28 06:56:02 darrenr Exp $"; #endif #ifndef _KERNEL --- 144,150 ---- #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: fil.c,v 2.243.2.93 2006/12/18 05:00:05 darrenr Exp $"; #endif #ifndef _KERNEL *************** *** 712,717 **** --- 712,718 ---- if (fin->fin_dlen > 1) { icmp6 = fin->fin_dp; + ip6_t *ip6; fin->fin_data[0] = *(u_short *)icmp6; *************** *** 725,736 **** case ICMP6_PACKET_TOO_BIG : case ICMP6_TIME_EXCEEDED : case ICMP6_PARAM_PROB : if ((fin->fin_m != NULL) && (M_LEN(fin->fin_m) < fin->fin_plen)) { if (fr_coalesce(fin) != 1) return; } ! fin->fin_flx |= FI_ICMPERR; minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t); break; default : --- 726,751 ---- case ICMP6_PACKET_TOO_BIG : case ICMP6_TIME_EXCEEDED : case ICMP6_PARAM_PROB : + fin->fin_flx |= FI_ICMPERR; if ((fin->fin_m != NULL) && (M_LEN(fin->fin_m) < fin->fin_plen)) { if (fr_coalesce(fin) != 1) return; } ! 
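Review bot: `ip6_t *ip6;` is declared after the statement `icmp6 = fin->fin_dp;` inside the `if (fin->fin_dlen > 1)` block, which is a mixed declaration that C89 compilers reject, and the K&R-style definitions elsewhere in this diff suggest such compilers are still a target. Move the declaration above the assignment, or up to the function's other locals. The enclosing function starts and ends outside the hunk.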
! if (frpr_pullup(fin, ICMP6ERR_MINPKTLEN) == -1) ! return; ! ! /* ! * If the destination of this packet doesn't match the ! * source of the original packet then this packet is ! * not correct. ! */ ! ip6 = (ip6_t *)((char *)icmp6 + ICMPERR_ICMPHLEN); ! if (IP6_NEQ(&fin->fin_fi.fi_dst, ! (i6addr_t *)&ip6->ip6_src)) ! fin->fin_flx |= FI_BAD; ! minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t); break; default : *************** *** 1000,1005 **** --- 1015,1036 ---- oip = (ip_t *)((char *)fin->fin_dp + ICMPERR_ICMPHLEN); if ((ntohs(oip->ip_off) & IP_OFFMASK) != 0) fin->fin_flx |= FI_BAD; + + /* + * If the destination of this packet doesn't match the + * source of the original packet then this packet is + * not correct. + */ + if (oip->ip_src.s_addr != fin->fin_daddr) + fin->fin_flx |= FI_BAD; + + /* + * If the destination of this packet doesn't match the + * source of the original packet then this packet is + * not correct. + */ + if (oip->ip_src.s_addr != fin->fin_daddr) + fin->fin_flx |= FI_BAD; break; default : break; *************** *** 2475,2482 **** fr = fr_checkauth(fin, &pass); if (!out) { if (fr_checknatin(fin, &pass) == -1) { ! RWLOCK_EXIT(&ipf_mutex); ! goto finished; } } if (!out) --- 2506,2512 ---- fr = fr_checkauth(fin, &pass); if (!out) { if (fr_checknatin(fin, &pass) == -1) { ! goto filterdone; } } if (!out) *************** *** 2518,2525 **** (void) fr_acctpkt(fin, NULL); if (fr_checknatout(fin, &pass) == -1) { ! RWLOCK_EXIT(&ipf_mutex); ! goto finished; } else if ((fr_update_ipid != 0) && (v == 4)) { if (fr_updateipid(fin) == -1) { ATOMIC_INCL(frstats[1].fr_ipud); --- 2548,2554 ---- (void) fr_acctpkt(fin, NULL); if (fr_checknatout(fin, &pass) == -1) { ! 
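Review bot: `ip6 = (ip6_t *)((char *)icmp6 + ICMPERR_ICMPHLEN)` uses the `icmp6` pointer taken from `fin->fin_dp` before both `fr_coalesce()` and the new `frpr_pullup(fin, ICMP6ERR_MINPKTLEN)` call; if either of those relocates the packet data (not visible here), the pointer is stale when the inner header is read. Re-reading it after the pull-up, `icmp6 = fin->fin_dp;`, keeps the source-address check on the current buffer. A short comment on why the ICMPv4-named `ICMPERR_ICMPHLEN` is the right offset here, when the surrounding code uses `ICMP6ERR_*` names, would also help. The enclosing function starts and ends outside the hunk.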
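Review bot: The added `if (oip->ip_src.s_addr != fin->fin_daddr) fin->fin_flx |= FI_BAD;` check, together with its comment block, appears twice back to back in the `--- 1015,1036 ----` hunk; the second copy is a verbatim duplicate and should be dropped. The enclosing function starts and ends outside the hunk.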
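Review bot: The replaced `RWLOCK_EXIT(&ipf_mutex); goto finished;` path released the filter lock before leaving, while the new `goto filterdone;` jumps to a label placed just before the logging and state/NAT dereference code; whether `ipf_mutex` is still released after that point is outside the hunk, so confirm the label sits ahead of the existing unlock. The same substitution is made in the fr_checknatout hunk (`--- 2548,2554 ----`). A one-line comment at the jump, `/* NAT failed: still log and release state/NAT refs before exit */`, would record the intent behind the change. The enclosing function starts and ends outside the hunk.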
; } else if ((fr_update_ipid != 0) && (v == 4)) { if (fr_updateipid(fin) == -1) { ATOMIC_INCL(frstats[1].fr_ipud); *************** *** 2531,2536 **** --- 2560,2566 ---- } } + filterdone: #ifdef IPFILTER_LOG if ((fr_flags & FF_LOGGING) || (pass & FR_LOGMASK)) { (void) fr_dolog(fin, &pass); *************** *** 2539,2550 **** if (fin->fin_state != NULL) { fr_statederef((ipstate_t **)&fin->fin_state); - fin->fin_state = NULL; } if (fin->fin_nat != NULL) { fr_natderef((nat_t **)&fin->fin_nat); - fin->fin_nat = NULL; } /* --- 2569,2578 ---- *************** *** 3082,3088 **** * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.243.2.88 2006/10/28 06:56:02 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, --- 3110,3116 ---- * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 ! * $Id: fil.c,v 2.243.2.93 2006/12/18 05:00:05 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, *************** *** 6642,6649 **** int ipf_getnextrule(ipftoken_t *t, void *ptr) { frentry_t *fr, *next, zero; ipfruleiter_t it; - int error, count; frgroup_t *fg; char *dst; --- 6670,6677 ---- int ipf_getnextrule(ipftoken_t *t, void *ptr) { frentry_t *fr, *next, zero; + int error, count, out; ipfruleiter_t it; frgroup_t *fg; char *dst; *************** *** 6652,6658 **** error = fr_inobj(ptr, &it, IPFOBJ_IPFITER); if (error != 0) return error; ! if ((it.iri_inout != 0) && (it.iri_inout != 1)) return EINVAL; if ((it.iri_active != 0) && (it.iri_active != 1)) return EINVAL; --- 6680,6686 ---- error = fr_inobj(ptr, &it, IPFOBJ_IPFITER); if (error != 0) return error; ! if ((it.iri_inout < 0) || (it.iri_inout > 3)) return EINVAL; if ((it.iri_active != 0) && (it.iri_active != 1)) return EINVAL; *************** *** 6661,6674 **** if (it.iri_rule == NULL) return EFAULT; fr = t->ipt_data; READ_ENTER(&ipf_mutex); if (fr == NULL) { if (*it.iri_group == '\0') { ! if (it.iri_v == 4) ! 
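Review bot: Dropping `fin->fin_state = NULL;` is safe because `fr_statederef()` (ip_state.c, later in this diff) assigns `*isp = NULL` itself, but the matching removal of `fin->fin_nat = NULL;` relies on `fr_natderef()` doing the same through its `nat_t **` argument, which is not visible here. Confirm that before merging; otherwise `fin_nat` is left dangling after the reference is released. The enclosing function starts and ends outside the hunk.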
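Review bot: The new range check `if ((it.iri_inout < 0) || (it.iri_inout > 3))` guards a value that arrives from user space via `fr_inobj()` and is afterwards used as an array index, so it should be written against the symbols that define the valid set rather than literals: `if ((it.iri_inout < F_IN) || (it.iri_inout > F_ACOUT))`. That keeps the bound in step with the `F_*` definitions this diff adds to ip_fil.h if more values are added later.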
next = ipfilter[it.iri_inout][it.iri_active]; ! else ! next = ipfilter6[it.iri_inout][it.iri_active]; } else { fg = fr_findgroup(it.iri_group, IPL_LOGIPF, it.iri_active, NULL); --- 6689,6710 ---- if (it.iri_rule == NULL) return EFAULT; + out = it.iri_inout & F_OUT; fr = t->ipt_data; READ_ENTER(&ipf_mutex); if (fr == NULL) { if (*it.iri_group == '\0') { ! if ((it.iri_inout & F_ACIN) != 0) { ! if (it.iri_v == 4) ! next = ipacct[out][it.iri_active]; ! else ! next = ipacct6[out][it.iri_active]; ! } else { ! if (it.iri_v == 4) ! next = ipfilter[out][it.iri_active]; ! else ! next = ipfilter6[out][it.iri_active]; ! } } else { fg = fr_findgroup(it.iri_group, IPL_LOGIPF, it.iri_active, NULL); *************** *** 6805,6810 **** --- 6841,6847 ---- /* ------------------------------------------------------------------------ */ int ipf_genericiter(data, uid, ctx) void *data, *ctx; + int uid; { ipftoken_t *token; ipfgeniter_t iter; *************** *** 6939,6946 **** else { WRITE_ENTER(&ipf_mutex); bzero((char *)frcache, sizeof(frcache[0]) * 2); ! error = COPYOUT((caddr_t)&fr_active, (caddr_t)data, ! sizeof(fr_active)); if (error != 0) error = EFAULT; else --- 6976,6983 ---- else { WRITE_ENTER(&ipf_mutex); bzero((char *)frcache, sizeof(frcache[0]) * 2); ! error = BCOPYOUT((caddr_t)&fr_active, (caddr_t)data, ! sizeof(fr_active)); if (error != 0) error = EFAULT; else diff -c -r ip_fil4.1.15/ip_auth.c ip_fil4.1.16/ip_auth.c *** ip_fil4.1.15/ip_auth.c Thu Oct 26 12:52:29 2006 --- ip_fil4.1.16/ip_auth.c Sun Dec 17 04:12:56 2006 *************** *** 117,123 **** /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.16 2006/10/26 02:52:29 darrenr Exp $"; #endif --- 117,123 ---- /* END OF INCLUDES */ #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.73.2.18 2006/12/16 17:12:56 darrenr Exp $"; #endif *************** *** 456,462 **** i = fr_authflush(); RWLOCK_EXIT(&ipf_auth); SPL_X(s); ! 
error = copyoutptr((char *)&i, data, sizeof(i)); break; case SIOCAUTHW: --- 456,464 ---- i = fr_authflush(); RWLOCK_EXIT(&ipf_auth); SPL_X(s); ! error = BCOPYOUT((char *)&i, data, sizeof(i)); ! if (error != 0) ! error = EFAULT; break; case SIOCAUTHW: *************** *** 931,937 **** READ_ENTER(&ipf_global); if (error == 0) goto fr_authioctlloop; ! return 0; } --- 933,939 ---- READ_ENTER(&ipf_global); if (error == 0) goto fr_authioctlloop; ! return error; } diff -c -r ip_fil4.1.15/ip_fil.h ip_fil4.1.16/ip_fil.h *** ip_fil4.1.15/ip_fil.h Sat Oct 28 16:56:02 2006 --- ip_fil4.1.16/ip_fil.h Sun Dec 17 04:16:25 2006 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.170.2.35 2006/10/28 06:56:02 darrenr Exp $ */ #ifndef __IP_FIL_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_fil.h 1.35 6/5/96 ! * $Id: ip_fil.h,v 2.170.2.38 2006/12/16 17:16:25 darrenr Exp $ */ #ifndef __IP_FIL_H__ *************** *** 357,364 **** #define fin_dport fin_dat.fid_16[1] #define fin_ports fin_dat.fid_32 ! #define IPF_IN 0 ! #define IPF_OUT 1 typedef struct frentry *(*ipfunc_t) __P((fr_info_t *, u_32_t *)); typedef int (*ipfuncinit_t) __P((struct frentry *)); --- 357,364 ---- #define fin_dport fin_dat.fid_16[1] #define fin_ports fin_dat.fid_32 ! #define IPF_IN 0 ! #define IPF_OUT 1 typedef struct frentry *(*ipfunc_t) __P((fr_info_t *, u_32_t *)); typedef int (*ipfuncinit_t) __P((struct frentry *)); *************** *** 500,505 **** --- 500,512 ---- int fr_ref; /* reference count - for grouping */ int fr_statecnt; /* state count - for limit rules */ /* + * The line number from a file is here because we need to be able to + * match the rule generated with ``grep rule ipf.conf | ipf -rf -'' + * with the rule loaded using ``ipf -f ipf.conf'' - thus it can't be + * on the other side of fr_func. 
+ */ + int fr_flineno; /* line number from conf file */ + /* * These are only incremented when a packet matches this rule and * it is the last match */ *************** *** 526,532 **** int fr_dsize; int fr_pps; int fr_statemax; /* max reference count */ - int fr_flineno; /* line number from conf file */ u_32_t fr_type; u_32_t fr_flags; /* per-rule flags && options (see below) */ u_32_t fr_logtag; /* user defined log tag # */ --- 533,538 ---- *************** *** 1160,1165 **** --- 1166,1180 ---- frentry_t *iri_rule; } ipfruleiter_t; + /* + * Values for iri_inout + */ + #define F_IN 0 + #define F_OUT 1 + #define F_ACIN 2 + #define F_ACOUT 3 + + typedef struct ipfgeniter { int igi_type; int igi_nitems; *************** *** 1258,1264 **** extern int bcopywrap __P((void *, void *, size_t)); #else /* #ifndef _KERNEL */ # ifdef BSD ! # include extern struct selinfo ipfselwait[IPL_LOGSIZE]; # endif # if defined(__NetBSD__) && defined(PFIL_HOOKS) --- 1273,1283 ---- extern int bcopywrap __P((void *, void *, size_t)); #else /* #ifndef _KERNEL */ # ifdef BSD ! # if defined(__NetBSD__) && (__NetBSD_Version__ < 399000000) ! # include ! # else ! # include ! # endif extern struct selinfo ipfselwait[IPL_LOGSIZE]; # endif # if defined(__NetBSD__) && defined(PFIL_HOOKS) diff -c -r ip_fil4.1.15/ip_h323_pxy.c ip_fil4.1.16/ip_h323_pxy.c *** ip_fil4.1.15/ip_h323_pxy.c Fri Jul 14 16:12:13 2006 --- ip_fil4.1.16/ip_h323_pxy.c Mon Dec 18 16:00:57 2006 *************** *** 267,272 **** --- 267,274 ---- udp.uh_sport = port; bcopy((caddr_t)fin, (caddr_t)&fi, sizeof(fi)); + fi.fin_state = NULL; + fi.fin_nat = NULL; fi.fin_fi.fi_p = IPPROTO_UDP; fi.fin_data[0] = port; fi.fin_data[1] = 0; diff -c -r ip_fil4.1.15/ip_log.c ip_fil4.1.16/ip_log.c *** ip_fil4.1.15/ip_log.c Sat Oct 28 16:56:03 2006 --- ip_fil4.1.16/ip_log.c Mon Dec 18 15:57:29 2006 *************** *** 3,9 **** * * See the IPFILTER.LICENCE file for details on licencing. * ! 
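Review bot: `F_IN 0` and `F_OUT 1` duplicate `IPF_IN 0` and `IPF_OUT 1`, which this same header already defines (see the `--- 357,364 ----` hunk above), and the bare `F_` prefix is the one `<fcntl.h>` uses for its own constants. Defining the new names in terms of the existing ones, `#define F_IN IPF_IN` / `#define F_OUT IPF_OUT`, or giving all four an `IRI_` prefix, avoids two sources of truth for the same index values.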
* $Id: ip_log.c,v 2.75.2.12 2006/10/28 06:56:03 darrenr Exp $ */ #include #if defined(KERNEL) || defined(_KERNEL) --- 3,9 ---- * * See the IPFILTER.LICENCE file for details on licencing. * ! * $Id: ip_log.c,v 2.75.2.13 2006/12/18 04:57:29 darrenr Exp $ */ #include #if defined(KERNEL) || defined(_KERNEL) *************** *** 263,270 **** struct ifnet *ifp; # endif /* SOLARIS || __hpux */ - ipfl.fl_nattag.ipt_num[0] = 0; m = fin->fin_m; ifp = fin->fin_ifp; hlen = fin->fin_hlen; /* --- 263,273 ---- struct ifnet *ifp; # endif /* SOLARIS || __hpux */ m = fin->fin_m; + if (m == NULL) + return -1; + + ipfl.fl_nattag.ipt_num[0] = 0; ifp = fin->fin_ifp; hlen = fin->fin_hlen; /* diff -c -r ip_fil4.1.15/ip_nat.c ip_fil4.1.16/ip_nat.c *** ip_fil4.1.15/ip_nat.c Sat Oct 28 16:56:03 2006 --- ip_fil4.1.16/ip_nat.c Tue Dec 19 04:04:33 2006 *************** *** 111,117 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.195.2.66 2006/10/28 06:56:03 darrenr Exp $"; #endif --- 111,117 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.195.2.69 2006/12/18 17:04:33 darrenr Exp $"; #endif *************** *** 690,698 **** } MUTEX_ENTER(&ipf_natio); for (np = &nat_list; ((n = *np) != NULL); np = &n->in_next) ! if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags, ! IPN_CMPSIZ)) break; } switch (cmd) --- 690,702 ---- } MUTEX_ENTER(&ipf_natio); for (np = &nat_list; ((n = *np) != NULL); np = &n->in_next) ! if (bcmp((char *)&nat->in_flags, (char *)&n->in_flags, ! IPN_CMPSIZ) == 0) { ! if (nat->in_redir == NAT_REDIRECT && ! nat->in_pnext != n->in_pnext) ! 
continue; break; + } } switch (cmd) *************** *** 804,809 **** --- 808,814 ---- nat_stats.ns_hostmap_sz = ipf_hostmap_sz; nat_stats.ns_instances = nat_instances; nat_stats.ns_apslist = ap_sess_list; + nat_stats.ns_ticks = fr_ticks; error = fr_outobj(data, &nat_stats, IPFOBJ_NATSTAT); break; *************** *** 2070,2079 **** natinfo_t *ni; { u_short nport, dport, sport; ! struct in_addr in; hostmap_t *hm; u_32_t flags; ipnat_t *np; int move; move = 1; --- 2075,2086 ---- natinfo_t *ni; { u_short nport, dport, sport; ! struct in_addr in, inb; ! u_short sp, dp; hostmap_t *hm; u_32_t flags; ipnat_t *np; + nat_t *natl; int move; move = 1; *************** *** 2183,2188 **** --- 2190,2212 ---- in.s_addr = ntohl(fin->fin_daddr); } + /* + * Check to see if this redirect mapping already exists and if + * it does, return "failure" (allowing it to be created will just + * cause one or both of these "connections" to stop working.) + */ + inb.s_addr = htonl(in.s_addr); + sp = fin->fin_data[0]; + dp = fin->fin_data[1]; + fin->fin_data[1] = fin->fin_data[0]; + fin->fin_data[0] = ntohs(nport); + natl = nat_outlookup(fin, flags & ~(SI_WILDP|NAT_SEARCH), + (u_int)fin->fin_p, inb, fin->fin_src); + fin->fin_data[0] = sp; + fin->fin_data[1] = dp; + if (natl != NULL) + return -1; + nat->nat_inip.s_addr = htonl(in.s_addr); nat->nat_outip = fin->fin_dst; nat->nat_oip = fin->fin_src; diff -c -r ip_fil4.1.15/ip_nat.h ip_fil4.1.16/ip_nat.h *** ip_fil4.1.15/ip_nat.h Sat Oct 28 16:56:03 2006 --- ip_fil4.1.16/ip_nat.h Wed Dec 13 03:12:58 2006 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 ! * $Id: ip_nat.h,v 2.90.2.14 2006/10/28 06:56:03 darrenr Exp $ */ #ifndef __IP_NAT_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 ! 
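Review bot: The new duplicate-mapping check returns -1 after `nat_newrdr` may already have acquired other resources earlier in the function (the host map `hm`, declared in the `--- 2075,2086 ----` hunk, is the obvious candidate); that earlier code is outside the hunk, so confirm the caller releases whatever was taken on this failure path. The temporary swap of `fin->fin_data[0]`/`[1]` around `nat_outlookup()` is restored before the result is tested, which is right, but a comment such as `/* look up the reverse mapping: rdr target -> client */` would make the swapped arguments less surprising. The enclosing function starts and ends outside the hunk.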
* $Id: ip_nat.h,v 2.90.2.15 2006/12/12 16:12:58 darrenr Exp $ */ #ifndef __IP_NAT_H__ *************** *** 357,362 **** --- 357,363 ---- nat_t *ns_instances; hostmap_t *ns_maplist; u_long *ns_bucketlen[2]; + u_long ns_ticks; } natstat_t; typedef struct natlog { diff -c -r ip_fil4.1.15/ip_rpcb_pxy.c ip_fil4.1.16/ip_rpcb_pxy.c *** ip_fil4.1.15/ip_rpcb_pxy.c Fri Jul 14 16:12:18 2006 --- ip_fil4.1.16/ip_rpcb_pxy.c Mon Dec 18 16:00:57 2006 *************** *** 37,43 **** * o The enclosed hack of STREAMS support is pretty sick and most likely * broken. * ! * $Id: ip_rpcb_pxy.c,v 2.25.2.4 2006/07/14 06:12:18 darrenr Exp $ */ #define IPF_RPCB_PROXY --- 37,43 ---- * o The enclosed hack of STREAMS support is pretty sick and most likely * broken. * ! * $Id: ip_rpcb_pxy.c,v 2.25.2.5 2006/12/18 05:00:57 darrenr Exp $ */ #define IPF_RPCB_PROXY *************** *** 1156,1161 **** --- 1156,1163 ---- /* Generate dummy fr_info */ bcopy((char *)fin, (char *)&fi, sizeof(fi)); + fi.fin_state = NULL; + fi.fin_nat = NULL; fi.fin_out = 0; fi.fin_src = fin->fin_dst; fi.fin_dst = nat->nat_outip; diff -c -r ip_fil4.1.15/ip_state.c ip_fil4.1.16/ip_state.c *** ip_fil4.1.15/ip_state.c Sat Oct 28 16:56:03 2006 --- ip_fil4.1.16/ip_state.c Tue Dec 19 02:53:40 2006 *************** *** 111,117 **** #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.49 2006/10/28 06:56:03 darrenr Exp $"; #endif static ipstate_t **ips_table = NULL; --- 111,117 ---- #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.186.2.50 2006/12/18 15:53:40 darrenr Exp $"; #endif static ipstate_t **ips_table = NULL; *************** *** 128,134 **** static ipstate_t *fr_checkicmpmatchingstate __P((fr_info_t *)); static int fr_state_flush __P((int, int)); static ips_stat_t *fr_statetstats __P((void)); ! 
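Review bot: Appending `u_long ns_ticks` to `natstat_t` changes the size of the object copied out by `fr_outobj(data, &nat_stats, IPFOBJ_NATSTAT)` in the ip_nat.c hunk above; the size table `fr_outobj()` validates against is not part of this diff, so confirm it is updated too, otherwise an ipnat built against the new header gets a size mismatch or a short copy. A comment on the field, `u_long ns_ticks; /* current fr_ticks, so ipnat -l can show ttl */`, would match the style of the neighbouring members.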
static void fr_delstate __P((ipstate_t *, int)); static int fr_state_remove __P((caddr_t)); static void fr_ipsmove __P((ipstate_t *, u_int)); static int fr_tcpstate __P((fr_info_t *, tcphdr_t *, ipstate_t *)); --- 128,134 ---- static ipstate_t *fr_checkicmpmatchingstate __P((fr_info_t *)); static int fr_state_flush __P((int, int)); static ips_stat_t *fr_statetstats __P((void)); ! static int fr_delstate __P((ipstate_t *, int)); static int fr_state_remove __P((caddr_t)); static void fr_ipsmove __P((ipstate_t *, u_int)); static int fr_tcpstate __P((fr_info_t *, tcphdr_t *, ipstate_t *)); *************** *** 301,307 **** ipstate_t *is; while ((is = ips_list) != NULL) ! fr_delstate(is, 0); /* * Proxy timeout queues are not cleaned here because although they --- 301,307 ---- ipstate_t *is; while ((is = ips_list) != NULL) ! fr_delstate(is, ISL_UNLOAD); /* * Proxy timeout queues are not cleaned here because although they *************** *** 2692,2699 **** fin->fin_rule = is->is_rulen; pass = is->is_pass; fr_updatestate(fin, is, ifq); - if (fin->fin_out == 1) - fin->fin_nat = is->is_nat[fin->fin_rev]; fin->fin_state = is; is->is_touched = fr_ticks; --- 2692,2697 ---- *************** *** 2838,2844 **** /* and timeout queue lists. Make adjustments to hash table statistics and */ /* global counters as required. */ /* ------------------------------------------------------------------------ */ ! static void fr_delstate(is, why) ipstate_t *is; int why; { --- 2836,2842 ---- /* and timeout queue lists. Make adjustments to hash table statistics and */ /* global counters as required. */ /* ------------------------------------------------------------------------ */ ! static int fr_delstate(is, why) ipstate_t *is; int why; { *************** *** 2849,2864 **** * Since we want to delete this, remove it from the state table, * where it can be found & used, first. 
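Review bot: With `fr_delstate()` now leaving an entry on `ips_list` when its reference count is still positive (it returns `is->is_ref` instead of unlinking, further down in this diff), the unload loop `while ((is = ips_list) != NULL) fr_delstate(is, ISL_UNLOAD);` can no longer make progress if the head entry is still referenced and would spin forever. Either the caller guarantees every reference is gone at unload time, which deserves a comment on this loop, or the loop should advance along `is_next` and stop only once the list is empty of entries it can free. The enclosing function starts outside the hunk.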
*/ - if (is->is_pnext != NULL) { - *is->is_pnext = is->is_next; - - if (is->is_next != NULL) - is->is_next->is_pnext = is->is_pnext; - - is->is_pnext = NULL; - is->is_next = NULL; - } - if (is->is_phnext != NULL) { *is->is_phnext = is->is_hnext; if (is->is_hnext != NULL) --- 2847,2852 ---- *************** *** 2904,2910 **** */ is->is_ref--; if (is->is_ref > 0) ! return; if (is->is_tqehead[0] != NULL) { if (fr_deletetimeoutqueue(is->is_tqehead[0]) == 0) --- 2892,2898 ---- */ is->is_ref--; if (is->is_ref > 0) ! return is->is_ref; if (is->is_tqehead[0] != NULL) { if (fr_deletetimeoutqueue(is->is_tqehead[0]) == 0) *************** *** 2923,2928 **** --- 2911,2929 ---- (void) ipsc_detachis(is); #endif + /* + * Now remove it from the linked list of known states + */ + if (is->is_pnext != NULL) { + *is->is_pnext = is->is_next; + + if (is->is_next != NULL) + is->is_next->is_pnext = is->is_pnext; + + is->is_pnext = NULL; + is->is_next = NULL; + } + if (ipstate_logging != 0 && why != 0) ipstate_log(is, why); *************** *** 2939,2944 **** --- 2940,2947 ---- MUTEX_DESTROY(&is->is_lock); KFREE(is); ips_num--; + + return 0; } *************** *** 3056,3063 **** } if (delete) { ! fr_delstate(is, ISL_FLUSH); ! removed++; } else isp = &is->is_next; } --- 3059,3068 ---- } if (delete) { ! if (fr_delstate(is, ISL_FLUSH) == 0) ! removed++; ! else ! isp = &is->is_next; } else isp = &is->is_next; } *************** *** 3104,3111 **** break; tqn = tqe->tqe_next; is = tqe->tqe_parent; ! fr_delstate(is, ISL_EXPIRE); ! removed++; } } --- 3109,3116 ---- break; tqn = tqe->tqe_next; is = tqe->tqe_parent; ! if (fr_delstate(is, ISL_EXPIRE) == 0) ! removed++; } } *************** *** 3118,3125 **** break; tqn = tqe->tqe_next; is = tqe->tqe_parent; ! fr_delstate(is, ISL_EXPIRE); ! removed++; } } if (try + interval > maxtick) --- 3123,3130 ---- break; tqn = tqe->tqe_next; is = tqe->tqe_parent; ! if (fr_delstate(is, ISL_EXPIRE) == 0) ! 
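Review bot: `fr_delstate()` now returns `is->is_ref` when references remain and `0` after freeing, but the header comment above it (`--- 2836,2842 ----` hunk) still only describes removal from the table and lists. Add the contract there, e.g. `/* Returns 0 when the entry was freed, otherwise the remaining reference count; in that case the entry stays on ips_list but is no longer in the hash table (an orphan). */`, since the flush and expire loops below now branch on that value. The enclosing function starts and ends outside the hunk.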
removed++; } } if (try + interval > maxtick) *************** *** 3840,3846 **** void fr_statederef(isp) ipstate_t **isp; { ! ipstate_t *is = *isp; is = *isp; *isp = NULL; --- 3845,3851 ---- void fr_statederef(isp) ipstate_t **isp; { ! ipstate_t *is; is = *isp; *isp = NULL; diff -c -r ip_fil4.1.15/ip_state.h ip_fil4.1.16/ip_state.h *** ip_fil4.1.15/ip_state.h Fri Jul 14 16:12:19 2006 --- ip_fil4.1.16/ip_state.h Tue Dec 19 02:53:40 2006 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.68.2.6 2006/07/14 06:12:19 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed ! * $Id: ip_state.h,v 2.68.2.7 2006/12/18 15:53:40 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ *************** *** 39,45 **** struct ipstate **is_me; void *is_ifp[4]; void *is_sync; - struct nat *is_nat[2]; frentry_t *is_rule; struct ipftq *is_tqehead[2]; struct ipscan *is_isc; --- 39,44 ---- *************** *** 187,192 **** --- 186,192 ---- #define ISL_INTERMEDIATE 0xfffc #define ISL_KILLED 0xfffb #define ISL_ORPHAN 0xfffa + #define ISL_UNLOAD 0xfff9 typedef struct ips_stat { diff -c -r ip_fil4.1.15/ipf.h ip_fil4.1.16/ipf.h *** ip_fil4.1.15/ipf.h Sat Sep 2 00:07:38 2006 --- ip_fil4.1.16/ipf.h Sun Dec 17 04:16:00 2006 *************** *** 4,10 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipf.h 1.12 6/5/96 ! * $Id: ipf.h,v 2.71.2.11 2006/09/01 14:07:38 darrenr Exp $ */ #ifndef __IPF_H__ --- 4,10 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipf.h 1.12 6/5/96 ! 
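Review bot: Removing `struct nat *is_nat[2]` from `struct ipstate` shifts the offset of every following member, and lib/printstate.c in this diff reads `sp->is_phnext` from an `ipstate_t` handed to it, so any ipfstat built against the old header will misread state entries. The `IPFILTER_VERSION` bump in ipl.h covers ioctl users; confirm nothing reads `ipstate_t` straight out of kernel memory without a version check.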
* $Id: ipf.h,v 2.71.2.12 2006/12/16 17:16:00 darrenr Exp $ */ #ifndef __IPF_H__ *************** *** 281,287 **** extern struct ipstate *printstate __P((struct ipstate *, int, u_long)); extern void printsbuf __P((char *)); extern void printnat __P((struct ipnat *, int)); ! extern void printactivenat __P((struct nat *, int, int)); extern void printhostmap __P((struct hostmap *, u_int)); extern void printpacket __P((struct ip *)); --- 281,287 ---- extern struct ipstate *printstate __P((struct ipstate *, int, u_long)); extern void printsbuf __P((char *)); extern void printnat __P((struct ipnat *, int)); ! extern void printactivenat __P((struct nat *, int, int, u_long)); extern void printhostmap __P((struct hostmap *, u_int)); extern void printpacket __P((struct ip *)); diff -c -r ip_fil4.1.15/ipl.h ip_fil4.1.16/ipl.h *** ip_fil4.1.15/ipl.h Wed Nov 1 20:03:18 2006 --- ip_fil4.1.16/ipl.h Tue Dec 19 04:07:40 2006 *************** *** 4,17 **** * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.52.2.16 2006/11/01 09:03:18 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v4.1.15" ! #define IPFILTER_VERSION 4011500 #endif --- 4,17 ---- * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 ! * $Id: ipl.h,v 2.52.2.17 2006/12/18 17:07:40 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ ! #define IPL_VERSION "IP Filter: v4.1.16" ! #define IPFILTER_VERSION 4011600 #endif diff -c -r ip_fil4.1.15/lib/printactivenat.c ip_fil4.1.16/lib/printactivenat.c *** ip_fil4.1.15/lib/printactivenat.c Fri Jul 14 16:12:25 2006 --- ip_fil4.1.16/lib/printactivenat.c Wed Dec 13 03:13:00 2006 *************** *** 10,22 **** #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: printactivenat.c,v 1.3.2.6 2006/07/14 06:12:25 darrenr Exp $"; #endif ! 
void printactivenat(nat, opts, alive) nat_t *nat; int opts, alive; { printf("%s", getnattype(nat, alive)); --- 10,23 ---- #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: printactivenat.c,v 1.3.2.7 2006/12/12 16:13:00 darrenr Exp $"; #endif ! void printactivenat(nat, opts, alive, now) nat_t *nat; int opts, alive; + u_long now; { printf("%s", getnattype(nat, alive)); *************** *** 40,47 **** printf("]"); if (opts & OPT_VERBOSE) { ! printf("\n\tage %lu use %hu sumd %s/", ! nat->nat_age, nat->nat_use, getsumd(nat->nat_sumd[0])); printf("%s pr %u bkt %d/%d flags %x\n", getsumd(nat->nat_sumd[1]), nat->nat_p, nat->nat_hv[0], nat->nat_hv[1], nat->nat_flags); --- 41,49 ---- printf("]"); if (opts & OPT_VERBOSE) { ! printf("\n\tttl %lu use %hu sumd %s/", ! nat->nat_age - now, nat->nat_use, ! getsumd(nat->nat_sumd[0])); printf("%s pr %u bkt %d/%d flags %x\n", getsumd(nat->nat_sumd[1]), nat->nat_p, nat->nat_hv[0], nat->nat_hv[1], nat->nat_flags); diff -c -r ip_fil4.1.15/lib/printnat.c ip_fil4.1.16/lib/printnat.c *** ip_fil4.1.15/lib/printnat.c Sat Jun 17 03:21:13 2006 --- ip_fil4.1.16/lib/printnat.c Sat Dec 9 21:37:47 2006 *************** *** 11,17 **** #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.12 2006/06/16 17:21:13 darrenr Exp $"; #endif /* --- 11,17 ---- #if !defined(lint) ! static const char rcsid[] = "@(#)$Id: printnat.c,v 1.22.2.13 2006/12/09 10:37:47 darrenr Exp $"; #endif /* *************** *** 46,55 **** break; } ! printf(" %s", np->in_ifnames[0]); if ((np->in_ifnames[1][0] != '\0') && (strncmp(np->in_ifnames[0], np->in_ifnames[1], LIFNAMSIZ) != 0)) { ! printf(",%s", np->in_ifnames[1]); } putchar(' '); --- 46,61 ---- break; } ! if (!strcmp(np->in_ifnames[0], "-")) ! printf(" \"%s\"", np->in_ifnames[0]); ! else ! printf(" %s", np->in_ifnames[0]); if ((np->in_ifnames[1][0] != '\0') && (strncmp(np->in_ifnames[0], np->in_ifnames[1], LIFNAMSIZ) != 0)) { ! if (!strcmp(np->in_ifnames[1], "-")) ! 
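Review bot: `nat->nat_age - now` is an unsigned subtraction, so a session whose `nat_age` has already fallen behind the current tick (expired but not yet reaped) prints as a ttl of about 2^32 or 2^64 instead of 0; clamp it, e.g. `nat->nat_age > now ? nat->nat_age - now : 0UL`. Callers with no tick source pass 0 (ipftest.c in this diff), and then the column labelled `ttl` is really the absolute `nat_age`; a comment on the new parameter, `/* current ipf ticks, or 0 to print nat_age as an absolute value */`, would make that contract explicit. That `nat_age` is an absolute expiry tick rather than a remaining count is my inference from the subtraction; verify against ip_nat.c. The enclosing function starts before this hunk.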
printf(",\"%s\"", np->in_ifnames[1]); ! else ! printf(",%s", np->in_ifnames[1]); } putchar(' '); diff -c -r ip_fil4.1.15/lib/printstate.c ip_fil4.1.16/lib/printstate.c *** ip_fil4.1.15/lib/printstate.c Fri Jul 14 16:12:27 2006 --- ip_fil4.1.16/lib/printstate.c Tue Dec 19 02:30:00 2006 *************** *** 17,22 **** --- 17,24 ---- { synclist_t ipsync; + if (sp->is_phnext == NULL) + PRINTF("ORPHAN "); PRINTF("%s -> ", hostname(sp->is_v, &sp->is_src.in4)); PRINTF("%s pass %#x pr %d state %d/%d bkt %d\n", hostname(sp->is_v, &sp->is_dst.in4), sp->is_pass, sp->is_p, diff -c -r ip_fil4.1.15/test/expected/ipv6.1 ip_fil4.1.16/test/expected/ipv6.1 *** ip_fil4.1.15/test/expected/ipv6.1 Tue Mar 26 01:18:35 2002 --- ip_fil4.1.16/test/expected/ipv6.1 Mon Dec 11 05:47:57 2006 *************** *** 1,3 **** --- 1,4 ---- pass pass + nomatch -------- diff -c -r ip_fil4.1.15/test/expected/n4 ip_fil4.1.16/test/expected/n4 *** ip_fil4.1.15/test/expected/n4 Mon Dec 5 10:42:03 2005 --- ip_fil4.1.16/test/expected/n4 Mon Dec 11 03:03:47 2006 *************** *** 50,57 **** ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53 ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345 ! ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53 ! ip #0 40(20) 6 10.1.1.0,53 > 10.3.3.3,12345 ------------------------------- ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,23 ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12345 --- 50,57 ---- ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53 ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345 ! ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53 ! ip #0 40(20) 6 10.1.1.1,53 > 10.3.3.3,12345 ------------------------------- ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,23 ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12345 *************** *** 61,66 **** ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346 ip #0 28(20) 17 10.3.3.3,12345 > 10.2.2.1,53 ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345 ! 
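Review bot: The quote-if-dash test is written out twice in this hunk, once per interface name, and the next change to which names need quoting (the lexer hunk later in this diff now returns quoted text as a single `YY_STR` token) has to be made in both places. I'd fold it into one static helper, called with the separator, and reduce the two sites to one line each; `printnat()` itself starts before this hunk. That quoting is what makes `ipnat -l` output re-parseable is my reading of the HISTORY entry, not something visible here.
```c
/*
 * Print one interface name with its separator, quoting "-" so that the
 * listing can be read back by the ipnat.conf parser.
 */
static void
printifname(sep, name)
	char *sep, *name;
{
	if (!strcmp(name, "-"))
		printf("%s\"%s\"", sep, name);
	else
		printf("%s%s", sep, name);
}

/* … unchanged: printnat() up to the rule-type switch … */
	printifname(" ", np->in_ifnames[0]);
	if ((np->in_ifnames[1][0] != '\0') &&
	    (strncmp(np->in_ifnames[0], np->in_ifnames[1], LIFNAMSIZ) != 0))
		printifname(",", np->in_ifnames[1]);
```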
ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,53 ! ip #0 40(20) 6 10.1.1.0,53 > 10.3.3.3,12345 ------------------------------- --- 61,66 ---- ip #0 40(20) 6 10.2.2.1,10023 > 10.3.3.3,12346 ip #0 28(20) 17 10.3.3.3,12345 > 10.2.2.1,53 ip #0 28(20) 17 10.2.2.1,10053 > 10.3.3.3,12345 ! ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53 ! ip #0 40(20) 6 10.1.1.1,53 > 10.3.3.3,12345 ------------------------------- diff -c -r ip_fil4.1.15/test/expected/n6 ip_fil4.1.16/test/expected/n6 *** ip_fil4.1.15/test/expected/n6 Mon Dec 5 10:42:04 2005 --- ip_fil4.1.16/test/expected/n6 Mon Dec 11 03:03:47 2006 *************** *** 13,19 **** ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53 ------------------------------- ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023 ! ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023 ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23 ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23 ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023 --- 13,19 ---- ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53 ------------------------------- ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023 ! ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23 ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23 ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23 ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023 *************** *** 27,33 **** ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53 ------------------------------- ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023 ! ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023 ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23 ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23 --- 27,33 ---- ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.0,53 ------------------------------- ip #0 40(20) 6 10.2.2.2,12345 > 10.2.2.1,10023 ! 
ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.2,23 ip #0 40(20) 6 10.3.0.1,12345 > 10.1.2.2,23 ip #0 40(20) 6 10.3.0.1,12345 > 10.2.2.2,23 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,23 *************** *** 48,54 **** ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23 ! ip #0 40(20) 6 10.3.3.3,12345 > 10.2.2.1,10023 ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53 --- 48,54 ---- ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.1,53 ip #0 40(20) 6 10.3.3.3,12345 > 10.1.1.1,53 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.0.0,23 ! ip #0 40(20) 6 10.3.3.3,12345 > 10.1.0.0,23 ip #0 28(20) 17 10.2.2.2,12345 > 10.1.1.0,53 ip #0 28(20) 17 10.3.3.3,12345 > 10.1.1.0,53 ip #0 40(20) 6 10.2.2.2,12345 > 10.1.1.0,53 diff -c -r ip_fil4.1.15/test/input/ipv6.1 ip_fil4.1.16/test/input/ipv6.1 *** ip_fil4.1.15/test/input/ipv6.1 Sat May 22 15:41:31 2004 --- ip_fil4.1.16/test/input/ipv6.1 Mon Dec 11 05:47:57 2006 *************** *** 18,20 **** --- 18,32 ---- f427 0000 0344 0000 0004 f8f1 9d3c ddba 0e00 + [in,gif0] 6000 0000 0048 3a40 + ef00 1001 0880 6cbf 0000 0000 0000 0001 + ef00 1001 2002 0001 0000 0000 0000 0070 + 0300 7d44 0000 0000 + 6000 0000 0018 1101 + ef00 1001 2002 1001 0000 0000 0000 0070 + 2001 1002 3333 0001 0000 0000 0000 0001 + 8083 829a + 0018 + f427 + 0000 0344 0000 0004 f8f1 9d3c ddba 0e00 + diff -c -r ip_fil4.1.15/tools/ipf_y.y ip_fil4.1.16/tools/ipf_y.y *** ip_fil4.1.15/tools/ipf_y.y Wed Aug 30 02:58:05 2006 --- ip_fil4.1.16/tools/ipf_y.y Mon Dec 11 03:18:58 2006 *************** *** 174,180 **** | file assign ; ! line: xx rule { while ((fr = frtop) != NULL) { frtop = fr->fr_next; fr->fr_next = NULL; (*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr); --- 174,180 ---- | file assign ; ! 
line: rule { while ((fr = frtop) != NULL) { frtop = fr->fr_next; fr->fr_next = NULL; (*ipfaddfunc)(ipffd, ipfioctl[IPL_LOGIPF], fr); *************** *** 193,198 **** --- 193,199 ---- resetlexer(); free($1); free($3); + yyvarnext = 0; } ; *************** *** 216,223 **** ; rulehead: ! collection action ! | insert collection action ; markin: IPFY_IN { fr->fr_flags |= FR_INQUE; } --- 217,224 ---- ; rulehead: ! xx collection action ! | xx insert collection action ; markin: IPFY_IN { fr->fr_flags |= FR_INQUE; } diff -c -r ip_fil4.1.15/tools/ipfstat.c ip_fil4.1.16/tools/ipfstat.c *** ip_fil4.1.15/tools/ipfstat.c Sat Aug 26 21:21:14 2006 --- ip_fil4.1.16/tools/ipfstat.c Sun Dec 10 02:01:25 2006 *************** *** 69,75 **** #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.17 2006/08/26 11:21:14 darrenr Exp $"; #endif #ifdef __hpux --- 69,75 ---- #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipfstat.c,v 1.44.2.18 2006/12/09 15:01:25 darrenr Exp $"; #endif #ifdef __hpux *************** *** 82,91 **** #define PRINTF (void)printf #define FPRINTF (void)fprintf - #define F_IN 0 - #define F_OUT 1 - #define F_ACIN 2 - #define F_ACOUT 3 static char *filters[4] = { "ipfilter(in)", "ipfilter(out)", "ipacct(in)", "ipacct(out)" }; static int state_logging = -1; --- 82,87 ---- diff -c -r ip_fil4.1.15/tools/ipftest.c ip_fil4.1.16/tools/ipftest.c *** ip_fil4.1.15/tools/ipftest.c Sat Aug 26 21:21:14 2006 --- ip_fil4.1.16/tools/ipftest.c Wed Dec 13 03:13:01 2006 *************** *** 10,16 **** #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; ! 
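Review bot: `yyvarnext = 0;` is reset by hand here after `resetlexer()`, and the identical line is added to the same `assign` action in ipmon_y.y, ipnat_y.y, ippool_y.y and ipscan_y.y elsewhere in this diff, so any new grammar, or any other action that calls `resetlexer()`, will forget it. The flag belongs to the lexer (lexer.c prints it in its new debug trace), so I'd clear it inside `resetlexer()` itself, `yyvarnext = 0;` beside whatever else that function resets, and drop the five copies. `resetlexer()` is not in this diff, so check nothing depends on `yyvarnext` surviving a reset.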
static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.12 2006/08/26 11:21:14 darrenr Exp $"; #endif extern char *optarg; --- 10,16 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipftest.c,v 1.44.2.13 2006/12/12 16:13:01 darrenr Exp $"; #endif extern char *optarg; *************** *** 643,649 **** printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE)); printf("\nList of active sessions:\n"); for (nat = nat_instances; nat; nat = nat->nat_next) { ! printactivenat(nat, opts, 0); if (nat->nat_aps) printaps(nat->nat_aps, opts); } --- 643,649 ---- printnat(ipn, opts & (OPT_DEBUG|OPT_VERBOSE)); printf("\nList of active sessions:\n"); for (nat = nat_instances; nat; nat = nat->nat_next) { ! printactivenat(nat, opts, 0, 0); if (nat->nat_aps) printaps(nat->nat_aps, opts); } diff -c -r ip_fil4.1.15/tools/ipmon.c ip_fil4.1.16/tools/ipmon.c *** ip_fil4.1.15/tools/ipmon.c Sat Aug 26 21:21:14 2006 --- ip_fil4.1.16/tools/ipmon.c Tue Dec 19 02:27:58 2006 *************** *** 76,82 **** #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.16 2006/08/26 11:21:14 darrenr Exp $"; #endif --- 76,82 ---- #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipmon.c,v 1.33.2.17 2006/12/18 15:27:58 darrenr Exp $"; #endif *************** *** 815,841 **** (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec); t += strlen(t); ! if (sl->isl_type == ISL_NEW) strcpy(t, "STATE:NEW "); ! else if (sl->isl_type == ISL_CLONE) strcpy(t, "STATE:CLONED "); ! else if (sl->isl_type == ISL_EXPIRE) { if ((sl->isl_p == IPPROTO_TCP) && (sl->isl_state[0] > IPF_TCPS_ESTABLISHED || sl->isl_state[1] > IPF_TCPS_ESTABLISHED)) strcpy(t, "STATE:CLOSE "); else strcpy(t, "STATE:EXPIRE "); ! } else if (sl->isl_type == ISL_FLUSH) strcpy(t, "STATE:FLUSH "); ! 
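Review bot: Passing `0` as the new `now` argument makes the verbose listing print `nat->nat_age - 0`, so the field that printactivenat now labels `ttl` shows the raw `nat_age` tick value in ipftest and is not comparable with `ipnat -l` output. If ipftest links a tick counter from the filter code (ipfilter's `fr_ticks`, not visible in this diff), pass that: `printactivenat(nat, opts, 0, fr_ticks);`; otherwise add `/* no tick source here: the ttl column prints absolute nat_age */` above the call so readers of test output are not misled. The loop's enclosing function starts before this hunk.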
else if (sl->isl_type == ISL_INTERMEDIATE) strcpy(t, "STATE:INTERMEDIATE "); ! else if (sl->isl_type == ISL_REMOVE) strcpy(t, "STATE:REMOVE "); ! else if (sl->isl_type == ISL_KILLED) strcpy(t, "STATE:KILLED "); ! else sprintf(t, "Type: %d ", sl->isl_type); t += strlen(t); proto = getproto(sl->isl_p); --- 815,863 ---- (void) sprintf(t, ".%-.6ld ", ipl->ipl_usec); t += strlen(t); ! switch (sl->isl_type) ! { ! case ISL_NEW : strcpy(t, "STATE:NEW "); ! break; ! ! case ISL_CLONE : strcpy(t, "STATE:CLONED "); ! break; ! ! case ISL_EXPIRE : if ((sl->isl_p == IPPROTO_TCP) && (sl->isl_state[0] > IPF_TCPS_ESTABLISHED || sl->isl_state[1] > IPF_TCPS_ESTABLISHED)) strcpy(t, "STATE:CLOSE "); else strcpy(t, "STATE:EXPIRE "); ! break; ! ! case ISL_FLUSH : strcpy(t, "STATE:FLUSH "); ! break; ! ! case ISL_INTERMEDIATE : strcpy(t, "STATE:INTERMEDIATE "); ! break; ! ! case ISL_REMOVE : strcpy(t, "STATE:REMOVE "); ! break; ! ! case ISL_KILLED : strcpy(t, "STATE:KILLED "); ! break; ! ! case ISL_UNLOAD : ! strcpy(t, "STATE:UNLOAD "); ! break; ! ! default : sprintf(t, "Type: %d ", sl->isl_type); + break; + } t += strlen(t); proto = getproto(sl->isl_p); diff -c -r ip_fil4.1.15/tools/ipmon_y.y ip_fil4.1.16/tools/ipmon_y.y *** ip_fil4.1.15/tools/ipmon_y.y Sat Aug 26 21:21:14 2006 --- ip_fil4.1.16/tools/ipmon_y.y Sat Dec 9 21:32:30 2006 *************** *** 80,85 **** --- 80,86 ---- resetlexer(); free($1); free($3); + yyvarnext = 0; } ; diff -c -r ip_fil4.1.15/tools/ipnat.c ip_fil4.1.16/tools/ipnat.c *** ip_fil4.1.15/tools/ipnat.c Sat Aug 26 21:21:14 2006 --- ip_fil4.1.16/tools/ipnat.c Wed Dec 13 03:13:01 2006 *************** *** 65,71 **** #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.4 2006/08/26 11:21:14 darrenr Exp $"; #endif --- 65,71 ---- #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; ! 
static const char rcsid[] = "@(#)$Id: ipnat.c,v 1.24.2.5 2006/12/12 16:13:01 darrenr Exp $"; #endif *************** *** 332,338 **** for (np = nsp->ns_instances; np; np = nat.nat_next) { if (kmemcpy((char *)&nat, (long)np, sizeof(nat))) break; ! printactivenat(&nat, opts, 0); if (nat.nat_aps) printaps(nat.nat_aps, opts); } --- 332,338 ---- for (np = nsp->ns_instances; np; np = nat.nat_next) { if (kmemcpy((char *)&nat, (long)np, sizeof(nat))) break; ! printactivenat(&nat, opts, 0, nsp->ns_ticks); if (nat.nat_aps) printaps(nat.nat_aps, opts); } *************** *** 417,423 **** while (nsp->ns_instances != NULL) { if (ioctl(fd, SIOCGENITER, &obj) == -1) break; ! printactivenat(&nat, opts, 1); if (nat.nat_aps) printaps(nat.nat_aps, opts); nsp->ns_instances = nat.nat_next; --- 417,423 ---- while (nsp->ns_instances != NULL) { if (ioctl(fd, SIOCGENITER, &obj) == -1) break; ! printactivenat(&nat, opts, 1, nsp->ns_ticks); if (nat.nat_aps) printaps(nat.nat_aps, opts); nsp->ns_instances = nat.nat_next; diff -c -r ip_fil4.1.15/tools/ipnat_y.y ip_fil4.1.16/tools/ipnat_y.y *** ip_fil4.1.15/tools/ipnat_y.y Sat Aug 26 21:21:14 2006 --- ip_fil4.1.16/tools/ipnat_y.y Mon Dec 11 03:03:02 2006 *************** *** 120,125 **** --- 120,126 ---- resetlexer(); free($1); free($3); + yyvarnext = 0; } ; *************** *** 351,361 **** ; dport: | port portspec { nat->in_pmin = htons($2); ! nat->in_pmax = htons($2); } | port portspec '-' portspec { nat->in_pmin = htons($2); ! nat->in_pmax = htons($4); } | port portspec ':' portspec { nat->in_pmin = htons($2); ! nat->in_pmax = htons($4); } ; nport: port portspec { nat->in_pnext = htons($2); } --- 352,362 ---- ; dport: | port portspec { nat->in_pmin = htons($2); ! nat->in_pmax = htons($2); } | port portspec '-' portspec { nat->in_pmin = htons($2); ! nat->in_pmax = htons($4); } | port portspec ':' portspec { nat->in_pmin = htons($2); ! 
nat->in_pmax = htons($4); } ; nport: port portspec { nat->in_pnext = htons($2); } diff -c -r ip_fil4.1.15/tools/ippool_y.y ip_fil4.1.16/tools/ippool_y.y *** ip_fil4.1.15/tools/ippool_y.y Sun Aug 27 01:02:11 2006 --- ip_fil4.1.16/tools/ippool_y.y Sat Dec 9 21:32:31 2006 *************** *** 119,124 **** --- 119,125 ---- resetlexer(); free($1); free($3); + yyvarnext = 0; } ; diff -c -r ip_fil4.1.15/tools/ipscan_y.y ip_fil4.1.16/tools/ipscan_y.y *** ip_fil4.1.15/tools/ipscan_y.y Sat Aug 26 21:21:14 2006 --- ip_fil4.1.16/tools/ipscan_y.y Sat Dec 9 21:32:31 2006 *************** *** 97,102 **** --- 97,103 ---- resetlexer(); free($1); free($3); + yyvarnext = 0; } ; diff -c -r ip_fil4.1.15/tools/lexer.c ip_fil4.1.16/tools/lexer.c *** ip_fil4.1.15/tools/lexer.c Sat Aug 26 21:21:15 2006 --- ip_fil4.1.16/tools/lexer.c Sat Dec 9 21:32:31 2006 *************** *** 283,290 **** yypos++; } } while (n != c); ! yyunputc(n); ! break; case EOF : yylineNum = 1; --- 283,291 ---- yypos++; } } while (n != c); ! rval = YY_STR; ! goto done; ! /* NOTREACHED */ case EOF : yylineNum = 1; *************** *** 465,470 **** --- 466,474 ---- done: yystr = yytexttostr(0, yypos); + if (yydebug) + printf("isbuilding %d yyvarnext %d nokey %d\n", + isbuilding, yyvarnext, nokey); if (isbuilding == 1) { wordtab_t *w; *************** *** 491,498 **** yytokentype = rval; if (yydebug) ! printf("lexed(%s) [%d,%d,%d] => %d\n", yystr, string_start, ! string_end, pos, rval); switch (rval) { --- 495,502 ---- yytokentype = rval; if (yydebug) ! printf("lexed(%s) [%d,%d,%d] => %d @%d\n", yystr, string_start, ! string_end, pos, rval, yysavedepth); switch (rval) { *************** *** 607,612 **** --- 611,618 ---- void yyresetdict() { + if (yydebug) + printf("yyresetdict(%d)\n", yysavedepth); if (yysavedepth > 0) { yysettab(yysavewords[--yysavedepth]); if (yydebug)
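Review bot: The string case now returns `YY_STR` through `goto done` with the closing quote already consumed, whereas before it unput that quote and fell through to the common path; `done:` then sets `yystr = yytexttostr(0, yypos)`, so the token text presumably still carries both quote characters and, when `isbuilding == 1`, reaches the word-table lookup shown just below. If that lookup can still match a quoted `"-"` against a keyword, the quoting that printnat.c now emits would not fix the ipnat.conf parse; confirm the `isbuilding` branch is skipped, or strips the quotes, for `YY_STR`. A comment on the jump would help the next reader, e.g. `/* closing quote consumed: hand back the whole literal as one YY_STR token */`. The do/while loop that collects the string body starts before this hunk.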