authorDarren Reed <darrenr@FreeBSD.org>2001-02-04 14:25:38 +0000
committerDarren Reed <darrenr@FreeBSD.org>2001-02-04 14:25:38 +0000
commit84822a3b55c9055b3bf23a1424ce69a471eab01e (patch)
tree385e237f9b94bd1f0ddf97318d3ced6f6e85ec8b
parent801aabae69beeda563d17b48dd776f039ffaf378 (diff)
Import IP Filter update
Notes
Notes: svn path=/vendor/ipfilter/dist/; revision=72003
-rwxr-xr-xcontrib/ipfilter/FreeBSD-4.0/kinstall4
-rwxr-xr-xcontrib/ipfilter/FreeBSD-4.0/unkinstall2
-rw-r--r--contrib/ipfilter/HISTORY31
-rw-r--r--contrib/ipfilter/Makefile8
-rw-r--r--contrib/ipfilter/common.c13
-rw-r--r--contrib/ipfilter/fil.c85
-rw-r--r--contrib/ipfilter/fils.c21
-rw-r--r--contrib/ipfilter/ip_auth.c4
-rw-r--r--contrib/ipfilter/ip_compat.h20
-rw-r--r--contrib/ipfilter/ip_fil.h5
-rw-r--r--contrib/ipfilter/ip_frag.c21
-rw-r--r--contrib/ipfilter/ip_frag.h3
-rw-r--r--contrib/ipfilter/ip_ftp_pxy.c30
-rw-r--r--contrib/ipfilter/ip_nat.c152
-rw-r--r--contrib/ipfilter/ip_nat.h9
-rw-r--r--contrib/ipfilter/ip_proxy.h3
-rw-r--r--contrib/ipfilter/ip_rcmd_pxy.c4
-rw-r--r--contrib/ipfilter/ip_sfil.c6
-rw-r--r--contrib/ipfilter/ip_state.c24
-rw-r--r--contrib/ipfilter/ipfs.c44
-rw-r--r--contrib/ipfilter/ipft_tx.c6
-rw-r--r--contrib/ipfilter/ipl.h4
-rw-r--r--contrib/ipfilter/ipmon.c14
-rw-r--r--contrib/ipfilter/ipnat.c12
-rw-r--r--contrib/ipfilter/ipsend/ip.c10
-rw-r--r--contrib/ipfilter/ipsend/ipsend.c8
-rw-r--r--contrib/ipfilter/ipsend/resend.c7
-rw-r--r--contrib/ipfilter/ipsend/sock.c11
-rw-r--r--contrib/ipfilter/man/ipfstat.816
-rw-r--r--contrib/ipfilter/mlf_ipl.c3
-rw-r--r--contrib/ipfilter/mlfk_ipl.c14
-rw-r--r--contrib/ipfilter/mli_ipl.c6
-rw-r--r--contrib/ipfilter/parse.c4
-rw-r--r--contrib/ipfilter/samples/userauth.c2
-rw-r--r--contrib/ipfilter/solaris.c8
-rw-r--r--contrib/ipfilter/test/expected/i72
36 files changed, 443 insertions, 173 deletions
diff --git a/contrib/ipfilter/FreeBSD-4.0/kinstall b/contrib/ipfilter/FreeBSD-4.0/kinstall
index 7e663d22d3d5..b3ed4542e30e 100755
--- a/contrib/ipfilter/FreeBSD-4.0/kinstall
+++ b/contrib/ipfilter/FreeBSD-4.0/kinstall
@@ -10,8 +10,8 @@ set confdir="$archdir/conf"
if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Installing "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
- ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \
- ip_compat.h ip_auth.[ch] ip_log.c)
+ ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c mlfk_ipl.c \
+ ipl.h ip_compat.h ip_auth.[ch] ip_log.c)
echo -n "$i ";
cp $i /sys/netinet
chmod 644 /sys/netinet/$i
diff --git a/contrib/ipfilter/FreeBSD-4.0/unkinstall b/contrib/ipfilter/FreeBSD-4.0/unkinstall
index 4e9caaa9e541..b9c5f0294de8 100755
--- a/contrib/ipfilter/FreeBSD-4.0/unkinstall
+++ b/contrib/ipfilter/FreeBSD-4.0/unkinstall
@@ -12,7 +12,7 @@ if ( $dir =~ */FreeBSD* ) cd ..
echo -n "Uninstalling "
foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \
ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \
- ip_log.c mlf_ipl.c ipl.h)
+ ip_log.c mlf_ipl.c mlfk_ipl.c ipl.h)
echo -n "$i ";
/bin/rm -f /sys/netinet/$i
end
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
index 279372bd3b66..02493671ca9b 100644
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@@ -22,6 +22,37 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
+3.4.16 15/01/2001 - Released
+
+fix race condition in flushing of state entries that are timing out
+
+Add TCP ECN patches
+
+log all NAT entries created, not just those via rules
+
+3.4.15 17/12/2000 - Released
+
+add minimum ttl filtering (to be replaced later by return-icmp-as-dest
+for all ICMP packets matching state entries).
+
+fix NAT'ing of fragments
+
+fix sanity checks for ICMPV6
+
+fix up compiling on IRIX 6.2 with IDF/IDL installed
+
+3.4.14 02/11/2000 - Released
+
+cause flushing NAT table to generate log records the same as state flush
+does.
+
+fix ftp proxy port/pasv
+
+fix problem where nat_{in,out}lookup() would release a write lock when it
+didn't need to.
+
+add check for ipf6.conf in Solaris ipfboot
+
3.4.13 28/10/2000 - Released
fix introduced bug with ICMP packets being rejected when valid
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index e79eb12f7308..5770d404907a 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -5,7 +5,7 @@
# provided that this notice is preserved and due credit is given
# to the original author and the contributors.
#
-# $Id: Makefile,v 2.11.2.4 2000/10/19 15:42:56 darrenr Exp $
+# $Id: Makefile,v 2.11.2.6 2000/12/17 12:43:15 darrenr Exp $
#
BINDEST=/usr/local/bin
SBINDEST=/sbin
@@ -107,7 +107,7 @@ include:
fi
sunos solaris: include
- ./buildsunos $(MFLAGS)
+ CC="$(CC)" ./buildsunos
freebsd22: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
@@ -169,8 +169,8 @@ bsdi bsdos: include
irix IRIX: include
make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)"
- -(SMAKE=`which smake >/dev/null 2>&1; if [ $$? -ne 0 ] ; then echo make -f Makefile.std; else echo smake; fi`; cd IRIX/$(CPUDIR); $${SMAKE} build TOP=../.. $(DEST) $(MFLAGS); cd ..)
- -(SMAKE=`which smake >/dev/null 2>&1; if [ $$? -ne 0 ] ; then echo make -f Makefile.ipsend.std; else echo smake -f Makefile.ipsend; fi`; cd IRIX/$(CPUDIR); $${SMAKE} TOP=../.. $(DEST) $(MFLAGS); cd ..)
+ -(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.std build TOP=../.. $(DEST) $(MFLAGS); else smake build TOP=../.. $(DEST) $(MFLAGS); fi;)
+ -(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.ipsend.std TOP=../.. $(DEST) $(MFLAGS); else smake -f Makefile.ipsend TOP=../.. $(DEST) $(MFLAGS); fi)
linux: include
make setup "TARGOS=Linux" "CPUDIR=$(CPUDIR)"
diff --git a/contrib/ipfilter/common.c b/contrib/ipfilter/common.c
index d7706bd0036f..afcc95c58747 100644
--- a/contrib/ipfilter/common.c
+++ b/contrib/ipfilter/common.c
@@ -52,8 +52,9 @@ extern int use_inet6;
char *proto = NULL;
-char flagset[] = "FSRPAU";
-u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG };
+char flagset[] = "FSRPAUEC";
+u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG,
+ TH_ECN, TH_CWR };
#ifdef USE_INET6
void fill6bits __P((int, u_32_t *));
@@ -409,8 +410,12 @@ int linenum;
if (s && *s == '0')
tcpfm = strtol(s, NULL, 0);
- if (!tcpfm)
- tcpfm = 0xff;
+ if (!tcpfm) {
+ if (tcpf == TH_SYN)
+ tcpfm = 0xff & ~(TH_ECN|TH_CWR);
+ else
+ tcpfm = 0xff & ~(TH_ECN);
+ }
*mask = tcpfm;
return tcpf;
}
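Review bot: The new default mask silently changes what every existing `flags S` rule (or any flags rule written without an explicit mask) matches: a SYN carrying ECE+CWR, i.e. an RFC 2481 ECN-setup SYN, now matches `flags S`, while for every other flag set ECE is ignored but CWR is still compared. That asymmetry looks deliberate but nothing in the code says so, and the diffstat shows only ipfstat.8 being updated, not the page where `flags` is documented. Suggest a comment above the new block, `/* Default mask: ignore ECE everywhere, and also CWR on a bare SYN, so ECN-capable handshakes (RFC 2481) still match a plain "flags S" rule. */`, and a matching sentence in the ipf rule-syntax man page. The enclosing function starts outside this hunk.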
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index e0a5ed59240b..02f075b1c6c5 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.27 2000/10/26 21:20:54 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -136,6 +136,8 @@ struct frgroup *ipfgroups[3][2];
int fr_flags = IPF_LOGGING;
int fr_active = 0;
int fr_chksrc = 0;
+int fr_minttl = 3;
+int fr_minttllog = 1;
#if defined(IPFILTER_DEFAULT_BLOCK)
int fr_pass = FR_NOMATCH|FR_BLOCK;
#else
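Review bot: `fr_minttl = 3` makes every inbound IPv4 packet with TTL 1 or 2, and every IPv6 packet (in either direction, per the later hunk) with a hop limit below 3, count as bad by default on every interface; link-local protocols that legitimately send with TTL 1 (OSPF, RIPv2, IGMP, VRRP) fall into that category once the check actually drops. A shipping default of 0 (disabled) or 1, with the administrator raising it explicitly, would be the safer choice, or at least a comment on the definition: `int fr_minttl = 3; /* minimum TTL/hop-limit accepted; NB: TTL-1 link-local protocols need this <= 1 */`. Whether a sysctl or ioctl exposes these two knobs is not visible in this hunk.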
@@ -269,6 +271,40 @@ fr_info_t *fin;
switch (p)
{
+#ifdef USE_INET6
+ case IPPROTO_ICMPV6 :
+ {
+ int minicmpsz = sizeof(struct icmp6_hdr);
+ struct icmp6_hdr *icmp6;
+
+ if (fin->fin_dlen > 1) {
+ fin->fin_data[0] = *(u_short *)tcp;
+
+ icmp6 = (struct icmp6_hdr *)tcp;
+
+ switch (icmp6->icmp6_type)
+ {
+ case ICMP6_ECHO_REPLY :
+ case ICMP6_ECHO_REQUEST :
+ minicmpsz = ICMP6ERR_MINPKTLEN;
+ break;
+ case ICMP6_DST_UNREACH :
+ case ICMP6_PACKET_TOO_BIG :
+ case ICMP6_TIME_EXCEEDED :
+ case ICMP6_PARAM_PROB :
+ minicmpsz = ICMP6ERR_IPICMPHLEN;
+ break;
+ default :
+ break;
+ }
+ }
+
+ if (!(plen >= hlen + minicmpsz))
+ fi->fi_fl |= FI_SHORT;
+
+ break;
+ }
+#endif
case IPPROTO_ICMP :
{
int minicmpsz = sizeof(struct icmp);
@@ -747,8 +783,8 @@ int out;
#endif
#ifdef _KERNEL
+ int p, len, drop = 0, logit = 0;
mb_t *mc = NULL;
- int p, len;
# if !defined(__SVR4) && !defined(__svr4__)
# ifdef __sgi
char hbuf[(0xf << 2) + sizeof(struct icmp) + sizeof(ip_t) + 8];
@@ -802,11 +838,17 @@ int out;
break;
/* 96 - enough for complete ICMP error IP header */
case IPPROTO_ICMP:
+ plen = ICMPERR_MAXPKTLEN - sizeof(ip_t);
+ break;
# ifdef USE_INET6
case IPPROTO_ICMPV6 :
-# endif
- plen = ICMPERR_MAXPKTLEN - sizeof(ip_t);
+ /*
+ * XXX does not take intermediate header
+ * into account
+ */
+ plen = ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t);
break;
+# endif
}
up = MIN(hlen + plen, len);
@@ -865,22 +907,37 @@ int out;
# ifdef USE_INET6
if (v == 6) {
ATOMIC_INCL(frstats[0].fr_ipv6[out]);
+ if (((ip6_t *)ip)->ip6_hlim < fr_minttl) {
+ ATOMIC_INCL(frstats[0].fr_badttl);
+ if (fr_minttllog)
+ logit = -2;
+ }
} else
# endif
- if (!out && fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) {
+ if (!out) {
+ if (fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) {
ATOMIC_INCL(frstats[0].fr_badsrc);
+ if (fr_chksrc == 2)
+ logit = -2;
+ } else if (ip->ip_ttl < fr_minttl) {
+ ATOMIC_INCL(frstats[0].fr_badttl);
+ if (fr_minttllog)
+ logit = -3;
+ }
+ }
+ if (drop) {
# ifdef IPFILTER_LOG
- if (fr_chksrc == 2) {
- fin->fin_group = -2;
- pass = FR_INQUE|FR_NOMATCH|FR_LOGB;
- (void) IPLLOG(pass, ip, fin, m);
- }
+ if (logit) {
+ fin->fin_group = logit;
+ pass = FR_INQUE|FR_NOMATCH|FR_LOGB;
+ (void) IPLLOG(pass, ip, fin, m);
+ }
# endif
# if !SOLARIS
- m_freem(m);
+ m_freem(m);
# endif
- return error;
- }
+ return error;
+ }
#endif
pass = fr_pass;
if (fin->fin_fi.fi_fl & FI_SHORT) {
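Review bot: `drop` is zero-initialised in the earlier hunk and nothing in the visible code ever assigns it, so the `if (drop)` block at the end of this hunk, the m_freem()/return that used to run unconditionally when fr_verifysrc() failed, is now dead: a failed source check or a TTL below fr_minttl only bumps a counter and sets `logit`, and the packet continues into rule matching. Unless drop is set in lines this diff does not show, the fix is to add `drop = 1;` next to each of the three `logit = …` assignments (testing `if (logit)` instead would make dropping depend on the logging flags, which is not what the old code did). Note also that the IPv6 hop-limit branch logs under group -2, the same group as the IPv4 bad-source case, whereas the IPv4 TTL branch uses -3. fr_check() starts and ends outside this hunk.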
@@ -1401,7 +1458,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.27 2000/10/26 21:20:54 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c
index 6a4cf677cc85..3184e4c53dd5 100644
--- a/contrib/ipfilter/fils.c
+++ b/contrib/ipfilter/fils.c
@@ -65,7 +65,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.5 2000/07/20 14:13:30 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.7 2000/12/02 00:13:56 darrenr Exp $";
#endif
extern char *optarg;
@@ -892,7 +892,7 @@ int topclosed;
printw("%-21s %-21s", str1, str2);
/* print state */
- sprintf(str1, "%d/%d", tp->st_state[0],
+ sprintf(str1, "%X/%X", tp->st_state[0],
tp->st_state[1]);
printw(" %3s", str1);
@@ -994,6 +994,23 @@ ipfrstat_t *ifsp;
fr.fr_flags);
ipfrtab[i] = ifr.ipfr_next;
}
+ if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab)))
+ return;
+ for (i = 0; i < IPFT_SIZE; i++)
+ while (ipfrtab[i]) {
+ if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i],
+ sizeof(ifr)) == -1)
+ break;
+ PRINTF("NAT: %s -> ", hostname(4, &ifr.ipfr_src));
+ if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule,
+ sizeof(fr)) == -1)
+ break;
+ PRINTF("%s %d %d %d %#02x = %#x\n",
+ hostname(4, &ifr.ipfr_dst), ifr.ipfr_id,
+ ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos,
+ fr.fr_flags);
+ ipfrtab[i] = ifr.ipfr_next;
+ }
}
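Review bot: In the new NAT-fragment loop a `kmemcpy()` failure on `ifr.ipfr_rule` does `break`, which abandons the rest of bucket `i` after the `NAT: src -> ` prefix has already been printed, so output ends mid-line and later entries in that bucket are silently skipped. NAT-created fragment entries may carry a NULL rule pointer (this same diff adds `fi.fin_fr = &natfr` in the ftp proxy, which suggests that case exists), and a read from address 0 is exactly what would fail here. Suggest advancing `ipfrtab[i] = ifr.ipfr_next` before the rule read and, when `ifr.ipfr_rule == NULL`, printing the entry without the `fr_flags` field and continuing instead of breaking. The enclosing function starts outside this hunk.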
diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c
index d737b9c7b71f..a4536105819c 100644
--- a/contrib/ipfilter/ip_auth.c
+++ b/contrib/ipfilter/ip_auth.c
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.4 2000/08/05 14:48:50 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.5 2001/01/10 06:18:35 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -352,7 +352,7 @@ fr_authioctlloop:
READ_ENTER(&ipf_auth);
if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data,
- sizeof(fr_info_t));
+ sizeof(frauth_t));
RWLOCK_EXIT(&ipf_auth);
if (error)
break;
diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h
index 2369cf08cbd8..ed71f36cc021 100644
--- a/contrib/ipfilter/ip_compat.h
+++ b/contrib/ipfilter/ip_compat.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_compat.h 1.8 1/14/96
- * $Id: ip_compat.h,v 2.26.2.6 2000/10/19 15:39:05 darrenr Exp $
+ * $Id: ip_compat.h,v 2.26.2.9 2001/01/14 14:58:01 darrenr Exp $
*/
#ifndef __IP_COMPAT_H__
@@ -974,8 +974,6 @@ struct ether_addr {
#define A_A &
#endif
-#define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG)
-
#ifndef ICMP_ROUTERADVERT
# define ICMP_ROUTERADVERT 9
#endif
@@ -995,6 +993,20 @@ struct ether_addr {
#define ICMPERR_IPICMPHLEN (20 + 8)
#define ICMPERR_MINPKTLEN (20 + 8 + 20)
#define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8)
-#define ICMP6ERR_MINPKTLEN (20 + 8)
+#define ICMP6ERR_MINPKTLEN (40 + 8)
+#define ICMP6ERR_IPICMPHLEN (40 + 8 + 40)
+
+/*
+ * ECN is a new addition to TCP - RFC 2481
+ */
+#ifndef TH_ECN
+# define TH_ECN 0x40
+#endif
+#ifndef TH_CWR
+# define TH_CWR 0x80
+#endif
+#define TH_ECNALL (TH_ECN|TH_CWR)
+
+#define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|TH_ECN|TH_CWR)
#endif /* __IP_COMPAT_H__ */
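Review bot: `TH_ECN` names the bit RFC 2481 calls ECE (0x40); on platforms whose tcp.h already defines the bits under their RFC names (`TH_ECE`/`TH_CWR`) the `#ifndef TH_ECN` guard never sees the system definition and a second name for the same bit is introduced. Prefer `#ifdef TH_ECE` / `# define TH_ECN TH_ECE` ahead of the `0x40` fallback so the value comes from the system header where one exists, and say in the comment that ECN here means the ECE bit. `TCPF_ALL` now also carries both ECN bits, so anything that uses it as a full compare mask changes behaviour; those callers should be checked against the new default-mask logic in common.c.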
diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h
index da109b754e10..ed1cfc4408fb 100644
--- a/contrib/ipfilter/ip_fil.h
+++ b/contrib/ipfilter/ip_fil.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_fil.h 1.35 6/5/96
- * $Id: ip_fil.h,v 2.29.2.3 2000/06/05 13:12:42 darrenr Exp $
+ * $Id: ip_fil.h,v 2.29.2.4 2000/11/12 11:54:53 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@@ -335,6 +335,7 @@ typedef struct filterstats {
u_long fr_tcpbad; /* TCP checksum check failures */
u_long fr_pull[2]; /* good and bad pullup attempts */
u_long fr_badsrc; /* source received doesn't match route */
+ u_long fr_badttl; /* TTL in packet doesn't reach minimum */
#if SOLARIS
u_long fr_notdata; /* PROTO/PCPROTO that have no data */
u_long fr_nodata; /* mblks that have no data */
@@ -612,6 +613,8 @@ extern int fr_pass;
extern int fr_flags;
extern int fr_active;
extern int fr_chksrc;
+extern int fr_minttl;
+extern int fr_minttllog;
extern fr_info_t frcache[2];
extern char ipfilter_version[];
extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c
index 1cb86c117488..556478d51d0b 100644
--- a/contrib/ipfilter/ip_frag.c
+++ b/contrib/ipfilter/ip_frag.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.5 2000/10/19 15:39:58 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.7 2000/11/27 10:26:56 darrenr Exp $";
#endif
#if defined(KERNEL) && !defined(_KERNEL)
@@ -156,6 +156,7 @@ ipfr_t *table[];
idx += ip->ip_src.s_addr;
frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
idx += ip->ip_dst.s_addr;
+ frag.ipfr_ifp = fin->fin_ifp;
idx *= 127;
idx %= IPFT_SIZE;
@@ -270,6 +271,7 @@ ipfr_t *table[];
idx += ip->ip_src.s_addr;
frag.ipfr_dst.s_addr = ip->ip_dst.s_addr;
idx += ip->ip_dst.s_addr;
+ frag.ipfr_ifp = fin->fin_ifp;
idx *= 127;
idx %= IPFT_SIZE;
@@ -328,16 +330,13 @@ fr_info_t *fin;
ipf = ipfr_lookup(ip, fin, ipfr_nattab);
if (ipf != NULL) {
nat = ipf->ipfr_data;
- if (nat->nat_ifp == fin->fin_ifp) {
- /*
- * This is the last fragment for this packet.
- */
- if ((ipf->ipfr_ttl == 1) && (nat != NULL)) {
- nat->nat_data = NULL;
- ipf->ipfr_data = NULL;
- }
- } else
- nat = NULL;
+ /*
+ * This is the last fragment for this packet.
+ */
+ if ((ipf->ipfr_ttl == 1) && (nat != NULL)) {
+ nat->nat_data = NULL;
+ ipf->ipfr_data = NULL;
+ }
} else
nat = NULL;
RWLOCK_EXIT(&ipf_natfrag);
diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h
index 61b88aae66c4..362bcdd120c9 100644
--- a/contrib/ipfilter/ip_frag.h
+++ b/contrib/ipfilter/ip_frag.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_frag.h 1.5 3/24/96
- * $Id: ip_frag.h,v 2.4.2.1 2000/10/19 15:40:13 darrenr Exp $
+ * $Id: ip_frag.h,v 2.4.2.2 2000/11/10 13:10:54 darrenr Exp $
*/
#ifndef __IP_FRAG_H__
@@ -19,6 +19,7 @@ typedef struct ipfr {
void *ipfr_data;
struct in_addr ipfr_src;
struct in_addr ipfr_dst;
+ void *ipfr_ifp;
u_short ipfr_id;
u_char ipfr_p;
u_char ipfr_tos;
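Review bot: `ipfr_ifp` is inserted between `ipfr_dst` and `ipfr_id`, inside the run of fields starting at `ipfr_src` that the fragment lookup compares as a single key (ip_frag.c now fills `frag.ipfr_ifp` in both ipfr_new and ipfr_lookup, so it is clearly meant to be part of that key). The compare length `IPFR_CMPSZ` is not touched anywhere in this diff; if it is a literal byte count rather than derived with offsetof(), the comparison now covers src, dst and part of the pointer and no longer sees id/p/tos, so fragments of different datagrams between the same hosts would share a cache entry. Please confirm it is `offsetof(ipfr_t, ipfr_off) - offsetof(ipfr_t, ipfr_src)` (or extend it by `sizeof(void *)`), and add `/* part of the lookup key, see IPFR_CMPSZ */` on the new field so the next insertion does not repeat this.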
diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c
index 653bbfe1386d..ddca8890f0bf 100644
--- a/contrib/ipfilter/ip_ftp_pxy.c
+++ b/contrib/ipfilter/ip_ftp_pxy.c
@@ -2,7 +2,7 @@
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
- * $Id: ip_ftp_pxy.c,v 2.7.2.18 2000/10/27 14:02:10 darrenr Exp $
+ * $Id: ip_ftp_pxy.c,v 2.7.2.20 2000/12/02 00:15:06 darrenr Exp $
*/
#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_rw;
@@ -238,7 +238,7 @@ int dlen;
*/
dp = htons(fin->fin_data[1] - 1);
ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
- ip->ip_dst, (dp << 16) | sp);
+ ip->ip_dst, (dp << 16) | sp, 0);
if (ipn == NULL) {
int slen;
@@ -254,7 +254,9 @@ int dlen;
fi.fin_data[1] = 0;
fi.fin_dlen = sizeof(*tcp2);
fi.fin_dp = (char *)tcp2;
+ fi.fin_fr = &natfr;
swip = ip->ip_src;
+ fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
ip->ip_src = nat->nat_inip;
ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT,
NAT_OUTBOUND);
@@ -456,7 +458,7 @@ int dlen;
sp = 0;
dp = htons(fin->fin_data[1] - 1);
ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
- ip->ip_dst, (dp << 16) | sp);
+ ip->ip_dst, (dp << 16) | sp, 0);
if (ipn == NULL) {
int slen;
@@ -467,13 +469,16 @@ int dlen;
tcp2->th_win = htons(8192);
tcp2->th_sport = 0; /* XXX - fake it for nat_new */
tcp2->th_off = 5;
- fi.fin_data[0] = a5 << 8 | a6;
+ fi.fin_data[1] = a5 << 8 | a6;
fi.fin_dlen = sizeof(*tcp2);
- tcp2->th_dport = htons(fi.fin_data[0]);
- fi.fin_data[1] = 0;
+ tcp2->th_dport = htons(fi.fin_data[1]);
+ fi.fin_data[0] = 0;
fi.fin_dp = (char *)tcp2;
+ fi.fin_fr = &natfr;
swip = ip->ip_src;
swip2 = ip->ip_dst;
+ fi.fin_fi.fi_daddr = ip->ip_src.s_addr;
+ fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
ip->ip_dst = ip->ip_src;
ip->ip_src = nat->nat_inip;
ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_SPORT,
@@ -614,14 +619,18 @@ int rv;
#else
mlen = mbufchainlen(m) - off;
#endif
+
t = &ftp->ftp_side[1 - rv];
+ f = &ftp->ftp_side[rv];
if (!mlen) {
- t->ftps_seq = ntohl(tcp->th_ack);
+ if (!t->ftps_seq ||
+ (int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0)
+ t->ftps_seq = ntohl(tcp->th_ack);
+ f->ftps_len = 0;
return 0;
}
inc = 0;
- f = &ftp->ftp_side[rv];
rptr = f->ftps_rptr;
wptr = f->ftps_wptr;
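Review bot: `(int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0` does the subtraction in signed int, which is undefined behaviour precisely when the two sequence numbers straddle 2^31, the wrap case this comparison exists to handle; the portable form subtracts as unsigned and casts the result, `(int)(ntohl(tcp->th_ack) - t->ftps_seq) > 0`. The `!t->ftps_seq` test also treats a genuine sequence number of 0 as "not yet set", which is harmless only because the second clause would accept the update anyway; a comment saying so would stop someone tightening it later. The enclosing function starts and ends outside this hunk.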
@@ -635,9 +644,12 @@ int rv;
* that it is out of order (and there is no real danger in doing so
* apart from causing packets to go through here ordered).
*/
- if (ntohl(tcp->th_seq) + i != f->ftps_seq) {
+ if (f->ftps_len + f->ftps_seq == ntohl(tcp->th_seq))
+ f->ftps_seq = ntohl(tcp->th_seq);
+ else if (ntohl(tcp->th_seq) + i != f->ftps_seq) {
return APR_ERR(-1);
}
+ f->ftps_len = mlen;
while (mlen > 0) {
len = MIN(mlen, FTP_BUFSZ / 2);
diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c
index 4f6921d3f3de..e7e121a0b723 100644
--- a/contrib/ipfilter/ip_nat.c
+++ b/contrib/ipfilter/ip_nat.c
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.26 2000/10/27 14:06:48 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.32 2001/01/10 06:19:11 darrenr Exp $";
#endif
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
@@ -129,7 +129,7 @@ u_long fr_defnatage = DEF_NAT_AGE,
natstat_t nat_stats;
int fr_nat_lock = 0;
#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern kmutex_t ipf_rw, ipf_hostmap;
+extern kmutex_t ipf_rw;
extern KRWLOCK_T ipf_nat;
#endif
@@ -143,7 +143,7 @@ static void nat_delnat __P((struct ipnat *));
static int fr_natgetent __P((caddr_t));
static int fr_natgetsz __P((caddr_t));
static int fr_natputent __P((caddr_t));
-static void nat_tabmove __P((nat_t *));
+static void nat_tabmove __P((nat_t *, u_32_t));
static int nat_match __P((fr_info_t *, ipnat_t *, ip_t *));
static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr,
struct in_addr));
@@ -250,6 +250,8 @@ ipnat_t *n;
/*
* check if an ip address has already been allocated for a given mapping that
* is not doing port based translation.
+ *
+ * Must be called with ipf_nat held as a write lock.
*/
static struct hostmap *nat_hostmap(np, real, map)
ipnat_t *np;
@@ -259,13 +261,11 @@ struct in_addr map;
hostmap_t *hm;
u_int hv;
- MUTEX_ENTER(&ipf_hostmap);
hv = real.s_addr % HOSTMAP_SIZE;
for (hm = maptable[hv]; hm; hm = hm->hm_next)
if ((hm->hm_realip.s_addr == real.s_addr) &&
(np == hm->hm_ipnat)) {
hm->hm_ref++;
- MUTEX_EXIT(&ipf_hostmap);
return hm;
}
@@ -281,15 +281,16 @@ struct in_addr map;
hm->hm_mapip = map;
hm->hm_ref = 1;
}
- MUTEX_EXIT(&ipf_hostmap);
return hm;
}
+/*
+ * Must be called with ipf_nat held as a write lock.
+ */
static void nat_hostmapdel(hm)
struct hostmap *hm;
{
- MUTEX_ENTER(&ipf_hostmap);
ATOMIC_DEC32(hm->hm_ref);
if (hm->hm_ref == 0) {
if (hm->hm_next)
@@ -297,7 +298,6 @@ struct hostmap *hm;
*hm->hm_pnext = hm->hm_next;
KFREE(hm);
}
- MUTEX_EXIT(&ipf_hostmap);
}
@@ -698,9 +698,9 @@ int mode;
break;
case FIONREAD :
#ifdef IPFILTER_LOG
+ arg = (int)iplused[IPL_LOGNAT];
MUTEX_DOWNGRADE(&ipf_nat);
- error = IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data,
- sizeof(iplused[IPL_LOGNAT]));
+ error = IWCOPY((caddr_t)&arg, (caddr_t)data, sizeof(arg));
if (error)
error = EFAULT;
#endif
@@ -1068,6 +1068,9 @@ static int nat_flushtable()
for (natp = &nat_instances; (nat = *natp); ) {
*natp = nat->nat_next;
+#ifdef IPFILTER_LOG
+ nat_log(nat, NL_FLUSH);
+#endif
nat_delete(nat);
j++;
}
@@ -1295,7 +1298,7 @@ int direction;
inb.s_addr = htonl(in.s_addr);
natl = nat_inlookup(fin->fin_ifp, flags & ~FI_WILDP,
(u_int)ip->ip_p, ip->ip_dst, inb,
- (port << 16) | dport);
+ (port << 16) | dport, 1);
/*
* Has the search wrapped around and come back to the
@@ -1444,6 +1447,9 @@ int direction;
tcp->th_dport = nport;
}
np->in_use++;
+#ifdef IPFILTER_LOG
+ nat_log(nat, (u_int)np->in_redir);
+#endif
return nat;
badnat:
nat_stats.ns_badnat++;
@@ -1565,18 +1571,18 @@ int dir;
if (dir == NAT_INBOUND)
return nat_inlookup(fin->fin_ifp, flags,
(u_int)oip->ip_p, oip->ip_dst, oip->ip_src,
- (tcp->th_sport << 16) | tcp->th_dport);
+ (tcp->th_sport << 16) | tcp->th_dport, 0);
else
return nat_outlookup(fin->fin_ifp, flags,
(u_int)oip->ip_p, oip->ip_dst, oip->ip_src,
- (tcp->th_sport << 16) | tcp->th_dport);
+ (tcp->th_sport << 16) | tcp->th_dport, 0);
}
if (dir == NAT_INBOUND)
return nat_inlookup(fin->fin_ifp, 0, (u_int)oip->ip_p,
- oip->ip_dst, oip->ip_src, 0);
+ oip->ip_dst, oip->ip_src, 0, 0);
else
return nat_outlookup(fin->fin_ifp, 0, (u_int)oip->ip_p,
- oip->ip_dst, oip->ip_src, 0);
+ oip->ip_dst, oip->ip_src, 0, 0);
}
@@ -1590,7 +1596,7 @@ fr_info_t *fin;
u_int *nflags;
int dir;
{
- u_32_t sum1, sum2, sumd;
+ u_32_t sum1, sum2, sumd, sumd2 = 0;
struct in_addr in;
icmphdr_t *icmp;
udphdr_t *udp;
@@ -1639,7 +1645,7 @@ int dir;
* in the first 8 bytes, so it will not be available in most cases.
*/
- if (nat->nat_dir == NAT_OUTBOUND) {
+ if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) {
sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr));
in = nat->nat_inip;
oip->ip_src = in;
@@ -1691,7 +1697,7 @@ int dir;
* checksum adjustment.
*/
CALC_SUMD(sum1, sum2, sumd);
- fix_outcksum(&icmp->icmp_cksum, sumd);
+ sumd2 = sumd;
}
#if 0
@@ -1750,7 +1756,7 @@ int dir;
* checksum adjustment.
*/
CALC_SUMD(sum1, sum2, sumd);
- fix_incksum(&icmp->icmp_cksum, sumd);
+ sumd2 = sumd;
}
#if 0
@@ -1796,7 +1802,7 @@ int dir;
* device that returns more than 8 data bytes on icmp error)
*/
- if (nat->nat_dir == NAT_OUTBOUND) {
+ if (nat->nat_oport == tcp->th_dport) {
if (tcp->th_sport != nat->nat_inport) {
/*
* Fix ICMP checksum to compensate port
@@ -1805,8 +1811,8 @@ int dir;
sum1 = ntohs(tcp->th_sport);
sum2 = ntohs(nat->nat_inport);
CALC_SUMD(sum1, sum2, sumd);
+ sumd2 += sumd;
tcp->th_sport = nat->nat_inport;
- fix_outcksum(&icmp->icmp_cksum, sumd);
/*
* Fix udp checksum to compensate port
@@ -1829,11 +1835,10 @@ int dir;
* adjustment.
*/
CALC_SUMD(sum1, sum2, sumd);
- fix_outcksum(&icmp->icmp_cksum, sumd);
+ sumd2 += sumd;
}
}
} else {
-
if (tcp->th_dport != nat->nat_outport) {
/*
* Fix ICMP checksum to compensate port
@@ -1842,8 +1847,8 @@ int dir;
sum1 = ntohs(tcp->th_dport);
sum2 = ntohs(nat->nat_outport);
CALC_SUMD(sum1, sum2, sumd);
+ sumd2 += sumd;
tcp->th_dport = nat->nat_outport;
- fix_incksum(&icmp->icmp_cksum, sumd);
/*
* Fix udp checksum to compensate port
@@ -1865,10 +1870,19 @@ int dir;
* UDP checksum adjustment.
*/
CALC_SUMD(sum1, sum2, sumd);
- fix_incksum(&icmp->icmp_cksum, sumd);
+ sumd2 += sumd;
}
}
}
+ if (sumd2) {
+ sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
+ sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
+ if (nat->nat_dir == NAT_OUTBOUND) {
+ fix_outcksum(&icmp->icmp_cksum, sumd2);
+ } else {
+ fix_incksum(&icmp->icmp_cksum, sumd2);
+ }
+ }
}
nat->nat_age = fr_defnaticmpage;
return nat;
@@ -1885,11 +1899,12 @@ int dir;
* we're looking for a table entry, based on the destination address.
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
*/
-nat_t *nat_inlookup(ifp, flags, p, src, mapdst, ports)
+nat_t *nat_inlookup(ifp, flags, p, src, mapdst, ports, rw)
void *ifp;
register u_int flags, p;
struct in_addr src , mapdst;
u_32_t ports;
+int rw;
{
register u_short sport, dport;
register nat_t *nat;
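Review bot: The new `rw` argument changes the locking contract of nat_inlookup() (and nat_outlookup() alike) but is not documented: the following hunks show that with `rw == 0` the function releases the caller's read lock on ipf_nat, re-takes it for writing to run nat_tabmove(), and returns with it downgraded, whereas with `rw != 0` (the call from nat_new) it assumes the caller already holds the write lock and never touches it. Passing 1 from a read-locked caller would let nat_tabmove() rewrite hash chains under a read lock, and passing 0 from a write-locked caller would RWLOCK_EXIT a write lock. Suggest adding to the function's header comment: `rw: 0 = caller holds ipf_nat for reading (it may be downgraded from a temporary write lock on return); non-zero = caller already holds ipf_nat for writing, which is required whenever a wildcard entry may be moved.`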
@@ -1917,9 +1932,13 @@ u_32_t ports;
}
if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP))
return NULL;
- RWLOCK_EXIT(&ipf_nat);
+ if (!rw) {
+ RWLOCK_EXIT(&ipf_nat);
+ }
hv = NAT_HASH_FN(dst, 0, ipf_nattable_sz);
- WRITE_ENTER(&ipf_nat);
+ if (!rw) {
+ WRITE_ENTER(&ipf_nat);
+ }
nat = nat_table[1][hv];
for (; nat; nat = nat->nat_hnext[1]) {
nflags = nat->nat_flags;
@@ -1934,21 +1953,38 @@ u_32_t ports;
continue;
if (((nat->nat_oport == sport) || (nflags & FI_W_DPORT)) &&
((nat->nat_outport == dport) || (nflags & FI_W_SPORT))) {
- nat_tabmove(nat);
+ nat_tabmove(nat, ports);
break;
}
}
- MUTEX_DOWNGRADE(&ipf_nat);
+ if (!rw) {
+ MUTEX_DOWNGRADE(&ipf_nat);
+ }
return nat;
}
-static void nat_tabmove(nat)
+/*
+ * This function is only called for TCP/UDP NAT table entries where the
+ * original was placed in the table without hashing on the ports and we now
+ * want to include hashing on port numbers.
+ */
+static void nat_tabmove(nat, ports)
nat_t *nat;
+u_32_t ports;
{
+ register u_short sport, dport;
nat_t **natp;
u_int hv;
+ dport = ports >> 16;
+ sport = ports & 0xffff;
+
+ if (nat->nat_oport == dport) {
+ nat->nat_inport = sport;
+ nat->nat_outport = sport;
+ }
+
/*
* Remove the NAT entry from the old location
*/
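Review bot: nat_tabmove() now pins `nat_inport`/`nat_outport` to the first packet's port but leaves `FI_W_SPORT`/`FI_W_DPORT` set in `nat_flags` and does not touch `nat_stats.ns_wilds`, so unless a caller clears them outside this hunk the entry remains a wildcard after the move: the fast-path loops above still short-circuit on `nflags & FI_W_*`, so a different remote port (a different peer, for a proxy-created data-connection mapping) can keep matching and be re-pinned, and the `ns_wilds` gate keeps every TCP/UDP miss on the slow write-locked path. The port assignment also appears correct only for the outbound packing of `ports`: on the inbound call `ports >> 16` is the packet's destination port, which the nat_inlookup loop matches against `nat_outport`, not `nat_oport`, so `nat->nat_oport == dport` compares unrelated fields and both rehashes then use the remote port instead of nat_inport/nat_outport. Suggest pinning the ports in the two lookup loops where the direction is known, clearing the wildcard state there (`nat->nat_flags &= ~(FI_W_SPORT|FI_W_DPORT); nat_stats.ns_wilds--;`), and having nat_tabmove() rehash on `nat_inport`/`nat_outport` as it did before.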
@@ -1963,8 +1999,7 @@ nat_t *nat;
/*
* Add into the NAT table in the new position
*/
- hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
- ipf_nattable_sz);
+ hv = NAT_HASH_FN(nat->nat_inip.s_addr, sport, ipf_nattable_sz);
natp = &nat_table[0][hv];
if (*natp)
(*natp)->nat_phnext[0] = &nat->nat_hnext[0];
@@ -1972,8 +2007,7 @@ nat_t *nat;
nat->nat_hnext[0] = *natp;
*natp = nat;
- hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
- ipf_nattable_sz);
+ hv = NAT_HASH_FN(nat->nat_outip.s_addr, sport, ipf_nattable_sz);
natp = &nat_table[1][hv];
if (*natp)
(*natp)->nat_phnext[1] = &nat->nat_hnext[1];
@@ -1989,11 +2023,12 @@ nat_t *nat;
* we're looking for a table entry, based on the source address.
* NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY.
*/
-nat_t *nat_outlookup(ifp, flags, p, src, dst, ports)
+nat_t *nat_outlookup(ifp, flags, p, src, dst, ports, rw)
void *ifp;
register u_int flags, p;
struct in_addr src , dst;
u_32_t ports;
+int rw;
{
register u_short sport, dport;
register nat_t *nat;
@@ -2014,7 +2049,7 @@ u_32_t ports;
if ((!ifp || ifp == nat->nat_ifp) &&
nat->nat_inip.s_addr == srcip &&
nat->nat_oip.s_addr == dst.s_addr &&
- (((p == 0) && (flags == (nat->nat_flags & IPN_TCPUDP)))
+ (((p == 0) && (flags == (nflags & IPN_TCPUDP)))
|| (p == nat->nat_p)) && (!flags ||
((nat->nat_inport == sport || nflags & FI_W_SPORT) &&
(nat->nat_oport == dport || nflags & FI_W_DPORT))))
@@ -2022,9 +2057,13 @@ u_32_t ports;
}
if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP))
return NULL;
- RWLOCK_EXIT(&ipf_nat);
+ if (!rw) {
+ RWLOCK_EXIT(&ipf_nat);
+ }
hv = NAT_HASH_FN(srcip, 0, ipf_nattable_sz);
- WRITE_ENTER(&ipf_nat);
+ if (!rw) {
+ WRITE_ENTER(&ipf_nat);
+ }
nat = nat_table[0][hv];
for (; nat; nat = nat->nat_hnext[0]) {
nflags = nat->nat_flags;
@@ -2037,13 +2076,15 @@ u_32_t ports;
if ((nat->nat_inip.s_addr != srcip) ||
(nat->nat_oip.s_addr != dst.s_addr))
continue;
- if (((nat->nat_inport == sport) || (nflags & FI_W_DPORT)) &&
- ((nat->nat_oport == dport) || (nflags & FI_W_SPORT))) {
- nat_tabmove(nat);
+ if (((nat->nat_inport == sport) || (nflags & FI_W_SPORT)) &&
+ ((nat->nat_oport == dport) || (nflags & FI_W_DPORT))) {
+ nat_tabmove(nat, ports);
break;
}
}
- MUTEX_DOWNGRADE(&ipf_nat);
+ if (!rw) {
+ MUTEX_DOWNGRADE(&ipf_nat);
+ }
return nat;
}
@@ -2063,7 +2104,7 @@ register natlookup_t *np;
* ip address. Else, we use the fake.
*/
if ((nat = nat_outlookup(NULL, np->nl_flags, 0, np->nl_inip,
- np->nl_outip, ports))) {
+ np->nl_outip, ports, 0))) {
np->nl_realip = nat->nat_outip;
np->nl_realport = nat->nat_outport;
}
@@ -2164,10 +2205,11 @@ fr_info_t *fin;
(nat = nat_icmp(ip, fin, &nflags, NAT_OUTBOUND)))
;
else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
- (nat = ipfr_nat_knownfrag(ip, fin)))
+ (nat = ipfr_nat_knownfrag(ip, fin)))
natadd = 0;
- else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p, ip->ip_src,
- ip->ip_dst, (dport << 16) | sport))) {
+ else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p,
+ ip->ip_src, ip->ip_dst,
+ (dport << 16) | sport, 0))) {
nflags = nat->nat_flags;
if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) {
if ((nflags & FI_W_SPORT) &&
@@ -2221,9 +2263,6 @@ maskloop:
if ((nat = nat_new(np, ip, fin, (u_int)nflags,
NAT_OUTBOUND))) {
np->in_hits++;
-#ifdef IPFILTER_LOG
- nat_log(nat, (u_int)np->in_redir);
-#endif
break;
}
}
@@ -2239,6 +2278,9 @@ maskloop:
MUTEX_DOWNGRADE(&ipf_nat);
}
+ /*
+ * NOTE: ipf_nat must now only be held as a read lock
+ */
if (nat) {
np = nat->nat_ptr;
if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
@@ -2383,7 +2425,8 @@ fr_info_t *fin;
(nat = ipfr_nat_knownfrag(ip, fin)))
natadd = 0;
else if ((nat = nat_inlookup(fin->fin_ifp, nflags, (u_int)ip->ip_p,
- ip->ip_src, in, (dport << 16) | sport))) {
+ ip->ip_src, in, (dport << 16) | sport,
+ 0))) {
nflags = nat->nat_flags;
if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) {
if ((nat->nat_oport != sport) && (nflags & FI_W_DPORT))
@@ -2424,9 +2467,6 @@ maskloop:
if ((nat = nat_new(np, ip, fin, nflags,
NAT_INBOUND))) {
np->in_hits++;
-#ifdef IPFILTER_LOG
- nat_log(nat, (u_int)np->in_redir);
-#endif
break;
}
}
@@ -2441,6 +2481,10 @@ maskloop:
}
MUTEX_DOWNGRADE(&ipf_nat);
}
+
+ /*
+ * NOTE: ipf_nat must now only be held as a read lock
+ */
if (nat) {
np = nat->nat_ptr;
fin->fin_fr = nat->nat_fr;
diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h
index 8e166df6148d..22f8503df113 100644
--- a/contrib/ipfilter/ip_nat.h
+++ b/contrib/ipfilter/ip_nat.h
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*
* @(#)ip_nat.h 1.5 2/4/96
- * $Id: ip_nat.h,v 2.17.2.10 2000/10/27 14:06:51 darrenr Exp $
+ * $Id: ip_nat.h,v 2.17.2.14 2000/11/18 03:58:04 darrenr Exp $
*/
#ifndef __IP_NAT_H__
@@ -85,7 +85,7 @@ typedef struct nat {
void *nat_ifp;
int nat_dir;
char nat_ifname[IFNAMSIZ];
-#if SOLARIS || defined(_sgi)
+#if SOLARIS || defined(__sgi)
kmutex_t nat_lock;
#endif
} nat_t;
@@ -247,6 +247,7 @@ typedef struct natlog {
#define NL_NEWRDR NAT_REDIRECT
#define NL_NEWBIMAP NAT_BIMAP
#define NL_NEWBLOCK NAT_MAPBLK
+#define NL_FLUSH 0xfffe
#define NL_EXPIRE 0xffff
#define NAT_HASH_FN(k,l,m) (((k) + ((k) >> 12) + l) % (m))
@@ -285,9 +286,9 @@ extern int nat_ioctl __P((caddr_t, int, int));
extern int nat_init __P((void));
extern nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_int, int));
extern nat_t *nat_outlookup __P((void *, u_int, u_int, struct in_addr,
- struct in_addr, u_32_t));
+ struct in_addr, u_32_t, int));
extern nat_t *nat_inlookup __P((void *, u_int, u_int, struct in_addr,
- struct in_addr, u_32_t));
+ struct in_addr, u_32_t, int));
extern nat_t *nat_maplookup __P((void *, u_int, struct in_addr,
struct in_addr));
extern nat_t *nat_lookupredir __P((natlookup_t *));
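Review bot: The trailing `int` added to the nat_outlookup and nat_inlookup prototypes is unnamed and undocumented, and every caller visible in this commit (ip_nat.c, ip_rcmd_pxy.c) passes a literal 0, so a reader of the header cannot tell what a non-zero value selects. Since the NOTE comments added in ip_nat.c tie the change to whether ipf_nat is held as a read or write lock, the header is the place to state that. Suggest naming the parameter in both `__P` lists and adding a one-line comment above them of the form `/* last arg: <PLACEHOLDER: meaning of non-zero> */` once its semantics are confirmed against the definition in ip_nat.c.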
diff --git a/contrib/ipfilter/ip_proxy.h b/contrib/ipfilter/ip_proxy.h
index 933d79d6bd07..212900fbea7e 100644
--- a/contrib/ipfilter/ip_proxy.h
+++ b/contrib/ipfilter/ip_proxy.h
@@ -5,7 +5,7 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
- * $Id: ip_proxy.h,v 2.8.2.3 2000/05/06 12:32:43 darrenr Exp $
+ * $Id: ip_proxy.h,v 2.8.2.4 2000/12/02 00:15:03 darrenr Exp $
*/
#ifndef __IP_PROXY_H__
@@ -96,6 +96,7 @@ typedef struct ftpside {
char *ftps_rptr;
char *ftps_wptr;
u_32_t ftps_seq;
+ u_32_t ftps_len;
int ftps_junk;
char ftps_buf[FTP_BUFSZ];
} ftpside_t;
diff --git a/contrib/ipfilter/ip_rcmd_pxy.c b/contrib/ipfilter/ip_rcmd_pxy.c
index e311b168139b..d017cf94c1d6 100644
--- a/contrib/ipfilter/ip_rcmd_pxy.c
+++ b/contrib/ipfilter/ip_rcmd_pxy.c
@@ -1,5 +1,5 @@
/*
- * $Id: ip_rcmd_pxy.c,v 1.4.2.3 2000/10/27 22:54:04 darrenr Exp $
+ * $Id: ip_rcmd_pxy.c,v 1.4.2.4 2000/11/01 14:34:20 darrenr Exp $
*/
/*
* Simple RCMD transparent proxy for in-kernel use. For use with the NAT
@@ -131,7 +131,7 @@ nat_t *nat;
sp = htons(sp);
dp = htons(fin->fin_data[1]);
ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip,
- ip->ip_dst, (dp << 16) | sp);
+ ip->ip_dst, (dp << 16) | sp, 0);
if (ipn == NULL) {
int slen;
diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c
index 7d4ea2dba027..f637381107b2 100644
--- a/contrib/ipfilter/ip_sfil.c
+++ b/contrib/ipfilter/ip_sfil.c
@@ -9,7 +9,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.8 2000/10/19 15:42:10 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.9 2000/11/12 11:55:17 darrenr Exp $";
#endif
#include <sys/types.h>
@@ -66,7 +66,7 @@ static int frzerostats __P((caddr_t));
static int frrequest __P((minor_t, int, caddr_t, int));
static int send_ip __P((fr_info_t *fin, mblk_t *m));
-kmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_hostmap;
+kmutex_t ipl_mutex, ipf_authmx, ipf_rw;
KRWLOCK_T ipf_mutex, ipfs_mutex, ipf_solaris;
KRWLOCK_T ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
kcondvar_t iplwait, ipfauthwait;
@@ -90,7 +90,6 @@ int ipldetach()
ip_natunload();
cv_destroy(&iplwait);
cv_destroy(&ipfauthwait);
- mutex_destroy(&ipf_hostmap);
mutex_destroy(&ipf_authmx);
mutex_destroy(&ipl_mutex);
mutex_destroy(&ipf_rw);
@@ -117,7 +116,6 @@ int iplattach __P((void))
mutex_init(&ipf_rw, "ipf rw mutex", MUTEX_DRIVER, NULL);
mutex_init(&ipl_mutex, "ipf log mutex", MUTEX_DRIVER, NULL);
mutex_init(&ipf_authmx, "ipf auth log mutex", MUTEX_DRIVER, NULL);
- mutex_init(&ipf_hostmap, "ipf hostmap mutex", MUTEX_DRIVER, NULL);
RWLOCK_INIT(&ipf_solaris, "ipf filter load/unload mutex", NULL);
RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock", NULL);
RWLOCK_INIT(&ipfs_mutex, "ipf solaris mutex", NULL);
diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c
index 7499bfd72378..5d6396958eb5 100644
--- a/contrib/ipfilter/ip_state.c
+++ b/contrib/ipfilter/ip_state.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.23 2000/10/27 14:06:08 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.28 2001/01/08 14:04:46 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -307,8 +307,8 @@ int mode;
break;
case FIONREAD :
#ifdef IPFILTER_LOG
- error = IWCOPY((caddr_t)&iplused[IPL_LOGSTATE], (caddr_t)data,
- sizeof(iplused[IPL_LOGSTATE]));
+ arg = (int)iplused[IPL_LOGSTATE];
+ error = IWCOPY((caddr_t)&arg, (caddr_t)data, sizeof(arg));
#endif
break;
case SIOCSTLCK :
@@ -787,8 +787,6 @@ tcphdr_t *tcp;
}
ATOMIC_INCL(ips_stats.iss_hits);
- is->is_pkts++;
- is->is_bytes += fin->fin_dlen + fin->fin_hlen;
/*
* Nearing end of connection, start timeout.
*/
@@ -1148,10 +1146,6 @@ fr_info_t *fin;
fr_matchsrcdst(is, src, dst, &ofin, tcp)) {
fr = is->is_rule;
ips_stats.iss_hits++;
- /*
- * we must swap src and dst here because the icmp
- * comes the other way around
- */
is->is_pkts++;
is->is_bytes += fin->fin_plen;
/*
@@ -1379,6 +1373,9 @@ void *ifp;
}
+/*
+ * Must always be called with fr_ipfstate held as a write lock.
+ */
static void fr_delstate(is)
ipstate_t *is;
{
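Review bot: The new header comment names the lock `fr_ipfstate`, but the lock the surrounding code acquires and releases is `ipf_state` (see RWLOCK_EXIT(&ipf_state) in the fr_timeoutstate hunk below and the declaration in ip_sfil.c), so the stated precondition points at an identifier that does not exist. Suggest `* Must always be called with ipf_state held as a write lock.`; fr_delstate's body continues past this hunk.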
@@ -1397,9 +1394,10 @@ ipstate_t *is;
fr = is->is_rule;
if (fr != NULL) {
- ATOMIC_DEC32(fr->fr_ref);
- if (fr->fr_ref == 0)
+ fr->fr_ref--;
+ if (fr->fr_ref == 0) {
KFREE(fr);
+ }
}
#ifdef _KERNEL
MUTEX_DESTROY(&is->is_lock);
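Review bot: Replacing `ATOMIC_DEC32(fr->fr_ref)` with a plain `fr->fr_ref--` makes correctness depend entirely on the write-lock precondition stated in the comment added above fr_delstate; any caller that reaches this function holding only a read lock, or no lock, can now lose an update on fr_ref, and because the zero check immediately KFREEs the rule that turns into a double free or a leaked rule. The fr_timeoutstate hunk below moves its RWLOCK_EXIT past fr_state_flush for this reason, but the other callers of fr_delstate (ioctl flush and interface-sync paths) are outside this view and should be checked the same way. A debug-only assertion of the lock state next to the decrement, e.g. `/* ipf_state must be write-held: fr_ref is no longer atomic */`, would document the contract at the point where it matters.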
@@ -1452,12 +1450,12 @@ void fr_timeoutstate()
fr_delstate(is);
} else
isp = &is->is_next;
- RWLOCK_EXIT(&ipf_state);
- SPL_X(s);
if (fr_state_doflush) {
(void) fr_state_flush(1);
fr_state_doflush = 0;
}
+ RWLOCK_EXIT(&ipf_state);
+ SPL_X(s);
}
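Review bot: fr_state_flush(1) is now invoked while ipf_state is still held and SPL is still raised; that is the right ordering if fr_state_flush expects its caller to hold the write lock (its ioctl caller appears to), but if fr_state_flush ever acquires ipf_state itself this becomes a recursive acquisition on a lock type that does not support it. Worth a comment on the call, `/* ipf_state still write-held: fr_state_flush must not take it */`, and a check of fr_state_flush's definition, which is outside this hunk. The enclosing fr_timeoutstate starts before the hunk.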
diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c
index 6dc2f0297853..d43fc56af446 100644
--- a/contrib/ipfilter/ipfs.c
+++ b/contrib/ipfilter/ipfs.c
@@ -41,12 +41,19 @@
#include "ipf.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.1 2000/05/06 00:11:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.3 2001/01/10 06:20:12 darrenr Exp $";
#endif
#ifndef IPF_SAVEDIR
# define IPF_SAVEDIR "/var/db/ipf"
#endif
+#ifndef IPF_NATFILE
+# define IPF_NATFILE "ipnat.ipf"
+#endif
+#ifndef IPF_STATEFILE
+# define IPF_STATEFILE "ipstate.ipf"
+#endif
+
#if !defined(__SVR4) && defined(__GNUC__)
extern char *index __P((const char *, int));
#endif
@@ -271,8 +278,14 @@ char *argv[];
usage();
}
- if (ifs)
- return changestateif(ifs, filename);
+ if (ifs) {
+ if (!filename || ns<0)
+ usage();
+ if (ns == 0)
+ return changenatif(ifs, filename);
+ else
+ return changestateif(ifs, filename);
+ }
if ((ns >= 0) || (lock >= 0)) {
if (lock >= 0)
@@ -363,6 +376,9 @@ char *file;
ipstate_save_t ips, *ipsp;
int wfd = -1;
+ if (!file)
+ file = IPF_STATEFILE;
+
wfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
if (wfd == -1) {
fprintf(stderr, "%s ", file);
@@ -404,6 +420,9 @@ char *file;
ipstate_save_t ips, *is, *ipshead = NULL, *is1, *ipstail = NULL;
int sfd = -1, i;
+ if (!file)
+ file = IPF_STATEFILE;
+
sfd = open(file, O_RDONLY, 0600);
if (sfd == -1) {
fprintf(stderr, "%s ", file);
@@ -432,6 +451,11 @@ char *file;
return 1;
}
is = (ipstate_save_t *)malloc(sizeof(*is));
+ if(!is) {
+ fprintf(stderr, "malloc failed\n");
+ return 1;
+ }
+
bcopy((char *)&ips, (char *)is, sizeof(ips));
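Review bot: The new malloc failure path returns without closing `sfd` or releasing the `ipshead` list that earlier iterations have already linked, and it mirrors the unconditional `return 1` just above it, so the function is accumulating early exits that each leak on their own. Unless this is a short-lived tool that exits right after, a single cleanup label that closes the descriptor and frees the list would be preferable, and `perror("malloc")` would preserve errno where the current message drops it. Minor style: `if(!is)` is missing the space used elsewhere in this file (`if (sfd == -1)`). readstate's body continues outside the hunk.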
/*
@@ -497,6 +521,9 @@ char *file;
int nfd = -1, i;
nat_t *nat;
+ if (!file)
+ file = IPF_NATFILE;
+
nfd = open(file, O_RDONLY);
if (nfd == -1) {
fprintf(stderr, "%s ", file);
@@ -615,6 +642,9 @@ char *file;
int nfd = -1;
natget_t ng;
+ if (!file)
+ file = IPF_NATFILE;
+
nfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600);
if (nfd == -1) {
fprintf(stderr, "%s ", file);
@@ -699,14 +729,14 @@ char *dirname;
devfd = opendevice(IPL_STATE);
if (devfd == -1)
return 1;
- if (writestate(devfd, "ipstate.ipf"))
+ if (writestate(devfd, NULL))
return 1;
close(devfd);
devfd = opendevice(IPL_NAT);
if (devfd == -1)
return 1;
- if (writenat(devfd, "ipnat.ipf"))
+ if (writenat(devfd, NULL))
return 1;
close(devfd);
@@ -743,14 +773,14 @@ char *dirname;
devfd = opendevice(IPL_STATE);
if (devfd == -1)
return 1;
- if (readstate(devfd, "ipstate.ipf"))
+ if (readstate(devfd, NULL))
return 1;
close(devfd);
devfd = opendevice(IPL_NAT);
if (devfd == -1)
return 1;
- if (readnat(devfd, "ipnat.ipf"))
+ if (readnat(devfd, NULL))
return 1;
close(devfd);
diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c
index 9eeb0559e571..2668976ca352 100644
--- a/contrib/ipfilter/ipft_tx.c
+++ b/contrib/ipfilter/ipft_tx.c
@@ -43,7 +43,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3 2000/03/13 22:10:24 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.1 2001/01/10 06:19:53 darrenr Exp $";
#endif
extern int opts;
@@ -54,9 +54,9 @@ static int text_open __P((char *)), text_close __P((void));
static int text_readip __P((char *, int, char **, int *));
static int parseline __P((char *, ip_t *, char **, int *));
-static char _tcp_flagset[] = "FSRPAU";
+static char _tcp_flagset[] = "FSRPAUEC";
static u_char _tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH,
- TH_ACK, TH_URG };
+ TH_ACK, TH_URG, TH_ECN, TH_CWR };
struct ipread iptext = { text_open, text_close, text_readip };
static FILE *tfp = NULL;
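Review bot: The new table entries rely on TH_ECN and TH_CWR being defined for every platform ipft_tx.c is built on; the BSD system headers name the 0x40 bit TH_ECE and some older ones define neither, so unless ip_compat.h (changed in this commit, not visible here) supplies fallback definitions this will fail to compile on those targets. The letters `E` and `C` do match the tcpfl table added to ipmon.c, which keeps the test-input syntax and the log output consistent. A comment such as `/* TH_ECN/TH_CWR come from ip_compat.h when the system tcp.h lacks them */` above `_tcp_flags` would record that dependency.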
diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h
index b54d6f905a74..3529d6510143 100644
--- a/contrib/ipfilter/ipl.h
+++ b/contrib/ipfilter/ipl.h
@@ -6,12 +6,12 @@
* to the original author and the contributors.
*
* @(#)ipl.h 1.21 6/5/96
- * $Id: ipl.h,v 2.15.2.14 2000/10/27 22:54:41 darrenr Exp $
+ * $Id: ipl.h,v 2.15.2.17 2001/01/14 13:47:15 darrenr Exp $
*/
#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter: v3.4.13"
+#define IPL_VERSION "IP Filter: v3.4.16"
#endif
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
index 5f9db0b4e570..9250e2457437 100644
--- a/contrib/ipfilter/ipmon.c
+++ b/contrib/ipfilter/ipmon.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.5 2000/10/19 15:41:41 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.8 2001/01/10 06:18:08 darrenr Exp $";
#endif
#ifndef SOLARIS
@@ -91,6 +91,8 @@ struct flags tcpfl[] = {
{ TH_FIN, 'F' },
{ TH_URG, 'U' },
{ TH_PUSH,'P' },
+ { TH_ECN, 'E' },
+ { TH_CWR, 'C' },
{ 0, '\0' }
};
@@ -144,6 +146,7 @@ static char **tcp_ports = NULL;
#define OPT_FILTER 0x200
#define OPT_PORTNUM 0x400
#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
+#define OPT_LOGBODY 0x800
#define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b))
@@ -401,6 +404,8 @@ int blen;
strcpy(t, "NAT:RDR ");
else if (nl->nl_type == NL_EXPIRE)
strcpy(t, "NAT:EXPIRE ");
+ else if (nl->nl_type == NL_FLUSH)
+ strcpy(t, "NAT:FLUSH ");
else if (nl->nl_type == NL_NEWBIMAP)
strcpy(t, "NAT:BIMAP ");
else if (nl->nl_type == NL_NEWBLOCK)
@@ -834,6 +839,8 @@ printipflog:
dumphex(log, (u_char *)buf, sizeof(iplog_t) + sizeof(*ipf));
if (opts & OPT_HEXBODY)
dumphex(log, (u_char *)ip, ipf->fl_plen + ipf->fl_hlen);
+ else if ((opts & OPT_LOGBODY) && (ipf->fl_flags & FR_LOGBODY))
+ dumphex(log, (u_char *)ip + ipf->fl_hlen, ipf->fl_plen);
}
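Review bot: The new OPT_LOGBODY branch dumps `ipf->fl_plen` bytes starting at `ip + ipf->fl_hlen`, lengths taken straight from the log record; if the kernel truncated the record to the log buffer size, or the record is shorter than `fl_hlen + fl_plen`, dumphex reads past the end of `buf`. The adjacent OPT_HEXBODY line has the same exposure, so a bound computed from the record's actual length (presumably available in the iplog_t header) should be applied to both before calling dumphex, e.g. `if (ipf->fl_hlen + ipf->fl_plen <= avail)` with `avail` derived from the record. The enclosing print function starts outside this hunk.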
@@ -945,7 +952,7 @@ char *argv[];
iplfile[1] = IPNAT_NAME;
iplfile[2] = IPSTATE_NAME;
- while ((c = getopt(argc, argv, "?aDf:FhnN:o:O:pP:sS:tvxX")) != -1)
+ while ((c = getopt(argc, argv, "?abDf:FhnN:o:O:pP:sS:tvxX")) != -1)
switch (c)
{
case 'a' :
@@ -954,6 +961,9 @@ char *argv[];
fdt[1] = IPL_LOGNAT;
fdt[2] = IPL_LOGSTATE;
break;
+ case 'b' :
+ opts |= OPT_LOGBODY;
+ break;
case 'D' :
make_daemon = 1;
break;
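Review bot: The new `-b` option is added to the getopt string and the switch, but no corresponding change to usage() or to ipmon.8 is visible in this commit, so the option is undiscoverable by users. If those are not updated elsewhere in the import, add a usage line such as `-b  log the packet body (hex) for rules that use log body` and the matching man page entry.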
diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c
index 18b88193837a..51af2e10e8fe 100644
--- a/contrib/ipfilter/ipnat.c
+++ b/contrib/ipfilter/ipnat.c
@@ -57,7 +57,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.4 2000/10/27 14:06:47 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.5 2000/12/02 00:15:04 darrenr Exp $";
#endif
@@ -236,15 +236,17 @@ int opts;
ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0';
ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0';
printf("\tClient:\n");
- printf("\t\trptr %p wptr %p seq %x junk %d\n",
+ printf("\t\trptr %p wptr %p seq %x len %d junk %d\n",
ftp.ftp_side[0].ftps_rptr, ftp.ftp_side[0].ftps_wptr,
- ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_junk);
+ ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_len,
+ ftp.ftp_side[0].ftps_junk);
printf("\t\tbuf [");
printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1);
printf("]\n\tServer:\n");
- printf("\t\trptr %p wptr %p seq %x junk %d\n",
+ printf("\t\trptr %p wptr %p seq %x len %d junk %d\n",
ftp.ftp_side[1].ftps_rptr, ftp.ftp_side[1].ftps_wptr,
- ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_junk);
+ ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_len,
+ ftp.ftp_side[1].ftps_junk);
printf("\t\tbuf [");
printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1);
printf("]\n");
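Review bot: The new `len %d` conversions are passed `ftps_len`, which ip_proxy.h declares as `u_32_t`, so the format and argument types disagree; use `%u` (or `%lu` with a cast) to avoid printing large lengths as negative numbers. Changed lines: `printf("\t\trptr %p wptr %p seq %x len %u junk %d\n",` for both the client and server blocks. The same mismatch already exists for `seq %x`, which is unsigned and fine, so only the two new `%d` specifiers need attention.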
diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c
index e81c89040764..c5eacb3ea622 100644
--- a/contrib/ipfilter/ipsend/ip.c
+++ b/contrib/ipfilter/ipsend/ip.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C)1995";
-static const char rcsid[] = "@(#)$Id: ip.c,v 2.1 1999/08/04 17:31:04 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.1 2001/01/10 06:21:19 darrenr Exp $";
#endif
#include <errno.h>
#include <stdio.h>
@@ -99,7 +99,15 @@ int frag;
int err, iplen;
if (!ipbuf)
+ {
ipbuf = (char *)malloc(65536);
+ if(!ipbuf)
+ {
+ perror("malloc failed");
+ return -2;
+ }
+ }
+
eh = (ether_header_t *)ipbuf;
bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost));
diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c
index 748abfbb5241..3dd39af7f788 100644
--- a/contrib/ipfilter/ipsend/ipsend.c
+++ b/contrib/ipfilter/ipsend/ipsend.c
@@ -12,7 +12,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2 1999/12/04 03:37:05 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.1 2001/01/10 06:21:19 darrenr Exp $";
#endif
#include <stdio.h>
#include <stdlib.h>
@@ -347,6 +347,12 @@ char **argv;
printf("Options: %d\n", olen);
ti = (struct tcpiphdr *)malloc(olen + ip->ip_len);
+ if(!ti)
+ {
+ fprintf(stderr,"malloc failed\n");
+ exit(2);
+ }
+
bcopy((char *)ip, (char *)ti, sizeof(*ip));
ip = (ip_t *)ti;
ip->ip_hl = (olen >> 2);
diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c
index e4397ce080ed..095aa9eb87f8 100644
--- a/contrib/ipfilter/ipsend/resend.c
+++ b/contrib/ipfilter/ipsend/resend.c
@@ -12,7 +12,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: resend.c,v 2.1 1999/08/04 17:31:12 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.1 2001/01/10 06:21:20 darrenr Exp $";
#endif
#include <stdio.h>
#include <netdb.h>
@@ -97,6 +97,11 @@ char *datain;
ip = (struct ip *)pbuf;
eh = (ether_header_t *)malloc(sizeof(*eh));
+ if(!eh)
+ {
+ perror("malloc failed");
+ return -2;
+ }
bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost));
if (gwip.s_addr && (arp((char *)&gwip, dhost) == -1))
diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c
index cef71fe0f86c..2ee5028a7101 100644
--- a/contrib/ipfilter/ipsend/sock.c
+++ b/contrib/ipfilter/ipsend/sock.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sock.c,v 2.1 1999/08/04 17:31:16 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.1 2000/12/16 21:05:44 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
@@ -282,12 +282,21 @@ struct tcpiphdr *ti;
return NULL;
fd = (struct filedesc *)malloc(sizeof(*fd));
+#if defined( __FreeBSD_version) && __FreeBSD_version >= 500013
+ if (KMCPY(fd, p->ki_fd, sizeof(*fd)) == -1)
+ {
+ fprintf(stderr, "read(%#lx,%#lx) failed\n",
+ (u_long)p, (u_long)p->ki_fd);
+ return NULL;
+ }
+#else
if (KMCPY(fd, p->kp_proc.p_fd, sizeof(*fd)) == -1)
{
fprintf(stderr, "read(%#lx,%#lx) failed\n",
(u_long)p, (u_long)p->kp_proc.p_fd);
return NULL;
}
+#endif
o = (struct file **)calloc(1, sizeof(*o) * (fd->fd_lastfile + 1));
if (KMCPY(o, fd->fd_ofiles, (fd->fd_lastfile + 1) * sizeof(*o)) == -1)
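Review bot: The `fd = malloc(sizeof(*fd))` just above the new #if block is still unchecked, so on allocation failure both branches call KMCPY into a NULL destination; this commit adds exactly that check to ipsend/ip.c, ipsend.c and resend.c, so sock.c should get it too, e.g. `if (fd == NULL) { perror("malloc failed"); return NULL; }` before the #if. The `calloc` for `o` on the last line has the same gap. The enclosing function starts outside this hunk.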
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
index 11149afdfd04..a5909d0b403c 100644
--- a/contrib/ipfilter/man/ipfstat.8
+++ b/contrib/ipfilter/man/ipfstat.8
@@ -139,14 +139,22 @@ kernel.
.SH STATE TOP
Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In
this mode the state table is displayed similar to the way \fBtop\fP displays
-the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and\fB\-T\fP
+the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP
commandline options can be used to restrict the state entries that will be
shown and to specify the frequency of display updates.
.PP
In state top mode, the following keys can be used to influence the displayed
-information. \fBl\fP can be used to redraw the screen. \fBq\fP is used to
-quit the program. \fBs\fP can be used to change the sorting criterion and
-\fBr\fP can be used to reverse the sorting criterion.
+information:
+.TP
+\fBd\fP select information to display.
+.TP
+\fBl\fP redraw the screen.
+.TP
+\fBq\fP quit the program.
+.TP
+\fBs\fP switch between different sorting criterion.
+.TP
+\fBr\fP reverse the sorting criterion.
.PP
States can be sorted by protocol number, by number of IP packets, by number
of bytes and by time-to-live of the state entry. The default is to sort by
diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c
index f6e7ad40a05a..3ca7df328d70 100644
--- a/contrib/ipfilter/mlf_ipl.c
+++ b/contrib/ipfilter/mlf_ipl.c
@@ -93,6 +93,9 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, "");
+SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, "");
+SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttllog, CTLFLAG_RW,
+ &fr_minttllog, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RW,
&fr_tcpidletimeout, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RW,
diff --git a/contrib/ipfilter/mlfk_ipl.c b/contrib/ipfilter/mlfk_ipl.c
index f96c57e365ee..0dc4ff202723 100644
--- a/contrib/ipfilter/mlfk_ipl.c
+++ b/contrib/ipfilter/mlfk_ipl.c
@@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $Id: mlfk_ipl.c,v 2.1.2.4 2000/08/23 11:02:33 darrenr Exp $
+ * $Id: mlfk_ipl.c,v 2.1.2.6 2000/11/18 03:58:29 darrenr Exp $
*/
@@ -38,6 +38,12 @@
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
+#if (__FreeBSD_version >= 199511)
+# include <net/route.h>
+# include <netinet/ip_var.h>
+# include <netinet/tcp.h>
+# include <netinet/tcpip.h>
+#endif
#include <netinet/ipl.h>
@@ -47,6 +53,7 @@
#include <netinet/ip_nat.h>
#include <netinet/ip_auth.h>
#include <netinet/ip_frag.h>
+#include <netinet/ip_proxy.h>
static dev_t ipf_devs[IPL_LOGMAX + 1];
@@ -86,6 +93,11 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD,
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW,
&fr_defaultauthage, 0, "");
SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, "");
+SYSCTL_INT(_net_inet_ipf, OID_AUTO, ippr_ftp_pasvonly, CTLFLAG_RW,
+ &ippr_ftp_pasvonly, 0, "");
+SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, "");
+SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttllog, CTLFLAG_RW,
+ &fr_minttllog, 0, "");
#define CDEV_MAJOR 79
static struct cdevsw ipl_cdevsw = {
diff --git a/contrib/ipfilter/mli_ipl.c b/contrib/ipfilter/mli_ipl.c
index 0630bb431bf1..a451a1092c0f 100644
--- a/contrib/ipfilter/mli_ipl.c
+++ b/contrib/ipfilter/mli_ipl.c
@@ -49,7 +49,7 @@ unsigned IPL_EXTERN(devflag) = D_MP;
char *IPL_EXTERN(mversion) = M_VERSION;
#endif
-kmutex_t ipl_mutex, ipf_mutex, ipfi_mutex, ipf_rw, ipf_hostmap;
+kmutex_t ipl_mutex, ipf_mutex, ipfi_mutex, ipf_rw;
kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
int (*fr_checkp) __P((struct ip *, int, void *, int, mb_t **));
@@ -539,7 +539,6 @@ IPL_EXTERN(unload)(void)
LOCK_DEALLOC(ipf_rw.l);
LOCK_DEALLOC(ipf_auth.l);
LOCK_DEALLOC(ipf_natfrag.l);
- LOCK_DEALLOC(ipf_hostmap.l);
LOCK_DEALLOC(ipf_nat.l);
LOCK_DEALLOC(ipf_state.l);
LOCK_DEALLOC(ipf_frag.l);
@@ -562,7 +561,6 @@ IPL_EXTERN(init)(void)
ipf_frag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
ipf_state.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
ipf_nat.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
- ipf_hostmap.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
ipf_natfrag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
ipf_auth.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
ipf_rw.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP);
@@ -570,7 +568,7 @@ IPL_EXTERN(init)(void)
if (!ipfi_mutex.l || !ipf_mutex.l || !ipf_frag.l || !ipf_state.l ||
!ipf_nat.l || !ipf_natfrag.l || !ipf_auth.l || !ipf_rw.l ||
- !ipl_mutex.l || !ipf_hostmap.l)
+ !ipl_mutex.l)
panic("IP Filter: LOCK_ALLOC failed");
#ifdef IPFILTER_LKM
diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c
index ab1e08c53eb8..0441ad53500c 100644
--- a/contrib/ipfilter/parse.c
+++ b/contrib/ipfilter/parse.c
@@ -671,8 +671,8 @@ int linenum;
return -1;
while (**cp && (!strncasecmp(**cp, "ipopt", 5) ||
- !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 4) ||
- !strncasecmp(**cp, "frag", 3) || !strncasecmp(**cp, "no", 2) ||
+ !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 3) ||
+ !strncasecmp(**cp, "frag", 4) || !strncasecmp(**cp, "no", 2) ||
!strncasecmp(**cp, "short", 5))) {
if (***cp == 'n' || ***cp == 'N') {
notopt = 1;
diff --git a/contrib/ipfilter/samples/userauth.c b/contrib/ipfilter/samples/userauth.c
index 65dcc74d4d45..5b50a94afd2e 100644
--- a/contrib/ipfilter/samples/userauth.c
+++ b/contrib/ipfilter/samples/userauth.c
@@ -21,7 +21,7 @@ main()
char yn[16];
int fd;
- fd = open(IPL_NAME, O_RDWR);
+ fd = open(IPL_AUTH, O_RDWR);
while (ioctl(fd, SIOCAUTHW, &frap) == 0) {
if (fra.fra_info.fin_out)
fra.fra_pass = FR_OUTQUE;
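Review bot: The new `open(IPL_AUTH, O_RDWR)` still feeds an unchecked descriptor into the ioctl loop, so a missing device or permission problem turns into a silent loop exit rather than a diagnostic; as this is the sample authentication daemon people copy, it should model the check, e.g. `if (fd == -1) { perror(IPL_AUTH); exit(1); }`. main() continues outside this hunk.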
diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c
index c32f25094096..1e82ec0ba4c6 100644
--- a/contrib/ipfilter/solaris.c
+++ b/contrib/ipfilter/solaris.c
@@ -6,7 +6,7 @@
* to the original author and the contributors.
*/
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
-#pragma ident "@(#)$Id: solaris.c,v 2.15.2.7 2000/08/05 14:50:30 darrenr Exp $"
+#pragma ident "@(#)$Id: solaris.c,v 2.15.2.8 2000/11/27 10:28:41 darrenr Exp $"
#include <sys/systm.h>
#include <sys/types.h>
@@ -645,8 +645,8 @@ tryagain:
hlen = sizeof(ip6_t);
ip6 = (ip6_t *)ip;
/* XXX - might not be aligned (from ppp?) */
- ((char *)&tlen)[0] = ((char *)&ip->ip_len)[0];
- ((char *)&tlen)[1] = ((char *)&ip->ip_len)[1];
+ ((char *)&tlen)[0] = ((char *)&ip6->ip6_plen)[0];
+ ((char *)&tlen)[1] = ((char *)&ip6->ip6_plen)[1];
plen = ntohs(tlen);
sap = IP6_DL_SAP;
}
@@ -1689,7 +1689,7 @@ frdest_t *fdp;
# ifdef USE_INET6
else if (fin->fin_v == 6) {
p = ip6->ip6_nxt;
- dir = ire_route_lookup_v6(&ip6->ip6_dst, 0xffffffff, 0, 0,
+ dir = ire_route_lookup_v6(&ip6->ip6_dst, NULL, 0, 0,
NULL, &gw, NULL, MATCH_IRE_DSTONLY|
MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE);
}
diff --git a/contrib/ipfilter/test/expected/i7 b/contrib/ipfilter/test/expected/i7
index 750cf26079ea..d1b79788771f 100644
--- a/contrib/ipfilter/test/expected/i7
+++ b/contrib/ipfilter/test/expected/i7
@@ -1,4 +1,4 @@
pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA
-block in on lo0(!) proto tcp from any to any flags A/0xff
+block in on lo0(!) proto tcp from any to any flags A/0xbf
pass in on lo0(!) proto tcp from any to any flags /SPA
block in on lo0(!) proto tcp from any to any flags 0x80/A