authorPeter Wemm <peter@FreeBSD.org>1997-03-02 15:40:21 +0000
committerPeter Wemm <peter@FreeBSD.org>1997-03-02 15:40:21 +0000
commitb182e52bf6b074c57140cca8cf3a1c812cb195b1 (patch)
tree0c47f6260ed69e9661116832151ae20f9162b28c
parentb4ebec5bf8828aa1cc3f5a1a50faf812b5b6ba48 (diff)
reimport ipfilter v3.1.8 to get it onto the vendor branch again.vendor/ipfilter/3.1.8
Notes
Notes: svn path=/vendor/ipfilter/dist/; revision=23279 svn path=/vendor/ipfilter/3.1.8/; revision=23281; tag=vendor/ipfilter/3.1.8
-rw-r--r--contrib/ipfilter/FWTK/Index3
-rw-r--r--contrib/ipfilter/FWTK/README.ipfilter20
-rw-r--r--contrib/ipfilter/FWTK/fwtk_transparent.diff1025
-rw-r--r--contrib/ipfilter/HISTORY9
-rw-r--r--contrib/ipfilter/Makefile4
-rw-r--r--contrib/ipfilter/fil.c70
-rw-r--r--contrib/ipfilter/ip_fil.c8
-rw-r--r--contrib/ipfilter/ip_frag.c3
-rw-r--r--contrib/ipfilter/ip_nat.c21
-rw-r--r--contrib/ipfilter/ip_state.c8
-rw-r--r--contrib/ipfilter/ipnat.c10
-rw-r--r--contrib/ipfilter/ipsend/44arp.c2
-rw-r--r--contrib/ipfilter/parse.c15
13 files changed, 1145 insertions, 53 deletions
diff --git a/contrib/ipfilter/FWTK/Index b/contrib/ipfilter/FWTK/Index
new file mode 100644
index 000000000000..f5d7043ca39c
--- /dev/null
+++ b/contrib/ipfilter/FWTK/Index
@@ -0,0 +1,3 @@
+README - Readme for ftp-gw.diff and fwtkp
+README.ipfilter - README for fwtk_transparent.diff
+fwtk_transparent.diff - patches for 2.0beta
diff --git a/contrib/ipfilter/FWTK/README.ipfilter b/contrib/ipfilter/FWTK/README.ipfilter
new file mode 100644
index 000000000000..fd461cc6cfd8
--- /dev/null
+++ b/contrib/ipfilter/FWTK/README.ipfilter
@@ -0,0 +1,20 @@
+
+there was a patch for fwtk with ip_filter 3.1.5 from James B. Croall
+(thanx for his work) which I put onto fwtk 2.0beta.
+
+Now, if you decide to do transparent proxying with ip-filter you
+have to put -DUSE_IP_FILTER to COPTS in Makefile.config.
+With Solaris 2.x you have to correctly replace the path to your
+ip_filter sources. (lib/hnam.c needs ip_nat.h)
+
+I also patched plug-gw to be configured to accept not only one
+destination with the parameter "-all-destinations" in netperm-table.
+Perhaps this is a security hole...
+
+The patched fwtk worked fine for me with linux (kernel 2.0.28 and ipfadm 2.1)
+and Solaris 2.5 (ip_filter 3.1.5).
+
+If you try to enhance the transparent proxy features for other
+architectures, see lib/hnam.c (getdsthost).
+
+Michael Kutzner, Michael.Kutzner@paderlinx.de
diff --git a/contrib/ipfilter/FWTK/fwtk_transparent.diff b/contrib/ipfilter/FWTK/fwtk_transparent.diff
new file mode 100644
index 000000000000..4fe58087e4fe
--- /dev/null
+++ b/contrib/ipfilter/FWTK/fwtk_transparent.diff
@@ -0,0 +1,1025 @@
+diff -cr ../TIS.orig/fwtk/Makefile.config.linux fwtk/Makefile.config.linux
+*** ../TIS.orig/fwtk/Makefile.config.linux Sat Sep 7 05:58:21 1996
+--- fwtk/Makefile.config.linux Sun Feb 2 05:48:01 1997
+***************
+*** 13,19 ****
+
+
+ # Your C compiler (eg, "cc" or "gcc")
+! CC= cc
+
+
+ # program to use for installation -- this may or may not preserve
+--- 13,19 ----
+
+
+ # Your C compiler (eg, "cc" or "gcc")
+! CC= gcc
+
+
+ # program to use for installation -- this may or may not preserve
+***************
+*** 24,37 ****
+
+ # Defines for your operating system
+ #
+! DEFINES=-DLINUX
+ #DEFINES=-DSYSV -DSOLARIS
+
+ # Options for your compiler (eg, "-g" for debugging, "-O" for
+ # optimizing, or "-g -O" for both under GCC)
+ #COPT= -g -traditional $(DEFINES)
+! COPT= -g $(DEFINES)
+! #COPT= -O $(DEFINES)
+
+ # Version of "make" you want to use
+ #MAKE= gnumake
+--- 24,37 ----
+
+ # Defines for your operating system
+ #
+! DEFINES=-DLINUX -DUSE_IP_FILTER
+ #DEFINES=-DSYSV -DSOLARIS
+
+ # Options for your compiler (eg, "-g" for debugging, "-O" for
+ # optimizing, or "-g -O" for both under GCC)
+ #COPT= -g -traditional $(DEFINES)
+! #COPT= -g $(DEFINES)
+! COPT= -O $(DEFINES)
+
+ # Version of "make" you want to use
+ #MAKE= gnumake
+***************
+*** 44,50 ****
+
+
+ # Destination directory for installation of binaries
+! DEST= /usr/local/etc
+
+
+ # Destination directory for installation of man pages
+--- 44,50 ----
+
+
+ # Destination directory for installation of binaries
+! DEST= /usr/local/sbin
+
+
+ # Destination directory for installation of man pages
+***************
+*** 72,78 ****
+ # or -Bstatic for static binaries under SunOS 4.1.x)
+ #LDFL= -Bstatic
+ #LDFL=
+! LDFL= -g
+
+
+ # Location of the fwtk sources [For #include by any external tools needing it]
+--- 72,79 ----
+ # or -Bstatic for static binaries under SunOS 4.1.x)
+ #LDFL= -Bstatic
+ #LDFL=
+! #LDFL= -g
+! LDFL= -O
+
+
+ # Location of the fwtk sources [For #include by any external tools needing it]
+***************
+*** 81,87 ****
+
+
+ # Location of X libraries for X-gw
+! XLIBDIR=/usr/X11/lib
+ #XLIBDIR=/usr/local/X11R5/lib
+
+ # X Libraries
+--- 82,88 ----
+
+
+ # Location of X libraries for X-gw
+! XLIBDIR=/usr/X11R6/lib
+ #XLIBDIR=/usr/local/X11R5/lib
+
+ # X Libraries
+***************
+*** 96,102 ****
+ #XLIBS = -L$(XLIBDIR) -lXaw -lXmu -lXt -lXext -lX11
+
+ # Location of X include files
+! XINCLUDE=/usr/X11/include
+ #XINCLUDE=/usr/local/X11R5/include
+
+ # Objects to include in libfwall for SYSV
+--- 97,103 ----
+ #XLIBS = -L$(XLIBDIR) -lXaw -lXmu -lXt -lXext -lX11
+
+ # Location of X include files
+! XINCLUDE=/usr/X11R6/include
+ #XINCLUDE=/usr/local/X11R5/include
+
+ # Objects to include in libfwall for SYSV
+diff -cr ../TIS.orig/fwtk/Makefile.config.solaris fwtk/Makefile.config.solaris
+*** ../TIS.orig/fwtk/Makefile.config.solaris Sat Sep 7 06:14:13 1996
+--- fwtk/Makefile.config.solaris Sun Feb 2 06:09:19 1997
+***************
+*** 11,30 ****
+ #
+ # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.1.1 1997/02/19 13:02:37 darrenr Exp $"
+
+
+ # Your C compiler (eg, "cc" or "gcc")
+! CC= cc
+
+
+ # program to use for installation -- this may or may not preserve
+ # old versions (or whatever). assumes that it takes parameters:
+ # copy source dest
+! CP= cp
+
+
+ # Defines for your operating system
+ #
+! DEFINES=-DSYSV -DSOLARIS
+
+ #DEFINES=-DSYSV -DSOLARIS -Dgethostbyname=res_gethostbyname \
+ -Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \
+--- 11,34 ----
+ #
+ # RcsId: "$Header: /devel/CVS/IP-Filter/FWTK/fwtk_transparent.diff,v 2.0.1.1 1997/02/19 13:02:37 darrenr Exp $"
+
++ #
++ # Path to sources of ip_filter (ip_nat.h required in lib/hnam.c)
++ #
++ IPFPATH=/src/unpacked/firewall/ip_fil3.1.5
+
+ # Your C compiler (eg, "cc" or "gcc")
+! CC= gcc
+
+
+ # program to use for installation -- this may or may not preserve
+ # old versions (or whatever). assumes that it takes parameters:
+ # copy source dest
+! CP= /usr/ucb/install -c -s
+
+
+ # Defines for your operating system
+ #
+! DEFINES=-DSYSV -DSOLARIS -DUSE_IP_FILTER -I$(IPFPATH)
+
+ #DEFINES=-DSYSV -DSOLARIS -Dgethostbyname=res_gethostbyname \
+ -Dgethostbyaddr=res_gethostbyaddr -Dgetnetbyname=res_getnetbyname \
+***************
+*** 45,52 ****
+
+
+ # Your ranlib utility (use "touch" if you don't have ranlib)
+! RANLIB= ranlib
+! #RANLIB= touch
+
+
+ # Destination directory for installation of binaries
+--- 49,56 ----
+
+
+ # Your ranlib utility (use "touch" if you don't have ranlib)
+! # RANLIB= ranlib
+! RANLIB= touch
+
+
+ # Destination directory for installation of binaries
+diff -cr ../TIS.orig/fwtk/firewall.h fwtk/firewall.h
+*** ../TIS.orig/fwtk/firewall.h Sun Sep 8 05:55:26 1996
+--- fwtk/firewall.h Sun Feb 2 05:23:33 1997
+***************
+*** 47,53 ****
+ system.
+ */
+ #ifndef PERMFILE
+! #define PERMFILE "/usr/local/etc/netperm-table"
+ #endif
+
+ /*
+--- 47,53 ----
+ system.
+ */
+ #ifndef PERMFILE
+! #define PERMFILE "/etc/fwtk/netperm-table"
+ #endif
+
+ /*
+***************
+*** 67,73 ****
+
+ /* Choose a system logging facility for the firewall toolkit. */
+ #ifndef LFAC
+! #define LFAC LOG_DAEMON
+ #endif
+
+
+--- 67,73 ----
+
+ /* Choose a system logging facility for the firewall toolkit. */
+ #ifndef LFAC
+! #define LFAC LOG_LOCAL5
+ #endif
+
+
+***************
+*** 215,220 ****
+ #define PERM_ALLOW 01
+ #define PERM_DENY 02
+
+!
+ #define _INCL_FWALL_H
+ #endif
+--- 215,222 ----
+ #define PERM_ALLOW 01
+ #define PERM_DENY 02
+
+! #ifdef USE_IP_FILTER
+! extern char *getdsthost(int, int*);
+! #endif
+ #define _INCL_FWALL_H
+ #endif
+diff -cr ../TIS.orig/fwtk/ftp-gw/ftp-gw.c fwtk/ftp-gw/ftp-gw.c
+*** ../TIS.orig/fwtk/ftp-gw/ftp-gw.c Fri Sep 6 18:55:05 1996
+--- fwtk/ftp-gw/ftp-gw.c Sat Feb 1 06:49:13 1997
+***************
+*** 50,55 ****
+--- 50,59 ----
+ #ifndef FTPPORT
+ #define FTPPORT 21
+ #endif
++ #ifdef USE_IP_FILTER
++ static int do_transparent=0;
++ static int connectdest();
++ #endif
+
+ static Cfg *confp;
+ static char **validests = (char **)0;
+***************
+*** 170,175 ****
+--- 174,182 ----
+ char xuf[1024];
+ char huf[128];
+ char *passuser = (char *)0; /* passed user as av */
++ #ifdef USE_IP_FILTER
++ char *psychic, *hotline;
++ #endif
+
+ #ifndef LOG_DAEMON
+ openlog("ftp-gw",LOG_PID);
+***************
+*** 313,320 ****
+ }
+ } else
+ timeout = 60*60;
+
+-
+ /* display a welcome file or message */
+ if(passuser == (char *)0) {
+ if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
+--- 320,330 ----
+ }
+ } else
+ timeout = 60*60;
++ #ifdef USE_IP_FILTER
++ psychic=getdsthost(0,NULL);
++ if(psychic) { do_transparent++; }
++ #endif
+
+ /* display a welcome file or message */
+ if(passuser == (char *)0) {
+ if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
+***************
+*** 322,327 ****
+--- 332,345 ----
+ syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
+ exit(1);
+ }
++ #ifdef USE_IP_FILTER
++ if(do_transparent) {
++ if(sayfile2(0,cf->argv[0],220)) {
++ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
++ exit(1);
++ }
++ } else
++ #endif /* USE_IP_FILTER */
+ if(sayfile(0,cf->argv[0],220)) {
+ syslog(LLEV,"fwtksyserr: cannot display welcome %s: %m",cf->argv[0]);
+ exit(1);
+***************
+*** 332,338 ****
+ if(authallflg)
+ if(say(0,"220-Proxy first requires authentication"))
+ exit(1);
+! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
+ if(say(0,xuf))
+ exit(1);
+ }
+--- 350,361 ----
+ if(authallflg)
+ if(say(0,"220-Proxy first requires authentication"))
+ exit(1);
+! #ifdef USE_IP_FILTER
+! if(do_transparent)
+! sprintf(xuf,"220-%s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
+! else
+! #endif
+! sprintf(xuf,"220 %s FTP proxy (Version %s) ready.",huf,FWTK_VERSION_MINOR);
+ if(say(0,xuf))
+ exit(1);
+ }
+***************
+*** 352,358 ****
+ if(cmd_user(2,fakav,"user internal"))
+ exit(1);
+ }
+!
+ /* main loop */
+ while(1) {
+ FD_ZERO(&rdy);
+--- 375,386 ----
+ if(cmd_user(2,fakav,"user internal"))
+ exit(1);
+ }
+! #ifdef USE_IP_FILTER
+! if(do_transparent) {
+! connectdest(psychic,21);
+! }
+! #endif
+!
+ /* main loop */
+ while(1) {
+ FD_ZERO(&rdy);
+***************
+*** 676,681 ****
+--- 704,719 ----
+ return(sayn(0,noad,sizeof(noad)-1));
+ }
+
++ #ifdef USE_IP_FILTER
++ if(do_transparent) {
++ if((rfd==(-1)) && (x=connectdest(dest,port))) return x;
++ sprintf(buf,"USER %s",user);
++ if(say(rfd,buf)) return(1);
++ x=getresp(rfd,buf,sizeof(buf),1);
++ if(sendsaved(0,x)) return(1);
++ return(say(0,buf));
++ }
++ #endif
+ if(*dest == '\0')
+ dest = "localhost";
+
+***************
+*** 717,723 ****
+ char ebuf[512];
+
+ strcpy(ebuf,buf);
+! sprintf(buf,"521 %s: %s",dest,ebuf);
+ rfd = -1;
+ return(say(0,buf));
+ }
+--- 755,766 ----
+ char ebuf[512];
+
+ strcpy(ebuf,buf);
+! #ifdef USE_IP_FILTER
+! if(do_transparent) {
+! sprintf(buf,"521 %s,%d: %s",dest,ntohs(port),ebuf);
+! } else
+! #endif
+! sprintf(buf,"521 %s: %s",dest,ebuf);
+ rfd = -1;
+ return(say(0,buf));
+ }
+***************
+*** 1874,1876 ****
+--- 1917,2036 ----
+ dup(nread);
+ }
+ #endif
++
++ #ifdef USE_IP_FILTER
++ static int connectdest(dest, port)
++ char *dest;
++ short port;
++ {
++ char buf[1024], mbuf[512];
++ int msg_int, x;
++
++ if(*dest == '\0')
++ dest = "localhost";
++
++ if(validests != (char **)0) {
++ char **xp;
++ int x;
++
++ for(xp = validests; *xp != (char *)0; xp++) {
++ if(**xp == '!' && hostmatch(*xp + 1,dest)) {
++ return(baddest(0,dest));
++ } else {
++ if(hostmatch(*xp,dest))
++ break;
++ }
++ }
++ if(*xp == (char *)0)
++ return(baddest(0,dest));
++ }
++
++ /* Extended permissions processing goes in here for destination */
++ if(extendperm) {
++ msg_int = auth_perm(confp, authuser, "ftp-gw", dest,(char *)0);
++ if(msg_int == 1) {
++ sprintf(mbuf,"Permission denied for user %s to connect to %s",authuser,dest);
++ syslog(LLEV,"deny host=%s/%s connect to %s user=%s",rladdr,riaddr,dest,authuser);
++ say(0,mbuf);
++ return(1);
++ } else {
++ if(msg_int == -1) {
++ sprintf(mbuf,"No match in netperm-table for %s to ftp to %s",authuser,dest);
++ say(0,mbuf);
++ return(1);
++ }
++ }
++ }
++
++ syslog(LLEV,"permit host=%s/%s connect to %s",rladdr,riaddr,dest);
++
++ if((rfd = conn_server(dest,port,0,buf)) < 0) {
++ char ebuf[512];
++
++ strcpy(ebuf,buf);
++ sprintf(buf,"521 %s: %s",dest,ebuf);
++ rfd = -1;
++ return(say(0,buf));
++ }
++ if(!do_transparent) {
++ sprintf(buf,"----GATEWAY CONNECTED TO %s----",dest);
++ saveline(buf);
++ }
++
++ /* we are now connected and need to try the autologin thing */
++ x = getresp(rfd,buf,sizeof(buf),1);
++ if(x / 100 != COMPLETE) {
++ sendsaved(0,-1);
++ return(say(0,buf));
++ }
++ saveline(buf);
++
++ sendsaved(0,-1);
++ return 0;
++ }
++
++
++ /* ok, so i'm in a hurry. english paper due RSN. */
++ sayfile2(fd,fn,code)
++ int fd;
++ char *fn;
++ int code;
++ {
++ FILE *f;
++ char buf[BUFSIZ];
++ char yuf[BUFSIZ];
++ char *c;
++ int x;
++ int saidsomething = 0;
++
++ if((f = fopen(fn,"r")) == (FILE *)0)
++ return(1);
++ while(fgets(buf,sizeof(buf),f) != (char *)0) {
++ if((c = index(buf,'\n')) != (char *)0)
++ *c = '\0';
++ x = fgetc(f);
++ if(feof(f))
++ sprintf(yuf,"%3.3d-%s",code,buf);
++ else {
++ sprintf(yuf,"%3.3d-%s",code,buf);
++ ungetc(x,f);
++ }
++ if(say(fd,yuf)) {
++ fclose(f);
++ return(1);
++ }
++ saidsomething++;
++ }
++ fclose(f);
++ if (!saidsomething) {
++ syslog(LLEV,"fwtkcfgerr: sayfile for %d is empty",code);
++ sprintf(yuf, "%3.3d The file to display is empty",code);
++ if(say(fd,yuf)) {
++ fclose(f);
++ return(1);
++ }
++ }
++ return(0);
++ }
++
++ #endif /* USE_IP_FILTER */
+diff -cr ../TIS.orig/fwtk/http-gw/http-gw.c fwtk/http-gw/http-gw.c
+*** ../TIS.orig/fwtk/http-gw/http-gw.c Mon Sep 9 20:40:53 1996
+--- fwtk/http-gw/http-gw.c Sun Feb 2 06:41:18 1997
+***************
+*** 27,32 ****
+--- 27,35 ----
+ static char http_buffer[8192];
+ static char reason[8192];
+ static int checkBrowserType = 1;
++ #ifdef USE_IP_FILTER
++ static int do_transparent=0;
++ #endif
+
+ static void do_logging()
+ { char *proto = "GOPHER";
+***************
+*** 422,427 ****
+--- 425,441 ----
+ /*(NOT A SPECIAL FORM)*/
+
+ if((rem_type & TYPE_LOCAL)== 0){
++ #ifdef USE_IP_FILTER
++ char *psychic=getdsthost(sockfd,&def_port);
++ if(psychic) {
++ if(strlen(psychic)<=MAXHOSTNAMELEN) {
++ do_transparent++;
++ strncpy(def_httpd,psychic,strlen(psychic));
++ strncpy(def_server,psychic,strlen(psychic));
++ }
++ }
++
++ #endif /* USE_IP_FILTER */
+ /* See if it can be forwarded */
+
+ if( can_forward(buf)){
+***************
+*** 1513,1518 ****
+--- 1527,1537 ----
+ parse_vec[0],
+ parse_vec[1],
+ ourname, ourport);
++ }
++ #ifdef USE_IP_FILTER
++ else if(do_transparent) {
++ sprintf(new_reply,"%s\t%s\t%s\t%s",parse_vec[0],parse_vec[1],parse_vec[2],parse_vec[3]);
++ #endif /* USE_IP_FILTER */
+ }else{
+ sprintf(new_reply,"%s\tgopher://%s:%s/%c%s\t%s\t%u",
+ parse_vec[0], parse_vec[2],
+diff -cr ../TIS.orig/fwtk/lib/hnam.c fwtk/lib/hnam.c
+*** ../TIS.orig/fwtk/lib/hnam.c Sat Nov 5 00:30:19 1994
+--- fwtk/lib/hnam.c Sat Feb 1 08:17:46 1997
+***************
+*** 20,25 ****
+--- 20,37 ----
+
+ extern char *inet_ntoa();
+
++ #if defined(USE_IP_FILTER)
++ #include <net/if.h>
++ #ifndef LINUX
++ #include "ip_nat.h"
++ #endif
++ #if defined(SOLARIS)
++ #include <sys/stat.h>
++ #include <fcntl.h>
++ #include <unistd.h>
++ #include <sys/ioccom.h>
++ #endif
++ #endif /* IP_FILTER */
+
+ #include "firewall.h"
+
+***************
+*** 45,47 ****
+--- 57,158 ----
+ bcopy(hp->h_addr,&sin.sin_addr,hp->h_length);
+ return(inet_ntoa(sin.sin_addr));
+ }
++
++
++
++ #ifdef USE_IP_FILTER
++ char *getdsthost(fd, ptr)
++ int fd;
++ int *ptr;
++ {
++ struct sockaddr_in sin;
++ struct hostent *hp;
++ int sl=sizeof(struct sockaddr_in), err=0, local_h=0, i=0;
++ static char buf[255], hostbuf[255];
++ #if defined(__FreeBSD__) || defined(SOLARIS)
++ struct sockaddr_in rsin;
++ struct natlookup natlookup;
++ int natfd;
++ #endif
++
++ #ifdef linux
++ /* This should also work for UDP. Unfortunately, it doesn't.
++ Maybe when the Linux UDP proxy code gets a little cleaner.
++ */
++ if(!(err=getsockname(0,&sin,&sl))) {
++ if(ptr) *ptr=ntohs(sin.sin_port);
++ sprintf(buf,"%s",inet_ntoa(sin.sin_addr));
++ gethostname(hostbuf,254);
++ hp=gethostbyname(hostbuf);
++ while(hp->h_addr_list[i]) {
++ bzero(&sin,&sl);
++ memcpy(&sin.sin_addr,hp->h_addr_list[i++],sizeof(hp->h_addr_list[i++]));
++ if(!strcmp(buf,inet_ntoa(sin.sin_addr))) local_h++;
++ }
++ if(local_h) { /* syslog(LLEV,"DEBUG: hnam.c: non-transparent."); */ return(NULL); }
++ else { return(buf); }
++ }
++ #endif
++
++ #if defined(__FreeBSD__)
++ /* The basis for this block of code is Darren Reed's
++ patches to the TIS ftwk's ftp-gw.
++ */
++ bzero((char*)&sin,sizeof(sin));
++ bzero((char*)&rsin,sizeof(rsin));
++ if(getsockname(fd,(struct sockaddr*)&sin,&sl)<0) {
++ return NULL;
++ }
++ sl=sizeof(rsin);
++ if(getpeername(fd,(struct sockaddr*)&rsin,&sl)<0) {
++ return NULL;
++ }
++ natlookup.nl_inport=sin.sin_port;
++ natlookup.nl_outport=rsin.sin_port;
++ natlookup.nl_inip=sin.sin_addr;
++ natlookup.nl_outip=rsin.sin_addr;
++ if((natfd=open("/dev/ipl",O_RDONLY))<0) {
++ return(NULL);
++ }
++ if(ioctl(natfd,SIOCGNATL,&natlookup)==(-1)) {
++ return(NULL);
++ }
++ close(natfd);
++ if(ptr) *ptr=ntohs(natlookup.nl_inport);
++ sprintf(buf,"%s",inet_ntoa(natlookup.nl_inip));
++ #endif
++
++ #if defined(SOLARIS) /* for Solaris */
++ /* The basis for this block of code is Darren Reed's
++ * patches to the TIS ftwk's ftp-gw.
++ * modified for Solaris from Michael Kutzner, Michael.Kutzner@paderlinx.de
++ */
++ memset((char*)&sin, 0, sizeof(sin));
++ memset((char*)&rsin, 0, sizeof(rsin));
++
++ if(getsockname(fd,(struct sockaddr*)&sin,&sl)<0) {
++ return NULL;
++ }
++ sl=sizeof(rsin);
++ if(getpeername(fd,(struct sockaddr*)&rsin,&sl)<0) {
++ return NULL;
++ }
++ natlookup.nl_inport=sin.sin_port;
++ natlookup.nl_outport=rsin.sin_port;
++ natlookup.nl_inip=sin.sin_addr;
++ natlookup.nl_outip=rsin.sin_addr;
++ if( (natfd=open("/dev/ipl",O_RDONLY)) < 0) {
++ return(NULL);
++ }
++ if(ioctl(natfd, SIOCGNATL, &natlookup) == -1) {
++ return(NULL);
++ }
++ close(natfd);
++ if(ptr) *ptr=ntohs(natlookup.nl_inport);
++ sprintf(buf,"%s",inet_ntoa(natlookup.nl_inip));
++ #endif
++
++ /* No transparent proxy support */
++ return(NULL);
++ }
++ #endif /* USE_IP_FILTER */
+diff -cr ../TIS.orig/fwtk/plug-gw/plug-gw.c fwtk/plug-gw/plug-gw.c
+*** ../TIS.orig/fwtk/plug-gw/plug-gw.c Thu Sep 5 21:36:33 1996
+--- fwtk/plug-gw/plug-gw.c Sun Feb 2 04:50:40 1997
+***************
+*** 38,44 ****
+ static int timeout = PROXY_TIMEOUT;
+ static char **validdests = (char **)0;
+ static Cfg *confp;
+!
+ main(ac,av)
+ int ac;
+ char *av[];
+--- 38,46 ----
+ static int timeout = PROXY_TIMEOUT;
+ static char **validdests = (char **)0;
+ static Cfg *confp;
+! #ifdef USE_IP_FILTER
+! static int do_transparent=0;
+! #endif
+ main(ac,av)
+ int ac;
+ char *av[];
+***************
+*** 189,201 ****
+ static char buf[1024 * 4];
+ void (*op)();
+ char *dhost = NULL;
+ char hostport[1024 * 4];
+ char *ptr;
+ int state = 0;
+ int ssl_plug = 0;
+!
+ struct timeval timo;
+
+ if(c->flags & PERM_DENY) {
+ if (p == -1)
+ syslog(LLEV,"deny host=%s/%s port=any",rhost,raddr);
+--- 191,215 ----
+ static char buf[1024 * 4];
+ void (*op)();
+ char *dhost = NULL;
++ char *transhost = NULL;
+ char hostport[1024 * 4];
+ char *ptr;
+ int state = 0;
+ int ssl_plug = 0;
+! #ifdef USE_IP_FILTER
+! int pport;
+! #endif
+ struct timeval timo;
+
++ #ifdef USE_IP_FILTER
++ /* Transparent plug-gw is probably a bad idea, but hey .. */
++ transhost=getdsthost(0,&pport);
++ if(transhost) {
++ do_transparent++;
++ portid=pport;
++ }
++ #endif
++
+ if(c->flags & PERM_DENY) {
+ if (p == -1)
+ syslog(LLEV,"deny host=%s/%s port=any",rhost,raddr);
+***************
+*** 223,229 ****
+ privport = 1;
+ continue;
+ }
+!
+ if (!strcmp(av[x], "-port")) {
+ if (++x >= ac) {
+ syslog(LLEV,"fwtkcfgerr: -port takes an argument, line %d",c->ln);
+--- 237,248 ----
+ privport = 1;
+ continue;
+ }
+! #ifdef USE_IP_FILTER
+! if (!strcmp(av[x],"-all-destinations")) {
+! dhost = transhost;
+! continue;
+! }
+! #endif
+ if (!strcmp(av[x], "-port")) {
+ if (++x >= ac) {
+ syslog(LLEV,"fwtkcfgerr: -port takes an argument, line %d",c->ln);
+diff -cr ../TIS.orig/fwtk/rlogin-gw/rlogin-gw.c fwtk/rlogin-gw/rlogin-gw.c
+*** ../TIS.orig/fwtk/rlogin-gw/rlogin-gw.c Fri Sep 6 18:56:33 1996
+--- fwtk/rlogin-gw/rlogin-gw.c Sun Feb 2 06:26:04 1997
+***************
+*** 40,46 ****
+
+ extern char *maphostname();
+
+!
+ static int cmd_quit();
+ static int cmd_help();
+ static int cmd_connect();
+--- 40,48 ----
+
+ extern char *maphostname();
+
+! #ifdef USE_IP_FILTER
+! static int do_transparent=0;
+! #endif
+ static int cmd_quit();
+ static int cmd_help();
+ static int cmd_connect();
+***************
+*** 120,125 ****
+--- 122,130 ----
+ static char *tokav[56];
+ int tokac;
+ struct timeval timo;
++ #ifdef USE_IP_FILTER
++ char *psychic;
++ #endif
+
+ #ifndef LOG_NDELAY
+ openlog("rlogin-gw",LOG_PID);
+***************
+*** 186,192 ****
+ }
+
+
+!
+ if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
+ if(cf->argc != 1) {
+ syslog(LLEV,"fwtkcfgerr: chroot must have one parameter, line %d",cf->ln);
+--- 191,204 ----
+ }
+
+
+! #ifdef USE_IP_FILTER
+! psychic=getdsthost(0,NULL);
+! if(psychic) {
+! do_transparent++;
+! strncpy(dest,psychic,511);
+! dest[511]='\0';
+! }
+! #endif /* USE_IP_FILTER */
+ if((cf = cfg_get("directory",confp)) != (Cfg *)0) {
+ if(cf->argc != 1) {
+ syslog(LLEV,"fwtkcfgerr: chroot must have one parameter, line %d",cf->ln);
+***************
+*** 260,269 ****
+ }
+
+ /* if present a host name, chop and save username and hostname */
+- dest[0] = '\0';
+ if((p = index(rusername,'@')) != (char *)0) {
+ char *namp;
+
+ *p++ = '\0';
+ if(*p == '\0')
+ p = "localhost";
+--- 272,281 ----
+ }
+
+ /* if present a host name, chop and save username and hostname */
+ if((p = index(rusername,'@')) != (char *)0) {
+ char *namp;
+
++ dest[0] = '\0';
+ *p++ = '\0';
+ if(*p == '\0')
+ p = "localhost";
+***************
+*** 532,539 ****
+--- 544,557 ----
+ sprintf(ebuf,"Trying %s@%s...",rusername,namp);
+ else
+ sprintf(ebuf,"Trying %s...",namp);
++ #ifdef USE_IP_FILTER
++ if(!do_transparent) {
++ #endif
+ if(say(0,ebuf))
+ return(1);
++ #ifdef USE_IP_FILTER
++ }
++ #endif
+ } else
+ syslog(LLEV,"permit host=%s/%s connect to %s",rhost,raddr,av[1]);
+ if((serfd = conn_server(av[1],RLOGINPORT,1,buf)) < 0) {
+diff -cr ../TIS.orig/fwtk/tn-gw/tn-gw.c fwtk/tn-gw/tn-gw.c
+*** ../TIS.orig/fwtk/tn-gw/tn-gw.c Fri Sep 6 18:55:48 1996
+--- fwtk/tn-gw/tn-gw.c Sun Feb 2 06:06:33 1997
+***************
+*** 97,102 ****
+--- 97,106 ----
+ static int timeout = PROXY_TIMEOUT;
+ static char timed_out_msg[] = "\r\nConnection closed due to inactivity";
+
++ #ifdef USE_IP_FILTER
++ static int do_transparent=0;
++ #endif
++
+ typedef struct {
+ char *name;
+ char *hmsg;
+***************
+*** 140,145 ****
+--- 144,153 ----
+ char tokbuf[BSIZ];
+ char *tokav[56];
+ int tokac;
++ #ifdef USE_IP_FILTER
++ int port;
++ char *psychic;
++ #endif
+
+ #ifndef LOG_DAEMON
+ openlog("tn-gw",LOG_PID);
+***************
+*** 307,313 ****
+ exit(1);
+ }
+ }
+!
+ while (argc > 1) {
+ argc--;
+ argv++;
+--- 315,349 ----
+ exit(1);
+ }
+ }
+! #ifdef USE_IP_FILTER
+! psychic=getdsthost(0,&port);
+! if(psychic) {
+! if((strlen(psychic) + 10) < 510) {
+! do_transparent++;
+! if(port)
+! sprintf(dest,"%s:%d",psychic,port);
+! else
+! sprintf(dest,"%s",psychic);
+!
+!
+! if(!welcomedone)
+! if((cf = cfg_get("welcome-msg",confp)) != (Cfg *)0) {
+! if(cf->argc != 1) {
+! syslog(LLEV,"fwtkcfgerr: welcome-msg must have one parameter, line %d",cf->ln);
+! exit(1);
+! }
+! if(sayfile(0,cf->argv[0])) {
+! syslog(LLEV,"fwtksyserr: cannot display welcome %s:%m",cf->argv[0]);
+! exit(1);
+! }
+! welcomedone = 1;
+! }
+!
+!
+! }
+! }
+!
+! #endif /* USE_IP_FILTER */
+ while (argc > 1) {
+ argc--;
+ argv++;
+***************
+*** 870,877 ****
+
+ syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp);
+ sprintf(ebuf,"Trying %s port %d...",namp,port);
+! if(say(0,ebuf))
+! return(1);
+ } else
+ syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]);
+
+--- 906,920 ----
+
+ syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,namp);
+ sprintf(ebuf,"Trying %s port %d...",namp,port);
+! #ifdef USE_IP_FILTER
+! if(!do_transparent) {
+! sprintf(ebuf,"Trying %s port %d...",namp,port);
+! #endif
+! if(say(0,ebuf))
+! return(1);
+! #ifdef USE_IP_FILTER
+! }
+! #endif
+ } else
+ syslog(LLEV,"permit host=%s/%s destination=%s",rladdr,riaddr,av[1]);
+
+***************
+*** 903,910 ****
+
+ syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]);
+ strncpy(dest,av[1], 511);
+! sprintf(buf, "Connected to %s.", dest);
+ say(0, buf);
+ return(2);
+ }
+
+--- 946,959 ----
+
+ syslog(LLEV,"connected host=%s/%s destination=%s",rladdr,riaddr,av[1]);
+ strncpy(dest,av[1], 511);
+! #ifdef USE_IP_FILTER
+! if(!do_transparent) {
+! sprintf(buf, "Connected to %s.", dest);
+! say(0, buf);
+! }
+! #else
+ say(0, buf);
++ #endif
+ return(2);
+ }
+
+diff -cr ../TIS.orig/fwtk/x-gw/socket.c fwtk/x-gw/socket.c
+*** ../TIS.orig/fwtk/x-gw/socket.c Sat Sep 7 05:16:35 1996
+--- fwtk/x-gw/socket.c Sun Feb 2 05:26:44 1997
+***************
+*** 212,218 ****
+ case AF_UNIX: un_name = (struct sockaddr_un *)addr;
+ len = sizeof(un_name->sun_family) +
+ sizeof(un_name->sun_path)
+! #ifdef SCM_RIGHTS /* 4.3BSD Reno and later */
+ + sizeof(un_name->sun_len) + 1
+ #endif
+ ;
+--- 212,218 ----
+ case AF_UNIX: un_name = (struct sockaddr_un *)addr;
+ len = sizeof(un_name->sun_family) +
+ sizeof(un_name->sun_path)
+! #if defined(SCM_RIGHTS) && !defined(LINUX)/* 4.3BSD Reno and later */
+ + sizeof(un_name->sun_len) + 1
+ #endif
+ ;
+Only in fwtk/x-gw: socket.c.bak
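Review bot: In the Linux branch of getdsthost() in lib/hnam.c, `bzero(&sin,&sl)` passes the address of `sl` where a byte count is expected, and `memcpy(&sin.sin_addr,hp->h_addr_list[i++],sizeof(hp->h_addr_list[i++]))` increments `i` twice per iteration and sizes the copy by a pointer rather than the address, while `hp` from gethostbyname() is dereferenced with no NULL check; this is the code deciding whether a connection is "local" and therefore whether transparent proxying is engaged, so a crash or wrong answer here is reachable from any client the NAT redirects. The FreeBSD and Solaris branches also leak `natfd` when the SIOCGNATL ioctl fails (`close(natfd)` sits after the error return), which accumulates an fd per failed lookup. In http-gw.c, `strncpy(def_httpd,psychic,strlen(psychic))` never writes a terminator; since `psychic` is already a NUL-terminated static buffer, `snprintf(def_httpd, sizeof def_httpd, "%s", psychic)` is the intended copy. The plug-gw `-all-destinations` option sets `dhost = transhost`, i.e. whatever destination the kernel redirect reported, which the README itself flags as a possible hole; it deserves at least a `/* WARNING: bypasses the configured destination list */` comment next to the option.
```c
/* … unchanged: getsockname() and port extraction … */
gethostname(hostbuf, sizeof(hostbuf) - 1);
hostbuf[sizeof(hostbuf) - 1] = '\0';
hp = gethostbyname(hostbuf);
for (i = 0; hp != NULL && hp->h_addr_list[i] != NULL; i++) {
	memset(&sin, 0, sizeof(sin));
	memcpy(&sin.sin_addr, hp->h_addr_list[i], sizeof(sin.sin_addr));
	if (!strcmp(buf, inet_ntoa(sin.sin_addr)))
		local_h++;
}
/* … unchanged: local_h decision … */
```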
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
index 7cd91069beb4..41c94d120394 100644
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@@ -5,6 +5,15 @@
# Thanks to Craig Bishop of connect.com.au and Sun Microsystems for the
# loan of a machine to work on a Solaris 2.x port of this software.
#
+prevent use of return-rst and return-icmp with rules blocking packets going
+out, preventing panics in certain situations.
+
+loop forms in frag cache table - Yury Pshenychny <yura@rd.zgik.zaporizhzhe.ua>
+
+should use SPLNET/SPLX around expire routines in NAT/frag/state code.
+
+redeclared malloc in 44arp.c -
+
3.1.7 8/2/97 - Released
Macros used for ntohs/htons supplied with gcc don't always work very well
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index d0d5309d98e6..258074aa301a 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -5,7 +5,7 @@
# and is not changed in any way. The author accepts no responsibility
# for the use of this software. I hate legaleese, don't you ?
#
-# $Id: Makefile,v 2.0.1.4 1997/02/08 06:39:28 darrenr Exp $
+# $Id: Makefile,v 2.0.1.5 1997/02/16 06:17:04 darrenr Exp $
#
# where to put things.
#
@@ -35,7 +35,7 @@ LOGFAC=-DLOGFAC=LOG_LOCAL0
# results: pass, block and nomatch. This is the sort of "block unless
# explicitly allowed" type #define switch.
#
-POLICY=-DNOMATCH=FR_PASS
+POLICY=-DIPF_DEFAULT_PASS=FR_PASS
#
MFLAGS="BINDEST=$(BINDEST)" "SBINDEST=$(SBINDEST)" "MANDIR=$(MANDIR)" \
"CC=$(CC)" 'CFLAGS=$(CFLAGS) $(SOLARIS2)' "IPFLKM=$(IPFLKM)" \
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index de776f9fc5c8..9f953614e42d 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-1996 Darren Reed";
-static char rcsid[] = "$Id: fil.c,v 2.0.1.4 1997/02/04 13:59:41 darrenr Exp $";
+static char rcsid[] = "$Id: fil.c,v 2.0.1.7 1997/02/18 10:53:47 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -97,10 +97,19 @@ extern int ipl_unreach, ipllog();
# endif
#endif
+#ifndef IPF_LOGGING
+#define IPF_LOGGING 0
+#endif
+#ifdef IPF_DEFAULT_PASS
+#define IPF_NOMATCH (IPF_DEFAULT_PASS|FR_NOMATCH)
+#else
+#define IPF_NOMATCH (FR_NOMATCH)
+#endif
+
struct filterstats frstats[2] = {{0,0,0,0,0},{0,0,0,0,0}};
struct frentry *ipfilter[2][2] = { { NULL, NULL }, { NULL, NULL } },
*ipacct[2][2] = { { NULL, NULL }, { NULL, NULL } };
-int fr_flags = 0, fr_active = 0;
+int fr_flags = IPF_LOGGING, fr_active = 0;
fr_info_t frcache[2];
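Review bot: The IPF_NOMATCH definition keys the default policy off `IPF_DEFAULT_PASS` alone, so a build that still passes the old `-DNOMATCH=...` (which the next hunk stops honouring) quietly drops to a bare `FR_NOMATCH` with no pass or block bit and nothing here catches the misconfiguration. A compile-time guard would turn that into a build error rather than a change in filtering behaviour: `#ifdef NOMATCH`, `# error "NOMATCH has been renamed IPF_DEFAULT_PASS"`, `#endif` placed before the `#ifdef IPF_DEFAULT_PASS` block. `fr_flags = IPF_LOGGING` also deserves a one-line comment noting that IPF_LOGGING defaults to 0 here and is only a compile-time seed for the flags.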
@@ -573,16 +582,12 @@ int out;
frstats[out].fr_chit++;
pass = fin->fin_fr->fr_flags;
} else {
- pass = FR_NOMATCH;
+ pass = IPF_NOMATCH;
if ((fin->fin_fr = ipfilter[out][fr_active]))
- pass = FR_SCANLIST(FR_NOMATCH, ip, fin, m);
+ pass = FR_SCANLIST(IPF_NOMATCH, ip, fin, m);
bcopy((char *)fin, (char *)fc, FI_CSIZE);
- if (pass & FR_NOMATCH) {
+ if (pass & FR_NOMATCH)
frstats[out].fr_nom++;
-#ifdef NOMATCH
- pass |= NOMATCH;
-#endif
- }
}
fr = fin->fin_fr;
@@ -651,34 +656,40 @@ logit:
/*
* Should we return an ICMP packet to indicate error
* status passing through the packet filter ?
+ * WARNING: ICMP error packets AND TCP RST packets should
+ * ONLY be sent in repsonse to incoming packets. Sending them
+ * in response to outbound packets can result in a panic on
+ * some operating systems.
*/
+ if (!out) {
#ifdef _KERNEL
- if (pass & FR_RETICMP) {
+ if (pass & FR_RETICMP) {
# if SOLARIS
- ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode,
- qif, ip->ip_src);
+ ICMP_ERROR(q, ip, ICMP_UNREACH, fin->fin_icode,
+ qif, ip->ip_src);
# else
- ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode,
- ifp, ip->ip_src);
- m = NULL; /* freed by icmp_error() */
+ ICMP_ERROR(m, ip, ICMP_UNREACH, fin->fin_icode,
+ ifp, ip->ip_src);
+ m = *mp = NULL; /* freed by icmp_error() */
# endif
- frstats[0].fr_ret++;
- } else if ((pass & FR_RETRST) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
- if (SEND_RESET(ip, qif, q) == 0)
- frstats[1].fr_ret++;
- }
+ frstats[0].fr_ret++;
+ } else if ((pass & FR_RETRST) &&
+ !(fin->fin_fi.fi_fl & FI_SHORT)) {
+ if (SEND_RESET(ip, qif, q) == 0)
+ frstats[1].fr_ret++;
+ }
#else
- if (pass & FR_RETICMP) {
- verbose("- ICMP unreachable sent\n");
- frstats[0].fr_ret++;
- } else if ((pass & FR_RETRST) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
- verbose("- TCP RST sent\n");
- frstats[1].fr_ret++;
- }
+ if (pass & FR_RETICMP) {
+ verbose("- ICMP unreachable sent\n");
+ frstats[0].fr_ret++;
+ } else if ((pass & FR_RETRST) &&
+ !(fin->fin_fi.fi_fl & FI_SHORT)) {
+ verbose("- TCP RST sent\n");
+ frstats[1].fr_ret++;
+ }
#endif
+ }
}
#ifdef _KERNEL
# if !SOLARIS
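Review bot: The new `if (!out)` gate confines ICMP and RST generation to inbound packets, but within it the RETICMP branch still lacks the `FI_SHORT` test that the RETRST branch has, so an ICMP unreachable can be generated for a truncated packet whose headers were never fully parsed; if that is deliberate it wants a comment, otherwise `if ((pass & FR_RETICMP) && !(fin->fin_fi.fi_fl & FI_SHORT))` mirrors the RST case. The added comment has a typo, `repsonse` should read `response`. Note also that `frstats[1].fr_ret++` for the RST case now executes only for inbound packets; that is fine if index 1 denotes "RST" rather than "outbound" for this counter, which the hunk does not show.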
@@ -691,7 +702,6 @@ logit:
(fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
ipfr_fastroute(m, fin, fdp);
m = *mp = NULL;
- pass = 0;
}
if (mc)
ipfr_fastroute(mc, fin, &fr->fr_dif);
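Review bot: Removing `pass = 0;` after `ipfr_fastroute(m, fin, fdp)` means the value returned to the caller now keeps the rule's flags for a packet whose mbuf has already been handed off (`m = *mp = NULL`); whether the return path tolerates a non-zero pass with a NULL mbuf is outside this hunk, so presumably the caller keys on `*mp == NULL`. A short comment would save the next reader the same question, e.g. `/* mbuf consumed by fastroute; caller must test *mp, not pass */`. The enclosing function continues past the end of the hunk.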
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index 7a244345640e..fec484670f4b 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.5 1997/01/29 13:41:45 darrenr Exp $";
+static char rcsid[] = "$Id: ip_fil.c,v 2.0.1.7 1997/02/19 12:45:02 darrenr Exp $";
#endif
#include <sys/errno.h>
@@ -70,7 +70,7 @@ static int iplused = 0;
#endif /* IPFILTER_LOG */
static void frflush();
static int frrequest();
-static int (*fr_savep)();
+static int (*fr_savep)() = NULL;
#if _BSDI_VERSION >= 199501
# include <sys/device.h>
@@ -732,6 +732,9 @@ frdest_t *fdp;
dst = (struct sockaddr_in *)&ro->ro_dst;
dst->sin_family = AF_INET;
dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst;
+#ifdef __bsdi__
+ dst->sin_len = sizeof(*dst);
+#endif
#if (BSD >= 199306) && !defined(__NetBSD__) && !defined(__bsdi__)
# ifdef RTF_CLONING
rtalloc_ign(ro, RTF_CLONING);
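Review bot: The new `dst->sin_len = sizeof(*dst);` is compiled only under `__bsdi__`, but `sin_len` is a field of `struct sockaddr_in` on every 4.4BSD-derived target, and the `#if (BSD >= 199306)` branch that follows hands `ro` to `rtalloc_ign()` on those systems too. Unless `ro->ro_dst` is zeroed earlier in the function (not visible in this hunk), the routing lookup on the other BSDs reads an uninitialised length byte; consider `#if BSD >= 199306` as the guard, or a `bzero()` of `ro->ro_dst` before the fields are filled in. The enclosing function starts and ends outside the hunk.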
@@ -780,7 +783,6 @@ frdest_t *fdp;
#if BSD >= 199306
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
ro->ro_rt);
-
#else
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst);
#endif
diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c
index 6665404b9830..7ed97ceb56fd 100644
--- a/contrib/ipfilter/ip_frag.c
+++ b/contrib/ipfilter/ip_frag.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.1 1997/01/09 15:14:43 darrenr Exp $";
+static char rcsid[] = "$Id: ip_frag.c,v 2.0.1.2 1997/02/16 06:17:35 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@@ -127,7 +127,6 @@ int pass;
fr->ipfr_ttl = fr_ipfrttl;
fr->ipfr_pass = pass & ~(FR_LOGFIRST|FR_LOG);
fr->ipfr_off = (ip->ip_off & 0x1fff) + (fin->fin_dlen >> 3);
- *fp = fr;
ipfr_stats.ifs_new++;
ipfr_inuse++;
MUTEX_EXIT(&ipf_frag);
diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c
index afe9761bc093..ee59a6cda1dd 100644
--- a/contrib/ipfilter/ip_nat.c
+++ b/contrib/ipfilter/ip_nat.c
@@ -9,7 +9,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.10 1997/02/08 06:38:49 darrenr Exp $";
+static char rcsid[] = "$Id: ip_nat.c,v 2.0.1.11 1997/02/16 06:26:47 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@@ -155,12 +155,13 @@ int cmd, mode;
{
register ipnat_t *nat, *n = NULL, **np = NULL;
ipnat_t natd;
- int error = 0, ret;
+ int error = 0, ret, s;
/*
* For add/delete, look to see if the NAT entry is already present
*/
MUTEX_ENTER(&ipf_nat);
+ SPLNET(s);
if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
IRCOPY(data, (char *)&natd, sizeof(natd));
nat = &natd;
@@ -260,6 +261,7 @@ int cmd, mode;
IWCOPY((caddr_t)&ret, data, sizeof(ret));
break;
}
+ SPLX(s);
MUTEX_EXIT(&ipf_nat);
return error;
}
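Review bot: The `SPLX(s);` added before `MUTEX_EXIT(&ipf_nat)` only releases the spl on the path that reaches the bottom of the function; together with the `SPLNET(s);` added in the previous hunk (after `MUTEX_ENTER`), any `return` or early exit in the part of the body not shown here would leave the processor level raised. If such exits exist, route them through the `SPLX`/`MUTEX_EXIT` tail instead; if none do, a one-line comment such as `/* every path must fall through to SPLX/MUTEX_EXIT below */` at the `SPLNET` would make that invariant explicit. The function body spans lines outside both hunks.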
@@ -857,11 +859,13 @@ fr_info_t *fin;
*/
void ip_natunload()
{
- MUTEX_ENTER(&ipf_nat);
+ int s;
+ MUTEX_ENTER(&ipf_nat);
+ SPLNET(s);
(void) clear_natlist();
(void) flush_nattable();
-
+ SPLX(s)
MUTEX_EXIT(&ipf_nat);
}
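Review bot: `SPLX(s)` in `ip_natunload()` is missing its terminating semicolon, so the statement only compiles by accident depending on how `SPLX`/`MUTEX_EXIT` expand for a given platform, and on a build where both expand to real calls it is a syntax error. It should read `SPLX(s);` as in the other call sites in this commit.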
@@ -873,14 +877,19 @@ void ip_natunload()
void ip_natexpire()
{
register struct nat *nat, **natp;
+ int s;
MUTEX_ENTER(&ipf_nat);
- for (natp = &nat_instances; (nat = *natp); natp = &nat->nat_next) {
- if (--nat->nat_age)
+ SPLNET(s);
+ for (natp = &nat_instances; (nat = *natp); ) {
+ if (--nat->nat_age) {
+ natp = &nat->nat_next;
continue;
+ }
*natp = nat->nat_next;
nat_delete(nat);
nat_stats.ns_expire++;
}
+ SPLX(s);
MUTEX_EXIT(&ipf_nat);
}
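Review bot: The reworked `ip_natexpire()` loop advances `natp` only in the keep branch, which is correct because `*natp = nat->nat_next;` already moves the following entry into the current slot, but the reason is easy to miss and the old code's `natp = &nat->nat_next` in the `for` step read through the just-deleted entry. A one-line comment on the unlink, `/* *natp now points at the next entry; do not advance after nat_delete() */`, would stop the next maintainer from "fixing" it back.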
diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c
index 62a49aa250ed..2643ce95a633 100644
--- a/contrib/ipfilter/ip_state.c
+++ b/contrib/ipfilter/ip_state.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-1995 Darren Reed";
-static char rcsid[] = "$Id: ip_state.c,v 2.0.1.2 1997/01/09 15:22:45 darrenr Exp $";
+static char rcsid[] = "$Id: ip_state.c,v 2.0.1.3 1997/02/16 06:18:36 darrenr Exp $";
#endif
#if !defined(_KERNEL) && !defined(KERNEL)
@@ -411,13 +411,16 @@ void fr_stateunload()
{
register int i;
register ipstate_t *is, **isp;
+ int s;
MUTEX_ENTER(&ipf_state);
+ SPLNET(s);
for (i = 0; i < IPSTATE_SIZE; i++)
for (isp = &ips_table[i]; (is = *isp); ) {
*isp = is->is_next;
KFREE(is);
}
+ SPLX(s);
MUTEX_EXIT(&ipf_state);
}
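Review bot: `fr_stateunload()` frees every entry in `ips_table` but never touches `ips_num`, while `fr_timeoutstate()` in the next hunk does `ips_num--` when it removes one. If `ips_num` tracks table occupancy (confirm against its other users), it should be reset to zero after the loop, otherwise a later reload reports a stale count; `ips_num = 0;` before `SPLX(s);` would do. The `SPLNET`/`SPLX` pairing itself is consistent with the other hunks.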
@@ -430,8 +433,10 @@ void fr_timeoutstate()
{
register int i;
register ipstate_t *is, **isp;
+ int s;
MUTEX_ENTER(&ipf_state);
+ SPLNET(s);
for (i = 0; i < IPSTATE_SIZE; i++)
for (isp = &ips_table[i]; (is = *isp); )
if (is->is_age && !--is->is_age) {
@@ -444,6 +449,7 @@ void fr_timeoutstate()
ips_num--;
} else
isp = &is->is_next;
+ SPLX(s);
MUTEX_EXIT(&ipf_state);
}
diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c
index 6458cde86b92..d7592284de14 100644
--- a/contrib/ipfilter/ipnat.c
+++ b/contrib/ipfilter/ipnat.c
@@ -51,7 +51,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static char rcsid[] = "$Id: ipnat.c,v 2.0.1.7 1997/01/30 12:02:32 darrenr Exp $";
+static char rcsid[] = "$Id: ipnat.c,v 2.0.1.8 1997/02/16 21:23:40 darrenr Exp $";
#endif
#if SOLARIS
@@ -190,7 +190,7 @@ void *ptr;
printf(" udp");
printf("\n");
if (verbose)
- printf("\t%x %u %x %u %x %d\n", (u_int)np->in_ifp,
+ printf("\t%p %u %x %u %x %d\n", (u_int)np->in_ifp,
np->in_space, np->in_flags, np->in_pnext, np,
np->in_use);
} else {
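Review bot: Switching the first conversion to `%p` while keeping the `(u_int)np->in_ifp` argument makes the format and argument types disagree, which is undefined behaviour and prints garbage on any platform where pointers are wider than `u_int`; in the same call `np` is still passed to `%x`. The two lines should read `printf("\t%p %u %x %u %p %d\n", (void *)np->in_ifp,` and `np->in_space, np->in_flags, np->in_pnext, (void *)np,`. The same `%p`-with-`(u_int)` mismatch is introduced in the hunks ending at `np->in_pnext, np->in_flags);` and at `(u_int)ns.ns_table, (u_int)ns.ns_list);`, where the casts should likewise become `(void *)`.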
@@ -220,7 +220,7 @@ void *ptr;
}
printf("\n");
if (verbose)
- printf("\t%x %u %s %d %x\n", (u_int)np->in_ifp,
+ printf("\t%p %u %s %d %x\n", (u_int)np->in_ifp,
np->in_space, inet_ntoa(np->in_nextip),
np->in_pnext, np->in_flags);
}
@@ -264,7 +264,7 @@ int fd, opts;
ns.ns_added, ns.ns_expire);
printf("inuse\t%lu\n", ns.ns_inuse);
if (opts & OPT_VERBOSE)
- printf("table %#x list %#x\n",
+ printf("table %p list %p\n",
(u_int)ns.ns_table, (u_int)ns.ns_list);
}
if (opts & OPT_LIST) {
@@ -384,7 +384,7 @@ int *resolved;
struct netent *np;
*resolved = 0;
- if (!strcasecmp("any",host))
+ if (!strcasecmp("any", host))
return 0L;
if (isdigit(*host))
return inet_addr(host);
diff --git a/contrib/ipfilter/ipsend/44arp.c b/contrib/ipfilter/ipsend/44arp.c
index 621d84c86d5b..aa428593b57e 100644
--- a/contrib/ipfilter/ipsend/44arp.c
+++ b/contrib/ipfilter/ipsend/44arp.c
@@ -52,7 +52,7 @@ char *addr, *eaddr;
{
int mib[6];
size_t needed;
- char *malloc(), *lim, *buf, *next;
+ char *lim, *buf, *next;
struct rt_msghdr *rtm;
struct sockaddr_inarp *sin;
struct sockaddr_dl *sdl;
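Review bot: Dropping the local `char *malloc()` declaration is right only if `<stdlib.h>` (or another header providing the prototype) is included in this file, which the hunk does not show; without it, `malloc()` is implicitly declared as returning `int` and its result is truncated on 64-bit targets. Please confirm the include is present in `44arp.c`. The enclosing function continues outside the hunk.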
diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c
index 1c463e86eb37..023605399d73 100644
--- a/contrib/ipfilter/parse.c
+++ b/contrib/ipfilter/parse.c
@@ -33,7 +33,7 @@
#if !defined(lint) && defined(LIBC_SCCS)
static char sccsid[] ="@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
-static char rcsid[] = "$Id: parse.c,v 2.0.1.1 1997/01/09 15:14:44 darrenr Exp $";
+static char rcsid[] = "$Id: parse.c,v 2.0.1.2 1997/02/17 13:59:44 darrenr Exp $";
#endif
extern struct ipopt_names ionames[], secclass[];
@@ -143,9 +143,18 @@ char *line;
}
cpp++;
- if (!strcasecmp("in", *cpp))
+ if (!strcasecmp("in", *cpp)) {
fil.fr_flags |= FR_INQUE;
- else if (!strcasecmp("out", *cpp))
+ if (fil.fr_flags & FR_RETICMP) {
+ (void)fprintf(stderr,
+ "Can only use return-icmp with 'in'\n");
+ return NULL;
+ } else if (fil.fr_flags & FR_RETRST) {
+ (void)fprintf(stderr,
+ "Can only use return-rst with 'in'\n");
+ return NULL;
+ }
+ } else if (!strcasecmp("out", *cpp))
fil.fr_flags |= FR_OUTQUE;
else {
(void)fprintf(stderr,