authorDarren Reed <darrenr@FreeBSD.org>2002-04-25 03:34:26 +0000
committerDarren Reed <darrenr@FreeBSD.org>2002-04-25 03:34:26 +0000
commitce4e47980d06c821d787c47073b896cefda0546e (patch)
tree7e0ea7d4592339dca2c60043b1aadcbb907385b8
parent0868380a542955ca8e611f323f36c28a48b20fb2 (diff)
downloadsrc-ce4e47980d06c821d787c47073b896cefda0546e.tar.gz
src-ce4e47980d06c821d787c47073b896cefda0546e.zip
Import IPFilter 3.4.26
Notes
Notes: svn path=/vendor/ipfilter/dist/; revision=95419
-rw-r--r--contrib/ipfilter/BSD/Makefile20
-rw-r--r--contrib/ipfilter/BSD/kupgrade9
-rwxr-xr-xcontrib/ipfilter/FreeBSD-4.0/kinstall4
-rw-r--r--contrib/ipfilter/HISTORY53
-rw-r--r--contrib/ipfilter/fil.c9
-rw-r--r--contrib/ipfilter/fils.c16
-rw-r--r--contrib/ipfilter/ip_auth.c8
-rw-r--r--contrib/ipfilter/ip_compat.h82
-rw-r--r--contrib/ipfilter/ip_fil.c11
-rw-r--r--contrib/ipfilter/ip_fil.h27
-rw-r--r--contrib/ipfilter/ip_frag.c4
-rw-r--r--contrib/ipfilter/ip_h323_pxy.c40
-rw-r--r--contrib/ipfilter/ip_log.c3
-rw-r--r--contrib/ipfilter/ip_nat.c122
-rw-r--r--contrib/ipfilter/ip_nat.h4
-rw-r--r--contrib/ipfilter/ip_sfil.c22
-rw-r--r--contrib/ipfilter/ip_state.c218
-rw-r--r--contrib/ipfilter/ip_state.h27
-rw-r--r--contrib/ipfilter/ipf.c4
-rw-r--r--contrib/ipfilter/ipfs.c4
-rw-r--r--contrib/ipfilter/ipl.h4
-rw-r--r--contrib/ipfilter/ipmon.c2
-rw-r--r--contrib/ipfilter/ipsend/ipsend.c3
-rw-r--r--contrib/ipfilter/ipt.c8
-rw-r--r--contrib/ipfilter/kmem.c28
-rw-r--r--contrib/ipfilter/l4check/l4check.c5
-rw-r--r--contrib/ipfilter/man/ipmon.83
-rw-r--r--contrib/ipfilter/man/ipnat.59
-rw-r--r--contrib/ipfilter/mlf_ipl.c18
-rw-r--r--contrib/ipfilter/mls_ipl.c3
-rw-r--r--contrib/ipfilter/natparse.c45
-rw-r--r--contrib/ipfilter/printnat.c30
-rw-r--r--contrib/ipfilter/printstate.c13
-rw-r--r--contrib/ipfilter/solaris.c6
-rw-r--r--contrib/ipfilter/test/Makefile27
-rw-r--r--contrib/ipfilter/test/expected/f1147
-rw-r--r--contrib/ipfilter/test/expected/l172
-rw-r--r--contrib/ipfilter/test/expected/l1.b72
-rw-r--r--contrib/ipfilter/test/input/f115
-rwxr-xr-xcontrib/ipfilter/test/logtest8
-rw-r--r--contrib/ipfilter/test/regress/f111
41 files changed, 734 insertions, 362 deletions
diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile
index 8d2b28d5f78f..afa9e52447a2 100644
--- a/contrib/ipfilter/BSD/Makefile
+++ b/contrib/ipfilter/BSD/Makefile
@@ -7,6 +7,8 @@
#
BINDEST=/usr/sbin
SBINDEST=/sbin
+SEARCHDIRS=$(BINDEST) $(SBINDEST) /bin /usr/bin /sbin /usr/sbin \
+ /usr/local/bin /usr/local/sbin
MANDIR=/usr/share/man
CC=cc -Wall -Wstrict-prototypes -Wuninitialized -O
CFLAGS=-g -I$(TOP)
@@ -49,6 +51,14 @@ IPNAT=ipnat.o kmem.o natparse.o common.o printnat.o
FILS=fils.o parse.o kmem.o opt.o facpri.o common.o printstate.o
build all: ipf ipfs ipfstat ipftest ipmon ipnat $(LKM)
+ /bin/rm -f $(TOP)/ipf
+ ln -s `pwd`/ipf $(TOP)
+ /bin/rm -f $(TOP)/ipftest
+ ln -s `pwd`/ipftest $(TOP)
+ /bin/rm -f $(TOP)/ipmon
+ ln -s `pwd`/ipmon $(TOP)
+ /bin/rm -f $(TOP)/ipnat
+ ln -s `pwd`/ipnat $(TOP)
ipfstat: $(FILS)
$(CC) -static $(DEBUG) $(CFLAGS) $(STATETOP_CFLAGS) $(STATETOP_INC) \
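Review bot: The link step added to `build all` (L74-L81) is four copies of the same rm/ln pair, and because `build` and `all` are not file targets it reruns on every invocation even when none of the binaries changed; a single `for f in ipf ipftest ipmon ipnat; do /bin/rm -f $(TOP)/$$f; ln -s "$$(pwd)"/$$f $(TOP); done` loop keeps the four names in one place. Since the four binaries are prerequisites of this rule, the links are only made after they exist, which matches the intent stated in HISTORY (L200-L201).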
@@ -56,13 +66,9 @@ ipfstat: $(FILS)
ipf: $(IPF)
$(CC) -static $(DEBUG) $(CFLAGS) $(IPF) -o $@ $(LIBS)
- /bin/rm -f $(TOP)/ipf
- ln -s `pwd`/ipf $(TOP)
ipftest: $(IPT)
$(CC) $(DEBUG) $(CFLAGS) $(IPT) -o $@ $(LIBS)
- /bin/rm -f $(TOP)/ipftest
- ln -s `pwd`/ipftest $(TOP)
ipnat: $(IPNAT)
$(CC) -static $(DEBUG) $(CFLAGS) $(IPNAT) -o $@ $(LIBS) -lkvm
@@ -220,8 +226,6 @@ facpri.o: $(TOP)/facpri.c $(TOP)/facpri.h
ipmon: $(TOP)/ipmon.c
$(CC) $(DEBUG) $(CFLAGS) $(LOGFAC) $(TOP)/ipmon.c -o $@ $(LIBS)
- /bin/rm -f $(TOP)/ipmon
- ln -s `pwd`/ipmon $(TOP)
clean:
${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \
@@ -250,8 +254,8 @@ install:
ipfstat:$(SBINDEST) ipftest:$(SBINDEST) ipmon:$(BINDEST); do \
def="`expr $$i : '[^:]*:\(.*\)'`"; \
p="`expr $$i : '\([^:]*\):.*'`"; \
- for d in $(BINDEST) $(SBINDEST); do \
- if [ -f $$d/$$i ] ; then \
+ for d in $(SEARCHDIRS); do \
+ if [ -f $$d/$$p ] ; then \
echo "$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d"; \
$(INSTALL) -cs -g wheel -m 755 -o root $$p $$d; \
dd=$$d; \
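Review bot: The corrected test `[ -f $$d/$$p ]` now installs `$$p` as root into every directory of SEARCHDIRS (L66-L67) that already holds a file of that basename, and the list reaches into /usr/local/bin and /usr/local/sbin; the match is by name only, so an unrelated `ipf` or `ipmon` under /usr/local would be overwritten. Consider limiting the search to `$(BINDEST) $(SBINDEST)` plus `$$def`, or printing the target directory and stopping when it is outside `$$def`. The recipe continues past the hunk, so whether the loop stops after the first hit is not visible here.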
diff --git a/contrib/ipfilter/BSD/kupgrade b/contrib/ipfilter/BSD/kupgrade
index 092f3ab05a85..4d8573d44790 100644
--- a/contrib/ipfilter/BSD/kupgrade
+++ b/contrib/ipfilter/BSD/kupgrade
@@ -8,6 +8,15 @@ set -e
argv0=`basename $0`
dir=`pwd`
karch=`uname -m`
+os=`uname -s`
+if [ $os = FreeBSD ] ; then
+ rev=`uname -r`
+ rev=`expr $rev : '\([0-9]*\)\..*'`
+ if [ $rev = 2 ] ; then
+ echo "Copying /usr/include/osreldate.h to /sys/sys"
+ cp /usr/include/osreldate.h /sys/sys
+ fi
+fi
archdir="/sys/arch/$karch"
ipfdir=/sys/netinet
if [ -d /sys/contrib/ipfilter ] ; then
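Review bot: `rev` is empty when `uname -r` contains no dot, because the `expr` pattern `'\([0-9]*\)\..*'` then matches nothing, and the unquoted `[ $rev = 2 ]` turns into a syntax error that aborts the script under the `set -e` visible in the hunk header; quote both comparisons, `if [ "$os" = FreeBSD ] ; then` and `if [ "$rev" = 2 ] ; then`. The copy into /sys/sys is done unconditionally for that release without checking that /sys/sys exists, so a missing kernel source tree also aborts here rather than with a message.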
diff --git a/contrib/ipfilter/FreeBSD-4.0/kinstall b/contrib/ipfilter/FreeBSD-4.0/kinstall
index 9e34e33328bc..2598c6c88da4 100755
--- a/contrib/ipfilter/FreeBSD-4.0/kinstall
+++ b/contrib/ipfilter/FreeBSD-4.0/kinstall
@@ -28,11 +28,13 @@ echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
-patchfile=FreeBSd-4.0/ipv6-patch-$krev
+set patchfile=FreeBSd-4.0/ipv6-patch-$krev
if ( -f $patchfile ) then
echo ""
echo "Patching ip6_input.c and ip6_output.c"
cat $patchfile | (cd /sys/netinet6; patch)
+else
+ echo "IPv6 patching not required for your OS version"
endif
set config=`(cd $confdir; /bin/ls -1t [0-9A-Z_]*) | head -1`
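Review bot: The patch path keeps the misspelled directory `FreeBSd-4.0` while the script itself lives under `FreeBSD-4.0/` (diff header), so on a case-sensitive filesystem `-f $patchfile` is always false and the new `else` branch prints `IPv6 patching not required for your OS version` even when a patch for `$krev` exists; change the line to `set patchfile=FreeBSD-4.0/ipv6-patch-$krev`. It would also help to distinguish "no patch file shipped for $krev" from "not required" in the message.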
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
index 80632b498e83..ec317dc2ae05 100644
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@@ -22,6 +22,59 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
+3.4.26 25/04/2002 - Released
+
+fix parsing and printing of NAT rules with regression tests.
+
+add code to adjust TCP checksums inside ICMP errors where present and as
+required for NAT.
+
+fix documentation problems in instal documents
+
+fix locking problem with auth code on Solaris
+
+fix use of version macros for FreeBSD and make the use of __FreeBSD_version
+override previous hacks except when not present
+
+fix the macros defined for SIOCAUTHR and SIOCAUTHW
+
+fix the H.323 proxy so it no longer panics (multiple issues: re-entry into
+nat_ioctl with lock held on Solaris, trying to copy data from kernel space
+with copyin, unaligned access to get 32bit & 16bit numbers)
+
+use the ip_ttl ndd parameter on Solaris to fill in ip_ttl for packets
+generated by IPFilter
+
+fix comparing state information to delete state table entries
+
+flag packets as being "bad state" if they're outside the window and prevent
+them from being able to cause new state to be created - except for SYN packets
+
+be stricter about what packets match a TCP state table entry if its creation
+was triggered by a SYN packet.
+
+add patches to handle TCP window scaling
+
+don't update TCP state table entries if the packet is not considered to be
+part of the connection
+
+ipfs wasn't allowing -i command line option in getopt
+
+IRIX: fix kvm interface, fix compile warnings, compile the kernel with -O2
+ regardless of user compile, fix the getkflags script to prune down the
+ output more so it is acceptable
+
+change building in Makefiles to create links to the application in $(TOP)
+at the end of "build" rather than when each is created.
+
+update BSD/kupgrade for FreeBSD
+
+l4check wasn't properly closing things when a connection fails
+
+man page updates for ipmon(8) and ipnat(5)
+
+more regression tests added.
+
3.4.25 13/03/2002 - Released
retain rule # in state information
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index 06623c357ebb..3ce8131413cd 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -97,7 +97,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.58 2002/03/13 02:23:13 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.59 2002/03/25 11:07:37 darrenr Exp $";
#endif
#ifndef _KERNEL
@@ -211,9 +211,7 @@ fr_info_t *fin;
fin->fin_data[1] = 0;
fin->fin_rule = -1;
fin->fin_group = -1;
-#ifdef _KERNEL
fin->fin_icode = ipl_unreach;
-#endif
v = fin->fin_v;
fi->fi_v = v;
fin->fin_hlen = hlen;
@@ -263,6 +261,7 @@ fr_info_t *fin;
fin->fin_off = off;
fin->fin_plen = plen;
fin->fin_dp = (char *)tcp;
+ fin->fin_misc = 0;
off <<= 3;
switch (p)
@@ -295,7 +294,7 @@ fr_info_t *fin;
}
}
- if (!(plen >= hlen + minicmpsz))
+ if (!(plen >= minicmpsz))
fi->fi_fl |= FI_SHORT;
break;
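Review bot: Dropping `hlen` from the FI_SHORT test changes what counts as a truncated ICMP packet, and nothing in this hunk shows whether `plen` at this point is the total IP length or the length after the IP header; if it is the total length, packets shorter than `hlen + minicmpsz` now pass without FI_SHORT. A comment on the check stating which length `plen` holds here, e.g. `/* plen is the length after the IP header */` if that is the case, would keep the next reader from re-adding `hlen`. The enclosing function begins and ends outside the hunk.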
@@ -1496,7 +1495,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.58 2002/03/13 02:23:13 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.59 2002/03/25 11:07:37 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c
index b3bfae2758c6..dcf74e5e67df 100644
--- a/contrib/ipfilter/fils.c
+++ b/contrib/ipfilter/fils.c
@@ -94,7 +94,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.34 2002/02/22 15:32:45 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.35 2002/04/03 14:18:36 darrenr Exp $";
#endif
extern char *optarg;
@@ -1200,15 +1200,15 @@ int topclosed;
if (c == ERR)
continue;
- if (tolower(c) == 'l') {
+ if (isalpha(c) && isupper(c))
+ c = tolower(c);
+ if (c == 'l') {
redraw = 1;
- } else if (tolower(c) == 'q') {
- nocbreak();
- endwin();
- exit(0);
- } else if (tolower(c) == 'r') {
+ } else if (c == 'q') {
+ break; /* exits while() loop */
+ } else if (c == 'r') {
reverse = !reverse;
- } else if (tolower(c) == 's') {
+ } else if (c == 's') {
sorting++;
if (sorting > STSORT_MAX)
sorting = 0;
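Review bot: `isalpha(c) && isupper(c)` is redundant, since `isupper` implies `isalpha`, and more importantly `c` comes from curses `getch()`, which can return KEY_* codes above 255; the ctype functions are only defined for `unsigned char` values and EOF, so guard the range instead: `if (c >= 0 && c <= 0xff && isupper(c))`. The `q` case now leaves the loop instead of calling `nocbreak()`/`endwin()`/`exit(0)`; the code after the loop is outside the hunk, so confirm the curses teardown still happens there.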
diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c
index e4ad347280c7..2a73079d2cb0 100644
--- a/contrib/ipfilter/ip_auth.c
+++ b/contrib/ipfilter/ip_auth.c
@@ -104,7 +104,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#endif
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.17 2002/03/06 09:44:10 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.19 2002/04/23 14:57:27 darrenr Exp $";
#endif
@@ -405,6 +405,7 @@ fr_authioctlloop:
RWLOCK_EXIT(&ipf_auth);
return 0;
}
+ RWLOCK_EXIT(&ipf_auth);
#ifdef _KERNEL
# if SOLARIS
mutex_enter(&ipf_authmx);
@@ -417,7 +418,6 @@ fr_authioctlloop:
error = SLEEP(&fr_authnext, "fr_authnext");
# endif
#endif
- RWLOCK_EXIT(&ipf_auth);
if (!error)
goto fr_authioctlloop;
break;
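Review bot: Releasing `ipf_auth` before the Solaris `mutex_enter(&ipf_authmx)` and the sleep fixes sleeping with the read lock held, but it opens a window between `RWLOCK_EXIT` and the wait in which a wakeup on `fr_authnext` can be missed; if the code at `fr_authioctlloop` re-checks the queue before waiting again this is only a latency issue, and a comment should say so: `/* lock dropped before sleeping; the loop re-checks the queue on wakeup */`. The enclosing function continues outside the hunk.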
@@ -447,7 +447,7 @@ fr_authioctlloop:
#ifdef _KERNEL
if (m && au->fra_info.fin_out) {
# if SOLARIS
- error = fr_qout(fra->fra_q, m);
+ error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0;
# else /* SOLARIS */
struct route ro;
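Review bot: `error = (fr_qout(fra->fra_q, m) == 0) ? EINVAL : 0;` (and the `fr_qin` mirror at L329) treats a zero return as failure, the reverse of the usual 0-is-success convention, and `EINVAL` says nothing about a queue put failing; `fr_qout`/`fr_qin` are not on this page, so if they do return nonzero on success, say so at the call: `/* fr_qout() returns 1 on success, 0 on failure */`. Without that comment the next reader will "fix" the inversion.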
@@ -469,7 +469,7 @@ fr_authioctlloop:
fr_authstats.fas_sendok++;
} else if (m) {
# if SOLARIS
- error = fr_qin(fra->fra_q, m);
+ error = (fr_qin(fra->fra_q, m) == 0) ? EINVAL : 0;
# else /* SOLARIS */
ifq = &ipintrq;
if (IF_QFULL(ifq)) {
diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h
index 4eab541231a6..d0dc859aae47 100644
--- a/contrib/ipfilter/ip_compat.h
+++ b/contrib/ipfilter/ip_compat.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_compat.h 1.8 1/14/96
- * $Id: ip_compat.h,v 2.26.2.39 2002/03/13 03:54:34 darrenr Exp $
+ * $Id: ip_compat.h,v 2.26.2.43 2002/04/23 16:08:50 darrenr Exp $
*/
#ifndef __IP_COMPAT_H__
@@ -103,7 +103,6 @@ struct ether_addr {
# include <sys/sysmacros.h>
#endif
-
/*
* This is a workaround for <sys/uio.h> troubles on FreeBSD and OpenBSD.
*/
@@ -197,10 +196,6 @@ typedef int minor_t;
#endif /* SOLARIS */
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
-#if defined(__FreeBSD__) && (__FreeBSD__ >= 5) && defined(_KERNEL)
-# include <machine/in_cksum.h>
-#endif
-
#ifndef IP_OFFMASK
#define IP_OFFMASK 0x1fff
#endif
@@ -215,6 +210,30 @@ typedef int minor_t;
#endif /* BSD > 199306 */
+#if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL))
+# include <sys/param.h>
+# ifndef __FreeBSD_version
+# include <sys/osreldate.h>
+# endif
+# ifdef IPFILTER_LKM
+# define ACTUALLY_LKM_NOT_KERNEL
+# endif
+# if defined(__FreeBSD_version) && (__FreeBSD_version < 300000)
+# include <machine/spl.h>
+# else
+# if (__FreeBSD_version >= 300000) && (__FreeBSD_version < 400000)
+# if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL)
+# define ACTUALLY_LKM_NOT_KERNEL
+# endif
+# endif
+# endif
+#endif /* __FreeBSD__ && KERNEL */
+
+#if defined(__FreeBSD_version) && (__FreeBSD_version >= 500000) && \
+ defined(_KERNEL)
+# include <machine/in_cksum.h>
+#endif
+
/*
* These operating systems already take care of the problem for us.
*/
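Review bot: The test at L376, `defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL)`, can never be true because L369-L371 define `ACTUALLY_LKM_NOT_KERNEL` whenever `IPFILTER_LKM` is defined, so the whole 3.x branch at L375-L379 is dead and can be removed. The `#else` at L374 is also taken when `__FreeBSD_version` is still undefined after the `sys/osreldate.h` include, in which case `__FreeBSD_version >= 300000` evaluates with 0; an explicit `# error __FreeBSD_version is not defined` there would be clearer than silently picking a branch.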
@@ -230,6 +249,13 @@ typedef u_int32_t u_32_t;
# include "opt_inet6.h"
# endif
# ifdef INET6
+# define USE_INET6
+# endif
+# endif
+# if !defined(_KERNEL) && !defined(IPFILTER_LKM)
+# if (defined(__FreeBSD_version) && (__FreeBSD_version >= 400000)) || \
+ (defined(OpenBSD) && (OpenBSD >= 200111)) || \
+ (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000))
# define USE_INET6
# endif
# endif
@@ -341,40 +367,9 @@ union i6addr {
#define IPOPT_EIP 145 /* EIP */
#define IPOPT_FINN 205 /* FINN */
-
-#if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL))
-# ifdef IPFILTER_LKM
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# else
-# include <sys/param.h>
-# endif
-# endif
-# define ACTUALLY_LKM_NOT_KERNEL
-# else
-# ifndef __FreeBSD_cc_version
-# include <sys/osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <sys/osreldate.h>
-# else
-# include <sys/param.h>
-# endif
-# endif
-# endif
-# if __FreeBSD__ < 3
-# include <machine/spl.h>
-# else
-# if __FreeBSD__ == 3
-# if defined(IPFILTER_LKM) && !defined(ACTUALLY_LKM_NOT_KERNEL)
-# define ACTUALLY_LKM_NOT_KERNEL
-# endif
-# endif
-# endif
-#endif /* __FreeBSD__ && KERNEL */
+#ifndef TCPOPT_WSCALE
+# define TCPOPT_WSCALE 3
+#endif
/*
* Build some macros and #defines to enable the same code to compile anywhere
@@ -580,7 +575,8 @@ extern void m_copyback __P((struct mbuf *, int, int, caddr_t));
defined(__FreeBSD__) || defined(__OpenBSD__) || defined(_BSDI_VERSION)
# include <vm/vm.h>
# endif
-# if !defined(__FreeBSD__) || (defined (__FreeBSD__) && __FreeBSD__>=3)
+# if !defined(__FreeBSD__) || (defined (__FreeBSD_version) && \
+ (__FreeBSD_version >= 300000))
# if (defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105180000)) || \
(defined(OpenBSD) && (OpenBSD >= 200111))
# include <uvm/uvm_extern.h>
@@ -589,9 +585,9 @@ extern void m_copyback __P((struct mbuf *, int, int, caddr_t));
extern vm_map_t kmem_map;
# endif
# include <sys/proc.h>
-# else /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD__>=3) */
+# else /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */
# include <vm/vm_kern.h>
-# endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD__>=3) */
+# endif /* !__FreeBSD__ || (__FreeBSD__ && __FreeBSD_version >= 300000) */
# ifdef M_PFIL
# define KMALLOC(a, b) MALLOC((a), b, sizeof(*(a)), M_PFIL, M_NOWAIT)
# define KMALLOCS(a, b, c) MALLOC((a), b, (c), M_PFIL, M_NOWAIT)
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index 1cac072015e6..2aeeaf878115 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -25,6 +25,7 @@
# endif
#endif
#ifdef __sgi
+# define _KMEMUSER
# include <sys/ptimers.h>
#endif
#ifndef _KERNEL
@@ -119,7 +120,7 @@ extern int ip_optcopy __P((struct ip *, struct ip *));
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.53 2002/03/13 02:29:08 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.55 2002/03/26 15:54:39 darrenr Exp $";
#endif
@@ -359,7 +360,7 @@ int iplattach()
}
# ifdef NETBSD_PF
-# if __NetBSD_Version__ >= 104200000
+# if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011)
# if __NetBSD_Version__ >= 105110000
if (
!(ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET))
@@ -526,7 +527,7 @@ int ipldetach()
fr_running = 0;
# ifdef NETBSD_PF
-# if __NetBSD_Version__ >= 104200000
+# if ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011))
# if __NetBSD_Version__ >= 105110000
if (ph_inet != NULL)
error = pfil_remove_hook((void *)fr_check_wrapper, NULL,
@@ -2136,8 +2137,8 @@ struct uio *uio;
num = io->iov_len;
if (num > left)
num = left;
- start = io->iov_base + offset;
- if (start > io->iov_base + io->iov_len) {
+ start = (char *)io->iov_base + offset;
+ if (start > (char *)io->iov_base + io->iov_len) {
offset -= io->iov_len;
ioc++;
continue;
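Review bot: `num` is computed from `io->iov_len` (L504-L506) without subtracting `offset`, while `start` now begins `offset` bytes into the iov; if the copy that follows this hunk moves `num` bytes from `start`, it reads up to `offset` bytes past the end of the iov. Bound it after the skip test, `if (num > io->iov_len - offset) num = io->iov_len - offset;`, and make the skip test `>=` rather than `>`, since `start == iov_base + iov_len` leaves nothing to copy. The function begins and ends outside the hunk.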
diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h
index 96a8f4bb8c6e..82deef5f2cd7 100644
--- a/contrib/ipfilter/ip_fil.h
+++ b/contrib/ipfilter/ip_fil.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
- * $Id: ip_fil.h,v 2.29.2.29 2002/03/13 03:56:46 darrenr Exp $
+ * $Id: ip_fil.h,v 2.29.2.32 2002/04/10 04:57:14 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@@ -55,8 +55,8 @@
# define SIOCFRSYN _IOW('r', 73, u_int)
# define SIOCFRZST _IOWR('r', 74, struct friostat *)
# define SIOCZRLST _IOWR('r', 75, struct frentry *)
-# define SIOCAUTHW _IOWR('r', 76, struct frauth_t *)
-# define SIOCAUTHR _IOWR('r', 77, struct frauth_t *)
+# define SIOCAUTHW _IOWR('r', 76, struct frauth *)
+# define SIOCAUTHR _IOWR('r', 77, struct frauth *)
# define SIOCATHST _IOWR('r', 78, struct fr_authstat *)
# define SIOCSTLCK _IOWR('r', 79, u_int)
# define SIOCSTPUT _IOWR('r', 80, struct ipstate_save *)
@@ -80,8 +80,8 @@
# define SIOCFRSYN _IOW(r, 73, u_int)
# define SIOCFRZST _IOWR(r, 74, struct friostat *)
# define SIOCZRLST _IOWR(r, 75, struct frentry *)
-# define SIOCAUTHW _IOWR(r, 76, struct frauth_t *)
-# define SIOCAUTHR _IOWR(r, 77, struct frauth_t *)
+# define SIOCAUTHW _IOWR(r, 76, struct frauth *)
+# define SIOCAUTHR _IOWR(r, 77, struct frauth *)
# define SIOCATHST _IOWR(r, 78, struct fr_authstat *)
# define SIOCSTLCK _IOWR(r, 79, u_int)
# define SIOCSTPUT _IOWR(r, 80, struct ipstate_save *)
@@ -135,12 +135,11 @@ typedef struct fr_info {
void *fin_ifp; /* interface packet is `on' */
struct fr_ip fin_fi; /* IP Packet summary */
u_short fin_data[2]; /* TCP/UDP ports, ICMP code/type */
- u_char fin_out; /* in or out ? 1 == out, 0 == in */
- u_char fin_rev; /* state only: 1 = reverse */
+ u_int fin_out; /* in or out ? 1 == out, 0 == in */
u_short fin_hlen; /* length of IP header in bytes */
+ u_char fin_rev; /* state only: 1 = reverse */
u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */
- /* From here on is packet specific */
- u_char fin_icode; /* ICMP error to return */
+ u_int fin_icode; /* ICMP error to return */
u_32_t fin_rule; /* rule # last matched */
u_32_t fin_group; /* group number, -1 for none */
struct frentry *fin_fr; /* last matching rule */
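Review bot: Widening `fin_out` and `fin_icode` to `u_int` and moving `fin_rev` changes the layout of `fr_info_t`, which is embedded in `frauth_t` (see `au->fra_info.fin_out` in ip_auth.c, L318) and crosses the kernel/user boundary through `SIOCAUTHW`/`SIOCAUTHR` (L532-L533); ipf tools built against the old header will hand a mis-sized structure to a new kernel. Note that at the struct, e.g. `/* layout changed in 3.4.26: rebuild userland tools against this header */`. The removed `From here on is packet specific` comment has no replacement; if the FI_COPYSIZE/FI_LCSIZE cut-off at `fin_dp` (L573, L582) still marks that boundary, a comment at `fin_dp` would keep the information.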
@@ -149,6 +148,7 @@ typedef struct fr_info {
u_short fin_off;
u_short fin_dlen; /* length of data portion of packet */
u_short fin_id; /* IP packet id field */
+ u_int fin_misc;
void *fin_mp; /* pointer to pointer to mbuf */
#if SOLARIS
void *fin_qfm; /* pointer to mblk where pkt starts */
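Review bot: `fin_misc` is the only field in this block without a comment; `u_int fin_misc; /* FM_* flags, see FM_BADSTATE */` ties it to the flag the next hunk defines for it.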
@@ -171,6 +171,11 @@ typedef struct fr_info {
#define FI_LCSIZE offsetof(fr_info_t, fin_dp)
/*
+ * For fin_misc
+ */
+#define FM_BADSTATE 0x00000001
+
+/*
* Size for copying cache fr_info structure
*/
#define FI_COPYSIZE offsetof(fr_info_t, fin_dp)
@@ -421,10 +426,10 @@ typedef struct iplog {
typedef struct ipflog {
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
- u_char fl_ifname[LIFNAMSIZ];
+ char fl_ifname[LIFNAMSIZ];
#else
u_int fl_unit;
- u_char fl_ifname[LIFNAMSIZ];
+ char fl_ifname[LIFNAMSIZ];
#endif
u_char fl_plen; /* extra data after hlen */
u_char fl_hlen; /* length of IP headers saved */
diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c
index abc0faa8d72a..f240cd9da4e0 100644
--- a/contrib/ipfilter/ip_frag.c
+++ b/contrib/ipfilter/ip_frag.c
@@ -90,7 +90,7 @@ extern struct timeout ipfr_slowtimer_ch;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.20 2002/03/06 09:44:11 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.21 2002/04/10 04:56:10 darrenr Exp $";
#endif
@@ -584,9 +584,9 @@ void ipfr_slowtimer()
if (fr_running <= 0)
return;
+ READ_ENTER(&ipf_solaris);
#endif
- READ_ENTER(&ipf_solaris);
#if defined(__sgi) && defined(_KERNEL)
ipfilter_sgi_intfsync();
#endif
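Review bot: `READ_ENTER(&ipf_solaris)` is now inside the conditional block closed by the `#endif` on L610, whose `#if` is outside the hunk, so the lock is taken only on that platform; the matching `RWLOCK_EXIT(&ipf_solaris)` later in `ipfr_slowtimer()` is not in the hunk and must be under the same condition, otherwise other builds release a lock they never acquired. Naming the condition on the `#endif` (`#endif /* <condition> */`) would make the pairing visible at this point.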
diff --git a/contrib/ipfilter/ip_h323_pxy.c b/contrib/ipfilter/ip_h323_pxy.c
index 14aa47b7d4b3..a61b0402e907 100644
--- a/contrib/ipfilter/ip_h323_pxy.c
+++ b/contrib/ipfilter/ip_h323_pxy.c
@@ -52,18 +52,27 @@ unsigned char *data;
int datlen, *off;
unsigned short *port;
{
+ u_32_t addr;
+ u_char *dp;
+ int offset;
+
if (datlen < 6)
return -1;
*port = 0;
- for (*off = 0; *off <= datlen - 6; *off = *off + 1) {
- if (ipaddr == *(int *)(data + *off))
+ offset = *off;
+ dp = (u_char *)data;
+
+ for (offset = 0; offset <= datlen - 6; offset++, dp++) {
+ addr = (dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3];
+ if (ipaddr == addr)
{
- *port = (*(data + *off + 4) << 8) + *(data + *off +5);
+ *port = (*(dp + 4) << 8) | *(dp + 5);
break;
}
}
- return (*off > datlen - 6) ? -1 : 0;
+ *off = offset;
+ return (offset > datlen - 6) ? -1 : 0;
}
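Review bot: `offset = *off;` at L632 is dead, because the `for` on L635 immediately resets `offset` to 0; either drop it or start the scan at the caller's offset, whichever was intended. Separately, `addr` is assembled from the four bytes in big-endian order into a host-order value, while `ipaddr` is `ip->ip_src.s_addr` (L667), which holds the address in network byte order; on a little-endian host the two never compare equal, so the port is never found. Compare `addr == ntohl(ipaddr)`, or keep the byte comparison the old code effectively did with `bcmp(dp, &ipaddr, 4) == 0`.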
/*
@@ -109,11 +118,15 @@ ap_session_t *aps;
* We are lucky here because this function is not
* called with ipf_nat locked.
*/
- if (nat_ioctl((caddr_t)ipn, SIOCRMNAT, FWRITE) == -1) {
+ if (nat_ioctl((caddr_t)ipn, SIOCRMNAT, NAT_SYSSPACE|
+ NAT_LOCKHELD|FWRITE) == -1) {
/* log the error */
}
}
KFREES(aps->aps_data, aps->aps_psiz);
+ /* avoid double free */
+ aps->aps_data = NULL;
+ aps->aps_psiz = 0;
}
return;
}
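Review bot: The new call passes `NAT_LOCKHELD`, telling `nat_ioctl()` that the caller already holds `ipf_nat`, while the comment kept two lines above (L650-L651) says this function is never called with `ipf_nat` locked; one of the two is wrong, and the comment should be rewritten to state which lock state the flag reflects, e.g. `/* our caller holds ipf_nat; nat_ioctl() must not retake it */`. Passing `NAT_SYSSPACE` is consistent with `ipn` pointing into the kernel-side `aps_data` copy.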
@@ -144,7 +157,7 @@ nat_t *nat;
ipaddr = ip->ip_src.s_addr;
data = (unsigned char *)tcp + (tcp->th_off << 2);
- datlen = ip->ip_len - (ip->ip_hl << 2) - (tcp->th_off << 2);
+ datlen = fin->fin_dlen - (tcp->th_off << 2);
if (find_port(ipaddr, data, datlen, &off, &port) == 0) {
ipnat_t *ipn;
char *newarray;
@@ -177,13 +190,16 @@ nat_t *nat;
* of calling nat_ioctl(), we add the nat rule ourself.
*/
RWLOCK_EXIT(&ipf_nat);
- if (nat_ioctl((caddr_t)ipn, SIOCADNAT, FWRITE) == -1) {
+ if (nat_ioctl((caddr_t)ipn, SIOCADNAT,
+ NAT_SYSSPACE|FWRITE) == -1) {
READ_ENTER(&ipf_nat);
return -1;
}
READ_ENTER(&ipf_nat);
- bcopy(aps->aps_data, newarray, aps->aps_psiz);
- KFREES(aps->aps_data, aps->aps_psiz);
+ if (aps->aps_data != NULL && aps->aps_psiz > 0) {
+ bcopy(aps->aps_data, newarray, aps->aps_psiz);
+ KFREES(aps->aps_data, aps->aps_psiz);
+ }
aps->aps_data = newarray;
aps->aps_psiz += sizeof(*ipn);
}
@@ -256,8 +272,10 @@ nat_t *nat;
#ifdef IPFILTER_LOG
nat_log(ipn, (u_int)(nat->nat_ptr->in_redir));
#endif
- *(int *)(data + off) = ip->ip_src.s_addr;
- *(short *)(data + off + 4) = ipn->nat_outport;
+ bcopy((u_char*)&ip->ip_src.s_addr,
+ data + off, 4);
+ bcopy((u_char*)&ipn->nat_outport,
+ data + off + 4, 2);
}
}
}
diff --git a/contrib/ipfilter/ip_log.c b/contrib/ipfilter/ip_log.c
index e56c60262460..45bc74c7114c 100644
--- a/contrib/ipfilter/ip_log.c
+++ b/contrib/ipfilter/ip_log.c
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ip_log.c,v 2.5.2.17 2002/03/13 03:57:05 darrenr Exp $
+ * $Id: ip_log.c,v 2.5.2.18 2002/03/26 15:54:40 darrenr Exp $
*/
#include <sys/param.h>
#if defined(KERNEL) && !defined(_KERNEL)
@@ -84,6 +84,7 @@
# include <net/route.h>
# include <netinet/in.h>
# ifdef __sgi
+# define _KMEMUSER
# include <sys/ddi.h>
# ifdef IFF_DRVRLOCK /* IRIX6 */
# include <sys/hashing.h>
diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c
index 5c10bc4ba3f3..e0d595193460 100644
--- a/contrib/ipfilter/ip_nat.c
+++ b/contrib/ipfilter/ip_nat.c
@@ -109,7 +109,7 @@ extern struct ifnet vpnif;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.63 2002/03/06 09:44:11 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.66 2002/04/23 14:58:27 darrenr Exp $";
#endif
nat_t **nat_table[2] = { NULL, NULL },
@@ -425,7 +425,7 @@ caddr_t data;
int mode;
{
register ipnat_t *nat, *nt, *n = NULL, **np = NULL;
- int error = 0, ret, arg;
+ int error = 0, ret, arg, getlock;
ipnat_t natd;
u_32_t i, j;
@@ -436,9 +436,15 @@ int mode;
nat = NULL; /* XXX gcc -Wuninitialized */
KMALLOC(nt, ipnat_t *);
- if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT))
- error = IRCOPYPTR(data, (char *)&natd, sizeof(natd));
- else if (cmd == SIOCIPFFL) { /* SIOCFLNAT & SIOCCNATL */
+ getlock = (mode & NAT_LOCKHELD) ? 0 : 1;
+ if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
+ if (mode & NAT_SYSSPACE) {
+ bcopy(data, (char *)&natd, sizeof(natd));
+ error = 0;
+ } else {
+ error = IRCOPYPTR(data, (char *)&natd, sizeof(natd));
+ }
+ } else if (cmd == SIOCIPFFL) { /* SIOCFLNAT & SIOCCNATL */
error = IRCOPY(data, (char *)&arg, sizeof(arg));
if (error)
error = EFAULT;
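Review bot: `NAT_SYSSPACE` makes `nat_ioctl()` `bcopy()` straight from `data` as a kernel pointer instead of copying it in, and `mode` is the same word that carries `FWRITE` from the ioctl path (ip_h323_pxy.c ORs them together at L654 and L680); if the user-facing ioctl entry forwards the open-file flags unmasked, a flag word with bit 31 or 30 set would turn a user-supplied pointer into a kernel-space read, and `NAT_LOCKHELD` into an unlocked table update. The dispatcher is not on this page, so clear the two bits there for userland callers, `mode &= ~(NAT_SYSSPACE|NAT_LOCKHELD);`, and say in a comment at the top of `nat_ioctl()` that only in-kernel callers may set them.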
@@ -450,7 +456,8 @@ int mode;
/*
* For add/delete, look to see if the NAT entry is already present
*/
- WRITE_ENTER(&ipf_nat);
+ if (getlock == 1)
+ WRITE_ENTER(&ipf_nat);
if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
nat = &natd;
nat->in_flags &= IPN_USERFLAGS;
@@ -715,7 +722,8 @@ int mode;
error = EINVAL;
break;
}
- RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
+ if (getlock == 1)
+ RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
done:
if (nt)
KFREE(nt);
@@ -831,7 +839,7 @@ caddr_t data;
return ENOMEM;
bcopy((char *)&ipn, (char *)ipnn, sizeof(ipn));
- bcopy((char *)aps, ipnn->ipn_data, sizeof(*aps));
+ bcopy((char *)aps, (char *)ipnn->ipn_data, sizeof(*aps));
if (aps->aps_data) {
bcopy(aps->aps_data, ipnn->ipn_data + sizeof(*aps),
aps->aps_psiz);
@@ -1650,11 +1658,12 @@ int dir;
{
u_32_t sum1, sum2, sumd, sumd2 = 0;
struct in_addr in;
+ int flags, dlen;
icmphdr_t *icmp;
udphdr_t *udp;
+ tcphdr_t *tcp;
nat_t *nat;
ip_t *oip;
- int flags;
if ((fin->fin_fl & FI_SHORT) || (fin->fin_off != 0))
return NULL;
@@ -1673,6 +1682,13 @@ int dir;
else if (oip->ip_p == IPPROTO_UDP)
flags = IPN_UDP;
udp = (udphdr_t *)((((char *)oip) + (oip->ip_hl << 2)));
+ dlen = ip->ip_len - ((char *)udp - (char *)ip);
+ /*
+ * XXX - what if this is bogus hl and we go off the end ?
+ * In this case, nat_icmplookup() will have returned NULL.
+ */
+ tcp = (tcphdr_t *)udp;
+
/*
* Need to adjust ICMP header to include the real IP#'s and
* port #'s. Only apply a checksum change relative to the
@@ -1695,8 +1711,6 @@ int dir;
* change in the UDP and TCP checksums require yet another
* adjustment of the ICMP checksum of the ICMP error message.
*
- * For the moment we forget about TCP, because that checksum is not
- * in the first 8 bytes, so it will not be available in most cases.
*/
if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) {
@@ -1754,15 +1768,25 @@ int dir;
sumd2 = sumd;
}
-#if 0
+#if 1
/*
* Fix TCP pseudo header checksum to compensate for the
* IP address change. Before we can do the change, we
* must make sure that oip is sufficient large to hold
* the TCP checksum (normally it does not!).
*/
- if (oip->ip_p == IPPROTO_TCP) {
+ if (oip->ip_p == IPPROTO_TCP && dlen >= 18) {
+ sum1 = ntohs(tcp->th_sum);
+ fix_datacksum(&tcp->th_sum, sumd);
+ sum2 = ntohs(tcp->th_sum);
+
+ /*
+ * Fix ICMP checksum to compensate the TCP
+ * checksum adjustment.
+ */
+ CALC_SUMD(sum1, sum2, sumd);
+ sumd2 = sumd;
}
#endif
} else {
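Review bot: The `#if 1`/`#endif` around the TCP checksum fix (L832-L852, again at L858-L878) is leftover toggling and should go, and the `};` at L877 carries a stray semicolon. The same block — fix `th_sum`, then fold the delta into the ICMP checksum — now appears four times in this function (here, L866-L877, L915-L928 and L943-L955); a small static helper taking `tcp`, `sumd` and `&sumd2` would keep the copies in step. The first two copies assign `sumd2 = sumd` while the last two accumulate `sumd2 += sumd`; if that difference is intended, a comment should say why.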
@@ -1813,15 +1837,25 @@ int dir;
sumd2 = sumd;
}
-#if 0
+#if 1
/*
* Fix TCP pseudo header checksum to compensate for the
* IP address change. Before we can do the change, we
* must make sure that oip is sufficient large to hold
* the TCP checksum (normally it does not!).
*/
- if (oip->ip_p == IPPROTO_TCP) {
+ if (oip->ip_p == IPPROTO_TCP && dlen >= 18) {
+ sum1 = ntohs(tcp->th_sum);
+ fix_datacksum(&tcp->th_sum, sumd);
+ sum2 = ntohs(tcp->th_sum);
+
+ /*
+ * Fix ICMP checksum to compensate the TCP
+ * checksum adjustment.
+ */
+ CALC_SUMD(sum1, sum2, sumd);
+ sumd2 = sumd;
};
#endif
@@ -1829,14 +1863,6 @@ int dir;
}
if ((flags & IPN_TCPUDP) != 0) {
- tcphdr_t *tcp;
-
- /*
- * XXX - what if this is bogus hl and we go off the end ?
- * In this case, nat_icmpinlookup() will have returned NULL.
- */
- tcp = (tcphdr_t *)udp;
-
/*
* Step 2 :
* For offending TCP/UDP IP packets, translate the ports as
@@ -1852,8 +1878,9 @@ int dir;
*
* To further complicate: the TCP checksum is not in the first
* 8 bytes of the offending ip packet, so it most likely is not
- * available (we might have to fix that if the encounter a
- * device that returns more than 8 data bytes on icmp error)
+ * available. Some OSses like Solaris return enough bytes to
+ * include the TCP checksum. So we have to check if the
+ * ip->ip_len actually holds the TCP checksum of the oip!
*/
if (nat->nat_oport == tcp->th_dport) {
@@ -1891,6 +1918,27 @@ int dir;
CALC_SUMD(sum1, sum2, sumd);
sumd2 += sumd;
}
+
+ /*
+ * Fix tcp checksum (if present) to compensate
+ * port adjustment. NOTE : the offending IP
+ * packet flows the other direction compared to
+ * the ICMP message.
+ */
+ if (oip->ip_p == IPPROTO_TCP && dlen >= 18) {
+
+ sum1 = ntohs(tcp->th_sum);
+ fix_datacksum(&tcp->th_sum, sumd);
+ sum2 = ntohs(tcp->th_sum);
+
+ /*
+ * Fix ICMP checksum to
+ * compensate TCP checksum
+ * adjustment.
+ */
+ CALC_SUMD(sum1, sum2, sumd);
+ sumd2 += sumd;
+ }
}
} else {
if (tcp->th_dport != nat->nat_outport) {
@@ -1926,6 +1974,26 @@ int dir;
CALC_SUMD(sum1, sum2, sumd);
sumd2 += sumd;
}
+
+ /*
+ * Fix tcp checksum (if present) to compensate
+ * port adjustment. NOTE : the offending IP
+ * packet flows the other direction compared to
+ * the ICMP message.
+ */
+ if (oip->ip_p == IPPROTO_TCP && dlen >= 18) {
+
+ sum1 = ntohs(tcp->th_sum);
+ fix_datacksum(&tcp->th_sum, sumd);
+ sum2 = ntohs(tcp->th_sum);
+
+ /*
+ * Fix ICMP checksum to compensate
+ * UDP checksum adjustment.
+ */
+ CALC_SUMD(sum1, sum2, sumd);
+ sumd2 += sumd;
+ }
}
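Review bot: The comment at L950-L951, `Fix ICMP checksum to compensate UDP checksum adjustment`, sits in a block guarded by `oip->ip_p == IPPROTO_TCP` that adjusts `tcp->th_sum`; it should read `TCP checksum adjustment`, like its counterpart at L922-L924.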
}
if (sumd2) {
@@ -2435,7 +2503,7 @@ maskloop:
csump = &tcp->th_sum;
MUTEX_ENTER(&nat->nat_lock);
fr_tcp_age(&nat->nat_age,
- nat->nat_tcpstate, fin, 1);
+ nat->nat_tcpstate, fin, 1, 0);
if (nat->nat_age < fr_defnaticmpage)
nat->nat_age = fr_defnaticmpage;
#ifdef LARGE_NAT
@@ -2643,7 +2711,7 @@ maskloop:
csump = &tcp->th_sum;
MUTEX_ENTER(&nat->nat_lock);
fr_tcp_age(&nat->nat_age,
- nat->nat_tcpstate, fin, 0);
+ nat->nat_tcpstate, fin, 0, 0);
if (nat->nat_age < fr_defnaticmpage)
nat->nat_age = fr_defnaticmpage;
#ifdef LARGE_NAT
diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h
index 4b2acc485283..b3b0b27723f9 100644
--- a/contrib/ipfilter/ip_nat.h
+++ b/contrib/ipfilter/ip_nat.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_nat.h 1.5 2/4/96
- * $Id: ip_nat.h,v 2.17.2.25 2002/01/01 15:10:49 darrenr Exp $
+ * $Id: ip_nat.h,v 2.17.2.26 2002/04/20 16:42:05 darrenr Exp $
*/
#ifndef __IP_NAT_H__
@@ -276,6 +276,8 @@ typedef struct natlog {
(sd) = (s2) - (s1); \
(sd) = ((sd) & 0xffff) + ((sd) >> 16); }
+#define NAT_SYSSPACE 0x80000000
+#define NAT_LOCKHELD 0x40000000
extern u_int ipf_nattable_sz;
extern u_int ipf_natrules_sz;
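Review bot: `NAT_SYSSPACE` and `NAT_LOCKHELD` are added without a comment although they are ORed into the `mode` argument of `nat_ioctl()` next to `FWRITE`; document them, `#define NAT_SYSSPACE 0x80000000 /* nat_ioctl(): data is a kernel pointer */` and `#define NAT_LOCKHELD 0x40000000 /* nat_ioctl(): caller holds ipf_nat */`, and state that they must never be accepted from a userland ioctl.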
diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c
index e134f6562b6b..a00d8fda93df 100644
--- a/contrib/ipfilter/ip_sfil.c
+++ b/contrib/ipfilter/ip_sfil.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.15 2001/12/26 22:28:51 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.16 2002/04/05 08:43:25 darrenr Exp $";
#endif
#include <sys/types.h>
@@ -61,6 +61,7 @@ int fr_running = 0;
int ipl_unreach = ICMP_UNREACH_HOST;
u_long ipl_frouteok[2] = {0, 0};
static int frzerostats __P((caddr_t));
+static u_long *ip_ttl_ptr;
static int frrequest __P((minor_t, int, caddr_t, int));
static int send_ip __P((fr_info_t *fin, mblk_t *m));
@@ -107,6 +108,8 @@ int ipldetach()
int iplattach __P((void))
{
+ int i;
+
#ifdef IPFDEBUG
cmn_err(CE_CONT, "iplattach()\n");
#endif
@@ -133,6 +136,19 @@ int iplattach __P((void))
return -1;
if (appr_init() == -1)
return -1;
+
+ ip_ttl_ptr = NULL;
+ /*
+ * XXX - There is no terminator for this array, so it is not possible
+ * to tell if what we are looking for is missing and go off the end
+ * of the array.
+ */
+ for (i = 0; ; i++) {
+ if (!strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl")) {
+ ip_ttl_ptr = &ip_param_arr[i].ip_param_value;
+ break;
+ }
+ }
return 0;
}
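Review bot: The lookup loop has no upper bound, so on a Solaris build whose `ip_param_arr` lacks an `ip_def_ttl` entry it walks off the end of the array at attach time, as the XXX comment itself admits. The two hunks below (@@ -774 and @@ -894) then dereference `*ip_ttl_ptr` unconditionally, so there is no graceful path if the lookup is ever made to fail instead of crash. If the Solaris header exposes the array length (or a NULL `ip_param_name` terminator — both need confirming), bound the loop on it; in any case keep the previous constant as a fallback in both senders: `ip->ip_ttl = (ip_ttl_ptr != NULL) ? (u_char)*ip_ttl_ptr : 60;`.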
@@ -774,7 +790,7 @@ mblk_t *m;
ip = (ip_t *)m->b_rptr;
ip->ip_v = IPVERSION;
- ip->ip_ttl = 60;
+ ip->ip_ttl = (u_char)(*ip_ttl_ptr);
ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m);
}
READ_ENTER(&ipf_solaris);
@@ -894,7 +910,7 @@ int dst;
ip->ip_p = IPPROTO_ICMP;
ip->ip_id = oip->ip_id;
ip->ip_sum = 0;
- ip->ip_ttl = 60;
+ ip->ip_ttl = (u_char)(*ip_ttl_ptr);
ip->ip_tos = oip->ip_tos;
ip->ip_len = (u_short)htons(sz);
if (dst == 0) {
diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c
index 255bdad61f75..2e8b8f3f7e1b 100644
--- a/contrib/ipfilter/ip_state.c
+++ b/contrib/ipfilter/ip_state.c
@@ -93,7 +93,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.61 2002/03/06 14:07:36 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.66 2002/04/15 12:14:03 darrenr Exp $";
#endif
#ifndef MIN
@@ -123,6 +123,7 @@ static ips_stat_t *fr_statetstats __P((void));
static void fr_delstate __P((ipstate_t *));
static int fr_state_remove __P((caddr_t));
static void fr_ipsmove __P((ipstate_t **, ipstate_t *, u_int));
+static int fr_tcpoptions __P((tcphdr_t *));
int fr_stputent __P((caddr_t));
int fr_stgetent __P((caddr_t));
void fr_stinsert __P((ipstate_t *));
@@ -298,7 +299,7 @@ caddr_t data;
if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) &&
!bcmp((char *)&sp->is_src, (char *)&st.is_src,
sizeof(st.is_src)) &&
- !bcmp((char *)&sp->is_dst, (char *)&st.is_src,
+ !bcmp((char *)&sp->is_dst, (char *)&st.is_dst,
sizeof(st.is_dst)) &&
!bcmp((char *)&sp->is_ps, (char *)&st.is_ps,
sizeof(st.is_ps))) {
@@ -578,7 +579,8 @@ u_int flags;
void *ifp;
int out;
- if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT))
+ if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) ||
+ (fin->fin_misc & FM_BADSTATE))
return NULL;
if (ips_num == fr_statemax) {
ips_stats.iss_max++;
@@ -619,6 +621,8 @@ u_int flags;
switch (is->is_p)
{
+ int off;
+
#ifdef USE_INET6
case IPPROTO_ICMPV6 :
ic = (struct icmp *)fin->fin_dp;
@@ -680,15 +684,22 @@ u_int flags;
hv += is->is_dport;
}
is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen -
- (tcp->th_off << 2) +
+ (off = (tcp->th_off << 2)) +
((tcp->th_flags & TH_SYN) ? 1 : 0) +
((tcp->th_flags & TH_FIN) ? 1 : 0);
is->is_maxsend = is->is_send;
- is->is_dend = 0;
is->is_maxdwin = 1;
is->is_maxswin = ntohs(tcp->th_win);
if (is->is_maxswin == 0)
is->is_maxswin = 1;
+
+ if ((tcp->th_flags & TH_OPENING) == TH_SYN)
+ is->is_fsm = 1;
+
+ if ((tcp->th_flags & TH_SYN) &&
+ ((tcp->th_off << 2) >= (sizeof(*tcp) + 4)))
+ is->is_swscale = fr_tcpoptions(tcp);
+
/*
* If we're creating state for a starting connection, start the
* timer on it as we'll never see an error if it fails to
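Review bot: `is->is_swscale = fr_tcpoptions(tcp)` stores the helper's -2 ("no WSCALE option") result into the `u_char td_wscale` field added in the ip_state.h hunk, i.e. 254, and that value is later used as a shift count by `win <<= fdata->td_wscale` in fr_tcpstate (@@ -853 hunk); a shift of a 32-bit value by 254 is undefined and in practice breaks the window check. This is reachable with an ordinary SYN carrying MSS but no WSCALE whenever the reply SYN-ACK carries no options at all (the wscale == -1 path in fr_tcpstate clears nothing). Clamp at the call site: `wscale = fr_tcpoptions(tcp);` / `is->is_swscale = (wscale > 0) ? wscale : 0;` with an `int wscale;` added to the declarations. fr_addstate starts and ends outside this hunk.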
@@ -785,7 +796,7 @@ u_int flags;
is->is_me = stsave;
if (is->is_p == IPPROTO_TCP) {
fr_tcp_age(&is->is_age, is->is_state, fin,
- 0); /* 0 = packet from the source */
+ 0, is->is_fsm); /* 0 = packet from the source */
}
#ifdef IPFILTER_LOG
ipstate_log(is, ISL_NEW);
@@ -798,6 +809,46 @@ u_int flags;
}
+static int fr_tcpoptions(tcp)
+tcphdr_t *tcp;
+{
+ u_char *opt, *last;
+ int wscale;
+
+ opt = (u_char *) (tcp + 1);
+ last = ((u_char *)tcp) + (tcp->th_off << 2);
+
+ /* If we don't find wscale here, we need to clear it */
+ wscale = -2;
+
+ /* Termination condition picked such that opt[0 .. 2] exist */
+ while ((opt < last - 2) && (*opt != TCPOPT_EOL)) {
+ switch (*opt) {
+ case TCPOPT_NOP:
+ opt++;
+ continue;
+ case TCPOPT_WSCALE:
+ /* Proper length ? */
+ if (opt[1] == 3) {
+ if (opt[2] > 14)
+ wscale = 14;
+ else
+ wscale = opt[2];
+ }
+ break;
+ default:
+ /* Unknown options must be two bytes+ */
+ if (opt[1] < 2)
+ break;
+ opt += opt[1];
+ continue;
+ }
+ break;
+ }
+ return wscale;
+}
+
+
/*
* check to see if a packet with TCP headers fits within the TCP window.
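Review bot: fr_tcpoptions has no header comment, and its return contract (-2 = no WSCALE option, otherwise the shift count clamped to 14) is exactly what both callers must special-case, so it deserves one; suggested text: `/* Walk the options of a TCP header. Returns the window-scale shift (clamped to 14), or -2 if no WSCALE option was found. Parsing stops at EOL, at an option with length < 2, or at a WSCALE option of the wrong length. */`. The walk is bounded only by th_off (`last`), not by the data actually present (fin_dlen); that is safe only if callers already rejected headers extending past the packet (FI_SHORT handling in fr_makefrip, not visible here), which is worth stating as a precondition in the same comment. Note also that a WSCALE option with a bad length ends parsing with -2, which fr_tcpstate then treats as "clear scaling on both sides" — possibly intended, but currently undocumented.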
@@ -813,9 +864,10 @@ tcphdr_t *tcp;
register tcp_seq seq, ack, end;
register int ackskew;
tcpdata_t *fdata, *tdata;
- u_short win, maxwin;
- int ret = 0;
+ u_32_t win, maxwin;
+ int ret = 0, off;
int source;
+ int wscale;
/*
* Find difference between last checked packet and this packet.
@@ -825,15 +877,29 @@ tcphdr_t *tcp;
source = 0;
fdata = &is->is_tcp.ts_data[!source];
tdata = &is->is_tcp.ts_data[source];
+ off = tcp->th_off << 2;
seq = ntohl(tcp->th_seq);
ack = ntohl(tcp->th_ack);
win = ntohs(tcp->th_win);
- end = seq + fin->fin_dlen - (tcp->th_off << 2) +
+ end = seq + fin->fin_dlen - off +
((tcp->th_flags & TH_SYN) ? 1 : 0) +
((tcp->th_flags & TH_FIN) ? 1 : 0);
+
+ if ((tcp->th_flags & TH_SYN) && (off >= sizeof(*tcp) + 4))
+ wscale = fr_tcpoptions(tcp);
+ else
+ wscale = -1;
+
MUTEX_ENTER(&is->is_lock);
- if (fdata->td_end == 0) {
+
+ if (wscale >= 0)
+ fdata->td_wscale = wscale;
+ else if (wscale == -2)
+ fdata->td_wscale = tdata->td_wscale = 0;
+
+ if ((fdata->td_end == 0) &&
+ (!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) {
/*
* Must be a (outgoing) SYN-ACK in reply to a SYN.
*/
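Review bot: The td_wscale update at the `if (wscale >= 0)` lines runs before `fr_tcp_age` validates the flags and before the sequence/ack window check, so any bare SYN whose 4-tuple matches a live state rewrites or clears that state's scale factor with no sequence knowledge required, after which legitimate packets' windows are computed with the wrong scale and can fail the check (the bare-SYN case is also exempted from FM_BADSTATE at the end of the function). It also applies the newly learned factor to this very segment's window (`win <<= fdata->td_wscale` a few lines further down), whereas the window field of a SYN or SYN-ACK is never scaled. Moving the two assignments into the `fr_tcp_age(...) == 0` branch of the next hunk, after the shift, addresses both, assuming the SYN-ACK path still reaches that branch — the window test enclosing it is outside the hunk.
```c
	if (fr_tcp_age(&is->is_age, is->is_state, fin, !source,
		       (int)is->is_fsm) == 0) {
		/*
		 * Only a segment the FSM accepted may change the scale
		 * factors; SYN windows are never scaled themselves, so this
		 * deliberately runs after "win <<= fdata->td_wscale".
		 */
		if (wscale >= 0)
			fdata->td_wscale = wscale;
		else if (wscale == -2)
			fdata->td_wscale = tdata->td_wscale = 0;
		if (ackskew < 0)
			tdata->td_end = ack;
		/* … unchanged: maxwin / td_end / td_maxend update, iss_hits, ret = 1 … */
	}
```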
@@ -853,6 +919,7 @@ tcphdr_t *tcp;
if (seq == end)
seq = end = fdata->td_end;
+ win <<= fdata->td_wscale;
maxwin = tdata->td_maxwin;
ackskew = tdata->td_end - ack;
@@ -878,29 +945,33 @@ tcphdr_t *tcp;
* Thus, when ackskew is negative but still seems to belong
* to this session, we bump up the destinations end value.
*/
- if (ackskew < 0)
- tdata->td_end = ack;
-
- /* update max window seen */
- if (fdata->td_maxwin < win)
- fdata->td_maxwin = win;
- if (SEQ_GT(end, fdata->td_end))
- fdata->td_end = end;
- if (SEQ_GE(ack + win, tdata->td_maxend)) {
- tdata->td_maxend = ack + win;
- if (win == 0)
- tdata->td_maxend++;
- }
-
- ATOMIC_INCL(ips_stats.iss_hits);
/*
* Nearing end of connection, start timeout.
*/
/* source ? 0 : 1 -> !source */
- fr_tcp_age(&is->is_age, is->is_state, fin, !source);
- ret = 1;
+ if (fr_tcp_age(&is->is_age, is->is_state, fin, !source,
+ (int)is->is_fsm) == 0) {
+ if (ackskew < 0)
+ tdata->td_end = ack;
+
+ /* update max window seen */
+ if (fdata->td_maxwin < win)
+ fdata->td_maxwin = win;
+ if (SEQ_GT(end, fdata->td_end))
+ fdata->td_end = end;
+ if (SEQ_GE(ack + win, tdata->td_maxend)) {
+ tdata->td_maxend = ack + win;
+ if (win == 0)
+ tdata->td_maxend++;
+ }
+
+ ATOMIC_INCL(ips_stats.iss_hits);
+ ret = 1;
+ }
}
MUTEX_EXIT(&is->is_lock);
+ if ((ret == 0) && (tcp->th_flags != TH_SYN))
+ fin->fin_misc |= FM_BADSTATE;
return ret;
}
@@ -1079,9 +1150,9 @@ fr_info_t *fin;
register ipstate_t *is, **isp;
register u_short sport, dport;
register u_char pr;
+ u_short savelen, ohlen;
union i6addr dst, src;
struct icmp *ic;
- u_short savelen;
icmphdr_t *icmp;
fr_info_t ofin;
int type, len;
@@ -1110,14 +1181,15 @@ fr_info_t *fin;
return NULL;
oip = (ip_t *)((char *)ic + ICMPERR_ICMPHLEN);
- if (fin->fin_plen < ICMPERR_MAXPKTLEN + ((oip->ip_hl - 5) << 2))
+ ohlen = oip->ip_hl << 2;
+ if (fin->fin_plen < ICMPERR_MAXPKTLEN + ohlen - sizeof(*oip))
return NULL;
/*
* Sanity checks.
*/
len = fin->fin_dlen - ICMPERR_ICMPHLEN;
- if ((len <= 0) || ((oip->ip_hl << 2) > len))
+ if ((len <= 0) || (ohlen > len))
return NULL;
/*
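Review bot: Nothing in this hunk rejects an inner header with `ip_hl < 5`: `ohlen` is then 0..16, the `fin_plen` test passes as long as ICMPERR_MAXPKTLEN exceeds sizeof(*oip) (its value is not visible here), `ohlen > len` passes, and the later `tcp = (tcphdr_t *)((char *)oip + ohlen)` reads the ports out of the inner IP header bytes. That is not an out-of-bounds read, but it lets a malformed ICMP error drive a state lookup with garbage ports. Add `if (ohlen < sizeof(*oip)) return NULL;` directly after `ohlen = oip->ip_hl << 2;`; the `fin_plen < ICMPERR_MAXPKTLEN` check added in the TCP/UDP case below does not cover this. The enclosing function starts and ends outside the hunk.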
@@ -1157,7 +1229,7 @@ fr_info_t *fin;
switch (oip->ip_p)
{
case IPPROTO_ICMP :
- icmp = (icmphdr_t *)((char *)oip + (oip->ip_hl << 2));
+ icmp = (icmphdr_t *)((char *)oip + ohlen);
/*
* a ICMP error can only be generated as a result of an
@@ -1187,7 +1259,7 @@ fr_info_t *fin;
savelen = oip->ip_len;
oip->ip_len = len;
ofin.fin_v = 4;
- fr_makefrip(oip->ip_hl << 2, oip, &ofin);
+ fr_makefrip(ohlen, oip, &ofin);
oip->ip_len = savelen;
ofin.fin_ifp = fin->fin_ifp;
ofin.fin_out = !fin->fin_out;
@@ -1209,12 +1281,14 @@ fr_info_t *fin;
case IPPROTO_TCP :
case IPPROTO_UDP :
+ if (fin->fin_plen < ICMPERR_MAXPKTLEN)
+ return NULL;
break;
default :
return NULL;
}
- tcp = (tcphdr_t *)((char *)oip + (oip->ip_hl << 2));
+ tcp = (tcphdr_t *)((char *)oip + ohlen);
dport = tcp->th_dport;
sport = tcp->th_sport;
@@ -1239,7 +1313,7 @@ fr_info_t *fin;
savelen = oip->ip_len;
oip->ip_len = len;
ofin.fin_v = 4;
- fr_makefrip(oip->ip_hl << 2, oip, &ofin);
+ fr_makefrip(ohlen, oip, &ofin);
oip->ip_len = savelen;
ofin.fin_ifp = fin->fin_ifp;
ofin.fin_out = !fin->fin_out;
@@ -1481,9 +1555,8 @@ retry_tcpudp:
fr_matchsrcdst(is, src, dst, fin, tcp)) {
rev = fin->fin_rev;
if ((pr == IPPROTO_TCP)) {
- if (!fr_tcpstate(is, fin, ip, tcp)) {
- continue;
- }
+ if (!fr_tcpstate(is, fin, ip, tcp))
+ is = NULL;
} else if ((pr == IPPROTO_UDP)) {
if (is->is_frage[rev] != 0)
is->is_age = is->is_frage[rev];
@@ -1504,6 +1577,7 @@ retry_tcpudp:
}
break;
}
+
RWLOCK_EXIT(&ipf_state);
if (!tryagain && ips_wild) {
hv -= dport;
@@ -1703,15 +1777,16 @@ void fr_timeoutstate()
* dir == 1 : a packet from dest to source
*
*/
-void fr_tcp_age(age, state, fin, dir)
+int fr_tcp_age(age, state, fin, dir, fsm)
u_long *age;
u_char *state;
fr_info_t *fin;
-int dir;
+int dir, fsm;
{
tcphdr_t *tcp = (tcphdr_t *)fin->fin_dp;
u_char flags = tcp->th_flags;
int dlen, ostate;
+ u_long newage;
ostate = state[1 - dir];
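Review bot: fr_tcp_age now returns an int and takes `fsm`, but the block comment above the signature (partly visible, "dir == 1 : a packet from dest to source") says what neither means, and callers depend on it (fr_tcpstate discards the packet on a non-zero return). Suggested addition to that comment: `fsm != 0 : strict mode, the "bare ACK implies ESTABLISHED" guess is disabled. Returns 0 when the flags are acceptable for state[dir] and *age has been updated, -1 otherwise with *age left untouched.` It is also worth noting there that the old `*age = fr_tcptimeout` default is gone and only TIME_WAIT assigns it explicitly, so every case that accepts a packet must set newage or the packet is rejected.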
@@ -1725,10 +1800,10 @@ int dir;
*age = fr_tcpclosewait;
state[dir] = TCPS_CLOSE_WAIT;
}
- return;
+ return 0;
}
- *age = fr_tcptimeout; /* default 4 mins */
+ newage = 0;
switch(state[dir])
{
@@ -1739,11 +1814,11 @@ int dir;
* CLOSED -> SYN_RECEIVED
*/
state[dir] = TCPS_SYN_RECEIVED;
- *age = fr_tcptimeout;
- } else if ((flags & (TH_SYN|TH_ACK)) == TH_SYN) {
+ newage = fr_tcptimeout;
+ } else if ((flags & TH_OPENING) == TH_SYN) {
/* 'dir' sent S, CLOSED -> SYN_SENT */
state[dir] = TCPS_SYN_SENT;
- *age = fr_tcptimeout;
+ newage = fr_tcptimeout;
}
/*
* The next piece of code makes it possible to get
@@ -1752,12 +1827,12 @@ int dir;
* does not work when a strict 'flags S keep state' is
* used for tcp connections of course
*/
- if ((flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK) {
+ if (!fsm && (flags & (TH_FIN|TH_SYN|TH_RST|TH_ACK)) == TH_ACK) {
/* we saw an A, guess 'dir' is in ESTABLISHED mode */
if (state[1 - dir] == TCPS_CLOSED ||
state[1 - dir] == TCPS_ESTABLISHED) {
state[dir] = TCPS_ESTABLISHED;
- *age = fr_tcpidletimeout;
+ newage = fr_tcpidletimeout;
}
}
/*
@@ -1772,14 +1847,24 @@ int dir;
break;
case TCPS_SYN_SENT: /* 2 */
- if ((flags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) {
+ if (flags == TH_SYN) {
+ /*
+ * A retransmitted SYN packet. We do not reset the
+ * timeout here to fr_tcptimeout because a connection
+ * connect timeout does not renew after every packet
+ * that is sent. We need to set newage to something
+ * to indicate the packet has passed the check for its
+ * flags being valid in the TCP FSM.
+ */
+ newage = *age;
+ } else if ((flags & (TH_SYN|TH_FIN|TH_ACK)) == TH_ACK) {
/*
* We see an A from 'dir' which is in SYN_SENT
* state: 'dir' sent an A in response to an SA
* which it received, SYN_SENT -> ESTABLISHED
*/
state[dir] = TCPS_ESTABLISHED;
- *age = fr_tcpidletimeout;
+ newage = fr_tcpidletimeout;
} else if (flags & TH_FIN) {
/*
* We see an F from 'dir' which is in SYN_SENT
@@ -1787,7 +1872,7 @@ int dir;
* connection; SYN_SENT -> FIN_WAIT_1
*/
state[dir] = TCPS_FIN_WAIT_1;
- *age = fr_tcpidletimeout; /* or fr_tcptimeout? */
+ newage = fr_tcpidletimeout; /* or fr_tcptimeout? */
} else if ((flags & TH_OPENING) == TH_OPENING) {
/*
* We see an SA from 'dir' which is already in
@@ -1795,7 +1880,7 @@ int dir;
* simultaneous open; SYN_SENT -> SYN_RECEIVED
*/
state[dir] = TCPS_SYN_RECEIVED;
- *age = fr_tcptimeout;
+ newage = fr_tcptimeout;
}
break;
@@ -1807,7 +1892,7 @@ int dir;
* SYN_RECEIVED -> ESTABLISHED
*/
state[dir] = TCPS_ESTABLISHED;
- *age = fr_tcpidletimeout;
+ newage = fr_tcpidletimeout;
} else if (flags & TH_FIN) {
/*
* We see an F from 'dir' which is in SYN_RECEIVED
@@ -1815,7 +1900,7 @@ int dir;
* SYN_RECEIVED -> FIN_WAIT_1
*/
state[dir] = TCPS_FIN_WAIT_1;
- *age = fr_tcpidletimeout;
+ newage = fr_tcpidletimeout;
}
break;
@@ -1827,7 +1912,7 @@ int dir;
* ESTABLISHED -> FIN_WAIT_1
*/
state[dir] = TCPS_FIN_WAIT_1;
- *age = fr_tcphalfclosed;
+ newage = fr_tcphalfclosed;
} else if (flags & TH_ACK) {
/* an ACK, should we exclude other flags here? */
if (ostate == TCPS_FIN_WAIT_1) {
@@ -1839,13 +1924,13 @@ int dir;
* a half-closed connection
*/
state[dir] = TCPS_CLOSE_WAIT;
- *age = fr_tcphalfclosed;
+ newage = fr_tcphalfclosed;
} else if (ostate < TCPS_CLOSE_WAIT)
/*
* Still a fully established connection,
* reset timeout
*/
- *age = fr_tcpidletimeout;
+ newage = fr_tcpidletimeout;
}
break;
@@ -1855,7 +1940,7 @@ int dir;
* Application closed and 'dir' sent a FIN, we're now
* going into LAST_ACK state
*/
- *age = fr_tcplastack;
+ newage = fr_tcplastack;
state[dir] = TCPS_LAST_ACK;
} else {
/*
@@ -1863,7 +1948,7 @@ int dir;
* closed already and we did not close our side yet;
* reset timeout
*/
- *age = fr_tcphalfclosed;
+ newage = fr_tcphalfclosed;
}
break;
@@ -1880,14 +1965,14 @@ int dir;
* packet here? does the window code guarantee that?
*/
state[dir] = TCPS_TIME_WAIT;
- *age = fr_tcptimeout;
+ newage = fr_tcptimeout;
} else
/*
* We closed our side of the connection already but the
* other side is still active (ESTABLISHED/CLOSE_WAIT);
* continue with this half-closed connection
*/
- *age = fr_tcphalfclosed;
+ newage = fr_tcphalfclosed;
break;
case TCPS_CLOSING: /* 7 */
@@ -1901,7 +1986,7 @@ int dir;
* There is still data to be delivered, reset
* timeout
*/
- *age = fr_tcplastack;
+ newage = fr_tcplastack;
}
/*
* We cannot detect when we go out of LAST_ACK state to CLOSED
@@ -1916,9 +2001,16 @@ int dir;
break;
case TCPS_TIME_WAIT: /* 10 */
+ newage = fr_tcptimeout; /* default 4 mins */
/* we're in 2MSL timeout now */
break;
}
+
+ if (newage != 0) {
+ *age = newage;
+ return 0;
+ }
+ return -1;
}
@@ -2068,8 +2160,14 @@ fr_info_t *fin;
hv = (pr = oip->ip6_nxt);
src.in6 = oip->ip6_src;
hv += src.in4.s_addr;
+ hv += src.i6[1];
+ hv += src.i6[2];
+ hv += src.i6[3];
dst.in6 = oip->ip6_dst;
hv += dst.in4.s_addr;
+ hv += dst.i6[1];
+ hv += dst.i6[2];
+ hv += dst.i6[3];
hv += dport;
hv += sport;
hv %= fr_statesize;
diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h
index fe6a505fe66d..01b12561a7a9 100644
--- a/contrib/ipfilter/ip_state.h
+++ b/contrib/ipfilter/ip_state.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * $Id: ip_state.h,v 2.13.2.10 2002/03/06 14:07:38 darrenr Exp $
+ * $Id: ip_state.h,v 2.13.2.12 2002/03/25 11:14:55 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
@@ -42,7 +42,8 @@ typedef struct icmpstate {
typedef struct tcpdata {
u_32_t td_end;
u_32_t td_maxend;
- u_short td_maxwin;
+ u_32_t td_maxwin;
+ u_char td_wscale;
} tcpdata_t;
typedef struct tcpstate {
@@ -58,20 +59,22 @@ typedef struct ipstate {
struct ipstate *is_hnext;
struct ipstate **is_phnext;
struct ipstate **is_me;
- u_long is_age;
- u_int is_frage[2]; /* age from filter rule, forward & reverse */
- u_int is_pass;
+ frentry_t *is_rule;
U_QUAD_T is_pkts;
U_QUAD_T is_bytes;
- void *is_ifp[4];
- frentry_t *is_rule;
union i6addr is_src;
union i6addr is_dst;
+ void *is_ifp[4];
+ u_long is_age;
+ u_int is_frage[2]; /* age from filter rule, forward & reverse */
+ u_int is_pass;
u_char is_p; /* Protocol */
- u_char is_v;
- u_int is_hv;
+ u_char is_v; /* IP version */
+ u_char is_fsm; /* 1 = following FSM, 0 = not */
+ u_char is_xxx; /* pad */
+ u_int is_hv; /* hash value for this in the table */
u_32_t is_rulen; /* rule number */
- u_32_t is_flags;
+ u_32_t is_flags; /* flags for this structure */
u_32_t is_opt; /* packet options set */
u_32_t is_optmsk; /* " " mask */
u_short is_sec; /* security options set */
@@ -100,6 +103,8 @@ typedef struct ipstate {
#define is_dend is_tcp.ts_data[1].td_end
#define is_maxswin is_tcp.ts_data[0].td_maxwin
#define is_maxdwin is_tcp.ts_data[1].td_maxwin
+#define is_swscale is_tcp.ts_data[0].td_wscale
+#define is_dwscale is_tcp.ts_data[1].td_wscale
#define is_maxsend is_tcp.ts_data[0].td_maxend
#define is_maxdend is_tcp.ts_data[1].td_maxend
#define is_sport is_tcp.ts_sport
@@ -191,7 +196,7 @@ extern ipstate_t *fr_addstate __P((ip_t *, fr_info_t *, ipstate_t **, u_int));
extern frentry_t *fr_checkstate __P((ip_t *, fr_info_t *));
extern void ip_statesync __P((void *));
extern void fr_timeoutstate __P((void));
-extern void fr_tcp_age __P((u_long *, u_char *, fr_info_t *, int));
+extern int fr_tcp_age __P((u_long *, u_char *, fr_info_t *, int, int));
extern void fr_stateunload __P((void));
extern void ipstate_log __P((struct ipstate *, u_int));
#if defined(__NetBSD__) || defined(__OpenBSD__)
diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c
index b983781d8f60..fc35b31b585b 100644
--- a/contrib/ipfilter/ipf.c
+++ b/contrib/ipfilter/ipf.c
@@ -50,7 +50,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.13 2002/02/22 15:32:53 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.14 2002/04/10 04:56:36 darrenr Exp $";
#endif
#if SOLARIS
@@ -225,7 +225,7 @@ u_int enable;
if (ioctl(fd, SIOCFRENB, &enable) == -1) {
if (errno == EBUSY)
fprintf(stderr,
- "IP FIlter: already initialized\n");
+ "IP Filter: already initialized\n");
else
perror("SIOCFRENB");
}
diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c
index b111bfd90506..a2ccf8923156 100644
--- a/contrib/ipfilter/ipfs.c
+++ b/contrib/ipfilter/ipfs.c
@@ -45,7 +45,7 @@
#include "ipf.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.8 2001/09/14 18:52:21 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.9 2002/04/17 17:42:59 darrenr Exp $";
#endif
#ifndef IPF_SAVEDIR
@@ -208,7 +208,7 @@ char *argv[];
int c, lock = -1, devfd = -1, err = 0, rw = -1, ns = -1, set = 0;
char *dirname = NULL, *filename = NULL, *ifs = NULL;
- while ((c = getopt(argc, argv, "d:f:lNnSRruvWw")) != -1)
+ while ((c = getopt(argc, argv, "d:f:i:lNnSRruvWw")) != -1)
switch (c)
{
case 'd' :
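Review bot: The option string gains `i:` but no `case 'i'` is visible in the switch (most of it lies outside the hunk); if none was added, `-i` falls through to the default handler and its argument is silently ignored. Please confirm the handler exists and consumes `optarg` (the `ifs` local declared on the line above looks like its intended target).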
diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h
index 75f9d67efaf2..2e99b65c0276 100644
--- a/contrib/ipfilter/ipl.h
+++ b/contrib/ipfilter/ipl.h
@@ -4,12 +4,12 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipl.h 1.21 6/5/96
- * $Id: ipl.h,v 2.15.2.31 2002/03/13 03:57:42 darrenr Exp $
+ * $Id: ipl.h,v 2.15.2.32 2002/04/23 14:59:13 darrenr Exp $
*/
#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter: v3.4.25"
+#define IPL_VERSION "IP Filter: v3.4.26"
#endif
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
index 6a894039c4ff..3e8707b06ea4 100644
--- a/contrib/ipfilter/ipmon.c
+++ b/contrib/ipfilter/ipmon.c
@@ -68,7 +68,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.32 2002/03/13 03:30:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.34 2002/03/22 10:27:16 darrenr Exp $";
#endif
diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c
index 86a1e3f0ba0e..4dc5e973bb92 100644
--- a/contrib/ipfilter/ipsend/ipsend.c
+++ b/contrib/ipfilter/ipsend/ipsend.c
@@ -31,11 +31,10 @@
#include <netinet/ip_var.h>
#endif
#include "ipsend.h"
-#include "ipf.h"
#if !defined(lint)
static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.4 2002/02/22 15:32:57 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.5 2002/04/23 14:58:57 darrenr Exp $";
#endif
diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c
index 189e35f3632f..0c3b50ce153e 100644
--- a/contrib/ipfilter/ipt.c
+++ b/contrib/ipfilter/ipt.c
@@ -13,6 +13,7 @@
# endif
#endif
#ifdef __sgi
+# define _KMEMUSER
# include <sys/ptimers.h>
#endif
#include <stdio.h>
@@ -63,7 +64,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.19 2002/03/11 03:30:51 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.21 2002/03/26 15:54:40 darrenr Exp $";
#endif
extern char *optarg;
@@ -113,10 +114,13 @@ char *argv[];
while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:STvxX")) != -1)
switch (c)
{
-#ifdef USE_INET6
case '6' :
+#ifdef USE_INET6
use_inet6 = 1;
break;
+#else
+ fprintf(stderr, "IPv6 not supported\n");
+ exit(1);
#endif
case 'b' :
opts |= OPT_BRIEF;
diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c
index eec8b3c450d1..254bbf935eb6 100644
--- a/contrib/ipfilter/kmem.c
+++ b/contrib/ipfilter/kmem.c
@@ -46,18 +46,13 @@
#if !defined(lint)
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.12 2002/03/06 09:44:16 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.14 2002/04/17 17:44:44 darrenr Exp $";
#endif
-#ifndef __sgi
+#ifdef __sgi
+typedef int kvm_t;
-static kvm_t *kvm_f = NULL;
-
-#else
-
-typedef int kvm_t;
-
-static kvm_t kvm_f = -1;
+static int kvm_fd = -1;
static char *kvm_errstr;
kvm_t kvm_open(kernel, core, swap, mode, errstr)
@@ -65,12 +60,12 @@ char *kernel, *core, *swap;
int mode;
char *errstr;
{
- kvm_t fd;
-
kvm_errstr = errstr;
- fd = open(core, mode);
- return fd;
+ if (core == NULL)
+ core = "/dev/kmem";
+ kvm_fd = open(core, mode);
+ return (kvm_fd >= 0) ? (kvm_t)&kvm_fd : NULL;
}
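Review bot: `kvm_open` is still declared `kvm_t kvm_open(...)` (context line above) with `kvm_t` now `typedef int`, yet it returns `(kvm_t)&kvm_fd` or NULL, and its consumers treat the result as a pointer — `kvm_read` does `lseek(*kvm, ...)` and the file-scope `kvm_f` added below is `kvm_t *`. Casting the address to int truncates on a 64-bit IRIX build, and the NULL return is an int-from-pointer mismatch. Return the pointer type instead: `kvm_t *kvm_open(kernel, core, swap, mode, errstr)` and `return (kvm_fd >= 0) ? &kvm_fd : NULL;`; any prototype in kmem.h (not visible) needs the same change.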
int kvm_read(kvm, pos, buffer, size)
@@ -82,21 +77,22 @@ size_t size;
int r, left;
char *bufp;
- if (lseek(kvm, pos, 0) == -1) {
+ if (lseek(*kvm, pos, 0) == -1) {
fprintf(stderr, "%s", kvm_errstr);
perror("lseek");
return -1;
}
for (bufp = buffer, left = size; left > 0; bufp += r, left -= r) {
- r = read(kvm, bufp, 1);
+ r = read(*kvm, bufp, 1);
if (r <= 0)
return -1;
}
- return 0;
+ return size;
}
#endif
+static kvm_t *kvm_f = NULL;
int openkmem(kern, core)
char *kern, *core;
diff --git a/contrib/ipfilter/l4check/l4check.c b/contrib/ipfilter/l4check/l4check.c
index 6945b1c2cbce..23ac79af849b 100644
--- a/contrib/ipfilter/l4check/l4check.c
+++ b/contrib/ipfilter/l4check/l4check.c
@@ -141,7 +141,8 @@ void closel4(l4, dead)
l4cfg_t *l4;
int dead;
{
- close(l4->l4_fd);
+ if (l4->l4_fd != -1)
+ close(l4->l4_fd);
l4->l4_fd = -1;
l4->l4_rw = -1;
if (dead && l4->l4_alive) {
@@ -307,7 +308,7 @@ int runconfig()
if (opts & OPT_VERBOSE)
fprintf(stderr, "failed\n");
perror("connect");
- close(fd);
+ closel4(l4, 1);
fd = -1;
} else {
if (opts & OPT_VERBOSE)
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index 386f3a29346a..0ec7854eb35c 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -46,7 +46,8 @@ long).
4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
viewed with \fBipfstat -n\fP.
.LP
-5. The action: \fBp\fP for passed or \fBb\fP for blocked.
+5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short
+packet, \fBn\fP did not match any rules or \fBL\fP for a log rule.
.LP
6. The addresses.
This is actually three fields: the source address and port
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index 7fb2e90582cb..16c1752b4f54 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -7,8 +7,8 @@ The format for files accepted by ipnat is described by the following grammar:
.nf
ipmap :: = mapblock | redir | map .
-map ::= mapit ifname ipmask "->" ipmask [ mapport ] .
-map ::= mapit ifname fromto "->" ipmask [ mapport ] .
+map ::= mapit ifname ipmask "->" dstipmask [ mapport ] .
+map ::= mapit ifname fromto "->" dstipmask [ mapport ] .
mapblock ::= "map-block" ifname ipmask "->" ipmask [ ports ] .
redir ::= "rdr" ifname ipmask dport "->" ip [ "," ip ] rdrport options .
@@ -18,6 +18,7 @@ rdrport ::= "port" portnum .
mapit ::= "map" | "bimap" .
fromto ::= "from" object "to" object .
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
+dstipmask ::= ipmask | "range" ip "-" ip .
mapport ::= "portmap" tcpudp portnumber ":" portnumber .
options ::= [ tcpudp ] [ rr ] .
@@ -34,6 +35,10 @@ ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
.fi
.PP
+In addition to this, # is used to mark the start of a comment and may
+appear at the end of a line with a NAT rule (as described above) or on its
+own lines. Blank lines are ignored.
+.PP
For standard NAT functionality, a rule should start with \fBmap\fP and then
proceeds to specify the interface for which outgoing packets will have their
source address rewritten.
diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c
index 00f7d226178a..84d2a955a4de 100644
--- a/contrib/ipfilter/mlf_ipl.c
+++ b/contrib/ipfilter/mlf_ipl.c
@@ -12,23 +12,11 @@
#include <sys/param.h>
#if defined(__FreeBSD__)
+# ifndef __FreeBSD_version
+# include <sys/osreldate.h>
+# endif
# ifdef IPFILTER_LKM
-# ifndef __FreeBSD_cc_version
-# include <osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <osreldate.h>
-# endif
-# endif
# define ACTUALLY_LKM_NOT_KERNEL
-# else
-# ifndef __FreeBSD_cc_version
-# include <sys/osreldate.h>
-# else
-# if __FreeBSD_cc_version < 430000
-# include <sys/osreldate.h>
-# endif
-# endif
# endif
#endif
#include <sys/systm.h>
diff --git a/contrib/ipfilter/mls_ipl.c b/contrib/ipfilter/mls_ipl.c
index bc8f3ed642ca..5a70ab9d35a1 100644
--- a/contrib/ipfilter/mls_ipl.c
+++ b/contrib/ipfilter/mls_ipl.c
@@ -40,7 +40,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2.2.2 2002/04/10 05:05:54 darrenr Exp $";
#endif
extern int ipldetach __P((void));
@@ -49,6 +49,7 @@ extern int ipldetach __P((void));
#endif
extern int nulldev __P((void));
extern int errno;
+extern int iplidentify __P((char *));
extern int nodev __P((void));
diff --git a/contrib/ipfilter/natparse.c b/contrib/ipfilter/natparse.c
index e484316a858e..e1c3a499fef4 100644
--- a/contrib/ipfilter/natparse.c
+++ b/contrib/ipfilter/natparse.c
@@ -56,7 +56,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.23 2002/02/22 15:32:55 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.24 2002/04/24 17:30:51 darrenr Exp $";
#endif
@@ -394,15 +394,24 @@ int linenum;
cpp++;
if (ipn.in_redir & NAT_MAPBLK) {
- if (*cpp && strcasecmp(*cpp, "ports")) {
- fprintf(stderr,
- "%d: expected \"ports\" - got \"%s\"\n",
- linenum, *cpp);
- return NULL;
- }
- cpp++;
if (*cpp) {
- ipn.in_pmin = atoi(*cpp);
+ if (strcasecmp(*cpp, "ports")) {
+ fprintf(stderr,
+ "%d: expected \"ports\" - got \"%s\"\n",
+ linenum, *cpp);
+ return NULL;
+ }
+ cpp++;
+ if (*cpp == NULL) {
+ fprintf(stderr,
+ "%d: missing argument to \"ports\"\n",
+ linenum);
+ return NULL;
+ }
+ if (!strcasecmp(*cpp, "auto"))
+ ipn.in_flags |= IPN_AUTOPORTMAP;
+ else
+ ipn.in_pmin = atoi(*cpp);
cpp++;
} else
ipn.in_pmin = 0;
@@ -483,6 +492,10 @@ int linenum;
ipn.in_p = atoi(proto);
}
}
+ if ((ipn.in_flags & IPN_TCPUDP) == 0) {
+ port1a = "0";
+ port2a = "0";
+ }
if (*cpp && !strcasecmp(*cpp, "round-robin")) {
cpp++;
@@ -548,7 +561,7 @@ int linenum;
if ((ipn.in_redir & NAT_MAPBLK) != 0)
nat_setgroupmap(&ipn);
- if (*cpp && !strcasecmp(*cpp, "frag")) {
+ if (*cpp && !*(cpp+1) && !strcasecmp(*cpp, "frag")) {
cpp++;
ipn.in_flags |= IPN_FRAG;
}
@@ -618,12 +631,6 @@ int linenum;
(void) strncpy(ipn.in_plabel, *cpp, sizeof(ipn.in_plabel));
cpp++;
- if (*cpp) {
- fprintf(stderr,
- "%d: too many parameters for \"proxy\"\n",
- linenum);
- return NULL;
- }
} else if (!strcasecmp(*cpp, "portmap")) {
if (ipn.in_redir == NAT_BIMAP) {
fprintf(stderr, "%d: cannot use portmap with bimap\n",
@@ -683,6 +690,11 @@ int linenum;
}
}
+ if (*cpp && !strcasecmp(*cpp, "frag")) {
+ cpp++;
+ ipn.in_flags |= IPN_FRAG;
+ }
+
if (*cpp && !strcasecmp(*cpp, "age")) {
cpp++;
if (!*cpp) {
@@ -690,6 +702,7 @@ int linenum;
linenum);
return NULL;
}
+ ipn.in_age[0] = atoi(*cpp);
s = index(*cpp, '/');
if (s != NULL)
ipn.in_age[1] = atoi(s + 1);
diff --git a/contrib/ipfilter/printnat.c b/contrib/ipfilter/printnat.c
index 647c92e9f1bc..dd5927271188 100644
--- a/contrib/ipfilter/printnat.c
+++ b/contrib/ipfilter/printnat.c
@@ -58,7 +58,7 @@ extern char *sys_errlist[];
#endif
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.6 2002/02/22 15:32:56 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.7 2002/04/24 17:35:37 darrenr Exp $";
#endif
@@ -298,6 +298,9 @@ int opts;
struct servent *sv;
int bits;
+ if (np->in_p != 0)
+ pr = getprotobynumber(np->in_p);
+
switch (np->in_redir)
{
case NAT_REDIRECT :
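Review bot: `pr` is now assigned only when `np->in_p != 0`, but the proxy branch (the @@ -401 hunk below) still tests `if (pr != NULL)` and the unconditional `pr = getprotobynumber(np->in_p)` it used to rely on was removed, so for a proxy rule with `in_p == 0` `pr` is read uninitialised unless its declaration (outside the hunk) carries an initialiser. Make the hoisted assignment total: `pr = (np->in_p != 0) ? getprotobynumber(np->in_p) : NULL;`.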
@@ -372,12 +375,18 @@ int opts;
printf(" udp");
else if (np->in_p == 0)
printf(" ip");
- else if (np->in_p != 0)
- printf(" %d", np->in_p);
+ else if (np->in_p != 0) {
+ if (pr != NULL)
+ printf(" %s", pr->p_name);
+ else
+ printf(" %d", np->in_p);
+ }
if (np->in_flags & IPN_ROUNDR)
printf(" round-robin");
if (np->in_flags & IPN_FRAG)
printf(" frag");
+ if (np->in_age[0])
+ printf(" age %d/%d", np->in_age[0], np->in_age[1]);
printf("\n");
if (opts & OPT_DEBUG)
printf("\tspc %lu flg %#x max %u use %d\n",
@@ -389,7 +398,7 @@ int opts;
printf("%s/", inet_ntoa(np->in_in[0]));
bits = countbits(np->in_in[1].s_addr);
if (bits != -1)
- printf("%d ", bits);
+ printf("%d", bits);
else
printf("%s", inet_ntoa(np->in_in[1]));
}
@@ -401,12 +410,11 @@ int opts;
printf("%s/", inet_ntoa(np->in_out[0]));
bits = countbits(np->in_out[1].s_addr);
if (bits != -1)
- printf("%d ", bits);
+ printf("%d", bits);
else
printf("%s", inet_ntoa(np->in_out[1]));
}
if (*np->in_plabel) {
- pr = getprotobynumber(np->in_p);
printf(" proxy port");
if (np->in_dport != 0) {
if (pr != NULL)
@@ -426,8 +434,12 @@ int opts;
else
printf("%d", np->in_p);
} else if (np->in_redir == NAT_MAPBLK) {
- printf(" ports %d", np->in_pmin);
- if (opts & OPT_VERBOSE)
+ if ((np->in_pmin == 0) &&
+ (np->in_flags & IPN_AUTOPORTMAP))
+ printf(" ports auto");
+ else
+ printf(" ports %d", np->in_pmin);
+ if (opts & OPT_DEBUG)
printf("\n\tip modulous %d", np->in_pmax);
} else if (np->in_pmin || np->in_pmax) {
printf(" portmap");
@@ -451,6 +463,8 @@ int opts;
}
if (np->in_flags & IPN_FRAG)
printf(" frag");
+ if (np->in_age[0])
+ printf(" age %d/%d", np->in_age[0], np->in_age[1]);
printf("\n");
if (opts & OPT_DEBUG) {
printf("\tspace %lu nextip %s pnext %d", np->in_space,
diff --git a/contrib/ipfilter/printstate.c b/contrib/ipfilter/printstate.c
index 16bda9b274e6..d462a22f432d 100644
--- a/contrib/ipfilter/printstate.c
+++ b/contrib/ipfilter/printstate.c
@@ -15,6 +15,9 @@
#include <netinet/in_systm.h>
#include <net/if.h>
#include <stdio.h>
+#if __FreeBSD_version >= 300000
+# include <net/if_var.h>
+#endif
#include "kmem.h"
#include "netinet/ip_compat.h"
#include "ipf.h"
@@ -47,15 +50,17 @@ int opts;
if (ips.is_p == IPPROTO_TCP)
#if defined(NetBSD) && (NetBSD >= 199905) && (NetBSD < 1991011) || \
(__FreeBSD_version >= 220000) || defined(__OpenBSD__)
- PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
+ PRINTF("\t%hu -> %hu %x:%x %u<<%d:%u<<%d",
ntohs(ips.is_sport), ntohs(ips.is_dport),
ips.is_send, ips.is_dend,
- ips.is_maxswin, ips.is_maxdwin);
+ ips.is_maxswin>>ips.is_swscale, ips.is_swscale,
+ ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale);
#else
- PRINTF("\t%hu -> %hu %x:%x %hu:%hu",
+ PRINTF("\t%hu -> %hu %x:%x %u<<%d:%u<<%d",
ntohs(ips.is_sport), ntohs(ips.is_dport),
ips.is_send, ips.is_dend,
- ips.is_maxswin, ips.is_maxdwin);
+ ips.is_maxswin>>ips.is_swscale, ips.is_swscale,
+ ips.is_maxdwin>>ips.is_dwscale, ips.is_dwscale);
#endif
else if (ips.is_p == IPPROTO_UDP)
PRINTF(" %hu -> %hu", ntohs(ips.is_sport),
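Review bot: The `#if` and `#else` branches of the TCP case are byte-for-byte identical after this change (same format string, same argument list), so the conditional no longer selects anything and the duplicated `PRINTF` should be collapsed to a single call; the platform test can stay only if the two branches are expected to diverge again. The new `%u` conversions assume `is_maxswin` and `is_maxdwin` are `unsigned int`-sized and `is_swscale`/`is_dwscale` fit `%d`; those fields are declared in ip_state.h, which is not in this hunk, so check the widths there (a `u_long` on 64-bit platforms would misprint). The enclosing function starts and ends outside this hunk.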
diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c
index 4ff13dfbf2b4..aa139d3b042a 100644
--- a/contrib/ipfilter/solaris.c
+++ b/contrib/ipfilter/solaris.c
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*/
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
-#pragma ident "@(#)$Id: solaris.c,v 2.15.2.29 2002/01/15 14:36:54 darrenr Exp $"
+#pragma ident "@(#)$Id: solaris.c,v 2.15.2.30 2002/04/23 14:57:51 darrenr Exp $"
#include <sys/systm.h>
#include <sys/types.h>
@@ -1112,7 +1112,7 @@ again:
freemsg(mb);
}
RWLOCK_EXIT(&ipf_solaris);
- return 0;
+ return 1;
}
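Review bot: The return value on the `freemsg(mb)` path changes from 0 to 1 here and again in the hunk at `@@ -1263,7 +1263,7 @@`, but nothing in either hunk says what the caller does with 1 versus 0 for a message that has already been freed. Since both functions begin outside the visible hunks, a one-line comment at each return such as `/* mb already freed above; tell the caller it was consumed */` (adjusting to the actual contract) would document the change; if the STREAMS put routine the value is returned to ignores it, say so instead.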
@@ -1263,7 +1263,7 @@ again:
freemsg(mb);
}
RWLOCK_EXIT(&ipf_solaris);
- return 0;
+ return 1;
}
diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile
index 2d93c7f6ddb1..334abc2efa4a 100644
--- a/contrib/ipfilter/test/Makefile
+++ b/contrib/ipfilter/test/Makefile
@@ -9,23 +9,27 @@ BINDEST=/usr/local/bin
SBINDEST=/sbin
MANDIR=/usr/share/man
-tests: first 0 ftests ptests ntests nitests logtests
+tests: first 0 ftests ptests ntests nitests logtests ipv6 intests
first:
-mkdir -p results
# Filtering tests
-ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16
+ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17
# Rule parsing tests
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
ntests: n1 n2 n3 n4 n5 n6 n7
-nitests: ni1 ni2
+nitests: ni1 ni2 ni3 ni4
+
+intests: in1 in2 in3 in4
logtests: l1
+ipv6: ipv6.1 ipv6.2
+
0:
@(cd ..; make ipftest; )
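Review bot: The new aggregate targets `ipv6` and `intests` (and the existing `tests`, `first`, `ftests`, `ptests`, `ntests`, `nitests`, `logtests`) are command names rather than files, but none is declared phony, so a stray file named `ipv6` or `intests` in the directory silently turns that group of tests into a no-op. Add `.PHONY: tests first ftests ptests ntests nitests intests logtests ipv6 clean` next to the `tests:` rule. The new groups are also only sequenced after `first` and `0` by their position in the `tests:` prerequisite list, which is not a dependency under `make -j`; if parallel runs matter, give each group an explicit `first 0` prerequisite.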
@@ -38,22 +42,33 @@ f12 f13:
f15 f16:
@/bin/sh ./mtest $@
+f17:
+ @/bin/sh ./mhtest $@
+
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
@/bin/sh ./itest $@
n1 n2 n3 n4 n5 n6 n7:
@/bin/sh ./nattest $@
-ni1 ni2:
+ni1 ni2 ni3 ni4:
@/bin/sh ./natipftest $@
+in1 in2 in3 in4:
+ @/bin/sh ./intest $@
+
l1:
@/bin/sh ./logtest $@
+ipv6.1 ipv6.2:
+ @/bin/sh ./dotest6 $@
+
clean:
- /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16
+ /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16 f17
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
/bin/rm -f n1 n2 n3 n4 n5 n6 n7
- /bin/rm -f ni1 ni2
+ /bin/rm -f ni1 ni2 ni3 ni4
+ /bin/rm -f in1 in2 in3 in4
/bin/rm -f l1
+ /bin/rm -f ipv6.1 ipv6.2
/bin/rm -f results/*
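Review bot: The new rules invoke `./mhtest`, `./intest` and `./dotest6`, none of which appears in this hunk; if they are not part of the same import (the file list in the commit is truncated here, so I cannot confirm), `make tests` fails with a shell error on `f17`, `in1` or `ipv6.1` rather than a clear message. A comment on each new rule naming the driver script it depends on, or listing the scripts as prerequisites (`f17: mhtest`), would make the dependency visible to make and to the reader. The `@` prefix on every recipe line also hides which command failed when a test breaks; consider leaving the driver invocation unsilenced.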
diff --git a/contrib/ipfilter/test/expected/f11 b/contrib/ipfilter/test/expected/f11
index ac37783be54d..b977e41604ee 100644
--- a/contrib/ipfilter/test/expected/f11
+++ b/contrib/ipfilter/test/expected/f11
@@ -1,6 +1,11 @@
pass
+nomatch
+nomatch
+pass
pass
+nomatch
pass
+nomatch
pass
nomatch
nomatch
@@ -11,8 +16,13 @@ nomatch
nomatch
--------
block
+nomatch
+nomatch
+block
block
+nomatch
block
+nomatch
block
nomatch
nomatch
@@ -28,6 +38,11 @@ nomatch
nomatch
nomatch
nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
pass
pass
nomatch
@@ -40,6 +55,11 @@ nomatch
nomatch
nomatch
nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
block
block
nomatch
@@ -52,6 +72,11 @@ nomatch
nomatch
nomatch
nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
pass
pass
pass
@@ -64,9 +89,31 @@ nomatch
nomatch
nomatch
nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
block
block
block
nomatch
nomatch
--------
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+pass
+nomatch
+pass
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+nomatch
+--------
diff --git a/contrib/ipfilter/test/expected/l1 b/contrib/ipfilter/test/expected/l1
index c158752d5330..dbd6b012e4b5 100644
--- a/contrib/ipfilter/test/expected/l1
+++ b/contrib/ipfilter/test/expected/l1
@@ -1,49 +1,49 @@
log in all
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
-01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
+01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
--------
pass in on anon0 all head 100
--------
pass in log quick from 3.3.3.3 to any group 100
--------
pass in log body quick from 2.2.2.2 to any
-01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 10:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 00:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
--------
pass in log quick proto tcp from 1.1.1.1 to any flags S keep state
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
-01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 00:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
--------
pass in log first quick proto tcp from 1.1.1.1 to any flags S keep state
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
--------
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
-01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
-01/01/1970 10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
-01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
-01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
-01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 00:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
--------
diff --git a/contrib/ipfilter/test/expected/l1.b b/contrib/ipfilter/test/expected/l1.b
index eef36606b295..e5c107759930 100644
--- a/contrib/ipfilter/test/expected/l1.b
+++ b/contrib/ipfilter/test/expected/l1.b
@@ -1,47 +1,47 @@
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
-01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F IN
+01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
--------
--------
--------
-01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
-01/01/1970 10:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS IN
+01/01/1970 00:00:00.000000 2x anon0 @0:1 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01 02 03 04 05 06 07 08 09 0a 0b 0d ............
-01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
--------
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
-01/01/1970 10:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 00:00:00.000000 e1 @0:1 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
--------
-01/01/1970 10:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:1 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
--------
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
-01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
-01/01/1970 10:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
-01/01/1970 10:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
-01/01/1970 10:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
-01/01/1970 10:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
-01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S IN
+01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -S K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A K-S IN
+01/01/1970 00:00:00.000000 anon0 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -AS K-S IN
+01/01/1970 00:00:00.000000 e1 @0:4 p 2.2.2.2,25 -> 1.1.1.1,1025 PR tcp len 20 40 -A K-S OUT
+01/01/1970 00:00:00.000000 anon0 @0:4 p 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -F K-S IN
+01/01/1970 00:00:00.000000 2x anon0 @-1:-1 L 1.1.1.1,1025 -> 2.2.2.2,25 PR tcp len 20 40 -A IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
+01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 40 IN
01 02 03 04 05 06 07 08 09 0a 0b 0d ............
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
-01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
+01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2,1 -> 4.4.4.4,53 PR udp len 20 56 IN
01 02 03 04 05 06 07 08 09 0a 0b 0d 0e 0f 40 61 ..............@a
42 63 44 65 46 67 48 69 4a 6b 4c 6d BcDeFgHiJkLm
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 10:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 10:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
-01/01/1970 10:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @0:3 p 2.2.2.2 -> 4.4.4.4 PR ip len 20 (20) IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @100:1 p 3.3.3.3,1023 -> 1.1.1.1,2049 PR udp len 20 28 IN
+01/01/1970 00:00:00.000000 anon0 @-1:-1 L 1.1.1.1,2049 -> 3.3.3.3,1023 PR udp len 20 28 IN
--------
diff --git a/contrib/ipfilter/test/input/f11 b/contrib/ipfilter/test/input/f11
index 4eda58eac04e..25c670d18332 100644
--- a/contrib/ipfilter/test/input/f11
+++ b/contrib/ipfilter/test/input/f11
@@ -1,6 +1,11 @@
in on e0 tcp 1.1.1.1,1 2.1.2.2,23 S
+in on e0 tcp 1.1.1.1,1 2.1.2.2,24 SA
+in on e1 tcp 2.1.2.2,23 1.1.1.1,2 SA
+in on e1 tcp 2.1.2.2,23 1.1.1.1,1 SA
in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
+in on e0 tcp 1.1.1.1,1 2.1.2.2,25 A
in on e1 tcp 2.1.2.2,23 1.1.1.1,1 A
+in on e1 tcp 2.1.2.2,25 1.1.1.1,1 A
in on e0 tcp 1.1.1.1,1 2.1.2.2,23 F
in on e0 tcp 1.1.1.1,1 2.1.2.2,23 A
in on e0 tcp 1.1.1.1,2 2.1.2.2,23 A
diff --git a/contrib/ipfilter/test/logtest b/contrib/ipfilter/test/logtest
index 0600056c00ed..38d93eeb629f 100755
--- a/contrib/ipfilter/test/logtest
+++ b/contrib/ipfilter/test/logtest
@@ -22,15 +22,15 @@ echo "$1...";
/bin/rm -f logout
exit 1
fi
- ../ipmon -P /dev/null -f logout >> results/$1
+ TZ=GMT ../ipmon -P /dev/null -f logout >> results/$1
echo "--------" >> results/$1
- ../ipmon -P /dev/null -bf logout >> results/$1.b
+ TZ=GMT ../ipmon -P /dev/null -bf logout >> results/$1.b
echo "--------" >> results/$1.b
done ) < regress/$1
../ipftest -br regress/$1 -Hi input/$1 -l logout > /dev/null
-../ipmon -P /dev/null -f logout >> results/$1
+TZ=GMT ../ipmon -P /dev/null -f logout >> results/$1
echo "--------" >> results/$1
-../ipmon -P /dev/null -bf logout >> results/$1.b
+TZ=GMT ../ipmon -P /dev/null -bf logout >> results/$1.b
echo "--------" >> results/$1.b
cmp expected/$1 results/$1
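Review bot: `TZ=GMT` is repeated on each of the four `ipmon` invocations; setting it once near the top of the script with `TZ=GMT; export TZ` (outside this hunk) pins the timestamps in the expected files for every invocation, including any added later. `GMT` as a TZ value relies on a zoneinfo entry of that name being present; the POSIX form `TZ=GMT0` needs no zoneinfo database and yields the same `00:00:00` output, so it is the more portable choice for a regression script. The comparison of `results/$1.b` against its expected file is not in this hunk.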
diff --git a/contrib/ipfilter/test/regress/f11 b/contrib/ipfilter/test/regress/f11
index 0bf0a2a7322d..a71e528c2215 100644
--- a/contrib/ipfilter/test/regress/f11
+++ b/contrib/ipfilter/test/regress/f11
@@ -4,3 +4,4 @@ pass in proto udp from any to any port = 53 keep frags
block in proto udp from any to any port = 53 keep frags
pass in proto udp from any to any port = 53 keep state
block in proto udp from any to any port = 53 keep state
+pass in on e0 proto tcp from any to any port = 25 keep state