authorDarren Reed <darrenr@FreeBSD.org>2002-06-07 08:58:22 +0000
committerDarren Reed <darrenr@FreeBSD.org>2002-06-07 08:58:22 +0000
commitd37d8bd759240377564d8f2dd862a0c1daed951e (patch)
tree8d2f795a0e1f329027a752795bb21f35e0e0ba99
parenta5b879f8a3064a430cb42c9d937b6647b8ddcc4e (diff)
downloadsrc-d37d8bd759240377564d8f2dd862a0c1daed951e.tar.gz
src-d37d8bd759240377564d8f2dd862a0c1daed951e.zip
Import IPFilter 3.4.28
Notes
Notes: svn path=/vendor/ipfilter/dist/; revision=98005
-rw-r--r--contrib/ipfilter/BSD/Makefile1
-rwxr-xr-xcontrib/ipfilter/FreeBSD-4.0/kinstall2
-rw-r--r--contrib/ipfilter/HISTORY39
-rw-r--r--contrib/ipfilter/fil.c5
-rw-r--r--contrib/ipfilter/ip_auth.c7
-rw-r--r--contrib/ipfilter/ip_compat.h8
-rw-r--r--contrib/ipfilter/ip_fil.c40
-rw-r--r--contrib/ipfilter/ip_fil.h3
-rw-r--r--contrib/ipfilter/ip_ftp_pxy.c10
-rw-r--r--contrib/ipfilter/ip_h323_pxy.c5
-rw-r--r--contrib/ipfilter/ip_nat.c8
-rw-r--r--contrib/ipfilter/ip_proxy.c7
-rw-r--r--contrib/ipfilter/ip_sfil.c12
-rw-r--r--contrib/ipfilter/ip_state.c19
-rw-r--r--contrib/ipfilter/ipf.c7
-rw-r--r--contrib/ipfilter/ipfs.c15
-rw-r--r--contrib/ipfilter/ipl.h4
-rw-r--r--contrib/ipfilter/ipmon.c13
-rw-r--r--contrib/ipfilter/ipnat.c4
-rw-r--r--contrib/ipfilter/ipsend/ip_var.h2
-rw-r--r--contrib/ipfilter/ipt.c52
-rw-r--r--contrib/ipfilter/man/ipftest.113
-rw-r--r--contrib/ipfilter/man/ipnat.42
-rw-r--r--contrib/ipfilter/man/ipnat.514
-rw-r--r--contrib/ipfilter/mlf_ipl.c6
-rw-r--r--contrib/ipfilter/parse.c2
-rw-r--r--contrib/ipfilter/printnat.c14
-rw-r--r--contrib/ipfilter/test/Makefile6
-rw-r--r--contrib/ipfilter/test/expected/in16
29 files changed, 236 insertions, 90 deletions
diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile
index afa9e52447a2..835d2336953c 100644
--- a/contrib/ipfilter/BSD/Makefile
+++ b/contrib/ipfilter/BSD/Makefile
@@ -231,6 +231,7 @@ clean:
${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \
vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h \
y.tab.? lex.yy.c ipfs
+ ${RM} -f ../opt_inet6.h
${MAKE} -f Makefile.ipsend ${MFLAGS} clean
-(for i in *; do \
diff --git a/contrib/ipfilter/FreeBSD-4.0/kinstall b/contrib/ipfilter/FreeBSD-4.0/kinstall
index 2598c6c88da4..99ec6790bb00 100755
--- a/contrib/ipfilter/FreeBSD-4.0/kinstall
+++ b/contrib/ipfilter/FreeBSD-4.0/kinstall
@@ -28,7 +28,7 @@ echo ""
echo "Linking /usr/include/osreldate.h to /sys/sys/osreldate.h"
ln -s /usr/include/osreldate.h /sys/sys/osreldate.h
-set patchfile=FreeBSd-4.0/ipv6-patch-$krev
+set patchfile=FreeBSD-4.0/ipv6-patch-$krev
if ( -f $patchfile ) then
echo ""
echo "Patching ip6_input.c and ip6_output.c"
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
index ec317dc2ae05..0369d3f0ae8d 100644
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@@ -22,6 +22,45 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
+3.4.28 6/6/2002 - Released
+
+Fix for H.323 proxy to work on little endian boxes
+
+IRIX: Update installation documentation
+ add route lock patch
+
+allow use of groups > 65535
+
+create a new packet info summary for packets going through ipfr_fastroute()
+so that where details are different (RST/ICMP errors), the packet now gets
+correctly NAT'd, etc.
+
+fix the FTP proxy so that checks for TCP sequence numbers outside the
+normal offset due to data changes use absolute numbers
+
+make it possible to remove rules in ipftest
+
+Update installing onto OpenBSD and split into two directories:
+OpenBSD-2 and OpenBSD-3
+
+fix error in printout out the protocol in NAT rules
+
+always unlock ipfilter if locking fails half way through in ipfs
+
+fix problems with TCP window scaling
+
+update of man pages for ipnat(4) and ipftest(1)
+
+3.4.27 28/04/2002 - Released
+
+fix calculation of 2's complmenent 16 bit checksum for user space
+
+add mbuflen() to usespace compiles.
+
+add more #ifdef complexity for platform portability
+
+add OpenBSD 3.1 diffs
+
3.4.26 25/04/2002 - Released
fix parsing and printing of NAT rules with regression tests.
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index 92d82f1a5d78..ed319d4b52e9 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -97,7 +97,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $";
#endif
#ifndef _KERNEL
@@ -1501,7 +1501,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -1616,7 +1616,6 @@ frgroup_t ***fgpp;
fgp = &ipfgroups[0][set];
else
return NULL;
- num &= 0xffff;
while ((fg = *fgp))
if (fg->fg_num == num)
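Review bot: Dropping `num &= 0xffff;` only achieves "groups > 65535" if `fg->fg_num` and the `fr_group`/`fr_grhead` fields it is compared against are all at least 32 bits wide; if any of them is still a u_short, a rule naming a group above 65535 is truncated on one side only and never matches, so the rule is silently rejected or attached elsewhere. Those field widths are declared outside this hunk, so confirm them in ip_fil.h and record the contract with `/* fg_num is a full u_int: group ids above 65535 are valid */` above the loop. Before this change two rules written for groups differing by a multiple of 65536 were silently folded into one group; this removes that collision rather than reporting it. fr_findgroup starts before this hunk.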
diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c
index 2a73079d2cb0..efe2e99337d5 100644
--- a/contrib/ipfilter/ip_auth.c
+++ b/contrib/ipfilter/ip_auth.c
@@ -104,7 +104,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#endif
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.19 2002/04/23 14:57:27 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp $";
#endif
@@ -615,7 +615,10 @@ void fr_authexpire()
} else
faep = &fae->fae_next;
}
- ipauth = &fae_list->fae_fr;
+ if (fae_list != NULL)
+ ipauth = &fae_list->fae_fr;
+ else
+ ipauth = NULL;
for (frp = &fr_authlist; (fr = *frp); ) {
if (fr->fr_ref == 1) {
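Review bot: With `ipauth` now set to NULL once the expiry list drains, every reader of `ipauth` must tolerate NULL, whereas before this change it always held a non-NULL address (a bogus one computed from a NULL `fae_list`). Audit the packet path that consults `ipauth` (not in this hunk) and guard it with `if (ipauth != NULL)` before dereferencing, and put `/* NULL once the pending-auth list is empty */` on the new else branch so the contract is visible. fr_authexpire begins before this hunk, so whether this runs under the auth lock cannot be seen here.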
diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h
index 3b1b9807b561..81690a7f9a32 100644
--- a/contrib/ipfilter/ip_compat.h
+++ b/contrib/ipfilter/ip_compat.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_compat.h 1.8 1/14/96
- * $Id: ip_compat.h,v 2.26.2.44 2002/04/25 16:32:15 darrenr Exp $
+ * $Id: ip_compat.h,v 2.26.2.45 2002/06/04 14:40:54 darrenr Exp $
*/
#ifndef __IP_COMPAT_H__
@@ -213,7 +213,11 @@ typedef int minor_t;
#if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL))
# include <sys/param.h>
# ifndef __FreeBSD_version
-# include <sys/osreldate.h>
+# ifdef IPFILTER_LKM
+# include <osreldate.h>
+# else
+# include <sys/osreldate.h>
+# endif
# endif
# ifdef IPFILTER_LKM
# define ACTUALLY_LKM_NOT_KERNEL
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index 2aeeaf878115..52383564e79c 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -120,7 +120,7 @@ extern int ip_optcopy __P((struct ip *, struct ip *));
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.55 2002/03/26 15:54:39 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.58 2002/06/06 10:47:27 darrenr Exp $";
#endif
@@ -643,6 +643,9 @@ int mode;
unit = dev;
#endif
+ if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))
+ return ENODEV;
+
SPL_NET(s);
if (unit == IPL_LOGNAT) {
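Review bot: The new gate treats only `fr_running == 0` as "not running", while the Solaris counterpart in this same import tests `fr_running <= 0` (ip_sfil.c), so if fr_running can hold a negative value, for example while detaching, ioctls in that state slip past here into code that may be tearing down its tables. If negative states exist, write the test as `if (fr_running <= 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))`; if they do not, a one-line comment stating that fr_running is only ever 0 or 1 would settle it. iplioctl starts before this hunk.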
@@ -887,7 +890,8 @@ caddr_t data;
* Check that the group number does exist and that if a head group
* has been specified, doesn't exist.
*/
- if ((req != SIOCZRLST) && fp->fr_grhead &&
+ if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) ||
+ (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead &&
fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL))
return EEXIST;
if ((req != SIOCZRLST) && fp->fr_group &&
@@ -1221,13 +1225,18 @@ fr_info_t *fin;
struct mbuf **mp;
{
struct mbuf *m = *mp;
- char *dpsave;
- int error;
+ int error, hlen;
+ fr_info_t frn;
ip_t *ip;
- dpsave = fin->fin_dp;
+ bzero((char *)&frn, sizeof(frn));
+ frn.fin_ifp = fin->fin_ifp;
+ frn.fin_v = fin->fin_v;
+ frn.fin_out = fin->fin_out;
+ frn.fin_mp = fin->fin_mp;
ip = mtod(m, ip_t *);
+ hlen = sizeof(*ip);
ip->ip_v = fin->fin_v;
if (ip->ip_v == 4) {
@@ -1242,21 +1251,24 @@ struct mbuf **mp;
ip->ip_ttl = ip_defttl;
# endif
ip->ip_sum = 0;
- fin->fin_dp = (char *)(ip + 1);
+ frn.fin_dp = (char *)(ip + 1);
}
# ifdef USE_INET6
else if (ip->ip_v == 6) {
ip6_t *ip6 = (ip6_t *)ip;
+ hlen = sizeof(*ip6);
ip6->ip6_hlim = 127;
- fin->fin_dp = (char *)(ip6 + 1);
+ frn.fin_dp = (char *)(ip6 + 1);
}
# endif
# ifdef IPSEC
m->m_pkthdr.rcvif = NULL;
# endif
- error = ipfr_fastroute(m, mp, fin, NULL);
- fin->fin_dp = dpsave;
+
+ fr_makefrip(hlen, ip, &frn);
+
+ error = ipfr_fastroute(m, mp, &frn, NULL);
return error;
}
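Review bot: `hlen = sizeof(*ip)` in send_ip assumes the IPv4 header handed in carries no options; fr_makefrip uses that length to locate the transport header that the fastroute NAT/state lookups then read, so a header with options would be parsed from the wrong offset. If the callers only ever build option-less headers (the RST/ICMP generators, per the HISTORY entry), say so with `/* locally built headers carry no options */`; otherwise use `hlen = ip->ip_hl << 2;` in the v4 branch, assuming ip_hl is already filled in, which the visible lines do not show. The explicit `frn.fin_dp` assignments look redundant if fr_makefrip recomputes fin_dp from hlen; worth confirming and keeping only one of the two.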
@@ -1563,6 +1575,9 @@ frdest_t *fdp;
/*
* Route packet.
*/
+#ifdef __sgi
+ ROUTE_RDLOCK();
+#endif
bzero((caddr_t)ro, sizeof (*ro));
dst = (struct sockaddr_in *)&ro->ro_dst;
dst->sin_family = AF_INET;
@@ -1599,6 +1614,11 @@ frdest_t *fdp;
# else
rtalloc(ro);
# endif
+
+#ifdef __sgi
+ ROUTE_UNLOCK();
+#endif
+
if (!ifp) {
if (!fr || !(fr->fr_flags & FR_FASTROUTE)) {
error = -2;
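Review bot: `ROUTE_RDLOCK()` (taken in the earlier hunk, before the `bzero` of `ro`) and this `ROUTE_UNLOCK()` are separated by roughly thirty lines that are not shown; any early `return` or `goto` between them on IRIX would leave the route table read-locked. Please check that stretch has no exit path, or release the lock on the common error path, and mark the pairing with `/* held since ROUTE_RDLOCK() above; no early exits in between */` next to the unlock. ipfr_fastroute starts and ends outside this hunk.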
@@ -2098,7 +2118,7 @@ int code;
fr_info_t *fin;
int dst;
{
- verbose("- ICMP UNREACHABLE RST sent\n");
+ verbose("- ICMP UNREACHABLE sent\n");
return 0;
}
diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h
index 82deef5f2cd7..56175f28c986 100644
--- a/contrib/ipfilter/ip_fil.h
+++ b/contrib/ipfilter/ip_fil.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
- * $Id: ip_fil.h,v 2.29.2.32 2002/04/10 04:57:14 darrenr Exp $
+ * $Id: ip_fil.h,v 2.29.2.33 2002/06/04 14:46:28 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@@ -508,6 +508,7 @@ extern int send_reset __P((ip_t *, fr_info_t *));
extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int));
extern int ipf_log __P((void));
extern struct ifnet *get_unit __P((char *, int));
+extern int mbuflen __P((mb_t *));
# if defined(__NetBSD__) || defined(__OpenBSD__) || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
extern int iplioctl __P((dev_t, u_long, caddr_t, int));
diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c
index 2411bd998c61..f2603e07d279 100644
--- a/contrib/ipfilter/ip_ftp_pxy.c
+++ b/contrib/ipfilter/ip_ftp_pxy.c
@@ -2,7 +2,7 @@
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
- * $Id: ip_ftp_pxy.c,v 2.7.2.34 2002/04/26 10:22:45 darrenr Exp $
+ * $Id: ip_ftp_pxy.c,v 2.7.2.36 2002/06/06 10:44:40 darrenr Exp $
*/
#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_rw;
@@ -766,10 +766,10 @@ int rv;
i = 0;
sel = nat->nat_aps->aps_sel[1 - rv];
if (rv) {
- if (nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq))
+ if (nat->nat_aps->aps_ackmin[sel] < ntohl(tcp->th_seq))
i = nat->nat_aps->aps_ackoff[sel];
} else {
- if (nat->nat_aps->aps_seqmin[sel] > ntohl(tcp->th_seq))
+ if (nat->nat_aps->aps_seqmin[sel] < ntohl(tcp->th_seq))
i = nat->nat_aps->aps_seqoff[sel];
}
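Review bot: The corrected comparison still uses plain `<` on 32-bit sequence numbers, so it gives the wrong answer once the connection's sequence space wraps (aps_ackmin just below 2^32, th_seq just above 0); at that point the offset is not applied and the proxy's seq/ack fix-up drifts. Compare modulo 2^32 as TCP does: `if ((int)(ntohl(tcp->th_seq) - nat->nat_aps->aps_ackmin[sel]) > 0)` and the same form for aps_seqmin. The enclosing function starts before this hunk.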
/*
@@ -781,6 +781,10 @@ int rv;
f->ftps_seq = ntohl(tcp->th_seq);
else {
inc = ntohl(tcp->th_seq) - f->ftps_seq;
+ if (inc < 0)
+ inc = -inc;
+ if (i < 0)
+ i = -i;
if (inc > i) {
return APR_ERR(1);
}
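Review bot: `inc = -inc` is undefined when `inc` holds INT_MIN, which is exactly what the unsigned difference `ntohl(tcp->th_seq) - f->ftps_seq` becomes for a gap of 0x80000000 if `inc` is an int (its declaration is outside the hunk); the same applies to `i`. Do the magnitude test in unsigned arithmetic, e.g. `u_32_t d = ntohl(tcp->th_seq) - f->ftps_seq; if (d > 0x80000000U) d = 0U - d;` and compare `d` with the magnitude of `i` computed the same way, or, if the deltas are known to be small, state that with `/* |inc| and |i| are bounded by the proxy's own rewrite deltas */`.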
diff --git a/contrib/ipfilter/ip_h323_pxy.c b/contrib/ipfilter/ip_h323_pxy.c
index a61b0402e907..ec9b2fe2b8a6 100644
--- a/contrib/ipfilter/ip_h323_pxy.c
+++ b/contrib/ipfilter/ip_h323_pxy.c
@@ -52,7 +52,7 @@ unsigned char *data;
int datlen, *off;
unsigned short *port;
{
- u_32_t addr;
+ u_32_t addr, netaddr;
u_char *dp;
int offset;
@@ -62,10 +62,11 @@ unsigned short *port;
*port = 0;
offset = *off;
dp = (u_char *)data;
+ netaddr = ntohl(ipaddr);
for (offset = 0; offset <= datlen - 6; offset++, dp++) {
addr = (dp[0] << 24) | (dp[1] << 16) | (dp[2] << 8) | dp[3];
- if (ipaddr == addr)
+ if (netaddr == addr)
{
*port = (*(dp + 4) << 8) | *(dp + 5);
break;
diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c
index bf346610beca..da5235a2ca28 100644
--- a/contrib/ipfilter/ip_nat.c
+++ b/contrib/ipfilter/ip_nat.c
@@ -109,7 +109,7 @@ extern struct ifnet vpnif;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.67 2002/04/27 15:23:39 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.68 2002/06/04 14:46:08 darrenr Exp $";
#endif
nat_t **nat_table[2] = { NULL, NULL },
@@ -469,8 +469,12 @@ int mode;
}
for (np = &nat_list; (n = *np); np = &n->in_next)
if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
- IPN_CMPSIZ))
+ IPN_CMPSIZ)) {
+ if (n->in_redir == NAT_REDIRECT &&
+ n->in_pnext != nat->in_pnext)
+ continue;
break;
+ }
}
switch (cmd)
diff --git a/contrib/ipfilter/ip_proxy.c b/contrib/ipfilter/ip_proxy.c
index 2bc32d410f74..2051f2a466e3 100644
--- a/contrib/ipfilter/ip_proxy.c
+++ b/contrib/ipfilter/ip_proxy.c
@@ -75,7 +75,7 @@
#endif
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.22 2002/04/26 10:23:17 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.23 2002/06/04 14:45:42 darrenr Exp $";
#endif
#if defined(_KERNEL) && (SOLARIS || defined(__sgi))
@@ -122,7 +122,7 @@ aproxy_t ap_proxies[] = {
ippr_ipsec_match },
#endif
#ifdef IPF_NETBIOS_PROXY
- { NULL, "netbios", (char)IPPROTO_TCP, 0, 0, ippr_netbios_init, NULL,
+ { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, NULL,
NULL, NULL, NULL, ippr_netbios_out, NULL },
#endif
#ifdef IPF_H323_PROXY
@@ -421,11 +421,14 @@ int inc;
int sel, ch = 0, out, nlen;
u_32_t seq1, seq2;
tcphdr_t *tcp;
+ short inc2;
tcp = (tcphdr_t *)fin->fin_dp;
out = fin->fin_out;
nlen = ip->ip_len;
nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
+ inc2 = inc;
+ inc = (int)inc2;
if (out != 0) {
seq1 = (u_32_t)ntohl(tcp->th_seq);
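Review bot: The `inc2 = inc; inc = (int)inc2;` pair at the top of the block is an undocumented sign-extension through a short: it silently wraps any adjustment outside -32768..32767, and the conversion of an out-of-range int to short is implementation-defined. If callers hand in a 16-bit delta that lost its sign on the way, which is the likely intent, write `inc = (short)inc; /* callers pass a 16-bit delta; restore its sign */` and drop `inc2`; if larger deltas are possible, reject them rather than wrap. The enclosing function starts before this hunk.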
diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c
index a00d8fda93df..5a76f4b12576 100644
--- a/contrib/ipfilter/ip_sfil.c
+++ b/contrib/ipfilter/ip_sfil.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.16 2002/04/05 08:43:25 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.18 2002/06/06 10:47:26 darrenr Exp $";
#endif
#include <sys/types.h>
@@ -61,7 +61,11 @@ int fr_running = 0;
int ipl_unreach = ICMP_UNREACH_HOST;
u_long ipl_frouteok[2] = {0, 0};
static int frzerostats __P((caddr_t));
+#if SOLARIS2 >= 7
+static u_int *ip_ttl_ptr;
+#else
static u_long *ip_ttl_ptr;
+#endif
static int frrequest __P((minor_t, int, caddr_t, int));
static int send_ip __P((fr_info_t *fin, mblk_t *m));
@@ -196,6 +200,9 @@ int *rp;
if (IPL_LOGMAX < unit)
return ENXIO;
+ if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))
+ return ENODEV;
+
if (fr_running <= 0)
return 0;
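Review bot: The new ENODEV gate and the line that follows it disagree on what "not running" means: the gate fires for `fr_running == 0`, but `if (fr_running <= 0) return 0;` then turns every ioctl issued in a negative state, SIOCFRENB included, into a silent success that does nothing. Either make both tests `<= 0` (`if (fr_running <= 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF)) return ENODEV;`) or let SIOCFRENB through the second check, since as written enabling from a stopped state looks unreachable through this path unless fr_running is set elsewhere. iplioctl starts before this hunk.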
@@ -422,7 +429,8 @@ caddr_t data;
* Check that the group number does exist and that if a head group
* has been specified, doesn't exist.
*/
- if ((req != SIOCZRLST) && fp->fr_grhead &&
+ if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) ||
+ (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead &&
fr_findgroup(fp->fr_grhead, fp->fr_flags, unit, set, NULL)) {
error = EEXIST;
goto out;
diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c
index a6d1773b5ba9..f4dac8a02c81 100644
--- a/contrib/ipfilter/ip_state.c
+++ b/contrib/ipfilter/ip_state.c
@@ -93,7 +93,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.70 2002/04/27 16:06:15 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.71 2002/05/29 14:23:05 darrenr Exp $";
#endif
#ifndef MIN
@@ -575,9 +575,9 @@ u_int flags;
register u_int hv;
struct icmp *ic;
ipstate_t ips;
+ int out, ws;
u_int pass;
void *ifp;
- int out;
if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) ||
(fin->fin_misc & FM_BADSTATE))
@@ -691,8 +691,11 @@ u_int flags;
is->is_maxsend = is->is_send;
if ((tcp->th_flags & TH_SYN) &&
- ((tcp->th_off << 2) >= (sizeof(*tcp) + 4)))
- is->is_swscale = fr_tcpoptions(tcp);
+ ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) {
+ ws = fr_tcpoptions(tcp);
+ if (ws >= 0)
+ is->is_swscale = ws;
+ }
}
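Review bot: `is_swscale` takes whatever fr_tcpoptions returns from the peer's window-scale option with no upper bound, and that value later drives `win <<= td_wscale`; an attacker-chosen option of 15..255 either inflates the accepted window far beyond what RFC 1323 permits, which loosens the sequence-window check that keeps injected segments out of the state table, or at 32 and above shifts by the full width of the type, which is undefined. Unless fr_tcpoptions already clamps, which this hunk does not show, cap it here: `if (ws > 14) ws = 14; /* RFC 1323 s2.3 maximum */` before the assignment. The enclosing function continues outside this hunk.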
is->is_maxdwin = 1;
@@ -900,6 +903,7 @@ tcphdr_t *tcp;
fdata->td_wscale = wscale;
else if (wscale == -2)
fdata->td_wscale = tdata->td_wscale = 0;
+ win <<= fdata->td_wscale;
if ((fdata->td_end == 0) &&
(!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) {
@@ -908,7 +912,9 @@ tcphdr_t *tcp;
*/
fdata->td_end = end;
fdata->td_maxwin = 1;
- fdata->td_maxend = end + 1;
+ fdata->td_maxend = end + win;
+ if (win == 0)
+ fdata->td_maxend++;
}
if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */
@@ -922,7 +928,6 @@ tcphdr_t *tcp;
if (seq == end)
seq = end = fdata->td_end;
- win <<= fdata->td_wscale;
maxwin = tdata->td_maxwin;
ackskew = tdata->td_end - ack;
@@ -1457,7 +1462,7 @@ icmp6again:
rev = fin->fin_rev;
if (is->is_frage[rev] != 0)
is->is_age = is->is_frage[rev];
- else if (fin->fin_rev)
+ else if (rev != 0)
is->is_age = fr_icmpacktimeout;
else
is->is_age = fr_icmptimeout;
diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c
index fc35b31b585b..f9b85aff8f03 100644
--- a/contrib/ipfilter/ipf.c
+++ b/contrib/ipfilter/ipf.c
@@ -50,7 +50,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.14 2002/04/10 04:56:36 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.16 2002/06/06 10:48:35 darrenr Exp $";
#endif
#if SOLARIS
@@ -193,8 +193,11 @@ char *ipfdev;
if (!(opts & OPT_DONOTHING) && fd == -1)
if ((fd = open(ipfdev, O_RDWR)) == -1)
- if ((fd = open(ipfdev, O_RDONLY)) == -1)
+ if ((fd = open(ipfdev, O_RDONLY)) == -1) {
perror("open device");
+ if (errno == ENODEV)
+ fprintf(stderr, "IPFilter enabled?\n");
+ }
return fd;
}
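Review bot: `errno` is examined after `perror()` has run, and a library call may change errno even when it succeeds (C99 7.5), so the ENODEV hint can be lost or shown for the wrong failure depending on the libc. Save it first: `int err = errno; perror("open device"); if (err == ENODEV) fprintf(stderr, "IPFilter enabled?\n");`. The same read-after-print pattern appears in ipnat.c in this import.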
diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c
index a2ccf8923156..0e864f7c2361 100644
--- a/contrib/ipfilter/ipfs.c
+++ b/contrib/ipfilter/ipfs.c
@@ -45,7 +45,7 @@
#include "ipf.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.9 2002/04/17 17:42:59 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.11 2002/06/04 14:44:05 darrenr Exp $";
#endif
#ifndef IPF_SAVEDIR
@@ -733,16 +733,16 @@ char *dirname;
devfd = opendevice(IPL_STATE);
if (devfd == -1)
- return 1;
+ goto bad;
if (writestate(devfd, NULL))
- return 1;
+ goto bad;
close(devfd);
devfd = opendevice(IPL_NAT);
if (devfd == -1)
- return 1;
+ goto bad;
if (writenat(devfd, NULL))
- return 1;
+ goto bad;
close(devfd);
if (setlock(fd, 0)) {
@@ -751,6 +751,11 @@ char *dirname;
}
return 0;
+
+bad:
+ setlock(fd, 0);
+ close(fd);
+ return 1;
}
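Review bot: The `bad:` path releases the lock and closes `fd` but not `devfd`: when `writestate()` or `writenat()` fails, the state or NAT device opened just above is still open, so the descriptor leaks on exactly the paths this hunk set out to clean up. Close it there too, e.g. `if (devfd != -1) close(devfd);` before `close(fd)`, which is safe for the opendevice failures because they leave devfd at -1. The result of `setlock(fd, 0)` is also ignored in the bad path while the success path checks it; if unlocking can fail it deserves at least a warning. The enclosing function starts before this hunk.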
diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h
index 0fc3a8ddfeda..6cd868d155e6 100644
--- a/contrib/ipfilter/ipl.h
+++ b/contrib/ipfilter/ipl.h
@@ -4,12 +4,12 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipl.h 1.21 6/5/96
- * $Id: ipl.h,v 2.15.2.33 2002/04/27 14:53:48 darrenr Exp $
+ * $Id: ipl.h,v 2.15.2.34 2002/06/06 11:11:45 darrenr Exp $
*/
#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter: v3.4.27"
+#define IPL_VERSION "IP Filter: v3.4.28"
#endif
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
index 3e8707b06ea4..6bf90b91e4be 100644
--- a/contrib/ipfilter/ipmon.c
+++ b/contrib/ipfilter/ipmon.c
@@ -68,7 +68,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.34 2002/03/22 10:27:16 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.35 2002/06/04 14:43:49 darrenr Exp $";
#endif
@@ -1252,14 +1252,15 @@ int main(argc, argv)
int argc;
char *argv[];
{
- struct stat sb;
- FILE *log = stdout;
- int fd[3], doread, n, i;
- int tr, nr, regular[3], c;
int fdt[3], devices = 0, make_daemon = 0;
char buf[IPLLOGSIZE], *iplfile[3], *s;
- extern int optind;
+ int fd[3], doread, n, i;
extern char *optarg;
+ extern int optind;
+ int regular[3], c;
+ FILE *log = stdout;
+ struct stat sb;
+ size_t nr, tr;
fd[0] = fd[1] = fd[2] = -1;
fdt[0] = fdt[1] = fdt[2] = -1;
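Review bot: `nr` and `tr` change from int to size_t; if either receives the return value of `read()` (an ssize_t, -1 on error) further down in main, which this hunk does not show, a failure now converts to SIZE_MAX and any `nr < 0` or `tr < 0` test becomes dead code, so an I/O error would be treated as a huge successful read. Keep them `ssize_t` if they ever hold a read() result, or assign through a checked signed temporary. main continues past this hunk.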
diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c
index e19edb86a75e..5df3f20e41f9 100644
--- a/contrib/ipfilter/ipnat.c
+++ b/contrib/ipfilter/ipnat.c
@@ -60,7 +60,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.20 2002/02/22 15:32:55 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.21 2002/06/06 10:49:19 darrenr Exp $";
#endif
@@ -175,6 +175,8 @@ char *argv[];
((fd = open(IPL_NAT, O_RDONLY)) == -1)) {
(void) fprintf(stderr, "%s: open: %s\n", IPL_NAT,
STRERROR(errno));
+ if (errno == ENODEV)
+ fprintf(stderr, "IPFilter enabled?\n");
exit(1);
}
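Review bot: The `errno == ENODEV` test runs after `fprintf()` and the STRERROR call, either of which may alter errno even on success, so the hint can be skipped or printed for the wrong error. Capture it first, `int err = errno;` before the fprintf, and test `err == ENODEV`. main's body continues outside this hunk.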
if (ioctl(fd, SIOCGNATS, &nsp) == -1) {
diff --git a/contrib/ipfilter/ipsend/ip_var.h b/contrib/ipfilter/ipsend/ip_var.h
index 92eb38a0befc..ace980079313 100644
--- a/contrib/ipfilter/ipsend/ip_var.h
+++ b/contrib/ipfilter/ipsend/ip_var.h
@@ -44,7 +44,7 @@ struct ipq {
* Note: ipf_next must be at same offset as ipq_next above
*/
struct ipasfrag {
-#if defined(vax) || defined(i386)
+#if defined(vax) || defined(i386) || defined(__i386__)
u_char ip_hl:4,
ip_v:4;
#endif
diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c
index 0c3b50ce153e..83650859f4ab 100644
--- a/contrib/ipfilter/ipt.c
+++ b/contrib/ipfilter/ipt.c
@@ -64,7 +64,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.21 2002/03/26 15:54:40 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.22 2002/06/04 14:52:58 darrenr Exp $";
#endif
extern char *optarg;
@@ -76,6 +76,7 @@ extern ipnat_t *natparse __P((char *, int));
extern int fr_running;
int opts = 0;
+int rremove = 0;
int use_inet6 = 0;
int main __P((int, char *[]));
int loadrules __P((char *));
@@ -111,7 +112,7 @@ char *argv[];
ipflog_init();
fr_running = 1;
- while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:STvxX")) != -1)
+ while ((c = getopt(argc, argv, "6bdDEHi:I:l:NoPr:RSTvxX")) != -1)
switch (c)
{
case '6' :
@@ -163,6 +164,9 @@ char *argv[];
case 'P' :
r = &pcap;
break;
+ case 'R' :
+ rremove = 1;
+ break;
case 'S' :
r = &snoop;
break;
@@ -330,20 +334,44 @@ char *file;
if (!(fr = natparse(line, linenum)))
continue;
- i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
- (caddr_t)&fr, FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(ADNAT,%p,1) = %d\n",
- fr, i);
+ if (rremove == 0) {
+ i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCADNAT,
+ (caddr_t)&fr,
+ FWRITE|FREAD);
+ if (opts & OPT_DEBUG)
+ fprintf(stderr,
+ "iplioctl(ADNAT,%p,1) = %d\n",
+ fr, i);
+ } else {
+ i = IPL_EXTERN(ioctl)(IPL_LOGNAT, SIOCRMNAT,
+ (caddr_t)&fr,
+ FWRITE|FREAD);
+ if (opts & OPT_DEBUG)
+ fprintf(stderr,
+ "iplioctl(RMNAT,%p,1) = %d\n",
+ fr, i);
+ }
} else {
if (!(fr = parse(line, linenum)))
continue;
- i = IPL_EXTERN(ioctl)(0, SIOCADAFR, (caddr_t)&fr,
- FWRITE|FREAD);
- if (opts & OPT_DEBUG)
- fprintf(stderr, "iplioctl(ADAFR,%p,1) = %d\n",
- fr, i);
+ if (rremove == 0) {
+ i = IPL_EXTERN(ioctl)(0, SIOCADAFR,
+ (caddr_t)&fr,
+ FWRITE|FREAD);
+ if (opts & OPT_DEBUG)
+ fprintf(stderr,
+ "iplioctl(ADAFR,%p,1) = %d\n",
+ fr, i);
+ } else {
+ i = IPL_EXTERN(ioctl)(0, SIOCRMAFR,
+ (caddr_t)&fr,
+ FWRITE|FREAD);
+ if (opts & OPT_DEBUG)
+ fprintf(stderr,
+ "iplioctl(RMAFR,%p,1) = %d\n",
+ fr, i);
+ }
}
}
(void)fclose(fp);
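Review bot: The four add/remove branches are copies of one another that differ only in the ioctl and the debug label, which is how the two halves drift apart later; pick the command once per rule type and make the ioctl call once, with a local `u_long cmd` (the type iplioctl declares in ip_fil.h) chosen by `rremove`. Separately, the ioctl result `i` is only shown under OPT_DEBUG, so with -R a rule that is not found vanishes silently; reporting `i != 0` with a one-line warning would make removal failures visible. The enclosing function (loadrules, by its `char *file` signature) starts before this hunk.
```c
			if (!(fr = natparse(line, linenum)))
				continue;
			cmd = rremove ? SIOCRMNAT : SIOCADNAT;
			i = IPL_EXTERN(ioctl)(IPL_LOGNAT, cmd, (caddr_t)&fr,
					      FWRITE|FREAD);
			if (opts & OPT_DEBUG)
				fprintf(stderr, "iplioctl(%s,%p,1) = %d\n",
					rremove ? "RMNAT" : "ADNAT", fr, i);
		} else {
			if (!(fr = parse(line, linenum)))
				continue;
			cmd = rremove ? SIOCRMAFR : SIOCADAFR;
			i = IPL_EXTERN(ioctl)(0, cmd, (caddr_t)&fr,
					      FWRITE|FREAD);
			if (opts & OPT_DEBUG)
				fprintf(stderr, "iplioctl(%s,%p,1) = %d\n",
					rremove ? "RMAFR" : "ADAFR", fr, i);
		}
```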
diff --git a/contrib/ipfilter/man/ipftest.1 b/contrib/ipfilter/man/ipftest.1
index aba216a87fdb..9f7f2e3f2982 100644
--- a/contrib/ipfilter/man/ipftest.1
+++ b/contrib/ipfilter/man/ipftest.1
@@ -4,7 +4,7 @@ ipftest \- test packet filter rules with arbitary input.
.SH SYNOPSIS
.B ipftest
[
-.B \-vbdPSTEHX
+.B \-vbdPRSTEHX
] [
.B \-I
interface
@@ -76,6 +76,10 @@ The input file specified by \fB\-i\fP is a binary file produced using libpcap
(i.e., tcpdump version 3). Packets are read from this file as being input
(for rule purposes). An interface maybe specified using \fB\-I\fP.
.TP
+.B \-R
+Remove rules rather than load them. This is not a toggle option, so once
+set, it cannot be reset by further use of -R.
+.TP
.B \-S
The input file is to be in "snoop" format (see RFC 1761). Packets are read
from this file and used as input from any interface. This is perhaps the
@@ -98,7 +102,12 @@ option combinations:
.B \-H
The input file is to be hex digits, representing the binary makeup of the
packet. No length correction is made, if an incorrect length is put in
-the IP header.
+the IP header. A packet may be broken up over several lines of hex digits,
+a blank line indicating the end of the packet. It is possible to specify
+both the interface name and direction of the packet (for filtering purposes)
+at the start of the line using this format: [direction,interface] To define
+a packet going in on le0, we would use \fB[in,le0]\fP - the []'s are required
+and part of the input syntax.
.TP
.B \-X
The input file is composed of text descriptions of IP packets.
diff --git a/contrib/ipfilter/man/ipnat.4 b/contrib/ipfilter/man/ipnat.4
index 6cba7b64ede2..54f55d3de810 100644
--- a/contrib/ipfilter/man/ipnat.4
+++ b/contrib/ipfilter/man/ipnat.4
@@ -31,7 +31,7 @@ being that the fd must be that of the device associated with the module
(i.e., /dev/ipl).
.LP
.PP
-The strcture used with the NAT interface is described below:
+The structure used with the NAT interface is described below:
.LP
.nf
typedef struct ipnat {
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index 16c1752b4f54..a8beb6fc3d39 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -19,17 +19,19 @@ mapit ::= "map" | "bimap" .
fromto ::= "from" object "to" object .
ipmask ::= ip "/" bits | ip "/" mask | ip "netmask" mask .
dstipmask ::= ipmask | "range" ip "-" ip .
-mapport ::= "portmap" tcpudp portnumber ":" portnumber .
+mapport ::= "portmap" tcpudp portspec .
options ::= [ tcpudp ] [ rr ] .
-object = addr [ port-comp | port-range ] .
-addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
-port-comp = "port" compare port-num .
-port-range = "port" port-num range port-num .
+object :: = addr [ port-comp | port-range ] .
+addr :: = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
+port-comp :: = "port" compare port-num .
+port-range :: = "port" port-num range port-num .
rr ::= "round-robin" .
+nummask = host-name [ "/" decnumber ] .
tcpudp ::= "tcp" | "udp" | "tcp/udp" .
-portnumber ::= number { numbers } | "auto" .
+portspec ::= "auto" | portnumber ":" portnumber .
+portnumber ::= number { numbers } .
ifname ::= 'A' - 'Z' { 'A' - 'Z' } numbers .
numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c
index 84d2a955a4de..a165c792cde4 100644
--- a/contrib/ipfilter/mlf_ipl.c
+++ b/contrib/ipfilter/mlf_ipl.c
@@ -13,7 +13,11 @@
#if defined(__FreeBSD__)
# ifndef __FreeBSD_version
-# include <sys/osreldate.h>
+# ifdef IPFILTER_LKM
+# include <osreldate.h>
+# else
+# include <sys/osreldate.h>
+# endif
# endif
# ifdef IPFILTER_LKM
# define ACTUALLY_LKM_NOT_KERNEL
diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c
index 6a2a04ed5327..02590dfbe7b8 100644
--- a/contrib/ipfilter/parse.c
+++ b/contrib/ipfilter/parse.c
@@ -147,7 +147,7 @@ int linenum;
}
fil.fr_icode = j;
}
- } else if (!strncasecmp(*(cpp+1), "return-rst", 10)) {
+ } else if (!strcasecmp(*(cpp+1), "return-rst")) {
fil.fr_flags |= FR_RETRST;
cpp++;
}
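Review bot: Switching "return-rst" to an exact `strcasecmp` is right, but the companion `return-icmp` branch just above (cut off by the hunk, ending at `fil.fr_icode = j;`) is where a length-limited `strncasecmp` would also accept trailing garbage; there a prefix match may be intentional because of the `(code)` suffix, so check it rather than assume. A one-line comment such as `/* keyword must match exactly; no prefix matching */` on this branch would keep the two from diverging again. parse() starts before this hunk.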
diff --git a/contrib/ipfilter/printnat.c b/contrib/ipfilter/printnat.c
index fe8388d70e4a..ba5524b83434 100644
--- a/contrib/ipfilter/printnat.c
+++ b/contrib/ipfilter/printnat.c
@@ -58,7 +58,7 @@ extern char *sys_errlist[];
#endif
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.8 2002/04/25 16:44:13 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.9 2002/05/03 11:48:49 darrenr Exp $";
#endif
@@ -442,6 +442,12 @@ int opts;
printf("\n\tip modulous %d", np->in_pmax);
} else if (np->in_pmin || np->in_pmax) {
printf(" portmap");
+ if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
+ printf(" tcp/udp");
+ else if (np->in_flags & IPN_TCP)
+ printf(" tcp");
+ else if (np->in_flags & IPN_UDP)
+ printf(" udp");
if (np->in_flags & IPN_AUTOPORTMAP) {
printf(" auto");
if (opts & OPT_DEBUG)
@@ -450,12 +456,6 @@ int opts;
ntohs(np->in_pmax),
np->in_ippip, np->in_ppip);
} else {
- if ((np->in_flags & IPN_TCPUDP) == IPN_TCPUDP)
- printf(" tcp/udp");
- else if (np->in_flags & IPN_TCP)
- printf(" tcp");
- else if (np->in_flags & IPN_UDP)
- printf(" udp");
printf(" %d:%d", ntohs(np->in_pmin),
ntohs(np->in_pmax));
}
diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile
index 2c4acd817cf5..812841348a7a 100644
--- a/contrib/ipfilter/test/Makefile
+++ b/contrib/ipfilter/test/Makefile
@@ -18,7 +18,7 @@ first:
ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14 f15 f16 f17
# Rule parsing tests
-ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
+ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12
ntests: n1 n2 n3 n4 n5 n6 n7
@@ -45,7 +45,7 @@ f15 f16:
f17:
@/bin/sh ./mhtest $@
-i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
+i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12:
@/bin/sh ./itest $@
n1 n2 n3 n4 n5 n6 n7:
@@ -65,7 +65,7 @@ ipv6.1 ipv6.2:
clean:
/bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 f15 f16 f17
- /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
+ /bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11 i12
/bin/rm -f n1 n2 n3 n4 n5 n6 n7
/bin/rm -f ni1 ni2 ni3 ni4 ni5
/bin/rm -f in1 in2 in3 in4
diff --git a/contrib/ipfilter/test/expected/in1 b/contrib/ipfilter/test/expected/in1
index f3d0777943c0..73e39f92f0de 100644
--- a/contrib/ipfilter/test/expected/in1
+++ b/contrib/ipfilter/test/expected/in1
@@ -7,9 +7,9 @@ map le0 192.168.0.0/16 -> range 203.1.1.23-203.1.3.45
map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp 10000:19999
map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap udp 20000:29999
map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 30000:39999
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap auto
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap auto
-map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap auto
+map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp auto
+map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap udp auto
+map ppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map ppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port 1010 ftp/tcp
map le0 0.0.0.0/0 -> 0.0.0.0/32 frag