aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDarren Reed <darrenr@FreeBSD.org>2002-08-28 13:42:48 +0000
committerDarren Reed <darrenr@FreeBSD.org>2002-08-28 13:42:48 +0000
commitf7a96e18f16f15c9ffeff1ab041faeb5584c7fb3 (patch)
treef2d0223cccbc9beaa3eb21f7810ca0eea835a8ce
parenta8e3e73627cfa19308889fa99131e4deef49c6c6 (diff)
downloadsrc-f7a96e18f16f15c9ffeff1ab041faeb5584c7fb3.tar.gz
src-f7a96e18f16f15c9ffeff1ab041faeb5584c7fb3.zip
With a bit of luck, this will be a first-time right import of ipfilter 3.4.29
on to the vendor branch.
Notes
Notes: svn path=/vendor/ipfilter/dist/; revision=102521
-rw-r--r--contrib/ipfilter/BSD/Makefile9
-rw-r--r--contrib/ipfilter/HISTORY23
-rw-r--r--contrib/ipfilter/fil.c17
-rw-r--r--contrib/ipfilter/fils.c8
-rw-r--r--contrib/ipfilter/ip_compat.h5
-rw-r--r--contrib/ipfilter/ip_fil.c23
-rw-r--r--contrib/ipfilter/ip_frag.c21
-rw-r--r--contrib/ipfilter/ip_frag.h6
-rw-r--r--contrib/ipfilter/ip_ftp_pxy.c190
-rw-r--r--contrib/ipfilter/ip_h323_pxy.c1
-rw-r--r--contrib/ipfilter/ip_nat.c13
-rw-r--r--contrib/ipfilter/ip_nat.h3
-rw-r--r--contrib/ipfilter/ip_proxy.c94
-rw-r--r--contrib/ipfilter/ip_proxy.h4
-rw-r--r--contrib/ipfilter/ip_sfil.c19
-rw-r--r--contrib/ipfilter/ip_state.c14
-rw-r--r--contrib/ipfilter/ip_state.h5
-rw-r--r--contrib/ipfilter/ipf.c6
-rw-r--r--contrib/ipfilter/ipft_ef.c12
-rw-r--r--contrib/ipfilter/ipft_td.c6
-rw-r--r--contrib/ipfilter/ipft_tx.c6
-rw-r--r--contrib/ipfilter/ipl.h4
-rw-r--r--contrib/ipfilter/ipmon.c6
-rw-r--r--contrib/ipfilter/kmem.c23
-rw-r--r--contrib/ipfilter/man/ipmon.87
-rw-r--r--contrib/ipfilter/man/ipnat.59
-rw-r--r--contrib/ipfilter/parse.c4
-rw-r--r--contrib/ipfilter/printnat.c7
-rw-r--r--contrib/ipfilter/rules/example.92
-rw-r--r--contrib/ipfilter/test/expected/f1312
-rw-r--r--contrib/ipfilter/test/input/f1314
31 files changed, 435 insertions, 138 deletions
diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile
index 835d2336953c..4d97a9bd4d00 100644
--- a/contrib/ipfilter/BSD/Makefile
+++ b/contrib/ipfilter/BSD/Makefile
@@ -231,7 +231,7 @@ clean:
${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \
vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h \
y.tab.? lex.yy.c ipfs
- ${RM} -f ../opt_inet6.h
+ ${RM} -f ../opt_inet6.h ../ipftest ../ipmon ../ipf ../ipnat
${MAKE} -f Makefile.ipsend ${MFLAGS} clean
-(for i in *; do \
@@ -243,8 +243,11 @@ clean:
done)
install:
- -$(CP) $(TOP)/ip_fil.h /usr/include/netinet/ip_fil.h
- -$(CHMOD) 444 /usr/include/netinet/ip_fil.h
+ for i in ip_compat.h ip_fil.h ip_nat.h ip_state.h ip_proxy.h \
+ ip_frag.h ip_auth.h; do \
+ /bin/cp $(TOP)/$$i /usr/include/netinet/; \
+ -$(CHMOD) 444 /usr/include/netinet/$$i; \
+ done
-if [ -d /lkm -a -f if_ipl.o ] ; then \
cp if_ipl.o /lkm; \
fi
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
index 0369d3f0ae8d..75026a0c3eaf 100644
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@@ -22,6 +22,29 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
+3.4.29 28/8/2002 - Released
+
+Make substantial changes to the FTP proxy to improve reliability, security
+and functionality.
+
+don't send ICMP errors/TCP RST's in response to blocked proxy packets
+
+fix potential memory leaks when unloading ipfilter from kernel
+
+fix bug in SIOCGNATL handler that did not preserve the expected
+byte order from earlier versions in the port number
+
+set do not fragment flag in generated packets according to system flags,
+where available.
+
+preserve filter rule number and group number in state structure
+
+fix bug in ipmon printing of p/P/b/B
+
+make some changes to the kmem.c code for IRIX compatibility
+
+add code to specifically handle ip.tun* interfaces on Solaris
+
3.4.28 6/6/2002 - Released
Fix for H.323 proxy to work on little endian boxes
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index ed319d4b52e9..146e70aac1df 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -97,7 +97,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $";
#endif
#ifndef _KERNEL
@@ -1076,7 +1076,7 @@ int out;
fin->fin_fr = fr;
if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
if (fin->fin_fl & FI_FRAG) {
- if (ipfr_newfrag(ip, fin, pass) == -1) {
+ if (ipfr_newfrag(ip, fin) == -1) {
ATOMIC_INCL(frstats[out].fr_bnfr);
} else {
ATOMIC_INCL(frstats[out].fr_nfr);
@@ -1191,7 +1191,16 @@ logit:
* some operating systems.
*/
if (!out) {
- if (pass & FR_RETICMP) {
+ if (changed == -1)
+ /*
+ * If a packet results in a NAT error, do not
+ * send a reset or ICMP error as it may disrupt
+ * an existing flow. This is the proxy saying
+ * the content is bad so just drop the packet
+ * silently.
+ */
+ ;
+ else if (pass & FR_RETICMP) {
int dst;
if ((pass & FR_RETMASK) == FR_FAKEICMP)
@@ -1501,7 +1510,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c
index dcf74e5e67df..e6bf11f2bd75 100644
--- a/contrib/ipfilter/fils.c
+++ b/contrib/ipfilter/fils.c
@@ -94,7 +94,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.35 2002/04/03 14:18:36 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.36 2002/06/27 14:29:16 darrenr Exp $";
#endif
extern char *optarg;
@@ -197,7 +197,7 @@ char *argv[];
ipfrstat_t *ifrstp = &ifrst;
char *device = IPL_NAME, *memf = NULL;
char *kern = NULL;
- int c, fd, myoptind;
+ int c, myoptind;
struct protoent *proto;
int protocol = -1; /* -1 = wild card for any protocol */
@@ -354,8 +354,8 @@ char *argv[];
bzero((char *)&ipsst, sizeof(ipsst));
bzero((char *)&ifrst, sizeof(ifrst));
- fd = ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
- &frauthstp, &frf);
+ ipfstate_live(device, &fiop, &ipsstp, &ifrstp,
+ &frauthstp, &frf);
} else
ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);
diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h
index 81690a7f9a32..4d8cfafe2b87 100644
--- a/contrib/ipfilter/ip_compat.h
+++ b/contrib/ipfilter/ip_compat.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_compat.h 1.8 1/14/96
- * $Id: ip_compat.h,v 2.26.2.45 2002/06/04 14:40:54 darrenr Exp $
+ * $Id: ip_compat.h,v 2.26.2.46 2002/06/27 14:39:40 darrenr Exp $
*/
#ifndef __IP_COMPAT_H__
@@ -186,6 +186,9 @@ typedef struct qif {
*/
size_t qf_hl; /* header length */
int qf_sap;
+# if SOLARIS2 >= 8
+ int qf_tunoff; /* tunnel offset */
+#endif
size_t qf_incnt;
size_t qf_outcnt;
} qif_t;
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index 52383564e79c..90bcb8218c8e 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -120,7 +120,7 @@ extern int ip_optcopy __P((struct ip *, struct ip *));
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.58 2002/06/06 10:47:27 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.60 2002/08/28 12:40:39 darrenr Exp $";
#endif
@@ -157,6 +157,7 @@ static int ipfr_fastroute6 __P((struct mbuf *, struct mbuf **,
fr_info_t *, frdest_t *));
# endif
# ifdef __sgi
+extern int tcp_mtudisc;
extern kmutex_t ipf_rw;
extern KRWLOCK_T ipf_mutex;
# endif
@@ -482,7 +483,7 @@ int ipl_disable()
int ipldetach()
# endif
{
- int s, i = FR_INQUE|FR_OUTQUE;
+ int s, i;
#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)
int error = 0;
# if __NetBSD_Version__ >= 105150000
@@ -523,7 +524,8 @@ int ipldetach()
printf("%s unloaded\n", ipfilter_version);
fr_checkp = fr_savep;
- i = frflush(IPL_LOGIPF, i);
+ i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
+ i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE);
fr_running = 0;
# ifdef NETBSD_PF
@@ -1244,7 +1246,17 @@ struct mbuf **mp;
ip->ip_v = IPVERSION;
ip->ip_tos = oip->ip_tos;
ip->ip_id = oip->ip_id;
- ip->ip_off = 0;
+
+# if defined(__NetBSD__) || defined(__OpenBSD__)
+ if (ip_mtudisc != 0)
+ ip->ip_off = IP_DF;
+# else
+# if defined(__sgi)
+ if (ip->ip_p == IPPROTO_TCP && tcp_mtudisc != 0)
+ ip->ip_off = IP_DF;
+# endif
+# endif
+
# if (BSD < 199306) || defined(__sgi)
ip->ip_ttl = tcp_ttl;
# else
@@ -1671,7 +1683,8 @@ frdest_t *fdp;
*/
if (ip->ip_len <= ifp->if_mtu) {
# ifndef sparc
-# if (!defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510))
+# if (!defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510)) && \
+ !(__NetBSD_Version__ >= 105110000)
ip->ip_id = htons(ip->ip_id);
# endif
ip->ip_len = htons(ip->ip_len);
diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c
index f240cd9da4e0..bed47b708f69 100644
--- a/contrib/ipfilter/ip_frag.c
+++ b/contrib/ipfilter/ip_frag.c
@@ -90,7 +90,7 @@ extern struct timeout ipfr_slowtimer_ch;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.21 2002/04/10 04:56:10 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.24 2002/08/28 12:41:04 darrenr Exp $";
#endif
@@ -120,7 +120,7 @@ extern kmutex_t ipf_rw;
#endif
-static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, u_int, ipfr_t **));
+static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, ipfr_t **));
static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **));
static void ipfr_delete __P((ipfr_t *));
@@ -138,10 +138,9 @@ ipfrstat_t *ipfr_fragstats()
* add a new entry to the fragment cache, registering it as having come
* through this box, with the result of the filter operation.
*/
-static ipfr_t *ipfr_new(ip, fin, pass, table)
+static ipfr_t *ipfr_new(ip, fin, table)
ip_t *ip;
fr_info_t *fin;
-u_int pass;
ipfr_t *table[];
{
ipfr_t **fp, *fra, frag;
@@ -198,7 +197,7 @@ ipfr_t *table[];
/*
* Instert the fragment into the fragment table, copy the struct used
* in the search using bcopy rather than reassign each field.
- * Set the ttl to the default and mask out logging from "pass"
+ * Set the ttl to the default.
*/
if ((fra->ipfr_next = table[idx]))
table[idx]->ipfr_prev = fra;
@@ -220,17 +219,16 @@ ipfr_t *table[];
}
-int ipfr_newfrag(ip, fin, pass)
+int ipfr_newfrag(ip, fin)
ip_t *ip;
fr_info_t *fin;
-u_int pass;
{
ipfr_t *ipf;
if ((ip->ip_v != 4) || (fr_frag_lock))
return -1;
WRITE_ENTER(&ipf_frag);
- ipf = ipfr_new(ip, fin, pass, ipfr_heads);
+ ipf = ipfr_new(ip, fin, ipfr_heads);
RWLOCK_EXIT(&ipf_frag);
if (ipf == NULL) {
ATOMIC_INCL(frstats[fin->fin_out].fr_bnfr);
@@ -241,10 +239,9 @@ u_int pass;
}
-int ipfr_nat_newfrag(ip, fin, pass, nat)
+int ipfr_nat_newfrag(ip, fin, nat)
ip_t *ip;
fr_info_t *fin;
-u_int pass;
nat_t *nat;
{
ipfr_t *ipf;
@@ -256,10 +253,10 @@ nat_t *nat;
off = fin->fin_off;
off <<= 3;
if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
- return NULL;
+ return -1;
WRITE_ENTER(&ipf_natfrag);
- ipf = ipfr_new(ip, fin, pass, ipfr_nattab);
+ ipf = ipfr_new(ip, fin, ipfr_nattab);
if (ipf != NULL) {
ipf->ipfr_data = nat;
nat->nat_data = ipf;
diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h
index 03f41f8d04cd..4bd6b5223297 100644
--- a/contrib/ipfilter/ip_frag.h
+++ b/contrib/ipfilter/ip_frag.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_frag.h 1.5 3/24/96
- * $Id: ip_frag.h,v 2.4.2.6 2002/01/01 15:09:38 darrenr Exp $
+ * $Id: ip_frag.h,v 2.4.2.7 2002/07/06 14:17:51 darrenr Exp $
*/
#ifndef __IP_FRAG_H__
@@ -48,8 +48,8 @@ typedef struct ipfrstat {
extern int fr_ipfrttl;
extern int fr_frag_lock;
extern ipfrstat_t *ipfr_fragstats __P((void));
-extern int ipfr_newfrag __P((ip_t *, fr_info_t *, u_int));
-extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, u_int, struct nat *));
+extern int ipfr_newfrag __P((ip_t *, fr_info_t *));
+extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, struct nat *));
extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *));
extern frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *));
extern void ipfr_forget __P((void *));
diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c
index f2603e07d279..a5a27be6b905 100644
--- a/contrib/ipfilter/ip_ftp_pxy.c
+++ b/contrib/ipfilter/ip_ftp_pxy.c
@@ -2,7 +2,7 @@
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
- * $Id: ip_ftp_pxy.c,v 2.7.2.36 2002/06/06 10:44:40 darrenr Exp $
+ * $Id: ip_ftp_pxy.c,v 2.7.2.38 2002/08/28 12:45:47 darrenr Exp $
*/
#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_rw;
@@ -294,7 +294,7 @@ int dlen;
ip->ip_len = slen;
ip->ip_src = swip;
}
- return APR_INC(inc);
+ return inc;
}
@@ -577,7 +577,7 @@ int dlen;
wptr = f->ftps_wptr;
if (!isdigit(*rptr) || !isdigit(*(rptr + 1)) || !isdigit(*(rptr + 2)))
- return inc;
+ return 0;
if (ftp->ftp_passok == FTPXY_GO) {
if (!strncmp(rptr, "227 ", 4))
inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
@@ -717,6 +717,10 @@ size_t len;
}
+/*
+ * rv == 0 for outbound processing,
+ * rv == 1 for inbound processing.
+ */
int ippr_ftp_process(fin, ip, nat, ftp, rv)
fr_info_t *fin;
ip_t *ip;
@@ -724,15 +728,16 @@ nat_t *nat;
ftpinfo_t *ftp;
int rv;
{
- int mlen, len, off, inc, i, sel;
+ int mlen, len, off, inc, i, sel, sel2, ok, ackoff, seqoff;
+ u_32_t thseq, thack;
char *rptr, *wptr;
+ ap_session_t *aps;
ftpside_t *f, *t;
tcphdr_t *tcp;
mb_t *m;
tcp = (tcphdr_t *)fin->fin_dp;
off = fin->fin_hlen + (tcp->th_off << 2);
-
#if SOLARIS && defined(_KERNEL)
m = fin->fin_qfm;
#else
@@ -750,46 +755,149 @@ int rv;
#endif
mlen -= off;
+ aps = nat->nat_aps;
t = &ftp->ftp_side[1 - rv];
f = &ftp->ftp_side[rv];
- if (!mlen) {
- if (!t->ftps_seq ||
- (int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0)
- t->ftps_seq = ntohl(tcp->th_ack);
- f->ftps_len = 0;
- return 0;
- }
-
- rptr = f->ftps_rptr;
- wptr = f->ftps_wptr;
-
- i = 0;
- sel = nat->nat_aps->aps_sel[1 - rv];
- if (rv) {
- if (nat->nat_aps->aps_ackmin[sel] < ntohl(tcp->th_seq))
- i = nat->nat_aps->aps_ackoff[sel];
+ thseq = ntohl(tcp->th_seq);
+ thack = ntohl(tcp->th_ack);
+
+ sel = aps->aps_sel[1 - rv];
+ sel2 = aps->aps_sel[rv];
+ if (rv == 0) {
+ seqoff = aps->aps_seqoff[sel];
+ if (aps->aps_seqmin[sel] > seqoff + thseq)
+ seqoff = aps->aps_seqoff[!sel];
+ ackoff = aps->aps_ackoff[sel2];
+ if (aps->aps_ackmin[sel2] > ackoff + thack)
+ ackoff = aps->aps_ackoff[!sel2];
} else {
- if (nat->nat_aps->aps_seqmin[sel] < ntohl(tcp->th_seq))
- i = nat->nat_aps->aps_seqoff[sel];
+#if PROXY_DEBUG
+ printf("seqoff %d thseq %x ackmin %x\n", seqoff, thseq,
+ aps->aps_ackmin[sel]);
+#endif
+ seqoff = aps->aps_ackoff[sel];
+ if (aps->aps_ackmin[sel] > seqoff + thseq)
+ seqoff = aps->aps_ackoff[!sel];
+
+#if PROXY_DEBUG
+ printf("ackoff %d thack %x seqmin %x\n", ackoff, thack,
+ aps->aps_seqmin[sel2]);
+#endif
+ ackoff = aps->aps_seqoff[sel2];
+ if (ackoff > 0) {
+ if (aps->aps_seqmin[sel2] > ackoff + thack)
+ ackoff = aps->aps_seqoff[!sel2];
+ } else {
+ if (aps->aps_seqmin[sel2] > thack)
+ ackoff = aps->aps_seqoff[!sel2];
+ }
}
+#if PROXY_DEBUG
+ printf("%s: %x seq %x/%d ack %x/%d len %d\n", rv ? "IN" : "OUT",
+ tcp->th_flags, thseq, seqoff, thack, ackoff, mlen);
+ printf("sel %d seqmin %x/%x offset %d/%d\n", sel,
+ aps->aps_seqmin[sel], aps->aps_seqmin[sel2],
+ aps->aps_seqoff[sel], aps->aps_seqoff[sel2]);
+ printf("sel %d ackmin %x/%x offset %d/%d\n", sel2,
+ aps->aps_ackmin[sel], aps->aps_ackmin[sel2],
+ aps->aps_ackoff[sel], aps->aps_ackoff[sel2]);
+#endif
+
/*
* XXX - Ideally, this packet should get dropped because we now know
* that it is out of order (and there is no real danger in doing so
* apart from causing packets to go through here ordered).
*/
- if (f->ftps_len + f->ftps_seq == ntohl(tcp->th_seq))
- f->ftps_seq = ntohl(tcp->th_seq);
+#if PROXY_DEBUG
+ printf("rv %d t:seq[0] %x seq[1] %x %d/%d\n",
+ rv, t->ftps_seq[0], t->ftps_seq[1], seqoff, ackoff);
+#endif
+
+ ok = 0;
+ if (t->ftps_seq[0] == 0)
+ t->ftps_seq[0] = thack, ok = 1;
else {
- inc = ntohl(tcp->th_seq) - f->ftps_seq;
- if (inc < 0)
- inc = -inc;
- if (i < 0)
- i = -i;
- if (inc > i) {
+ if (ackoff == 0) {
+ if (t->ftps_seq[0] == thack)
+ ok = 1;
+ else if (t->ftps_seq[1] == thack) {
+ t->ftps_seq[0] = thack;
+ ok = 1;
+ }
+ } else {
+ if (t->ftps_seq[0] + ackoff == thack)
+ ok = 1;
+ else if (t->ftps_seq[0] == thack + ackoff)
+ ok = 1;
+ else if (t->ftps_seq[1] + ackoff == thack) {
+ t->ftps_seq[0] = thack - ackoff;
+ ok = 1;
+ } else if (t->ftps_seq[1] == thack + ackoff) {
+ t->ftps_seq[0] = thack - ackoff;
+ ok = 1;
+ }
+ }
+ }
+
+#if PROXY_DEBUG
+ if (!ok)
+ printf("not ok\n");
+#endif
+
+ if (!mlen) {
+ if (t->ftps_seq[0] + ackoff != thack)
return APR_ERR(1);
+
+#if PROXY_DEBUG
+ printf("f:seq[0] %x seq[1] %x\n", f->ftps_seq[0], f->ftps_seq[1]);
+#endif
+ if (tcp->th_flags & TH_FIN) {
+ if (thseq + seqoff == f->ftps_seq[0] + 1 ||
+ f->ftps_seq[0] + seqoff + 1 == thseq ||
+ thseq + seqoff == f->ftps_seq[0] ||
+ thseq == f->ftps_seq[0] + seqoff)
+ ;
+ else {
+#if PROXY_DEBUG
+ printf("FIN: thseq %x seqoff %d ftps_seq %x\n",
+ thseq, seqoff, f->ftps_seq[0]);
+#endif
+ return APR_ERR(1);
+ }
}
+ f->ftps_len = 0;
+ return 0;
}
+
+ ok = 0;
+ if (thseq == f->ftps_seq[0] || thseq == f->ftps_seq[1])
+ ok = 1;
+ /*
+ * Retransmitted data packet.
+ */
+ else if (thseq + mlen == f->ftps_seq[0] ||
+ thseq + mlen == f->ftps_seq[1])
+ ok = 1;
+ if (ok == 0) {
+ inc = thseq - f->ftps_seq[0];
+#if PROXY_DEBUG
+ printf("inc %d sel %d rv %d\n", inc, sel, rv);
+ printf("th_seq %x ftps_seq %x/%x\n", thseq, f->ftps_seq[0],
+ f->ftps_seq[1]);
+ printf("ackmin %x ackoff %d\n", aps->aps_ackmin[sel],
+ aps->aps_ackoff[sel]);
+ printf("seqmin %x seqoff %d\n", aps->aps_seqmin[sel],
+ aps->aps_seqoff[sel]);
+#endif
+
+ return APR_ERR(1);
+ }
+
inc = 0;
+ rptr = f->ftps_rptr;
+ wptr = f->ftps_wptr;
+ f->ftps_seq[0] = thseq;
+ f->ftps_seq[1] = f->ftps_seq[0] + mlen;
f->ftps_len = mlen;
while (mlen > 0) {
@@ -833,6 +941,7 @@ int rv;
* ftp proxy for this connection.
*/
if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) {
+ /* f->ftps_seq[1] += inc; */
return APR_ERR(2);
}
@@ -873,7 +982,24 @@ int rv;
}
}
- t->ftps_seq = ntohl(tcp->th_ack);
+ /* f->ftps_seq[1] += inc; */
+ if (tcp->th_flags & TH_FIN)
+ f->ftps_seq[1]++;
+#ifndef _KERNEL
+ mlen = mbuflen(m);
+#else
+# if SOLARIS
+ mlen = msgdsize(m);
+# else
+ mlen = mbufchainlen(m);
+# endif
+#endif
+ off = fin->fin_hlen + (tcp->th_off << 2);
+ mlen -= off;
+#if PROXY_DEBUG
+ printf("ftps_seq[1] = %x inc %d len %d\n", f->ftps_seq[1], inc, mlen);
+#endif
+
f->ftps_rptr = rptr;
f->ftps_wptr = wptr;
return APR_INC(inc);
diff --git a/contrib/ipfilter/ip_h323_pxy.c b/contrib/ipfilter/ip_h323_pxy.c
index ec9b2fe2b8a6..8d8ef923f7ac 100644
--- a/contrib/ipfilter/ip_h323_pxy.c
+++ b/contrib/ipfilter/ip_h323_pxy.c
@@ -9,6 +9,7 @@
* authorized by a written license agreement from QSSL. For more information,
* please email licensing@qnx.com.
*
+ * For more details, see QNX_OCL.txt provided with this distribution.
*/
/*
diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c
index da5235a2ca28..854c68dc4a2d 100644
--- a/contrib/ipfilter/ip_nat.c
+++ b/contrib/ipfilter/ip_nat.c
@@ -109,7 +109,7 @@ extern struct ifnet vpnif;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.68 2002/06/04 14:46:08 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.70 2002/08/28 12:45:48 darrenr Exp $";
#endif
nat_t **nat_table[2] = { NULL, NULL },
@@ -2265,8 +2265,8 @@ register natlookup_t *np;
fr_info_t fi;
bzero((char *)&fi, sizeof(fi));
- fi.fin_data[0] = np->nl_inport;
- fi.fin_data[1] = np->nl_outport;
+ fi.fin_data[0] = ntohs(np->nl_inport);
+ fi.fin_data[1] = ntohs(np->nl_outport);
/*
* If nl_inip is non null, this is a lookup based on the real
@@ -2448,7 +2448,7 @@ maskloop:
if (nat) {
np = nat->nat_ptr;
if (natadd && (fin->fin_fl & FI_FRAG) && np)
- ipfr_nat_newfrag(ip, fin, 0, nat);
+ ipfr_nat_newfrag(ip, fin, nat);
MUTEX_ENTER(&nat->nat_lock);
if (fin->fin_p != IPPROTO_TCP) {
if (np && np->in_age[1])
@@ -2540,6 +2540,8 @@ maskloop:
i = appr_check(ip, fin, nat);
if (i == 0)
i = 1;
+ else if (i == -1)
+ nat->nat_drop[1]++;
} else
i = 1;
ATOMIC_INCL(nat_stats.ns_mapped[1]);
@@ -2664,11 +2666,12 @@ maskloop:
np = nat->nat_ptr;
fin->fin_fr = nat->nat_fr;
if (natadd && (fin->fin_fl & FI_FRAG) && np)
- ipfr_nat_newfrag(ip, fin, 0, nat);
+ ipfr_nat_newfrag(ip, fin, nat);
if (np && (np->in_apr != NULL) && (np->in_dport == 0 ||
(tcp != NULL && sport == np->in_dport))) {
i = appr_check(ip, fin, nat);
if (i == -1) {
+ nat->nat_drop[0]++;
RWLOCK_EXIT(&ipf_nat);
return i;
}
diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h
index b3b0b27723f9..e1b160fbf618 100644
--- a/contrib/ipfilter/ip_nat.h
+++ b/contrib/ipfilter/ip_nat.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_nat.h 1.5 2/4/96
- * $Id: ip_nat.h,v 2.17.2.26 2002/04/20 16:42:05 darrenr Exp $
+ * $Id: ip_nat.h,v 2.17.2.27 2002/08/28 12:45:51 darrenr Exp $
*/
#ifndef __IP_NAT_H__
@@ -77,6 +77,7 @@ typedef struct nat {
struct in_addr nat_oip; /* other ip */
U_QUAD_T nat_pkts;
U_QUAD_T nat_bytes;
+ u_int nat_drop[2];
u_short nat_oport; /* other port */
u_short nat_inport;
u_short nat_outport;
diff --git a/contrib/ipfilter/ip_proxy.c b/contrib/ipfilter/ip_proxy.c
index 2051f2a466e3..f36753ad0fa3 100644
--- a/contrib/ipfilter/ip_proxy.c
+++ b/contrib/ipfilter/ip_proxy.c
@@ -75,7 +75,7 @@
#endif
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.23 2002/06/04 14:45:42 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.24 2002/08/28 12:45:51 darrenr Exp $";
#endif
#if defined(_KERNEL) && (SOLARIS || defined(__sgi))
@@ -89,6 +89,8 @@ extern KRWLOCK_T ipf_nat, ipf_state;
static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
+#define PROXY_DEBUG 0
+
#define AP_SESS_SIZE 53
#include "netinet/ip_ftp_pxy.c"
@@ -313,9 +315,19 @@ nat_t *nat;
sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
#endif
if (sum != tcp->th_sum) {
+#if PROXY_DEBUG
+ printf("proxy tcp checksum failure\n");
+#endif
frstats[fin->fin_out].fr_tcpbad++;
return -1;
}
+
+ /*
+ * Don't both the proxy with these...or in fact, should
+ * we free up proxy stuff when seen?
+ */
+ if ((tcp->th_flags & TH_RST) != 0)
+ return 0;
}
apr = aps->aps_apr;
@@ -329,9 +341,16 @@ nat_t *nat;
}
rv = APR_EXIT(err);
- if (rv == 1)
+ if (rv == 1) {
+#if PROXY_DEBUG
+ printf("proxy says bad packet received\n");
+#endif
return -1;
+ }
if (rv == 2) {
+#if PROXY_DEBUG
+ printf("proxy says free app proxy data\n");
+#endif
appr_free(apr);
nat->nat_aps = NULL;
return -1;
@@ -412,6 +431,9 @@ ap_session_t *aps;
}
+/*
+ * returns 2 if ack or seq number in TCP header is changed, returns 0 otherwise
+ */
static int appr_fixseqack(fin, ip, aps, inc)
fr_info_t *fin;
ip_t *ip;
@@ -425,8 +447,12 @@ int inc;
tcp = (tcphdr_t *)fin->fin_dp;
out = fin->fin_out;
+ /*
+ * ip_len has already been adjusted by 'inc'.
+ */
nlen = ip->ip_len;
nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
+
inc2 = inc;
inc = (int)inc2;
@@ -436,8 +462,13 @@ int inc;
/* switch to other set ? */
if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
- (seq1 > aps->aps_seqmin[!sel]))
+ (seq1 > aps->aps_seqmin[!sel])) {
+#if PROXY_DEBUG
+ printf("proxy out switch set seq %d -> %d %x > %x\n",
+ sel, !sel, seq1, aps->aps_seqmin[!sel]);
+#endif
sel = aps->aps_sel[out] = !sel;
+}
if (aps->aps_seqoff[sel]) {
seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel];
@@ -450,8 +481,13 @@ int inc;
}
if (inc && (seq1 > aps->aps_seqmin[!sel])) {
- aps->aps_seqmin[!sel] = seq1 + nlen - 1;
- aps->aps_seqoff[!sel] = aps->aps_seqoff[sel] + inc;
+ aps->aps_seqmin[sel] = seq1 + nlen - 1;
+ aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc;
+#if PROXY_DEBUG
+ printf("proxy seq set %d at %x to %d + %d\n", sel,
+ aps->aps_seqmin[sel], aps->aps_seqoff[sel],
+ inc);
+#endif
}
/***/
@@ -461,8 +497,13 @@ int inc;
/* switch to other set ? */
if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
- (seq1 > aps->aps_ackmin[!sel]))
+ (seq1 > aps->aps_ackmin[!sel])) {
+#if PROXY_DEBUG
+ printf("proxy out switch set ack %d -> %d %x > %x\n",
+ sel, !sel, seq1, aps->aps_ackmin[!sel]);
+#endif
sel = aps->aps_sel[1 - out] = !sel;
+}
if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) {
seq2 = aps->aps_ackoff[sel];
@@ -475,12 +516,16 @@ int inc;
/* switch to other set ? */
if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
- (seq1 > aps->aps_ackmin[!sel]))
+ (seq1 > aps->aps_ackmin[!sel])) {
+#if PROXY_DEBUG
+ printf("proxy in switch set ack %d -> %d %x > %x\n",
+ sel, !sel, seq1, aps->aps_ackmin[!sel]);
+#endif
sel = aps->aps_sel[out] = !sel;
+}
if (aps->aps_ackoff[sel]) {
- seq2 = aps->aps_ackmin[sel] -
- aps->aps_ackoff[sel];
+ seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel];
if (seq1 > seq2) {
seq2 = aps->aps_ackoff[sel];
seq1 += seq2;
@@ -492,6 +537,11 @@ int inc;
if (inc && (seq1 > aps->aps_ackmin[!sel])) {
aps->aps_ackmin[!sel] = seq1 + nlen - 1;
aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc;
+#if PROXY_DEBUG
+ printf("proxy ack set %d at %x to %d + %d\n", !sel,
+ aps->aps_seqmin[!sel], aps->aps_seqoff[sel],
+ inc);
+#endif
}
/***/
@@ -501,15 +551,31 @@ int inc;
/* switch to other set ? */
if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
- (seq1 > aps->aps_seqmin[!sel]))
+ (seq1 > aps->aps_seqmin[!sel])) {
+#if PROXY_DEBUG
+ printf("proxy in switch set seq %d -> %d %x > %x\n",
+ sel, !sel, seq1, aps->aps_seqmin[!sel]);
+#endif
sel = aps->aps_sel[1 - out] = !sel;
+}
- if (aps->aps_seqoff[sel] && (seq1 > aps->aps_seqmin[sel])) {
- seq2 = aps->aps_seqoff[sel];
- tcp->th_ack = htonl(seq1 - seq2);
- ch = 1;
+ if (aps->aps_seqoff[sel] != 0) {
+#if PROXY_DEBUG
+ printf("sel %d seqoff %d seq1 %x seqmin %x\n", sel,
+ aps->aps_seqoff[sel], seq1,
+ aps->aps_seqmin[sel]);
+#endif
+ if (seq1 > aps->aps_seqmin[sel]) {
+ seq2 = aps->aps_seqoff[sel];
+ tcp->th_ack = htonl(seq1 - seq2);
+ ch = 1;
+ }
}
}
+#if PROXY_DEBUG
+ printf("appr_fixseqack: seq %x ack %x\n", ntohl(tcp->th_seq),
+ ntohl(tcp->th_ack));
+#endif
return ch ? 2 : 0;
}
diff --git a/contrib/ipfilter/ip_proxy.h b/contrib/ipfilter/ip_proxy.h
index 0f1ab8469b2d..fad791dcd67b 100644
--- a/contrib/ipfilter/ip_proxy.h
+++ b/contrib/ipfilter/ip_proxy.h
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ip_proxy.h,v 2.8.2.12 2002/01/01 13:41:43 darrenr Exp $
+ * $Id: ip_proxy.h,v 2.8.2.13 2002/07/04 11:07:37 darrenr Exp $
*/
#ifndef __IP_PROXY_H__
@@ -95,7 +95,7 @@ typedef struct aproxy {
typedef struct ftpside {
char *ftps_rptr;
char *ftps_wptr;
- u_32_t ftps_seq;
+ u_32_t ftps_seq[2];
u_32_t ftps_len;
int ftps_junk;
int ftps_cmds;
diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c
index 5a76f4b12576..2904585c5885 100644
--- a/contrib/ipfilter/ip_sfil.c
+++ b/contrib/ipfilter/ip_sfil.c
@@ -7,7 +7,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.18 2002/06/06 10:47:26 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.20 2002/08/28 12:42:44 darrenr Exp $";
#endif
#include <sys/types.h>
@@ -63,8 +63,10 @@ u_long ipl_frouteok[2] = {0, 0};
static int frzerostats __P((caddr_t));
#if SOLARIS2 >= 7
static u_int *ip_ttl_ptr;
+static u_int *ip_mtudisc;
#else
static u_long *ip_ttl_ptr;
+static u_long *ip_mtudisc;
#endif
static int frrequest __P((minor_t, int, caddr_t, int));
@@ -86,8 +88,8 @@ int ipldetach()
for (i = IPL_LOGMAX; i >= 0; i--)
ipflog_clear(i);
#endif
- i = FR_INQUE|FR_OUTQUE;
- (void) frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE);
+ i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
+ i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE);
ipfr_unload();
fr_stateunload();
ip_natunload();
@@ -142,16 +144,22 @@ int iplattach __P((void))
return -1;
ip_ttl_ptr = NULL;
+ ip_mtudisc = NULL;
/*
* XXX - There is no terminator for this array, so it is not possible
* to tell if what we are looking for is missing and go off the end
* of the array.
*/
for (i = 0; ; i++) {
- if (!strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl")) {
+ if (strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl") == 0) {
ip_ttl_ptr = &ip_param_arr[i].ip_param_value;
- break;
+ } else if (strcmp(ip_param_arr[i].ip_param_name,
+ "ip_path_mtu_discovery") == 0) {
+ ip_mtudisc = &ip_param_arr[i].ip_param_value;
}
+
+ if (ip_mtudisc != NULL && ip_ttl_ptr != NULL)
+ break;
}
return 0;
}
@@ -799,6 +807,7 @@ mblk_t *m;
ip = (ip_t *)m->b_rptr;
ip->ip_v = IPVERSION;
ip->ip_ttl = (u_char)(*ip_ttl_ptr);
+ ip->ip_off = htons(*ip_mtudisc ? IP_DF : 0);
ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m);
}
READ_ENTER(&ipf_solaris);
diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c
index f4dac8a02c81..43fe8203ceea 100644
--- a/contrib/ipfilter/ip_state.c
+++ b/contrib/ipfilter/ip_state.c
@@ -93,7 +93,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.71 2002/05/29 14:23:05 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.74 2002/07/27 15:58:10 darrenr Exp $";
#endif
#ifndef MIN
@@ -741,6 +741,7 @@ u_int flags;
is->is_hv = hv;
is->is_rule = fin->fin_fr;
if (is->is_rule != NULL) {
+ is->is_group = is->is_rule->fr_group;
ATOMIC_INC32(is->is_rule->fr_ref);
pass = is->is_rule->fr_flags;
is->is_frage[0] = is->is_rule->fr_age[0];
@@ -810,7 +811,7 @@ u_int flags;
RWLOCK_EXIT(&ipf_state);
fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst);
if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG))
- ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
+ ipfr_newfrag(ip, fin);
return is;
}
@@ -1066,7 +1067,7 @@ tcphdr_t *tcp;
} else {
is->is_src = fin->fin_fi.fi_dst;
}
- } else if ((flags & FI_W_DPORT) != 0) {
+ } else if ((flags & FI_W_DADDR) != 0) {
if (rev == 0) {
is->is_dst = fin->fin_fi.fi_dst;
} else {
@@ -1402,7 +1403,8 @@ fr_info_t *fin;
tcphdr_t *tcp;
int rev;
- if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT))
+ if ((ips_list == NULL) || (fin->fin_off != 0) || fr_state_lock ||
+ (fin->fin_fl & FI_SHORT))
return NULL;
is = NULL;
@@ -1633,7 +1635,7 @@ retry_tcpudp:
pass = is->is_pass;
RWLOCK_EXIT(&ipf_state);
if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG))
- ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
+ ipfr_newfrag(ip, fin);
#ifndef _KERNEL
if ((tcp != NULL) && (tcp->th_flags & TCP_CLOSE))
fr_delstate(is);
@@ -2044,6 +2046,8 @@ u_int type;
ipsl.isl_p = is->is_p;
ipsl.isl_v = is->is_v;
ipsl.isl_flags = is->is_flags;
+ ipsl.isl_rulen = is->is_rulen;
+ ipsl.isl_group = is->is_group;
if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) {
ipsl.isl_sport = is->is_sport;
ipsl.isl_dport = is->is_dport;
diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h
index 01b12561a7a9..35368c43949c 100644
--- a/contrib/ipfilter/ip_state.h
+++ b/contrib/ipfilter/ip_state.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * $Id: ip_state.h,v 2.13.2.12 2002/03/25 11:14:55 darrenr Exp $
+ * $Id: ip_state.h,v 2.13.2.13 2002/06/27 14:40:29 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
@@ -86,6 +86,7 @@ typedef struct ipstate {
tcpstate_t is_ts;
udpstate_t is_us;
} is_ps;
+ u_32_t is_group;
char is_ifname[4][IFNAMSIZ];
#if SOLARIS || defined(__sgi)
kmutex_t is_lock;
@@ -147,6 +148,8 @@ typedef struct ipslog {
u_char isl_p;
u_char isl_flags;
u_char isl_state[2];
+ u_32_t isl_rulen;
+ u_32_t isl_group;
} ipslog_t;
#define isl_sport isl_ps.isl_ports[0]
diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c
index f9b85aff8f03..b22addf0d5ff 100644
--- a/contrib/ipfilter/ipf.c
+++ b/contrib/ipfilter/ipf.c
@@ -50,7 +50,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.16 2002/06/06 10:48:35 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.17 2002/06/27 14:29:17 darrenr Exp $";
#endif
#if SOLARIS
@@ -389,7 +389,7 @@ int *linenum;
static void packetlogon(opt)
char *opt;
{
- int flag, err;
+ int flag;
flag = get_flags();
if (flag != 0) {
@@ -415,7 +415,7 @@ char *opt;
printf("set log flag: block\n");
}
- if (opendevice(ipfname) != -2 && (err = ioctl(fd, SIOCSETFF, &flag)))
+ if (opendevice(ipfname) != -2 && (ioctl(fd, SIOCSETFF, &flag) != 0))
perror("ioctl(SIOCSETFF)");
if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c
index 8344d5f027ba..ae408277856a 100644
--- a/contrib/ipfilter/ipft_ef.c
+++ b/contrib/ipfilter/ipft_ef.c
@@ -52,7 +52,7 @@ etherfind -n -t
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.2 2002/02/22 15:32:53 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $";
#endif
static int etherf_open __P((char *));
@@ -97,7 +97,7 @@ int cnt, *dir;
struct protoent *p = NULL;
char src[16], dst[16], sprt[16], dprt[16];
char lbuf[128], len[8], prot[8], time[8], *s;
- int slen, extra = 0, i, n;
+ int slen, extra = 0, i;
if (!fgets(lbuf, sizeof(lbuf) - 1, efp))
return 0;
@@ -108,10 +108,10 @@ int cnt, *dir;
bzero(&pkt, sizeof(pkt));
- if ((n = sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst,
- sprt, dprt)) != 6)
- if ((n = sscanf(lbuf, "%s %s %s %s %s %s %s", time,
- len, prot, src, dst, sprt, dprt)) != 7)
+ if (sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst,
+ sprt, dprt) != 6)
+ if (sscanf(lbuf, "%s %s %s %s %s %s %s", time,
+ len, prot, src, dst, sprt, dprt) != 7)
return -1;
ip->ip_p = atoi(prot);
diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c
index 253aa860fbe9..7fede06c1868 100644
--- a/contrib/ipfilter/ipft_td.c
+++ b/contrib/ipfilter/ipft_td.c
@@ -61,7 +61,7 @@ tcpdump -nqte
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.2 2002/02/22 15:32:54 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $";
#endif
static int tcpd_open __P((char *));
@@ -120,7 +120,7 @@ int cnt, *dir;
struct protoent *p;
char src[32], dst[32], misc[256], time[32], link1[32], link2[32];
char lbuf[160], *s;
- int n, dots, slen, extra = 0;
+ int n, slen, extra = 0;
if (!fgets(lbuf, sizeof(lbuf) - 1, tfp))
return 0;
@@ -142,7 +142,7 @@ int cnt, *dir;
return -1;
}
- if ((dots = count_dots(dst)) == 4) {
+ if (count_dots(dst) == 4) {
s = strrchr(src, '.');
*s++ = '\0';
(void) inet_aton(src, &ip->ip_src);
diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c
index f61b0d09f86c..1de571355b82 100644
--- a/contrib/ipfilter/ipft_tx.c
+++ b/contrib/ipfilter/ipft_tx.c
@@ -44,7 +44,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.6 2002/03/13 03:55:15 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.7 2002/06/27 14:29:17 darrenr Exp $";
#endif
extern int opts;
@@ -177,10 +177,8 @@ char *buf, **ifn;
int cnt, *dir;
{
register char *s;
- ip_t *ip;
char line[513];
- ip = (ip_t *)buf;
*ifn = NULL;
while (fgets(line, sizeof(line)-1, tfp)) {
if ((s = index(line, '\n')))
@@ -197,7 +195,7 @@ int cnt, *dir;
*dir = 0;
if (!parseline(line, (ip_t *)buf, ifn, dir))
#if 0
- return sizeof(*ip) + sizeof(tcphdr_t);
+ return sizeof(ip_t) + sizeof(tcphdr_t);
#else
return sizeof(ip_t);
#endif
diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h
index 6cd868d155e6..ced3e567b162 100644
--- a/contrib/ipfilter/ipl.h
+++ b/contrib/ipfilter/ipl.h
@@ -4,12 +4,12 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipl.h 1.21 6/5/96
- * $Id: ipl.h,v 2.15.2.34 2002/06/06 11:11:45 darrenr Exp $
+ * $Id: ipl.h,v 2.15.2.35 2002/08/28 13:00:50 darrenr Exp $
*/
#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter: v3.4.28"
+#define IPL_VERSION "IP Filter: v3.4.29"
#endif
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
index 6bf90b91e4be..88270b9524fc 100644
--- a/contrib/ipfilter/ipmon.c
+++ b/contrib/ipfilter/ipmon.c
@@ -68,7 +68,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.35 2002/06/04 14:43:49 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.36 2002/08/22 15:12:23 darrenr Exp $";
#endif
@@ -959,13 +959,13 @@ int blen;
*t++ = 'S';
lvl = LOG_ERR;
} else if (ipf->fl_flags & FR_PASS) {
- if (ipf->fl_flags & FR_LOGP)
+ if (ipf->fl_flags & FR_LOG)
*t++ = 'p';
else
*t++ = 'P';
lvl = LOG_NOTICE;
} else if (ipf->fl_flags & FR_BLOCK) {
- if (ipf->fl_flags & FR_LOGB)
+ if (ipf->fl_flags & FR_LOG)
*t++ = 'b';
else
*t++ = 'B';
diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c
index 254bbf935eb6..5cb0efd363aa 100644
--- a/contrib/ipfilter/kmem.c
+++ b/contrib/ipfilter/kmem.c
@@ -46,7 +46,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.14 2002/04/17 17:44:44 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.15 2002/07/27 15:59:37 darrenr Exp $";
#endif
#ifdef __sgi
@@ -55,7 +55,7 @@ typedef int kvm_t;
static int kvm_fd = -1;
static char *kvm_errstr;
-kvm_t kvm_open(kernel, core, swap, mode, errstr)
+kvm_t *kvm_open(kernel, core, swap, mode, errstr)
char *kernel, *core, *swap;
int mode;
char *errstr;
@@ -65,17 +65,18 @@ char *errstr;
if (core == NULL)
core = "/dev/kmem";
kvm_fd = open(core, mode);
- return (kvm_fd >= 0) ? (kvm_t)&kvm_fd : NULL;
+ return (kvm_fd >= 0) ? (kvm_t *)&kvm_fd : NULL;
}
int kvm_read(kvm, pos, buffer, size)
-kvm_t kvm;
+kvm_t *kvm;
u_long pos;
char *buffer;
size_t size;
{
- int r, left;
+ size_t left;
char *bufp;
+ int r;
if (lseek(*kvm, pos, 0) == -1) {
fprintf(stderr, "%s", kvm_errstr);
@@ -97,13 +98,19 @@ static kvm_t *kvm_f = NULL;
int openkmem(kern, core)
char *kern, *core;
{
+ union {
+ int ui;
+ kvm_t *uk;
+ } k;
+
kvm_f = kvm_open(kern, core, NULL, O_RDONLY, "");
if (kvm_f == NULL)
{
perror("openkmem:open");
return -1;
}
- return (int)kvm_f;
+ k.uk = kvm_f;
+ return k.ui;
}
int kmemcpy(buf, pos, n)
@@ -120,7 +127,7 @@ register int n;
if (openkmem(NULL, NULL) == -1)
return -1;
- while ((r = kvm_read(kvm_f, pos, buf, n)) < n)
+ while ((r = kvm_read(kvm_f, pos, buf, (size_t)n)) < n)
if (r <= 0)
{
fprintf(stderr, "pos=0x%x ", (u_int)pos);
@@ -152,7 +159,7 @@ register int n;
while (n > 0)
{
- r = kvm_read(kvm_f, pos, buf, 1);
+ r = kvm_read(kvm_f, pos, buf, (size_t)1);
if (r <= 0)
{
fprintf(stderr, "pos=0x%x ", (u_int)pos);
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8
index 0ec7854eb35c..0030c7454957 100644
--- a/contrib/ipfilter/man/ipmon.8
+++ b/contrib/ipfilter/man/ipmon.8
@@ -46,8 +46,11 @@ long).
4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
viewed with \fBipfstat -n\fP.
.LP
-5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short
-packet, \fBn\fP did not match any rules or \fBL\fP for a log rule.
+5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fBS\fP for a short
+packet, \fBn\fP did not match any rules, \fBL\fP for a log rule. The order
+of precedence in showing flags is: S, p, b, n, L. A capital \fBP\fP or
+\fBB\fP means that the packet has been logged due to a global logging
+setting, not a particular rule.
.LP
6. The addresses.
This is actually three fields: the source address and port
diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5
index a8beb6fc3d39..f0a4ac93c5ea 100644
--- a/contrib/ipfilter/man/ipnat.5
+++ b/contrib/ipfilter/man/ipnat.5
@@ -96,6 +96,15 @@ or as
map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32
.fi
.LP
+For even greater control, one may negate either of the "from" or "to" clauses
+with a preceding exclamation mark ("!"). Please note that one may not use a
+negated "from" within a \fBmap\fP rule or a negated "to" within a \fBrdr\fP
+rule. Such a rule might look like the following:
+.LP
+.nf
++map de0 from 10.1.0.0/16 ! to 10.1.0.0/16 -> 201.2.3.4/32
+.fi
+.PP
Only IP address and port numbers can be compared against. This is available
with all NAT rules.
.SH TRANSLATION
diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c
index 02590dfbe7b8..ea13356e80a7 100644
--- a/contrib/ipfilter/parse.c
+++ b/contrib/ipfilter/parse.c
@@ -935,7 +935,6 @@ u_long optmsk, optbits;
u_short secmsk = sec[0], secbits = sec[1];
struct ipopt_names *io, *so;
char *s;
- int secflag = 0;
s = " opt ";
for (io = ionames; io->on_name; io++)
@@ -947,8 +946,7 @@ u_long optmsk, optbits;
if (io->on_value == IPOPT_SECURITY)
io++;
s = ",";
- } else
- secflag = 1;
+ }
}
diff --git a/contrib/ipfilter/printnat.c b/contrib/ipfilter/printnat.c
index ba5524b83434..9ccae18f1dcb 100644
--- a/contrib/ipfilter/printnat.c
+++ b/contrib/ipfilter/printnat.c
@@ -58,7 +58,7 @@ extern char *sys_errlist[];
#endif
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.9 2002/05/03 11:48:49 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.10 2002/08/28 12:45:51 darrenr Exp $";
#endif
@@ -242,9 +242,10 @@ int opts;
0xffffffff),
hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
NAT_TABLE_SZ),
- printf("%s pr %u bkt %d/%d flags %x\n",
+ printf("%s pr %u bkt %d/%d flags %x drop %d/%d\n",
getsumd(nat->nat_sumd[1]), nat->nat_p,
- hv1, hv2, nat->nat_flags);
+ hv1, hv2, nat->nat_flags,
+ nat->nat_drop[0], nat->nat_drop[1]);
printf("\tifp %s ", getifname(nat->nat_ifp));
#ifdef USE_QUAD_T
printf("bytes %qu pkts %qu",
diff --git a/contrib/ipfilter/rules/example.9 b/contrib/ipfilter/rules/example.9
index 77968f85d2f4..daff2031db8e 100644
--- a/contrib/ipfilter/rules/example.9
+++ b/contrib/ipfilter/rules/example.9
@@ -4,7 +4,7 @@
block in all
pass in all with opt sec
#
-# only allow packets in and out on le0 which are top secret
+# only allow packets in and out on le1 which are top secret
#
block out on le1 all
pass out on le1 all with opt sec-class topsecret
diff --git a/contrib/ipfilter/test/expected/f13 b/contrib/ipfilter/test/expected/f13
index a2a950a9baba..b3c7e54bf362 100644
--- a/contrib/ipfilter/test/expected/f13
+++ b/contrib/ipfilter/test/expected/f13
@@ -9,6 +9,8 @@ nomatch
nomatch
nomatch
nomatch
+nomatch
+nomatch
--------
block
nomatch
@@ -21,6 +23,8 @@ nomatch
nomatch
nomatch
nomatch
+nomatch
+nomatch
--------
nomatch
nomatch
@@ -32,6 +36,8 @@ nomatch
pass
pass
nomatch
+nomatch
+nomatch
pass
--------
nomatch
@@ -44,6 +50,8 @@ nomatch
block
block
nomatch
+nomatch
+nomatch
block
--------
pass
@@ -57,6 +65,8 @@ nomatch
nomatch
nomatch
nomatch
+nomatch
+nomatch
--------
block
nomatch
@@ -69,4 +79,6 @@ nomatch
nomatch
nomatch
nomatch
+nomatch
+nomatch
--------
diff --git a/contrib/ipfilter/test/input/f13 b/contrib/ipfilter/test/input/f13
index b90d6bacdf6b..ccd74a3357a0 100644
--- a/contrib/ipfilter/test/input/f13
+++ b/contrib/ipfilter/test/input/f13
@@ -29,15 +29,23 @@
45 00 0018 0007 2000 3f 11 0000 01010101 02010101
0035 0035
-# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0
+# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0
45 00 001c 0008 2000 3f 11 0000 01010101 02010101
0035003500040000
-# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0 (short)
+# 1.1.1.1,53 -> 2.1.1.1,54 TTL=63 UDP MF FO=0 (short)
45 00 0018 0008 2000 3f 11 0000 01010101 02010101
00350036
-# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP FO=1
+# 1.1.1.1,21 -> 2.1.1.1,54 TTL=63 UDP MF FO=0
+45 00 001c 0008 2000 3f 11 0000 01010101 02010101
+0015003600040000
+
+# 1.1.1.1,21 -> 2.1.1.1,54 TTL=63 TCP MF FO=0
+45 00 001c 0008 2000 3f 06 0000 01010101 02010101
+0015 0036 00000000 00000000 50 02 2000 0000 0000
+
+# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP FO=1
45 00 001c 0008 0001 3f 11 0000 01010101 02010101
0000000000000000