authorDarren Reed <darrenr@FreeBSD.org>2003-02-15 06:18:25 +0000
committerDarren Reed <darrenr@FreeBSD.org>2003-02-15 06:18:25 +0000
commit46e22717ef19d69b4b74b02ddd23fc5fadb8713a (patch)
treea4b00c07eabcdaeae3ab07a69909f01608f44735
parentd7d368dd57d12e62ba554f3cc01fd576101149c3 (diff)
downloadsrc-46e22717ef19d69b4b74b02ddd23fc5fadb8713a.tar.gz
src-46e22717ef19d69b4b74b02ddd23fc5fadb8713a.zip
Import IPFilter 3.4.31 into -current
Notes
Notes: svn path=/vendor-sys/ipfilter/dist/; revision=110911
-rw-r--r--sys/contrib/ipfilter/netinet/fil.c65
-rw-r--r--sys/contrib/ipfilter/netinet/ip_auth.c122
-rw-r--r--sys/contrib/ipfilter/netinet/ip_auth.h8
-rw-r--r--sys/contrib/ipfilter/netinet/ip_compat.h4
-rw-r--r--sys/contrib/ipfilter/netinet/ip_fil.c113
-rw-r--r--sys/contrib/ipfilter/netinet/ip_fil.h18
-rw-r--r--sys/contrib/ipfilter/netinet/ip_frag.c4
-rw-r--r--sys/contrib/ipfilter/netinet/ip_ftp_pxy.c278
-rw-r--r--sys/contrib/ipfilter/netinet/ip_log.c29
-rw-r--r--sys/contrib/ipfilter/netinet/ip_nat.c88
-rw-r--r--sys/contrib/ipfilter/netinet/ip_nat.h4
-rw-r--r--sys/contrib/ipfilter/netinet/ip_proxy.c24
-rw-r--r--sys/contrib/ipfilter/netinet/ip_proxy.h3
-rw-r--r--sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c3
-rw-r--r--sys/contrib/ipfilter/netinet/ip_state.c49
-rw-r--r--sys/contrib/ipfilter/netinet/ipl.h4
-rw-r--r--sys/contrib/ipfilter/netinet/y12
-rw-r--r--sys/contrib/ipfilter/netinet/y.pub1
18 files changed, 622 insertions, 207 deletions
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c
index 146e70aac1df..a981fcb91992 100644
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#ifdef __sgi
+#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@@ -97,7 +97,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $";
#endif
#ifndef _KERNEL
@@ -699,7 +699,8 @@ void *m;
if (!fr_tcpudpchk(&fr->fr_tuc, fin))
continue;
} else if (fr->fr_icmpm || fr->fr_icmp) {
- if ((fi->fi_p != IPPROTO_ICMP) || off ||
+ if (((fi->fi_p != IPPROTO_ICMP) &&
+ (fi->fi_p != IPPROTO_ICMPV6)) || off ||
(fin->fin_dlen < 2))
continue;
if ((fin->fin_data[0] & fr->fr_icmpm) != fr->fr_icmp) {
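Review bot: The `fr_icmpm`/`fr_icmp` type-and-code match now fires for IPPROTO_ICMPV6 as well, so a rule whose value was written against ICMPv4 type numbers (say type 8) will also match an ICMPv6 packet carrying the same first byte, which names a different message in that protocol. Unless the rule's address family is compared earlier in this function (outside the hunk), a v4-only icmp-type rule can now pass or block v6 traffic its author never considered; confirm the `fr_v` check precedes this, or state in a comment that icmp-type values here are family-agnostic, e.g. `/* fr_icmp is matched for both ICMPv4 and ICMPv6; family is filtered by fr_v above */`. The enclosing function starts before this hunk.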
@@ -814,6 +815,26 @@ int out;
# endif
int up;
+# if !SOLARIS && !defined(NETBSD_PF) && \
+ ((defined(__FreeBSD__) && (__FreeBSD_version < 500011)) || \
+ defined(__OpenBSD__) || defined(_BSDI_VERSION))
+ if (fr_checkp != fr_check && fr_running > 0) {
+ static int counter = 0;
+
+ if (counter == 0) {
+ printf("WARNING: fr_checkp corrupt: value %lx\n",
+ (u_long)fr_checkp);
+ printf("WARNING: fr_checkp should be %lx\n",
+ (u_long)fr_check);
+ printf("WARNING: fixing fr_checkp\n");
+ }
+ fr_checkp = fr_check;
+ counter++;
+ if (counter == 10000)
+ counter = 0;
+ }
+# endif
+
# ifdef M_CANFASTFWD
/*
* XXX For now, IP Filter and fast-forwarding of cached flows
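Review bot: The new `fr_checkp != fr_check` recovery unconditionally overwrites whatever is installed in `fr_checkp`, including a hook another kernel module may have legitimately chained in front of IPFilter, and it does so with no locking while `counter` is a plain static bumped on every packet. A diverted filter hook is exactly the symptom of a hostile module, so the warning should not be reduced to one line per 10000 occurrences; report every repair (rate-limited by time rather than by the unsynchronised counter) and say in a comment that the reset deliberately discards any chained hook, e.g. `/* fr_checkp no longer points at fr_check: may be a hook chained by another module, we reclaim it unconditionally and log it */`. Note this runs inside fr_check itself, so it only triggers when fr_check is still reached by some path; a hook diverted elsewhere entirely will never be noticed here. fr_check starts and ends outside the hunk.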
@@ -1510,7 +1531,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.67 2002/12/06 13:28:05 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -1716,9 +1737,9 @@ frentry_t **listp;
}
-int frflush(unit, flags)
+int frflush(unit, proto, flags)
minor_t unit;
-int flags;
+int proto, flags;
{
int flushed = 0, set;
@@ -1733,19 +1754,35 @@ int flags;
if (flags & FR_OUTQUE) {
#ifdef USE_INET6
- (void) frflushlist(set, unit, &flushed, &ipfilter6[1][set]);
- (void) frflushlist(set, unit, &flushed, &ipacct6[1][set]);
+ if (proto == 0 || proto == 6) {
+ (void) frflushlist(set, unit,
+ &flushed, &ipfilter6[1][set]);
+ (void) frflushlist(set, unit,
+ &flushed, &ipacct6[1][set]);
+ }
#endif
- (void) frflushlist(set, unit, &flushed, &ipfilter[1][set]);
- (void) frflushlist(set, unit, &flushed, &ipacct[1][set]);
+ if (proto == 0 || proto == 4) {
+ (void) frflushlist(set, unit,
+ &flushed, &ipfilter[1][set]);
+ (void) frflushlist(set, unit,
+ &flushed, &ipacct[1][set]);
+ }
}
if (flags & FR_INQUE) {
#ifdef USE_INET6
- (void) frflushlist(set, unit, &flushed, &ipfilter6[0][set]);
- (void) frflushlist(set, unit, &flushed, &ipacct6[0][set]);
+ if (proto == 0 || proto == 6) {
+ (void) frflushlist(set, unit,
+ &flushed, &ipfilter6[0][set]);
+ (void) frflushlist(set, unit,
+ &flushed, &ipacct6[0][set]);
+ }
#endif
- (void) frflushlist(set, unit, &flushed, &ipfilter[0][set]);
- (void) frflushlist(set, unit, &flushed, &ipacct[0][set]);
+ if (proto == 0 || proto == 4) {
+ (void) frflushlist(set, unit,
+ &flushed, &ipfilter[0][set]);
+ (void) frflushlist(set, unit,
+ &flushed, &ipacct[0][set]);
+ }
}
RWLOCK_EXIT(&ipf_mutex);
return flushed;
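Review bot: `proto` is compared against the bare literals 4 and 6 with no validation, so any other value silently flushes nothing and returns 0 with no error; the callers in this commit pass 0, 4 and 6 literals, but the ioctl layer in ip_fil.c is the obvious place for a future wrong value to arrive unnoticed. Give the three values names and document the contract at the top of the function, e.g. `/* proto: 0 flushes both families, 4 only IPv4, 6 only IPv6; anything else flushes nothing */`, or reject unknown values explicitly so the caller sees a failure. The function's head is in the preceding hunk.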
diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c
index efe2e99337d5..604d7547a23c 100644
--- a/sys/contrib/ipfilter/netinet/ip_auth.c
+++ b/sys/contrib/ipfilter/netinet/ip_auth.c
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#ifdef __sgi
+#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@@ -104,7 +104,7 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
#endif
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.20 2002/06/04 14:40:42 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.24 2002/12/06 11:40:21 darrenr Exp $";
#endif
@@ -292,9 +292,9 @@ ip_t *ip;
cv_signal(&ipfauthwait);
#else
# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
- if (!fin->fin_out) {
- HTONS(ip->ip_len);
- HTONS(ip->ip_off);
+ if (fin->fin_out == 0) {
+ ip->ip_len = htons(ip->ip_len);
+ ip->ip_off = htons(ip->ip_off);
}
# endif
fr_authpkts[i] = m;
@@ -304,7 +304,7 @@ ip_t *ip;
}
-int fr_auth_ioctl(data, mode, cmd, fr, frptr)
+int fr_auth_ioctl(data, mode, cmd)
caddr_t data;
int mode;
#if defined(__NetBSD__) || defined(__OpenBSD__) || (__FreeBSD_version >= 300003)
@@ -312,7 +312,6 @@ u_long cmd;
#else
int cmd;
#endif
-frentry_t *fr, **frptr;
{
mb_t *m;
#if defined(_KERNEL) && !SOLARIS
@@ -320,12 +319,15 @@ frentry_t *fr, **frptr;
int s;
#endif
frauth_t auth, *au = &auth, *fra;
- frauthent_t *fae, **faep;
int i, error = 0;
switch (cmd)
{
case SIOCSTLCK :
+ if (!(mode & FWRITE)) {
+ error = EPERM;
+ break;
+ }
error = fr_lock(data, &fr_auth_lock);
break;
case SIOCINIFR :
@@ -338,45 +340,8 @@ frentry_t *fr, **frptr;
break;
case SIOCRMAFR :
case SIOCADAFR :
- for (faep = &fae_list; (fae = *faep); )
- if (&fae->fae_fr == fr)
- break;
- else
- faep = &fae->fae_next;
- if (cmd == SIOCRMAFR) {
- if (!fr || !frptr)
- error = EINVAL;
- else if (!fae)
- error = ESRCH;
- else {
- WRITE_ENTER(&ipf_auth);
- SPL_NET(s);
- *faep = fae->fae_next;
- *frptr = fr->fr_next;
- SPL_X(s);
- RWLOCK_EXIT(&ipf_auth);
- KFREE(fae);
- }
- } else if (fr && frptr) {
- KMALLOC(fae, frauthent_t *);
- if (fae != NULL) {
- bcopy((char *)fr, (char *)&fae->fae_fr,
- sizeof(*fr));
- WRITE_ENTER(&ipf_auth);
- SPL_NET(s);
- fae->fae_age = fr_defaultauthage;
- fae->fae_fr.fr_hits = 0;
- fae->fae_fr.fr_next = *frptr;
- *frptr = &fae->fae_fr;
- fae->fae_next = *faep;
- *faep = fae;
- ipauth = &fae_list->fae_fr;
- SPL_X(s);
- RWLOCK_EXIT(&ipf_auth);
- } else
- error = ENOMEM;
- } else
- error = EINVAL;
+ /* These commands go via request to fr_preauthcmd */
+ error = EINVAL;
break;
case SIOCATHST:
fr_authstats.fas_faelist = fae_list;
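Review bot: The comment `/* These commands go via request to fr_preauthcmd */` does not say who routes them or why a request reaching this switch is wrong; make it `/* SIOCADAFR/SIOCRMAFR on the auth device are dispatched by iplioctl through frrequest() to fr_preauthcmd(); reaching here means that path was bypassed, so reject */`. fr_preauthcmd reports its own impossible case with a printf and EIO while this one returns a silent EINVAL; pick one convention for "should not happen" in this file. The switch continues outside the hunk.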
@@ -630,3 +595,66 @@ void fr_authexpire()
RWLOCK_EXIT(&ipf_auth);
SPL_X(s);
}
+
+int fr_preauthcmd(cmd, fr, frptr)
+#if defined(__NetBSD__) || defined(__OpenBSD__) || \
+ (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
+u_long cmd;
+#else
+int cmd;
+#endif
+frentry_t *fr, **frptr;
+{
+ frauthent_t *fae, **faep;
+ int error = 0;
+#if defined(KERNEL) && !SOLARIS
+ int s;
+#endif
+
+ if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
+ /* Should not happen */
+ printf("fr_preauthcmd called with bad cmd 0x%lx", (u_long)cmd);
+ return EIO;
+ }
+
+ for (faep = &fae_list; (fae = *faep); )
+ if (&fae->fae_fr == fr)
+ break;
+ else
+ faep = &fae->fae_next;
+ if (cmd == SIOCRMAFR) {
+ if (!fr || !frptr)
+ error = EINVAL;
+ else if (!fae)
+ error = ESRCH;
+ else {
+ WRITE_ENTER(&ipf_auth);
+ SPL_NET(s);
+ *faep = fae->fae_next;
+ *frptr = fr->fr_next;
+ SPL_X(s);
+ RWLOCK_EXIT(&ipf_auth);
+ KFREE(fae);
+ }
+ } else if (fr && frptr) {
+ KMALLOC(fae, frauthent_t *);
+ if (fae != NULL) {
+ bcopy((char *)fr, (char *)&fae->fae_fr,
+ sizeof(*fr));
+ WRITE_ENTER(&ipf_auth);
+ SPL_NET(s);
+ fae->fae_age = fr_defaultauthage;
+ fae->fae_fr.fr_hits = 0;
+ fae->fae_fr.fr_next = *frptr;
+ *frptr = &fae->fae_fr;
+ fae->fae_next = *faep;
+ *faep = fae;
+ ipauth = &fae_list->fae_fr;
+ SPL_X(s);
+ RWLOCK_EXIT(&ipf_auth);
+ } else
+ error = ENOMEM;
+ } else
+ error = EINVAL;
+ return error;
+}
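Review bot: The walk of `fae_list` and the `&fae->fae_fr == fr` comparison run before `WRITE_ENTER(&ipf_auth)`, so if fr_authexpire (whose tail is visible just above, exiting the same lock) can unlink and free an aged entry concurrently, the SIOCRMAFR branch may unlink and `KFREE` an entry that has already gone. Take the lock before the lookup and release it after the list is patched, freeing outside the critical section; the SIOCADAFR allocation can be done before the lock so no allocation happens while holding it. Separately, the local `int s` is guarded by `defined(KERNEL)` while fr_auth_ioctl above uses `defined(_KERNEL)`; unless ip_compat.h defines one from the other, a `_KERNEL`-only build leaves `SPL_NET(s)` referring to an undeclared variable, so spell it the way the rest of the file does. The bad-cmd printf also lacks a trailing newline.
```c
int fr_preauthcmd(cmd, fr, frptr)
/* … unchanged: cmd/fr/frptr parameter declarations … */
{
	frauthent_t *fae, *cur, **faep;
	int error = 0;
#if defined(_KERNEL) && !SOLARIS
	int s;
#endif

	if ((cmd != SIOCADAFR) && (cmd != SIOCRMAFR)) {
		printf("fr_preauthcmd called with bad cmd 0x%lx\n", (u_long)cmd);
		return EIO;
	}
	if (!fr || !frptr)
		return EINVAL;

	fae = NULL;
	if (cmd == SIOCADAFR) {
		/* Allocate and fill the new entry before taking the lock. */
		KMALLOC(fae, frauthent_t *);
		if (fae == NULL)
			return ENOMEM;
		bcopy((char *)fr, (char *)&fae->fae_fr, sizeof(*fr));
		fae->fae_age = fr_defaultauthage;
		fae->fae_fr.fr_hits = 0;
	}

	WRITE_ENTER(&ipf_auth);
	SPL_NET(s);
	/* Walk fae_list under the lock: fr_authexpire unlinks under it too. */
	for (faep = &fae_list; (cur = *faep) != NULL; faep = &cur->fae_next)
		if (&cur->fae_fr == fr)
			break;
	if (cmd == SIOCRMAFR) {
		if (cur == NULL)
			error = ESRCH;
		else {
			*faep = cur->fae_next;
			*frptr = fr->fr_next;
		}
	} else {
		fae->fae_fr.fr_next = *frptr;
		*frptr = &fae->fae_fr;
		fae->fae_next = *faep;
		*faep = fae;
		ipauth = &fae_list->fae_fr;
	}
	SPL_X(s);
	RWLOCK_EXIT(&ipf_auth);

	if ((cmd == SIOCRMAFR) && (error == 0))
		KFREE(cur);	/* freed outside the critical section */
	return error;
}
```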
diff --git a/sys/contrib/ipfilter/netinet/ip_auth.h b/sys/contrib/ipfilter/netinet/ip_auth.h
index cb168c4ca959..e0cbf048f0a5 100644
--- a/sys/contrib/ipfilter/netinet/ip_auth.h
+++ b/sys/contrib/ipfilter/netinet/ip_auth.h
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ip_auth.h,v 2.3.2.5 2001/11/04 13:15:51 darrenr Exp $
+ * $Id: ip_auth.h,v 2.3.2.6 2002/10/26 07:03:00 darrenr Exp $
*
*/
#ifndef __IP_AUTH_H__
@@ -54,8 +54,10 @@ extern mb_t *fr_authpkts[];
extern int fr_newauth __P((mb_t *, fr_info_t *, ip_t *));
#if defined(__NetBSD__) || defined(__OpenBSD__) || \
(__FreeBSD_version >= 300003)
-extern int fr_auth_ioctl __P((caddr_t, int, u_long, frentry_t *, frentry_t **));
+extern int fr_preauthcmd __P((u_long, frentry_t *, frentry_t **));
+extern int fr_auth_ioctl __P((caddr_t, int, u_long));
#else
-extern int fr_auth_ioctl __P((caddr_t, int, int, frentry_t *, frentry_t **));
+extern int fr_preauthcmd __P((int, frentry_t *, frentry_t **));
+extern int fr_auth_ioctl __P((caddr_t, int, int));
#endif
#endif /* __IP_AUTH_H__ */
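Review bot: The `cmd` type for fr_preauthcmd is chosen here by `__FreeBSD_version >= 300003` (no BSDI clause), but the definition in ip_auth.c chooses it by `(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)`; on a BSDI build the header declares `int cmd` while the body is compiled with `u_long cmd`, which is a conflicting declaration. Use one condition in both places, e.g. `#if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300003)`, or better hoist it into a single macro in ip_compat.h so the prototype and definition cannot drift apart again.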
diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h
index 4d8cfafe2b87..3eacc7354e99 100644
--- a/sys/contrib/ipfilter/netinet/ip_compat.h
+++ b/sys/contrib/ipfilter/netinet/ip_compat.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_compat.h 1.8 1/14/96
- * $Id: ip_compat.h,v 2.26.2.46 2002/06/27 14:39:40 darrenr Exp $
+ * $Id: ip_compat.h,v 2.26.2.47 2002/10/26 06:24:42 darrenr Exp $
*/
#ifndef __IP_COMPAT_H__
@@ -532,6 +532,7 @@ extern ill_t *get_unit __P((char *, int));
# ifdef sun
# if !SOLARIS
+# include <sys/time.h>
# include <sys/kmem_alloc.h>
# define GETUNIT(n, v) ifunit(n, IFNAMSIZ)
# define IFNAME(x) ((struct ifnet *)x)->if_name
@@ -654,6 +655,7 @@ extern vm_map_t kmem_map;
# define IWCOPYPTR iwcopyptr
# define IFNAME(x) get_ifname((struct ifnet *)x)
# define UIOMOVE(a,b,c,d) ipfuiomove(a,b,c,d)
+# include <sys/time.h>
extern void m_copydata __P((mb_t *, int, int, caddr_t));
extern int ipfuiomove __P((caddr_t, int, int, struct uio *));
#endif /* KERNEL */
diff --git a/sys/contrib/ipfilter/netinet/ip_fil.c b/sys/contrib/ipfilter/netinet/ip_fil.c
index 90bcb8218c8e..8fcd05db7b48 100644
--- a/sys/contrib/ipfilter/netinet/ip_fil.c
+++ b/sys/contrib/ipfilter/netinet/ip_fil.c
@@ -24,7 +24,7 @@
# include <osreldate.h>
# endif
#endif
-#ifdef __sgi
+#if defined(__sgi) && (IRIX > 602)
# define _KMEMUSER
# include <sys/ptimers.h>
#endif
@@ -117,10 +117,14 @@
# include <sys/kernel.h>
extern int ip_optcopy __P((struct ip *, struct ip *));
#endif
+#if defined(OpenBSD) && (OpenBSD >= 200211) && defined(_KERNEL)
+extern int ip6_getpmtu(struct route_in6 *, struct route_in6 *,
+ struct ifnet *, struct in6_addr *, u_long *);
+#endif
#if !defined(lint)
static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.60 2002/08/28 12:40:39 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.64 2002/12/06 11:45:45 darrenr Exp $";
#endif
@@ -192,6 +196,15 @@ struct timeout ipfr_slowtimer_ch;
toid_t ipfr_slowtimer_ch;
#endif
+#if defined(__NetBSD__) && (__NetBSD_Version__ >= 106080000) && \
+ defined(_KERNEL)
+# include <sys/conf.h>
+const struct cdevsw ipl_cdevsw = {
+ iplopen, iplclose, iplread, nowrite, iplioctl,
+ nostop, notty, nopoll, nommap,
+};
+#endif
+
#if (_BSDI_VERSION >= 199510) && defined(_KERNEL)
# include <sys/device.h>
# include <sys/conf.h>
@@ -319,7 +332,7 @@ int count;
# endif
-# if defined(__NetBSD__)
+# if defined(__NetBSD__) || defined(__OpenBSD__)
int ipl_enable()
# else
int iplattach()
@@ -363,10 +376,13 @@ int iplattach()
# ifdef NETBSD_PF
# if (__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011)
# if __NetBSD_Version__ >= 105110000
- if (
- !(ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET))
+ ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
+# ifdef USE_INET6
+ ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6);
+# endif
+ if (ph_inet == NULL
# ifdef USE_INET6
- && !(ph_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6))
+ && ph_inet6 == NULL
# endif
)
return ENODEV;
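Review bot: ENODEV is returned only when both heads are NULL, so when exactly one of the AF_INET/AF_INET6 heads is missing the function carries on holding a NULL pfil head; the pfil_add_hook calls that use them are outside the hunk, so confirm each one is guarded by its head being non-NULL, or return ENODEV when `ph_inet == NULL` and treat a missing inet6 head as "IPv6 filtering unavailable". The rewrite also fixes the old `&&` chain, which never assigned `ph_inet6` once `ph_inet` was found; that is worth a comment, e.g. `/* fetch both heads unconditionally: a short-circuit && left ph_inet6 unset */`. The enclosing function starts before this hunk.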
@@ -484,7 +500,8 @@ int ipldetach()
# endif
{
int s, i;
-#if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000)
+#if defined(NETBSD_PF) && \
+ ((__NetBSD_Version__ >= 104200000) || (__FreeBSD_version >= 500011))
int error = 0;
# if __NetBSD_Version__ >= 105150000
struct pfil_head *ph_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET);
@@ -524,8 +541,8 @@ int ipldetach()
printf("%s unloaded\n", ipfilter_version);
fr_checkp = fr_savep;
- i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
- i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE);
+ i = frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE|FR_INACTIVE);
+ i += frflush(IPL_LOGIPF, 0, FR_INQUE|FR_OUTQUE);
fr_running = 0;
# ifdef NETBSD_PF
@@ -670,7 +687,16 @@ int mode;
if (!fr_running)
error = EIO;
else
- error = fr_auth_ioctl(data, mode, cmd, NULL, NULL);
+ if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) {
+ if (!(mode & FWRITE)) {
+ error = EPERM;
+ } else {
+ error = frrequest(unit, cmd, data,
+ fr_active);
+ }
+ } else {
+ error = fr_auth_ioctl(data, mode, cmd);
+ }
SPL_X(s);
return error;
}
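Review bot: The `else` on its own line followed by `if ((cmd == SIOCADAFR) || (cmd == SIOCRMAFR)) {` reads as a dangling-else chain and should be written `} else if (...) {` with every arm braced, especially since the inner branch mixes braced and unbraced forms. The FWRITE gate is now duplicated between this spot and the SIOCSTLCK case inside fr_auth_ioctl; keeping the open-mode check in one place (here, before dispatch) makes it easier to verify that every auth ioctl that mutates state is covered. iplioctl continues outside the hunk.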
@@ -694,7 +720,7 @@ int mode;
if (error)
break;
if (enable)
-# if defined(__NetBSD__)
+# if defined(__NetBSD__) || defined(__OpenBSD__)
error = ipl_enable();
# else
error = iplattach();
@@ -767,12 +793,26 @@ int mode;
else {
error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
if (!error) {
- tmp = frflush(unit, tmp);
+ tmp = frflush(unit, 4, tmp);
error = IWCOPY((caddr_t)&tmp, data,
sizeof(tmp));
}
}
break;
+#ifdef USE_INET6
+ case SIOCIPFL6 :
+ if (!(mode & FWRITE))
+ error = EPERM;
+ else {
+ error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
+ if (!error) {
+ tmp = frflush(unit, 6, tmp);
+ error = IWCOPY((caddr_t)&tmp, data,
+ sizeof(tmp));
+ }
+ }
+ break;
+#endif
case SIOCSTLCK :
error = IRCOPY(data, (caddr_t)&tmp, sizeof(tmp));
if (!error) {
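Review bot: The SIOCIPFL6 arm is a byte-for-byte copy of the SIOCIPFL arm above it with the proto argument changed from 4 to 6; fold both into one arm that sets a local `proto` and shares the IRCOPY/frflush/IWCOPY sequence, so a future fix to the flush path is not applied to one family only. `tmp` is taken straight from userland and handed to frflush unmasked; whether frflush tolerates bits other than FR_INQUE/FR_OUTQUE/FR_INACTIVE is not visible here and is worth checking, since this is an FWRITE-only path but still user-driven. iplioctl continues outside the hunk.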
@@ -797,12 +837,6 @@ int mode;
if (error)
error = EFAULT;
break;
- case SIOCAUTHW :
- case SIOCAUTHR :
- if (!(mode & FWRITE)) {
- error = EPERM;
- break;
- }
case SIOCFRSYN :
if (!(mode & FWRITE))
error = EPERM;
@@ -1008,6 +1042,9 @@ caddr_t data;
return EBUSY;
if (fg && fg->fg_head)
fg->fg_head->fr_ref--;
+ if (unit == IPL_LOGAUTH) {
+ return fr_preauthcmd(req, f, ftail);
+ }
if (f->fr_grhead)
fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
unit, set);
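Review bot: The early `return fr_preauthcmd(req, f, ftail)` sits after `fg->fg_head->fr_ref--`, so if fr_preauthcmd fails (ESRCH when `f` is not found on fae_list, or EINVAL) the group head's reference has already been dropped with nothing removed, and each repeated failure drives the count down further. Move the IPL_LOGAUTH dispatch above the decrement, keeping it after the EBUSY check, or decrement only once fr_preauthcmd has returned 0. Whether ipf_mutex is held at this point is not visible; frrequest starts and ends outside the hunk.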
@@ -1022,6 +1059,9 @@ caddr_t data;
if (f)
error = EEXIST;
else {
+ if (unit == IPL_LOGAUTH) {
+ return fr_preauthcmd(req, fp, ftail);
+ }
KMALLOC(f, frentry_t *);
if (f != NULL) {
if (fg && fg->fg_head)
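Review bot: The IPL_LOGAUTH early return bypasses the group bookkeeping the normal add path performs right after KMALLOC (`if (fg && fg->fg_head)` is the last visible line), so an auth rule that names a group head presumably never takes the reference the non-auth path takes; if auth rules may carry a group, either reject that combination before the return or apply the same accounting in fr_preauthcmd. fr_preauthcmd copies the user-supplied `fp` verbatim apart from `fr_hits` and `fr_next`, so any pointer-valued fields the remainder of frrequest normally resolves (outside the hunk) would keep the caller's values; worth confirming those are resolved before this point. frrequest continues outside the hunk.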
@@ -1247,7 +1287,8 @@ struct mbuf **mp;
ip->ip_tos = oip->ip_tos;
ip->ip_id = oip->ip_id;
-# if defined(__NetBSD__) || defined(__OpenBSD__)
+# if defined(__NetBSD__) || \
+ (defined(__OpenBSD__) && (OpenBSD >= 200012))
if (ip_mtudisc != 0)
ip->ip_off = IP_DF;
# else
@@ -1482,7 +1523,7 @@ void
iplinit()
{
-# if defined(__NetBSD__)
+# if defined(__NetBSD__) || defined(__OpenBSD__)
if (ipl_enable() != 0)
# else
if (iplattach() != 0)
@@ -1587,7 +1628,7 @@ frdest_t *fdp;
/*
* Route packet.
*/
-#ifdef __sgi
+#if defined(__sgi) && (IRIX >= 605)
ROUTE_RDLOCK();
#endif
bzero((caddr_t)ro, sizeof (*ro));
@@ -1627,7 +1668,7 @@ frdest_t *fdp;
rtalloc(ro);
# endif
-#ifdef __sgi
+#if defined(__sgi) && (IRIX > 602)
ROUTE_UNLOCK();
#endif
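Review bot: The route lock is taken under `IRIX >= 605` in the previous hunk but released here under `IRIX > 602`, so an IRIX 6.3/6.4 build executes `ROUTE_UNLOCK()` without a matching `ROUTE_RDLOCK()`. Use the same condition on both sides, `#if defined(__sgi) && (IRIX >= 605)`, and consider a single macro for the pair so they cannot drift again. The enclosing function continues outside the hunk.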
@@ -1898,6 +1939,12 @@ frdest_t *fdp;
struct route_in6 *ro;
struct ifnet *ifp;
frentry_t *fr;
+#if defined(OpenBSD) && (OpenBSD >= 200211)
+ struct route_in6 *ro_pmtu = NULL;
+ struct in6_addr finaldst;
+ ip6_t *ip6;
+#endif
+ u_long mtu;
int error;
ifp = NULL;
@@ -1935,11 +1982,23 @@ frdest_t *fdp;
dst6 = (struct sockaddr_in6 *)ro->ro_rt->rt_gateway;
ro->ro_rt->rt_use++;
- if (m0->m_pkthdr.len <= nd_ifinfo[ifp->if_index].linkmtu)
- error = nd6_output(ifp, fin->fin_ifp, m0, dst6,
- ro->ro_rt);
- else
- error = EMSGSIZE;
+#if defined(OpenBSD) && (OpenBSD >= 200211)
+ ip6 = mtod(m0, ip6_t *);
+ ro_pmtu = ro;
+ finaldst = ip6->ip6_dst;
+ error = ip6_getpmtu(ro_pmtu, ro, ifp, &finaldst, &mtu);
+ if (error == 0) {
+#else
+ mtu = nd_ifinfo[ifp->if_index].linkmtu;
+#endif
+ if (m0->m_pkthdr.len <= mtu)
+ error = nd6_output(ifp, fin->fin_ifp, m0,
+ dst6, ro->ro_rt);
+ else
+ error = EMSGSIZE;
+#if defined(OpenBSD) && (OpenBSD >= 200211)
+ }
+#endif
}
if (ro->ro_rt != NULL) {
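Review bot: On the OpenBSD path, when `ip6_getpmtu` fails the `if (error == 0)` skips nd6_output and control leaves the hunk with `m0` still unconsumed, whereas nd6_output takes ownership of the mbuf; confirm the common error exit (outside the hunk) frees `m0` for this case, otherwise every PMTU lookup failure leaks an mbuf. Passing `ro` as both `ro_pmtu` and `ro` is presumably intended because the final destination is the same, and a one-line comment saying so would help, e.g. `/* ro doubles as the PMTU route cache: same final destination */`. `mtu` is declared without an initialiser in the previous hunk and only assigned inside these branches, which is fine so long as nothing after the hunk reads it on the error path.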
diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h
index 56175f28c986..b97c796376c0 100644
--- a/sys/contrib/ipfilter/netinet/ip_fil.h
+++ b/sys/contrib/ipfilter/netinet/ip_fil.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
- * $Id: ip_fil.h,v 2.29.2.33 2002/06/04 14:46:28 darrenr Exp $
+ * $Id: ip_fil.h,v 2.29.2.34 2002/10/01 15:23:37 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@@ -63,6 +63,7 @@
# define SIOCSTGET _IOWR('r', 81, struct ipstate_save *)
# define SIOCSTGSZ _IOWR('r', 82, struct natget)
# define SIOCGFRST _IOWR('r', 83, struct ipfrstat *)
+# define SIOCIPFL6 _IOWR('r', 84, int)
#else
# define SIOCADAFR _IOW(r, 60, struct frentry *)
# define SIOCRMAFR _IOW(r, 61, struct frentry *)
@@ -88,6 +89,7 @@
# define SIOCSTGET _IOWR(r, 81, struct ipstate_save *)
# define SIOCSTGSZ _IOWR(r, 82, struct natget)
# define SIOCGFRST _IOWR(r, 83, struct ipfrstat *)
+# define SIOCIPFL6 _IOWR(r, 84, int)
#endif
#define SIOCADDFR SIOCADAFR
#define SIOCDELFR SIOCRMAFR
@@ -412,14 +414,16 @@ typedef struct frgroup {
* structure which is then followed by any packet data.
*/
typedef struct iplog {
- u_32_t ipl_magic;
- u_int ipl_count;
- u_long ipl_sec;
- u_long ipl_usec;
- size_t ipl_dsize;
+ u_32_t ipl_magic;
+ u_int ipl_count;
+ struct timeval ipl_tv;
+ size_t ipl_dsize;
struct iplog *ipl_next;
} iplog_t;
+#define ipl_sec ipl_tv.tv_sec
+#define ipl_usec ipl_tv.tv_usec
+
#define IPL_MAGIC 0x49504c4d /* 'IPLM' */
#define IPLOG_SIZE sizeof(iplog_t)
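Review bot: Replacing `u_long ipl_sec, ipl_usec` with `struct timeval ipl_tv` changes the layout of the record that ipflog_read hands to userland wherever `sizeof(struct timeval)` differs from two `u_long`, so ipmon and anything else parsing the log stream must be rebuilt against this header; either bump IPL_MAGIC or note the ABI change in a comment above the struct. The `#define ipl_sec`/`#define ipl_usec` macros are unscoped and will rewrite those identifiers in every struct or variable that follows this header in any translation unit; prefer accessing `ipl_tv` directly, or give the macros a distinct prefix.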
@@ -612,7 +616,7 @@ extern int ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *));
extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
extern int ipflog_read __P((minor_t, struct uio *));
-extern int frflush __P((minor_t, int));
+extern int frflush __P((minor_t, int, int));
extern void frsync __P((void));
extern frgroup_t *fr_addgroup __P((u_32_t, frentry_t *, minor_t, int));
extern void fr_delgroup __P((u_32_t, u_32_t, minor_t, int));
diff --git a/sys/contrib/ipfilter/netinet/ip_frag.c b/sys/contrib/ipfilter/netinet/ip_frag.c
index bed47b708f69..0f3b818f9694 100644
--- a/sys/contrib/ipfilter/netinet/ip_frag.c
+++ b/sys/contrib/ipfilter/netinet/ip_frag.c
@@ -7,7 +7,7 @@
# define _KERNEL
#endif
-#ifdef __sgi
+#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@@ -90,7 +90,7 @@ extern struct timeout ipfr_slowtimer_ch;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.24 2002/08/28 12:41:04 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.25 2002/12/06 11:40:21 darrenr Exp $";
#endif
diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
index a5a27be6b905..010841026840 100644
--- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
@@ -2,7 +2,7 @@
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
- * $Id: ip_ftp_pxy.c,v 2.7.2.38 2002/08/28 12:45:47 darrenr Exp $
+ * $Id: ip_ftp_pxy.c,v 2.7.2.42 2002/11/25 21:42:35 darrenr Exp $
*/
#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_rw;
@@ -39,24 +39,30 @@ extern kmutex_t ipf_rw;
#define FTPXY_PASS_2 14
#define FTPXY_PAOK_2 15
+/*
+ * Values for FTP commands. Numerics cover 0-999
+ */
+#define FTPXY_C_PASV 1000
+
int ippr_ftp_client __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
int ippr_ftp_complete __P((char *, size_t));
int ippr_ftp_in __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_ftp_init __P((void));
int ippr_ftp_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
int ippr_ftp_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
-int ippr_ftp_pasv __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
+int ippr_ftp_pasv __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
int ippr_ftp_port __P((fr_info_t *, ip_t *, nat_t *, ftpside_t *, int));
int ippr_ftp_process __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
int ippr_ftp_server __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
-int ippr_ftp_valid __P((int, char *, size_t));
-int ippr_ftp_server_valid __P((char *, size_t));
-int ippr_ftp_client_valid __P((char *, size_t));
+int ippr_ftp_valid __P((ftpinfo_t *, int, char *, size_t));
+int ippr_ftp_server_valid __P((ftpside_t *, char *, size_t));
+int ippr_ftp_client_valid __P((ftpside_t *, char *, size_t));
u_short ippr_ftp_atoi __P((char **));
static frentry_t ftppxyfr;
int ippr_ftp_pasvonly = 0;
int ippr_ftp_insecure = 0;
+int ippr_ftp_forcepasv = 0;
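Review bot: `ippr_ftp_forcepasv` is introduced without a comment although it is a security tunable: its only reader, in ippr_ftp_pasv further down, refuses to rewrite a 227 reply unless the client side's recorded command is PASV, so say so here, e.g. `/* when non-zero, honour a 227 reply only after the client actually sent PASV */`. The "Numerics cover 0-999" comment above `FTPXY_C_PASV` should also say that these values are stored in `ftps_cmds` (three-digit server reply codes, or FTPXY_C_PASV for a client PASV), since the same field is incremented as a command counter elsewhere in this file.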
/*
@@ -123,8 +129,13 @@ int dlen;
/*
* Check for client sending out PORT message.
*/
- if (dlen < IPF_MINPORTLEN)
+ if (dlen < IPF_MINPORTLEN) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout,
+ "ippr_ftp_port:dlen(%d) < IPF_MINPORTLEN\n", dlen);
+#endif
return 0;
+ }
off = fin->fin_hlen + (tcp->th_off << 2);
/*
* Skip the PORT command + space
@@ -134,23 +145,39 @@ int dlen;
* Pick out the address components, two at a time.
*/
a1 = ippr_ftp_atoi(&s);
- if (!s)
+ if (s == NULL) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(1) failed\n");
+#endif
return 0;
+ }
a2 = ippr_ftp_atoi(&s);
- if (!s)
+ if (s == NULL) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(2) failed\n");
+#endif
return 0;
+ }
/*
* check that IP address in the PORT/PASV reply is the same as the
* sender of the command - prevents using PORT for port scanning.
*/
a1 <<= 16;
a1 |= a2;
- if (a1 != ntohl(nat->nat_inip.s_addr))
+ if (a1 != ntohl(nat->nat_inip.s_addr)) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_port:a1 != nat->nat_inip\n");
+#endif
return 0;
+ }
a5 = ippr_ftp_atoi(&s);
- if (!s)
+ if (s == NULL) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_port:ippr_ftp_atoi(3) failed\n");
+#endif
return 0;
+ }
if (*s == ')')
s++;
@@ -162,8 +189,12 @@ int dlen;
if ((*s == '\r') && (*(s + 1) == '\n')) {
s += 2;
a6 = a5 & 0xff;
- } else
+ } else {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_port:missing cr-lf\n");
+#endif
return 0;
+ }
a5 >>= 8;
a5 &= 0xff;
/*
@@ -181,8 +212,13 @@ int dlen;
nlen = strlen(newbuf);
inc = nlen - olen;
- if ((inc + ip->ip_len) > 65535)
+ if ((inc + ip->ip_len) > 65535) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout,
+ "ippr_ftp_port:inc(%d) + ip->ip_len > 65535\n", inc);
+#endif
return 0;
+ }
#if !defined(_KERNEL)
m = *((mb_t **)fin->fin_mp);
@@ -253,8 +289,13 @@ int dlen;
* Don't allow the PORT command to specify a port < 1024 due to
* security crap.
*/
- if (sp < 1024)
+ if (sp < 1024) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_port:sp(%d) < 1024\n", sp);
+#endif
return 0;
+ }
+
/*
* The server may not make the connection back from port 20, but
* it is the most likely so use it here to check for a conflicting
@@ -369,11 +410,11 @@ int dlen;
}
-int ippr_ftp_pasv(fin, ip, nat, f, dlen)
+int ippr_ftp_pasv(fin, ip, nat, ftp, dlen)
fr_info_t *fin;
ip_t *ip;
nat_t *nat;
-ftpside_t *f;
+ftpinfo_t *ftp;
int dlen;
{
tcphdr_t *tcp, tcph, *tcp2 = &tcph;
@@ -381,23 +422,45 @@ int dlen;
u_int a1, a2, a3, a4;
u_short a5, a6, dp;
fr_info_t fi;
+ ftpside_t *f;
nat_t *ipn;
int inc;
char *s;
+ if (ippr_ftp_forcepasv != 0 &&
+ ftp->ftp_side[0].ftps_cmds != FTPXY_C_PASV) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout,
+ "ippr_ftp_pasv:ftps_cmds(%d) != FTPXY_C_PASV\n",
+ ftp->ftp_side[0].ftps_cmds);
+#endif
+ return 0;
+ }
+
+ f = &ftp->ftp_side[1];
+
#define PASV_REPLEN 24
/*
* Check for PASV reply message.
*/
- if (dlen < IPF_MIN227LEN)
+ if (dlen < IPF_MIN227LEN) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout,
+ "ippr_ftp_pasv:dlen(%d) < IPF_MIN227LEN\n", dlen);
+#endif
return 0;
- else if (strncmp(f->ftps_rptr, "227 Entering Passive Mod", PASV_REPLEN))
+ } else if (strncmp(f->ftps_rptr,
+ "227 Entering Passive Mod", PASV_REPLEN)) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_pasv:227 reply wrong\n");
+#endif
return 0;
+ }
tcp = (tcphdr_t *)fin->fin_dp;
/*
- * Skip the PORT command + space
+ * Skip the PASV reply + space
*/
s = f->ftps_rptr + PASV_REPLEN;
while (*s && !isdigit(*s))
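Review bot: With `ippr_ftp_forcepasv` set, the test `ftp->ftp_side[0].ftps_cmds != FTPXY_C_PASV` looks as though it never passes: ippr_ftp_client_valid stores FTPXY_C_PASV into `ftps_cmds` on a PASV line, but ippr_ftp_process then does `f->ftps_cmds++` on that same field immediately after the successful validation (visible in a later hunk), so the value seen here is FTPXY_C_PASV+1 and every 227 reply is rejected. Either stop incrementing the field once it carries a code, or record the last command in a separate member such as `ftps_lastcmd` and compare `ftp->ftp_side[0].ftps_lastcmd != FTPXY_C_PASV` here, leaving the counter semantics intact. This assumes nothing resets the field between the two points; ippr_ftp_pasv continues outside the hunk.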
@@ -406,11 +469,19 @@ int dlen;
* Pick out the address components, two at a time.
*/
a1 = ippr_ftp_atoi(&s);
- if (!s)
+ if (s == NULL) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(1) failed\n");
+#endif
return 0;
+ }
a2 = ippr_ftp_atoi(&s);
- if (!s)
+ if (s == NULL) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(2) failed\n");
+#endif
return 0;
+ }
/*
* check that IP address in the PORT/PASV reply is the same as the
@@ -418,12 +489,20 @@ int dlen;
*/
a1 <<= 16;
a1 |= a2;
- if (a1 != ntohl(nat->nat_oip.s_addr))
+ if (a1 != ntohl(nat->nat_oip.s_addr)) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_pasv:a1 != nat->nat_oip\n");
+#endif
return 0;
+ }
a5 = ippr_ftp_atoi(&s);
- if (!s)
+ if (s == NULL) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_pasv:ippr_ftp_atoi(3) failed\n");
+#endif
return 0;
+ }
if (*s == ')')
s++;
@@ -437,8 +516,12 @@ int dlen;
if ((*s == '\r') && (*(s + 1) == '\n')) {
s += 2;
a6 = a5 & 0xff;
- } else
+ } else {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_pasv:missing cr-lf\n");
+#endif
return 0;
+ }
a5 >>= 8;
/*
* Calculate new address parts for 227 reply
@@ -580,9 +663,9 @@ int dlen;
return 0;
if (ftp->ftp_passok == FTPXY_GO) {
if (!strncmp(rptr, "227 ", 4))
- inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
+ inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen);
} else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) {
- inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
+ inc = ippr_ftp_pasv(fin, ip, nat, ftp, dlen);
} else if (*rptr == '5' || *rptr == '4')
ftp->ftp_passok = FTPXY_INIT;
else if (ftp->ftp_incok) {
@@ -608,6 +691,7 @@ int dlen;
}
}
ftp->ftp_incok = 0;
+
while ((*rptr++ != '\n') && (rptr < wptr))
;
f->ftps_rptr = rptr;
@@ -619,100 +703,150 @@ int dlen;
* Look to see if the buffer starts with something which we recognise as
* being the correct syntax for the FTP protocol.
*/
-int ippr_ftp_client_valid(buf, len)
+int ippr_ftp_client_valid(ftps, buf, len)
+ftpside_t *ftps;
char *buf;
size_t len;
{
register char *s, c;
register size_t i = len;
+ char cmd[5];
- if (i < 5)
+ if (i < 5) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_client_valid:i(%d) < 5\n", i);
+#endif
return 2;
+ }
s = buf;
c = *s++;
i--;
if (isalpha(c)) {
+ cmd[0] = toupper(c);
c = *s++;
i--;
if (isalpha(c)) {
+ cmd[1] = toupper(c);
c = *s++;
i--;
if (isalpha(c)) {
+ cmd[2] = toupper(c);
c = *s++;
i--;
if (isalpha(c)) {
+ cmd[3] = toupper(c);
c = *s++;
i--;
if ((c != ' ') && (c != '\r'))
- return 1;
+ goto bad_client_command;
} else if ((c != ' ') && (c != '\r'))
- return 1;
+ goto bad_client_command;
} else
- return 1;
+ goto bad_client_command;
} else
- return 1;
- } else
+ goto bad_client_command;
+ } else {
+bad_client_command:
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout,
+ "ippr_ftp_client_valid:bad cmd:len %d i %d c 0x%x\n",
+ i, len, c);
+#endif
return 1;
+ }
+
for (; i; i--) {
c = *s++;
- if (c == '\n')
+ if (c == '\n') {
+ cmd[4] = '\0';
+ if (!strcmp(cmd, "PASV"))
+ ftps->ftps_cmds = FTPXY_C_PASV;
+ else
+ ftps->ftps_cmds = 0;
return 0;
+ }
}
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_client_valid:junk after cmd[%s]\n", buf);
+#endif
return 2;
}
-int ippr_ftp_server_valid(buf, len)
+int ippr_ftp_server_valid(ftps, buf, len)
+ftpside_t *ftps;
char *buf;
size_t len;
{
register char *s, c;
register size_t i = len;
+ int cmd;
if (i < 5)
return 2;
s = buf;
c = *s++;
+ cmd = 0;
i--;
if (isdigit(c)) {
+ cmd = (c - '0') * 100;
c = *s++;
i--;
if (isdigit(c)) {
+ cmd += (c - '0') * 10;
c = *s++;
i--;
if (isdigit(c)) {
+ cmd += (c - '0');
c = *s++;
i--;
if ((c != '-') && (c != ' '))
- return 1;
+ goto bad_server_command;
} else
- return 1;
+ goto bad_server_command;
} else
- return 1;
- } else
+ goto bad_server_command;
+ } else {
+bad_server_command:
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout,
+ "ippr_ftp_server_valid:bad cmd:len %d i %d c 0x%x\n",
+ i, len, c);
+#endif
return 1;
+ }
+
for (; i; i--) {
c = *s++;
- if (c == '\n')
+ if (c == '\n') {
+ ftps->ftps_cmds = cmd;
return 0;
+ }
}
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout, "ippr_ftp_server_valid:junk after cmd[%s]\n", buf);
+#endif
return 2;
}
-int ippr_ftp_valid(side, buf, len)
+int ippr_ftp_valid(ftp, side, buf, len)
+ftpinfo_t *ftp;
int side;
char *buf;
size_t len;
{
+ ftpside_t *ftps;
int ret;
+ ftps = &ftp->ftp_side[side];
+
if (side == 0)
- ret = ippr_ftp_client_valid(buf, len);
+ ret = ippr_ftp_client_valid(ftps, buf, len);
else
- ret = ippr_ftp_server_valid(buf, len);
+ ret = ippr_ftp_server_valid(ftps, buf, len);
return ret;
}
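Review bot: `cmd[3]` is only assigned on the four-letter path, so for a three-letter command the later `strcmp(cmd, "PASV")` reads an uninitialised byte (it only matters once the first three bytes are `PAS`, but it is still undefined); initialise the array, `char cmd[5] = { 0, 0, 0, 0, 0 };`, or set `cmd[3] = '\0'` in the three-letter branch. The `isalpha(c)`, `toupper(c)` and `isdigit(c)` calls are given a plain `char` that came off the wire; a byte at or above 0x80 is negative where char is signed and is undefined input to <ctype.h>, so pass `(unsigned char)c`. The userland debug prints format the `size_t` values `i` and `len` with `%d`; cast them to `unsigned long` and use `%lu`.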
@@ -814,9 +948,10 @@ int rv;
#endif
ok = 0;
- if (t->ftps_seq[0] == 0)
- t->ftps_seq[0] = thack, ok = 1;
- else {
+ if (t->ftps_seq[0] == 0) {
+ t->ftps_seq[0] = thack;
+ ok = 1;
+ } else {
if (ackoff == 0) {
if (t->ftps_seq[0] == thack)
ok = 1;
@@ -845,20 +980,24 @@ int rv;
#endif
if (!mlen) {
- if (t->ftps_seq[0] + ackoff != thack)
+ if (t->ftps_seq[0] + ackoff != thack) {
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout,
+ "ippr_ftp_process:seq[0](%x) + ackoff(%x) != thack(%x)\n",
+ t->ftps_seq[0], ackoff, thack);
+#endif
return APR_ERR(1);
+ }
#if PROXY_DEBUG
printf("f:seq[0] %x seq[1] %x\n", f->ftps_seq[0], f->ftps_seq[1]);
#endif
if (tcp->th_flags & TH_FIN) {
- if (thseq + seqoff == f->ftps_seq[0] + 1 ||
- f->ftps_seq[0] + seqoff + 1 == thseq ||
- thseq + seqoff == f->ftps_seq[0] ||
- thseq == f->ftps_seq[0] + seqoff)
- ;
- else {
-#if PROXY_DEBUG
+ if (thseq == f->ftps_seq[1]) {
+ f->ftps_seq[0] = f->ftps_seq[1] - seqoff;
+ f->ftps_seq[1] = thseq + 1 - seqoff;
+ } else {
+#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
printf("FIN: thseq %x seqoff %d ftps_seq %x\n",
thseq, seqoff, f->ftps_seq[0]);
#endif
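Review bot: The FIN branch now accepts only `thseq == f->ftps_seq[1]` where the old code tolerated four alignments, so a retransmitted FIN (thseq back at `ftps_seq[0]`) now takes the error `else`, even though the next hunk deliberately tolerates retransmitted data packets; either the same tolerance is wanted here or the commit should say why a repeated FIN is rejected. The effect of the `else` arm is outside the hunk, so the consequence of a rejection is not visible from here. A one-line comment above the new test stating the invariant it relies on, e.g. `/* ftps_seq[1] is the next sequence number expected from this side */`, would make the rewrite of `ftps_seq[0]`/`[1]` reviewable.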
@@ -870,17 +1009,19 @@ int rv;
}
ok = 0;
- if (thseq == f->ftps_seq[0] || thseq == f->ftps_seq[1])
+ if ((thseq == f->ftps_seq[0]) || (thseq == f->ftps_seq[1])) {
ok = 1;
/*
* Retransmitted data packet.
*/
- else if (thseq + mlen == f->ftps_seq[0] ||
- thseq + mlen == f->ftps_seq[1])
+ } else if ((thseq + mlen == f->ftps_seq[0]) ||
+ (thseq + mlen == f->ftps_seq[1])) {
ok = 1;
+ }
+
if (ok == 0) {
inc = thseq - f->ftps_seq[0];
-#if PROXY_DEBUG
+#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
printf("inc %d sel %d rv %d\n", inc, sel, rv);
printf("th_seq %x ftps_seq %x/%x\n", thseq, f->ftps_seq[0],
f->ftps_seq[1]);
@@ -917,10 +1058,12 @@ int rv;
wptr += len;
f->ftps_wptr = wptr;
if (f->ftps_junk == 2)
- f->ftps_junk = ippr_ftp_valid(rv, rptr, wptr - rptr);
+ f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr,
+ wptr - rptr);
while ((f->ftps_junk == 0) && (wptr > rptr)) {
- f->ftps_junk = ippr_ftp_valid(rv, rptr, wptr - rptr);
+ f->ftps_junk = ippr_ftp_valid(ftp, rv, rptr,
+ wptr - rptr);
if (f->ftps_junk == 0) {
f->ftps_cmds++;
len = wptr - rptr;
@@ -942,6 +1085,10 @@ int rv;
*/
if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) {
/* f->ftps_seq[1] += inc; */
+#if !defined(_KERNEL) && !defined(KERNEL)
+ fprintf(stdout,
+ "ippr_ftp_process:cmds == 0 junk == 1\n");
+#endif
return APR_ERR(2);
}
@@ -985,18 +1132,17 @@ int rv;
/* f->ftps_seq[1] += inc; */
if (tcp->th_flags & TH_FIN)
f->ftps_seq[1]++;
-#ifndef _KERNEL
+#if PROXY_DEBUG
+# ifndef _KERNEL
mlen = mbuflen(m);
-#else
-# if SOLARIS
- mlen = msgdsize(m);
# else
+# if SOLARIS
+ mlen = msgdsize(m);
+# else
mlen = mbufchainlen(m);
+# endif
# endif
-#endif
- off = fin->fin_hlen + (tcp->th_off << 2);
mlen -= off;
-#if PROXY_DEBUG
printf("ftps_seq[1] = %x inc %d len %d\n", f->ftps_seq[1], inc, mlen);
#endif
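Review bot: `mlen -= off;` survives inside the new `#if PROXY_DEBUG` block at the end of the hunk, but the assignment that used to feed it, `off = fin->fin_hlen + (tcp->th_off << 2);`, is removed rather than moved, so PROXY_DEBUG builds now rely on `off` having been set earlier in ippr_ftp_process, which this hunk does not show. If it is set earlier the removed line was redundant and the change is fine; if it is not, the debug length is computed from a stale or uninitialised `off`. Either keep the assignment inside the `#if`, or add `/* off was computed at the top of the function; mlen is recomputed here only for the debug print */` above the block so the dependency is explicit. The enclosing function continues beyond the hunk.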
diff --git a/sys/contrib/ipfilter/netinet/ip_log.c b/sys/contrib/ipfilter/netinet/ip_log.c
index 6bf7a4d9b171..e57bd690969f 100644
--- a/sys/contrib/ipfilter/netinet/ip_log.c
+++ b/sys/contrib/ipfilter/netinet/ip_log.c
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ip_log.c,v 2.5.2.19 2002/04/25 16:32:48 darrenr Exp $
+ * $Id: ip_log.c,v 2.5.2.21 2002/10/26 06:21:30 darrenr Exp $
*/
#include <sys/param.h>
#if defined(KERNEL) && !defined(_KERNEL)
@@ -99,6 +99,9 @@
# include <netinet/tcp.h>
# include <netinet/udp.h>
# include <netinet/ip_icmp.h>
+# ifdef USE_INET6
+# include <netinet/icmp6.h>
+# endif
# include <netinet/ip_var.h>
# ifndef _KERNEL
# include <syslog.h>
@@ -211,6 +214,26 @@ mb_t *m;
break;
}
}
+#ifdef USE_INET6
+ else if (p == IPPROTO_ICMPV6) {
+ struct icmp6_hdr *icmp;
+
+ icmp = (struct icmp6_hdr *)fin->fin_dp;
+
+ /*
+ * For ICMPV6, if the packet is an error packet, also
+ * include the information about the packet which
+ * caused the error.
+ */
+ if (icmp->icmp6_type < 128) {
+ hlen += MIN(sizeof(struct icmp6_hdr) + 8,
+ fin->fin_dlen);
+ } else {
+ hlen += MIN(sizeof(struct icmp6_hdr),
+ fin->fin_dlen);
+ }
+ }
+#endif
}
/*
* Get the interface number and name to which this packet is
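Review bot: The ICMPv6 error branch, `hlen += MIN(sizeof(struct icmp6_hdr) + 8, fin->fin_dlen)`, logs only the first 8 bytes of the invoking packet; for an ICMPv6 error the invoking IPv6 header starts immediately after the 8-byte icmp6_hdr, so the logged excerpt stops before the inner source and destination addresses (bytes 8 to 40 of that header) and carries only version, flow label, payload length, next header and hop limit. If the log is meant to identify the flow that triggered the error, `sizeof(struct ip6_hdr)` rather than 8 is the useful minimum, still bounded by the same MIN against fin_dlen. Separately, `icmp->icmp6_type` is read before anything here compares fin_dlen with sizeof(struct icmp6_hdr); if the caller does not already guarantee a complete header at fin_dp, that read needs a guard. Whether fin_dlen was validated upstream is not visible in this hunk.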
@@ -334,10 +357,10 @@ int *types, cnt;
ipl->ipl_dsize = len;
# ifdef _KERNEL
# if SOLARIS || defined(sun)
- uniqtime((struct timeval *)&ipl->ipl_sec);
+ uniqtime(&ipl->ipl_tv);
# else
# if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi)
- microtime((struct timeval *)&ipl->ipl_sec);
+ microtime(&ipl->ipl_tv);
# endif
# endif
# else
diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c
index 854c68dc4a2d..d8c862220cea 100644
--- a/sys/contrib/ipfilter/netinet/ip_nat.c
+++ b/sys/contrib/ipfilter/netinet/ip_nat.c
@@ -9,7 +9,7 @@
#define _KERNEL
#endif
-#ifdef __sgi
+#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@@ -109,7 +109,7 @@ extern struct ifnet vpnif;
#if !defined(lint)
static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.70 2002/08/28 12:45:48 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.74 2002/12/06 11:40:21 darrenr Exp $";
#endif
nat_t **nat_table[2] = { NULL, NULL },
@@ -148,6 +148,7 @@ static int nat_match __P((fr_info_t *, ipnat_t *, ip_t *));
static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr,
struct in_addr));
static void nat_hostmapdel __P((struct hostmap *));
+static void nat_mssclamp __P((tcphdr_t *, u_32_t, fr_info_t *, u_short *));
int nat_init()
@@ -456,8 +457,9 @@ int mode;
/*
* For add/delete, look to see if the NAT entry is already present
*/
- if (getlock == 1)
+ if (getlock == 1) {
WRITE_ENTER(&ipf_nat);
+ }
if ((cmd == SIOCADNAT) || (cmd == SIOCRMNAT)) {
nat = &natd;
nat->in_flags &= IPN_USERFLAGS;
@@ -726,8 +728,9 @@ int mode;
error = EINVAL;
break;
}
- if (getlock == 1)
+ if (getlock == 1) {
RWLOCK_EXIT(&ipf_nat); /* READ/WRITE */
+ }
done:
if (nt)
KFREE(nt);
@@ -1465,6 +1468,7 @@ int direction;
nat->nat_p = fin->fin_p;
nat->nat_bytes = 0;
nat->nat_pkts = 0;
+ nat->nat_mssclamp = np->in_mssclamp;
nat->nat_fr = fin->fin_fr;
if (nat->nat_fr != NULL) {
ATOMIC_INC32(nat->nat_fr->fr_ref);
@@ -2517,6 +2521,16 @@ maskloop:
*/
if (nat->nat_age == fr_tcpclosed)
nat->nat_age = fr_tcplastack;
+
+ /*
+ * Do a MSS CLAMPING on a SYN packet,
+ * only deal IPv4 for now.
+ */
+ if (nat->nat_mssclamp &&
+ (tcp->th_flags & TH_SYN) != 0)
+ nat_mssclamp(tcp, nat->nat_mssclamp,
+ fin, csump);
+
MUTEX_EXIT(&nat->nat_lock);
} else if (fin->fin_p == IPPROTO_UDP) {
udphdr_t *udp = (udphdr_t *)tcp;
@@ -2728,6 +2742,15 @@ maskloop:
*/
if (nat->nat_age == fr_tcpclosed)
nat->nat_age = fr_tcplastack;
+ /*
+ * Do a MSS CLAMPING on a SYN packet,
+ * only deal IPv4 for now.
+ */
+ if (nat->nat_mssclamp &&
+ (tcp->th_flags & TH_SYN) != 0)
+ nat_mssclamp(tcp, nat->nat_mssclamp,
+ fin, csump);
+
MUTEX_EXIT(&nat->nat_lock);
} else if (fin->fin_p == IPPROTO_UDP) {
udphdr_t *udp = (udphdr_t *)tcp;
@@ -2927,3 +2950,60 @@ void *ifp;
return;
}
#endif
+
+
+/*
+ * Check for MSS option and clamp it if necessary.
+ */
+static void nat_mssclamp(tcp, maxmss, fin, csump)
+tcphdr_t *tcp;
+u_32_t maxmss;
+fr_info_t *fin;
+u_short *csump;
+{
+ u_char *cp, *ep, opt;
+ int hlen, advance;
+ u_32_t mss, sumd;
+ u_short v;
+
+ hlen = tcp->th_off << 2;
+ if (hlen > sizeof(*tcp)) {
+ cp = (u_char *)tcp + sizeof(*tcp);
+ ep = (u_char *)tcp + hlen;
+
+ while (cp < ep) {
+ opt = cp[0];
+ if (opt == TCPOPT_EOL)
+ break;
+ else if (opt == TCPOPT_NOP) {
+ cp++;
+ continue;
+ }
+
+ if (&cp[1] >= ep)
+ break;
+ advance = cp[1];
+ if (&cp[advance] >= ep)
+ break;
+ switch (opt) {
+ case TCPOPT_MAXSEG:
+ if (advance != 4)
+ break;
+ bcopy(&cp[2], &v, sizeof(v));
+ mss = ntohs(v);
+ if (mss > maxmss) {
+ v = htons(maxmss);
+ bcopy(&v, &cp[2], sizeof(v));
+ CALC_SUMD(mss, maxmss, sumd);
+ fix_outcksum(fin, csump, sumd);
+ }
+ break;
+ default:
+ /* ignore unknown options */
+ break;
+ }
+
+ cp += advance;
+ }
+ }
+}
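Review bot: The option walk in nat_mssclamp makes no progress when an option's length byte is below 2: `advance = cp[1]` is accepted whenever `&cp[advance] < ep`, so for a length of 0 `cp += advance` leaves cp unchanged and `while (cp < ep)` never terminates, while the caller still holds nat_lock (the MUTEX_EXIT follows the call in both the `@@ -2517` and `@@ -2728` hunks). The neighbouring bound is also one too strict: `&cp[advance] >= ep` rejects an option that ends exactly at the end of the header, so a SYN whose only option is MSS (th_off == 6) is never clamped. Both are fixed by `if ((advance < 2) || (&cp[advance] > ep)) break;` in place of the current test, and the same `advance < 2` guard belongs in any other option walker in the tree. hlen is derived from th_off without a comparison against fin->fin_dlen here, so if the caller has not already rejected a header longer than the segment the walk can read past the packet. Nothing bounds `maxmss` either (in_mssclamp arrives with the rule, and the SIOCADNAT path shown earlier masks only in_flags): a value above 65535 silently disables clamping and a tiny value clamps to an unusable MSS, so a range check where the rule is loaded would be appropriate.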
diff --git a/sys/contrib/ipfilter/netinet/ip_nat.h b/sys/contrib/ipfilter/netinet/ip_nat.h
index e1b160fbf618..e052449b1894 100644
--- a/sys/contrib/ipfilter/netinet/ip_nat.h
+++ b/sys/contrib/ipfilter/netinet/ip_nat.h
@@ -4,7 +4,7 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_nat.h 1.5 2/4/96
- * $Id: ip_nat.h,v 2.17.2.27 2002/08/28 12:45:51 darrenr Exp $
+ * $Id: ip_nat.h,v 2.17.2.28 2002/11/03 13:06:21 darrenr Exp $
*/
#ifndef __IP_NAT_H__
@@ -84,6 +84,7 @@ typedef struct nat {
u_short nat_use;
u_char nat_tcpstate[2];
u_char nat_p; /* protocol for NAT */
+ u_32_t nat_mssclamp; /* if != zero clamp MSS to this */
struct ipnat *nat_ptr; /* pointer back to the rule */
struct hostmap *nat_hm;
struct nat *nat_next;
@@ -113,6 +114,7 @@ typedef struct ipnat {
u_short in_pnext;
u_short in_ippip; /* IP #'s per IP# */
u_32_t in_flags; /* From here to in_dport must be reflected */
+ u_32_t in_mssclamp; /* if != zero clamp MSS to this */
u_short in_spare;
u_short in_ppip; /* ports per IP */
u_short in_port[2]; /* correctly in IPN_CMPSIZ */
diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c
index f36753ad0fa3..f3b2cd5d21a2 100644
--- a/sys/contrib/ipfilter/netinet/ip_proxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_proxy.c
@@ -7,7 +7,7 @@
# define _KERNEL
#endif
-#ifdef __sgi
+#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@@ -75,7 +75,7 @@
#endif
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.24 2002/08/28 12:45:51 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.26 2002/12/06 11:40:23 darrenr Exp $";
#endif
#if defined(_KERNEL) && (SOLARIS || defined(__sgi))
@@ -315,7 +315,7 @@ nat_t *nat;
sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
#endif
if (sum != tcp->th_sum) {
-#if PROXY_DEBUG
+#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
printf("proxy tcp checksum failure\n");
#endif
frstats[fin->fin_out].fr_tcpbad++;
@@ -323,8 +323,8 @@ nat_t *nat;
}
/*
- * Don't both the proxy with these...or in fact, should
- * we free up proxy stuff when seen?
+ * Don't bother the proxy with these...or in fact,
+ * should we free up proxy stuff when seen?
*/
if ((tcp->th_flags & TH_RST) != 0)
return 0;
@@ -342,13 +342,13 @@ nat_t *nat;
rv = APR_EXIT(err);
if (rv == 1) {
-#if PROXY_DEBUG
+#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
printf("proxy says bad packet received\n");
#endif
return -1;
}
if (rv == 2) {
-#if PROXY_DEBUG
+#if PROXY_DEBUG || (!defined(_KERNEL) && !defined(KERNEL))
printf("proxy says free app proxy data\n");
#endif
appr_free(apr);
@@ -424,7 +424,7 @@ ap_session_t *aps;
apr = aps->aps_apr;
if ((apr != NULL) && (apr->apr_del != NULL))
(*apr->apr_del)(aps);
-
+
if ((aps->aps_data != NULL) && (aps->aps_psiz != 0))
KFREES(aps->aps_data, aps->aps_psiz);
KFREE(aps);
@@ -468,7 +468,7 @@ int inc;
sel, !sel, seq1, aps->aps_seqmin[!sel]);
#endif
sel = aps->aps_sel[out] = !sel;
-}
+ }
if (aps->aps_seqoff[sel]) {
seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel];
@@ -503,7 +503,7 @@ int inc;
sel, !sel, seq1, aps->aps_ackmin[!sel]);
#endif
sel = aps->aps_sel[1 - out] = !sel;
-}
+ }
if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) {
seq2 = aps->aps_ackoff[sel];
@@ -522,7 +522,7 @@ int inc;
sel, !sel, seq1, aps->aps_ackmin[!sel]);
#endif
sel = aps->aps_sel[out] = !sel;
-}
+ }
if (aps->aps_ackoff[sel]) {
seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel];
@@ -557,7 +557,7 @@ int inc;
sel, !sel, seq1, aps->aps_seqmin[!sel]);
#endif
sel = aps->aps_sel[1 - out] = !sel;
-}
+ }
if (aps->aps_seqoff[sel] != 0) {
#if PROXY_DEBUG
diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.h b/sys/contrib/ipfilter/netinet/ip_proxy.h
index fad791dcd67b..50b0559ea263 100644
--- a/sys/contrib/ipfilter/netinet/ip_proxy.h
+++ b/sys/contrib/ipfilter/netinet/ip_proxy.h
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ip_proxy.h,v 2.8.2.13 2002/07/04 11:07:37 darrenr Exp $
+ * $Id: ip_proxy.h,v 2.8.2.14 2002/09/02 12:19:26 darrenr Exp $
*/
#ifndef __IP_PROXY_H__
@@ -99,6 +99,7 @@ typedef struct ftpside {
u_32_t ftps_len;
int ftps_junk;
int ftps_cmds;
+ int ftps_cmd;
char ftps_buf[FTP_BUFSZ];
} ftpside_t;
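Review bot: The new `int ftps_cmd;` field is not written by any code visible on this page; the ip_ftp_pxy.c hunk earlier stores the parsed command with `ftps->ftps_cmds = cmd;`, i.e. into the neighbouring `ftps_cmds` counter, which the same file increments with `f->ftps_cmds++` and tests with `(f->ftps_cmds == 0)` before returning APR_ERR(2). That reads like a one-letter slip for `ftps->ftps_cmd = cmd;`; overwriting the counter with a command code makes the "no commands seen yet" decision depend on the code value rather than on the count. If `ftps_cmd` is meant to hold the last parsed code, a comment on the field, `/* code of the last command/reply accepted by ippr_ftp_*_valid */`, would keep it apart from `ftps_cmds`. Only part of ip_ftp_pxy.c is on this page, so another assignment may exist elsewhere.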
diff --git a/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c b/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c
index 641d303c023e..3fecf49e2aec 100644
--- a/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_rcmd_pxy.c
@@ -1,5 +1,5 @@
/*
- * $Id: ip_rcmd_pxy.c,v 1.4.2.5 2001/10/30 16:38:14 darrenr Exp $
+ * $Id: ip_rcmd_pxy.c,v 1.4.2.6 2002/10/01 15:24:59 darrenr Exp $
*/
/*
* Simple RCMD transparent proxy for in-kernel use. For use with the NAT
@@ -143,6 +143,7 @@ nat_t *nat;
tcp2->th_sport = htons(sp);
tcp2->th_dport = 0; /* XXX - don't specify remote port */
tcp2->th_off = 5;
+ tcp2->th_flags = TH_SYN;
fi.fin_data[1] = 0;
fi.fin_dp = (char *)tcp2;
fi.fin_dlen = sizeof(*tcp2);
diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c
index 43fe8203ceea..5ab78cc3b34a 100644
--- a/sys/contrib/ipfilter/netinet/ip_state.c
+++ b/sys/contrib/ipfilter/netinet/ip_state.c
@@ -3,7 +3,7 @@
*
* See the IPFILTER.LICENCE file for details on licencing.
*/
-#ifdef __sgi
+#if defined(__sgi) && (IRIX > 602)
# include <sys/ptimers.h>
#endif
#include <sys/errno.h>
@@ -93,7 +93,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.74 2002/07/27 15:58:10 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.77 2002/12/06 11:40:24 darrenr Exp $";
#endif
#ifndef MIN
@@ -117,8 +117,8 @@ static frentry_t *fr_checkicmp6matchingstate __P((ip6_t *, fr_info_t *));
static int fr_matchsrcdst __P((ipstate_t *, union i6addr, union i6addr,
fr_info_t *, tcphdr_t *));
static frentry_t *fr_checkicmpmatchingstate __P((ip_t *, fr_info_t *));
-static int fr_matchicmpqueryreply __P((int, ipstate_t *, icmphdr_t *));
-static int fr_state_flush __P((int));
+static int fr_matchicmpqueryreply __P((int, ipstate_t *, icmphdr_t *, int));
+static int fr_state_flush __P((int, int));
static ips_stat_t *fr_statetstats __P((void));
static void fr_delstate __P((ipstate_t *));
static int fr_state_remove __P((caddr_t));
@@ -203,8 +203,8 @@ static ips_stat_t *fr_statetstats()
* starting at > 4 days idle and working back in successive half-
* days to at most 12 hours old.
*/
-static int fr_state_flush(which)
-int which;
+static int fr_state_flush(which, proto)
+int which, proto;
{
ipstate_t *is, **isp;
#if defined(_KERNEL) && !SOLARIS
@@ -216,6 +216,9 @@ int which;
for (isp = &ips_list; (is = *isp); ) {
delete = 0;
+ if ((proto != 0) && (is->is_v != proto))
+ continue;
+
switch (which)
{
case 0 :
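Review bot: The new `continue` in fr_state_flush skips a non-matching entry without advancing `isp`: the `for (isp = &ips_list; (is = *isp); )` header has no increment clause, so the walk presumably moves to `is->is_next` at the bottom of the body (outside this hunk), and `continue` jumps straight back to the condition with `isp` unchanged, re-examining the same entry forever. If that is the loop shape, any list containing an entry whose is_v differs from proto — a SIOCIPFL6 flush with IPv4 state present, or the reverse — spins with ipf_state write-locked. Use `if ((proto != 0) && (is->is_v != proto)) { isp = &is->is_next; continue; }`, or fold the test into the delete decision so the existing advance at the bottom of the body is reached. The proto == 0 call from fr_timeoutstate is unaffected.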
@@ -337,12 +340,26 @@ int mode;
break;
if (arg == 0 || arg == 1) {
WRITE_ENTER(&ipf_state);
- ret = fr_state_flush(arg);
+ ret = fr_state_flush(arg, 4);
RWLOCK_EXIT(&ipf_state);
error = IWCOPY((caddr_t)&ret, data, sizeof(ret));
} else
error = EINVAL;
break;
+#ifdef USE_INET6
+ case SIOCIPFL6 :
+ error = IRCOPY(data, (caddr_t)&arg, sizeof(arg));
+ if (error)
+ break;
+ if (arg == 0 || arg == 1) {
+ WRITE_ENTER(&ipf_state);
+ ret = fr_state_flush(arg, 6);
+ RWLOCK_EXIT(&ipf_state);
+ error = IWCOPY((caddr_t)&ret, data, sizeof(ret));
+ } else
+ error = EINVAL;
+ break;
+#endif
#ifdef IPFILTER_LOG
case SIOCIPFFB :
if (!(mode & FWRITE))
@@ -1118,7 +1135,7 @@ tcphdr_t *tcp;
return 1;
}
-static int fr_matchicmpqueryreply(v, is, icmp)
+static int fr_matchicmpqueryreply(v, is, icmp, rev)
int v;
ipstate_t *is;
icmphdr_t *icmp;
@@ -1128,8 +1145,8 @@ icmphdr_t *icmp;
* If we matched its type on the way in, then when going out
* it will still be the same type.
*/
- if (((icmp->icmp_type == is->is_type) ||
- (icmpreplytype4[is->is_type] == icmp->icmp_type))) {
+ if ((!rev && (icmp->icmp_type == is->is_type)) ||
+ (rev && (icmpreplytype4[is->is_type] == icmp->icmp_type))) {
if (icmp->icmp_type != ICMP_ECHOREPLY)
return 1;
if ((icmp->icmp_id == is->is_icmp.ics_id) &&
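Review bot: The block comment above the changed condition, "If we matched its type on the way in, then when going out it will still be the same type", no longer describes what the code checks: with `rev` the forward direction must repeat the recorded `is_type` and the reverse direction must carry its entry in icmpreplytype4 (icmpreplytype6 in the `@@ -1139` hunk), whereas before either type matched in either direction. Suggested replacement: `/* Forward direction (rev == 0) must repeat the type recorded in the state; the reverse direction (rev != 0) must carry that type's reply. */`, with the same wording at the IPv6 branch. The `rev` parameter also deserves a line in the function's header comment, since all three call sites now pass fin->fin_rev. The K&R declaration list is cut by the hunk, so whether `int rev;` was added to it is not visible here.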
@@ -1139,8 +1156,8 @@ icmphdr_t *icmp;
}
#ifdef USE_INET6
else if (is->is_v == 6) {
- if (((icmp->icmp_type == is->is_type) ||
- (icmpreplytype6[is->is_type] == icmp->icmp_type))) {
+ if ((!rev && (icmp->icmp_type == is->is_type)) ||
+ (rev && (icmpreplytype6[is->is_type] == icmp->icmp_type))) {
if (icmp->icmp_type != ICMP6_ECHO_REPLY)
return 1;
if ((icmp->icmp_id == is->is_icmp.ics_id) &&
@@ -1278,7 +1295,7 @@ fr_info_t *fin;
for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext)
if ((is->is_p == pr) && (is->is_v == 4) &&
fr_matchsrcdst(is, src, dst, &ofin, NULL) &&
- fr_matchicmpqueryreply(is->is_v, is, icmp)) {
+ fr_matchicmpqueryreply(is->is_v, is, icmp, fin->fin_rev)) {
ips_stats.iss_hits++;
is->is_pkts++;
is->is_bytes += ip->ip_len;
@@ -1460,7 +1477,7 @@ icmp6again:
for (isp = &ips_table[hvm]; (is = *isp); isp = &is->is_hnext)
if ((is->is_p == pr) && (is->is_v == v) &&
fr_matchsrcdst(is, src, dst, fin, NULL) &&
- fr_matchicmpqueryreply(v, is, ic)) {
+ fr_matchicmpqueryreply(v, is, ic, fin->fin_rev)) {
rev = fin->fin_rev;
if (is->is_frage[rev] != 0)
is->is_age = is->is_frage[rev];
@@ -1515,7 +1532,7 @@ icmp6again:
for (isp = &ips_table[hvm]; (is = *isp); isp = &is->is_hnext)
if ((is->is_p == pr) && (is->is_v == v) &&
fr_matchsrcdst(is, src, dst, fin, NULL) &&
- fr_matchicmpqueryreply(v, is, ic)) {
+ fr_matchicmpqueryreply(v, is, ic, fin->fin_rev)) {
rev = fin->fin_rev;
if (is->is_frage[rev] != 0)
is->is_age = is->is_frage[rev];
@@ -1750,7 +1767,7 @@ void fr_timeoutstate()
} else
isp = &is->is_next;
if (fr_state_doflush) {
- (void) fr_state_flush(2);
+ (void) fr_state_flush(2, 0);
fr_state_doflush = 0;
}
RWLOCK_EXIT(&ipf_state);
diff --git a/sys/contrib/ipfilter/netinet/ipl.h b/sys/contrib/ipfilter/netinet/ipl.h
index ced3e567b162..2a23a441a12f 100644
--- a/sys/contrib/ipfilter/netinet/ipl.h
+++ b/sys/contrib/ipfilter/netinet/ipl.h
@@ -4,12 +4,12 @@
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipl.h 1.21 6/5/96
- * $Id: ipl.h,v 2.15.2.35 2002/08/28 13:00:50 darrenr Exp $
+ * $Id: ipl.h,v 2.15.2.38 2002/12/07 02:40:05 darrenr Exp $
*/
#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter: v3.4.29"
+#define IPL_VERSION "IP Filter: v3.4.31"
#endif
diff --git a/sys/contrib/ipfilter/netinet/y b/sys/contrib/ipfilter/netinet/y
new file mode 100644
index 000000000000..d9aa6718e895
--- /dev/null
+++ b/sys/contrib/ipfilter/netinet/y
@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----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+-----END DSA PRIVATE KEY-----
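Review bot: The new file sys/contrib/ipfilter/netinet/y is a PEM `DSA PRIVATE KEY` block, and the next hunk adds its public half, y.pub, carrying the comment `darrenr@freefall.freebsd.org`; neither belongs in a vendor import of IPFilter. Once a private key has been committed it has to be treated as disclosed however quickly the file is removed: the key pair should be revoked and replaced, and its entry removed from any authorized_keys it was installed in. Both files should be dropped from the import (and from the vendor branch history where the tooling allows), and the import procedure checked for how stray files from the working directory reached the tree.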
diff --git a/sys/contrib/ipfilter/netinet/y.pub b/sys/contrib/ipfilter/netinet/y.pub
new file mode 100644
index 000000000000..a225f3922a01
--- /dev/null
+++ b/sys/contrib/ipfilter/netinet/y.pub
@@ -0,0 +1 @@
+ssh-dss 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 darrenr@freefall.freebsd.org