authordarrenr <darrenr@FreeBSD.org>2001-02-04 14:26:56 +0000
committerdarrenr <darrenr@FreeBSD.org>2001-02-04 14:26:56 +0000
commit48b4ca8e6a57c62a30178ad743504003bfd60b92 (patch)
treeb47e8b2fc77a6ae3122c2f25213a7861e67eee2f /contrib/ipfilter
parent53b25e2c4c7f67b0a0f4809050fb478bd1ff2d88 (diff)
fix conflicts
Diffstat (limited to 'contrib/ipfilter')
-rw-r--r--contrib/ipfilter/fil.c83
-rw-r--r--contrib/ipfilter/ip_fil.h3
-rw-r--r--contrib/ipfilter/ipmon.c12
-rw-r--r--contrib/ipfilter/ipsend/ipsend.c6
-rw-r--r--contrib/ipfilter/ipsend/sock.c2
-rw-r--r--contrib/ipfilter/man/ipfstat.816
6 files changed, 103 insertions, 19 deletions
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index 9accee8..2315a93 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -136,6 +136,8 @@ struct frgroup *ipfgroups[3][2];
int fr_flags = IPF_LOGGING;
int fr_active = 0;
int fr_chksrc = 0;
+int fr_minttl = 3;
+int fr_minttllog = 1;
#if defined(IPFILTER_DEFAULT_BLOCK)
int fr_pass = FR_NOMATCH|FR_BLOCK;
#else
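Review bot: The two new tunables `fr_minttl` and `fr_minttllog` are added without any comment, while the default of 3 is a policy choice that an administrator will want explained. From the later hunk in this file, `fr_minttl` is the threshold below which an inbound IPv4 TTL or an IPv6 hop limit is counted in `fr_badttl`, and `fr_minttllog` selects whether such packets are marked for logging. I would add that next to the definitions, e.g. `int fr_minttl = 3; /* TTL/hop limit below this is counted in fr_badttl */` and `int fr_minttllog = 1; /* non-zero: mark low-TTL packets for logging */`.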
@@ -269,6 +271,40 @@ fr_info_t *fin;
switch (p)
{
+#ifdef USE_INET6
+ case IPPROTO_ICMPV6 :
+ {
+ int minicmpsz = sizeof(struct icmp6_hdr);
+ struct icmp6_hdr *icmp6;
+
+ if (fin->fin_dlen > 1) {
+ fin->fin_data[0] = *(u_short *)tcp;
+
+ icmp6 = (struct icmp6_hdr *)tcp;
+
+ switch (icmp6->icmp6_type)
+ {
+ case ICMP6_ECHO_REPLY :
+ case ICMP6_ECHO_REQUEST :
+ minicmpsz = ICMP6ERR_MINPKTLEN;
+ break;
+ case ICMP6_DST_UNREACH :
+ case ICMP6_PACKET_TOO_BIG :
+ case ICMP6_TIME_EXCEEDED :
+ case ICMP6_PARAM_PROB :
+ minicmpsz = ICMP6ERR_IPICMPHLEN;
+ break;
+ default :
+ break;
+ }
+ }
+
+ if (!(plen >= hlen + minicmpsz))
+ fi->fi_fl |= FI_SHORT;
+
+ break;
+ }
+#endif
case IPPROTO_ICMP :
{
int minicmpsz = sizeof(struct icmp);
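Review bot: In the new `IPPROTO_ICMPV6` case the echo request/reply arm sets `minicmpsz = ICMP6ERR_MINPKTLEN`, a constant whose name says it is the minimum for ICMPv6 error messages. Its value is not visible here, so please confirm it. If it is larger than the 8-byte `struct icmp6_hdr`, the test `plen >= hlen + minicmpsz` will set `FI_SHORT` on small but valid echoes. A one-line comment on that arm stating the intended minimum would settle it. It is also worth a comment on whether `plen` includes the IPv6 header on this path, since `hlen` is added on the right-hand side. The hunk ends inside the following `IPPROTO_ICMP` case, so the rest of the switch is not visible.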
@@ -747,8 +783,8 @@ int out;
#endif
#ifdef _KERNEL
+ int p, len, drop = 0, logit = 0;
mb_t *mc = NULL;
- int p, len;
# if !defined(__SVR4) && !defined(__svr4__)
# ifdef __sgi
char hbuf[(0xf << 2) + sizeof(struct icmp) + sizeof(ip_t) + 8];
@@ -802,11 +838,17 @@ int out;
break;
/* 96 - enough for complete ICMP error IP header */
case IPPROTO_ICMP:
+ plen = ICMPERR_MAXPKTLEN - sizeof(ip_t);
+ break;
# ifdef USE_INET6
case IPPROTO_ICMPV6 :
-# endif
- plen = ICMPERR_MAXPKTLEN - sizeof(ip_t);
+ /*
+ * XXX does not take intermediate header
+ * into account
+ */
+ plen = ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t);
break;
+# endif
}
up = MIN(hlen + plen, len);
@@ -865,22 +907,37 @@ int out;
# ifdef USE_INET6
if (v == 6) {
ATOMIC_INCL(frstats[0].fr_ipv6[out]);
+ if (((ip6_t *)ip)->ip6_hlim < fr_minttl) {
+ ATOMIC_INCL(frstats[0].fr_badttl);
+ if (fr_minttllog)
+ logit = -2;
+ }
} else
# endif
- if (!out && fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) {
+ if (!out) {
+ if (fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) {
ATOMIC_INCL(frstats[0].fr_badsrc);
+ if (fr_chksrc == 2)
+ logit = -2;
+ } else if (ip->ip_ttl < fr_minttl) {
+ ATOMIC_INCL(frstats[0].fr_badttl);
+ if (fr_minttllog)
+ logit = -3;
+ }
+ }
+ if (drop) {
# ifdef IPFILTER_LOG
- if (fr_chksrc == 2) {
- fin->fin_group = -2;
- pass = FR_INQUE|FR_NOMATCH|FR_LOGB;
- (void) IPLLOG(pass, ip, fin, m);
- }
+ if (logit) {
+ fin->fin_group = logit;
+ pass = FR_INQUE|FR_NOMATCH|FR_LOGB;
+ (void) IPLLOG(pass, ip, fin, m);
+ }
# endif
# if !SOLARIS
- m_freem(m);
+ m_freem(m);
# endif
- return error;
- }
+ return error;
+ }
#endif
pass = fr_pass;
if (fin->fin_fi.fi_fl & FI_SHORT) {
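Review bot: `drop` is declared as `drop = 0` in the earlier hunk and tested here with `if (drop)`, but no line in this hunk assigns it. As shown, the `m_freem(m); return error;` path that the old code took when `fr_verifysrc()` failed is no longer reached. A packet failing the source check is counted in `fr_badsrc` and then falls through to `pass = fr_pass`, so `fr_chksrc` stops rejecting spoofed sources. Because the `IPLLOG` call also sits inside `if (drop)`, the `logit` values are never used either. To keep the previous behaviour, add `drop = 1;` after `ATOMIC_INCL(frstats[0].fr_badsrc);`, and decide explicitly whether the two `fr_badttl` branches should set it as well. Separately, the IPv6 hop-limit branch sets `logit = -2`, the group the IPv4 code uses for a bad source, where the IPv4 TTL branch uses `-3`; `logit = -3;` looks intended. The function starts and ends outside this hunk, so an assignment to `drop` elsewhere cannot be ruled out.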
@@ -1401,7 +1458,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.27 2000/10/26 21:20:54 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h
index 487fe90..9dd75f0 100644
--- a/contrib/ipfilter/ip_fil.h
+++ b/contrib/ipfilter/ip_fil.h
@@ -335,6 +335,7 @@ typedef struct filterstats {
u_long fr_tcpbad; /* TCP checksum check failures */
u_long fr_pull[2]; /* good and bad pullup attempts */
u_long fr_badsrc; /* source received doesn't match route */
+ u_long fr_badttl; /* TTL in packet doesn't reach minimum */
#if SOLARIS
u_long fr_notdata; /* PROTO/PCPROTO that have no data */
u_long fr_nodata; /* mblks that have no data */
@@ -612,6 +613,8 @@ extern int fr_pass;
extern int fr_flags;
extern int fr_active;
extern int fr_chksrc;
+extern int fr_minttl;
+extern int fr_minttllog;
extern fr_info_t frcache[2];
extern char ipfilter_version[];
extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
index ebc67a3..57edc7f 100644
--- a/contrib/ipfilter/ipmon.c
+++ b/contrib/ipfilter/ipmon.c
@@ -91,6 +91,8 @@ struct flags tcpfl[] = {
{ TH_FIN, 'F' },
{ TH_URG, 'U' },
{ TH_PUSH,'P' },
+ { TH_ECN, 'E' },
+ { TH_CWR, 'C' },
{ 0, '\0' }
};
@@ -144,6 +146,7 @@ static char **tcp_ports = NULL;
#define OPT_FILTER 0x200
#define OPT_PORTNUM 0x400
#define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER)
+#define OPT_LOGBODY 0x800
#define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b))
@@ -401,6 +404,8 @@ int blen;
strcpy(t, "NAT:RDR ");
else if (nl->nl_type == NL_EXPIRE)
strcpy(t, "NAT:EXPIRE ");
+ else if (nl->nl_type == NL_FLUSH)
+ strcpy(t, "NAT:FLUSH ");
else if (nl->nl_type == NL_NEWBIMAP)
strcpy(t, "NAT:BIMAP ");
else if (nl->nl_type == NL_NEWBLOCK)
@@ -834,6 +839,8 @@ printipflog:
dumphex(log, (u_char *)buf, sizeof(iplog_t) + sizeof(*ipf));
if (opts & OPT_HEXBODY)
dumphex(log, (u_char *)ip, ipf->fl_plen + ipf->fl_hlen);
+ else if ((opts & OPT_LOGBODY) && (ipf->fl_flags & FR_LOGBODY))
+ dumphex(log, (u_char *)ip + ipf->fl_hlen, ipf->fl_plen);
}
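Review bot: The new `dumphex(log, (u_char *)ip + ipf->fl_hlen, ipf->fl_plen)` call takes both its offset and its length from fields of the log record, and nothing in the hunk compares them with the number of bytes actually read into the buffer. The existing `OPT_HEXBODY` line above has the same shape, so this follows local practice. A truncated or inconsistent record would still make `dumphex` read past the data that was read. I would clamp `fl_hlen + fl_plen` to the remaining length of the record before either call, and skip the dump with a diagnostic when it does not fit. The enclosing function starts outside the hunk, so an earlier length check may already exist there.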
@@ -945,7 +952,7 @@ char *argv[];
iplfile[1] = IPNAT_NAME;
iplfile[2] = IPSTATE_NAME;
- while ((c = getopt(argc, argv, "?aDf:FhnN:o:O:pP:sS:tvxX")) != -1)
+ while ((c = getopt(argc, argv, "?abDf:FhnN:o:O:pP:sS:tvxX")) != -1)
switch (c)
{
case 'a' :
@@ -954,6 +961,9 @@ char *argv[];
fdt[1] = IPL_LOGNAT;
fdt[2] = IPL_LOGSTATE;
break;
+ case 'b' :
+ opts |= OPT_LOGBODY;
+ break;
case 'D' :
make_daemon = 1;
break;
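Review bot: The new `-b` flag is added to the `getopt` string and to the switch, but nothing visible in this commit documents it. The diffstat touches only `man/ipfstat.8`, and no usage text appears in the ipmon.c hunks. From the `dumphex` hunk above, `-b` takes effect only when the record carries `FR_LOGBODY` and `OPT_HEXBODY` is not also set. That interaction should be stated in the usage message and the ipmon manual page, and a short comment on the case would help, e.g. `case 'b' : /* dump packet body for rules logged with FR_LOGBODY */`.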
diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c
index f0d1a3f..b047dd0 100644
--- a/contrib/ipfilter/ipsend/ipsend.c
+++ b/contrib/ipfilter/ipsend/ipsend.c
@@ -348,6 +348,12 @@ char **argv;
printf("Options: %d\n", olen);
ti = (struct tcpiphdr *)malloc(olen + ip->ip_len);
+ if(!ti)
+ {
+ fprintf(stderr,"malloc failed\n");
+ exit(2);
+ }
+
bcopy((char *)ip, (char *)ti, sizeof(*ip));
ip = (ip_t *)ti;
ip->ip_hl = (olen >> 2);
diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c
index a641592..6907a08 100644
--- a/contrib/ipfilter/ipsend/sock.c
+++ b/contrib/ipfilter/ipsend/sock.c
@@ -8,7 +8,7 @@
*/
#if !defined(lint)
static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sock.c,v 2.1 1999/08/04 17:31:16 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.1 2000/12/16 21:05:44 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8
index c0c751b..f36e31b 100644
--- a/contrib/ipfilter/man/ipfstat.8
+++ b/contrib/ipfilter/man/ipfstat.8
@@ -140,14 +140,22 @@ kernel.
.SH STATE TOP
Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In
this mode the state table is displayed similar to the way \fBtop\fP displays
-the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and\fB\-T\fP
+the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP
commandline options can be used to restrict the state entries that will be
shown and to specify the frequency of display updates.
.PP
In state top mode, the following keys can be used to influence the displayed
-information. \fBl\fP can be used to redraw the screen. \fBq\fP is used to
-quit the program. \fBs\fP can be used to change the sorting criterion and
-\fBr\fP can be used to reverse the sorting criterion.
+information:
+.TP
+\fBd\fP select information to display.
+.TP
+\fBl\fP redraw the screen.
+.TP
+\fBq\fP quit the program.
+.TP
+\fBs\fP switch between different sorting criterion.
+.TP
+\fBr\fP reverse the sorting criterion.
.PP
States can be sorted by protocol number, by number of IP packets, by number
of bytes and by time-to-live of the state entry. The default is to sort by