author | darrenr <darrenr@FreeBSD.org> | 2001-02-04 14:25:38 +0000 |
---|---|---|
committer | darrenr <darrenr@FreeBSD.org> | 2001-02-04 14:25:38 +0000 |
commit | 53b25e2c4c7f67b0a0f4809050fb478bd1ff2d88 (patch) | |
tree | 42f02e2ffdb2f882e95fd170ab2f77b41d909085 /contrib/ipfilter | |
parent | c417101ae55dd9941fb03ce6fce4955a6a2a2e8f (diff) | |
parent | 5e62aa9b3dacb0e670998fad60638b79751aff14 (diff) | |
This commit was generated by cvs2svn to compensate for changes in r72003,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'contrib/ipfilter')
30 files changed, 327 insertions, 150 deletions
diff --git a/contrib/ipfilter/FreeBSD-4.0/kinstall b/contrib/ipfilter/FreeBSD-4.0/kinstall index 7e663d2..b3ed454 100755 --- a/contrib/ipfilter/FreeBSD-4.0/kinstall +++ b/contrib/ipfilter/FreeBSD-4.0/kinstall @@ -10,8 +10,8 @@ set confdir="$archdir/conf" if ( $dir =~ */FreeBSD* ) cd .. echo -n "Installing " foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ - ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \ - ip_compat.h ip_auth.[ch] ip_log.c) + ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c mlfk_ipl.c \ + ipl.h ip_compat.h ip_auth.[ch] ip_log.c) echo -n "$i "; cp $i /sys/netinet chmod 644 /sys/netinet/$i diff --git a/contrib/ipfilter/FreeBSD-4.0/unkinstall b/contrib/ipfilter/FreeBSD-4.0/unkinstall index 4e9caaa..b9c5f029 100755 --- a/contrib/ipfilter/FreeBSD-4.0/unkinstall +++ b/contrib/ipfilter/FreeBSD-4.0/unkinstall @@ -12,7 +12,7 @@ if ( $dir =~ */FreeBSD* ) cd .. echo -n "Uninstalling " foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \ - ip_log.c mlf_ipl.c ipl.h) + ip_log.c mlf_ipl.c mlfk_ipl.c ipl.h) echo -n "$i "; /bin/rm -f /sys/netinet/$i end diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 279372b..0249367 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
@@ -22,6 +22,37 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.4.16 15/01/2001 - Released + +fix race condition in flushing of state entries that are timing out + +Add TCP ECN patches + +log all NAT entries created, not just those via rules + +3.4.15 17/12/2000 - Released + +add minimum ttl filtering (to be replaced later by return-icmp-as-dest +for all ICMP packets matching state entries). + +fix NAT'ing of fragments + +fix sanity checks for ICMPV6 + +fix up compiling on IRIX 6.2 with IDF/IDL installed + +3.4.14 02/11/2000 - Released + +cause flushing NAT table to generate log records the same as state flush +does. + +fix ftp proxy port/pasv + +fix problem where nat_{in,out}lookup() would release a write lock when it +didn't need to. + +add check for ipf6.conf in Solaris ipfboot + 3.4.13 28/10/2000 - Released fix introduced bug with ICMP packets being rejected when valid diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile index e79eb12..5770d40 100644 --- a/contrib/ipfilter/Makefile +++ b/contrib/ipfilter/Makefile @@ -5,7 +5,7 @@ # provided that this notice is preserved and due credit is given # to the original author and the contributors. # -# $Id: Makefile,v 2.11.2.4 2000/10/19 15:42:56 darrenr Exp $ +# $Id: Makefile,v 2.11.2.6 2000/12/17 12:43:15 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin @@ -107,7 +107,7 @@ include: fi sunos solaris: include - ./buildsunos $(MFLAGS) + CC="$(CC)" ./buildsunos freebsd22: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" 
@@ -169,8 +169,8 @@ bsdi bsdos: include irix IRIX: include make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)" - -(SMAKE=`which smake >/dev/null 2>&1; if [ $$? -ne 0 ] ; then echo make -f Makefile.std; else echo smake; fi`; cd IRIX/$(CPUDIR); $${SMAKE} build TOP=../.. $(DEST) $(MFLAGS); cd ..) - -(SMAKE=`which smake >/dev/null 2>&1; if [ $$? -ne 0 ] ; then echo make -f Makefile.ipsend.std; else echo smake -f Makefile.ipsend; fi`; cd IRIX/$(CPUDIR); $${SMAKE} TOP=../.. $(DEST) $(MFLAGS); cd ..) + -(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.std build TOP=../.. $(DEST) $(MFLAGS); else smake build TOP=../.. $(DEST) $(MFLAGS); fi;) + -(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.ipsend.std TOP=../.. $(DEST) $(MFLAGS); else smake -f Makefile.ipsend TOP=../.. $(DEST) $(MFLAGS); fi) linux: include make setup "TARGOS=Linux" "CPUDIR=$(CPUDIR)" diff --git a/contrib/ipfilter/common.c b/contrib/ipfilter/common.c index d7706bd..afcc95c 100644 --- a/contrib/ipfilter/common.c +++ b/contrib/ipfilter/common.c @@ -52,8 +52,9 @@ extern int use_inet6; char *proto = NULL; -char flagset[] = "FSRPAU"; -u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG }; +char flagset[] = "FSRPAUEC"; +u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, + TH_ECN, TH_CWR }; #ifdef USE_INET6 void fill6bits __P((int, u_32_t *)); @@ -409,8 +410,12 @@ int linenum; if (s && *s == '0') tcpfm = strtol(s, NULL, 0); - if (!tcpfm) - tcpfm = 0xff; + if (!tcpfm) { + if (tcpf == TH_SYN) + tcpfm = 0xff & ~(TH_ECN|TH_CWR); + else + tcpfm = 0xff & ~(TH_ECN); + } *mask = tcpfm; return tcpf; } diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c index 6a4cf67..3184e4c 100644 --- a/contrib/ipfilter/fils.c +++ b/contrib/ipfilter/fils.c 
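Review bot: The two new IRIX recipes decide between make and smake with `if [ $(MAKE) = make ]`, but `$(MAKE)` is frequently an absolute path (e.g. `/usr/bin/make` when make was started by path), so the test fails and the smake branch runs on hosts that have no smake at all — the `which smake` probe this replaces did not have that failure mode. Comparing on the basename keeps the intent and works in a plain Bourne shell: `case "$(MAKE)" in *smake) smake build TOP=../.. $(DEST) $(MFLAGS);; *) make -f Makefile.std build TOP=../.. $(DEST) $(MFLAGS);; esac`. The same pattern is on both added lines, so both need the change.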
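Review bot: The two new default-mask branches differ only in `TH_CWR`, and nothing says why: a rule whose flag set is exactly `TH_SYN` ignores CWR, while any other flag set (say `flags A`) still compares it, so an ACK carrying CWR — which an ECN-capable sender sets on ordinary data segments after reducing its window (RFC 2481) — would not match such a rule under the default mask. If the asymmetry is deliberate, a comment such as `/* ECN-setup SYNs carry ECE|CWR (RFC 2481): ignore both there, only ECE elsewhere */` saves the next reader the puzzle; if not, both branches could read `tcpfm = 0xff & ~TH_ECNALL;` using the macro this commit adds to ip_compat.h. Note also that the test is `tcpf == TH_SYN`, so `flags SA` or `flags S` with a second bit takes the CWR-comparing branch. The enclosing function starts before the hunk.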
@@ -65,7 +65,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.5 2000/07/20 14:13:30 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.7 2000/12/02 00:13:56 darrenr Exp $"; #endif extern char *optarg; @@ -892,7 +892,7 @@ int topclosed; printw("%-21s %-21s", str1, str2); /* print state */ - sprintf(str1, "%d/%d", tp->st_state[0], + sprintf(str1, "%X/%X", tp->st_state[0], tp->st_state[1]); printw(" %3s", str1); @@ -994,6 +994,23 @@ ipfrstat_t *ifsp; fr.fr_flags); ipfrtab[i] = ifr.ipfr_next; } + if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab))) + return; + for (i = 0; i < IPFT_SIZE; i++) + while (ipfrtab[i]) { + if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], + sizeof(ifr)) == -1) + break; + PRINTF("NAT: %s -> ", hostname(4, &ifr.ipfr_src)); + if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule, + sizeof(fr)) == -1) + break; + PRINTF("%s %d %d %d %#02x = %#x\n", + hostname(4, &ifr.ipfr_dst), ifr.ipfr_id, + ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos, + fr.fr_flags); + ipfrtab[i] = ifr.ipfr_next; + } } diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c index d737b9c..a453610 100644 --- a/contrib/ipfilter/ip_auth.c +++ b/contrib/ipfilter/ip_auth.c @@ -6,7 +6,7 @@ * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.4 2000/08/05 14:48:50 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.5 2001/01/10 06:18:35 darrenr Exp $"; #endif #include <sys/errno.h> @@ -352,7 +352,7 @@ fr_authioctlloop: READ_ENTER(&ipf_auth); if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) { error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data, - sizeof(fr_info_t)); + sizeof(frauth_t)); RWLOCK_EXIT(&ipf_auth); if (error) break; diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h index 2369cf0..ed71f36 100644 
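Review bot: The new NAT-fragment loop in the @994 hunk is a line-for-line copy of the state-fragment loop just above it (same kmemcpy walk, same PRINTF format), differing only in the table read and the `NAT: ` prefix; a small static helper taking the kernel table address and a label would remove the duplication and keep the two in step. Two smaller points in the copy: the table read is tested as `if (kmemcpy(...))` while every other call in the loop uses `== -1`, and `ifr.ipfr_rule` is fetched without a NULL test — if NAT fragment entries can exist without a rule pointer (cannot tell from here), that kmemcpy fails after `NAT: %s -> ` has already been printed and the line is left unterminated. The enclosing function starts before the hunk.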
--- a/contrib/ipfilter/ip_compat.h +++ b/contrib/ipfilter/ip_compat.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.26.2.6 2000/10/19 15:39:05 darrenr Exp $ + * $Id: ip_compat.h,v 2.26.2.9 2001/01/14 14:58:01 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -974,8 +974,6 @@ struct ether_addr { #define A_A & #endif -#define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) - #ifndef ICMP_ROUTERADVERT # define ICMP_ROUTERADVERT 9 #endif @@ -995,6 +993,20 @@ struct ether_addr { #define ICMPERR_IPICMPHLEN (20 + 8) #define ICMPERR_MINPKTLEN (20 + 8 + 20) #define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8) -#define ICMP6ERR_MINPKTLEN (20 + 8) +#define ICMP6ERR_MINPKTLEN (40 + 8) +#define ICMP6ERR_IPICMPHLEN (40 + 8 + 40) + +/* + * ECN is a new addition to TCP - RFC 2481 + */ +#ifndef TH_ECN +# define TH_ECN 0x40 +#endif +#ifndef TH_CWR +# define TH_CWR 0x80 +#endif +#define TH_ECNALL (TH_ECN|TH_CWR) + +#define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|TH_ECN|TH_CWR) #endif /* __IP_COMPAT_H__ */ diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c index 1cb86c1..556478d 100644 --- a/contrib/ipfilter/ip_frag.c +++ b/contrib/ipfilter/ip_frag.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.5 2000/10/19 15:39:58 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.7 2000/11/27 10:26:56 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) @@ -156,6 +156,7 @@ ipfr_t *table[]; idx += ip->ip_src.s_addr; frag.ipfr_dst.s_addr = ip->ip_dst.s_addr; idx += ip->ip_dst.s_addr; + frag.ipfr_ifp = fin->fin_ifp; idx *= 127; idx %= IPFT_SIZE; @@ -270,6 +271,7 @@ ipfr_t *table[]; idx += ip->ip_src.s_addr; frag.ipfr_dst.s_addr = ip->ip_dst.s_addr; idx += ip->ip_dst.s_addr; + frag.ipfr_ifp = fin->fin_ifp; idx *= 127; idx %= IPFT_SIZE; 
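Review bot: In the ip_compat.h @995 hunk `TH_ECN` is defined as 0x40, which RFC 2481 and the BSD `<netinet/tcp.h>` call ECE (ECN-Echo); only `TH_CWR` at 0x80 carries its standard name. Because the `#ifndef` guards key on `TH_ECN`, a platform header that defines `TH_ECE` but not `TH_ECN` leaves both names in scope for the same bit, so the comment should say what the local name means: `/* TH_ECN is the ECN-Echo bit (TH_ECE in RFC 2481 terms); TH_CWR is Congestion Window Reduced */`. `TH_ECNALL` is introduced here but neither the new `TCPF_ALL` two lines below nor the new mask code in common.c uses it, so either use it or drop it.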
@@ -328,16 +330,13 @@ fr_info_t *fin; ipf = ipfr_lookup(ip, fin, ipfr_nattab); if (ipf != NULL) { nat = ipf->ipfr_data; - if (nat->nat_ifp == fin->fin_ifp) { - /* - * This is the last fragment for this packet. - */ - if ((ipf->ipfr_ttl == 1) && (nat != NULL)) { - nat->nat_data = NULL; - ipf->ipfr_data = NULL; - } - } else - nat = NULL; + /* + * This is the last fragment for this packet. + */ + if ((ipf->ipfr_ttl == 1) && (nat != NULL)) { + nat->nat_data = NULL; + ipf->ipfr_data = NULL; + } } else nat = NULL; RWLOCK_EXIT(&ipf_natfrag); diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h index 61b88aa..362bcdd 100644 --- a/contrib/ipfilter/ip_frag.h +++ b/contrib/ipfilter/ip_frag.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 - * $Id: ip_frag.h,v 2.4.2.1 2000/10/19 15:40:13 darrenr Exp $ + * $Id: ip_frag.h,v 2.4.2.2 2000/11/10 13:10:54 darrenr Exp $ */ #ifndef __IP_FRAG_H__ @@ -19,6 +19,7 @@ typedef struct ipfr { void *ipfr_data; struct in_addr ipfr_src; struct in_addr ipfr_dst; + void *ipfr_ifp; u_short ipfr_id; u_char ipfr_p; u_char ipfr_tos; diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c index 653bbfe..ddca889 100644 --- a/contrib/ipfilter/ip_ftp_pxy.c +++ b/contrib/ipfilter/ip_ftp_pxy.c @@ -2,7 +2,7 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.7.2.18 2000/10/27 14:02:10 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.7.2.20 2000/12/02 00:15:06 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; @@ -238,7 +238,7 @@ int dlen; */ dp = htons(fin->fin_data[1] - 1); ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip, - ip->ip_dst, (dp << 16) | sp); + ip->ip_dst, (dp << 16) | sp, 0); if (ipn == NULL) { int slen; 
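Review bot: The `nat->nat_ifp == fin->fin_ifp` check removed from ipfr_nat_knownfrag is now enforced only if the new `ipfr_ifp` member (ip_frag.h @19, inserted between `ipfr_dst` and `ipfr_id`) is actually inside the byte range ipfr_lookup compares; that range (IPFR_CMPSZ in ip_frag.h, if this version still uses that name) is not in the diff, and if it is a hard-coded byte count rather than derived from the struct layout, the interface is silently dropped from the key or, worse, the compared window now covers `ipfr_ifp` and loses the id/proto/tos tail. Worth confirming the compare length spans `ipfr_src` through `ipfr_tos` after the insertion, and a comment on the struct — `/* ipfr_src .. ipfr_tos are compared as the lookup key; keep them contiguous */` — would stop the next insertion from breaking it. ipfr_nat_knownfrag's body starts before the hunk.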
@@ -254,7 +254,9 @@ int dlen; fi.fin_data[1] = 0; fi.fin_dlen = sizeof(*tcp2); fi.fin_dp = (char *)tcp2; + fi.fin_fr = &natfr; swip = ip->ip_src; + fi.fin_fi.fi_saddr = nat->nat_inip.s_addr; ip->ip_src = nat->nat_inip; ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT, NAT_OUTBOUND); @@ -456,7 +458,7 @@ int dlen; sp = 0; dp = htons(fin->fin_data[1] - 1); ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip, - ip->ip_dst, (dp << 16) | sp); + ip->ip_dst, (dp << 16) | sp, 0); if (ipn == NULL) { int slen; @@ -467,13 +469,16 @@ int dlen; tcp2->th_win = htons(8192); tcp2->th_sport = 0; /* XXX - fake it for nat_new */ tcp2->th_off = 5; - fi.fin_data[0] = a5 << 8 | a6; + fi.fin_data[1] = a5 << 8 | a6; fi.fin_dlen = sizeof(*tcp2); - tcp2->th_dport = htons(fi.fin_data[0]); - fi.fin_data[1] = 0; + tcp2->th_dport = htons(fi.fin_data[1]); + fi.fin_data[0] = 0; fi.fin_dp = (char *)tcp2; + fi.fin_fr = &natfr; swip = ip->ip_src; swip2 = ip->ip_dst; + fi.fin_fi.fi_daddr = ip->ip_src.s_addr; + fi.fin_fi.fi_saddr = nat->nat_inip.s_addr; ip->ip_dst = ip->ip_src; ip->ip_src = nat->nat_inip; ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_SPORT, @@ -614,14 +619,18 @@ int rv; #else mlen = mbufchainlen(m) - off; #endif + t = &ftp->ftp_side[1 - rv]; + f = &ftp->ftp_side[rv]; if (!mlen) { - t->ftps_seq = ntohl(tcp->th_ack); + if (!t->ftps_seq || + (int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0) + t->ftps_seq = ntohl(tcp->th_ack); + f->ftps_len = 0; return 0; } inc = 0; - f = &ftp->ftp_side[rv]; rptr = f->ftps_rptr; wptr = f->ftps_wptr; 
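Review bot: In the @614 hunk the comparison `(int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0` subtracts two values after casting them to signed int, which is undefined behaviour whenever they differ by more than INT_MAX — exactly the case for sequence numbers on either side of the 2^31 wrap — and a compiler may fold the test accordingly. The serial-number idiom is to subtract unsigned and cast the difference: `(int)(ntohl(tcp->th_ack) - t->ftps_seq) > 0`. Note also that `!t->ftps_seq` uses 0 as the "not yet seen" marker, so a genuine acknowledgement number of 0 is treated as unset; a separate flag would be cleaner, though the window is small. The enclosing function starts before and continues after the hunk.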
@@ -635,9 +644,12 @@ int rv; * that it is out of order (and there is no real danger in doing so * apart from causing packets to go through here ordered). */ - if (ntohl(tcp->th_seq) + i != f->ftps_seq) { + if (f->ftps_len + f->ftps_seq == ntohl(tcp->th_seq)) + f->ftps_seq = ntohl(tcp->th_seq); + else if (ntohl(tcp->th_seq) + i != f->ftps_seq) { return APR_ERR(-1); } + f->ftps_len = mlen; while (mlen > 0) { len = MIN(mlen, FTP_BUFSZ / 2); diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index 4f6921d..e7e121a 100644 --- a/contrib/ipfilter/ip_nat.c +++ b/contrib/ipfilter/ip_nat.c @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.26 2000/10/27 14:06:48 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.32 2001/01/10 06:19:11 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -129,7 +129,7 @@ u_long fr_defnatage = DEF_NAT_AGE, natstat_t nat_stats; int fr_nat_lock = 0; #if (SOLARIS || defined(__sgi)) && defined(_KERNEL) -extern kmutex_t ipf_rw, ipf_hostmap; +extern kmutex_t ipf_rw; extern KRWLOCK_T ipf_nat; #endif @@ -143,7 +143,7 @@ static void nat_delnat __P((struct ipnat *)); static int fr_natgetent __P((caddr_t)); static int fr_natgetsz __P((caddr_t)); static int fr_natputent __P((caddr_t)); -static void nat_tabmove __P((nat_t *)); +static void nat_tabmove __P((nat_t *, u_32_t)); static int nat_match __P((fr_info_t *, ipnat_t *, ip_t *)); static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr, struct in_addr)); @@ -250,6 +250,8 @@ ipnat_t *n; /* * check if an ip address has already been allocated for a given mapping that * is not doing port based translation. + * + * Must be called with ipf_nat held as a write lock. */ static struct hostmap *nat_hostmap(np, real, map) ipnat_t *np; 
@@ -259,13 +261,11 @@ struct in_addr map; hostmap_t *hm; u_int hv; - MUTEX_ENTER(&ipf_hostmap); hv = real.s_addr % HOSTMAP_SIZE; for (hm = maptable[hv]; hm; hm = hm->hm_next) if ((hm->hm_realip.s_addr == real.s_addr) && (np == hm->hm_ipnat)) { hm->hm_ref++; - MUTEX_EXIT(&ipf_hostmap); return hm; } @@ -281,15 +281,16 @@ struct in_addr map; hm->hm_mapip = map; hm->hm_ref = 1; } - MUTEX_EXIT(&ipf_hostmap); return hm; } +/* + * Must be called with ipf_nat held as a write lock. + */ static void nat_hostmapdel(hm) struct hostmap *hm; { - MUTEX_ENTER(&ipf_hostmap); ATOMIC_DEC32(hm->hm_ref); if (hm->hm_ref == 0) { if (hm->hm_next) @@ -297,7 +298,6 @@ struct hostmap *hm; *hm->hm_pnext = hm->hm_next; KFREE(hm); } - MUTEX_EXIT(&ipf_hostmap); } @@ -698,9 +698,9 @@ int mode; break; case FIONREAD : #ifdef IPFILTER_LOG + arg = (int)iplused[IPL_LOGNAT]; MUTEX_DOWNGRADE(&ipf_nat); - error = IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data, - sizeof(iplused[IPL_LOGNAT])); + error = IWCOPY((caddr_t)&arg, (caddr_t)data, sizeof(arg)); if (error) error = EFAULT; #endif @@ -1068,6 +1068,9 @@ static int nat_flushtable() for (natp = &nat_instances; (nat = *natp); ) { *natp = nat->nat_next; +#ifdef IPFILTER_LOG + nat_log(nat, NL_FLUSH); +#endif nat_delete(nat); j++; } @@ -1295,7 +1298,7 @@ int direction; inb.s_addr = htonl(in.s_addr); natl = nat_inlookup(fin->fin_ifp, flags & ~FI_WILDP, (u_int)ip->ip_p, ip->ip_dst, inb, - (port << 16) | dport); + (port << 16) | dport, 1); /* * Has the search wrapped around and come back to the @@ -1444,6 +1447,9 @@ int direction; tcp->th_dport = nport; } np->in_use++; +#ifdef IPFILTER_LOG + nat_log(nat, (u_int)np->in_redir); +#endif return nat; badnat: nat_stats.ns_badnat++; 
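Review bot: nat_hostmapdel (the @281/@297 hunks) now documents that ipf_nat must be held for writing and drops its own mutex, yet it still decrements the refcount with `ATOMIC_DEC32(hm->hm_ref)` while the matching increment in nat_hostmap is a plain `hm->hm_ref++`; under the new precondition the atomic is either redundant or the comment overstates what callers guarantee. ip_state.c in this same commit moved fr_delstate from `ATOMIC_DEC32(fr->fr_ref)` to a plain `fr->fr_ref--` under its write lock, so the consistent choice here is `hm->hm_ref--;` with the comment as written. Since the `ipf_hostmap` mutex is gone entirely, any caller of nat_hostmap outside this diff needs the same write-lock check.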
@@ -1565,18 +1571,18 @@ int dir; if (dir == NAT_INBOUND) return nat_inlookup(fin->fin_ifp, flags, (u_int)oip->ip_p, oip->ip_dst, oip->ip_src, - (tcp->th_sport << 16) | tcp->th_dport); + (tcp->th_sport << 16) | tcp->th_dport, 0); else return nat_outlookup(fin->fin_ifp, flags, (u_int)oip->ip_p, oip->ip_dst, oip->ip_src, - (tcp->th_sport << 16) | tcp->th_dport); + (tcp->th_sport << 16) | tcp->th_dport, 0); } if (dir == NAT_INBOUND) return nat_inlookup(fin->fin_ifp, 0, (u_int)oip->ip_p, - oip->ip_dst, oip->ip_src, 0); + oip->ip_dst, oip->ip_src, 0, 0); else return nat_outlookup(fin->fin_ifp, 0, (u_int)oip->ip_p, - oip->ip_dst, oip->ip_src, 0); + oip->ip_dst, oip->ip_src, 0, 0); } @@ -1590,7 +1596,7 @@ fr_info_t *fin; u_int *nflags; int dir; { - u_32_t sum1, sum2, sumd; + u_32_t sum1, sum2, sumd, sumd2 = 0; struct in_addr in; icmphdr_t *icmp; udphdr_t *udp; @@ -1639,7 +1645,7 @@ int dir; * in the first 8 bytes, so it will not be available in most cases. */ - if (nat->nat_dir == NAT_OUTBOUND) { + if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) { sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr)); in = nat->nat_inip; oip->ip_src = in; @@ -1691,7 +1697,7 @@ int dir; * checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); - fix_outcksum(&icmp->icmp_cksum, sumd); + sumd2 = sumd; } #if 0 @@ -1750,7 +1756,7 @@ int dir; * checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); - fix_incksum(&icmp->icmp_cksum, sumd); + sumd2 = sumd; } #if 0 @@ -1796,7 +1802,7 @@ int dir; * device that returns more than 8 data bytes on icmp error) */ - if (nat->nat_dir == NAT_OUTBOUND) { + if (nat->nat_oport == tcp->th_dport) { if (tcp->th_sport != nat->nat_inport) { /* * Fix ICMP checksum to compensate port @@ -1805,8 +1811,8 @@ int dir; sum1 = ntohs(tcp->th_sport); sum2 = ntohs(nat->nat_inport); CALC_SUMD(sum1, sum2, sumd); + sumd2 += sumd; tcp->th_sport = nat->nat_inport; - fix_outcksum(&icmp->icmp_cksum, sumd); /* * Fix udp checksum to compensate port 
@@ -1829,11 +1835,10 @@ int dir; * adjustment. */ CALC_SUMD(sum1, sum2, sumd); - fix_outcksum(&icmp->icmp_cksum, sumd); + sumd2 += sumd; } } } else { - if (tcp->th_dport != nat->nat_outport) { /* * Fix ICMP checksum to compensate port @@ -1842,8 +1847,8 @@ int dir; sum1 = ntohs(tcp->th_dport); sum2 = ntohs(nat->nat_outport); CALC_SUMD(sum1, sum2, sumd); + sumd2 += sumd; tcp->th_dport = nat->nat_outport; - fix_incksum(&icmp->icmp_cksum, sumd); /* * Fix udp checksum to compensate port @@ -1865,10 +1870,19 @@ int dir; * UDP checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); - fix_incksum(&icmp->icmp_cksum, sumd); + sumd2 += sumd; } } } + if (sumd2) { + sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); + sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); + if (nat->nat_dir == NAT_OUTBOUND) { + fix_outcksum(&icmp->icmp_cksum, sumd2); + } else { + fix_incksum(&icmp->icmp_cksum, sumd2); + } + } } nat->nat_age = fr_defnaticmpage; return nat; @@ -1885,11 +1899,12 @@ int dir; * we're looking for a table entry, based on the destination address. * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */ -nat_t *nat_inlookup(ifp, flags, p, src, mapdst, ports) +nat_t *nat_inlookup(ifp, flags, p, src, mapdst, ports, rw) void *ifp; register u_int flags, p; struct in_addr src , mapdst; u_32_t ports; +int rw; { register u_short sport, dport; register nat_t *nat; @@ -1917,9 +1932,13 @@ u_32_t ports; } if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP)) return NULL; - RWLOCK_EXIT(&ipf_nat); + if (!rw) { + RWLOCK_EXIT(&ipf_nat); + } hv = NAT_HASH_FN(dst, 0, ipf_nattable_sz); - WRITE_ENTER(&ipf_nat); + if (!rw) { + WRITE_ENTER(&ipf_nat); + } nat = nat_table[1][hv]; for (; nat; nat = nat->nat_hnext[1]) { nflags = nat->nat_flags; 
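Review bot: The new `rw` parameter on nat_inlookup (and nat_outlookup, @2022/@2057) changes the function's locking contract — with `rw == 0` it releases ipf_nat, re-takes it for writing and downgrades before returning, with `rw != 0` it assumes the caller already holds ipf_nat as a write lock — but neither definition nor the ip_nat.h prototypes say so, and every caller passes a bare `0` or `1`. At minimum a comment above each definition: `/* rw: non-zero if the caller already holds ipf_nat for writing; otherwise the read lock is dropped and re-taken for writing around the wildcard rescan, so pointers the caller obtained under the read lock may be stale on return */`. The stale-pointer clause is the part worth stressing, because on the `rw == 0` path the lock is fully released between `RWLOCK_EXIT` and `WRITE_ENTER`. nat_inlookup's body continues after the hunk.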
@@ -1934,21 +1953,38 @@ u_32_t ports; continue; if (((nat->nat_oport == sport) || (nflags & FI_W_DPORT)) && ((nat->nat_outport == dport) || (nflags & FI_W_SPORT))) { - nat_tabmove(nat); + nat_tabmove(nat, ports); break; } } - MUTEX_DOWNGRADE(&ipf_nat); + if (!rw) { + MUTEX_DOWNGRADE(&ipf_nat); + } return nat; } -static void nat_tabmove(nat) +/* + * This function is only called for TCP/UDP NAT table entries where the + * original was placed in the table without hashing on the ports and we now + * want to include hashing on port numbers. + */ +static void nat_tabmove(nat, ports) nat_t *nat; +u_32_t ports; { + register u_short sport, dport; nat_t **natp; u_int hv; + dport = ports >> 16; + sport = ports & 0xffff; + + if (nat->nat_oport == dport) { + nat->nat_inport = sport; + nat->nat_outport = sport; + } + /* * Remove the NAT entry from the old location */ @@ -1963,8 +1999,7 @@ nat_t *nat; /* * Add into the NAT table in the new position */ - hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport, - ipf_nattable_sz); + hv = NAT_HASH_FN(nat->nat_inip.s_addr, sport, ipf_nattable_sz); natp = &nat_table[0][hv]; if (*natp) (*natp)->nat_phnext[0] = &nat->nat_hnext[0]; @@ -1972,8 +2007,7 @@ nat_t *nat; nat->nat_hnext[0] = *natp; *natp = nat; - hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport, - ipf_nattable_sz); + hv = NAT_HASH_FN(nat->nat_outip.s_addr, sport, ipf_nattable_sz); natp = &nat_table[1][hv]; if (*natp) (*natp)->nat_phnext[1] = &nat->nat_hnext[1]; @@ -1989,11 +2023,12 @@ nat_t *nat; * we're looking for a table entry, based on the source address. * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */ -nat_t *nat_outlookup(ifp, flags, p, src, dst, ports) +nat_t *nat_outlookup(ifp, flags, p, src, dst, ports, rw) void *ifp; register u_int flags, p; struct in_addr src , dst; u_32_t ports; +int rw; { register u_short sport, dport; register nat_t *nat; 
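Review bot: nat_tabmove now rehashes both tables on `sport` unconditionally but only copies it into `nat_inport`/`nat_outport` when `nat->nat_oport == dport`; in the other case the entry lands in buckets keyed by a port that is neither its nat_inport (table 0) nor its nat_outport (table 1), so a later non-wildcard lookup — which, judging by the `NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport, …)` lines this hunk removes, hashes on the entry's own ports — would miss it. The else case looks reachable from the inbound side: nat_inlookup matches the packet's `sport` against `nat_oport` and `dport` against `nat_outport` (opposite roles from nat_outlookup), then calls `nat_tabmove(nat, ports)` with the same encoding. Safer to hash on the stored ports after the optional update, `hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport, ipf_nattable_sz);` and `hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport, ipf_nattable_sz);`, and to handle the `nat->nat_oport == sport` orientation explicitly; worth confirming against how nat_new hashes a fresh entry (not in this diff). nat_tabmove's body continues after the hunk.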
@@ -2014,7 +2049,7 @@ u_32_t ports; if ((!ifp || ifp == nat->nat_ifp) && nat->nat_inip.s_addr == srcip && nat->nat_oip.s_addr == dst.s_addr && - (((p == 0) && (flags == (nat->nat_flags & IPN_TCPUDP))) + (((p == 0) && (flags == (nflags & IPN_TCPUDP))) || (p == nat->nat_p)) && (!flags || ((nat->nat_inport == sport || nflags & FI_W_SPORT) && (nat->nat_oport == dport || nflags & FI_W_DPORT)))) @@ -2022,9 +2057,13 @@ u_32_t ports; } if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP)) return NULL; - RWLOCK_EXIT(&ipf_nat); + if (!rw) { + RWLOCK_EXIT(&ipf_nat); + } hv = NAT_HASH_FN(srcip, 0, ipf_nattable_sz); - WRITE_ENTER(&ipf_nat); + if (!rw) { + WRITE_ENTER(&ipf_nat); + } nat = nat_table[0][hv]; for (; nat; nat = nat->nat_hnext[0]) { nflags = nat->nat_flags; @@ -2037,13 +2076,15 @@ u_32_t ports; if ((nat->nat_inip.s_addr != srcip) || (nat->nat_oip.s_addr != dst.s_addr)) continue; - if (((nat->nat_inport == sport) || (nflags & FI_W_DPORT)) && - ((nat->nat_oport == dport) || (nflags & FI_W_SPORT))) { - nat_tabmove(nat); + if (((nat->nat_inport == sport) || (nflags & FI_W_SPORT)) && + ((nat->nat_oport == dport) || (nflags & FI_W_DPORT))) { + nat_tabmove(nat, ports); break; } } - MUTEX_DOWNGRADE(&ipf_nat); + if (!rw) { + MUTEX_DOWNGRADE(&ipf_nat); + } return nat; } @@ -2063,7 +2104,7 @@ register natlookup_t *np; * ip address. Else, we use the fake. */ if ((nat = nat_outlookup(NULL, np->nl_flags, 0, np->nl_inip, - np->nl_outip, ports))) { + np->nl_outip, ports, 0))) { np->nl_realip = nat->nat_outip; np->nl_realport = nat->nat_outport; } 
@@ -2164,10 +2205,11 @@ fr_info_t *fin; (nat = nat_icmp(ip, fin, &nflags, NAT_OUTBOUND))) ; else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) && - (nat = ipfr_nat_knownfrag(ip, fin))) + (nat = ipfr_nat_knownfrag(ip, fin))) natadd = 0; - else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p, ip->ip_src, - ip->ip_dst, (dport << 16) | sport))) { + else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p, + ip->ip_src, ip->ip_dst, + (dport << 16) | sport, 0))) { nflags = nat->nat_flags; if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) { if ((nflags & FI_W_SPORT) && @@ -2221,9 +2263,6 @@ maskloop: if ((nat = nat_new(np, ip, fin, (u_int)nflags, NAT_OUTBOUND))) { np->in_hits++; -#ifdef IPFILTER_LOG - nat_log(nat, (u_int)np->in_redir); -#endif break; } } @@ -2239,6 +2278,9 @@ maskloop: MUTEX_DOWNGRADE(&ipf_nat); } + /* + * NOTE: ipf_nat must now only be held as a read lock + */ if (nat) { np = nat->nat_ptr; if (natadd && fin->fin_fi.fi_fl & FI_FRAG) @@ -2383,7 +2425,8 @@ fr_info_t *fin; (nat = ipfr_nat_knownfrag(ip, fin))) natadd = 0; else if ((nat = nat_inlookup(fin->fin_ifp, nflags, (u_int)ip->ip_p, - ip->ip_src, in, (dport << 16) | sport))) { + ip->ip_src, in, (dport << 16) | sport, + 0))) { nflags = nat->nat_flags; if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) { if ((nat->nat_oport != sport) && (nflags & FI_W_DPORT)) @@ -2424,9 +2467,6 @@ maskloop: if ((nat = nat_new(np, ip, fin, nflags, NAT_INBOUND))) { np->in_hits++; -#ifdef IPFILTER_LOG - nat_log(nat, (u_int)np->in_redir); -#endif break; } } @@ -2441,6 +2481,10 @@ maskloop: } MUTEX_DOWNGRADE(&ipf_nat); } + + /* + * NOTE: ipf_nat must now only be held as a read lock + */ if (nat) { np = nat->nat_ptr; fin->fin_fr = nat->nat_fr; diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h index 8e166df..22f8503 100644 --- a/contrib/ipfilter/ip_nat.h +++ b/contrib/ipfilter/ip_nat.h 
@@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.17.2.10 2000/10/27 14:06:51 darrenr Exp $ + * $Id: ip_nat.h,v 2.17.2.14 2000/11/18 03:58:04 darrenr Exp $ */ #ifndef __IP_NAT_H__ @@ -85,7 +85,7 @@ typedef struct nat { void *nat_ifp; int nat_dir; char nat_ifname[IFNAMSIZ]; -#if SOLARIS || defined(_sgi) +#if SOLARIS || defined(__sgi) kmutex_t nat_lock; #endif } nat_t; @@ -247,6 +247,7 @@ typedef struct natlog { #define NL_NEWRDR NAT_REDIRECT #define NL_NEWBIMAP NAT_BIMAP #define NL_NEWBLOCK NAT_MAPBLK +#define NL_FLUSH 0xfffe #define NL_EXPIRE 0xffff #define NAT_HASH_FN(k,l,m) (((k) + ((k) >> 12) + l) % (m)) @@ -285,9 +286,9 @@ extern int nat_ioctl __P((caddr_t, int, int)); extern int nat_init __P((void)); extern nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_int, int)); extern nat_t *nat_outlookup __P((void *, u_int, u_int, struct in_addr, - struct in_addr, u_32_t)); + struct in_addr, u_32_t, int)); extern nat_t *nat_inlookup __P((void *, u_int, u_int, struct in_addr, - struct in_addr, u_32_t)); + struct in_addr, u_32_t, int)); extern nat_t *nat_maplookup __P((void *, u_int, struct in_addr, struct in_addr)); extern nat_t *nat_lookupredir __P((natlookup_t *)); diff --git a/contrib/ipfilter/ip_proxy.h b/contrib/ipfilter/ip_proxy.h index 933d79d..212900f 100644 --- a/contrib/ipfilter/ip_proxy.h +++ b/contrib/ipfilter/ip_proxy.h @@ -5,7 +5,7 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: ip_proxy.h,v 2.8.2.3 2000/05/06 12:32:43 darrenr Exp $ + * $Id: ip_proxy.h,v 2.8.2.4 2000/12/02 00:15:03 darrenr Exp $ */ #ifndef __IP_PROXY_H__ @@ -96,6 +96,7 @@ typedef struct ftpside { char *ftps_rptr; char *ftps_wptr; u_32_t ftps_seq; + u_32_t ftps_len; int ftps_junk; char ftps_buf[FTP_BUFSZ]; } ftpside_t; diff --git a/contrib/ipfilter/ip_rcmd_pxy.c b/contrib/ipfilter/ip_rcmd_pxy.c index e311b16..d017cf9 100644 
--- a/contrib/ipfilter/ip_rcmd_pxy.c +++ b/contrib/ipfilter/ip_rcmd_pxy.c @@ -1,5 +1,5 @@ /* - * $Id: ip_rcmd_pxy.c,v 1.4.2.3 2000/10/27 22:54:04 darrenr Exp $ + * $Id: ip_rcmd_pxy.c,v 1.4.2.4 2000/11/01 14:34:20 darrenr Exp $ */ /* * Simple RCMD transparent proxy for in-kernel use. For use with the NAT @@ -131,7 +131,7 @@ nat_t *nat; sp = htons(sp); dp = htons(fin->fin_data[1]); ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip, - ip->ip_dst, (dp << 16) | sp); + ip->ip_dst, (dp << 16) | sp, 0); if (ipn == NULL) { int slen; diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c index 7d4ea2d..f6373811 100644 --- a/contrib/ipfilter/ip_sfil.c +++ b/contrib/ipfilter/ip_sfil.c @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.8 2000/10/19 15:42:10 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.9 2000/11/12 11:55:17 darrenr Exp $"; #endif #include <sys/types.h> @@ -66,7 +66,7 @@ static int frzerostats __P((caddr_t)); static int frrequest __P((minor_t, int, caddr_t, int)); static int send_ip __P((fr_info_t *fin, mblk_t *m)); -kmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_hostmap; +kmutex_t ipl_mutex, ipf_authmx, ipf_rw; KRWLOCK_T ipf_mutex, ipfs_mutex, ipf_solaris; KRWLOCK_T ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; kcondvar_t iplwait, ipfauthwait; @@ -90,7 +90,6 @@ int ipldetach() ip_natunload(); cv_destroy(&iplwait); cv_destroy(&ipfauthwait); - mutex_destroy(&ipf_hostmap); mutex_destroy(&ipf_authmx); mutex_destroy(&ipl_mutex); mutex_destroy(&ipf_rw); 
@@ -117,7 +116,6 @@ int iplattach __P((void)) mutex_init(&ipf_rw, "ipf rw mutex", MUTEX_DRIVER, NULL); mutex_init(&ipl_mutex, "ipf log mutex", MUTEX_DRIVER, NULL); mutex_init(&ipf_authmx, "ipf auth log mutex", MUTEX_DRIVER, NULL); - mutex_init(&ipf_hostmap, "ipf hostmap mutex", MUTEX_DRIVER, NULL); RWLOCK_INIT(&ipf_solaris, "ipf filter load/unload mutex", NULL); RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock", NULL); RWLOCK_INIT(&ipfs_mutex, "ipf solaris mutex", NULL); diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index 7499bfd..5d63969 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.23 2000/10/27 14:06:08 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.28 2001/01/08 14:04:46 darrenr Exp $"; #endif #include <sys/errno.h> @@ -307,8 +307,8 @@ int mode; break; case FIONREAD : #ifdef IPFILTER_LOG - error = IWCOPY((caddr_t)&iplused[IPL_LOGSTATE], (caddr_t)data, - sizeof(iplused[IPL_LOGSTATE])); + arg = (int)iplused[IPL_LOGSTATE]; + error = IWCOPY((caddr_t)&arg, (caddr_t)data, sizeof(arg)); #endif break; case SIOCSTLCK : @@ -787,8 +787,6 @@ tcphdr_t *tcp; } ATOMIC_INCL(ips_stats.iss_hits); - is->is_pkts++; - is->is_bytes += fin->fin_dlen + fin->fin_hlen; /* * Nearing end of connection, start timeout. */ @@ -1148,10 +1146,6 @@ fr_info_t *fin; fr_matchsrcdst(is, src, dst, &ofin, tcp)) { fr = is->is_rule; ips_stats.iss_hits++; - /* - * we must swap src and dst here because the icmp - * comes the other way around - */ is->is_pkts++; is->is_bytes += fin->fin_plen; /* @@ -1379,6 +1373,9 @@ void *ifp; } +/* + * Must always be called with fr_ipfstate held as a write lock. + */ static void fr_delstate(is) ipstate_t *is; { 
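Review bot: The new precondition comment on fr_delstate (ip_state.c @1379) names a lock `fr_ipfstate`, but the lock this file actually manipulates is `ipf_state` (see `RWLOCK_EXIT(&ipf_state)` in fr_timeoutstate, next hunk), so a reader grepping for it will find nothing. Suggest `/* Must always be called with ipf_state held as a write lock. */`. The wording matters because the following @1397 hunk replaces `ATOMIC_DEC32(fr->fr_ref)` with a plain `fr->fr_ref--`, which is only safe if that lock really is held on every call path.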
@@ -1397,9 +1394,10 @@ ipstate_t *is; fr = is->is_rule; if (fr != NULL) { - ATOMIC_DEC32(fr->fr_ref); - if (fr->fr_ref == 0) + fr->fr_ref--; + if (fr->fr_ref == 0) { KFREE(fr); + } } #ifdef _KERNEL MUTEX_DESTROY(&is->is_lock); @@ -1452,12 +1450,12 @@ void fr_timeoutstate() fr_delstate(is); } else isp = &is->is_next; - RWLOCK_EXIT(&ipf_state); - SPL_X(s); if (fr_state_doflush) { (void) fr_state_flush(1); fr_state_doflush = 0; } + RWLOCK_EXIT(&ipf_state); + SPL_X(s); } diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c index 6dc2f02..d43fc56 100644 --- a/contrib/ipfilter/ipfs.c +++ b/contrib/ipfilter/ipfs.c @@ -41,12 +41,19 @@ #include "ipf.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.1 2000/05/06 00:11:18 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.3 2001/01/10 06:20:12 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR # define IPF_SAVEDIR "/var/db/ipf" #endif +#ifndef IPF_NATFILE +# define IPF_NATFILE "ipnat.ipf" +#endif +#ifndef IPF_STATEFILE +# define IPF_STATEFILE "ipstate.ipf" +#endif + #if !defined(__SVR4) && defined(__GNUC__) extern char *index __P((const char *, int)); #endif @@ -271,8 +278,14 @@ char *argv[]; usage(); } - if (ifs) - return changestateif(ifs, filename); + if (ifs) { + if (!filename || ns<0) + usage(); + if (ns == 0) + return changenatif(ifs, filename); + else + return changestateif(ifs, filename); + } if ((ns >= 0) || (lock >= 0)) { if (lock >= 0) @@ -363,6 +376,9 @@ char *file; ipstate_save_t ips, *ipsp; int wfd = -1; + if (!file) + file = IPF_STATEFILE; + wfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600); if (wfd == -1) { fprintf(stderr, "%s ", file); @@ -404,6 +420,9 @@ char *file; ipstate_save_t ips, *is, *ipshead = NULL, *is1, *ipstail = NULL; int sfd = -1, i; + if (!file) + file = IPF_STATEFILE; + sfd = open(file, O_RDONLY, 0600); if (sfd == -1) { fprintf(stderr, "%s ", file); 
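Review bot: fr_timeoutstate (@1452) now calls `fr_state_flush(1)` while still holding ipf_state for writing, since the `RWLOCK_EXIT`/`SPL_X` pair moved below the call; that is only correct if fr_state_flush does not take ipf_state itself, and neither its definition nor its SIOCIPFFL ioctl caller is in this diff, so it cannot be confirmed here. If the lock is the caller's responsibility, fr_state_flush should say so — `/* Must be called with ipf_state held as a write lock. */` — so the two call sites cannot drift apart again. The timeout loop itself starts before the hunk.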
@@ -432,6 +451,11 @@ char *file; return 1; } is = (ipstate_save_t *)malloc(sizeof(*is)); + if(!is) { + fprintf(stderr, "malloc failed\n"); + return 1; + } + bcopy((char *)&ips, (char *)is, sizeof(ips)); /* @@ -497,6 +521,9 @@ char *file; int nfd = -1, i; nat_t *nat; + if (!file) + file = IPF_NATFILE; + nfd = open(file, O_RDONLY); if (nfd == -1) { fprintf(stderr, "%s ", file); @@ -615,6 +642,9 @@ char *file; int nfd = -1; natget_t ng; + if (!file) + file = IPF_NATFILE; + nfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600); if (nfd == -1) { fprintf(stderr, "%s ", file); @@ -699,14 +729,14 @@ char *dirname; devfd = opendevice(IPL_STATE); if (devfd == -1) return 1; - if (writestate(devfd, "ipstate.ipf")) + if (writestate(devfd, NULL)) return 1; close(devfd); devfd = opendevice(IPL_NAT); if (devfd == -1) return 1; - if (writenat(devfd, "ipnat.ipf")) + if (writenat(devfd, NULL)) return 1; close(devfd); @@ -743,14 +773,14 @@ char *dirname; devfd = opendevice(IPL_STATE); if (devfd == -1) return 1; - if (readstate(devfd, "ipstate.ipf")) + if (readstate(devfd, NULL)) return 1; close(devfd); devfd = opendevice(IPL_NAT); if (devfd == -1) return 1; - if (readnat(devfd, "ipnat.ipf")) + if (readnat(devfd, NULL)) return 1; close(devfd); diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c index 9eeb055..2668976 100644 --- a/contrib/ipfilter/ipft_tx.c +++ b/contrib/ipfilter/ipft_tx.c @@ -43,7 +43,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3 2000/03/13 22:10:24 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.1 2001/01/10 06:19:53 darrenr Exp $"; #endif extern int opts; 
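Review bot: The new `if(!is)` branch in readstate returns 1 with sfd still open and whatever has already been linked into ipshead left allocated; the `return 1` just above it on the read-error path shows the existing code takes the same shortcut, so this matches file style, but a `close(sfd);` before the new return is cheap and keeps the descriptor from outliving the failure. The spacing `if(!is)` also differs from the `if (` form used on the surrounding lines. The body of readstate continues outside the hunk, so whether the caller cleans up is not visible here.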
@@ -54,9 +54,9 @@ static int text_open __P((char *)), text_close __P((void)); static int text_readip __P((char *, int, char **, int *)); static int parseline __P((char *, ip_t *, char **, int *)); -static char _tcp_flagset[] = "FSRPAU"; +static char _tcp_flagset[] = "FSRPAUEC"; static u_char _tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, - TH_ACK, TH_URG }; + TH_ACK, TH_URG, TH_ECN, TH_CWR }; struct ipread iptext = { text_open, text_close, text_readip }; static FILE *tfp = NULL; diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h index b54d6f9..3529d65 100644 --- a/contrib/ipfilter/ipl.h +++ b/contrib/ipfilter/ipl.h @@ -6,12 +6,12 @@ * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 - * $Id: ipl.h,v 2.15.2.14 2000/10/27 22:54:41 darrenr Exp $ + * $Id: ipl.h,v 2.15.2.17 2001/01/14 13:47:15 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.4.13" +#define IPL_VERSION "IP Filter: v3.4.16" #endif diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c index 18b8819..51af2e1 100644 --- a/contrib/ipfilter/ipnat.c +++ b/contrib/ipfilter/ipnat.c @@ -57,7 +57,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.4 2000/10/27 14:06:47 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.5 2000/12/02 00:15:04 darrenr Exp $"; #endif 
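Review bot: `_tcp_flagset` and `_tcp_flags` are parallel arrays that both grew by two entries, and nothing in the file ties them together; the lookup that maps a letter position to a bit is outside this hunk, so a future edit to one array without the other would silently mis-map flags. Suggest a comment on the second array, `/* one entry per letter of _tcp_flagset, in the same order */`. Also note that `TH_ECN` is not the BSD tcp.h name for the 0x40 bit (that is `TH_ECE`), so the symbol presumably comes from ipfilter's own compatibility header; on a platform where it is missing this no longer compiles.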
@@ -236,15 +236,17 @@ int opts; ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0'; ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0'; printf("\tClient:\n"); - printf("\t\trptr %p wptr %p seq %x junk %d\n", + printf("\t\trptr %p wptr %p seq %x len %d junk %d\n", ftp.ftp_side[0].ftps_rptr, ftp.ftp_side[0].ftps_wptr, - ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_junk); + ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_len, + ftp.ftp_side[0].ftps_junk); printf("\t\tbuf ["); printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1); printf("]\n\tServer:\n"); - printf("\t\trptr %p wptr %p seq %x junk %d\n", + printf("\t\trptr %p wptr %p seq %x len %d junk %d\n", ftp.ftp_side[1].ftps_rptr, ftp.ftp_side[1].ftps_wptr, - ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_junk); + ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_len, + ftp.ftp_side[1].ftps_junk); printf("\t\tbuf ["); printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1); printf("]\n"); diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c index e81c890..c5eacb3 100644 --- a/contrib/ipfilter/ipsend/ip.c +++ b/contrib/ipfilter/ipsend/ip.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; -static const char rcsid[] = "@(#)$Id: ip.c,v 2.1 1999/08/04 17:31:04 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.1 2001/01/10 06:21:19 darrenr Exp $"; #endif #include <errno.h> #include <stdio.h> @@ -99,7 +99,15 @@ int frag; int err, iplen; if (!ipbuf) + { ipbuf = (char *)malloc(65536); + if(!ipbuf) + { + perror("malloc failed"); + return -2; + } + } + eh = (ether_header_t *)ipbuf; bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost)); diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c index e4397ce..095aa9e 100644 --- a/contrib/ipfilter/ipsend/resend.c +++ b/contrib/ipfilter/ipsend/resend.c 
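Review bot: In the ipsend/ip.c hunk the new failure path returns -2 from a function whose other error returns are not in view; if callers test only for -1, an allocation failure would be treated as success, so either use the existing error value or make the callers check `< 0`. The `if(!ipbuf)` spelling also differs from the `if (!ipbuf)` on the line just above it, and `65536` would read better as a named constant. The same pattern and return value appear in the ipsend/resend.c hunk that follows. The `len %d` added to the ipnat.c printf assumes ftps_len is an int; if it is an unsigned or size type the format specifier needs to match.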
@@ -12,7 +12,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: resend.c,v 2.1 1999/08/04 17:31:12 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.1 2001/01/10 06:21:20 darrenr Exp $"; #endif #include <stdio.h> #include <netdb.h> @@ -97,6 +97,11 @@ char *datain; ip = (struct ip *)pbuf; eh = (ether_header_t *)malloc(sizeof(*eh)); + if(!eh) + { + perror("malloc failed"); + return -2; + } bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost)); if (gwip.s_addr && (arp((char *)&gwip, dhost) == -1)) diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c index f6e7ad4..3ca7df3 100644 --- a/contrib/ipfilter/mlf_ipl.c +++ b/contrib/ipfilter/mlf_ipl.c @@ -93,6 +93,9 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttllog, CTLFLAG_RW, + &fr_minttllog, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RW, &fr_tcpidletimeout, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RW, diff --git a/contrib/ipfilter/mlfk_ipl.c b/contrib/ipfilter/mlfk_ipl.c index f96c57e..0dc4ff2 100644 --- a/contrib/ipfilter/mlfk_ipl.c +++ b/contrib/ipfilter/mlfk_ipl.c @@ -23,7 +23,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: mlfk_ipl.c,v 2.1.2.4 2000/08/23 11:02:33 darrenr Exp $ + * $Id: mlfk_ipl.c,v 2.1.2.6 2000/11/18 03:58:29 darrenr Exp $ */ 
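Review bot: In the mlf_ipl.c hunk `fr_minttl` is exported read-write as a bare SYSCTL_INT, which accepts any int value; if, as the name suggests, it is compared against an 8-bit IP TTL, negative or >255 settings are accepted without complaint and presumably either disable the check or never match. Its consumer is not in view, so if a range matters a SYSCTL_PROC with validation, or at least a comment `/* valid range 0-255; no validation on write */`, would document the contract. The same two knobs are added again in the mlfk_ipl.c hunk on the following line.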
@@ -38,6 +38,12 @@ #include <netinet/in_systm.h> #include <netinet/in.h> #include <netinet/ip.h> +#if (__FreeBSD_version >= 199511) +# include <net/route.h> +# include <netinet/ip_var.h> +# include <netinet/tcp.h> +# include <netinet/tcpip.h> +#endif #include <netinet/ipl.h> @@ -47,6 +53,7 @@ #include <netinet/ip_nat.h> #include <netinet/ip_auth.h> #include <netinet/ip_frag.h> +#include <netinet/ip_proxy.h> static dev_t ipf_devs[IPL_LOGMAX + 1]; @@ -86,6 +93,11 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD, SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW, &fr_defaultauthage, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, ippr_ftp_pasvonly, CTLFLAG_RW, + &ippr_ftp_pasvonly, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttllog, CTLFLAG_RW, + &fr_minttllog, 0, ""); #define CDEV_MAJOR 79 static struct cdevsw ipl_cdevsw = { diff --git a/contrib/ipfilter/mli_ipl.c b/contrib/ipfilter/mli_ipl.c index 0630bb4..a451a10 100644 --- a/contrib/ipfilter/mli_ipl.c +++ b/contrib/ipfilter/mli_ipl.c @@ -49,7 +49,7 @@ unsigned IPL_EXTERN(devflag) = D_MP; char *IPL_EXTERN(mversion) = M_VERSION; #endif -kmutex_t ipl_mutex, ipf_mutex, ipfi_mutex, ipf_rw, ipf_hostmap; +kmutex_t ipl_mutex, ipf_mutex, ipfi_mutex, ipf_rw; kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; int (*fr_checkp) __P((struct ip *, int, void *, int, mb_t **)); @@ -539,7 +539,6 @@ IPL_EXTERN(unload)(void) LOCK_DEALLOC(ipf_rw.l); LOCK_DEALLOC(ipf_auth.l); LOCK_DEALLOC(ipf_natfrag.l); - LOCK_DEALLOC(ipf_hostmap.l); LOCK_DEALLOC(ipf_nat.l); LOCK_DEALLOC(ipf_state.l); LOCK_DEALLOC(ipf_frag.l); 
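Review bot: The new `#if (__FreeBSD_version >= 199511)` guard only works if `__FreeBSD_version` is already defined at that point (it comes from <sys/param.h> or <osreldate.h>); an undefined identifier in `#if` evaluates to 0, so the four includes would be dropped silently rather than produce an error. The hunk does not show <sys/param.h> being included above, so please confirm it is, or add `#include <sys/param.h>` ahead of the guard. The newly registered ippr_ftp_pasvonly sysctl is CTLFLAG_RW; whether it is meant to be a boolean or a count is not visible, so a short comment on what values it accepts would help.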
@@ -562,7 +561,6 @@ IPL_EXTERN(init)(void) ipf_frag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_state.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_nat.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); - ipf_hostmap.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_natfrag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_auth.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_rw.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); @@ -570,7 +568,7 @@ IPL_EXTERN(init)(void) if (!ipfi_mutex.l || !ipf_mutex.l || !ipf_frag.l || !ipf_state.l || !ipf_nat.l || !ipf_natfrag.l || !ipf_auth.l || !ipf_rw.l || - !ipl_mutex.l || !ipf_hostmap.l) + !ipl_mutex.l) panic("IP Filter: LOCK_ALLOC failed"); #ifdef IPFILTER_LKM diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c index ab1e08c..0441ad5 100644 --- a/contrib/ipfilter/parse.c +++ b/contrib/ipfilter/parse.c @@ -671,8 +671,8 @@ int linenum; return -1; while (**cp && (!strncasecmp(**cp, "ipopt", 5) || - !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 4) || - !strncasecmp(**cp, "frag", 3) || !strncasecmp(**cp, "no", 2) || + !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 3) || + !strncasecmp(**cp, "frag", 4) || !strncasecmp(**cp, "no", 2) || !strncasecmp(**cp, "short", 5))) { if (***cp == 'n' || ***cp == 'N') { notopt = 1; diff --git a/contrib/ipfilter/samples/userauth.c b/contrib/ipfilter/samples/userauth.c index 65dcc74..5b50a94 100644 --- a/contrib/ipfilter/samples/userauth.c +++ b/contrib/ipfilter/samples/userauth.c @@ -21,7 +21,7 @@ main() char yn[16]; int fd; - fd = open(IPL_NAME, O_RDWR); + fd = open(IPL_AUTH, O_RDWR); while (ioctl(fd, SIOCAUTHW, &frap) == 0) { if (fra.fra_info.fin_out) fra.fra_pass = FR_OUTQUE; diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c index c32f250..1e82ec0 100644 
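Review bot: In the samples/userauth.c hunk the return value of `open(IPL_AUTH, O_RDWR)` is still unchecked; on failure fd is -1, the ioctl loop fails with EBADF on its first iteration and the program exits with no diagnostic. Suggest `if (fd == -1) { perror(IPL_AUTH); exit(1); }` right after the open, since this is sample code that people copy. In the parse.c hunk the corrected lengths fix the prefix compare, but the fixed-length prefix style still accepts longer tokens that start with the keyword; that is pre-existing and outside this change.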
--- a/contrib/ipfilter/solaris.c +++ b/contrib/ipfilter/solaris.c @@ -6,7 +6,7 @@ * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ -#pragma ident "@(#)$Id: solaris.c,v 2.15.2.7 2000/08/05 14:50:30 darrenr Exp $" +#pragma ident "@(#)$Id: solaris.c,v 2.15.2.8 2000/11/27 10:28:41 darrenr Exp $" #include <sys/systm.h> #include <sys/types.h> @@ -645,8 +645,8 @@ tryagain: hlen = sizeof(ip6_t); ip6 = (ip6_t *)ip; /* XXX - might not be aligned (from ppp?) */ - ((char *)&tlen)[0] = ((char *)&ip->ip_len)[0]; - ((char *)&tlen)[1] = ((char *)&ip->ip_len)[1]; + ((char *)&tlen)[0] = ((char *)&ip6->ip6_plen)[0]; + ((char *)&tlen)[1] = ((char *)&ip6->ip6_plen)[1]; plen = ntohs(tlen); sap = IP6_DL_SAP; } @@ -1689,7 +1689,7 @@ frdest_t *fdp; # ifdef USE_INET6 else if (fin->fin_v == 6) { p = ip6->ip6_nxt; - dir = ire_route_lookup_v6(&ip6->ip6_dst, 0xffffffff, 0, 0, + dir = ire_route_lookup_v6(&ip6->ip6_dst, NULL, 0, 0, NULL, &gw, NULL, MATCH_IRE_DSTONLY| MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE); } diff --git a/contrib/ipfilter/test/expected/i7 b/contrib/ipfilter/test/expected/i7 index 750cf26..d1b7978 100644 --- a/contrib/ipfilter/test/expected/i7 +++ b/contrib/ipfilter/test/expected/i7 @@ -1,4 +1,4 @@ pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA -block in on lo0(!) proto tcp from any to any flags A/0xff +block in on lo0(!) proto tcp from any to any flags A/0xbf pass in on lo0(!) proto tcp from any to any flags /SPA block in on lo0(!) proto tcp from any to any flags 0x80/A |
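Review bot: In the solaris.c hunk at line 645 the byte-wise copy now reads `ip6->ip6_plen`, which is the IPv6 payload length excluding the 40-byte fixed header, whereas the `ip_len` it replaces counts the IPv4 header; if plen is later used as a total packet length (for example compared against the mblk length), sizeof(ip6_t), which hlen is set to two lines above, must be added. The consumer of plen is outside the hunk, so this is a request to confirm rather than a defect I can point to. A comment at the copy, `/* ip6_plen excludes the fixed header, unlike ip_len */`, would keep the next reader from assuming the two are interchangeable. The byte-wise copy itself is the right shape for the possibly unaligned header.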