author | darrenr <darrenr@FreeBSD.org> | 2001-02-04 14:25:38 +0000 |
---|---|---|
committer | darrenr <darrenr@FreeBSD.org> | 2001-02-04 14:25:38 +0000 |
commit | 5e62aa9b3dacb0e670998fad60638b79751aff14 (patch) | |
tree | 385e237f9b94bd1f0ddf97318d3ced6f6e85ec8b /contrib/ipfilter | |
parent | 77a62e2a58642d4f2e31e9cfc354994062d9777b (diff) | |
download | FreeBSD-src-5e62aa9b3dacb0e670998fad60638b79751aff14.zip FreeBSD-src-5e62aa9b3dacb0e670998fad60638b79751aff14.tar.gz |
Import IP Filter update
Diffstat (limited to 'contrib/ipfilter')
36 files changed, 443 insertions, 173 deletions
diff --git a/contrib/ipfilter/FreeBSD-4.0/kinstall b/contrib/ipfilter/FreeBSD-4.0/kinstall index 7e663d2..b3ed454 100755 --- a/contrib/ipfilter/FreeBSD-4.0/kinstall +++ b/contrib/ipfilter/FreeBSD-4.0/kinstall @@ -10,8 +10,8 @@ set confdir="$archdir/conf" if ( $dir =~ */FreeBSD* ) cd .. echo -n "Installing " foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ - ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c ipl.h \ - ip_compat.h ip_auth.[ch] ip_log.c) + ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c mlf_ipl.c mlfk_ipl.c \ + ipl.h ip_compat.h ip_auth.[ch] ip_log.c) echo -n "$i "; cp $i /sys/netinet chmod 644 /sys/netinet/$i diff --git a/contrib/ipfilter/FreeBSD-4.0/unkinstall b/contrib/ipfilter/FreeBSD-4.0/unkinstall index 4e9caaa..b9c5f029 100755 --- a/contrib/ipfilter/FreeBSD-4.0/unkinstall +++ b/contrib/ipfilter/FreeBSD-4.0/unkinstall @@ -12,7 +12,7 @@ if ( $dir =~ */FreeBSD* ) cd .. echo -n "Uninstalling " foreach i (ip_fil.[ch] ip_nat.[ch] ip_frag.[ch] ip_state.[ch] fil.c \ ip_auth.[ch] ip_proxy.[ch] ip_{ftp,rcmd,raudio}_pxy.c ip_compat.h \ - ip_log.c mlf_ipl.c ipl.h) + ip_log.c mlf_ipl.c mlfk_ipl.c ipl.h) echo -n "$i "; /bin/rm -f /sys/netinet/$i end diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 279372b..0249367 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY 
@@ -22,6 +22,37 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.4.16 15/01/2001 - Released + +fix race condition in flushing of state entries that are timing out + +Add TCP ECN patches + +log all NAT entries created, not just those via rules + +3.4.15 17/12/2000 - Released + +add minimum ttl filtering (to be replaced later by return-icmp-as-dest +for all ICMP packets matching state entries). + +fix NAT'ing of fragments + +fix sanity checks for ICMPV6 + +fix up compiling on IRIX 6.2 with IDF/IDL installed + +3.4.14 02/11/2000 - Released + +cause flushing NAT table to generate log records the same as state flush +does. + +fix ftp proxy port/pasv + +fix problem where nat_{in,out}lookup() would release a write lock when it +didn't need to. + +add check for ipf6.conf in Solaris ipfboot + 3.4.13 28/10/2000 - Released fix introduced bug with ICMP packets being rejected when valid diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile index e79eb12..5770d40 100644 --- a/contrib/ipfilter/Makefile +++ b/contrib/ipfilter/Makefile @@ -5,7 +5,7 @@ # provided that this notice is preserved and due credit is given # to the original author and the contributors. # -# $Id: Makefile,v 2.11.2.4 2000/10/19 15:42:56 darrenr Exp $ +# $Id: Makefile,v 2.11.2.6 2000/12/17 12:43:15 darrenr Exp $ # BINDEST=/usr/local/bin SBINDEST=/sbin @@ -107,7 +107,7 @@ include: fi sunos solaris: include - ./buildsunos $(MFLAGS) + CC="$(CC)" ./buildsunos freebsd22: include make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)" 
@@ -169,8 +169,8 @@ bsdi bsdos: include irix IRIX: include make setup "TARGOS=IRIX" "CPUDIR=$(CPUDIR)" - -(SMAKE=`which smake >/dev/null 2>&1; if [ $$? -ne 0 ] ; then echo make -f Makefile.std; else echo smake; fi`; cd IRIX/$(CPUDIR); $${SMAKE} build TOP=../.. $(DEST) $(MFLAGS); cd ..) - -(SMAKE=`which smake >/dev/null 2>&1; if [ $$? -ne 0 ] ; then echo make -f Makefile.ipsend.std; else echo smake -f Makefile.ipsend; fi`; cd IRIX/$(CPUDIR); $${SMAKE} TOP=../.. $(DEST) $(MFLAGS); cd ..) + -(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.std build TOP=../.. $(DEST) $(MFLAGS); else smake build TOP=../.. $(DEST) $(MFLAGS); fi;) + -(cd IRIX/$(CPUDIR); if [ $(MAKE) = make ] ; then make -f Makefile.ipsend.std TOP=../.. $(DEST) $(MFLAGS); else smake -f Makefile.ipsend TOP=../.. $(DEST) $(MFLAGS); fi) linux: include make setup "TARGOS=Linux" "CPUDIR=$(CPUDIR)" diff --git a/contrib/ipfilter/common.c b/contrib/ipfilter/common.c index d7706bd..afcc95c 100644 --- a/contrib/ipfilter/common.c +++ b/contrib/ipfilter/common.c @@ -52,8 +52,9 @@ extern int use_inet6; char *proto = NULL; -char flagset[] = "FSRPAU"; -u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG }; +char flagset[] = "FSRPAUEC"; +u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, + TH_ECN, TH_CWR }; #ifdef USE_INET6 void fill6bits __P((int, u_32_t *)); @@ -409,8 +410,12 @@ int linenum; if (s && *s == '0') tcpfm = strtol(s, NULL, 0); - if (!tcpfm) - tcpfm = 0xff; + if (!tcpfm) { + if (tcpf == TH_SYN) + tcpfm = 0xff & ~(TH_ECN|TH_CWR); + else + tcpfm = 0xff & ~(TH_ECN); + } *mask = tcpfm; return tcpf; } diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c index e0a5ed5..02f075b 100644 --- a/contrib/ipfilter/fil.c +++ b/contrib/ipfilter/fil.c 
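Review bot: The new default mask in common.c's `if (!tcpfm) {` block treats the ECN bits asymmetrically: a plain `S` rule ignores both `TH_ECN` and `TH_CWR`, but any other flag combination keeps `TH_CWR` in the mask, so a rule such as `flags A` with no explicit mask would stop matching a data segment that carries CWR, which is a legitimate bit on non-SYN segments once ECN has been negotiated. If that is not the intent, `tcpfm = TCPF_ALL & ~TH_ECNALL;` in both branches (using the macros this commit adds to ip_compat.h, assuming they are visible here) restores "ECN bits are don't-care unless the rule names them"; if it is intentional, a one-line comment saying why CWR stays significant for non-SYN rules would save the next reader the same question. The literal `0xff` would also be clearer as `TCPF_ALL` now that it includes the two new bits. The enclosing flag-parsing function starts before this hunk.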
@@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.27 2000/10/26 21:20:54 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darrenr Exp $"; #endif #include <sys/errno.h> @@ -136,6 +136,8 @@ struct frgroup *ipfgroups[3][2]; int fr_flags = IPF_LOGGING; int fr_active = 0; int fr_chksrc = 0; +int fr_minttl = 3; +int fr_minttllog = 1; #if defined(IPFILTER_DEFAULT_BLOCK) int fr_pass = FR_NOMATCH|FR_BLOCK; #else @@ -269,6 +271,40 @@ fr_info_t *fin; switch (p) { +#ifdef USE_INET6 + case IPPROTO_ICMPV6 : + { + int minicmpsz = sizeof(struct icmp6_hdr); + struct icmp6_hdr *icmp6; + + if (fin->fin_dlen > 1) { + fin->fin_data[0] = *(u_short *)tcp; + + icmp6 = (struct icmp6_hdr *)tcp; + + switch (icmp6->icmp6_type) + { + case ICMP6_ECHO_REPLY : + case ICMP6_ECHO_REQUEST : + minicmpsz = ICMP6ERR_MINPKTLEN; + break; + case ICMP6_DST_UNREACH : + case ICMP6_PACKET_TOO_BIG : + case ICMP6_TIME_EXCEEDED : + case ICMP6_PARAM_PROB : + minicmpsz = ICMP6ERR_IPICMPHLEN; + break; + default : + break; + } + } + + if (!(plen >= hlen + minicmpsz)) + fi->fi_fl |= FI_SHORT; + + break; + } +#endif case IPPROTO_ICMP : { int minicmpsz = sizeof(struct icmp); @@ -747,8 +783,8 @@ int out; #endif #ifdef _KERNEL + int p, len, drop = 0, logit = 0; mb_t *mc = NULL; - int p, len; # if !defined(__SVR4) && !defined(__svr4__) # ifdef __sgi char hbuf[(0xf << 2) + sizeof(struct icmp) + sizeof(ip_t) + 8]; @@ -802,11 +838,17 @@ int out; break; /* 96 - enough for complete ICMP error IP header */ case IPPROTO_ICMP: + plen = ICMPERR_MAXPKTLEN - sizeof(ip_t); + break; # ifdef USE_INET6 case IPPROTO_ICMPV6 : -# endif - plen = ICMPERR_MAXPKTLEN - sizeof(ip_t); + /* + * XXX does not take intermediate header + * into account + */ + plen = ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t); break; +# endif } up = MIN(hlen + plen, len); 
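Review bot: In the new `case IPPROTO_ICMPV6` block the minimum sizes assigned to `minicmpsz` appear to double-count the IPv6 header: the default `sizeof(struct icmp6_hdr)` is an ICMP-only length and the test is `plen >= hlen + minicmpsz`, yet the echo and error cases assign `ICMP6ERR_MINPKTLEN` (`40 + 8`) and `ICMP6ERR_IPICMPHLEN` (`40 + 8 + 40`), both of which include the outer `ip6_t` per this commit's ip_compat.h. The later hunk in the same file already subtracts it (`plen = ICMP6ERR_MINPKTLEN + 8 - sizeof(ip6_t);`), so if `hlen` is the IPv6 header length here as it is for the IPv4 case, a minimal echo request or reply would be flagged `FI_SHORT`. The two assignments should read `minicmpsz = ICMP6ERR_MINPKTLEN - sizeof(ip6_t);` and `minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t);`. The condition `if (!(plen >= hlen + minicmpsz))` would also read more directly as `if (plen < hlen + minicmpsz)`; the enclosing function starts before and ends after this hunk.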
@@ -865,22 +907,37 @@ int out; # ifdef USE_INET6 if (v == 6) { ATOMIC_INCL(frstats[0].fr_ipv6[out]); + if (((ip6_t *)ip)->ip6_hlim < fr_minttl) { + ATOMIC_INCL(frstats[0].fr_badttl); + if (fr_minttllog) + logit = -2; + } } else # endif - if (!out && fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) { + if (!out) { + if (fr_chksrc && !fr_verifysrc(ip->ip_src, ifp)) { ATOMIC_INCL(frstats[0].fr_badsrc); + if (fr_chksrc == 2) + logit = -2; + } else if (ip->ip_ttl < fr_minttl) { + ATOMIC_INCL(frstats[0].fr_badttl); + if (fr_minttllog) + logit = -3; + } + } + if (drop) { # ifdef IPFILTER_LOG - if (fr_chksrc == 2) { - fin->fin_group = -2; - pass = FR_INQUE|FR_NOMATCH|FR_LOGB; - (void) IPLLOG(pass, ip, fin, m); - } + if (logit) { + fin->fin_group = logit; + pass = FR_INQUE|FR_NOMATCH|FR_LOGB; + (void) IPLLOG(pass, ip, fin, m); + } # endif # if !SOLARIS - m_freem(m); + m_freem(m); # endif - return error; - } + return error; + } #endif pass = fr_pass; if (fin->fin_fi.fi_fl & FI_SHORT) { @@ -1401,7 +1458,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.27 2000/10/26 21:20:54 darrenr Exp $ + * $Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c index 6a4cf67..3184e4c 100644 --- a/contrib/ipfilter/fils.c +++ b/contrib/ipfilter/fils.c @@ -65,7 +65,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.5 2000/07/20 14:13:30 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.7 2000/12/02 00:13:56 darrenr Exp $"; #endif extern char *optarg; @@ -892,7 +892,7 @@ int topclosed; printw("%-21s %-21s", str1, str2); /* print state */ - sprintf(str1, "%d/%d", tp->st_state[0], + sprintf(str1, "%X/%X", tp->st_state[0], tp->st_state[1]); printw(" %3s", str1); 
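Review bot: `drop` is initialised to 0 in the earlier hunk (`int p, len, drop = 0, logit = 0;`) and is never assigned in this one, so the `if (drop) {` block that logs and returns `error` looks dead unless something between the two hunks sets it; the code it replaces returned unconditionally when `fr_chksrc` rejected the source, so a packet failing `fr_verifysrc()` (or the new `ip_ttl < fr_minttl` floor) now only increments its counter, sets `logit`, and continues to `pass = fr_pass;` without being logged or dropped. If the old drop semantics are intended, each branch needs `drop = 1;` next to its `ATOMIC_INCL`, and if not, the `logit` assignments and the `if (drop)` block should be removed rather than left as unreachable code. The IPv6 branch also uses `logit = -2` for a bad hop limit while the IPv4 branch uses `-3` for the equivalent TTL failure, so the two would land in different log groups; `logit = -3;` in the v6 branch would keep them consistent. fr_check begins before and ends after this hunk.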
@@ -994,6 +994,23 @@ ipfrstat_t *ifsp; fr.fr_flags); ipfrtab[i] = ifr.ipfr_next; } + if (kmemcpy((char *)ipfrtab, (u_long)ifsp->ifs_nattab,sizeof(ipfrtab))) + return; + for (i = 0; i < IPFT_SIZE; i++) + while (ipfrtab[i]) { + if (kmemcpy((char *)&ifr, (u_long)ipfrtab[i], + sizeof(ifr)) == -1) + break; + PRINTF("NAT: %s -> ", hostname(4, &ifr.ipfr_src)); + if (kmemcpy((char *)&fr, (u_long)ifr.ipfr_rule, + sizeof(fr)) == -1) + break; + PRINTF("%s %d %d %d %#02x = %#x\n", + hostname(4, &ifr.ipfr_dst), ifr.ipfr_id, + ifr.ipfr_ttl, ifr.ipfr_p, ifr.ipfr_tos, + fr.fr_flags); + ipfrtab[i] = ifr.ipfr_next; + } } diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c index d737b9c..a453610 100644 --- a/contrib/ipfilter/ip_auth.c +++ b/contrib/ipfilter/ip_auth.c @@ -6,7 +6,7 @@ * to the original author and the contributors. */ #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.4 2000/08/05 14:48:50 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.5 2001/01/10 06:18:35 darrenr Exp $"; #endif #include <sys/errno.h> @@ -352,7 +352,7 @@ fr_authioctlloop: READ_ENTER(&ipf_auth); if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) { error = IWCOPYPTR((char *)&fr_auth[fr_authnext], data, - sizeof(fr_info_t)); + sizeof(frauth_t)); RWLOCK_EXIT(&ipf_auth); if (error) break; diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h index 2369cf0..ed71f36 100644 --- a/contrib/ipfilter/ip_compat.h +++ b/contrib/ipfilter/ip_compat.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.26.2.6 2000/10/19 15:39:05 darrenr Exp $ + * $Id: ip_compat.h,v 2.26.2.9 2001/01/14 14:58:01 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -974,8 +974,6 @@ struct ether_addr { #define A_A & #endif -#define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) - #ifndef ICMP_ROUTERADVERT # define ICMP_ROUTERADVERT 9 #endif 
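Review bot: The added NAT-fragment dump in fils.c is a line-for-line copy of the loop directly above it with only the `ifs_nattab` source and the `"NAT: "` prefix changed, and its first `kmemcpy()` result is tested as `if (kmemcpy(...)) return;` while every other call in the same function tests `== -1`, so a non-zero, non-`-1` return would silently abort the listing. Factoring both loops into one static helper taking the table address and the label, e.g. `static void printfragtable(u_long tab, const char *label)`, removes the duplication and lets the return-value check be written once and consistently. The enclosing function starts before this hunk.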
@@ -995,6 +993,20 @@ struct ether_addr { #define ICMPERR_IPICMPHLEN (20 + 8) #define ICMPERR_MINPKTLEN (20 + 8 + 20) #define ICMPERR_MAXPKTLEN (20 + 8 + 20 + 8) -#define ICMP6ERR_MINPKTLEN (20 + 8) +#define ICMP6ERR_MINPKTLEN (40 + 8) +#define ICMP6ERR_IPICMPHLEN (40 + 8 + 40) + +/* + * ECN is a new addition to TCP - RFC 2481 + */ +#ifndef TH_ECN +# define TH_ECN 0x40 +#endif +#ifndef TH_CWR +# define TH_CWR 0x80 +#endif +#define TH_ECNALL (TH_ECN|TH_CWR) + +#define TCPF_ALL (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG|TH_ECN|TH_CWR) #endif /* __IP_COMPAT_H__ */ diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h index da109b7..ed1cfc4 100644 --- a/contrib/ipfilter/ip_fil.h +++ b/contrib/ipfilter/ip_fil.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * $Id: ip_fil.h,v 2.29.2.3 2000/06/05 13:12:42 darrenr Exp $ + * $Id: ip_fil.h,v 2.29.2.4 2000/11/12 11:54:53 darrenr Exp $ */ #ifndef __IP_FIL_H__ @@ -335,6 +335,7 @@ typedef struct filterstats { u_long fr_tcpbad; /* TCP checksum check failures */ u_long fr_pull[2]; /* good and bad pullup attempts */ u_long fr_badsrc; /* source received doesn't match route */ + u_long fr_badttl; /* TTL in packet doesn't reach minimum */ #if SOLARIS u_long fr_notdata; /* PROTO/PCPROTO that have no data */ u_long fr_nodata; /* mblks that have no data */ @@ -612,6 +613,8 @@ extern int fr_pass; extern int fr_flags; extern int fr_active; extern int fr_chksrc; +extern int fr_minttl; +extern int fr_minttllog; extern fr_info_t frcache[2]; extern char ipfilter_version[]; extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1]; diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c index 1cb86c1..556478d 100644 --- a/contrib/ipfilter/ip_frag.c +++ b/contrib/ipfilter/ip_frag.c 
@@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.5 2000/10/19 15:39:58 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.7 2000/11/27 10:26:56 darrenr Exp $"; #endif #if defined(KERNEL) && !defined(_KERNEL) @@ -156,6 +156,7 @@ ipfr_t *table[]; idx += ip->ip_src.s_addr; frag.ipfr_dst.s_addr = ip->ip_dst.s_addr; idx += ip->ip_dst.s_addr; + frag.ipfr_ifp = fin->fin_ifp; idx *= 127; idx %= IPFT_SIZE; @@ -270,6 +271,7 @@ ipfr_t *table[]; idx += ip->ip_src.s_addr; frag.ipfr_dst.s_addr = ip->ip_dst.s_addr; idx += ip->ip_dst.s_addr; + frag.ipfr_ifp = fin->fin_ifp; idx *= 127; idx %= IPFT_SIZE; @@ -328,16 +330,13 @@ fr_info_t *fin; ipf = ipfr_lookup(ip, fin, ipfr_nattab); if (ipf != NULL) { nat = ipf->ipfr_data; - if (nat->nat_ifp == fin->fin_ifp) { - /* - * This is the last fragment for this packet. - */ - if ((ipf->ipfr_ttl == 1) && (nat != NULL)) { - nat->nat_data = NULL; - ipf->ipfr_data = NULL; - } - } else - nat = NULL; + /* + * This is the last fragment for this packet. + */ + if ((ipf->ipfr_ttl == 1) && (nat != NULL)) { + nat->nat_data = NULL; + ipf->ipfr_data = NULL; + } } else nat = NULL; RWLOCK_EXIT(&ipf_natfrag); diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h index 61b88aa..362bcdd 100644 --- a/contrib/ipfilter/ip_frag.h +++ b/contrib/ipfilter/ip_frag.h @@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_frag.h 1.5 3/24/96 - * $Id: ip_frag.h,v 2.4.2.1 2000/10/19 15:40:13 darrenr Exp $ + * $Id: ip_frag.h,v 2.4.2.2 2000/11/10 13:10:54 darrenr Exp $ */ #ifndef __IP_FRAG_H__ @@ -19,6 +19,7 @@ typedef struct ipfr { void *ipfr_data; struct in_addr ipfr_src; struct in_addr ipfr_dst; + void *ipfr_ifp; u_short ipfr_id; u_char ipfr_p; u_char ipfr_tos; diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c index 653bbfe..ddca889 100644 
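Review bot: Dropping the `nat->nat_ifp == fin->fin_ifp` test in ipfr_nat_knownfrag removes the only interface check visible in this function, and the replacement relies on the new `frag.ipfr_ifp = fin->fin_ifp;` key field filled in by the two earlier hunks being compared inside `ipfr_lookup()`, which is not shown here. If `ipfr_lookup()` does not compare `ipfr_ifp`, a later fragment arriving on a different interface would be matched to the same NAT session, which is the case the removed test guarded against; please confirm, and note it in the new comment, e.g. `/* interface match is done on ipfr_ifp inside ipfr_lookup() */`. The rewrite does fix the old ordering bug where `nat->nat_ifp` was dereferenced before the `nat != NULL` check. ipfr_nat_knownfrag begins before and ends after this hunk.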
--- a/contrib/ipfilter/ip_ftp_pxy.c +++ b/contrib/ipfilter/ip_ftp_pxy.c @@ -2,7 +2,7 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.7.2.18 2000/10/27 14:02:10 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.7.2.20 2000/12/02 00:15:06 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; @@ -238,7 +238,7 @@ int dlen; */ dp = htons(fin->fin_data[1] - 1); ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip, - ip->ip_dst, (dp << 16) | sp); + ip->ip_dst, (dp << 16) | sp, 0); if (ipn == NULL) { int slen; @@ -254,7 +254,9 @@ int dlen; fi.fin_data[1] = 0; fi.fin_dlen = sizeof(*tcp2); fi.fin_dp = (char *)tcp2; + fi.fin_fr = &natfr; swip = ip->ip_src; + fi.fin_fi.fi_saddr = nat->nat_inip.s_addr; ip->ip_src = nat->nat_inip; ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_DPORT, NAT_OUTBOUND); @@ -456,7 +458,7 @@ int dlen; sp = 0; dp = htons(fin->fin_data[1] - 1); ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip, - ip->ip_dst, (dp << 16) | sp); + ip->ip_dst, (dp << 16) | sp, 0); if (ipn == NULL) { int slen; @@ -467,13 +469,16 @@ int dlen; tcp2->th_win = htons(8192); tcp2->th_sport = 0; /* XXX - fake it for nat_new */ tcp2->th_off = 5; - fi.fin_data[0] = a5 << 8 | a6; + fi.fin_data[1] = a5 << 8 | a6; fi.fin_dlen = sizeof(*tcp2); - tcp2->th_dport = htons(fi.fin_data[0]); - fi.fin_data[1] = 0; + tcp2->th_dport = htons(fi.fin_data[1]); + fi.fin_data[0] = 0; fi.fin_dp = (char *)tcp2; + fi.fin_fr = &natfr; swip = ip->ip_src; swip2 = ip->ip_dst; + fi.fin_fi.fi_daddr = ip->ip_src.s_addr; + fi.fin_fi.fi_saddr = nat->nat_inip.s_addr; ip->ip_dst = ip->ip_src; ip->ip_src = nat->nat_inip; ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_TCP|FI_W_SPORT, 
@@ -614,14 +619,18 @@ int rv; #else mlen = mbufchainlen(m) - off; #endif + t = &ftp->ftp_side[1 - rv]; + f = &ftp->ftp_side[rv]; if (!mlen) { - t->ftps_seq = ntohl(tcp->th_ack); + if (!t->ftps_seq || + (int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0) + t->ftps_seq = ntohl(tcp->th_ack); + f->ftps_len = 0; return 0; } inc = 0; - f = &ftp->ftp_side[rv]; rptr = f->ftps_rptr; wptr = f->ftps_wptr; @@ -635,9 +644,12 @@ int rv; * that it is out of order (and there is no real danger in doing so * apart from causing packets to go through here ordered). */ - if (ntohl(tcp->th_seq) + i != f->ftps_seq) { + if (f->ftps_len + f->ftps_seq == ntohl(tcp->th_seq)) + f->ftps_seq = ntohl(tcp->th_seq); + else if (ntohl(tcp->th_seq) + i != f->ftps_seq) { return APR_ERR(-1); } + f->ftps_len = mlen; while (mlen > 0) { len = MIN(mlen, FTP_BUFSZ / 2); diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index 4f6921d..e7e121a 100644 --- a/contrib/ipfilter/ip_nat.c +++ b/contrib/ipfilter/ip_nat.c @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.26 2000/10/27 14:06:48 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.32 2001/01/10 06:19:11 darrenr Exp $"; #endif #if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL) @@ -129,7 +129,7 @@ u_long fr_defnatage = DEF_NAT_AGE, natstat_t nat_stats; int fr_nat_lock = 0; #if (SOLARIS || defined(__sgi)) && defined(_KERNEL) -extern kmutex_t ipf_rw, ipf_hostmap; +extern kmutex_t ipf_rw; extern KRWLOCK_T ipf_nat; #endif 
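Review bot: The new acknowledgement comparison `(int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0` casts each 32-bit sequence number to `int` before subtracting, so when the two values straddle the 2^31 boundary the subtraction overflows a signed type, which is undefined behaviour in C rather than the intended modular compare. The conventional form subtracts as unsigned first and only then reinterprets the result: `(int)(ntohl(tcp->th_ack) - t->ftps_seq) > 0`. The `!t->ftps_seq` test also treats a sequence number of exactly 0 as "not yet set"; that is a rare but valid value, so if a separate "initialised" flag is not practical a short comment should record the assumption. The enclosing function starts before and ends after this hunk.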
@@ -143,7 +143,7 @@ static void nat_delnat __P((struct ipnat *)); static int fr_natgetent __P((caddr_t)); static int fr_natgetsz __P((caddr_t)); static int fr_natputent __P((caddr_t)); -static void nat_tabmove __P((nat_t *)); +static void nat_tabmove __P((nat_t *, u_32_t)); static int nat_match __P((fr_info_t *, ipnat_t *, ip_t *)); static hostmap_t *nat_hostmap __P((ipnat_t *, struct in_addr, struct in_addr)); @@ -250,6 +250,8 @@ ipnat_t *n; /* * check if an ip address has already been allocated for a given mapping that * is not doing port based translation. + * + * Must be called with ipf_nat held as a write lock. */ static struct hostmap *nat_hostmap(np, real, map) ipnat_t *np; @@ -259,13 +261,11 @@ struct in_addr map; hostmap_t *hm; u_int hv; - MUTEX_ENTER(&ipf_hostmap); hv = real.s_addr % HOSTMAP_SIZE; for (hm = maptable[hv]; hm; hm = hm->hm_next) if ((hm->hm_realip.s_addr == real.s_addr) && (np == hm->hm_ipnat)) { hm->hm_ref++; - MUTEX_EXIT(&ipf_hostmap); return hm; } @@ -281,15 +281,16 @@ struct in_addr map; hm->hm_mapip = map; hm->hm_ref = 1; } - MUTEX_EXIT(&ipf_hostmap); return hm; } +/* + * Must be called with ipf_nat held as a write lock. + */ static void nat_hostmapdel(hm) struct hostmap *hm; { - MUTEX_ENTER(&ipf_hostmap); ATOMIC_DEC32(hm->hm_ref); if (hm->hm_ref == 0) { if (hm->hm_next) @@ -297,7 +298,6 @@ struct hostmap *hm; *hm->hm_pnext = hm->hm_next; KFREE(hm); } - MUTEX_EXIT(&ipf_hostmap); } @@ -698,9 +698,9 @@ int mode; break; case FIONREAD : #ifdef IPFILTER_LOG + arg = (int)iplused[IPL_LOGNAT]; MUTEX_DOWNGRADE(&ipf_nat); - error = IWCOPY((caddr_t)&iplused[IPL_LOGNAT], (caddr_t)data, - sizeof(iplused[IPL_LOGNAT])); + error = IWCOPY((caddr_t)&arg, (caddr_t)data, sizeof(arg)); if (error) error = EFAULT; #endif @@ -1068,6 +1068,9 @@ static int nat_flushtable() for (natp = &nat_instances; (nat = *natp); ) { *natp = nat->nat_next; +#ifdef IPFILTER_LOG + nat_log(nat, NL_FLUSH); +#endif nat_delete(nat); j++; } 
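Review bot: With the hostmap mutex removed, nat_hostmap increments the reference count as a plain `hm->hm_ref++` while nat_hostmapdel still decrements it with `ATOMIC_DEC32(hm->hm_ref)`; since the new comments on both functions require the caller to hold `ipf_nat` as a write lock, the atomic is now redundant and the mismatch suggests two different protection schemes are in play. Either `hm->hm_ref--;` in nat_hostmapdel, or a comment explaining why the decrement alone must stay atomic, would make the locking story self-consistent. It would also help to state in the `nat_hostmap` comment that the ipf_hostmap mutex was intentionally removed in favour of the write lock, so nobody reintroduces it. Both functions are fully visible in this hunk.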
@@ -1295,7 +1298,7 @@ int direction; inb.s_addr = htonl(in.s_addr); natl = nat_inlookup(fin->fin_ifp, flags & ~FI_WILDP, (u_int)ip->ip_p, ip->ip_dst, inb, - (port << 16) | dport); + (port << 16) | dport, 1); /* * Has the search wrapped around and come back to the @@ -1444,6 +1447,9 @@ int direction; tcp->th_dport = nport; } np->in_use++; +#ifdef IPFILTER_LOG + nat_log(nat, (u_int)np->in_redir); +#endif return nat; badnat: nat_stats.ns_badnat++; @@ -1565,18 +1571,18 @@ int dir; if (dir == NAT_INBOUND) return nat_inlookup(fin->fin_ifp, flags, (u_int)oip->ip_p, oip->ip_dst, oip->ip_src, - (tcp->th_sport << 16) | tcp->th_dport); + (tcp->th_sport << 16) | tcp->th_dport, 0); else return nat_outlookup(fin->fin_ifp, flags, (u_int)oip->ip_p, oip->ip_dst, oip->ip_src, - (tcp->th_sport << 16) | tcp->th_dport); + (tcp->th_sport << 16) | tcp->th_dport, 0); } if (dir == NAT_INBOUND) return nat_inlookup(fin->fin_ifp, 0, (u_int)oip->ip_p, - oip->ip_dst, oip->ip_src, 0); + oip->ip_dst, oip->ip_src, 0, 0); else return nat_outlookup(fin->fin_ifp, 0, (u_int)oip->ip_p, - oip->ip_dst, oip->ip_src, 0); + oip->ip_dst, oip->ip_src, 0, 0); } @@ -1590,7 +1596,7 @@ fr_info_t *fin; u_int *nflags; int dir; { - u_32_t sum1, sum2, sumd; + u_32_t sum1, sum2, sumd, sumd2 = 0; struct in_addr in; icmphdr_t *icmp; udphdr_t *udp; @@ -1639,7 +1645,7 @@ int dir; * in the first 8 bytes, so it will not be available in most cases. */ - if (nat->nat_dir == NAT_OUTBOUND) { + if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) { sum1 = LONG_SUM(ntohl(oip->ip_src.s_addr)); in = nat->nat_inip; oip->ip_src = in; @@ -1691,7 +1697,7 @@ int dir; * checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); - fix_outcksum(&icmp->icmp_cksum, sumd); + sumd2 = sumd; } #if 0 @@ -1750,7 +1756,7 @@ int dir; * checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); - fix_incksum(&icmp->icmp_cksum, sumd); + sumd2 = sumd; } #if 0 
@@ -1796,7 +1802,7 @@ int dir; * device that returns more than 8 data bytes on icmp error) */ - if (nat->nat_dir == NAT_OUTBOUND) { + if (nat->nat_oport == tcp->th_dport) { if (tcp->th_sport != nat->nat_inport) { /* * Fix ICMP checksum to compensate port @@ -1805,8 +1811,8 @@ int dir; sum1 = ntohs(tcp->th_sport); sum2 = ntohs(nat->nat_inport); CALC_SUMD(sum1, sum2, sumd); + sumd2 += sumd; tcp->th_sport = nat->nat_inport; - fix_outcksum(&icmp->icmp_cksum, sumd); /* * Fix udp checksum to compensate port @@ -1829,11 +1835,10 @@ int dir; * adjustment. */ CALC_SUMD(sum1, sum2, sumd); - fix_outcksum(&icmp->icmp_cksum, sumd); + sumd2 += sumd; } } } else { - if (tcp->th_dport != nat->nat_outport) { /* * Fix ICMP checksum to compensate port @@ -1842,8 +1847,8 @@ int dir; sum1 = ntohs(tcp->th_dport); sum2 = ntohs(nat->nat_outport); CALC_SUMD(sum1, sum2, sumd); + sumd2 += sumd; tcp->th_dport = nat->nat_outport; - fix_incksum(&icmp->icmp_cksum, sumd); /* * Fix udp checksum to compensate port @@ -1865,10 +1870,19 @@ int dir; * UDP checksum adjustment. */ CALC_SUMD(sum1, sum2, sumd); - fix_incksum(&icmp->icmp_cksum, sumd); + sumd2 += sumd; } } } + if (sumd2) { + sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); + sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16); + if (nat->nat_dir == NAT_OUTBOUND) { + fix_outcksum(&icmp->icmp_cksum, sumd2); + } else { + fix_incksum(&icmp->icmp_cksum, sumd2); + } + } } nat->nat_age = fr_defnaticmpage; return nat; @@ -1885,11 +1899,12 @@ int dir; * we're looking for a table entry, based on the destination address. * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */ -nat_t *nat_inlookup(ifp, flags, p, src, mapdst, ports) +nat_t *nat_inlookup(ifp, flags, p, src, mapdst, ports, rw) void *ifp; register u_int flags, p; struct in_addr src , mapdst; u_32_t ports; +int rw; { register u_short sport, dport; register nat_t *nat; 
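Review bot: The direction choice for the port rewrite in nat_icmp is now `if (nat->nat_oport == tcp->th_dport)` while the address rewrite a few lines earlier uses `if (oip->ip_dst.s_addr == nat->nat_oip.s_addr)`, and the two can disagree: for a port-preserving mapping where `nat_oport` happens to equal `nat_outport`, a quoted inbound packet has `th_dport == nat_oport` and would be steered into the outbound branch, rewriting `th_sport` to `nat_inport` when it should have rewritten `th_dport`. Unless entries reaching this point can never have equal ports, using the same address-based test for both decisions, `if (oip->ip_dst.s_addr == nat->nat_oip.s_addr) {`, keeps the address and port rewrites consistent. The removed `if (tcp->th_dport != nat->nat_outport)` guard is harmless (a zero delta from `CALC_SUMD`) but leaves the else branch unguarded while the outbound branch keeps its `th_sport != nat_inport` test; either both or neither should carry the guard. nat_icmp begins before and ends after this hunk.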
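Review bot: The new `rw` parameter on nat_inlookup (and nat_outlookup in the later hunk) changes the function's locking contract but the header comment above the signature does not mention it; from the callers, `1` is passed only from nat_new, where `ipf_nat` is presumably already write-held, and `0` everywhere else. A line in the comment block, `rw - non-zero when the caller already holds ipf_nat as a write lock; the read lock is then neither dropped nor re-acquired here`, would make the precondition explicit, since passing `1` from a path that only holds the read lock would let `nat_tabmove()` run without exclusive access. The same sentence belongs on nat_outlookup's comment. nat_inlookup continues past the end of this hunk.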
@@ -1917,9 +1932,13 @@ u_32_t ports; } if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP)) return NULL; - RWLOCK_EXIT(&ipf_nat); + if (!rw) { + RWLOCK_EXIT(&ipf_nat); + } hv = NAT_HASH_FN(dst, 0, ipf_nattable_sz); - WRITE_ENTER(&ipf_nat); + if (!rw) { + WRITE_ENTER(&ipf_nat); + } nat = nat_table[1][hv]; for (; nat; nat = nat->nat_hnext[1]) { nflags = nat->nat_flags; @@ -1934,21 +1953,38 @@ u_32_t ports; continue; if (((nat->nat_oport == sport) || (nflags & FI_W_DPORT)) && ((nat->nat_outport == dport) || (nflags & FI_W_SPORT))) { - nat_tabmove(nat); + nat_tabmove(nat, ports); break; } } - MUTEX_DOWNGRADE(&ipf_nat); + if (!rw) { + MUTEX_DOWNGRADE(&ipf_nat); + } return nat; } -static void nat_tabmove(nat) +/* + * This function is only called for TCP/UDP NAT table entries where the + * original was placed in the table without hashing on the ports and we now + * want to include hashing on port numbers. + */ +static void nat_tabmove(nat, ports) nat_t *nat; +u_32_t ports; { + register u_short sport, dport; nat_t **natp; u_int hv; + dport = ports >> 16; + sport = ports & 0xffff; + + if (nat->nat_oport == dport) { + nat->nat_inport = sport; + nat->nat_outport = sport; + } + /* * Remove the NAT entry from the old location */ @@ -1963,8 +1999,7 @@ nat_t *nat; /* * Add into the NAT table in the new position */ - hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport, - ipf_nattable_sz); + hv = NAT_HASH_FN(nat->nat_inip.s_addr, sport, ipf_nattable_sz); natp = &nat_table[0][hv]; if (*natp) (*natp)->nat_phnext[0] = &nat->nat_hnext[0]; @@ -1972,8 +2007,7 @@ nat_t *nat; nat->nat_hnext[0] = *natp; *natp = nat; - hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport, - ipf_nattable_sz); + hv = NAT_HASH_FN(nat->nat_outip.s_addr, sport, ipf_nattable_sz); natp = &nat_table[1][hv]; if (*natp) (*natp)->nat_phnext[1] = &nat->nat_hnext[1]; 
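Review bot: nat_tabmove now rehashes the entry with the packet-derived `sport` in both `NAT_HASH_FN(nat->nat_inip.s_addr, sport, ...)` and `NAT_HASH_FN(nat->nat_outip.s_addr, sport, ...)` regardless of whether the preceding `if (nat->nat_oport == dport)` fill-in ran, so when that test fails the entry is moved to a slot computed from a port it does not record in `nat_inport`/`nat_outport`, and a later non-wildcard lookup hashing on those fields looks like it would miss it. Given the callers pack ports as `(dport << 16) | sport` of the packet in both directions, `ports >> 16` for an inbound lookup is the packet's destination port (the `nat_outport` side), so the fill-in appears able to succeed only on outbound lookups; an inbound-first wildcard entry is the case to confirm. If the fill-in is the only situation where moving is valid, an early `if (nat->nat_oport != dport) return;` before the unlink, or hashing on `nat->nat_inport`/`nat->nat_outport` as the old code did, would keep the table consistent. nat_tabmove ends after this hunk.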
@@ -1989,11 +2023,12 @@ nat_t *nat; * we're looking for a table entry, based on the source address. * NOTE: THE PACKET BEING CHECKED (IF FOUND) HAS A MAPPING ALREADY. */ -nat_t *nat_outlookup(ifp, flags, p, src, dst, ports) +nat_t *nat_outlookup(ifp, flags, p, src, dst, ports, rw) void *ifp; register u_int flags, p; struct in_addr src , dst; u_32_t ports; +int rw; { register u_short sport, dport; register nat_t *nat; @@ -2014,7 +2049,7 @@ u_32_t ports; if ((!ifp || ifp == nat->nat_ifp) && nat->nat_inip.s_addr == srcip && nat->nat_oip.s_addr == dst.s_addr && - (((p == 0) && (flags == (nat->nat_flags & IPN_TCPUDP))) + (((p == 0) && (flags == (nflags & IPN_TCPUDP))) || (p == nat->nat_p)) && (!flags || ((nat->nat_inport == sport || nflags & FI_W_SPORT) && (nat->nat_oport == dport || nflags & FI_W_DPORT)))) @@ -2022,9 +2057,13 @@ u_32_t ports; } if (!nat_stats.ns_wilds || !(flags & IPN_TCPUDP)) return NULL; - RWLOCK_EXIT(&ipf_nat); + if (!rw) { + RWLOCK_EXIT(&ipf_nat); + } hv = NAT_HASH_FN(srcip, 0, ipf_nattable_sz); - WRITE_ENTER(&ipf_nat); + if (!rw) { + WRITE_ENTER(&ipf_nat); + } nat = nat_table[0][hv]; for (; nat; nat = nat->nat_hnext[0]) { nflags = nat->nat_flags; @@ -2037,13 +2076,15 @@ u_32_t ports; if ((nat->nat_inip.s_addr != srcip) || (nat->nat_oip.s_addr != dst.s_addr)) continue; - if (((nat->nat_inport == sport) || (nflags & FI_W_DPORT)) && - ((nat->nat_oport == dport) || (nflags & FI_W_SPORT))) { - nat_tabmove(nat); + if (((nat->nat_inport == sport) || (nflags & FI_W_SPORT)) && + ((nat->nat_oport == dport) || (nflags & FI_W_DPORT))) { + nat_tabmove(nat, ports); break; } } - MUTEX_DOWNGRADE(&ipf_nat); + if (!rw) { + MUTEX_DOWNGRADE(&ipf_nat); + } return nat; } @@ -2063,7 +2104,7 @@ register natlookup_t *np; * ip address. Else, we use the fake. */ if ((nat = nat_outlookup(NULL, np->nl_flags, 0, np->nl_inip, - np->nl_outip, ports))) { + np->nl_outip, ports, 0))) { np->nl_realip = nat->nat_outip; np->nl_realport = nat->nat_outport; } 
@@ -2164,10 +2205,11 @@ fr_info_t *fin; (nat = nat_icmp(ip, fin, &nflags, NAT_OUTBOUND))) ; else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) && - (nat = ipfr_nat_knownfrag(ip, fin))) + (nat = ipfr_nat_knownfrag(ip, fin))) natadd = 0; - else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p, ip->ip_src, - ip->ip_dst, (dport << 16) | sport))) { + else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p, + ip->ip_src, ip->ip_dst, + (dport << 16) | sport, 0))) { nflags = nat->nat_flags; if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) { if ((nflags & FI_W_SPORT) && @@ -2221,9 +2263,6 @@ maskloop: if ((nat = nat_new(np, ip, fin, (u_int)nflags, NAT_OUTBOUND))) { np->in_hits++; -#ifdef IPFILTER_LOG - nat_log(nat, (u_int)np->in_redir); -#endif break; } } @@ -2239,6 +2278,9 @@ maskloop: MUTEX_DOWNGRADE(&ipf_nat); } + /* + * NOTE: ipf_nat must now only be held as a read lock + */ if (nat) { np = nat->nat_ptr; if (natadd && fin->fin_fi.fi_fl & FI_FRAG) @@ -2383,7 +2425,8 @@ fr_info_t *fin; (nat = ipfr_nat_knownfrag(ip, fin))) natadd = 0; else if ((nat = nat_inlookup(fin->fin_ifp, nflags, (u_int)ip->ip_p, - ip->ip_src, in, (dport << 16) | sport))) { + ip->ip_src, in, (dport << 16) | sport, + 0))) { nflags = nat->nat_flags; if ((nflags & (FI_W_SPORT|FI_W_DPORT)) != 0) { if ((nat->nat_oport != sport) && (nflags & FI_W_DPORT)) @@ -2424,9 +2467,6 @@ maskloop: if ((nat = nat_new(np, ip, fin, nflags, NAT_INBOUND))) { np->in_hits++; -#ifdef IPFILTER_LOG - nat_log(nat, (u_int)np->in_redir); -#endif break; } } @@ -2441,6 +2481,10 @@ maskloop: } MUTEX_DOWNGRADE(&ipf_nat); } + + /* + * NOTE: ipf_nat must now only be held as a read lock + */ if (nat) { np = nat->nat_ptr; fin->fin_fr = nat->nat_fr; diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h index 8e166df..22f8503 100644 --- a/contrib/ipfilter/ip_nat.h +++ b/contrib/ipfilter/ip_nat.h 
@@ -6,7 +6,7 @@ * to the original author and the contributors. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.17.2.10 2000/10/27 14:06:51 darrenr Exp $ + * $Id: ip_nat.h,v 2.17.2.14 2000/11/18 03:58:04 darrenr Exp $ */ #ifndef __IP_NAT_H__ @@ -85,7 +85,7 @@ typedef struct nat { void *nat_ifp; int nat_dir; char nat_ifname[IFNAMSIZ]; -#if SOLARIS || defined(_sgi) +#if SOLARIS || defined(__sgi) kmutex_t nat_lock; #endif } nat_t; @@ -247,6 +247,7 @@ typedef struct natlog { #define NL_NEWRDR NAT_REDIRECT #define NL_NEWBIMAP NAT_BIMAP #define NL_NEWBLOCK NAT_MAPBLK +#define NL_FLUSH 0xfffe #define NL_EXPIRE 0xffff #define NAT_HASH_FN(k,l,m) (((k) + ((k) >> 12) + l) % (m)) @@ -285,9 +286,9 @@ extern int nat_ioctl __P((caddr_t, int, int)); extern int nat_init __P((void)); extern nat_t *nat_new __P((ipnat_t *, ip_t *, fr_info_t *, u_int, int)); extern nat_t *nat_outlookup __P((void *, u_int, u_int, struct in_addr, - struct in_addr, u_32_t)); + struct in_addr, u_32_t, int)); extern nat_t *nat_inlookup __P((void *, u_int, u_int, struct in_addr, - struct in_addr, u_32_t)); + struct in_addr, u_32_t, int)); extern nat_t *nat_maplookup __P((void *, u_int, struct in_addr, struct in_addr)); extern nat_t *nat_lookupredir __P((natlookup_t *)); diff --git a/contrib/ipfilter/ip_proxy.h b/contrib/ipfilter/ip_proxy.h index 933d79d..212900f 100644 --- a/contrib/ipfilter/ip_proxy.h +++ b/contrib/ipfilter/ip_proxy.h @@ -5,7 +5,7 @@ * provided that this notice is preserved and due credit is given * to the original author and the contributors. * - * $Id: ip_proxy.h,v 2.8.2.3 2000/05/06 12:32:43 darrenr Exp $ + * $Id: ip_proxy.h,v 2.8.2.4 2000/12/02 00:15:03 darrenr Exp $ */ #ifndef __IP_PROXY_H__ @@ -96,6 +96,7 @@ typedef struct ftpside { char *ftps_rptr; char *ftps_wptr; u_32_t ftps_seq; + u_32_t ftps_len; int ftps_junk; char ftps_buf[FTP_BUFSZ]; } ftpside_t; diff --git a/contrib/ipfilter/ip_rcmd_pxy.c b/contrib/ipfilter/ip_rcmd_pxy.c index e311b16..d017cf9 100644 
--- a/contrib/ipfilter/ip_rcmd_pxy.c +++ b/contrib/ipfilter/ip_rcmd_pxy.c @@ -1,5 +1,5 @@ /* - * $Id: ip_rcmd_pxy.c,v 1.4.2.3 2000/10/27 22:54:04 darrenr Exp $ + * $Id: ip_rcmd_pxy.c,v 1.4.2.4 2000/11/01 14:34:20 darrenr Exp $ */ /* * Simple RCMD transparent proxy for in-kernel use. For use with the NAT @@ -131,7 +131,7 @@ nat_t *nat; sp = htons(sp); dp = htons(fin->fin_data[1]); ipn = nat_outlookup(fin->fin_ifp, IPN_TCP, nat->nat_p, nat->nat_inip, - ip->ip_dst, (dp << 16) | sp); + ip->ip_dst, (dp << 16) | sp, 0); if (ipn == NULL) { int slen; diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c index 7d4ea2d..f6373811 100644 --- a/contrib/ipfilter/ip_sfil.c +++ b/contrib/ipfilter/ip_sfil.c @@ -9,7 +9,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.8 2000/10/19 15:42:10 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.9 2000/11/12 11:55:17 darrenr Exp $"; #endif #include <sys/types.h> @@ -66,7 +66,7 @@ static int frzerostats __P((caddr_t)); static int frrequest __P((minor_t, int, caddr_t, int)); static int send_ip __P((fr_info_t *fin, mblk_t *m)); -kmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_hostmap; +kmutex_t ipl_mutex, ipf_authmx, ipf_rw; KRWLOCK_T ipf_mutex, ipfs_mutex, ipf_solaris; KRWLOCK_T ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; kcondvar_t iplwait, ipfauthwait; @@ -90,7 +90,6 @@ int ipldetach() ip_natunload(); cv_destroy(&iplwait); cv_destroy(&ipfauthwait); - mutex_destroy(&ipf_hostmap); mutex_destroy(&ipf_authmx); mutex_destroy(&ipl_mutex); mutex_destroy(&ipf_rw); 
@@ -117,7 +116,6 @@ int iplattach __P((void)) mutex_init(&ipf_rw, "ipf rw mutex", MUTEX_DRIVER, NULL); mutex_init(&ipl_mutex, "ipf log mutex", MUTEX_DRIVER, NULL); mutex_init(&ipf_authmx, "ipf auth log mutex", MUTEX_DRIVER, NULL); - mutex_init(&ipf_hostmap, "ipf hostmap mutex", MUTEX_DRIVER, NULL); RWLOCK_INIT(&ipf_solaris, "ipf filter load/unload mutex", NULL); RWLOCK_INIT(&ipf_mutex, "ipf filter rwlock", NULL); RWLOCK_INIT(&ipfs_mutex, "ipf solaris mutex", NULL); diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index 7499bfd..5d63969 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.23 2000/10/27 14:06:08 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.28 2001/01/08 14:04:46 darrenr Exp $"; #endif #include <sys/errno.h> @@ -307,8 +307,8 @@ int mode; break; case FIONREAD : #ifdef IPFILTER_LOG - error = IWCOPY((caddr_t)&iplused[IPL_LOGSTATE], (caddr_t)data, - sizeof(iplused[IPL_LOGSTATE])); + arg = (int)iplused[IPL_LOGSTATE]; + error = IWCOPY((caddr_t)&arg, (caddr_t)data, sizeof(arg)); #endif break; case SIOCSTLCK : @@ -787,8 +787,6 @@ tcphdr_t *tcp; } ATOMIC_INCL(ips_stats.iss_hits); - is->is_pkts++; - is->is_bytes += fin->fin_dlen + fin->fin_hlen; /* * Nearing end of connection, start timeout. */ @@ -1148,10 +1146,6 @@ fr_info_t *fin; fr_matchsrcdst(is, src, dst, &ofin, tcp)) { fr = is->is_rule; ips_stats.iss_hits++; - /* - * we must swap src and dst here because the icmp - * comes the other way around - */ is->is_pkts++; is->is_bytes += fin->fin_plen; /* @@ -1379,6 +1373,9 @@ void *ifp; } +/* + * Must always be called with fr_ipfstate held as a write lock. + */ static void fr_delstate(is) ipstate_t *is; { 
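Review bot: The new comment above fr_delstate() says the caller must hold `fr_ipfstate` as a write lock, but no lock of that name appears anywhere in this diff; the lock the visible caller fr_timeoutstate() actually holds is `ipf_state` (see its RWLOCK_EXIT). Suggest `* Must always be called with ipf_state held as a write lock.` so the invariant can be grep-checked against the RWLOCK_ENTER/RWLOCK_EXIT sites. The body of fr_delstate() continues past this hunk.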
@@ -1397,9 +1394,10 @@ ipstate_t *is; fr = is->is_rule; if (fr != NULL) { - ATOMIC_DEC32(fr->fr_ref); - if (fr->fr_ref == 0) + fr->fr_ref--; + if (fr->fr_ref == 0) { KFREE(fr); + } } #ifdef _KERNEL MUTEX_DESTROY(&is->is_lock); @@ -1452,12 +1450,12 @@ void fr_timeoutstate() fr_delstate(is); } else isp = &is->is_next; - RWLOCK_EXIT(&ipf_state); - SPL_X(s); if (fr_state_doflush) { (void) fr_state_flush(1); fr_state_doflush = 0; } + RWLOCK_EXIT(&ipf_state); + SPL_X(s); } diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c index 6dc2f02..d43fc56 100644 --- a/contrib/ipfilter/ipfs.c +++ b/contrib/ipfilter/ipfs.c @@ -41,12 +41,19 @@ #include "ipf.h" #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.1 2000/05/06 00:11:18 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.3 2001/01/10 06:20:12 darrenr Exp $"; #endif #ifndef IPF_SAVEDIR # define IPF_SAVEDIR "/var/db/ipf" #endif +#ifndef IPF_NATFILE +# define IPF_NATFILE "ipnat.ipf" +#endif +#ifndef IPF_STATEFILE +# define IPF_STATEFILE "ipstate.ipf" +#endif + #if !defined(__SVR4) && defined(__GNUC__) extern char *index __P((const char *, int)); #endif @@ -271,8 +278,14 @@ char *argv[]; usage(); } - if (ifs) - return changestateif(ifs, filename); + if (ifs) { + if (!filename || ns<0) + usage(); + if (ns == 0) + return changenatif(ifs, filename); + else + return changestateif(ifs, filename); + } if ((ns >= 0) || (lock >= 0)) { if (lock >= 0) @@ -363,6 +376,9 @@ char *file; ipstate_save_t ips, *ipsp; int wfd = -1; + if (!file) + file = IPF_STATEFILE; + wfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600); if (wfd == -1) { fprintf(stderr, "%s ", file); @@ -404,6 +420,9 @@ char *file; ipstate_save_t ips, *is, *ipshead = NULL, *is1, *ipstail = NULL; int sfd = -1, i; + if (!file) + file = IPF_STATEFILE; + sfd = open(file, O_RDONLY, 0600); if (sfd == -1) { fprintf(stderr, "%s ", file); 
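Review bot: Replacing `ATOMIC_DEC32(fr->fr_ref)` with a plain `fr->fr_ref--` is only correct if every other path that touches fr_ref also runs under the ipf_state write lock; if the rule-table code increments or decrements fr_ref under a different lock (its definition sites are not in this diff), two unsynchronized decrements can miss the zero crossing or hit it twice, i.e. a rule leak or a double KFREE(). Either keep the atomic decrement, or state the protecting lock at the site once confirmed against fil.c/ip_fil.c: `/* fr_ref is only modified with ipf_state write-held */`. fr_delstate() starts outside this hunk.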
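Review bot: Moving `RWLOCK_EXIT(&ipf_state)` below the `fr_state_flush(1)` call means fr_state_flush() now runs with the ipf_state write lock already held; that closes the race, but it only works if fr_state_flush() (not in this diff) does not itself RWLOCK_ENTER ipf_state, which would self-deadlock where the rwlock is not recursive. A precondition comment at the call site, `/* ipf_state is write-held here; fr_state_flush() must not take it */`, would keep a later change from reintroducing the lock inside the flush. fr_timeoutstate() begins outside this hunk.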
@@ -432,6 +451,11 @@ char *file; return 1; } is = (ipstate_save_t *)malloc(sizeof(*is)); + if(!is) { + fprintf(stderr, "malloc failed\n"); + return 1; + } + bcopy((char *)&ips, (char *)is, sizeof(ips)); /* @@ -497,6 +521,9 @@ char *file; int nfd = -1, i; nat_t *nat; + if (!file) + file = IPF_NATFILE; + nfd = open(file, O_RDONLY); if (nfd == -1) { fprintf(stderr, "%s ", file); @@ -615,6 +642,9 @@ char *file; int nfd = -1; natget_t ng; + if (!file) + file = IPF_NATFILE; + nfd = open(file, O_WRONLY|O_TRUNC|O_CREAT, 0600); if (nfd == -1) { fprintf(stderr, "%s ", file); @@ -699,14 +729,14 @@ char *dirname; devfd = opendevice(IPL_STATE); if (devfd == -1) return 1; - if (writestate(devfd, "ipstate.ipf")) + if (writestate(devfd, NULL)) return 1; close(devfd); devfd = opendevice(IPL_NAT); if (devfd == -1) return 1; - if (writenat(devfd, "ipnat.ipf")) + if (writenat(devfd, NULL)) return 1; close(devfd); @@ -743,14 +773,14 @@ char *dirname; devfd = opendevice(IPL_STATE); if (devfd == -1) return 1; - if (readstate(devfd, "ipstate.ipf")) + if (readstate(devfd, NULL)) return 1; close(devfd); devfd = opendevice(IPL_NAT); if (devfd == -1) return 1; - if (readnat(devfd, "ipnat.ipf")) + if (readnat(devfd, NULL)) return 1; close(devfd); diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c index 9eeb055..2668976 100644 --- a/contrib/ipfilter/ipft_tx.c +++ b/contrib/ipfilter/ipft_tx.c @@ -43,7 +43,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3 2000/03/13 22:10:24 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.1 2001/01/10 06:19:53 darrenr Exp $"; #endif extern int opts; 
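Review bot: The new malloc() failure path in readstate() returns 1 without `close(sfd)` and without freeing the ipstate_save_t entries presumably already chained from ipshead, so the descriptor and the partial list leak on that path; harmless if the caller exits, but the function's other error returns are not visible here to confirm that. Suggest at least closing the file and matching the surrounding `if (sfd == -1)` spelling: `if (is == NULL) { fprintf(stderr, "malloc failed\n"); close(sfd); return 1; }`. readstate() starts and ends outside this hunk.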
@@ -54,9 +54,9 @@ static int text_open __P((char *)), text_close __P((void)); static int text_readip __P((char *, int, char **, int *)); static int parseline __P((char *, ip_t *, char **, int *)); -static char _tcp_flagset[] = "FSRPAU"; +static char _tcp_flagset[] = "FSRPAUEC"; static u_char _tcp_flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, - TH_ACK, TH_URG }; + TH_ACK, TH_URG, TH_ECN, TH_CWR }; struct ipread iptext = { text_open, text_close, text_readip }; static FILE *tfp = NULL; diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h index b54d6f9..3529d65 100644 --- a/contrib/ipfilter/ipl.h +++ b/contrib/ipfilter/ipl.h @@ -6,12 +6,12 @@ * to the original author and the contributors. * * @(#)ipl.h 1.21 6/5/96 - * $Id: ipl.h,v 2.15.2.14 2000/10/27 22:54:41 darrenr Exp $ + * $Id: ipl.h,v 2.15.2.17 2001/01/14 13:47:15 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.4.13" +#define IPL_VERSION "IP Filter: v3.4.16" #endif diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c index 5f9db0b..9250e24 100644 --- a/contrib/ipfilter/ipmon.c +++ b/contrib/ipfilter/ipmon.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.5 2000/10/19 15:41:41 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.8 2001/01/10 06:18:08 darrenr Exp $"; #endif #ifndef SOLARIS @@ -91,6 +91,8 @@ struct flags tcpfl[] = { { TH_FIN, 'F' }, { TH_URG, 'U' }, { TH_PUSH,'P' }, + { TH_ECN, 'E' }, + { TH_CWR, 'C' }, { 0, '\0' } }; @@ -144,6 +146,7 @@ static char **tcp_ports = NULL; #define OPT_FILTER 0x200 #define OPT_PORTNUM 0x400 #define OPT_LOGALL (OPT_NAT|OPT_STATE|OPT_FILTER) +#define OPT_LOGBODY 0x800 #define HOSTNAME_V4(a,b) hostname((a), 4, (u_32_t *)&(b)) 
@@ -401,6 +404,8 @@ int blen; strcpy(t, "NAT:RDR "); else if (nl->nl_type == NL_EXPIRE) strcpy(t, "NAT:EXPIRE "); + else if (nl->nl_type == NL_FLUSH) + strcpy(t, "NAT:FLUSH "); else if (nl->nl_type == NL_NEWBIMAP) strcpy(t, "NAT:BIMAP "); else if (nl->nl_type == NL_NEWBLOCK) @@ -834,6 +839,8 @@ printipflog: dumphex(log, (u_char *)buf, sizeof(iplog_t) + sizeof(*ipf)); if (opts & OPT_HEXBODY) dumphex(log, (u_char *)ip, ipf->fl_plen + ipf->fl_hlen); + else if ((opts & OPT_LOGBODY) && (ipf->fl_flags & FR_LOGBODY)) + dumphex(log, (u_char *)ip + ipf->fl_hlen, ipf->fl_plen); } @@ -945,7 +952,7 @@ char *argv[]; iplfile[1] = IPNAT_NAME; iplfile[2] = IPSTATE_NAME; - while ((c = getopt(argc, argv, "?aDf:FhnN:o:O:pP:sS:tvxX")) != -1) + while ((c = getopt(argc, argv, "?abDf:FhnN:o:O:pP:sS:tvxX")) != -1) switch (c) { case 'a' : @@ -954,6 +961,9 @@ char *argv[]; fdt[1] = IPL_LOGNAT; fdt[2] = IPL_LOGSTATE; break; + case 'b' : + opts |= OPT_LOGBODY; + break; case 'D' : make_daemon = 1; break; diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c index 18b8819..51af2e1 100644 --- a/contrib/ipfilter/ipnat.c +++ b/contrib/ipfilter/ipnat.c @@ -57,7 +57,7 @@ extern char *sys_errlist[]; #if !defined(lint) static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.4 2000/10/27 14:06:47 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.5 2000/12/02 00:15:04 darrenr Exp $"; #endif 
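Review bot: The new `-b` option (OPT_LOGBODY) is wired into getopt and the dump path, but nothing in this diff adds it to ipmon's usage() text or ipmon.8, so as far as the change shows it is undiscoverable; add a usage line such as `-b   dump the packet body for rules flagged FR_LOGBODY`. A comment at the dumphex call noting that OPT_HEXBODY wins is also worth having, because the `else if` means `-b` output is silently suppressed whenever the hex-body option is also set.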
@@ -236,15 +236,17 @@ int opts; ftp.ftp_side[0].ftps_buf[FTP_BUFSZ - 1] = '\0'; ftp.ftp_side[1].ftps_buf[FTP_BUFSZ - 1] = '\0'; printf("\tClient:\n"); - printf("\t\trptr %p wptr %p seq %x junk %d\n", + printf("\t\trptr %p wptr %p seq %x len %d junk %d\n", ftp.ftp_side[0].ftps_rptr, ftp.ftp_side[0].ftps_wptr, - ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_junk); + ftp.ftp_side[0].ftps_seq, ftp.ftp_side[0].ftps_len, + ftp.ftp_side[0].ftps_junk); printf("\t\tbuf ["); printbuf(ftp.ftp_side[0].ftps_buf, FTP_BUFSZ, 1); printf("]\n\tServer:\n"); - printf("\t\trptr %p wptr %p seq %x junk %d\n", + printf("\t\trptr %p wptr %p seq %x len %d junk %d\n", ftp.ftp_side[1].ftps_rptr, ftp.ftp_side[1].ftps_wptr, - ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_junk); + ftp.ftp_side[1].ftps_seq, ftp.ftp_side[1].ftps_len, + ftp.ftp_side[1].ftps_junk); printf("\t\tbuf ["); printbuf(ftp.ftp_side[1].ftps_buf, FTP_BUFSZ, 1); printf("]\n"); diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c index e81c890..c5eacb3 100644 --- a/contrib/ipfilter/ipsend/ip.c +++ b/contrib/ipfilter/ipsend/ip.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C)1995"; -static const char rcsid[] = "@(#)$Id: ip.c,v 2.1 1999/08/04 17:31:04 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.1 2001/01/10 06:21:19 darrenr Exp $"; #endif #include <errno.h> #include <stdio.h> @@ -99,7 +99,15 @@ int frag; int err, iplen; if (!ipbuf) + { ipbuf = (char *)malloc(65536); + if(!ipbuf) + { + perror("malloc failed"); + return -2; + } + } + eh = (ether_header_t *)ipbuf; bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost)); diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c index 748abfb..3dd39af 100644 --- a/contrib/ipfilter/ipsend/ipsend.c +++ b/contrib/ipfilter/ipsend/ipsend.c 
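Review bot: `ftps_len` is declared `u_32_t` in the ip_proxy.h hunk earlier in this diff, yet both new printf() calls format it with `%d`, a signed/unsigned mismatch that `-Wformat` will flag; use `%u`, as the adjacent `seq %x` already treats its u_32_t as unsigned: `printf("\t\trptr %p wptr %p seq %x len %u junk %d\n",`. The `junk %d` is an int and can stay. The enclosing function starts outside this hunk.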
@@ -12,7 +12,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2 1999/12/04 03:37:05 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.1 2001/01/10 06:21:19 darrenr Exp $"; #endif #include <stdio.h> #include <stdlib.h> @@ -347,6 +347,12 @@ char **argv; printf("Options: %d\n", olen); ti = (struct tcpiphdr *)malloc(olen + ip->ip_len); + if(!ti) + { + fprintf(stderr,"malloc failed\n"); + exit(2); + } + bcopy((char *)ip, (char *)ti, sizeof(*ip)); ip = (ip_t *)ti; ip->ip_hl = (olen >> 2); diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c index e4397ce..095aa9e 100644 --- a/contrib/ipfilter/ipsend/resend.c +++ b/contrib/ipfilter/ipsend/resend.c @@ -12,7 +12,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: resend.c,v 2.1 1999/08/04 17:31:12 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.1 2001/01/10 06:21:20 darrenr Exp $"; #endif #include <stdio.h> #include <netdb.h> @@ -97,6 +97,11 @@ char *datain; ip = (struct ip *)pbuf; eh = (ether_header_t *)malloc(sizeof(*eh)); + if(!eh) + { + perror("malloc failed"); + return -2; + } bzero((char *)A_A eh->ether_shost, sizeof(eh->ether_shost)); if (gwip.s_addr && (arp((char *)&gwip, dhost) == -1)) diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c index cef71fe..2ee5028 100644 --- a/contrib/ipfilter/ipsend/sock.c +++ b/contrib/ipfilter/ipsend/sock.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: sock.c,v 2.1 1999/08/04 17:31:16 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.1 2000/12/16 21:05:44 darrenr Exp $"; #endif #include <stdio.h> #include <unistd.h> 
@@ -282,12 +282,21 @@ struct tcpiphdr *ti; return NULL; fd = (struct filedesc *)malloc(sizeof(*fd)); +#if defined( __FreeBSD_version) && __FreeBSD_version >= 500013 + if (KMCPY(fd, p->ki_fd, sizeof(*fd)) == -1) + { + fprintf(stderr, "read(%#lx,%#lx) failed\n", + (u_long)p, (u_long)p->ki_fd); + return NULL; + } +#else if (KMCPY(fd, p->kp_proc.p_fd, sizeof(*fd)) == -1) { fprintf(stderr, "read(%#lx,%#lx) failed\n", (u_long)p, (u_long)p->kp_proc.p_fd); return NULL; } +#endif o = (struct file **)calloc(1, sizeof(*o) * (fd->fd_lastfile + 1)); if (KMCPY(o, fd->fd_ofiles, (fd->fd_lastfile + 1) * sizeof(*o)) == -1) diff --git a/contrib/ipfilter/man/ipfstat.8 b/contrib/ipfilter/man/ipfstat.8 index 11149afdf..a5909d0 100644 --- a/contrib/ipfilter/man/ipfstat.8 +++ b/contrib/ipfilter/man/ipfstat.8 @@ -139,14 +139,22 @@ kernel. .SH STATE TOP Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In this mode the state table is displayed similar to the way \fBtop\fP displays -the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and\fB\-T\fP +the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP commandline options can be used to restrict the state entries that will be shown and to specify the frequency of display updates. .PP In state top mode, the following keys can be used to influence the displayed -information. \fBl\fP can be used to redraw the screen. \fBq\fP is used to -quit the program. \fBs\fP can be used to change the sorting criterion and -\fBr\fP can be used to reverse the sorting criterion. +information: +.TP +\fBd\fP select information to display. +.TP +\fBl\fP redraw the screen. +.TP +\fBq\fP quit the program. +.TP +\fBs\fP switch between different sorting criterion. +.TP +\fBr\fP reverse the sorting criterion. .PP States can be sorted by protocol number, by number of IP packets, by number of bytes and by time-to-live of the state entry. The default is to sort by 
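Review bot: The new FreeBSD 5 branch copies `sizeof(*fd)` bytes into `fd` right after the unchecked `malloc(sizeof(*fd))` on the context line, so an allocation failure becomes a write through NULL instead of the clean `return NULL` used for the KMCPY failures; this same commit adds malloc checks in ipsend/ip.c and resend.c, and this site should get the same treatment: `if (fd == NULL) return NULL;` before the `#if`. The `o = calloc(...)` two lines below has the same gap but is unchanged context. The enclosing function starts and ends outside this hunk.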
diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c index f6e7ad4..3ca7df3 100644 --- a/contrib/ipfilter/mlf_ipl.c +++ b/contrib/ipfilter/mlf_ipl.c @@ -93,6 +93,9 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_flags, CTLFLAG_RW, &fr_flags, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_pass, CTLFLAG_RW, &fr_pass, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_active, CTLFLAG_RD, &fr_active, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttllog, CTLFLAG_RW, + &fr_minttllog, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcpidletimeout, CTLFLAG_RW, &fr_tcpidletimeout, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_tcphalfclosed, CTLFLAG_RW, diff --git a/contrib/ipfilter/mlfk_ipl.c b/contrib/ipfilter/mlfk_ipl.c index f96c57e..0dc4ff2 100644 --- a/contrib/ipfilter/mlfk_ipl.c +++ b/contrib/ipfilter/mlfk_ipl.c @@ -23,7 +23,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: mlfk_ipl.c,v 2.1.2.4 2000/08/23 11:02:33 darrenr Exp $ + * $Id: mlfk_ipl.c,v 2.1.2.6 2000/11/18 03:58:29 darrenr Exp $ */ @@ -38,6 +38,12 @@ #include <netinet/in_systm.h> #include <netinet/in.h> #include <netinet/ip.h> +#if (__FreeBSD_version >= 199511) +# include <net/route.h> +# include <netinet/ip_var.h> +# include <netinet/tcp.h> +# include <netinet/tcpip.h> +#endif #include <netinet/ipl.h> @@ -47,6 +53,7 @@ #include <netinet/ip_nat.h> #include <netinet/ip_auth.h> #include <netinet/ip_frag.h> +#include <netinet/ip_proxy.h> static dev_t ipf_devs[IPL_LOGMAX + 1]; 
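Review bot: `fr_minttl` is exposed as a plain CTLFLAG_RW int with no range check even though an IP TTL is an 8-bit field; depending on how fil.c compares it (not in this diff), a value above 255 would presumably reject every packet and a negative value silently disable the check. Unless the comparison is already bounded there, a SYSCTL_PROC handler rejecting values outside 0..255 is the right shape, or at minimum a comment on this line stating the valid range and the disabling value once confirmed, e.g. `/* valid 0..255 — see fil.c */`. The empty description string also leaves `sysctl -d` blank for a security-relevant knob.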
@@ -86,6 +93,11 @@ SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_authused, CTLFLAG_RD, SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_defaultauthage, CTLFLAG_RW, &fr_defaultauthage, 0, ""); SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &fr_chksrc, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, ippr_ftp_pasvonly, CTLFLAG_RW, + &ippr_ftp_pasvonly, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &fr_minttl, 0, ""); +SYSCTL_INT(_net_inet_ipf, OID_AUTO, fr_minttllog, CTLFLAG_RW, + &fr_minttllog, 0, ""); #define CDEV_MAJOR 79 static struct cdevsw ipl_cdevsw = { diff --git a/contrib/ipfilter/mli_ipl.c b/contrib/ipfilter/mli_ipl.c index 0630bb4..a451a10 100644 --- a/contrib/ipfilter/mli_ipl.c +++ b/contrib/ipfilter/mli_ipl.c @@ -49,7 +49,7 @@ unsigned IPL_EXTERN(devflag) = D_MP; char *IPL_EXTERN(mversion) = M_VERSION; #endif -kmutex_t ipl_mutex, ipf_mutex, ipfi_mutex, ipf_rw, ipf_hostmap; +kmutex_t ipl_mutex, ipf_mutex, ipfi_mutex, ipf_rw; kmutex_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth; int (*fr_checkp) __P((struct ip *, int, void *, int, mb_t **)); @@ -539,7 +539,6 @@ IPL_EXTERN(unload)(void) LOCK_DEALLOC(ipf_rw.l); LOCK_DEALLOC(ipf_auth.l); LOCK_DEALLOC(ipf_natfrag.l); - LOCK_DEALLOC(ipf_hostmap.l); LOCK_DEALLOC(ipf_nat.l); LOCK_DEALLOC(ipf_state.l); LOCK_DEALLOC(ipf_frag.l); @@ -562,7 +561,6 @@ IPL_EXTERN(init)(void) ipf_frag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_state.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_nat.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); - ipf_hostmap.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_natfrag.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_auth.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); ipf_rw.l = LOCK_ALLOC((uchar_t)-1, IPF_LOCK_PL, (lkinfo_t *)-1, KM_NOSLEEP); 
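Review bot: The three new SYSCTL_INT entries (ippr_ftp_pasvonly, fr_minttl, fr_minttllog) register the empty description `""`; that matches the existing entries, but these are runtime security-policy knobs and `sysctl -d net.inet.ipf` will show nothing for them, so a one-line description of each, written once the semantics are confirmed in ip_ftp_pxy.c and fil.c (not in this diff), is worth adding. fr_minttl is also an unbounded RW int for an 8-bit TTL field; a range-checked SYSCTL_PROC would be safer than a bare int.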
@@ -570,7 +568,7 @@ IPL_EXTERN(init)(void) if (!ipfi_mutex.l || !ipf_mutex.l || !ipf_frag.l || !ipf_state.l || !ipf_nat.l || !ipf_natfrag.l || !ipf_auth.l || !ipf_rw.l || - !ipl_mutex.l || !ipf_hostmap.l) + !ipl_mutex.l) panic("IP Filter: LOCK_ALLOC failed"); #ifdef IPFILTER_LKM diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c index ab1e08c..0441ad5 100644 --- a/contrib/ipfilter/parse.c +++ b/contrib/ipfilter/parse.c @@ -671,8 +671,8 @@ int linenum; return -1; while (**cp && (!strncasecmp(**cp, "ipopt", 5) || - !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 4) || - !strncasecmp(**cp, "frag", 3) || !strncasecmp(**cp, "no", 2) || + !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 3) || + !strncasecmp(**cp, "frag", 4) || !strncasecmp(**cp, "no", 2) || !strncasecmp(**cp, "short", 5))) { if (***cp == 'n' || ***cp == 'N') { notopt = 1; diff --git a/contrib/ipfilter/samples/userauth.c b/contrib/ipfilter/samples/userauth.c index 65dcc74..5b50a94 100644 --- a/contrib/ipfilter/samples/userauth.c +++ b/contrib/ipfilter/samples/userauth.c @@ -21,7 +21,7 @@ main() char yn[16]; int fd; - fd = open(IPL_NAME, O_RDWR); + fd = open(IPL_AUTH, O_RDWR); while (ioctl(fd, SIOCAUTHW, &frap) == 0) { if (fra.fra_info.fin_out) fra.fra_pass = FR_OUTQUE; diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c index c32f250..1e82ec0 100644 --- a/contrib/ipfilter/solaris.c +++ b/contrib/ipfilter/solaris.c @@ -6,7 +6,7 @@ * to the original author and the contributors. */ /* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/ -#pragma ident "@(#)$Id: solaris.c,v 2.15.2.7 2000/08/05 14:50:30 darrenr Exp $" +#pragma ident "@(#)$Id: solaris.c,v 2.15.2.8 2000/11/27 10:28:41 darrenr Exp $" #include <sys/systm.h> #include <sys/types.h> 
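Review bot: The corrected strncasecmp lengths make `opt` and `frag` match as intended, but every test in this condition is still a prefix match, so tokens such as `fragment`, `option` or `nothing` are accepted as the keywords `frag`, `opt` and `no`; in a firewall rule parser that silently accepts a misspelt token is what turns a typo into an unintended rule. If `**cp` is a NUL-terminated whitespace-split token (its producer is outside this hunk), `strcasecmp(**cp, "frag") == 0` and friends would make the match exact. The enclosing function starts and ends outside this hunk.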
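Review bot: `fd = open(IPL_AUTH, O_RDWR);` is still passed straight into the `ioctl(fd, SIOCAUTHW, ...)` loop without checking for -1, so if the auth device is missing or unopenable the loop condition fails on the first ioctl and the sample exits silently having authenticated nothing, exactly as with the old IPL_NAME. Add `if (fd == -1) { perror(IPL_AUTH); exit(1); }` after the open so the failure is visible. main() starts and ends outside this hunk.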
@@ -645,8 +645,8 @@ tryagain:
 hlen = sizeof(ip6_t);
 ip6 = (ip6_t *)ip;
 /* XXX - might not be aligned (from ppp?) */
- ((char *)&tlen)[0] = ((char *)&ip->ip_len)[0];
- ((char *)&tlen)[1] = ((char *)&ip->ip_len)[1];
+ ((char *)&tlen)[0] = ((char *)&ip6->ip6_plen)[0];
+ ((char *)&tlen)[1] = ((char *)&ip6->ip6_plen)[1];
 plen = ntohs(tlen);
 sap = IP6_DL_SAP;
 }
@@ -1689,7 +1689,7 @@ frdest_t *fdp;
 # ifdef USE_INET6
 else if (fin->fin_v == 6) {
 p = ip6->ip6_nxt;
- dir = ire_route_lookup_v6(&ip6->ip6_dst, 0xffffffff, 0, 0,
+ dir = ire_route_lookup_v6(&ip6->ip6_dst, NULL, 0, 0,
 NULL, &gw, NULL, MATCH_IRE_DSTONLY|
 MATCH_IRE_DEFAULT|MATCH_IRE_RECURSIVE);
 }
diff --git a/contrib/ipfilter/test/expected/i7 b/contrib/ipfilter/test/expected/i7
index 750cf26..d1b7978 100644
--- a/contrib/ipfilter/test/expected/i7
+++ b/contrib/ipfilter/test/expected/i7
@@ -1,4 +1,4 @@
 pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA
-block in on lo0(!) proto tcp from any to any flags A/0xff
+block in on lo0(!) proto tcp from any to any flags A/0xbf
 pass in on lo0(!) proto tcp from any to any flags /SPA
 block in on lo0(!) proto tcp from any to any flags 0x80/A |
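Review bot: Reading `ip6->ip6_plen` instead of the IPv4 `ip_len` field is the right fix for the v6 branch, but the two fields mean different things: ip6_plen excludes the 40-byte fixed header that `hlen` was just set to, while ip_len includes the header, so `plen` now carries a different quantity for v6 than for v4 and whatever later checks `plen` against the mblk length must add `hlen` for v6 (that code is outside this hunk). A comment on the assignment would stop the two from being treated alike: `/* ip6_plen excludes the fixed header, unlike ip_len */`. The byte-wise copy is justified by the alignment note above it and should stay.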