authordarrenr <darrenr@FreeBSD.org>2001-07-28 11:59:33 +0000
committerdarrenr <darrenr@FreeBSD.org>2001-07-28 11:59:33 +0000
commitc51cd1facc817411a340278e6e0b901d53f11cc5 (patch)
tree503d2119100a8bd3735c0bda1607f3a64ed1ad33 /contrib/ipfilter
parentc32397cc6efcbaabe335e3ec33e4a4dd78df29c7 (diff)
Import IPFilter version 3.4.20
Diffstat (limited to 'contrib/ipfilter')
-rw-r--r--contrib/ipfilter/BNF2
-rw-r--r--contrib/ipfilter/HISTORY115
-rw-r--r--contrib/ipfilter/IMPORTANT35
-rw-r--r--contrib/ipfilter/Makefile11
-rw-r--r--contrib/ipfilter/common.c6
-rw-r--r--contrib/ipfilter/etc/services1
-rw-r--r--contrib/ipfilter/facpri.c15
-rw-r--r--contrib/ipfilter/facpri.h8
-rw-r--r--contrib/ipfilter/fil.c144
-rw-r--r--contrib/ipfilter/fils.c197
-rw-r--r--contrib/ipfilter/inet_addr.c19
-rw-r--r--contrib/ipfilter/ip_auth.c217
-rw-r--r--contrib/ipfilter/ip_auth.h12
-rw-r--r--contrib/ipfilter/ip_compat.h97
-rw-r--r--contrib/ipfilter/ip_fil.c215
-rw-r--r--contrib/ipfilter/ip_fil.h29
-rw-r--r--contrib/ipfilter/ip_frag.c107
-rw-r--r--contrib/ipfilter/ip_frag.h17
-rw-r--r--contrib/ipfilter/ip_ftp_pxy.c110
-rw-r--r--contrib/ipfilter/ip_lfil.c14
-rw-r--r--contrib/ipfilter/ip_log.c67
-rw-r--r--contrib/ipfilter/ip_nat.c154
-rw-r--r--contrib/ipfilter/ip_nat.h33
-rw-r--r--contrib/ipfilter/ip_proxy.c34
-rw-r--r--contrib/ipfilter/ip_proxy.h11
-rw-r--r--contrib/ipfilter/ip_raudio_pxy.c22
-rw-r--r--contrib/ipfilter/ip_sfil.c20
-rw-r--r--contrib/ipfilter/ip_state.c77
-rw-r--r--contrib/ipfilter/ip_state.h16
-rw-r--r--contrib/ipfilter/ipf.c46
-rw-r--r--contrib/ipfilter/ipf.h8
-rw-r--r--contrib/ipfilter/ipfs.c19
-rw-r--r--contrib/ipfilter/ipft_ef.c8
-rw-r--r--contrib/ipfilter/ipft_hx.c8
-rw-r--r--contrib/ipfilter/ipft_pc.c17
-rw-r--r--contrib/ipfilter/ipft_sn.c31
-rw-r--r--contrib/ipfilter/ipft_td.c8
-rw-r--r--contrib/ipfilter/ipft_tx.c18
-rw-r--r--contrib/ipfilter/ipl.h10
-rw-r--r--contrib/ipfilter/iplang/iplang.h4
-rw-r--r--contrib/ipfilter/ipmon.c205
-rw-r--r--contrib/ipfilter/ipnat.c76
-rw-r--r--contrib/ipfilter/ipsd/ipsd.c6
-rw-r--r--contrib/ipfilter/ipsd/ipsd.h4
-rw-r--r--contrib/ipfilter/ipsd/ipsdr.c6
-rw-r--r--contrib/ipfilter/ipsd/linux.h4
-rw-r--r--contrib/ipfilter/ipsd/sbpf.c4
-rw-r--r--contrib/ipfilter/ipsd/sdlpi.c4
-rw-r--r--contrib/ipfilter/ipsd/slinux.c4
-rw-r--r--contrib/ipfilter/ipsd/snit.c4
-rw-r--r--contrib/ipfilter/ipsend/arp.c13
-rw-r--r--contrib/ipfilter/ipsend/hpux.c4
-rw-r--r--contrib/ipfilter/ipsend/ip.c12
-rw-r--r--contrib/ipfilter/ipsend/ipresend.12
-rw-r--r--contrib/ipfilter/ipsend/ipresend.c13
-rw-r--r--contrib/ipfilter/ipsend/ipsend.c13
-rw-r--r--contrib/ipfilter/ipsend/ipsend.h12
-rw-r--r--contrib/ipfilter/ipsend/ipsopt.c18
-rw-r--r--contrib/ipfilter/ipsend/iptest.c13
-rw-r--r--contrib/ipfilter/ipsend/iptests.c13
-rw-r--r--contrib/ipfilter/ipsend/larp.c6
-rw-r--r--contrib/ipfilter/ipsend/linux.h4
-rw-r--r--contrib/ipfilter/ipsend/lsock.c6
-rw-r--r--contrib/ipfilter/ipsend/resend.c14
-rw-r--r--contrib/ipfilter/ipsend/sbpf.c6
-rw-r--r--contrib/ipfilter/ipsend/sdlpi.c9
-rw-r--r--contrib/ipfilter/ipsend/sirix.c4
-rw-r--r--contrib/ipfilter/ipsend/slinux.c6
-rw-r--r--contrib/ipfilter/ipsend/snit.c6
-rw-r--r--contrib/ipfilter/ipsend/sock.c14
-rw-r--r--contrib/ipfilter/ipsend/ultrix.c4
-rw-r--r--contrib/ipfilter/ipt.c16
-rw-r--r--contrib/ipfilter/ipt.h8
-rw-r--r--contrib/ipfilter/kmem.c24
-rw-r--r--contrib/ipfilter/kmem.h10
-rw-r--r--contrib/ipfilter/man/ipf.52
-rw-r--r--contrib/ipfilter/man/ipl.42
-rw-r--r--contrib/ipfilter/misc.c8
-rw-r--r--contrib/ipfilter/ml_ipl.c6
-rw-r--r--contrib/ipfilter/mlf_ipl.c33
-rw-r--r--contrib/ipfilter/mli_ipl.c6
-rw-r--r--contrib/ipfilter/mln_ipl.c6
-rw-r--r--contrib/ipfilter/mls_ipl.c8
-rw-r--r--contrib/ipfilter/natparse.c25
-rw-r--r--contrib/ipfilter/opt.c8
-rw-r--r--contrib/ipfilter/parse.c26
-rw-r--r--contrib/ipfilter/pcap.h9
-rw-r--r--contrib/ipfilter/relay.c9
-rw-r--r--contrib/ipfilter/snoop.h8
-rw-r--r--contrib/ipfilter/solaris.c344
-rw-r--r--contrib/ipfilter/test/Makefile6
-rw-r--r--contrib/ipfilter/test/expected/i74
-rw-r--r--contrib/ipfilter/test/input/f134
93 files changed, 1972 insertions, 1091 deletions
diff --git a/contrib/ipfilter/BNF b/contrib/ipfilter/BNF
index 556171d..ac2381b 100644
--- a/contrib/ipfilter/BNF
+++ b/contrib/ipfilter/BNF
@@ -17,7 +17,7 @@ log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
call = "call" [ "now" ] function-name .
skip = "skip" decnumber .
dup = "dup-to" interface-name[":"ipaddr] .
-froute = "fastroute" | "to" interface-name .
+froute = "fastroute" | "to" interface-name [ ":" ipaddr ] .
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" object "to" object .
diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY
index 0249367..584f4f2 100644
--- a/contrib/ipfilter/HISTORY
+++ b/contrib/ipfilter/HISTORY
@@ -22,6 +22,121 @@
# and especially those who have found the time to port IP Filter to new
# platforms.
#
+3.4.20 24/07/2001 - Released
+
+adjust NAT hashing to give a better spread across the table
+
+show icmp code/type names in output, where known
+
+fix bug in altering cached interface names in state when resync'ing
+
+fix bug in real audio proxy that caused crashs
+
+fix compiling using sunos4 cc
+
+patch from casper to address weird exit problem for ipstat in top mode
+
+patch from Greg Woods to produce names for icmp types/unreach codes,
+where they are known
+
+fix bug where ipfr_fastroute() would use a mblk and it would also get
+freed later.
+
+don't match fragments which would cause 64k length to be exceeded
+
+ftp proxy fix for port numbers being setup for pasv ftp with state/nat
+
+change hashing for NAT to include both IP#'s and ports.
+
+Solaris fixes for IPv6
+
+fix compiling iplang bits, under Solaris, for ipsend
+
+3.4.19 29/06/2001 - Released
+
+fix to support suspend/resume on solaris8 as well as ipv6
+
+include group/group-head in match of filter rules
+
+fix endian problem reading snoop files
+
+make all licence comments point to the one place
+
+fix ftp proxy to only advance state if a reply is received in response to
+a recognised command
+
+3.4.18 05/06/2001 - Released
+
+fix up parsing of "from ! host" where '!' is separate
+
+disable hardware checksums for NetBSD
+
+put ipftest temporary files in . rather than /tmp
+
+modify ftp proxy to be more intelligent about moving between states
+and recognise new authentication commands
+
+allow state/nat table sizes to be externally influenced
+
+print out host mapping table for NAT with ipnat -l
+
+fix handling of hardware checksum'ing on Solaris
+
+fixup makefiles for Solaris
+
+update regression tests
+
+fix surrender of SPL's for failure cases
+
+include patches for OpenBSD's new timeout mechanism
+
+default ipl_unreach to ICMP_UNREACH_FILTER_PROHIB if defined, else make it
+ICMP_UNREACH_FILTER
+
+fix up handling of packets matching auth rules and interaction with state
+
+add -q command line option to ipfstat on Solaris to list bound interfaces
+
+add command line option to ipfstat/ipnat to select different core image
+
+don't use ncurses on Solaris for STATETOP
+
+fix includes to get FreeBSD version
+
+do not byte swap ip_id
+
+fix handling success for packets matching the auth rule
+
+don't double-count short packets
+
+add ICMP router discovery message size recognition
+
+fix packet length calculation for IPv6
+
+set CPUDIR when for install-sunos5 make target
+
+SUNWspro -xF causes Solaris 2.5.1 kernel to crash
+
+3.4.17 06/04/2001 - Released
+
+fix fragment#0 handling bug where they could get in via cache information
+created by state table entries
+
+use ire_walk to look for ire cache entries with link layer headers cached
+
+deal with bad SPL assumptions for log reading on BSD
+
+fix ftp proxy to allow logins with passwords
+
+some auth rule patches, fixing byte endian problems and returning as an error
+
+support LOG_SECURITY, where available, in ipmon
+
+don't return an error for packets which match auth rules
+
+introduce fr_icmpacktimeout to timeout entries once an ICMP reply has
+been seen separately to when created
+
3.4.16 15/01/2001 - Released
fix race condition in flushing of state entries that are timing out
diff --git a/contrib/ipfilter/IMPORTANT b/contrib/ipfilter/IMPORTANT
index de2cc85..0ef7a3d 100644
--- a/contrib/ipfilter/IMPORTANT
+++ b/contrib/ipfilter/IMPORTANT
@@ -3,41 +3,6 @@
****************************************
1)
-If you're using this software and have a rule which ends like this:
-
-flags S
-
-(for TCP), then to make it totally effective, you need to change it to appear
-as follows:
-
-flags S/SA
-
-The problem is that the old code would compare all the TCP flags against the
-rule (which just has "S") to see if that matched exactly. It is very possible
-for this to not be the case and in these cases, the rule would fail to match
-a 'valid' TCP SYN packet.
-
-Why does it need to be "S/SA" and not "S/S" ?
-
-"S/S" will match the SYN-ACK as well the SYN.
-
-By defalt, "flags S" will now be converted to "flags S/AUPRFS".
-
-If you have any queries regarding this, see the examples and ipf(4).
-If you still have a query or suggestion, please email me.
-
-
-2)
-
-If a filter rule used, in combination port comparisons and the flags
-keywords, a "short" TCP packet, if not explicitly blocked high up in
-the list of packets, would actually get matched even though it would
-otherwise not have been (due to the ports not). This behaviour has
-subsequently been fixed.
-
-
-3)
-
If you have BOTH GNU make and the normal make shipped with your system,
DO NOT use the GNU make to build this package.
diff --git a/contrib/ipfilter/Makefile b/contrib/ipfilter/Makefile
index 5770d40..09b5db6 100644
--- a/contrib/ipfilter/Makefile
+++ b/contrib/ipfilter/Makefile
@@ -1,11 +1,9 @@
#
-# Copyright (C) 1993-2000 by Darren Reed.
+# Copyright (C) 1993-2001 by Darren Reed.
#
-# Redistribution and use in source and binary forms are permitted
-# provided that this notice is preserved and due credit is given
-# to the original author and the contributors.
+# See the IPFILTER.LICENCE file for details on licencing.
#
-# $Id: Makefile,v 2.11.2.6 2000/12/17 12:43:15 darrenr Exp $
+# $Id: Makefile,v 2.11.2.8 2001/06/26 10:43:10 darrenr Exp $
#
BINDEST=/usr/local/bin
SBINDEST=/sbin
@@ -19,6 +17,7 @@ TOP=../..
CFLAGS=-I$$(TOP)
CPU=`uname -m`
CPUDIR=`uname -s|sed -e 's@/@@g'`-`uname -r`-`uname -m`
+IPFILKERN=`/bin/ls -1tr /usr/src/sys/compile | grep -v .bak | tail -1`
#
# To enable this to work as a Loadable Kernel Module...
#
@@ -262,7 +261,7 @@ install-sunos4: solaris
(cd SunOS4; $(MAKE) "CPU=$(CPU) TOP=.." install)
install-sunos5: solaris
- (cd SunOS5; $(MAKE) "CPU=$(CPU) TOP=.." install)
+ (cd SunOS5; $(MAKE) "CPUDIR=`uname -p`-`uname -r`" "CPU=$(CPU) TOP=.." install)
install-irix: irix
(cd IRIX; smake install "CPU=$(CPU) TOP=.." $(DEST) $(MFLAGS))
diff --git a/contrib/ipfilter/common.c b/contrib/ipfilter/common.c
index afcc95c..e46e63e 100644
--- a/contrib/ipfilter/common.c
+++ b/contrib/ipfilter/common.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
diff --git a/contrib/ipfilter/etc/services b/contrib/ipfilter/etc/services
index 7afcde8..01c4b782 100644
--- a/contrib/ipfilter/etc/services
+++ b/contrib/ipfilter/etc/services
@@ -2360,6 +2360,7 @@ dpserve 7020/udp # DP Serve
dpserveadmin 7021/tcp # DP Serve Admin
dpserveadmin 7021/udp # DP Serve Admin
arcp 7070/tcp # ARCP
+raudio 7070/tcp # Real Audio
arcp 7070/udp # ARCP
clutild 7174/tcp # Clutild
clutild 7174/udp # Clutild
diff --git a/contrib/ipfilter/facpri.c b/contrib/ipfilter/facpri.c
index f851918..79afdd2 100644
--- a/contrib/ipfilter/facpri.c
+++ b/contrib/ipfilter/facpri.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <string.h>
@@ -18,8 +16,12 @@
#include <syslog.h>
#include "facpri.h"
+#ifndef __STDC__
+# define const
+#endif
+
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: facpri.c,v 1.3 2000/03/13 22:10:18 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: facpri.c,v 1.3.2.4 2001/07/15 22:06:12 darrenr Exp $";
#endif
typedef struct table {
@@ -55,6 +57,9 @@ table_t facs[] = {
#else
{ "cron2", LOG_CRON2 },
#endif
+#ifdef LOG_SECURITY
+ { "security", LOG_SECURITY },
+#endif
{ "local0", LOG_LOCAL0 }, { "local1", LOG_LOCAL1 },
{ "local2", LOG_LOCAL2 }, { "local3", LOG_LOCAL3 },
{ "local4", LOG_LOCAL4 }, { "local5", LOG_LOCAL5 },
diff --git a/contrib/ipfilter/facpri.h b/contrib/ipfilter/facpri.h
index b80dbe8..7b80377 100644
--- a/contrib/ipfilter/facpri.h
+++ b/contrib/ipfilter/facpri.h
@@ -1,10 +1,8 @@
/*
- * Copyright (C) 1999-2000 by Darren Reed.
+ * Copyright (C) 1999-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- * $Id: facpri.h,v 1.3 2000/03/13 22:10:18 darrenr Exp $
+ * See the IPFILTER.LICENCE file for details on licencing.
+ * $Id: facpri.h,v 1.3.2.1 2001/06/26 10:43:11 darrenr Exp $
*/
#ifndef __FACPRI_H__
diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c
index 02f075b..c4cd2e0 100644
--- a/contrib/ipfilter/fil.c
+++ b/contrib/ipfilter/fil.c
@@ -1,15 +1,8 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darrenr Exp $";
-#endif
-
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -100,6 +93,11 @@ static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darr
#endif
#include "netinet/ipl.h"
+#if !defined(lint)
+static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed";
+static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.39 2001/07/18 13:30:32 darrenr Exp $";
+#endif
+
#ifndef _KERNEL
# include "ipf.h"
# include "ipt.h"
@@ -115,12 +113,6 @@ extern int opts;
# if SOLARIS || defined(__sgi)
extern KRWLOCK_T ipf_mutex, ipf_auth, ipf_nat;
extern kmutex_t ipf_rw;
-# endif
-# if SOLARIS
-# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, \
- ip, qif)
-# else /* SOLARIS */
-# define FR_NEWAUTH(m, fi, ip, qif) fr_newauth((mb_t *)m, fi, ip)
# endif /* SOLARIS || __sgi */
#endif /* _KERNEL */
@@ -226,7 +218,7 @@ fr_info_t *fin;
if (v == 4) {
fin->fin_id = ip->ip_id;
fi->fi_tos = ip->ip_tos;
- off = (ip->ip_off & IP_OFFMASK) << 3;
+ off = (ip->ip_off & IP_OFFMASK);
tcp = (tcphdr_t *)((char *)ip + hlen);
(*(((u_short *)fi) + 1)) = (*(((u_short *)ip) + 4));
fi->fi_src.i6[1] = 0;
@@ -239,7 +231,7 @@ fr_info_t *fin;
fi->fi_daddr = ip->ip_dst.s_addr;
p = ip->ip_p;
fi->fi_fl = (hlen > sizeof(ip_t)) ? FI_OPTIONS : 0;
- if (ip->ip_off & 0x3fff)
+ if (ip->ip_off & (IP_MF|IP_OFFMASK))
fi->fi_fl |= FI_FRAG;
plen = ip->ip_len;
fin->fin_dlen = plen - hlen;
@@ -260,6 +252,7 @@ fr_info_t *fin;
fi->fi_fl = 0;
plen = ntohs(ip6->ip6_plen);
fin->fin_dlen = plen;
+ plen += sizeof(*ip6);
}
#endif
else
@@ -268,6 +261,7 @@ fr_info_t *fin;
fin->fin_off = off;
fin->fin_plen = plen;
fin->fin_dp = (void *)tcp;
+ off <<= 3;
switch (p)
{
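Review bot: The unit of `fin->fin_off` changes here and nothing records it. The @@ -226 hunk drops the `<< 3` from `off = (ip->ip_off & IP_OFFMASK)`, so `fin->fin_off = off;` now stores the offset in 8-byte fragment units, and only the local `off` is scaled to bytes by the added `off <<= 3;`. Code that reads the field, such as the `off = fin->fin_off;` introduced in the @@ -557 hunk, needs to know which unit it gets. I would add `/* fin_off stays in 8-byte units; the local off is in bytes from here on */` above `off <<= 3;`. The enclosing function starts and ends outside the hunk.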
@@ -315,25 +309,34 @@ fr_info_t *fin;
icmp = (icmphdr_t *)tcp;
- if (icmp->icmp_type == ICMP_ECHOREPLY ||
- icmp->icmp_type == ICMP_ECHO)
+ switch (icmp->icmp_type)
+ {
+ case ICMP_ECHOREPLY :
+ case ICMP_ECHO :
+ /* Router discovery messages - RFC 1256 */
+ case ICMP_ROUTERADVERT :
+ case ICMP_ROUTERSOLICIT :
minicmpsz = ICMP_MINLEN;
-
+ break;
/*
* type(1) + code(1) + cksum(2) + id(2) seq(2) +
* 3*timestamp(3*4)
*/
- else if (icmp->icmp_type == ICMP_TSTAMP ||
- icmp->icmp_type == ICMP_TSTAMPREPLY)
+ case ICMP_TSTAMP :
+ case ICMP_TSTAMPREPLY :
minicmpsz = 20;
-
+ break;
/*
* type(1) + code(1) + cksum(2) + id(2) seq(2) +
* mask(4)
*/
- else if (icmp->icmp_type == ICMP_MASKREQ ||
- icmp->icmp_type == ICMP_MASKREPLY)
+ case ICMP_MASKREQ :
+ case ICMP_MASKREPLY :
minicmpsz = 12;
+ break;
+ default :
+ break;
+ }
}
if ((!(plen >= hlen + minicmpsz) && !off) ||
@@ -522,7 +525,7 @@ fr_info_t *fin;
* satisfy the "short" class too).
*/
if (err && (fin->fin_fi.fi_p == IPPROTO_TCP)) {
- if (fin->fin_fi.fi_fl & FI_SHORT)
+ if (fin->fin_fl & FI_SHORT)
return !(ft->ftu_tcpf | ft->ftu_tcpfm);
/*
* Match the flags ? If not, abort this match.
@@ -557,10 +560,7 @@ void *m;
fin->fin_fr = NULL;
fin->fin_rule = 0;
fin->fin_group = 0;
- if (fin->fin_v == 4)
- off = ip->ip_off & IP_OFFMASK;
- else
- off = 0;
+ off = fin->fin_off;
pass |= (fi->fi_fl << 24);
if ((fi->fi_fl & FI_TCPUDP) && (fin->fin_dlen > 3) && !off)
@@ -787,7 +787,7 @@ int out;
mb_t *mc = NULL;
# if !defined(__SVR4) && !defined(__svr4__)
# ifdef __sgi
- char hbuf[(0xf << 2) + sizeof(struct icmp) + sizeof(ip_t) + 8];
+ char hbuf[128];
# endif
int up;
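Review bot: `char hbuf[128];` replaces an expression that documented the worst case (maximum IP header, ICMP header, inner IP header and 8 bytes) with a bare constant, so the bound is no longer visible where the buffer is filled. The code that copies `up` bytes into `hbuf` is outside this hunk; it should clamp against `sizeof(hbuf)` rather than assume the old arithmetic still holds. I would add `/* must hold max IP header + struct icmp + ip_t + 8; bound up by sizeof(hbuf) */` above the declaration, or name the constant.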
@@ -812,6 +812,9 @@ int out;
# ifdef USE_INET6
if (v == 6) {
len = ntohs(((ip6_t*)ip)->ip6_plen);
+ if (!len)
+ return -1; /* potential jumbo gram */
+ len += sizeof(ip6_t);
p = ((ip6_t *)ip)->ip6_nxt;
} else
# endif
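Review bot: The added `return -1;` for a zero `ip6_plen` leaves the function before the statistics and log paths that the later hunks show (`ATOMIC_INCL(frstats[out].fr_short)`, the `logit:` label), so packets rejected here leave no trace for an operator. What -1 means to the caller, and who frees the mbuf on this path, is not visible in the hunk and should be stated. I would expand the comment to `/* zero payload length: possible jumbogram, rejected before any counter or log entry */` and consider bumping an existing drop counter before returning.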
@@ -820,7 +823,8 @@ int out;
len = ip->ip_len;
}
- if ((p == IPPROTO_TCP || p == IPPROTO_UDP || p == IPPROTO_ICMP
+ if ((p == IPPROTO_TCP || p == IPPROTO_UDP ||
+ (v == 4 && p == IPPROTO_ICMP)
# ifdef USE_INET6
|| (v == 6 && p == IPPROTO_ICMPV6)
# endif
@@ -889,13 +893,6 @@ int out;
# endif
#endif /* _KERNEL */
- /*
- * Be careful here: ip_id is in network byte order when called
- * from ip_output()
- */
- if ((out) && (v == 4))
- ip->ip_id = ntohs(ip->ip_id);
-
changed = 0;
fin->fin_ifp = ifp;
fin->fin_v = v;
@@ -940,15 +937,12 @@ int out;
}
#endif
pass = fr_pass;
- if (fin->fin_fi.fi_fl & FI_SHORT) {
+ if (fin->fin_fl & FI_SHORT) {
ATOMIC_INCL(frstats[out].fr_short);
}
READ_ENTER(&ipf_mutex);
- if (fin->fin_fi.fi_fl & FI_SHORT)
- ATOMIC_INCL(frstats[out].fr_short);
-
/*
* Check auth now. This, combined with the check below to see if apass
* is 0 is to ensure that we don't count the packet twice, which can
@@ -972,8 +966,18 @@ int out;
}
}
- if (apass || (!(fr = ipfr_knownfrag(ip, fin)) &&
- !(fr = fr_checkstate(ip, fin)))) {
+ if (!apass) {
+ if ((fin->fin_fl & FI_FRAG) == FI_FRAG)
+ fr = ipfr_knownfrag(ip, fin);
+ if (!fr && !(fin->fin_fl & FI_SHORT))
+ fr = fr_checkstate(ip, fin);
+ if (fr != NULL)
+ pass = fr->fr_flags;
+ if (fr && (pass & FR_LOGFIRST))
+ pass &= ~(FR_LOGFIRST|FR_LOG);
+ }
+
+ if (apass || !fr) {
/*
* If a packet is found in the auth table, then skip checking
* the access lists for permission but we do need to consider
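Review bot: `fr` is now tested in `if (!fr && !(fin->fin_fl & FI_SHORT))` on a path where it may never have been assigned. The old condition assigned it from `ipfr_knownfrag()` before testing, but the new code only does so when the `FI_FRAG` test is true. The same applies to `if (apass || !fr)` when `apass` is non-zero, because the whole `if (!apass)` block is skipped. This is correct only if `fr` is initialised to NULL at its declaration, which is outside the hunk; if it is not, `frentry_t *fr = NULL;` is needed there.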
@@ -1008,22 +1012,26 @@ int out;
ATOMIC_INCL(frstats[out].fr_nom);
}
}
- fr = fin->fin_fr;
} else
pass = apass;
+ fr = fin->fin_fr;
/*
* If we fail to add a packet to the authorization queue,
* then we drop the packet later. However, if it was added
* then pretend we've dropped it already.
*/
- if ((pass & FR_AUTH))
- if (fr_newauth((mb_t *)m, fin, ip) != 0)
+ if ((pass & FR_AUTH)) {
+ if (fr_newauth((mb_t *)m, fin, ip) != 0) {
#ifdef _KERNEL
m = *mp = NULL;
#else
;
#endif
+ error = 0;
+ } else
+ error = ENOSPC;
+ }
if (pass & FR_PREAUTH) {
READ_ENTER(&ipf_auth);
@@ -1038,7 +1046,7 @@ int out;
fin->fin_fr = fr;
if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) {
- if (fin->fin_fi.fi_fl & FI_FRAG) {
+ if (fin->fin_fl & FI_FRAG) {
if (ipfr_newfrag(ip, fin, pass) == -1) {
ATOMIC_INCL(frstats[out].fr_bnfr);
} else {
@@ -1116,9 +1124,6 @@ logit:
}
#endif /* IPFILTER_LOG */
- if ((out) && (v == 4))
- ip->ip_id = htons(ip->ip_id);
-
#ifdef _KERNEL
/*
* Only allow FR_DUP to work if a rule matched - it makes no sense to
@@ -1160,7 +1165,7 @@ logit:
send_icmp_err(ip, ICMP_UNREACH, fin, dst);
ATOMIC_INCL(frstats[0].fr_ret);
} else if (((pass & FR_RETMASK) == FR_RETRST) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
+ !(fin->fin_fl & FI_SHORT)) {
if (send_reset(ip, fin) == 0) {
ATOMIC_INCL(frstats[1].fr_ret);
}
@@ -1173,7 +1178,7 @@ logit:
verbose("- forged ICMP unreachable sent\n");
ATOMIC_INCL(frstats[0].fr_ret);
} else if (((pass & FR_RETMASK) == FR_RETRST) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
+ !(fin->fin_fl & FI_SHORT)) {
verbose("- TCP RST sent\n");
ATOMIC_INCL(frstats[1].fr_ret);
}
@@ -1202,15 +1207,17 @@ logit:
frdest_t *fdp = &fr->fr_tif;
if (((pass & FR_FASTROUTE) && !out) ||
- (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
- if (ipfr_fastroute(m, fin, fdp) == 0)
- m = *mp = NULL;
- }
- if (mc)
- ipfr_fastroute(mc, fin, &fr->fr_dif);
+ (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1))
+ (void) ipfr_fastroute(m, mp, fin, fdp);
+
+ if (mc != NULL)
+ (void) ipfr_fastroute(mc, &mc, fin, &fr->fr_dif);
}
- if (!(pass & FR_PASS) && m)
+
+ if (!(pass & FR_PASS) && m) {
m_freem(m);
+ m = *mp = NULL;
+ }
# ifdef __sgi
else if (changed && up && m)
m_copyback(m, 0, up, hbuf);
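Review bot: After `(void) ipfr_fastroute(m, mp, fin, fdp);` the local `m` is not refreshed, yet `if (!(pass & FR_PASS) && m)` goes on to call `m_freem(m)`. The old code set `m = *mp = NULL` when the call returned 0. The new signature suggests the callee now clears `*mp` itself when it consumes the packet; its body is not in this file's diff, so that is an inference. If so, `m` can still point at an mbuf that was already sent or freed, which would make this a double free. Adding `m = *mp;` directly after the call would keep the two in step; the Solaris variant in the @@ -1221 hunk follows the same pattern and deserves the same check.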
@@ -1221,12 +1228,11 @@ logit:
frdest_t *fdp = &fr->fr_tif;
if (((pass & FR_FASTROUTE) && !out) ||
- (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1)) {
- if (ipfr_fastroute(ip, m, mp, fin, fdp) == 0)
- m = *mp = NULL;
- }
- if (mc)
- ipfr_fastroute(ip, mc, mp, fin, &fr->fr_dif);
+ (fdp->fd_ifp && fdp->fd_ifp != (struct ifnet *)-1))
+ (void) ipfr_fastroute(ip, m, mp, fin, fdp);
+
+ if (mc != NULL)
+ (void) ipfr_fastroute(ip, mc, &mc, fin, &fr->fr_dif);
}
# endif /* !SOLARIS */
return (pass & FR_PASS) ? 0 : error;
@@ -1458,7 +1464,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.30 2000/12/17 05:49:22 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.39 2001/07/18 13:30:32 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -1907,7 +1913,7 @@ void frsync()
ip_statesync(ifp);
}
ip_natsync((struct ifnet *)-1);
-# endif
+# endif /* !SOLARIS */
WRITE_ENTER(&ipf_mutex);
frsynclist(ipacct[0][fr_active]);
diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c
index 3184e4c..3ed698a 100644
--- a/contrib/ipfilter/fils.c
+++ b/contrib/ipfilter/fils.c
@@ -1,12 +1,16 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#ifdef __FreeBSD__
-# include <osreldate.h>
+#ifdef __FreeBSD__
+# ifndef __FreeBSD_cc_version
+# include <osreldate.h>
+# else
+# if __FreeBSD_cc_version < 430000
+# include <osreldate.h>
+# endif
+# endif
#endif
#include <stdio.h>
#include <string.h>
@@ -25,10 +29,6 @@
#include <fcntl.h>
#include <stddef.h>
#include <nlist.h>
-#ifdef STATETOP
-#include <ctype.h>
-#include <ncurses.h>
-#endif
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
@@ -56,8 +56,17 @@
#include "netinet/ip_state.h"
#include "netinet/ip_auth.h"
#ifdef STATETOP
-#include "netinet/ipl.h"
-#endif
+# include "netinet/ipl.h"
+# include <ctype.h>
+# if SOLARIS
+# ifdef ERR
+# undef ERR
+# endif
+# include <curses.h>
+# else /* SOLARIS */
+# include <ncurses.h>
+# endif /* SOLARIS */
+#endif /* STATETOP */
#include "kmem.h"
#if defined(__NetBSD__) || (__OpenBSD__)
# include <paths.h>
@@ -65,10 +74,11 @@
#if !defined(lint)
static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.7 2000/12/02 00:13:56 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.17 2001/07/19 12:24:09 darrenr Exp $";
#endif
extern char *optarg;
+extern int optind;
#define PRINTF (void)printf
#define FPRINTF (void)fprintf
@@ -86,6 +96,7 @@ int use_inet6 = 0;
#ifdef STATETOP
#define STSTRSIZE 80
#define STGROWSIZE 16
+#define HOSTNMLEN 40
#define STSORT_PR 0
#define STSORT_PKTS 1
@@ -128,6 +139,9 @@ static int sort_pkts __P((const void *, const void *));
static int sort_bytes __P((const void *, const void *));
static int sort_ttl __P((const void *, const void *));
#endif
+#if SOLARIS
+void showqiflist __P((char *));
+#endif
static char *hostname(v, ip)
int v;
@@ -160,7 +174,11 @@ char *name;
#else
fprintf(stderr, "Usage: %s [-aAfhIinosv] [-d <device>]\n", name);
#endif
- fprintf(stderr, " %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name);
+ fprintf(stderr, "\t\t[-M corefile]");
+#if SOLARIS
+ fprintf(stderr, " [-N symbol-list]");
+#endif
+ fprintf(stderr, "\n %s -t [-S source address] [-D destination address] [-P protocol] [-T refreshtime] [-C] [-d <device>]\n", name);
exit(1);
}
@@ -177,8 +195,11 @@ char *argv[];
ips_stat_t *ipsstp = &ipsst;
ipfrstat_t ifrst;
ipfrstat_t *ifrstp = &ifrst;
- char *name = NULL, *device = IPL_NAME;
- int c, fd;
+ char *name = NULL, *device = IPL_NAME, *memf = NULL;
+#if SOLARIS
+ char *kern = NULL;
+#endif
+ int c, fd, myoptind;
struct protoent *proto;
int protocol = -1; /* -1 = wild card for any protocol */
@@ -190,13 +211,50 @@ char *argv[];
saddr.s_addr = INADDR_ANY; /* default any source addr */
daddr.s_addr = INADDR_ANY; /* default any dest addr */
- if (openkmem() == -1)
+ /*
+ * Parse these two arguments now lest there be any buffer overflows
+ * in the parsing of the rest.
+ */
+ myoptind = optind;
+#if SOLARIS
+ while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
+#else
+ while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:P:S:T:")) != -1)
+#endif
+ switch (c)
+ {
+ case 'M' :
+ memf = optarg;
+ break;
+#if SOLARIS
+ case 'N' :
+ kern = optarg;
+ break;
+#endif
+ }
+ optind = myoptind;
+
+#if SOLARIS
+ if (kern != NULL || memf != NULL)
+#else
+ if (memf != NULL)
+#endif
+ {
+ (void)setuid(getuid());
+ (void)setgid(getgid());
+ }
+
+ if (openkmem(memf) == -1)
exit(-1);
(void)setuid(getuid());
(void)setgid(getgid());
- while ((c = getopt(argc, argv, "6aACfghIilnostvd:D:P:S:T:")) != -1)
+#if SOLARIS
+ while ((c = getopt(argc, argv, "6aACfghIilnoqstvd:D:M:N:P:S:T:")) != -1)
+#else
+ while ((c = getopt(argc, argv, "6aACfghIilnostvd:D:M:P:S:T:")) != -1)
+#endif
{
switch (c)
{
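Review bot: The added privilege drop before `openkmem(memf)` discards both return values and gives up the user id before the group id. If either call fails, the file named by -M (or -N on Solaris) is still opened with the elevated ids, which is exactly what the block is meant to prevent. Once the effective uid is no longer privileged, `setgid()` changes only the effective gid, so a saved set-group-ID can survive. I would write `if (setgid(getgid()) == -1 || setuid(getuid()) == -1) exit(1);` here. The unchanged pair after `openkmem()` has the same order and the same ignored results.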
@@ -207,8 +265,7 @@ char *argv[];
#endif
case 'a' :
opts |= OPT_ACCNT|OPT_SHOWLIST;
- break;
- case 'A' :
+ break; case 'A' :
device = IPAUTH_NAME;
opts |= OPT_AUTHSTATS;
break;
@@ -239,6 +296,10 @@ char *argv[];
case 'l' :
opts |= OPT_SHOWLIST;
break;
+ case 'M' :
+ break;
+ case 'N' :
+ break;
case 'n' :
opts |= OPT_SHOWLINENO;
break;
@@ -255,6 +316,12 @@ char *argv[];
exit(-2);
}
break;
+#if SOLARIS
+ case 'q' :
+ showqiflist(kern);
+ exit(0);
+ break;
+#endif
case 's' :
opts |= OPT_IPSTATES;
break;
@@ -653,13 +720,52 @@ ips_stat_t *ipsp;
PRINTF("\tpkt_security & %x = %x, pkt_auth & %x = %x\n",
ips.is_secmsk, ips.is_sec, ips.is_authmsk,
ips.is_auth);
- PRINTF("interfaces: in %s[%p] ",
+ PRINTF("\tinterfaces: in %s[%p] ",
get_ifname(ips.is_ifpin), ips.is_ifpin);
PRINTF("out %s[%p]\n",
get_ifname(ips.is_ifpout), ips.is_ifpout);
}
}
+
+#if SOLARIS
+void showqiflist(kern)
+char *kern;
+{
+ struct nlist qifnlist[2] = {
+ { "qif_head" },
+ { NULL }
+ };
+ qif_t qif, *qf;
+
+ if (kern == NULL)
+ kern = "/dev/ksyms";
+
+ if (nlist(kern, qifnlist) == -1) {
+ fprintf(stderr, "nlist error\n");
+ return;
+ }
+
+ printf("List of interfaces bound by IPFilter:\n");
+ if (kmemcpy((char *)&qf, (u_long)qifnlist[0].n_value, sizeof(qf)))
+ return;
+ while (qf) {
+ if (kmemcpy((char *)&qif, (u_long)qf, sizeof(qif)))
+ break;
+ printf("\tName: %-8s Header Length: %2d SAP: %s (%04x)\n",
+ qif.qf_name, qif.qf_hl,
+#ifdef IP6_DL_SAP
+ (qif.qf_sap == IP6_DL_SAP) ? "IPv6" : "IPv4"
+#else
+ "IPv4"
+#endif
+ , qif.qf_sap);
+ qf = qif.qf_next;
+ }
+}
+#endif
+
+
#ifdef STATETOP
static void topipstates(fd, saddr, daddr, sport, dport, protocol,
refreshtime, topclosed)
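Review bot: In `showqiflist()`, `nlist(kern, qifnlist) == -1` catches only outright failure. When `qif_head` is simply absent from the file given with -N, the entry's `n_value` stays zero and the following `kmemcpy()` reads from address 0. Extending the test to `if (nlist(kern, qifnlist) == -1 || qifnlist[0].n_value == 0)` closes that. Two smaller hardening points in the same function: `%-8s` has no precision, so `qif.qf_name` is trusted to be NUL-terminated (`%-8.8s` would bound it if the field is 8 bytes, which its declaration elsewhere should confirm). The `while (qf)` walk also has no iteration limit, which matters when -M points at an arbitrary core file.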
@@ -679,9 +785,10 @@ int topclosed;
ips_stat_t ipsst, *ipsstp = &ipsst;
statetop_t *tstable = NULL, *tp;
struct timeval selecttimeout;
+ char hostnm[HOSTNMLEN];
struct protoent *proto;
fd_set readfd;
- char c = '\0';
+ int c = 0;
time_t t;
/* open state device */
@@ -694,7 +801,10 @@ int topclosed;
initscr();
cbreak();
noecho();
- nodelay(stdscr, 1);
+
+ /* init hostname */
+ gethostname(hostnm, sizeof(hostnm) - 1);
+ hostnm[sizeof(hostnm) - 1] = '\0';
/* repeat until user aborts */
while ( 1 ) {
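Review bot: The result of `gethostname(hostnm, sizeof(hostnm) - 1)` is ignored, so on failure only the last byte of `hostnm` is defined and the banner later prints whatever was on the stack up to it. Truncation is handled correctly by the explicit terminator; the failure case is not. I would write `if (gethostname(hostnm, sizeof(hostnm) - 1) == -1) hostnm[0] = '\0';` and keep the terminator line as it is.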
@@ -799,8 +909,8 @@ int topclosed;
attron(A_BOLD);
winx = 0;
move(winx,0);
- sprintf(str1, "%s - state top", IPL_VERSION);
- for(j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
+ sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION);
+ for (j = 0 ; j < (maxx - 8 - strlen(str1)) / 2; j++)
printw(" ");
printw("%s", str1);
attroff(A_BOLD);
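Review bot: `sprintf(str1, "%s - %s - state top", hostnm, IPL_VERSION);` now writes up to 39 bytes of hostname plus the version string into `str1` with no bound. The size of `str1` is declared outside the hunk, presumably from `STSTRSIZE`, so `snprintf(str1, sizeof(str1), ...)` is the safer form, assuming `str1` is an array. The longer banner also makes it more likely that `maxx - 8 - strlen(str1)` goes negative on a narrow terminal. Because `strlen()` returns `size_t`, that expression wraps to a very large value and the padding loop runs far longer than intended. Computing the pad in a signed variable and skipping the loop when it is not positive avoids that.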
@@ -873,7 +983,9 @@ int topclosed;
if (reverse)
tp += tsentry;
- for(i = 0; i <= tsentry; i++) {
+ if (tsentry > maxy - 6)
+ tsentry = maxy - 6;
+ for (i = 0; i <= tsentry; i++) {
/* print src/dest and port */
if ((tp->st_p == IPPROTO_TCP) ||
(tp->st_p == IPPROTO_UDP)) {
@@ -938,22 +1050,25 @@ int topclosed;
select(1, &readfd, NULL, NULL, &selecttimeout);
/* if key pressed, read all waiting keys */
- if (FD_ISSET(0, &readfd))
- while ((c = wgetch(stdscr)) != ERR) {
- if (tolower(c) == 'l') {
- redraw = 1;
- } else if (tolower(c) == 'q') {
- nocbreak();
- endwin();
- exit(0);
- } else if (tolower(c) == 'r') {
- reverse = !reverse;
- } else if (tolower(c) == 's') {
- sorting++;
- if (sorting > STSORT_MAX)
- sorting = 0;
- }
+ if (FD_ISSET(0, &readfd)) {
+ c = wgetch(stdscr);
+ if (c == ERR)
+ continue;
+
+ if (tolower(c) == 'l') {
+ redraw = 1;
+ } else if (tolower(c) == 'q') {
+ nocbreak();
+ endwin();
+ exit(0);
+ } else if (tolower(c) == 'r') {
+ reverse = !reverse;
+ } else if (tolower(c) == 's') {
+ sorting++;
+ if (sorting > STSORT_MAX)
+ sorting = 0;
}
+ }
} /* while */
close(sfd);
diff --git a/contrib/ipfilter/inet_addr.c b/contrib/ipfilter/inet_addr.c
index 49278a8..03bcf23 100644
--- a/contrib/ipfilter/inet_addr.c
+++ b/contrib/ipfilter/inet_addr.c
@@ -52,10 +52,20 @@
* -
* --Copyright--
*/
+#ifdef __STDC__
+# ifndef __P
+# define __P(x) x
+# endif
+#else
+# undef __P
+# define __P(x) ()
+# undef const
+# define const
+#endif
#if !defined(lint)
static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1 1999/08/04 17:29:54 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1.4.1 2001/07/15 22:06:14 darrenr Exp $";
#endif /* LIBC_SCCS and not lint */
#include <sys/param.h>
@@ -63,13 +73,6 @@ static const char rcsid[] = "@(#)$Id: inet_addr.c,v 2.1 1999/08/04 17:29:54 darr
#include <arpa/inet.h>
#include <ctype.h>
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
int inet_aton __P((const char *, struct in_addr *));
/*
diff --git a/contrib/ipfilter/ip_auth.c b/contrib/ipfilter/ip_auth.c
index a453610..b22d470 100644
--- a/contrib/ipfilter/ip_auth.c
+++ b/contrib/ipfilter/ip_auth.c
@@ -1,14 +1,8 @@
/*
- * Copyright (C) 1998-2000 by Darren Reed & Guido van Rooij.
+ * Copyright (C) 1998-2001 by Darren Reed & Guido van Rooij.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.5 2001/01/10 06:18:35 darrenr Exp $";
-#endif
-
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -77,7 +71,7 @@ static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.5 2001/01/10 06:18:35 d
#endif
#include <netinet/tcp.h>
#if defined(__sgi) && !defined(IFF_DRVRLOCK) /* IRIX < 6 */
-extern struct ifqueue ipintrq; /* ip packet input queue */
+extern struct ifqueue ipintrq; /* ip packet input queue */
#else
# ifndef linux
# if __FreeBSD_version >= 300000
@@ -107,10 +101,13 @@ extern struct ifqueue ipintrq; /* ip packet input queue */
# endif
#endif
+#if !defined(lint)
+static const char rcsid[] = "@(#)$Id: ip_auth.c,v 2.11.2.12 2001/07/18 14:57:08 darrenr Exp $";
+#endif
#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
-extern KRWLOCK_T ipf_auth;
+extern KRWLOCK_T ipf_auth, ipf_mutex;
extern kmutex_t ipf_authmx;
# if SOLARIS
extern kcondvar_t ipfauthwait;
@@ -129,7 +126,8 @@ static frauth_t fr_auth[FR_NUMAUTH];
mb_t *fr_authpkts[FR_NUMAUTH];
static int fr_authstart = 0, fr_authend = 0, fr_authnext = 0;
static frauthent_t *fae_list = NULL;
-frentry_t *ipauth = NULL;
+frentry_t *ipauth = NULL,
+ *fr_authlist = NULL;
/*
@@ -142,10 +140,12 @@ ip_t *ip;
fr_info_t *fin;
{
u_short id = ip->ip_id;
+ frentry_t *fr;
+ frauth_t *fra;
u_32_t pass;
int i;
- if (fr_auth_lock)
+ if (fr_auth_lock || !fr_authused)
return 0;
READ_ENTER(&ipf_auth);
@@ -155,24 +155,54 @@ fr_info_t *fin;
* case the same packet gets sent again and it hasn't yet been
* auth'd.
*/
- if ((fr_auth[i].fra_index == -2) &&
- (id == fr_auth[i].fra_info.fin_id) &&
- !bcmp((char *)fin,(char *)&fr_auth[i].fra_info,FI_CSIZE)) {
+ fra = fr_auth + i;
+ if ((fra->fra_index == -2) && (id == fra->fra_info.fin_id) &&
+ !bcmp((char *)fin, (char *)&fra->fra_info, FI_CSIZE)) {
/*
* Avoid feedback loop.
*/
- if (!(pass = fr_auth[i].fra_pass) || (pass & FR_AUTH))
+ if (!(pass = fra->fra_pass) || (pass & FR_AUTH))
pass = FR_BLOCK;
+ /*
+ * Create a dummy rule for the stateful checking to
+ * use and return. Zero out any values we don't
+ * trust from userland!
+ */
+ if ((pass & FR_KEEPSTATE) || ((pass & FR_KEEPFRAG) &&
+ (fin->fin_fi.fi_fl & FI_FRAG))) {
+ KMALLOC(fr, frentry_t *);
+ if (fr) {
+ bcopy((char *)fra->fra_info.fin_fr,
+ fr, sizeof(*fr));
+ fr->fr_grp = NULL;
+ fr->fr_ifa = fin->fin_ifp;
+ fr->fr_func = NULL;
+ fr->fr_ref = 1;
+ fr->fr_flags = pass;
+#if BSD >= 199306
+ fr->fr_oifa = NULL;
+#endif
+ }
+ } else
+ fr = fra->fra_info.fin_fr;
+ fin->fin_fr = fr;
RWLOCK_EXIT(&ipf_auth);
WRITE_ENTER(&ipf_auth);
+ if (fr && fr != fra->fra_info.fin_fr) {
+ fr->fr_next = fr_authlist;
+ fr_authlist = fr;
+ }
fr_authstats.fas_hits++;
- fr_auth[i].fra_index = -1;
+ fra->fra_index = -1;
fr_authused--;
if (i == fr_authstart) {
- while (fr_auth[i].fra_index == -1) {
+ while (fra->fra_index == -1) {
i++;
- if (i == FR_NUMAUTH)
+ fra++;
+ if (i == FR_NUMAUTH) {
i = 0;
+ fra = fr_auth;
+ }
fr_authstart = i;
if (i == fr_authend)
break;
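Review bot: When KMALLOC fails in the new dummy-rule branch, `fr` stays NULL and `fin->fin_fr = fr;` then clears the packet's rule pointer while `pass` still carries FR_KEEPSTATE or FR_KEEPFRAG. Whatever consumes that verdict outside this hunk has to cope with a NULL rule; clearing the flags on failure, e.g. `else pass &= ~(FR_KEEPSTATE|FR_KEEPFRAG);`, keeps the two consistent. The `bcopy` source `fra->fra_info.fin_fr` is also used without a NULL check, and it is a pointer saved when the packet was queued, so it is worth confirming that the rule cannot have been freed in the meantime. The function starts and ends outside the hunk.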
@@ -208,6 +238,7 @@ ip_t *ip;
#if defined(_KERNEL) && SOLARIS
qif_t *qif = fin->fin_qif;
#endif
+ frauth_t *fra;
int i;
if (fr_auth_lock)
@@ -219,7 +250,7 @@ ip_t *ip;
RWLOCK_EXIT(&ipf_auth);
return 0;
} else {
- if ((fr_authstart == 0) && (fr_authend == FR_NUMAUTH - 1)) {
+ if (fr_authused == FR_NUMAUTH) {
fr_authstats.fas_nospace++;
RWLOCK_EXIT(&ipf_auth);
return 0;
@@ -232,51 +263,48 @@ ip_t *ip;
if (fr_authend == FR_NUMAUTH)
fr_authend = 0;
RWLOCK_EXIT(&ipf_auth);
- fr_auth[i].fra_index = i;
- fr_auth[i].fra_pass = 0;
- fr_auth[i].fra_age = fr_defaultauthage;
- bcopy((char *)fin, (char *)&fr_auth[i].fra_info, sizeof(*fin));
-#if !defined(sparc) && !defined(m68k)
+ fra = fr_auth + i;
+ fra->fra_index = i;
+ fra->fra_pass = 0;
+ fra->fra_age = fr_defaultauthage;
+ bcopy((char *)fin, (char *)&fra->fra_info, sizeof(*fin));
+#if SOLARIS && defined(_KERNEL)
+# if !defined(sparc)
/*
* No need to copyback here as we want to undo the changes, not keep
* them.
*/
-# if SOLARIS && defined(_KERNEL)
if ((ip == (ip_t *)m->b_rptr) && (ip->ip_v == 4))
-# endif
{
register u_short bo;
bo = ip->ip_len;
ip->ip_len = htons(bo);
-# if !SOLARIS && !defined(__NetBSD__)
- /* 4.4BSD converts this ip_input.c, but I don't in solaris.c */
- bo = ip->ip_id;
- ip->ip_id = htons(bo);
-# endif
bo = ip->ip_off;
ip->ip_off = htons(bo);
}
-#endif
-#if SOLARIS && defined(_KERNEL)
+# endif
m->b_rptr -= qif->qf_off;
fr_authpkts[i] = *(mblk_t **)fin->fin_mp;
- fr_auth[i].fra_q = qif->qf_q;
+ fra->fra_q = qif->qf_q;
cv_signal(&ipfauthwait);
#else
+# if defined(BSD) && !defined(sparc) && (BSD >= 199306)
+ if (!fin->fin_out) {
+ HTONS(ip->ip_len);
+ HTONS(ip->ip_off);
+ }
+# endif
fr_authpkts[i] = m;
-# if defined(linux) && defined(_KERNEL)
- wake_up_interruptible(&ipfauthwait);
-# else
WAKEUP(&fr_authnext);
-# endif
#endif
return 1;
}
-int fr_auth_ioctl(data, cmd, fr, frptr)
+int fr_auth_ioctl(data, mode, cmd, fr, frptr)
caddr_t data;
+int mode;
#if defined(__NetBSD__) || defined(__OpenBSD__) || (FreeBSD_version >= 300003)
u_long cmd;
#else
@@ -287,8 +315,9 @@ frentry_t *fr, **frptr;
mb_t *m;
#if defined(_KERNEL) && !SOLARIS
struct ifqueue *ifq;
+ int s;
#endif
- frauth_t auth, *au = &auth;
+ frauth_t auth, *au = &auth, *fra;
frauthent_t *fae, **faep;
int i, error = 0;
@@ -313,21 +342,26 @@ frentry_t *fr, **frptr;
else
faep = &fae->fae_next;
if (cmd == SIOCRMAFR) {
- if (!fae)
+ if (!fr || !frptr)
+ error = EINVAL;
+ else if (!fae)
error = ESRCH;
else {
WRITE_ENTER(&ipf_auth);
+ SPL_NET(s);
*faep = fae->fae_next;
*frptr = fr->fr_next;
+ SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
KFREE(fae);
}
- } else {
+ } else if (fr && frptr) {
KMALLOC(fae, frauthent_t *);
if (fae != NULL) {
bcopy((char *)fr, (char *)&fae->fae_fr,
sizeof(*fr));
WRITE_ENTER(&ipf_auth);
+ SPL_NET(s);
fae->fae_age = fr_defaultauthage;
fae->fae_fr.fr_hits = 0;
fae->fae_fr.fr_next = *frptr;
@@ -335,10 +369,12 @@ frentry_t *fr, **frptr;
fae->fae_next = *faep;
*faep = fae;
ipauth = &fae_list->fae_fr;
+ SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
} else
error = ENOMEM;
- }
+ } else
+ error = EINVAL;
break;
case SIOCATHST:
READ_ENTER(&ipf_auth);
@@ -348,6 +384,10 @@ frentry_t *fr, **frptr;
sizeof(fr_authstats));
break;
case SIOCAUTHW:
+ if (!(mode & FWRITE)) {
+ error = EPERM;
+ break;
+ }
fr_authioctlloop:
READ_ENTER(&ipf_auth);
if ((fr_authnext != fr_authend) && fr_authpkts[fr_authnext]) {
@@ -357,9 +397,11 @@ fr_authioctlloop:
if (error)
break;
WRITE_ENTER(&ipf_auth);
+ SPL_NET(s);
fr_authnext++;
if (fr_authnext == FR_NUMAUTH)
fr_authnext = 0;
+ SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
return 0;
}
@@ -372,55 +414,62 @@ fr_authioctlloop:
}
mutex_exit(&ipf_authmx);
# else
-# ifdef linux
- interruptible_sleep_on(&ipfauthwait);
- if (current->signal & ~current->blocked)
- error = -EINTR;
-# else
error = SLEEP(&fr_authnext, "fr_authnext");
# endif
-# endif
#endif
RWLOCK_EXIT(&ipf_auth);
if (!error)
goto fr_authioctlloop;
break;
case SIOCAUTHR:
+ if (!(mode & FWRITE)) {
+ error = EPERM;
+ break;
+ }
error = IRCOPYPTR(data, (caddr_t)&auth, sizeof(auth));
if (error)
return error;
WRITE_ENTER(&ipf_auth);
+ SPL_NET(s);
i = au->fra_index;
+ fra = fr_auth + i;
if ((i < 0) || (i > FR_NUMAUTH) ||
- (fr_auth[i].fra_info.fin_id != au->fra_info.fin_id)) {
+ (fra->fra_info.fin_id != au->fra_info.fin_id)) {
+ SPL_X(s);
RWLOCK_EXIT(&ipf_auth);
return EINVAL;
}
m = fr_authpkts[i];
- fr_auth[i].fra_index = -2;
- fr_auth[i].fra_pass = au->fra_pass;
+ fra->fra_index = -2;
+ fra->fra_pass = au->fra_pass;
fr_authpkts[i] = NULL;
-#ifdef _KERNEL
RWLOCK_EXIT(&ipf_auth);
-# ifndef linux
+#ifdef _KERNEL
if (m && au->fra_info.fin_out) {
-# if SOLARIS
- error = fr_qout(fr_auth[i].fra_q, m);
-# else /* SOLARIS */
-# if (_BSDI_VERSION >= 199802) || defined(__OpenBSD__)
- error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL,
+# if SOLARIS
+ error = fr_qout(fra->fra_q, m);
+# else /* SOLARIS */
+ struct route ro;
+
+ bzero((char *)&ro, sizeof(ro));
+# if ((_BSDI_VERSION >= 199802) && (_BSDI_VERSION < 200005)) || \
+ defined(__OpenBSD__)
+ error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL,
NULL);
-# else
- error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL);
-# endif
-# endif /* SOLARIS */
+# else
+ error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL);
+# endif
+ if (ro.ro_rt) {
+ RTFREE(ro.ro_rt);
+ }
+# endif /* SOLARIS */
if (error)
fr_authstats.fas_sendfail++;
else
fr_authstats.fas_sendok++;
} else if (m) {
# if SOLARIS
- error = fr_qin(fr_auth[i].fra_q, m);
+ error = fr_qin(fra->fra_q, m);
# else /* SOLARIS */
ifq = &ipintrq;
if (IF_QFULL(ifq)) {
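Review bot: The range check on the caller-supplied slot index in SIOCAUTHR accepts `i == FR_NUMAUTH`, one past the end of `fr_auth[FR_NUMAUTH]` and `fr_authpkts[FR_NUMAUTH]`, because it tests `i > FR_NUMAUTH`. `au` is filled by IRCOPYPTR from the caller, so with that index the `fin_id` comparison reads outside the arrays, and `fra->fra_index = -2`, `fra->fra_pass = au->fra_pass` and `fr_authpkts[i] = NULL` write outside them. The test should be `if ((i < 0) || (i >= FR_NUMAUTH) ||`, and `fra = fr_auth + i;` is better computed after the index has been validated. The new FWRITE check narrows who can reach this path but does not bound the index.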
@@ -438,7 +487,6 @@ fr_authioctlloop:
fr_authstats.fas_queok++;
} else
error = EINVAL;
-# endif
# if SOLARIS
if (error)
error = EINVAL;
@@ -449,10 +497,10 @@ fr_authioctlloop:
*/
if (error == ENOBUFS) {
fr_authused--;
- fr_auth[i].fra_index = -1;
- fr_auth[i].fra_pass = 0;
+ fra->fra_index = -1;
+ fra->fra_pass = 0;
if (i == fr_authstart) {
- while (fr_auth[i].fra_index == -1) {
+ while (fra->fra_index == -1) {
i++;
if (i == FR_NUMAUTH)
i = 0;
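Review bot: The slot-reclaim loop on the ENOBUFS path now tests `fra->fra_index == -1`, but the visible body only advances `i`; `fra` still points at the slot that was just set to -1. The matching loop in fr_checkauth was given `fra++;` and `fra = fr_auth;` on wrap-around, so this one presumably needs the same two updates. Without them the condition never looks at the next slot, and `fr_authstart` can be advanced over entries that are still in use. The rest of the loop lies outside the hunk. These updates also run after `RWLOCK_EXIT(&ipf_auth)` in the hunk above, so they are covered only by SPL_NET and not by the write lock.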
@@ -468,6 +516,7 @@ fr_authioctlloop:
}
# endif
#endif /* _KERNEL */
+ SPL_X(s);
break;
default :
error = EINVAL;
@@ -485,6 +534,7 @@ void fr_authunload()
{
register int i;
register frauthent_t *fae, **faep;
+ frentry_t *fr, **frp;
mb_t *m;
WRITE_ENTER(&ipf_auth);
@@ -503,6 +553,26 @@ void fr_authunload()
}
ipauth = NULL;
RWLOCK_EXIT(&ipf_auth);
+
+ if (fr_authlist) {
+ /*
+ * We *MuST* reget ipf_auth because otherwise we won't get the
+ * locks in the right order and risk deadlock.
+ * We need ipf_mutex here to prevent a rule from using it
+ * inside fr_check().
+ */
+ WRITE_ENTER(&ipf_mutex);
+ WRITE_ENTER(&ipf_auth);
+ for (frp = &fr_authlist; (fr = *frp); ) {
+ if (fr->fr_ref == 1) {
+ *frp = fr->fr_next;
+ KFREE(fr);
+ } else
+ frp = &fr->fr_next;
+ }
+ RWLOCK_EXIT(&ipf_auth);
+ RWLOCK_EXIT(&ipf_mutex);
+ }
}
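Review bot: The cleanup loop frees only the dummy rules whose `fr_ref` is 1 and leaves the others linked on `fr_authlist`, and nothing visible here releases them once the module is being unloaded. If state or fragment entries can still hold a reference at this point, those rules are either leaked or left to code that runs after unload. A comment stating who drops the remaining references, and that 1 means the list holds the only one, would make the intent checkable. The same loop is added to fr_authexpire in the hunk further down. `fr_authlist` is also tested before either lock is taken, which is harmless only if nothing can append to it during unload.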
@@ -515,6 +585,7 @@ void fr_authexpire()
register int i;
register frauth_t *fra;
register frauthent_t *fae, **faep;
+ register frentry_t *fr, **frp;
mb_t *m;
#if !SOLARIS
int s;
@@ -544,6 +615,14 @@ void fr_authexpire()
faep = &fae->fae_next;
}
ipauth = &fae_list->fae_fr;
+
+ for (frp = &fr_authlist; (fr = *frp); ) {
+ if (fr->fr_ref == 1) {
+ *frp = fr->fr_next;
+ KFREE(fr);
+ } else
+ frp = &fr->fr_next;
+ }
RWLOCK_EXIT(&ipf_auth);
SPL_X(s);
}
diff --git a/contrib/ipfilter/ip_auth.h b/contrib/ipfilter/ip_auth.h
index 681a6e5..7d3e463 100644
--- a/contrib/ipfilter/ip_auth.h
+++ b/contrib/ipfilter/ip_auth.h
@@ -1,11 +1,9 @@
/*
- * Copyright (C) 1997-2000 by Darren Reed & Guido Van Rooij.
+ * Copyright (C) 1997-2001 by Darren Reed & Guido Van Rooij.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ip_auth.h,v 2.3.2.2 2000/10/19 15:38:44 darrenr Exp $
+ * $Id: ip_auth.h,v 2.3.2.4 2001/07/18 14:57:08 darrenr Exp $
*
*/
#ifndef __IP_AUTH_H__
@@ -55,8 +53,8 @@ extern void fr_authunload __P((void));
extern mb_t *fr_authpkts[];
extern int fr_newauth __P((mb_t *, fr_info_t *, ip_t *));
#if defined(__NetBSD__) || defined(__OpenBSD__)
-extern int fr_auth_ioctl __P((caddr_t, u_long, frentry_t *, frentry_t **));
+extern int fr_auth_ioctl __P((caddr_t, int, u_long, frentry_t *, frentry_t **));
#else
-extern int fr_auth_ioctl __P((caddr_t, int, frentry_t *, frentry_t **));
+extern int fr_auth_ioctl __P((caddr_t, int, int, frentry_t *, frentry_t **));
#endif
#endif /* __IP_AUTH_H__ */
diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h
index ed71f36..a7d0db4 100644
--- a/contrib/ipfilter/ip_compat.h
+++ b/contrib/ipfilter/ip_compat.h
@@ -1,12 +1,10 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_compat.h 1.8 1/14/96
- * $Id: ip_compat.h,v 2.26.2.9 2001/01/14 14:58:01 darrenr Exp $
+ * $Id: ip_compat.h,v 2.26.2.17 2001/07/23 04:22:48 darrenr Exp $
*/
#ifndef __IP_COMPAT_H__
@@ -27,6 +25,9 @@
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
+#if SOLARIS && !defined(SOLARIS2)
+# define SOLARIS2 4 /* Pick an old version */
+#endif
#if SOLARIS2 >= 8
# ifndef USE_INET6
# define USE_INET6
@@ -119,10 +120,34 @@ struct ether_addr {
# define V4_PART_OF_V6(v6) v6.s6_addr32[3]
# endif
# endif
-#else
+
+typedef struct qif {
+ struct qif *qf_next;
+ ill_t *qf_ill;
+ kmutex_t qf_lock;
+ void *qf_iptr;
+ void *qf_optr;
+ queue_t *qf_in;
+ queue_t *qf_out;
+ struct qinit *qf_wqinfo;
+ struct qinit *qf_rqinfo;
+ struct qinit qf_wqinit;
+ struct qinit qf_rqinit;
+ mblk_t *qf_m; /* These three fields are for passing data up from */
+ queue_t *qf_q; /* fr_qin and fr_qout to the packet processing. */
+ size_t qf_off;
+ size_t qf_len; /* this field is used for in ipfr_fastroute */
+ char qf_name[8];
+ /*
+ * in case the ILL has disappeared...
+ */
+ size_t qf_hl; /* header length */
+ int qf_sap;
+} qif_t;
+#else /* SOLARIS */
# if !defined(__sgi)
typedef int minor_t;
-#endif
+# endif
#endif /* SOLARIS */
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
@@ -264,10 +289,26 @@ union i6addr {
#if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL))
# ifdef IPFILTER_LKM
-# include <osreldate.h>
+# ifndef __FreeBSD_cc_version
+# include <osreldate.h>
+# else
+# if __FreeBSD_cc_version < 430000
+# include <osreldate.h>
+# else
+# include <sys/param.h>
+# endif
+# endif
# define ACTUALLY_LKM_NOT_KERNEL
# else
-# include <sys/osreldate.h>
+# ifndef __FreeBSD_cc_version
+# include <sys/osreldate.h>
+# else
+# if __FreeBSD_cc_version < 430000
+# include <sys/osreldate.h>
+# else
+# include <sys/param.h>
+# endif
+# endif
# endif
# if __FreeBSD__ < 3
# include <machine/spl.h>
@@ -325,6 +366,7 @@ typedef struct {
# define ATOMIC_DEC32(x) atomic_add_32((uint32_t*)&(x), -1)
# define ATOMIC_DEC16(x) atomic_add_16((uint16_t*)&(x), -1)
# else
+# define IRE_CACHE IRE_ROUTE
# define ATOMIC_INC(x) { mutex_enter(&ipf_rw); (x)++; \
mutex_exit(&ipf_rw); }
# define ATOMIC_DEC(x) { mutex_enter(&ipf_rw); (x)--; \
@@ -374,29 +416,6 @@ typedef struct {
# define KMALLOC(a,b) (a) = (b)kmem_alloc(sizeof(*(a)), KM_NOSLEEP)
# define KMALLOCS(a,b,c) (a) = (b)kmem_alloc((c), KM_NOSLEEP)
# define GET_MINOR(x) getminor(x)
-typedef struct qif {
- struct qif *qf_next;
- ill_t *qf_ill;
- kmutex_t qf_lock;
- void *qf_iptr;
- void *qf_optr;
- queue_t *qf_in;
- queue_t *qf_out;
- struct qinit *qf_wqinfo;
- struct qinit *qf_rqinfo;
- struct qinit qf_wqinit;
- struct qinit qf_rqinit;
- mblk_t *qf_m; /* These three fields are for passing data up from */
- queue_t *qf_q; /* fr_qin and fr_qout to the packet processing. */
- size_t qf_off;
- size_t qf_len; /* this field is used for in ipfr_fastroute */
- char qf_name[8];
- /*
- * in case the ILL has disappeared...
- */
- size_t qf_hl; /* header length */
- int qf_sap;
-} qif_t;
extern ill_t *get_unit __P((char *, int));
# define GETUNIT(n, v) get_unit(n, v)
# define IFNAME(x) ((ill_t *)x)->ill_name
@@ -452,7 +471,9 @@ extern ill_t *get_unit __P((char *, int));
(defined(OpenBSD) && (OpenBSD >= 199603))
# define IFNAME(x) ((struct ifnet *)x)->if_xname
# else
-# define IFNAME(x) ((struct ifnet *)x)->if_name
+# define USE_GETIFNAME 1
+# define IFNAME(x) get_ifname((struct ifnet *)x)
+extern char *get_ifname __P((struct ifnet *));
# endif
# endif
# endif /* sun */
@@ -508,7 +529,8 @@ extern vm_map_t kmem_map;
# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
# define WAKEUP(id) wakeup(id)
# endif /* BSD */
-# if defined(NetBSD) && NetBSD <= 1991011 && NetBSD >= 199407
+# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199407)) || \
+ (defined(OpenBSD) && (OpenBSD >= 200006))
# define SPL_NET(x) x = splsoftnet()
# define SPL_X(x) (void) splx(x)
# else
@@ -517,7 +539,7 @@ extern vm_map_t kmem_map;
# define SPL_NET(x) x = splnet()
# define SPL_X(x) (void) splx(x)
# endif
-# endif /* NetBSD && NetBSD <= 1991011 && NetBSD >= 199407 */
+# endif /* NetBSD && (NetBSD <= 1991011) && (NetBSD >= 199407) */
# define PANIC(x,y) if (x) panic y
#else /* KERNEL */
# define SLEEP(x,y) ;
@@ -576,7 +598,6 @@ typedef struct mbuf mb_t;
# endif
#endif /* SOLARIS */
-#if defined(linux) || defined(__sgi)
/*
* These #ifdef's are here mainly for linux, but who knows, they may
* not be in other places or maybe one day linux will grow up and some
@@ -615,6 +636,9 @@ typedef struct mbuf mb_t;
#ifndef ICMP_MASKREPLY
# define ICMP_MASKREPLY ICMP_ADDRESSREPLY
#endif
+#ifndef ICMP_PARAMPROB_OPTABSENT
+# define ICMP_PARAMPROB_OPTABSENT 1
+#endif
#ifndef IPVERSION
# define IPVERSION 4
#endif
@@ -702,7 +726,6 @@ typedef struct mbuf mb_t;
#ifndef IPOPT_OLEN
# define IPOPT_OLEN 1
#endif
-#endif /* linux || __sgi */
#ifdef linux
#include <linux/in_systm.h>
diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c
index 9253775..e15ff67 100644
--- a/contrib/ipfilter/ip_fil.c
+++ b/contrib/ipfilter/ip_fil.c
@@ -1,15 +1,8 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.17 2000/10/19 15:39:42 darrenr Exp $";
-#endif
-
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
@@ -118,6 +111,11 @@ static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.17 2000/10/19 15:39:42 d
extern int ip_optcopy __P((struct ip *, struct ip *));
#endif
+#if !defined(lint)
+static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed";
+static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.34 2001/07/23 13:49:57 darrenr Exp $";
+#endif
+
extern struct protosw inetsw[];
@@ -131,7 +129,11 @@ extern int tcp_ttl;
# endif
#endif
+#ifdef ICMP_UNREACH_FILTER_PROHIB
+int ipl_unreach = ICMP_UNREACH_FILTER_PROHIB;
+#else
int ipl_unreach = ICMP_UNREACH_FILTER;
+#endif
u_long ipl_frouteok[2] = {0, 0};
static int frzerostats __P((caddr_t));
@@ -171,6 +173,10 @@ struct callout_handle ipfr_slowtimer_ch;
# include <sys/callout.h>
struct callout ipfr_slowtimer_ch;
#endif
+#if defined(__OpenBSD__)
+# include <sys/timeout.h>
+struct timeout ipfr_slowtimer_ch;
+#endif
#if defined(__sgi) && defined(_KERNEL)
toid_t ipfr_slowtimer_ch;
#endif
@@ -246,12 +252,18 @@ int iplattach()
# ifdef IPFILTER_LOG
ipflog_init();
# endif
- if (nat_init() == -1)
- return -1;
- if (fr_stateinit() == -1)
- return -1;
- if (appr_init() == -1)
- return -1;
+ if (nat_init() == -1) {
+ SPL_X(s);
+ return EIO;
+ }
+ if (fr_stateinit() == -1) {
+ SPL_X(s);
+ return EIO;
+ }
+ if (appr_init() == -1) {
+ SPL_X(s);
+ return EIO;
+ }
# ifdef NETBSD_PF
# if __NetBSD_Version__ >= 104200000
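Review bot: The three early returns restore the interrupt level but do not undo the initialisers that already succeeded: a failure in `fr_stateinit()` or `appr_init()` returns EIO with the tables from the earlier calls still set up. The pfil error paths later in this function call `appr_unload(); ip_natunload(); fr_stateunload();` before returning, and the same unwind looks appropriate here, unless the init routines clean up after themselves, which the hunk does not show. The return value also changes from -1 to EIO, so callers that compared against -1 need checking.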
@@ -261,6 +273,7 @@ int iplattach()
# ifdef USE_INET6
goto pfil_error;
# else
+ SPL_X(s);
appr_unload();
ip_natunload();
fr_stateunload();
@@ -277,6 +290,7 @@ int iplattach()
pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
&inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
pfil_error:
+ SPL_X(s);
appr_unload();
ip_natunload();
fr_stateunload();
@@ -321,10 +335,15 @@ pfil_error:
callout_init(&ipfr_slowtimer_ch);
callout_reset(&ipfr_slowtimer_ch, hz / 2, ipfr_slowtimer, NULL);
# else
-# if (__FreeBSD_version >= 300000) || defined(__sgi)
- ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
+# if defined(__OpenBSD__)
+ timeout_set(&ipfr_slowtimer_ch, ipfr_slowtimer, NULL);
+ timeout_add(&ipfr_slowtimer_ch, hz/2);
# else
+# if (__FreeBSD_version >= 300000) || defined(__sgi)
+ ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
+# else
timeout(ipfr_slowtimer, NULL, hz/2);
+# endif
# endif
# endif
#endif
@@ -353,8 +372,12 @@ int ipldetach()
# ifdef __sgi
untimeout(ipfr_slowtimer_ch);
# else
+# if defined(__OpenBSD__)
+ timeout_del(&ipfr_slowtimer_ch);
+# else
untimeout(ipfr_slowtimer, NULL);
-# endif
+# endif /* OpenBSD */
+# endif /* __sgi */
# endif /* FreeBSD */
# endif /* NetBSD */
#endif
@@ -376,16 +399,20 @@ int ipldetach()
# if __NetBSD_Version__ >= 104200000
error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
&inetsw[ip_protox[IPPROTO_IP]].pr_pfh);
- if (error)
+ if (error) {
+ SPL_X(s);
return error;
+ }
# else
pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT);
# endif
# ifdef USE_INET6
error = pfil_remove_hook((void *)fr_check, PFIL_IN|PFIL_OUT,
&inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
- if (error)
+ if (error) {
+ SPL_X(s);
return error;
+ }
# endif
# endif
@@ -489,8 +516,9 @@ int mode;
}
if (unit == IPL_LOGAUTH) {
if (!fr_running)
- return EIO;
- error = fr_auth_ioctl(data, cmd, NULL, NULL);
+ error = EIO;
+ else
+ error = fr_auth_ioctl(data, mode, cmd, NULL, NULL);
SPL_X(s);
return error;
}
@@ -564,7 +592,7 @@ int mode;
fr_getstat(&fio);
error = IWCOPYPTR((caddr_t)&fio, data, sizeof(fio));
if (error)
- return EFAULT;
+ error = EFAULT;
break;
}
case SIOCFRZST :
@@ -607,7 +635,7 @@ int mode;
error = IWCOPYPTR((caddr_t)ipfr_fragstats(), data,
sizeof(ipfrstat_t));
if (error)
- return EFAULT;
+ error = EFAULT;
break;
case SIOCAUTHW :
case SIOCAUTHR :
@@ -820,8 +848,6 @@ caddr_t data;
return EBUSY;
if (fg && fg->fg_head)
fg->fg_head->fr_ref--;
- if (unit == IPL_LOGAUTH)
- return fr_auth_ioctl(data, req, f, ftail);
if (f->fr_grhead)
fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
unit, set);
@@ -835,8 +861,6 @@ caddr_t data;
if (f)
error = EEXIST;
else {
- if (unit == IPL_LOGAUTH)
- return fr_auth_ioctl(data, req, fp, ftail);
KMALLOC(f, frentry_t *);
if (f != NULL) {
if (fg && fg->fg_head)
@@ -1068,7 +1092,7 @@ struct mbuf *m;
# ifdef IPSEC
m->m_pkthdr.rcvif = NULL;
# endif
- return ipfr_fastroute(m, fin, NULL);
+ return ipfr_fastroute(m, fin->fin_mp, fin, NULL);
}
@@ -1079,6 +1103,7 @@ fr_info_t *fin;
int dst;
{
int err, hlen = 0, xtra = 0, iclen, ohlen = 0, avail, code;
+ u_short shlen, slen = 0, soff = 0;
struct in_addr dst4;
struct icmp *icmp;
struct mbuf *m;
@@ -1220,6 +1245,11 @@ int dst;
} else
#endif
{
+ slen = oip->ip_len;
+ oip->ip_len = htons(oip->ip_len);
+ soff = oip->ip_off;
+ oip->ip_off = htons(ip->ip_off);
+
ip->ip_src.s_addr = dst4.s_addr;
ip->ip_dst.s_addr = oip->ip_src.s_addr;
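Review bot: `oip->ip_off = htons(ip->ip_off);` converts the offset field of the new header `ip`, not of the original packet, although the line above saves `soff = oip->ip_off` and the length is handled as `oip->ip_len = htons(oip->ip_len);`. This looks like a typo for `oip->ip_off = htons(oip->ip_off);`; as written, `oip->ip_off` holds a value taken from the other header for the duration of `send_ip()`. The later hunk restores `oip->ip_off = soff`, so the original packet is repaired afterwards. The enclosing function starts and ends outside the hunk.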
@@ -1233,7 +1263,18 @@ int dst;
ip->ip_len = iclen;
ip->ip_p = IPPROTO_ICMP;
}
+
+ shlen = fin->fin_hlen;
+ fin->fin_hlen = hlen;
err = send_ip(oip, fin, m);
+ fin->fin_hlen = shlen;
+#ifdef USE_INET6
+ if (fin->fin_v == 4)
+#endif
+ {
+ oip->ip_len = slen;
+ oip->ip_off = soff;
+ }
return err;
}
@@ -1268,8 +1309,8 @@ register struct mbuf *m0;
}
-int ipfr_fastroute(m0, fin, fdp)
-struct mbuf *m0;
+int ipfr_fastroute(m0, mpp, fin, fdp)
+struct mbuf *m0, **mpp;
fr_info_t *fin;
frdest_t *fdp;
{
@@ -1282,16 +1323,49 @@ frdest_t *fdp;
struct route iproute;
frentry_t *fr;
+#ifdef M_WRITABLE
+ /*
+ * HOT FIX/KLUDGE:
+ *
+ * If the mbuf we're about to send is not writable (because of
+ * a cluster reference, for example) we'll need to make a copy
+ * of it since this routine modifies the contents.
+ *
+ * If you have non-crappy network hardware that can transmit data
+ * from the mbuf, rather than making a copy, this is gonna be a
+ * problem.
+ */
+ if (M_WRITABLE(m) == 0) {
+ if ((m0 = m_dup(m, M_DONTWAIT)) != 0) {
+ m_freem(m);
+ m = m0;
+ } else {
+ error = ENOBUFS;
+ m_freem(m);
+ ipl_frouteok[1]++;
+ }
+ }
+#endif
+
hlen = fin->fin_hlen;
ip = mtod(m0, struct ip *);
+#if defined(__NetBSD__) && defined(M_CSUM_IPv4)
+ /*
+ * Clear any in-bound checksum flags for this packet.
+ */
+ m0->m_pkthdr.csuminfo = 0;
+#endif /* __NetBSD__ && M_CSUM_IPv4 */
+
#ifdef USE_INET6
if (ip->ip_v == 6) {
/*
* currently "to <if>" and "to <if>:ip#" are not supported
* for IPv6
*/
- return ip6_output(m0, NULL, NULL, 0, NULL, NULL);
+ error = ip6_output(m0, NULL, NULL, 0, NULL, NULL);
+ *mpp = NULL;
+ return error;
}
#endif
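Review bot: When `m_dup()` fails in the new M_WRITABLE block, the code frees `m`, sets `error = ENOBUFS` and then falls through to `ip = mtod(m0, struct ip *);` with `m0` equal to 0. The failure branch needs to leave the function, e.g. `*mpp = NULL; return error;`, matching how the `done:` path later hands ownership back to the caller. On the success branch the original mbuf is freed as well, so any return taken before `*mpp = NULL` is reached (the `return 0` in the next hunk is one) presumably leaves the caller's `*mpp` pointing at freed memory. The declarations of `m` and `error` are outside the hunk.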
/*
@@ -1316,10 +1390,15 @@ frdest_t *fdp;
*/
if ((fr != NULL) && (fin->fin_rev != 0)) {
if ((ifp != NULL) && (fdp == &fr->fr_tif))
- return -1;
+ return 0;
dst->sin_addr = ip->ip_dst;
- } else if (fdp)
- dst->sin_addr = fdp->fd_ip.s_addr ? fdp->fd_ip : ip->ip_dst;
+ } else if (fdp) {
+ if (fdp->fd_ip.s_addr) {
+ dst->sin_addr = fdp->fd_ip;
+ ip->ip_dst = fdp->fd_ip;
+ } else
+ dst->sin_addr = ip->ip_dst;
+ }
# if BSD >= 199306
dst->sin_len = sizeof(*dst);
@@ -1374,36 +1453,44 @@ frdest_t *fdp;
* If small enough for interface, can just send directly.
*/
if (ip->ip_len <= ifp->if_mtu) {
-# if BSD >= 199306
+# if defined(MCLISREFERENCED) && !defined(sparc)
int i = 0;
-# ifdef MCLISREFERENCED
if ((m->m_flags & M_EXT) && MCLISREFERENCED(m))
-# else
- if (m->m_flags & M_EXT)
-# endif
i = 1;
# endif
# ifndef sparc
+# if !(_BSDI_VERSION >= 199510)
ip->ip_id = htons(ip->ip_id);
+# endif
ip->ip_len = htons(ip->ip_len);
ip->ip_off = htons(ip->ip_off);
# endif
+# if defined(__NetBSD__) && defined(M_CSUM_IPv4)
+ if (ifp->if_capabilities & IFCAP_CSUM_IPv4)
+ m->m_pkthdr.csuminfo |= M_CSUM_IPv4;
+ else if (ip->ip_sum == 0)
+ ip->ip_sum = in_cksum(m, hlen);
+# else
if (!ip->ip_sum)
ip->ip_sum = in_cksum(m, hlen);
+# endif /* __NetBSD__ && M_CSUM_IPv4 */
# if BSD >= 199306
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
ro->ro_rt);
+# if defined(MCLISREFERENCED) && !defined(sparc)
if (i) {
ip->ip_id = ntohs(ip->ip_id);
ip->ip_len = ntohs(ip->ip_len);
ip->ip_off = ntohs(ip->ip_off);
}
+# endif
# else
error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst);
# endif
goto done;
}
+
/*
* Too large for interface; fragment if possible.
* Must be able to put at least 8 bytes per fragment.
@@ -1506,9 +1593,11 @@ done:
else
ipl_frouteok[1]++;
- if (ro->ro_rt)
+ if (ro->ro_rt) {
RTFREE(ro->ro_rt);
- return 0;
+ }
+ *mpp = NULL;
+ return error;
bad:
if (error == EMSGSIZE) {
sifp = fin->fin_ifp;
@@ -1550,6 +1639,18 @@ void *ifp;
return (ifp == iproute.ro_rt->rt_ifp);
}
+
+# ifdef USE_GETIFNAME
+char *
+get_ifname(ifp)
+struct ifnet *ifp;
+{
+ static char workbuf[64];
+
+ sprintf(workbuf, "%s%d", ifp->if_name, ifp->if_unit);
+ return workbuf;
+}
+# endif
#else /* #ifdef _KERNEL */
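Review bot: `get_ifname()` formats into a single `static char workbuf[64]` with an unbounded `sprintf` and returns that shared buffer. Two callers running concurrently, or one IFNAME() result kept across another call, will see each other's text, and a long `if_name` is not bounded by the 64 bytes. `snprintf(workbuf, sizeof(workbuf), "%s%d", ifp->if_name, ifp->if_unit);` covers the length where the target kernel provides it. A comment on the function saying the result is only valid until the next call would document the sharing.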
@@ -1586,9 +1687,9 @@ ip_t *ip;
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
- sprintf(fname, "/tmp/%s", ifp->if_xname);
+ sprintf(fname, "%s", ifp->if_xname);
# else
- sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
+ sprintf(fname, "%s%d", ifp->if_name, ifp->if_unit);
# endif
fd = open(fname, O_WRONLY|O_APPEND);
if (fd == -1) {
@@ -1605,7 +1706,7 @@ struct ifnet *get_unit(name, v)
char *name;
int v;
{
- struct ifnet *ifp, **ifa;
+ struct ifnet *ifp, **ifa, **old_ifneta;
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
@@ -1634,10 +1735,12 @@ int v;
}
nifs = 1;
} else {
+ old_ifneta = ifneta;
nifs++;
ifneta = (struct ifnet **)realloc(ifneta,
(nifs + 1) * sizeof(*ifa));
if (!ifneta) {
+ free(old_ifneta);
nifs = 0;
return NULL;
}
@@ -1704,28 +1807,6 @@ void init_ifp()
}
-int ipfr_fastroute(ip, fin, fdp)
-ip_t *ip;
-fr_info_t *fin;
-frdest_t *fdp;
-{
- struct ifnet *ifp = fdp->fd_ifp;
-
- if (!ifp)
- return 0; /* no routing table out here */
-
- ip->ip_len = htons((u_short)ip->ip_len);
- ip->ip_off = htons((u_short)(ip->ip_off | IP_MF));
- ip->ip_sum = 0;
-#ifdef __sgi
- (*ifp->if_output)(ifp, (void *)ip, NULL);
-#else
- (*ifp->if_output)(ifp, (void *)ip, NULL, 0);
-#endif
- return 0;
-}
-
-
int ipllog __P((void))
{
verbose("l");
diff --git a/contrib/ipfilter/ip_fil.h b/contrib/ipfilter/ip_fil.h
index ed1cfc4..6d51ced 100644
--- a/contrib/ipfilter/ip_fil.h
+++ b/contrib/ipfilter/ip_fil.h
@@ -1,12 +1,10 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
- * $Id: ip_fil.h,v 2.29.2.4 2000/11/12 11:54:53 darrenr Exp $
+ * $Id: ip_fil.h,v 2.29.2.10 2001/07/15 13:51:42 darrenr Exp $
*/
#ifndef __IP_FIL_H__
@@ -59,7 +57,7 @@
# define SIOCSTLCK _IOWR('r', 79, u_int)
# define SIOCSTPUT _IOWR('r', 80, struct ipstate_save *)
# define SIOCSTGET _IOWR('r', 81, struct ipstate_save *)
-# define SIOCSTGSZ _IOWR('r', 82, struct natget *)
+# define SIOCSTGSZ _IOWR('r', 82, struct natget)
# define SIOCGFRST _IOWR('r', 83, struct ipfrstat *)
#else
# define SIOCADAFR _IOW(r, 60, struct frentry *)
@@ -84,7 +82,7 @@
# define SIOCSTLCK _IOWR(r, 79, u_int)
# define SIOCSTPUT _IOWR(r, 80, struct ipstate_save *)
# define SIOCSTGET _IOWR(r, 81, struct ipstate_save *)
-# define SIOCSTGSZ _IOWR(r, 82, struct natget *)
+# define SIOCSTGSZ _IOWR(r, 82, struct natget)
# define SIOCGFRST _IOWR(r, 83, struct ipfrstat *)
#endif
#define SIOCADDFR SIOCADAFR
@@ -152,7 +150,10 @@ typedef struct fr_info {
u_short fin_off;
} fr_info_t;
-#define fin_v fin_fi.fi_v
+#define fin_v fin_fi.fi_v
+#define fin_saddr fin_fi.fi_saddr
+#define fin_daddr fin_fi.fi_daddr
+#define fin_fl fin_fi.fi_fl
/*
* Size for compares on fr_info structures
@@ -168,6 +169,9 @@ typedef struct frdest {
void *fd_ifp;
struct in_addr fd_ip;
char fd_ifname[IFNAMSIZ];
+#if SOLARIS
+ mb_t *fd_mp; /* cache resolver for to/dup-to */
+#endif
} frdest_t;
typedef struct frpcmp {
@@ -192,8 +196,6 @@ typedef struct frtuc {
typedef struct frentry {
struct frentry *fr_next;
- u_32_t fr_group; /* group to which this rule belongs */
- u_32_t fr_grhead; /* group # which this rule starts */
struct frentry *fr_grp;
int fr_ref; /* reference count - for grouping */
void *fr_ifa;
@@ -217,6 +219,8 @@ typedef struct frentry {
u_short fr_icmp;
frtuc_t fr_tuc;
+ u_32_t fr_group; /* group to which this rule belongs */
+ u_32_t fr_grhead; /* group # which this rule starts */
u_32_t fr_flags; /* per-rule flags && options (see below) */
u_int fr_skip; /* # of rules to skip */
u_int fr_loglevel; /* syslog log facility + priority */
@@ -436,6 +440,8 @@ typedef struct ipflog {
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
#define IPLLOGSIZE 8192
+#define IPF_OPTCOPY 0x07ff00 /* bit mask of copied options */
+
/*
* Device filenames for reading log information. Use ipf on Solaris2 because
* ipl is already a name used by something else.
@@ -484,7 +490,6 @@ extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
extern int send_reset __P((ip_t *, struct ifnet *));
extern int icmp_error __P((ip_t *, struct ifnet *));
extern int ipf_log __P((void));
-extern int ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
extern struct ifnet *get_unit __P((char *, int));
# if defined(__NetBSD__) || defined(__OpenBSD__) || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
@@ -530,7 +535,7 @@ extern int iplread __P((dev_t, struct uio *, cred_t *));
# else /* SOLARIS */
extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
-extern int ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *));
+extern int ipfr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
extern size_t mbufchainlen __P((mb_t *));
# ifdef __sgi
# include <sys/cred.h>
diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c
index 556478d..b0e63a9 100644
--- a/contrib/ipfilter/ip_frag.c
+++ b/contrib/ipfilter/ip_frag.c
@@ -1,15 +1,8 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.7 2000/11/27 10:26:56 darrenr Exp $";
-#endif
-
#if defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
#endif
@@ -81,7 +74,7 @@ static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.7 2000/11/27 10:26:56 d
# ifndef IPFILTER_LKM
# include <sys/libkern.h>
# include <sys/systm.h>
-# endif
+# endif
extern struct callout_handle ipfr_slowtimer_ch;
# endif
#endif
@@ -89,6 +82,15 @@ extern struct callout_handle ipfr_slowtimer_ch;
# include <sys/callout.h>
extern struct callout ipfr_slowtimer_ch;
#endif
+#if defined(__OpenBSD__)
+# include <sys/timeout.h>
+extern struct timeout ipfr_slowtimer_ch;
+#endif
+
+#if !defined(lint)
+static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
+static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.14 2001/07/15 22:06:15 darrenr Exp $";
+#endif
static ipfr_t *ipfr_heads[IPFT_SIZE];
@@ -141,12 +143,15 @@ fr_info_t *fin;
u_int pass;
ipfr_t *table[];
{
- ipfr_t **fp, *fra, frag;
- u_int idx;
+ ipfr_t **fp, *fra, frag;
+ u_int idx, off;
if (ipfr_inuse >= IPFT_SIZE)
return NULL;
+ if (!(fin->fin_fl & FI_FRAG))
+ return NULL;
+
frag.ipfr_p = ip->ip_p;
idx = ip->ip_p;
frag.ipfr_id = ip->ip_id;
@@ -160,6 +165,10 @@ ipfr_t *table[];
idx *= 127;
idx %= IPFT_SIZE;
+ frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY;
+ frag.ipfr_secmsk = fin->fin_fi.fi_secmsk;
+ frag.ipfr_auth = fin->fin_fi.fi_auth;
+
/*
* first, make sure it isn't already there...
*/
@@ -200,7 +209,10 @@ ipfr_t *table[];
/*
* Compute the offset of the expected start of the next packet.
*/
- fra->ipfr_off = (ip->ip_off & IP_OFFMASK) + (fin->fin_dlen >> 3);
+ off = ip->ip_off & IP_OFFMASK;
+ if (!off)
+ fra->ipfr_seen0 = 1;
+ fra->ipfr_off = off + (fin->fin_dlen >> 3);
ATOMIC_INCL(ipfr_stats.ifs_new);
ATOMIC_INC32(ipfr_inuse);
return fra;
@@ -219,7 +231,12 @@ u_int pass;
WRITE_ENTER(&ipf_frag);
ipf = ipfr_new(ip, fin, pass, ipfr_heads);
RWLOCK_EXIT(&ipf_frag);
- return ipf ? 0 : -1;
+ if (ipf == NULL) {
+ ATOMIC_INCL(frstats[fin->fin_out].fr_bnfr);
+ return -1;
+ }
+ ATOMIC_INCL(frstats[fin->fin_out].fr_nfr);
+ return 0;
}
@@ -230,9 +247,16 @@ u_int pass;
nat_t *nat;
{
ipfr_t *ipf;
+ int off;
if ((ip->ip_v != 4) || (fr_frag_lock))
return -1;
+
+ off = fin->fin_off;
+ off <<= 3;
+ if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
+ return NULL;
+
WRITE_ENTER(&ipf_natfrag);
ipf = ipfr_new(ip, fin, pass, ipfr_nattab);
if (ipf != NULL) {
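Review bot: The new bounds check ends with `return NULL;`, but the guard directly above it returns `-1`, which suggests this function returns an int status. NULL would then read as 0, so a refused fragment (offset plus data length above 0xffff, or zero data length) looks like success to the caller. Use `return -1;` so these refusals are reported like the version and lock refusals. The function header is outside the hunk, so confirm the return type there. The same check in ipfr_nat_knownfrag and ipfr_knownfrag returns a pointer, where NULL is correct.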
@@ -254,8 +278,8 @@ fr_info_t *fin;
ipfr_t *table[];
{
ipfr_t *f, frag;
- u_int idx;
-
+ u_int idx;
+
/*
* For fragments, we record protocol, packet id, TOS and both IP#'s
* (these should all be the same for all fragments of a packet).
@@ -275,6 +299,10 @@ ipfr_t *table[];
idx *= 127;
idx %= IPFT_SIZE;
+ frag.ipfr_optmsk = fin->fin_fi.fi_optmsk & IPF_OPTCOPY;
+ frag.ipfr_secmsk = fin->fin_fi.fi_secmsk;
+ frag.ipfr_auth = fin->fin_fi.fi_auth;
+
/*
* check the table, careful to only compare the right amount of data
*/
@@ -283,6 +311,20 @@ ipfr_t *table[];
IPFR_CMPSZ)) {
u_short atoff, off;
+ off = fin->fin_off;
+
+ /*
+ * XXX - We really need to be guarding against the
+ * retransmission of (src,dst,id,offset-range) here
+ * because a fragmented packet is never resent with
+ * the same IP ID#.
+ */
+ if (f->ipfr_seen0) {
+ if (!off || (fin->fin_fl & FI_SHORT))
+ continue;
+ } else if (!off)
+ f->ipfr_seen0 = 1;
+
if (f != table[idx]) {
/*
* move fragment info. to the top of the list
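Review bot: The added `f->ipfr_seen0 = 1;` stores into a shared table entry, yet the two callers visible later in this file, ipfr_nat_knownfrag and ipfr_knownfrag, take only `READ_ENTER` before calling the lookup. Two offset-zero fragments with the same key handled at the same time could both find `ipfr_seen0` clear and both be accepted, which weakens the duplicate-first-fragment check this hunk introduces. Either take the write lock on this path or add a comment saying why the unsynchronised store is acceptable. The enclosing loop and function begin outside the hunk.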
@@ -295,7 +337,6 @@ ipfr_t *table[];
f->ipfr_prev = NULL;
table[idx] = f;
}
- off = ip->ip_off & IP_OFFMASK;
atoff = off + (fin->fin_dlen >> 3);
/*
* If we've follwed the fragments, and this is the
@@ -321,11 +362,18 @@ nat_t *ipfr_nat_knownfrag(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
- nat_t *nat;
- ipfr_t *ipf;
+ ipfr_t *ipf;
+ nat_t *nat;
+ int off;
- if ((ip->ip_v != 4) || (fr_frag_lock))
+ if ((fin->fin_v != 4) || (fr_frag_lock))
+ return NULL;
+
+ off = fin->fin_off;
+ off <<= 3;
+ if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
return NULL;
+
READ_ENTER(&ipf_natfrag);
ipf = ipfr_lookup(ip, fin, ipfr_nattab);
if (ipf != NULL) {
@@ -351,15 +399,24 @@ frentry_t *ipfr_knownfrag(ip, fin)
ip_t *ip;
fr_info_t *fin;
{
- frentry_t *fr = NULL;
- ipfr_t *fra;
+ frentry_t *fr;
+ ipfr_t *fra;
+ int off;
- if ((ip->ip_v != 4) || (fr_frag_lock))
+ if ((fin->fin_v != 4) || (fr_frag_lock))
+ return NULL;
+
+ off = fin->fin_off;
+ off <<= 3;
+ if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0))
return NULL;
+
READ_ENTER(&ipf_frag);
fra = ipfr_lookup(ip, fin, ipfr_heads);
if (fra != NULL)
fr = fra->ipfr_rule;
+ else
+ fr = NULL;
RWLOCK_EXIT(&ipf_frag);
return fr;
}
@@ -544,7 +601,11 @@ int ipfr_slowtimer()
# if (__FreeBSD_version >= 300000)
ipfr_slowtimer_ch = timeout(ipfr_slowtimer, NULL, hz/2);
# else
+# if defined(__OpenBSD_)
+ timeout_add(&ipfr_slowtimer_ch, hz/2, ipfr_slowtimer, NULL);
+# else
timeout(ipfr_slowtimer, NULL, hz/2);
+# endif
# endif
# if (BSD < 199306) && !defined(__sgi)
return 0;
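Review bot: The guard `# if defined(__OpenBSD_)` is missing its second trailing underscore, so it can never match; the include block added earlier in this file tests `__OpenBSD__`. As written, an OpenBSD build that reaches this `#else` arm falls through to `timeout(ipfr_slowtimer, NULL, hz/2);`, even though `ipfr_slowtimer_ch` is declared there as `struct timeout`. Change it to `# if defined(__OpenBSD__)`. The `timeout_add()` call has not been compiled so far, so also check its argument list against the target release. The outer conditionals start outside the hunk.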
diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h
index 362bcdd..446510f 100644
--- a/contrib/ipfilter/ip_frag.h
+++ b/contrib/ipfilter/ip_frag.h
@@ -1,12 +1,10 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_frag.h 1.5 3/24/96
- * $Id: ip_frag.h,v 2.4.2.2 2000/11/10 13:10:54 darrenr Exp $
+ * $Id: ip_frag.h,v 2.4.2.5 2001/06/26 10:43:13 darrenr Exp $
*/
#ifndef __IP_FRAG_H__
@@ -20,11 +18,15 @@ typedef struct ipfr {
struct in_addr ipfr_src;
struct in_addr ipfr_dst;
void *ipfr_ifp;
+ u_32_t ipfr_optmsk;
+ u_short ipfr_secmsk;
+ u_short ipfr_auth;
u_short ipfr_id;
u_char ipfr_p;
u_char ipfr_tos;
u_short ipfr_off;
- u_short ipfr_ttl;
+ u_char ipfr_ttl;
+ u_char ipfr_seen0;
frentry_t *ipfr_rule;
} ipfr_t;
@@ -40,7 +42,8 @@ typedef struct ipfrstat {
struct ipfr **ifs_nattab;
} ipfrstat_t;
-#define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1)
+#define IPFR_CMPSZ (offsetof(ipfr_t, ipfr_off) - \
+ offsetof(ipfr_t, ipfr_src))
extern int fr_ipfrttl;
extern int fr_frag_lock;
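Review bot: `IPFR_CMPSZ` now spans every byte from `ipfr_src` up to `ipfr_off`, which takes in `ipfr_ifp`, the three new mask fields and any padding the compiler places between them. The lookup key in ip_frag.c is a stack `ipfr_t frag` filled member by member, so any byte in that range that is never written makes the compare depend on stack contents. A fragment could then miss its cache entry. Whether `frag.ipfr_ifp` is assigned is not visible in these hunks. Zero the key before filling it (`bzero((char *)&frag, sizeof(frag));`), or add a comment at the macro that every member in the range must be set. `offsetof` also needs its defining header wherever the macro is used, and this hunk adds none.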
diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c
index ddca889..830a4f6 100644
--- a/contrib/ipfilter/ip_ftp_pxy.c
+++ b/contrib/ipfilter/ip_ftp_pxy.c
@@ -2,7 +2,7 @@
* Simple FTP transparent proxy for in-kernel use. For use with the NAT
* code.
*
- * $Id: ip_ftp_pxy.c,v 2.7.2.20 2000/12/02 00:15:06 darrenr Exp $
+ * $Id: ip_ftp_pxy.c,v 2.7.2.26 2001/07/15 13:50:54 darrenr Exp $
*/
#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_rw;
@@ -22,6 +22,22 @@ extern kmutex_t ipf_rw;
#define IPF_MAX227LEN 51
#define IPF_FTPBUFSZ 96 /* This *MUST* be >= 53! */
+#define FTPXY_GO 0
+#define FTPXY_INIT 1
+#define FTPXY_USER_1 2
+#define FTPXY_USOK_1 3
+#define FTPXY_PASS_1 4
+#define FTPXY_PAOK_1 5
+#define FTPXY_AUTH_1 6
+#define FTPXY_AUOK_1 7
+#define FTPXY_ADAT_1 8
+#define FTPXY_ADOK_1 9
+#define FTPXY_ACCT_1 10
+#define FTPXY_ACOK_1 11
+#define FTPXY_USER_2 12
+#define FTPXY_USOK_2 13
+#define FTPXY_PASS_2 14
+#define FTPXY_PAOK_2 15
int ippr_ftp_client __P((fr_info_t *, ip_t *, nat_t *, ftpinfo_t *, int));
int ippr_ftp_complete __P((char *, size_t));
@@ -75,6 +91,7 @@ nat_t *nat;
f = &ftp->ftp_side[1];
f->ftps_rptr = f->ftps_buf;
f->ftps_wptr = f->ftps_buf;
+ ftp->ftp_passok = FTPXY_INIT;
return 0;
}
@@ -215,7 +232,7 @@ int dlen;
sum2 -= sum1;
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
- fix_outcksum(&ip->ip_sum, sum2);
+ fix_outcksum(fin, &ip->ip_sum, sum2);
#endif
ip->ip_len += inc;
}
@@ -255,6 +272,7 @@ int dlen;
fi.fin_dlen = sizeof(*tcp2);
fi.fin_dp = (char *)tcp2;
fi.fin_fr = &natfr;
+ fi.fin_out = 1;
swip = ip->ip_src;
fi.fin_fi.fi_saddr = nat->nat_inip.s_addr;
ip->ip_src = nat->nat_inip;
@@ -297,11 +315,36 @@ int dlen;
}
cmd[i] = '\0';
- if ((ftp->ftp_passok == 0) && !strncmp(cmd, "USER ", 5))
- ftp->ftp_passok = 1;
- else if ((ftp->ftp_passok == 2) && !strncmp(cmd, "PASS ", 5))
- ftp->ftp_passok = 3;
- else if ((ftp->ftp_passok == 4) && !ippr_ftp_pasvonly &&
+ ftp->ftp_incok = 0;
+ if (!strncmp(cmd, "USER ", 5) || !strncmp(cmd, "XAUT ", 5)) {
+ if (ftp->ftp_passok == FTPXY_ADOK_1 ||
+ ftp->ftp_passok == FTPXY_AUOK_1) {
+ ftp->ftp_passok = FTPXY_USER_2;
+ ftp->ftp_incok = 1;
+ } else {
+ ftp->ftp_passok = FTPXY_USER_1;
+ ftp->ftp_incok = 1;
+ }
+ } else if (!strncmp(cmd, "AUTH ", 5)) {
+ ftp->ftp_passok = FTPXY_AUTH_1;
+ ftp->ftp_incok = 1;
+ } else if (!strncmp(cmd, "PASS ", 5)) {
+ if (ftp->ftp_passok == FTPXY_USOK_1) {
+ ftp->ftp_passok = FTPXY_PASS_1;
+ ftp->ftp_incok = 1;
+ } else if (ftp->ftp_passok == FTPXY_USOK_2) {
+ ftp->ftp_passok = FTPXY_PASS_2;
+ ftp->ftp_incok = 1;
+ }
+ } else if ((ftp->ftp_passok == FTPXY_AUOK_1) &&
+ !strncmp(cmd, "ADAT ", 5)) {
+ ftp->ftp_passok = FTPXY_ADAT_1;
+ ftp->ftp_incok = 1;
+ } else if ((ftp->ftp_passok == FTPXY_PAOK_2) &&
+ !strncmp(cmd, "ACCT ", 5)) {
+ ftp->ftp_passok = FTPXY_ACCT_1;
+ ftp->ftp_incok = 1;
+ } else if ((ftp->ftp_passok == FTPXY_GO) && !ippr_ftp_pasvonly &&
!strncmp(cmd, "PORT ", 5)) {
inc = ippr_ftp_port(fin, ip, nat, f, dlen);
} else if (ippr_ftp_insecure && !ippr_ftp_pasvonly &&
@@ -332,12 +375,13 @@ int dlen;
int inc;
char *s;
+#define PASV_REPLEN 24
/*
* Check for PASV reply message.
*/
if (dlen < IPF_MIN227LEN)
return 0;
- else if (strncmp(f->ftps_rptr, "227 Entering Passive Mode", 25))
+ else if (strncmp(f->ftps_rptr, "227 Entering Passive Mod", PASV_REPLEN))
return 0;
tcp = (tcphdr_t *)fin->fin_dp;
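Review bot: `PASV_REPLEN` is defined in the middle of a function body as a bare 24, which must be kept equal by hand to the length of the literal "227 Entering Passive Mod" used two lines later and to the pointer skip in the next hunk. Deriving it from the literal removes that coupling, for example `#define PASV_REPLEN (sizeof("227 Entering Passive Mod") - 1)`, placed with the other IPF_* length constants at the top of the file. A short comment on why the final "e" is left out of the match would also help the next reader. The function starts outside the hunk.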
@@ -345,7 +389,7 @@ int dlen;
/*
* Skip the PORT command + space
*/
- s = f->ftps_rptr + 25;
+ s = f->ftps_rptr + PASV_REPLEN;
while (*s && !isdigit(*s))
s++;
/*
@@ -373,6 +417,8 @@ int dlen;
if (*s == ')')
s++;
+ if (*s == '.')
+ s++;
if (*s == '\n')
s--;
/*
@@ -445,7 +491,7 @@ int dlen;
sum2 -= sum1;
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
- fix_outcksum(&ip->ip_sum, sum2);
+ fix_outcksum(fin, &ip->ip_sum, sum2);
#endif /* SOLARIS || defined(__sgi) */
ip->ip_len += inc;
}
@@ -469,12 +515,13 @@ int dlen;
tcp2->th_win = htons(8192);
tcp2->th_sport = 0; /* XXX - fake it for nat_new */
tcp2->th_off = 5;
- fi.fin_data[1] = a5 << 8 | a6;
+ fi.fin_data[0] = a5 << 8 | a6;
fi.fin_dlen = sizeof(*tcp2);
- tcp2->th_dport = htons(fi.fin_data[1]);
- fi.fin_data[0] = 0;
+ tcp2->th_dport = htons(fi.fin_data[0]);
+ fi.fin_data[1] = 0;
fi.fin_dp = (char *)tcp2;
fi.fin_fr = &natfr;
+ fi.fin_out = 1;
swip = ip->ip_src;
swip2 = ip->ip_dst;
fi.fin_fi.fi_daddr = ip->ip_src.s_addr;
@@ -511,17 +558,38 @@ int dlen;
rptr = f->ftps_rptr;
wptr = f->ftps_wptr;
- if ((ftp->ftp_passok == 1) && !strncmp(rptr, "331", 3))
- ftp->ftp_passok = 2;
- else if ((ftp->ftp_passok == 3) && !strncmp(rptr, "230", 3))
- ftp->ftp_passok = 4;
- else if ((ftp->ftp_passok == 3) && !strncmp(rptr, "530", 3))
- ftp->ftp_passok = 0;
- else if ((ftp->ftp_passok == 4) && !strncmp(rptr, "227 ", 4)) {
- inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
+ if (!isdigit(*rptr) || !isdigit(*(rptr + 1)) || !isdigit(*(rptr + 2)))
+ return inc;
+ if (ftp->ftp_passok == FTPXY_GO) {
+ if (!strncmp(rptr, "227 ", 4))
+ inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
} else if (ippr_ftp_insecure && !strncmp(rptr, "227 ", 4)) {
inc = ippr_ftp_pasv(fin, ip, nat, f, dlen);
+ } else if (*rptr == '5' || *rptr == '4')
+ ftp->ftp_passok = FTPXY_INIT;
+ else if (ftp->ftp_incok) {
+ if (*rptr == '3') {
+ if (ftp->ftp_passok == FTPXY_ACCT_1)
+ ftp->ftp_passok = FTPXY_GO;
+ else
+ ftp->ftp_passok++;
+ } else if (*rptr == '2') {
+ switch (ftp->ftp_passok)
+ {
+ case FTPXY_USER_1 :
+ case FTPXY_USER_2 :
+ case FTPXY_PASS_1 :
+ case FTPXY_PASS_2 :
+ case FTPXY_ACCT_1 :
+ ftp->ftp_passok = FTPXY_GO;
+ break;
+ default :
+ ftp->ftp_passok += 3;
+ break;
+ }
+ }
}
+ ftp->ftp_incok = 0;
while ((*rptr++ != '\n') && (rptr < wptr))
;
f->ftps_rptr = rptr;
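Review bot: The reply handling advances the login state with `ftp->ftp_passok++` and `ftp->ftp_passok += 3`, which is only correct while the FTPXY_* constants keep their present numeric order and spacing. Nothing at the defines or here says so, and a reordered or inserted state would silently change when PORT and 227 rewriting are allowed. Add a comment at the FTPXY_* block such as `/* values are order-dependent: the server-reply code uses ++ and += 3 */`, or assign the next state explicitly per case. The `isdigit(*rptr)` calls also pass a plain `char`; casting to `unsigned char` avoids undefined behaviour for bytes above 0x7f. The function starts outside the hunk.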
diff --git a/contrib/ipfilter/ip_lfil.c b/contrib/ipfilter/ip_lfil.c
index 4763ad7..14e6b42 100644
--- a/contrib/ipfilter/ip_lfil.c
+++ b/contrib/ipfilter/ip_lfil.c
@@ -1,12 +1,10 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6 2000/03/13 22:10:21 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_lfil.c,v 2.6.2.2 2001/07/18 14:57:09 darrenr Exp $";
#endif
#if defined(KERNEL) && !defined(_KERNEL)
@@ -337,7 +335,7 @@ int iplioctl(dev_t dev, int cmd, caddr_t data, int mode)
break;
}
case SIOCATHST :
- error = fr_auth_ioctl(data, cmd, NULL, NULL);
+ error = fr_auth_ioctl(data, mode, cmd, NULL, NULL);
break;
case SIOCFRSYN :
if (!(mode & FWRITE))
@@ -484,7 +482,7 @@ caddr_t data;
if (fg && fg->fg_head)
fg->fg_head->fr_ref--;
if (unit == IPL_LOGAUTH)
- return fr_auth_ioctl(data, req, f, ftail);
+ return fr_auth_ioctl(data, mode, req, f, ftail);
if (f->fr_grhead)
fr_delgroup((u_int)f->fr_grhead, fp->fr_flags,
unit, set);
@@ -497,7 +495,7 @@ caddr_t data;
error = EEXIST;
else {
if (unit == IPL_LOGAUTH)
- return fr_auth_ioctl(data, req, f, ftail);
+ return fr_auth_ioctl(data, mode, req, f, ftail);
KMALLOC(f, frentry_t *);
if (f != NULL) {
if (fg && fg->fg_head)
diff --git a/contrib/ipfilter/ip_log.c b/contrib/ipfilter/ip_log.c
index 8adc410..5968f46 100644
--- a/contrib/ipfilter/ip_log.c
+++ b/contrib/ipfilter/ip_log.c
@@ -1,11 +1,9 @@
/*
- * Copyright (C) 1997-2000 by Darren Reed.
+ * Copyright (C) 1997-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ip_log.c,v 2.5.2.2 2000/08/13 03:50:41 darrenr Exp $
+ * $Id: ip_log.c,v 2.5.2.5 2001/06/26 10:43:14 darrenr Exp $
*/
#include <sys/param.h>
#if defined(KERNEL) && !defined(_KERNEL)
@@ -21,7 +19,13 @@
# endif
# else
# ifdef KLD_MODULE
-# include <osreldate.h>
+# ifndef __FreeBSD_cc_version
+# include <osreldate.h>
+# else
+# if __FreeBSD_cc_version < 430000
+# include <osreldate.h>
+# endif
+# endif
# endif
# endif
#endif
@@ -45,7 +49,7 @@
# include <sys/ioctl.h>
# endif
# include <sys/time.h>
-# if defined(_KERNEL) && !defined(linux)
+# if defined(_KERNEL)
# include <sys/systm.h>
# endif
# include <sys/uio.h>
@@ -55,9 +59,7 @@
# else
# include <sys/dir.h>
# endif
-# ifndef linux
-# include <sys/mbuf.h>
-# endif
+# include <sys/mbuf.h>
# else
# include <sys/filio.h>
# include <sys/cred.h>
@@ -69,9 +71,7 @@
# include <sys/dditypes.h>
# include <sys/cmn_err.h>
# endif
-# ifndef linux
-# include <sys/protosw.h>
-# endif
+# include <sys/protosw.h>
# include <sys/socket.h>
# include <net/if.h>
@@ -89,7 +89,7 @@
# include <sys/hashing.h>
# endif
# endif
-# if !defined(linux) && !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /*IRIX<6*/
+# if !(defined(__sgi) && !defined(IFF_DRVRLOCK)) /*IRIX<6*/
# include <netinet/in_var.h>
# endif
# include <netinet/in_systm.h>
@@ -97,9 +97,7 @@
# include <netinet/tcp.h>
# include <netinet/udp.h>
# include <netinet/ip_icmp.h>
-# ifndef linux
-# include <netinet/ip_var.h>
-# endif
+# include <netinet/ip_var.h>
# ifndef _KERNEL
# include <syslog.h>
# endif
@@ -130,9 +128,6 @@ extern kcondvar_t iplwait;
iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1], *ipll[IPL_LOGMAX+1];
size_t iplused[IPL_LOGMAX+1];
static fr_info_t iplcrc[IPL_LOGMAX+1];
-# ifdef linux
-static struct wait_queue *iplwait[IPL_LOGMAX+1];
-# endif
/*
@@ -229,9 +224,7 @@ mb_t *m;
(defined(OpenBSD) && (OpenBSD >= 199603))
strncpy(ipfl.fl_ifname, ifp->if_xname, IFNAMSIZ);
# else
-# ifndef linux
ipfl.fl_unit = (u_char)ifp->if_unit;
-# endif
if ((ipfl.fl_ifname[0] = ifp->if_name[0]))
if ((ipfl.fl_ifname[1] = ifp->if_name[1]))
if ((ipfl.fl_ifname[2] = ifp->if_name[2]))
@@ -337,7 +330,7 @@ int *types, cnt;
ipl->ipl_count = 1;
ipl->ipl_next = NULL;
ipl->ipl_dsize = len;
-# if SOLARIS || defined(sun) || defined(linux)
+# if SOLARIS || defined(sun)
uniqtime((struct timeval *)&ipl->ipl_sec);
# else
# if BSD >= 199306 || defined(__FreeBSD__) || defined(__sgi)
@@ -370,11 +363,7 @@ int *types, cnt;
mutex_exit(&ipl_mutex);
# else
MUTEX_EXIT(&ipl_mutex);
-# ifdef linux
- wake_up_interruptible(&iplwait[dev]);
-# else
wakeup(&iplh[dev]);
-# endif
# endif
return 1;
}
@@ -399,8 +388,7 @@ struct uio *uio;
return ENXIO;
if (!uio->uio_resid)
return 0;
- if ((uio->uio_resid < sizeof(iplog_t)) ||
- (uio->uio_resid > IPLLOGSIZE))
+ if (uio->uio_resid < sizeof(iplog_t))
return EINVAL;
/*
@@ -417,19 +405,13 @@ struct uio *uio;
return EINTR;
}
# else
-# ifdef linux
- interruptible_sleep_on(&iplwait[unit]);
- if (current->signal & ~current->blocked)
- return -EINTR;
-# else
MUTEX_EXIT(&ipl_mutex);
- SPL_X(s);
error = SLEEP(&iplh[unit], "ipl sleep");
- if (error)
+ if (error) {
+ SPL_X(s);
return error;
- SPL_NET(s);
+ }
MUTEX_ENTER(&ipl_mutex);
-# endif /* linux */
# endif /* SOLARIS */
}
@@ -447,10 +429,8 @@ struct uio *uio;
iplt[unit] = ipl->ipl_next;
iplused[unit] -= dlen;
MUTEX_EXIT(&ipl_mutex);
- SPL_X(s);
error = UIOMOVE((caddr_t)ipl, dlen, UIO_READ, uio);
if (error) {
- SPL_NET(s);
MUTEX_ENTER(&ipl_mutex);
ipl->ipl_next = iplt[unit];
iplt[unit] = ipl;
@@ -458,7 +438,6 @@ struct uio *uio;
break;
}
KFREES((caddr_t)ipl, dlen);
- SPL_NET(s);
MUTEX_ENTER(&ipl_mutex);
}
if (!iplt[unit]) {
@@ -469,13 +448,7 @@ struct uio *uio;
MUTEX_EXIT(&ipl_mutex);
SPL_X(s);
-# ifdef linux
- if (!error)
- return (int)copied;
- return -error;
-# else
return error;
-# endif
}
diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c
index e7e121a..eb6e133 100644
--- a/contrib/ipfilter/ip_nat.c
+++ b/contrib/ipfilter/ip_nat.c
@@ -1,17 +1,10 @@
/*
- * Copyright (C) 1995-2000 by Darren Reed.
+ * Copyright (C) 1995-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* Added redirect stuff and a LOT of bug fixes. (mcn@EnGarde.com)
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.32 2001/01/10 06:19:11 darrenr Exp $";
-#endif
-
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
#define _KERNEL
#endif
@@ -91,6 +84,7 @@ extern struct ifnet vpnif;
#ifndef linux
# include <netinet/ip_var.h>
+# include <netinet/tcp_fsm.h>
#endif
#include <netinet/tcp.h>
#include <netinet/udp.h>
@@ -111,6 +105,11 @@ extern struct ifnet vpnif;
#undef SOCKADDR_IN
#define SOCKADDR_IN struct sockaddr_in
+#if !defined(lint)
+static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed";
+static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.44 2001/07/21 07:17:22 darrenr Exp $";
+#endif
+
nat_t **nat_table[2] = { NULL, NULL },
*nat_instances = NULL;
ipnat_t *nat_list = NULL;
@@ -301,7 +300,8 @@ struct hostmap *hm;
}
-void fix_outcksum(sp, n)
+void fix_outcksum(fin, sp, n)
+fr_info_t *fin;
u_short *sp;
u_32_t n;
{
@@ -310,12 +310,13 @@ u_32_t n;
if (!n)
return;
-#if SOLARIS2 >= 6
else if (n & NAT_HW_CKSUM) {
+ n &= 0xffff;
+ n += fin->fin_dlen;
+ n = (n & 0xffff) + (n >> 16);
*sp = n & 0xffff;
return;
}
-#endif
sum1 = (~ntohs(*sp)) & 0xffff;
sum1 += (n);
sum1 = (sum1 >> 16) + (sum1 & 0xffff);
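Review bot: With the `#if SOLARIS2 >= 6` guard removed, the `n & NAT_HW_CKSUM` branch is built on every platform; it overwrites `*sp` rather than adjusting it and dereferences the new `fin` argument. Neither precondition is written down: `fin` must be non-NULL with a valid `fin_dlen`, and no caller may pass a delta that has the NAT_HW_CKSUM bit set by ordinary arithmetic. A comment above the function stating both would do, and the same applies to fix_incksum in the next hunk. The value of NAT_HW_CKSUM is not visible here, so whether a normal delta can reach that bit should be confirmed.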
@@ -326,7 +327,8 @@ u_32_t n;
}
-void fix_incksum(sp, n)
+void fix_incksum(fin, sp, n)
+fr_info_t *fin;
u_short *sp;
u_32_t n;
{
@@ -335,12 +337,13 @@ u_32_t n;
if (!n)
return;
-#if SOLARIS2 >= 6
else if (n & NAT_HW_CKSUM) {
+ n &= 0xffff;
+ n += fin->fin_dlen;
+ n = (n & 0xffff) + (n >> 16);
*sp = n & 0xffff;
return;
}
-#endif
#ifdef sparc
sum1 = (~(*sp)) & 0xffff;
#else
@@ -625,9 +628,11 @@ int mode;
nat_stats.ns_table[0] = nat_table[0];
nat_stats.ns_table[1] = nat_table[1];
nat_stats.ns_list = nat_list;
+ nat_stats.ns_maptable = maptable;
nat_stats.ns_nattab_sz = ipf_nattable_sz;
nat_stats.ns_rultab_sz = ipf_natrules_sz;
nat_stats.ns_rdrtab_sz = ipf_rdrrules_sz;
+ nat_stats.ns_hostmap_sz = ipf_hostmap_sz;
nat_stats.ns_instances = nat_instances;
nat_stats.ns_apslist = ap_sess_list;
error = IWCOPYPTR((char *)&nat_stats, (char *)data,
@@ -1395,14 +1400,14 @@ int direction;
CALC_SUMD(sum1, sum2, sumd);
nat->nat_sumd[0] = (sumd & 0xffff) + (sumd >> 16);
#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
- if ((flags == IPN_TCP) && dohwcksum &&
+ if ((flags & IPN_TCPUDP) && dohwcksum &&
(qf->qf_ill->ill_ick.ick_magic == ICK_M_CTL_MAGIC)) {
if (direction == NAT_OUTBOUND)
sum1 = LONG_SUM(ntohl(in.s_addr));
else
sum1 = LONG_SUM(ntohl(ip->ip_src.s_addr));
sum1 += LONG_SUM(ntohl(ip->ip_dst.s_addr));
- sum1 += 30;
+ sum1 += IPPROTO_TCP;
sum1 = (sum1 & 0xffff) + (sum1 >> 16);
nat->nat_sumd[1] = NAT_HW_CKSUM|(sum1 & 0xffff);
} else
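Review bot: The test was widened from `flags == IPN_TCP` to `flags & IPN_TCPUDP`, so UDP sessions now take this path, but the pseudo-header sum still adds `IPPROTO_TCP`. For a UDP flow the protocol term would then be wrong, and the partial checksum stored in `nat_sumd[1]` would not match the packet. `sum1 += ip->ip_p;` would follow the packet's own protocol. This is inferred from the visible lines only; the rest of the function is outside the hunk.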
@@ -1463,8 +1468,8 @@ badnat:
void nat_insert(nat)
nat_t *nat;
{
+ u_int hv1, hv2;
nat_t **natp;
- u_int hv;
MUTEX_INIT(&nat->nat_lock, "nat entry lock", NULL);
@@ -1477,18 +1482,30 @@ nat_t *nat;
nat->nat_next = nat_instances;
nat_instances = nat;
- hv = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
- ipf_nattable_sz);
- natp = &nat_table[0][hv];
+ if (!(nat->nat_flags & (FI_W_SPORT|FI_W_DPORT))) {
+ hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, nat->nat_inport,
+ 0xffffffff);
+ hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1 + nat->nat_oport,
+ ipf_nattable_sz);
+ hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
+ 0xffffffff);
+ hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport,
+ ipf_nattable_sz);
+ } else {
+ hv1 = NAT_HASH_FN(nat->nat_inip.s_addr, 0, 0xffffffff);
+ hv1 = NAT_HASH_FN(nat->nat_oip.s_addr, hv1, ipf_nattable_sz);
+ hv2 = NAT_HASH_FN(nat->nat_outip.s_addr, 0, 0xffffffff);
+ hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2, ipf_nattable_sz);
+ }
+
+ natp = &nat_table[0][hv1];
if (*natp)
(*natp)->nat_phnext[0] = &nat->nat_hnext[0];
nat->nat_phnext[0] = natp;
nat->nat_hnext[0] = *natp;
*natp = nat;
- hv = NAT_HASH_FN(nat->nat_outip.s_addr, nat->nat_outport,
- ipf_nattable_sz);
- natp = &nat_table[1][hv];
+ natp = &nat_table[1][hv2];
if (*natp)
(*natp)->nat_phnext[1] = &nat->nat_hnext[1];
nat->nat_phnext[1] = natp;
@@ -1604,7 +1621,7 @@ int dir;
ip_t *oip;
int flags = 0;
- if ((fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK))
+ if ((fin->fin_fl & FI_SHORT) || (fin->fin_off != 0))
return NULL;
/*
* nat_icmplookup() will return NULL for `defective' packets.
@@ -1878,13 +1895,14 @@ int dir;
sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
if (nat->nat_dir == NAT_OUTBOUND) {
- fix_outcksum(&icmp->icmp_cksum, sumd2);
+ fix_outcksum(fin, &icmp->icmp_cksum, sumd2);
} else {
- fix_incksum(&icmp->icmp_cksum, sumd2);
+ fix_incksum(fin, &icmp->icmp_cksum, sumd2);
}
}
}
- nat->nat_age = fr_defnaticmpage;
+ if (oip->ip_p == IPPROTO_ICMP)
+ nat->nat_age = fr_defnaticmpage;
return nat;
}
@@ -1917,7 +1935,8 @@ int rw;
sport = ports & 0xffff;
flags &= IPN_TCPUDP;
- hv = NAT_HASH_FN(dst, dport, ipf_nattable_sz);
+ hv = NAT_HASH_FN(dst, dport, 0xffffffff);
+ hv = NAT_HASH_FN(src.s_addr, hv + sport, ipf_nattable_sz);
nat = nat_table[1][hv];
for (; nat; nat = nat->nat_hnext[1]) {
nflags = nat->nat_flags;
@@ -1935,7 +1954,8 @@ int rw;
if (!rw) {
RWLOCK_EXIT(&ipf_nat);
}
- hv = NAT_HASH_FN(dst, 0, ipf_nattable_sz);
+ hv = NAT_HASH_FN(dst, 0, 0xffffffff);
+ hv = NAT_HASH_FN(src.s_addr, hv, ipf_nattable_sz);
if (!rw) {
WRITE_ENTER(&ipf_nat);
}
@@ -1999,7 +2019,8 @@ u_32_t ports;
/*
* Add into the NAT table in the new position
*/
- hv = NAT_HASH_FN(nat->nat_inip.s_addr, sport, ipf_nattable_sz);
+ hv = NAT_HASH_FN(nat->nat_inip.s_addr, sport, 0xffffffff);
+ hv = NAT_HASH_FN(nat->nat_oip.s_addr, hv + dport, ipf_nattable_sz);
natp = &nat_table[0][hv];
if (*natp)
(*natp)->nat_phnext[0] = &nat->nat_hnext[0];
@@ -2007,7 +2028,8 @@ u_32_t ports;
nat->nat_hnext[0] = *natp;
*natp = nat;
- hv = NAT_HASH_FN(nat->nat_outip.s_addr, sport, ipf_nattable_sz);
+ hv = NAT_HASH_FN(nat->nat_outip.s_addr, sport, 0xffffffff);
+ hv = NAT_HASH_FN(nat->nat_oip.s_addr, hv + dport, ipf_nattable_sz);
natp = &nat_table[1][hv];
if (*natp)
(*natp)->nat_phnext[1] = &nat->nat_hnext[1];
@@ -2041,7 +2063,8 @@ int rw;
flags &= IPN_TCPUDP;
srcip = src.s_addr;
- hv = NAT_HASH_FN(srcip, sport, ipf_nattable_sz);
+ hv = NAT_HASH_FN(srcip, sport, 0xffffffff);
+ hv = NAT_HASH_FN(dst.s_addr, hv + dport, ipf_nattable_sz);
nat = nat_table[0][hv];
for (; nat; nat = nat->nat_hnext[0]) {
nflags = nat->nat_flags;
@@ -2061,6 +2084,7 @@ int rw;
RWLOCK_EXIT(&ipf_nat);
}
hv = NAT_HASH_FN(srcip, 0, ipf_nattable_sz);
+ hv = NAT_HASH_FN(dst.s_addr, hv, ipf_nattable_sz);
if (!rw) {
WRITE_ENTER(&ipf_nat);
}
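Review bot: In this wildcard path the first step is still `NAT_HASH_FN(srcip, 0, ipf_nattable_sz)`. nat_insert and the matching wildcard path of the inbound lookup reduce the first step with `0xffffffff` and apply `ipf_nattable_sz` only on the second call. Unless NAT_HASH_FN makes the two forms equivalent, the bucket computed here can differ from the one nat_insert chose, and wildcard entries would not be found. Change the context line above the added one to `hv = NAT_HASH_FN(srcip, 0, 0xffffffff);`. The macro definition is not part of this hunk.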
@@ -2145,8 +2169,8 @@ ip_t *ip;
}
ft = &np->in_tuc;
- if (!(fin->fin_fi.fi_fl & FI_TCPUDP) ||
- (fin->fin_fi.fi_fl & FI_SHORT) || (ip->ip_off & IP_OFFMASK)) {
+ if (!(fin->fin_fl & FI_TCPUDP) ||
+ (fin->fin_fl & FI_SHORT) || (fin->fin_off != 0)) {
if (ft->ftu_scmp || ft->ftu_dcmp)
return 0;
return 1;
@@ -2168,13 +2192,12 @@ fr_info_t *fin;
register u_32_t ipa;
tcphdr_t *tcp = NULL;
u_short sport = 0, dport = 0, *csump = NULL;
+ int natadd = 1, i, icmpset = 1;
+ u_int nflags = 0, hv, msk;
struct ifnet *ifp;
- int natadd = 1;
frentry_t *fr;
- u_int nflags = 0, hv, msk;
u_32_t iph;
nat_t *nat;
- int i;
if (nat_list == NULL || (fr_nat_lock))
return 0;
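Review bot: `icmpset` is initialised to 1 in this declaration, while the parallel declaration in the inbound function later in this file uses `icmpset = 0`. Starting from 1, the later `if (!icmpset)` test in this function can never be true, so `nat->nat_age = fr_defnaticmpage;` is never applied on that path, even when nat_icmp did not supply the entry. Initialise it to zero: `int natadd = 1, i, icmpset = 0;`. The function body continues outside the hunk.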
@@ -2185,7 +2208,7 @@ fr_info_t *fin;
else
ifp = fin->fin_ifp;
- if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
+ if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) {
if (ip->ip_p == IPPROTO_TCP)
nflags = IPN_TCP;
else if (ip->ip_p == IPPROTO_UDP)
@@ -2203,8 +2226,8 @@ fr_info_t *fin;
if ((ip->ip_p == IPPROTO_ICMP) &&
(nat = nat_icmp(ip, fin, &nflags, NAT_OUTBOUND)))
- ;
- else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
+ icmpset = 1;
+ else if ((fin->fin_fl & FI_FRAG) &&
(nat = ipfr_nat_knownfrag(ip, fin)))
natadd = 0;
else if ((nat = nat_outlookup(ifp, nflags, (u_int)ip->ip_p,
@@ -2238,8 +2261,7 @@ maskloop:
hv = NAT_HASH_FN(iph, 0, ipf_natrules_sz);
for (np = nat_rules[hv]; np; np = np->in_mnext)
{
- if ((np->in_ifp && (np->in_ifp != ifp)) ||
- !np->in_space)
+ if (np->in_ifp && (np->in_ifp != ifp))
continue;
if ((np->in_flags & IPN_RF) &&
!(np->in_flags & nflags))
@@ -2283,7 +2305,7 @@ maskloop:
*/
if (nat) {
np = nat->nat_ptr;
- if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
+ if (natadd && (fin->fin_fl & FI_FRAG) && np)
ipfr_nat_newfrag(ip, fin, 0, nat);
MUTEX_ENTER(&nat->nat_lock);
nat->nat_age = fr_defnatage;
@@ -2303,22 +2325,21 @@ maskloop:
CALC_SUMD(s1, s2, sumd);
if (nat->nat_dir == NAT_OUTBOUND)
- fix_incksum(&ip->ip_sum, sumd);
+ fix_incksum(fin, &ip->ip_sum, sumd);
else
- fix_outcksum(&ip->ip_sum, sumd);
+ fix_outcksum(fin, &ip->ip_sum, sumd);
}
#if SOLARIS || defined(__sgi)
else {
if (nat->nat_dir == NAT_OUTBOUND)
- fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
+ fix_outcksum(fin, &ip->ip_sum, nat->nat_ipsumd);
else
- fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
+ fix_incksum(fin, &ip->ip_sum, nat->nat_ipsumd);
}
#endif
ip->ip_src = nat->nat_outip;
- if (!(ip->ip_off & IP_OFFMASK) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
+ if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) {
if ((nat->nat_outport != 0) && (nflags & IPN_TCPUDP)) {
tcp->th_sport = nat->nat_outport;
@@ -2351,14 +2372,15 @@ maskloop:
if (udp->uh_sum)
csump = &udp->uh_sum;
} else if (ip->ip_p == IPPROTO_ICMP) {
- nat->nat_age = fr_defnaticmpage;
+ if (!icmpset)
+ nat->nat_age = fr_defnaticmpage;
}
if (csump) {
if (nat->nat_dir == NAT_OUTBOUND)
- fix_outcksum(csump, nat->nat_sumd[1]);
+ fix_outcksum(fin, csump, nat->nat_sumd[1]);
else
- fix_incksum(csump, nat->nat_sumd[1]);
+ fix_incksum(fin, csump, nat->nat_sumd[1]);
}
}
@@ -2389,18 +2411,18 @@ fr_info_t *fin;
register struct in_addr src;
register struct in_addr in;
register ipnat_t *np;
+ u_short sport = 0, dport = 0, *csump = NULL;
u_int nflags = 0, natadd = 1, hv, msk;
struct ifnet *ifp = fin->fin_ifp;
tcphdr_t *tcp = NULL;
- u_short sport = 0, dport = 0, *csump = NULL;
+ int i, icmpset = 0;
nat_t *nat;
u_32_t iph;
- int i;
if ((nat_list == NULL) || (ip->ip_v != 4) || (fr_nat_lock))
return 0;
- if (!(ip->ip_off & IP_OFFMASK) && !(fin->fin_fi.fi_fl & FI_SHORT)) {
+ if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) {
if (ip->ip_p == IPPROTO_TCP)
nflags = IPN_TCP;
else if (ip->ip_p == IPPROTO_UDP)
@@ -2420,8 +2442,8 @@ fr_info_t *fin;
if ((ip->ip_p == IPPROTO_ICMP) &&
(nat = nat_icmp(ip, fin, &nflags, NAT_INBOUND)))
- ;
- else if ((ip->ip_off & (IP_OFFMASK|IP_MF)) &&
+ icmpset = 1;
+ else if ((fin->fin_fl & FI_FRAG) &&
(nat = ipfr_nat_knownfrag(ip, fin)))
natadd = 0;
else if ((nat = nat_inlookup(fin->fin_ifp, nflags, (u_int)ip->ip_p,
@@ -2488,7 +2510,7 @@ maskloop:
if (nat) {
np = nat->nat_ptr;
fin->fin_fr = nat->nat_fr;
- if (natadd && fin->fin_fi.fi_fl & FI_FRAG)
+ if (natadd && (fin->fin_fl & FI_FRAG) && np)
ipfr_nat_newfrag(ip, fin, 0, nat);
if ((np->in_apr != NULL) && (np->in_dport == 0 ||
(tcp != NULL && sport == np->in_dport))) {
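Review bot: The added `&& np` concedes that `nat->nat_ptr` can be NULL, yet the next statement in this hunk reads `np->in_apr` without the same test. If an entry can reach this point with no rule attached, that is a NULL dereference in the packet path. Guard it as `if ((np != NULL) && (np->in_apr != NULL) && ...`, or drop the new test if np is guaranteed non-NULL here. The function body continues outside the hunk.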
@@ -2515,12 +2537,11 @@ maskloop:
*/
#if SOLARIS || defined(__sgi)
if (nat->nat_dir == NAT_OUTBOUND)
- fix_incksum(&ip->ip_sum, nat->nat_ipsumd);
+ fix_incksum(fin, &ip->ip_sum, nat->nat_ipsumd);
else
- fix_outcksum(&ip->ip_sum, nat->nat_ipsumd);
+ fix_outcksum(fin, &ip->ip_sum, nat->nat_ipsumd);
#endif
- if (!(ip->ip_off & IP_OFFMASK) &&
- !(fin->fin_fi.fi_fl & FI_SHORT)) {
+ if ((fin->fin_off == 0) && !(fin->fin_fl & FI_SHORT)) {
if ((nat->nat_inport != 0) && (nflags & IPN_TCPUDP)) {
tcp->th_dport = nat->nat_inport;
@@ -2553,14 +2574,15 @@ maskloop:
if (udp->uh_sum)
csump = &udp->uh_sum;
} else if (ip->ip_p == IPPROTO_ICMP) {
- nat->nat_age = fr_defnaticmpage;
+ if (!icmpset)
+ nat->nat_age = fr_defnaticmpage;
}
if (csump) {
if (nat->nat_dir == NAT_OUTBOUND)
- fix_incksum(csump, nat->nat_sumd[0]);
+ fix_incksum(fin, csump, nat->nat_sumd[0]);
else
- fix_outcksum(csump, nat->nat_sumd[0]);
+ fix_outcksum(fin, csump, nat->nat_sumd[0]);
}
}
ATOMIC_INCL(nat_stats.ns_mapped[0]);
diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h
index 22f8503..f712dfc 100644
--- a/contrib/ipfilter/ip_nat.h
+++ b/contrib/ipfilter/ip_nat.h
@@ -1,12 +1,10 @@
/*
- * Copyright (C) 1995-2000 by Darren Reed.
+ * Copyright (C) 1995-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_nat.h 1.5 2/4/96
- * $Id: ip_nat.h,v 2.17.2.14 2000/11/18 03:58:04 darrenr Exp $
+ * $Id: ip_nat.h,v 2.17.2.20 2001/06/26 10:43:15 darrenr Exp $
*/
#ifndef __IP_NAT_H__
@@ -35,10 +33,18 @@
* appropriate sizes. The figures below were used for
* a setup with 1000-2000 networks to NAT.
*/
-#define NAT_SIZE 127
-#define RDR_SIZE 127
-#define HOSTMAP_SIZE 127
-#define NAT_TABLE_SZ 127
+#ifndef NAT_SIZE
+# define NAT_SIZE 127
+#endif
+#ifndef RDR_SIZE
+# define RDR_SIZE 127
+#endif
+#ifndef HOSTMAP_SIZE
+# define HOSTMAP_SIZE 127
+#endif
+#ifndef NAT_TABLE_SZ
+# define NAT_TABLE_SZ 127
+#endif
#ifdef LARGE_NAT
#undef NAT_SIZE
#undef RDR_SIZE
@@ -201,11 +207,13 @@ typedef struct natstat {
u_long ns_memfail;
u_long ns_badnat;
nat_t **ns_table[2];
+ hostmap_t **ns_maptable;
ipnat_t *ns_list;
void *ns_apslist;
u_int ns_nattab_sz;
u_int ns_rultab_sz;
u_int ns_rdrtab_sz;
+ u_int ns_hostmap_sz;
nat_t *ns_instances;
u_int ns_wilds;
} natstat_t;
@@ -220,12 +228,13 @@ typedef struct natstat {
#define IPN_AUTOPORTMAP 0x010
#define IPN_IPRANGE 0x020
#define IPN_USERFLAGS (IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|IPN_SPLIT|\
- IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST)
+ IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST|IPN_FRAG)
#define IPN_FILTER 0x040
#define IPN_SPLIT 0x080
#define IPN_ROUNDR 0x100
#define IPN_NOTSRC 0x080000
#define IPN_NOTDST 0x100000
+#define IPN_FRAG 0x200000
typedef struct natlog {
@@ -300,8 +309,8 @@ extern int ip_natout __P((ip_t *, fr_info_t *));
extern int ip_natin __P((ip_t *, fr_info_t *));
extern void ip_natunload __P((void)), ip_natexpire __P((void));
extern void nat_log __P((struct nat *, u_int));
-extern void fix_incksum __P((u_short *, u_32_t));
-extern void fix_outcksum __P((u_short *, u_32_t));
+extern void fix_incksum __P((fr_info_t *, u_short *, u_32_t));
+extern void fix_outcksum __P((fr_info_t *, u_short *, u_32_t));
extern void fix_datacksum __P((u_short *, u_32_t));
#endif /* __IP_NAT_H__ */
diff --git a/contrib/ipfilter/ip_proxy.c b/contrib/ipfilter/ip_proxy.c
index e1e55f1..325f362 100644
--- a/contrib/ipfilter/ip_proxy.c
+++ b/contrib/ipfilter/ip_proxy.c
@@ -1,14 +1,8 @@
/*
- * Copyright (C) 1997-2000 by Darren Reed.
+ * Copyright (C) 1997-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.1 2000/05/06 12:30:50 darrenr Exp $";
-#endif
-
#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
#endif
@@ -78,6 +72,10 @@ static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.1 2000/05/06 12:30:50 d
# include <sys/malloc.h>
#endif
+#if !defined(lint)
+static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.6 2001/07/15 22:06:15 darrenr Exp $";
+#endif
+
#ifndef MIN
#define MIN(a,b) (((a)<(b))?(a):(b))
@@ -216,9 +214,13 @@ ip_t *ip;
fr_info_t *fin;
nat_t *nat;
{
+#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
+ mb_t *m = fin->fin_qfm;
+ int dosum = 1;
+#endif
+ tcphdr_t *tcp = NULL;
ap_session_t *aps;
aproxy_t *apr;
- tcphdr_t *tcp = NULL;
u_32_t sum;
short rv;
int err;
@@ -234,8 +236,13 @@ nat_t *nat;
* verify that the checksum is correct. If not, then
* don't do anything with this packet.
*/
-#if SOLARIS && defined(_KERNEL)
- sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
+#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
+ if (dohwcksum && (m->b_ick_flag == ICK_VALID)) {
+ sum = tcp->th_sum;
+ dosum = 0;
+ }
+ if (dosum)
+ sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
#else
sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
#endif
@@ -261,8 +268,9 @@ nat_t *nat;
if (tcp != NULL) {
err = appr_fixseqack(fin, ip, aps, APR_INC(err));
-#if SOLARIS && defined(_KERNEL)
- tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
+#if SOLARIS && defined(_KERNEL) && (SOLARIS2 >= 6)
+ if (dosum)
+ tcp->th_sum = fr_tcpsum(fin->fin_qfm, ip, tcp);
#else
tcp->th_sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
#endif
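Review bot: With dosum cleared, `tcp->th_sum` is left as received even though this branch runs after the proxy and appr_fixseqack() may have modified the segment. Unless the Solaris outbound path recomputes the TCP checksum for such packets, which this hunk does not show, a rewritten segment would leave with a stale checksum. If that is guaranteed elsewhere, a comment next to `if (dosum)` should say so, for example `/* hardware checksum offload recomputes th_sum on output */`. Otherwise the recomputation should not be skipped once the packet has been altered. The function body begins outside the hunk.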
diff --git a/contrib/ipfilter/ip_proxy.h b/contrib/ipfilter/ip_proxy.h
index 212900f..b8c8eb0 100644
--- a/contrib/ipfilter/ip_proxy.h
+++ b/contrib/ipfilter/ip_proxy.h
@@ -1,11 +1,9 @@
/*
- * Copyright (C) 1997-2000 by Darren Reed.
+ * Copyright (C) 1997-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
- * $Id: ip_proxy.h,v 2.8.2.4 2000/12/02 00:15:03 darrenr Exp $
+ * $Id: ip_proxy.h,v 2.8.2.7 2001/06/26 10:43:16 darrenr Exp $
*/
#ifndef __IP_PROXY_H__
@@ -102,7 +100,8 @@ typedef struct ftpside {
} ftpside_t;
typedef struct ftpinfo {
- u_int ftp_passok;
+ int ftp_passok;
+ int ftp_incok;
ftpside_t ftp_side[2];
} ftpinfo_t;
diff --git a/contrib/ipfilter/ip_raudio_pxy.c b/contrib/ipfilter/ip_raudio_pxy.c
index 9ea437c..476e159 100644
--- a/contrib/ipfilter/ip_raudio_pxy.c
+++ b/contrib/ipfilter/ip_raudio_pxy.c
@@ -1,5 +1,5 @@
/*
- * $Id: ip_raudio_pxy.c,v 1.7.2.3 2000/10/27 22:54:04 darrenr Exp $
+ * $Id: ip_raudio_pxy.c,v 1.7.2.6 2001/07/23 04:17:56 darrenr Exp $
*/
#if SOLARIS && defined(_KERNEL)
extern kmutex_t ipf_rw;
@@ -62,8 +62,8 @@ nat_t *nat;
raudio_t *rap = aps->aps_data;
unsigned char membuf[512 + 1], *s;
u_short id = 0;
- tcphdr_t *tcp;
int off, dlen;
+ tcphdr_t *tcp;
int len = 0;
mb_t *m;
#if SOLARIS
@@ -86,14 +86,16 @@ nat_t *nat;
dlen = msgdsize(m) - off;
if (dlen <= 0)
return 0;
- copyout_mblk(m, off, MIN(sizeof(membuf), dlen), (char *)membuf);
+ dlen = MIN(sizeof(membuf), dlen);
+ copyout_mblk(m, off, dlen, (char *)membuf);
#else
m = *(mb_t **)fin->fin_mp;
dlen = mbufchainlen(m) - off;
if (dlen <= 0)
return 0;
- m_copydata(m, off, MIN(sizeof(membuf), dlen), (char *)membuf);
+ dlen = MIN(sizeof(membuf), dlen);
+ m_copydata(m, off, dlen, (char *)membuf);
#endif
/*
* In all the startup parsing, ensure that we don't go outside
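Review bot: The clamp uses the full `sizeof(membuf)`, so a payload of 513 bytes or more fills the array, including the byte that the `512 + 1` declaration appears to reserve for a terminator. If any of the later parsing treats membuf as a C string it can run past the end of the buffer; `dlen = MIN(sizeof(membuf) - 1, dlen);` keeps the last byte free. The same applies to `clen = MIN(sizeof(membuf), dlen);` in the second function's hunk, where the preceding bzero() only guarantees termination if the copy stops one byte short. Both function bodies continue outside these hunks, so how membuf is parsed afterwards is not visible here.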
@@ -170,8 +172,8 @@ nat_t *nat;
unsigned char membuf[IPF_MAXPORTLEN + 1], *s;
tcphdr_t *tcp, tcph, *tcp2 = &tcph;
raudio_t *rap = aps->aps_data;
+ int off, dlen, slen, clen;
struct in_addr swa, swb;
- int off, dlen, slen;
int a1, a2, a3, a4;
u_short sp, dp;
fr_info_t fi;
@@ -202,13 +204,15 @@ nat_t *nat;
if (dlen <= 0)
return 0;
bzero(membuf, sizeof(membuf));
- copyout_mblk(m, off, MIN(sizeof(membuf), dlen), (char *)membuf);
+ clen = MIN(sizeof(membuf), dlen);
+ copyout_mblk(m, off, clen, (char *)membuf);
#else
dlen = mbufchainlen(m) - off;
if (dlen <= 0)
return 0;
bzero(membuf, sizeof(membuf));
- m_copydata(m, off, MIN(sizeof(membuf), dlen), (char *)membuf);
+ clen = MIN(sizeof(membuf), dlen);
+ m_copydata(m, off, clen, (char *)membuf);
#endif
seq = ntohl(tcp->th_seq);
@@ -217,7 +221,7 @@ nat_t *nat;
* We only care for the first 19 bytes coming back from the server.
*/
if (rap->rap_sseq == 0) {
- s = (u_char *)memstr("PNA", (char *)membuf, 3, dlen);
+ s = (u_char *)memstr("PNA", (char *)membuf, 3, clen);
if (s == NULL)
return 0;
a1 = s - membuf;
@@ -278,6 +282,7 @@ nat_t *nat;
tcp2->th_dport = htons(dp);
fi.fin_data[0] = dp;
fi.fin_data[1] = sp;
+ fi.fin_out = 0;
ipn = nat_new(nat->nat_ptr, ip, &fi,
IPN_UDP | (sp ? 0 : FI_W_SPORT), NAT_OUTBOUND);
if (ipn != NULL) {
@@ -292,6 +297,7 @@ nat_t *nat;
tcp2->th_dport = 0; /* XXX - don't specify remote port */
fi.fin_data[0] = sp;
fi.fin_data[1] = 0;
+ fi.fin_out = 1;
ipn = nat_new(nat->nat_ptr, ip, &fi, IPN_UDP|FI_W_DPORT,
NAT_OUTBOUND);
if (ipn != NULL) {
diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c
index f6373811..26ef65f 100644
--- a/contrib/ipfilter/ip_sfil.c
+++ b/contrib/ipfilter/ip_sfil.c
@@ -1,15 +1,13 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* I hate legaleese, don't you ?
*/
#if !defined(lint)
static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.9 2000/11/12 11:55:17 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.12 2001/07/18 14:57:09 darrenr Exp $";
#endif
#include <sys/types.h>
@@ -197,7 +195,7 @@ int *rp;
return error;
}
if (unit == IPL_LOGAUTH) {
- error = fr_auth_ioctl((caddr_t)data, cmd, NULL, NULL);
+ error = fr_auth_ioctl((caddr_t)data, mode, cmd, NULL, NULL);
RWLOCK_EXIT(&ipf_solaris);
return error;
}
@@ -458,6 +456,7 @@ caddr_t data;
}
fdp = &fp->fr_dif;
+ fdp->fd_mp = NULL;
fp->fr_flags &= ~FR_DUP;
if (*fdp->fd_ifname) {
ill = get_unit(fdp->fd_ifname, (int)fp->fr_v);
@@ -491,6 +490,7 @@ caddr_t data;
}
fdp = &fp->fr_tif;
+ fdp->fd_mp = NULL;
if (*fdp->fd_ifname) {
ill = get_unit(fdp->fd_ifname, (int)fp->fr_v);
if (!ill)
@@ -577,10 +577,6 @@ caddr_t data;
}
if (fg && fg->fg_head)
fg->fg_head->fr_ref--;
- if (unit == IPL_LOGAUTH) {
- error = fr_auth_ioctl(data, req, fp, ftail);
- goto out;
- }
if (f->fr_grhead)
fr_delgroup(f->fr_grhead, fp->fr_flags,
unit, set);
@@ -594,10 +590,6 @@ caddr_t data;
if (f) {
error = EEXIST;
} else {
- if (unit == IPL_LOGAUTH) {
- error = fr_auth_ioctl(data, req, fp, ftail);
- goto out;
- }
KMALLOC(f, frentry_t *);
if (f != NULL) {
if (fg && fg->fg_head)
diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c
index 5d63969..649ad93 100644
--- a/contrib/ipfilter/ip_state.c
+++ b/contrib/ipfilter/ip_state.c
@@ -1,15 +1,8 @@
/*
- * Copyright (C) 1995-2000 by Darren Reed.
+ * Copyright (C) 1995-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.28 2001/01/08 14:04:46 darrenr Exp $";
-#endif
-
#include <sys/errno.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -97,6 +90,11 @@ static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.28 2001/01/08 14:04:46
# endif
#endif
+#if !defined(lint)
+static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed";
+static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.38 2001/07/23 13:49:46 darrenr Exp $";
+#endif
+
#ifndef MIN
# define MIN(a,b) (((a)<(b))?(a):(b))
#endif
@@ -140,7 +138,9 @@ u_long fr_tcpidletimeout = FIVE_DAYS,
fr_tcpclosed = 120,
fr_tcphalfclosed = 2 * 2 * 3600, /* 2 hours */
fr_udptimeout = 240,
- fr_icmptimeout = 120;
+ fr_udpacktimeout = 24,
+ fr_icmptimeout = 120,
+ fr_icmpacktimeout = 12;
int fr_statemax = IPSTATE_MAX,
fr_statesize = IPSTATE_SIZE;
int fr_state_doflush = 0,
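Review bot: The two new timeouts are undocumented and their units are not obvious from the declaration. Going by the neighbouring `fr_tcphalfclosed = 2 * 2 * 3600, /* 2 hours */`, the values look like half-second ticks, so comments such as `/* 12 seconds, applied once a reply has been seen */` on fr_udpacktimeout and `/* 6 seconds, applied once a reply has been seen */` on fr_icmpacktimeout would help. Later hunks apply them when fin_rev is set, which shortens the life of a state entry after return traffic. That is a visible change in firewall behaviour for slow UDP or ICMP responders and deserves a line of explanation next to the tunables.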
@@ -241,6 +241,7 @@ caddr_t data;
if (error)
return EFAULT;
+ WRITE_ENTER(&ipf_state);
for (sp = ips_list; sp; sp = sp->is_next)
if ((sp->is_p == st.is_p) && (sp->is_v == st.is_v) &&
!bcmp((char *)&sp->is_src, (char *)&st.is_src,
@@ -249,7 +250,6 @@ caddr_t data;
sizeof(st.is_dst)) &&
!bcmp((char *)&sp->is_ps, (char *)&st.is_ps,
sizeof(st.is_ps))) {
- WRITE_ENTER(&ipf_state);
#ifdef IPFILTER_LOG
ipstate_log(sp, ISL_REMOVE);
#endif
@@ -257,6 +257,7 @@ caddr_t data;
RWLOCK_EXIT(&ipf_state);
return 0;
}
+ RWLOCK_EXIT(&ipf_state);
return ESRCH;
}
@@ -502,8 +503,7 @@ u_int flags;
u_int pass;
int out;
- if (fr_state_lock || (fin->fin_off & IP_OFFMASK) ||
- (fin->fin_fi.fi_fl & FI_SHORT))
+ if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT))
return NULL;
if (ips_num == fr_statemax) {
ips_stats.iss_max++;
@@ -663,7 +663,7 @@ u_int flags;
is->is_secmsk = 0xffff;
is->is_auth = fin->fin_fi.fi_auth;
is->is_authmsk = 0xffff;
- is->is_flags = fin->fin_fi.fi_fl & FI_CMP;
+ is->is_flags = fin->fin_fl & FI_CMP;
is->is_flags |= FI_CMP << 4;
is->is_flags |= flags & (FI_WILDP|FI_WILDA);
if (flags & (FI_WILDP|FI_WILDA))
@@ -688,7 +688,7 @@ u_int flags;
#endif
RWLOCK_EXIT(&ipf_state);
fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst);
- if (fin->fin_fi.fi_fl & FI_FRAG)
+ if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG))
ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
return is;
}
@@ -717,6 +717,8 @@ tcphdr_t *tcp;
* Find difference between last checked packet and this packet.
*/
source = IP6EQ(fin->fin_fi.fi_src, is->is_src);
+ if (source && (ntohs(is->is_sport) != fin->fin_data[0]))
+ source = 0;
fdata = &is->is_tcp.ts_data[!source];
tdata = &is->is_tcp.ts_data[source];
seq = ntohl(tcp->th_seq);
@@ -809,7 +811,7 @@ tcphdr_t *tcp;
u_short sp, dp;
void *ifp;
- rev = fin->fin_rev = IP6NEQ(is->is_dst, dst);
+ rev = IP6NEQ(is->is_dst, dst);
ifp = fin->fin_ifp;
out = fin->fin_out;
@@ -817,6 +819,12 @@ tcphdr_t *tcp;
flags = is->is_flags;
sp = tcp->th_sport;
dp = tcp->th_dport;
+ if (!rev) {
+ if (!(flags & FI_W_SPORT) && (sp != is->is_sport))
+ rev = 1;
+ else if (!(flags & FI_W_DPORT) && (dp != is->is_dport))
+ rev = 1;
+ }
} else {
flags = is->is_flags & FI_WILDA;
sp = 0;
@@ -871,10 +879,10 @@ tcphdr_t *tcp;
if (tcp == NULL)
flags = is->is_flags & (FI_CMP|(FI_CMP<<4));
- if (((fin->fin_fi.fi_fl & (flags >> 4)) != (flags & FI_CMP)) ||
- ((fin->fin_fi.fi_optmsk & is->is_optmsk) != is->is_opt) ||
- ((fin->fin_fi.fi_secmsk & is->is_secmsk) != is->is_sec) ||
- ((fin->fin_fi.fi_auth & is->is_authmsk) != is->is_auth))
+ if (((fin->fin_fl & (flags >> 4)) != (flags & FI_CMP)) ||
+ (fin->fin_fi.fi_optmsk != is->is_opt) ||
+ (fin->fin_fi.fi_secmsk != is->is_sec) ||
+ (fin->fin_fi.fi_auth != is->is_auth))
return 0;
if ((flags & (FI_W_SPORT|FI_W_DPORT))) {
@@ -924,16 +932,11 @@ tcphdr_t *tcp;
if (ret >= 0) {
is->is_ifp[ret] = ifp;
#ifdef _KERNEL
- strncpy(is->is_ifname[out], IFNAME(fin->fin_ifp),
- sizeof(is->is_ifname[1]));
+ strncpy(is->is_ifname[ret], IFNAME(fin->fin_ifp),
+ sizeof(is->is_ifname[ret]));
#endif
}
-#ifdef _KERNEL
- if (ret >= 0) {
- strncpy(is->is_ifname[out], IFNAME(fin->fin_ifp),
- sizeof(is->is_ifname[1]));
- }
-#endif
+ fin->fin_rev = rev;
return 1;
}
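Review bot: strncpy() with the full `sizeof(is->is_ifname[ret])` leaves the field without a terminating NUL when the interface name is as long as the field. Any later code that prints or compares is_ifname as a C string would then read past it. Either copy one byte less or terminate explicitly after the copy, e.g. `is->is_ifname[ret][sizeof(is->is_ifname[ret]) - 1] = '\0';`. The function begins outside this hunk.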
@@ -1209,8 +1212,7 @@ fr_info_t *fin;
frentry_t *fr;
tcphdr_t *tcp;
- if (fr_state_lock || (fin->fin_off & IP_OFFMASK) ||
- (fin->fin_fi.fi_fl & FI_SHORT))
+ if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT))
return NULL;
is = NULL;
@@ -1254,7 +1256,10 @@ fr_info_t *fin;
if ((is->is_p == pr) && (is->is_v == v) &&
fr_matchsrcdst(is, src, dst, fin, NULL) &&
fr_matchicmpqueryreply(v, is, ic)) {
- is->is_age = fr_icmptimeout;
+ if (fin->fin_rev)
+ is->is_age = fr_icmpacktimeout;
+ else
+ is->is_age = fr_icmptimeout;
break;
}
}
@@ -1302,6 +1307,11 @@ retry_tcpudp:
if (!fr_tcpstate(is, fin, ip, tcp)) {
continue;
}
+ } else if ((pr == IPPROTO_UDP)) {
+ if (fin->fin_rev)
+ is->is_age = fr_udpacktimeout;
+ else
+ is->is_age = fr_udptimeout;
}
break;
}
@@ -1345,7 +1355,7 @@ retry_tcpudp:
fr_delstate(is);
#endif
RWLOCK_EXIT(&ipf_state);
- if (fin->fin_fi.fi_fl & FI_FRAG)
+ if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG))
ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE);
return fr;
}
@@ -1420,7 +1430,8 @@ void fr_stateunload()
ips_stats.iss_inuse = 0;
ips_num = 0;
RWLOCK_EXIT(&ipf_state);
- KFREES(ips_table, fr_statesize * sizeof(ipstate_t *));
+ if (ips_table)
+ KFREES(ips_table, fr_statesize * sizeof(ipstate_t *));
ips_table = NULL;
}
diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h
index 1d1bc00..b940d77 100644
--- a/contrib/ipfilter/ip_state.h
+++ b/contrib/ipfilter/ip_state.h
@@ -1,12 +1,10 @@
/*
- * Copyright (C) 1995-2000 by Darren Reed.
+ * Copyright (C) 1995-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
- * $Id: ip_state.h,v 2.13.2.2 2000/08/23 11:01:31 darrenr Exp $
+ * $Id: ip_state.h,v 2.13.2.4 2001/06/26 10:43:17 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
@@ -17,8 +15,12 @@
# define SIOCDELST _IOW(r, 61, struct ipstate *)
#endif
-#define IPSTATE_SIZE 5737
-#define IPSTATE_MAX 4013 /* Maximum number of states held */
+#ifndef IPSTATE_SIZE
+# define IPSTATE_SIZE 5737
+#endif
+#ifndef IPSTATE_MAX
+# define IPSTATE_MAX 4013 /* Maximum number of states held */
+#endif
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
(((s1) == (d2)) && ((d1) == (s2))))
diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c
index 355c42a..4d25fce 100644
--- a/contrib/ipfilter/ipf.c
+++ b/contrib/ipfilter/ipf.c
@@ -1,12 +1,16 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __FreeBSD__
-# include <osreldate.h>
+# ifndef __FreeBSD_cc_version
+# include <osreldate.h>
+# else
+# if __FreeBSD_cc_version < 430000
+# include <osreldate.h>
+# endif
+# endif
#endif
#include <stdio.h>
#include <unistd.h>
@@ -43,7 +47,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.5 2000/10/25 10:37:11 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.10 2001/07/18 11:34:19 darrenr Exp $";
#endif
#if SOLARIS
@@ -74,13 +78,19 @@ static void closedevice __P((void));
static char *getline __P((char *, size_t, FILE *, int *));
static char *ipfname = IPL_NAME;
static void usage __P((void));
-static void showversion __P((void));
+static int showversion __P((void));
static int get_flags __P((void));
+#if SOLARIS
+# define OPTS "6AdDEf:F:Il:noPrsUvVyzZ"
+#else
+# define OPTS "6AdDEf:F:Il:noPrsvVyzZ"
+#endif
+
static void usage()
{
- fprintf(stderr, "usage: ipf [-6AdDEInoPrsUvVyzZ] %s %s %s\n",
+ fprintf(stderr, "usage: ipf [-%s] %s %s %s\n", OPTS,
"[-l block|pass|nomatch]", "[-F i|o|a|s|S]", "[-f filename]");
exit(1);
}
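Review bot: Reusing OPTS in the usage message prints the raw getopt string, so the user now sees `[-6AdDEf:F:Il:noPrsvVyzZ]` with the colons included. The f, F and l options are also listed a second time by the separate `[-l ...]`, `[-F ...]` and `[-f filename]` arguments that follow. A second macro holding only the flag letters for display, with OPTS kept for getopt(), would leave the help text as readable as before.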
@@ -92,11 +102,9 @@ char *argv[];
{
int c;
- while ((c = getopt(argc, argv, "6AdDEf:F:Il:noPrsUvVyzZ")) != -1) {
+ while ((c = getopt(argc, argv, OPTS)) != -1) {
switch (c)
{
- case '?' :
- usage();
#ifdef USE_INET6
case '6' :
use_inet6 = 1;
@@ -146,10 +154,11 @@ char *argv[];
break;
#endif
case 'v' :
- opts |= OPT_VERBOSE;
+ opts += OPT_VERBOSE;
break;
case 'V' :
- showversion();
+ if (showversion())
+ exit(1);
break;
case 'y' :
frsync();
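Review bot: `opts += OPT_VERBOSE` is arithmetic on what the replaced `|=` suggests is a bit mask. If so, a second -v clears the OPT_VERBOSE bit and carries into the next higher bit, which may belong to an unrelated option. If the intent is a verbosity level, it needs its own counter or a dedicated multi-bit field, plus a comment saying so, e.g. `/* each -v raises the verbosity level */`. Otherwise `opts |= OPT_VERBOSE;` should stay. The value of OPT_VERBOSE and the layout of opts are not visible in this hunk.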
@@ -160,6 +169,9 @@ char *argv[];
case 'Z' :
zerostats();
break;
+ default :
+ usage();
+ break;
}
}
@@ -553,7 +565,7 @@ static void blockunknown()
#endif
-static void showversion()
+static int showversion()
{
struct friostat fio;
struct friostat *fiop=&fio;
@@ -565,13 +577,13 @@ static void showversion()
if ((vfd = open(ipfname, O_RDONLY)) == -1) {
perror("open device");
- return;
+ return 1;
}
if (ioctl(vfd, SIOCGETFS, &fiop)) {
perror("ioctl(SIOCGETFS)");
close(vfd);
- return;
+ return 1;
}
close(vfd);
flags = get_flags();
@@ -610,4 +622,6 @@ static void showversion()
s = "nomatch -> block";
printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un");
printf("Active list: %d\n", fio.f_active);
+
+ return 0;
}
diff --git a/contrib/ipfilter/ipf.h b/contrib/ipfilter/ipf.h
index ee6ae4d..e7a70ca 100644
--- a/contrib/ipfilter/ipf.h
+++ b/contrib/ipfilter/ipf.h
@@ -1,12 +1,10 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipf.h 1.12 6/5/96
- * $Id: ipf.h,v 2.9.2.2 2000/05/06 11:20:20 darrenr Exp $
+ * $Id: ipf.h,v 2.9.2.3 2001/06/26 10:43:18 darrenr Exp $
*/
#ifndef __IPF_H__
diff --git a/contrib/ipfilter/ipfs.c b/contrib/ipfilter/ipfs.c
index d43fc56..baf3d1c 100644
--- a/contrib/ipfilter/ipfs.c
+++ b/contrib/ipfilter/ipfs.c
@@ -1,12 +1,16 @@
/*
- * Copyright (C) 1999 by Darren Reed.
+ * Copyright (C) 1999-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __FreeBSD__
-# include <osreldate.h>
+# ifndef __FreeBSD_cc_version
+# include <osreldate.h>
+# else
+# if __FreeBSD_cc_version < 430000
+# include <osreldate.h>
+# endif
+# endif
#endif
#include <stdio.h>
#include <unistd.h>
@@ -41,7 +45,7 @@
#include "ipf.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.3 2001/01/10 06:20:12 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipfs.c,v 2.6.2.7 2001/06/26 10:43:18 darrenr Exp $";
#endif
#ifndef IPF_SAVEDIR
@@ -532,6 +536,7 @@ char *file;
}
bzero((char *)&ipn, sizeof(ipn));
+ ipnp = &ipn;
/*
* 1. Read all state information in.
@@ -573,7 +578,7 @@ char *file;
}
} else
in = (nat_save_t *)malloc(sizeof(*in));
- bcopy((char *)&ipnp, (char *)in, sizeof(ipn));
+ bcopy((char *)ipnp, (char *)in, sizeof(ipn));
/*
* Check to see if this is the first state entry that will
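Review bot: The corrected `bcopy((char *)ipnp, (char *)in, sizeof(ipn))` still writes through `in` straight after `in = (nat_save_t *)malloc(sizeof(*in));` with no NULL check. A failed allocation therefore becomes a write through a null pointer while restoring saved NAT state. A check for `in == NULL` before the bcopy, leaving through the function's existing error path, would close this. The function body and its error handling lie outside this hunk, so the exact cleanup needed is not visible here.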
diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c
index cbdc599..0cb4623 100644
--- a/contrib/ipfilter/ipft_ef.c
+++ b/contrib/ipfilter/ipft_ef.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
/*
@@ -51,7 +49,7 @@ etherfind -n -t
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
#endif
static int etherf_open __P((char *));
diff --git a/contrib/ipfilter/ipft_hx.c b/contrib/ipfilter/ipft_hx.c
index ccbc3ee..2be1698 100644
--- a/contrib/ipfilter/ipft_hx.c
+++ b/contrib/ipfilter/ipft_hx.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1995-2000 by Darren Reed.
+ * Copyright (C) 1995-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <ctype.h>
@@ -42,7 +40,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_hx.c 1.1 3/9/96 (C) 1996 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_hx.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
#endif
extern int opts;
diff --git a/contrib/ipfilter/ipft_pc.c b/contrib/ipfilter/ipft_pc.c
index 061b7e4..eced91f 100644
--- a/contrib/ipfilter/ipft_pc.c
+++ b/contrib/ipfilter/ipft_pc.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <string.h>
@@ -33,7 +31,7 @@
#include "ipt.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_pc.c,v 2.2.2.2 2001/06/26 10:43:18 darrenr Exp $";
#endif
struct llc {
@@ -46,7 +44,7 @@ struct llc {
* While many of these maybe the same, some do have different header formats
* which make this useful.
*/
-#define DLT_MAX 10
+#define DLT_MAX 14
static struct llc llcs[DLT_MAX+1] = {
{ 0, 0, 0 }, /* DLT_NULL */
@@ -59,7 +57,10 @@ static struct llc llcs[DLT_MAX+1] = {
{ 0, 0, 0 }, /* DLT_ARCNET */
{ 0, 0, 0 }, /* DLT_SLIP */
{ 0, 0, 0 }, /* DLT_PPP */
- { 0, 0, 0 } /* DLT_FDDI */
+ { 0, 0, 0 }, /* DLT_FDDI */
+ { 0, 0, 0 }, /* DLT_ATMRFC1483 */
+ { 0, 0, 0 }, /* DLT_LOOP */
+ { 0, 0, 0 } /* DLT_ENC */
};
static int pcap_open __P((char *));
@@ -114,7 +115,7 @@ char *fname;
swap_hdr(&ph);
}
- if (ph.pc_v_maj != PCAP_VERSION_MAJ || ph.pc_type > DLT_MAX) {
+ if (ph.pc_v_maj != PCAP_VERSION_MAJ || ph.pc_type >= DLT_MAX) {
(void) close(fd);
return -2;
}
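Review bot: The new bound `ph.pc_type >= DLT_MAX` rejects index DLT_MAX although llcs is declared with `DLT_MAX+1` entries, so the constant, the table size and the check no longer agree on whether DLT_MAX is a count or the highest valid index. The check is on the safe side, but a comment on `#define DLT_MAX 14` stating which is meant would stop the next edit from loosening it. pc_type comes from the capture file header. If that field is a signed type, which is not visible here, a negative value would also pass this test, and a lower bound like the `s_type < 0` check in ipft_sn.c would be needed.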
diff --git a/contrib/ipfilter/ipft_sn.c b/contrib/ipfilter/ipft_sn.c
index 573c007..1b5e219 100644
--- a/contrib/ipfilter/ipft_sn.c
+++ b/contrib/ipfilter/ipft_sn.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
/*
@@ -37,7 +35,7 @@
#include "ipt.h"
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_sn.c,v 2.2.2.2 2001/06/26 10:43:18 darrenr Exp $";
#endif
struct llc {
@@ -78,6 +76,7 @@ char *fname;
{
struct snoophdr sh;
int fd;
+ int s_v;
if (sfd != -1)
return sfd;
@@ -90,16 +89,18 @@ char *fname;
if (read(fd, (char *)&sh, sizeof(sh)) != sizeof(sh))
return -2;
- if (sh.s_v != SNOOP_VERSION ||
- sh.s_type < 0 || sh.s_type > SDL_MAX) {
+ s_v = (int)ntohl(sh.s_v);
+ s_type = (int)ntohl(sh.s_type);
+
+ if (s_v != SNOOP_VERSION ||
+ s_type < 0 || s_type > SDL_MAX) {
(void) close(fd);
return -2;
}
sfd = fd;
- s_type = sh.s_type;
printf("opened snoop file %s:\n", fname);
- printf("\tid: %8.8s version: %d type: %d\n", sh.s_id, sh.s_v, s_type);
+ printf("\tid: %8.8s version: %d type: %d\n", sh.s_id, s_v, s_type);
return fd;
}
@@ -118,20 +119,22 @@ static int snoop_close()
static int snoop_read_rec(rec)
struct snooppkt *rec;
{
- int n, p;
+ int n, plen, ilen;
if (read(sfd, (char *)rec, sizeof(*rec)) != sizeof(*rec))
return -2;
- if (rec->sp_ilen > rec->sp_plen || rec->sp_plen < sizeof(*rec))
+ ilen = (int)ntohl(rec->sp_ilen);
+ plen = (int)ntohl(rec->sp_plen);
+ if (ilen > plen || plen < sizeof(*rec))
return -2;
- p = rec->sp_plen - sizeof(*rec);
- n = MIN(p, rec->sp_ilen);
+ plen -= sizeof(*rec);
+ n = MIN(plen, ilen);
if (!n || n < 0)
return -3;
- return p;
+ return plen;
}
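Review bot: `plen < sizeof(*rec)` compares an int with a size_t, so a negative plen (a length field of 0x80000000 or more in the file) is converted to a large unsigned value and passes this sub-test. Such records are then rejected only by `ilen > plen` or by the later `n < 0` check on the MIN() result. Both lengths come from the capture file, so rejecting them explicitly is clearer: `if (ilen < 0 || plen < (int)sizeof(*rec) || ilen > plen) return -2;`. The returned plen has no upper bound here, and whether the caller limits it before reading is not visible in this hunk.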
diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c
index 457591c..5f470ee 100644
--- a/contrib/ipfilter/ipft_td.c
+++ b/contrib/ipfilter/ipft_td.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
/*
@@ -60,7 +58,7 @@ tcpdump -nqte
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2 2000/03/13 22:10:24 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.1 2001/06/26 10:43:18 darrenr Exp $";
#endif
static int tcpd_open __P((char *));
diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c
index 2668976..1e650f5 100644
--- a/contrib/ipfilter/ipft_tx.c
+++ b/contrib/ipfilter/ipft_tx.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1995-2000 by Darren Reed.
+ * Copyright (C) 1995-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <ctype.h>
@@ -43,7 +41,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.1 2001/01/10 06:19:53 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.4 2001/06/26 10:43:18 darrenr Exp $";
#endif
extern int opts;
@@ -223,12 +221,12 @@ int *out;
bzero(ipopts, sizeof(ipopts));
ip->ip_hl = sizeof(*ip) >> 2;
ip->ip_v = IPVERSION;
- for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && i < 19; )
+ for (i = 0, cps[0] = strtok(line, " \b\t\r\n"); cps[i] && (i < 19); )
cps[++i] = strtok(NULL, " \b\t\r\n");
- if (i < 2)
- return 1;
cpp = cps;
+ if (!*cpp)
+ return 1;
c = **cpp;
if (!isalpha(c) || (tolower(c) != 'o' && tolower(c) != 'i')) {
@@ -237,12 +235,16 @@ int *out;
}
*out = (tolower(c) == 'o') ? 1 : 0;
cpp++;
+ if (!*cpp)
+ return 1;
if (!strcasecmp(*cpp, "on")) {
cpp++;
if (!*cpp)
return 1;
*ifn = strdup(*cpp++);
+ if (!*cpp)
+ return 1;
}
c = **cpp;
diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h
index 3529d65..472bcce 100644
--- a/contrib/ipfilter/ipl.h
+++ b/contrib/ipfilter/ipl.h
@@ -1,17 +1,15 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ipl.h 1.21 6/5/96
- * $Id: ipl.h,v 2.15.2.17 2001/01/14 13:47:15 darrenr Exp $
+ * $Id: ipl.h,v 2.15.2.23 2001/07/23 13:52:10 darrenr Exp $
*/
#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter: v3.4.16"
+#define IPL_VERSION "IP Filter: v3.4.20"
#endif
diff --git a/contrib/ipfilter/iplang/iplang.h b/contrib/ipfilter/iplang/iplang.h
index d8986c8..f36a384 100644
--- a/contrib/ipfilter/iplang/iplang.h
+++ b/contrib/ipfilter/iplang/iplang.h
@@ -1,9 +1,7 @@
/*
* Copyright (C) 1997-1998 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
typedef struct iface {
int if_MTU;
diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c
index 9250e24..0ccc947 100644
--- a/contrib/ipfilter/ipmon.c
+++ b/contrib/ipfilter/ipmon.c
@@ -1,15 +1,8 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.8 2001/01/10 06:18:08 darrenr Exp $";
-#endif
-
#ifndef SOLARIS
#define SOLARIS (defined(__SVR4) || defined(__svr4__)) && defined(sun)
#endif
@@ -37,7 +30,9 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.8 2001/01/10 06:18:08 dar
# include <sys/filio.h>
# include <sys/byteorder.h>
#endif
-#include <strings.h>
+#if !defined(__SVR4) && !defined(__GNUC__)
+# include <strings.h>
+#endif
#include <signal.h>
#include <stdlib.h>
#include <stddef.h>
@@ -70,6 +65,11 @@ static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.8 2001/01/10 06:18:08 dar
#include "netinet/ip_nat.h"
#include "netinet/ip_state.h"
+#if !defined(lint)
+static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed";
+static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.13 2001/07/19 12:24:59 darrenr Exp $";
+#endif
+
#if defined(sun) && !defined(SOLARIS2)
#define STRERROR(x) sys_errlist[x]
@@ -121,6 +121,7 @@ static void print_statelog __P((FILE *, char *, int));
static void dumphex __P((FILE *, u_char *, int));
static int read_log __P((int, int *, char *, int));
static void write_pid __P((char *));
+static char *icmpname __P((u_int, u_int));
char *hostname __P((int, int, u_32_t *));
char *portname __P((int, char *, u_int));
@@ -133,7 +134,7 @@ static char *getproto __P((u_int));
static char **protocols = NULL;
static char **udp_ports = NULL;
static char **tcp_ports = NULL;
-
+static char *argv0 = "ipmon";
#define OPT_SYSLOG 0x001
#define OPT_RESOLVE 0x002
@@ -155,7 +156,49 @@ static char **tcp_ports = NULL;
#endif
-void handlehup(sig)
+#define ICMPUNREACHNAMES 14
+static char *icmpunreachnames[ICMPUNREACHNAMES] = {
+ "net",
+ "host",
+ "protocol",
+ "port",
+ "needfrag",
+ "srcfail",
+ "net_unknown",
+ "host_unknown",
+ "isolated",
+ "net_prohib",
+ "host_prohib",
+ "tosnet",
+ "toshost",
+ "admin_prohibit"
+};
+
+#define ICMPTYPES 19
+static char *icmptypes[ICMPTYPES] = {
+ "echoreply",
+ NULL,
+ NULL,
+ "unreach",
+ "sourcequench",
+ "redirect",
+ NULL,
+ NULL,
+ "echo",
+ "routeradvert",
+ "routersolicit",
+ "timxceed",
+ "paramprob",
+ "timestamp",
+ "timestampreply",
+ "inforeq",
+ "inforeply",
+ "maskreq",
+ "maskreply"
+};
+
+
+static void handlehup(sig)
int sig;
{
FILE *fp;
@@ -265,6 +308,8 @@ char *hostname(res, v, ip)
int res, v;
u_32_t *ip;
{
+# define MAX_INETA 16
+ static char hname[MAXHOSTNAMELEN + MAX_INETA + 3];
#ifdef USE_INET6
static char hostbuf[MAXHOSTNAMELEN+1];
#endif
@@ -278,8 +323,8 @@ u_32_t *ip;
hp = gethostbyaddr((char *)ip, sizeof(ip), AF_INET);
if (!hp)
return inet_ntoa(ipa);
- return hp->h_name;
-
+ sprintf(hname, "%.*s[%s]", MAXHOSTNAMELEN, hp->h_name, inet_ntoa(ipa));
+ return hname;
}
#ifdef USE_INET6
(void) inet_ntop(AF_INET6, ip, hostbuf, sizeof(hostbuf) - 1);
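Review bot: The `sprintf` into `hname` stays in bounds only because the `%.*s` precision caps `h_name` at MAXHOSTNAMELEN and `inet_ntoa` yields at most 15 characters; `snprintf(hname, sizeof(hname), "%.*s[%s]", MAXHOSTNAMELEN, hp->h_name, inet_ntoa(ipa));` would state that bound at the call itself. `h_name` comes from a reverse lookup, so it is chosen by whoever controls the PTR record and is copied unfiltered. The returned string is now up to MAXHOSTNAMELEN + 17 characters, and callers such as `sprintf(t, "%s -> ", hostname(res, v, s))` in a later hunk write it with no length limit, so the size of `t` (declared outside the visible hunks) should be rechecked. Separately, the unchanged context line passes `sizeof(ip)`, the size of the `u_32_t *` pointer, as the address length to `gethostbyaddr`; `sizeof(*ip)` looks like what was meant. hostname() starts in the previous hunk and continues past this one.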
@@ -315,6 +360,67 @@ u_int port;
}
+#define TYPECODE(x,y) (((x) << 8) | (y))
+
+static char *icmpname(type, code)
+u_int type;
+u_int code;
+{
+ static char name[80];
+ char codeval[8], *s;
+ u_int typecode;
+
+ sprintf(codeval, "%d", code);
+
+ s = NULL;
+ if (type < ICMPTYPES)
+ s = icmptypes[type];
+ if (s == NULL)
+ sprintf(name, "icmptype(%d)/", type);
+ else
+ sprintf(name, "%s/", s);
+
+ if (type == ICMP_UNREACH) {
+ if (code >= ICMPUNREACHNAMES)
+ sprintf(name + strlen(name), "%d", code);
+ else
+ strcat(name, icmpunreachnames[code]);
+ } else {
+ typecode = (type << 8) | code;
+
+ switch (typecode)
+ {
+ case TYPECODE(ICMP_REDIRECT, ICMP_REDIRECT_NET) :
+ strcat(name, "net");
+ break;
+ case TYPECODE(ICMP_REDIRECT, ICMP_REDIRECT_HOST) :
+ strcat(name, "host");
+ break;
+ case TYPECODE(ICMP_REDIRECT, ICMP_REDIRECT_TOSNET) :
+ strcat(name, "tosnet");
+ break;
+ case TYPECODE(ICMP_REDIRECT, ICMP_REDIRECT_TOSHOST) :
+ strcat(name, "toshost");
+ break;
+ case TYPECODE(ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS) :
+ strcat(name, "intrans");
+ break;
+ case TYPECODE(ICMP_TIMXCEED, ICMP_TIMXCEED_REASS) :
+ strcat(name, "reass");
+ break;
+ case TYPECODE(ICMP_PARAMPROB, ICMP_PARAMPROB_OPTABSENT) :
+ strcat(name, "optabsent");
+ break;
+ default:
+ strcat(name, codeval);
+ break;
+ }
+ }
+
+ return name;
+}
+
+
static void dumphex(log, buf, len)
FILE *log;
u_char *buf;
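Review bot: `codeval[8]` is too small for the `u_int code` that the signature accepts: `sprintf(codeval, "%d", code)` can produce up to 11 characters plus the terminator, and `%d` does not match an unsigned argument. The only caller visible on this page passes values cast from `ic->icmp_type` and `ic->icmp_code`, which would keep the output to three digits if those fields are single bytes, but the helper should not depend on that. `char codeval[12], *s;` with `sprintf(codeval, "%u", code);` (and `%u` in the two other `sprintf` calls) removes the assumption. The `typecode` assignment could also use the `TYPECODE` macro defined just above instead of repeating the shift.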
@@ -739,9 +845,9 @@ int blen;
ic = (struct icmp *)((char *)ip + hl);
(void) sprintf(t, "%s -> ", hostname(res, v, s));
t += strlen(t);
- (void) sprintf(t, "%s PR icmp len %hu %hu icmp %d/%d",
+ (void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
hostname(res, v, d), hl, plen,
- ic->icmp_type, ic->icmp_code);
+ icmpname((u_int) ic->icmp_type, (u_int) ic->icmp_code));
if (ic->icmp_type == ICMP_UNREACH ||
ic->icmp_type == ICMP_SOURCEQUENCH ||
ic->icmp_type == ICMP_PARAMPROB ||
@@ -879,7 +985,7 @@ FILE *log;
if ((fd = open(file, O_RDWR)) == -1) {
(void) fprintf(stderr, "%s: open: %s\n", file,STRERROR(errno));
- exit(-1);
+ exit(1);
}
if (ioctl(fd, SIOCIPFFB, &flushed) == 0) {
@@ -942,7 +1048,7 @@ char *argv[];
int fd[3], doread, n, i;
int tr, nr, regular[3], c;
int fdt[3], devices = 0, make_daemon = 0;
- char buf[512], *iplfile[3], *s;
+ char buf[512], *iplfile[3];
extern int optind;
extern char *optarg;
@@ -952,6 +1058,12 @@ char *argv[];
iplfile[1] = IPNAT_NAME;
iplfile[2] = IPSTATE_NAME;
+ argv0 = strrchr(argv[0], '/');
+ if (argv0 == NULL)
+ argv0 = argv[0];
+ else
+ argv0++;
+
while ((c = getopt(argc, argv, "?abDf:FhnN:o:O:pP:sS:tvxX")) != -1)
switch (c)
{
@@ -1002,14 +1114,9 @@ char *argv[];
pidfile = optarg;
break;
case 's' :
- s = strrchr(argv[0], '/');
- if (s == NULL)
- s = argv[0];
- else
- s++;
- openlog(s, LOG_NDELAY|LOG_PID, LOGFAC);
- s = NULL;
+ openlog(argv0, LOG_NDELAY|LOG_PID, LOGFAC);
opts |= OPT_SYSLOG;
+ log = NULL;
break;
case 'S' :
opts |= OPT_STATE;
@@ -1031,7 +1138,7 @@ char *argv[];
default :
case 'h' :
case '?' :
- usage(argv[0]);
+ usage(argv0);
}
init_tabs();
@@ -1052,13 +1159,14 @@ char *argv[];
(void) fprintf(stderr,
"%s: open: %s\n", iplfile[i],
STRERROR(errno));
- exit(-1);
+ exit(1);
+ /* NOTREACHED */
}
-
if (fstat(fd[i], &sb) == -1) {
(void) fprintf(stderr, "%d: fstat: %s\n",fd[i],
STRERROR(errno));
- exit(-1);
+ exit(1);
+ /* NOTREACHED */
}
if (!(regular[i] = !S_ISCHR(sb.st_mode)))
devices++;
@@ -1069,25 +1177,36 @@ char *argv[];
logfile = argv[optind];
log = logfile ? fopen(logfile, "a") : stdout;
if (log == NULL) {
-
(void) fprintf(stderr, "%s: fopen: %s\n", argv[optind],
STRERROR(errno));
- exit(-1);
+ exit(1);
+ /* NOTREACHED */
}
setvbuf(log, NULL, _IONBF, 0);
} else
log = NULL;
if (make_daemon && ((log != stdout) || (opts & OPT_SYSLOG))) {
- if (fork() > 0)
+#if BSD
+ daemon(0, !(opts & OPT_SYSLOG));
+#else
+ int pid;
+ if ((pid = fork()) > 0)
exit(0);
- write_pid(pidfile);
+ if (pid < 0) {
+ (void) fprintf(stderr, "%s: fork() failed: %s\n", argv0,
+ STRERROR(errno));
+ exit(1);
+ /* NOTREACHED */
+ }
+ setsid();
+ if ((opts & OPT_SYSLOG))
+ close(2);
+#endif /* !BSD */
close(0);
close(1);
- close(2);
- setsid();
- } else
- write_pid(pidfile);
+ }
+ write_pid(pidfile);
signal(SIGHUP, handlehup);
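Review bot: The return value of `daemon()` is ignored in the `#if BSD` branch, while the fork() branch below it does report failure; if `daemon()` fails, ipmon carries on in the foreground and still closes descriptors 0 and 1. Something like `if (daemon(0, !(opts & OPT_SYSLOG)) == -1) { perror("daemon"); exit(1); }` would match the other path. In the syslog case `daemon()` has already pointed 0, 1 and 2 at /dev/null, so the following `close(0); close(1);` frees those numbers again and a later open() can be handed descriptor 0 or 1; leaving them on /dev/null is the safer arrangement. The enclosing main() starts and ends outside this hunk.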
@@ -1100,8 +1219,12 @@ char *argv[];
continue;
if (!regular[i]) {
if (ioctl(fd[i], FIONREAD, &tr) == -1) {
- perror("ioctl(FIONREAD)");
- exit(-1);
+ if (opts & OPT_SYSLOG)
+ syslog(LOG_CRIT, "ioctl(FIONREAD): %m");
+ else
+ perror("ioctl(FIONREAD)");
+ exit(1);
+ /* NOTREACHED */
}
} else {
tr = (lseek(fd[i], 0, SEEK_CUR) < sb.st_size);
@@ -1126,14 +1249,14 @@ char *argv[];
{
case -1 :
if (opts & OPT_SYSLOG)
- syslog(LOG_ERR, "read: %m\n");
+ syslog(LOG_CRIT, "read: %m\n");
else
perror("read");
doread = 0;
break;
case 1 :
if (opts & OPT_SYSLOG)
- syslog(LOG_ERR, "aborting logging\n");
+ syslog(LOG_CRIT, "aborting logging\n");
else
fprintf(log, "aborting logging\n");
doread = 0;
diff --git a/contrib/ipfilter/ipnat.c b/contrib/ipfilter/ipnat.c
index 51af2e1..b8cb37e 100644
--- a/contrib/ipfilter/ipnat.c
+++ b/contrib/ipfilter/ipnat.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* Added redirect stuff and a variety of bug fixes. (mcn@EnGarde.com)
*/
@@ -57,7 +55,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.5 2000/12/02 00:15:04 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipnat.c,v 2.16.2.9 2001/07/18 15:06:33 darrenr Exp $";
#endif
@@ -110,10 +108,10 @@ int main(argc, argv)
int argc;
char *argv[];
{
- char *file = NULL;
int fd = -1, opts = 0, c, mode = O_RDWR;
+ char *file = NULL, *core = NULL;
- while ((c = getopt(argc, argv, "CdFf:hlnrsv")) != -1)
+ while ((c = getopt(argc, argv, "CdFf:hlM:nrsv")) != -1)
switch (c)
{
case 'C' :
@@ -135,6 +133,9 @@ char *argv[];
opts |= OPT_LIST;
mode = O_RDONLY;
break;
+ case 'M' :
+ core = optarg;
+ break;
case 'n' :
opts |= OPT_NODO;
mode = O_RDONLY;
@@ -153,6 +154,13 @@ char *argv[];
usage(argv[0]);
}
+ if (core != NULL) {
+ if (openkmem(core) == -1)
+ exit(1);
+ (void) setgid(getgid());
+ (void) setuid(getuid());
+ }
+
gethostname(thishost, sizeof(thishost));
thishost[sizeof(thishost) - 1] = '\0';
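Review bot: Both privilege-drop calls discard their result with `(void)`, so a failing `setgid()` or `setuid()` leaves the process running with whatever extra privilege it started with, and the drop happens only after `openkmem(core)` has already opened the caller-supplied path. If ipnat is ever installed set-id (not determinable from this hunk; openkmem() is defined elsewhere), the file named by -M is opened with the elevated identity. Dropping first and checking both results closes that gap. main() begins in an earlier hunk and continues past this one.

```c
	if (core != NULL) {
		/* The path is caller-supplied: shed any set-id privilege before opening it. */
		if (setgid(getgid()) != 0 || setuid(getuid()) != 0) {
			perror("setgid/setuid");
			exit(1);
		}
		if (openkmem(core) == -1)
			exit(1);
	}
```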
@@ -292,8 +300,10 @@ ipnat_t *ipnat;
void dostats(fd, opts)
int fd, opts;
{
+ hostmap_t hm, *hmp, **maptable;
natstat_t ns, *nsp = &ns;
nat_t **nt[2], *np, nat;
+ u_int hv, hv1, hv2;
ipnat_t ipn;
bzero((char *)&ns, sizeof(ns));
@@ -353,15 +363,21 @@ int fd, opts;
printf("\n\tage %lu use %hu sumd %s/",
nat.nat_age, nat.nat_use,
getsumd(nat.nat_sumd[0]));
+ hv1 = NAT_HASH_FN(nat.nat_inip.s_addr,
+ nat.nat_inport,
+ 0xffffffff),
+ hv1 = NAT_HASH_FN(nat.nat_oip.s_addr,
+ hv1 + nat.nat_oport,
+ NAT_TABLE_SZ),
+ hv2 = NAT_HASH_FN(nat.nat_outip.s_addr,
+ nat.nat_outport,
+ 0xffffffff),
+ hv2 = NAT_HASH_FN(nat.nat_oip.s_addr,
+ hv2 + nat.nat_oport,
+ NAT_TABLE_SZ),
printf("%s pr %u bkt %d/%d flags %x ",
getsumd(nat.nat_sumd[1]), nat.nat_p,
- (int)NAT_HASH_FN(nat.nat_inip.s_addr,
- nat.nat_inport,
- NAT_TABLE_SZ),
- (int)NAT_HASH_FN(nat.nat_outip.s_addr,
- nat.nat_outport,
- NAT_TABLE_SZ),
- nat.nat_flags);
+ hv1, hv2, nat.nat_flags);
#ifdef USE_QUAD_T
printf("bytes %qu pkts %qu",
(unsigned long long)nat.nat_bytes,
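Review bot: The four `hv1 = …` / `hv2 = …` assignments end in commas rather than semicolons, so together with the `printf` that follows they form one long comma expression. It evaluates in the intended order, but it reads as a typo and breaks as soon as a declaration or an `if` is inserted between them. Ending each assignment with `;` and printing the `u_int` values with `bkt %u/%u` instead of `%d/%d` (the old code cast to `int`) would tidy this up. dostats() starts before this hunk and continues after it.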
@@ -379,6 +395,38 @@ int fd, opts;
printaps(nat.nat_aps, opts);
}
+ if (opts & OPT_VERBOSE) {
+ printf("\nList of active host mappings:\n");
+
+ maptable = (hostmap_t **)malloc(sizeof(hostmap_t *) *
+ ns.ns_hostmap_sz);
+ if (kmemcpy((char *)maptable, (u_long)ns.ns_maptable,
+ sizeof(hostmap_t *) * ns.ns_hostmap_sz)) {
+ perror("kmemcpy (maptable)");
+ return;
+ }
+
+ for (hv = 0; hv < ns.ns_hostmap_sz; hv++) {
+ hmp = maptable[hv];
+
+ while(hmp) {
+
+ if (kmemcpy((char *)&hm, (u_long)hmp,
+ sizeof(hostmap_t))) {
+ perror("kmemcpy (hostmap)");
+ return;
+ }
+
+ printf("%s -> ",
+ inet_ntoa(hm.hm_realip));
+ printf("%s ", inet_ntoa(hm.hm_mapip));
+ printf("(use = %d hv = %u)\n",
+ hm.hm_ref, hv);
+ hmp = hm.hm_next;
+ }
+ }
+ free(maptable);
+ }
free(nt[0]);
}
}
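Review bot: The result of `malloc()` is passed straight to `kmemcpy()` as the destination without a NULL check, with `ns.ns_hostmap_sz` taken as the element count exactly as read from the kernel; add `if (maptable == NULL) { perror("malloc"); return; }` before the copy. Both `return` paths after a failed `kmemcpy()` skip `free(maptable)` and the `free(nt[0])` below. The `while(hmp)` walk follows `hm_next` pointers copied from kernel memory with no iteration cap, so a list that changes underneath the reader could, in principle, keep it looping; an upper bound on iterations would be a cheap safeguard.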
diff --git a/contrib/ipfilter/ipsd/ipsd.c b/contrib/ipfilter/ipsd/ipsd.c
index 4ed6d70..261ad89 100644
--- a/contrib/ipfilter/ipsd/ipsd.c
+++ b/contrib/ipfilter/ipsd/ipsd.c
@@ -1,9 +1,7 @@
/*
* (C)opyright 1995-1998 Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
@@ -37,7 +35,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsd.c 1.3 12/3/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsd.c,v 2.1 1999/08/04 17:30:56 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsd.c,v 2.1.4.1 2001/06/26 10:43:21 darrenr Exp $";
#endif
extern char *optarg;
diff --git a/contrib/ipfilter/ipsd/ipsd.h b/contrib/ipfilter/ipsd/ipsd.h
index 1dbe1c4..a8f58c3 100644
--- a/contrib/ipfilter/ipsd/ipsd.h
+++ b/contrib/ipfilter/ipsd/ipsd.h
@@ -1,9 +1,7 @@
/*
* (C)opyright 1995-1998 Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
diff --git a/contrib/ipfilter/ipsd/ipsdr.c b/contrib/ipfilter/ipsd/ipsdr.c
index 3b95ca0..298f655 100644
--- a/contrib/ipfilter/ipsd/ipsdr.c
+++ b/contrib/ipfilter/ipsd/ipsdr.c
@@ -1,9 +1,7 @@
/*
* (C)opyright 1995-1998 Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
@@ -38,7 +36,7 @@
#ifndef lint
static const char sccsid[] = "@(#)ipsdr.c 1.3 12/3/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsdr.c,v 2.1 1999/08/04 17:30:57 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipsdr.c,v 2.1.4.1 2001/06/26 10:43:21 darrenr Exp $";
#endif
extern char *optarg;
diff --git a/contrib/ipfilter/ipsd/linux.h b/contrib/ipfilter/ipsd/linux.h
index 61f52b3..d9606cb 100644
--- a/contrib/ipfilter/ipsd/linux.h
+++ b/contrib/ipfilter/ipsd/linux.h
@@ -1,9 +1,7 @@
/*
* Copyright (C) 1997-1998 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)linux.h 1.1 8/19/95
*/
diff --git a/contrib/ipfilter/ipsd/sbpf.c b/contrib/ipfilter/ipsd/sbpf.c
index 5d128c4..97bb4ce 100644
--- a/contrib/ipfilter/ipsd/sbpf.c
+++ b/contrib/ipfilter/ipsd/sbpf.c
@@ -1,9 +1,7 @@
/*
* (C)opyright 1995-1998 Darren Reed. (from tcplog)
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
*/
#include <stdio.h>
diff --git a/contrib/ipfilter/ipsd/sdlpi.c b/contrib/ipfilter/ipsd/sdlpi.c
index 9ec7b3f..c08fe69 100644
--- a/contrib/ipfilter/ipsd/sdlpi.c
+++ b/contrib/ipfilter/ipsd/sdlpi.c
@@ -1,9 +1,7 @@
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
*/
diff --git a/contrib/ipfilter/ipsd/slinux.c b/contrib/ipfilter/ipsd/slinux.c
index 5b2734b..2c5aa97d 100644
--- a/contrib/ipfilter/ipsd/slinux.c
+++ b/contrib/ipfilter/ipsd/slinux.c
@@ -1,9 +1,7 @@
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
diff --git a/contrib/ipfilter/ipsd/snit.c b/contrib/ipfilter/ipsd/snit.c
index 3f3aa50..ec7178f 100644
--- a/contrib/ipfilter/ipsd/snit.c
+++ b/contrib/ipfilter/ipsd/snit.c
@@ -1,9 +1,7 @@
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* The author of this software makes no garuntee about the
* performance of this package or its suitability to fulfill any purpose.
diff --git a/contrib/ipfilter/ipsend/arp.c b/contrib/ipfilter/ipsend/arp.c
index e4159fa..898815a 100644
--- a/contrib/ipfilter/ipsend/arp.c
+++ b/contrib/ipfilter/ipsend/arp.c
@@ -1,14 +1,8 @@
/*
* arp.c (C) 1995-1998 Darren Reed
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: arp.c,v 2.1 1999/08/04 17:31:03 darrenr Exp $";
-#endif
#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
@@ -30,6 +24,11 @@ static const char rcsid[] = "@(#)$Id: arp.c,v 2.1 1999/08/04 17:31:03 darrenr Ex
#include "ipsend.h"
#include "iplang/iplang.h"
+#if !defined(lint)
+static const char sccsid[] = "@(#)arp.c 1.4 1/11/96 (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)$Id: arp.c,v 2.1.4.2 2001/07/15 22:00:13 darrenr Exp $";
+#endif
+
/*
* lookup host and return
diff --git a/contrib/ipfilter/ipsend/hpux.c b/contrib/ipfilter/ipsend/hpux.c
index 42078e3..463fdbf 100644
--- a/contrib/ipfilter/ipsend/hpux.c
+++ b/contrib/ipfilter/ipsend/hpux.c
@@ -1,9 +1,7 @@
/*
* (C)opyright 1997-1998 Darren Reed. (from tcplog)
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <strings.h>
diff --git a/contrib/ipfilter/ipsend/ip.c b/contrib/ipfilter/ipsend/ip.c
index c5eacb3..db6d477 100644
--- a/contrib/ipfilter/ipsend/ip.c
+++ b/contrib/ipfilter/ipsend/ip.c
@@ -1,14 +1,8 @@
/*
* ip.c (C) 1995-1998 Darren Reed
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995";
-static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.1 2001/01/10 06:21:19 darrenr Exp $";
-#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
@@ -33,6 +27,10 @@ static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.1 2001/01/10 06:21:19 darrenr
#endif
#include "ipsend.h"
+#if !defined(lint)
+static const char sccsid[] = "%W% %G% (C)1995";
+static const char rcsid[] = "@(#)$Id: ip.c,v 2.1.4.3 2001/07/15 22:00:13 darrenr Exp $";
+#endif
static char *ipbuf = NULL, *ethbuf = NULL;
diff --git a/contrib/ipfilter/ipsend/ipresend.1 b/contrib/ipfilter/ipsend/ipresend.1
index ab90471..6014313 100644
--- a/contrib/ipfilter/ipsend/ipresend.1
+++ b/contrib/ipfilter/ipsend/ipresend.1
@@ -2,7 +2,7 @@
.SH NAME
ipresend \- resend IP packets out to network
.SH SYNOPSIS
-.B ipsend
+.B ipresend
[
.B \-EHPRSTX
] [
diff --git a/contrib/ipfilter/ipsend/ipresend.c b/contrib/ipfilter/ipsend/ipresend.c
index bad0f67..4a4ec1c 100644
--- a/contrib/ipfilter/ipsend/ipresend.c
+++ b/contrib/ipfilter/ipsend/ipresend.c
@@ -6,14 +6,8 @@
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1 1999/08/04 17:31:05 darrenr Exp $";
-#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
@@ -34,6 +28,11 @@ static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1 1999/08/04 17:31:05 darre
#endif
#include "ipsend.h"
+#if !defined(lint)
+static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)$Id: ipresend.c,v 2.1.4.2 2001/07/15 22:00:13 darrenr Exp $";
+#endif
+
extern char *optarg;
extern int optind;
diff --git a/contrib/ipfilter/ipsend/ipsend.c b/contrib/ipfilter/ipsend/ipsend.c
index 3dd39af..74f624e 100644
--- a/contrib/ipfilter/ipsend/ipsend.c
+++ b/contrib/ipfilter/ipsend/ipsend.c
@@ -6,14 +6,8 @@
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.1 2001/01/10 06:21:19 darrenr Exp $";
-#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
@@ -36,6 +30,11 @@ static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.1 2001/01/10 06:21:19 dar
#include "ipsend.h"
#include "ipf.h"
+#if !defined(lint)
+static const char sccsid[] = "@(#)ipsend.c 1.5 12/10/95 (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)$Id: ipsend.c,v 2.2.2.3 2001/07/15 22:00:14 darrenr Exp $";
+#endif
+
extern char *optarg;
extern int optind;
diff --git a/contrib/ipfilter/ipsend/ipsend.h b/contrib/ipfilter/ipsend/ipsend.h
index e2f8ff8..71e5490 100644
--- a/contrib/ipfilter/ipsend/ipsend.h
+++ b/contrib/ipfilter/ipsend/ipsend.h
@@ -6,11 +6,7 @@
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
- * The author provides this program as-is, with no gaurantee for its
- * suitability for any specific purpose. The author takes no responsibility
- * for the misuse/abuse of this program and provides it for the sole purpose
- * of testing packet filter policies. This file maybe distributed freely
- * providing it is not modified and that this notice remains in tact.
+ * See the IPFILTER.LICENCE file for details on licencing.
*
*/
#ifndef __P
@@ -67,3 +63,9 @@ extern int kmemcpy __P((char *, void *, int));
#ifndef OPT_RAW
#define OPT_RAW 0x80000
#endif
+
+#ifndef __STDC__
+# ifndef const
+# define const
+# endif
+#endif
diff --git a/contrib/ipfilter/ipsend/ipsopt.c b/contrib/ipfilter/ipsend/ipsopt.c
index 2827c77..691ee7d 100644
--- a/contrib/ipfilter/ipsend/ipsopt.c
+++ b/contrib/ipfilter/ipsend/ipsopt.c
@@ -1,14 +1,8 @@
/*
* Copyright (C) 1995-1998 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1 1999/08/04 17:31:07 darrenr Exp $";
-#endif
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
@@ -25,13 +19,9 @@ static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1 1999/08/04 17:31:07 darrenr
#include <arpa/inet.h>
#include "ipsend.h"
-
-#ifndef __P
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
+#if !defined(lint)
+static const char sccsid[] = "@(#)ipsopt.c 1.2 1/11/96 (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)$Id: ipsopt.c,v 2.1.4.2 2001/07/15 22:00:14 darrenr Exp $";
#endif
diff --git a/contrib/ipfilter/ipsend/iptest.c b/contrib/ipfilter/ipsend/iptest.c
index dffee98..d4d37ba 100644
--- a/contrib/ipfilter/ipsend/iptest.c
+++ b/contrib/ipfilter/ipsend/iptest.c
@@ -6,14 +6,8 @@
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2 1999/12/04 03:37:05 darrenr Exp $";
-#endif
#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
@@ -38,6 +32,11 @@ static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2 1999/12/04 03:37:05 darrenr
#endif
#include "ipsend.h"
+#if !defined(lint)
+static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)$Id: iptest.c,v 2.2.2.2 2001/07/15 22:00:14 darrenr Exp $";
+#endif
+
extern char *optarg;
extern int optind;
diff --git a/contrib/ipfilter/ipsend/iptests.c b/contrib/ipfilter/ipsend/iptests.c
index 0eb263b..a133e34 100644
--- a/contrib/ipfilter/ipsend/iptests.c
+++ b/contrib/ipfilter/ipsend/iptests.c
@@ -1,14 +1,8 @@
/*
* Copyright (C) 1993-1998 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: iptests.c,v 2.1 1999/08/04 17:31:09 darrenr Exp $";
-#endif
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
@@ -80,6 +74,11 @@ static const char rcsid[] = "@(#)$Id: iptests.c,v 2.1 1999/08/04 17:31:09 darren
#endif
#include "ipsend.h"
+#if !defined(lint)
+static const char sccsid[] = "%W% %G% (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)$Id: iptests.c,v 2.1.4.2 2001/07/15 22:00:14 darrenr Exp $";
+#endif
+
#define PAUSE() tv.tv_sec = 0; tv.tv_usec = 10000; \
(void) select(0, NULL, NULL, NULL, &tv)
diff --git a/contrib/ipfilter/ipsend/larp.c b/contrib/ipfilter/ipsend/larp.c
index d64e701..d178d64 100644
--- a/contrib/ipfilter/ipsend/larp.c
+++ b/contrib/ipfilter/ipsend/larp.c
@@ -1,13 +1,11 @@
/*
* larp.c (C) 1995-1998 Darren Reed
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)larp.c 1.1 8/19/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: larp.c,v 2.1 1999/08/04 17:31:10 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: larp.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
#endif
#include <stdio.h>
#include <errno.h>
diff --git a/contrib/ipfilter/ipsend/linux.h b/contrib/ipfilter/ipsend/linux.h
index ae2e05f..2d2a243 100644
--- a/contrib/ipfilter/ipsend/linux.h
+++ b/contrib/ipfilter/ipsend/linux.h
@@ -1,9 +1,7 @@
/*
* Copyright (C) 1995-1998 by Darren Reed.
*
- * This code may be freely distributed as long as it retains this notice
- * and is not changed in any way. The author accepts no responsibility
- * for the use of this software. I hate legaleese, don't you ?
+ * See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)linux.h 1.1 8/19/95
*/
diff --git a/contrib/ipfilter/ipsend/lsock.c b/contrib/ipfilter/ipsend/lsock.c
index a430e19..058ab40 100644
--- a/contrib/ipfilter/ipsend/lsock.c
+++ b/contrib/ipfilter/ipsend/lsock.c
@@ -1,13 +1,11 @@
/*
* lsock.c (C) 1995-1998 Darren Reed
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#if !defined(lint)
static const char sccsid[] = "@(#)lsock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1 1999/08/04 17:31:11 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: lsock.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
#endif
#include <stdio.h>
#include <unistd.h>
diff --git a/contrib/ipfilter/ipsend/resend.c b/contrib/ipfilter/ipsend/resend.c
index 095aa9e..0d4102c 100644
--- a/contrib/ipfilter/ipsend/resend.c
+++ b/contrib/ipfilter/ipsend/resend.c
@@ -6,14 +6,8 @@
* conditions, enough of the TCP header is missing for unpredictable
* results unless the filter is aware that this can happen.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.1 2001/01/10 06:21:20 darrenr Exp $";
-#endif
#include <stdio.h>
#include <netdb.h>
#include <string.h>
@@ -39,6 +33,12 @@ static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.1 2001/01/10 06:21:20 dar
#endif
#include "ipsend.h"
+#if !defined(lint)
+static const char sccsid[] = "@(#)resend.c 1.3 1/11/96 (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)$Id: resend.c,v 2.1.4.3 2001/07/15 22:00:14 darrenr Exp $";
+#endif
+
+
extern int opts;
static u_char pbuf[65536]; /* 1 big packet */
diff --git a/contrib/ipfilter/ipsend/sbpf.c b/contrib/ipfilter/ipsend/sbpf.c
index f84deb9..5b8428c 100644
--- a/contrib/ipfilter/ipsend/sbpf.c
+++ b/contrib/ipfilter/ipsend/sbpf.c
@@ -1,9 +1,7 @@
/*
* (C)opyright 1995-1998 Darren Reed. (from tcplog)
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <netdb.h>
@@ -43,7 +41,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sbpf.c 1.3 8/25/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.1 1999/08/04 17:31:13 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: sbpf.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
#endif
/*
diff --git a/contrib/ipfilter/ipsend/sdlpi.c b/contrib/ipfilter/ipsend/sdlpi.c
index 3d797c1..dcd8422 100644
--- a/contrib/ipfilter/ipsend/sdlpi.c
+++ b/contrib/ipfilter/ipsend/sdlpi.c
@@ -1,9 +1,7 @@
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
@@ -40,7 +38,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)sdlpi.c 1.3 10/30/95 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.1 1999/08/04 17:31:13 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: sdlpi.c,v 2.1.4.2 2001/06/26 10:43:22 darrenr Exp $";
#endif
#define CHUNKSIZE 8192
@@ -58,7 +56,8 @@ int sport, tout;
char devname[16], *s, buf[256];
int i, fd;
- (void) sprintf(devname, "/dev/%s", device);
+ (void) strcpy(devname, "/dev/");
+ (void) strncat(devname, device, sizeof(devname) - strlen(devname));
s = devname + 5;
while (*s && !isdigit(*s))
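Review bot: The `strncat` length is off by one: its third argument is the maximum number of characters to append, and the terminating NUL is written in addition, so `sizeof(devname) - strlen(devname)` (11 here) lets a long `device` name put the terminator one byte past the 16-byte `devname`. Use `(void) strncat(devname, device, sizeof(devname) - strlen(devname) - 1);`. A name that is silently truncated then goes on to be used as a device path, so rejecting an over-long `device` outright may be preferable to truncating; how it is opened lies outside this hunk, as does the start of the function.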
diff --git a/contrib/ipfilter/ipsend/sirix.c b/contrib/ipfilter/ipsend/sirix.c
index 5317a90..4178c0e 100644
--- a/contrib/ipfilter/ipsend/sirix.c
+++ b/contrib/ipfilter/ipsend/sirix.c
@@ -2,9 +2,7 @@
* (C)opyright 1992-1998 Darren Reed.
* (C)opyright 1997 Marc Boucher.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <sys/types.h>
diff --git a/contrib/ipfilter/ipsend/slinux.c b/contrib/ipfilter/ipsend/slinux.c
index 353f3ad..7438d1c 100644
--- a/contrib/ipfilter/ipsend/slinux.c
+++ b/contrib/ipfilter/ipsend/slinux.c
@@ -1,9 +1,7 @@
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
@@ -29,7 +27,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)slinux.c 1.2 8/25/95";
-static const char rcsid[] = "@(#)$Id: slinux.c,v 2.1 1999/08/04 17:31:14 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: slinux.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
#endif
#define CHUNKSIZE 8192
diff --git a/contrib/ipfilter/ipsend/snit.c b/contrib/ipfilter/ipsend/snit.c
index 40aaae5..6f2c662 100644
--- a/contrib/ipfilter/ipsend/snit.c
+++ b/contrib/ipfilter/ipsend/snit.c
@@ -1,9 +1,7 @@
/*
* (C)opyright 1992-1998 Darren Reed. (from tcplog)
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
@@ -40,7 +38,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)snit.c 1.5 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: snit.c,v 2.1 1999/08/04 17:31:15 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: snit.c,v 2.1.4.1 2001/06/26 10:43:22 darrenr Exp $";
#endif
#define CHUNKSIZE 8192
diff --git a/contrib/ipfilter/ipsend/sock.c b/contrib/ipfilter/ipsend/sock.c
index 2ee5028..b20bf93 100644
--- a/contrib/ipfilter/ipsend/sock.c
+++ b/contrib/ipfilter/ipsend/sock.c
@@ -1,14 +1,8 @@
/*
* sock.c (C) 1995-1998 Darren Reed
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
-#if !defined(lint)
-static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.1 2000/12/16 21:05:44 darrenr Exp $";
-#endif
#include <stdio.h>
#include <unistd.h>
#include <string.h>
@@ -66,6 +60,12 @@ static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.1 2000/12/16 21:05:44 darre
#include <netinet/tcp_var.h>
#include "ipsend.h"
+#if !defined(lint)
+static const char sccsid[] = "@(#)sock.c 1.2 1/11/96 (C)1995 Darren Reed";
+static const char rcsid[] = "@(#)$Id: sock.c,v 2.1.4.3 2001/07/15 22:00:14 darrenr Exp $";
+#endif
+
+
int nproc;
struct proc *proc;
diff --git a/contrib/ipfilter/ipsend/ultrix.c b/contrib/ipfilter/ipsend/ultrix.c
index ffab2ce..f41a8a9 100644
--- a/contrib/ipfilter/ipsend/ultrix.c
+++ b/contrib/ipfilter/ipsend/ultrix.c
@@ -1,9 +1,7 @@
/*
* (C)opyright 1998 Darren Reed. (from tcplog)
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <strings.h>
diff --git a/contrib/ipfilter/ipt.c b/contrib/ipfilter/ipt.c
index 34a35e9..4749e38 100644
--- a/contrib/ipfilter/ipt.c
+++ b/contrib/ipfilter/ipt.c
@@ -1,12 +1,16 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#ifdef __FreeBSD__
-# include <osreldate.h>
+# ifndef __FreeBSD_cc_version
+# include <osreldate.h>
+# else
+# if __FreeBSD_cc_version < 430000
+# include <osreldate.h>
+# endif
+# endif
#endif
#include <stdio.h>
#include <assert.h>
@@ -55,7 +59,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)ipt.c 1.19 6/3/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6 2000/03/13 22:10:25 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ipt.c,v 2.6.2.2 2001/06/26 10:43:19 darrenr Exp $";
#endif
extern char *optarg;
diff --git a/contrib/ipfilter/ipt.h b/contrib/ipfilter/ipt.h
index bdc6a29..677c74a 100644
--- a/contrib/ipfilter/ipt.h
+++ b/contrib/ipfilter/ipt.h
@@ -1,10 +1,8 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- * $Id: ipt.h,v 2.2 2000/03/13 22:10:25 darrenr Exp $
+ * See the IPFILTER.LICENCE file for details on licencing.
+ * $Id: ipt.h,v 2.2.2.1 2001/06/26 10:43:19 darrenr Exp $
*/
#ifndef __IPT_H__
diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c
index ab90bba..3cad5a0 100644
--- a/contrib/ipfilter/kmem.c
+++ b/contrib/ipfilter/kmem.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
/*
* kmemcpy() - copies n bytes from kernel memory into user buffer.
@@ -18,16 +16,24 @@
#include <sys/file.h>
#include "kmem.h"
+#ifndef __STDC__
+# define const
+#endif
+
#if !defined(lint)
static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed";
-static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2 2000/03/13 22:10:25 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.3 2001/07/15 22:06:16 darrenr Exp $";
#endif
static int kmemfd = -1;
-int openkmem()
+int openkmem(core)
+char *core;
{
- if ((kmemfd = open(KMEM,O_RDONLY)) == -1)
+ if (core == NULL)
+ core = KMEM;
+
+ if ((kmemfd = open(core, O_RDONLY)) == -1)
{
perror("kmeminit:open");
return -1;
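Review bot: `openkmem()` now opens a caller-chosen path but still assigns the result straight to `kmemfd`, so a second call leaks the descriptor opened by the first; closing an already-open `kmemfd` before the `open()` would avoid that. The new parameter is also undocumented: a comment such as `/* core: file to read instead of KMEM; NULL selects KMEM */` above the definition would state the contract. If any program using this is installed with extra privilege to read kernel memory (not visible here), a non-NULL `core` should be opened only after that privilege has been dropped. The function body continues outside the hunk.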
@@ -45,7 +51,7 @@ register int n;
if (!n)
return 0;
if (kmemfd == -1)
- if (openkmem() == -1)
+ if (openkmem(NULL) == -1)
return -1;
if (lseek(kmemfd, pos, 0) == -1)
{
@@ -76,7 +82,7 @@ register int n;
if (!n)
return 0;
if (kmemfd == -1)
- if (openkmem() == -1)
+ if (openkmem(NULL) == -1)
return -1;
if (lseek(kmemfd, pos, 0) == -1)
{
diff --git a/contrib/ipfilter/kmem.h b/contrib/ipfilter/kmem.h
index d6ed3c4..08a6c5e 100644
--- a/contrib/ipfilter/kmem.h
+++ b/contrib/ipfilter/kmem.h
@@ -1,10 +1,8 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- * $Id: kmem.h,v 2.2 2000/03/13 22:10:25 darrenr Exp $
+ * See the IPFILTER.LICENCE file for details on licencing.
+ * $Id: kmem.h,v 2.2.2.2 2001/06/26 10:43:19 darrenr Exp $
*/
#ifndef __KMEM_H__
@@ -17,7 +15,7 @@
# define __P(x) ()
# endif
#endif
-extern int openkmem __P((void));
+extern int openkmem __P((char *));
extern int kmemcpy __P((char *, long, int));
extern int kstrncpy __P((char *, long, int));
diff --git a/contrib/ipfilter/man/ipf.5 b/contrib/ipfilter/man/ipf.5
index 243edac..c359703 100644
--- a/contrib/ipfilter/man/ipf.5
+++ b/contrib/ipfilter/man/ipf.5
@@ -374,7 +374,7 @@ against, e.g.:
# packets with ONLY the SYN flag set.
... flags SA
- # becomes "flags SA/AUPRFS" and will match any
+ # becomes "flags SA/AUPRFSC" and will match any
# packet with only the SYN and ACK flags set.
... flags S/SA
diff --git a/contrib/ipfilter/man/ipl.4 b/contrib/ipfilter/man/ipl.4
index 26aa604..15f587b 100644
--- a/contrib/ipfilter/man/ipl.4
+++ b/contrib/ipfilter/man/ipl.4
@@ -76,4 +76,4 @@ ipf(4)
.SH BUGS
Packet headers are dropped when the internal buffer (static size) fills.
.SH FILES
-/dev/ipl0
+/dev/ipl
diff --git a/contrib/ipfilter/misc.c b/contrib/ipfilter/misc.c
index 38b385d..df65e2c 100644
--- a/contrib/ipfilter/misc.c
+++ b/contrib/ipfilter/misc.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#if (SOLARIS2 >= 7)
# define _SYS_VARARGS_H
@@ -52,7 +50,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)misc.c 1.3 2/4/96 (C) 1995 Darren Reed";
-static const char rcsid[] = "@(#)$Id: misc.c,v 2.2 2000/03/13 22:10:25 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: misc.c,v 2.2.2.1 2001/06/26 10:43:19 darrenr Exp $";
#endif
extern int opts;
diff --git a/contrib/ipfilter/ml_ipl.c b/contrib/ipfilter/ml_ipl.c
index 0ee29cb..4db9a9b 100644
--- a/contrib/ipfilter/ml_ipl.c
+++ b/contrib/ipfilter/ml_ipl.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors. The author accepts no
+ * See the IPFILTER.LICENCE file for details on licencing.
* responsibility and is not changed in any way.
*
* I hate legaleese, don't you ?
diff --git a/contrib/ipfilter/mlf_ipl.c b/contrib/ipfilter/mlf_ipl.c
index 3ca7df3..50c2d94 100644
--- a/contrib/ipfilter/mlf_ipl.c
+++ b/contrib/ipfilter/mlf_ipl.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
/*
* 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
@@ -13,12 +11,24 @@
#include <sys/param.h>
-#if defined(__FreeBSD__) && (__FreeBSD__ > 1)
+#if defined(__FreeBSD__)
# ifdef IPFILTER_LKM
-# include <osreldate.h>
+# ifndef __FreeBSD_cc_version
+# include <osreldate.h>
+# else
+# if __FreeBSD_cc_version < 430000
+# include <osreldate.h>
+# endif
+# endif
# define ACTUALLY_LKM_NOT_KERNEL
# else
-# include <sys/osreldate.h>
+# ifndef __FreeBSD_cc_version
+# include <sys/osreldate.h>
+# else
+# if __FreeBSD_cc_version < 430000
+# include <sys/osreldate.h>
+# endif
+# endif
# endif
#endif
#include <sys/systm.h>
@@ -53,19 +63,16 @@
#if (__FreeBSD_version >= 300000)
# include <sys/socket.h>
#endif
-#if (__FreeBSD_version >= 199511)
#include <net/if.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <net/route.h>
+#include <net/if.h>
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <netinet/tcpip.h>
-#endif
-#if (__FreeBSD__ > 1)
-# include <sys/sysent.h>
-#endif
+#include <sys/sysent.h>
#include <sys/lkm.h>
#include "netinet/ipl.h"
#include "netinet/ip_compat.h"
@@ -392,7 +399,7 @@ int cmd, ver;
# endif
}
# endif /* IPFILTER_LKM */
-static ipl_devsw_installed = 0;
+static int ipl_devsw_installed = 0;
static void ipl_drvinit __P((void *unused))
{
diff --git a/contrib/ipfilter/mli_ipl.c b/contrib/ipfilter/mli_ipl.c
index a451a10..2412029 100644
--- a/contrib/ipfilter/mli_ipl.c
+++ b/contrib/ipfilter/mli_ipl.c
@@ -1,10 +1,8 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
* (C)opyright 1997 by Marc Boucher.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original authors and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
/* TODO: (MARCXXX)
diff --git a/contrib/ipfilter/mln_ipl.c b/contrib/ipfilter/mln_ipl.c
index 777ca9f..bda0f2e 100644
--- a/contrib/ipfilter/mln_ipl.c
+++ b/contrib/ipfilter/mln_ipl.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
/*
* 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
diff --git a/contrib/ipfilter/mls_ipl.c b/contrib/ipfilter/mls_ipl.c
index 391b814..bc8f3ed 100644
--- a/contrib/ipfilter/mls_ipl.c
+++ b/contrib/ipfilter/mls_ipl.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
/*
* 29/12/94 Added code from Marc Huber <huber@fzi.de> to allow it to allocate
@@ -42,7 +40,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)mls_ipl.c 2.6 10/15/95 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2 2000/03/13 22:10:26 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: mls_ipl.c,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $";
#endif
extern int ipldetach __P((void));
diff --git a/contrib/ipfilter/natparse.c b/contrib/ipfilter/natparse.c
index 9655615..f237708 100644
--- a/contrib/ipfilter/natparse.c
+++ b/contrib/ipfilter/natparse.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <string.h>
@@ -54,7 +52,7 @@ extern char *sys_errlist[];
#if !defined(lint)
static const char sccsid[] ="@(#)ipnat.c 1.9 6/5/96 (C) 1993 Darren Reed";
-static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.6 2000/07/08 02:14:40 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: natparse.c,v 1.17.2.11 2001/07/17 14:33:09 darrenr Exp $";
#endif
@@ -160,6 +158,8 @@ void *ptr;
printf(" udp");
if (np->in_flags & IPN_ROUNDR)
printf(" round-robin");
+ if (np->in_flags & IPN_FRAG)
+ printf(" frag");
printf("\n");
if (opts & OPT_DEBUG)
printf("\t%p %lu %#x %u %p %d\n", np->in_ifp,
@@ -231,6 +231,8 @@ void *ptr;
ntohs(np->in_pmax));
}
}
+ if (np->in_flags & IPN_FRAG)
+ printf(" frag");
printf("\n");
if (opts & OPT_DEBUG) {
printf("\tifp %p space %lu nextip %s pnext %d",
@@ -277,6 +279,7 @@ int linenum;
char *s, *t, *cps[31], **cpp;
int i, cnt;
+ proto = NULL;
if ((s = strchr(line, '\n')))
*s = '\0';
@@ -553,7 +556,7 @@ int linenum;
} else
ipn.in_pmin = 0;
} else if ((ipn.in_redir & NAT_BIMAP) == NAT_REDIRECT) {
- if (strrchr(*cpp, '/') != NULL) {
+ if (!*cpp || strrchr(*cpp, '/') != NULL) {
fprintf(stderr, "%d: No netmask supported in %s\n",
linenum, "destination host for redirect");
return NULL;
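Review bot: The added `!*cpp` test stops `strrchr()` from being called on a missing token, but a truncated rule is then reported as "No netmask supported in destination host for redirect", which misdescribes the error. A separate branch, for example `if (!*cpp) { fprintf(stderr, "%d: missing destination host for redirect\n", linenum); return NULL; }`, would keep the NULL guard and give the rule author an accurate message. The enclosing parser function starts and ends outside the hunk.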
@@ -623,6 +626,11 @@ int linenum;
ipn.in_flags |= IPN_ROUNDR;
}
+ if (*cpp && !strcasecmp(*cpp, "frag")) {
+ cpp++;
+ ipn.in_flags |= IPN_FRAG;
+ }
+
if (*cpp) {
fprintf(stderr,
"%d: extra junk at the end of rdr: %s\n",
@@ -641,6 +649,11 @@ int linenum;
if ((ipn.in_redir & NAT_MAPBLK) != 0)
nat_setgroupmap(&ipn);
+ if (*cpp && !strcasecmp(*cpp, "frag")) {
+ cpp++;
+ ipn.in_flags |= IPN_FRAG;
+ }
+
if (!*cpp)
return &ipn;
diff --git a/contrib/ipfilter/opt.c b/contrib/ipfilter/opt.c
index ae153a1..e0dd125 100644
--- a/contrib/ipfilter/opt.c
+++ b/contrib/ipfilter/opt.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <stdio.h>
#include <string.h>
@@ -27,7 +25,7 @@
#if !defined(lint)
static const char sccsid[] = "@(#)opt.c 1.8 4/10/96 (C) 1993-2000 Darren Reed";
-static const char rcsid[] = "@(#)$Id: opt.c,v 2.2 2000/03/13 22:10:26 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: opt.c,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $";
#endif
extern int opts;
diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c
index 0441ad5..56bc3fc 100644
--- a/contrib/ipfilter/parse.c
+++ b/contrib/ipfilter/parse.c
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#include <sys/types.h>
#if !defined(__SVR4) && !defined(__svr4__)
@@ -394,7 +392,15 @@ int linenum;
linenum);
return NULL;
}
- if (**cpp == '!') {
+ if (!strcmp(*cpp, "!")) {
+ fil.fr_flags |= FR_NOTSRCIP;
+ if (!*++cpp) {
+ fprintf(stderr,
+ "%d: missing host after from\n",
+ linenum);
+ return NULL;
+ }
+ } else if (**cpp == '!') {
fil.fr_flags |= FR_NOTSRCIP;
(*cpp)++;
}
@@ -424,7 +430,15 @@ int linenum;
return NULL;
}
ch = 0;
- if (**cpp == '!') {
+ if (!strcmp(*cpp, "!")) {
+ fil.fr_flags |= FR_NOTDSTIP;
+ if (!*++cpp) {
+ fprintf(stderr,
+ "%d: missing host after from\n",
+ linenum);
+ return NULL;
+ }
+ } else if (**cpp == '!') {
fil.fr_flags |= FR_NOTDSTIP;
(*cpp)++;
}
diff --git a/contrib/ipfilter/pcap.h b/contrib/ipfilter/pcap.h
index 1a53382..aa24798 100644
--- a/contrib/ipfilter/pcap.h
+++ b/contrib/ipfilter/pcap.h
@@ -1,10 +1,9 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
- * $Id: pcap.h,v 2.2 2000/03/13 22:10:27 darrenr Exp $
+ * See the IPFILTER.LICENCE file for details on licencing.
+ *
+ * $Id: pcap.h,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $
*/
/*
* This header file is constructed to match the version described by
diff --git a/contrib/ipfilter/relay.c b/contrib/ipfilter/relay.c
index 5919086..58a44f0 100644
--- a/contrib/ipfilter/relay.c
+++ b/contrib/ipfilter/relay.c
@@ -107,7 +107,7 @@ char *argv[];
int fd, sl = sizeof(sl), se;
openlog(argv[0], LOG_PID|LOG_NDELAY, LOG_DAEMON);
- if ((fd = open("/dev/ipl", O_RDONLY)) == -1) {
+ if ((fd = open("/dev/ipnat", O_RDONLY)) == -1) {
se = errno;
perror("open");
errno = se;
@@ -115,6 +115,9 @@ char *argv[];
exit(-1);
}
+ bzero(&nl, sizeof(nl));
+ nl.nl_flags = IPN_TCP;
+
bzero(&sin, sizeof(sin));
sin.sin_family = AF_INET;
sl = sizeof(sin);
@@ -151,8 +154,8 @@ char *argv[];
exit(-1);
}
- sin.sin_port = nl.nl_inport;
- sin.sin_addr = nl.nl_inip;
+ sin.sin_port = nl.nl_realport;
+ sin.sin_addr = nl.nl_realip;
sl = sizeof(sin);
fd = socket(AF_INET, SOCK_STREAM, 0);
diff --git a/contrib/ipfilter/snoop.h b/contrib/ipfilter/snoop.h
index df800ae..2f6c305 100644
--- a/contrib/ipfilter/snoop.h
+++ b/contrib/ipfilter/snoop.h
@@ -1,9 +1,7 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
#ifndef __SNOOP_H__
@@ -11,7 +9,7 @@
/*
* written to comply with the RFC (1761) from Sun.
- * $Id: snoop.h,v 2.2 2000/03/13 22:10:27 darrenr Exp $
+ * $Id: snoop.h,v 2.2.2.1 2001/06/26 10:43:20 darrenr Exp $
*/
struct snoophdr {
char s_id[8];
diff --git a/contrib/ipfilter/solaris.c b/contrib/ipfilter/solaris.c
index 1e82ec0..b526327 100644
--- a/contrib/ipfilter/solaris.c
+++ b/contrib/ipfilter/solaris.c
@@ -1,12 +1,10 @@
/*
- * Copyright (C) 1993-2000 by Darren Reed.
+ * Copyright (C) 1993-2001 by Darren Reed.
*
- * Redistribution and use in source and binary forms are permitted
- * provided that this notice is preserved and due credit is given
- * to the original author and the contributors.
+ * See the IPFILTER.LICENCE file for details on licencing.
*/
/* #pragma ident "@(#)solaris.c 1.12 6/5/96 (C) 1995 Darren Reed"*/
-#pragma ident "@(#)$Id: solaris.c,v 2.15.2.8 2000/11/27 10:28:41 darrenr Exp $"
+#pragma ident "@(#)$Id: solaris.c,v 2.15.2.20 2001/07/18 14:58:28 darrenr Exp $"
#include <sys/systm.h>
#include <sys/types.h>
@@ -147,7 +145,7 @@ static struct modlinkage modlink1 = { MODREV_1, &iplmod, NULL };
static size_t hdrsizes[57][2] = {
{ 0, 0 },
{ IFT_OTHER, 0 },
- { IFT_1822, 0 },
+ { IFT_1822, 14 }, /* 14 for ire0 ?? */
{ IFT_HDH1822, 0 },
{ IFT_X25DDN, 0 },
{ IFT_X25, 0 },
@@ -210,8 +208,6 @@ int _init()
{
int ipfinst;
- if (fr_running < 0)
- return -1;
ipfinst = mod_install(&modlink1);
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: _init() = %d", ipfinst);
@@ -224,8 +220,6 @@ int _fini(void)
{
int ipfinst;
- if (fr_running < 0)
- return -1;
ipfinst = mod_remove(&modlink1);
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: _fini() = %d", ipfinst);
@@ -239,8 +233,6 @@ struct modinfo *modinfop;
{
int ipfinst;
- if (fr_running < 0)
- return -1;
ipfinst = mod_info(&modlink1, modinfop);
#ifdef IPFDEBUG
cmn_err(CE_NOTE, "IP Filter: _info(%x) = %x", modinfop, ipfinst);
@@ -275,6 +267,31 @@ dev_info_t *dip;
}
+static void ipf_ire_walk(ire, arg)
+ire_t *ire;
+void *arg;
+{
+ qif_t *qif = arg;
+
+ if ((ire->ire_type == IRE_CACHE) &&
+#if SOLARIS2 >= 6
+ (ire->ire_ipif != NULL) &&
+ (ire->ire_ipif->ipif_ill == qif->qf_ill)
+#else
+ (ire_to_ill(ire) == qif->qf_ill)
+#endif
+ ) {
+#if SOLARIS2 >= 8
+ mblk_t *m = ire->ire_fp_mp;
+#else
+ mblk_t *m = ire->ire_ll_hdr_mp;
+#endif
+ if (m != NULL)
+ qif->qf_hl = m->b_wptr - m->b_rptr;
+ }
+}
+
+
static int ipf_attach(dip, cmd)
dev_info_t *dip;
ddi_attach_cmd_t cmd;
@@ -336,6 +353,14 @@ ddi_attach_cmd_t cmd;
drv_usectohz(500000));
if (fr_running == 1)
return DDI_SUCCESS;
+#if SOLARIS2 >= 8
+ case DDI_RESUME :
+ case DDI_PM_RESUME :
+ if (ipfr_timer_id == 0)
+ ipfr_timer_id = timeout(ipfr_slowtimer, NULL,
+ drv_usectohz(500000));
+ return DDI_SUCCESS;
+#endif
default:
return DDI_FAILURE;
}
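Review bot: On `SOLARIS2 >= 8` the new `case DDI_RESUME :` labels sit directly after `if (fr_running == 1) return DDI_SUCCESS;`, so when that test fails control now falls through into the resume code and returns `DDI_SUCCESS` instead of reaching `default:` and `DDI_FAILURE`. As far as the hunk shows, the preceding lines are the tail of the attach case, which means a failed attach would be reported as successful. Adding `return DDI_FAILURE;` after the `fr_running` test, before the `#if`, keeps the old result. The start of the switch is outside the hunk.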
@@ -403,6 +428,19 @@ ddi_detach_cmd_t cmd;
cmn_err(CE_CONT, "%s detached\n", ipfilter_version);
return (DDI_SUCCESS);
}
+#if SOLARIS2 >= 8
+ case DDI_SUSPEND :
+ case DDI_PM_SUSPEND :
+ if (ipfr_timer_id != 0) {
+ untimeout(ipfr_timer_id);
+ ipfr_timer_id = 0;
+ }
+ if (synctimeoutid) {
+ untimeout(synctimeoutid);
+ synctimeoutid = 0;
+ }
+ return DDI_SUCCESS;
+#endif
default:
return (DDI_FAILURE);
}
@@ -479,7 +517,7 @@ size_t off;
m = m->b_cont;
cmn_err(CE_CONT, " !IP %s:%d %d %p %p %p %d %p/%d %p/%d %p %d %d %p\n",
- qif ? qif->qf_name : "?", out, qif->qf_hl, q,
+ qif ? qif->qf_name : "?", out, qif ? qif->qf_hl : -1, q,
q ? q->q_ptr : NULL, q ? q->q_qinfo : NULL,
mt->b_wptr - mt->b_rptr, m, MTYPE(m), mt, MTYPE(mt), m->b_rptr,
m->b_wptr - m->b_rptr, off, ip);
@@ -529,8 +567,8 @@ int out;
{
register mblk_t *m, *mt = *mp;
register ip_t *ip;
- size_t hlen, len, off, mlen, iphlen, plen;
- int err, synced = 0, sap, p;
+ size_t hlen, len, off, off2, mlen, iphlen, plen, woff;
+ int err, synced = 0, sap, p, realigned = 0, multi = 0;
u_char *bp;
#if SOLARIS2 >= 8
ip6_t *ip6;
@@ -556,8 +594,21 @@ tryagain:
bp = (u_char *)ALIGN32(mt->b_rptr);
if (MTYPE(mt) == M_PROTO || MTYPE(mt) == M_PCPROTO) {
dl_unitdata_ind_t *dl = (dl_unitdata_ind_t *)bp;
- if (dl->dl_primitive != DL_UNITDATA_IND &&
- dl->dl_primitive != DL_UNITDATA_REQ) {
+ if (dl->dl_primitive == DL_UNITDATA_IND) {
+ multi = dl->dl_group_address;
+ m = mt->b_cont;
+ /*
+ * This is a complete kludge to try and work around
+ * some bizarre packets which drop through into
+ * fr_donotip.
+ */
+ if (m && multi && ((*((u_char *)m->b_rptr) == 0x0) &&
+ ((*((u_char *)m->b_rptr + 2) == 0x45)))) {
+ ip = (ip_t *)(m->b_rptr + 2);
+ off = 2;
+ } else
+ off = 0;
+ } else if (dl->dl_primitive != DL_UNITDATA_REQ) {
ip = (ip_t *)dl;
if ((ip->ip_v == IPVERSION) &&
(ip->ip_hl == (sizeof(*ip) >> 2)) &&
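Review bot: The relocated kludge reads `m->b_rptr[0]` and `m->b_rptr[2]` without checking that the continuation block holds at least three bytes, so a short `b_cont` block is read past `b_wptr`. Guard it with a length test, e.g. `if (m && multi && (m->b_wptr - m->b_rptr > 2) && ...`. The assignment `ip = (ip_t *)(m->b_rptr + 2);` also looks redundant if `ip` is recomputed from `off` later in the function, as the context of the following hunk suggests. The function body extends beyond this hunk.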
@@ -584,19 +635,6 @@ tryagain:
return 0; /* No data blocks */
}
- /*
- * This is a complete kludge to try and work around some bizarre
- * packets which drop through into fr_donotip.
- */
- if ((mt != m) && (MTYPE(mt) == M_PROTO || MTYPE(mt) == M_PCPROTO)) {
- dl_unitdata_ind_t *dl = (dl_unitdata_ind_t *)bp;
- if ((dl->dl_primitive == DL_UNITDATA_IND) &&
- (dl->dl_group_address == 1))
- if (((*((u_char *)m->b_rptr) == 0x0) &&
- ((*((u_char *)m->b_rptr + 2) == 0x45))))
- off += 2;
- }
-
ip = (ip_t *)(m->b_rptr + off); /* MMM */
/*
@@ -648,10 +686,13 @@ tryagain:
((char *)&tlen)[0] = ((char *)&ip6->ip6_plen)[0];
((char *)&tlen)[1] = ((char *)&ip6->ip6_plen)[1];
plen = ntohs(tlen);
- sap = IP6_DL_SAP;
+ if (!plen)
+ return -1; /* Jumbo gram */
+ plen += sizeof(*ip6);
}
#endif
else {
+ plen = 0;
hlen = 0;
sap = -1;
}
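Review bot: The new `return -1; /* Jumbo gram */` path turns away every IPv6 packet whose payload-length field is zero without recording it in `frstats[out]`, whereas other early exits visible in this diff (`fr_notip`, `fr_pull[1]`) bump a counter first. Incrementing an appropriate `frstats[out]` counter before the return would let an operator see how often this happens. The comment could also say that jumbograms are deliberately unsupported rather than just naming them. The enclosing function starts and ends outside the hunk.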
@@ -659,34 +700,77 @@ tryagain:
/*
* Ok, the IP header isn't on a 32bit aligned address so junk it.
*/
- if (((u_int)ip & 0x3) || (len < hlen) || (sap == -1)) {
- mblk_t *m2;
- u_char *s;
+ if (((u_long)ip & 0x3) || (plen > mlen) || (len < hlen) ||
+ (sap == -1)) {
+ mblk_t *m1, *m2;
+ u_char *s, c;
+ int v;
/*
* Junk using pullupmsg - it's next to useless.
*/
fixalign:
+ if (off)
+ m->b_rptr -= off;
+ c = *(u_char *)ip;
+ c >>= 4;
+ if (c != 4
+#if SOLARIS2 >= 8
+ && c != 6
+#endif
+ ) {
+ frstats[out].fr_notip++;
+ return (fr_flags & FF_BLOCKNONIP) ? -1 : 0;
+ }
+
+ if (realigned)
+ return -1;
+ realigned = 1;
+ off2 = (size_t)((u_long)ip & 0x3);
+ if (off2)
+ off2 = 4 - off2;
len = msgdsize(m);
- m2 = allocb(len, BPRI_HI);
+ m2 = allocb(len + off2, BPRI_HI);
if (m2 == NULL) {
frstats[out].fr_pull[1]++;
return -1;
}
+ MTYPE(m2) = M_DATA;
+ if (m->b_rptr != (u_char *)ip)
+ m2->b_rptr += off2;
m2->b_wptr = m2->b_rptr + len;
- s = (u_char *)ip;
- for (bp = m2->b_rptr; m; bp += len) {
- len = m->b_wptr - s;
- bcopy(m->b_rptr, bp, len);
- m = m->b_cont;
- if (m)
- s = m->b_rptr;
+ m1 = m;
+ s = (u_char *)m->b_rptr;
+ for (bp = m2->b_rptr; m1 && (bp < m2->b_wptr); bp += len) {
+ len = MIN(m1->b_wptr - s, m2->b_wptr - bp);
+ bcopy(s, bp, len);
+ m1 = m1->b_cont;
+ if (m1)
+ s = m1->b_rptr;
+ }
+
+ if (mt != m && mt->b_cont == m && !off) {
+ /*
+ * check if the buffer we're changing is chained in-
+ * between other buffers and unlink/relink as required.
+ */
+ (void) unlinkb(mt); /* should return 'm' */
+ m1 = unlinkb(m);
+ if (m1)
+ linkb(m2, m1);
+ freemsg(m);
+ linkb(mt, m2);
+ } else {
+ if (m == mt) {
+ m1 = unlinkb(mt);
+ if (m1)
+ linkb(m2, m1);
+ }
+ freemsg(mt);
+ *mp = m2;
+ mt = m2;
}
- *mp = m2;
- MTYPE(m2) = M_DATA;
- freemsg(mt);
- mt = m2;
frstats[out].fr_pull[0]++;
synced = 1;
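Review bot: In the rewritten realignment code the copy loop already walks the whole `b_cont` chain of `m` into `m2` (which is sized by `msgdsize(m)`), and the relink step then appends the blocks returned by `unlinkb(m)` or `unlinkb(mt)` behind `m2` with `linkb(m2, m1)`. Unless something outside the hunk prevents it, a message whose data spans several blocks would end up with the continuation data present twice. Either copy only the first block into `m2` and keep the relink, or keep the full copy and free the old continuation instead of relinking it. A short comment on which of the two is intended, and on why `realigned` limits this to one pass, would help the next reader; the function starts and ends outside the hunk.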
@@ -714,7 +798,7 @@ fixalign:
#ifndef sparc
# if SOLARIS2 >= 8
if (sap == IP6_DL_SAP) {
- ip6->ip6_plen = plen;
+ ip6->ip6_plen = plen - sizeof(*ip6);
} else {
# endif
__ipoff = (u_short)ip->ip_off;
@@ -734,7 +818,7 @@ fixalign:
if ((
#if SOLARIS2 >= 8
- (sap == IP6_DL_SAP) && (mlen < iphlen + plen)) ||
+ (sap == IP6_DL_SAP) && (mlen < plen)) ||
((sap == 0) &&
#endif
((iphlen < hlen) || (iphlen > plen) || (mlen < plen)))) {
@@ -744,7 +828,7 @@ fixalign:
#ifndef sparc
# if SOLARIS2 >= 8
if (sap == IP6_DL_SAP) {
- ip6->ip6_plen = htons(plen);
+ ip6->ip6_plen = htons(plen - sizeof(*ip6));
} else {
# endif
__ipoff = (u_short)ip->ip_off;
@@ -790,15 +874,13 @@ fixalign:
break;
}
+ woff = 0;
if (hlen > mlen) {
hlen = mlen;
-#if SOLARIS2 >= 8
- } else if (sap == IP6_DL_SAP) {
- if (m->b_wptr - m->b_rptr > plen + hlen)
- m->b_wptr = m->b_rptr + plen + hlen;
-#endif
- } else if (m->b_wptr - m->b_rptr > plen)
- m->b_wptr = m->b_rptr + plen;
+ } else if (m->b_wptr - m->b_rptr > plen) {
+ woff = m->b_wptr - m->b_rptr - plen;
+ m->b_wptr -= woff;
+ }
/*
* If we don't have enough data in the mblk or we haven't yet copied
@@ -806,7 +888,7 @@ fixalign:
*/
if ((hlen > len)) {
if (!pullupmsg(m, (int)hlen)) {
- cmn_err(CE_NOTE, "pullupmsg failed\n");
+ cmn_err(CE_NOTE, "pullupmsg failed");
frstats[out].fr_pull[1]++;
return -1;
}
@@ -818,8 +900,9 @@ fixalign:
qif->qf_off = off;
qif->qf_len = len;
err = fr_check(ip, iphlen, qif->qf_ill, out, qif, mp);
- if (err == 2)
+ if (err == 2) {
goto fixalign;
+ }
/*
* Copy back the ip header data if it was changed, we haven't yet
* freed the message and we aren't going to drop the packet.
@@ -828,11 +911,12 @@ fixalign:
*/
if (*mp != NULL) {
if (*mp == mt) {
+ m->b_wptr += woff;
m->b_rptr -= off;
#ifndef sparc
# if SOLARIS2 >= 8
if (sap == IP6_DL_SAP) {
- ip6->ip6_plen = htons(plen);
+ ip6->ip6_plen = htons(plen - sizeof(*ip6));
} else {
# endif
__ipoff = (u_short)ip->ip_off;
@@ -847,13 +931,37 @@ fixalign:
#endif
} else
cmn_err(CE_NOTE,
- "!IP Filter: *mp %p mt %p %s\n", *mp, mt,
+ "!IP Filter: *mp %p mt %p %s", *mp, mt,
"mblk changed, cannot revert ip_len, ip_off");
}
return err;
}
+/*
+ * Only called for M_IOCACK messages
+ */
+void fr_qif_update(qif, mp)
+qif_t *qif;
+mblk_t *mp;
+{
+ struct iocblk *iocp;
+
+ if (!qif || !mp)
+ return;
+ iocp = (struct iocblk *)mp->b_rptr;
+ if (mp->b_cont && (iocp->ioc_cmd == DL_IOC_HDR_INFO)) {
+ mp = mp->b_cont;
+ if (MTYPE(mp) == M_PROTO && mp->b_cont) {
+ mp = mp->b_cont;
+ if (MTYPE(mp) == M_DATA) {
+ qif->qf_hl = mp->b_wptr - mp->b_rptr;
+ }
+ }
+ }
+}
+
+
int fr_qin(q, mb)
queue_t *q;
mblk_t *mb;
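Review bot: `fr_qif_update()` casts `mp->b_rptr` to `struct iocblk *` and reads `ioc_cmd` without checking that the block is at least `sizeof(struct iocblk)` long; a test such as `(mp->b_wptr - mp->b_rptr) >= sizeof(*iocp)` before the cast would make the helper safe for short messages. The header comment says it is only called for M_IOCACK messages, but a later hunk in this file calls it from the ioctl switch in `ipf_ip_qin()`, so the comment should list both callers or the call should be justified there. The helper also stores into `qif->qf_hl`, and the comment should say which lock the caller must hold.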
@@ -863,6 +971,7 @@ mblk_t *mb;
if (fr_running <= 0) {
mb->b_prev = NULL;
+ mb->b_next = NULL;
freemsg(mb);
return 0;
}
@@ -871,6 +980,17 @@ mblk_t *mb;
mblk_t *m1;
m1 = copymsg(mb);
+ if (!m1) {
+ frstats[0].fr_drop++;
+ mb->b_next = NULL;
+ mb->b_prev = NULL;
+ freemsg(mb);
+ return 0;
+ }
+ m1->b_next = mb->b_next;
+ mb->b_next = NULL;
+ m1->b_prev = mb->b_prev;
+ mb->b_prev = NULL;
freemsg(mb);
mb = m1;
frstats[0].fr_copy++;
@@ -881,6 +1001,7 @@ again:
if (fr_running <= 0) {
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
+ mb->b_next = NULL;
freemsg(mb);
return 0;
}
@@ -925,17 +1046,21 @@ again:
frstats[0].fr_drop++;
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
+ mb->b_next = NULL;
freemsg(mb);
return 0;
}
- bcopy((char *)qif, (char *)&qf, sizeof(qf));
- qif = &qf;
- type = MTYPE(mb);
pnext = qif->qf_rqinfo->qi_putp;
+ type = MTYPE(mb);
+ if (type == M_IOCACK)
+ fr_qif_update(qif, mb);
+ else {
+ bcopy((char *)qif, (char *)&qf, sizeof(qf));
- if (datamsg(type) || (type == M_BREAK))
- err = fr_precheck(&mb, q, qif, 0);
+ if (datamsg(type) || (type == M_BREAK))
+ err = fr_precheck(&mb, q, &qf, 0);
+ }
RWLOCK_EXIT(&ipfs_mutex);
RWLOCK_EXIT(&ipf_solaris);
@@ -944,11 +1069,13 @@ again:
if (pnext)
return (*pnext)(q, mb);
- cmn_err(CE_WARN, "!IP Filter: inp NULL: qif %x q %x info %x",
- qif, q, q->q_qinfo);
+ cmn_err(CE_WARN,
+ "!IP Filter: inp NULL: qif %x %s q %x info %x",
+ &qf, qf.qf_name, q, q->q_qinfo);
}
if (mb) {
mb->b_prev = NULL;
+ mb->b_next = NULL;
freemsg(mb);
}
return 0;
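Review bot: The rewritten warning prints `&qf` and `qf.qf_name`, but in the previous hunk `qf` is only filled by `bcopy()` in the non-`M_IOCACK` branch, so for an `M_IOCACK` message with a NULL `pnext` the `%s` reads an uninitialised stack buffer (unless `qf` is initialised outside the hunks). Print from `qif` in that case, or copy `qif` into `qf` before the `type` test. The same pattern is in the `fr_qout()` hunk that changes the `outp NULL` warning. The pointer arguments are also passed to `%x`; `%p` is the matching conversion.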
@@ -964,14 +1091,32 @@ mblk_t *mb;
if (fr_running <= 0) {
mb->b_prev = NULL;
+ mb->b_next = NULL;
freemsg(mb);
return 0;
}
- if (mb->b_datap->db_ref > 1) {
+#if SOLARIS2 >= 6
+ if ((!dohwcksum || mb->b_ick_flag != ICK_VALID) &&
+ (mb->b_datap->db_ref > 1))
+#else
+ if (mb->b_datap->db_ref > 1)
+#endif
+ {
mblk_t *m1;
m1 = copymsg(mb);
+ if (!m1) {
+ frstats[1].fr_drop++;
+ mb->b_next = NULL;
+ mb->b_prev = NULL;
+ freemsg(mb);
+ return 0;
+ }
+ m1->b_next = mb->b_next;
+ mb->b_next = NULL;
+ m1->b_prev = mb->b_prev;
+ mb->b_prev = NULL;
freemsg(mb);
mb = m1;
frstats[1].fr_copy++;
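Review bot: With the new `SOLARIS2 >= 6` condition a message whose data block is shared (`db_ref > 1`) is no longer copied when `dohwcksum` is set and `b_ick_flag == ICK_VALID`, yet other hunks in this file show `fr_precheck()` rewriting header fields in place. If that is intentional, to keep the hardware-checksum state that `copymsg()` would not carry over, it needs a comment saying so and saying why writing into a shared block is safe here; I cannot tell from the hunk. The function starts and ends outside the hunk.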
@@ -982,6 +1127,7 @@ again:
if (fr_running <= 0) {
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
+ mb->b_next = NULL;
freemsg(mb);
return 0;
}
@@ -998,7 +1144,7 @@ again:
synced = 1;
goto again;
}
- /* fr_donotip(0, NULL, q, mb, mb, NULL, 0); */
+ /* fr_donotip(1, NULL, q, mb, mb, NULL, 0); */
RWLOCK_EXIT(&ipf_solaris);
return (*pnext)(q, mb);
}
@@ -1036,17 +1182,21 @@ again:
frstats[1].fr_drop++;
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
+ mb->b_next = NULL;
freemsg(mb);
return 0;
}
- bcopy((char *)qif, (char *)&qf, sizeof(qf));
- qif = &qf;
- type = MTYPE(mb);
pnext = qif->qf_wqinfo->qi_putp;
+ type = MTYPE(mb);
+ if (type == M_IOCACK)
+ fr_qif_update(qif, mb);
+ else {
+ bcopy((char *)qif, (char *)&qf, sizeof(qf));
- if (datamsg(type) || (type == M_BREAK))
- err = fr_precheck(&mb, q, qif, 1);
+ if (datamsg(type) || (type == M_BREAK))
+ err = fr_precheck(&mb, q, &qf, 1);
+ }
RWLOCK_EXIT(&ipfs_mutex);
RWLOCK_EXIT(&ipf_solaris);
@@ -1057,10 +1207,11 @@ again:
cmn_err(CE_WARN,
"!IP Filter: outp NULL: qif %x %s q %x info %x",
- qif, qif->qf_name, q, q->q_qinfo);
+ &qf, qf.qf_name, q, q->q_qinfo);
}
if (mb) {
mb->b_prev = NULL;
+ mb->b_next = NULL;
freemsg(mb);
}
return 0;
@@ -1080,6 +1231,7 @@ void *arg;
RWLOCK_EXIT(&ipf_solaris);
}
+
static int ipf_ip_qin(q, mb)
queue_t *q;
mblk_t *mb;
@@ -1089,6 +1241,7 @@ mblk_t *mb;
if (fr_running <= 0) {
mb->b_prev = NULL;
+ mb->b_next = NULL;
freemsg(mb);
return 0;
}
@@ -1100,18 +1253,24 @@ mblk_t *mb;
if (fr_running <= 0) {
RWLOCK_EXIT(&ipf_solaris);
mb->b_prev = NULL;
+ mb->b_next = NULL;
freemsg(mb);
return 0;
}
ioc = (struct iocblk *)mb->b_rptr;
- switch (ioc->ioc_cmd) {
+ switch (ioc->ioc_cmd)
+ {
+ case DL_IOC_HDR_INFO:
+ fr_qif_update(qif_from_queue(q), mb);
+ break;
case I_LINK:
case I_UNLINK:
case SIOCSIFADDR:
case SIOCSIFFLAGS:
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x\n", ioc->ioc_cmd);
+ cmn_err(CE_NOTE, "IP Filter: ipf_ip_qin() M_IOCTL type=0x%x",
+ ioc->ioc_cmd);
#endif
WRITE_ENTER(&ipfs_mutex);
if (synctimeoutid == 0) {
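Review bot: In the new `DL_IOC_HDR_INFO` case the result of `qif_from_queue(q)` is passed straight to `fr_qif_update()` with no NULL check. Only `ipf_solaris` appears to be held at this point, whereas the write-side call site runs before `RWLOCK_EXIT(&ipfs_mutex)`. Unless `fr_qif_update()` tolerates a NULL qif and does its own locking (neither is visible here), guard the call, e.g. `if ((qif = qif_from_queue(q)) != NULL) fr_qif_update(qif, mb);` with a local `qif_t *qif`, and hold `ipfs_mutex` around it. The switch and the function continue outside the hunk.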
@@ -1135,7 +1294,7 @@ extern struct streamtab ipinfo;
void solipdrvattach()
{
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx\n",
+ cmn_err(CE_NOTE, "IP Filter: solipdrvattach() %d ipinfo=0x%lx",
ipdrvattcnt, &ipinfo);
#endif
@@ -1150,7 +1309,7 @@ void solipdrvattach()
int solipdrvdetach()
{
#ifdef IPFDEBUG
- cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx\n",
+ cmn_err(CE_NOTE, "IP Filter: solipdrvdetach() %d ipinfo=0x%lx",
ipdrvattcnt, &ipinfo);
#endif
@@ -1212,7 +1371,7 @@ void solattach()
KMALLOC(qif, qif_t *);
if (!qif) {
cmn_err(CE_WARN,
- "IP Filter: malloc(%d) for qif_t failed\n",
+ "IP Filter: malloc(%d) for qif_t failed",
sizeof(qif_t));
RWLOCK_EXIT(&ipfs_mutex);
continue;
@@ -1288,11 +1447,17 @@ void solattach()
(hdrsizes[il->ill_type][0] == il->ill_type))
qif->qf_hl = hdrsizes[il->ill_type][1];
- if (qif->qf_hl == 0)
+ if (qif->qf_hl == 0 && il->ill_type != IFT_OTHER)
cmn_err(CE_WARN,
- "Unknown layer 2 header size for %s type %d\n",
- qif->qf_name, il->ill_type);
+ "Unknown layer 2 header size for %s type %d",
+ il->ill_name, il->ill_type);
}
+
+ /*
+ * XXX Awful hack for PPP; fix when PPP/snoop fixed.
+ */
+ if (il->ill_type == IFT_ETHER && !il->ill_bcast_addr_length)
+ qif->qf_hl = 0;
#endif
strncpy(qif->qf_name, il->ill_name, sizeof(qif->qf_name));
qif->qf_name[sizeof(qif->qf_name) - 1] = '\0';
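Review bot: The `XXX Awful hack for PPP` block resets `qif->qf_hl` to 0 after the unknown-header-size warning has already been evaluated, so an interface it catches gets a zero layer 2 header length with no diagnostic. The comment also does not say what the test detects. If the intent is that PPP links appear as `IFT_ETHER` with no broadcast address, say so: `/* XXX PPP reports IFT_ETHER but has no broadcast address; treat its layer 2 header size as 0 until PPP/snoop is fixed */`. The surrounding code in `solattach()` extends beyond this hunk.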
@@ -1377,6 +1542,7 @@ void solattach()
#endif
out->q_qinfo = &qif->qf_wqinit;
+ ire_walk(ipf_ire_walk, (char *)qif);
RWLOCK_EXIT(&ipfs_mutex);
cmn_err(CE_CONT, "IP Filter: attach to [%s,%d] - %s\n",
qif->qf_name, il->ill_ppa,
@@ -1634,7 +1800,7 @@ frdest_t *fdp;
* data, not the original, if and only if it is already pointing at
* the current mblk data.
*/
- if (ip == (ip_t *)qf->qf_m->b_rptr && qf->qf_m != mb)
+ if ((ip == (ip_t *)qf->qf_m->b_rptr) && (qf->qf_m != mb))
ip = (ip_t *)mb->b_rptr;
/*
@@ -1646,6 +1812,7 @@ frdest_t *fdp;
mp = (*mpp)->b_cont;
(*mpp)->b_cont = NULL;
(*mpp)->b_prev = NULL;
+ (*mpp)->b_next = NULL;
freemsg(*mpp);
*mpp = mp;
}
@@ -1666,7 +1833,7 @@ frdest_t *fdp;
if (!ir)
ir = (ire_t *)-1;
- fd.fd_ifp = (struct ifnet *)ir;
+ fd.fd_ifp = (struct ifnet *)ir;
fd.fd_ip = ip->ip_dst;
fdp = &fd;
}
@@ -1715,6 +1882,7 @@ frdest_t *fdp;
if (ifp == NULL)
goto bad_fastroute;
fr = fin->fin_fr;
+
/*
* In case we're here due to "to <if>" being used with
* "keep state", check that we're going in the correct
@@ -1722,7 +1890,7 @@ frdest_t *fdp;
*/
if ((fr != NULL) && (fdp->fd_ifp != NULL) &&
(fin->fin_rev != 0) && (fdp == &fr->fr_tif))
- return -1;
+ return 1;
fin->fin_ifp = ifp;
if (fin->fin_out == 0) {
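Review bot: The result for the wrong-direction case changes from `-1` to `1`, but nothing in the hunk documents what the three return values mean or who owns the message for each. In the later `@@ -1804,13 +1973,16 @@` hunk, `0` and `-1` both return with `*mpp` set to NULL, whereas this path returns with `*mpp` untouched. A caller that assumes every non-zero result means the mblk was already freed would therefore leak it. A header comment on the function such as `/* returns 0: sent, *mpp cleared; -1: failed, mblk freed, *mpp cleared; 1: not routed, caller still owns *mpp */` would pin this down, assuming that is the intended contract. The function starts before and ends after this hunk.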
@@ -1783,6 +1951,7 @@ frdest_t *fdp;
q = WR(ir->ire_rfq);
if (q) {
mb->b_prev = NULL;
+ mb->b_next = NULL;
mb->b_queue = q;
RWLOCK_EXIT(&ipfs_mutex);
RWLOCK_EXIT(&ipf_solaris);
@@ -1804,13 +1973,16 @@ frdest_t *fdp;
READ_ENTER(&ipf_solaris);
READ_ENTER(&ipfs_mutex);
ipl_frouteok[0]++;
+ *mpp = NULL;
return 0;
}
}
bad_fastroute:
mb->b_prev = NULL;
+ mb->b_next = NULL;
freemsg(mb);
ipl_frouteok[1]++;
+ *mpp = NULL;
return -1;
}
diff --git a/contrib/ipfilter/test/Makefile b/contrib/ipfilter/test/Makefile
index 0726cdd..385c1de 100644
--- a/contrib/ipfilter/test/Makefile
+++ b/contrib/ipfilter/test/Makefile
@@ -15,7 +15,7 @@ first:
-mkdir -p results
# Filtering tests
-ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14
+ftests: f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f13 f14
# Rule parsing tests
ptests: i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
@@ -28,7 +28,7 @@ ntests: n1 n2 n3 n4 n5 n6 n7
f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f14:
@/bin/sh ./dotest $@
-f12:
+f12 f13:
@/bin/sh ./hextest $@
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11:
@@ -38,6 +38,6 @@ n1 n2 n3 n4 n5 n6 n7:
@/bin/sh ./nattest $@
clean:
- /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 f14 results/*
+ /bin/rm -f f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f13 f12 f14 results/*
/bin/rm -f i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 i11
/bin/rm -f n1 n2 n3 n4 n5 n6 n7
diff --git a/contrib/ipfilter/test/expected/i7 b/contrib/ipfilter/test/expected/i7
index d1b7978..db9cd01 100644
--- a/contrib/ipfilter/test/expected/i7
+++ b/contrib/ipfilter/test/expected/i7
@@ -1,4 +1,4 @@
pass in on ed0(!) proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 23 flags S/SA
-block in on lo0(!) proto tcp from any to any flags A/0xbf
+block in on lo0(!) proto tcp from any to any flags A/FSRPAUC
pass in on lo0(!) proto tcp from any to any flags /SPA
-block in on lo0(!) proto tcp from any to any flags 0x80/A
+block in on lo0(!) proto tcp from any to any flags C/A
diff --git a/contrib/ipfilter/test/input/f13 b/contrib/ipfilter/test/input/f13
index 56ec16d..b90d6ba 100644
--- a/contrib/ipfilter/test/input/f13
+++ b/contrib/ipfilter/test/input/f13
@@ -33,6 +33,10 @@
45 00 001c 0008 2000 3f 11 0000 01010101 02010101
0035003500040000
+# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0 (short)
+45 00 0018 0008 2000 3f 11 0000 01010101 02010101
+00350036
+
# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP FO=1
45 00 001c 0008 0001 3f 11 0000 01010101 02010101
0000000000000000
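Review bot: The comment on the added packet says ports `1 -> 1`, but the payload bytes `00350036` decode as source port 53 (0x35) and destination port 54 (0x36) if they are read as the start of a UDP header. The comment should match the data, e.g. `# 1.1.1.1,53 -> 2.1.1.1,54 TTL=63 UDP MF FO=0 (short)`. The `(short)` tag is consistent with the total length `0018`, which leaves four bytes after the 20-byte IP header.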