author | darrenr <darrenr@FreeBSD.org> | 2002-08-28 13:42:48 +0000 |
---|---|---|
committer | darrenr <darrenr@FreeBSD.org> | 2002-08-28 13:42:48 +0000 |
commit | 694c267c8d167aa37044133d07c98fa76a0de2cf (patch) | |
tree | 7cf1fdc0c816aa5373736136ad047a5a3e039bf6 /contrib | |
parent | 18a0c3053aaaa535b8ff6da16c42213ecab93518 (diff) | |
parent | 3aab5fb9fd5d3200009207f552a48b8100b853b2 (diff) | |
This commit was generated by cvs2svn to compensate for changes in r102521,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/ipfilter/BSD/Makefile | 9 | ||||
-rw-r--r-- | contrib/ipfilter/HISTORY | 23 | ||||
-rw-r--r-- | contrib/ipfilter/fils.c | 8 | ||||
-rw-r--r-- | contrib/ipfilter/ip_sfil.c | 19 | ||||
-rw-r--r-- | contrib/ipfilter/ipf.c | 6 | ||||
-rw-r--r-- | contrib/ipfilter/ipft_ef.c | 12 | ||||
-rw-r--r-- | contrib/ipfilter/ipft_td.c | 6 | ||||
-rw-r--r-- | contrib/ipfilter/ipft_tx.c | 6 | ||||
-rw-r--r-- | contrib/ipfilter/kmem.c | 23 | ||||
-rw-r--r-- | contrib/ipfilter/man/ipnat.5 | 9 | ||||
-rw-r--r-- | contrib/ipfilter/parse.c | 4 | ||||
-rw-r--r-- | contrib/ipfilter/printnat.c | 7 | ||||
-rw-r--r-- | contrib/ipfilter/rules/example.9 | 2 | ||||
-rw-r--r-- | contrib/ipfilter/test/expected/f13 | 12 | ||||
-rw-r--r-- | contrib/ipfilter/test/input/f13 | 14 |
15 files changed, 114 insertions, 46 deletions
diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile index 835d233..4d97a9b 100644 --- a/contrib/ipfilter/BSD/Makefile +++ b/contrib/ipfilter/BSD/Makefile @@ -231,7 +231,7 @@ clean: ${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \ vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h \ y.tab.? lex.yy.c ipfs - ${RM} -f ../opt_inet6.h + ${RM} -f ../opt_inet6.h ../ipftest ../ipmon ../ipf ../ipnat ${MAKE} -f Makefile.ipsend ${MFLAGS} clean -(for i in *; do \ @@ -243,8 +243,11 @@ clean: done) install: - -$(CP) $(TOP)/ip_fil.h /usr/include/netinet/ip_fil.h - -$(CHMOD) 444 /usr/include/netinet/ip_fil.h + for i in ip_compat.h ip_fil.h ip_nat.h ip_state.h ip_proxy.h \ + ip_frag.h ip_auth.h; do \ + /bin/cp $(TOP)/$$i /usr/include/netinet/; \ + -$(CHMOD) 444 /usr/include/netinet/$$i; \ + done -if [ -d /lkm -a -f if_ipl.o ] ; then \ cp if_ipl.o /lkm; \ fi diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 0369d3f..75026a0 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY @@ -22,6 +22,29 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.4.29 28/8/2002 - Released + +Make substantial changes to the FTP proxy to improve reliability, security +and functionality. + +don't send ICMP errors/TCP RST's in response to blocked proxy packets + +fix potential memory leaks when unloading ipfilter from kernel + +fix bug in SIOCGNATL handler that did not preserve the expected +byte order from earlier versions in the port number + +set do not fragment flag in generated packets according to system flags, +where available. + +preserve filter rule number and group number in state structure + +fix bug in ipmon printing of p/P/b/B + +make some changes to the kmem.c code for IRIX compatibility + +add code to specifically handle ip.tun* interfaces on Solaris + 3.4.28 6/6/2002 - Released Fix for H.323 proxy to work on little endian boxes 
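Review bot: In the new install loop the `-$(CHMOD) 444 /usr/include/netinet/$$i; \` line no longer begins a recipe line, so make does not strip the `-` ignore-errors prefix; it reaches the shell as part of the command name (something like `-/bin/chmod`, depending on how CHMOD is defined), the shell cannot find it, and because it is the last command in the loop body the recipe as written fails with that status instead of installing the headers with mode 444. Drop the prefix inside the loop, `$(CHMOD) 444 /usr/include/netinet/$$i; \`, and if the old ignore-errors behaviour is wanted put the `-` in front of the `for` line instead. The hard-coded `/bin/cp` also bypasses the `$(CP)` variable the removed lines used; `$(CP) $(TOP)/$$i /usr/include/netinet/; \` keeps the target consistent with the rest of the Makefile. Whether CHMOD happens to be defined to something that tolerates a leading dash cannot be told from this hunk.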
diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c index dcf74e5..e6bf11f 100644 --- a/contrib/ipfilter/fils.c +++ b/contrib/ipfilter/fils.c @@ -94,7 +94,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.35 2002/04/03 14:18:36 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.36 2002/06/27 14:29:16 darrenr Exp $"; #endif extern char *optarg; @@ -197,7 +197,7 @@ char *argv[]; ipfrstat_t *ifrstp = &ifrst; char *device = IPL_NAME, *memf = NULL; char *kern = NULL; - int c, fd, myoptind; + int c, myoptind; struct protoent *proto; int protocol = -1; /* -1 = wild card for any protocol */ @@ -354,8 +354,8 @@ char *argv[]; bzero((char *)&ipsst, sizeof(ipsst)); bzero((char *)&ifrst, sizeof(ifrst)); - fd = ipfstate_live(device, &fiop, &ipsstp, &ifrstp, - &frauthstp, &frf); + ipfstate_live(device, &fiop, &ipsstp, &ifrstp, + &frauthstp, &frf); } else ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf); diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c index 5a76f4b..2904585 100644 --- a/contrib/ipfilter/ip_sfil.c +++ b/contrib/ipfilter/ip_sfil.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.18 2002/06/06 10:47:26 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.20 2002/08/28 12:42:44 darrenr Exp $"; #endif #include <sys/types.h> @@ -63,8 +63,10 @@ u_long ipl_frouteok[2] = {0, 0}; static int frzerostats __P((caddr_t)); #if SOLARIS2 >= 7 static u_int *ip_ttl_ptr; +static u_int *ip_mtudisc; #else static u_long *ip_ttl_ptr; +static u_long *ip_mtudisc; #endif static int frrequest __P((minor_t, int, caddr_t, int)); 
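Review bot: Removing the unused `fd` also discards whatever `ipfstate_live()` returns, and the stats pointers it fills through its out-parameters are used unconditionally afterwards; if the function signals a failed device open through its return value (not visible here), that failure is now silently ignored where before it was at least captured. Either check it, e.g. `if (ipfstate_live(device, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf) < 0)` followed by an error exit, or add a comment stating that the call cannot fail so the next reader does not have to guess. The enclosing function starts and ends outside the hunk.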
@@ -86,8 +88,8 @@ int ipldetach() for (i = IPL_LOGMAX; i >= 0; i--) ipflog_clear(i); #endif - i = FR_INQUE|FR_OUTQUE; - (void) frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE); + i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE); + i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE); ipfr_unload(); fr_stateunload(); ip_natunload(); @@ -142,16 +144,22 @@ int iplattach __P((void)) return -1; ip_ttl_ptr = NULL; + ip_mtudisc = NULL; /* * XXX - There is no terminator for this array, so it is not possible * to tell if what we are looking for is missing and go off the end * of the array. */ for (i = 0; ; i++) { - if (!strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl")) { + if (strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl") == 0) { ip_ttl_ptr = &ip_param_arr[i].ip_param_value; - break; + } else if (strcmp(ip_param_arr[i].ip_param_name, + "ip_path_mtu_discovery") == 0) { + ip_mtudisc = &ip_param_arr[i].ip_param_value; } + + if (ip_mtudisc != NULL && ip_ttl_ptr != NULL) + break; } return 0; } @@ -799,6 +807,7 @@ mblk_t *m; ip = (ip_t *)m->b_rptr; ip->ip_v = IPVERSION; ip->ip_ttl = (u_char)(*ip_ttl_ptr); + ip->ip_off = htons(*ip_mtudisc ? IP_DF : 0); ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m); } READ_ENTER(&ipf_solaris); diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c index f9b85af..b22addf 100644 --- a/contrib/ipfilter/ipf.c +++ b/contrib/ipfilter/ipf.c @@ -50,7 +50,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.16 2002/06/06 10:48:35 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.17 2002/06/27 14:29:17 darrenr Exp $"; #endif #if SOLARIS @@ -389,7 +389,7 @@ int *linenum; static void packetlogon(opt) char *opt; { - int flag, err; + int flag; flag = get_flags(); if (flag != 0) { 
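Review bot: The `ip_param_arr` walk in iplattach now keeps going until both `ip_def_ttl` and `ip_path_mtu_discovery` have been found, and the comment directly above it says the table has no terminator; on any Solaris build where the second name is absent or spelled differently the loop reads past the end of the array and calls strcmp on whatever follows, in kernel context. Before this change the loop stopped as soon as `ip_def_ttl` was seen, so the exposure is new. Bound the walk and let a missing entry leave its pointer NULL rather than overrun, and fail the attach if the TTL parameter was not found, since the send path later does `ip->ip_ttl = (u_char)(*ip_ttl_ptr)` with no check. The element count below assumes the array's full definition is visible to this file; if only an incomplete extern declaration is, use whatever count the platform exports instead of `sizeof`. Nothing between the earlier `return -1` and this point appears to need undoing, but that is inferred from the hunk, not shown.
```c
	ip_ttl_ptr = NULL;
	ip_mtudisc = NULL;
	/* Walk the parameter table with an explicit bound: it has no terminator. */
	for (i = 0; i < sizeof(ip_param_arr) / sizeof(ip_param_arr[0]); i++) {
		if (strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl") == 0)
			ip_ttl_ptr = &ip_param_arr[i].ip_param_value;
		else if (strcmp(ip_param_arr[i].ip_param_name,
				"ip_path_mtu_discovery") == 0)
			ip_mtudisc = &ip_param_arr[i].ip_param_value;
		if (ip_mtudisc != NULL && ip_ttl_ptr != NULL)
			break;
	}
	if (ip_ttl_ptr == NULL)
		return -1;	/* the send path dereferences it unconditionally */
	/* … unchanged: return 0 … */
```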
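Review bot: `ip->ip_off = htons(*ip_mtudisc ? IP_DF : 0);` dereferences `ip_mtudisc` with no NULL check, while iplattach initialises it to NULL and only sets it when the `ip_path_mtu_discovery` parameter is found in the table; a build where it is not found panics here on the first generated packet instead of simply not setting DF. `ip->ip_off = htons((ip_mtudisc != NULL && *ip_mtudisc) ? IP_DF : 0);` keeps the intended default (no DF) when the parameter is unavailable. The line above has the same pattern for `ip_ttl_ptr`, but that one predates this change. The enclosing function starts and ends outside the hunk.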
@@ -415,7 +415,7 @@ char *opt; printf("set log flag: block\n"); } - if (opendevice(ipfname) != -2 && (err = ioctl(fd, SIOCSETFF, &flag))) + if (opendevice(ipfname) != -2 && (ioctl(fd, SIOCSETFF, &flag) != 0)) perror("ioctl(SIOCSETFF)"); if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c index 8344d5f..ae40827 100644 --- a/contrib/ipfilter/ipft_ef.c +++ b/contrib/ipfilter/ipft_ef.c @@ -52,7 +52,7 @@ etherfind -n -t #if !defined(lint) static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.2 2002/02/22 15:32:53 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $"; #endif static int etherf_open __P((char *)); @@ -97,7 +97,7 @@ int cnt, *dir; struct protoent *p = NULL; char src[16], dst[16], sprt[16], dprt[16]; char lbuf[128], len[8], prot[8], time[8], *s; - int slen, extra = 0, i, n; + int slen, extra = 0, i; if (!fgets(lbuf, sizeof(lbuf) - 1, efp)) return 0; @@ -108,10 +108,10 @@ int cnt, *dir; bzero(&pkt, sizeof(pkt)); - if ((n = sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst, - sprt, dprt)) != 6) - if ((n = sscanf(lbuf, "%s %s %s %s %s %s %s", time, - len, prot, src, dst, sprt, dprt)) != 7) + if (sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst, + sprt, dprt) != 6) + if (sscanf(lbuf, "%s %s %s %s %s %s %s", time, + len, prot, src, dst, sprt, dprt) != 7) return -1; ip->ip_p = atoi(prot); diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c index 253aa86..7fede06 100644 --- a/contrib/ipfilter/ipft_td.c +++ b/contrib/ipfilter/ipft_td.c 
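Review bot: The rewritten sscanf calls still use unbounded `%s` conversions into `len[8]`, `prot[8]`, `time[8]` and the 16-byte address and port buffers, while `lbuf` holds up to 127 characters, so one over-long field in the etherfind input overflows a stack buffer in this function; the change only dropped the unused `n`. Give every conversion a width one less than its buffer: `if (sscanf(lbuf, "%7s %7s %15s %15s %15s %15s", len, prot, src, dst, sprt, dprt) != 6)` and `if (sscanf(lbuf, "%7s %7s %7s %15s %15s %15s %15s", time, len, prot, src, dst, sprt, dprt) != 7)`. The trailing `return -1` binds only to the inner `if`, which is presumably intended (the six-field form succeeded), but braces would make that explicit. The enclosing function continues outside the hunk.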
@@ -61,7 +61,7 @@ tcpdump -nqte #if !defined(lint) static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.2 2002/02/22 15:32:54 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $"; #endif static int tcpd_open __P((char *)); @@ -120,7 +120,7 @@ int cnt, *dir; struct protoent *p; char src[32], dst[32], misc[256], time[32], link1[32], link2[32]; char lbuf[160], *s; - int n, dots, slen, extra = 0; + int n, slen, extra = 0; if (!fgets(lbuf, sizeof(lbuf) - 1, tfp)) return 0; @@ -142,7 +142,7 @@ int cnt, *dir; return -1; } - if ((dots = count_dots(dst)) == 4) { + if (count_dots(dst) == 4) { s = strrchr(src, '.'); *s++ = '\0'; (void) inet_aton(src, &ip->ip_src); diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c index f61b0d0..1de5713 100644 --- a/contrib/ipfilter/ipft_tx.c +++ b/contrib/ipfilter/ipft_tx.c @@ -44,7 +44,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.6 2002/03/13 03:55:15 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.7 2002/06/27 14:29:17 darrenr Exp $"; #endif extern int opts; @@ -177,10 +177,8 @@ char *buf, **ifn; int cnt, *dir; { register char *s; - ip_t *ip; char line[513]; - ip = (ip_t *)buf; *ifn = NULL; while (fgets(line, sizeof(line)-1, tfp)) { if ((s = index(line, '\n'))) @@ -197,7 +195,7 @@ int cnt, *dir; *dir = 0; if (!parseline(line, (ip_t *)buf, ifn, dir)) #if 0 - return sizeof(*ip) + sizeof(tcphdr_t); + return sizeof(ip_t) + sizeof(tcphdr_t); #else return sizeof(ip_t); #endif diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c index 254bbf9..5cb0efd 100644 --- a/contrib/ipfilter/kmem.c +++ b/contrib/ipfilter/kmem.c 
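Review bot: `if (count_dots(dst) == 4)` only inspects the destination field, yet the next lines do `s = strrchr(src, '.'); *s++ = '\0';`, so a tcpdump line whose destination has four dots while the source has none writes through a NULL pointer. Guard the lookup before the write: `if ((s = strrchr(src, '.')) == NULL) return -1;`, matching the `return -1` this hunk already uses for other malformed lines. The enclosing function continues outside the hunk.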
@@ -46,7 +46,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.14 2002/04/17 17:44:44 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.15 2002/07/27 15:59:37 darrenr Exp $"; #endif #ifdef __sgi @@ -55,7 +55,7 @@ typedef int kvm_t; static int kvm_fd = -1; static char *kvm_errstr; -kvm_t kvm_open(kernel, core, swap, mode, errstr) +kvm_t *kvm_open(kernel, core, swap, mode, errstr) char *kernel, *core, *swap; int mode; char *errstr; @@ -65,17 +65,18 @@ char *errstr; if (core == NULL) core = "/dev/kmem"; kvm_fd = open(core, mode); - return (kvm_fd >= 0) ? (kvm_t)&kvm_fd : NULL; + return (kvm_fd >= 0) ? (kvm_t *)&kvm_fd : NULL; } int kvm_read(kvm, pos, buffer, size) -kvm_t kvm; +kvm_t *kvm; u_long pos; char *buffer; size_t size; { - int r, left; + size_t left; char *bufp; + int r; if (lseek(*kvm, pos, 0) == -1) { fprintf(stderr, "%s", kvm_errstr); @@ -97,13 +98,19 @@ static kvm_t *kvm_f = NULL; int openkmem(kern, core) char *kern, *core; { + union { + int ui; + kvm_t *uk; + } k; + kvm_f = kvm_open(kern, core, NULL, O_RDONLY, ""); if (kvm_f == NULL) { perror("openkmem:open"); return -1; } - return (int)kvm_f; + k.uk = kvm_f; + return k.ui; } int kmemcpy(buf, pos, n) @@ -120,7 +127,7 @@ register int n; if (openkmem(NULL, NULL) == -1) return -1; - while ((r = kvm_read(kvm_f, pos, buf, n)) < n) + while ((r = kvm_read(kvm_f, pos, buf, (size_t)n)) < n) if (r <= 0) { fprintf(stderr, "pos=0x%x ", (u_int)pos); @@ -152,7 +159,7 @@ register int n; while (n > 0) { - r = kvm_read(kvm_f, pos, buf, 1); + r = kvm_read(kvm_f, pos, buf, (size_t)1); if (r <= 0) { fprintf(stderr, "pos=0x%x ", (u_int)pos); diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5 index a8beb6f..f0a4ac9 100644 --- a/contrib/ipfilter/man/ipnat.5 +++ b/contrib/ipfilter/man/ipnat.5 
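Review bot: The new union in openkmem only hides the pointer-to-int truncation that the old `(int)kvm_f` cast warned about: on an LP64 build `k.ui` is one half of the kvm_t pointer, so a perfectly valid handle can read back as 0, or as -1, which the only visible caller (kmemcpy, `if (openkmem(NULL, NULL) == -1)`) treats as failure. Every use shown compares the result with -1, so return a plain status instead of a punned pointer, `return 0;` after the NULL check, and drop the union. If a caller outside this diff uses the return as a handle it should read `kvm_f` directly; that cannot be confirmed from here.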
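Review bot: kmemcpy now passes `(size_t)n` to kvm_read while `n` stays a signed `int`; a negative `n` becomes an enormous length request, and the loop condition `r < n` still compares it as an int, so the cast changes what a bad length does rather than rejecting it. A cheap guard before the loop, `if (n < 0) return -1;`, or making the length unsigned throughout, closes that. The function's body continues outside the hunk.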
@@ -96,6 +96,15 @@ or as map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32 .fi .LP +For even greater control, one may negate either of the "from" or "to" clauses +with a preceding exclamation mark ("!"). Please note that one may not use a +negated "from" within a \fBmap\fP rule or a negated "to" within a \fBrdr\fP +rule. Such a rule might look like the following: +.LP +.nf ++map de0 from 10.1.0.0/16 ! to 10.1.0.0/16 -> 201.2.3.4/32 +.fi +.PP Only IP address and port numbers can be compared against. This is available with all NAT rules. .SH TRANSLATION diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c index 02590df..ea13356 100644 --- a/contrib/ipfilter/parse.c +++ b/contrib/ipfilter/parse.c @@ -935,7 +935,6 @@ u_long optmsk, optbits; u_short secmsk = sec[0], secbits = sec[1]; struct ipopt_names *io, *so; char *s; - int secflag = 0; s = " opt "; for (io = ionames; io->on_name; io++) @@ -947,8 +946,7 @@ u_long optmsk, optbits; if (io->on_value == IPOPT_SECURITY) io++; s = ","; - } else - secflag = 1; + } } diff --git a/contrib/ipfilter/printnat.c b/contrib/ipfilter/printnat.c index ba5524b..9ccae18 100644 --- a/contrib/ipfilter/printnat.c +++ b/contrib/ipfilter/printnat.c @@ -58,7 +58,7 @@ extern char *sys_errlist[]; #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.9 2002/05/03 11:48:49 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.10 2002/08/28 12:45:51 darrenr Exp $"; #endif @@ -242,9 +242,10 @@ int opts; 0xffffffff), hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport, NAT_TABLE_SZ), - printf("%s pr %u bkt %d/%d flags %x\n", + printf("%s pr %u bkt %d/%d flags %x drop %d/%d\n", getsumd(nat->nat_sumd[1]), nat->nat_p, - hv1, hv2, nat->nat_flags); + hv1, hv2, nat->nat_flags, + nat->nat_drop[0], nat->nat_drop[1]); printf("\tifp %s ", getifname(nat->nat_ifp)); #ifdef USE_QUAD_T printf("bytes %qu pkts %qu", 
diff --git a/contrib/ipfilter/rules/example.9 b/contrib/ipfilter/rules/example.9 index 77968f8..daff203 100644 --- a/contrib/ipfilter/rules/example.9 +++ b/contrib/ipfilter/rules/example.9 @@ -4,7 +4,7 @@ block in all pass in all with opt sec # -# only allow packets in and out on le0 which are top secret +# only allow packets in and out on le1 which are top secret # block out on le1 all pass out on le1 all with opt sec-class topsecret diff --git a/contrib/ipfilter/test/expected/f13 b/contrib/ipfilter/test/expected/f13 index a2a950a..b3c7e54 100644 --- a/contrib/ipfilter/test/expected/f13 +++ b/contrib/ipfilter/test/expected/f13 @@ -9,6 +9,8 @@ nomatch nomatch nomatch nomatch +nomatch +nomatch -------- block nomatch @@ -21,6 +23,8 @@ nomatch nomatch nomatch nomatch +nomatch +nomatch -------- nomatch nomatch @@ -32,6 +36,8 @@ nomatch pass pass nomatch +nomatch +nomatch pass -------- nomatch @@ -44,6 +50,8 @@ nomatch block block nomatch +nomatch +nomatch block -------- pass @@ -57,6 +65,8 @@ nomatch nomatch nomatch nomatch +nomatch +nomatch -------- block nomatch @@ -69,4 +79,6 @@ nomatch nomatch nomatch nomatch +nomatch +nomatch -------- diff --git a/contrib/ipfilter/test/input/f13 b/contrib/ipfilter/test/input/f13 index b90d6ba..ccd74a3 100644 --- a/contrib/ipfilter/test/input/f13 +++ b/contrib/ipfilter/test/input/f13 
@@ -29,15 +29,23 @@ 45 00 0018 0007 2000 3f 11 0000 01010101 02010101 0035 0035 -# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0 +# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0 45 00 001c 0008 2000 3f 11 0000 01010101 02010101 0035003500040000 -# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0 (short) +# 1.1.1.1,53 -> 2.1.1.1,54 TTL=63 UDP MF FO=0 (short) 45 00 0018 0008 2000 3f 11 0000 01010101 02010101 00350036 -# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP FO=1 +# 1.1.1.1,21 -> 2.1.1.1,54 TTL=63 UDP MF FO=0 +45 00 001c 0008 2000 3f 11 0000 01010101 02010101 +0015003600040000 + +# 1.1.1.1,21 -> 2.1.1.1,54 TTL=63 TCP MF FO=0 +45 00 001c 0008 2000 3f 06 0000 01010101 02010101 +0015 0036 00000000 00000000 50 02 2000 0000 0000 + +# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP FO=1 45 00 001c 0008 0001 3f 11 0000 01010101 02010101 0000000000000000 |
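Review bot: The new TCP packet declares a total length of 0x001c (28 bytes) but is followed by a full 20-byte TCP header, so only the first 8 bytes after the IP header fall inside the packet as sized; if that truncation is deliberate, say so the way the UDP case above does, e.g. `# 1.1.1.1,21 -> 2.1.1.1,54 TTL=63 TCP MF FO=0 (short)`, otherwise the length word should be 0028 to match the bytes given. Whether ipftest trims to the declared length or ignores it cannot be told from this file.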