authordarrenr <darrenr@FreeBSD.org>2002-06-07 08:56:30 +0000
committerdarrenr <darrenr@FreeBSD.org>2002-06-07 08:56:30 +0000
commitdbc4d6b0e38e781d1a2fc5b28c852ee47bb4ce49 (patch)
tree79c45f15c6e0a4c606599d059ad3199a497403be /sys/contrib
parenta98a42559d88c1293390a4d988a0d84337e2c3f7 (diff)
Commit changes that happened in IPFilter versions 3.4.27 - 3.4.28
Diffstat (limited to 'sys/contrib')
-rw-r--r--sys/contrib/ipfilter/netinet/fil.c3
-rw-r--r--sys/contrib/ipfilter/netinet/ip_auth.c5
-rw-r--r--sys/contrib/ipfilter/netinet/ip_compat.h6
-rw-r--r--sys/contrib/ipfilter/netinet/ip_fil.c38
-rw-r--r--sys/contrib/ipfilter/netinet/ip_fil.h1
-rw-r--r--sys/contrib/ipfilter/netinet/ip_ftp_pxy.c8
-rw-r--r--sys/contrib/ipfilter/netinet/ip_nat.c6
-rw-r--r--sys/contrib/ipfilter/netinet/ip_proxy.c5
-rw-r--r--sys/contrib/ipfilter/netinet/ip_state.c17
-rw-r--r--sys/contrib/ipfilter/netinet/ipl.h2
10 files changed, 67 insertions, 24 deletions
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c
index 605f8d3..28eb05b 100644
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@@ -1517,7 +1517,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -1632,7 +1632,6 @@ frgroup_t ***fgpp;
fgp = &ipfgroups[0][set];
else
return NULL;
- num &= 0xffff;
while ((fg = *fgp))
if (fg->fg_num == num)
diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c
index cdbfb92..b395b53 100644
--- a/sys/contrib/ipfilter/netinet/ip_auth.c
+++ b/sys/contrib/ipfilter/netinet/ip_auth.c
@@ -613,7 +613,10 @@ void fr_authexpire()
} else
faep = &fae->fae_next;
}
- ipauth = &fae_list->fae_fr;
+ if (fae_list != NULL)
+ ipauth = &fae_list->fae_fr;
+ else
+ ipauth = NULL;
for (frp = &fr_authlist; (fr = *frp); ) {
if (fr->fr_ref == 1) {
diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h
index 3f9707e..608424a 100644
--- a/sys/contrib/ipfilter/netinet/ip_compat.h
+++ b/sys/contrib/ipfilter/netinet/ip_compat.h
@@ -214,7 +214,11 @@ typedef int minor_t;
#if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL))
# include <sys/param.h>
# ifndef __FreeBSD_version
-# include <sys/osreldate.h>
+# ifdef IPFILTER_LKM
+# include <osreldate.h>
+# else
+# include <sys/osreldate.h>
+# endif
# endif
# ifdef IPFILTER_LKM
# define ACTUALLY_LKM_NOT_KERNEL
diff --git a/sys/contrib/ipfilter/netinet/ip_fil.c b/sys/contrib/ipfilter/netinet/ip_fil.c
index 3a41c5c..6305663 100644
--- a/sys/contrib/ipfilter/netinet/ip_fil.c
+++ b/sys/contrib/ipfilter/netinet/ip_fil.c
@@ -649,6 +649,9 @@ int mode;
unit = dev;
#endif
+ if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF))
+ return ENODEV;
+
SPL_NET(s);
if (unit == IPL_LOGNAT) {
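Review bot: The new `fr_running == 0` gate is evaluated above `SPL_NET(s)`, so the flag is read before the interrupt level is raised and could change between this test and the per-unit handlers below. If nothing else serialises enable/disable against concurrent ioctls, the test belongs after `SPL_NET(s)`, with a matching `SPLX(s)` on the early return. A one-line comment such as `/* while the filter is disabled, only SIOCFRENB on IPL_LOGIPF is accepted */` would also make the compound condition easier to audit. The ioctl handler's body starts and ends outside this hunk.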
@@ -893,7 +896,8 @@ caddr_t data;
* Check that the group number does exist and that if a head group
* has been specified, doesn't exist.
*/
- if ((req != SIOCZRLST) && fp->fr_grhead &&
+ if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) ||
+ (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead &&
fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL))
return EEXIST;
if ((req != SIOCZRLST) && fp->fr_group &&
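Review bot: The leading `(req != SIOCZRLST)` test in the rewritten condition is now redundant, because the added clause already requires req to be one of SIOCINAFR, SIOCINIFR, SIOCADAFR or SIOCADIFR. Dropping it shortens the check without changing the result. The block comment above still reads as if the head-group test applied to every request; adding `/* head group must not already exist when a rule is inserted or added */` would match the new behaviour. The enclosing function continues outside the hunk.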
@@ -1227,13 +1231,18 @@ fr_info_t *fin;
struct mbuf **mp;
{
struct mbuf *m = *mp;
- char *dpsave;
- int error;
+ int error, hlen;
+ fr_info_t frn;
ip_t *ip;
- dpsave = fin->fin_dp;
+ bzero((char *)&frn, sizeof(frn));
+ frn.fin_ifp = fin->fin_ifp;
+ frn.fin_v = fin->fin_v;
+ frn.fin_out = fin->fin_out;
+ frn.fin_mp = fin->fin_mp;
ip = mtod(m, ip_t *);
+ hlen = sizeof(*ip);
ip->ip_v = fin->fin_v;
if (ip->ip_v == 4) {
@@ -1248,21 +1257,24 @@ struct mbuf **mp;
ip->ip_ttl = ip_defttl;
# endif
ip->ip_sum = 0;
- fin->fin_dp = (char *)(ip + 1);
+ frn.fin_dp = (char *)(ip + 1);
}
# ifdef USE_INET6
else if (ip->ip_v == 6) {
ip6_t *ip6 = (ip6_t *)ip;
+ hlen = sizeof(*ip6);
ip6->ip6_hlim = 127;
- fin->fin_dp = (char *)(ip6 + 1);
+ frn.fin_dp = (char *)(ip6 + 1);
}
# endif
# ifdef IPSEC
m->m_pkthdr.rcvif = NULL;
# endif
- error = ipfr_fastroute(m, mp, fin, NULL);
- fin->fin_dp = dpsave;
+
+ fr_makefrip(hlen, ip, &frn);
+
+ error = ipfr_fastroute(m, mp, &frn, NULL);
return error;
}
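Review bot: When `ip->ip_v` is neither 4 nor (under USE_INET6) 6, `frn.fin_dp` stays NULL from the `bzero()` in the previous hunk and `hlen` stays `sizeof(*ip)`, yet `fr_makefrip(hlen, ip, &frn)` and `ipfr_fastroute()` are still called. An explicit reject of an unexpected version before the IPSEC block would keep a malformed header from reaching the routing path. Only fin_ifp, fin_v, fin_out and fin_mp are copied into `frn`, so any other field ipfr_fastroute() reads is now zero rather than the caller's value. If that is intended, say so above the `bzero()` with `/* build a private fr_info_t so the caller's fin is never modified */`.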
@@ -1569,6 +1581,9 @@ frdest_t *fdp;
/*
* Route packet.
*/
+#ifdef __sgi
+ ROUTE_RDLOCK();
+#endif
bzero((caddr_t)ro, sizeof (*ro));
dst = (struct sockaddr_in *)&ro->ro_dst;
dst->sin_family = AF_INET;
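Review bot: `ROUTE_RDLOCK()` taken here is only released by the `ROUTE_UNLOCK()` added in the @@ -1605 hunk, and the code between the two is not visible in this diff. Any `goto` or `return` in that stretch would leave the route lock held on `__sgi` builds, so that path needs checking. The `bzero()` and `dst` setup that follow do not obviously need the lock; taking it immediately before the `rtalloc(ro)` call and dropping it right after would make the pairing easier to verify.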
@@ -1605,6 +1620,11 @@ frdest_t *fdp;
# else
rtalloc(ro);
# endif
+
+#ifdef __sgi
+ ROUTE_UNLOCK();
+#endif
+
if (!ifp) {
if (!fr || !(fr->fr_flags & FR_FASTROUTE)) {
error = -2;
@@ -2104,7 +2124,7 @@ int code;
fr_info_t *fin;
int dst;
{
- verbose("- ICMP UNREACHABLE RST sent\n");
+ verbose("- ICMP UNREACHABLE sent\n");
return 0;
}
diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h
index 5088fb3..ae5025c 100644
--- a/sys/contrib/ipfilter/netinet/ip_fil.h
+++ b/sys/contrib/ipfilter/netinet/ip_fil.h
@@ -510,6 +510,7 @@ extern int send_reset __P((ip_t *, fr_info_t *));
extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int));
extern int ipf_log __P((void));
extern struct ifnet *get_unit __P((char *, int));
+extern int mbuflen __P((mb_t *));
# if defined(__NetBSD__) || defined(__OpenBSD__) || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
extern int iplioctl __P((dev_t, u_long, caddr_t, int));
diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
index 93d76bd..68a3455 100644
--- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
@@ -766,10 +766,10 @@ int rv;
i = 0;
sel = nat->nat_aps->aps_sel[1 - rv];
if (rv) {
- if (nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq))
+ if (nat->nat_aps->aps_ackmin[sel] < ntohl(tcp->th_seq))
i = nat->nat_aps->aps_ackoff[sel];
} else {
- if (nat->nat_aps->aps_seqmin[sel] > ntohl(tcp->th_seq))
+ if (nat->nat_aps->aps_seqmin[sel] < ntohl(tcp->th_seq))
i = nat->nat_aps->aps_seqoff[sel];
}
/*
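Review bot: The flipped tests `aps_ackmin[sel] < ntohl(tcp->th_seq)` and `aps_seqmin[sel] < ntohl(tcp->th_seq)` compare TCP sequence numbers as plain integers, which gives the wrong answer once the sequence space wraps past 2^32. If both operands are 32-bit unsigned (their declarations are outside the hunk), a serial-number comparison such as `if ((int)(nat->nat_aps->aps_ackmin[sel] - ntohl(tcp->th_seq)) < 0)` keeps the offset selection correct across wraparound. The function body starts and ends outside the hunk.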
@@ -781,6 +781,10 @@ int rv;
f->ftps_seq = ntohl(tcp->th_seq);
else {
inc = ntohl(tcp->th_seq) - f->ftps_seq;
+ if (inc < 0)
+ inc = -inc;
+ if (i < 0)
+ i = -i;
if (inc > i) {
return APR_ERR(1);
}
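Review bot: `inc = -inc` is undefined when inc holds the most negative int, and because inc is derived from the packet's `th_seq` that value can arrive from the wire (assuming inc is a signed int; its declaration is outside the hunk). Computing the distance in unsigned arithmetic, or rejecting that one value with `APR_ERR(1)` before negating, avoids the overflow. A comment on why both `inc` and `i` are made absolute is also needed, since the `inc > i` check now tolerates segments behind `ftps_seq` as well as ahead of it.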
diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c
index aca0cd3..ce6574f 100644
--- a/sys/contrib/ipfilter/netinet/ip_nat.c
+++ b/sys/contrib/ipfilter/netinet/ip_nat.c
@@ -471,8 +471,12 @@ int mode;
}
for (np = &nat_list; (n = *np); np = &n->in_next)
if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags,
- IPN_CMPSIZ))
+ IPN_CMPSIZ)) {
+ if (n->in_redir == NAT_REDIRECT &&
+ n->in_pnext != nat->in_pnext)
+ continue;
break;
+ }
}
switch (cmd)
diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c
index 484bf18..9212582 100644
--- a/sys/contrib/ipfilter/netinet/ip_proxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_proxy.c
@@ -123,7 +123,7 @@ aproxy_t ap_proxies[] = {
ippr_ipsec_match },
#endif
#ifdef IPF_NETBIOS_PROXY
- { NULL, "netbios", (char)IPPROTO_TCP, 0, 0, ippr_netbios_init, NULL,
+ { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, NULL,
NULL, NULL, NULL, ippr_netbios_out, NULL },
#endif
#ifdef IPF_H323_PROXY
@@ -422,11 +422,14 @@ int inc;
int sel, ch = 0, out, nlen;
u_32_t seq1, seq2;
tcphdr_t *tcp;
+ short inc2;
tcp = (tcphdr_t *)fin->fin_dp;
out = fin->fin_out;
nlen = ip->ip_len;
nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
+ inc2 = inc;
+ inc = (int)inc2;
if (out != 0) {
seq1 = (u_32_t)ntohl(tcp->th_seq);
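Review bot: The `inc2 = inc; inc = (int)inc2;` round trip through a `short` silently truncates inc to 16 bits and sign-extends it, and nothing in the hunk says why. Presumably callers hand over the adjustment as a 16-bit signed quantity carried in a wider int; that should be confirmed and recorded, e.g. `/* inc is a 16-bit signed delta; sign-extend it before adjusting seq/ack */`. Converting an out-of-range int to short is implementation-defined, so the accepted range of inc should be stated as well. The function starts and ends outside the hunk.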
diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c
index be64b21..619c46b 100644
--- a/sys/contrib/ipfilter/netinet/ip_state.c
+++ b/sys/contrib/ipfilter/netinet/ip_state.c
@@ -577,9 +577,9 @@ u_int flags;
register u_int hv;
struct icmp *ic;
ipstate_t ips;
+ int out, ws;
u_int pass;
void *ifp;
- int out;
if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) ||
(fin->fin_misc & FM_BADSTATE))
@@ -693,8 +693,11 @@ u_int flags;
is->is_maxsend = is->is_send;
if ((tcp->th_flags & TH_SYN) &&
- ((tcp->th_off << 2) >= (sizeof(*tcp) + 4)))
- is->is_swscale = fr_tcpoptions(tcp);
+ ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) {
+ ws = fr_tcpoptions(tcp);
+ if (ws >= 0)
+ is->is_swscale = ws;
+ }
}
is->is_maxdwin = 1;
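Review bot: `ws` is stored in `is->is_swscale` for any non-negative return from `fr_tcpoptions()`, with no upper bound applied here. RFC 1323 limits the window-scale shift to 14 and the value originates in a TCP option supplied by the peer. Unless fr_tcpoptions() already clamps it (its body is not in this diff), an oversized count could reach shifts like `win <<= fdata->td_wscale` in the @@ -902 hunk, if that field is fed from the same option. Bounding it at the point of storage, `is->is_swscale = (ws > 14) ? 14 : ws;`, would make the limit explicit.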
@@ -902,6 +905,7 @@ tcphdr_t *tcp;
fdata->td_wscale = wscale;
else if (wscale == -2)
fdata->td_wscale = tdata->td_wscale = 0;
+ win <<= fdata->td_wscale;
if ((fdata->td_end == 0) &&
(!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) {
@@ -910,7 +914,9 @@ tcphdr_t *tcp;
*/
fdata->td_end = end;
fdata->td_maxwin = 1;
- fdata->td_maxend = end + 1;
+ fdata->td_maxend = end + win;
+ if (win == 0)
+ fdata->td_maxend++;
}
if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */
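Review bot: `fdata->td_maxend = end + win` now uses a `win` that the previous hunk has already shifted by `fdata->td_wscale`, and this branch appears to run for opening segments (`TH_OPENING`). RFC 1323 specifies that the window field of a SYN segment is never scaled, so the initial `td_maxend` may end up larger than the peer actually advertised, which loosens the state window check. If that reading is right, applying the shift only to non-SYN segments, `if (!(tcp->th_flags & TH_SYN)) win <<= fdata->td_wscale;`, would keep the first window exact. The enclosing function begins and ends outside the hunk.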
@@ -924,7 +930,6 @@ tcphdr_t *tcp;
if (seq == end)
seq = end = fdata->td_end;
- win <<= fdata->td_wscale;
maxwin = tdata->td_maxwin;
ackskew = tdata->td_end - ack;
@@ -1459,7 +1464,7 @@ icmp6again:
rev = fin->fin_rev;
if (is->is_frage[rev] != 0)
is->is_age = is->is_frage[rev];
- else if (fin->fin_rev)
+ else if (rev != 0)
is->is_age = fr_icmpacktimeout;
else
is->is_age = fr_icmptimeout;
diff --git a/sys/contrib/ipfilter/netinet/ipl.h b/sys/contrib/ipfilter/netinet/ipl.h
index 8548710..24245b0 100644
--- a/sys/contrib/ipfilter/netinet/ipl.h
+++ b/sys/contrib/ipfilter/netinet/ipl.h
@@ -10,6 +10,6 @@
#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter: v3.4.27"
+#define IPL_VERSION "IP Filter: v3.4.28"
#endif