authordarrenr <darrenr@FreeBSD.org>2002-04-27 16:56:25 +0000
committerdarrenr <darrenr@FreeBSD.org>2002-04-27 16:56:25 +0000
commitf9bbacbcce49ac738c454d4569d6e7ac97ff6c26 (patch)
treed3aa57db040cde809aa6464cf6cea035732146cf /sys/contrib
parent8b065032911d00f5d96b533557c0b39268f6375d (diff)
Merge updates from 3.4.26 - 3.4.27.
Diffstat (limited to 'sys/contrib')
-rw-r--r--sys/contrib/ipfilter/netinet/fil.c22
-rw-r--r--sys/contrib/ipfilter/netinet/ip_compat.h5
-rw-r--r--sys/contrib/ipfilter/netinet/ip_ftp_pxy.c73
-rw-r--r--sys/contrib/ipfilter/netinet/ip_log.c3
-rw-r--r--sys/contrib/ipfilter/netinet/ip_nat.c7
-rw-r--r--sys/contrib/ipfilter/netinet/ip_proxy.c2
-rw-r--r--sys/contrib/ipfilter/netinet/ip_state.c66
-rw-r--r--sys/contrib/ipfilter/netinet/ipl.h2
8 files changed, 115 insertions, 65 deletions
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c
index bffb4b2..605f8d3 100644
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@@ -1470,7 +1470,13 @@ nodata:
# endif /* defined(BSD) || defined(sun) */
# endif /* SOLARIS */
#else /* KERNEL */
- sum2 = 0;
+ for (; slen > 1; slen -= 2)
+ sum += *sp++;
+ if (slen)
+ sum += ntohs(*(u_char *)sp << 8);
+ while (sum > 0xffff)
+ sum = (sum & 0xffff) + (sum >> 16);
+ sum2 = (u_short)(~sum & 0xffff);
#endif /* KERNEL */
tcp->th_sum = ts;
return sum2;
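Review bot: The odd-length tail in the added user-space checksum, `sum += ntohs(*(u_char *)sp << 8);`, is correct but hard to read, and deserves a comment such as `/* odd trailing byte: pad with a zero byte and keep it in the same in-memory byte order as the *sp words */`. The loop also walks `slen` bytes from `sp` with no bound visible here. Both are declared outside this hunk, so it is worth confirming that `slen` is derived from a length already checked against the bytes actually present in the buffer. The enclosing function starts before this hunk.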
@@ -1511,7 +1517,7 @@ nodata:
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $Id: fil.c,v 2.35.2.59 2002/03/25 11:07:37 darrenr Exp $
+ * $Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $
*/
/*
* Copy data from an mbuf chain starting "off" bytes from the beginning,
@@ -2176,3 +2182,15 @@ int icmptoicmp6unreach[ICMP_MAX_UNREACH] = {
ICMP6_DST_UNREACH_ADMIN, /* 13: ICMP_UNREACH_ADMIN_PROHIBIT */
};
#endif
+
+
+#ifndef _KERNEL
+int mbuflen(buf)
+mb_t *buf;
+{
+ ip_t *ip;
+
+ ip = (ip_t *)buf;
+ return ip->ip_len;
+}
+#endif
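Review bot: The new `mbuflen()` returns `ip->ip_len` straight from the packet header, so the value it reports as the buffer length is whatever the packet claims. In this same commit ip_ftp_pxy.c uses that value as `mlen` for `bcopy((char *)m + off, wptr, len)`, so a header whose `ip_len` exceeds the bytes really held in the buffer would lead to a read past its end. Either clamp the result to the size of the buffer the non-kernel build actually filled, or document the precondition with a comment such as `/* non-kernel only: buf is a flat IPv4 packet; caller must already have checked ip_len against the bytes read */`. The function also assumes IPv4 and a host-order `ip_len`, which the comment should state.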
diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h
index bf67827..3f9707e 100644
--- a/sys/contrib/ipfilter/netinet/ip_compat.h
+++ b/sys/contrib/ipfilter/netinet/ip_compat.h
@@ -253,7 +253,7 @@ typedef u_int32_t u_32_t;
# define USE_INET6
# endif
# endif
-# if !defined(_KERNEL) && !defined(IPFILTER_LKM)
+# if !defined(_KERNEL) && !defined(IPFILTER_LKM) && !defined(USE_INET6)
# if (defined(__FreeBSD_version) && (__FreeBSD_version >= 400000)) || \
(defined(OpenBSD) && (OpenBSD >= 200111)) || \
(defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 105000000))
@@ -573,7 +573,8 @@ extern void m_copyback __P((struct mbuf *, int, int, caddr_t));
# endif
# if (BSD >= 199306) || defined(__FreeBSD__)
# if (defined(__NetBSD_Version__) && (__NetBSD_Version__ < 105180000)) || \
- defined(__FreeBSD__) || defined(__OpenBSD__) || defined(_BSDI_VERSION)
+ defined(__FreeBSD__) || (defined(OpenBSD) && (OpenBSD < 200206)) || \
+ defined(_BSDI_VERSION)
# include <vm/vm.h>
# endif
# if !defined(__FreeBSD__) || (defined (__FreeBSD_version) && \
diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
index ce673d9..93d76bd 100644
--- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c
@@ -184,7 +184,11 @@ int dlen;
if ((inc + ip->ip_len) > 65535)
return 0;
-#if SOLARIS
+#if !defined(_KERNEL)
+ m = *((mb_t **)fin->fin_mp);
+ bcopy(newbuf, (char *)m + off, nlen);
+#else
+# if SOLARIS
m = fin->fin_qfm;
for (m1 = m; m1->b_cont; m1 = m1->b_cont)
;
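Review bot: The new non-kernel branch `bcopy(newbuf, (char *)m + off, nlen);` writes `nlen` bytes into the flat packet buffer with no check against that buffer's capacity. The only guard visible above it is `(inc + ip->ip_len) > 65535`, which bounds the IP length but not the memory behind `m`. The kernel branch relies on `m_copyback()` extending the chain when the rewritten command is longer, and the flat buffer has no such mechanism. A bound of `off + nlen` against the allocated size of the buffer (not visible in this hunk) should precede the copy, returning 0 on overflow as the existing length check does. The enclosing function starts and ends outside the hunk.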
@@ -210,19 +214,20 @@ int dlen;
m1->b_wptr += inc;
}
copyin_mblk(m, off, nlen, newbuf);
-#else
+# else
m = *((mb_t **)fin->fin_mp);
if (inc < 0)
m_adj(m, inc);
/* the mbuf chain will be extended if necessary by m_copyback() */
m_copyback(m, off, nlen, newbuf);
-# ifdef M_PKTHDR
+# ifdef M_PKTHDR
if (!(m->m_flags & M_PKTHDR))
m->m_pkthdr.len += inc;
+# endif
# endif
#endif
if (inc != 0) {
-#if SOLARIS || defined(__sgi)
+#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
register u_32_t sum1, sum2;
sum1 = ip->ip_len;
@@ -269,6 +274,7 @@ int dlen;
tcp2->th_win = htons(8192);
tcp2->th_sport = htons(sp);
tcp2->th_off = 5;
+ tcp2->th_flags = TH_SYN;
tcp2->th_dport = 0; /* XXX - don't specify remote port */
fi.fin_data[1] = 0;
fi.fin_dlen = sizeof(*tcp2);
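Review bot: The added `tcp2->th_flags = TH_SYN;` carries no comment explaining why the synthetic header must look like a SYN, and the same line is added without one in the hunk at -520. Presumably the state code keys on it, since ip_state.c in this commit tests `tcp->th_flags & TH_SYN`, but that is not visible from here. A comment such as `/* fake header is presented as a SYN so the state entry is set up as for a new connection */` would make the dependency explicit, if that is indeed the intent.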
@@ -452,7 +458,11 @@ int dlen;
if ((inc + ip->ip_len) > 65535)
return 0;
-#if SOLARIS
+#if !defined(_KERNEL)
+ m = *((mb_t **)fin->fin_mp);
+ m_copyback(m, off, nlen, newbuf);
+#else
+# if SOLARIS
m = fin->fin_qfm;
for (m1 = m; m1->b_cont; m1 = m1->b_cont)
;
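Review bot: The non-kernel branch added here calls `m_copyback(m, off, nlen, newbuf)`, while the matching non-kernel branch in the hunk at -184 uses `bcopy(newbuf, (char *)m + off, nlen)`. The two should use the same primitive, and whether `m_copyback` is even defined for a user-space build is not visible on this page. The kernel branches of this function also have the copy-back commented out (`/*copyin_mblk(...)*/` and `/*m_copyback(...)*/` in the following hunk), so the non-kernel build would rewrite the packet where the kernel build does not. If the rewrite is intentionally disabled on this path, drop the call here too. If it is wanted, add the same capacity check the other branch needs.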
@@ -475,15 +485,16 @@ int dlen;
m1->b_wptr += inc;
}
/*copyin_mblk(m, off, nlen, newbuf);*/
-#else /* SOLARIS */
+# else /* SOLARIS */
m = *((mb_t **)fin->fin_mp);
if (inc < 0)
m_adj(m, inc);
/* the mbuf chain will be extended if necessary by m_copyback() */
/*m_copyback(m, off, nlen, newbuf);*/
-#endif /* SOLARIS */
+# endif /* SOLARIS */
+#endif /* _KERNEL */
if (inc != 0) {
-#if SOLARIS || defined(__sgi)
+#if (SOLARIS || defined(__sgi)) && defined(_KERNEL)
register u_32_t sum1, sum2;
sum1 = ip->ip_len;
@@ -520,6 +531,7 @@ int dlen;
tcp2->th_win = htons(8192);
tcp2->th_sport = 0; /* XXX - fake it for nat_new */
tcp2->th_off = 5;
+ tcp2->th_flags = TH_SYN;
fi.fin_data[1] = a5 << 8 | a6;
fi.fin_dlen = sizeof(*tcp2);
tcp2->th_dport = htons(fi.fin_data[1]);
@@ -721,17 +733,22 @@ int rv;
tcp = (tcphdr_t *)fin->fin_dp;
off = fin->fin_hlen + (tcp->th_off << 2);
-#if SOLARIS
+#if SOLARIS && defined(_KERNEL)
m = fin->fin_qfm;
#else
m = *((mb_t **)fin->fin_mp);
#endif
-#if SOLARIS
- mlen = msgdsize(m) - off;
+#ifndef _KERNEL
+ mlen = mbuflen(m);
#else
- mlen = mbufchainlen(m) - off;
+# if SOLARIS
+ mlen = msgdsize(m);
+# else
+ mlen = mbufchainlen(m);
+# endif
#endif
+ mlen -= off;
t = &ftp->ftp_side[1 - rv];
f = &ftp->ftp_side[rv];
@@ -743,15 +760,18 @@ int rv;
return 0;
}
- inc = 0;
rptr = f->ftps_rptr;
wptr = f->ftps_wptr;
+ i = 0;
sel = nat->nat_aps->aps_sel[1 - rv];
- if (rv)
- i = nat->nat_aps->aps_ackoff[sel];
- else
- i = nat->nat_aps->aps_seqoff[sel];
+ if (rv) {
+ if (nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq))
+ i = nat->nat_aps->aps_ackoff[sel];
+ } else {
+ if (nat->nat_aps->aps_seqmin[sel] > ntohl(tcp->th_seq))
+ i = nat->nat_aps->aps_seqoff[sel];
+ }
/*
* XXX - Ideally, this packet should get dropped because we now know
* that it is out of order (and there is no real danger in doing so
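Review bot: The new tests `nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq)` and the `aps_seqmin` counterpart compare TCP sequence numbers with a plain `>`, which gives the wrong answer once the 32-bit sequence space wraps. Near the wrap point the offset would be applied or skipped incorrectly and the following ordering check would misjudge the segment. Assuming the fields are 32-bit unsigned (their declaration is outside this page), a serial-number comparison such as `(int)(nat->nat_aps->aps_ackmin[sel] - ntohl(tcp->th_seq)) > 0` avoids this. A short comment stating when the offset is meant to apply would also help, since the condition is not self-explanatory.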
@@ -759,18 +779,26 @@ int rv;
*/
if (f->ftps_len + f->ftps_seq == ntohl(tcp->th_seq))
f->ftps_seq = ntohl(tcp->th_seq);
- else if (ntohl(tcp->th_seq) + i != f->ftps_seq) {
- return APR_ERR(1);
+ else {
+ inc = ntohl(tcp->th_seq) - f->ftps_seq;
+ if (inc > i) {
+ return APR_ERR(1);
+ }
}
+ inc = 0;
f->ftps_len = mlen;
while (mlen > 0) {
len = MIN(mlen, FTP_BUFSZ / 2);
-#if SOLARIS
- copyout_mblk(m, off, len, wptr);
+#if !defined(_KERNEL)
+ bcopy((char *)m + off, wptr, len);
#else
+# if SOLARIS
+ copyout_mblk(m, off, len, wptr);
+# else
m_copydata(m, off, len, wptr);
+# endif
#endif
mlen -= len;
off += len;
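Review bot: The relaxed ordering check `inc = ntohl(tcp->th_seq) - f->ftps_seq; if (inc > i)` rejects only segments that are ahead of the expected sequence. If `inc` is a signed int (declared outside the hunk), a segment behind `f->ftps_seq` yields a negative value, passes, and its payload is then copied into the proxy buffer below. The removed code required an exact match, so this widens what the proxy will parse. If accepting earlier segments is intended, for example for retransmissions, say so in a comment. Otherwise bound both sides, e.g. `if (inc < 0 || inc > i) return APR_ERR(1);`, adjusted if `i` can legitimately be negative.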
@@ -800,8 +828,9 @@ int rv;
* Off to a bad start so lets just forget about using the
* ftp proxy for this connection.
*/
- if ((f->ftps_cmds == 0) && (f->ftps_junk == 1))
+ if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) {
return APR_ERR(2);
+ }
while ((f->ftps_junk == 1) && (rptr < wptr)) {
while ((rptr < wptr) && (*rptr != '\r'))
diff --git a/sys/contrib/ipfilter/netinet/ip_log.c b/sys/contrib/ipfilter/netinet/ip_log.c
index 7126b20..4e8488b 100644
--- a/sys/contrib/ipfilter/netinet/ip_log.c
+++ b/sys/contrib/ipfilter/netinet/ip_log.c
@@ -10,7 +10,8 @@
#if defined(KERNEL) && !defined(_KERNEL)
# define _KERNEL
#endif
-#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM)
+#if defined(__NetBSD__) && (NetBSD >= 199905) && !defined(IPFILTER_LKM) && \
+ defined(_KERNEL)
# include "opt_ipfilter_log.h"
#endif
#ifdef __FreeBSD__
diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c
index 2e10f83..aca0cd3 100644
--- a/sys/contrib/ipfilter/netinet/ip_nat.c
+++ b/sys/contrib/ipfilter/netinet/ip_nat.c
@@ -1770,7 +1770,6 @@ int dir;
sumd2 = sumd;
}
-#if 1
/*
* Fix TCP pseudo header checksum to compensate for the
* IP address change. Before we can do the change, we
@@ -1790,7 +1789,6 @@ int dir;
CALC_SUMD(sum1, sum2, sumd);
sumd2 = sumd;
}
-#endif
} else {
/*
@@ -1839,7 +1837,6 @@ int dir;
sumd2 = sumd;
}
-#if 1
/*
* Fix TCP pseudo header checksum to compensate for the
* IP address change. Before we can do the change, we
@@ -1858,9 +1855,7 @@ int dir;
*/
CALC_SUMD(sum1, sum2, sumd);
sumd2 = sumd;
- };
-#endif
-
+ }
#endif
}
diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c
index 10694e3..484bf18 100644
--- a/sys/contrib/ipfilter/netinet/ip_proxy.c
+++ b/sys/contrib/ipfilter/netinet/ip_proxy.c
@@ -93,8 +93,8 @@ static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
#define AP_SESS_SIZE 53
-#if defined(_KERNEL)
#include "netinet/ip_ftp_pxy.c"
+#if defined(_KERNEL)
#include "netinet/ip_rcmd_pxy.c"
#include "netinet/ip_raudio_pxy.c"
#include "netinet/ip_netbios_pxy.c"
diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c
index 350cd1f1..be64b21 100644
--- a/sys/contrib/ipfilter/netinet/ip_state.c
+++ b/sys/contrib/ipfilter/netinet/ip_state.c
@@ -685,11 +685,18 @@ u_int flags;
hv += is->is_sport;
hv += is->is_dport;
}
- is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen -
- (off = (tcp->th_off << 2)) +
- ((tcp->th_flags & TH_SYN) ? 1 : 0) +
- ((tcp->th_flags & TH_FIN) ? 1 : 0);
- is->is_maxsend = is->is_send;
+ if ((flags & FI_IGNOREPKT) == 0) {
+ is->is_send = ntohl(tcp->th_seq) + fin->fin_dlen -
+ (off = (tcp->th_off << 2)) +
+ ((tcp->th_flags & TH_SYN) ? 1 : 0) +
+ ((tcp->th_flags & TH_FIN) ? 1 : 0);
+ is->is_maxsend = is->is_send;
+
+ if ((tcp->th_flags & TH_SYN) &&
+ ((tcp->th_off << 2) >= (sizeof(*tcp) + 4)))
+ is->is_swscale = fr_tcpoptions(tcp);
+ }
+
is->is_maxdwin = 1;
is->is_maxswin = ntohs(tcp->th_win);
if (is->is_maxswin == 0)
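Review bot: `off` is still assigned as a side effect inside the `is_send` expression, `(off = (tcp->th_off << 2))`, which now executes only when `(flags & FI_IGNOREPKT) == 0`. Any use of `off` later in the function, which continues outside this hunk, would see an unset value on the FI_IGNOREPKT path. Hoisting the assignment above the new `if` as `off = tcp->th_off << 2;` and using `off` in both the expression and the `is_swscale` test removes the hidden dependency. It is also worth a comment that `is_send` and `is_maxsend` are deliberately left at their initial values when the packet is ignored.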
@@ -698,10 +705,6 @@ u_int flags;
if ((tcp->th_flags & TH_OPENING) == TH_SYN)
is->is_fsm = 1;
- if ((tcp->th_flags & TH_SYN) &&
- ((tcp->th_off << 2) >= (sizeof(*tcp) + 4)))
- is->is_swscale = fr_tcpoptions(tcp);
-
/*
* If we're creating state for a starting connection, start the
* timer on it as we'll never see an error if it fails to
@@ -972,7 +975,7 @@ tcphdr_t *tcp;
}
}
MUTEX_EXIT(&is->is_lock);
- if ((ret == 0) && (tcp->th_flags != TH_SYN))
+ if ((ret == 0) && ((tcp->th_flags & TH_OPENING) != TH_SYN))
fin->fin_misc |= FM_BADSTATE;
return ret;
}
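Review bot: The new test `(tcp->th_flags & TH_OPENING) != TH_SYN` masks the flags down to the TH_OPENING bits before comparing. Assuming TH_OPENING is SYN|ACK (its definition is not on this page), a SYN combined with FIN, RST or other bits is treated like a plain SYN here and no longer sets FM_BADSTATE. The SYN_SENT case changed later in this commit takes the narrower approach, `(flags & ~(TH_ECN|TH_CWR)) == TH_SYN`, which ignores only the ECN bits. Using the same form here, `((tcp->th_flags & ~(TH_ECN|TH_CWR)) != TH_SYN)`, would keep the two checks consistent and keep odd flag combinations marked as bad state. The function body starts outside the hunk.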
@@ -1226,6 +1229,10 @@ fr_info_t *fin;
*/
bzero((char *)&src, sizeof(src));
bzero((char *)&dst, sizeof(dst));
+ bzero((char *)&ofin, sizeof(ofin));
+ ofin.fin_ifp = fin->fin_ifp;
+ ofin.fin_out = !fin->fin_out;
+ ofin.fin_v = 4;
fr = NULL;
switch (oip->ip_p)
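Review bot: Replacing the per-call `ofin.fin_mp = NULL; /* if dereferenced, panic XXX */` with one `bzero()` of `ofin` drops the only warning that this synthetic `fr_info_t` has no packet buffer behind it. The same applies to the IPv6 function in the hunk at -2096. A comment next to the bzero, such as `/* ofin.fin_mp stays NULL: nothing called with &ofin may dereference it */`, would preserve that hazard note for later maintainers. Because `fin_ifp`, `fin_out` and `fin_v` are now set before `fr_makefrip()` rather than after it, it is also worth confirming that `fr_makefrip()` does not reset them. Its body is not visible here.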
@@ -1260,12 +1267,8 @@ fr_info_t *fin;
savelen = oip->ip_len;
oip->ip_len = len;
- ofin.fin_v = 4;
fr_makefrip(ohlen, oip, &ofin);
oip->ip_len = savelen;
- ofin.fin_ifp = fin->fin_ifp;
- ofin.fin_out = !fin->fin_out;
- ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
READ_ENTER(&ipf_state);
for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext)
@@ -1314,12 +1317,8 @@ fr_info_t *fin;
*/
savelen = oip->ip_len;
oip->ip_len = len;
- ofin.fin_v = 4;
fr_makefrip(ohlen, oip, &ofin);
oip->ip_len = savelen;
- ofin.fin_ifp = fin->fin_ifp;
- ofin.fin_out = !fin->fin_out;
- ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
READ_ENTER(&ipf_state);
for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) {
/*
@@ -1849,7 +1848,7 @@ int dir, fsm;
break;
case TCPS_SYN_SENT: /* 2 */
- if (flags == TH_SYN) {
+ if ((flags & ~(TH_ECN|TH_CWR)) == TH_SYN) {
/*
* A retransmitted SYN packet. We do not reset the
* timeout here to fr_tcptimeout because a connection
@@ -1895,6 +1894,12 @@ int dir, fsm;
*/
state[dir] = TCPS_ESTABLISHED;
newage = fr_tcpidletimeout;
+ } else if ((flags & ~(TH_ECN|TH_CWR)) == TH_OPENING) {
+ /*
+ * We see an SA from 'dir' which is already in
+ * SYN_RECEIVED state.
+ */
+ newage = fr_tcptimeout;
} else if (flags & TH_FIN) {
/*
* We see an F from 'dir' which is in SYN_RECEIVED
@@ -1989,6 +1994,8 @@ int dir, fsm;
* timeout
*/
newage = fr_tcplastack;
+ else
+ newage = *age;
}
/*
* We cannot detect when we go out of LAST_ACK state to CLOSED
@@ -2096,6 +2103,15 @@ fr_info_t *fin;
if (fin->fin_plen < sizeof(*oip))
return NULL;
+ if ((oip->ip6_nxt != IPPROTO_TCP) && (oip->ip6_nxt != IPPROTO_UDP) &&
+ (oip->ip6_nxt != IPPROTO_ICMPV6))
+ return NULL;
+
+ bzero((char *)&ofin, sizeof(ofin));
+ ofin.fin_out = !fin->fin_out;
+ ofin.fin_ifp = fin->fin_ifp;
+ ofin.fin_v = 6;
+
if (oip->ip6_nxt == IPPROTO_ICMPV6) {
oic = (struct icmp6_hdr *)(oip + 1);
/*
@@ -2121,12 +2137,8 @@ fr_info_t *fin;
hv %= fr_statesize;
oip->ip6_plen = ntohs(oip->ip6_plen);
- ofin.fin_v = 6;
fr_makefrip(sizeof(*oip), (ip_t *)oip, &ofin);
oip->ip6_plen = htons(oip->ip6_plen);
- ofin.fin_ifp = fin->fin_ifp;
- ofin.fin_out = !fin->fin_out;
- ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
READ_ENTER(&ipf_state);
for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext)
@@ -2151,10 +2163,8 @@ fr_info_t *fin;
RWLOCK_EXIT(&ipf_state);
return NULL;
- };
+ }
- if ((oip->ip6_nxt != IPPROTO_TCP) && (oip->ip6_nxt != IPPROTO_UDP))
- return NULL;
tcp = (tcphdr_t *)(oip + 1);
dport = tcp->th_dport;
sport = tcp->th_sport;
@@ -2185,12 +2195,8 @@ fr_info_t *fin;
*/
savelen = oip->ip6_plen;
oip->ip6_plen = ip->ip6_plen - sizeof(*ip) - ICMPERR_ICMPHLEN;
- ofin.fin_v = 6;
fr_makefrip(sizeof(*oip), (ip_t *)oip, &ofin);
oip->ip6_plen = savelen;
- ofin.fin_ifp = fin->fin_ifp;
- ofin.fin_out = !fin->fin_out;
- ofin.fin_mp = NULL; /* if dereferenced, panic XXX */
READ_ENTER(&ipf_state);
for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_hnext) {
/*
diff --git a/sys/contrib/ipfilter/netinet/ipl.h b/sys/contrib/ipfilter/netinet/ipl.h
index 96a2a20..8548710 100644
--- a/sys/contrib/ipfilter/netinet/ipl.h
+++ b/sys/contrib/ipfilter/netinet/ipl.h
@@ -10,6 +10,6 @@
#ifndef __IPL_H__
#define __IPL_H__
-#define IPL_VERSION "IP Filter: v3.4.26"
+#define IPL_VERSION "IP Filter: v3.4.27"
#endif