-rw-r--r-- | sys/contrib/ipfilter/netinet/fil.c | 8 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_auth.c | 19 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_fil_freebsd.c | 2 |
3 files changed, 11 insertions, 18 deletions
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c
index 9c6d6ea..ea19254 100644
--- a/sys/contrib/ipfilter/netinet/fil.c
+++ b/sys/contrib/ipfilter/netinet/fil.c
@@ -17,7 +17,7 @@
 #include <sys/time.h>
 #if defined(__NetBSD__)
 # if (NetBSD >= 199905) && !defined(IPFILTER_LKM) && defined(_KERNEL)
-# if (__NetBSD_Version__ < 399001400)
+# if (__NetBSD_Version__ < 301000000)
 # include "opt_ipfilter_log.h"
 # else
 # include "opt_ipfilter.h"
@@ -2307,8 +2307,7 @@ u_32_t *passp;
 if (FR_ISAUTH(pass)) {
 if (fr_newauth(fin->fin_m, fin) != 0) {
 #ifdef _KERNEL
- if ((pass & FR_RETMASK) == 0)
- fin->fin_m = *fin->fin_mp = NULL;
+ fin->fin_m = *fin->fin_mp = NULL;
 #else
 ;
 #endif
@@ -2600,7 +2599,8 @@ int out;
 * Here rather than fr_firewall because fr_checkauth may decide
 * to return a packet for "keep state"
 */
- if ((pass & FR_KEEPSTATE) && !(fin->fin_flx & FI_STATE)) {
+ if ((pass & FR_KEEPSTATE) && (fin->fin_m != NULL) &&
+ !(fin->fin_flx & FI_STATE)) {
 if (fr_addstate(fin, NULL, 0) != NULL) {
 ATOMIC_INCL(frstats[out].fr_ads);
 } else {
diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c
index fddb043..42d29d4 100644
--- a/sys/contrib/ipfilter/netinet/ip_auth.c
+++ b/sys/contrib/ipfilter/netinet/ip_auth.c
@@ -303,7 +303,7 @@ u_32_t *passp;
 
 /* ------------------------------------------------------------------------ */
 /* Function: fr_newauth */
-/* Returns: int - 0 == success, else error */
+/* Returns: int - 1 == success, 0 = did not put packet on auth queue */
 /* Parameters: m(I) - pointer to mb_t with packet in it */
 /* fin(I) - pointer to packet information */
 /* */
@@ -339,10 +339,10 @@ fr_info_t *fin;
 i = fr_authend++;
 if (fr_authend == fr_authsize)
 fr_authend = 0;
- RWLOCK_EXIT(&ipf_auth);
-
 fra = fr_auth + i;
 fra->fra_index = i;
+ RWLOCK_EXIT(&ipf_auth);
+
 if (fin->fin_fr != NULL)
 fra->fra_pass = fin->fin_fr->fr_flags;
 else
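Review bot: In fil.c at `@@ -2307`, `fin->fin_m = *fin->fin_mp = NULL;` now runs for every packet fr_newauth() accepts, including rules whose `pass` carries FR_RETMASK bits, so any later code that reads `fin->fin_m` for such a packet will see NULL. The `@@ -2600` hunk guards fr_addstate() with `(fin->fin_m != NULL)`, but the paths that act on FR_RETMASK are not in this diff and should be checked for the same guard. A comment above the assignment, such as `/* mbuf is now owned by the auth queue; do not touch it again */`, would record why the pointers are cleared unconditionally. The enclosing function starts and ends outside the hunk.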
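Review bot: In ip_auth.c at `@@ -339`, `RWLOCK_EXIT(&ipf_auth);` now follows `fra->fra_index = i;`, but the stores that begin right after it (`fra->fra_pass = fin->fin_fr->fr_flags;` and whatever follows outside the hunk) still run with the lock dropped. Another thread that takes ipf_auth in that window can see a slot with a valid fra_index and stale remaining fields. Consider moving `RWLOCK_EXIT(&ipf_auth);` below the last store into `*fra`, or add a comment stating why a partially filled slot is safe to expose. fr_newauth continues past the end of the hunk, so the extent of the remaining fill is inferred.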
@@ -903,16 +903,6 @@ fr_authioctlloop:
 }
 RWLOCK_EXIT(&ipf_auth);
 
- /*
- * We exit ipf_global here because a program that enters in
- * here will have a lock on it and goto sleep having this lock.
- * If someone were to do an 'ipf -D' the system would then
- * deadlock. The catch with releasing it here is that the
- * caller of this function expects it to be held when we
- * return so we have to reacquire it in here.
- */
- RWLOCK_EXIT(&ipf_global);
-
 MUTEX_ENTER(&ipf_authmx);
 #ifdef _KERNEL
 # if SOLARIS
@@ -939,7 +929,6 @@ fr_authioctlloop:
 # endif /* SOLARIS */
 #endif
 MUTEX_EXIT(&ipf_authmx);
- READ_ENTER(&ipf_global);
 if (error == 0)
 goto fr_authioctlloop;
 return error;
@@ -1027,6 +1016,7 @@ char *data;
 * not being processed, make sure we advance to the next one.
 */
 if (error == ENOBUFS) {
+ WRITE_ENTER(&ipf_auth);
 fr_authused--;
 fra->fra_index = -1;
 fra->fra_pass = 0;
@@ -1044,6 +1034,7 @@ char *data;
 fr_authstart = fr_authend = 0;
 }
 }
+ RWLOCK_EXIT(&ipf_auth);
 }
 #endif /* _KERNEL */
 SPL_X(s);
diff --git a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
index 0f39afa..4a279fa 100644
--- a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
+++ b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
@@ -1518,6 +1518,8 @@ mb_t *m;
 }
 #endif
 } else {
+ fin->fin_ip->ip_len = ntohs(fin->fin_ip->ip_len);
+ fin->fin_ip->ip_off = ntohs(fin->fin_ip->ip_off);
 #if (__FreeBSD_version >= 470102)
 error = ip_output(m, NULL, NULL, IP_FORWARDING, NULL, NULL);
 #else
|
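Review bot: In ip_auth.c at `@@ -903`, the code now reaches `MUTEX_ENTER(&ipf_authmx);` and the wait that follows without first releasing ipf_global, and the deleted comment was the only record that sleeping with ipf_global held deadlocks against `ipf -D`. This is safe only if no caller arrives here holding ipf_global; the callers are not part of this diff, so that should be confirmed. Replace the removed comment with the new precondition, for example `/* Caller must not hold ipf_global: we may sleep here. */`. The removal of `READ_ENTER(&ipf_global);` at `@@ -939` rests on the same assumption.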
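Review bot: In ip_auth.c at `@@ -1027`, `WRITE_ENTER(&ipf_auth);` is taken only inside the `error == ENOBUFS` branch, while `fra` was selected earlier, outside the hunk and presumably under a lock hold that has since ended. If the slot can be reused in that window, `fr_authused--` and `fra->fra_index = -1` would undo another packet's entry, so the slot should be re-validated after the lock is taken (for example that `fra->fra_index` still matches the index chosen earlier). Also confirm that no `return` or `goto` sits between this acquire and the `RWLOCK_EXIT(&ipf_auth);` added at `@@ -1044`, since the lines between the two hunks are not shown.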
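Review bot: In ip_fil_freebsd.c at `@@ -1518`, the two `ntohs()` stores rewrite `ip_len` and `ip_off` in place through `fin->fin_ip` just before ip_output(), and nothing in the hunk shows that this branch is reached only for IPv4 packets or that the fields are still in network order at this point. A header that is already in host order, or a second pass over the same header, would end up with byte-swapped length and fragment-offset values. Add a comment stating the expectation, e.g. `/* ip_output() wants ip_len/ip_off in host order; fin_ip is IPv4 and still in network order here */`, and confirm that `fin->fin_ip` still points into `m`. The enclosing function starts and ends outside the hunk.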