Diffstat (limited to 'contrib/ipfilter/ip_proxy.c')
-rw-r--r--contrib/ipfilter/ip_proxy.c94
1 files changed, 80 insertions, 14 deletions
diff --git a/contrib/ipfilter/ip_proxy.c b/contrib/ipfilter/ip_proxy.c
index 2051f2a..f36753a 100644
--- a/contrib/ipfilter/ip_proxy.c
+++ b/contrib/ipfilter/ip_proxy.c
@@ -75,7 +75,7 @@
#endif
#if !defined(lint)
-static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.23 2002/06/04 14:45:42 darrenr Exp $";
+static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.24 2002/08/28 12:45:51 darrenr Exp $";
#endif
#if defined(_KERNEL) && (SOLARIS || defined(__sgi))
@@ -89,6 +89,8 @@ extern KRWLOCK_T ipf_nat, ipf_state;
static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int ));
+#define PROXY_DEBUG 0
+
#define AP_SESS_SIZE 53
#include "netinet/ip_ftp_pxy.c"
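Review bot: `PROXY_DEBUG` is defined unconditionally here, so it cannot be switched on from the build line without editing the file; `#ifndef PROXY_DEBUG` / `#define PROXY_DEBUG 0` / `#endif` would allow that. The messages it gates later in this commit are plain `printf` calls on the per-packet path (the checksum-failure and "bad packet" messages among them), so a build with it enabled would emit one console line for every packet that reaches those branches, with no rate limit. A comment beside the define would make that explicit, for example `/* debug only: prints once per packet, never enable on a production filter */`.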
@@ -313,9 +315,19 @@ nat_t *nat;
sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp);
#endif
if (sum != tcp->th_sum) {
+#if PROXY_DEBUG
+ printf("proxy tcp checksum failure\n");
+#endif
frstats[fin->fin_out].fr_tcpbad++;
return -1;
}
+
+ /*
+ * Don't both the proxy with these...or in fact, should
+ * we free up proxy stuff when seen?
+ */
+ if ((tcp->th_flags & TH_RST) != 0)
+ return 0;
}
apr = aps->aps_apr;
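Review bot: The new `TH_RST` test at the end of the checksum block returns 0 before the proxy handler runs, and, judging by the later hunks, before `appr_fixseqack()` would be reached. If so, a reset on a session whose seq/ack offsets are already non-zero would leave with unadjusted numbers. The call site is outside this hunk, so that needs confirming against the full function. The question left in the comment is also still open: nothing in the visible lines releases the proxy session when a RST is seen, so the comment should say where the session is reclaimed, or carry an `XXX` marker. The comment also has a typo: `Don't both the proxy` should read `Don't bother the proxy`.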
@@ -329,9 +341,16 @@ nat_t *nat;
}
rv = APR_EXIT(err);
- if (rv == 1)
+ if (rv == 1) {
+#if PROXY_DEBUG
+ printf("proxy says bad packet received\n");
+#endif
return -1;
+ }
if (rv == 2) {
+#if PROXY_DEBUG
+ printf("proxy says free app proxy data\n");
+#endif
appr_free(apr);
nat->nat_aps = NULL;
return -1;
@@ -412,6 +431,9 @@ ap_session_t *aps;
}
+/*
+ * returns 2 if ack or seq number in TCP header is changed, returns 0 otherwise
+ */
static int appr_fixseqack(fin, ip, aps, inc)
fr_info_t *fin;
ip_t *ip;
@@ -425,8 +447,12 @@ int inc;
tcp = (tcphdr_t *)fin->fin_dp;
out = fin->fin_out;
+ /*
+ * ip_len has already been adjusted by 'inc'.
+ */
nlen = ip->ip_len;
nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2);
+
inc2 = inc;
inc = (int)inc2;
@@ -436,8 +462,13 @@ int inc;
/* switch to other set ? */
if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
- (seq1 > aps->aps_seqmin[!sel]))
+ (seq1 > aps->aps_seqmin[!sel])) {
+#if PROXY_DEBUG
+ printf("proxy out switch set seq %d -> %d %x > %x\n",
+ sel, !sel, seq1, aps->aps_seqmin[!sel]);
+#endif
sel = aps->aps_sel[out] = !sel;
+}
if (aps->aps_seqoff[sel]) {
seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel];
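Review bot: The closing brace added for the "switch to other set" test is at column 0 (`+}`) as rendered here, unlike the indented `+ }` added in the `rv == 1` hunk. At that position it reads as the end of `appr_fixseqack` rather than the end of the `if`. The same misplaced brace appears in the hunks at `@@ -461`, `@@ -475` and `@@ -501`; each should be indented to match its `if`. The braces exist only to hold the `#if PROXY_DEBUG` print, so behaviour is unchanged. The function body starts and ends outside this hunk.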
@@ -450,8 +481,13 @@ int inc;
}
if (inc && (seq1 > aps->aps_seqmin[!sel])) {
- aps->aps_seqmin[!sel] = seq1 + nlen - 1;
- aps->aps_seqoff[!sel] = aps->aps_seqoff[sel] + inc;
+ aps->aps_seqmin[sel] = seq1 + nlen - 1;
+ aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc;
+#if PROXY_DEBUG
+ printf("proxy seq set %d at %x to %d + %d\n", sel,
+ aps->aps_seqmin[sel], aps->aps_seqoff[sel],
+ inc);
+#endif
}
/***/
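Review bot: The guard still tests `seq1 > aps->aps_seqmin[!sel]`, but the two assignments now write set `sel` instead of `!sel`. The matching inbound block in the `@@ -492` hunk still writes `aps_ackmin[!sel]` and `aps_ackoff[!sel]`. If the asymmetry is intended, it needs a comment saying which set holds the pending offset and why the outbound path updates the active one, since these offsets decide how every later segment of the proxied connection is rewritten. The debug print also runs after the update, so its "to %d + %d" shows the already-incremented `aps_seqoff[sel]` plus `inc`. Moving the print above the assignments would log the old offset. The second assignment would read more simply as `aps->aps_seqoff[sel] += inc;`.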
@@ -461,8 +497,13 @@ int inc;
/* switch to other set ? */
if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
- (seq1 > aps->aps_ackmin[!sel]))
+ (seq1 > aps->aps_ackmin[!sel])) {
+#if PROXY_DEBUG
+ printf("proxy out switch set ack %d -> %d %x > %x\n",
+ sel, !sel, seq1, aps->aps_ackmin[!sel]);
+#endif
sel = aps->aps_sel[1 - out] = !sel;
+}
if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) {
seq2 = aps->aps_ackoff[sel];
@@ -475,12 +516,16 @@ int inc;
/* switch to other set ? */
if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) &&
- (seq1 > aps->aps_ackmin[!sel]))
+ (seq1 > aps->aps_ackmin[!sel])) {
+#if PROXY_DEBUG
+ printf("proxy in switch set ack %d -> %d %x > %x\n",
+ sel, !sel, seq1, aps->aps_ackmin[!sel]);
+#endif
sel = aps->aps_sel[out] = !sel;
+}
if (aps->aps_ackoff[sel]) {
- seq2 = aps->aps_ackmin[sel] -
- aps->aps_ackoff[sel];
+ seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel];
if (seq1 > seq2) {
seq2 = aps->aps_ackoff[sel];
seq1 += seq2;
@@ -492,6 +537,11 @@ int inc;
if (inc && (seq1 > aps->aps_ackmin[!sel])) {
aps->aps_ackmin[!sel] = seq1 + nlen - 1;
aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc;
+#if PROXY_DEBUG
+ printf("proxy ack set %d at %x to %d + %d\n", !sel,
+ aps->aps_seqmin[!sel], aps->aps_seqoff[sel],
+ inc);
+#endif
}
/***/
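Review bot: The debug message added in this block is labelled "proxy ack set" but prints `aps->aps_seqmin[!sel]` and `aps->aps_seqoff[sel]`, whereas the lines just above it update `aps_ackmin[!sel]` and `aps_ackoff[!sel]`. With `PROXY_DEBUG` enabled the trace would show the sequence-side state and mislead anyone diagnosing an ack offset problem. The arguments should be `aps->aps_ackmin[!sel], aps->aps_ackoff[sel],` to match the format string's "at %x to %d + %d". The enclosing function continues outside the hunk.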
@@ -501,15 +551,31 @@ int inc;
/* switch to other set ? */
if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) &&
- (seq1 > aps->aps_seqmin[!sel]))
+ (seq1 > aps->aps_seqmin[!sel])) {
+#if PROXY_DEBUG
+ printf("proxy in switch set seq %d -> %d %x > %x\n",
+ sel, !sel, seq1, aps->aps_seqmin[!sel]);
+#endif
sel = aps->aps_sel[1 - out] = !sel;
+}
- if (aps->aps_seqoff[sel] && (seq1 > aps->aps_seqmin[sel])) {
- seq2 = aps->aps_seqoff[sel];
- tcp->th_ack = htonl(seq1 - seq2);
- ch = 1;
+ if (aps->aps_seqoff[sel] != 0) {
+#if PROXY_DEBUG
+ printf("sel %d seqoff %d seq1 %x seqmin %x\n", sel,
+ aps->aps_seqoff[sel], seq1,
+ aps->aps_seqmin[sel]);
+#endif
+ if (seq1 > aps->aps_seqmin[sel]) {
+ seq2 = aps->aps_seqoff[sel];
+ tcp->th_ack = htonl(seq1 - seq2);
+ ch = 1;
+ }
}
}
+#if PROXY_DEBUG
+ printf("appr_fixseqack: seq %x ack %x\n", ntohl(tcp->th_seq),
+ ntohl(tcp->th_ack));
+#endif
return ch ? 2 : 0;
}