diff options
Diffstat (limited to 'sys/contrib')
-rw-r--r-- | sys/contrib/ipfilter/netinet/fil.c | 3 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_auth.c | 5 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_compat.h | 6 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_fil.c | 38 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_fil.h | 1 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_ftp_pxy.c | 8 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_nat.c | 6 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_proxy.c | 5 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_state.c | 17 | ||||
-rw-r--r-- | sys/contrib/ipfilter/netinet/ipl.h | 2 |
10 files changed, 67 insertions, 24 deletions
diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index 605f8d3..28eb05b 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -1517,7 +1517,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.60 2002/04/26 10:20:34 darrenr Exp $ + * $Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, @@ -1632,7 +1632,6 @@ frgroup_t ***fgpp; fgp = &ipfgroups[0][set]; else return NULL; - num &= 0xffff; while ((fg = *fgp)) if (fg->fg_num == num) diff --git a/sys/contrib/ipfilter/netinet/ip_auth.c b/sys/contrib/ipfilter/netinet/ip_auth.c index cdbfb92..b395b53 100644 --- a/sys/contrib/ipfilter/netinet/ip_auth.c +++ b/sys/contrib/ipfilter/netinet/ip_auth.c @@ -613,7 +613,10 @@ void fr_authexpire() } else faep = &fae->fae_next; } - ipauth = &fae_list->fae_fr; + if (fae_list != NULL) + ipauth = &fae_list->fae_fr; + else + ipauth = NULL; for (frp = &fr_authlist; (fr = *frp); ) { if (fr->fr_ref == 1) { diff --git a/sys/contrib/ipfilter/netinet/ip_compat.h b/sys/contrib/ipfilter/netinet/ip_compat.h index 3f9707e..608424a 100644 --- a/sys/contrib/ipfilter/netinet/ip_compat.h +++ b/sys/contrib/ipfilter/netinet/ip_compat.h @@ -214,7 +214,11 @@ typedef int minor_t; #if defined(__FreeBSD__) && (defined(KERNEL) || defined(_KERNEL)) # include <sys/param.h> # ifndef __FreeBSD_version -# include <sys/osreldate.h> +# ifdef IPFILTER_LKM +# include <osreldate.h> +# else +# include <sys/osreldate.h> +# endif # endif # ifdef IPFILTER_LKM # define ACTUALLY_LKM_NOT_KERNEL diff --git a/sys/contrib/ipfilter/netinet/ip_fil.c b/sys/contrib/ipfilter/netinet/ip_fil.c index 3a41c5c..6305663 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.c +++ b/sys/contrib/ipfilter/netinet/ip_fil.c @@ -649,6 +649,9 @@ int mode; unit = dev; #endif + if (fr_running == 0 && (cmd != SIOCFRENB || unit != IPL_LOGIPF)) + return ENODEV; + SPL_NET(s); if (unit == IPL_LOGNAT) { @@ -893,7 +896,8 @@ caddr_t data; * Check that the group number does exist and that if a head group * has been specified, doesn't exist. */ - if ((req != SIOCZRLST) && fp->fr_grhead && + if ((req != SIOCZRLST) && ((req == SIOCINAFR) || (req == SIOCINIFR) || + (req == SIOCADAFR) || (req == SIOCADIFR)) && fp->fr_grhead && fr_findgroup((u_int)fp->fr_grhead, fp->fr_flags, unit, set, NULL)) return EEXIST; if ((req != SIOCZRLST) && fp->fr_group && @@ -1227,13 +1231,18 @@ fr_info_t *fin; struct mbuf **mp; { struct mbuf *m = *mp; - char *dpsave; - int error; + int error, hlen; + fr_info_t frn; ip_t *ip; - dpsave = fin->fin_dp; + bzero((char *)&frn, sizeof(frn)); + frn.fin_ifp = fin->fin_ifp; + frn.fin_v = fin->fin_v; + frn.fin_out = fin->fin_out; + frn.fin_mp = fin->fin_mp; ip = mtod(m, ip_t *); + hlen = sizeof(*ip); ip->ip_v = fin->fin_v; if (ip->ip_v == 4) { @@ -1248,21 +1257,24 @@ struct mbuf **mp; ip->ip_ttl = ip_defttl; # endif ip->ip_sum = 0; - fin->fin_dp = (char *)(ip + 1); + frn.fin_dp = (char *)(ip + 1); } # ifdef USE_INET6 else if (ip->ip_v == 6) { ip6_t *ip6 = (ip6_t *)ip; + hlen = sizeof(*ip6); ip6->ip6_hlim = 127; - fin->fin_dp = (char *)(ip6 + 1); + frn.fin_dp = (char *)(ip6 + 1); } # endif # ifdef IPSEC m->m_pkthdr.rcvif = NULL; # endif - error = ipfr_fastroute(m, mp, fin, NULL); - fin->fin_dp = dpsave; + + fr_makefrip(hlen, ip, &frn); + + error = ipfr_fastroute(m, mp, &frn, NULL); return error; } @@ -1569,6 +1581,9 @@ frdest_t *fdp; /* * Route packet. */ +#ifdef __sgi + ROUTE_RDLOCK(); +#endif bzero((caddr_t)ro, sizeof (*ro)); dst = (struct sockaddr_in *)&ro->ro_dst; dst->sin_family = AF_INET; @@ -1605,6 +1620,11 @@ frdest_t *fdp; # else rtalloc(ro); # endif + +#ifdef __sgi + ROUTE_UNLOCK(); +#endif + if (!ifp) { if (!fr || !(fr->fr_flags & FR_FASTROUTE)) { error = -2; @@ -2104,7 +2124,7 @@ int code; fr_info_t *fin; int dst; { - verbose("- ICMP UNREACHABLE RST sent\n"); + verbose("- ICMP UNREACHABLE sent\n"); return 0; } diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h index 5088fb3..ae5025c 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.h +++ b/sys/contrib/ipfilter/netinet/ip_fil.h @@ -510,6 +510,7 @@ extern int send_reset __P((ip_t *, fr_info_t *)); extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int)); extern int ipf_log __P((void)); extern struct ifnet *get_unit __P((char *, int)); +extern int mbuflen __P((mb_t *)); # if defined(__NetBSD__) || defined(__OpenBSD__) || \ (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) extern int iplioctl __P((dev_t, u_long, caddr_t, int)); diff --git a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c index 93d76bd..68a3455 100644 --- a/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c +++ b/sys/contrib/ipfilter/netinet/ip_ftp_pxy.c @@ -766,10 +766,10 @@ int rv; i = 0; sel = nat->nat_aps->aps_sel[1 - rv]; if (rv) { - if (nat->nat_aps->aps_ackmin[sel] > ntohl(tcp->th_seq)) + if (nat->nat_aps->aps_ackmin[sel] < ntohl(tcp->th_seq)) i = nat->nat_aps->aps_ackoff[sel]; } else { - if (nat->nat_aps->aps_seqmin[sel] > ntohl(tcp->th_seq)) + if (nat->nat_aps->aps_seqmin[sel] < ntohl(tcp->th_seq)) i = nat->nat_aps->aps_seqoff[sel]; } /* @@ -781,6 +781,10 @@ int rv; f->ftps_seq = ntohl(tcp->th_seq); else { inc = ntohl(tcp->th_seq) - f->ftps_seq; + if (inc < 0) + inc = -inc; + if (i < 0) + i = -i; if (inc > i) { return APR_ERR(1); } diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c index aca0cd3..ce6574f 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.c +++ b/sys/contrib/ipfilter/netinet/ip_nat.c @@ -471,8 +471,12 @@ int mode; } for (np = &nat_list; (n = *np); np = &n->in_next) if (!bcmp((char *)&nat->in_flags, (char *)&n->in_flags, - IPN_CMPSIZ)) + IPN_CMPSIZ)) { + if (n->in_redir == NAT_REDIRECT && + n->in_pnext != nat->in_pnext) + continue; break; + } } switch (cmd) diff --git a/sys/contrib/ipfilter/netinet/ip_proxy.c b/sys/contrib/ipfilter/netinet/ip_proxy.c index 484bf18..9212582 100644 --- a/sys/contrib/ipfilter/netinet/ip_proxy.c +++ b/sys/contrib/ipfilter/netinet/ip_proxy.c @@ -123,7 +123,7 @@ aproxy_t ap_proxies[] = { ippr_ipsec_match }, #endif #ifdef IPF_NETBIOS_PROXY - { NULL, "netbios", (char)IPPROTO_TCP, 0, 0, ippr_netbios_init, NULL, + { NULL, "netbios", (char)IPPROTO_UDP, 0, 0, ippr_netbios_init, NULL, NULL, NULL, NULL, ippr_netbios_out, NULL }, #endif #ifdef IPF_H323_PROXY @@ -422,11 +422,14 @@ int inc; int sel, ch = 0, out, nlen; u_32_t seq1, seq2; tcphdr_t *tcp; + short inc2; tcp = (tcphdr_t *)fin->fin_dp; out = fin->fin_out; nlen = ip->ip_len; nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2); + inc2 = inc; + inc = (int)inc2; if (out != 0) { seq1 = (u_32_t)ntohl(tcp->th_seq); diff --git a/sys/contrib/ipfilter/netinet/ip_state.c b/sys/contrib/ipfilter/netinet/ip_state.c index be64b21..619c46b 100644 --- a/sys/contrib/ipfilter/netinet/ip_state.c +++ b/sys/contrib/ipfilter/netinet/ip_state.c @@ -577,9 +577,9 @@ u_int flags; register u_int hv; struct icmp *ic; ipstate_t ips; + int out, ws; u_int pass; void *ifp; - int out; if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT) || (fin->fin_misc & FM_BADSTATE)) @@ -693,8 +693,11 @@ u_int flags; is->is_maxsend = is->is_send; if ((tcp->th_flags & TH_SYN) && - ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) - is->is_swscale = fr_tcpoptions(tcp); + ((tcp->th_off << 2) >= (sizeof(*tcp) + 4))) { + ws = fr_tcpoptions(tcp); + if (ws >= 0) + is->is_swscale = ws; + } } is->is_maxdwin = 1; @@ -902,6 +905,7 @@ tcphdr_t *tcp; fdata->td_wscale = wscale; else if (wscale == -2) fdata->td_wscale = tdata->td_wscale = 0; + win <<= fdata->td_wscale; if ((fdata->td_end == 0) && (!is->is_fsm || ((tcp->th_flags & TH_OPENING) == TH_OPENING))) { @@ -910,7 +914,9 @@ tcphdr_t *tcp; */ fdata->td_end = end; fdata->td_maxwin = 1; - fdata->td_maxend = end + 1; + fdata->td_maxend = end + win; + if (win == 0) + fdata->td_maxend++; } if (!(tcp->th_flags & TH_ACK)) { /* Pretend an ack was sent */ @@ -924,7 +930,6 @@ tcphdr_t *tcp; if (seq == end) seq = end = fdata->td_end; - win <<= fdata->td_wscale; maxwin = tdata->td_maxwin; ackskew = tdata->td_end - ack; @@ -1459,7 +1464,7 @@ icmp6again: rev = fin->fin_rev; if (is->is_frage[rev] != 0) is->is_age = is->is_frage[rev]; - else if (fin->fin_rev) + else if (rev != 0) is->is_age = fr_icmpacktimeout; else is->is_age = fr_icmptimeout; diff --git a/sys/contrib/ipfilter/netinet/ipl.h b/sys/contrib/ipfilter/netinet/ipl.h index 8548710..24245b0 100644 --- a/sys/contrib/ipfilter/netinet/ipl.h +++ b/sys/contrib/ipfilter/netinet/ipl.h @@ -10,6 +10,6 @@ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.4.27" +#define IPL_VERSION "IP Filter: v3.4.28" #endif |