From 3aab5fb9fd5d3200009207f552a48b8100b853b2 Mon Sep 17 00:00:00 2001 From: darrenr Date: Wed, 28 Aug 2002 13:42:48 +0000 Subject: With a bit of luck, this will be a first-time right import of ipfilter 3.4.29 on to the vendor branch. --- contrib/ipfilter/BSD/Makefile | 9 +- contrib/ipfilter/HISTORY | 23 +++++ contrib/ipfilter/fil.c | 17 +++- contrib/ipfilter/fils.c | 8 +- contrib/ipfilter/ip_compat.h | 5 +- contrib/ipfilter/ip_fil.c | 23 ++++- contrib/ipfilter/ip_frag.c | 21 ++-- contrib/ipfilter/ip_frag.h | 6 +- contrib/ipfilter/ip_ftp_pxy.c | 190 ++++++++++++++++++++++++++++++------- contrib/ipfilter/ip_h323_pxy.c | 1 + contrib/ipfilter/ip_nat.c | 13 ++- contrib/ipfilter/ip_nat.h | 3 +- contrib/ipfilter/ip_proxy.c | 94 +++++++++++++++--- contrib/ipfilter/ip_proxy.h | 4 +- contrib/ipfilter/ip_sfil.c | 19 +++- contrib/ipfilter/ip_state.c | 14 ++- contrib/ipfilter/ip_state.h | 5 +- contrib/ipfilter/ipf.c | 6 +- contrib/ipfilter/ipft_ef.c | 12 +-- contrib/ipfilter/ipft_td.c | 6 +- contrib/ipfilter/ipft_tx.c | 6 +- contrib/ipfilter/ipl.h | 4 +- contrib/ipfilter/ipmon.c | 6 +- contrib/ipfilter/kmem.c | 23 +++-- contrib/ipfilter/man/ipmon.8 | 7 +- contrib/ipfilter/man/ipnat.5 | 9 ++ contrib/ipfilter/parse.c | 4 +- contrib/ipfilter/printnat.c | 7 +- contrib/ipfilter/rules/example.9 | 2 +- contrib/ipfilter/test/expected/f13 | 12 +++ contrib/ipfilter/test/input/f13 | 14 ++- 31 files changed, 435 insertions(+), 138 deletions(-) diff --git a/contrib/ipfilter/BSD/Makefile b/contrib/ipfilter/BSD/Makefile index 835d233..4d97a9b 100644 --- a/contrib/ipfilter/BSD/Makefile +++ b/contrib/ipfilter/BSD/Makefile @@ -231,7 +231,7 @@ clean: ${RM} -f *.core *.o ipt fils ipf ipfstat ipftest ipmon if_ipl ipnat \ vnode_if.h $(LKM) ioconf.h *.ko setdef1.c setdef0.c setdefs.h \ y.tab.? lex.yy.c ipfs - ${RM} -f ../opt_inet6.h + ${RM} -f ../opt_inet6.h ../ipftest ../ipmon ../ipf ../ipnat ${MAKE} -f Makefile.ipsend ${MFLAGS} clean -(for i in *; do \ 
@@ -243,8 +243,11 @@ clean: done) install: - -$(CP) $(TOP)/ip_fil.h /usr/include/netinet/ip_fil.h - -$(CHMOD) 444 /usr/include/netinet/ip_fil.h + for i in ip_compat.h ip_fil.h ip_nat.h ip_state.h ip_proxy.h \ + ip_frag.h ip_auth.h; do \ + /bin/cp $(TOP)/$$i /usr/include/netinet/; \ + -$(CHMOD) 444 /usr/include/netinet/$$i; \ + done -if [ -d /lkm -a -f if_ipl.o ] ; then \ cp if_ipl.o /lkm; \ fi diff --git a/contrib/ipfilter/HISTORY b/contrib/ipfilter/HISTORY index 0369d3f..75026a0 100644 --- a/contrib/ipfilter/HISTORY +++ b/contrib/ipfilter/HISTORY @@ -22,6 +22,29 @@ # and especially those who have found the time to port IP Filter to new # platforms. # +3.4.29 28/8/2002 - Released + +Make substantial changes to the FTP proxy to improve reliability, security +and functionality. + +don't send ICMP errors/TCP RST's in response to blocked proxy packets + +fix potential memory leaks when unloading ipfilter from kernel + +fix bug in SIOCGNATL handler that did not preserve the expected +byte order from earlier versions in the port number + +set do not fragment flag in generated packets according to system flags, +where available. + +preserve filter rule number and group number in state structure + +fix bug in ipmon printing of p/P/b/B + +make some changes to the kmem.c code for IRIX compatibility + +add code to specifically handle ip.tun* interfaces on Solaris + 3.4.28 6/6/2002 - Released Fix for H.323 proxy to work on little endian boxes diff --git a/contrib/ipfilter/fil.c b/contrib/ipfilter/fil.c index ed319d4..146e70a 100644 --- a/contrib/ipfilter/fil.c +++ b/contrib/ipfilter/fil.c @@ -97,7 +97,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fil.c 1.36 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $"; #endif #ifndef _KERNEL 
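Review bot: The new install loop keeps make's leading `-` (ignore-errors) prefix on the `-$(CHMOD) 444 /usr/include/netinet/$$i; \` line, but inside a `for` body that character is passed to the shell as part of the command name, so it expands to something like `-chmod 444 ...` and fails with "command not found" instead of setting the mode; the prefix was only valid on the old stand-alone recipe line. Drop it and use the macro for the copy too, for consistency with the rest of the file: `$(CP) $(TOP)/$$i /usr/include/netinet/; \` and `$(CHMOD) 444 /usr/include/netinet/$$i; \`. If chmod failures are meant to be tolerated, put the `-` on the `for` line itself or append `|| true` to the chmod.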
@@ -1076,7 +1076,7 @@ int out; fin->fin_fr = fr; if ((pass & (FR_KEEPFRAG|FR_KEEPSTATE)) == FR_KEEPFRAG) { if (fin->fin_fl & FI_FRAG) { - if (ipfr_newfrag(ip, fin, pass) == -1) { + if (ipfr_newfrag(ip, fin) == -1) { ATOMIC_INCL(frstats[out].fr_bnfr); } else { ATOMIC_INCL(frstats[out].fr_nfr); @@ -1191,7 +1191,16 @@ logit: * some operating systems. */ if (!out) { - if (pass & FR_RETICMP) { + if (changed == -1) + /* + * If a packet results in a NAT error, do not + * send a reset or ICMP error as it may disrupt + * an existing flow. This is the proxy saying + * the content is bad so just drop the packet + * silently. + */ + ; + else if (pass & FR_RETICMP) { int dst; if ((pass & FR_RETMASK) == FR_FAKEICMP) @@ -1501,7 +1510,7 @@ nodata: * SUCH DAMAGE. * * @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94 - * $Id: fil.c,v 2.35.2.61 2002/06/05 08:18:09 darrenr Exp $ + * $Id: fil.c,v 2.35.2.63 2002/08/28 12:40:08 darrenr Exp $ */ /* * Copy data from an mbuf chain starting "off" bytes from the beginning, diff --git a/contrib/ipfilter/fils.c b/contrib/ipfilter/fils.c index dcf74e5..e6bf11f 100644 --- a/contrib/ipfilter/fils.c +++ b/contrib/ipfilter/fils.c @@ -94,7 +94,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)fils.c 1.21 4/20/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.35 2002/04/03 14:18:36 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: fils.c,v 2.21.2.36 2002/06/27 14:29:16 darrenr Exp $"; #endif extern char *optarg; @@ -197,7 +197,7 @@ char *argv[]; ipfrstat_t *ifrstp = &ifrst; char *device = IPL_NAME, *memf = NULL; char *kern = NULL; - int c, fd, myoptind; + int c, myoptind; struct protoent *proto; int protocol = -1; /* -1 = wild card for any protocol */ 
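Review bot: In the `@@ -1191` hunk the `changed == -1` case is an `if` whose body is a bare `;` separated from its condition by a seven-line comment, which reads like a missing statement and is exactly the shape the brace-every-body rule exists to catch. Make the deliberate no-op explicit, e.g. `if (changed == -1) {` / `/* NAT/proxy rejected the packet: drop silently, no RST or ICMP. */` / `} else if (pass & FR_RETICMP) {`, leaving the rest of the chain unchanged. `changed` is assigned earlier in the enclosing function, outside the hunk, so this assumes -1 is produced only by the proxy path the comment describes.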
@@ -354,8 +354,8 @@ char *argv[]; bzero((char *)&ipsst, sizeof(ipsst)); bzero((char *)&ifrst, sizeof(ifrst)); - fd = ipfstate_live(device, &fiop, &ipsstp, &ifrstp, - &frauthstp, &frf); + ipfstate_live(device, &fiop, &ipsstp, &ifrstp, + &frauthstp, &frf); } else ipfstate_dead(kern, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf); diff --git a/contrib/ipfilter/ip_compat.h b/contrib/ipfilter/ip_compat.h index 81690a7..4d8cfaf 100644 --- a/contrib/ipfilter/ip_compat.h +++ b/contrib/ipfilter/ip_compat.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_compat.h 1.8 1/14/96 - * $Id: ip_compat.h,v 2.26.2.45 2002/06/04 14:40:54 darrenr Exp $ + * $Id: ip_compat.h,v 2.26.2.46 2002/06/27 14:39:40 darrenr Exp $ */ #ifndef __IP_COMPAT_H__ @@ -186,6 +186,9 @@ typedef struct qif { */ size_t qf_hl; /* header length */ int qf_sap; +# if SOLARIS2 >= 8 + int qf_tunoff; /* tunnel offset */ +#endif size_t qf_incnt; size_t qf_outcnt; } qif_t; diff --git a/contrib/ipfilter/ip_fil.c b/contrib/ipfilter/ip_fil.c index 5238356..90bcb82 100644 --- a/contrib/ipfilter/ip_fil.c +++ b/contrib/ipfilter/ip_fil.c @@ -120,7 +120,7 @@ extern int ip_optcopy __P((struct ip *, struct ip *)); #if !defined(lint) static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.58 2002/06/06 10:47:27 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_fil.c,v 2.42.2.60 2002/08/28 12:40:39 darrenr Exp $"; #endif @@ -157,6 +157,7 @@ static int ipfr_fastroute6 __P((struct mbuf *, struct mbuf **, fr_info_t *, frdest_t *)); # endif # ifdef __sgi +extern int tcp_mtudisc; extern kmutex_t ipf_rw; extern KRWLOCK_T ipf_mutex; # endif @@ -482,7 +483,7 @@ int ipl_disable() int ipldetach() # endif { - int s, i = FR_INQUE|FR_OUTQUE; + int s, i; #if defined(NETBSD_PF) && (__NetBSD_Version__ >= 104200000) int error = 0; # if __NetBSD_Version__ >= 105150000 
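Review bot: `ipfstate_live(...)` now has its return value dropped entirely; the old code at least stored it in `fd`, even if unused. If that function reports an open failure through its return value, the failure is now silently ignored and the code below works on zeroed statistics; if it exits on failure internally, a `(void) ipfstate_live(device, &fiop, &ipsstp, &ifrstp, &frauthstp, &frf);` cast would document that the value is deliberately discarded, matching the `(void)` style used elsewhere in this tree. Its definition is outside the hunk, so which case applies cannot be confirmed here.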
@@ -523,7 +524,8 @@ int ipldetach() printf("%s unloaded\n", ipfilter_version); fr_checkp = fr_savep; - i = frflush(IPL_LOGIPF, i); + i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE); + i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE); fr_running = 0; # ifdef NETBSD_PF @@ -1244,7 +1246,17 @@ struct mbuf **mp; ip->ip_v = IPVERSION; ip->ip_tos = oip->ip_tos; ip->ip_id = oip->ip_id; - ip->ip_off = 0; + +# if defined(__NetBSD__) || defined(__OpenBSD__) + if (ip_mtudisc != 0) + ip->ip_off = IP_DF; +# else +# if defined(__sgi) + if (ip->ip_p == IPPROTO_TCP && tcp_mtudisc != 0) + ip->ip_off = IP_DF; +# endif +# endif + # if (BSD < 199306) || defined(__sgi) ip->ip_ttl = tcp_ttl; # else @@ -1671,7 +1683,8 @@ frdest_t *fdp; */ if (ip->ip_len <= ifp->if_mtu) { # ifndef sparc -# if (!defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510)) +# if (!defined(__FreeBSD__) && !(_BSDI_VERSION >= 199510)) && \ + !(__NetBSD_Version__ >= 105110000) ip->ip_id = htons(ip->ip_id); # endif ip->ip_len = htons(ip->ip_len); diff --git a/contrib/ipfilter/ip_frag.c b/contrib/ipfilter/ip_frag.c index f240cd9..bed47b7 100644 --- a/contrib/ipfilter/ip_frag.c +++ b/contrib/ipfilter/ip_frag.c @@ -90,7 +90,7 @@ extern struct timeout ipfr_slowtimer_ch; #if !defined(lint) static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.21 2002/04/10 04:56:10 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.24 2002/08/28 12:41:04 darrenr Exp $"; #endif @@ -120,7 +120,7 @@ extern kmutex_t ipf_rw; #endif -static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, u_int, ipfr_t **)); +static ipfr_t *ipfr_new __P((ip_t *, fr_info_t *, ipfr_t **)); static ipfr_t *ipfr_lookup __P((ip_t *, fr_info_t *, ipfr_t **)); static void ipfr_delete __P((ipfr_t *)); 
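Review bot: In the `@@ -1244` hunk the unconditional `ip->ip_off = 0;` is removed, but the replacement assigns `ip_off` only on NetBSD/OpenBSD when `ip_mtudisc != 0` and on IRIX for TCP when `tcp_mtudisc != 0`; on every other platform, and on those platforms when the flag is off, `ip_off` is left holding whatever the mbuf contained, so the generated packet can carry a stray fragment offset or MF/DF bit unless the header was zeroed earlier in this function (outside the hunk). Keep the reset ahead of the conditional block: `ip->ip_off = 0;` immediately before `# if defined(__NetBSD__) || defined(__OpenBSD__)`. Also, the IRIX branch reads `ip->ip_p`; the visible lines only assign `ip_v`, `ip_tos` and `ip_id`, so confirm `ip_p` is set before this point.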
@@ -138,10 +138,9 @@ ipfrstat_t *ipfr_fragstats() * add a new entry to the fragment cache, registering it as having come * through this box, with the result of the filter operation. */ -static ipfr_t *ipfr_new(ip, fin, pass, table) +static ipfr_t *ipfr_new(ip, fin, table) ip_t *ip; fr_info_t *fin; -u_int pass; ipfr_t *table[]; { ipfr_t **fp, *fra, frag; @@ -198,7 +197,7 @@ ipfr_t *table[]; /* * Instert the fragment into the fragment table, copy the struct used * in the search using bcopy rather than reassign each field. - * Set the ttl to the default and mask out logging from "pass" + * Set the ttl to the default. */ if ((fra->ipfr_next = table[idx])) table[idx]->ipfr_prev = fra; @@ -220,17 +219,16 @@ ipfr_t *table[]; } -int ipfr_newfrag(ip, fin, pass) +int ipfr_newfrag(ip, fin) ip_t *ip; fr_info_t *fin; -u_int pass; { ipfr_t *ipf; if ((ip->ip_v != 4) || (fr_frag_lock)) return -1; WRITE_ENTER(&ipf_frag); - ipf = ipfr_new(ip, fin, pass, ipfr_heads); + ipf = ipfr_new(ip, fin, ipfr_heads); RWLOCK_EXIT(&ipf_frag); if (ipf == NULL) { ATOMIC_INCL(frstats[fin->fin_out].fr_bnfr); @@ -241,10 +239,9 @@ u_int pass; } -int ipfr_nat_newfrag(ip, fin, pass, nat) +int ipfr_nat_newfrag(ip, fin, nat) ip_t *ip; fr_info_t *fin; -u_int pass; nat_t *nat; { ipfr_t *ipf; @@ -256,10 +253,10 @@ nat_t *nat; off = fin->fin_off; off <<= 3; if ((off + fin->fin_dlen) > 0xffff || (fin->fin_dlen == 0)) - return NULL; + return -1; WRITE_ENTER(&ipf_natfrag); - ipf = ipfr_new(ip, fin, pass, ipfr_nattab); + ipf = ipfr_new(ip, fin, ipfr_nattab); if (ipf != NULL) { ipf->ipfr_data = nat; nat->nat_data = ipf; diff --git a/contrib/ipfilter/ip_frag.h b/contrib/ipfilter/ip_frag.h index 03f41f8..4bd6b52 100644 --- a/contrib/ipfilter/ip_frag.h +++ b/contrib/ipfilter/ip_frag.h 
@@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_frag.h 1.5 3/24/96 - * $Id: ip_frag.h,v 2.4.2.6 2002/01/01 15:09:38 darrenr Exp $ + * $Id: ip_frag.h,v 2.4.2.7 2002/07/06 14:17:51 darrenr Exp $ */ #ifndef __IP_FRAG_H__ @@ -48,8 +48,8 @@ typedef struct ipfrstat { extern int fr_ipfrttl; extern int fr_frag_lock; extern ipfrstat_t *ipfr_fragstats __P((void)); -extern int ipfr_newfrag __P((ip_t *, fr_info_t *, u_int)); -extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, u_int, struct nat *)); +extern int ipfr_newfrag __P((ip_t *, fr_info_t *)); +extern int ipfr_nat_newfrag __P((ip_t *, fr_info_t *, struct nat *)); extern nat_t *ipfr_nat_knownfrag __P((ip_t *, fr_info_t *)); extern frentry_t *ipfr_knownfrag __P((ip_t *, fr_info_t *)); extern void ipfr_forget __P((void *)); diff --git a/contrib/ipfilter/ip_ftp_pxy.c b/contrib/ipfilter/ip_ftp_pxy.c index f2603e0..a5a27be 100644 --- a/contrib/ipfilter/ip_ftp_pxy.c +++ b/contrib/ipfilter/ip_ftp_pxy.c @@ -2,7 +2,7 @@ * Simple FTP transparent proxy for in-kernel use. For use with the NAT * code. * - * $Id: ip_ftp_pxy.c,v 2.7.2.36 2002/06/06 10:44:40 darrenr Exp $ + * $Id: ip_ftp_pxy.c,v 2.7.2.38 2002/08/28 12:45:47 darrenr Exp $ */ #if SOLARIS && defined(_KERNEL) extern kmutex_t ipf_rw; @@ -294,7 +294,7 @@ int dlen; ip->ip_len = slen; ip->ip_src = swip; } - return APR_INC(inc); + return inc; } @@ -577,7 +577,7 @@ int dlen; wptr = f->ftps_wptr; if (!isdigit(*rptr) || !isdigit(*(rptr + 1)) || !isdigit(*(rptr + 2))) - return inc; + return 0; if (ftp->ftp_passok == FTPXY_GO) { if (!strncmp(rptr, "227 ", 4)) inc = ippr_ftp_pasv(fin, ip, nat, f, dlen); @@ -717,6 +717,10 @@ size_t len; } +/* + * rv == 0 for outbound processing, + * rv == 1 for inbound processing. + */ int ippr_ftp_process(fin, ip, nat, ftp, rv) fr_info_t *fin; ip_t *ip; 
@@ -724,15 +728,16 @@ nat_t *nat; ftpinfo_t *ftp; int rv; { - int mlen, len, off, inc, i, sel; + int mlen, len, off, inc, i, sel, sel2, ok, ackoff, seqoff; + u_32_t thseq, thack; char *rptr, *wptr; + ap_session_t *aps; ftpside_t *f, *t; tcphdr_t *tcp; mb_t *m; tcp = (tcphdr_t *)fin->fin_dp; off = fin->fin_hlen + (tcp->th_off << 2); - #if SOLARIS && defined(_KERNEL) m = fin->fin_qfm; #else 
@@ -750,46 +755,149 @@ int rv; #endif mlen -= off; + aps = nat->nat_aps; t = &ftp->ftp_side[1 - rv]; f = &ftp->ftp_side[rv]; - if (!mlen) { - if (!t->ftps_seq || - (int)ntohl(tcp->th_ack) - (int)t->ftps_seq > 0) - t->ftps_seq = ntohl(tcp->th_ack); - f->ftps_len = 0; - return 0; - } - - rptr = f->ftps_rptr; - wptr = f->ftps_wptr; - - i = 0; - sel = nat->nat_aps->aps_sel[1 - rv]; - if (rv) { - if (nat->nat_aps->aps_ackmin[sel] < ntohl(tcp->th_seq)) - i = nat->nat_aps->aps_ackoff[sel]; + thseq = ntohl(tcp->th_seq); + thack = ntohl(tcp->th_ack); + + sel = aps->aps_sel[1 - rv]; + sel2 = aps->aps_sel[rv]; + if (rv == 0) { + seqoff = aps->aps_seqoff[sel]; + if (aps->aps_seqmin[sel] > seqoff + thseq) + seqoff = aps->aps_seqoff[!sel]; + ackoff = aps->aps_ackoff[sel2]; + if (aps->aps_ackmin[sel2] > ackoff + thack) + ackoff = aps->aps_ackoff[!sel2]; } else { - if (nat->nat_aps->aps_seqmin[sel] < ntohl(tcp->th_seq)) - i = nat->nat_aps->aps_seqoff[sel]; +#if PROXY_DEBUG + printf("seqoff %d thseq %x ackmin %x\n", seqoff, thseq, + aps->aps_ackmin[sel]); +#endif + seqoff = aps->aps_ackoff[sel]; + if (aps->aps_ackmin[sel] > seqoff + thseq) + seqoff = aps->aps_ackoff[!sel]; + +#if PROXY_DEBUG + printf("ackoff %d thack %x seqmin %x\n", ackoff, thack, + aps->aps_seqmin[sel2]); +#endif + ackoff = aps->aps_seqoff[sel2]; + if (ackoff > 0) { + if (aps->aps_seqmin[sel2] > ackoff + thack) + ackoff = aps->aps_seqoff[!sel2]; + } else { + if (aps->aps_seqmin[sel2] > thack) + ackoff = aps->aps_seqoff[!sel2]; + } } +#if PROXY_DEBUG + printf("%s: %x seq %x/%d ack %x/%d len %d\n", rv ? 
"IN" : "OUT", + tcp->th_flags, thseq, seqoff, thack, ackoff, mlen); + printf("sel %d seqmin %x/%x offset %d/%d\n", sel, + aps->aps_seqmin[sel], aps->aps_seqmin[sel2], + aps->aps_seqoff[sel], aps->aps_seqoff[sel2]); + printf("sel %d ackmin %x/%x offset %d/%d\n", sel2, + aps->aps_ackmin[sel], aps->aps_ackmin[sel2], + aps->aps_ackoff[sel], aps->aps_ackoff[sel2]); +#endif + /* * XXX - Ideally, this packet should get dropped because we now know * that it is out of order (and there is no real danger in doing so * apart from causing packets to go through here ordered). */ - if (f->ftps_len + f->ftps_seq == ntohl(tcp->th_seq)) - f->ftps_seq = ntohl(tcp->th_seq); +#if PROXY_DEBUG + printf("rv %d t:seq[0] %x seq[1] %x %d/%d\n", + rv, t->ftps_seq[0], t->ftps_seq[1], seqoff, ackoff); +#endif + + ok = 0; + if (t->ftps_seq[0] == 0) + t->ftps_seq[0] = thack, ok = 1; else { - inc = ntohl(tcp->th_seq) - f->ftps_seq; - if (inc < 0) - inc = -inc; - if (i < 0) - i = -i; - if (inc > i) { + if (ackoff == 0) { + if (t->ftps_seq[0] == thack) + ok = 1; + else if (t->ftps_seq[1] == thack) { + t->ftps_seq[0] = thack; + ok = 1; + } + } else { + if (t->ftps_seq[0] + ackoff == thack) + ok = 1; + else if (t->ftps_seq[0] == thack + ackoff) + ok = 1; + else if (t->ftps_seq[1] + ackoff == thack) { + t->ftps_seq[0] = thack - ackoff; + ok = 1; + } else if (t->ftps_seq[1] == thack + ackoff) { + t->ftps_seq[0] = thack - ackoff; + ok = 1; + } + } + } + +#if PROXY_DEBUG + if (!ok) + printf("not ok\n"); +#endif + + if (!mlen) { + if (t->ftps_seq[0] + ackoff != thack) return APR_ERR(1); + +#if PROXY_DEBUG + printf("f:seq[0] %x seq[1] %x\n", f->ftps_seq[0], f->ftps_seq[1]); +#endif + if (tcp->th_flags & TH_FIN) { + if (thseq + seqoff == f->ftps_seq[0] + 1 || + f->ftps_seq[0] + seqoff + 1 == thseq || + thseq + seqoff == f->ftps_seq[0] || + thseq == f->ftps_seq[0] + seqoff) + ; + else { +#if PROXY_DEBUG + printf("FIN: thseq %x seqoff %d ftps_seq %x\n", + thseq, seqoff, f->ftps_seq[0]); +#endif + return 
APR_ERR(1); + } } + f->ftps_len = 0; + return 0; } + + ok = 0; + if (thseq == f->ftps_seq[0] || thseq == f->ftps_seq[1]) + ok = 1; + /* + * Retransmitted data packet. + */ + else if (thseq + mlen == f->ftps_seq[0] || + thseq + mlen == f->ftps_seq[1]) + ok = 1; + if (ok == 0) { + inc = thseq - f->ftps_seq[0]; +#if PROXY_DEBUG + printf("inc %d sel %d rv %d\n", inc, sel, rv); + printf("th_seq %x ftps_seq %x/%x\n", thseq, f->ftps_seq[0], + f->ftps_seq[1]); + printf("ackmin %x ackoff %d\n", aps->aps_ackmin[sel], + aps->aps_ackoff[sel]); + printf("seqmin %x seqoff %d\n", aps->aps_seqmin[sel], + aps->aps_seqoff[sel]); +#endif + + return APR_ERR(1); + } + inc = 0; + rptr = f->ftps_rptr; + wptr = f->ftps_wptr; + f->ftps_seq[0] = thseq; + f->ftps_seq[1] = f->ftps_seq[0] + mlen; f->ftps_len = mlen; while (mlen > 0) { @@ -833,6 +941,7 @@ int rv; * ftp proxy for this connection. */ if ((f->ftps_cmds == 0) && (f->ftps_junk == 1)) { + /* f->ftps_seq[1] += inc; */ return APR_ERR(2); } @@ -873,7 +982,24 @@ int rv; } } - t->ftps_seq = ntohl(tcp->th_ack); + /* f->ftps_seq[1] += inc; */ + if (tcp->th_flags & TH_FIN) + f->ftps_seq[1]++; +#ifndef _KERNEL + mlen = mbuflen(m); +#else +# if SOLARIS + mlen = msgdsize(m); +# else + mlen = mbufchainlen(m); +# endif +#endif + off = fin->fin_hlen + (tcp->th_off << 2); + mlen -= off; +#if PROXY_DEBUG + printf("ftps_seq[1] = %x inc %d len %d\n", f->ftps_seq[1], inc, mlen); +#endif + f->ftps_rptr = rptr; f->ftps_wptr = wptr; return APR_INC(inc); diff --git a/contrib/ipfilter/ip_h323_pxy.c b/contrib/ipfilter/ip_h323_pxy.c index ec9b2fe..8d8ef92 100644 --- a/contrib/ipfilter/ip_h323_pxy.c +++ b/contrib/ipfilter/ip_h323_pxy.c @@ -9,6 +9,7 @@ * authorized by a written license agreement from QSSL. For more information, * please email licensing@qnx.com. * + * For more details, see QNX_OCL.txt provided with this distribution. */ /* diff --git a/contrib/ipfilter/ip_nat.c b/contrib/ipfilter/ip_nat.c index da5235a..854c68d 100644 
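Review bot: In the inbound (`rv != 0`) branch of the `@@ -750` hunk, the two PROXY_DEBUG `printf`s read `seqoff` and `ackoff` before those variables are assigned (`seqoff = aps->aps_ackoff[sel];` and `ackoff = aps->aps_seqoff[sel2];` each come after the print that reports them), and both are declared without initialisers in the `@@ -724` hunk, so a debug build prints indeterminate values, which is undefined behaviour. Move each `printf` below the assignment it reports, or initialise both with `= 0` at declaration. Separately, the `ok` computed by the ack-validation block (`if (t->ftps_seq[0] == 0) ... else { ... }`) is consulted only by `printf("not ok\n")` and is then reset to 0, so the only check that rejects a bad ack is `t->ftps_seq[0] + ackoff != thack` on the zero-length path; if data packets with an unexpected ack are meant to be dropped as well, `ok` needs to gate a `return APR_ERR(1)` here. ippr_ftp_process begins in the `@@ -717` hunk and its body continues past the end of this one.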
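Review bot: At the end of the `@@ -873` hunk `mlen` is recomputed from the mbuf chain (`mbuflen`/`msgdsize`/`mbufchainlen`) and `off` is recalculated, but the result is used only inside `#if PROXY_DEBUG`, so in the normal build the chain walk is pure overhead on every FTP control packet; move the recomputation inside the same `#if PROXY_DEBUG` block as the `printf`. The hunk also leaves `/* f->ftps_seq[1] += inc; */` as commented-out code, as does the `@@ -833` hunk above it; delete both, or replace them with a one-line comment stating why the sequence advance is not applied there.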
--- a/contrib/ipfilter/ip_nat.c +++ b/contrib/ipfilter/ip_nat.c @@ -109,7 +109,7 @@ extern struct ifnet vpnif; #if !defined(lint) static const char sccsid[] = "@(#)ip_nat.c 1.11 6/5/96 (C) 1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.68 2002/06/04 14:46:08 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.37.2.70 2002/08/28 12:45:48 darrenr Exp $"; #endif nat_t **nat_table[2] = { NULL, NULL }, @@ -2265,8 +2265,8 @@ register natlookup_t *np; fr_info_t fi; bzero((char *)&fi, sizeof(fi)); - fi.fin_data[0] = np->nl_inport; - fi.fin_data[1] = np->nl_outport; + fi.fin_data[0] = ntohs(np->nl_inport); + fi.fin_data[1] = ntohs(np->nl_outport); /* * If nl_inip is non null, this is a lookup based on the real @@ -2448,7 +2448,7 @@ maskloop: if (nat) { np = nat->nat_ptr; if (natadd && (fin->fin_fl & FI_FRAG) && np) - ipfr_nat_newfrag(ip, fin, 0, nat); + ipfr_nat_newfrag(ip, fin, nat); MUTEX_ENTER(&nat->nat_lock); if (fin->fin_p != IPPROTO_TCP) { if (np && np->in_age[1]) @@ -2540,6 +2540,8 @@ maskloop: i = appr_check(ip, fin, nat); if (i == 0) i = 1; + else if (i == -1) + nat->nat_drop[1]++; } else i = 1; ATOMIC_INCL(nat_stats.ns_mapped[1]); @@ -2664,11 +2666,12 @@ maskloop: np = nat->nat_ptr; fin->fin_fr = nat->nat_fr; if (natadd && (fin->fin_fl & FI_FRAG) && np) - ipfr_nat_newfrag(ip, fin, 0, nat); + ipfr_nat_newfrag(ip, fin, nat); if (np && (np->in_apr != NULL) && (np->in_dport == 0 || (tcp != NULL && sport == np->in_dport))) { i = appr_check(ip, fin, nat); if (i == -1) { + nat->nat_drop[0]++; RWLOCK_EXIT(&ipf_nat); return i; } diff --git a/contrib/ipfilter/ip_nat.h b/contrib/ipfilter/ip_nat.h index b3b0b27..e1b160f 100644 --- a/contrib/ipfilter/ip_nat.h +++ b/contrib/ipfilter/ip_nat.h 
@@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_nat.h 1.5 2/4/96 - * $Id: ip_nat.h,v 2.17.2.26 2002/04/20 16:42:05 darrenr Exp $ + * $Id: ip_nat.h,v 2.17.2.27 2002/08/28 12:45:51 darrenr Exp $ */ #ifndef __IP_NAT_H__ @@ -77,6 +77,7 @@ typedef struct nat { struct in_addr nat_oip; /* other ip */ U_QUAD_T nat_pkts; U_QUAD_T nat_bytes; + u_int nat_drop[2]; u_short nat_oport; /* other port */ u_short nat_inport; u_short nat_outport; diff --git a/contrib/ipfilter/ip_proxy.c b/contrib/ipfilter/ip_proxy.c index 2051f2a..f36753a 100644 --- a/contrib/ipfilter/ip_proxy.c +++ b/contrib/ipfilter/ip_proxy.c @@ -75,7 +75,7 @@ #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.23 2002/06/04 14:45:42 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_proxy.c,v 2.9.2.24 2002/08/28 12:45:51 darrenr Exp $"; #endif #if defined(_KERNEL) && (SOLARIS || defined(__sgi)) @@ -89,6 +89,8 @@ extern KRWLOCK_T ipf_nat, ipf_state; static int appr_fixseqack __P((fr_info_t *, ip_t *, ap_session_t *, int )); +#define PROXY_DEBUG 0 + #define AP_SESS_SIZE 53 #include "netinet/ip_ftp_pxy.c" @@ -313,9 +315,19 @@ nat_t *nat; sum = fr_tcpsum(*(mb_t **)fin->fin_mp, ip, tcp); #endif if (sum != tcp->th_sum) { +#if PROXY_DEBUG + printf("proxy tcp checksum failure\n"); +#endif frstats[fin->fin_out].fr_tcpbad++; return -1; } + + /* + * Don't both the proxy with these...or in fact, should + * we free up proxy stuff when seen? + */ + if ((tcp->th_flags & TH_RST) != 0) + return 0; } apr = aps->aps_apr; @@ -329,9 +341,16 @@ nat_t *nat; } rv = APR_EXIT(err); - if (rv == 1) + if (rv == 1) { +#if PROXY_DEBUG + printf("proxy says bad packet received\n"); +#endif return -1; + } if (rv == 2) { +#if PROXY_DEBUG + printf("proxy says free app proxy data\n"); +#endif appr_free(apr); nat->nat_aps = NULL; return -1; 
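Review bot: The new `u_int nat_drop[2];` member in the `@@ -77` hunk is the only field in this part of `struct nat` without a trailing comment, while its neighbours document themselves (`/* other ip */`, `/* other port */`). Add one that fixes the index meaning, e.g. `u_int nat_drop[2]; /* packets rejected by proxy: [0] in, [1] out */`; the in/out assignment is inferred from where ip_nat.c increments `nat_drop[0]` and `nat_drop[1]` in this commit and should be confirmed. Inserting a field in the middle of `struct nat` also changes the layout that userland tools presumably read out of kernel memory, so they must be rebuilt against the new header.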
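Review bot: `#define PROXY_DEBUG 0` in the `@@ -89` hunk is unconditional, so building with `-DPROXY_DEBUG=1` to enable the new diagnostics triggers a redefinition and the file-level 0 wins; guard it with `#ifndef PROXY_DEBUG` / `#define PROXY_DEBUG 0` / `#endif`. In the `@@ -313` hunk the comment above the `TH_RST` early return reads `Don't both the proxy` (typo for "bother") and leaves an open question in the code; state the decision instead, e.g. `/* RST carries no payload for the proxy; pass it through unmodified. */`, and if freeing the proxy session on RST is still intended, record that as an explicit TODO.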
@@ -412,6 +431,9 @@ ap_session_t *aps; } +/* + * returns 2 if ack or seq number in TCP header is changed, returns 0 otherwise + */ static int appr_fixseqack(fin, ip, aps, inc) fr_info_t *fin; ip_t *ip; @@ -425,8 +447,12 @@ int inc; tcp = (tcphdr_t *)fin->fin_dp; out = fin->fin_out; + /* + * ip_len has already been adjusted by 'inc'. + */ nlen = ip->ip_len; nlen -= (ip->ip_hl << 2) + (tcp->th_off << 2); + inc2 = inc; inc = (int)inc2; @@ -436,8 +462,13 @@ int inc; /* switch to other set ? */ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && - (seq1 > aps->aps_seqmin[!sel])) + (seq1 > aps->aps_seqmin[!sel])) { +#if PROXY_DEBUG + printf("proxy out switch set seq %d -> %d %x > %x\n", + sel, !sel, seq1, aps->aps_seqmin[!sel]); +#endif sel = aps->aps_sel[out] = !sel; +} if (aps->aps_seqoff[sel]) { seq2 = aps->aps_seqmin[sel] - aps->aps_seqoff[sel]; @@ -450,8 +481,13 @@ int inc; } if (inc && (seq1 > aps->aps_seqmin[!sel])) { - aps->aps_seqmin[!sel] = seq1 + nlen - 1; - aps->aps_seqoff[!sel] = aps->aps_seqoff[sel] + inc; + aps->aps_seqmin[sel] = seq1 + nlen - 1; + aps->aps_seqoff[sel] = aps->aps_seqoff[sel] + inc; +#if PROXY_DEBUG + printf("proxy seq set %d at %x to %d + %d\n", sel, + aps->aps_seqmin[sel], aps->aps_seqoff[sel], + inc); +#endif } /***/ @@ -461,8 +497,13 @@ int inc; /* switch to other set ? */ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && - (seq1 > aps->aps_ackmin[!sel])) + (seq1 > aps->aps_ackmin[!sel])) { +#if PROXY_DEBUG + printf("proxy out switch set ack %d -> %d %x > %x\n", + sel, !sel, seq1, aps->aps_ackmin[!sel]); +#endif sel = aps->aps_sel[1 - out] = !sel; +} if (aps->aps_ackoff[sel] && (seq1 > aps->aps_ackmin[sel])) { seq2 = aps->aps_ackoff[sel]; 
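Review bot: In the `@@ -436` hunk the brace closing the newly braced `if (...) {` block is emitted flush left (`+}` at column 0 inside appr_fixseqack), which visually closes the function rather than the `if`; the same flush-left `}` appears in the `@@ -461` hunk here and in the `@@ -475` and `@@ -501` hunks that follow. Indent each to the level of the `if` it closes so the structure reads correctly without counting braces. appr_fixseqack's body continues past the end of this hunk.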
@@ -475,12 +516,16 @@ int inc; /* switch to other set ? */ if ((aps->aps_ackmin[!sel] > aps->aps_ackmin[sel]) && - (seq1 > aps->aps_ackmin[!sel])) + (seq1 > aps->aps_ackmin[!sel])) { +#if PROXY_DEBUG + printf("proxy in switch set ack %d -> %d %x > %x\n", + sel, !sel, seq1, aps->aps_ackmin[!sel]); +#endif sel = aps->aps_sel[out] = !sel; +} if (aps->aps_ackoff[sel]) { - seq2 = aps->aps_ackmin[sel] - - aps->aps_ackoff[sel]; + seq2 = aps->aps_ackmin[sel] - aps->aps_ackoff[sel]; if (seq1 > seq2) { seq2 = aps->aps_ackoff[sel]; seq1 += seq2; @@ -492,6 +537,11 @@ int inc; if (inc && (seq1 > aps->aps_ackmin[!sel])) { aps->aps_ackmin[!sel] = seq1 + nlen - 1; aps->aps_ackoff[!sel] = aps->aps_ackoff[sel] + inc; +#if PROXY_DEBUG + printf("proxy ack set %d at %x to %d + %d\n", !sel, + aps->aps_seqmin[!sel], aps->aps_seqoff[sel], + inc); +#endif } /***/ @@ -501,15 +551,31 @@ int inc; /* switch to other set ? */ if ((aps->aps_seqmin[!sel] > aps->aps_seqmin[sel]) && - (seq1 > aps->aps_seqmin[!sel])) + (seq1 > aps->aps_seqmin[!sel])) { +#if PROXY_DEBUG + printf("proxy in switch set seq %d -> %d %x > %x\n", + sel, !sel, seq1, aps->aps_seqmin[!sel]); +#endif sel = aps->aps_sel[1 - out] = !sel; +} - if (aps->aps_seqoff[sel] && (seq1 > aps->aps_seqmin[sel])) { - seq2 = aps->aps_seqoff[sel]; - tcp->th_ack = htonl(seq1 - seq2); - ch = 1; + if (aps->aps_seqoff[sel] != 0) { +#if PROXY_DEBUG + printf("sel %d seqoff %d seq1 %x seqmin %x\n", sel, + aps->aps_seqoff[sel], seq1, + aps->aps_seqmin[sel]); +#endif + if (seq1 > aps->aps_seqmin[sel]) { + seq2 = aps->aps_seqoff[sel]; + tcp->th_ack = htonl(seq1 - seq2); + ch = 1; + } } } +#if PROXY_DEBUG + printf("appr_fixseqack: seq %x ack %x\n", ntohl(tcp->th_seq), + ntohl(tcp->th_ack)); +#endif return ch ? 2 : 0; } diff --git a/contrib/ipfilter/ip_proxy.h b/contrib/ipfilter/ip_proxy.h index 0f1ab84..fad791d 100644 --- a/contrib/ipfilter/ip_proxy.h +++ b/contrib/ipfilter/ip_proxy.h 
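Review bot: The debug print added in the `@@ -492` hunk reports the wrong tables: the assignments just above it update `aps->aps_ackmin[!sel]` and `aps->aps_ackoff[!sel]`, but the `printf` prints `aps->aps_seqmin[!sel]` and `aps->aps_seqoff[sel]`, so with PROXY_DEBUG enabled the trace shows sequence-side state and will mislead anyone debugging ack fixups. Change it to `printf("proxy ack set %d at %x to %d + %d\n", !sel, aps->aps_ackmin[!sel], aps->aps_ackoff[!sel], inc);` to mirror the `proxy seq set` print in the `@@ -450` hunk.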
@@ -3,7 +3,7 @@ * * See the IPFILTER.LICENCE file for details on licencing. * - * $Id: ip_proxy.h,v 2.8.2.12 2002/01/01 13:41:43 darrenr Exp $ + * $Id: ip_proxy.h,v 2.8.2.13 2002/07/04 11:07:37 darrenr Exp $ */ #ifndef __IP_PROXY_H__ @@ -95,7 +95,7 @@ typedef struct aproxy { typedef struct ftpside { char *ftps_rptr; char *ftps_wptr; - u_32_t ftps_seq; + u_32_t ftps_seq[2]; u_32_t ftps_len; int ftps_junk; int ftps_cmds; diff --git a/contrib/ipfilter/ip_sfil.c b/contrib/ipfilter/ip_sfil.c index 5a76f4b..2904585 100644 --- a/contrib/ipfilter/ip_sfil.c +++ b/contrib/ipfilter/ip_sfil.c @@ -7,7 +7,7 @@ */ #if !defined(lint) static const char sccsid[] = "%W% %G% (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.18 2002/06/06 10:47:26 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_sfil.c,v 2.23.2.20 2002/08/28 12:42:44 darrenr Exp $"; #endif #include @@ -63,8 +63,10 @@ u_long ipl_frouteok[2] = {0, 0}; static int frzerostats __P((caddr_t)); #if SOLARIS2 >= 7 static u_int *ip_ttl_ptr; +static u_int *ip_mtudisc; #else static u_long *ip_ttl_ptr; +static u_long *ip_mtudisc; #endif static int frrequest __P((minor_t, int, caddr_t, int)); @@ -86,8 +88,8 @@ int ipldetach() for (i = IPL_LOGMAX; i >= 0; i--) ipflog_clear(i); #endif - i = FR_INQUE|FR_OUTQUE; - (void) frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE); + i = frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE|FR_INACTIVE); + i += frflush(IPL_LOGIPF, FR_INQUE|FR_OUTQUE); ipfr_unload(); fr_stateunload(); ip_natunload(); 
@@ -142,16 +144,22 @@ int iplattach __P((void)) return -1; ip_ttl_ptr = NULL; + ip_mtudisc = NULL; /* * XXX - There is no terminator for this array, so it is not possible * to tell if what we are looking for is missing and go off the end * of the array. */ for (i = 0; ; i++) { - if (!strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl")) { + if (strcmp(ip_param_arr[i].ip_param_name, "ip_def_ttl") == 0) { ip_ttl_ptr = &ip_param_arr[i].ip_param_value; - break; + } else if (strcmp(ip_param_arr[i].ip_param_name, + "ip_path_mtu_discovery") == 0) { + ip_mtudisc = &ip_param_arr[i].ip_param_value; } + + if (ip_mtudisc != NULL && ip_ttl_ptr != NULL) + break; } return 0; } @@ -799,6 +807,7 @@ mblk_t *m; ip = (ip_t *)m->b_rptr; ip->ip_v = IPVERSION; ip->ip_ttl = (u_char)(*ip_ttl_ptr); + ip->ip_off = htons(*ip_mtudisc ? IP_DF : 0); ip_wput(((qif_t *)fin->fin_qif)->qf_ill->ill_wq, m); } READ_ENTER(&ipf_solaris); diff --git a/contrib/ipfilter/ip_state.c b/contrib/ipfilter/ip_state.c index f4dac8a..43fe820 100644 --- a/contrib/ipfilter/ip_state.c +++ b/contrib/ipfilter/ip_state.c @@ -93,7 +93,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ip_state.c 1.8 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.71 2002/05/29 14:23:05 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ip_state.c,v 2.30.2.74 2002/07/27 15:58:10 darrenr Exp $"; #endif #ifndef MIN @@ -741,6 +741,7 @@ u_int flags; is->is_hv = hv; is->is_rule = fin->fin_fr; if (is->is_rule != NULL) { + is->is_group = is->is_rule->fr_group; ATOMIC_INC32(is->is_rule->fr_ref); pass = is->is_rule->fr_flags; is->is_frage[0] = is->is_rule->fr_age[0]; @@ -810,7 +811,7 @@ u_int flags; RWLOCK_EXIT(&ipf_state); fin->fin_rev = IP6NEQ(is->is_dst, fin->fin_fi.fi_dst); if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) - ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); + ipfr_newfrag(ip, fin); return is; } 
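Review bot: The parameter scan in the `@@ -142` hunk now leaves the loop only once both `ip_ttl_ptr` and `ip_mtudisc` are set, while the comment directly above it says `ip_param_arr` has no terminator; before this change the loop stopped at `ip_def_ttl`, so a kernel whose parameter table lacks `ip_path_mtu_discovery` now walks off the end of the array instead of attaching. Bound the scan (compare `i` against the array length if it is available to this code, or stop on the first entry whose `ip_param_name` is NULL if that holds for the table) and treat a missing entry as non-fatal. The deref in the `@@ -799` hunk should then tolerate the NULL the pointer is initialised to: `ip->ip_off = htons((ip_mtudisc != NULL && *ip_mtudisc) ? IP_DF : 0);`. iplattach's body runs past the hunk, so whether an upper bound is known there cannot be confirmed here.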
@@ -1066,7 +1067,7 @@ tcphdr_t *tcp; } else { is->is_src = fin->fin_fi.fi_dst; } - } else if ((flags & FI_W_DPORT) != 0) { + } else if ((flags & FI_W_DADDR) != 0) { if (rev == 0) { is->is_dst = fin->fin_fi.fi_dst; } else { @@ -1402,7 +1403,8 @@ fr_info_t *fin; tcphdr_t *tcp; int rev; - if (fr_state_lock || (fin->fin_off != 0) || (fin->fin_fl & FI_SHORT)) + if ((ips_list == NULL) || (fin->fin_off != 0) || fr_state_lock || + (fin->fin_fl & FI_SHORT)) return NULL; is = NULL; @@ -1633,7 +1635,7 @@ retry_tcpudp: pass = is->is_pass; RWLOCK_EXIT(&ipf_state); if ((fin->fin_fl & FI_FRAG) && (pass & FR_KEEPFRAG)) - ipfr_newfrag(ip, fin, pass ^ FR_KEEPSTATE); + ipfr_newfrag(ip, fin); #ifndef _KERNEL if ((tcp != NULL) && (tcp->th_flags & TCP_CLOSE)) fr_delstate(is); @@ -2044,6 +2046,8 @@ u_int type; ipsl.isl_p = is->is_p; ipsl.isl_v = is->is_v; ipsl.isl_flags = is->is_flags; + ipsl.isl_rulen = is->is_rulen; + ipsl.isl_group = is->is_group; if (ipsl.isl_p == IPPROTO_TCP || ipsl.isl_p == IPPROTO_UDP) { ipsl.isl_sport = is->is_sport; ipsl.isl_dport = is->is_dport; diff --git a/contrib/ipfilter/ip_state.h b/contrib/ipfilter/ip_state.h index 01b1256..35368c4 100644 --- a/contrib/ipfilter/ip_state.h +++ b/contrib/ipfilter/ip_state.h @@ -4,7 +4,7 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed - * $Id: ip_state.h,v 2.13.2.12 2002/03/25 11:14:55 darrenr Exp $ + * $Id: ip_state.h,v 2.13.2.13 2002/06/27 14:40:29 darrenr Exp $ */ #ifndef __IP_STATE_H__ #define __IP_STATE_H__ @@ -86,6 +86,7 @@ typedef struct ipstate { tcpstate_t is_ts; udpstate_t is_us; } is_ps; + u_32_t is_group; char is_ifname[4][IFNAMSIZ]; #if SOLARIS || defined(__sgi) kmutex_t is_lock; @@ -147,6 +148,8 @@ typedef struct ipslog { u_char isl_p; u_char isl_flags; u_char isl_state[2]; + u_32_t isl_rulen; + u_32_t isl_group; } ipslog_t; #define isl_sport isl_ps.isl_ports[0] 
diff --git a/contrib/ipfilter/ipf.c b/contrib/ipfilter/ipf.c index f9b85af..b22addf 100644 --- a/contrib/ipfilter/ipf.c +++ b/contrib/ipfilter/ipf.c @@ -50,7 +50,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.16 2002/06/06 10:48:35 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipf.c,v 2.10.2.17 2002/06/27 14:29:17 darrenr Exp $"; #endif #if SOLARIS @@ -389,7 +389,7 @@ int *linenum; static void packetlogon(opt) char *opt; { - int flag, err; + int flag; flag = get_flags(); if (flag != 0) { @@ -415,7 +415,7 @@ char *opt; printf("set log flag: block\n"); } - if (opendevice(ipfname) != -2 && (err = ioctl(fd, SIOCSETFF, &flag))) + if (opendevice(ipfname) != -2 && (ioctl(fd, SIOCSETFF, &flag) != 0)) perror("ioctl(SIOCSETFF)"); if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) { diff --git a/contrib/ipfilter/ipft_ef.c b/contrib/ipfilter/ipft_ef.c index 8344d5f..ae40827 100644 --- a/contrib/ipfilter/ipft_ef.c +++ b/contrib/ipfilter/ipft_ef.c @@ -52,7 +52,7 @@ etherfind -n -t #if !defined(lint) static const char sccsid[] = "@(#)ipft_ef.c 1.6 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.2 2002/02/22 15:32:53 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_ef.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $"; #endif static int etherf_open __P((char *)); @@ -97,7 +97,7 @@ int cnt, *dir; struct protoent *p = NULL; char src[16], dst[16], sprt[16], dprt[16]; char lbuf[128], len[8], prot[8], time[8], *s; - int slen, extra = 0, i, n; + int slen, extra = 0, i; if (!fgets(lbuf, sizeof(lbuf) - 1, efp)) return 0; 
@@ -108,10 +108,10 @@ int cnt, *dir; bzero(&pkt, sizeof(pkt)); - if ((n = sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst, - sprt, dprt)) != 6) - if ((n = sscanf(lbuf, "%s %s %s %s %s %s %s", time, - len, prot, src, dst, sprt, dprt)) != 7) + if (sscanf(lbuf, "%s %s %s %s %s %s", len, prot, src, dst, + sprt, dprt) != 6) + if (sscanf(lbuf, "%s %s %s %s %s %s %s", time, + len, prot, src, dst, sprt, dprt) != 7) return -1; ip->ip_p = atoi(prot); diff --git a/contrib/ipfilter/ipft_td.c b/contrib/ipfilter/ipft_td.c index 253aa86..7fede06 100644 --- a/contrib/ipfilter/ipft_td.c +++ b/contrib/ipfilter/ipft_td.c @@ -61,7 +61,7 @@ tcpdump -nqte #if !defined(lint) static const char sccsid[] = "@(#)ipft_td.c 1.8 2/4/96 (C)1995 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.2 2002/02/22 15:32:54 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_td.c,v 2.2.2.3 2002/06/27 14:29:17 darrenr Exp $"; #endif static int tcpd_open __P((char *)); @@ -120,7 +120,7 @@ int cnt, *dir; struct protoent *p; char src[32], dst[32], misc[256], time[32], link1[32], link2[32]; char lbuf[160], *s; - int n, dots, slen, extra = 0; + int n, slen, extra = 0; if (!fgets(lbuf, sizeof(lbuf) - 1, tfp)) return 0; @@ -142,7 +142,7 @@ int cnt, *dir; return -1; } - if ((dots = count_dots(dst)) == 4) { + if (count_dots(dst) == 4) { s = strrchr(src, '.'); *s++ = '\0'; (void) inet_aton(src, &ip->ip_src); diff --git a/contrib/ipfilter/ipft_tx.c b/contrib/ipfilter/ipft_tx.c index f61b0d0..1de5713 100644 --- a/contrib/ipfilter/ipft_tx.c +++ b/contrib/ipfilter/ipft_tx.c @@ -44,7 +44,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipft_tx.c 1.7 6/5/96 (C) 1993 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.6 2002/03/13 03:55:15 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipft_tx.c,v 2.3.2.7 2002/06/27 14:29:17 darrenr Exp $"; #endif extern int opts; 
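Review bot: Both `sscanf` calls in this ipft_ef.c hunk still use an unbounded `%s` for every field, while the destinations declared in the previous hunk are `len[8]`, `prot[8]`, `time[8]` and four 16-byte address/port buffers; a single token longer than 7 or 15 characters on a 128-byte trace line overflows the stack. The commit only drops the unused `n`, so the widths should be added now that the lines are being touched: `"%7s %7s %15s %15s %15s %15s"` for the six-field form and `"%7s %7s %7s %15s %15s %15s %15s"` for the seven-field form. The input is an offline trace file for ipftest, so the exposure is limited to whoever feeds the tool, but the overflow is still a crash on malformed input.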
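Review bot: In the ipft_td.c `@@ -142` hunk, `s = strrchr(src, '.');` is dereferenced on the next line without a NULL check, even though the guard `count_dots(dst) == 4` only inspects `dst`; a line whose destination carries a port but whose source has no dot at all will dereference NULL. Since the function already returns -1 for unparseable lines (visible just above the hunk), the fix is `if ((s = strrchr(src, '.')) == NULL) return -1;`. The rest of the parsing function is outside the hunk.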
@@ -177,10 +177,8 @@ char *buf, **ifn; int cnt, *dir; { register char *s; - ip_t *ip; char line[513]; - ip = (ip_t *)buf; *ifn = NULL; while (fgets(line, sizeof(line)-1, tfp)) { if ((s = index(line, '\n'))) @@ -197,7 +195,7 @@ int cnt, *dir; *dir = 0; if (!parseline(line, (ip_t *)buf, ifn, dir)) #if 0 - return sizeof(*ip) + sizeof(tcphdr_t); + return sizeof(ip_t) + sizeof(tcphdr_t); #else return sizeof(ip_t); #endif diff --git a/contrib/ipfilter/ipl.h b/contrib/ipfilter/ipl.h index 6cd868d..ced3e56 100644 --- a/contrib/ipfilter/ipl.h +++ b/contrib/ipfilter/ipl.h @@ -4,12 +4,12 @@ * See the IPFILTER.LICENCE file for details on licencing. * * @(#)ipl.h 1.21 6/5/96 - * $Id: ipl.h,v 2.15.2.34 2002/06/06 11:11:45 darrenr Exp $ + * $Id: ipl.h,v 2.15.2.35 2002/08/28 13:00:50 darrenr Exp $ */ #ifndef __IPL_H__ #define __IPL_H__ -#define IPL_VERSION "IP Filter: v3.4.28" +#define IPL_VERSION "IP Filter: v3.4.29" #endif diff --git a/contrib/ipfilter/ipmon.c b/contrib/ipfilter/ipmon.c index 6bf90b9..88270b9 100644 --- a/contrib/ipfilter/ipmon.c +++ b/contrib/ipfilter/ipmon.c @@ -68,7 +68,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)ipmon.c 1.21 6/5/96 (C)1993-2000 Darren Reed"; -static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.35 2002/06/04 14:43:49 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: ipmon.c,v 2.12.2.36 2002/08/22 15:12:23 darrenr Exp $"; #endif @@ -959,13 +959,13 @@ int blen; *t++ = 'S'; lvl = LOG_ERR; } else if (ipf->fl_flags & FR_PASS) { - if (ipf->fl_flags & FR_LOGP) + if (ipf->fl_flags & FR_LOG) *t++ = 'p'; else *t++ = 'P'; lvl = LOG_NOTICE; } else if (ipf->fl_flags & FR_BLOCK) { - if (ipf->fl_flags & FR_LOGB) + if (ipf->fl_flags & FR_LOG) *t++ = 'b'; else *t++ = 'B'; diff --git a/contrib/ipfilter/kmem.c b/contrib/ipfilter/kmem.c index 254bbf9..5cb0efd 100644 --- a/contrib/ipfilter/kmem.c +++ b/contrib/ipfilter/kmem.c 
@@ -46,7 +46,7 @@ #if !defined(lint) static const char sccsid[] = "@(#)kmem.c 1.4 1/12/96 (C) 1992 Darren Reed"; -static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.14 2002/04/17 17:44:44 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: kmem.c,v 2.2.2.15 2002/07/27 15:59:37 darrenr Exp $"; #endif #ifdef __sgi @@ -55,7 +55,7 @@ typedef int kvm_t; static int kvm_fd = -1; static char *kvm_errstr; -kvm_t kvm_open(kernel, core, swap, mode, errstr) +kvm_t *kvm_open(kernel, core, swap, mode, errstr) char *kernel, *core, *swap; int mode; char *errstr; @@ -65,17 +65,18 @@ char *errstr; if (core == NULL) core = "/dev/kmem"; kvm_fd = open(core, mode); - return (kvm_fd >= 0) ? (kvm_t)&kvm_fd : NULL; + return (kvm_fd >= 0) ? (kvm_t *)&kvm_fd : NULL; } int kvm_read(kvm, pos, buffer, size) -kvm_t kvm; +kvm_t *kvm; u_long pos; char *buffer; size_t size; { - int r, left; + size_t left; char *bufp; + int r; if (lseek(*kvm, pos, 0) == -1) { fprintf(stderr, "%s", kvm_errstr); @@ -97,13 +98,19 @@ static kvm_t *kvm_f = NULL; int openkmem(kern, core) char *kern, *core; { + union { + int ui; + kvm_t *uk; + } k; + kvm_f = kvm_open(kern, core, NULL, O_RDONLY, ""); if (kvm_f == NULL) { perror("openkmem:open"); return -1; } - return (int)kvm_f; + k.uk = kvm_f; + return k.ui; } int kmemcpy(buf, pos, n) @@ -120,7 +127,7 @@ register int n; if (openkmem(NULL, NULL) == -1) return -1; - while ((r = kvm_read(kvm_f, pos, buf, n)) < n) + while ((r = kvm_read(kvm_f, pos, buf, (size_t)n)) < n) if (r <= 0) { fprintf(stderr, "pos=0x%x ", (u_int)pos); @@ -152,7 +159,7 @@ register int n; while (n > 0) { - r = kvm_read(kvm_f, pos, buf, 1); + r = kvm_read(kvm_f, pos, buf, (size_t)1); if (r <= 0) { fprintf(stderr, "pos=0x%x ", (u_int)pos); diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8 index 0ec7854..0030c74 100644 --- a/contrib/ipfilter/man/ipmon.8 +++ b/contrib/ipfilter/man/ipmon.8 
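Review bot: The `union { int ui; kvm_t *uk; } k;` added to `openkmem` in the `@@ -97` hunk returns only one half of the pointer on a 64-bit build, and on a big-endian target `k.ui` aliases the high-order half, so the returned value is not meaningful as anything but "not -1". The only caller visible in this diff (`kmemcpy`, `@@ -120`) tests `== -1`, so returning a fixed success value is clearer and portable: `return 0;` in place of `k.uk = kvm_f; return k.ui;` with the union dropped. Please confirm no other caller in kmem.c or its users interprets the value as a handle; that code is outside this diff.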
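Review bot: The `(size_t)n` casts added in the `@@ -120` and `@@ -152` hunks convert a `register int n` (visible in the hunk header), so a negative count becomes an enormous read request to `kvm_read`; with `left` now `size_t` and `r` still `int` in the `@@ -65` hunk, the comparison and arithmetic in the body of `kvm_read` (outside the hunk) are also mixing signedness, which is worth a look. A guard at the top of `kmemcpy`, `if (n < 0) return -1;`, keeps the cast honest, and the same applies to the sibling function in the `@@ -152` hunk. Both enclosing functions start outside their hunks.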
@@ -46,8 +46,11 @@ long). 4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be viewed with \fBipfstat -n\fP. .LP -5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short -packet, \fBn\fP did not match any rules or \fBL\fP for a log rule. +5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fBS\fP for a short +packet, \fBn\fP did not match any rules, \fBL\fP for a log rule. The order +of precedence in showing flags is: S, p, b, n, L. A capital \fBP\fP or +\fBB\fP means that the packet has been logged due to a global logging +setting, not a particular rule. .LP 6. The addresses. This is actually three fields: the source address and port diff --git a/contrib/ipfilter/man/ipnat.5 b/contrib/ipfilter/man/ipnat.5 index a8beb6f..f0a4ac9 100644 --- a/contrib/ipfilter/man/ipnat.5 +++ b/contrib/ipfilter/man/ipnat.5 @@ -96,6 +96,15 @@ or as map de0 from 10.1.0.0/16 to any -> 201.2.3.4/32 .fi .LP +For even greater control, one may negate either of the "from" or "to" clauses +with a preceding exclamation mark ("!"). Please note that one may not use a +negated "from" within a \fBmap\fP rule or a negated "to" within a \fBrdr\fP +rule. Such a rule might look like the following: +.LP +.nf ++map de0 from 10.1.0.0/16 ! to 10.1.0.0/16 -> 201.2.3.4/32 +.fi +.PP Only IP address and port numbers can be compared against. This is available with all NAT rules. .SH TRANSLATION diff --git a/contrib/ipfilter/parse.c b/contrib/ipfilter/parse.c index 02590df..ea13356 100644 --- a/contrib/ipfilter/parse.c +++ b/contrib/ipfilter/parse.c @@ -935,7 +935,6 @@ u_long optmsk, optbits; u_short secmsk = sec[0], secbits = sec[1]; struct ipopt_names *io, *so; char *s; - int secflag = 0; s = " opt "; for (io = ionames; io->on_name; io++) @@ -947,8 +946,7 @@ u_long optmsk, optbits; if (io->on_value == IPOPT_SECURITY) io++; s = ","; - } else - secflag = 1; + } } diff --git a/contrib/ipfilter/printnat.c b/contrib/ipfilter/printnat.c index ba5524b..9ccae18 100644 
--- a/contrib/ipfilter/printnat.c +++ b/contrib/ipfilter/printnat.c @@ -58,7 +58,7 @@ extern char *sys_errlist[]; #endif #if !defined(lint) -static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.9 2002/05/03 11:48:49 darrenr Exp $"; +static const char rcsid[] = "@(#)$Id: printnat.c,v 1.1.2.10 2002/08/28 12:45:51 darrenr Exp $"; #endif @@ -242,9 +242,10 @@ int opts; 0xffffffff), hv2 = NAT_HASH_FN(nat->nat_oip.s_addr, hv2 + nat->nat_oport, NAT_TABLE_SZ), - printf("%s pr %u bkt %d/%d flags %x\n", + printf("%s pr %u bkt %d/%d flags %x drop %d/%d\n", getsumd(nat->nat_sumd[1]), nat->nat_p, - hv1, hv2, nat->nat_flags); + hv1, hv2, nat->nat_flags, + nat->nat_drop[0], nat->nat_drop[1]); printf("\tifp %s ", getifname(nat->nat_ifp)); #ifdef USE_QUAD_T printf("bytes %qu pkts %qu", diff --git a/contrib/ipfilter/rules/example.9 b/contrib/ipfilter/rules/example.9 index 77968f8..daff203 100644 --- a/contrib/ipfilter/rules/example.9 +++ b/contrib/ipfilter/rules/example.9 @@ -4,7 +4,7 @@ block in all pass in all with opt sec # -# only allow packets in and out on le0 which are top secret +# only allow packets in and out on le1 which are top secret # block out on le1 all pass out on le1 all with opt sec-class topsecret diff --git a/contrib/ipfilter/test/expected/f13 b/contrib/ipfilter/test/expected/f13 index a2a950a..b3c7e54 100644 --- a/contrib/ipfilter/test/expected/f13 +++ b/contrib/ipfilter/test/expected/f13 @@ -9,6 +9,8 @@ nomatch nomatch nomatch nomatch +nomatch +nomatch -------- block nomatch @@ -21,6 +23,8 @@ nomatch nomatch nomatch nomatch +nomatch +nomatch -------- nomatch nomatch @@ -32,6 +36,8 @@ nomatch pass pass nomatch +nomatch +nomatch pass -------- nomatch @@ -44,6 +50,8 @@ nomatch block block nomatch +nomatch +nomatch block -------- pass @@ -57,6 +65,8 @@ nomatch nomatch nomatch nomatch +nomatch +nomatch -------- block nomatch @@ -69,4 +79,6 @@ nomatch nomatch nomatch nomatch +nomatch +nomatch -------- 
diff --git a/contrib/ipfilter/test/input/f13 b/contrib/ipfilter/test/input/f13 index b90d6ba..ccd74a3 100644 --- a/contrib/ipfilter/test/input/f13 +++ b/contrib/ipfilter/test/input/f13 @@ -29,15 +29,23 @@ 45 00 0018 0007 2000 3f 11 0000 01010101 02010101 0035 0035 -# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0 +# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP MF FO=0 45 00 001c 0008 2000 3f 11 0000 01010101 02010101 0035003500040000 -# 1.1.1.1,1 -> 2.1.1.1,1 TTL=63 UDP MF FO=0 (short) +# 1.1.1.1,53 -> 2.1.1.1,54 TTL=63 UDP MF FO=0 (short) 45 00 0018 0008 2000 3f 11 0000 01010101 02010101 00350036 -# 1.1.1.1,53 -> 2.1.1.1,53 TTL=63 UDP FO=1 +# 1.1.1.1,21 -> 2.1.1.1,54 TTL=63 UDP MF FO=0 +45 00 001c 0008 2000 3f 11 0000 01010101 02010101 +0015003600040000 + +# 1.1.1.1,21 -> 2.1.1.1,54 TTL=63 TCP MF FO=0 +45 00 001c 0008 2000 3f 06 0000 01010101 02010101 +0015 0036 00000000 00000000 50 02 2000 0000 0000 + +# 1.1.1.1 -> 2.1.1.1 TTL=63 UDP FO=1 45 00 001c 0008 0001 3f 11 0000 01010101 02010101 0000000000000000 -- cgit v1.1